Mailing List Archive: ClamAV: users

Time to add a new virus?



hackish at gmail

Feb 13, 2012, 2:04 AM

Post #1 of 3 (362 views)
Time to add a new virus?

Hi everyone,

I was wondering if anyone could give their review of how long it takes
to have a new virus added to the database?
Is there something that can be done to speed up the process?
I notice on the virusdb updates list most submissions are duplicates.
Do the sigmakers just waste their time sifting through tons of
duplicate submissions?
How about a tracking system when you submit a file?

I've used the web submit option a number of times and checked back to
see that a virus was added but without any results. I encounter a
large number of viruses each month as I run a large mail system.
Whenever a new threat begins I typically start seeing it at the
mailserver first. I've found that Norton has taken a number of my
submissions and generally released updates within hours of the new
virus being submitted. I respect the fact that clamav is free and
everyone has a day job but more than a week after the bbb email virus
came out it still hasn't been added and my mailserver has recorded
more than 100,000 instances (so it's not some rare email virus). This
is not the first time this has happened. For example the dhl virus I
submitted over a month ago was never added. I finally added a script
to load some non-official virus sigs which catches a few more but the
official database updates seem to be going a little slow.

-Michael
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


henri at nerv

Feb 13, 2012, 2:57 AM

Post #2 of 3 (357 views)
Re: Time to add a new virus? [In reply to]

On Mon, Feb 13, 2012 at 05:04:34AM -0500, Michael Richards wrote:
> Do the sigmakers just waste their time sifting through tons of
> duplicate submissions?

I sure hope not. I am more than happy to help create a faster "process" for this if the ClamAV guys can tell what they need, or at least the old system should be documented somehow. Why not create this as open-source :) If I am correct, the duplicates mostly come from big av-check sites. They send reports with old signatures and/or when they send the file it is not in fact known, but it is known when the ClamAV guys start to add the signature.

> How about a tracking system when you submit a file?

In my opinion these could help.

https://bugzilla.clamav.net/show_bug.cgi?id=1969
https://bugzilla.clamav.net/show_bug.cgi?id=4335

> I've used the web submit option a number of times and checked back to
> see that a virus was added but without any results. I encounter a
> large number of viruses each month as I run a large mail system.
> Whenever a new threat begins I typically start seeing it at the
> mailserver first. I've found that Norton has taken a number of my
> submissions and generally released updates within hours of the new
> virus being submitted. I respect the fact that clamav is free and
> everyone has a day job but more than a week after the bbb email virus
> came out it still hasn't been added and my mailserver has recorded
> more than 100,000 instances (so it's not some rare email virus). This
> is not the first time this has happened. For example the dhl virus I
> submitted over a month ago was never added. I finally added a script
> to load some non-official virus sigs which catches a few more but the
> official database updates seem to be going a little slow.

This is also a reason that I have heard in the field for not taking ClamAV as a mail-filtering product to a company.

- Henri Salo


edwin at clamav

Feb 13, 2012, 3:13 AM

Post #3 of 3 (357 views)
Re: Time to add a new virus? [In reply to]

On 02/13/2012 12:57 PM, Henri Salo wrote:
> On Mon, Feb 13, 2012 at 05:04:34AM -0500, Michael Richards wrote:
>> Do the sigmakers just waste their time sifting through tons of
>> duplicate submissions?
>
> I sure hope not. I am more than happy to help create a faster "process" for this if the ClamAV guys can tell what they need, or at least the old system should be documented somehow. Why not create this as open-source :) If I am correct, the duplicates mostly come from big av-check sites. They send reports with old signatures and/or when they send the file it is not in fact known, but it is known when the ClamAV guys start to add the signature.

The duplicate submissions are not bit-to-bit identical.
Bit-to-bit identical submissions are thrown away/merged automatically early in the process, and they don't get reported to clamav-virusdb@.
Same with files that are already detected by ClamAV.

The duplicates ("Same as") mean that ClamAV detects them _now_ with the same virusname, but at the time
of the submission they were not detected at all.

It is easy to see why this could happen:
- if it is a file infector then we get a unique submission for each file it infected. It is still the same malware,
and if a signature gets added to detect one particular instance of the infection then the other infected files
should get detected as well
- if it is a polymorphic virus then each instance is unique, and depending on how good the signature is
it may detect many instances of the malware with the same virus name
- the signature might be generic, so it detects more than one malware under the same name
- ... etc.

Best regards,
--Edwin
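Edwin's description of the triage path (bit-identical copies merged early and never reported, files already detected dropped, the rest re-checked and reported as "Same as &lt;name&gt;" once a signature lands) as a runnable model. This is an added example written for this archive page, not ClamAV's own code: the `.hdb` (`md5:size:name`) and `.ndb` (`name:target:offset:hex`) line layouts are real ClamAV database formats, but only a tiny subset of each is parsed here (TargetType 0, Offset `*`, the `??` single-byte wildcard). The `SubmissionQueue` class, the sample files, the submission ids and the name `Example.Infector` are all constructed for the example. It also shows the file-infector point from Edwin's list: a hash signature written for one submitted file cannot cover the other infected host, while a body signature with one wildcard byte catches both.

```python
"""Submission triage modelled on the clamav-users thread (added example, not ClamAV code)."""
import hashlib
import re
from dataclasses import dataclass

HEX_TOKEN = re.compile(r"[0-9a-f]{2}|\?\?")


@dataclass
class HashSig:          # one .hdb line: whole-file MD5 plus size
    md5: str
    size: int
    name: str


@dataclass
class BodySig:          # one .ndb line compiled to a byte regex
    name: str
    regex: re.Pattern


def _lines(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_hdb(text: str) -> list:
    """Parse 'md5:size:name' lines (subset of the real .hdb format)."""
    sigs = []
    for line in _lines(text):
        md5, size, name = line.split(":")
        sigs.append(HashSig(md5.lower(), int(size), name))
    return sigs


def parse_ndb(text: str) -> list:
    """Parse 'name:target:offset:hex' lines; only target 0 and offset '*' are
    supported here, and '??' in the hex body matches any single byte."""
    sigs = []
    for line in _lines(text):
        name, target, offset, hexsig = line.split(":")
        if target != "0" or offset != "*":
            raise ValueError(f"{name}: unsupported target/offset in this example")
        hexsig = hexsig.lower()
        tokens = HEX_TOKEN.findall(hexsig)
        if "".join(tokens) != hexsig:
            raise ValueError(f"{name}: malformed hex signature")
        pattern = b"".join(b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens)
        sigs.append(BodySig(name, re.compile(pattern, re.DOTALL)))
    return sigs


def scan(data: bytes, hash_sigs, body_sigs):
    """Return the first matching virus name, or None (hash signatures first)."""
    md5 = hashlib.md5(data).hexdigest()
    for s in hash_sigs:
        if s.size == len(data) and s.md5 == md5:
            return s.name
    for s in body_sigs:
        if s.regex.search(data):
            return s.name
    return None


class SubmissionQueue:
    """Constructed model of the triage steps described in the thread."""

    def __init__(self):
        self.seen = {}      # sha256 of submitted bytes -> id of first submission
        self.pending = {}   # submission id -> bytes still undetected

    def submit(self, sub_id, data, hash_sigs, body_sigs):
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.seen:                      # bit-identical: merged, never reported
            return ("merged", self.seen[digest])
        self.seen[digest] = sub_id
        hit = scan(data, hash_sigs, body_sigs)
        if hit:                                      # already detected: dropped, never reported
            return ("already_detected", hit)
        self.pending[sub_id] = data
        return ("queued", None)

    def rescan(self, hash_sigs, body_sigs):
        """Re-scan pending files with the current database; whatever is detected
        *now* is what the list later sees as 'Same as <name>'."""
        report = {}
        for sub_id in list(self.pending):
            hit = scan(self.pending[sub_id], hash_sigs, body_sigs)
            if hit:
                report[sub_id] = f"Same as {hit}"
                del self.pending[sub_id]
        return report


def infected(host: bytes, variant: int) -> bytes:
    """Constructed stand-in for a file infector: appended code with one varying byte."""
    return host + b"\x00INFECT-" + bytes([variant]) + b"-CORE\x00"


SAMPLES = {   # constructed submissions, not real malware
    "sub-1": infected(b"hello.exe contents", 0x41),
    "sub-2": infected(b"hello.exe contents", 0x41),   # bit-identical to sub-1
    "sub-3": infected(b"other.exe contents", 0x42),   # same infector, different host
    "sub-4": b"plain document, nothing appended",
}


def demo():
    q = SubmissionQueue()
    hdb, ndb = [], []
    stage1 = {k: q.submit(k, v, hdb, ndb) for k, v in SAMPLES.items()}
    s1 = SAMPLES["sub-1"]                             # analyst adds a hash sig for sub-1 only
    hdb = parse_hdb(f"{hashlib.md5(s1).hexdigest()}:{len(s1)}:Example.Infector.Hash")
    stage2 = q.rescan(hdb, ndb)
    core = b"INFECT-".hex() + "??" + b"-CORE".hex()   # then a body sig with a wildcard byte
    ndb = parse_ndb(f"Example.Infector:0:*:{core}")
    stage3 = q.rescan(hdb, ndb)
    return stage1, stage2, stage3, sorted(q.pending)


if __name__ == "__main__":
    for stage in demo():
        print(stage)
```

Running `demo()` shows the three outcomes the thread describes: `sub-2` is merged into `sub-1` at submission time, the hash signature turns only `sub-1` into a "Same as" report, the body signature then picks up `sub-3`, and the clean `sub-4` stays pending and is never reported.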
