On Wed, Nov 2, 2011 at 11:41 PM, Grant Sewell wrote:

> Anyway, as has already been mentioned, one of the big players in the
> Linux anti-virus field is ClamAV. I personally prefer it to others
> because of their principle behind how to identify a virus. It seems
> that many anti-virus developers took the route of waiting until a
> significant number of cases were reported before declaring that XYZ is
> a virus and adding it to their virus database. As I understand it,
> ClamAV take the opposite approach and will add things to their database
> at the drop of a hat, but if it subsequently turns out to be a false
> positive, it gets removed from the database at the drop of a hat too.

It's a bit more complicated than that. A lot of malware is detected based on its heuristics: if it does something bad, it is blocked. Which is the only way really, what with 70k new malware samples being discovered every day; you simply can't rely on a database.

Of course, a lot of malware is detected because it has been added to a malware database. The proper way to add it is not to wait until you've received x samples, but to receive one sample, check its behaviour (in a sandbox, for instance) and then add it if it does something bad.

I don't know about ClamAV, but if it does what you say it does, it's going to cause a lot of false positives. Which may not be a big problem if you run it to scan email attachments, but is not what you'd want for a desktop scanner.

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq