[clamav-users] Question about ClamScan
Hi ClamAV Developers, Users

I think Clamscan is a single-thread application. Am I right? I inspected this for a little bit of time. It doesn't read any config file before it starts.

Thanks,
Crazy Thinker, Inc

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
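An added example, not from the list thread or the ClamAV project: if one clamscan process scans on a single thread (as the post above observes), the practical way to use several cores is to run several processes. This wrapper batches file paths across a pool of clamscan processes and parses their per-file report lines. The report line formats ("<path>: OK", "<path>: <SigName> FOUND") and the --no-summary flag are standard clamscan behaviour; the batch size, worker count and the SAMPLE_OUTPUT text are this example's own constructed choices.

```python
"""Fan a single-threaded clamscan out over several processes (added example)."""
import os
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# Constructed sample of clamscan --no-summary output (not captured from a real run).
SAMPLE_OUTPUT = (
    "/srv/in/a.txt: OK\n"
    "/srv/in/eicar.com: Win.Test.EICAR_HDB-1 FOUND\n"
    "/srv/in/locked: Can't open file or directory ERROR\n"
    "\n"
)


def parse_clamscan_output(text):
    """Map each reported path to "OK", the matched signature name, or "ERROR".

    clamscan prints one line per file. Lines that are neither "OK" nor "FOUND"
    (unreadable files, unsupported content, ...) are recorded as "ERROR".
    """
    results = {}
    for line in text.splitlines():
        path, sep, verdict = line.strip().rpartition(": ")
        if not sep:
            continue  # blank line or something that is not a per-file report
        if verdict == "OK":
            results[path] = "OK"
        elif verdict.endswith(" FOUND"):
            results[path] = verdict[: -len(" FOUND")]
        else:
            results[path] = "ERROR"
    return results


def scan_batch(paths, clamscan="clamscan"):
    """Scan one batch of files with a single clamscan process.

    The exit status (0 clean, 1 something found, 2 error) is not used as the
    verdict; the per-file lines carry the detail we want.
    """
    proc = subprocess.run([clamscan, "--no-summary", *paths],
                          capture_output=True, text=True)
    results = parse_clamscan_output(proc.stdout)
    for p in paths:  # files that never produced a verdict line
        results.setdefault(p, "ERROR")
    return results


def chunked(items, size):
    """Yield consecutive slices of `items` with at most `size` entries."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def parallel_scan(paths, workers=None, batch_size=200, clamscan="clamscan"):
    """Scan `paths` with up to `workers` clamscan processes at a time.

    Every process loads the full signature database before scanning, so batches
    should be large enough that database loading does not dominate the run.
    """
    workers = workers or os.cpu_count() or 2
    batches = list(chunked(list(paths), batch_size))
    merged = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for partial in pool.map(lambda b: scan_batch(b, clamscan), batches):
            merged.update(partial)
    return merged


def summarize(results):
    """Return (clean, infected, errors) counts for a results mapping."""
    clean = sum(1 for v in results.values() if v == "OK")
    errors = sum(1 for v in results.values() if v == "ERROR")
    return clean, len(results) - clean - errors, errors


if __name__ == "__main__":
    # Usage: python parallel_clamscan.py <file> [<file> ...]
    report = parallel_scan(sys.argv[1:])
    for path, verdict in sorted(report.items()):
        if verdict != "OK":
            print(f"{path}: {verdict}")
    print("clean=%d infected=%d errors=%d" % summarize(report))
```

The memory cost is the caveat to keep in mind: each clamscan process loads its own copy of the signature set, so `workers` copies of the database live in RAM at once, which is why large batches per process are preferable to one process per file.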
Re: [clamav-users] Question about ClamAV
On Thu, May 11, 2017 at 03:03 AM, crazy thinker wrote:
>
> @Al
> Maybe my question is a stupid one.. I still have a doubt, so I want to
> clarify myself.. Why does a heuristics scanner need a signature database when
> the heuristics scanning technique detects malware based on behavior?

Sorry to sound exasperated but this is the third time I have explained this to you. The database contains a list of the financial institutions that need to be checked by that engine for phishing attempts (.pdb) along with a whitelist (.sfp) of combinations that are known to be acceptable.

> Can't a heuristic scanner detect malware detected by a signature-based
> scanner? If yes, why don't we use a heuristic scanner alone in AV software?

The Heuristic Scanner you are talking about is only used to detect financial institution phishing attempts in email messages. It does nothing at all to detect other types of email or non-email malware.

-Al-

> On 11 May 2017 at 14:58, Al Varnell wrote:
>
>> On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
>>>
>>> Hi ClamAV Developers, Users
>>>
>>> SaneSecurity and SecuriteInfo provide better virus signature database
>>> feeds. With the help of this, we can increase the ClamAV engine detection
>> rate
>>> up to 80%-90%. I had already integrated the ClamAV engine with the unofficial
>>> database (excluding the official database) in an experimental way. ClamAV
>>> performance is better than earlier now. I want to rewrite the engine first
>>> from scratch and I am looking for some guys who are willing to join to work
>> with
>>> me.
>>
>> How is performance better for you?
>>
>>> When I debugged the ClamAV code base, I interestingly found that ClamAV
>>> creates 14 engine instances internally. Out of 14, only one is a heuristic
>>> engine.
>>
>> This is really a developer question, but what are the other engines for
>> and how can you say for certain that they are non-heuristic?
>>
>>> ClamAV provides both a signature-based scanner and a heuristic-based scanner.
>>> As per my understanding, a signature-based scanner will never be involved in
>>> false positive/false negative results.
>>
>> Not at all true. Signatures are being dropped daily due to reports of
>> False Positives.
>>
>>> But a heuristic scanner sometimes
>>> gives false positive/false negative results.
>>
>> Heuristic determinations are by their nature warnings based on a best guess
>> that something can be malware. It's then up to the user to check further to
>> determine whether they are or not. False positive/negative has little
>> meaning here.
>>
>>> My question is: are all AV vendors including both a signature-based
>> scanner
>>> and a heuristic-based scanner in their software? For example, do the most
>>> popular AV vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC do the
>> same
>>> thing?
>>
>> This is a ClamAV user forum, so it would be appropriate to ask that
>> question elsewhere.
>>
>>> I had researched virus scanning techniques with the help of the Google
>>> engine.. I came to know that heuristic scanning techniques provide
>>> better results than traditional signature-based scanning.. Then why has
>> ClamAV
>>> not created a scanner with the heuristic scanning technique alone?
>>> Or is my thought wrong?
>>
>> Define "better." I'd have to guess that signature based scanning results
>> in an order of magnitude more detections than any current AI technique
>> being used by any vendor, but fixed signatures only work when scanning for
>> known malware. AI techniques are most useful against so called zero-day
>> malware attacks, so both techniques are necessary for complete protection.
>>
>> -Al-
>>
>>> Thanks,
>>> Crazy Thinker, Inc

-Al-
--
Al Varnell
Mountain View, CA
Re: [clamav-users] Question about ClamAV
I would consider a malware author that does not pass his/her new product through several file scanners to be incompetent. There is little point in distributing such files if they are commonly detectable. Scanners are one of the best quality inspection tools a malware author has at their disposal. Conveniently, it can be done cheaply at VirusTotal and other sites that do live scans using multiple engines.

dp

On 5/11/17 8:21 AM, Matthew Molyett wrote:
> Crazy Thinker,
>
>> As per my understanding, a signature-based scanner will never be involved in
>> false positive/false negative results. But a heuristic scanner sometimes
>> gives false positive/false negative results.
>
> Signature-based scanning can and will have false positive and false negative results. In fact, the high rate of False Negatives from Signature Based is the entire reason Heuristic scanning (and run-time scanning) is performed. A brand new, unknown threat, from a careful author, will be free of existing signatures. Similarly, a signature on a library only seen before in malicious software will cause a False Positive when a legitimate software begins using it.
>
> Large, exact signatures prevent False Positives, but can be trivially defeated. Flexible signatures with wildcards can identify larger blocks of malicious content, but at the price of potential False Positives.
>
> The response from Maarten Broekman does a great job discussing the issues we are facing.
>
> Thank you for choosing ClamAV. Helping protect you and your users is what keeps me happily getting to work each day.
>
> On Thu, May 11, 2017 at 9:54 AM, Arnaud Jacques / SecuriteInfo.com < webmas...@securiteinfo.com> wrote:
>> Hello,
>>
>>> is that a *technical* reason or do you *think* it's recommended for
>>> whatever reason
>>
>> It is technical: we avoid duplicate signatures in our databases. It means
>> every day we remove samples already detected by ClamAV.
>>
>>> - as an example, SaneSecurity works just fine without the
>>> official stuff and the difference is hundreds of MB of uselessly wasted RAM,
>>> while I have not seen any relevant hit on our inbound MX caught by the
>>> official signatures which would have slipped through SaneSecurity
>>
>> In your example you are right. On mail filtering, SaneSecurity and
>> spam_marketing.ndb from SecuriteInfo.com are good enough to protect mailboxes,
>> because Win32 malware is not spread by mail nowadays.
>>
>> In any other case (system protection, HTTP scanning, file hosting, etc...) you
>> have to get ClamAV official + 3rd party signatures for maximum detection.
>>
>> --
>> Best regards,
>>
>> Arnaud Jacques
>> SecuriteInfo.com
>>
>> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
>> Twitter : @SecuriteInfoCom
[clamav-users] Question about Scanning speed of clamd 0.99.2 with PCRE
Hi, all.

We are using clamd 0.99.2 with PCRE. The required time for a scan varies significantly by the CVD version. Does the required time for a scan depend on the number of signatures for PCRE which are inside the CVD? When we use clamd without PCRE, the required scan times are not so different.

Is there any way to check the number of signatures which are used by PCRE?

Thanks,
T.O.
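An added example, not from the list thread or the ClamAV project, for the question above: PCRE signatures live in the logical-signature (.ldb) files inside a CVD, so after unpacking the CVD you can count them and compare two database versions. It assumes the documented .ldb line layout (`Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...`) and the documented PCRE subsignature form `Trigger/PCRE/[Flags]`, which is the only subsignature kind that carries an unescaped `/`; it also assumes lines starting with `#` are comments. The SAMPLE_OLD and SAMPLE_NEW strings are constructed stand-ins, not real signatures.

```python
"""Count PCRE subsignatures in an unpacked ClamAV .ldb file (added example)."""
import re
import sys

# Trigger, then /pattern/, then optional single-letter flags.
PCRE_SUBSIG = re.compile(r"^(?P<trigger>[^/]+)/(?P<pattern>.*)/(?P<flags>[A-Za-z]*)$")


def parse_ldb_line(line):
    """Return (name, [subsignatures]) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(";")
    if len(fields) < 4:
        raise ValueError("malformed logical signature: %r" % line[:60])
    return fields[0], fields[3:]


def is_pcre_subsig(subsig):
    """True for Trigger/PCRE/[Flags]; hex, byte-compare and macro subsigs have no '/'."""
    return PCRE_SUBSIG.match(subsig) is not None


def pcre_stats(ldb_text):
    """Summarise one .ldb: total signatures, how many use PCRE, PCRE subsig count."""
    stats = {"signatures": 0, "with_pcre": 0, "pcre_subsigs": 0, "per_sig": {}}
    for line in ldb_text.splitlines():
        parsed = parse_ldb_line(line)
        if parsed is None:
            continue
        name, subsigs = parsed
        stats["signatures"] += 1
        n = sum(1 for s in subsigs if is_pcre_subsig(s))
        if n:
            stats["with_pcre"] += 1
            stats["pcre_subsigs"] += n
            stats["per_sig"][name] = n
    return stats


def diff_pcre(old_text, new_text):
    """Signatures whose PCRE subsig count differs between two .ldb versions.

    Returns {name: (old_count, new_count)}; a name absent on one side counts 0.
    """
    old = pcre_stats(old_text)["per_sig"]
    new = pcre_stats(new_text)["per_sig"]
    return {name: (old.get(name, 0), new.get(name, 0))
            for name in set(old) | set(new)
            if old.get(name, 0) != new.get(name, 0)}


# Constructed sample content standing in for two consecutive daily.ldb versions.
SAMPLE_OLD = r"""# constructed sample, not real signatures
Example.Hex.Only-1;Engine:51-255,Target:0;0&1;41424344;45464748
Example.Pcre.One-1;Engine:81-255,Target:3;0&1;3c7363726970743e;0/\bdocument\.write\s*\(/i
"""
SAMPLE_NEW = SAMPLE_OLD + r"""Example.Pcre.Two-1;Engine:81-255,Target:0;(0|1)&2;4d5a;0/^\x4d\x5a/;1/payload\/stage[0-9]+/s
"""

if __name__ == "__main__":
    # Usage: sigtool --unpack=daily.cvd && python count_pcre.py daily.ldb
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print(pcre_stats(fh.read()))
```

Unpack each CVD version with `sigtool --unpack=daily.cvd` (it writes the contained files, daily.ldb among them, into the current directory) and run `diff_pcre` over the two .ldb files to see which signatures gained PCRE subsignatures. A raw count is only part of the picture: a PCRE subsignature is evaluated only when its trigger expression is satisfied, so scan time depends on how often triggers fire on your traffic, and clamd.conf's PCREMatchLimit, PCRERecMatchLimit and PCREMaxFileSize cap the work any one match may do.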
Re: [clamav-users] Question about ClamAV
Crazy Thinker,

> As per my understanding, a signature-based scanner will never be involved in
> false positive/false negative results. But a heuristic scanner sometimes
> gives false positive/false negative results.

Signature-based scanning can and will have false positive and false negative results. In fact, the high rate of False Negatives from Signature Based is the entire reason Heuristic scanning (and run-time scanning) is performed. A brand new, unknown threat, from a careful author, will be free of existing signatures. Similarly, a signature on a library only seen before in malicious software will cause a False Positive when a legitimate software begins using it.

Large, exact signatures prevent False Positives, but can be trivially defeated. Flexible signatures with wildcards can identify larger blocks of malicious content, but at the price of potential False Positives.

The response from Maarten Broekman does a great job discussing the issues we are facing.

Thank you for choosing ClamAV. Helping protect you and your users is what keeps me happily getting to work each day.

On Thu, May 11, 2017 at 9:54 AM, Arnaud Jacques / SecuriteInfo.com < webmas...@securiteinfo.com> wrote:
> Hello,
>
>> is that a *technical* reason or do you *think* it's recommended for
>> whatever reason
>
> It is technical: we avoid duplicate signatures in our databases. It means
> every day we remove samples already detected by ClamAV.
>
>> - as an example, SaneSecurity works just fine without the
>> official stuff and the difference is hundreds of MB of uselessly wasted RAM,
>> while I have not seen any relevant hit on our inbound MX caught by the
>> official signatures which would have slipped through SaneSecurity
>
> In your example you are right. On mail filtering, SaneSecurity and
> spam_marketing.ndb from SecuriteInfo.com are good enough to protect
> mailboxes,
> because Win32 malware is not spread by mail nowadays.
>
> In any other case (system protection, HTTP scanning, file hosting, etc...)
> you
> have to get ClamAV official + 3rd party signatures for maximum detection.
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom

--
Matthew Molyett
Malware Researcher
mmoly...@cisco.com
Phone: (410) 309-4834
Mobile: (410) 674-2049
Cisco.com - http://www.cisco.com
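An added example, not from the list thread or the ClamAV project, illustrating the trade-off Matthew describes above (and that Maarten's reply in this thread makes from the rules side): an exact signature misses a trivially modified variant, while a wildcard signature catches the variant but also fires on a benign file that happens to share the wildcarded region. It assumes ClamAV's .hdb line format (`MD5:FileSize:MalwareName`) and .ndb line format (`MalwareName:TargetType:Offset:HexSignature`); the matcher is a toy supporting only the `??` (any one byte) and `*` (any gap) wildcards, not the full ClamAV hex syntax. All three sample files and all three signatures are constructed for this example.

```python
"""Exact vs. wildcard signatures: false negatives against false positives (added example)."""
import hashlib
import re

# Constructed samples: a "malware" file, a variant with one byte changed, and a
# benign file that shares the loader marker but carries different bytes after it.
MALWARE_V1 = b"MZ\x90\x00" + b"\x00" * 12 + b"LOADER:" + b"\xde\xad\xbe\xef" + b"/tmp/.x"
MALWARE_V2 = MALWARE_V1.replace(b"\xde\xad", b"\xde\xac")   # trivially modified variant
BENIGN = b"MZ\x90\x00" + b"\x00" * 12 + b"LOADER:" + b"\x01\x02\x03\x04" + b"/usr/lib"


def load_hdb(text):
    """Parse .hdb lines into {(md5 hex, size): name}; '#' lines are comments."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            md5, size, name = line.split(":", 2)
            sigs[(md5.lower(), int(size))] = name
    return sigs


def match_hdb(data, sigs):
    """Exact match: whole-file MD5 and size must both agree."""
    return sigs.get((hashlib.md5(data).hexdigest(), len(data)))


def hex_to_regex(hexsig):
    """Translate a hex body with '??' and '*' wildcards into a bytes regex."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")          # any number of bytes
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")            # exactly one arbitrary byte
            i += 2
        elif "?" in hexsig[i:i + 2]:
            raise ValueError("nibble wildcards are not supported in this toy")
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def load_ndb(text):
    """Parse .ndb lines into (name, offset, compiled regex) tuples."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _target, offset, hexsig = line.split(":")[:4]
            sigs.append((name, offset, hex_to_regex(hexsig)))
    return sigs


def match_ndb(data, sigs):
    """Return the first signature name whose pattern occurs in `data`."""
    for name, offset, rx in sigs:
        hit = rx.search(data) if offset == "*" else rx.match(data, int(offset))
        if hit:
            return name
    return None


# Constructed signatures. EXACT is a whole-file hash of MALWARE_V1; TIGHT is the
# literal 11-byte loader sequence; LOOSE keeps only "LOADER:", four wildcard
# bytes and the "/" that follows.
EXACT_HDB = "%s:%d:Example.Exact-1" % (hashlib.md5(MALWARE_V1).hexdigest(), len(MALWARE_V1))
TIGHT_NDB = "Example.Tight-1:0:*:4c4f414445523adeadbeef"
LOOSE_NDB = "Example.Loose-1:0:*:4c4f414445523a????????2f"

HDB_SIGS = load_hdb(EXACT_HDB)
TIGHT_SIGS = load_ndb(TIGHT_NDB)
LOOSE_SIGS = load_ndb(LOOSE_NDB)


def verdicts(data):
    """Run the three signature styles over one sample."""
    return {
        "exact_hash": match_hdb(data, HDB_SIGS),
        "tight_hex": match_ndb(data, TIGHT_SIGS),
        "loose_hex": match_ndb(data, LOOSE_SIGS),
    }


if __name__ == "__main__":
    for label, sample in (("malware v1", MALWARE_V1), ("malware v2", MALWARE_V2), ("benign", BENIGN)):
        print(label, verdicts(sample))
```

The three outcomes line up with the thread: the hash and the tight hex signature both detect only the original (a false negative on the one-byte variant), and the loose signature detects both variants but also flags the benign file (a false positive). Tightening or loosening the wildcarded region moves a signature along exactly that axis.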
Re: [clamav-users] Question about ClamAV
Hello,

> is that a *technical* reason or do you *think* it's recommended for
> whatever reason

It is technical: we avoid duplicate signatures in our databases. It means every day we remove samples already detected by ClamAV.

> - as an example, SaneSecurity works just fine without the
> official stuff and the difference is hundreds of MB of uselessly wasted RAM,
> while I have not seen any relevant hit on our inbound MX caught by the
> official signatures which would have slipped through SaneSecurity

In your example you are right. On mail filtering, SaneSecurity and spam_marketing.ndb from SecuriteInfo.com are good enough to protect mailboxes, because Win32 malware is not spread by mail nowadays.

In any other case (system protection, HTTP scanning, file hosting, etc...) you have to get ClamAV official + 3rd party signatures for maximum detection.

--
Best regards,

Arnaud Jacques
SecuriteInfo.com

Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Re: [clamav-users] Question about ClamAV
Your understanding of scanning techniques is flawed at best (I believe this has been pointed out multiple times). Both techniques have issues with false positive and false negative matches. The only significant difference is how they perform against unknown threats. In that regard, heuristic scanning _may_ be able to detect the threat while it is unlikely that a signature would be able to detect it.

All of the AV vendors you've named provide signature based scanning. Some also have a behavior or heuristic based engine as well.

As Al mentioned, heuristic-based approaches are great for matching things that "might" be malicious. However, they also tend to generate false positives depending on how tight or loose their rules are. Tighter rules for what is considered 'malicious' means fewer false positives but also fewer matches. Signature based approaches have similar issues but they only work against known threats. But the more generic the signature, the more likely it is to run into false positives. Also, what *you* consider to be malware might be "just another tool" for someone else.

Having multiple engines performing behavior based analysis (heuristics) is pointless as they would need to share everything they "detect" in order to perform the analysis correctly. On the other hand, having multiple engines for signatures makes sense as you can have separate engines looking at different types of signatures or files.

Your claim regarding the detection rate is just the statistics against your collection of malware. The official databases don't seem to be aimed at the kinds of samples you're running against while Sanesecurity and SecuriteInfo databases are more closely aimed at the malware population you're testing against. If other databases work better for your workload, great. Not everyone has the same experience you do. Also, you can help improve the official databases by submitting samples that are not detected by the official signatures.

I wish you all the best with writing your own engine, but I think you'll find that it's not easy to get close to the performance that ClamAV has. Also, then you still need to write signatures that your engine can understand to look for.

On Thu, May 11, 2017 at 8:55 AM, crazy thinker wrote:
> @Al
>
> Any comments from your end on my question in the previous mail thread?
>
> On 11 May 2017 at 15:33, crazy thinker wrote:
>
>> @Al
>> Maybe my question is a stupid one.. I still have a doubt, so I want to
>> clarify myself.. Why does a heuristics scanner need a signature database when
>> the heuristics scanning technique detects malware based on behaviour?
>>
>> Can't a heuristic scanner detect malware detected by a signature-based
>> scanner? If yes, why don't we use a heuristic scanner alone in AV
> software?
>>
>> On 11 May 2017 at 14:58, Al Varnell wrote:
>>
>>> On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
>>>>
>>>> Hi ClamAV Developers, Users
>>>>
>>>> SaneSecurity and SecuriteInfo provide better virus signature database
>>>> feeds. With the help of this, we can increase the ClamAV engine detection
>>> rate
>>>> up to 80%-90%. I had already integrated the ClamAV engine with the unofficial
>>>> database (excluding the official database) in an experimental way. ClamAV
>>>> performance is better than earlier now. I want to rewrite the engine
> first
>>>> from scratch and I am looking for some guys who are willing to join to work
>>> with
>>>> me.
>>>
>>> How is performance better for you?
>>>
>>>> When I debugged the ClamAV code base, I interestingly found that ClamAV
>>>> creates 14 engine instances internally. Out of 14, only one is a
> heuristic
>>>> engine.
>>>
>>> This is really a developer question, but what are the other engines for
>>> and how can you say for certain that they are non-heuristic?
>>>
>>>> ClamAV provides both a signature-based scanner and a heuristic-based
>>> scanner.
>>>> As per my understanding, a signature-based scanner will never be involved in
>>>> false positive/false negative results.
>>>
>>> Not at all true. Signatures are being dropped daily due to reports of
>>> False Positives.
>>>
>>>> But a heuristic scanner sometimes
>>>> gives false positive/false negative results.
>>>
>>> Heuristic determinations are by their nature warnings based on a best
> guess
>>> that something can be malware. It's then up to the user to check
> further to
>>> determine whether they are or not. False positive/negative has little
>>> meaning here.
>>>
>>>> My question is: are all AV vendors including both a signature-based
>>> scanner
>>>> and a heuristic-based scanner in their software? For example, do the most
>>>> popular AV vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC do the
>>> same
>>>> thing?
>>>
>>> This is a ClamAV user forum, so it would be appropriate to ask that
>>> question elsewhere.
>>>
>>>> I had researched virus scanning techniques with the help of the Google
>>>> engine.. I came to know that heuristic scanning techniq
Re: [clamav-users] Question about ClamAV
@Arnaud.. Yes, you are right dude.. but most of the ClamAV virus signatures look like junk to me. To avoid more memory consumption, I just removed it :)

On 11 May 2017 at 19:07, Arnaud Jacques / SecuriteInfo.com < webmas...@securiteinfo.com> wrote:
> Hello,
>
>> SaneSecurity and SecuriteInfo provide better virus signature database
>> feeds. With the help of this, we can increase the ClamAV engine detection
> rate
>> up to 80%-90%. I had already integrated the ClamAV engine with the unofficial
>> database (excluding the official database) in an experimental way. ClamAV
>> performance is better than earlier now.
>
> To be clear: the signature databases provided by SecuriteInfo.com have to
> be
> used *with* the official ones from ClamAV.
>
> The aim of our signature databases is *not* to replace the official ones from
> ClamAV.
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
Re: [clamav-users] Question about ClamAV
On 11.05.2017 at 15:37, Arnaud Jacques / SecuriteInfo.com wrote:
> Hello,
>
>> SaneSecurity and SecuriteInfo provide better virus signature database
>> feeds. With the help of this, we can increase the ClamAV engine detection rate
>> up to 80%-90%. I had already integrated the ClamAV engine with the unofficial
>> database (excluding the official database) in an experimental way. ClamAV
>> performance is better than earlier now.
>
> To be clear: the signature databases provided by SecuriteInfo.com have to be
> used *with* the official ones from ClamAV.
>
> The aim of our signature databases is *not* to replace the official ones from
> ClamAV.

Not really clear: is that a *technical* reason or do you *think* it's recommended for whatever reason?

- As an example, SaneSecurity works just fine without the official stuff and the difference is hundreds of MB of uselessly wasted RAM, while I have not seen any relevant hit on our inbound MX caught by the official signatures which would have slipped through SaneSecurity.
Re: [clamav-users] Question about ClamAV
Hello,

> SaneSecurity and SecuriteInfo provide better virus signature database
> feeds. With the help of this, we can increase the ClamAV engine detection rate
> up to 80%-90%. I had already integrated the ClamAV engine with the unofficial
> database (excluding the official database) in an experimental way. ClamAV
> performance is better than earlier now.

To be clear: the signature databases provided by SecuriteInfo.com have to be used *with* the official ones from ClamAV.

The aim of our signature databases is *not* to replace the official ones from ClamAV.

--
Best regards,

Arnaud Jacques
SecuriteInfo.com

Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Re: [clamav-users] Question about ClamAV
@Al

Any comments from your end on my question in the previous mail thread?

On 11 May 2017 at 15:33, crazy thinker wrote:
> @Al
> Maybe my question is a stupid one.. I still have a doubt, so I want to
> clarify myself.. Why does a heuristics scanner need a signature database when
> the heuristics scanning technique detects malware based on behaviour?
>
> Can't a heuristic scanner detect malware detected by a signature-based
> scanner? If yes, why don't we use a heuristic scanner alone in AV software?
>
> On 11 May 2017 at 14:58, Al Varnell wrote:
>
>> On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
>>>
>>> Hi ClamAV Developers, Users
>>>
>>> SaneSecurity and SecuriteInfo provide better virus signature database
>>> feeds. With the help of this, we can increase the ClamAV engine detection
>> rate
>>> up to 80%-90%. I had already integrated the ClamAV engine with the unofficial
>>> database (excluding the official database) in an experimental way. ClamAV
>>> performance is better than earlier now. I want to rewrite the engine first
>>> from scratch and I am looking for some guys who are willing to join to work
>> with
>>> me.
>>
>> How is performance better for you?
>>
>>> When I debugged the ClamAV code base, I interestingly found that ClamAV
>>> creates 14 engine instances internally. Out of 14, only one is a heuristic
>>> engine.
>>
>> This is really a developer question, but what are the other engines for
>> and how can you say for certain that they are non-heuristic?
>>
>>> ClamAV provides both a signature-based scanner and a heuristic-based
>> scanner.
>>> As per my understanding, a signature-based scanner will never be involved in
>>> false positive/false negative results.
>>
>> Not at all true. Signatures are being dropped daily due to reports of
>> False Positives.
>>
>>> But a heuristic scanner sometimes
>>> gives false positive/false negative results.
>>
>> Heuristic determinations are by their nature warnings based on a best guess
>> that something can be malware. It's then up to the user to check further to
>> determine whether they are or not. False positive/negative has little
>> meaning here.
>>
>>> My question is: are all AV vendors including both a signature-based
>> scanner
>>> and a heuristic-based scanner in their software? For example, do the most
>>> popular AV vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC do the
>> same
>>> thing?
>>
>> This is a ClamAV user forum, so it would be appropriate to ask that
>> question elsewhere.
>>
>>> I had researched virus scanning techniques with the help of the Google
>>> engine.. I came to know that heuristic scanning techniques provide
>>> better results than traditional signature-based scanning.. Then why has
>> ClamAV
>>> not created a scanner with the heuristic scanning technique alone?
>>> Or is my thought wrong?
>>
>> Define "better." I'd have to guess that signature based scanning results
>> in an order of magnitude more detections than any current AI technique
>> being used by any vendor, but fixed signatures only work when scanning for
>> known malware. AI techniques are most useful against so called zero-day
>> malware attacks, so both techniques are necessary for complete protection.
>>
>> -Al-
>>
>>> Thanks,
>>> Crazy Thinker, Inc
Re: [clamav-users] Question about ClamAV
@Al
Maybe my question is a stupid one.. I still have a doubt, so I want to clarify myself.. Why does a heuristics scanner need a signature database when the heuristics scanning technique detects malware based on behaviour?

Can't a heuristic scanner detect malware detected by a signature-based scanner? If yes, why don't we use a heuristic scanner alone in AV software?

On 11 May 2017 at 14:58, Al Varnell wrote:
> On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
>>
>> Hi ClamAV Developers, Users
>>
>> SaneSecurity and SecuriteInfo provide better virus signature database
>> feeds. With the help of this, we can increase the ClamAV engine detection
> rate
>> up to 80%-90%. I had already integrated the ClamAV engine with the unofficial
>> database (excluding the official database) in an experimental way. ClamAV
>> performance is better than earlier now. I want to rewrite the engine first
>> from scratch and I am looking for some guys who are willing to join to work
> with
>> me.
>
> How is performance better for you?
>
>> When I debugged the ClamAV code base, I interestingly found that ClamAV
>> creates 14 engine instances internally. Out of 14, only one is a heuristic
>> engine.
>
> This is really a developer question, but what are the other engines for
> and how can you say for certain that they are non-heuristic?
>
>> ClamAV provides both a signature-based scanner and a heuristic-based scanner.
>> As per my understanding, a signature-based scanner will never be involved in
>> false positive/false negative results.
>
> Not at all true. Signatures are being dropped daily due to reports of
> False Positives.
>
>> But a heuristic scanner sometimes
>> gives false positive/false negative results.
>
> Heuristic determinations are by their nature warnings based on a best guess
> that something can be malware. It's then up to the user to check further to
> determine whether they are or not. False positive/negative has little
> meaning here.
>
>> My question is: are all AV vendors including both a signature-based
> scanner
>> and a heuristic-based scanner in their software? For example, do the most
>> popular AV vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC do the
> same
>> thing?
>
> This is a ClamAV user forum, so it would be appropriate to ask that
> question elsewhere.
>
>> I had researched virus scanning techniques with the help of the Google
>> engine.. I came to know that heuristic scanning techniques provide
>> better results than traditional signature-based scanning.. Then why has
> ClamAV
>> not created a scanner with the heuristic scanning technique alone?
>> Or is my thought wrong?
>
> Define "better." I'd have to guess that signature based scanning results
> in an order of magnitude more detections than any current AI technique
> being used by any vendor, but fixed signatures only work when scanning for
> known malware. AI techniques are most useful against so called zero-day
> malware attacks, so both techniques are necessary for complete protection.
>
> -Al-
>
>> Thanks,
>> Crazy Thinker, Inc
Re: [clamav-users] Question about ClamAV
On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
>
> Hi ClamAV Developers, Users
>
> SaneSecurity and SecuriteInfo provide better virus signature database
> feeds. With the help of this, we can increase the ClamAV engine detection rate
> up to 80%-90%. I had already integrated the ClamAV engine with the unofficial
> database (excluding the official database) in an experimental way. ClamAV
> performance is better than earlier now. I want to rewrite the engine first
> from scratch and I am looking for some guys who are willing to join to work with
> me.

How is performance better for you?

> When I debugged the ClamAV code base, I interestingly found that ClamAV
> creates 14 engine instances internally. Out of 14, only one is a heuristic
> engine.

This is really a developer question, but what are the other engines for and how can you say for certain that they are non-heuristic?

> ClamAV provides both a signature-based scanner and a heuristic-based scanner.
> As per my understanding, a signature-based scanner will never be involved in
> false positive/false negative results.

Not at all true. Signatures are being dropped daily due to reports of False Positives.

> But a heuristic scanner sometimes
> gives false positive/false negative results.

Heuristic determinations are by their nature warnings based on a best guess that something can be malware. It's then up to the user to check further to determine whether they are or not. False positive/negative has little meaning here.

> My question is: are all AV vendors including both a signature-based scanner
> and a heuristic-based scanner in their software? For example, do the most
> popular AV vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC do the same
> thing?

This is a ClamAV user forum, so it would be appropriate to ask that question elsewhere.

> I had researched virus scanning techniques with the help of the Google
> engine.. I came to know that heuristic scanning techniques provide
> better results than traditional signature-based scanning.. Then why has ClamAV
> not created a scanner with the heuristic scanning technique alone?
> Or is my thought wrong?

Define "better." I'd have to guess that signature based scanning results in an order of magnitude more detections than any current AI technique being used by any vendor, but fixed signatures only work when scanning for known malware. AI techniques are most useful against so called zero-day malware attacks, so both techniques are necessary for complete protection.

-Al-

> Thanks,
> Crazy Thinker, Inc
[clamav-users] Question about ClamAV
Hi ClamAV Developers, Users

SaneSecurity and SecuriteInfo provide better virus signature database feeds. With the help of these, we can increase the ClamAV engine detection rate up to 80%-90%. I had already integrated the ClamAV engine with the unofficial database (excluding the official database) in an experimental way. ClamAV performance is better than earlier now. I want to rewrite the engine first from scratch and I am looking for some guys who are willing to join to work with me.

When I debugged the ClamAV code base, I interestingly found that ClamAV creates 14 engine instances internally. Out of 14, only one is a heuristic engine.

ClamAV provides both a signature-based scanner and a heuristic-based scanner. As per my understanding, a signature-based scanner will never involve false positive/false negative results. But a heuristic scanner sometimes gives false positive/false negative results.

My question is: are all AV vendors including both a signature-based scanner and a heuristic-based scanner in their software? For example, do the most popular AV vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC do the same thing?

I had researched virus scanning techniques with the help of the Google engine. I came to know that heuristic scanning techniques provide better results than traditional signature-based scanning. Then why has ClamAV not created a scanner with the heuristic scanning technique alone? Or is my thought wrong?

Thanks,
Crazy Thinker, Inc
Re: [clamav-users] disabling a database
Yes, I did not mean to indicate that Spam was the only thing done with UNOFFICIALS, just that I don't believe ClamAV targets Spam.

Sent from Janet's iPad

-Al-
--
Al Varnell
Mountain View, CA

On May 11, 2017, at 12:03 AM, Steve Basford wrote:
>
> On Thu, May 11, 2017 6:40 am, Al Varnell wrote:
>> while Spam detection is all done using UNOFFICIAL sigs.
>
> Not quite: Malware, Phishing and Spam...
>
> http://sanesecurity.com/usage/signatures/
>
> And a lot of people decide the email's fate with "pam_score_maps" scoring..
>
> eg:
>
> http://sanesecurity.com/support/problems/
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
Re: [clamav-users] disabling a database
On Thu, May 11, 2017 6:40 am, Al Varnell wrote:
> while Spam detection is all done using UNOFFICIAL sigs.

Not quite: Malware, Phishing and Spam...

http://sanesecurity.com/usage/signatures/

And a lot of people decide the email's fate with "pam_score_maps" scoring..

eg:

http://sanesecurity.com/support/problems/

--
Cheers,

Steve
Twitter: @sanesecurity