On Aug 22, 2014, at 6:44 PM, Daniel Quintiliani <d...@runbox.com> wrote:

On Fri, 22 Aug 2014 18:26:37 -0400, Dan McDaniel <d...@dm3.us> wrote:

I submitted a false positive a while ago -- probably back in May. It
hasn't been fixed yet. Should I submit it again?

Also, on the web form when submitting false positives there is a
check-box that says "notify me". It would seem to imply that you
might get some kind of notification when your sample had been processed,
but I have never received any notification for any of the samples I've
submitted. What is that check-box for?


I don't know what's going on. It seems that ever since the Cisco buyout the 
quality of ClamAV has disintegrated really fast.

I am always submitting samples from my email and blog spam to VirusTotal, 
ClamAV, and CRDF. VirusTotal often shows tons of failures, often more than half 
of the major antivirus products but never ClamAV, and then I submit to CRDF, 
who do their own automated VirusTotal scans and mark them as malware right away.

ClamAV, however, marks them clean for weeks (unless you use CRDF's signatures) 
and often they are never marked malware.

In fact, I have a list of MD5s of 600 MB worth of malware from a "game hack" 
site spammed to my blogs. I sent e-mails to ClamAV saying I had the MD5s and 
files but received no response. I wound up deleting the files because only two 
were marked as malware, and by CRDF's signatures, not by ClamAV's.

(I still have the MD5s list if anyone wants me to post it on the message board)

Good thing I only use Linux now, where the effectiveness of antivirus software 
isn't too important. I just wish ClamAV developers were more attentive to their 
product, which they haven't been since Cisco bought Sourcefire.

I’d disagree here.  In fact, we’ve only added to the team since the Cisco 
purchase.  We’re currently working on a better way to report false positives, 
so hopefully we’ll see some resolution to the issue soon, but by all means, if 
you have FP reports, please report them via the website and we’ll take a look 
at the issue.

As far as reports of new malware, again, the website is the best place to send 
them; however, for bulk uploads, like the website says, it’s best to contact us.

Where did you send emails to us that we missed?  Maybe we’re having a server 
problem that I haven’t seen yet and we need to get that fixed.

If people would like to contribute their own signatures to the ruleset, we’d be 
happy to take a look at that as well:

http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
