On Wed, October 14, 2015 9:45 am, Gene Heskett wrote:
> I am with rajesh on this. clamav's hit rate, and I run every incoming
> mail past it, is disgustingly poor at detecting this stuff. I have fed 500
> or more of these *^%$ .zip or .doc attachments to sa-learn spam, probably
> poisoning its database since the last actual hit by clamav, which was on
> Sept 8th. I'll see if this improves the hit rate, because
> it has never been even acceptably accurate and has become very poor these
> days.
In fairness to ClamAV, lots of AVs have poor hit rates. Here's a sample I received 8 hours ago:

https://www.virustotal.com/en/file/bb35fa3b86bef9b8ede7bb1690c8aaf486405392538a8f9edff2195158f73e2c/analysis/1444814562/

Currently: 4 out of 54 scanners find it (this was 8 hours later).

It was automatically added to rogue.hdb (within the hour of receiving it):

Sanesecurity.Rogue.0h.20151014-0350 (Shipment_Advice.zip)

Obviously this would have been blocked by foxhole_all.cdb and/or the sigs posted earlier, if you aren't too bothered about FPs.

Hop over to the Sanesecurity list if people are still having issues with the 3rd-party sigs catching things:

http://sanesecurity.com/support/mailing-list/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
