[clamav-users] Becoming disillusioned

Ralf Hildebrandt Ralf.Hildebrandt at charite.de
Fri Aug 14 14:14:50 UTC 2020


* Kurt Fitzner <kurt+clamav at va1der.ca>:

> ClamAV has, I'm afraid, become worse than nothing.  Nothing doesn't take
> up memory, storage space, and execution resources but nets the same
> result.  Nothing, by definition, doesn't come with that implied "it's
> better than nothing" which ClamAV does and clearly isn't. 
> 
> What can be done as a community to fix this?  Is there anything that can
> be done?  Is it time to fork and abandon? 

I looked at my mailserver and created some statistics (Sophos &
clamav) over the last week, TOP 25 detections:

   1134 "CXmail/OleDl-AD
    370 "CXmail/MalPE-AC
    162 "CXmail/MalPE-AW
    109 "Sanesecurity.Spam.12724.UNOFFICIAL
    109 "Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL
     77 "CXmail/RtfObf-D
     53 "SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL
     52 "CXmail/IsoDl-A
     47 "Sanesecurity.Malware.27301.RtfHeur.BadVer.UNOFFICIAL
     41 "CXmail/OleDl-BI
     35 "CXmail/MalPE-U
     33 "SecuriteInfo.com.FakeRTF-2.UNOFFICIAL
     31 "Win.Downloader.WannaMine-6442440-2
     29 "CXmail/MalPE-B
     28 "SecuriteInfo.com.Malware.XML.Autoload-1.UNOFFICIAL
     28 "Mal/BredoZp-B
     27 "CXmail/MalPE-AU
     22 "CXmail/MalPE-G
     19 "Mal/DrodZp-A
     18 "CXmail/OleDl-AL
     17 "CXmail/MalPE-AZ
     16 "Sanesecurity.Malware.27382.Rar5Heur.UNOFFICIAL
     14 "Sanesecurity.Foxhole.Iso_fs915.UNOFFICIAL
     13 "Sanesecurity.Malware.27342.RarHeur.v5.HideExt.UNOFFICIAL
     13 "CXmail/MalPE-H
     
Most detections come from sophos (the ones with a "/" in the name), the
ones with UNOFFICIAL are from clamav, but use unofficial pattern
sources (like Sanesecurity and to lesser extent SecuriteInfo).

The only official "hit" in the top 25 is "Win.Downloader.WannaMine-6442440-2"

I see the extensibility as a major advantage. Just the other day I
created a set of patterns to detect EPOCH3 EMOTET files.

But to some extent I agree with the point you're making.

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt at charite.de
https://www.charite.de

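The per-source breakdown Ralf describes (a "/" in the name marks a Sophos signature, a ".UNOFFICIAL" suffix marks a third-party ClamAV database such as Sanesecurity or SecuriteInfo, everything else is an official ClamAV signature) as an added Python example that is not part of the post; the log format, field names and sample lines are constructed assumptions, so adapt the regex to your own mail-filter log.

```python
# Added example: tally blocked messages per signature and attribute each
# signature to its source, using the naming heuristics from the post.
import re
from collections import Counter

# Constructed sample log in a hypothetical 'signature="<name>"' format.
SAMPLE_LOG = """\
2020-08-14T10:01:02 mx filter: blocked id=1 signature="CXmail/OleDl-AD"
2020-08-14T10:02:10 mx filter: blocked id=2 signature="Sanesecurity.Spam.12724.UNOFFICIAL"
2020-08-14T10:03:44 mx filter: blocked id=3 signature="CXmail/OleDl-AD"
2020-08-14T10:05:01 mx filter: blocked id=4 signature="Win.Downloader.WannaMine-6442440-2"
2020-08-14T10:07:19 mx filter: blocked id=5 signature="SecuriteInfo.com.FakeRTF-2.UNOFFICIAL"
2020-08-14T10:09:33 mx filter: blocked id=6 signature="CXmail/MalPE-AC"
2020-08-14T10:11:08 mx filter: clean id=7
"""

SIG_RE = re.compile(r'signature="([^"]+)"')


def signature_source(name):
    """Classify a detection name by the naming conventions in the post."""
    if "/" in name:
        return "sophos"
    if name.endswith(".UNOFFICIAL"):
        # Third-party ClamAV databases prefix their signatures with the
        # provider name (Sanesecurity, SecuriteInfo, ...).
        return "clamav-unofficial:" + name.split(".", 1)[0]
    return "clamav-official"


def detections(log):
    """Yield every signature name found in the log, one per blocked message."""
    for line in log.splitlines():
        match = SIG_RE.search(line)
        if match:
            yield match.group(1)


def top_detections(log, n=25):
    """Top-N signatures by hit count, like `sort | uniq -c | sort -rn | head`."""
    return Counter(detections(log)).most_common(n)


def detections_by_source(log):
    """Hit counts per signature source (Sophos, unofficial ClamAV, official)."""
    return Counter(signature_source(sig) for sig in detections(log))


if __name__ == "__main__":
    for sig, count in top_detections(SAMPLE_LOG):
        print(f"{count:6d} {sig}  [{signature_source(sig)}]")
    print(dict(detections_by_source(SAMPLE_LOG)))
```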