[clamav-users] Signature update timeliness
Al Varnell
alvarnell at mac.com
Fri May 5 22:36:03 UTC 2017
On Fri, May 05, 2017 at 10:14 AM, Mark Foley wrote:
> I have a question about the timeliness of signature updates. I am running a
> clamav-milter to check email when received by the MDA -- this rarely finds
> anything. I also have clamscan running multiple times a day checking all the
> Maildir folders.
>
> Yesterday, the Maildir folder scan found Js.Downloader.Nemucod. But, this
> message was received on April 26th -- 8 days before the malware was detected by
> clamscan. Doing a quick google search, I find that the JS.Nemucod trojan has
> been around since at least December 2015.

In various forms, but obviously with a variety of signatures.

> So, was the clamav signature for this malware just added to the list on May 4th?

Without the complete signature name, I can't give you a definitive answer, but signatures that start with Js.Downloader.Nemucod. were added on the following dates:

Mar 29 Fourteen Js.Downloader.Nemucod-61720xx-x added
Apr 3 Js.Downloader.Nemucod-6198135-0
Apr 5 Js.Downloader.Nemucod-6210215-0
Apr 7 Js.Downloader.Nemucod-6210215-1 dropped: Js.Downloader.Nemucod-6210215-0
Apr 26 Js.Downloader.Nemucod-6297599-0
May 3 Js.Downloader.Nemucod-6305809-0

> If so, why does it take so long to include a malware that's been around for
> years? If it was added earlier, why did clamscan not find it for 8 days?
> Mutation?

Probably because nobody had submitted a sample of it to ClamAV for several days.

-Al-