Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-09 Thread Wouter Miltenburg
Hi all,

Was subscribed to this mailing list for some time and didn't respond to
it that much, but this topic really got my attention.
> What rubbish... ClamAV always lags behind the commercial vendors in
> any comparative you wish to mention.
>
> The majority of well established vendors will also do a better job of
> detecting and pushing out definitions as it seems that ClamAV is
> reactive, not proactive on the definitions front  
Do you have any proof of this somewhat of an accusation? It sounds to me
like you are only talking about the problem that you are facing right
now. I quickly looked through my old mails and didn't see your name pop
up, nor do I see any other issues that you have highlighted in this
mailing list.

>> What other av product can you make your own virus signatures with, not 
>> useful,  hmm
> You don't need to when they've got a decent set of analysts who are on
> the ball and push out new definitions quickly !
>
> F-Secure, Sophos, Kaspersky and others all had coverage already of this virus.
>
> Seriously, why should I mess around with creating virus signatures,
> its a waste of my time.
>
> Evangelising over how wonderful open-source anti-virus is is great
> but if you're severely lagging on pushing out virus definitions then
> it very quickly removes the attractiveness of the product.   80% of
> people using your open-source project won't have the knowledge, time
> or inclination to hack together their own virus definitions 

I may be wrong, but it really sounds to me like you are only frustrated
about the issue that you are experiencing right now. I didn't see any
other complaints from you about ClamAV or complaints about signature
creation. One of the ideas behind some of the open source projects is
that you can contribute to the project or discuss the issues that you
are facing with a certain open source project. The problem with this
whole thread is that you are only criticising the ClamAV project but
don't come up with any suggestions. Some of the suggestions from people
were to create the signatures yourself. You immediately rejected the
whole idea about creating your own signatures and you are only
complaining. There was never, never once, a suggestion from your side.
If you really want to help this community and make the open source
project better, please give suggestions on how we could make it better.
Please keep in mind that not all open source projects have the money or
people to be as good as commercial companies.

Cheers,
Wouter.
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-07 Thread Alessandro Vesely
On Mon 06/Oct/2014 15:37:34 +0200 Tim Smith wrote: 

>> are you really trying to compare response times from PAID
>> solutions to the free/community maintained ones 
> 
> Of course not, the paid solutions will always be better.

Careful betting on that... It's the famous-last-words sort of phrase.

Ten years ago I started using Sophos, as I deemed an AV product was
way too much of an engagement for an unpaid free-software developer to
maintain.  I switched to ClamAV only a few months ago as Sophos
discontinued their Linux support, and I'm happy to see I was wrong.

ClamAV is unique in its category, so it's well possible that there's
room for improving both the cooperation on detection/analysis and the
software tools to accomplish it.  Of course, global cooperation will
be unbeatable once established.

OTOH, users of proprietary products will always be at the mercy of
marketing teams striving after profits, where more profitable is not
necessarily better for users.

> But three days to get some definitions pushed out for a zero-day is a
> bit on the slow side, you must agree !

Agreed, but I received 0-day viral mail even when scanning with
Sophos.  I'm not going to switch back, really.

Ale


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-07 Thread Bernd Petrovitsch
On Mon, 2014-10-06 at 15:21 +0100, Tim Smith wrote:
> > but call paid prebuilt software always better is not correct, but mostly 
> > just marketing
> 
> What rubbish... ClamAV always lags behind the commercial vendors in
> any comparative you wish to mention.
> 
> The majority of well established vendors will also do a better job of
> detecting and pushing out definitions as it seems that ClamAV is
> reactive, not proactive on the definitions front  

Well, as with all free software/open source, you can help to speed it
up.

[...]
> Seriously, why should I mess around with creating virus signatures,
> its a waste of my time.

To get them earlier/faster into ClamAV?

[...]
> it very quickly removes the attractiveness of the product.   80% of
> people using your open-source project won't have the knowledge, time
> or inclination to hack together their own virus definitions 

At least that is the same with the proprietary vendors: then you
get what they feel like delivering to you.

Bernd
-- 
"I dislike type abstraction if it has no real reason. And saving
on typing is not a good reason - if your typing speed is the main
issue when you're coding, you're doing something seriously wrong."
- Linus Torvalds



Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Webmaster
Hi,

> Speaking of SecuriteInfo, is the "High Risk" label deserved
> for the spam_marketing signatures?  Have used all the others
> in the Securite list but that one.

Yes, spam_marketing.ndb has a high level of false positives. Why? Because it 
focuses on French spam/marketing/private selling/special offers/and mailing lists 
I haven't subscribed to. It also targets scams from Africa or Asia, and other kinds 
of emails my customers don't want. But some of my customers *want* to receive 
these kinds of emails (gasp!).

You can use .ign signatures to suit your needs, or don't use 
spam_marketing.ndb at all. It is up to you. Give it a try by offline scanning 
your mailboxes and see for yourself what is detected. If you believe some 
signatures are generating too many false positives, please contact me off list. 
Maybe spam_marketing.ndb needs tuning after all.

My (French) customers and I are pretty happy with spam_marketing.ndb. They 
have very little spam passing through.

The other signature files I provide have a very low false positive rate.

Best regards,

Arnaud Jacques
SecuriteInfo.com


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Dennis Peterson

On 10/6/14 7:21 AM, Tim Smith wrote:
> Seriously, why should I mess around with creating virus signatures, it's a 
> waste of my time.

Because that is the norm for community-supported products and because nobody but 
you is ultimately responsible for protecting your systems from malware.


dp


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Vincent Fox


On 10/06/2014 08:32 AM, Webmaster wrote:
> On Monday 6 October 2014, 10:05:11 Alain Zidouemba wrote:
>>> If you think it needs to be quicker, then maybe you could volunteer your
>>> time to help with the analysis (I'm not sure how you'd go about this)
>
> Or use this :
>
> https://securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
>
> It raises the ClamAV detection rate up to 80% on 0-day malware.

Speaking of SecuriteInfo, is the "High Risk" label deserved
for the spam_marketing signatures?  Have used all the others
in the Securite list but that one.



Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Benny Pedersen

On October 6, 2014 4:21:58 PM Tim Smith  wrote:

> Seriously, why should I mess around with creating virus signatures,
> it's a waste of my time.

Well said, this mailing list here is not a waste of your time, can you pay back  
now ?



Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Webmaster
On Monday 6 October 2014, 10:05:11 Alain Zidouemba wrote:
> > If you think it needs to be quicker, then maybe you could volunteer your
> > time to help with the analysis (I'm not sure how you'd go about this)

Or use this :

https://securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml

It raises the ClamAV detection rate up to 80% on 0-day malware.

Best regards

Arnaud Jacques
SecuriteInfo.com


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Paul Smith


On 06/10/2014 15:21, Tim Smith wrote:
>> but call paid prebuilt software always better is not correct, but mostly just 
>> marketing
>
> What rubbish... ClamAV always lags behind the commercial vendors in
> any comparative you wish to mention.

Not if I want to make my own signatures...

It also beats the others on price and (IMHO) usability.

>> What other av product can you make your own virus signatures with, not useful, 
>>  hmm
>
> You don't need to when they've got a decent set of analysts who are on
> the ball and push out new definitions quickly !

Yes you do.

We have AVG, Avira, Sophos and ClamAV.

Yes, AVG, Avira and Sophos will release virus definition updates before 
ClamAV. But usually by the time even Sophos have released their updates 
we've already received a few thousand copies of the virus.

With ClamAV we can beat Sophos by adding our own definitions, so we can 
beat even the fastest AV vendors by a few hours (that's not knocking 
them, we have different requirements from them, so we can knock together 
a simple signature test and if we cause false positives, it's our 
problem. We're not going to have zillions of other people complaining 
and be on news channels because we broke something).

> Seriously, why should I mess around with creating virus signatures,
> it's a waste of my time.

OK. That's a valid choice, in which case YOU will probably be better off 
spending money on a commercial product.  For other people, the few 
seconds to generate a signature is worth the many thousands of pounds 
savings they'll make from not using a commercial product. Neither is 
wrong, just different priorities.




-


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Joel Esler (jesler)

> On Oct 6, 2014, at 10:21 AM, Tim Smith  wrote:
> 
>> but call paid prebuilt software always better is not correct, but mostly 
>> just marketing
> 
> What rubbish... ClamAV always lags behind the commercial vendors in
> any comparative you wish to mention.
> 
> The majority of well established vendors will also do a better job of
> detecting and pushing out definitions as it seems that ClamAV is
> reactive, not proactive on the definitions front  ….

Incorrect.  For instance, just one of our signatures may catch tens of 
thousands of samples.  We can malware when it arrives, and if we catch the 
“new” piece of malware with an already present signature, we assign the new 
piece of malware to the already present signature.  For instance, I just went 
into our internal interface, and picked the first “prior detect” on my list, 
and it has 94 pieces of malware assigned to it.  You can actually see some of 
the de-duplicated ones if you subscribe to the clamav-virusdb mailing list.  We 
don’t list them all in there, because frankly it’d be too large of an email to 
send out.  So only particular malware “Senders” are there.

Just because we don’t detect the piece of malware that you found, doesn’t mean 
we aren’t proactive.  

> 
>> What other av product can you make your own virus signatures with, not 
>> useful,  hmm
> 
> You don't need to when they've got a decent set of analysts who are on
> the ball and push out new definitions quickly !
> 
> F-Secure, Sophos, Kaspersky and others all had coverage already of this virus.

Those companies also have hundreds of analysts dedicated to the problem.  We 
don’t have hundreds.

> 
> Seriously, why should I mess around with creating virus signatures,
> its a waste of my time.

That’s kind of the point of a community open-source project.  

> 
> Evangelising over how wonderful open-source anti-virus is is great
> but if you're severely lagging on pushing out virus definitions then
> it very quickly removes the attractiveness of the product.   80% of
> people using your open-source project won't have the knowledge, time
> or inclination to hack together their own virus definitions ….

We try to make it very simple for people to do it, in fact, we include tools 
for people to be able to do it.
> 
> I'm off to sign up with one of the well established software vendors.

We’re sorry to see you go.  We try to offer a good service, for free, to the 
community in order to make the internet, just a little bit safer.   We’ll 
understand if you’d like a refund.  ;)


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> 
> On 6 October 2014 14:55, Benny Pedersen  wrote:
>> On October 6, 2014 3:37:34 PM Tim Smith  wrote:
>> 
>>>> are you really trying to compare response times from PAID solutions to
>>>> the free/community maintained ones ?
>>> Of course not, the paid solutions will always be better.
>> 
>> 
>> Dream on, my commodore 64 is the best 8bit computer ever not needing
>> antivirus at all, restarting it cleans any virus for free, sorry could not
>> resist
>> 
>>> But three days to get some definitions pushed out for a zero-day is a
>>> bit on the slow side, you must agree !
>> 
>> 
>> You are free to define opensource as you wish, but call paid prebuilt
>> software always better is not correct, but mostly just marketing
>> 
>> What other av product can you make your own virus signatures with, not
>> useful,  hmm
>> 




Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Tim Smith
> but call paid prebuilt software always better is not correct, but mostly 
> just marketing

What rubbish... ClamAV always lags behind the commercial vendors in
any comparative you wish to mention.

The majority of well established vendors will also do a better job of
detecting and pushing out definitions as it seems that ClamAV is
reactive, not proactive on the definitions front  

> What other av product can you make your own virus signatures with, not 
> useful,  hmm

You don't need to when they've got a decent set of analysts who are on
the ball and push out new definitions quickly !

F-Secure, Sophos, Kaspersky and others all had coverage already of this virus.

Seriously, why should I mess around with creating virus signatures,
its a waste of my time.

Evangelising over how wonderful open-source anti-virus is is great
but if you're severely lagging on pushing out virus definitions then
it very quickly removes the attractiveness of the product.   80% of
people using your open-source project won't have the knowledge, time
or inclination to hack together their own virus definitions 


I'm off to sign up with one of the well established software vendors.

On 6 October 2014 14:55, Benny Pedersen  wrote:
> On October 6, 2014 3:37:34 PM Tim Smith  wrote:
>
>>> are you really trying to compare response times from PAID solutions to
>>> the free/community maintained ones ?
>> Of course not, the paid solutions will always be better.
>
>
> Dream on, my commodore 64 is the best 8bit computer ever not needing
> antivirus at all, restarting it cleans any virus for free, sorry could not
> resist
>
>> But three days to get some definitions pushed out for a zero-day is a
>> bit on the slow side, you must agree !
>
>
> You are free to define opensource as you wish, but call paid prebuilt
> software always better is not correct, but mostly just marketing
>
> What other av product can you make your own virus signatures with, not
> useful,  hmm
>


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Alain Zidouemba
> If you think it needs to be quicker, then maybe you could volunteer your
> time to help with the analysis (I'm not sure how you'd go about this)


http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

- Alain


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Shawn Webb
On Mon, Oct 6, 2014 at 9:37 AM, Tim Smith  wrote:

>> are you really trying to compare response times from PAID solutions to
>> the free/community maintained ones 
>
> Of course not, the paid solutions will always be better.
>
> But three days to get some definitions pushed out for a zero-day is a
> bit on the slow side, you must agree !


A few months ago, Joel Esler and the ClamAV signature writing team
introduced the Community Signatures mailing list for sharing signatures.
You could always create the detection signatures yourself and submit them
to us via the Community Signatures list. Additionally, as has been said
before, you can always just submit the file via the normal signatures then
ping us here on this list with the md5/sha256 hash of the file you
submitted.

Thanks,

Shawn


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Paul Smith


On 06/10/2014 14:37, Tim Smith wrote:
>> are you really trying to compare response times from PAID solutions to the 
>> free/community maintained ones 
>
> Of course not, the paid solutions will always be better.
>
> But three days to get some definitions pushed out for a zero-day is a
> bit on the slow side, you must agree !

It's only on the slow side if you expect it to be quicker... Personally, 
I'm glad this is available at all from a free solution.


As other people have said, you can make YOUR Clam AV installation detect 
the virus pretty much instantly - which is much quicker than any paid 
solution.

(eg http://www.clamav.net/doc/latest/signatures.pdf)

Analysing a virus & updating signatures is not a quick & trivial job, 
and they'll get lots of samples submitted (I've heard figures of a 
million a day). Many will be duplicates, but many will also be innocuous 
files where someone has been paranoid, or even where files are 
maliciously submitted, so I expect that files that are submitted have to 
be checked somehow to make sure they really are malicious files, and a 
useful signature has to be generated and tested. I'm fairly sure you'd 
be (rightly) miffed if an update was released which suddenly generated 
lots of false positives because corners had been cut.


If you think it needs to be quicker, then maybe you could volunteer your 
time to help with the analysis (I'm not sure how you'd go about this) or 
send a financial donation to help with the process. Obviously the paid 
AV solutions will have more resources to do this task than a community 
maintained one will have, so you'd expect the paid ones to be 
considerably quicker.




-


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
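Added example, not code from the thread or from the ClamAV project, of the "make your own signature" route Paul describes above (and the md5/sha256 submission Shawn mentions in his reply). It builds the .hdb line that `sigtool --md5` prints for a sample, matches files against it the way clamscan's hash matcher does (md5 and size must both agree), and honours an .ign2 whitelist (one signature name per line); the EICAR test string stands in for a sample, and all file and signature names are constructed.

```python
# Added example (not from the thread or from ClamAV): build a ClamAV hash
# signature (.hdb, "md5:size:name") for a sample and scan files against a
# small signature set, honouring an .ign2 whitelist of signature names.
# The sample is the EICAR test string, a harmless file every AV product
# detects by design; file names and signature names are constructed.
import hashlib
import os
import tempfile

# EICAR test string (68 bytes); the backslash is doubled for Python.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hdb_entry(data: bytes, name: str) -> str:
    """Return the .hdb line 'md5:size:name' for the given bytes."""
    if not name or ":" in name:
        raise ValueError("signature name must be non-empty and contain no ':'")
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hdb_entry_for_file(path: str, name: str) -> str:
    """Same as hdb_entry but read the sample from disk, like sigtool --md5."""
    with open(path, "rb") as fh:
        return hdb_entry(fh.read(), name)


def load_hdb(text: str) -> dict:
    """Parse .hdb text into {(md5, size): name}; blank and '#' lines skip."""
    sigs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or len(parts[0]) != 32 or not parts[1].isdigit():
            raise ValueError(f"malformed .hdb entry on line {lineno}: {line!r}")
        digest, size, name = parts
        sigs[(digest.lower(), int(size))] = name
    return sigs


def load_ign2(text: str) -> set:
    """Parse .ign2 text (one signature name per line) into a set of names."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def scan_bytes(data: bytes, sigs: dict, ignored=frozenset()):
    """Return the matching signature name, or None if clean or whitelisted.
    As in clamscan, both the md5 and the file size must match the entry."""
    key = (hashlib.md5(data).hexdigest(), len(data))
    name = sigs.get(key)
    if name is None or name in ignored:
        return None
    return name


def scan_file(path: str, sigs: dict, ignored=frozenset()):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), sigs, ignored)


def demo() -> dict:
    """Write EICAR and a benign file to a temp dir, sign one, scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "invoice.exe")   # constructed file name
        good = os.path.join(tmp, "notes.txt")    # constructed file name
        with open(bad, "wb") as fh:
            fh.write(EICAR)
        with open(good, "wb") as fh:
            fh.write(b"nothing to see here\n")
        local_hdb = hdb_entry_for_file(bad, "Local.Eicar.Test") + "\n"
        sigs = load_hdb(local_hdb)
        ignored = load_ign2("# local whitelist\nLocal.Eicar.Test\n")
        return {
            "hdb": local_hdb.strip(),
            "bad": scan_file(bad, sigs),
            "good": scan_file(good, sigs),
            "bad_whitelisted": scan_file(bad, sigs, ignored),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Drop the .hdb line into ClamAV's database directory (alongside an .ign2 file if you need to silence it) and clamscan picks it up on the next run, with no wait for an upstream update.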


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Benny Pedersen

On October 6, 2014 3:37:34 PM Tim Smith  wrote:

>> are you really trying to compare response times from PAID solutions to 
>> the free/community maintained ones ?
>
> Of course not, the paid solutions will always be better.

Dream on, my commodore 64 is the best 8bit computer ever not needing 
antivirus at all, restarting it cleans any virus for free, sorry could not 
resist

> But three days to get some definitions pushed out for a zero-day is a
> bit on the slow side, you must agree !

You are free to define opensource as you wish, but call paid prebuilt 
software always better is not correct, but mostly just marketing

What other av product can you make your own virus signatures with, not 
useful,  hmm



Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Tim Smith
> are you really trying to compare response times from PAID solutions to the 
> free/community maintained ones 

Of course not, the paid solutions will always be better.

But three days to get some definitions pushed out for a zero-day is a
bit on the slow side, you must agree !


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Tim Smith
Gene,

>Perhaps you should consider submitting them in a compressed file format
>that is NOT proprietary to apple and which carries a per seat license fee?


How about ***YOU*** consider the fact that I was merely submitting a
RAR file because that was the exact file that was received in my email
!

I received a RAR, thus I submitted a RAR !

Geez ... some people !

;-(

On 3 October 2014 15:39, Gene Heskett  wrote:
> On Friday 03 October 2014 07:19:13 Tim Smith did opine
> And Gene did reply:
>> Hi,
>>
>> Over the last 24-48 hours, I submitted a number of email attachments.
>> RAR files that contained viruses.
>>
>> Running one or two of them through VirusTotal today, I see ClamAV have
>> *STILL* not managed to produce virus definitions for them !
>>
>> All of the commercial vendors I submitted the samples to had analysed
>> and created samples in timeframes ranging from hours to one day.
>>
>> At this rate I'm going to be dumping ClamAV from my systems and
>> subscribing to a service from a commercial vendor .
>>
>> Looking forward to hearing the reasons why !
>
> Perhaps you should consider submitting them in a compressed file format
> that is NOT proprietary to apple and which carries a per seat license fee?
>
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
>  soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page 
> US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Joel Esler (jesler)

> On Oct 3, 2014, at 5:16 PM, Dennis Peterson  wrote:
> 
> On 10/3/14 2:11:15PM, Charles Swiger wrote:
>> On Oct 3, 2014, at 1:54 PM, Leonardo Rodrigues  
>> wrote:
>>> On 03/10/14 08:19, Tim Smith wrote:
>>>> All of the commercial vendors I submitted the samples to had analysed
>>>> and created samples in timeframes ranging from hours to one day.
>>>> 
>>>> At this rate I'm going to be dumping ClamAV from my systems and
>>>> subscribing to a service from a commercial vendor .
>>> are you really trying to compare response times from PAID solutions to 
>>> the free/community maintained ones 
>> Assuming this wasn't a rhetorical question, the answer is pretty clearly: 
>> yes.
>> 
>> So what?  I would expect that an expensive A/V solution should do better 
>> than ClamAV does for free.
>> Frankly, it's a credit to the ClamAV team that their offering provides 
>> significant value for the price
>> 
>> Regards,
> 
> ClamAV also gives each of us tools to provide a Day Zero response to a 
> threat. Our responsibility to our users (for those of us who have them) is to 
> take advantage of that tool set.


Well said Dennis.

The other part of the equation is that we are always open to accepting the 
signatures and protection generated by our users for the greater good via our 
community signatures mailing list.

http://www.clamav.net/contact.html#ml 


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Ed Christiansen MS

exactly

On 10/3/2014 4:54 PM, Leonardo Rodrigues wrote:
> On 03/10/14 08:19, Tim Smith wrote:
>> All of the commercial vendors I submitted the samples to had analysed
>> and created samples in timeframes ranging from hours to one day.
>>
>> At this rate I'm going to be dumping ClamAV from my systems and
>> subscribing to a service from a commercial vendor .
>
> are you really trying to compare response times from PAID
> solutions to the free/community maintained ones 





Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Joel Esler (jesler)

> On Oct 3, 2014, at 5:12 PM, Dennis Peterson  wrote:
> 
> On 10/3/14 8:10:24AM, Mark Allan wrote:
>> On 3 Oct 2014, at 03:39 pm, Gene Heskett  wrote:
>> 
>>> On Friday 03 October 2014 07:19:13 Tim Smith did opine
>>>> Over the last 24-48 hours, I submitted a number of email attachments.
>>>> RAR files that contained viruses.
>>>> 
>>>> Running one or two of them through VirusTotal today, I see ClamAV have
>>>> *STILL* not managed to produce virus definitions for them !
>>>> 
>>>> All of the commercial vendors I submitted the samples to had analysed
>>>> and created samples in timeframes ranging from hours to one day.
>>>> 
>>>> At this rate I'm going to be dumping ClamAV from my systems and
>>>> subscribing to a service from a commercial vendor .
>>>> 
>>>> Looking forward to hearing the reasons why !
>>> Perhaps you should consider submitting them in a compressed file format
>>> that is NOT proprietary to apple and which carries a per seat license fee?
>>> 
>>> Cheers, Gene Heskett
>> I'll admit that Tim's email rather reeked of entitlement, but Gene's 
>> response is just confusing and wrong.  Yes, the RAR file format is 
>> proprietary, but not to Apple - it was a Russian named Eugene Roshal (Roshal 
>> ARchive hence RAR) who came up with it and the licence is only required for 
>> creating files of that format; software to extract RAR files is free.
>> 
>> Also, ClamAV already contains code to unRAR these archives.
>> 
>> Anyway, I digress from the original question.
>> 
>> The reason it takes time to generate signatures from files/samples which are 
>> contributed by users is that the signatures are still generated manually by 
>> humans, most of whom have other jobs and unless I'm mistaken are therefore 
>> giving their time voluntarily.  I've always found the turnaround time to be 
>> pretty good actually, especially for free software.
>> 
>> Mark
>> 
> 
> From http://www.unrarlib.org/faq.html
> 
> Q: Do you know that the license for the unrar sources from RARLab is not 
> compatible with the GNU Public license?
> 
> A: Yes, this is true. But we have the permission from Eugene Roshal to 
> release unrarlib 0.4.0 under GPL and unrarlib-license. Note: this doesn't 
> mean that RAR is free now or you can use the unrar source from RARlabs under 
> GPL. You are just allowed to use UniquE RAR File Library version 0.4.0 
> (unrarlib 0.4.0) under GPL.
> 
> A lot of people avoid RAR as a result.


We have issues with some distributions, as they don’t want to build that 
feature in (because of the license) or don’t build Clam into the distribution 
at all because of this exclusion.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos




Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-04 Thread G.W. Haywood

Hi Steve,

On Sat, 4 Oct 2014, Steve Basford wrote:

> Slightly off topic, does anyone have a folder full of saved malware
> zips/rars etc. they have kept over the past xxx months, if so can U
> contact me off-list...

I don't, exactly, but I do keep records and I do look at them.

Firstly I'm only interested in what's in electronic mail.  I don't run
Windows boxes, and on the odd occasion that I need one I fire up a VM.

However the several mail servers and many other Linux boxes for which
I'm responsible have the potential to assist in the propagation of
malicious software to customers, suppliers, colleagues, family and
casual acquaintances all around the world.  Although running only
Linux boxes means I can more or less forget the threat from malware to
the machines themselves, I take the view that using them to communicate
with more vulnerable systems gives me some responsibilities.  One of my
employees could, for example, forward a message with a malicious link
in it (to which the Linux box she uses is not vulnerable) to someone
using XP.  Six months after XP went EOL, over 25% of the Windows boxes
in the UK for example are still running it.

I can't say I blame people for not wanting to be shafted by Microsoft
yet again, but I don't think they're being very responsible.  Perhaps
they'd only have themselves to blame for not using Linux, but I don't
want to add to their problems, nor to those of almost everyone else,
by sending them a virus for which their machine has no defence - and
thus help to create a source of yet more trouble.

So here's what I do: after binning stuff from 25% of the IPV4 address
space without even looking at it, and then everything from (at present)
seventy-four country codes after paying them much the same attention, I
then pass the much-thinned cream of the crop through a huge regular
expression filter which looks for things like my spam-trap addresses
(more for the bin) and if anything's left I use MIMEDefang to delete
every attachment that might be some sort of Windows executable.  If a
message contains an archive which can't be extracted (e.g. password
protected) then it goes in the bit bucket as well.

Finally, ClamAV gets to look at what little is left.

Why am I scanning stuff that can't be executed?  Well, it still might
be cr@p that we don't want.

That's where Sanesecurity comes in.  I don't actually care if ClamAV can
find a virus or not, that's not what I'm using it for.  (And here we are
almost back on topic:).

My contribution to the off-topic topic is that the vast majority of
malicious email messages that I see now contain links to the real
payload, not the payload itself, and ClamAV doesn't get much to do:

2014.01.06 05:28:44 mail5 clamd[19238]: Sanesecurity.Junk.37650.UNOFFICIAL FOUND
2014.01.16 01:03:28 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.01.27 11:14:13 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.17130.UNOFFICIAL FOUND
2014.01.28 13:43:18 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.1117.UNOFFICIAL FOUND
2014.02.01 22:35:24 mail5 clamd[19238]: Email.Phishing.Card-9 FOUND
2014.02.11 18:40:51 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.19 08:39:54 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.22 18:19:02 mail5 clamd[19238]: Sanesecurity.Lott.1874.UNOFFICIAL FOUND
2014.03.03 15:46:01 mail5 clamd[19238]: Sanesecurity.Scam4.1567.UNOFFICIAL FOUND
2014.03.20 22:52:32 mail5 clamd[19238]: Sanesecurity.Junk.24795.UNOFFICIAL FOUND
2014.05.01 19:01:25 mail5 clamd[19238]: ScamNailer.Phish.administrator_AT_domain.com.UNOFFICIAL FOUND
2014.05.14 18:41:24 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.05.16 08:36:28 mail5 clamd[19238]: Sanesecurity.Junk.43451.UNOFFICIAL FOUND
2014.05.30 22:36:11 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.06.17 23:12:36 mail5 clamd[19238]: Sanesecurity.Spear.info_at_it_dot_org.UNOFFICIAL FOUND
2014.06.25 01:40:45 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.14 17:01:21 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.19 02:01:59 mail5 clamd[19238]: Sanesecurity.Scam4.1570.UNOFFICIAL FOUND
2014.07.28 17:41:24 mail5 clamd[19238]: Sanesecurity.Junk.20083.UNOFFICIAL FOUND
2014.08.14 18:42:14 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.06 15:33:23 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.12 21:13:47 mail5 clamd[19238]: Sanesecurity.Phishing.Fake.20863.UNOFFICIAL FOUND

This server has an incoming load of about 5,000 mostly spam messages
per day, the vast majority of which never get past MAIL FROM: in the
SMTP conversation.  As you can see, twenty-two messages were rejected
by ClamAV in nine months, of which *none* contained viruses because I
already dealt with them the easy way, using practically no CPU cycles.

So, in the same period, how many messages were rejected by MIMEDefa
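The clamd log quoted in the message above is exactly the kind of record that makes the "none of them were viruses" claim checkable. The Python script below is an added example, not code from the post, from ClamAV or from Sanesecurity: it parses the twenty-two lines quoted above (embedded as a constructed sample, re-joined one per line), then breaks the hits down by who produced the signature (the engine's built-in phishing heuristics, a third-party publisher identified by the .UNOFFICIAL suffix, or the official databases), by what the signature targets, and by month. The source and kind rules are this example's own keyword conventions; the log format regex follows the lines shown, with the scanned-file path made optional because real clamd lines normally carry one.

```python
import re
from collections import Counter

# Matches "date time host clamd[pid]: [path: ]SIGNATURE FOUND" as in the post.
# The post's lines carry no scanned-file path; real clamd lines usually do, so it is optional.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"clamd\[(?P<pid>\d+)\]: (?:(?P<path>.+): )?(?P<sig>\S+) FOUND\s*$"
)

# Constructed sample: the twenty-two lines quoted in the post, one per line.
SAMPLE_LOG = """\
2014.01.06 05:28:44 mail5 clamd[19238]: Sanesecurity.Junk.37650.UNOFFICIAL FOUND
2014.01.16 01:03:28 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.01.27 11:14:13 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.17130.UNOFFICIAL FOUND
2014.01.28 13:43:18 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.1117.UNOFFICIAL FOUND
2014.02.01 22:35:24 mail5 clamd[19238]: Email.Phishing.Card-9 FOUND
2014.02.11 18:40:51 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.19 08:39:54 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.22 18:19:02 mail5 clamd[19238]: Sanesecurity.Lott.1874.UNOFFICIAL FOUND
2014.03.03 15:46:01 mail5 clamd[19238]: Sanesecurity.Scam4.1567.UNOFFICIAL FOUND
2014.03.20 22:52:32 mail5 clamd[19238]: Sanesecurity.Junk.24795.UNOFFICIAL FOUND
2014.05.01 19:01:25 mail5 clamd[19238]: ScamNailer.Phish.administrator_AT_domain.com.UNOFFICIAL FOUND
2014.05.14 18:41:24 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.05.16 08:36:28 mail5 clamd[19238]: Sanesecurity.Junk.43451.UNOFFICIAL FOUND
2014.05.30 22:36:11 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.06.17 23:12:36 mail5 clamd[19238]: Sanesecurity.Spear.info_at_it_dot_org.UNOFFICIAL FOUND
2014.06.25 01:40:45 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.14 17:01:21 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.19 02:01:59 mail5 clamd[19238]: Sanesecurity.Scam4.1570.UNOFFICIAL FOUND
2014.07.28 17:41:24 mail5 clamd[19238]: Sanesecurity.Junk.20083.UNOFFICIAL FOUND
2014.08.14 18:42:14 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.06 15:33:23 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.12 21:13:47 mail5 clamd[19238]: Sanesecurity.Phishing.Fake.20863.UNOFFICIAL FOUND
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a clamd FOUND line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def signature_source(sig):
    """Who produced the signature: the engine's built-in heuristics, a third-party
    publisher (.UNOFFICIAL suffix; the publisher is the first name component), or the
    official ClamAV databases. These are assumed naming conventions, not engine metadata."""
    if sig.startswith(("Phishing.Heuristics.", "Heuristics.")):
        return "heuristic"
    if sig.endswith(".UNOFFICIAL"):
        return sig.split(".", 1)[0]
    return "official"


def signature_kind(sig):
    """Coarse bucket for what the signature targets, from keywords in its name."""
    s = sig.lower()
    if "phish" in s:
        return "phishing"
    if any(k in s for k in ("junk", "scam", "lott", "spear", "spam")):
        return "spam"
    return "other"  # anything else; this is where a real malware hit would land


def summarize(text):
    """Parse a log and return counts by source, kind and month plus the unparsed-line count."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return {
        "total": len(events),
        "by_source": Counter(signature_source(e["sig"]) for e in events),
        "by_kind": Counter(signature_kind(e["sig"]) for e in events),
        "by_month": Counter(e["date"][:7] for e in events),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} hits, {report['unparsed']} unparsed lines")
    for key in ("by_source", "by_kind", "by_month"):
        print(key, dict(sorted(report[key].items())))
```

Run over the sample, the "other" bucket stays empty: every one of the twenty-two hits is a phishing or spam signature, and a third of them are the engine's own SpoofedDomain heuristic rather than any database at all. The unparsed counter is there so that a format change in clamd's logging shows up as a number rather than as silently missing hits.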

Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Dennis Peterson

On 10/3/14 2:11:15PM, Charles Swiger wrote:
> On Oct 3, 2014, at 1:54 PM, Leonardo Rodrigues  wrote:
>> On 03/10/14 08:19, Tim Smith wrote:
>>> All of the commercial vendors I submitted the samples to had analysed
>>> and created samples in timeframes ranging from hours to one day.
>>>
>>> At this rate I'm going to be dumping ClamAV from my systems and
>>> subscribing to a service from a commercial vendor .
>>
>> are you really trying to compare response times from PAID solutions to the
>> free/community maintained ones
>
> Assuming this wasn't a rhetorical question, the answer is pretty clearly: yes.
>
> So what?  I would expect that an expensive A/V solution should do better than
> ClamAV does for free.
> Frankly, it's a credit to the ClamAV team that their offering provides
> significant value for the price
>
> Regards,


ClamAV also gives each of us tools to provide a Day Zero response to a 
threat. Our responsibility to our users (for those of us who have them) 
is to take advantage of that tool set.


dp


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Dennis Peterson

On 10/3/14 8:10:24AM, Mark Allan wrote:
> On 3 Oct 2014, at 03:39 pm, Gene Heskett  wrote:
>> On Friday 03 October 2014 07:19:13 Tim Smith did opine
>>> Over the last 24-48 hours, I submitted a number of email attachments.
>>> RAR files that contained viruses.
>>>
>>> Running one or two of them through VirusTotal today, I see ClamAV have
>>> *STILL* not managed to produce virus definitions for them !
>>>
>>> All of the commercial vendors I submitted the samples to had analysed
>>> and created samples in timeframes ranging from hours to one day.
>>>
>>> At this rate I'm going to be dumping ClamAV from my systems and
>>> subscribing to a service from a commercial vendor .
>>>
>>> Looking forward to hearing the reasons why !
>>
>> Perhaps you should consider submitting them in a compressed file format
>> that is NOT proprietary to apple and which carries a per seat license fee?
>>
>> Cheers, Gene Heskett
>
> I'll admit that Tim's email rather reeked of entitlement, but Gene's response
> is just confusing and wrong.  Yes, the RAR file format is proprietary, but not
> to Apple - it was a Russian named Eugene Roshal (Roshal ARchive hence RAR) who
> came up with it and the licence is only required for creating files of that
> format; software to extract RAR files is free.
>
> Also, ClamAV already contains code to unRAR these archives.
>
> Anyway, I digress from the original question.
>
> The reason it takes time to generate signatures from files/samples which are
> contributed by users is that the signatures are still generated manually by
> humans, most of whom have other jobs and unless I'm mistaken are therefore
> giving their time voluntarily.  I've always found the turnaround time to be
> pretty good actually, especially for free software.
>
> Mark


From http://www.unrarlib.org/faq.html

Q: Do you know that the license for the unrar sources from RARLab is not 
compatible with the GNU Public license?


A: Yes, this is true. But we have the permission from Eugene Roshal to 
release unrarlib 0.4.0 under GPL and unrarlib-license. Note: this 
doesn't mean that RAR is free now or you can use the unrar source from 
RARlabs under GPL. You are just allowed to use UniquE RAR File Library 
version 0.4.0 (unrarlib 0.4.0) under GPL.


A lot of people avoid RAR as a result.

dp


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Charles Swiger
On Oct 3, 2014, at 1:54 PM, Leonardo Rodrigues  wrote:
> On 03/10/14 08:19, Tim Smith wrote:
>> All of the commercial vendors I submitted the samples to had analysed
>> and created samples in timeframes ranging from hours to one day.
>> 
>> At this rate I'm going to be dumping ClamAV from my systems and
>> subscribing to a service from a commercial vendor .
> 
> are you really trying to compare response times from PAID solutions to 
> the free/community maintained ones 

Assuming this wasn't a rhetorical question, the answer is pretty clearly: yes.

So what?  I would expect that an expensive A/V solution should do better than 
ClamAV does for free.
Frankly, it's a credit to the ClamAV team that their offering provides 
significant value for the price

Regards,
-- 
-Chuck



Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Leonardo Rodrigues

On 03/10/14 08:19, Tim Smith wrote:

> All of the commercial vendors I submitted the samples to had analysed
> and created samples in timeframes ranging from hours to one day.
>
> At this rate I'm going to be dumping ClamAV from my systems and
> subscribing to a service from a commercial vendor .

are you really trying to compare response times from PAID
solutions to the free/community maintained ones



--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it
gertru...@solutti.com.br





Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Joel Esler (jesler)

> On Oct 3, 2014, at 7:19 AM, Tim Smith  wrote:
> 
> Hi,
> 
> Over the last 24-48 hours, I submitted a number of email attachments.
> RAR files that contained viruses.
> 
> Running one or two of them through VirusTotal today, I see ClamAV have
> *STILL* not managed to produce virus definitions for them !
> 
> All of the commercial vendors I submitted the samples to had analysed
> and created samples in timeframes ranging from hours to one day.
> 
> At this rate I'm going to be dumping ClamAV from my systems and
> subscribing to a service from a commercial vendor .
> 
> Looking forward to hearing the reasons why !

Tim, I know someone contacted you offlist, however, for the sake of the 
community —

We receive about 1.1M samples a day here.  If you submit something, and it is more 
than just a casual submission, maybe you need something covered right away.  We 
are always open to a little poke with the md5/sha256 so we can look at what you 
submitted.

We love the feedback from our users, and always look forward to a constructive 
dialog.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Steve Basford

On Fri, October 3, 2014 12:19 pm, Tim Smith wrote:
>
> Over the last 24-48 hours, I submitted a number of email attachments.
> RAR files that contained viruses.
>
> Running one or two of them through VirusTotal today, I see ClamAV have
> *STILL* not managed to produce virus definitions for them !

> Looking forward to hearing the reasons why !

Hi Tim,

Although I can't speak for the ClamAV team, I will say this... it takes
time and people to analyse the sheer number of samples being received.

...but before you even get to that stage, it's de-duping, sorting the wheat
from the chaff, all of which takes time.

From a Sanesecurity point of view, here's the amount of updates pushed out
today...

http://pastebin.com/Z07NvcEe

Ok some are spam related but the Sanesecurity.Rogue.0hr and
Sanesecurity.Malware.24411.ZipHeur are malware related.

Now, the Sanesecurity.Rogue.0hr are hashes of malware, updated hourly,
and pretty much automatic...the Sanesecurity.Malware ones are generated
manually, while I'm awake of course... ;)

But.. you need something to fix the stuff in between, foxhole databases,
are helping in that direction...

foxhole_all.cdb: blocks dangerous attachments in Zips etc..  but may be too
aggressive.

foxhole_generic.cdb: as above but ONLY for double extension/hidden extension

foxhole_filename.cdb: will block known dangerous single extensions, in
Zips etc, it's quite empty at the moment but I've got a huge update coming
shortly to massively improve this.

Douglas from the ClamAV Team is adding sigs like
Zip.Suspect.ExecutableFax-zippwd-1, which, like the foxhole sigs, look at
the Zip filename and use a bit of common sense on the name, in order to
block it... and it's all helping to minimise the missed ones and save time
on the 0-hour analysing

The ClamAV engine is flexible and opensource, and without it, Sanesecurity
sigs certainly wouldn't be here, so I'm all for its
defence

One thing though about update frequency, to some people it doesn't
matter that much...here's an interesting poll on my website..

How often does freshclam update?

Every Day (35%, 20 Votes)
Every Hour (25%, 14 Votes)
Every Four Hours (18%, 10 Votes)
Every 30 mins (12%, 7 Votes)
Every 15 mins (10%, 6 Votes)

Total Voters: 57

Really? Every Day? 

You can, of course email the missed RAR samples to:

samples ATT sanesecurity.me.uk

Slightly off topic, does anyone have a folder full of saved malware
zips/rars etc. they have kept over the past xxx months, if so can U
contact me off-list...

Cheers,

Steve
Sanesecurity.com

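Steve's three foxhole tiers, Douglas's filename-based Zip signatures, and Haywood's rule of discarding password-protected archives are all decisions made on archive metadata rather than on the content ClamAV would otherwise have to recognise. The Python below is an added example, not Sanesecurity's foxhole databases (those ship as ClamAV .cdb signatures) and not code from any of the posts: it walks the member names of an in-memory zip and flags the cases the thread describes, namely a decoy document extension followed by an executable one, an executable extension hidden behind whitespace padding, a bare executable inside the archive, and an encrypted member. The extension lists, the tier names, the five-space padding threshold and the sample archive (built inline from inert text) are this example's own assumptions, and the mapping of tiers onto Steve's three databases is this example's reading of his descriptions.

```python
import io
import re
import zipfile

# Extensions Windows runs directly on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl", "jar"}
# Document/image extensions used as the decoy half of a double extension (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "htm", "html"}


def classify_name(name):
    """Return None if the member name looks harmless, otherwise (tier, reason).
    Tiers mirror this example's reading of the foxhole databases in the post:
      'generic'  - decoy document extension followed by an executable one, or an
                   executable extension pushed out of view by whitespace padding
      'filename' - a bare executable extension inside the archive"""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return None
    stem, ext = base.rsplit(".", 1)
    ext = ext.strip().lower()
    if ext not in EXECUTABLE_EXTS:
        return None
    # "Statement.doc<many spaces>.scr": the real extension sits past the visible name
    if re.search(r"\s{5,}$", stem):
        return ("generic", "executable extension hidden behind whitespace padding")
    # "Invoice.pdf.exe": the part before the final dot is itself a document extension
    if "." in stem and stem.rsplit(".", 1)[-1].strip().lower() in DECOY_EXTS:
        return ("generic", "double extension: decoy document name with executable suffix")
    return ("filename", "executable inside archive")


def scan_zip(data):
    """Scan an in-memory zip; return [(member, (tier, reason))] for suspicious entries.
    Member names are readable even when the content is encrypted (flag bit 0 of the
    local header), so encrypted members are reported as their own tier."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                hits.append((info.filename, ("encrypted", "password-protected member")))
                continue
            verdict = classify_name(info.filename)
            if verdict:
                hits.append((info.filename, verdict))
    return hits


def build_sample_zip(names):
    """Constructed sample archive: only the member names matter; bodies are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "harmless placeholder content\n")
    return buf.getvalue()


# Constructed member names covering each case the thread describes plus two clean ones.
SAMPLE_NAMES = [
    "Invoice_2014-10.pdf",
    "Invoice_2014-10.pdf.exe",
    "Statement.doc" + " " * 40 + ".scr",
    "fax/fax001.exe",
    "photo.jpg",
]

if __name__ == "__main__":
    for member, (tier, reason) in scan_zip(build_sample_zip(SAMPLE_NAMES)):
        print(f"{tier:9s} {member!r}: {reason}")
```

The split into tiers is what lets a mail gateway apply Steve's caveat that the all-inclusive check "may be too aggressive": a site can reject on the 'generic' and 'encrypted' verdicts outright and only quarantine or tag on 'filename', rather than treating every archived executable the same way.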


Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Mark Allan

On 3 Oct 2014, at 03:39 pm, Gene Heskett  wrote:

> On Friday 03 October 2014 07:19:13 Tim Smith did opine
>> Over the last 24-48 hours, I submitted a number of email attachments.
>> RAR files that contained viruses.
>> 
>> Running one or two of them through VirusTotal today, I see ClamAV have
>> *STILL* not managed to produce virus definitions for them !
>> 
>> All of the commercial vendors I submitted the samples to had analysed
>> and created samples in timeframes ranging from hours to one day.
>> 
>> At this rate I'm going to be dumping ClamAV from my systems and
>> subscribing to a service from a commercial vendor .
>> 
>> Looking forward to hearing the reasons why !
> 
> Perhaps you should consider submitting them in a compressed file format 
> that is NOT proprietary to apple and which carries a per seat license fee?
> 
> Cheers, Gene Heskett

I'll admit that Tim's email rather reeked of entitlement, but Gene's response 
is just confusing and wrong.  Yes, the RAR file format is proprietary, but not 
to Apple - it was a Russian named Eugene Roshal (Roshal ARchive hence RAR) who 
came up with it and the licence is only required for creating files of that 
format; software to extract RAR files is free.

Also, ClamAV already contains code to unRAR these archives.

Anyway, I digress from the original question.

The reason it takes time to generate signatures from files/samples which are 
contributed by users is that the signatures are still generated manually by 
humans, most of whom have other jobs and unless I'm mistaken are therefore 
giving their time voluntarily.  I've always found the turnaround time to be 
pretty good actually, especially for free software.

Mark



Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Gene Heskett
On Friday 03 October 2014 07:19:13 Tim Smith did opine
And Gene did reply:
> Hi,
> 
> Over the last 24-48 hours, I submitted a number of email attachments.
> RAR files that contained viruses.
> 
> Running one or two of them through VirusTotal today, I see ClamAV have
> *STILL* not managed to produce virus definitions for them !
> 
> All of the commercial vendors I submitted the samples to had analysed
> and created samples in timeframes ranging from hours to one day.
> 
> At this rate I'm going to be dumping ClamAV from my systems and
> subscribing to a service from a commercial vendor .
> 
> Looking forward to hearing the reasons why !

Perhaps you should consider submitting them in a compressed file format 
that is NOT proprietary to apple and which carries a per seat license fee?

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS


[clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-03 Thread Tim Smith
Hi,

Over the last 24-48 hours, I submitted a number of email attachments.
RAR files that contained viruses.

Running one or two of them through VirusTotal today, I see ClamAV have
*STILL* not managed to produce virus definitions for them !

All of the commercial vendors I submitted the samples to had analysed
and created samples in timeframes ranging from hours to one day.

At this rate I'm going to be dumping ClamAV from my systems and
subscribing to a service from a commercial vendor .

Looking forward to hearing the reasons why !