For performance we have to use the least number of signatures to clear an area.

For example, if we are taking on a standard Linux system, particular
directories, like the man page directory, should not contain anything
executable.   So any executable found in that location is an issue that
can be raised with the person as something to look into.   It should
really fail to the user, even if no signature exists matching it, due
to its location in the file system.

The same method can be applied to Word documents.   In every business
there will be a stack of archival documents that should not contain
macros at all.

Doing this is really adding a few more levels of signatures: one lot
of signatures that detect and reject all possible locations a virus
could hide.   Anything that gets past these signatures has to be
clean.   Even better, these signatures are tunable to allow only
particular groups of files past, at the user's selection.

This new set of signatures is the only way we can really scan and say
100 percent that there is no virus somewhere in that space.  Scanning for
the existence of macros inside a Word document has to be less than
scanning a Word document for every Word macro virus created.

We basically need to create 3 lists of files.

1. Files for which no known way to infect exists.
2. Files that have a known way to be infected but are not detected as
   containing a virus/malware.
3. Files that are infected with something.

All three types have their use.   Users being able to find types 1 and
2 in emails would allow sorting.   Type 1 could go straight through.
Type 2 could be delayed by 7 days+ so signatures could catch up,
closing the race between a virus being released and the signature to
kill it being released.    Another option is that a business might choose
to apply an outgoing filter so that they can only send non-infectable files.

Let's provide the tools for users to attempt to block viruses before we
even know what they are.


Peter Dolding
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
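
The three-list triage described in the message above, sketched as an added example; it is not part of the original post and not ClamAV code. The directory policy, the rule for what counts as having no infection vector (plain text, or a Word container without a VBA part), the "reject" action and the `signature_hit` input standing in for an ordinary signature scan are all assumptions of this sketch.

```python
import io
import zipfile

# Assumed policy values for this sketch, not ClamAV settings.
NO_EXEC_DIRS = ("/usr/share/man/",)        # locations that must hold nothing executable
EXEC_MAGIC = (b"\x7fELF", b"#!")           # ELF binaries and interpreter scripts
NO_VECTOR, HAS_VECTOR, FLAGGED = 1, 2, 3   # the three lists from the post

def zip_parts(data):
    """Lower-cased member names if data is a zip container, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return None

def is_plain_text(data):
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)

def classify(path, data, signature_hit=False):
    """Return (list_number, reason); signature_hit comes from a normal signature scan."""
    parts = zip_parts(data) or []
    is_exec = data.startswith(EXEC_MAGIC)
    has_macro = any(n.endswith("vbaproject.bin") for n in parts)
    if signature_hit:
        return FLAGGED, "signature match"
    if is_exec and path.startswith(NO_EXEC_DIRS):
        return FLAGGED, "executable in a no-exec location"   # no signature needed
    if is_exec or has_macro:
        return HAS_VECTOR, "can carry code, no signature match"
    if is_plain_text(data) or "word/document.xml" in parts:
        return NO_VECTOR, "no executable header or macro part found"
    return HAS_VECTOR, "unrecognised format, treated as infectable"  # fail closed

def mail_action(list_number):
    return {NO_VECTOR: "deliver", HAS_VECTOR: "hold 7 days", FLAGGED: "reject"}[list_number]

def sample_docx(with_macro):
    """Constructed sample: a minimal zip laid out like a .docx/.docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

Only VBA parts in zip-based Word files are checked here; legacy OLE2 `.doc` files and other active content would fall through to list 2 as unrecognised formats.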