ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
This topic is locked: you cannot edit posts or make replies.
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Reply with quote
When I was preparing signatures for Clam AV , all False positive signature corrections had to be done manually, and no one worked on Clam AV full-time (except for the 1-5 hours I volunteered each day as an open source sigmaker). Since Clam was/is designed primarily for Linux email servers, there was/is not much concern with false positives. I'm fairly certain the situation has not changed under Cisco. It's been that way since the original Clam AV project sold out to Sourcefire.

Report FPs to Virus Total and then report them to Clam AV. That's about all you can do--unless you want to prepare a local FP sig as I have explained. As a last resort, send email to Joel Esler at Clam--he's the open source representative, and tell him about it.

Regards,
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 95
Reply with quote
UPDATE: we have movement!
Last nights scan has revealed that one of the test case FP's has been removed (leaving the other 4 still being detected). ONE of the 5 FP's has now stopped appearing suggesting they have made amendments to correct it. And that program is the SAMASSASSINFORWINDOWS.EXE. Now interestingly, this was the one I performed the following with:
jimimaseye wrote:

Ok, 2 days on and I checked Virustotal to see what it now thinks of one of the above files. I chose the SpamassassinForWindows installation. https://www.virustotal.com/en/file/2204752c635e00b50a0e557597a67852e8e8f4388aa43884c68a98ae76f4fb29/analysis/1454433757/

NOW Virustotal is saying that CLAMAV detects it as a Win.Trojan.Application-1470 (with defs dated 02-feb-2016/today) just as Clam detects over night. Note: VT does NOT say it is any kind of PUA.

I made a point of not sending the other file. Marketsplash.msi, for re-analysis so that we can now see if reporting to Virustotal really does make the difference. (If it does I expect this spamassassin program to be immunised and marketsplash to still be falsely detected; The idea being that if I dont reanalyse it, and therefore VT still has it on file as being clean, then it wont be fed back to Clam for rectifying). Or if it doesnt make a difference, and both files get their false positives rectified together, then it shows that simply reporting it via the ClamAV website is the only method they respond to....or not (as the case may be).

So 7 days later they have corrected one of the FP's. Is it a result of sending it to Virustotal after VT finally sees it as detected (as above)? Hmmmm... Well what I can tell you is that I have simply only ever uploaded it to them using the 'report FP' page but never reported the VT analysis link back to Clam. So the question remains whether the VT report has any influence on them actioning against reported FP's.

INTERESTINGLY, I also note that this report that also appeared last week (on the 3rd Feb):
jimimaseye wrote:
(Another night, another scan, and another additional False Positive: OpenOfficePortable\OpenOfficePortable.exe: Win.Trojan.Ramnit-8177 FOUND. And it seems that I am not the only one, someone else already told VT about it: https://www.virustotal.com/en/file/26ec327fbb3de17b4a0c2c0c5b768ffef2b861218f6e2bdb6c3499886bdd9787/analysis/)

....is also no longer being detected. This also has been corrected but it was a few days ago (I dont remember exactly) which was somewhat a lot quicker in correcting. (reported 3rd, and hasnt been around for a couple of days (lets say since the 7th) so was corrected within 4 days. Compare this to spmassassin with has taken 7 days, and the other 4 FP (test cases) that still havent been corrected at all.

    6 programs detected as FP's, ALL reported to Clam via 'FP REPORT' page.
    2 checked with VT with VT not seeing clam as detecting,
    ....1 of those later checked with VT again with VT to then finally see Clam as a detection, along with another one of the 6 (presumably reported by someone else) - so only 2 seen by VT as an FP
    Within 7 days only 2 of the 6 were immunised and they happen to be the 2 seen by VT as clam detecting them.


Last edited by jimimaseye on Tue Feb 09, 2016 4:18 pm; edited 1 time in total
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Reply with quote
Virus Total started notifying the AVs involved with FPs some time last year. Since the bulk of the Clam AV signatures are now auotomated, it maiy be that they have now automated Clam FPs that are reported to them as well. Are those 2 FPs on Windows PE file malware?

When I was working at Clam, they only automated the Windows PE file malware (they couldn't easily automate the non-PE stuff), so I think the FPs would be the same. this means hey have to work the non-PE FPs manually the same as they do the non-PE malware. Since no one at Cisco/Sourcefire works full-time on Clam, the non-PE stuff (both FP and malware) has to wait until someone has some free time to work after their primary Cisco/Sourcefire work.

I think we have figured it out--due to your hanging in there!

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
All AVs want to see a virustotal report of false positives. This is why I said to send a VT result with your FP files. It also might be a good idea to submit them one at a time and not all at once. The reason why all AVs want to see a VT link is because it helps them understand a detail reported of the file(s) from other AVs and helps them determine if it's a false positive or not.

Still, ClamAV is good at somethings. It's usually good at detecting worms and has really unarchiving abilities. It can even parse multiple file types, just like any commercial AV would do. I, for one, will always stick with the Clam engine because I know they will improve and it's really the only open-source AV engine on the web.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Reply with quote
Amen, RRK! However, I have some doubts about Cisco, which now owns Clam AV. I'm sure they bought Sourcefire to get Snort and the Sourcefire staff. Clam AV is probably not too important to them, and you just can't trust them to take good care of it. When I was at Clam AV, they told me that Cisco used Clam on hundreds of computers but had never paid a cent to support the Clam AV project!

