[clamav-users] Why are the ClamAV team so slow at creating signatures ?

Joel Esler (jesler) jesler at cisco.com
Mon Oct 6 09:11:41 EDT 2014


> On Oct 3, 2014, at 5:12 PM, Dennis Peterson <dennispe at inetnw.com> wrote:
> 
> On 10/3/14 8:10:24AM, Mark Allan wrote:
>> On 3 Oct 2014, at 03:39 pm, Gene Heskett <gheskett at wdtv.com> wrote:
>> 
>>> On Friday 03 October 2014 07:19:13 Tim Smith did opine
>>>> Over the last 24-48 hours, I submitted a number of email attachments.
>>>> RAR files that contained viruses.
>>>> 
>>>> Running one or two of them through VirusTotal today, I see ClamAV have
>>>> *STILL* not managed to produce virus definitions for them !
>>>> 
>>>> All of the commercial vendors I submitted the samples to had analysed
>>>> and created samples in timeframes ranging from hours to one day.
>>>> 
>>>> At this rate I'm going to be dumping ClamAV from my systems and
>>>> subscribing to a service from a commercial vendor .....
>>>> 
>>>> Looking forward to hearing the reasons why !
>>> Perhaps you should consider submitting them in a compressed file format
>>> that is NOT proprietary to apple and which carries a per seat license fee?
>>> 
>>> Cheers, Gene Heskett
>> I'll admit that Tim's email rather reeked of entitlement, but Gene's response is just confusing and wrong.  Yes, the RAR file format is proprietary, but not to Apple - it was a Russian named Eugene Roshal (Roshal ARchive hence RAR) who came up with it and the licence is only required for creating files of that format; software to extract RAR files is free.
>> 
>> Also, ClamAV already contains code to unRAR these archives.
>> 
>> Anyway, I digress from the original question.
>> 
>> The reason it takes time to generate signatures from files/samples which are contributed by users is that the signatures are still generated manually by humans, most of whom have other jobs and unless I'm mistaken are therefore giving their time voluntarily.  I've always found the turnaround time to be pretty good actually, especially for free software.
>> 
>> Mark
>> 
> 
> From http://www.unrarlib.org/faq.html
> 
> Q: Do you know that the license for the unrar sources from RARLab is not compatible with the GNU Public license?
> 
> A: Yes, this is true. But we have the permission from Eugene Roshal to release unrarlib 0.4.0 under GPL and unrarlib-license. Note: this doesn't mean that RAR is free now or you can use the unrar source from RARlabs under GPL. You are just allowed to use UniquE RAR File Library version 0.4.0 (unrarlib 0.4.0) under GPL.
> 
> A lot of people avoid RAR as a result.


We have issues with some distributions, as they don’t want to build that feature in (because of the license) or don’t build Clam into the distribution at all because of this exclusion.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
