Submission Of Virus Samples
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
Instead of submitting a sample of an undetected virus to Clam AV for signature preparation, I suggest that you submit it to the Virus Total online scanner instead. Clam receives samples from Virus Total, and the automated sigmaker gives a preference to Virus Total samples. The human sigmakers concentrate upon the samples from users, but there are just not enough humans!

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
If you don't mind me asking, how long have you guys been receiving samples from Virus Total? Also, all we do is upload a file and push scan, and it automatically sends it to you guys? I am a little confused about how it works.
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
I prepared virus signatures for Clam AV from the summer of 2008 until just a few days ago (for future reference it's now December 3, 2013). They received samples from Virus Total during all of that time. They also receive samples from many organizations that fight malware. They started preparing automated signatures some time earlier in 2013. Being from the open source community and not an employee of Clam AV/Sourcefire, I was not privy to the details of the automation, but as far as I can tell, the bulk of automated signatures is on samples containing PE malware submitted by Virus Total. The Virus Total submissions are quite detailed and therefore have information the automated sigmaker program can use--virus names, detections by other AVs and even file information if the automated sigmaker program contains code that can use it. Individual submissions to Clam AV are not this detailed, and they may not even contain actual malware--some users just use Clam as a scanning service.

Sourcefire is looking at ways to expand the sigmaking process, and I hope they can do so. They need to automate sigmaking for submissions by users to catch malware that has not been submitted to Virus Total. They also need to automate signatures for malware that is not based on Windows PE files--like PDF, HTML, JS, Java, Office malware, etc. Again, as far as I can tell, human sigmakers are the only ones working on non-PE malware files and user submissions, and that is only for a couple of hours by someone every once-in-a-while. Sourcefire personnel have to devote most of their time to the commercial projects since that is what pays the bills, and Clam AV (from which ClamWin gets its scan engine/signatures) is not a commercial project.

That is why I recommend that undetected virus submissions go to Virus Total--to increase the speed/possibility of signature preparation so ClamWin users will get better protection.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
So this is something recent, I see. So anyone who uploads on Virus Total gets sent to you? How do other companies feel about this? Also, I guess this makes things a lot easier for people who are helping with virus submissions.
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
Not recent. Virus Total has always submitted samples to the AV companies that it scans with that each AV does not detect. What is recent is the automated sigmaker process Clam AV now uses--but only for the submissions received from Virus Total. They can do thousands of these automated sigs per day. See why I suggested users submit their undetected viruses to Virus Total now?

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Does ClamWin also collect virus samples from Jotti: http://virusscan.jotti.org/en Virscan: http://www.virscan.org/ or Metascan: https://www.metascan-online.com/ at all? I just figured that since ClamWin and ClamAV have scanners there, you might as well collect from them, too? I do know these are less popular scanners and will probably receive mostly duplicate signatures, but you never know.
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
Sure, Clam AV gets copies of virus files submitted to online scanners like Jotti, Virus Total, and Virus Scan that it does not detect, and it also gets some submissions from other AV companies. ClamWin is not set up to get any submissions, but it uses the Clam AV scanning engine and the Clam AV virus database, so it benefits from the Clam AV submissions that way. It appears that Clam AV prepares automated signatures from high profile Virus Total samples. It uses manual signatures for samples from other sources, but it is only able to prepare a limited number of manual signatures, since the sigmakers only work on Clam samples on a sporadic basis. That is why I recommend that users scan their suspicious file on Virus Total--they have a good chance that the file will be worked if there are lots of submissions of their file(s) to Virus Total. Unfortunately there are just too many virus samples to work them all under their present system. Clam is working on a way to extend the automated signatures, but that might take some time.

Regards,
Please update the signature of the viruses
eugensyl


Joined: 30 Jan 2014
Posts: 1
Location: Romania
Hi,

I submitted the file to virustotal.com last week. This is the page:

https://www.virustotal.com/ro/file/53a2ad2b8271d1220e3de49c5962ae7f93a339a8e40484c20e1c2e7c06261e2e/analysis/1391070523/

Avira detects this virus. I like ClamWin and this is why I want to contribute here.
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
Thank you for submitting the sample. All ClamWin users will benefit.

Regards,
scanfan


Joined: 14 Aug 2014
Posts: 4
Almost every virus has already been submitted to VirusTotal and is detected by other AVs by the time I scan it but ClamWin often doesn't detect it. Why is this?

Could you hash every sample that's detected by many other AVs and then flag matching files with a sig like "suspect.virustotal.detected"?


Last edited by scanfan on Thu Aug 14, 2014 12:10 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
Clam AV has been preparing automated signatures from samples received from the AV industry for Windows executable files, but the signatures are just not enough in quantity. A few user submissions are worked, but they must be worked manually, no one works on them on a regular basis, and these sigs are also just not enough. When I stopped preparing signatures for Clam about a year or so ago, the Clam AV submission interface to Sourcefire/Cisco was getting old and subject to breakdown regularly. It looks to me like they have currently not had any new signatures for a day or longer.

Since ClamWin uses the scan engine and virus signatures from Clam AV, our ClamWin protection is deficient, but the ClamWin developers have always recommended ClamWin for use only as a backup scanner. The scan engine relies upon virus signatures and has practically no heuristics. Clam AV is free/open source, and the commercial ventures of Cisco/Sourcefire are more important to them. The Clam Sentinel add-on to ClamWin was developed to provide some additional protection to ClamWin users because of this. Clam Sentinel can detect lots of malware (via heuristics) for which there is no ClamWin signature, and it does so in real-time as files are added, copied, or modified on your computer. It is a separate project from ClamWin, but ClamWin must be installed before Clam Sentinel can be used. The Clam Sentinel site is at http://sourceforge.net/projects/clamsentinel/ on the web.

You can prepare your own ClamWin MD5 hash signatures to detect malware files for yourself. I was doing that before I started as a sigmaker with Clam. The scanning services will actually give you enough information to prepare an MD5 hash signature: file platform, file size, virus name, and MD5 hash. Make sure the MD5 hash itself is in small letters--not capital letters, because Clam AV can not use large letters for its hashes. There will usually not be any false positives on an MD5 signature if you make sure the file is really infected by a virus/malware. You could also get a file hasher to make MD5 signatures, but you will not need it for MD5 file hashes.

A Clam AV HDB signature takes this form: filehash:bytesize:platform.Virustype.virusname. That is the MD5 hash, then a colon, then the bytesize of the file (no commas), then a colon, then the computer platform used by the virus, then a period, then the virus type (trojan, exploit, etc.), then a period, then the last part of the virus name. Here is a real virus signature: ac8798fe7b5c237c5ec521bbe129b3eb:1283072:Win.Trojan.Agent. Paste your signature in a Windows notepad/text file and call it Sigfile.hdb (hdb indicates an MD5 file hash). Save the file in your ClamWin database directory. I suggest you pick another AV on Virus Total, Jotti, or VirScan and name your virus similarly.

Thanks for using ClamWin!

Regards,
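The .hdb format GuitarBob describes above, worked through in code. This is an added example, not code from the ClamWin or ClamAV projects: it builds a line from a file's bytes, checks a hand-typed line for the mistakes the post warns about (capital letters in the hash, commas in the size), and looks a file up against loaded lines. The sample bytes and the name Win.Trojan.Example are constructed; the size-first lookup is illustrative of how a hash database is consulted, not ClamAV's own matching code.

```python
import hashlib
import re
from typing import Optional

# One .hdb line, as the post describes it:  md5hash:bytesize:Platform.Type.Name
HDB_LINE = re.compile(r"^([0-9a-f]{32}):(\d+):([A-Za-z0-9_.-]+)$")

def make_hdb_signature(data: bytes, name: str) -> str:
    """Build an .hdb line for a file's contents. hexdigest() is already
    lowercase, which is the form ClamAV expects for the hash field."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def validate_hdb_line(line: str) -> list:
    """Check a hand-typed line for the mistakes the post warns about.
    Returns a list of problems; an empty list means the line is well-formed."""
    problems = []
    parts = line.strip().split(":")
    if len(parts) != 3:
        return [f"expected 3 colon-separated fields, got {len(parts)}"]
    md5, size, name = parts
    if md5 != md5.lower():
        problems.append("hash has capital letters; ClamAV needs lowercase hex")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", md5):
        problems.append("hash is not 32 hex characters")
    if "," in size:
        problems.append("byte size must not contain commas")
    elif not size.isdigit():
        problems.append("byte size must be a plain integer")
    if name.count(".") < 2:
        problems.append("name should follow Platform.Type.Name")
    return problems

def match_sample(data: bytes, hdb_lines: list) -> Optional[str]:
    """Look a file up against loaded .hdb lines. The size field is compared
    first (cheap) and the MD5 is only computed once a size matches; this is
    an illustration of how a hash database is consulted, not ClamAV's code."""
    size = str(len(data))
    digest = None
    for line in hdb_lines:
        m = HDB_LINE.match(line.strip())
        if not m or m.group(2) != size:
            continue
        if digest is None:
            digest = hashlib.md5(data).hexdigest()
        if m.group(1) == digest:
            return m.group(3)
    return None
```

Lines that pass validate_hdb_line can be pasted into the Sigfile.hdb the post describes; a non-empty result tells you what to correct before ClamWin loads the file.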
scanfan


Joined: 14 Aug 2014
Posts: 4
Thank you for the detailed reply. I shall investigate Clam Sentinel; its support for heuristics sounds useful.

The thread mentioned that Clam has access to VirusTotal files; I was wondering why they don't automatically add the hashes of clearly detected files from that to the AV, or do they?
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
I prepared Open Source signatures for Clam AV for 5 years, but I was not privy as to how the automated Clam AV sigmaker worked. I am not 100% certain they use the submissions passed on to them by Virus Total, but I assume that is where they start--since Virus Total has so much information about a file. They do not seem to work any submissions sent from the Jotti and VirScan online scan services. They still need to go through a verification/discovery process for any file for which they prepare a signature--even if it is from Virus Total. Most likely they are using 1 or 2 scanners on Virus Total as "triggers"--the names they give their signatures are similar to a couple of AVs on Virus Total, changed to meet ClamAV naming convention. They get lots and lots of submissions from the scanning services and industry partners, but they just don't have the infrastructure/personnel/time to devote to the Clam AV project.

It is my opinion (and mine only) that there are 1 or 2 Cisco/Sourcefire people that are dedicated to Clam on a part-time basis and that Clam is used as a training ground for new sigmakers. That is just about the only way they could do a non-commercial/non-paying project like Clam AV. We shall see what happens with Clam AV (and, consequently ClamWin) in the future. I think we will get a few "crumbs" from Cisco/Sourcefire.

Regards,