Hi Cedric,

I have a few questions/points:

- Are you writing your own zmd/rmd signatures?
- If so, have you tried using .cdb signatures? I've noticed in docs/signatures.pdf the zmd/rmd are annotated as "obsolete" and the cdb format seems to subsume, although this may not accomplish what you want it to do.
- Not the most elegant, but you could use sigtool and split up the signature database into a pattern/hash set and a container set and filter through two ClamAV instances (or just eliminate the container sigs and use a single ClamAV, if that works for your case).
- Feel free to submit feature requests to bugzilla.clamav.net
Steve

On Thu, Nov 6, 2014 at 5:27 AM, Cedric Knight <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi
>
> Like a lot of users I suspect, I use ClamAV to search within archives
> for generic filename patterns (or other characteristics) specified in
> a .zmd file. Like some, I use clamdscan through amavis and rescore
> some types of hits that conceivably might be a false positive as a
> number of spam points. Unfortunately the .zmd/.rmd file appears to
> take precedence over particular signatures, so the archive rules hit
> *instead of* detection of, for example, a specific Zeus variant.
>
> I'm all for minimising CPU usage where possible, but actually in
> combination with SpamAssassin this situation of having generic
> detection first rather than an immediate quarantine can require more
> CPU. Security is of course more of a priority, and also the current
> behaviour makes it harder to find samples that aren't detected by the
> current signatures.
>
> Is it possible to configure ClamAV to only do the archive .zmd/.rmd
> tests after other more specific tests pass OK? I was wondering
> whether to file this as a RFE.
>
> Thanks
>
> CK
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJUW00OAAoJEN5s/jLcInyIdw4QAI7+DOzA0bmadlMvgZeKZ2nr
> SmnMYiNpq/Imt/jLSDlxSuy3LYx+8ZQHfZmmGUG9bM4Ov5MSJWYc0dWdKbb2588k
> DN9PiNvLLWZg+mHvVyqjk/UkfJS7YUNK7POzXYZUxk/5jX67WVA/B/K8WYqWKuo5
> S6330gDh5SsuV3xYvjrhBSCWYS4XgAq+lnfN6cp5zUhOyQLnt/unSbGvSzW84/X6
> 4dbiiSLeCuva8LOxwFb+qbE9H6WuLt9l8FnFII9nzGOF1LvGGHIgIuaIKu6g/E0w
> 5mQuZzImtByu73X7nGztEv/MFI3dzgyoYPhtZ94cmlWD9Qm6rF4NkVy9CDzjr2T4
> sWxuvxUJ5sZPZnoQGxQz5hNK2J06uWG5rk3bkAbo+RtboJMMRm+TQdZF6hUy0R+y
> 5sqa3jj4ZAOjNYyXXmRUOhPjwbUmyCPZIrnETuR9oi2/lVsjZ56eCAn2o5w0s69r
> hCJNfcRFZn4EOW6NNtBQr+ytrLKyJsNNW/ZX2km+AXW09JRh42xElisq7DddxQl5
> IOYp54BtQWueXiXRTbRQY/AvJK4JlWBtUQhLuJkkaRBmqEycnN+A/n3j/saPujFw
> Vc61YacHUJ1z1uOFvvLlxai9wX/YsE8m1oVd4w2RdTTc4l6QbxbW24gMRoA868XL
> f0uEYfRFMAGPADzgfXvS
> =eWDZ
> -----END PGP SIGNATURE-----
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
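Steve's second suggestion (split the signature database into a container set and a pattern/hash set, and point a separate clamd at each) can be scripted. The script below is an added example; it is not code from either poster or from the ClamAV project. It assumes that the split can be made on file extension alone (.zmd, .rmd and .cdb carry container-metadata rules; everything else is a pattern, hash or bundled database), that a bundled .cvd/.cld is unpacked with `sigtool --unpack` beforehand if its container entries are to be separated out, and that the generated clamd.conf only needs the DatabaseDirectory, LocalSocket, LogFile and PidFile directives. The sample signature files, the one .cdb rule and the socket paths are constructed placeholders, not real signatures.

```shell
#!/bin/sh
# Added example (not ClamAV project code): split a signature directory into a
# "container" set (.zmd/.rmd/.cdb archive-metadata rules) and a "pattern" set
# (.ndb/.ldb/.hdb/.hsb/.cvd/.cld and anything else), then write one clamd.conf
# per set so each can be served by its own clamd instance.
# ASSUMPTION: classification is by file extension only. A .cvd/.cld bundle is
# copied whole to the pattern set; run `sigtool --unpack FILE` first if its
# container entries should be separated as well.
set -eu

is_container_sig() {
    # 0 (true) when the file name carries a container-metadata extension.
    case "$1" in
        *.zmd|*.rmd|*.cdb) return 0 ;;
        *)                 return 1 ;;
    esac
}

split_sigdb() {
    # $1 = source dir, $2 = destination for container sigs, $3 = destination for pattern sigs
    src=$1; cdir=$2; pdir=$3
    mkdir -p "$cdir" "$pdir"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        if is_container_sig "$f"; then
            cp "$f" "$cdir/"
        else
            cp "$f" "$pdir/"
        fi
    done
}

write_clamd_conf() {
    # $1 = database dir, $2 = local socket path, $3 = output file.
    # Only real clamd.conf directives are emitted.
    cat > "$3" <<EOF
DatabaseDirectory $1
LocalSocket $2
LogFile $1.log
PidFile $1.pid
EOF
}

count_files() {
    # Number of entries in a directory (0 for an empty one).
    ls -1 "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed sample directory; the files are placeholders.
WORK=$(mktemp -d)
mkdir -p "$WORK/all"
# Shape follows the .cdb field layout (VirusName:ContainerType:ContainerSize:
# FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2);
# the rule itself is a constructed placeholder, not a production signature.
printf '%s\n' 'Sample.Archive.ExeInZip:CL_TYPE_ZIP:*:.*\.exe:*:*:*:*:*:*' > "$WORK/all/custom.cdb"
: > "$WORK/all/custom.zmd"
: > "$WORK/all/custom.ndb"
: > "$WORK/all/custom.hdb"

split_sigdb "$WORK/all" "$WORK/container" "$WORK/pattern"
write_clamd_conf "$WORK/pattern"   "$WORK/clamd-pattern.sock"   "$WORK/clamd-pattern.conf"
write_clamd_conf "$WORK/container" "$WORK/clamd-container.sock" "$WORK/clamd-container.conf"
echo "container sigs: $(count_files "$WORK/container"), pattern sigs: $(count_files "$WORK/pattern")"
echo "configs written to $WORK/clamd-pattern.conf and $WORK/clamd-container.conf"
```

Start one clamd per generated config and have amavis (or a wrapper) call `clamdscan --config-file=<pattern conf>` first; only a clean result from the pattern instance needs to be passed on to the container instance. That gives the ordering Cedric asked for, at the cost of a second scan for clean mail, and keeps the specific-signature hit (and its quarantine) ahead of the generic archive rule.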
