ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
.98.4 of ClamAV stable just came out. It won't be long before ClamWin beta testing will be out for their new release. We will see what OpenSSL has for us and a few other changes as well.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, I am very interested to see what happens. OpenSSL is a dependency for future functionality. I hope ClamWin/Clam Sentinel can take advantage of it.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
When they say "future functionality", what exactly is that supposed to mean? Does that mean better support for ClamAV in the future? Does that mean easier development?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I'm not sure myself, but I think they are looking at new detection capability including the cloud.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Two questions:

1. If ClamAV now uses VirusTotal for signature collections, what do they do with submissions that are sent directly to ClamAV: http://www.clamav.net/lang/en/sendvirus/submit-malware/ ?

2. How long does it take for ClamAV, on average, to fix false positive submissions sent directly to ClamAV via the send false positive on their website?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The samples from Virus Total were used for automated signatures (Windows executables only) because they have a lot of information supplied by Virus Total. All other signatures were prepared manually--as the sigmakers had time to work on Clam AV signatures. Since no one worked full-time on Clam AV, not many non-executable samples were being worked. False positive corrections were not worked regularly and were mostly handled by one sigmaker who did them in bulk when time permitted. My guess is it took anywhere from one week to one month to get a false positive corrected.

This was the way things were at Clam AV when I left early this year. I do not know what is going on now, but I think it is probably about the same. This is why I say that the Clam AV signatures are too little too late and recommend a real-time scanner be used in conjunction with ClamWin/Clam Sentinel. The Sentinel heuristics provide extra protection against ordinary malware, but there is lots of high-tech stuff out there, some of which never gets in a file.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Why did you leave ClamAV? I guess with all the changes recently, it's hard to keep up. Also, I thought you left ClamAV a long time ago?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I started sigmaking as an open source representative at Clam AV back when Sourcefire acquired Clam in 2008. The ClamWin project had a good relationship with the Clam AV developers then, and the developers were concerned that Sourcefire with its commercial orientation might make the signatures proprietary and lock out open source. If there were some open source sigmakers, then we could not be locked out. It turned out that Sourcefire was committed to open source, so there was not really any problem, but I continued to work signatures for about 5 years. A while after Cisco acquired Sourcefire, I informed them that I would not be preparing any more signatures. This was because I was not getting the support that I needed from the outdated submission interface and the people responsible for keeping it up. I also had little contact with any Sourcefire people. To my knowledge, I was the only sigmaker working Clam AV signatures on a regular basis. Understandably, the Cisco/Sourcefire commercial applications got most of the attention.

Regards
Slow scanning