[clamav-users] false positive sample

Daniel Quintiliani danq at runbox.com
Fri Aug 22 22:44:03 UTC 2014


On Fri, 22 Aug 2014 18:26:37 -0400, Dan McDaniel <dan at dm3.us> wrote:

> I submitted a false positive awhile ago -- probably back in May. It
> hasn't been fixed yet. Should I submit it again?
> 
> Also, on the web form when submitting false positives there is a
> check-box that says "notify me". It would seem to imply that you 
> might get some kind of notification when your sample had been processed,
> but I have never received any notification for any of the samples I've
> submitted. What is that check-box for?
> 

I don't know what's going on. It seems that ever since the Cisco buyout the quality of ClamAV has disintegrated really fast. 

I am always submitting samples from my email and blog spam to VirusTotal, ClamAV, and CRDF. VirusTotal often shows tons of failures, often more than half of the major antivirus products but never ClamAV, and then I submit to CRDF, who do their own automated VirusTotal scans and mark them as malware right away. 

ClamAV, however, marks them clean for weeks (unless you use CRDF's signatures) and often they are never marked malware.

In fact, I have a list of MD5s of 600 MB worth of malware from a "game hack" site spammed to my blogs. I sent e-mails to ClamAV saying I had the MD5s and files but received no response. I wound up deleting the files because only two were marked as malware, and by CRDF's signatures, not by ClamAV's. 

(I still have the MD5s list if anyone wants me to post it on the message board)

Good thing I only use Linux now, where the effectiveness of antivirus software isn't too important. I just wish ClamAV developers were more attentive to their product, which they haven't been since Cisco bought Sourcefire.

--

-Dan Q
