At 8:42 AM +0100 10/16/09, Steve Basford wrote:
> > The script I use has a bit more finesse than this simple overview. I use a
> > randomizer to prevent this process from running at the same minute past
> > the hour.
>
> Note there's a *tiny* chance if the script runs at 10.07 and then 11.03,
> you'll get a temp block for an hour from some of the mirrors, depending on
> whether they have set up hourly "abuse" checks.
> > If Steve puts all his changes at the end of the file then this can be very
> > efficient. If changes are scattered around the files then not so much.
>
> 99% of the time they are all added at the end of the file now, which
> means it's much more efficient than it used to be.
> As for the databases to use, well it's up to the end user, but if I were
> only interested in malware...
>
> I'd use:
>
> phish.ndb
> rogue.hdb
> winnow_malware_links.ndb
> winnow_malware.hdb
>
> For example:
>
> Some malware in my "to look at" folder this morning...
>
> Sanesecurity only (phish.ndb/rogue.hdb)
> Scanned files: 226
> Infected files: 135
>
> Official only:
> Scanned files: 226
> Infected files: 119
>
> winnow malware didn't hit.
Just to clarify, winnow_malware.hdb is designed to detect malware
payloads. Thus, it is effective in an email system only when the
payload is attached (such as a dropper, etc.). It is also very
effective when used in file system/download checking scenarios.

winnow_malware_links.ndb is a collection of active URLs and
zeus/botnet domains used to deliver malware payloads and invoke xsite
injections, as well as hand-crafted signatures to detect links to
malware. It also contains other signatures to augment
winnow_malware.hdb to detect malware loaded on your system.
Tom
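The randomized update script and the 10.07/11.03 mirror-block problem discussed above, as an added example that is not part of this thread or of any Sanesecurity or ClamAV script: a cron wrapper that jitters its start time and also enforces a minimum interval between fetches, so two jittered runs can never land inside one hour. STATE_FILE, DB_DIR and the rsync mirror URL are placeholders to adapt locally.

```shell
#!/bin/sh
# Added example, not from the thread. Cron wrapper for fetching third-party
# ClamAV signatures that (a) sleeps a random delay so every host does not hit
# the mirrors at the same minute past the hour, and (b) refuses to fetch until
# MIN_INTERVAL has passed since the last successful fetch, so two runs cannot
# land at 10:07 and 11:03 and trip an hourly "abuse" check. Run it from cron
# more often than MIN_INTERVAL (e.g. every 15 minutes): the interval check,
# not the cron period, sets the real fetch rate. Paths/URL are placeholders.
STATE_FILE="${STATE_FILE:-/var/lib/clamav/.thirdparty-last-fetch}"
DB_DIR="${DB_DIR:-/var/lib/clamav}"
MIN_INTERVAL=3600   # seconds between fetches; matches an hourly mirror check
MAX_JITTER=1500     # random start delay in seconds; keep below the cron period
# Placeholder fetch command; point it at the mirror you are permitted to use.
FETCH_CMD="${FETCH_CMD:-rsync -a rsync://MIRROR_PLACEHOLDER/sanesecurity/ $DB_DIR/}"

# random_delay MAX: print an integer in [0, MAX) drawn from /dev/urandom.
random_delay() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( r % $1 ))
}

# interval_elapsed LAST NOW MIN: succeed (0) when NOW - LAST >= MIN or when
# there is no recorded previous run; fail (1) otherwise.
interval_elapsed() {
    [ -z "$1" ] && return 0
    [ $(( $2 - $1 )) -ge "$3" ]
}

# fetch_if_due: the cron entry point. Skips quietly when it is too soon,
# otherwise jitters, fetches, and records the time only on success.
fetch_if_due() {
    last=$(cat "$STATE_FILE" 2>/dev/null || true)
    now=$(date +%s)
    if ! interval_elapsed "$last" "$now" "$MIN_INTERVAL"; then
        echo "skip: last fetch $(( now - last ))s ago, minimum is ${MIN_INTERVAL}s"
        return 0
    fi
    sleep "$(random_delay "$MAX_JITTER")"
    if $FETCH_CMD; then
        date +%s > "$STATE_FILE"
    else
        echo "fetch failed; not updating $STATE_FILE" >&2
        return 1
    fi
}

# Fetch only when invoked as "thisscript run" from cron; sourcing does nothing.
case "${1:-}" in run) fetch_if_due ;; esac
```

After a successful fetch, have the same cron job tell clamd to reload its databases so the new signatures are actually used.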
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml