
Re: [clamav-users] False Positive rule set of Snort- on clamd-0.97.3-3 G.W. Haywood Thu Feb 09 04:00:29 2012

Hi there,

On Wed, 8 Feb 2012, Joel Esler wrote:

We're looking into a solution for this.

A simple solution would be to encrypt the database (even when it's in
memory) and have the scanning engine be able to decrypt it on the fly.
It wouldn't _have_ to take forever. :(

Chuck Swiger wrote:

Oh, sure...when this issue was first noticed, anti-virus providers
started doing things like obfuscating or encrypting the malware
signatures.  However, since malware generally also tries to conceal
itself, anti-virus software tries to un-obfuscate stuff (with
varying degrees of success).  It's a circumstance where you can
chicken-and-egg indefinitely.

I'm not convinced that a PATTERN which matches a virus 'signature' must
necessarily trigger the detection of the signature by another scanner.
For example "[Vv][iI][Rr][uU][Ss]" matches "Virus" but it doesn't look
even remotely like it.  Maybe I haven't had enough chocolate today and
I don't understand the problem well enough...

Or you can simply decide to not quarantine or delete filesystem
locations containing malware signatures.

Giving malicious software a convenient place to stay? :)
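
The point argued above, as an added example that is not part of the original message: a signature stored as a pattern, or masked in the database, need not contain the literal bytes that a second scanner looks for. The marker, the function names and the XOR key are constructed for illustration, and XOR masking stands in for the encryption suggested in the thread.

```python
import re

# Constructed, harmless marker standing in for a malware byte signature.
MARKER = b"Constructed-Test-Marker"
SIGNATURES = {"Test.Marker": MARKER}

def naive_scan(data, signatures=SIGNATURES):
    """Second scanner: flags any data containing a signature's literal bytes."""
    return sorted(name for name, sig in signatures.items() if sig in data)

def as_class_pattern(sig):
    """Store a signature as a pattern, e.g. b'Vi' -> b'[Vv][Ii]'.
    Note: this form also matches other case variants of the signature."""
    out = b""
    for byte in sig:
        ch = bytes([byte])
        if ch.isalpha():
            out += b"[" + ch.upper() + ch.lower() + b"]"
        else:
            out += re.escape(ch)
    return out

def xor_mask(data, key=0x5A):
    """Reversible masking of the stored database (a stand-in, not real encryption)."""
    return bytes(b ^ key for b in data)

def pattern_scan(data, db_pattern):
    """First scanner matching with the pattern form of its database."""
    return re.search(db_pattern, data) is not None

def masked_scan(data, masked_db, key=0x5A):
    """First scanner unmasking its database on the fly before matching."""
    return xor_mask(masked_db, key) in data

sample = b"header " + MARKER + b" trailer"   # file that should be detected
raw_db = b"Test.Marker=" + MARKER            # database storing the literal bytes
pattern_db = as_class_pattern(MARKER)        # database storing a pattern
masked_db = xor_mask(MARKER)                 # database storing masked bytes

if __name__ == "__main__":
    for label, db in (("raw", raw_db), ("pattern", pattern_db), ("masked", masked_db)):
        print(f"{label:8s} database flagged by second scanner: {naive_scan(db)}")
    print("pattern form still detects sample:", pattern_scan(sample, pattern_db))
    print("masked form still detects sample: ", masked_scan(sample, masked_db))
```

Only the raw database is flagged by the second scanner, while both alternative storage forms still detect the sample.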

