[clamav-users] clamav-virusdb mailing list - what is the use?
Joel Esler (jesler)
jesler at cisco.com
Sat Mar 12 02:12:27 UTC 2016
Okay. Feedback noted. To be perfectly honest, this is low in the priority list at the minute. We’ll revisit after we get the Signature Interface system back up and running, and see what additional functionality we can provide.
Regarding your last point though… trying to make people’s lives easier… how about:
site:lists.clamav.net/pipermail/clamav-virusdb/ "Stephen Kelly"
Replace "Stephen Kelly" with your name. Throw that into Google. Bingo, find your results.
--
Joel Esler
Manager, Talos Group
On Mar 11, 2016, at 3:15 PM, Groach <groachmail-stopspammingme at yahoo.com> wrote:
On 11/03/2016 19:12, Joel Esler (jesler) wrote:
If it is not useful to you, then unsubscribe from it, best advice. It is for notification of updates to the ClamAV signature database.
Of course one can unsubscribe, and in fact *I* am not subscribed. I did make the point, though, that the confirmation email one receives when a report has finally been processed includes the link to the mailing list as if the contents of the link are helpful. My point is that it isn't helpful (and consequently I am not subscribed to it), but that doesn't prevent me and others wondering of that mailing list, "why?".
As far as what those fields mean:
<snip>
Submission-ID:
The number is an internal number that each sample is assigned. Meaningless to the outside world for the most part, unless you have a question about a particular malware file in that email, then you can ask, specifically using that number.
How? When will anyone have a question "about a malware in *that email*" that we can ask about using *that number*? What number? We never get given a number. And the email they receive says nothing at all other than
*SNIP*
Dear ClamAV user,
The following submissions have been processed and published:
-
See http://lists.clamav.net/pipermail/clamav-virusdb/2016-March/
*END OF SNIP*
..."the following submissions have been processed" WHAT submissions??? [Example: I did many over the last week; which one(s) have you done?]
So we get drawn to reading the mailing list to see a page of Submission IDs. But that submission ID is for your internal purposes only and means nothing to anyone, so what is the point of publishing it?
Sender: Who we have received the sample from. We have TONS of people and places where ClamAV receives malware samples from. Including your name, if you type it into ClamAV.net (which is checked to be “anonymous” by default).
Already acknowledged.
Added:
Did we add a new signature to cover this?
Added: No, means, the file that someone submitted is detected by another signature already, and this is a duplicate.
Added: Yes, means, net new detection.
Again, 99.5% of all entries have "No" against them. Given the quantity of submissions you have, ok, this is likely and that I acknowledge. But what about those that report a *False Positive*? Even those reports end up with a "No" instead of a "Removed" or "Acknowledged" or "Rectified" (anything more meaningful).
It seems the report is for internal staff (but I still don't understand how, given its limited information). The best it gives external users is an option to (slowly!) do a vanity search for their name. (I say this because even if they find their name, they can't see any other useful information about why it is mentioned or what it relates to.)
Instead of taking this as an attack, is it not just possible to take it as feedback, maybe recognise the points made, look at the list with a 'different set of eyes' and maybe then improve whatever the entries report?
Example (suggestion):
1, First, when someone reports a file (either suspicious or False Positive) by the website, allocate their Submission Id at that point (submission time) and report it to the user straight away so they can look for it in the mail list later and relate it to the submission/file they made.
2, Second, the "Added" entry: "Yes" (signature generated), "No" (duplicate - signature already exists) or "Removed" (False positive rectified)
Just those 2 modifications will change the dynamic and worthiness of the list contents to the end user.
3, If you could also include the file that has been reported then people would be able to search, see and not waste your or their time submitting it again AND consequently would mean less work for you guys and smaller lists for users to read through.
Then
4, Fourth, if possible bring back some sort of search facility. Because even if there was some worthy information to be found, it still means people have to go in to each individual posting, do a browser search for their name, back out, and go into the next posting and so on and so on until they find what they are looking for. And as you know there can be many postings in a day and there could be days' worth to look through given the amount of time it takes to action against an initial report. Such searching difficulties make the list not just impractical but virtually irrelevant in its existence.
Groach