[clamav-win32] Rogue Antispyware Using ClamAV Database

auto67209 at hushmail.com
Sat May 17 10:00:42 CEST 2008

Just in case you weren't already aware, "WinReanimator" downloads a 
copy of the ClamAV database, leaving a ClamAV folder inside 
%profile%\Local Settings\Temp, and a copy of daily.cvd in 
C:\Program Files\WinReanimator\data.

While the License Agreement does state that some components may be 
GPL'ed, and that those components are subject to the less 
restrictive terms of that license, there are a handful of potential 
problems with that as far as I can see.

Let's start with the obvious; what we know about these rogue 
programs... sometimes the License Agreement (including copyright 
and modification dates if applicable) isn't shown when the 
software is forcibly installed, and there's no way to get to that 
information from the user interface. While the GPL license 
agreement isn't necessarily important for running the program, 
should there be GPL components, which the license agreement for 
WinReanimator says is possible, it's the copyright and modification 
information that is important.

Next, I'll assume that the CVD file itself is the preferred method 
of viewing and/or editing the database, and, for benefit of the 
doubt, the database is kindly downloaded from ClamAV's servers as 
opposed to being packaged with WinReanimator and/or first mirrored 
to and thereafter downloaded from WinReanimator's servers; even so, 
there must be some amount of source code used by ClamAV and/or 
ClamWin to actually read the database and act upon it. Now, yes, 
rogue programs tend to generate fake results, but I'm forced to 
wonder what WinReanimator might be doing with the ClamAV 
database... I, the average user, unfortunately can't know, because 
the promised source code that is supposed to reside within a 
designated folder in the program files directory (as stated in the 
license agreement) isn't there, and, unless the database was put 
there by WinReanimator to waste disk space, I can assume it does 
something with it.

Finally, the GPL states that the entire package must be licensed 
GPL, and not just individual components; only the LGPL allows that. 
Even if WinReanimator contains no GPL'ed code, it seems as if the 
section of the license relating to the GPL is invalid. If 
WinReanimator does happen to contain GPL'ed code of any kind, 
perhaps, for example, some amount of code used to read and act upon 
the database, I'd assume they would have a difficult time arguing 
that an anti-malware program isn't an extension of an anti-malware 
database along with the code used to read and act upon an anti-
malware database, and one could try and argue that their license 
isn't enforceable given the GPL components and that the entire 
WinReanimator program should therefore be GPL'ed.

Now, for my disclaimer. I've made mistakes before, and everything 
I've said above could be complete rubbish and a complete 
misinterpretation of the GPL. The above is my opinion, but I 
believe it to be fairly accurate.

Any thoughts?

