[clamav-users] Why are the ClamAV team so slow at creating signatures ?

Joel Esler (jesler) jesler at cisco.com
Mon Oct 6 10:34:23 EDT 2014


> On Oct 6, 2014, at 10:21 AM, Tim Smith <randomdev4 at gmail.com> wrote:
> 
>> but call paid prebuildt software always better is not correct, but mostly just marketing
> 
> What rubbish... ClamAV always lags behind the commercial vendors in
> any comparative you wish to mention.
> 
> The majority of well established vendors will also do a better job of
> detecting and pushing out definitions as it seems that ClamAV is
> reactive, not proactive on the definitions front  ….

Incorrect.  For instance, just one of our signatures may catch tens of thousands of samples.  We can malware when it arrives, and if we catch the “new” piece of malware with an already present signature, we assign the new piece of malware to the already present signature.  For instance, I just went into our internal interface, and picked the first “prior detect” on my list, and it has 94 pieces of malware assigned to it.  You can actually see some of the de-duplicated ones if you subscribe to the clamav-virusdb mailing list.  We don’t list them all in there, because frankly it’d be too large of an email to send out.  So only particular malware “Senders” are there.

Just because we don’t detect the piece of malware that you found, doesn’t mean we aren’t proactive.  

> 
>> What other av product can you make your own virus signatures with, not usefull,  hmm
> 
> You don't need to when they've got a decent set of analysts who are on
> the ball and push out new definitions quickly !
> 
> F-Secure, Sophos, Kasperksy and others all had coverage already of this virus.

Those companies also have hundreds of analysts dedicated to the problem.  We don’t have hundreds.

> 
> Seriously, why should I mess around with creating virus signatures,
> its a waste of my time.

That’s kind of the point of a community open-source project.  

> 
> Evangelising over how wonderful open-source anti-virus is is great....
> but if you're severely lagging on pushing out virus definitions then
> it very quickly removes the attractiveness of the product.   80% of
> people using your open-source project won't have the knowledge, time
> or inclination to hack together their own virus definitions ….

We try to make it very simple for people to do it, in fact, we include tools for people to be able to do it.
> 
> I'm off to sign up with one of the well established software vendors.

We’re sorry to see you go.  We try to offer a good service, for free, to the community in order to make the internet, just a little bit safer.   We’ll understand if you’d like a refund.  ;)


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> 
> On 6 October 2014 14:55, Benny Pedersen <me at junc.eu> wrote:
>> On October 6, 2014 3:37:34 PM Tim Smith <randomdev4 at gmail.com> wrote:
>> 
>>>> are you really trying to compare response times from PAID sollutions to
>>>> the free/community maintened ones ?
>>> Of course not, the paid solutions will always be better.
>> 
>> 
>> Dream on, my commodore 64 is the best 8bit computer ever not needing
>> antivirus at all, restarting it cleans any virus for free, sorry could not
>> resists
>> 
>>> But three days to get some definitions pushed out for a zero-day is a
>>> bit on the slow side, you must agree !
>> 
>> 
>> You are free to define opensource as you wish, but call paid prebuildt
>> software always better is not correct, but mostly just marketing
>> 
>> What other av product can you make your own virus signatures with, not
>> usefull,  hmm
>> 
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4881 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20141006/ea77de82/attachment.bin>


More information about the clamav-users mailing list