Re: [clamav-users] false positive sample
On Aug 22, 2014, at 8:24 PM, Dan McDaniel <d...@dm3.us> wrote:

> On Fri 22.Aug.14 15:36, Al Varnell wrote:
>
>> On Aug 22, 2014, at 3:26 PM, Dan McDaniel <d...@dm3.us> wrote:
>>
>>> I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again?
>>
>> Providing the MD5 of the submitted file will allow the team to locate it quickly.
>
> md5sum: 04f34a0597ab21ce25f4fc6bc84cc5d4

I see this on the server side and the hash is assigned to an analyst to take a look.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] false positive sample
On Aug 22, 2014, at 6:44 PM, Daniel Quintiliani <d...@runbox.com> wrote:

> On Fri, 22 Aug 2014 18:26:37 -0400, Dan McDaniel <d...@dm3.us> wrote:
>
>> I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again?
>>
>> Also, on the web form when submitting false positives there is a check-box that says notify me. It would seem to imply that you might get some kind of notification when your sample had been processed, but I have never received any notification for any of the samples I've submitted. What is that check-box for?
>
> I don't know what's going on. It seems that ever since the Cisco buyout the quality of ClamAV has disintegrated really fast.
>
> I am always submitting samples from my email and blog spam to VirusTotal, ClamAV, and CRDF. VirusTotal often shows tons of failures, often more than half of the major antivirus products but never ClamAV, and then I submit to CRDF, who do their own automated VirusTotal scans and mark them as malware right away. ClamAV, however, marks them clean for weeks (unless you use CRDF's signatures) and often they are never marked malware.
>
> In fact, I have a list of MD5s of 600 MB worth of malware from a game hack site spammed to my blogs. I sent e-mails to ClamAV saying I had the MD5s and files but received no response. I wound up deleting the files because only two were marked as malware, and by CRDF's signatures, not by ClamAV's. (I still have the MD5s list if anyone wants me to post it on the message board)
>
> Good thing I only use Linux now, where the effectiveness of antivirus software isn't too important. I just wish ClamAV developers were more attentive to their product, which they haven't been since Cisco bought Sourcefire.

I'd disagree here. In fact, we've only added to the team since the Cisco purchase.

We're currently working on a better way to report false positives, so hopefully we'll see some resolution to the issue soon, but by all means, if you have FP reports, please report them via the website and we'll take a look at the issue.

As far as reports of new malware, again, the website is the best place to send them, however, for bulk uploads, like the website says, it's best to contact us. Where did you send emails to us that we missed? Maybe we're having a server problem that I haven't seen yet and we need to get that fixed.

If people would like to contribute their own signatures to the ruleset, we'd be happy to take a look at that as well: http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
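The thread turns on two practical details: an MD5 lets the team locate a submitted sample, and users with their own hash lists can package them as ClamAV signatures. The script below is an added example (it is not ClamAV project code and was not posted by anyone on the list). It assumes the published ClamAV hash-signature line formats, `MD5:FileSize:MalwareName` for `.hdb` files and `SHA1-or-SHA256:FileSize:MalwareName` for `.hsb` files; the sample bytes, file names and the signature name `Example.Sample-1` are constructed for the demonstration.

```python
"""Turn sample files into ClamAV hash signatures and check files against them.

Added example for this thread; it is not ClamAV project code and not code
posted by anyone on the list. It assumes the published ClamAV hash-signature
line formats: ".hdb" lines are MD5:FileSize:MalwareName and ".hsb" lines are
SHA1-or-SHA256:FileSize:MalwareName. The sample bytes, file names and the
signature name "Example.Sample-1" are constructed for the demonstration.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024
# Hex-digest length identifies the algorithm, as ClamAV does for .hsb lines.
ALGO_BY_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo="md5"):
    """Hex digest of a file, read in chunks so large samples are not held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_signature(path, name, algo="md5"):
    """One ClamAV hash-signature line for `path` (md5 -> .hdb, sha1/sha256 -> .hsb)."""
    return f"{file_digest(path, algo)}:{os.path.getsize(path)}:{name}"


def load_signatures(lines):
    """Parse signature lines into {(digest, size): name}.

    Blank lines and '#' comments are skipped; a line whose digest length is not
    an MD5/SHA1/SHA256 length is rejected so a typo cannot silently never match.
    """
    sigs = {}
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or len(parts[0]) not in ALGO_BY_DIGEST_LEN:
            raise ValueError(f"line {lineno}: not a hash:size:name signature")
        digest, size, name = parts
        sigs[(digest.lower(), size)] = name
    return sigs


def match(path, sigs):
    """Return the signature name that matches `path`, or None.

    Hashes are computed only for the algorithms actually present in `sigs`,
    and a size field of '*' in a signature is treated as 'any size'.
    """
    size = str(os.path.getsize(path))
    algos_needed = {ALGO_BY_DIGEST_LEN[len(d)] for d, _ in sigs}
    for algo in sorted(algos_needed):
        digest = file_digest(path, algo)
        for key in ((digest, size), (digest, "*")):
            if key in sigs:
                return sigs[key]
    return None


def demo():
    """Build an .hdb and an .hsb line for a constructed sample, then check two files."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")
        clean = os.path.join(d, "clean.bin")
        with open(sample, "wb") as f:
            f.write(b"abc")          # constructed "malware" sample
        with open(clean, "wb") as f:
            f.write(b"abd")          # same size, different content: must not match
        hdb = hash_signature(sample, "Example.Sample-1")            # MD5 line
        hsb = hash_signature(sample, "Example.Sample-1", "sha256")  # SHA256 line
        sigs = load_signatures([hdb, "# comment lines are ignored", hsb])
        return {
            "hdb": hdb,
            "hsb": hsb,
            "sample_hit": match(sample, sigs),
            "clean_hit": match(clean, sigs),
            "md5_for_fp_report": file_digest(sample),   # the value to quote in an FP report
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Writing the `.hdb` lines to a file and passing it to `clamscan` with `-d` (or `--database`) loads them alongside, or instead of, the official database; the `md5_for_fp_report` value is the same hash the responders ask for when a submitted sample needs to be found again.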
Re: [clamav-users] false positive sample
Hi there,

On Mon, 25 Aug 2014, it was difficult to figure out who wrote:

>> Good thing I only use Linux now, where the effectiveness of antivirus software isn't too important. I just wish ClamAV developers were more attentive to their product, which they haven't been since Cisco bought Sourcefire.
>
> I'd disagree here. In fact, we've only added to the team since the Cisco purchase.
> ...

There's a distinction between adding to the team and improving it.

Seems to me I've been reading the same old complaints here on the ClamAV mailing list for years now. Good job I only use ClamAV because of the third party databases like Sanesecurity.

And it would *really* help if the people who use this list learn how to write to mailing lists.

--
73,
Ged.
Re: [clamav-users] false positive sample
On Mon, 25 Aug 2014 13:17:23 +, Joel Esler (jesler) <jes...@cisco.com> wrote:

> We're currently working on a better way to report false positives, so hopefully we'll see some resolution to the issue soon, but by all means, if you have FP reports, please report them via the website and we'll take a look at the issue.
>
> As far as reports of new malware, again, the website is the best place to send them, however, for bulk uploads, like the website says, it's best to contact us. Where did you send emails to us that we missed? Maybe we're having a server problem that I haven't seen yet and we need to get that fixed.

I most likely sent the list of MD5s (actually they were SHA256sums) as an attachment to azidouemba-AT-sourcefire-D0T-c0m

I've just sent the attachment to jesler-AT-cisco-D0T-c0m

I actually haven't had a false positive in a very long time, but lots of undetected malware which fail VirusTotal scans for all the major brands. Like I said CRDF third-party signatures detect the malware an hour or so after you submit the files. I've been also sending them to ClamAV, no more than 2 per day, using the clamsubmit tool.

--
-Dan Q
[clamav-users] false positive sample
I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again?

Also, on the web form when submitting false positives there is a check-box that says notify me. It would seem to imply that you might get some kind of notification when your sample had been processed, but I have never received any notification for any of the samples I've submitted. What is that check-box for?
Re: [clamav-users] false positive sample
On Aug 22, 2014, at 3:26 PM, Dan McDaniel <d...@dm3.us> wrote:

> I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again?

Providing the MD5 of the submitted file will allow the team to locate it quickly.

> Also, on the web form when submitting false positives there is a check-box that says notify me. It would seem to imply that you might get some kind of notification when your sample had been processed, but I have never received any notification for any of the samples I've submitted. What is that check-box for?

Sent from Janet's iPad

-Al-
--
Al Varnell
Re: [clamav-users] false positive sample
On Fri, 22 Aug 2014 18:26:37 -0400, Dan McDaniel <d...@dm3.us> wrote:

> I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again?
>
> Also, on the web form when submitting false positives there is a check-box that says notify me. It would seem to imply that you might get some kind of notification when your sample had been processed, but I have never received any notification for any of the samples I've submitted. What is that check-box for?

I don't know what's going on. It seems that ever since the Cisco buyout the quality of ClamAV has disintegrated really fast.

I am always submitting samples from my email and blog spam to VirusTotal, ClamAV, and CRDF. VirusTotal often shows tons of failures, often more than half of the major antivirus products but never ClamAV, and then I submit to CRDF, who do their own automated VirusTotal scans and mark them as malware right away. ClamAV, however, marks them clean for weeks (unless you use CRDF's signatures) and often they are never marked malware.

In fact, I have a list of MD5s of 600 MB worth of malware from a game hack site spammed to my blogs. I sent e-mails to ClamAV saying I had the MD5s and files but received no response. I wound up deleting the files because only two were marked as malware, and by CRDF's signatures, not by ClamAV's. (I still have the MD5s list if anyone wants me to post it on the message board)

Good thing I only use Linux now, where the effectiveness of antivirus software isn't too important. I just wish ClamAV developers were more attentive to their product, which they haven't been since Cisco bought Sourcefire.

--
-Dan Q
Re: [clamav-users] false positive sample
On Fri 22.Aug.14 15:36, Al Varnell wrote:

> On Aug 22, 2014, at 3:26 PM, Dan McDaniel <d...@dm3.us> wrote:
>
>> I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again?
>
> Providing the MD5 of the submitted file will allow the team to locate it quickly.

md5sum: 04f34a0597ab21ce25f4fc6bc84cc5d4

>> Also, on the web form when submitting false positives there is a check-box that says notify me. It would seem to imply that you might get some kind of notification when your sample had been processed, but I have never received any notification for any of the samples I've submitted. What is that check-box for?
>
> Sent from Janet's iPad
>
> -Al-
> --
> Al Varnell