Currently, I am tracking 233 files containing malware that have been submitted both directly to clamav.net and virustotal.com and yet continue not to show up in the signature database so that they can be detected. My scripts check them frequently against the current clamav databases using 0.95.1 and re-report them to clamav.net every two weeks or so.
I am pretty sure that they all are malware as virustotal reports that some AV vendors detect them within the first two weeks after we initially receive them in our honeypot. I release signatures of these files in winnow_malware.hdb which sanesecurity graciously distributes for me.

What I would like (and I think that others that submit malware files to clamav.net would like) is for clamav.net to provide a method for us to programmatically query to determine if either 1) the file has already been determined by clamav to be not malicious or 2) you have the file in your processing queue and don't need a second copy. This would allow us to stop resending reports to you when you are already on top of it and also allow us to remove them from our signature files when they are added to the main clamav database (which we do now) or when you have determined that the file is not malware.

Thanks for your consideration,
Tom