Re: [clamav-users] Bad detection rate

2014-07-03 Thread Ralf Hildebrandt
* Dennis Peterson :
> The OP brought up several points, none of which were addressed.
> 
> 1. Nevertheless, the detection rate of viruses, trojans, etc. is not
> very good. Almost every time I submit a sample file on virustotal.com
> ClamAV can not detect the virus or malware.
> 
> 2. Up to now, I never got a notification, although "Notify me" was checked.

Indeed. I also submitted quite a lot of malware and never got a
notification (in years!)

> 3. Why shall we not post more than two sample files per day ?

I also wondered about that.

-- 
Ralf Hildebrandt                    Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de         Campus Benjamin Franklin
http://www.charite.de               Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk  fon: +49-30-450.570.155
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml

Re: [clamav-users] Bad detection rate

2014-06-25 Thread Walter Bürger

Joel Esler (jesler) wrote:

On Jun 25, 2014, at 4:23 AM, Walter Bürger  wrote:


bestellung_9AF6AAE4.exe
(MD5 186a1745b54467fa168309da93960df4)
18 out of 54 scanners detected a trojan
(F-Secure named it Trojan.Injector.AWD)
but ClamAV did not detect it.

I submitted both files to
http://www.clamav.net/lang/en/sendvirus/submit-malware

And I submitted the same file as yesterday and the day before yesterday to 
virustotal.com:

Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)


Are you sure you submitted these files?  We don’t have them.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team







Hi Joel,

yes I am sure I submitted
bestellung_074B5277.exe and
bestellung_9AF6AAE4.exe this morning:

Result:

Submission completed!
bestellung_9AF6AAE4.exe has been successfully sent to the virusdb 
maintainer team...


Thank you for helping the ClamAV project.

And I am sure I submitted
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
on Monday, 23.06.2014

But I submitted all 3 files again, 2 minutes ago.

Best regards,
Walter.





Re: [clamav-users] Bad detection rate

2014-06-25 Thread Joel Esler (jesler)
On Jun 25, 2014, at 4:23 AM, Walter Bürger  wrote:

> bestellung_9AF6AAE4.exe
> (MD5 186a1745b54467fa168309da93960df4)
> 18 out of 54 scanners detected a trojan
> (F-Secure named it Trojan.Injector.AWD)
> but ClamAV did not detect it.
> 
> I submitted both files to
> http://www.clamav.net/lang/en/sendvirus/submit-malware
> 
> And I submitted the same file as yesterday and the day before yesterday to 
> virustotal.com:
> 
> Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
> (MD5 ad690be247dda635781e20887fcac0e7)

Are you sure you submitted these files?  We don’t have them.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team



Re: [clamav-users] Bad detection rate

2014-06-25 Thread Joel Esler (jesler)
> On Jun 25, 2014, at 0:17, "Al Varnell"  wrote:
> 
> The signature team has always been overwhelmed by the number of new samples 
> it receives every day and even though the team is bigger today, so is the 
> input.

Right.  We have several people working on malware full time. But we receive 
well over 650,000 samples a day. We build and ship all this stuff for free.  We 
love it when the community contributes.  It's for the benefit of all. 

> They established a third party signature contribution system a few months ago 
> and I’m sure part of the reason is to try to reduce what is apparently a 
> growing backlog of samples which require manual signature writing.  If those 
> with the ability to write quality signatures and contribute them to this 
> project can do so, we will all benefit from this.  I don’t blame the team for 
> trying to promote this new means of community contributions.

Thank you Al.  Building a community to solve a problem is important.  That's 
what this whole "open source" thing is supposed to be about. It's not just that 
the software is free, it's so that everyone can participate. 

> It would appear that Steve is in a unique position here, in that he has his 
> own UNOFFICIAL signature databases to contribute as well as the apparent 
> skills to write them on his own.  Obviously there is a much larger user base 
> for official set so contributions there would be of broader benefit, yet he 
> runs his own services to the community.  Something he’ll need to consider and 
> decide on his own.

We'd love it if Steve wanted to do it.  I've never reached out to him 
individually, but I'd be glad to have the conversation!

Joel


Re: [clamav-users] Bad detection rate

2014-06-25 Thread Joel Esler (jesler)

On Jun 25, 2014, at 2:34, "Al Varnell"  wrote:

>> Tue, Jun 24, 2014 at 10:40 PM, Dennis Peterson wrote:
>> 
>> It wouldn't hurt to have a youtube video that shows admins how to generate 
>> simple day 0 check sum sigs that they can deploy locally while waiting for a 
>> Cisco/SourceFire signature. In fact the submission process generates a 
>> checksum that just needs to be captured to a file.
> 
> Good point and FYI Mark Allan has implemented exactly that process to provide 
> such a quick-turnaround capability for all ClamXav users (currently 65 
> additional signatures).  Unfortunately I haven’t noticed a single one of them 
> replaced by an official signature yet.

Same goes for Mark.  Mark, you want to submit them to official?  Let's do this. 


Re: [clamav-users] Bad detection rate

2014-06-25 Thread Joel Esler (jesler)

> On Jun 25, 2014, at 1:40, "Dennis Peterson"  wrote:
> 
>> On 6/24/14, 9:16 PM, Al Varnell wrote:
>> That’s certainly a valid question and deserves a ClamAV® answer, but I’ll 
>> throw this comment out.
>> 
>> The signature team has always been overwhelmed by the number of new samples 
>> it receives every day and even though the team is bigger today, so is the 
>> input.
>> 
>> They established a third party signature contribution system a few months 
>> ago and I’m sure part of the reason is to try to reduce what is apparently a 
>> growing backlog of samples which require manual signature writing.  If those 
>> with the ability to write quality signatures and contribute them to this 
>> project can do so, we will all benefit from this.  I don’t blame the team 
>> for trying to promote this new means of community contributions.
>> 
>> It would appear that Steve is in a unique position here, in that he has his 
>> own UNOFFICIAL signature databases to contribute as well as the apparent 
>> skills to write them on his own.  Obviously there is a much larger user base 
>> for official set so contributions there would be of broader benefit, yet he 
>> runs his own services to the community.  Something he’ll need to consider 
>> and decide on his own.
>> 
>> Just my two cents.
>> 
>> -Al-
>> Al Varnell
>> Mountain View, CA
> I don't blame them either but the arrangement is that of peers. Why set some 
> of them up as unofficial? Why put a limit on the very resource (2 submissions 
> per day) that that people need to make the product useful? Run all the 
> submitted signatures through the same QA process and stamp them official. 
> Create a signature writer's certification test to help streamline the 
> submission process so qualified people can include a sig with the submission. 
> And they can answer the earlier question, "How can we make the process 
> better?"

If people, Steve or others want to submit to the official list, they are more 
than welcome. We'll receive it, QA it like we do ours, and ship it in the 
official set, with attribution. It's not a problem.  There's an artificial 
limitation (not really a restriction on uploads) because we have people, all 
the time that want to send us, say 100,000 samples.  Well, submitting those all 
through the interface would be a bit tiresome :). So if people are going to 
submit a bunch of samples we ask them to get in touch with us and we can handle 
that differently.   The certification is not a bad idea. We do it internally, 
and I know we have discussed it internally for external people as well.  Alain 
can probably comment better on this, but I know he's worked with a couple 
people to teach them the more advanced sigs, and those people generate content. 


> It wouldn't hurt to have a youtube video that shows admins how to generate 
> simple day 0 check sum sigs that they can deploy locally while waiting for a 
> Cisco/SourceFire signature. In fact the submission process generates a 
> checksum that just needs to be captured to a file.

We're currently doing a major overhaul to several of the backend systems on 
ClamAV. One is ClamAV.net itself. 

We do have training somewhere on how to write signatures. I don't know if we 
have the recording anymore, maybe I can get Alain to re-teach it.  

But if there are people out there interested in writing sigs for ClamAV, by all 
means, let's do this.  

Steve, if you want to submit some, a few, all, (I know you have several feeds) 
whatever, to the official db, let's do this. 

Joel


Re: [clamav-users] Bad detection rate

2014-06-25 Thread Walter Bürger

Hi dear ClamAV team,

a few minutes ago I submitted 2 files
bestellung_074B5277.exe
bestellung_9AF6AAE4.exe
to virustotal.com

bestellung_074B5277.exe
(MD5 1da7c04ac540e4e02ef12cdcab7cffe3)
14 out of 53 scanners detected a trojan
(F-Secure named it Trojan.Injector.AWD)
but ClamAV did not detect it.

bestellung_9AF6AAE4.exe
(MD5 186a1745b54467fa168309da93960df4)
18 out of 54 scanners detected a trojan
(F-Secure named it Trojan.Injector.AWD)
but ClamAV did not detect it.

I submitted both files to
http://www.clamav.net/lang/en/sendvirus/submit-malware

And I submitted the same file as yesterday and the day before yesterday 
to virustotal.com:


Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)

32 out of 54 scanners detected a virus
(NOD32 named it Win32/Emotet.AA)
but ClamAV did not detect it.

Alain said:
"We received your sample for the first time today and will be analyzing it
for coverage in the ClamAV signature set. Thanks for your submission."

Has Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
not yet been analyzed ?

Best regards,
Walter.






Re: [clamav-users] Bad detection rate

2014-06-24 Thread Al Varnell

On Tue, Jun 24, 2014 at 10:40 PM, Dennis Peterson wrote:
> 
> It wouldn't hurt to have a youtube video that shows admins how to generate 
> simple day 0 check sum sigs that they can deploy locally while waiting for a 
> Cisco/SourceFire signature. In fact the submission process generates a 
> checksum that just needs to be captured to a file.

Good point and FYI Mark Allan has implemented exactly that process to provide 
such a quick-turnaround capability for all ClamXav users (currently 65 
additional signatures).  Unfortunately I haven’t noticed a single one of them 
replaced by an official signature yet.


-Al-
-- 
Al Varnell
Mountain View, CA






Re: [clamav-users] Bad detection rate

2014-06-24 Thread Dennis Peterson

On 6/24/14, 9:16 PM, Al Varnell wrote:

That’s certainly a valid question and deserves a ClamAV® answer, but I’ll throw 
this comment out.

The signature team has always been overwhelmed by the number of new samples it 
receives every day and even though the team is bigger today, so is the input.

They established a third party signature contribution system a few months ago 
and I’m sure part of the reason is to try to reduce what is apparently a 
growing backlog of samples which require manual signature writing.  If those 
with the ability to write quality signatures and contribute them to this 
project can do so, we will all benefit from this.  I don’t blame the team for 
trying to promote this new means of community contributions.

It would appear that Steve is in a unique position here, in that he has his own 
UNOFFICIAL signature databases to contribute as well as the apparent skills to 
write them on his own.  Obviously there is a much larger user base for official 
set so contributions there would be of broader benefit, yet he runs his own 
services to the community.  Something he’ll need to consider and decide on his 
own.

Just my two cents.

-Al-
Al Varnell
Mountain View, CA


I don't blame them either but the arrangement is that of peers. Why set some of 
them up as unofficial? Why put a limit on the very resource (2 submissions per 
day) that that people need to make the product useful? Run all the submitted 
signatures through the same QA process and stamp them official. Create a 
signature writer's certification test to help streamline the submission process 
so qualified people can include a sig with the submission. And they can answer 
the earlier question, "How can we make the process better?"


It wouldn't hurt to have a youtube video that shows admins how to generate 
simple day 0 check sum sigs that they can deploy locally while waiting for a 
Cisco/SourceFire signature. In fact the submission process generates a checksum 
that just needs to be captured to a file.


dp
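
The "day 0 checksum sig" Dennis describes is a one-line entry in ClamAV's .hdb hash database format, MD5:FileSize:MalwareName. What follows is an added example, not code from this thread or from the ClamAV project: it produces that line for a sample (the same thing `sigtool --md5 FILE` prints), and validates a candidate .hdb file before it is copied into clamd's database directory, since one malformed line makes the whole database fail to load. The signature name Local.Day0.Sample-1, the sample bytes and the file name local.hdb are assumptions made for the example.

```python
"""Build and check a local day-0 hash signature in ClamAV .hdb format.

Added example, not ClamAV project code. One signature per line:
MD5:FileSize:MalwareName. Signatures loaded from a database that is not
digitally signed by ClamAV are reported with ".UNOFFICIAL" appended to
the name, which is why the log lines in this thread carry that suffix.
"""
import hashlib
import os
import re
import tempfile

# Names may not contain whitespace or ':' (the field separator); this
# validator is deliberately stricter than ClamAV itself.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
HDB_RE = re.compile(
    r"^(?P<md5>[0-9a-f]{32}):(?P<size>\d+):(?P<name>[A-Za-z0-9._-]+)$"
)


def hdb_line_for_bytes(data: bytes, name: str) -> str:
    """Return 'md5:size:name' for an in-memory sample."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid signature name: {name!r}")
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hdb_line_for_file(path: str, name: str) -> str:
    """Return 'md5:size:name' for a file on disk, hashing it in chunks."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid signature name: {name!r}")
    digest = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
            size += len(chunk)
    return f"{digest.hexdigest()}:{size}:{name}"


def validate_hdb(text: str) -> list:
    """Return [(line_no, problem), ...] for a candidate .hdb file.

    Checks field layout and flags repeated hash/size pairs, so a bad
    entry is caught before clamd refuses to load the database.
    """
    problems = []
    seen = set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HDB_RE.match(line)
        if m is None:
            problems.append((no, "malformed: expected MD5:size:name"))
            continue
        key = (m.group("md5"), m.group("size"))
        if key in seen:
            problems.append((no, "duplicate hash/size entry"))
        seen.add(key)
    return problems


def demo() -> str:
    """Write a constructed stand-in sample to a temp file and sign it."""
    sample = b"hello world"  # constructed; stands in for a quarantined attachment
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(sample)
        path = fh.name
    try:
        return hdb_line_for_file(path, "Local.Day0.Sample-1")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    line = demo()
    print(line)  # append this to local.hdb in clamd's DatabaseDirectory
    print("problems:", validate_hdb(line + "\n"))
```

After appending the line to a file such as local.hdb in clamd's DatabaseDirectory, trigger a reload (`clamdscan --reload`, or wait for the SelfCheck interval visible in the log lines quoted in this thread); a hit is then logged as Local.Day0.Sample-1.UNOFFICIAL. A hash signature only matches the byte-identical file, which is the "short-lived detection but quick" trade-off Steve describes for rogue.hdb; on ClamAV versions that support .hsb you can use SHA256 in the same layout.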


Re: [clamav-users] Bad detection rate

2014-06-24 Thread Al Varnell
That’s certainly a valid question and deserves a ClamAV® answer, but I’ll throw 
this comment out.

The signature team has always been overwhelmed by the number of new samples it 
receives every day and even though the team is bigger today, so is the input.

They established a third party signature contribution system a few months ago 
and I’m sure part of the reason is to try to reduce what is apparently a 
growing backlog of samples which require manual signature writing.  If those 
with the ability to write quality signatures and contribute them to this 
project can do so, we will all benefit from this.  I don’t blame the team for 
trying to promote this new means of community contributions.

It would appear that Steve is in a unique position here, in that he has his own 
UNOFFICIAL signature databases to contribute as well as the apparent skills to 
write them on his own.  Obviously there is a much larger user base for official 
set so contributions there would be of broader benefit, yet he runs his own 
services to the community.  Something he’ll need to consider and decide on his 
own.

Just my two cents.

-Al-
Al Varnell
Mountain View, CA

On Tue, Jun 24, 2014 at 07:44 PM, Dennis Peterson wrote:
> 
> Why wouldn't ClamAV be interested in creating this signature as part of their 
> own distribution? It's a virus, it's what you do, no?
> 
> dp
> 
> On 6/24/14, 11:14 AM, Joel Esler (jesler) wrote:
>> On Jun 24, 2014, at 11:01 AM, Bowie Bailey wrote:
>> On 6/24/2014 9:53 AM, Walter Bürger wrote:
>> Hi dear ClamAV team,
>> 
>> I submitted the same file as yesterday to 
>> virustotal.com:
>> 
>> Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
>> (MD5 ad690be247dda635781e20887fcac0e7)
>> 
>> 30 out of 54 scanners detected a virus
>> (NOD32 named it Win32/Emotet.AA)
>> but ClamAV did not detect it.
>> 
>> I am just curious why ClamAV still can't detect it.
>> 
>> AFAIK, virustotal only uses the official signatures.  Your samples were 
>> detected by a Sanesecurity unofficial signature.
>> 
>> Correct.
>> 
>> Steve,
>> 
>> If SaneSecurity wants to push the sig into the official set, you can get in 
>> touch with us at any time, which we’ll give you and your team full credit 
>> for.
>> 
>> --
>> Joel Esler
>> Open Source Manager
>> Threat Intelligence Team Lead
>> Vulnerability Research Team


Re: [clamav-users] Bad detection rate

2014-06-24 Thread Dennis Peterson
Why wouldn't ClamAV be interested in creating this signature as part of their 
own distribution? It's a virus, it's what you do, no?


dp


On 6/24/14, 11:14 AM, Joel Esler (jesler) wrote:

On Jun 24, 2014, at 11:01 AM, Bowie Bailey wrote:
On 6/24/2014 9:53 AM, Walter Bürger wrote:
Hi dear ClamAV team,

I submitted the same file as yesterday to 
virustotal.com:

Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)

30 out of 54 scanners detected a virus
(NOD32 named it Win32/Emotet.AA)
but ClamAV did not detect it.

I am just curious why ClamAV still can't detect it.

AFAIK, virustotal only uses the official signatures.  Your samples were 
detected by a Sanesecurity unofficial signature.

Correct.

Steve,

If SaneSecurity wants to push the sig into the official set, you can get in 
touch with us at any time, which we’ll give you and your team full credit for.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team



Re: [clamav-users] Bad detection rate

2014-06-24 Thread Joel Esler (jesler)
On Jun 24, 2014, at 11:01 AM, Bowie Bailey wrote:
On 6/24/2014 9:53 AM, Walter Bürger wrote:
Hi dear ClamAV team,

I submitted the same file as yesterday to 
virustotal.com:

Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)

30 out of 54 scanners detected a virus
(NOD32 named it Win32/Emotet.AA)
but ClamAV did not detect it.

I am just curious why ClamAV still can't detect it.

AFAIK, virustotal only uses the official signatures.  Your samples were 
detected by a Sanesecurity unofficial signature.

Correct.

Steve,

If SaneSecurity wants to push the sig into the official set, you can get in 
touch with us at any time, which we’ll give you and your team full credit for.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team



Re: [clamav-users] Bad detection rate

2014-06-24 Thread Bowie Bailey

On 6/24/2014 9:53 AM, Walter Bürger wrote:

Hi dear ClamAV team,

I submitted the same file as yesterday to virustotal.com:

Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)

30 out of 54 scanners detected a virus
(NOD32 named it Win32/Emotet.AA)
but ClamAV did not detect it.

I am just curious why ClamAV still can't detect it.


AFAIK, virustotal only uses the official signatures.  Your samples were 
detected by a Sanesecurity unofficial signature.


--
Bowie


Re: [clamav-users] Bad detection rate

2014-06-24 Thread Walter Bürger

Hi dear ClamAV team,

I submitted the same file as yesterday to virustotal.com:

Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)

30 out of 54 scanners detected a virus
(NOD32 named it Win32/Emotet.AA)
but ClamAV did not detect it.

I am just curious why ClamAV still can't detect it.

Best regards,
Walter.




Re: [clamav-users] Bad detection rate

2014-06-23 Thread Walter Bürger

Steve Basford wrote:

On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote:

About 4 hours later I checked again and
12 out of 54 scanners detected a virus in this file
but ClamAV did not detect it.


I know 4 hours sounds a long time but when you consider the current amount
of malware that is submitted / auto-submitted to very few official
signature writers, things will take time.

Sanesecurity sigs consist of manually generated and auto-generated
signatures, for example rogue.hdb is updated hourly automatically (hashes)
and will be short-lived detection but quick.

Whereas phish.ndb is manually generated but will normally have longer term
effectiveness than rogue.hdb.

Currently though, the download script downloads from the Sanesecurity mirrors
hourly but even that may not be good enough/quick enough for some.

I'm actually looking at quicker updates via freshclam for a few users, so
I've put a poll on the Sanesecurity.com website, to see how often
freshclam updates happen, just to gauge if it would help.

Anyway, this is more for the sanesecurity list really.

But just wanted to say a huge kudos to the whole ClamAV team and sig
writers, without which we wouldn't have ClamAV and its engine to play
with in the first place.


Cheers,

Steve
Sanesecurity.com




I love it!
This is like it should always be:

Mon Jun 23 21:08:27 2014 -> /var/amavisd/afs5NJ8Q5r020716/parts/p005: Sanesecurity.Malware.23787.ZipHeur.UNOFFICIAL(69bef6560be0d55ce5956533627cb083:124659) FOUND

Mon Jun 23 21:10:16 2014 -> SelfCheck: Database status OK.
Mon Jun 23 21:20:16 2014 -> SelfCheck: Database status OK.
Mon Jun 23 21:28:27 2014 -> /var/amavisd/afs5NJSQ42006874/parts/p005: Sanesecurity.Malware.23787.ZipHeur.UNOFFICIAL(f3b2ccae8204ca28d90c5e648ad5f964:124659) FOUND

Mon Jun 23 21:30:17 2014 -> SelfCheck: Database status OK.
Mon Jun 23 21:40:17 2014 -> SelfCheck: Database status OK.
Mon Jun 23 21:50:17 2014 -> SelfCheck: Database status OK.
Mon Jun 23 22:00:17 2014 -> SelfCheck: Database status OK.
Mon Jun 23 22:08:28 2014 -> /var/amavisd/afs5NK8RPh000911/parts/p005: Sanesecurity.Malware.23787.ZipHeur.UNOFFICIAL(c6319e040ab69ebff2f60ca863087469:124659) FOUND

Mon Jun 23 22:10:17 2014 -> SelfCheck: Database status OK.

Best regards,
Walter.





Re: [clamav-users] Bad detection rate

2014-06-23 Thread Steve Basford

On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote:
>
> About 4 hours later I checked again and
> 12 out of 54 scanners detected a virus in this file
> but ClamAV did not detect it.

I know 4 hours sounds a long time but when you consider the current amount
of malware that is submitted / auto-submitted to very few official
signature writers, things will take time.

Sanesecurity sigs consist of manually generated and auto-generated
signatures, for example rogue.hdb is updated hourly automatically (hashes)
and will be short-lived detection but quick.

Whereas phish.ndb is manually generated but will normally have longer term
effectiveness than rogue.hdb.

Currently though, the download script downloads from the Sanesecurity mirrors
hourly but even that may not be good enough/quick enough for some.

I'm actually looking at quicker updates via freshclam for a few users, so
I've put a poll on the Sanesecurity.com website, to see how often
freshclam updates happen, just to gauge if it would help.

Anyway, this is more for the sanesecurity list really.

But just wanted to say a huge kudos to the whole ClamAV team and sig
writers, without which we wouldn't have ClamAV and its engine to play
with in the first place.


Cheers,

Steve
Sanesecurity.com



Re: [clamav-users] Bad detection rate

2014-06-23 Thread Benny Pedersen
On 23. jun. 2014 19.36.58 CEST, Steve Basford  
wrote:
>
>Sanesecurity.Malware.23787.ZipHeur
>Added: 23 Jun 2014 09:32:40 UT

I have a dream of virustotal starting to use 3rd party clamav signatures


Re: [clamav-users] Bad detection rate

2014-06-23 Thread Walter Bürger

Steve Basford wrote:

On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote:

This morning I submitted the file
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)
on virustotal.com.

4 out of 54 scanners detected a virus
(NOD32 named it Win32/Kryptik.CFAE)
but ClamAV did not detect it.


Hi Walter,

This was added to phish.ndb:

Sanesecurity.Malware.23787.ZipHeur

Added: 23 Jun 2014 09:32:40 UT

Cheers,

Steve
Sanesecurity.com



Thank you Steve,

I am using the Sanesecurity signatures for a long time
but at the time I wrote my post to the list, I ran clamdscan
only on the exe file. If I run clamdscan on both, the zip and the exe 
file, the malware in the zip file is detected:


clamdscan /tmp/bann/*
/tmp/bann/2014_06rechnung_12553625576148_sign.zip: Sanesecurity.Malware.23787.ZipHeur.UNOFFICIAL FOUND


/tmp/bann/Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe: OK

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.137 sec (0 m 0 s)


Best regards,
Walter.




Re: [clamav-users] Bad detection rate

2014-06-23 Thread Joel Esler (jesler)
Always, as a reminder, we have the ClamAV Community sigs list, which anyone in 
the world can submit signatures to us, which we’ll put through the system and 
they’ll go out in the official list.

http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jun 23, 2014, at 2:00 PM, Dennis Peterson wrote:

Quick dump of found signature results: ClamAV vs Basford et al

Unofficial sigs, total:
grep UNOFFICIAL clam* |wc -l
174

Unofficial Sane Security sigs found
grep Sanesecur.*FOUND clam* |wc -l
141

Official ClamAV sigs found:
grep FOUND clam* |grep -c -v UNOFFICIAL
10

Non-Sanesecurity unofficial sigs found:
grep UNOFFICIAL clam* |grep -v Sanesecurity |awk '{print $8}' |sort |uniq -c |sort -rn
 7 winnow.spam.ts.stock.4.UNOFFICIAL
 7 ScamNailer.Phish.info_AT_un.org.UNOFFICIAL
 3 winnow.spam.ts.miscspam.843424.UNOFFICIAL
 3 winnow.malware.m0.malware.863749.UNOFFICIAL
 2 winnow.spam.ts.yahoo.1.UNOFFICIAL
 2 winnow.spam.ts.miscspam.848859.UNOFFICIAL
 2 ScamNailer.Phish.info_AT_uk-lotto.co.uk.UNOFFICIAL
 1 winnow.spam.ts.photoeditting.12.UNOFFICIAL
 1 winnow.spam.ts.miscspam.842244.UNOFFICIAL
 1 ScamNailer.Phish.test_AT_test.com.UNOFFICIAL
 1 ScamNailer.Phish.neyland_AT_gonzaga.edu.UNOFFICIAL
 1 ScamNailer.Phish.info_AT_loan.com.UNOFFICIAL
 1 ScamNailer.Phish.info_AT_it.org.UNOFFICIAL
 1 ScamNailer.Phish.fedmail_AT_fedmail.prime-vendor.com.UNOFFICIAL
33

Good job, Steve.

On 6/23/14, 10:36 AM, Steve Basford wrote:
On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote:
This morning I submitted the file
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)
on virustotal.com.

4 out of 54 scanners detected a virus
(NOD32 named it Win32/Kryptik.CFAE)
but ClamAV did not detect it.
Hi Walter,

This was added to phish.ndb:

Sanesecurity.Malware.23787.ZipHeur

Added: 23 Jun 2014 09:32:40 UT

Cheers,

Steve
Sanesecurity.com



Re: [clamav-users] Bad detection rate

2014-06-23 Thread Dennis Peterson

Quick dump of found signature results: ClamAV vs Basford et al

Unofficial sigs, total:
grep UNOFFICIAL clam* |wc -l
174

Unofficial Sane Security sigs found
grep Sanesecur.*FOUND clam* |wc -l
141

Official ClamAV sigs found:
grep FOUND clam* |grep -c -v UNOFFICIAL
10

Non-Sanesecurity unofficial sigs found:
grep UNOFFICIAL clam* |grep -v Sanesecurity |awk '{print $8}' |sort |uniq -c |sort -rn

  7 winnow.spam.ts.stock.4.UNOFFICIAL
  7 ScamNailer.Phish.info_AT_un.org.UNOFFICIAL
  3 winnow.spam.ts.miscspam.843424.UNOFFICIAL
  3 winnow.malware.m0.malware.863749.UNOFFICIAL
  2 winnow.spam.ts.yahoo.1.UNOFFICIAL
  2 winnow.spam.ts.miscspam.848859.UNOFFICIAL
  2 ScamNailer.Phish.info_AT_uk-lotto.co.uk.UNOFFICIAL
  1 winnow.spam.ts.photoeditting.12.UNOFFICIAL
  1 winnow.spam.ts.miscspam.842244.UNOFFICIAL
  1 ScamNailer.Phish.test_AT_test.com.UNOFFICIAL
  1 ScamNailer.Phish.neyland_AT_gonzaga.edu.UNOFFICIAL
  1 ScamNailer.Phish.info_AT_loan.com.UNOFFICIAL
  1 ScamNailer.Phish.info_AT_it.org.UNOFFICIAL
  1 ScamNailer.Phish.fedmail_AT_fedmail.prime-vendor.com.UNOFFICIAL
33

Good job, Steve.

On 6/23/14, 10:36 AM, Steve Basford wrote:

On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote:

This morning I submitted the file
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)
on virustotal.com.

4 out of 54 scanners detected a virus
(NOD32 named it Win32/Kryptik.CFAE)
but ClamAV did not detect it.

Hi Walter,

This was added to phish.ndb:

Sanesecurity.Malware.23787.ZipHeur

Added: 23 Jun 2014 09:32:40 UT

Cheers,

Steve
Sanesecurity.com

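
Dennis's grep/awk pipeline tallies clamd hits by which signature set caught them. The following is an added example, not code from this thread, that does the same over clamd log lines of the format Walter posted earlier in the thread: it attributes each FOUND line to the official set or to a third-party publisher using the ".UNOFFICIAL" suffix and the first component of the signature name. The first and third log lines reproduce Walter's entries; the remaining lines, the afs5NKexample paths and the name Example.Official.Sig-1 are constructed for the example.

```python
"""Tally clamd FOUND lines by signature source (official vs third-party).

Added example, not from the thread. clamd appends ".UNOFFICIAL" to the
names of signatures loaded from databases that ClamAV has not signed, and
third-party feeds prefix their names with the publisher (Sanesecurity,
winnow, ScamNailer), so suffix plus first name component attribute a hit.
"""
import re
from collections import Counter

# Constructed sample log. The two Sanesecurity lines reproduce entries from
# Walter's clamd log in this thread; the rest are made up, and
# Example.Official.Sig-1 is a placeholder for an official signature name.
SAMPLE_LOG = """\
Mon Jun 23 21:08:27 2014 -> /var/amavisd/afs5NJ8Q5r020716/parts/p005: Sanesecurity.Malware.23787.ZipHeur.UNOFFICIAL(69bef6560be0d55ce5956533627cb083:124659) FOUND
Mon Jun 23 21:10:16 2014 -> SelfCheck: Database status OK.
Mon Jun 23 21:28:27 2014 -> /var/amavisd/afs5NJSQ42006874/parts/p005: Sanesecurity.Malware.23787.ZipHeur.UNOFFICIAL(f3b2ccae8204ca28d90c5e648ad5f964:124659) FOUND
Mon Jun 23 21:41:03 2014 -> /var/amavisd/afs5NKexample1/parts/p002: winnow.spam.ts.stock.4.UNOFFICIAL FOUND
Mon Jun 23 21:55:48 2014 -> /var/amavisd/afs5NKexample2/parts/p003: ScamNailer.Phish.info_AT_un.org.UNOFFICIAL FOUND
Mon Jun 23 22:03:11 2014 -> /var/amavisd/afs5NKexample3/parts/p005: Example.Official.Sig-1 FOUND
Mon Jun 23 22:10:17 2014 -> SelfCheck: Database status OK.
"""

# "<timestamp> -> <path>: <signature> FOUND"; SelfCheck and OK lines don't match.
FOUND_RE = re.compile(r"^(?P<ts>.+?) -> (?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_found(line):
    """Return (path, signature) for a FOUND line, else None."""
    m = FOUND_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # Hash-based hits carry "(hash:size)" after the name; drop it.
    sig = m.group("sig").split("(", 1)[0]
    return m.group("path"), sig


def source_of(sig):
    """('unofficial', publisher) for third-party sigs, ('official', 'ClamAV') otherwise."""
    if sig.endswith(".UNOFFICIAL"):
        return "unofficial", sig.split(".", 1)[0]
    return "official", "ClamAV"


def tally(lines):
    """Return (counts keyed by status and publisher, counts keyed by signature)."""
    counts = Counter()
    by_sig = Counter()
    for line in lines:
        parsed = parse_found(line)
        if parsed is None:
            continue
        _path, sig = parsed
        status, publisher = source_of(sig)
        counts[status] += 1
        counts[publisher] += 1
        by_sig[sig] += 1
    return counts, by_sig


def report(lines):
    """Render the tally in the shape of Dennis's 'sort | uniq -c | sort -rn' output."""
    counts, by_sig = tally(lines)
    out = [f"official: {counts['official']}, unofficial: {counts['unofficial']}"]
    for sig, n in by_sig.most_common():
        out.append(f"{n:4d} {sig}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run against a real clamd.log the official/unofficial split shows how much of a mail gateway's coverage currently depends on third-party feeds, which is the point of Dennis's 174 versus 10 figures. Note that clamd reports only the first matching signature per object unless AllMatch is enabled, so a file covered by both sets is counted once, under whichever matched first.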


Re: [clamav-users] Bad detection rate

2014-06-23 Thread Steve Basford

On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote:
>
> This morning I submitted the file
> Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
> (MD5 ad690be247dda635781e20887fcac0e7)
> on virustotal.com.
>
> 4 out of 54 scanners detected a virus
> (NOD32 named it Win32/Kryptik.CFAE)
> but ClamAV did not detect it.

Hi Walter,

This was added to phish.ndb:

Sanesecurity.Malware.23787.ZipHeur

Added: 23 Jun 2014 09:32:40 UT

Cheers,

Steve
Sanesecurity.com



Re: [clamav-users] Bad detection rate

2014-06-23 Thread Dennis Peterson

The OP brought up several points, none of which were addressed.

1. Nevertheless, the detection rate of viruses, trojans, etc. is not very good.
Almost every time I submit a sample file on virustotal.com, ClamAV cannot detect
the virus or malware.


2. Up to now, I never got a notification, although "Notify me" was checked.

3. Why shall we not post more than two sample files per day?

4. What can we do to improve the detection rate of ClamAV?


Let's start the conversation.

dp


On 6/23/14, 9:42 AM, Alain Zidouemba wrote:

Walter,

We received your sample for the first time today and will be analyzing it
for coverage in the ClamAV signature set. Thanks for your submission.

If you are planning to submit a large number of samples on a regular basis,
please contact me off-list.

- Alain


On Mon, Jun 23, 2014 at 11:47 AM, Walter Bürger 
wrote:


Hi dear ClamAV team,

ClamAV is good software and it has been running very stably
on my servers for years!

Many thanks for ClamAV and for your efforts making it
such a stable software!

Nevertheless, the detection rate of viruses, trojans, etc.
is not very good.

Almost every time I submit a sample file on virustotal.com,
ClamAV cannot detect the virus or malware.

This morning I submitted the file
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)
on virustotal.com.

4 out of 54 scanners detected a virus
(NOD32 named it Win32/Kryptik.CFAE)
but ClamAV did not detect it.

About 4 hours later I checked again and
12 out of 54 scanners detected a virus in this file
but ClamAV did not detect it.

Of course I submitted this sample file on
http://www.clamav.net/lang/en/sendvirus/submit-malware/
too.

Up to now, I never got a notification, although "Notify me" was checked.

A few minutes ago on one of my mailservers:
clamdscan Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe: OK

Why shall we not post more than two sample files per day?
I think you would get many more sample files and hence a better detection
rate.
While submitting my sample file to
http://www.clamav.net/lang/en/sendvirus/submit-malware/
"Share this sample with other AV vendors" was checked.
Do other AV vendors share their samples with ClamAV?

What can we do to improve the detection rate of ClamAV?

Best regards,
Walter.



Re: [clamav-users] Bad detection rate

2014-06-23 Thread Alain Zidouemba
Walter,

We received your sample for the first time today and will be analyzing it
for coverage in the ClamAV signature set. Thanks for your submission.

If you are planning to submit a large number of samples on a regular basis,
please contact me off-list.

- Alain


On Mon, Jun 23, 2014 at 11:47 AM, Walter Bürger 
wrote:

>
> Hi dear ClamAV team,
>
> ClamAV is good software and it has been running very stably
> on my servers for years!
>
> Many thanks for ClamAV and for your efforts making it
> such a stable software!
>
> Nevertheless, the detection rate of viruses, trojans, etc.
> is not very good.
>
> Almost every time I submit a sample file on virustotal.com,
> ClamAV cannot detect the virus or malware.
>
> This morning I submitted the file
> Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
> (MD5 ad690be247dda635781e20887fcac0e7)
> on virustotal.com.
>
> 4 out of 54 scanners detected a virus
> (NOD32 named it Win32/Kryptik.CFAE)
> but ClamAV did not detect it.
>
> About 4 hours later I checked again and
> 12 out of 54 scanners detected a virus in this file
> but ClamAV did not detect it.
>
> Of course I submitted this sample file on
> http://www.clamav.net/lang/en/sendvirus/submit-malware/
> too.
>
> Up to now, I never got a notification, although "Notify me" was checked.
>
> A few minutes ago on one of my mailservers:
> clamdscan Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
> Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe: OK
>
> Why shall we not post more than two sample files per day?
> I think you would get many more sample files and hence a better detection
> rate.
> While submitting my sample file to
> http://www.clamav.net/lang/en/sendvirus/submit-malware/
> "Share this sample with other AV vendors" was checked.
> Do other AV vendors share their samples with ClamAV?
>
> What can we do to improve the detection rate of ClamAV?
>
> Best regards,
> Walter.
>
>

[clamav-users] Bad detection rate

2014-06-23 Thread Walter Bürger


Hi dear ClamAV team,

ClamAV is good software and it has been running very stably
on my servers for years!

Many thanks for ClamAV and for your efforts making it
such a stable software!

Nevertheless, the detection rate of viruses, trojans, etc.
is not very good.

Almost every time I submit a sample file on virustotal.com,
ClamAV cannot detect the virus or malware.

This morning I submitted the file
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)
on virustotal.com.

4 out of 54 scanners detected a virus
(NOD32 named it Win32/Kryptik.CFAE)
but ClamAV did not detect it.

About 4 hours later I checked again and
12 out of 54 scanners detected a virus in this file
but ClamAV did not detect it.

Of course I submitted this sample file on
http://www.clamav.net/lang/en/sendvirus/submit-malware/
too.

Up to now, I never got a notification, although "Notify me" was checked.

A few minutes ago on one of my mailservers:
clamdscan Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe: OK

Why shall we not post more than two sample files per day?
I think you would get many more sample files and hence a better
detection rate.

While submitting my sample file to
http://www.clamav.net/lang/en/sendvirus/submit-malware/
"Share this sample with other AV vendors" was checked.
Do other AV vendors share their samples with ClamAV?

What can we do to improve the detection rate of ClamAV?

Best regards,
Walter.


