dennispe at inetnw.com
Mon Jan 18 03:38:27 EST 2016
The VirusTotal site provides a distorted view of virus detection. Their (Google
$$) server farm uses every available tool out there to determine the status of a
submission. They even say they make no effort of their own to detect malware, but
rely on the hard work of the teams that do the heavy lifting. The signature
creation resources of that pool of vendors are greater by far than those of any
individual vendor, and the opportunities for becoming aware of a malware threat
are greater for the pool than for any individual vendor. The pool will always
find more than any single vendor. That is the nature of the chaotic world of
malware. To expect an individual vendor to be as effective as the pool is idiocy.
If it were possible, the pool would be unnecessary.
Because VirusTotal consults all of them, they have a greater opportunity of
returning a hit than any single vendor, and that artificially makes them look
more effective. That is a fallacy and creates false expectations of the
individual vendors. There will ALWAYS be a disparity among antivirus vendors
regarding signatures for a particular threat. It will always be this way.
Malware will always arrive faster than a response can be launched, and these
threats don't land in the queue of all the vendors at the same time. This is why
heuristics are so popular/prevalent. It is a bigger net.
It would be far better for VirusTotal to provide information in the report the
admin can use. Even something as simple as a checksum is better than nothing,
because it gives the admin a helpful bit of defense. Regardless, as the admin, if
you submit a file that results in a positive response from any vendor, you can
generate your own checksum to protect your environment. If you have the needed
information and don't take advantage of your tool set, you have no basis to
complain about a free service from those who do your work for you.
Writing signatures is trivial - testing them for false positives is orders of
magnitude more difficult, and more than one AV tool has brought down whole data
centers by pushing out bad signatures. We all have to be patient, do our jobs,
and thank those open source volunteers that make ClamAV the value it is.
The ClamAV group receives millions of submissions to examine, write and test
signatures for, and then deal with the false positives problem. It does nothing
to send in a pissy email that suggests, in so many words, "fine, but what have
you done lately?"
On 1/17/16 10:49 PM, Walter H. wrote:
> On Mon, January 18, 2016 07:11, Al Varnell wrote:
>> We’ll have to wait for the ClamAV signature team to come to work in the AM
>> to get an official answer, but I’m curious on how you know that all of
>> these submissions to VirusTotal represent proven threats? In my
>> experience, many files uploaded to VT are totally harmless with no
>> scanners detecting them as infected.
> maybe, but then it would be no bad idea to note this with
> "no threat, harmless" or similar
>> One possibility is that these entries were posted simply to let the
>> submitter know that a new signature was not required.
> maybe, but these should also be noted, as this is confusing;
>> Another possible explanation that I’ve seen in the past is that they were
>> already detected with a current signature, but normally the entry is
>> annotated with that information.
> correct, something like
> "Submission notes: Same as in Submission-ID 1172664244"
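The post above suggests that an admin who gets a positive VirusTotal result can generate a checksum and protect their own environment with it, and it warns that the hard part is checking a signature for false positives. The following is an added example (not code from the list post or from the ClamAV project) showing what that looks like in practice: it builds a ClamAV hash signature line in the .hsb format (`sha256hash:filesize:SignatureName`), refuses to emit one whose hash collides with a known-good allowlist, and shows how such a line matches a file. The sample bytes, the allowlist contents and the signature name `Custom.Demo.Sample` are all constructed for the demo.

```python
import hashlib
from pathlib import Path
from typing import Iterable, Optional, Set

# Constructed stand-in for a file some VirusTotal engine flagged. Not real malware.
FLAGGED_SAMPLE = b"MZ" + b"\x90" * 60 + b"constructed-sample-for-demo"

# Constructed allowlist: SHA-256 of files already known to be clean in this
# environment. A hash signature that hits one of these would be a guaranteed
# false positive, so it must never be deployed.
KNOWN_GOOD: Set[str] = {hashlib.sha256(b"constructed-legit-tool-v1").hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hsb_signature(data: bytes, name: str) -> str:
    """Return a ClamAV .hsb line for the given file bytes.

    Format: <sha256 hex>:<exact file size in bytes>:<signature name>.
    Using the exact size (rather than the '*' wildcard) keeps the signature
    as narrow as possible, which is what you want for a hand-made checksum sig.
    """
    if not name or ":" in name:
        raise ValueError("signature name must be non-empty and contain no ':'")
    return f"{sha256_hex(data)}:{len(data)}:{name}"


def safe_to_deploy(data: bytes, known_good: Set[str]) -> bool:
    """False-positive guard: a hash sig for data is unsafe if that hash is allowlisted."""
    return sha256_hex(data) not in known_good


def parse_hsb_line(line: str):
    """Split an .hsb line into (hash, size_or_None, name). Size None means '*'."""
    digest, size, name = line.strip().split(":", 2)
    return digest.lower(), (None if size == "*" else int(size)), name


def matches(data: bytes, line: str) -> Optional[str]:
    """Return the signature name if data matches the .hsb line, else None."""
    digest, size, name = parse_hsb_line(line)
    if size is not None and size != len(data):
        return None
    return name if sha256_hex(data) == digest else None


def build_hsb(samples: Iterable[tuple], known_good: Set[str],
              out_path: Optional[Path] = None) -> list:
    """Build deployable .hsb lines from (bytes, name) pairs, skipping allowlisted hashes.

    If out_path is given, the lines are written there so the file can be handed
    to clamscan with --database.
    """
    lines = [hsb_signature(data, name) for data, name in samples
             if safe_to_deploy(data, known_good)]
    if out_path is not None:
        out_path.write_text("\n".join(lines) + ("\n" if lines else ""))
    return lines


if __name__ == "__main__":
    sigs = build_hsb(
        [(FLAGGED_SAMPLE, "Custom.Demo.Sample"),
         (b"constructed-legit-tool-v1", "Custom.Demo.WouldBeFalsePositive")],
        KNOWN_GOOD,
        Path("custom.hsb"),
    )
    for s in sigs:
        print(s)
    print("flagged sample matches:", matches(FLAGGED_SAMPLE, sigs[0]))
```

Running the script writes `custom.hsb` containing one line (the allowlisted file is dropped), after which `clamscan --database=custom.hsb <file>` will report the constructed sample as `Custom.Demo.Sample`. The allowlist is the cheap, local version of the false-positive testing the post describes; it catches only exact collisions with files you already know, which is exactly why a hash signature is so narrow and so safe compared with a pattern signature.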