Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
Hi all,

Was subscribed to this mailing list for some time and didn't respond to it that much, but this topic really got my attention.

> What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention. The majority of well established vendors will also do a better job of detecting and pushing out definitions as it seems that ClamAV is reactive, not proactive on the definitions front

Do you have any proof of this somewhat of an accusation? It sounds to me that you are only talking about the problem that you are facing right now. I quickly looked through my old mails and didn't see your name pop up, nor do I see any other issues that you have highlighted in this mailing list.

>> What other av product can you make your own virus signatures with, not useful, hmm
>
> You don't need to when they've got a decent set of analysts who are on the ball and push out new definitions quickly ! F-Secure, Sophos, Kaspersky and others all had coverage already of this virus. Seriously, why should I mess around with creating virus signatures, it's a waste of my time. Evangelising over how wonderful open-source anti-virus is is great but if you're severely lagging on pushing out virus definitions then it very quickly removes the attractiveness of the product. 80% of people using your open-source project won't have the knowledge, time or inclination to hack together their own virus definitions

I may be wrong, but it really sounds to me that you are only frustrated about the issue that you are experiencing right now. Didn't see any other complaints from you about ClamAV or complaints about signature creation. One of the ideas behind some of the open source projects is that you can contribute to the project or discuss the issues that you are facing with a certain open source project. The problem with this whole thread is that you are only criticising the ClamAV project but don't come up with any suggestions.

Some of the suggestions from people were to create the signatures yourself. You immediately rejected the whole idea about creating your own signatures and you are only complaining. There was never, never once, a suggestion from your side. If you really want to help this community and make the open source project better, please give suggestions on how we could make it better. Please keep in mind that not all open source projects have the money or people to be as good as commercial companies.

Cheers,
Wouter.

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Mon, 2014-10-06 at 15:21 +0100, Tim Smith wrote:
>> but call paid prebuilt software always better is not correct, but mostly just marketing
>
> What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention. The majority of well established vendors will also do a better job of detecting and pushing out definitions as it seems that ClamAV is reactive, not proactive on the definitions front

Well, as with all free software/open source, you can help to speed it up.

[...]

> Seriously, why should I mess around with creating virus signatures, it's a waste of my time.

To get them earlier/faster into ClamAV?

[...]

> it very quickly removes the attractiveness of the product. 80% of people using your open-source project won't have the knowledge, time or inclination to hack together their own virus definitions

At least that is the same with the proprietary vendors: then you get what they feel like delivering to you.

Bernd

--
I dislike type abstraction if it has no real reason. And saving on typing is not a good reason - if your typing speed is the main issue when you're coding, you're doing something seriously wrong. - Linus Torvalds
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Mon 06/Oct/2014 15:37:34 +0200 Tim Smith wrote:
>> are you really trying to compare response times from PAID solutions to the free/community maintained ones
>
> Of course not, the paid solutions will always be better.

Careful betting on that... It's the famous-last-words sort of phrase. Ten years ago I started using Sophos, as I deemed an AV product was way too much of an engagement for an unpaid free-software developer to maintain. I switched to ClamAV only a few months ago as Sophos discontinued their Linux support, and I'm happy to see I was wrong.

ClamAV is unique in its category, so it's well possible that there's room for improving both the cooperation on detection/analysis and the software tools to accomplish it. Of course, global cooperation will be unbeatable once established. OTOH, users of proprietary products will always be at the mercy of marketing teams striving after profits, where more profitable is not necessarily better for users.

> But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree !

Agreed, but I received 0-day viral mail even when scanning with Sophos. I'm not going to switch back, really.

Ale
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 3, 2014, at 5:12 PM, Dennis Peterson denni...@inetnw.com wrote:
> On 10/3/14 8:10:24AM, Mark Allan wrote:
>> On 3 Oct 2014, at 03:39 pm, Gene Heskett ghesk...@wdtv.com wrote:
>>> On Friday 03 October 2014 07:19:13 Tim Smith did opine
>>>> Over the last 24-48 hours, I submitted a number of email attachments. RAR files that contained viruses. Running one or two of them through VirusTotal today, I see ClamAV have *STILL* not managed to produce virus definitions for them ! All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor . Looking forward to hearing the reasons why !
>>>
>>> Perhaps you should consider submitting them in a compressed file format that is NOT proprietary to apple and which carries a per seat license fee?
>>>
>>> Cheers, Gene Heskett
>>
>> I'll admit that Tim's email rather reeked of entitlement, but Gene's response is just confusing and wrong. Yes, the RAR file format is proprietary, but not to Apple - it was a Russian named Eugene Roshal (Roshal ARchive, hence RAR) who came up with it, and the licence is only required for creating files of that format; software to extract RAR files is free. Also, ClamAV already contains code to unRAR these archives.
>>
>> Anyway, I digress from the original question. The reason it takes time to generate signatures from files/samples which are contributed by users is that the signatures are still generated manually by humans, most of whom have other jobs and unless I'm mistaken are therefore giving their time voluntarily. I've always found the turnaround time to be pretty good actually, especially for free software.
>>
>> Mark
>
> From http://www.unrarlib.org/faq.html
>
> Q: Do you know that the license for the unrar sources from RARLab is not compatible with the GNU Public license?
> A: Yes, this is true. But we have the permission from Eugene Roshal to release unrarlib 0.4.0 under GPL and unrarlib-license. Note: this doesn't mean that RAR is free now or you can use the unrar source from RARlabs under GPL. You are just allowed to use UniquE RAR File Library version 0.4.0 (unrarlib 0.4.0) under GPL.
>
> A lot of people avoid RAR as a result.

We have issues with some distributions, as they don't want to build that feature in (because of the license) or don't build Clam into the distribution at all because of this exclusion.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
exactly

On 10/3/2014 4:54 PM, Leonardo Rodrigues wrote:
> On 03/10/14 08:19, Tim Smith wrote:
>> All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor .
>
> are you really trying to compare response times from PAID solutions to the free/community maintained ones
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 3, 2014, at 5:16 PM, Dennis Peterson denni...@inetnw.com wrote:
> On 10/3/14 2:11:15PM, Charles Swiger wrote:
>> On Oct 3, 2014, at 1:54 PM, Leonardo Rodrigues leolis...@solutti.com.br wrote:
>>> On 03/10/14 08:19, Tim Smith wrote:
>>>> All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor .
>>>
>>> are you really trying to compare response times from PAID solutions to the free/community maintained ones
>>
>> Assuming this wasn't a rhetorical question, the answer is pretty clearly: yes. So what? I would expect that an expensive A/V solution should do better than ClamAV does for free. Frankly, it's a credit to the ClamAV team that their offering provides significant value for the price
>>
>> Regards,
>
> ClamAV also gives each of us tools to provide a Day Zero response to a threat. Our responsibility to our users (for those of us who have them) is to take advantage of that tool set.

Well said Dennis. The other part of the equation is that we are always open to accepting the signatures and protection generated by our users for the greater good via our community signatures mailing list. http://www.clamav.net/contact.html#ml

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
Gene,

> Perhaps you should consider submitting them in a compressed file format that is NOT proprietary to apple and which carries a per seat license fee?

How about ***YOU*** consider the fact that I was merely submitting a RAR file because that was the exact file that was received in my email ! I received a RAR, thus I submitted a RAR !

Geez ... some people ! ;-(

On 3 October 2014 15:39, Gene Heskett ghesk...@wdtv.com wrote:
> On Friday 03 October 2014 07:19:13 Tim Smith did opine
> And Gene did reply:
>> Hi,
>>
>> Over the last 24-48 hours, I submitted a number of email attachments. RAR files that contained viruses. Running one or two of them through VirusTotal today, I see ClamAV have *STILL* not managed to produce virus definitions for them ! All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor . Looking forward to hearing the reasons why !
>
> Perhaps you should consider submitting them in a compressed file format that is NOT proprietary to apple and which carries a per seat license fee?
>
> Cheers, Gene Heskett
> --
> There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
> Genes Web page http://geneslinuxbox.net:6309/gene
> US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
> are you really trying to compare response times from PAID solutions to the free/community maintained ones

Of course not, the paid solutions will always be better.

But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree !
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On October 6, 2014 3:37:34 PM Tim Smith randomd...@gmail.com wrote:
>> are you really trying to compare response times from PAID solutions to the free/community maintained ones ?
>
> Of course not, the paid solutions will always be better.

Dream on, my Commodore 64 is the best 8-bit computer ever, not needing antivirus at all; restarting it cleans any virus for free. Sorry, could not resist.

> But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree !

You are free to define open source as you wish, but call paid prebuilt software always better is not correct, but mostly just marketing

What other av product can you make your own virus signatures with, not useful, hmm
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 06/10/2014 14:37, Tim Smith wrote:
>> are you really trying to compare response times from PAID solutions to the free/community maintained ones
>
> Of course not, the paid solutions will always be better.
>
> But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree !

It's only on the slow side if you expect it to be quicker... Personally, I'm glad this is available at all from a free solution.

As other people have said, you can make YOUR Clam AV installation detect the virus pretty much instantly - which is much quicker than any paid solution. (eg http://www.clamav.net/doc/latest/signatures.pdf)

Analysing a virus and updating signatures is not a quick trivial job, and they'll get lots of samples submitted (I've heard figures of a million a day). Many will be duplicates, but many will also be innocuous files where someone has been paranoid, or even where files are maliciously submitted, so I expect that files that are submitted have to be checked somehow to make sure they really are malicious files, and a useful signature has to be generated and tested. I'm fairly sure you'd be (rightly) miffed if an update was released which suddenly generated lots of false positives because corners had been cut.

If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this) or send a financial donation to help with the process. Obviously the paid AV solutions will have more resources to do this task than a community maintained one will have, so you'd expect the paid ones to be considerably quicker.

-
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Sign up for news updates at http://www.pscs.co.uk/go/subscribe
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Mon, Oct 6, 2014 at 9:37 AM, Tim Smith randomd...@gmail.com wrote:
>> are you really trying to compare response times from PAID solutions to the free/community maintained ones
>
> Of course not, the paid solutions will always be better.
>
> But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree !

A few months ago, Joel Esler and the ClamAV signature writing team introduced the Community Signatures mailing list for sharing signatures. You could always create the detection signatures yourself and submit them to us via the Community Signatures list.

Additionally, as has been said before, you can always just submit the file via the normal signatures, then ping us here on this list with the md5/sha256 hash of the file you submitted.

Thanks,
Shawn
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
> If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this)

http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

- Alain
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
> but call paid prebuilt software always better is not correct, but mostly just marketing

What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention. The majority of well established vendors will also do a better job of detecting and pushing out definitions as it seems that ClamAV is reactive, not proactive on the definitions front

> What other av product can you make your own virus signatures with, not useful, hmm

You don't need to when they've got a decent set of analysts who are on the ball and push out new definitions quickly ! F-Secure, Sophos, Kaspersky and others all had coverage already of this virus. Seriously, why should I mess around with creating virus signatures, it's a waste of my time. Evangelising over how wonderful open-source anti-virus is is great but if you're severely lagging on pushing out virus definitions then it very quickly removes the attractiveness of the product. 80% of people using your open-source project won't have the knowledge, time or inclination to hack together their own virus definitions

I'm off to sign up with one of the well established software vendors.

On 6 October 2014 14:55, Benny Pedersen m...@junc.eu wrote:
> On October 6, 2014 3:37:34 PM Tim Smith randomd...@gmail.com wrote:
>>> are you really trying to compare response times from PAID solutions to the free/community maintained ones ?
>>
>> Of course not, the paid solutions will always be better.
>
> Dream on, my Commodore 64 is the best 8-bit computer ever, not needing antivirus at all; restarting it cleans any virus for free. Sorry, could not resist.
>
>> But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree !
>
> You are free to define open source as you wish, but call paid prebuilt software always better is not correct, but mostly just marketing
>
> What other av product can you make your own virus signatures with, not useful, hmm
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 6, 2014, at 10:21 AM, Tim Smith randomd...@gmail.com wrote:
>> but call paid prebuilt software always better is not correct, but mostly just marketing
>
> What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention. The majority of well established vendors will also do a better job of detecting and pushing out definitions as it seems that ClamAV is reactive, not proactive on the definitions front ….

Incorrect. For instance, just one of our signatures may catch tens of thousands of samples. We scan malware when it arrives, and if we catch the "new" piece of malware with an already present signature, we assign the new piece of malware to the already present signature.

For instance, I just went into our internal interface, and picked the first "prior detect" on my list, and it has 94 pieces of malware assigned to it. You can actually see some of the de-duplicated ones if you subscribe to the clamav-virusdb mailing list. We don't list them all in there, because frankly it'd be too large of an email to send out. So only particular malware "Senders" are there.

Just because we don't detect the piece of malware that you found doesn't mean we aren't proactive.

>> What other av product can you make your own virus signatures with, not useful, hmm
>
> You don't need to when they've got a decent set of analysts who are on the ball and push out new definitions quickly ! F-Secure, Sophos, Kaspersky and others all had coverage already of this virus.

Those companies also have hundreds of analysts dedicated to the problem. We don't have hundreds.

> Seriously, why should I mess around with creating virus signatures, it's a waste of my time.

That's kind of the point of a community open-source project.

> Evangelising over how wonderful open-source anti-virus is is great but if you're severely lagging on pushing out virus definitions then it very quickly removes the attractiveness of the product. 80% of people using your open-source project won't have the knowledge, time or inclination to hack together their own virus definitions ….

We try to make it very simple for people to do it, in fact, we include tools for people to be able to do it.

> I'm off to sign up with one of the well established software vendors.

We're sorry to see you go. We try to offer a good service, for free, to the community in order to make the internet, just a little bit safer. We'll understand if you'd like a refund. ;)

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> On 6 October 2014 14:55, Benny Pedersen m...@junc.eu wrote:
>> On October 6, 2014 3:37:34 PM Tim Smith randomd...@gmail.com wrote:
>>>> are you really trying to compare response times from PAID solutions to the free/community maintained ones ?
>>>
>>> Of course not, the paid solutions will always be better.
>>
>> Dream on, my Commodore 64 is the best 8-bit computer ever, not needing antivirus at all; restarting it cleans any virus for free. Sorry, could not resist.
>>
>>> But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree !
>>
>> You are free to define open source as you wish, but call paid prebuilt software always better is not correct, but mostly just marketing
>>
>> What other av product can you make your own virus signatures with, not useful, hmm
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 06/10/2014 15:21, Tim Smith wrote:
>> but call paid prebuilt software always better is not correct, but mostly just marketing
>
> What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention.

Not if I want to make my own signatures... It also beats the others on price and (IMHO) usability.

>> What other av product can you make your own virus signatures with, not useful, hmm
>
> You don't need to when they've got a decent set of analysts who are on the ball and push out new definitions quickly !

Yes you do. We have AVG, Avira, Sophos and ClamAV. Yes, AVG, Avira and Sophos will release virus definition updates before ClamAV. But usually by the time even Sophos have released their updates we've already received a few thousand copies of the virus. With ClamAV we can beat Sophos by adding our own definitions, so we can beat even the fastest AV vendors by a few hours (that's not knocking them, we have different requirements from them, so we can knock together a simple signature test and if we cause false positives, it's our problem. We're not going to have zillions of other people complaining and be on news channels because we broke something).

> Seriously, why should I mess around with creating virus signatures, it's a waste of my time.

OK. That's a valid choice, in which case YOU will probably be better off spending money on a commercial product. For other people, the few seconds to generate a signature is worth the many thousands of pounds savings they'll make from not using a commercial product. Neither is wrong, just different priorities.

-
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Sign up for news updates at http://www.pscs.co.uk/go/subscribe
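Paul's "few seconds to generate a signature" here, and the pointer to signatures.pdf in his earlier message, refer to ClamAV's hash signature format. The script below is an added example, not code from this thread or from the ClamAV project: it emits the same `MD5:FileSize:Name` (.hdb) and `SHA256:FileSize:Name` (.hsb) lines that `sigtool --md5 FILE` and `sigtool --sha256 FILE` print, builds a local .hdb from a directory of samples, and, if `clamscan` is installed, loads only that database to confirm the samples are detected. It assumes GNU coreutils (`md5sum`, `sha256sum`, `wc`, `mktemp`); the sample file, directory and signature names in the demo are made up.

```shell
#!/bin/sh
# Added example (not from the thread or ClamAV): local ClamAV hash signatures.
# Assumes GNU coreutils: md5sum, sha256sum, wc, mktemp. clamscan is optional.

# One .hdb line, the format `sigtool --md5 FILE` prints: MD5:FileSize:Name
hdb_line() {
    # $1 = sample path, $2 = signature name (no spaces or colons)
    sum=$(md5sum "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$2"
}

# One .hsb line, the format `sigtool --sha256 FILE` prints: SHA256:FileSize:Name
hsb_line() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$2"
}

# Build an .hdb from every regular file in a sample directory.
# $1 = sample dir, $2 = output .hdb path (keep it outside $1), $3 = name prefix.
# Prints the number of signatures written.
build_local_db() {
    : > "$2"
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        hdb_line "$f" "$3.$n" >> "$2"
    done
    echo "$n"
}

# Load only the new database (-d) so a hit proves the local signature works.
# clamscan exits 1 when something is detected, 0 when nothing is, 2 on error.
verify_with_clamscan() {
    # $1 = sample dir, $2 = .hdb path
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed, skipping verification"
        return 0
    fi
    rc=0
    clamscan --infected --no-summary -d "$2" "$1" || rc=$?
    echo "clamscan exit status: $rc (1 = detected)"
}

# Demo on a constructed, harmless stand-in for a submitted attachment.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/samples"
printf 'hello\n' > "$demo_dir/samples/invoice.rar"   # constructed, not malware
count=$(build_local_db "$demo_dir/samples" "$demo_dir/local.hdb" Local.MailAttach)
echo "wrote $count signature(s):"
cat "$demo_dir/local.hdb"
verify_with_clamscan "$demo_dir/samples" "$demo_dir/local.hdb"
rm -rf "$demo_dir"
```

To deploy, copy the .hdb into clamd's DatabaseDirectory (commonly /var/lib/clamav); clamd picks it up at its next SelfCheck or after `clamdscan --reload`. For an archive like the RAR attachment in the original post, hash the extracted payload rather than the container: ClamAV matches hash signatures against extracted members as well, and the same payload is usually re-packed into many different archives. If a signature turns out to be a false positive (the `.ign` mechanism Arnaud mentions later in the thread), put its name on a line of its own in a file ending in .ign2 in the same directory and it is ignored on the next reload.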
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Monday, 6 October 2014, 10:05:11 Alain Zidouemba wrote:
> If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this)

Or use this : https://securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml

It raises ClamAV's detection rate to up to 80% on 0-day malware.

Best regards,
Arnaud Jacques
SecuriteInfo.com
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On October 6, 2014 4:21:58 PM Tim Smith randomd...@gmail.com wrote:
> Seriously, why should I mess around with creating virus signatures, it's a waste of my time.

Well said, this mailing list here is not a waste of your time, can you pay back now ?
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 10/06/2014 08:32 AM, Webmaster wrote:
> On Monday, 6 October 2014, 10:05:11 Alain Zidouemba wrote:
>> If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this)
>
> Or use this : https://securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
>
> It raises ClamAV's detection rate to up to 80% on 0-day malware.

Speaking of SecuriteInfo, is the High Risk label deserved for the spam_marketing signatures? Have used all the others in the Securite list but that one.
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 10/6/14 7:21 AM, Tim Smith wrote:
> Seriously, why should I mess around with creating virus signatures, it's a waste of my time.

Because that is the norm for community-supported products and because nobody but you is ultimately responsible for protecting your systems from malware.

dp
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
Hi,

> Speaking of SecuriteInfo, is the High Risk label deserved for the spam_marketing signatures? Have used all the others in the Securite list but that one.

Yes, spam_marketing.ndb has a high level of false positives. Why ? Because it focuses on French spam/marketing/private selling/special offers/and mailing lists I haven't subscribed to. It also targets scams from Africa or Asia, and other kinds of emails my customers don't want. But some of my customers *want* to receive these kinds of emails (gasp!).

You can use .ign signatures to suit your needs, or don't use spam_marketing.ndb at all. It is up to you. Give it a try by offline scanning your mailboxes and see for yourself what is detected. If you believe some signatures are generating too many false positives, please contact me off list. Maybe spam_marketing.ndb needs tuning after all.

Me and my (French) customers are pretty happy with spam_marketing.ndb. They have very little spam passing through. Other signature files I provide have a very low false positive rate.

Best regards,
Arnaud Jacques
SecuriteInfo.com
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
Hi Steve,

On Sat, 4 Oct 2014, Steve Basford wrote: Slightly off topic, does anyone have a folder full of saved malware zips/rars etc. they have kept over the past xxx months, if so can U contact me off-list...

I don't, exactly, but I do keep records and I do look at them.

Firstly I'm only interested in what's in electronic mail. I don't run Windows boxes, and on the odd occasion that I need one I fire up a VM. However the several mail servers and many other Linux boxes for which I'm responsible have the potential to assist in the propagation of malicious software to customers, suppliers, colleagues, family and casual acquaintances all around the world. Although running only Linux boxes means I can more or less forget the threat from malware to the machines themselves, I take the view that using them to communicate with more vulnerable systems gives me some responsibilities. One of my employees could, for example, forward a message with a malicious link in it (to which the Linux box she uses is not vulnerable) to someone using XP. Six months after XP went EOL, over 25% of the Windows boxes in the UK for example are still running it. I can't say I blame people for not wanting to be shafted by Microsoft yet again, but I don't think they're being very responsible. Perhaps they'd only have themselves to blame for not using Linux, but I don't want to add to their problems, nor to those of almost everyone else, by sending them a virus for which their machine has no defence - and thus help to create a source of yet more trouble.

So here's what I do: after binning stuff from 25% of the IPv4 address space without even looking at it, and then everything from (at present) seventy-four country codes after paying them much the same attention, I then pass the much-thinned cream of the crop through a huge regular expression filter which looks for things like my spam-trap addresses (more for the bin) and if anything's left I use MIMEDefang to delete every attachment that might be some sort of Windows executable. If a message contains an archive which can't be extracted (e.g. password protected) then it goes in the bit bucket as well. Finally, ClamAV gets to look at what little is left. Why am I scanning stuff that can't be executed? Well, it still might be cr@p that we don't want. That's where Sanesecurity comes in. I don't actually care if ClamAV can find a virus or not, that's not what I'm using it for. (And here we are almost back on topic:).

My contribution to the off-topic topic is that the vast majority of malicious email messages that I see now contain links to the real payload, not the payload itself, and ClamAV doesn't get much to do:

2014.01.06 05:28:44 mail5 clamd[19238]: Sanesecurity.Junk.37650.UNOFFICIAL FOUND
2014.01.16 01:03:28 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.01.27 11:14:13 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.17130.UNOFFICIAL FOUND
2014.01.28 13:43:18 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.1117.UNOFFICIAL FOUND
2014.02.01 22:35:24 mail5 clamd[19238]: Email.Phishing.Card-9 FOUND
2014.02.11 18:40:51 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.19 08:39:54 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.22 18:19:02 mail5 clamd[19238]: Sanesecurity.Lott.1874.UNOFFICIAL FOUND
2014.03.03 15:46:01 mail5 clamd[19238]: Sanesecurity.Scam4.1567.UNOFFICIAL FOUND
2014.03.20 22:52:32 mail5 clamd[19238]: Sanesecurity.Junk.24795.UNOFFICIAL FOUND
2014.05.01 19:01:25 mail5 clamd[19238]: ScamNailer.Phish.administrator_AT_domain.com.UNOFFICIAL FOUND
2014.05.14 18:41:24 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.05.16 08:36:28 mail5 clamd[19238]: Sanesecurity.Junk.43451.UNOFFICIAL FOUND
2014.05.30 22:36:11 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.06.17 23:12:36 mail5 clamd[19238]: Sanesecurity.Spear.info_at_it_dot_org.UNOFFICIAL FOUND
2014.06.25 01:40:45 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.14 17:01:21 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.19 02:01:59 mail5 clamd[19238]: Sanesecurity.Scam4.1570.UNOFFICIAL FOUND
2014.07.28 17:41:24 mail5 clamd[19238]: Sanesecurity.Junk.20083.UNOFFICIAL FOUND
2014.08.14 18:42:14 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.06 15:33:23 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.12 21:13:47 mail5 clamd[19238]: Sanesecurity.Phishing.Fake.20863.UNOFFICIAL FOUND

This server has an incoming load of about 5,000 mostly spam messages per day, the vast majority of which never get past MAIL FROM: in the SMTP conversation. As you can see, twenty-two messages were rejected by ClamAV in nine months, of which *none* contained viruses because I already dealt with them the easy way, using practically no CPU cycles. So, in the same period, how many messages were rejected by
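The attachment stage of the pipeline described above, as an added example in stdlib Python. This is not the poster's MIMEDefang filter and not ClamAV code: it strips attachments that could be Windows executables and rejects a message outright when it carries an archive that cannot be opened. The extension blocklist, the MZ magic check, the decision to treat non-zip formats as unextractable, and all sample messages are this example's own assumptions.

```python
"""Added example, not the author's MIMEDefang configuration: strip
attachments that might be Windows executables, discard messages whose
archives cannot be opened (encrypted or corrupt). Everything below is
constructed for illustration."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: a common blocklist of extensions Windows will execute directly.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".hta", ".cpl", ".msi",
                   ".dll", ".ps1", ".lnk"}


def looks_like_windows_executable(name, data):
    """True if the filename extension or the leading bytes suggest a PE/script."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot >= 0 else ""
    if ext in EXEC_EXTENSIONS:
        return True
    # "MZ" DOS header: a PE image regardless of what it was renamed to.
    return data[:2] == b"MZ"


def archive_is_unextractable(name, data):
    """True for archives this filter cannot open: encrypted or corrupt zips,
    and (a simplification of this example) formats the stdlib cannot unpack."""
    lower = name.lower()
    if lower.endswith((".rar", ".7z", ".ace", ".arj")):
        return True
    if not lower.endswith(".zip"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted entry.
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except (zipfile.BadZipFile, EOFError, OSError, ValueError):
        return True


def apply_policy(raw):
    """Decide what to do with a raw RFC 5322 message.
    Returns ("reject", reason) or ("deliver", [names of stripped attachments])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or a container part
        data = part.get_payload(decode=True) or b""
        if archive_is_unextractable(name, data):
            return ("reject", f"unextractable archive: {name}")
        if looks_like_windows_executable(name, data):
            stripped.append(name)
    return ("deliver", stripped)


def build_message(attachments):
    """Constructed sample: a short message carrying (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def encrypted_zip():
    """Constructed zip whose single entry is flagged as encrypted. The stdlib
    cannot write encrypted zips, so bit 0 of the flag word is set by hand in
    the local header (offset 6) and the central directory header (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 64)
    raw = bytearray(buf.getvalue())
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(sig) + flag_offset] |= 0x1
    return bytes(raw)


if __name__ == "__main__":
    cases = [
        ("exe by name", [("invoice.exe", b"not really a PE")]),
        ("exe by magic", [("report.pdf", b"MZ\x90\x00" + b"\x00" * 8)]),
        ("harmless", [("notes.txt", b"hello")]),
        ("encrypted zip", [("docs.zip", encrypted_zip())]),
        ("corrupt zip", [("broken.zip", b"PK\x03\x04" + b"junk" * 10)]),
    ]
    for label, atts in cases:
        print(f"{label:14s} -> {apply_policy(build_message(atts))}")
```

The order matters: the archive check runs before the executable check, so a password-protected zip is rejected whole rather than delivered with nothing stripped, which is the failure mode the text is guarding against. Only what survives both checks would be handed to ClamAV.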
[clamav-users] Why are the ClamAV team so slow at creating signatures ?
Hi, Over the last 24-48 hours, I submitted a number of email attachments. RAR files that contained viruses. Running one or two of them through VirusTotal today, I see ClamAV have *STILL* not managed to produce virus definitions for them ! All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor . Looking forward to hearing the reasons why ! ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 3, 2014, at 7:19 AM, Tim Smith randomd...@gmail.com wrote: Hi, Over the last 24-48 hours, I submitted a number of email attachments. RAR files that contained viruses. Running one or two of them through VirusTotal today, I see ClamAV have *STILL* not managed to produce virus definitions for them ! All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor . Looking forward to hearing the reasons why !

Tim, I know someone contacted you offlist, however, for the sake of the community — We receive about 1.1M samples a day here. If you submit something, and it is more than just a casual submission, maybe you need something covered right away. We are always open to a little poke with the md5/sha256 so we can look at what you submitted. We love the feedback from our users, and always look forward to a constructive dialog.

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Talos
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 03/10/14 08:19, Tim Smith wrote: All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor .

are you really trying to compare response times from PAID solutions to the free/community maintained ones

-- Sincerely, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br My SPAMTRAP, do NOT email it: gertru...@solutti.com.br
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 3, 2014, at 1:54 PM, Leonardo Rodrigues leolis...@solutti.com.br wrote: On 03/10/14 08:19, Tim Smith wrote: All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor . are you really trying to compare response times from PAID solutions to the free/community maintained ones

Assuming this wasn't a rhetorical question, the answer is pretty clearly: yes. So what? I would expect that an expensive A/V solution should do better than ClamAV does for free. Frankly, it's a credit to the ClamAV team that their offering provides significant value for the price.

Regards, -- -Chuck
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 10/3/14 8:10:24AM, Mark Allan wrote: On 3 Oct 2014, at 03:39 pm, Gene Heskett ghesk...@wdtv.com wrote: On Friday 03 October 2014 07:19:13 Tim Smith did opine Over the last 24-48 hours, I submitted a number of email attachments. RAR files that contained viruses. Running one or two of them through VirusTotal today, I see ClamAV have *STILL* not managed to produce virus definitions for them ! All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor . Looking forward to hearing the reasons why !

Perhaps you should consider submitting them in a compressed file format that is NOT proprietary to apple and which carries a per seat license fee? Cheers, Gene Heskett

I'll admit that Tim's email rather reeked of entitlement, but Gene's response is just confusing and wrong. Yes, the RAR file format is proprietary, but not to Apple - it was a Russian named Eugene Roshal (Roshal ARchive, hence RAR) who came up with it, and the licence is only required for creating files of that format; software to extract RAR files is free. Also, ClamAV already contains code to unRAR these archives. Anyway, I digress from the original question. The reason it takes time to generate signatures from files/samples which are contributed by users is that the signatures are still generated manually by humans, most of whom have other jobs and unless I'm mistaken are therefore giving their time voluntarily. I've always found the turnaround time to be pretty good actually, especially for free software. Mark

From http://www.unrarlib.org/faq.html

Q: Do you know that the license for the unrar sources from RARLab is not compatible with the GNU Public license?
A: Yes, this is true. But we have the permission from Eugene Roshal to release unrarlib 0.4.0 under GPL and unrarlib-license. Note: this doesn't mean that RAR is free now or you can use the unrar source from RARlabs under GPL. You are just allowed to use UniquE RAR File Library version 0.4.0 (unrarlib 0.4.0) under GPL.

A lot of people avoid RAR as a result. dp
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 10/3/14 2:11:15PM, Charles Swiger wrote: On Oct 3, 2014, at 1:54 PM, Leonardo Rodrigues leolis...@solutti.com.br wrote: On 03/10/14 08:19, Tim Smith wrote: All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor . are you really trying to compare response times from PAID solutions to the free/community maintained ones Assuming this wasn't a rhetorical question, the answer is pretty clearly: yes. So what? I would expect that an expensive A/V solution should do better than ClamAV does for free. Frankly, it's a credit to the ClamAV team that their offering provides significant value for the price. Regards,

ClamAV also gives each of us tools to provide a Day Zero response to a threat. Our responsibility to our users (for those of us who have them) is to take advantage of that tool set. dp
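The "tool set" referred to in this message and earlier in the thread is ClamAV's support for locally written signatures. As an added example (not ClamAV project code and not anything the posters supplied), the script below builds the three simplest signature kinds for a sample you already hold, and checks them against the sample before you load them into clamd: a hash signature in .hdb format (md5:size:name, the same line `sigtool --md5 <file>` prints), a sha256 variant in .hsb format, and a body signature in .ndb format (name:target:offset:hex). The sample blob, the signature names and the tiny matcher are constructed for this example; the matcher handles plain hex patterns only, not ClamAV's wildcards, and the real check is `clamscan -d custom.ndb <file>`.

```python
"""Added example, not ClamAV code: write custom .hdb/.hsb/.ndb signature
lines for a local sample and verify them before loading into clamd.
The sample below is a constructed, harmless blob, not real malware."""
import hashlib

# Constructed stand-in for a submitted RAR sample: a RAR-like header
# followed by a distinctive lure string that a body signature can key on.
SAMPLE = (b"Rar!\x1a\x07\x00" + b"\x00" * 16
          + b"Please.enable.macros.to.view.invoice" + b"\x00" * 32)

_HASHERS = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256}


def hdb_line(data, name):
    """.hdb hash signature: md5:filesize:SignatureName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hsb_line(data, name):
    """.hsb hash signature: sha256:filesize:SignatureName."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def ndb_line(pattern, name, target_type=0, offset="*"):
    """.ndb body signature: SignatureName:TargetType:Offset:HexPattern.
    Target 0 matches any file type; offset '*' matches at any position."""
    return f"{name}:{target_type}:{offset}:{pattern.hex()}"


def hash_matches(line, data):
    """Would this .hdb/.hsb line fire on data? (size and digest must agree)"""
    digest, size, _name = line.split(":", 2)
    hasher = _HASHERS[len(digest)]
    return int(size) == len(data) and hasher(data).hexdigest() == digest


def ndb_matches(line, data):
    """Minimal matcher for plain-hex .ndb lines (no ClamAV wildcards)."""
    _name, _target, offset, hexsig = line.split(":")[:4]
    needle = bytes.fromhex(hexsig)
    if offset == "*":
        return needle in data
    start = int(offset)
    return data[start:start + len(needle)] == needle


def build_signatures(data, lure, name_base):
    """Return the three signature lines for one sample; the hash lines are
    exact and brittle, the body line survives trivial repacking."""
    return {
        "hdb": hdb_line(data, f"{name_base}.Hash"),
        "hsb": hsb_line(data, f"{name_base}.Hash256"),
        "ndb": ndb_line(lure, f"{name_base}.Lure"),
    }


if __name__ == "__main__":
    sigs = build_signatures(SAMPLE, b"Please.enable.macros", "Test.Constructed")
    for kind, line in sigs.items():
        print(f"custom.{kind}: {line}")
    # A one-byte change to the sample defeats the hash lines but not the body line.
    variant = SAMPLE + b"\x00"
    print("hdb hits variant:", hash_matches(sigs["hdb"], variant))
    print("ndb hits variant:", ndb_matches(sigs["ndb"], variant))
```

Drop each line into a file with the matching extension (custom.hdb, custom.ndb) in ClamAV's database directory or pass it with `clamscan -d`. The hash lines give you coverage within minutes of receiving a sample, which is the Day Zero response the message describes; the body line is the one worth keeping, since it still fires after the attacker re-wraps the same lure.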