Clam antivirus

[null]

Here's an overview:

http://www.clamav.net/

The Windows version can be downloaded here (on-demand scanning only):

http://clamwin.sourceforge.net/

Submit viruses here:

http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi

Online file scanner here:

http://www.gietl.com/test-clamav/

As of this posting, clamav detects about 21,000 malwares. By way of
comparison, F-Prot now claims to detect something over 100,000
malwares. So clamav has a way to go before it can compare favorably in
detection with the leading antivirus products in broad ranging tests
including zoo viruses, Trojans and other malware. I don't know how it
presently compares in strictly ITW testing. I do know that its
detection does include many kinds of malware since I've tested that
aspect.

I've decided to do what I can to support and assist this free
antivirus (antimalware) product development. I'll be submitting both
suspect and known malware. I hope to see it become as effective and
useful as the best antivirus products.


Art
http://www.epix.net/~artnpeg

 

[tk]

On Thu, 08 Apr 2004 14:25:05 +0000, null wrote:


[ snip ]

As of this posting, clamav detects about 21,000 malwares. By way of
comparison, F-Prot now claims to detect something over 100,000
malwares. So clamav has a way to go before it can compare favorably in
detection with the leading antivirus products in broad ranging tests
including zoo viruses, Trojans and other malware. I don't know how it
presently compares in strictly ITW testing. I do know that its
detection does include many kinds of malware since I've tested that
aspect.

I've decided to do what I can to support and assist this free
antivirus (antimalware) product development. I'll be submitting both
suspect and known malware. I hope to see it become as effective and
useful as the best antivirus products.

I can vouch that ClamAV does a pretty good job.. catches the latest worms
etc anyway at least (or the majority until they have a sample).

I'm a "hardcore F-Prot fan" myself.. but I have found that Clam works very
well hooked up to my Postfix mail server with amavisd.

I was very wary of Clam to begin with for the exact reason you mention
above.. the lack of numbers detected.. but it does have some advantages
also.. one being that you can add your own definitions. OK, I don't say
this is a task for the "IT illiterate" or the likes and so far, I haven't
attempted this myself but the docs seem to explain how quite well. This
would make detection of some worms by base64 strings easier (such as
procmail was used in the beginning by some to detect the first n chars of
the base64 ZIP to detect bagle etc).

Sometimes I also receive 5 or 6 updates a day.. so you defintely can't
grumble at their attention to making sure detection is covered.

I can only assume that the low numbers it claims is that it primarily
detects "new" viruses / worms. Tbh, I haven't scanned my collection to see
if it picks the older stuff up (michaelangelo, stoned, concept etc) but
they may have initially targeted "todays threats" as such.

I have no affiliation with them whatsoever so anything mentioned here in
what they might be doing is pure speculation and personal thoughts /
feelings. What it's like as a standalone, on-demand scaner I couldn't
comment on (I have F-Prot for that very task).. but as an integrated
mailserver scanner.. it's great!



Regards,

tk

 

[null]

I can only assume that the low numbers it claims is that it primarily
detects "new" viruses / worms. Tbh, I haven't scanned my collection to see
if it picks the older stuff up (michaelangelo, stoned, concept etc) but
they may have initially targeted "todays threats" as such.

It alerts on "some of" in several categories including old DOS
viruses, macro viruses, Trojans and misc. malware such as dialers. I
presume, based on that, that the developers are aiming at building up
detection in all such categories of malware ... but I haven't yet
determined that with them. I don't have a decent collection of ITW
viruses but it makes sense that the developers would be _primarily_
interested in keeping up with the latest stuff in circulation. I look
forward to seeing ITW test results.


Art
http://www.epix.net/~artnpeg

 

[tk]

It alerts on "some of" in several categories including old DOS
viruses, macro viruses, Trojans and misc. malware such as dialers. I
presume, based on that, that the developers are aiming at building up
detection in all such categories of malware ... but I haven't yet
determined that with them. I don't have a decent collection of ITW
viruses but it makes sense that the developers would be _primarily_
interested in keeping up with the latest stuff in circulation. I look
forward to seeing ITW test results.

Good to see that at least some of the older stuff is catered for.

I don't know how well my collection scores in regards to ITW.. I haven't
really looked at it much for a while.. so like yourself, can't really do
any specific tests but what I will do.. is scan what I do have with F-Prot
adn then scan the same with Clam. I'm expecting a rather large difference
as I know a lot of the ones I do have are from zines and other sources
like this that probably never got near the wild.. but it may be intersting
to see what Clam _does_ pick up out of the list compared to F-Prot.

I'll post the findings on me server over the weekend probably and a link
here as the comparison list will make an uncomfortably long post here..
but like you, would also be interested to see a proper ITW comparison test =)



Regards,

tk

 

[David W. Hodgins]

Online file scanner here:
http://www.gietl.com/test-clamav/

A note of caution. Be carefull using this scanner, to identify a virus. I just
tried it with a copy of what Kaspersky, and Rav call Netsky.D.

Clamav reports
File is valid, and was successfully uploaded.
clamav scans the file ...
Clamav-Output:
/tmp/phpmdLDyX: Worm.SomeFool.Gen-1 FOUND
And found something:
Worm.SomeFool.Gen-1

While it's a good description of anyone who gets their computer infected,
it doesn't help much, figuring out how to remove it.

Regards, Dave Hodgins

 

[kurt wismer]

A note of caution. Be carefull using this scanner, to identify a
virus. I just
tried it with a copy of what Kaspersky, and Rav call Netsky.D.

