We exchange samples with many groups, companies, and people, bringing in over 650,000 unique samples a day, which highlights the "understaffed" issue.

--
Joel Esler
Sent from my iPhone

> On May 9, 2014, at 4:59, "Al Varnell" <alvarn...@mac.com> wrote:
>
> Thorvald,
>
> Just another user here, but I don’t understand why you would be surprised by
> this. Are you under the impression that Kaspersky shares its samples with
> anybody else? As far as I know, the only way the ClamAV® team would have a
> sample is if one of us users submitted it to them or it was provided to them
> by VirusTotal. I looked on VirusTotal.com and was not able to locate a
> Kaspersky (or any other scanner) identification by that name.
>
> I’m also under the impression that the ClamAV® signature team is overworked
> and understaffed, even though they have taken steps recently to improve that
> situation.
>
> Any time I find a situation such as this, I submit the samples to VirusTotal
> to validate my findings and, if confirmed, to the ClamAV® submit a file site.
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>> On May 9, 2014, at 1:28 AM, Thorvald Hallvardsson
>> <thorvald.hallvards...@gmail.com> wrote:
>>
>> Hi,
>>
>> The virus I'm looking at in particular is Trojan.Win32.Yakes.elfb. That's
>> how Kaspersky finds it and calls it. It was submitted on the 20th July 2011
>> so it's quite old. After applying SaneSecurity databases the virus still
>> cannot be found.
>>
>> I tried to scan a ZIP file - no virus found.
>> I tried to scan extracted file - no virus found.
>>
>> Tested that file with NOD32 and Kaspersky - they both shout there is a
>> virus.
>>
>> So I'm quite surprised such old stuff is not found by clamav :(.
>>
>> Regards,
>> TH
>>
>>> On 8 May 2014 19:20, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
>>>
>>>> On Thu, May 8, 2014 5:47 pm, Kris Deugau wrote:
>>>> I have been adding MD5 signatures, and somewhat more recently, .zmd
>>>> .zip-content-filename signatures (for doubled-extension files), but I do
>>>> not have time to dig more deeply and create more general signatures.
>>>>
>>>> -kgd
>>>
>>> Hi,
>>>
>>> You could add sanesecurity.com signatures
>>>
>>> phish.ndb: has some simple zip heuristics to block some of these
>>> rogue.hdb: updated hourly for malware received
>>>
>>> Foxhole can be added to block all double extensions in zips *or* all
>>> dangerous attachments in Zips/rar/7zip:
>>>
>>> sanesecurity.com/foxhole-databases/
>>>
>>> Just in case it helps..
>>>
>>> Cheers,
>>>
>>> Steve
>>> Sanesecurity
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
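
The MD5 signatures and doubled-extension zip checks mentioned in the thread, as an added example that is not part of any poster's message and is not ClamAV or Sanesecurity code: this Python sketch flags zip members whose names end in a decoy extension followed by an executable one and emits a ClamAV .hdb line (MD5:FileSize:MalwareName) for each. The extension lists, the Local.DoubleExt name prefix and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Assumed lists (not from the thread): executable final extensions and the
# "decoy" document/image extensions that commonly precede them.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{2,4})\s*\.([A-Za-z0-9]{2,4})$")


def is_double_extension(name):
    """True for names like 'invoice.pdf.exe' (decoy ext + executable ext)."""
    m = DOUBLE_EXT.search(name.strip())
    return bool(m) and m.group(1).lower() in DECOY and m.group(2).lower() in EXECUTABLE


def hdb_line(data, sig_name):
    """One ClamAV .hdb entry: MD5:FileSize:MalwareName."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), sig_name)


def signatures_for_zip(zip_bytes, prefix="Local.DoubleExt"):
    """Return .hdb lines for each double-extension member of a zip archive."""
    lines = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for n, info in enumerate(zf.infolist()):
            # Skip directories and encrypted members (content is unreadable).
            if info.is_dir() or info.flag_bits & 0x1:
                continue
            if is_double_extension(info.filename):
                lines.append(hdb_line(zf.read(info), "%s.%d" % (prefix, n)))
    return lines


def build_sample_zip():
    """Constructed sample archive with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"constructed placeholder, not malware")
        zf.writestr("readme.txt", b"benign")
        zf.writestr("report.v2.pdf", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for line in signatures_for_zip(build_sample_zip()):
        print(line)
```

A hash entry like this matches only the exact file it was built from, which is the limitation Kris describes when he says he has no time to create more general signatures.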