Hi,

>> Yes, I'm using all the third-party sigs, including sanesecurity, but
>> they are still getting through.
>>
> Hi Alex,
>
> What types are getting through JavaScript or docs etc.

JavaScript (.js files) is rejected outright. I don't have any examples, particularly of the cryptolocker type, but it's what customers are complaining about. It's almost always Word documents. I also don't always get the feedback from the users on the specific Word documents that were missed, only that their desktop was compromised. I hate to have to completely block macros because a better solution doesn't exist.

One customer recently did an eval with another company that used F-Secure, and it continually outperformed clamav with blocking macro viruses that would otherwise have been missed. It made us look real bad.

> What dbs are you using ?

Here is the full list:

badmacro.ndb
blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
bytecode.cld
crdfam.clamav.hdb
daily.cld
foxhole_filename.cdb
foxhole_generic.cdb
foxhole_js.cdb
hackingteam.hsb
javascript.ndb
junk.ndb
jurlbla.ndb
jurlbl.ndb
lott.ndb
main.cvd
malwarehash.hsb
malwarepatrol.ndb
mirrors.dat
phish.ndb
phishtank.ndb
porcupine.hsb
porcupine.ndb
rogue.hdb
safebrowsing.cld
sanesecurity.ftm
scamnailer.ndb
scam.ndb
securiteinfoascii.hdb
securiteinfo.hdb
securiteinfohtml.hdb
securiteinfo.ign2
sigwhitelist.ign2
spamattach.hdb
spamimg.hdb
spam.ldb
spearl.ndb
spear.ndb
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow.complex.patterns.ldb
winnow_extended_malware.hdb
winnow_extended_malware_links.ndb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
