Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 3, 2014, at 5:12 PM, Dennis Peterson denni...@inetnw.com wrote:

> On 10/3/14 8:10:24AM, Mark Allan wrote:
>
>> On 3 Oct 2014, at 03:39 pm, Gene Heskett ghesk...@wdtv.com wrote:
>>
>>> On Friday 03 October 2014 07:19:13 Tim Smith did opine
>>>
>>>> Over the last 24-48 hours, I submitted a number of email attachments: RAR files that contained viruses. Running one or two of them through VirusTotal today, I see ClamAV have *STILL* not managed to produce virus definitions for them!
>>>>
>>>> All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day.
>>>>
>>>> At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor.
>>>>
>>>> Looking forward to hearing the reasons why!
>>>
>>> Perhaps you should consider submitting them in a compressed file format that is NOT proprietary to Apple and which carries a per-seat license fee?
>>>
>>> Cheers, Gene Heskett
>>
>> I'll admit that Tim's email rather reeked of entitlement, but Gene's response is just confusing and wrong. Yes, the RAR file format is proprietary, but not to Apple - it was a Russian named Eugene Roshal (Roshal ARchive, hence RAR) who came up with it, and the licence is only required for creating files of that format; software to extract RAR files is free. Also, ClamAV already contains code to unRAR these archives.
>>
>> Anyway, I digress from the original question. The reason it takes time to generate signatures from files/samples which are contributed by users is that the signatures are still generated manually by humans, most of whom have other jobs and, unless I'm mistaken, are therefore giving their time voluntarily. I've always found the turnaround time to be pretty good actually, especially for free software.
>>
>> Mark
>
> From http://www.unrarlib.org/faq.html
>
> Q: Do you know that the license for the unrar sources from RARLab is not compatible with the GNU Public license?
>
> A: Yes, this is true. But we have the permission from Eugene Roshal to release unrarlib 0.4.0 under GPL and unrarlib-license. Note: this doesn't mean that RAR is free now or you can use the unrar source from RARlabs under GPL. You are just allowed to use UniquE RAR File Library version 0.4.0 (unrarlib 0.4.0) under GPL.
>
> A lot of people avoid RAR as a result.

We have issues with some distributions, as they don't want to build that feature in (because of the license) or don't build Clam into the distribution at all because of this exclusion.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
exactly

On 10/3/2014 4:54 PM, Leonardo Rodrigues wrote:

> On 03/10/14 08:19, Tim Smith wrote:
>
>> All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day.
>>
>> At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor.
>
> are you really trying to compare response times from PAID solutions to the free/community maintained ones?
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 3, 2014, at 5:16 PM, Dennis Peterson denni...@inetnw.com wrote:

> On 10/3/14 2:11:15PM, Charles Swiger wrote:
>
>> On Oct 3, 2014, at 1:54 PM, Leonardo Rodrigues leolis...@solutti.com.br wrote:
>>
>>> On 03/10/14 08:19, Tim Smith wrote:
>>>
>>>> All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day.
>>>>
>>>> At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor.
>>>
>>> are you really trying to compare response times from PAID solutions to the free/community maintained ones?
>>
>> Assuming this wasn't a rhetorical question, the answer is pretty clearly: yes. So what? I would expect that an expensive A/V solution should do better than ClamAV does for free. Frankly, it's a credit to the ClamAV team that their offering provides significant value for the price.
>>
>> Regards,
>
> ClamAV also gives each of us tools to provide a Day Zero response to a threat. Our responsibility to our users (for those of us who have them) is to take advantage of that tool set.

Well said Dennis. The other part of the equation is that we are always open to accepting the signatures and protection generated by our users for the greater good via our community signatures mailing list. http://www.clamav.net/contact.html#ml

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
Gene,

> Perhaps you should consider submitting them in a compressed file format that is NOT proprietary to Apple and which carries a per-seat license fee?

How about ***YOU*** consider the fact that I was merely submitting a RAR file because that was the exact file that was received in my email! I received a RAR, thus I submitted a RAR!

Geez ... some people! ;-(

On 3 October 2014 15:39, Gene Heskett ghesk...@wdtv.com wrote:

> On Friday 03 October 2014 07:19:13 Tim Smith did opine
> And Gene did reply:
>
>> Hi,
>>
>> Over the last 24-48 hours, I submitted a number of email attachments: RAR files that contained viruses. Running one or two of them through VirusTotal today, I see ClamAV have *STILL* not managed to produce virus definitions for them!
>>
>> All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day.
>>
>> At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor.
>>
>> Looking forward to hearing the reasons why!
>
> Perhaps you should consider submitting them in a compressed file format that is NOT proprietary to Apple and which carries a per-seat license fee?
>
> Cheers, Gene Heskett
> --
> There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
> Genes Web page http://geneslinuxbox.net:6309/gene
> US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
> are you really trying to compare response times from PAID solutions to the free/community maintained ones?

Of course not, the paid solutions will always be better. But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree!
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On October 6, 2014 3:37:34 PM Tim Smith randomd...@gmail.com wrote:

>> are you really trying to compare response times from PAID solutions to the free/community maintained ones?
>
> Of course not, the paid solutions will always be better.

Dream on, my Commodore 64 is the best 8-bit computer ever, not needing antivirus at all; restarting it cleans any virus for free. Sorry, could not resist.

> But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree!

You are free to define open source as you wish, but calling paid prebuilt software always better is not correct, but mostly just marketing.

What other AV product can you make your own virus signatures with? Not useful, hmm?
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 06/10/2014 14:37, Tim Smith wrote:

>> are you really trying to compare response times from PAID solutions to the free/community maintained ones?
>
> Of course not, the paid solutions will always be better. But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree!

It's only on the slow side if you expect it to be quicker... Personally, I'm glad this is available at all from a free solution.

As other people have said, you can make YOUR ClamAV installation detect the virus pretty much instantly - which is much quicker than any paid solution. (eg http://www.clamav.net/doc/latest/signatures.pdf)

Analysing a virus and updating signatures is not a quick trivial job, and they'll get lots of samples submitted (I've heard figures of a million a day). Many will be duplicates, but many will also be innocuous files where someone has been paranoid, or even where files are maliciously submitted, so I expect that files that are submitted have to be checked somehow to make sure they really are malicious files, and a useful signature has to be generated and tested. I'm fairly sure you'd be (rightly) miffed if an update was released which suddenly generated lots of false positives because corners had been cut.

If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this) or send a financial donation to help with the process. Obviously the paid AV solutions will have more resources to do this task than a community maintained one will have, so you'd expect the paid ones to be considerably quicker.

--
Paul Smith Computer Services
Tel: 01484 855800 Vat No: GB 685 6987 53
Sign up for news updates at http://www.pscs.co.uk/go/subscribe
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Mon, Oct 6, 2014 at 9:37 AM, Tim Smith randomd...@gmail.com wrote:

>> are you really trying to compare response times from PAID solutions to the free/community maintained ones?
>
> Of course not, the paid solutions will always be better. But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree!

A few months ago, Joel Esler and the ClamAV signature writing team introduced the Community Signatures mailing list for sharing signatures. You could always create the detection signatures yourself and submit them to us via the Community Signatures list.

Additionally, as has been said before, you can always just submit the file via the normal signatures then ping us here on this list with the md5/sha256 hash of the file you submitted.

Thanks,
Shawn
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
> If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this)

http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

- Alain
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
> but calling paid prebuilt software always better is not correct, but mostly just marketing

What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention. The majority of well established vendors will also do a better job of detecting and pushing out definitions, as it seems that ClamAV is reactive, not proactive, on the definitions front.

> What other AV product can you make your own virus signatures with? Not useful, hmm?

You don't need to when they've got a decent set of analysts who are on the ball and push out new definitions quickly! F-Secure, Sophos, Kaspersky and others all had coverage already of this virus.

Seriously, why should I mess around with creating virus signatures? It's a waste of my time.

Evangelising over how wonderful open-source anti-virus is is great, but if you're severely lagging on pushing out virus definitions then it very quickly removes the attractiveness of the product. 80% of people using your open-source project won't have the knowledge, time or inclination to hack together their own virus definitions.

I'm off to sign up with one of the well established software vendors.

On 6 October 2014 14:55, Benny Pedersen m...@junc.eu wrote:

> On October 6, 2014 3:37:34 PM Tim Smith randomd...@gmail.com wrote:
>
>>> are you really trying to compare response times from PAID solutions to the free/community maintained ones?
>>
>> Of course not, the paid solutions will always be better.
>
> Dream on, my Commodore 64 is the best 8-bit computer ever, not needing antivirus at all; restarting it cleans any virus for free. Sorry, could not resist.
>
>> But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree!
>
> You are free to define open source as you wish, but calling paid prebuilt software always better is not correct, but mostly just marketing.
>
> What other AV product can you make your own virus signatures with? Not useful, hmm?
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 6, 2014, at 10:21 AM, Tim Smith randomd...@gmail.com wrote:

>> but calling paid prebuilt software always better is not correct, but mostly just marketing
>
> What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention. The majority of well established vendors will also do a better job of detecting and pushing out definitions, as it seems that ClamAV is reactive, not proactive, on the definitions front.

Incorrect. For instance, just one of our signatures may catch tens of thousands of samples. We scan malware when it arrives, and if we catch the "new" piece of malware with an already present signature, we assign the new piece of malware to the already present signature. For instance, I just went into our internal interface and picked the first "prior detect" on my list, and it has 94 pieces of malware assigned to it.

You can actually see some of the de-duplicated ones if you subscribe to the clamav-virusdb mailing list. We don't list them all in there, because frankly it'd be too large of an email to send out. So only particular malware "Senders" are there.

Just because we don't detect the piece of malware that you found doesn't mean we aren't proactive.

>> What other AV product can you make your own virus signatures with? Not useful, hmm?
>
> You don't need to when they've got a decent set of analysts who are on the ball and push out new definitions quickly! F-Secure, Sophos, Kaspersky and others all had coverage already of this virus.

Those companies also have hundreds of analysts dedicated to the problem. We don't have hundreds.

> Seriously, why should I mess around with creating virus signatures? It's a waste of my time.

That's kind of the point of a community open-source project.

> Evangelising over how wonderful open-source anti-virus is is great, but if you're severely lagging on pushing out virus definitions then it very quickly removes the attractiveness of the product. 80% of people using your open-source project won't have the knowledge, time or inclination to hack together their own virus definitions.

We try to make it very simple for people to do it; in fact, we include tools for people to be able to do it.

> I'm off to sign up with one of the well established software vendors.

We're sorry to see you go. We try to offer a good service, for free, to the community in order to make the internet just a little bit safer. We'll understand if you'd like a refund. ;)

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 06/10/2014 15:21, Tim Smith wrote:

>> but calling paid prebuilt software always better is not correct, but mostly just marketing
>
> What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention.

Not if I want to make my own signatures... It also beats the others on price and (IMHO) usability.

>> What other AV product can you make your own virus signatures with? Not useful, hmm?
>
> You don't need to when they've got a decent set of analysts who are on the ball and push out new definitions quickly!

Yes you do. We have AVG, Avira, Sophos and ClamAV. Yes, AVG, Avira and Sophos will release virus definition updates before ClamAV. But usually by the time even Sophos have released their updates we've already received a few thousand copies of the virus. With ClamAV we can beat Sophos by adding our own definitions, so we can beat even the fastest AV vendors by a few hours (that's not knocking them; we have different requirements from them, so we can knock together a simple signature, test, and if we cause false positives it's our problem. We're not going to have zillions of other people complaining and be on news channels because we broke something).

> Seriously, why should I mess around with creating virus signatures? It's a waste of my time.

OK. That's a valid choice, in which case YOU will probably be better off spending money on a commercial product. For other people, the few seconds to generate a signature is worth the many thousands of pounds in savings they'll make from not using a commercial product. Neither is wrong, just different priorities.

--
Paul Smith Computer Services
Tel: 01484 855800 Vat No: GB 685 6987 53
Sign up for news updates at http://www.pscs.co.uk/go/subscribe
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Monday 6 October 2014, 10:05:11 Alain Zidouemba wrote:

>> If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this)

Or use this: https://securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml

It raises the ClamAV detection rate up to 80% on 0-day malware.

Best regards
Arnaud Jacques
SecuriteInfo.com
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On October 6, 2014 4:21:58 PM Tim Smith randomd...@gmail.com wrote:

> Seriously, why should I mess around with creating virus signatures? It's a waste of my time.

Well said, this mailing list here is not a waste of your time, can you pay back now?
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 10/06/2014 08:32, Webmaster wrote:

> On Monday 6 October 2014, 10:05:11 Alain Zidouemba wrote:
>
>>> If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this)
>
> Or use this: https://securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
>
> It raises the ClamAV detection rate up to 80% on 0-day malware.

Speaking of SecuriteInfo, is the High Risk label deserved for the spam_marketing signatures? Have used all the others in the Securite list but that one.
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 10/6/14 7:21 AM, Tim Smith wrote:

> Seriously, why should I mess around with creating virus signatures? It's a waste of my time.

Because that is the norm for community-supported products and because nobody but you is ultimately responsible for protecting your systems from malware.

dp
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
Hi,

> Speaking of SecuriteInfo, is the High Risk label deserved for the spam_marketing signatures? Have used all the others in the Securite list but that one.

Yes, spam_marketing.ndb has a high level of false positives. Why? Because it focuses on French spam/marketing/private selling/special offers and mailing lists I haven't subscribed to. It also targets scams from Africa or Asia, and other kinds of emails my customers don't want. But some of my customers *want* to receive these kinds of emails (gasp!).

You can use .ign signatures to suit your needs, or don't use spam_marketing.ndb at all. It is up to you. Give it a try by offline scanning your mailboxes and see for yourself what is detected. If you believe some signatures are generating too many false positives, please contact me off list. Maybe spam_marketing.ndb needs tuning after all.

My (French) customers and I are pretty happy with spam_marketing.ndb. They have very few spams passing through. Other signature files I provide have a very low false positive rate.

Best regards,
Arnaud Jacques
SecuriteInfo.com
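Several replies in this thread point at the same practical answer: Paul's note that your own ClamAV installation can detect a sample immediately if you write a local signature (see signatures.pdf), Shawn's suggestion of reporting the md5/sha256 of the file you submitted, and Arnaud's mention of .ign files for silencing a signature that is a false positive for your users. The script below is an added example written for this page, not code from the thread or from the ClamAV project. It writes the three local database files involved using only coreutils, so it runs without ClamAV installed; in practice sigtool does the same conversions (sigtool --sha256 FILE, sigtool --hex-dump). The file formats follow the ClamAV signature manual: .hsb for a SHA256 file-hash signature (hash:size:name), .ndb for a body-based hex pattern (name:target:offset:hex), .ign2 for the local ignore list (one signature name per line). The sample file contents, the Local.Example.* signature names and the temporary output directory are constructed for the example. One caveat a practitioner should note: since the samples in the thread arrived as RAR attachments, hash the extracted payload rather than the archive; ClamAV unpacks RAR itself, and re-packing changes the archive's hash but not the payload's.

```shell
#!/bin/sh
# Added example (not from the thread or the ClamAV project): write local
# ClamAV signature files with coreutils only. sigtool is the official way
# (sigtool --sha256 FILE, sigtool --hex-dump); this avoids needing it.
# Formats, from the ClamAV signature manual:
#   local.hsb   SHA256:FileSize:MalwareName          file-hash signature
#   local.ndb   MalwareName:TargetType:Offset:Hex    body-based signature
#   local.ign2  MalwareName                          signature to ignore
set -eu

# Portable SHA256 of a file (sha256sum on GNU, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# .hsb line: hash of the whole file, its exact size in bytes, and a name.
# Hash the extracted payload, not the RAR it arrived in.
mk_hsb_line() {
    file=$1; name=$2
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$(sha256_of "$file")" "$size" "$name"
}

# .ndb line matching a literal byte string. Target type 0 = any file,
# offset * = anywhere. od -v keeps repeated bytes instead of collapsing them.
mk_ndb_line() {
    name=$1; literal=$2
    hex=$(printf '%s' "$literal" | od -An -v -tx1 | tr -d ' \n')
    printf '%s:0:*:%s\n' "$name" "$hex"
}

# .ign2 line: the named signature is ignored when this file is loaded,
# which is how a noisy third-party signature is silenced locally.
mk_ign2_line() {
    printf '%s\n' "$1"
}

main() {
    workdir=$(mktemp -d)
    sample="$workdir/sample.txt"
    # Constructed stand-in for the attachment; not real malware.
    printf 'constructed sample body: MARKER-EXAMPLE-STRING-2014\n' > "$sample"

    mk_hsb_line "$sample" "Local.Example.HashSig" > "$workdir/local.hsb"
    mk_ndb_line "Local.Example.BodySig" "MARKER-EXAMPLE-STRING-2014" > "$workdir/local.ndb"
    mk_ign2_line "Local.Example.BodySig" > "$workdir/local.ign2"

    for f in local.hsb local.ndb local.ign2; do
        printf '== %s ==\n' "$f"
        cat "$workdir/$f"
    done
    # Load them alongside the official databases, for example:
    #   clamscan --database="$workdir" "$sample"
    printf 'written to %s\n' "$workdir"
}

main "$@"
```

To use the output, copy the three files into the ClamAV database directory or point clamscan/clamd at the directory with --database. Hash signatures only match the exact file, so a re-packed or slightly modified variant needs a fresh line; the .ndb pattern survives such changes as long as the literal is still present, which is why a short, distinctive string from the payload is the more durable choice when you have time to pick one.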