[clamav-users] Bad detection rate

Dennis Peterson dennispe at inetnw.com
Mon Jun 23 18:00:04 UTC 2014


Quick dump of found signature results: ClamAV vs Basford et al

Unofficial sigs, total:
grep UNOFFICIAL clam* |wc -l
174

Unofficial Sane Security sigs found
grep Sanesecur.*FOUND clam* |wc -l
141

Official ClamAV sigs found:
grep FOUND clam* |grep -c -v UNOFFICIAL
10

Non-Sanesecurity unofficial sigs found:
grep UNOFFICIAL clam* |grep -v Sanesecurity |awk '{print $8}' |sort |uniq -c |sort -rn
       7 winnow.spam.ts.stock.4.UNOFFICIAL
       7 ScamNailer.Phish.info_AT_un.org.UNOFFICIAL
       3 winnow.spam.ts.miscspam.843424.UNOFFICIAL
       3 winnow.malware.m0.malware.863749.UNOFFICIAL
       2 winnow.spam.ts.yahoo.1.UNOFFICIAL
       2 winnow.spam.ts.miscspam.848859.UNOFFICIAL
       2 ScamNailer.Phish.info_AT_uk-lotto.co.uk.UNOFFICIAL
       1 winnow.spam.ts.photoeditting.12.UNOFFICIAL
       1 winnow.spam.ts.miscspam.842244.UNOFFICIAL
       1 ScamNailer.Phish.test_AT_test.com.UNOFFICIAL
       1 ScamNailer.Phish.neyland_AT_gonzaga.edu.UNOFFICIAL
       1 ScamNailer.Phish.info_AT_loan.com.UNOFFICIAL
       1 ScamNailer.Phish.info_AT_it.org.UNOFFICIAL
       1 ScamNailer.Phish.fedmail_AT_fedmail.prime-vendor.com.UNOFFICIAL
33

Good job, Steve.

On 6/23/14, 10:36 AM, Steve Basford wrote:
> On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote:
>> This morning I submitted the file
>> Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
>> (MD5 ad690be247dda635781e20887fcac0e7)
>> on virustotal.com.
>>
>> 4 out of 54 scanners detected a virus
>> (NOD32 named it Win32/Kryptik.CFAE)
>> but ClamAV did not detect it.
> Hi Walter,
>
> This was added to phish.ndb:
>
> Sanesecurity.Malware.23787.ZipHeur
>
> Added: 23 Jun 2014 09:32:40 UT
>
> Cheers,
>
> Steve
> Sanesecurity.com

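Added example (not part of the original post or the ClamAV project): the tallies above done in one pass, grouping detections by signature family. It assumes clamd log lines written with LogTime enabled; the function names and the sample lines are constructed for illustration. The signature is read as the second-to-last field, so a scanned path containing spaces does not shift it the way a fixed `$8` would.

```shell
#!/usr/bin/env bash
# Constructed sample input in clamd log format (LogTime on); not taken from the thread's logs.
sample_log() {
cat <<'EOF'
Mon Jun 23 09:01:12 2014 -> /var/spool/mail/a1: Sanesecurity.Malware.23787.ZipHeur.UNOFFICIAL FOUND
Mon Jun 23 09:02:40 2014 -> /var/spool/mail/a2: winnow.spam.ts.stock.4.UNOFFICIAL FOUND
Mon Jun 23 09:03:05 2014 -> /var/spool/mail/my file.eml: Sanesecurity.Malware.23787.ZipHeur.UNOFFICIAL FOUND
Mon Jun 23 09:04:55 2014 -> /var/spool/mail/a4: Example.Official.Sig FOUND
Mon Jun 23 09:05:00 2014 -> /var/spool/mail/a5: OK
Mon Jun 23 09:06:10 2014 -> /var/spool/mail/a6: ScamNailer.Phish.test_AT_test.com.UNOFFICIAL FOUND
EOF
}

# Count FOUND lines per source: "official" for stock ClamAV signatures,
# otherwise the first dotted component of the UNOFFICIAL signature name.
# Reads the files given as arguments, or stdin when there are none.
tally_found() {
  awk '
    $NF == "FOUND" {
      sig = $(NF-1)                    # signature: always second-to-last field
      if (sig ~ /\.UNOFFICIAL$/) {
        fam = sig
        sub(/\..*/, "", fam)           # keep text before the first dot
        n[fam]++
      } else {
        n["official"]++
      }
    }
    END { for (k in n) printf "%s %d\n", k, n[k] }
  ' "$@" | LC_ALL=C sort -k2,2nr -k1,1   # highest count first, then by name
}

sample_log | tally_found
```

Run against real logs as `tally_found clam*`.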


