[clamav-users] Why are the ClamAV team so slow at creating signatures ?

Steve Basford steveb_clamav at sanesecurity.com
Fri Oct 3 14:44:11 EDT 2014


On Fri, October 3, 2014 12:19 pm, Tim Smith wrote:
>
> Over the last 24-48 hours, I submitted a number of email attachments.
> RAR files that contained viruses.
>
> Running one or two of them through VirusTotal today, I see ClamAV have
> *STILL* not managed to produce virus definitions for them !

> Looking forward to hearing the reasons why !

Hi Tim,

Although I can't speak for the ClamAV team, I will say this... it's
time and people to analyse the sheer number of samples being received.

...but before you even get to that stage, it de-duping, sorting the wheat
from the chaff....all of which takes time.

>From a Sanesecurity point of view, here's the amount of updates pushed out
today...

http://pastebin.com/Z07NvcEe

Ok some are spam related but the Sanesecurity.Rogue.0hr and
Sanesecurity.Malware.24411.ZipHeur are malware related.

Now, the Sanesecurity.Rogue.0hr are hashes of malware, updated hourly,
and pretty much automatic...the Sanesecurity.Malware ones are generated
manually, while I've awake of course... ;)

But.. you need something to fix the stuff in between, foxhole databases,
are helping in that direction...

foxhole_all.cdb: blocks dangerous attachments in Zips etc..  but may be too
aggressive.

foxhole_generic.cdb: as above but ONLY for double extension/hidden extension

foxhole_filename.cdb: will block known dangerous single extensions, in
Zips etc, it's quite empty at the moment but I've got a huge update coming
shortly to massively improve this.

Douglas from the ClamAV Team is adding sigs like 
Zip.Suspect.ExecutableFax-zippwd-1, which like the foxhole sigs, look at
the Zip filename and use a bit of common sense on the name, in order to
block it... and it's all
helping, to minimise the missed ones and save times on the 0 hour analysing

The ClamAV engine is flexible and opensource and without it, Sanesecurity
sigs certainly wouldn't be here without it, so I'm all for it's
defence....

One thing though about update frequency, to some people it don't
matter that much...here's an interesting poll on my website..

How often does freshclam update?

    Every Day (35%, 20 Votes)
    Every Hour (25%, 14 Votes)
    Every Four Hours (18%, 10 Votes)
    Every 30 mins (12%, 7 Votes)
    Every 15 mins (10%, 6 Votes)

Total Voters: 57

Really? Every Day? <faint>

You can, of course email the missed RAR samples to:

samples ATTTTTT sanesecurity.me.uk

Slightly off topic, does anyone have a folder full of saved malware
zips/rars etc. they have kept over the past xxx months, if so can U
contact me off-list...

Cheers,

Steve
Sanesecurity.com




More information about the clamav-users mailing list