[clamav-users] Low detection rate

Kris Deugau kdeugau at vianet.ca
Mon Mar 3 11:25:15 EST 2014


Alain Zidouemba wrote:
> Confirming a false negative on the sample you mentioned. We'll provide
> coverage as soon as possible. Please continue to submit your malware
> samples to: http://www.clamav.net/lang/en/sendvirus/

I've been submitting the first FN I find in a day (some days I see 4-5)
for several weeks, yet moving my local.hdb aside, running freshclam, and
rescanning the archived files I've kept for reference shows only one
file (the same one every time) flagged.

As an ISP mail/spam filter administrator I see an irregular stream of
emails that have .zip files attached, which contain a Windows
executable.  In context, entirely without feeding these to any kind of
antivirus tool, I am certain that they are unwanted at the very best,
and most likely malicious.  A handful have been .rar archives instead of
.zip.

I've accumulated over 100 examples, *all* of which triggered at least
three or four other scanners (usually 10+) on virustotal.com shortly
before I submitted the particular file to the link above.  (Recently the
files have also been "new" to virustotal.com, but still triggering 10 or
more of the ~50 scanners.)

I don't particularly know, nor do I care to spend the time to try and
find out, exactly what *kind* of nastyware these things are;  based on
what I recall of results from virustotal.com they are almost all
variants on a relatively small number of viruses.  Should I be noting
some of the specific results in my submissions?

> 
> Thanks,
> 
> - Alain
> 
> 
> On Mon, Mar 3, 2014 at 7:28 AM, Steve Hill <steve at opendium.com> wrote:
> 
>>
>> I'm using clamd together with exim under Scientific Linux 6.3 and I'm
>> having problems with Clam not detecting many viruses - in fact, looking
>> back through the logs it basically only seems to be finding a few phishing
>> emails.
>>
>> Other virus scanners are picking up a number of viruses which are being
>> allowed through by clam - for example, http://persephone.nexusuk.org/
>> ~steve/eticket_ba_70391830.doc is identified as CVE_2010_3333 by a number
>> of other scanners, but clam says it's clean (I've now submitted this to the
>> sendvirus page on the website).
>>
>> I'm using ClamAV 0.98.1 from the EPEL repository and as far as I can tell
>> my virus signatures are up to date:
>> # freshclam
>> ClamAV update process started at Mon Mar  3 12:25:40 2014
>> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder:
>> neo)
>> daily.cld is up to date (version: 18526, sigs: 719612, f-level: 63,
>> builder: neo)
>> bytecode.cld is up to date (version: 236, sigs: 43, f-level: 63, builder:
>> dgoddard)
>>
>> I'm not sure how to go about debugging the problem - any advice would be
>> welcome.
>>
>> Thank you.
>>
>> --
>>  - Steve Hill
>>    Technical Director
>>    Opendium Limited     http://www.opendium.com
>>
>> Direct contacts:
>>    Instant messenger: xmpp:steve at opendium.com
>>    Email:            steve at opendium.com
>>    Phone:            sip:steve at opendium.com
>>
>> Sales / enquiries contacts:
>>    Email:            sales at opendium.com
>>    Phone:            +44-844-9791439 / sip:sales at opendium.com
>>
>> Support contacts:
>>    Email:            support at opendium.com
>>    Phone:            +44-844-4844916 / sip:support at opendium.com
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> http://www.clamav.net/support/ml
>>
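The rescan loop described above (set local.hdb aside, run freshclam, rescan the retained samples and see which are still missed) and the "how do I go about debugging this" question in the quoted message both come down to the same check: scan a corpus of known-bad files with only the official databases loaded and list what still comes back clean. The script below is an added example for this thread, not code from the poster or from the ClamAV project. It assumes clamscan is on PATH, the official databases live in /var/lib/clamav, the retained samples sit in one directory, and the result lines have clamscan's usual `<path>: <signature> FOUND` / `<path>: OK` shape; the scan output embedded in it is constructed, not a real result.

```python
#!/usr/bin/env python3
"""Rescan a directory of retained samples with clamscan and report which are
still undetected (false negatives), using only the official databases.

Added example for this thread; not code from the poster or from ClamAV.
Assumptions: clamscan is on PATH, the official databases live in DB_DIR,
and the retained samples sit in one directory given on the command line.
"""
import os
import re
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

DB_DIR = "/var/lib/clamav"  # assumed default database directory
OFFICIAL_DBS = ("main.cvd", "main.cld", "daily.cvd", "daily.cld",
                "bytecode.cvd", "bytecode.cld")

# One clamscan result line: "<path>: <signature> FOUND" or "<path>: OK".
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def parse_clamscan(output: str) -> dict:
    """Map each scanned path to its detection name, or None if clamscan
    reported OK. Other lines (errors, summary) are ignored."""
    results = {}
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[m.group("path")] = m.group("sig")
    return results


def false_negatives(results: dict) -> list:
    """Paths that scanned clean. For a corpus of known-bad samples these are
    the false negatives still worth (re)submitting."""
    return sorted(p for p, sig in results.items() if sig is None)


def official_db_files(names) -> list:
    """Keep only the official main/daily/bytecode database file names, so a
    local.hdb (or any other local signature file) is left out."""
    return [n for n in names if n in OFFICIAL_DBS]


def official_db_dir(src_dir: str = DB_DIR) -> str:
    """Build a temporary database directory holding symlinks to the official
    databases only. Same effect as moving local.hdb aside, without touching
    the live database directory. Caller removes the directory afterwards."""
    tmp = tempfile.mkdtemp(prefix="clamdb-")
    for name in official_db_files(os.listdir(src_dir)):
        os.symlink(Path(src_dir) / name, Path(tmp) / name)
    return tmp


def scan_samples(sample_dir: str, db_dir: str = None) -> dict:
    """Run clamscan recursively over sample_dir and parse its output.
    clamscan exits 0 when nothing is found, 1 when something is found and
    2 on error; only the error case is raised."""
    cmd = ["clamscan", "--no-summary", "-r", sample_dir]
    if db_dir:
        cmd[1:1] = ["-d", db_dir]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode == 2:
        raise RuntimeError(proc.stderr.strip() or proc.stdout.strip())
    return parse_clamscan(proc.stdout)


# Constructed clamscan output (not a real scan) so the script runs offline.
SAMPLE_OUTPUT = """\
/srv/fn/2014-02-10_invoice.zip: Win.Trojan.Agent-12345 FOUND
/srv/fn/2014-02-11_eticket.zip: OK
/srv/fn/2014-02-12_scan.rar: OK
/srv/fn/2014-02-13_doc.zip: Win.Trojan.Downloader-6789 FOUND
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        tmp = official_db_dir()
        try:
            res = scan_samples(sys.argv[1], tmp)
        finally:
            shutil.rmtree(tmp)
    else:
        res = parse_clamscan(SAMPLE_OUTPUT)
    for p in false_negatives(res):
        print("still undetected:", p)
```

Run it with a sample directory after each freshclam to see which retained files remain undetected; run it with no arguments to exercise the parser on the constructed output. Because only main/daily/bytecode are symlinked into the temporary database directory, a hit in the report is coverage from the official signatures and not from the local hdb.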