ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
An article about MD5 check sums was posted at their blog. You can read about it here: http://blog.clamav.net/2015/02/what-to-do-with-md5-checksums-of-files.html
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes - I've made a lot of MD5 signatures for Clam/ClamWin in my time. The security bloggers used to post MD5 information on malware often, but I don't see it mentioned as much now. MD5 is a file hash. It is pretty old now and in general has been replaced by the SHA1 and SHA256 file hashes, which are more modern, but you still see it. Clam AV puts the file size with the MD5 hash to make a signature, which is better than using an MD5 hash alone. MD5 signatures are exact signatures, however, so they will only detect one version of a malware file--if a malware file is changed (and they often are), it will not be detected by an old MD5 signature. Virus Total still shows MD5 hashes, and it even shows the MD5 hash for the different sections of a Windows PE file. Clam AV sometimes uses MD5 hashes for the code section or the RSRC section of a file, which can detect more malware than just one--if the section has not been changed by the malware authors.

Here is an MD5 file hash signature: ab887f60040df29c23de4e0ff2dc2213:30378:Win.Worm.Gamarue. The MD5 hash goes first, then a colon, then the file size (in exact bytes), then a colon, then the platform (Win, Linux, OSX, etc.), then a dot, then the type of malware (worm, Trojan, rootkit, backdoor, etc.), then a dot, then the name of the malware (use the name given by one of the large AV companies). Put this information in a Notepad file and save it in the ClamWin signature folder and name it something.hdb. I always used Sigfile.hdb. The HDB extension indicates it is an MD5 file hash. I would say that an MD5 signature is only good for a few days to a couple of months (at most). After that, the old version of the malware is certainly not used any more. Some malware is even changed hourly. You don't see very many big malware outbreaks any more. The trend is to produce less malware that is more targeted and produce it more often.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
ClamAV .98.7 has been released. Expect a ClamWin beta version release, soon.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
For people who are infected or want to prepare themselves against Teslacrypt, please read here: http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Don't know about soon for V .98.7--that's up to the ClamWin developers.

Regards,
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Re: decryption tools for ransomware infections, Clam AV is a little late to the party, and they only have one tool. Several other AVs have been developing free decryption tools for a while now. Dr. Web has always done a good job at decryption, and a few of the major AVs also have these tools, plus some security experts/bloggers have also developed them. As per usual, the Clam tool appears to be a bit hard to use. Look at the command line stuff--They still refuse to admit that their engine is used on Windows machines where a menu is pretty much the standard.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Just realized, I forgot to post the change log for .98.7. Here it is for anyone who is interested: http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
It looks to me like the Clam AV "team" is relying pretty heavily upon the user community to identify problems/improvements. Makes you wonder...

Regards,
xqrzd


Joined: 18 Feb 2013
Posts: 0
I would consider ClamAV almost abandoned. Nowadays it's pretty much just a hash generator. Work on meaningful features (eg. bytecode signatures) came to a halt a long time ago.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Try to remember that ClamAV is a volunteer app, made by people who volunteer their spare time to develop it. Even the original developers only worked on it in their spare time. No one gets paid over there, unless they are now Cisco staff. The only way ClamAV would be considered abandoned is if all the volunteers stopped working on it. You should also note that this was just a minor version update (.97.4, .98.7, .99.3, 1.2, 2.9, etc). You only see major updates in whole number versions (.97, .98, .99, 1.0, 2.0, etc). That's usually how companies do it. Joel mentioned in the next major version, they have some ideas on improving detection ratios and being able to detect malware in more languages. I would say ClamAV is far from abandoned.

As for bytecode signatures, I've seen it update recently. The original ClamAV developers put a lot of work into improving bytecode signatures over the years, but it might be better if they used generic signatures over bytecode signatures. I wonder if there is any way they can improve them so that they do not take a long time to make.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I never liked bytecode sigs, but they are still being prepared once in a while. Looks like one may have been prepared yesterday. When I was preparing signatures at Clam AV, they all had great hopes for bytecode sigs, but they are still signatures--not heuristics. A sigmaker such as myself could prepare 50 to 100 signatures in the time it took a reverse engineer to prepare one bytecode signature. Clam AV was reserving bytecode sigs for advanced malware like rootkits.

When I was at Clam, the automated signatures were prepared from a Virus Total feed, and the signatures were MDB signatures - which are an MD5 hash prepared for the RSRC section of a Windows PE file. This produced some false positives because the RSRC section is normally a data section, and it may be common to both "good" and evil files. They should have prepared the sig from the code section of the PE file--unless the entropy of the RSRC section is very high--in which case it probably contains code or something else that the malware author doesn't want you to see.

Clam also prepared NDB signatures, which are hexadecimal signatures for some part of the malware file per a debugger or other tool. When I was at Clam, the NDB was the standard signature. There were also other signatures--icon sigs, etc.

I don't think things have changed too much since I left, but there seem to be a few other signatures now. Anything but the automated signature requires manual work from a sigmaker, and no one works on Clam AV on a consistent basis--it's a free AV, and that doesn't pay anything. It looks to me like they are building in some good capability to detect malicious non-PE files in the future. I hope it can be automated.

That's why ClamWin needs to be a real-time scanner with at least a basic set of heuristics.

Regards,
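The post above makes two points about section-level (MDB) signatures: a hash of the RSRC section tends to false-positive because resources are shared between clean and malicious files, and the entropy of a section is a useful hint about whether it really holds plain data or something packed. The script below is an added example for this thread, not ClamAV code and not the poster's own tooling. It walks the section table of a Windows PE image with the standard library only, reports size, MD5 and Shannon entropy per section, and emits an .mdb line (section size, colon, MD5 of the raw section, colon, name, which is the .mdb layout as I understand the ClamAV signature documentation; treat that ordering as an assumption and check it against sigtool output before relying on it). The section choice follows the post's rule of thumb: hash .text unless .rsrc has very high entropy. The minimal PE image and the 7.0 entropy threshold are constructed for the demo; the builder emits only what the parser needs (no optional header), so it is not a loadable executable.

```python
import hashlib
import math
import struct

# Constructed threshold for "very high" entropy; 8.0 is the maximum for bytes.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for a constant run, 8.0 for a perfectly uniform byte mix."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16, 20 bytes total.
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        # Section header is 40 bytes; only the first five fields are needed here.
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, image[raw_ptr:raw_ptr + raw_size]


def section_report(image: bytes) -> list[tuple[str, int, str, float]]:
    """(name, size, md5, entropy) per section, the view a sigmaker wants before choosing one."""
    return [(name, len(raw), hashlib.md5(raw).hexdigest(), round(shannon_entropy(raw), 3))
            for name, raw in pe_sections(image)]


def choose_mdb_section(image: bytes, threshold: float = HIGH_ENTROPY) -> str:
    """Apply the post's heuristic: .rsrc only when its entropy is very high, else .text."""
    sections = dict(pe_sections(image))
    if ".rsrc" in sections and shannon_entropy(sections[".rsrc"]) >= threshold:
        return ".rsrc"
    if ".text" in sections:
        return ".text"
    return next(iter(sections))


def mdb_line(section_data: bytes, name: str) -> str:
    """Assumed .mdb layout: raw section size : MD5 of raw section : signature name."""
    return f"{len(section_data)}:{hashlib.md5(section_data).hexdigest()}:{name}"


def build_sample_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE-shaped image (DOS stub, PE sig, COFF header, section table, bodies)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), len(data), ptr, 0, 0, 0, 0, 0x40000040)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    sample = build_sample_pe([(b".text", bytes(range(256))), (b".rsrc", b"A" * 512)])
    for row in section_report(sample):
        print(row)
    pick = choose_mdb_section(sample)
    print("hash this section:", pick)
    print(mdb_line(dict(pe_sections(sample))[pick], "Win.Test.ConstructedSection"))
```

On a real file, a .rsrc section scoring near 8.0 is the case the post warns about: the resources are probably holding packed code or an embedded payload rather than icons and strings, and that is when a section hash on it is worth more than one on .text.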
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
ClamAV now allows you to create much faster signatures using CASC. If anyone is a signature maker for ClamAV/ClamWin, I recommend you read the blog post here: http://blog.clamav.net/2015/05/create-your-own-clamav-signatures-with.html
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
This new attempt to make sigmaking easier for Clam AV users requires the use of the IDA Pro disassembler, which is rather expensive and requires a bit of knowledge to use it. I doubt if anyone other than a professional sigmaker or reverse engineer would pay the price for it. It would have been better to tie it to something in the free/open source area such as Ollydbg or the Windows debugger.

There used to be a free, downgraded version of Ida Pro available. I haven't kept up with it, however.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
They said it will work with the free version, too. I don't think many "average users" write signatures in general. Most just demand rather than supply, if you know what I mean.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
ClamAV is ending life for Lurker, which was used for archiving emails, and they are switching to a different method. This will affect everyone receiving emails from ClamAV. You can read more about it here: http://blog.clamav.net/2015/05/lurker-is-going-end-of-life.html
Updates on ClamAV are posted here