ClamWin Free Antivirus
Support and Discussion Forums
Other Changes To ClamWin For Increased Functionality
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
How about changing the % progress scan indicator (from the General Configuration menu) to a % of progress for the entire scan? I think this would mean more to a user than the % of progress of the current file--even if it's only an educated guess.

Re: email notification of a virus: how about also notifying someone from the ClamWin team so you can tally up what's really in the wild out there?

Regards,
Re: Other Changes To ClamWin For Increased Functionality
drgoa.r


Joined: 20 Nov 2006
Posts: 0
Location: Bulgaria
Quote:
How about changing the % progress scan indicator (from the General Configuration menu) to a % of progress for the entire scan? I think this would mean more to a user than the % of progress of the current file--even if it's only an educated guess.

A good idea, but most of the time this value is not correct. I am talking, for example, about some commercial products.
Kaspersky may scan 80% for 30 minutes, 5% for 1 hour, and the last 15% for 10 seconds.

Quote:
email notification of a virus: how about also notifying someone from the ClamWin team so you can tally up what's really in the wild out there?

I do not understand what you exactly want with this...
As far as I know there are a lot of websites and organizations which are monitoring malware activity.
Creating a new one may be a waste of time and energy.
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
A reasonable overall scan progress implies a pre-analysis of all files that need to be scanned to pick the size; this means a lot of overhead imho, and would not be precise if there are many archives.
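The trade-off sherpya describes, as an added example that is not part of the original post or ClamWin's code: a size pre-pass drives the progress bar from on-disk bytes, while the scan work follows unpacked bytes, so an archive late in the scan skews the estimate. The function names and the sample tree are constructed for illustration, and using a zip's uncompressed size as its scan cost is an assumption.

```python
import os
import tempfile
import zipfile

def presize(root):
    """Pre-pass: walk the whole tree and record each file's on-disk size."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            sizes[path] = os.path.getsize(path)
    return sizes

def scan_cost(path):
    """Assumed real work per file: archives are unpacked before scanning."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return sum(info.file_size for info in zf.infolist())
    return os.path.getsize(path)

def progress_trace(root):
    """Return (file, bar %, real work %) after each file is finished."""
    sizes = presize(root)
    costs = {p: scan_cost(p) for p in sizes}
    total_size, total_cost = sum(sizes.values()), sum(costs.values())
    done_size = done_cost = 0
    trace = []
    for path in sorted(sizes):
        done_size += sizes[path]
        done_cost += costs[path]
        trace.append((os.path.basename(path),
                      round(100 * done_size / total_size),
                      round(100 * done_cost / total_cost)))
    return trace

def demo():
    """Constructed sample: two plain files, then one highly compressible zip."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.bin", "b.bin"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(bytes(range(256)) * 160)      # 40,960 bytes each
        zpath = os.path.join(root, "c.zip")
        with zipfile.ZipFile(zpath, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("padding.txt", b"A" * 2_000_000)
        return progress_trace(root)

if __name__ == "__main__":
    for name, bar, real in demo():
        print(f"{name}: bar shows {bar}%, real work done {real}%")
```

With this sample the bar is nearly full after the two plain files while almost all of the unpacking work is still ahead, which is the imprecision both replies point at.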
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You wrote:

"I do not understand what you exactly want with this...
As far as I know there are a lot of websites and organizations which are monitoring malware activity.
Creating a new one may be a waste of time and energy."

Well, we don't want to waste time and energy--they're both in limited supply. My intent in making this suggestion was to try to get a way to let the ClamWin team know about trends in virus writing. I believe Alch mentioned in the Wiki about setting up a separate ClamWin signature database. Some of the antivirus software is now "phoning home" to let the developers know about stuff like this. One reason I don't use ESET is that it (optionally) does this quite often--uploads user statistics. I guess a better way for ClamWin to do this is to get into the loop with VIRUSTOTAL scan--even to the extent of getting signatures (MD5 hashes can be used by ClamWin per bOne)--a cheap way to develop your own signature database, eh?

There also needs to be a way (eventually) to go beyond the signatures from ClamAV. The ClamAV signatures don't incorporate malware you would get by surfing--which, I feel, is really getting bad.

Regards,
drgoa.r


Joined: 20 Nov 2006
Posts: 0
Location: Bulgaria
GuitarBob wrote:
I guess a better way for ClamWin to do this is to get into the loop with VIRUSTOTAL scan--even to the extent of getting signatures (MD5 hashes can be used by ClamWin per bOne)--a cheap way to develop your own signature database, eh?

As far as I know, the ClamAV team has very good contacts with VirusTotal and Jotti - all (or at least all infected) submitted files are sent to ClamAV (if the submitter did not decide to not distribute the sample).
Submission To ClamAV
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
A couple of months ago, I got a trojan downloader virus. AntiVir found it, but ClamWin didn't. I verified it on VIRUSTOTAL. I sent it to ClamAV, and I understood that Clam would get back to me. They never did, and a month or so later, ClamWin still didn't have the signature.

Based on this experience, I can only conclude that unless things change, if ClamWin wants a substantial number of signatures in its database for malware that the average PC user would encounter, they're going to have to develop an auxiliary database. ClamAV is going to concentrate upon viruses that a large email service provider will find.

Regards,
drgoa.r


Joined: 20 Nov 2006
Posts: 0
Location: Bulgaria
But if ClamWin already detects it, then why "phone home"?
If we have heuristic scanning, yes, then probably it will be good.
About sending samples: right, it can take time....
I sent one to them, and after that sent it again (using VirusTotal and Jotti).
It took about 5 database updates to include it in daily.cvd.
"Phoning Home" Re: viruses found
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Well, an AV program can't phone home about viruses it can't find (some, like NOD32, do send user statistics), but "home" might be able to find a virus "family" early on (say after seeing 20 such related viruses) and develop something to ID the entire family--instead of having to come up with signatures for each virus in the family. 2006 saw the use of several such families, you will recall, and it looks like this will continue. Some individual viruses in these families are very narrowly targeting businesses (perhaps in the hope that the AV companies will not hear about/bother with signatures in such cases), so a family ID might be more feasible than a separate ID for each of the 100 or so family members, if it is possible.

Regards,