Re: [clamav-users] About new samples at clamav website.
Walter,

Thanks. The issue is that we receive over a million new samples a day. We prioritize those samples for analysis and detection in a number of ways, one of the ways, of course, being number of submitters. So, for example, if we see 13 different places giving us the same sample, obviously the file is pretty widespread.

One of the best ways to help us is to generate your own signatures and submit those to us on the Community-sigs list. http://www.clamav.net/contact.html

That way we can take the coverage, FP test it, and ship it out faster. I'll even return in kind, after 20 submissions, I'll send you a brand new (just had them made) ClamAV Tshirt. How does that sound?

--
Joel Esler
Sent from my iPhone

On Jan 28, 2015, at 6:23 AM, Walter Bürger walter.buer...@arscons.de wrote:

> Hi all,
>
> I can confirm that. My samples never make it into daily. I am very frustrated about that.
>
> I use the same link to upload as Wagner, http://www.clamav.net/report/report-malware.html, enter my full name, my email, check notify me, check share this sample with other AV vendors, upload the malware file and submit the malware report. The submit procedure is successful every time as I get the http://www.clamav.net/report/success.html page every time.
>
> In the last three days I uploaded a sample, I don't know how often I uploaded it. Every day I checked if clamav could detect the virus in the sample after a new daily arrived. And every day clamav couldn't detect it. I checked on three different machines, linux, windows and openbsd.
>
> Virustotal.com says about my sample:
>
> SHA256: bb1e635aa88a6906473713bd49368553f49c21e885c1586742542b3fee4b405c
> Dateiname: ccp.exe
> Erkennungsrate: 42 / 57
> Analyse-Datum: 2015-01-28 09:32:11 UTC ( vor 0 Minuten )
>
> If I imagine how often this possibly happens and how many samples it never make into daily, then this could be one of the main reasons why clamav has such a terribly bad detection rate.
>
> So, what can we do to remedy the problem and make the detection rate of clamav better ?
>
> Best regards,
> Walter.
>
> On 01/26/15 19:08, Wagner De Queiroz wrote:
>
> > Dear users.
> >
> > I receive new viruses (Brazilian malware trojans) all day, and I submit to clamav, but my submissions never appear at virus list.
> >
> > I like to suggest at clamav page to submit files a kind of verify the upload sha256 or md5sum like virustotal website does to know if the submission are new one or not. to stop rising the high number of new submissions all day and maybe better our beloved anti-virus. Maybe put a option at clamav anti-virus to check before send new samples.
> >
> > When I receive a new malware sample, when came at .zip or .rar file, I open the .zip or .rar to expose the .exe trojan before send to virustotal check if the last clamav saw anything before send at website of clamav.
> >
> > My english is not good, and maybe my message can't be understood. but I have hope this email can make a difference.
> >
> > The link what I use to send new samples are:
> > http://www.clamav.net/report/report-malware.html
> > http://cgi.clamav.net/sendvirus.cgi

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
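Added example, not part of any message in this thread and not ClamAV code: the two ideas raised above (generating your own signatures, and checking a sample's hash before submitting it again), done locally with ClamAV's hash-signature line format `HashString:FileSize:MalwareName`. The sample bytes, file names and the `Local.Submission` / `Constructed.Known-1` signature names are constructed placeholders.

```python
import hashlib
import re

# One line of a ClamAV hash signature file (.hsb holds SHA1/SHA256 entries):
#   HashString:FileSize:MalwareName    (FileSize may be "*", meaning any size)
# Only SHA256 entries are matched here; MD5 and SHA1 lines are ignored.
SIG_LINE = re.compile(r"^([0-9a-fA-F]{64}):(\d+|\*):([^:\s]+)")
NAME_OK = re.compile(r"^[A-Za-z0-9._-]+$")


def make_hsb_signature(data, name):
    """Return the SHA256 .hsb line for one sample: sha256:size:name."""
    if not NAME_OK.match(name):
        raise ValueError(f"unsuitable signature name: {name!r}")
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def load_known_hashes(lines):
    """Map lower-cased SHA256 -> signature name; skip comments, blanks, junk."""
    known = {}
    for line in lines:
        m = SIG_LINE.match(line.strip())
        if m:
            known[m.group(1).lower()] = m.group(3)
    return known


def triage(samples, known_lines, prefix="Local.Submission"):
    """Split samples into new .hsb lines and files an existing hash covers."""
    known = load_known_hashes(known_lines)
    new_sigs, covered = [], {}
    for filename, data in sorted(samples.items()):
        digest = hashlib.sha256(data).hexdigest()
        if digest in known:
            covered[filename] = known[digest]
            continue
        name = f"{prefix}.{len(new_sigs) + 1}"   # hypothetical naming scheme
        new_sigs.append(make_hsb_signature(data, name))
        known[digest] = name                     # dedupe within this batch too
    return new_sigs, covered


# Constructed inputs: harmless byte strings standing in for unpacked samples.
SAMPLES = {"a.bin": b"constructed sample A, not malware",
           "a_copy.bin": b"constructed sample A, not malware",
           "b.bin": b"constructed sample B, not malware"}
KNOWN = ["# constructed local signature file",
         make_hsb_signature(SAMPLES["b.bin"], "Constructed.Known-1")]

if __name__ == "__main__":
    new_sigs, covered = triage(SAMPLES, KNOWN)
    print("\n".join(new_sigs))
    print(covered)
```

A hash signature matches only the exact bytes hashed, so it has to be computed over the file extracted from the .zip or .rar, not over the archive.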
Re: [clamav-users] About new samples at clamav website.
Hi all,

I can confirm that. My samples never make it into daily. I am very frustrated about that.

I use the same link to upload as Wagner, http://www.clamav.net/report/report-malware.html, enter my full name, my email, check notify me, check share this sample with other AV vendors, upload the malware file and submit the malware report. The submit procedure is successful every time as I get the http://www.clamav.net/report/success.html page every time.

In the last three days I uploaded a sample, I don't know how often I uploaded it. Every day I checked if clamav could detect the virus in the sample after a new daily arrived. And every day clamav couldn't detect it. I checked on three different machines, linux, windows and openbsd.

Virustotal.com says about my sample:

SHA256: bb1e635aa88a6906473713bd49368553f49c21e885c1586742542b3fee4b405c
Dateiname: ccp.exe
Erkennungsrate: 42 / 57
Analyse-Datum: 2015-01-28 09:32:11 UTC ( vor 0 Minuten )

If I imagine how often this possibly happens and how many samples it never make into daily, then this could be one of the main reasons why clamav has such a terribly bad detection rate.

So, what can we do to remedy the problem and make the detection rate of clamav better ?

Best regards,
Walter.

On 01/26/15 19:08, Wagner De Queiroz wrote:

> Dear users.
>
> I receive new viruses (Brazilian malware trojans) all day, and I submit to clamav, but my submissions never appear at virus list.
>
> I like to suggest at clamav page to submit files a kind of verify the upload sha256 or md5sum like virustotal website does to know if the submission are new one or not. to stop rising the high number of new submissions all day and maybe better our beloved anti-virus. Maybe put a option at clamav anti-virus to check before send new samples.
>
> When I receive a new malware sample, when came at .zip or .rar file, I open the .zip or .rar to expose the .exe trojan before send to virustotal check if the last clamav saw anything before send at website of clamav.
>
> My english is not good, and maybe my message can't be understood. but I have hope this email can make a difference.
>
> The link what I use to send new samples are:
> http://www.clamav.net/report/report-malware.html
> http://cgi.clamav.net/sendvirus.cgi
Re: [clamav-users] About new samples at clamav website.
Hello Wagner,

On Monday 26 January 2015, 16:08:23, Wagner De Queiroz wrote:

> Dear users.
>
> I receive new viruses (Brazilian malware trojans) all day, and I submit to clamav, but my submissions never appear at virus list.

Could you please send them to me in private mail ? Please use ZIP file with password : infected

I will include them for my alternative signatures https://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml

--
Best regards,
Arnaud Jacques
SecuriteInfo.com
https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Re: [clamav-users] I have some queries about ClamAV
clamscan and clamd options exist to remove or move (--move --remove) infected files. The documentation indicates use with care. I've not tried them myself.

Steve

On Tue, Jan 27, 2015 at 7:40 PM, Dennis Peterson denni...@inetnw.com wrote:

> He wants to know if ClamAV takes any corrective action such as quarantine or even remediate the problem by replacing corrupted files with originals. ClamAV does neither, but it can alert tertiary software to perform quarantining and provide notification of a need for user initiated remediation.
>
> One can conjecture the wisdom of auto-remediation by an AV product, but some of the worst botch jobs I've ever worked with were done by well-meaning AV products that got fix-up wrong.
>
> dp
>
> On 1/27/15 4:13 PM, Joel Esler (jesler) wrote:
>
> > I believe I emailed this privately to you. ClamAV can have the ability to quarantine an infected file if it finds one. We don't know what you mean by the word "cure". Can you elaborate what you mean there for the group?
> >
> > --
> > Joel Esler
> > Open Source Manager
> > Threat Intelligence Team Lead
> > Talos
> >
> > On Jan 27, 2015, at 7:10 PM, Jihyun-Chang jhyun_ch...@naver.com wrote:
> >
> > > Is there no one to answer me ?
> > >
> > > ===
> > >
> > > Dear ClamAV Team,
> > >
> > > Hi~ I am a student interested in security. I found ClamAV as Anti-virus program and it looks good to me while looking through User-manual.
> > >
> > > I have a few questions about ClamAV. Does it can use as a cure (It means ClamAV can fix the scanned files) or just virus-scanner ? (It means ClamAV cannot support fix the scanned files)
> > >
> > > It seems not mentioned in User-manual and http://www.clamav.net/index.html. It may not have seen my eyes only :)
> > >
> > > Could you explain my request? I will be looking forward to your reply. Thanks in advance for any help.
> > >
> > > ~Chang~
> > >
> > > -Original Message-
> > > From: Jihyun-Chang jhyun_ch...@naver.com
> > > To: Joel Esler (jesler) jes...@cisco.com
> > > Cc: clamav-devel-ow...@lists.clamav.net; clamav-users-ow...@lists.clamav.net
> > > Sent: 2015-01-27 (Tue) 11:29:01
> > > Subject: Re: I have some queries about ClamAV
> > >
> > > I wrote the user list already but nobody answer my question for two weeks. I don't know why it is taking so long. Even though my question is not difficult. thanks. Best regards.
> > >
> > > -Original Message-
> > > From: Joel Esler (jesler) jes...@cisco.com
> > > To: Jihyun-Chang jhyun_ch...@naver.com
> > > Cc: clamav-devel-ow...@lists.clamav.net
> > > Sent: 2015. 1. 27. 11:20:20 AM
> > > Subject: Re: I have some queries about ClamAV
> > >
> > > You are writing the development list. You should be writing the users list unless you are contributing development code.
> > >
> > > --
> > > Joel Esler
> > > Sent from my iPhone
> > >
> > > On Jan 26, 2015, at 9:07 PM, Jihyun-Chang jhyun_ch...@naver.com wrote:
> > >
> > > can you hear me ? I'm waiting answer from ClamAV team long time ago..
> > >
> > > -Original Message-
> > > From: Jihyun-Chang jhyun_ch...@naver.com
> > > To: clamav-de...@lists.clamav.net
> > > Cc:
> > > Sent: 2015-01-22 (Thu) 17:19:18
> > > Subject: I have some queries about ClamAV
> > >
> > > Dear ClamAV Team,
> > >
> > > Hi~ I am a student interested in security. I found ClamAV as Anti-virus program and it looks good to me while looking through User-manual.
> > >
> > > I have a few questions about ClamAV. Does it can use as a cure (It means ClamAV can fix the scanned files) or just virus-scanner ? (It means ClamAV cannot support fix the scanned files)
> > >
> > > It seems not mentioned in User-manual and http://www.clamav.net/index.html. It may not have seen my eyes only :)
> > >
> > > Could you explain my request? I will be looking forward to your reply. Thanks in advance for any help.
> > >
> > > ~Chang~
Re: [clamav-users] Offline updates
The VirusDB files are listed on that page. However, it is highly recommended that you use freshclam to update.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Dec 3, 2014, at 1:57 AM, Pascal patate...@gmail.com wrote:

> Hi,
>
> I found this on http://www.clamav.net/doc/cvd.html :
>
> * Can I download the virusdb manually?
> Yes, the virusdb can be downloaded from the Latest releases section on our home page.
>
> But I didn't find the link on http://www.clamav.net/download.html :-(
>
> Where can I find virusdb ?
>
> Thanks,
> lacsaP.
Re: [clamav-users] Offline updates
Team,

Looks like you sent this to the wrong person.

-Joe

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Joel Esler (jesler)
Sent: Wednesday, January 28, 2015 9:34 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Offline updates

The VirusDB files are listed on that page. However, it is highly recommended that you use freshclam to update.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Dec 3, 2014, at 1:57 AM, Pascal patate...@gmail.com wrote:

> Hi,
>
> I found this on http://www.clamav.net/doc/cvd.html :
>
> * Can I download the virusdb manually?
> Yes, the virusdb can be downloaded from the Latest releases section on our home page.
>
> But I didn't find the link on http://www.clamav.net/download.html :-(
>
> Where can I find virusdb ?
>
> Thanks,
> lacsaP.