[clamav-users] clamav-virusdb mailing list - what is the use?
Groach
groachmail-stopspammingme at yahoo.com
Fri Mar 11 20:15:31 UTC 2016
On 11/03/2016 19:12, Joel Esler (jesler) wrote:
> If it is not useful to you, then unsubscribe from it, best advice. It is for notification of updates to the ClamAV signature database.
Of course one can unsubscribe, and in fact *I* am not subscribed. I did
make the point, though, that the confirmation email one receives when a
report has finally been processed includes the link to the mailing list
as if the contents of the link are helpful. My point is that it isn't
helpful, (and consequently I am not subscribed to it), but that doesn't
prevent me and others wondering of that mailing list, "why?".
> As far as what those fields mean:
> <snip>
>
> Submission-ID:
>
> The number is an internal number that each sample is assigned. Meaningless to the outside world for the most part, unless you have a question about a particular malware file in that email, then you can ask, specifically using that number.
How? When will anyone have a question "about a malware in *that email*
that we can ask about using *that number*"? What number? We never get
given a number. And the email they receive says nothing at all other than
*SNIP******************************
Dear ClamAV user,
The following submissions have been processed and published:
-
See http://lists.clamav.net/pipermail/clamav-virusdb/2016-March/
*END OF SNIP***********************
....."the following submissions have been processed" WHAT
submissions??? [ Example: I did many over the last week, which one(s)
have you done? ]
So we get drawn to reading the mailing list to see a page of Submission
ID's. But that submission ID is for your internal purposes only and
means nothing to anyone so what is the point of publishing it?
> Sender: Who we have received the sample from. We have TONS of people and places where ClamAV receives malware samples from. Including your name, if you type it into ClamAV.net<http://clamav.net> (which is checked to be “anonymous” by default).
Already acknowledged.
> Added:
>
> Did we add a new signature to cover this?
>
> Added: No, means, the file that someone submitted is detected by another signature already, and this is a duplicate.
> Added: Yes, means, net new detection.
Again, 99.5% of all entries have "No" against them. Given the quantity
of submissions you have, ok, this is likely and that I acknowledge. But
what about those that report a *False Positive*? Even those reports end
up with a "no" instead of a "removed" or "acknowledged" or "rectified"
(anything more meaningful).
It seems the report is for internal staff (but I still don't understand
how given its limited information). The best it gives external users is
an option to (slowly!) do a vanity search for their name. (I say this
because even if they find their name, they can't see any other useful
information about why it is mentioned or what it relates to).
Instead of taking this as an attack, is it not just possible to take it
as feedback, maybe recognise the points made, look at the list with a
'different set of eyes' and maybe then improve whatever the entries report?
Example (suggestion):
1, First, when someone reports a file (either suspicious or False
Positive) by the website, allocate their Submission Id at that point
(submission time) and report it to the user straight away so they
can look for it in the mail list later and relate it to the
submission/file they made.
2, Second, the "Added" entry: "Yes" (signature generated), "No"
(duplicate - signature already exists) or "Removed" (False positive
rectified)
Just those 2 modifications will change the dynamic and worthiness of the
list contents to the end user.
3, If you could also include the file that has been reported then
people would be able to search, see and not waste your or their time
submitting it again AND consequently would mean less work for you guys
and smaller lists for users to read through.
Then
4, Fourth, if possible bring back some sort of search facility. Because
even if there was some worthy information to be found, it still means
people have to go in to each individual posting, do a browser search
for their name, back out, and go into the next posting and so on and so
on until they find what they are looking for. And as you know there can
be many postings in a day and there could be days worth to look through
given the amount of time it takes to action against an initial report.
Such searching difficulties make the list not just impractical but
virtually irrelevant in its existence.
Groach