[clamav-users] Why are the ClamAV team so slow at creating signatures ?

G.W. Haywood clamav at jubileegroup.co.uk
Sat Oct 4 15:35:03 EDT 2014


Hi Steve,

On Sat, 4 Oct 2014, Steve Basford wrote:

> Slightly off topic, does anyone have a folder full of saved malware
> zips/rars etc. they have kept over the past xxx months, if so can U
> contact me off-list...

I don't, exactly, but I do keep records and I do look at them.

Firstly I'm only interested in what's in electronic mail.  I don't run
Windows boxes, and on the odd occasion that I need one I fire up a VM.

However the several mail servers and many other Linux boxes for which
I'm responsible have the potential to assist in the propagation of
malicious software to customers, suppliers, colleagues, family and
casual acquaintances all around the world.  Although running only
Linux boxes means I can more or less forget the threat from malware to
the machines themselves, I take the view that using them to communicate
with more vulnerable systems gives me some responsibilities.  One of my
employees could, for example, forward a message with a malicious link
in it (to which the Linux box she uses is not vulnerable) to someone
using XP.  Six months after XP went EOL, over 25% of the Windows boxes
in the UK for example are still running it.

I can't say I blame people for not wanting to be shafted by Microsoft
yet again, but I don't think they're being very responsible.  Perhaps
they'd only have themselves to blame for not using Linux, but I don't
want to add to their problems, nor to those of almost everyone else,
by sending them a virus for which their machine has no defence - and
thus help to create a source of yet more trouble.

So here's what I do: after binning stuff from 25% of the IPV4 address
space without even looking at it, and then everything from (at present)
seventy-four country codes after paying them much the same attention, I
then pass the much-thinned cream of the crop through a huge regular
expression filter which looks for things like my spam-trap addresses
(more for the bin) and if anything's left I use MIMEDefang to delete
every attachment that might be some sort of Windows executable.  If a
message contains an archive which can't be extracted (e.g. password
protected) then it goes in the bit bucket as well.

Finally, ClamAV gets to look at what little is left.

Why am I scanning stuff that can't be executed?  Well, it still might
be cr@p that we don't want.

That's where Sanesecurity comes in.  I don't actually care if ClamAV can
find a virus or not, that's not what I use it for.  (And here we are
almost back on topic :).

My contribution to the off-topic topic is that the vast majority of
malicious email messages that I see now contain links to the real
payload, not the payload itself, and ClamAV doesn't get much to do:

2014.01.06 05:28:44 mail5 clamd[19238]: Sanesecurity.Junk.37650.UNOFFICIAL FOUND
2014.01.16 01:03:28 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.01.27 11:14:13 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.17130.UNOFFICIAL FOUND
2014.01.28 13:43:18 mail5 clamd[19238]: Sanesecurity.Phishing.Cur.1117.UNOFFICIAL FOUND
2014.02.01 22:35:24 mail5 clamd[19238]: Email.Phishing.Card-9 FOUND
2014.02.11 18:40:51 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.19 08:39:54 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.02.22 18:19:02 mail5 clamd[19238]: Sanesecurity.Lott.1874.UNOFFICIAL FOUND
2014.03.03 15:46:01 mail5 clamd[19238]: Sanesecurity.Scam4.1567.UNOFFICIAL FOUND
2014.03.20 22:52:32 mail5 clamd[19238]: Sanesecurity.Junk.24795.UNOFFICIAL FOUND
2014.05.01 19:01:25 mail5 clamd[19238]: ScamNailer.Phish.administrator_AT_domain.com.UNOFFICIAL FOUND
2014.05.14 18:41:24 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.05.16 08:36:28 mail5 clamd[19238]: Sanesecurity.Junk.43451.UNOFFICIAL FOUND
2014.05.30 22:36:11 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.06.17 23:12:36 mail5 clamd[19238]: Sanesecurity.Spear.info_at_it_dot_org.UNOFFICIAL FOUND
2014.06.25 01:40:45 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.14 17:01:21 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.07.19 02:01:59 mail5 clamd[19238]: Sanesecurity.Scam4.1570.UNOFFICIAL FOUND
2014.07.28 17:41:24 mail5 clamd[19238]: Sanesecurity.Junk.20083.UNOFFICIAL FOUND
2014.08.14 18:42:14 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.06 15:33:23 mail5 clamd[19238]: Phishing.Heuristics.Email.SpoofedDomain FOUND
2014.09.12 21:13:47 mail5 clamd[19238]: Sanesecurity.Phishing.Fake.20863.UNOFFICIAL FOUND

This server has an incoming load of about 5,000 mostly spam messages
per day, the vast majority of which never get past MAIL FROM: in the
SMTP conversation.  As you can see, twenty-two messages were rejected
by ClamAV in nine months, of which *none* contained viruses because I
already dealt with them the easy way, using practically no CPU cycles.

So, in the same period, how many messages were rejected by MIMEDefang
on this server because of executable attachments?

Four.  And three of them were perfectly kosher shell scripts from the
Cygwin mailing list.  (Oops. :)

In nine months of spam collection, with a conservatively estimated
body of a million messages, exactly one containing a virus got as far
as MIMEDefang, which rejected it before ClamAV even saw it.

Maybe we're getting better here at handling mail, I'd like to think so,
but absolute volumes of spam attempts here are down by at least 50% from
a couple of years ago.  In 2012 this same system saw 66 rejections by
third-party signatures (mostly Sanesecurity), four being viruses, from
a body of a couple of million messages.

I think our target is intelligent, and it seems to me that it's moved,
but things do seem to be going in the right direction.

And yes, I probably should reboot that server more often. :)

HTH

--

73,
Ged.
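The attachment stage Ged describes (delete every attachment that might be a Windows executable, bin any message whose archive cannot be extracted) is done in the post with MIMEDefang, which is Perl. The following is an added Python sketch of the same policy; it is neither Ged's configuration nor MIMEDefang's code. Its assumptions are: the extension list is a trimmed guess at what "might be some sort of Windows executable", only zip archives are inspected, an executable name inside an otherwise extractable zip is treated as a reason to strip the archive (the post does not say what happens in that case), and a "password-protected" zip is simulated by setting the encryption flag bit in a constructed archive, since the standard library cannot write encrypted zips.

```python
"""Attachment screening in the spirit of the MIMEDefang stage in the post.
Added example with constructed sample messages; not the poster's code."""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Assumed list: extensions that may denote a Windows executable or script.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".dll", ".cpl"}


def _ext(name):
    """Lower-cased extension of a filename, or '' if it has none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def looks_executable(filename, data):
    """True if the name or the content suggests a Windows executable.
    The 'MZ' magic check catches executables renamed to a harmless extension."""
    return _ext(filename) in EXEC_EXTENSIONS or data[:2] == b"MZ"


def inspect_zip(data):
    """Return (extractable, member_names). Encrypted members, unsupported
    compression or a corrupt archive all count as 'cannot be extracted'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            names = [i.filename for i in infos]
            if any(i.flag_bits & 0x01 for i in infos):   # bit 0 = encrypted
                return False, names
            return zf.testzip() is None, names
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return False, []


def screen(msg):
    """Apply the policy to a parsed message, stripping parts in place.
    Returns {'action': 'deliver'|'reject', 'reasons': [...], 'stripped': [...]}."""
    verdict = {"action": "deliver", "reasons": [], "stripped": []}
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if _ext(name) == ".zip":
            extractable, members = inspect_zip(data)
            if not extractable:
                verdict["reasons"].append(f"archive {name} cannot be extracted")
            elif any(looks_executable(m, b"") for m in members):
                verdict["stripped"].append(name)      # assumed extension of the rule
        elif looks_executable(name, data):
            verdict["stripped"].append(name)
    if verdict["reasons"]:
        verdict["action"] = "reject"                  # whole message goes in the bit bucket
        return verdict
    if verdict["stripped"] and msg.is_multipart():
        msg.set_payload([p for p in msg.get_payload()
                         if p.get_filename() not in verdict["stripped"]])
    return verdict


def make_zip(members, encrypted=False):
    """Build a constructed zip; optionally mark every member as encrypted by
    setting general-purpose flag bit 0 in the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= 0x01
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


def build_message(attachments):
    """Constructed message: a text body plus (filename, bytes) attachments,
    round-tripped through the parser so screen() sees what a milter would."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return email.message_from_bytes(msg.as_bytes(), policy=email.policy.default)


def demo():
    """Three constructed messages, one per branch of the policy."""
    results = {}
    m1 = build_message([("report.txt", b"MZ\x90\x00" + b"\x00" * 60),
                        ("minutes.zip", make_zip({"minutes.txt": b"agenda"}))])
    results["renamed_exe"] = screen(m1)                       # report.txt stripped
    results["renamed_exe_remaining"] = len(list(m1.iter_attachments()))
    m2 = build_message([("invoice.zip",
                         make_zip({"invoice.pdf": b"%PDF-1.4"}, encrypted=True))])
    results["encrypted_zip"] = screen(m2)                     # rejected outright
    m3 = build_message([("setup.zip", make_zip({"setup.exe": b"MZ..."}))])
    results["exe_in_zip"] = screen(m3)                        # archive stripped
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The MZ check is what makes the filter cheap and useful at the same time: it needs two bytes of the decoded part, not a signature database, which is the "practically no CPU cycles" point in the post. The reject branch for unextractable archives is deliberately blunt; a scanner cannot see inside a password-protected zip, so the only safe default for a mail gateway is to refuse it.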
