[clamav-users] Clamav is not finding any viruses
Joel Esler (jesler)
jesler at cisco.com
Fri May 9 11:23:14 UTC 2014
We exchange samples with many groups, companies, and people, bringing in over 650,000 unique samples a day, which highlights the "understaffed" issue.
--
Joel Esler
Sent from my iPhone
> On May 9, 2014, at 4:59, "Al Varnell" <alvarnell at mac.com> wrote:
>
> Thorvald,
>
> Just another user here, but I don’t understand why you would be surprised by this. Are you under the impression that Kaspersky shares its samples with anybody else? As far as I know, the only way the ClamAV® team would have a sample is if one of us users submitted it to them or it was provided to them by VirusTotal. I looked on VirusTotal.com and was not able to locate a Kaspersky (or any other scanner) identification by that name.
>
> I’m also under the impression that the ClamAV® signature team is overworked and understaffed, even though they have taken steps recently to improve that situation.
>
> Any time I find a situation such as this, I submit the samples to VirusTotal to validate my findings and, if confirmed, to the ClamAV® submit-a-file site.
>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>> On May 9, 2014, at 1:28 AM, Thorvald Hallvardsson <thorvald.hallvardsson at gmail.com> wrote:
>> Hi,
>>
>> The virus I'm looking at in particular is Trojan.Win32.Yakes.elfb. That's
>> how Kaspersky finds it and calls it. It was submitted on 20 July 2011,
>> so it's quite old. After applying SaneSecurity databases the virus still
>> cannot be found.
>>
>> I tried to scan a ZIP file - no virus found.
>> I tried to scan extracted file - no virus found.
>>
>> Tested that file with NOD32 and Kaspersky - they both shout there is a
>> virus.
>>
>> So I'm quite surprised such old stuff is not found by clamav :(.
>>
>> Regards,
>> TH
>
>>> On 8 May 2014 19:20, Steve Basford <steveb_clamav at sanesecurity.com> wrote:
>>>> On Thu, May 8, 2014 5:47 pm, Kris Deugau wrote:
>>>> I have been adding MD5 signatures, and somewhat more recently, .zmd
>>>> .zip-content-filename signatures (for doubled-extension files), but I do
>>>> not have time to dig more deeply and create more general signatures.
>>>>
>>>> -kgd
>
>>> Hi,
>>>
>>> You could add sanesecurity.com signatures
>>>
>>> phish.ndb: has some simple zip heuristics to block some of these
>>> rogue.hdb: updated hourly for malware received
>>>
>>> Foxhole can be added to block all double extensions in zips *or* all
>>> dangerous attachments in Zips/rar/7zip:
>>>
>>> sanesecurity.com/foxhole-databases/
>>>
>>> Just in case it helps..
>>>
>>> Cheers,
>>>
>>> Steve
>>> Sanesecurity
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
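Added example (not code from this thread, from ClamAV, or from Sanesecurity): the two signature styles the thread contrasts, an MD5 hash signature (.hdb, as Kris describes) for the extracted file and a filename-pattern signature (.ndb, the kind of "simple zip heuristic" Steve mentions) for a doubled extension inside a ZIP. A constructed ZIP with a fake "invoice.pdf.exe" member is built inline; the signature names are hypothetical, and the small `scan()` function is a toy stand-in for clamscan so the example runs offline. It shows why scanning the ZIP and the extracted file behave the same for the hash signature (ClamAV unpacks archives and hashes the member), why one changed byte in the sample defeats the hash signature, and why the extension heuristic still fires on a repacked payload.

```python
"""Hash vs. pattern signatures for a double-extension ZIP (added example).

  .hdb line: MD5:size:MalwareName        (matches the unpacked member)
  .ndb line: Name:Target:Offset:HexSig   (target 0 = any file, * = any offset)
Real use:   clamscan -d custom.hdb -d custom.ndb sample.zip
"""
import hashlib
import io
import zipfile

# Constructed sample, not real malware: a stub with a doubled extension.
PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not an executable\n"
INNER_NAME = "invoice.pdf.exe"


def build_sample_zip(payload: bytes = PAYLOAD, name: str = INNER_NAME) -> bytes:
    """Pack one member into an in-memory ZIP (ZIP stores filenames uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def hdb_signature(data: bytes, sig_name: str) -> str:
    """ClamAV .hdb format: MD5 of the whole file, its size, malware name."""
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    return f"{digest}:{len(data)}:{sig_name}"


def ndb_double_ext_signature(ext_pair: str, sig_name: str) -> str:
    """ClamAV .ndb format: hex of the ASCII extension pair, any file, any offset.
    Hypothetical signature name; the hex syntax is ClamAV's."""
    return f"{sig_name}:0:*:{ext_pair.encode('ascii').hex()}"


def _parse_hdb(line: str):
    md5, size, name = line.split(":")
    return md5, int(size), name


def _parse_ndb(line: str):
    name, _target, _offset, hexsig = line.split(":")[:4]
    return name, bytes.fromhex(hexsig)


def scan(data: bytes, hdb_lines, ndb_lines, depth: int = 0, max_depth: int = 2):
    """Toy stand-in for clamscan: hash-match the file, pattern-match its raw
    bytes, then recurse into ZIP members as ClamAV's archive unpacker would.
    Returns the sorted list of signature names that matched anywhere."""
    hits = set()
    md5 = hashlib.md5(data, usedforsecurity=False).hexdigest()
    for line in hdb_lines:
        sig_md5, size, name = _parse_hdb(line)
        if sig_md5 == md5 and size == len(data):
            hits.add(name)
    for line in ndb_lines:
        name, pattern = _parse_ndb(line)
        if pattern in data:  # filename fields in a ZIP are stored in the clear
            hits.add(name)
    if depth < max_depth and data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    hits.update(scan(zf.read(member), hdb_lines, ndb_lines,
                                     depth + 1, max_depth))
        except zipfile.BadZipFile:
            pass
    return sorted(hits)


# Hypothetical signature names; the .hdb line hashes the extracted member.
HDB = [hdb_signature(PAYLOAD, "Example.Trojan.Hash")]
NDB = [ndb_double_ext_signature(".pdf.exe", "Example.Zip.DoubleExt")]


if __name__ == "__main__":
    print("custom.hdb:", HDB[0])
    print("custom.ndb:", NDB[0])
    print("zip           :", scan(build_sample_zip(), HDB, NDB))
    print("extracted file:", scan(PAYLOAD, HDB, NDB))
    print("repacked, 1 byte changed:",
          scan(build_sample_zip(PAYLOAD + b"\n"), HDB, NDB))
    print("same payload, single extension:",
          scan(build_sample_zip(PAYLOAD, "invoice.pdf"), HDB, NDB))
```

The hash line only ever matches the exact sample that was hashed, so a sample that is one byte different (the "repacked" case) goes undetected; the .ndb line matches the doubled extension in the archive's filename fields regardless of the payload, which is what makes it a more general signature. Write the two lines to files named `custom.hdb` and `custom.ndb` and pass both with `-d` to clamscan to test the real thing.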