ClamWin Free Antivirus
Support and Discussion Forums
Where can we find information About a detected virus?
HarryStottle


Joined: 14 Feb 2008
Posts: 9
Location: UK
One of the only things I used to like about Norton AV (20 years ago!) was that when it detected a virus, it gave you the option of going to its library of virus descriptions so you could see what it was reputed to be doing and what level of threat it represented.

I'd like to be able to do that with the viruses detected by Clamwin.

For example, I'm just scanning a mate's laptop and it's detected 2 infections
Win malware Locky - 6598055 -0
Win Virus triusor 6916675-0

The first one, "Locky", has a comprehensive reference online, in a Microsoft blog:
https://www.microsoft.com/security/blog/2016/02/24/locky-malware-lucky-to-avoid-it/

although nothing confirms that it's the same "Locky" detected above, because there is no reference online to the "6598055".

The second one (again without the numeric suffix) is described here:
https://www.virusresearch.org/win-malware-triusor-trojan-virus-removal/

If either of the above descriptions were appropriate to the Clamwin detections I've found, then the laptop ought to be an inaccessible zombie! But it isn't, which either means that the detections aren't the same as the malware being described above, or those descriptions are seriously exaggerated.

No doubt, having detected them, Clamwin can treat or quarantine them. But I'd like to be able to advise the victim on how seriously they've been exposed. But on the basis of what I can find online, I can offer no credible advice.

Where, if anywhere, can we find Clamwin's own guide to the malware it detects?
GuitarBob


Joined: 09 Jul 2006
Posts: 4480
Location: USA
Google is your friend!

Regards,
HarryStottle


Joined: 14 Feb 2008
Posts: 9
Location: UK
Not to put too fine a point on it, I wouldn't have bothered with this post had Google answered the question. You can see the inconclusive results I obtained by following the links in my post.
GuitarBob


Joined: 09 Jul 2006
Posts: 4480
Location: USA
Sorry--didn't mean to be so flip. Some of the big AVs still have a descriptive database that you can access on their web sites that describe a virus. One problem is that they sometimes have different names depending upon the AV.

ClamWin depends upon the Clam AV Project for Linux email server viruses. We make a Windows port of their Linux source code, and we even use their virus signature database. We have very little resources. Clam AV may have some virus descriptions at their web site, but I haven't seen any.

Clam/ClamWin has a good amount of false detections (false positives), so check any files they detect on the Virus Total web site. I like to see at least 2 of these AVs detect something before I believe it: Avira, Bitdefender, Eset, Kaspersky, and Sophos. You can report false positives at the Clam AV web site via the Contacts page.

Be sure to use a real-time AV for primary use and employ ClamWin as a backup, on-demand scanner.

Thanks for using ClamWin!

Regards,
HarryStottle


Joined: 14 Feb 2008
Posts: 9
Location: UK
Thanks for that more detailed reply.

I think it confirms what I've perceived to be a growing problem.

I already set up my users/clients/friends and myself as you suggest. Real time scanner. Clamwin for confirmation and ad hoc scans. Anything found, tested on Virus Total. I have a higher tolerance threshold than you. I don't take it as a VT confirmation, generally, unless there are at least 5 confirmations, although the source of confirmation can reduce that number.

But none of that addresses my central concern. Basically we need to know, once a potential attack has been discovered, how seriously we should advise our "dependents" to take it. And that routine element of malware information has almost entirely disappeared. This forces punters either to over-react and wipe/re-image systems at the first hint of malware, then change all their passwords and security data, just in case it was a serious attack and the crown jewels were compromised; or else treat all infections as trivial (once detected and treated) despite the fact that the crown jewels really WERE compromised...

Seems to me there's a growing gap in the market...

But as you are obviously part of the team working on Clamwin (for which much respect and genuflection) perhaps you can answer this question:

Presumably there are a number of ways in which an AV author discovers new threats and their signatures. Most, I suspect, will be randomly discovered by security geeks around the planet whose working lives are dedicated to that task. Some you might discover for yourselves. But I'm assuming, once discovered, the news is shared and that sharing isn't limited to the discoverer's name for the malware and those details needed for detection. It must include justification for identifying the package as a threat, together with samples, or, at least discussion about, the kind of damage it can do, the likely routes of infection and so on.

a) Do you, as AV authors, not get to see this metadata? (and, if so, why can't it just be stored where we can all see it?) or
b) isn't there a global repository for such data, which we can all see (and if not, why not?)
GuitarBob


Joined: 09 Jul 2006
Posts: 4480
Location: USA
Samples of infected files are the most important way that AVs discover viruses.

I think AVs do not share as much as they used to. Information about high profile viruses is available on security blogs.

Virus Total has become a clearing house for virus information. Clam AV gets most of its samples from Virus Total. It also gets some from users and its Cisco owner.

ClamWin gets Linux source code (from which it does a Windows port) and virus signatures--nothing else.

I, too, rely upon Virus Total detections by Avira, Bitdefender, Eset, Kaspersky, and Sophos for confirmation. You have to consider which AVs are detecting something if there are not many detections.

I would consider a confirmed detection of any virus as major. After your regular AV(s) detect and clean, you can rely upon several other good cleaners like Dr. Web's CureIT, Eset's Online Scanner, Malwarebytes, and Kaspersky's TDSS cleaner to make sure the infected computer is clean.

Regards,
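As an added illustration (not ClamWin's code and not anything the posters wrote), the following Python splits ClamWin detection names like the two in the thread into ClamAV's Platform.Category.Name-SignatureID-Revision components, which shows why the numeric suffix is not something to search for elsewhere, and applies the Virus Total consensus rules the two posters describe to a constructed engine report. The engine labels and the two reports are assumptions made up for the example.

```python
import re

# Engines the thread treats as authoritative on Virus Total. The labels are
# an assumption chosen to match the constructed reports below.
TRUSTED_ENGINES = {"Avira", "BitDefender", "ESET", "Kaspersky", "Sophos"}

# Constructed reports in {engine: verdict} form; "" means no detection.
# LOCKY_REPORT: 4 hits, 3 of them from trusted engines.
LOCKY_REPORT = {"ClamAV": "Win.Malware.Locky-6598055-0", "Avira": "TR/Locky",
                "Kaspersky": "Trojan.Locky", "Sophos": "Troj/Locky", "ESET": "",
                "BitDefender": "", "OtherEngine": ""}
# TRIUSOR_REPORT: 2 hits, neither from a trusted engine.
TRIUSOR_REPORT = {"ClamAV": "Win.Virus.Triusor-6916675-0", "OtherEngine": "Heur",
                  "Avira": "", "Kaspersky": "", "Sophos": "", "ESET": "", "BitDefender": ""}


def parse_clam_name(name: str) -> dict:
    """Split a ClamAV/ClamWin detection name into its parts.

    ClamAV names are Platform.Category.Name-SignatureID-Revision. The post
    renders them with stray spaces ("Win malware Locky - 6598055 -0"), so the
    name is tokenised on whitespace, dots and dashes; family names that
    themselves contain dots or dashes are not handled.
    """
    tokens = [t for t in re.split(r"[\s.\-]+", name.strip()) if t]
    if len(tokens) != 5 or not (tokens[3].isdigit() and tokens[4].isdigit()):
        raise ValueError(f"not a ClamAV-style signature name: {name!r}")
    platform, category, family, sig_id, revision = tokens
    return {"platform": platform, "category": category, "family": family,
            "sig_id": int(sig_id), "revision": int(revision),
            "canonical": f"{platform}.{category}.{family}-{sig_id}-{revision}"}


def triage(report: dict, trusted_min: int = 2, total_min: int = 0) -> dict:
    """Apply the thread's Virus Total consensus rule to a {engine: verdict} map.

    trusted_min=2 is GuitarBob's bar (two of the trusted engines agree);
    total_min=5 approximates the stricter count HarryStottle describes.
    """
    hits = {eng for eng, verdict in report.items() if verdict}
    trusted_hits = sorted(hits & TRUSTED_ENGINES)
    confirmed = len(trusted_hits) >= trusted_min and len(hits) >= total_min
    return {"total_hits": len(hits), "trusted_hits": trusted_hits,
            "verdict": "confirmed" if confirmed else "possible false positive"}


if __name__ == "__main__":
    for raw in ("Win malware Locky - 6598055 -0", "Win Virus triusor 6916675-0"):
        print(parse_clam_name(raw)["canonical"])
    print(triage(LOCKY_REPORT), triage(LOCKY_REPORT, total_min=5), triage(TRIUSOR_REPORT))
```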