[clamav-users] Clamav is not finding any viruses
Al Varnell
alvarnell at mac.com
Fri May 9 08:59:04 UTC 2014
Thorvald,
Just another user here, but I don’t understand why you would be surprised by this. Are you under the impression that Kaspersky shares its samples with anybody else? As far as I know, the only way the ClamAV® team would have a sample is if one of us users submitted it to them or it was provided to them by VirusTotal. I looked on VirusTotal.com and was not able to locate a Kaspersky (or any other scanner) identification by that name.
I’m also under the impression that the ClamAV® signature team is overworked and understaffed, even though they have taken steps recently to improve that situation.
Any time I find a situation such as this, I submit the samples to VirusTotal to validate my findings and if confirmed to the ClamAV® submit a file site.
-Al-
--
Al Varnell
Mountain View, CA
On May 9, 2014, at 1:28 AM, Thorvald Hallvardsson <thorvald.hallvardsson at gmail.com> wrote:
> Hi,
>
> The virus I'm looking at in particular is Trojan.Win32.Yakes.elfb. That's
> how Kaspersky finds it and calls it. It was submitted on 20 July 2011,
> so it's quite old. After applying SaneSecurity databases the virus still
> cannot be found.
>
> I tried to scan a ZIP file - no virus found.
> I tried to scan extracted file - no virus found.
>
> Tested that file with NOD32 and Kaspersky - they both shout there is a
> virus.
>
> So I'm quite surprised such old stuff is not found by clamav :(.
>
> Regards,
> TH
> On 8 May 2014 19:20, Steve Basford <steveb_clamav at sanesecurity.com> wrote:
>> On Thu, May 8, 2014 5:47 pm, Kris Deugau wrote:
>>> I have been adding MD5 signatures, and somewhat more recently, .zmd
>>> .zip-content-filename signatures (for doubled-extension files), but I do
>>> not have time to dig more deeply and create more general signatures.
>>>
>>> -kgd
>> Hi,
>>
>> You could add sanesecurity.com signatures
>>
>> phish.ndb: has some simple zip heuristics to block some of these
>> rogue.hdb: updated hourly for malware received
>>
>> Foxhole can be added to block all double extensions in zips *or* all
>> dangerous attachments in Zips/rar/7zip:
>>
>> sanesecurity.com/foxhole-databases/
>>
>> Just in case it helps..
>>
>> Cheers,
>>
>> Steve
>> Sanesecurity
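Kris mentions adding MD5 signatures for samples that slip past the official database. As an added example (not code from this thread, from the ClamAV project or from Sanesecurity), the shell helper below writes the same `md5:size:MalwareName` line that `sigtool --md5` produces, so a confirmed sample can be added to a local `.hdb` and re-scanned with `clamscan -d`. It assumes `md5sum`, `wc` and a POSIX shell; the sample file and the detection name suffix are constructed for illustration, not real malware.

```shell
#!/bin/sh
# Added example: build a ClamAV .hdb hash-signature line for one file.
# Format: md5 of the whole file, its size in bytes, and the detection name,
# which is what "sigtool --md5 FILE" emits (with the filename as the name).
# Assumes md5sum and wc are available; clamscan is only needed for the final
# check and is not executed by the helper.

hdb_line() {
    # $1 = path to the sample, $2 = detection name to use in the signature
    f="$1"; name="$2"
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# Constructed stand-in for the submitted binary (not malware, just bytes).
tmpdir=$(mktemp -d)
printf 'hello' > "$tmpdir/sample.bin"

# The detection name is an assumption; any name is accepted by clamscan.
hdb_line "$tmpdir/sample.bin" "Trojan.Win32.Yakes.elfb.local" > "$tmpdir/local.hdb"
cat "$tmpdir/local.hdb"

# To verify the signature fires (if clamscan is installed):
#   clamscan -d "$tmpdir/local.hdb" "$tmpdir/sample.bin"
rm -r "$tmpdir"
```

Two points worth knowing when testing this: ClamAV hashes the file it actually scans, so for a ZIP it unpacks the archive and matches the hash of the inner file, which is why Thorvald's "scan the extracted file" test is the right one; and names loaded from a non-official database are reported with a `.UNOFFICIAL` suffix in the scan output, so the signature above shows up as `Trojan.Win32.Yakes.elfb.local.UNOFFICIAL`.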