Mailing List Archive

[clamav-users] Scanning files with ClamAV on Windows
Hi all,

I plan to set up some ClamAV instances on Windows Servers to scan some
office documents and other files.
So helping the other scanner which is already installed and to see if it
is missing a virus.

I have just some stupid questions :-) :
Which signatures to use?
The default ones that come with the example config?
Any config I should take a look at?
As far as I have seen ClamAV isn't scanning the whole file just a part
of it.
Do viruses sit at a special point of a file or do traces of them exist
at special spots?

Greetings and thanks for helping. It is very appreciated.

Simon

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Scanning files with ClamAV on Windows
Hi there,

On Wed, 22 Apr 2020, Simon Eigeldinger wrote:

> I plan to set up some ClamAV instances on Windows Servers to scan some office
> documents and other files.

If I were going to scan files for Windows malware, I wouldn't use a
Windows box to scan them - but that's up to you.

> So helping the other scanner which is already installed and to see
> if it is missing a virus.

I'd expect you'd have more luck if you used the other scanner to see
what was missed by ClamAV.

> I have just some stupid questions :-) :

They're not stupid, but they do really only scratch the surface.

> Which signatures to use?
> The default ones that come with the example config?

Any that you can get hold of. There are a lot of them about. The
Sanesecurity signatures get a good press but I use them to fight spam
rather than protect against malware. I personally think that if you
can find malware on a machine, it's already too late to be looking.

> Any config I should take a look at?

There's a lot of documentation, you should read it.

> As far as I have seen ClamAV isn't scanning the whole file just a
> part of it. Do viruses sit at a special point of a file or do
> traces of them exist at special spots?

It's not really like that. Drink deep, or taste not...

ClamAV needs to know something about the different types of files, so
it can do a better job of scanning, and there's an upper limit to the
amount of data that ClamAV will scan in any event. There have been
discussions about it on this list, please spend some quality time with
the archives.

--

73,
Ged.
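
Added example (not part of the message above, and not ClamAV project code): a check for the size limit Ged mentions, listing files larger than `MaxFileSize`, which ClamAV does not scan. The config text and its values are constructed for illustration; the option names are those used in clamd.conf.

```python
import re
import sys
from pathlib import Path

# Constructed clamd.conf fragment; the values are illustrative only.
SAMPLE_CONF = """\
# Files larger than this are not scanned at all.
MaxFileSize 25M
# Cap on the data scanned per input file, including unpacked content.
MaxScanSize 100M
# Report files that hit a limit instead of passing them silently.
AlertExceedsMax yes
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text):
    """Convert a clamd.conf size such as '25M' or '512k' to bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text.strip().upper())
    if not m:
        raise ValueError(f"not a size value: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_limits(conf_text):
    """Return the size limits (in bytes) set in clamd.conf-style text."""
    limits = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("MaxFileSize", "MaxScanSize"):
            limits[parts[0]] = parse_size(parts[1])
    return limits


def files_over_limit(root, max_file_size):
    """List (path, size) for files under root that exceed max_file_size bytes.

    A value of 0 disables the limit in ClamAV, so nothing is reported.
    """
    if max_file_size == 0:
        return []
    sizes = ((str(p), p.stat().st_size) for p in Path(root).rglob("*") if p.is_file())
    return sorted(item for item in sizes if item[1] > max_file_size)


if __name__ == "__main__":
    cap = parse_limits(SAMPLE_CONF)["MaxFileSize"]
    for path, size in files_over_limit(sys.argv[1] if len(sys.argv) > 1 else ".", cap):
        print(f"{size:>12}  {path}")
```

If `MaxFileSize` is not set in your config, the built-in default of the installed ClamAV version applies, so pass that value instead.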

Re: [clamav-users] Scanning files with ClamAV on Windows
Hello,


>> Which signatures to use?
>> The default ones that come with the example config?
>
> Any that you can get hold of.  There are a lot of them about.  The
> Sanesecurity signatures get a good press but I use them to fight spam
> rather than protect against malware.  I personally think that if you
> can find malware on a machine, it's already too late to be looking.

According to
https://www.securiteinfo.com/attaques/hacking/stats_malwares_internet.shtml
(updated daily), ClamAV official detects 10% of daily malware,
SaneSecurity detects 10% of daily malware, SecuriteInfo.com detects 93%
of daily malware.

SaneSecurity is very good and very reliable at detecting spam, or malware
in mail flow (exe in zip, js in zip ...). But SecuriteInfo.com is the
best at detecting malware files.

I personally recommend SecuriteInfo.com signatures for malware hunting:

https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml?lg=en

--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: aj@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois

Re: [clamav-users] Scanning files with ClamAV on Windows
Hi,

Thanks for writing back.
Will have a look at the documentation and at the archive.

Greetings,
Simon



On 22.04.2020 at 01:48, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 22 Apr 2020, Simon Eigeldinger wrote:
>
>> I plan to set up some ClamAV instances on Windows Servers to scan some
>> office documents and other files.
>
> If I were going to scan files for Windows malware, I wouldn't use a
> Windows box to scan them - but that's up to you.
>
>> So helping the other scanner which is already installed and to see
>> if it is missing a virus.
>
> I'd expect you'd have more luck if you used the other scanner to see
> what was missed by ClamAV.
>
>> I have just some stupid questions :-) :
>
> They're not stupid, but they do really only scratch the surface.
>
>> Which signatures to use?
>> The default ones that come with the example config?
>
> Any that you can get hold of.  There are a lot of them about.  The
> Sanesecurity signatures get a good press but I use them to fight spam
> rather than protect against malware.  I personally think that if you
> can find malware on a machine, it's already too late to be looking.
>
>> Any config I should take a look at?
>
> There's a lot of documentation, you should read it.
>
>> As far as I have seen ClamAV isn't scanning the whole file just a
>> part of it.  Do viruses sit at a special point of a file or do
>> traces of them exist at special spots?
>
> It's not really like that.  Drink deep, or taste not...
>
> ClamAV needs to know something about the different types of files, so
> it can do a better job of scanning, and there's an upper limit to the
> amount of data that ClamAV will scan in any event.  There have been
> discussions about it on this list, please spend some quality time with
> the archives.
>
