edwin at clamav
Feb 13, 2012, 3:13 AM
Post #3 of 3
On 02/13/2012 12:57 PM, Henri Salo wrote:
> On Mon, Feb 13, 2012 at 05:04:34AM -0500, Michael Richards wrote:
>> Do the sigmakers just waste their time sifting through tons of
>> duplicate submissions?
> I sure hope not. I am more than happy to help create a faster "process" for this if the ClamAV guys can tell what they need, or at least the old system should be documented somehow. Why not create this as open-source :) If I am correct, the duplicates mostly come from big av-check sites. They send reports with old signatures and/or when they send the file it is not in fact known, but it is known when the ClamAV guys start to add the signature.
The duplicate submissions are not bit-to-bit identical.
Bit-to-bit identical submissions are thrown away/merged automatically early in the process, and they don't get reported to clamav-virusdb@.
Same with files that are already detected by ClamAV.
The duplicates ("Same as") mean that ClamAV detects them _now_ with the same virusname, but at the time of the submission they were not detected at all.
It is easy to see why this could happen:
- if it is a file infector then we get a unique submission for each file it infected. It is still the same malware, and if a signature gets added to detect one particular instance of the infection then the other infected files should get detected as well
- if it is a polymorphic virus then each instance is unique, and depending on how good the signature is it may detect many instances of the malware with the same virus name
- the signature might be generic, so it detects more than one malware under the same name
- ... etc.
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
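The triage flow described in the reply above, replayed as an added example (not ClamAV's own code): bit-identical submissions collapse by hash, already-detected files are dropped, and the remaining samples are re-scanned once a signature is added, which is when byte-wise unique infected files turn into "Same as" duplicates. The hex-pattern signature matcher, the signature name and the sample bytes are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class SigDB:
    """Stand-in for a ClamAV body-signature database: name -> plain hex
    pattern (no wildcards or offsets; constructed for this example)."""
    sigs: dict = field(default_factory=dict)

    def detect(self, data: bytes):
        """Return the name of the first signature found in data, else None."""
        for name, hexpat in self.sigs.items():
            if bytes.fromhex(hexpat) in data:
                return name
        return None


def triage(submissions, db):
    """Early filtering: merge exact duplicates, drop already-detected files.
    Returns the (sha256, data) pairs that reach the sigmakers' queue."""
    seen, queue = set(), []
    for data in submissions:
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            continue          # bit-to-bit identical: merged, never reported
        seen.add(digest)
        if db.detect(data):
            continue          # already detected by the current DB
        queue.append((digest, data))
    return queue


def report_after_update(queue, db):
    """Re-scan queued samples after a signature update; entries that now
    resolve to a name are the 'Same as' duplicates from the post."""
    return {digest: db.detect(data) for digest, data in queue}


# Constructed samples: a shared payload stub inside different host files,
# one exact resubmission, and one unrelated file. Not real malware bytes.
STUB = bytes.fromhex("e8000000005b81eb")
SAMPLES = [b"hostA" + STUB + b"\x01", b"hostB" + STUB + b"\x02",
           b"hostA" + STUB + b"\x01", b"clean file with no stub"]

if __name__ == "__main__":
    db = SigDB()
    queue = triage(SAMPLES, db)                      # 3 unique, undetected samples
    db.sigs["Example.Infector-1"] = STUB.hex()       # sigmaker adds one signature
    print(report_after_update(queue, db))            # two now 'Same as', one still None
```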