Clamav reports
File is valid, and was successfully uploaded.
clamav scans the file ...
Clamav-Output:
/tmp/phpmdLDyX: Worm.SomeFool.Gen-1 FOUND
And found something:
Worm.SomeFool.Gen-1

While it's a good description of anyone who gets their computer infected,
it doesn't help much, figuring out how to remove it.

indeed... if they're going to use such wildly non-standard names one
might want to wait until they're included in project vgrep...

 

[null]

A note of caution. Be carefull using this scanner, to identify a virus. I just
tried it with a copy of what Kaspersky, and Rav call Netsky.D.

Clamav reports
File is valid, and was successfully uploaded.
clamav scans the file ...
Clamav-Output:
/tmp/phpmdLDyX: Worm.SomeFool.Gen-1 FOUND
And found something:
Worm.SomeFool.Gen-1

While it's a good description of anyone who gets their computer infected,
it doesn't help much, figuring out how to remove it.

I didn't notice when I did my tests that clamav has any unusual
tendency for realy oddball naming the way ... say ... AntiVir does.
Your example smells a bit of generic misidentification. I've noticed
many scanners doing that sometimes. Even McAfee In fact, McAfee can
really be annoying with this sort of thing.


Art
http://www.epix.net/~artnpeg

 

[Christoph Cordes]

A note of caution. Be carefull using this scanner, to identify a
virus. I just
tried it with a copy of what Kaspersky, and Rav call Netsky.D.

Clamav reports
File is valid, and was successfully uploaded.
clamav scans the file ...
Clamav-Output:
/tmp/phpmdLDyX: Worm.SomeFool.Gen-1 FOUND
And found something:
Worm.SomeFool.Gen-1

While it's a good description of anyone who gets their computer infected,
it doesn't help much, figuring out how to remove it.

Regards, Dave Hodgins

When ClamAV received the first sample of Worm.SomeFool there was no
other scanner (i checked 8) that was able to detect it. So it was named
Worm.SomeFool and an update was published. If you google for
Worm.SomeFool it wont take long to find out that other vendors call it
NetSky.

Best regards
Christoph

 

[Christoph Cordes]

indeed... if they're going to use such wildly non-standard names one
might want to wait until they're included in project vgrep...

Or just join the clam mailing list and get a quick answer there.

Best regards
Christoph

 

[kurt wismer]

kurt wismer wrote: [snip]

indeed... if they're going to use such wildly non-standard names one
might want to wait until they're included in project vgrep...

Or just join the clam mailing list and get a quick answer there.

unless you're already joined up to more mailing lists than you have
time to deal with...

mailing lists are sub-optimal ways to deal with this kind of problem...
either they straighten up their naming convention (to avoid the
confusion in the first place) or we wait for them to be included in
vgrep (the equivalent of an 'also-known-as' knowledge base) - a mailing
list is a terrible avenue for sorting out such confusion...

 

[kurt wismer]

Christoph Cordes wrote:
[snip]

When ClamAV received the first sample of Worm.SomeFool there was no
other scanner (i checked 8) that was able to detect it. So it was named
Worm.SomeFool and an update was published. If you google for
Worm.SomeFool it wont take long to find out that other vendors call it
NetSky.

yes, and? go rename it already... f-secure has already renamed it from
moodown to netsky...

the situation you describe will always be a problem for any av scanner
vendor, and the only good solution is for vendors to adjust their names
to match the one that's been agreed on...

 

[null]

On Fri, 09 Apr 2004 14:39:39 +0200, Christoph Cordes

When ClamAV received the first sample of Worm.SomeFool there was no
other scanner (i checked 8) that was able to detect it. So it was named
Worm.SomeFool and an update was published. If you google for
Worm.SomeFool it wont take long to find out that other vendors call it
NetSky.

Are you a part of the clamav development team? I've submitted many
malware samples, each time requesting feedback, and so far the only
malwares they seem to be interested in are newer or ITW it seems.

I'd like to know what their policy is. If they aren't interested in
building up their zoo capability then frankly I'm not interested in
helping them out or having anything further to do with the project or
the product.


Art
http://www.epix.net/~artnpeg

 

[Conor]

On Fri, 09 Apr 2004 14:39:39 +0200, Christoph Cordes



Are you a part of the clamav development team? I've submitted many
malware samples, each time requesting feedback, and so far the only
malwares they seem to be interested in are newer or ITW it seems.

I'd like to know what their policy is. If they aren't interested in
building up their zoo capability then frankly I'm not interested in
helping them out or having anything further to do with the project or
the product.

What is the point of telling them about something they already know
about?

 

[null]

..>> I'd like to know what their policy is. If they aren't interested

What is the point of telling them about something they already know
about?

Huh? What exactly is your question? I've only sent them samples of
malware their av _doesn't_ know about.

Actually, they have now started responding on some of these
submissions. Some detections they are putting off until they have a
better underlying capability. Some they have incorporated detection
for. So I guess they are gradually building a zoo capability.


Art
http://www.epix.net/~artnpeg

 

[Conor]

Huh? What exactly is your question? I've only sent them samples of
malware their av _doesn't_ know about.

Ah sorry, my mistake.

Actually, they have now started responding on some of these
submissions. Some detections they are putting off until they have a
better underlying capability. Some they have incorporated detection
for. So I guess they are gradually building a zoo capability.

The joys of an opensource project.