
Clarification on databases #4

Open
extremeshok opened this issue Mar 16, 2017 · 2 comments

Comments

@extremeshok

Hi

Please could you clarify the following, as I would like to include them in the latest version of the clamav-unofficial-sigs

MiscreantPunch099-Low.ldb, low false positive for usage with clamav 0.99+ (yara)

miscreantpunch.hdb, false positive is low, medium, high ? Only use for clamav 0.98 and lower?

miscreantpunch099.ldb, false positive is medium, high ? can this be used with MiscreantPunch099-Low.ldb ?

Thanks

@extremeshok

Have I missed/omitted any other database files?

@malwareforme

malwareforme commented Mar 17, 2017

Hi,

MiscreantPunch099-Low.ldb, low false positive for usage with clamav 0.99+ (yara)

This is currently being used for distribution elsewhere and is designed for wide distribution across many environments. It has a "Low" FP rate.

miscreantpunch.hdb, false positive is low, medium, high ? Only use for clamav 0.98 and lower?

This would be considered "Low" FP rate, as it just hashes of known evil stuff. This can be used in any clam version.

miscreantpunch099.ldb, false positive is medium, high ? can this be used with MiscreantPunch099-Low.ldb ?

miscreantpunch099.ldb and MiscreantPunch099-Low.ldb are very very similar. MiscreantPunch099-Low.ldb is designed for widespread distribution and miscreantpunch099.ldb is nearly identical, just less housekeeping compared to MiscreantPunch099-Low.ldb. I would suggest only distributing MiscreantPunch099-Low.ldb.

Have I missed/omitted any other database files?

I would consider adding MiscreantPunch099-INFO-Low.ldb, which is more of "low/medium" level of FPs. This ruleset contains informational sigs (read as: not always malicious) but could be useful.

Please do not hesitate to reach out with any other questions or concerns!
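The answer above turns on which ClamAV engine can load each database: hash signatures (.hdb) load on any version, while logical signatures (.ldb) can carry an `Engine:min-max` functionality-level (FLEVEL) range in their target description block that older engines will not satisfy. The example below is added here and is not code from this issue, from MiscreantPunch, or from clamav-unofficial-sigs. It parses small constructed .hdb and .ldb fragments (not the real MiscreantPunch content; the hashes and hex patterns are made up, apart from the EICAR test hash) and reports which signatures an engine at a given FLEVEL would load. The FLEVEL values used (77 for a pre-0.99 engine, 81 for 0.99) are assumptions for illustration; check the FLEVEL of the engine you actually ship against before trusting the result.

```python
import re
from dataclasses import dataclass

# Constructed sample databases standing in for real .hdb/.ldb files.
# Hashes and patterns are illustrative, not real MiscreantPunch signatures.
SAMPLE_HDB = """\
# .hdb: MD5:FileSize:MalwareName[:MinFL[:MaxFL]]
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
d41d8cd98f00b204e9800998ecf8427e:0:Sample.EmptyFile.UNOFFICIAL
"""

SAMPLE_LDB = """\
# .ldb: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
Sample.AnyEngine;Target:0;0&1;4d5a;50450000
Sample.Needs099;Target:0,Engine:81-255;0|1;7b226b6579;2f6d6973637265616e74
Sample.LegacyOnly;Target:0,Engine:51-80;0;4d5a9000
"""


@dataclass
class Signature:
    name: str
    kind: str             # "hash" or "logical"
    min_flevel: int = 0   # engine FLEVEL range required to load the signature
    max_flevel: int = 255

    def loadable_by(self, flevel: int) -> bool:
        return self.min_flevel <= flevel <= self.max_flevel


def parse_hdb(text: str) -> list:
    """Parse .hdb lines (MD5:size:name, optional :MinFL:MaxFL); reject malformed entries."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"hdb line {lineno}: expected hash:size:name")
        md5, size, name = parts[0], parts[1], parts[2]
        if not re.fullmatch(r"[0-9a-fA-F]{32}", md5):
            raise ValueError(f"hdb line {lineno}: {name!r} has a non-MD5 hash")
        if size != "*" and not size.isdigit():
            raise ValueError(f"hdb line {lineno}: bad file size {size!r}")
        min_fl = int(parts[3]) if len(parts) > 3 and parts[3] else 0
        max_fl = int(parts[4]) if len(parts) > 4 and parts[4] else 255
        sigs.append(Signature(name, "hash", min_fl, max_fl))
    return sigs


def parse_ldb(text: str) -> list:
    """Parse .ldb lines and pull the Engine:min-max range out of the target description block."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"ldb line {lineno}: need name;tdb;expr;subsig...")
        name, tdb, expr, subsigs = fields[0], fields[1], fields[2], fields[3:]
        if not expr or any(not s for s in subsigs):
            raise ValueError(f"ldb line {lineno}: {name!r} has an empty expression or subsig")
        min_fl, max_fl = 0, 255
        for token in filter(None, tdb.split(",")):
            key, _, value = token.partition(":")
            if key == "Engine":
                lo, _, hi = value.partition("-")
                min_fl = int(lo)
                max_fl = int(hi) if hi else 255
        sigs.append(Signature(name, "logical", min_fl, max_fl))
    return sigs


def loadable_names(sigs, flevel: int) -> list:
    return [s.name for s in sigs if s.loadable_by(flevel)]


def skipped_names(sigs, flevel: int) -> list:
    return [s.name for s in sigs if not s.loadable_by(flevel)]


if __name__ == "__main__":
    sigs = parse_hdb(SAMPLE_HDB) + parse_ldb(SAMPLE_LDB)
    for label, flevel in (("pre-0.99 (assumed FLEVEL 77)", 77), ("0.99 (assumed FLEVEL 81)", 81)):
        print(f"{label}: loads {loadable_names(sigs, flevel)}; skips {skipped_names(sigs, flevel)}")
```

Running the script on real files before adding them to a distribution config gives a quick answer to the "0.98 and lower?" question: a database whose signatures all carry `Engine:81-255` is useless to an older engine, while a pure .hdb loads everywhere, which matches the answer above. The FP rating is a separate property that this check cannot measure; that still needs a scan against a known-clean corpus.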
