On 11/7/2018 1:24 PM, Kris Deugau wrote:
> I use a combination of adding local signatures (mainly hashes for "random-executable-inna-archive") and selected signatures from a number of third parties to the stock set in a "primary" Clam instance that's an absolute yes/no check, and using only things like the Heuristics.Spoofdomain test and a selection of riskier local and third-party signatures in a second instance called from SA and scored according to the signature (or signature group).
I call ClamAV from MIMEDefang before invoking SA. I use the "unofficial sigs" package (available as an RPM via yum for Red Hat systems) for much better detection.
https://sourceforge.net/projects/unofficial-sigs/
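As an added example (not code from this thread, from ClamAV or from MIMEDefang), here is a Python sketch of the two-instance decision Kris describes: the primary clamd is an absolute yes/no, and a hit from the second instance is mapped to a score by signature name or group prefix. The ports, the score table and every signature name except Heuristics.Spoofdomain are assumptions; clamd_scan speaks clamd's zINSTREAM protocol, while parse_reply, score_signature and decide run offline on constructed replies.

```python
import socket
import struct

# Constructed scoring table: signature name or group prefix -> score added in SA.
# A longer (more specific) prefix wins over its group, so Heuristics.Spoofdomain
# outscores the generic Heuristics. group it belongs to.
GROUP_SCORES = {
    "Heuristics.Spoofdomain": 3.0,   # the one test named in the thread
    "Heuristics.": 1.5,              # assumed group score
    "Sanesecurity.": 2.0,            # assumed third-party group score
}
DEFAULT_SCORE = 1.0

def clamd_scan(raw_bytes, host="127.0.0.1", port=3310, chunk=8192):
    """Stream a raw message to one clamd instance with zINSTREAM (NUL-terminated)."""
    with socket.create_connection((host, port)) as s:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(raw_bytes), chunk):
            part = raw_bytes[i:i + chunk]
            s.sendall(struct.pack("!I", len(part)) + part)  # length-prefixed chunk
        s.sendall(struct.pack("!I", 0))                     # zero-length chunk ends stream
        reply = b""
        while not reply.endswith(b"\0"):
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return reply.decode(errors="replace").rstrip("\0\n")

def parse_reply(reply):
    """'stream: <Name> FOUND' -> <Name>; 'stream: OK' -> None; anything else is an error."""
    body = reply.split(":", 1)[1].strip() if ":" in reply else reply.strip()
    if body.endswith(" FOUND"):
        return body[:-len(" FOUND")]
    if body == "OK":
        return None
    raise RuntimeError("unexpected clamd reply: %r" % reply)

def score_signature(name):
    """Pick the longest matching prefix from GROUP_SCORES, else the default score."""
    best = max((p for p in GROUP_SCORES if name.startswith(p)), key=len, default=None)
    return GROUP_SCORES[best] if best else DEFAULT_SCORE

def decide(primary_reply, secondary_reply):
    """Primary hit -> reject outright; secondary hit -> score it; otherwise clean."""
    hit = parse_reply(primary_reply)
    if hit:
        return ("reject", hit, None)
    hit = parse_reply(secondary_reply)
    if hit:
        return ("score", hit, score_signature(hit))
    return ("clean", None, 0.0)
```

In a live filter, decide(clamd_scan(msg, port=3310), clamd_scan(msg, port=3311)) would be called once per message, with the two ports pointing at the strict and the scored clamd instances.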