It is not an attack on ClamAV Joel - but I tell you what, delete the post if it 
makes you happier.

Truly I'm sorry I wasted the effort trying to contribute, and you can relax 
because I certainly won't again.


-----Original Message-----
From: clamav-users-boun...@lists.clamav.net 
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Joel Esler
Sent: 12 January 2013 11:02 PM
To: ClamAV users ML
Cc: ClamAV users ML
Subject: Re: [clamav-users] Virus names - a rose by any name?

So what you want is for us to change the millions of Names we have for Trojans 
to match one of our competitors? So when people look up the open source 
detection that we provide in our open signature format, they instead get 
pointed to a competitor with closed proprietary detection?   

Even leaving our competitors out of this, how does this make sense to go and 
change millions of signatures for no functionally viable reason?

--
Joel Esler
Sent from my iPhone 

On Jan 12, 2013, at 3:42 PM, "Pancho" <p...@originsystems.co.za> wrote:

> Hi - thanks to everyone for the replies. I have seen 2 replies now and 
> it may well be that I have not been clear enough because both are at 
> cross purposes.
> 
> Unfortunately I don't have further time to invest in this topic but I 
> do hope that someone at ClamAV sees value in the suggestions.
> 
> If not, well such is life.
> 
> -----Original Message-----
> From: clamav-users-boun...@lists.clamav.net
> [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Simon 
> Hobson
> Sent: 12 January 2013 06:32 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Virus names - a rose by any name?
> 
> "Pancho" wrote:
> 
>> While I understand the comment, it makes it risky I believe from a 
> >> security perspective to tell users anything more than "file contains
> >> virus".
>> 
>> I say this because if we find a virus and provide the message "file 
>> contains virus with name <ClamAV proprietary virus name XYZ>" then 
>> malicious users can effectively deduce our virus engine simply by 
> >> using the custom name.
>> See the site http://virusscan.jotti.org/en for a very easy 
>> illustration of how to do this.
>> 
>> Once the malicious user knows this again, it is a fairly 
>> straightforward thing for them to test exploits against a site like 
>> jotti until they find one not detected by ClamAV - then submit that 
> >> exploit to our site knowing that it will successfully bypass our anti
> >> virus.
> 
> AFAIK ClamAV doesn't tell outside users anything - that is up to the 
> software that calls it and the administrator that set it up.
> 
> For example, suppose we are using ClamAV to scan inbound mail - using 
> Amavis as integration software as that's a fairly common setup. So 
> when the email is submitted by the outside MTA, our MTA hands off the 
> message to Amavis, and Amavis (amongst other things) hands it off to ClamAV.
> 
> The response sent to the outside MTA can be anything from "message blocked"
> at one extreme to "ClamAV found XXX" at the other - and where in that 
> spectrum is down to not just ClamAV (which should correctly identify 
> what it found IMO), but also the config of Amavis and the config of our MTA.
> 
> Of course, what is reported to the outside MTA can be different to 
> what is logged in our mail log. We may just report "blocked" to 
> outside while logging full details (as is usually the case) in the 
> mail log so that the administrator has more information if the reason is 
> queried.
> 
> Much the same applies if you scan inbound files on a web site that 
> allows uploads - what ClamAV reports to your software, and what your 
> software reports to the end user may be different things.
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit 
> http://wiki.clamav.net http://www.clamav.net/support/ml
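
The separation Simon Hobson describes in the quoted message (a terse answer to the outside, full detail in the local log), sketched for the web-upload case. This is an added example, not part of the thread or of ClamAV; the function names, the sample reply lines and the reference-id scheme are assumptions made for illustration.

```python
import logging
import re
import uuid

log = logging.getLogger("upload.scan")

# clamd answers a scan request with one line per target:
#   "<target>: OK", "<target>: <signature> FOUND" or "<target>: <reason> ERROR"
REPLY = re.compile(r"^(?P<target>.*?): (?:(?P<detail>.+) )?(?P<status>OK|FOUND|ERROR)$")


def parse_clamd_reply(line):
    """Return (status, detail); detail is the signature name or the error text."""
    m = REPLY.match(line.strip("\x00\r\n "))
    if m is None:
        # Anything unrecognised is treated as a scanner failure, not as clean.
        return "ERROR", "unparseable reply: %r" % line
    return m.group("status"), m.group("detail")


def handle_scan_result(reply_line, client_ip):
    """Decide what the uploader sees; keep what the scanner said in the local log."""
    status, detail = parse_clamd_reply(reply_line)
    if status == "OK":
        return {"accepted": True, "message": "File accepted."}
    # Assumption of this sketch: a random reference ties the terse outside
    # answer to the detailed log line when the rejection is queried later.
    ref = uuid.uuid4().hex[:12]
    log.warning("upload rejected ref=%s client=%s status=%s detail=%r",
                ref, client_ip, status, detail)
    # Same wording for FOUND and ERROR: neither the signature name nor the
    # scanner in use is disclosed, and a scanner failure fails closed.
    return {"accepted": False, "message": "File rejected. Reference: " + ref}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed reply lines, not captured from a real clamd.
    for sample in ("stream: OK",
                   "stream: Eicar-Test-Signature FOUND",
                   "/tmp/upload.bin: lstat() failed: No such file or directory. ERROR"):
        print(handle_scan_result(sample, "192.0.2.10"))
```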