On Thursday 29 December 2016 07:06:38 Groach wrote:

> On 29/12/2016 09:32, Reindl Harald wrote:
> > Am 29.12.2016 um 10:21 schrieb Reindl Harald:
> >> state of the official signatures is that clamav don't catch many
> >> real malware all over the time without sanesecurity 3rd party
> >> signatures and the official
> >
> > given how much memory the instance with the official signatures i
> > am going so far to say that i would love to be able to *completely*
> > exclude "daily.cld", "daily.cvd" and "main.cvd" and only update
> > "safebrowsing.cvd" and just keep the few sanesecurity signatures in
> > the clamd-instance which is allowed to reject directly via milter
>
> I couldn't agree more. Clam sigs have *never* caught a single threat -
> in many cases many MANY months after the threat had been and gone (I
> have documented evidence if anyone cares to read it). The only thing
> Clam has ever done is 'catch' false positives (yes, I mean "ONLY") -
> so much so that I have been forced to turn off quarantine/action upon
> threat and put it into REPORT MODE only.  If I could exclude the Clam
> default signatures and just continue to use Sane then I would and then
> I could turn back on quarantining to make our systems safe again.  The
> irony is that Sane has been tested and proven by me to be the best
> Zero hour threat detector and that's why I have chosen it (even against
> all the big commercial boys)  but it's built on and uses the Clam
> engine - yet it's the default Clam signatures that stop me keeping my
> system safe despite Sane doing its work properly. (It's like Sane being
> employed by the police and telling the police of the intruder but the
> police not doing anything about it because they would simply go about
> arresting the intruder and even the innocent premises owners and
> general public. Answer: don't tell the police and just write it down
> instead.)
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
I don't enjoy piling on in the middle of a fight, but the catch times as 
logged here, are very revealing. Only on incoming mail does a catch 
result in its being quarantined by sending it to /var/spool/mail/virii.
But the date on that file's creation was June 6th. And I've tried every
way to make ls show me last mod time, and it stubbornly remains June
6th.  About 117 kilobytes.

clamscan says it's:
/var/spool/mail/virii: Win.Worm.Mydoom-90 FOUND

So either my ISP is doing a great job of black-holing questionable
stuff, or 10,000 emails have been deleted by me without reading them.
And I've done a hell of a lot of that.

It seems to me, with all this hoorah about viri about in the wild, I 
ought to be getting hit more often than nearly 7 months ago.

My $0.02.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>