[clamav-users] Virus-Datebase-Updates?

Dennis Peterson dennispe at inetnw.com
Mon Jan 18 03:38:27 EST 2016

The VirusTotal site provides a distorted view of virus detection. Their (Google 
$$) server farm uses every available tool out there to determine the status of a 
submission. The even say they make no effort of their own to detect malware, but 
rely on the hard work of the teams that do the heavy lifting. The signature 
creation resources of that pool of vendors is greater by far than any individual 
vendor, and the opportunities for becoming aware of a malware threat is greater 
for the pool than that of any individual vendor. The pool will always find more 
than any single vendor. That is the nature of the chaotic world of malware. To 
expect an individual vendor to be as effective as the pool is idiocy. If it were 
possible the pool would be unnecessary.

Because VirusTotal consults all of them they have greater opportunity of 
returning a hit than any single vendor and that artificially makes them look 
more effective. That is a fallacy and creates false expectations from the 
individual vendors. There will ALWAYS be a disparity among antivirus vendors 
regarding signatures for a particular threat. It will always be this way. 
Malware will always arrive faster than a response can be launched and these 
threats don't land in the queue of all the vendors at the same time. This is why 
heuristics are so popular/prevalent. It is a bigger net.

It would be far better for VirusTotal to provide information in the report the 
admin can use. Even something a simple as a checksum is better than nothing 
because it gives the admin a helpful bit of defense. Regardless, as the admin if 
you submit a file that results in a positive response from any vendor you can 
generate your own checksum to protect your environment. If you have the needed 
information and don't take advantage of your tool set you have not basis to 
complain about a free service from those who do your work for you.

Writing signatures is trivial - testing them for false positive is orders of 
magnitude more difficult and more than one AV tool has brought down whole data 
centers by pushing out bad signatures. We all have to be patient, do our jobs, 
and thank those open source volunteers that make ClamAV the value it is.

The ClamAV group receives millions of submissions to examine, write and test 
signatures for, and then deal with the false positives problem.  It does nothing 
to send in a pissy email that suggests in so many words, "fine, but what have 
you done lately?"


On 1/17/16 10:49 PM, Walter H. wrote:
> Hello,
> On Mon, January 18, 2016 07:11, Al Varnell wrote:
>> We’ll have to wait for the ClamAV signature team to come to work in the AM
>> to get an official answer, but I’m curious on how you know that all of
>> these submissions to VirusTotal represent proven threats?  In my
>> experience, many files uploaded to VT are totally harmless with no
>> scanners detecting them as infected.
> maybe, but then it would be no bad idea to note this with
> "no threat, harmless" or similar
>> One possibility is that these entries were posted simply to let the
>> submitter know that a new signature was not required.
> maybe, but these should also be noted, as this is confusing;
>> Another possible explanation that I’ve seen in the past is that they were
>> already detected with a current signature, but normally the entry is
>> annotated with that information.
> correct, something like
> "Submission notes: Same as in Submission-ID 1172664244"
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/contact.html#ml

More information about the clamav-users mailing list