On Mon, 2009-12-14 at 23:07 +0100, Yet Another Ninja wrote:
> On 12/14/2009 10:55 PM, Daniel J McDonald wrote:
> > I'd love to have the clamav unofficial signature families scored. I
> > have a fine guess as to how relevant they are, but it is just that - a
> > guess.
>
> someone, somewhere is already converting ClamAV signatures to HUGE (slow)
> rule files, forgot where I saw them. Google around...

That's not the issue. I have no problem scanning with clam and no problem associating some signature families with scores rather than blindly discarding. The issue is: how much should I trust the various sets of signatures? Although I have a fairly good feel for it based on intuition, there is nothing like a mass-check to settle the matter.

That's the issue with pulling all of the whitelists out of the scoring mix - the whitelist components are part of the mix that allows 5 points to indicate spam. And I was trying to counter the argument that we should simply rip those pieces out and expect that, when people re-assemble them piecemeal, the end result will still be 5 points for spam...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com