Regards,
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 95
Reply with quote
ROCKNROLLKID wrote:
All AVs want to see a virustotal report of false positives. This is why I said to send a VT result with your FP files. It also might be a good idea to submit them one at a time and not all at once.

I really hope that this isnt the reality.

At no point on the CLAMAV website, in the 'REPORT A FALSE POSITIVE' page, does it say something to the tune of "check it out yourself using Virustotal first and post their link to us because we wont trust you or act on your report without it". They need to take responsibility for their own product; relying on the other 54 'official' antivirus solutions to tell Clam whether they are right or wrong is beyond comment. A virus is a virus (malware) because of the damage and risk it poses, not because "other AV solutions have told me so".

If this is the real way they operate then I can very easily change my mind on really how sh1te they are. Because that attitude is just appalling.
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
It's not like that at all Jimimaseye. Maybe I should have said most AVs and not all. When I was malware hunting for Malwarebytes and Avast years ago, I use to submit false positives to them all the time, but both companies wanted a VT result, as well, in order to fix a FP. It is not because they do not trust their users, it is because VT is a great way in knowing if a file is malware or false positive. A lot of AVs rely on each other at times.

For example, look how many AVs on the web run off the BitDefender engine.

Still, ever since Virustotal started to send false positives to AVs, I have noticed a lot less false positives in ClamAV then how it was a few years ago.
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 95
Reply with quote
To say that they 'ask VT' to judge if something is malware (or a false positive), is the same as saying "they'll ask their competitors what they think". VT is just an amalgamation of opinions of the other AV suppliers, and SOMEONE has got to make a decision to begin with. And that decision must be, simply, "is this damaging or not?".

I would like to think that the other big players dont actually work like this and as they have the resources actually put EFFORT and research in to deciding whether something is unwanted or not based on the merits and actions of the software rather than a competitors opinion. In any case, whether they do or they dont, its not relevant really as even if they do consult VT they at least do the research themselves. If anyone reports an FP to them, they accept report and act upon it and dont pick and choose whether to do so just on whether the 'victim' has done their research upfront for them.

Yes, I know, 'Clam...free...open source....ask for your money back if youre not happy....etc ....etc', BUT even with their limited resources it takes nothing to do their lookup with VT instead of us end users. They have the time to write their website, and it would take nothing to run a web app that automatically parses whatever is sent to them to VT for comparison and return the report. OR ADVERTISE AND TELL THE USERS if they must be doing the VT lookup first if they want to be listened to. In any case, there is no excuse.

(To answer the question that some readers may be asking themselves right now: "Why do you still use it then Jimimaseye?" I use it as it is an easy to use INLINE commandline scanner for incoming mail on a mailserver but it must be used with 3rd party definitions to be any use at all. I use 'sanesecurity' definitions that have been proven by my testing to provide by far the best Zero-hour detections compared to any of the other big players. And (only!) with these definitions, and the ability to run inline ondemand single file scanning, clam fits my environment perfectly. Of course, its pointless for any other realtime protection and I use Bitdefender for that on the clients. (Never really understood the concept of 'weekly scheduled or on-demand system scans': if its been on your system for a week then the damage has already been done or its isnt ever going to happen. You need to stop the malware before it starts.) If youre interested (or its allowed): https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829)

Anyway....

I will now do the VT thing with the remaining FP's in my test case and report them to Clam...Again! We'll see how it goes from here.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Reply with quote
When I worked sigs for Clam, we checked the FP "farm" on all submissions to see if a file was benign, but we did not have every Windows app on the "farm". We also checked for the absence/presence of malware after execution on a system, so manual research was done. The automated sigs developed from Virus Total had to meet certain requirements, of course. There should not be be very many FPs on them. Most FPs will usually occur on manual signatures--for both Windows PE or non-PE files that are not on the FP farm.

Clam AV gives us only a basic antivirus. It is up to us what we do with it. If you would like to help make either ClamWin or Clam AV better, contact the respective developer parties. The ClamWin project is a bit "closed", but Clam AV has many improvements/corrections/etc. submitted by users.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
Watch out for some of those third party signatures. I remember this user posted his site, it was some French, that was selling signatures for the Clam database, which I thought was ridiculous. They had a free version, but only contained malware 30 days or older. I haven't used Sane security, so I don't know much about them.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Reply with quote
The ClamWin developers have always said that it should be used as a backup scanner to a real-time scanner. Granted, the Clam AV signatures used by ClamWin are a bit deficient for use on Windows computers when compared to commercial AVs, but if you do as they say, you will be well-protected from malware.

Regards,
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 95
Reply with quote
Quote:
Watch out for some of those third party signatures

Indeed.

I tested the sanesecurity signatures thoroughly before adapting them. So far they have been proven to be valuable and are especially effective against the latest ongoing threats such as the Dridex/cryptolocker type viruses that are spread through Office doc macros. Of course, testing never stops. Any attachments that are removed still leaves the email (minus attachment) which can still be viewed and dtermined whether to be falsely removed or not. And as yet, I havent had a single FP with them and only a handful of times (less than 5) where the dangerous (newly released) DOC/attachment has been receieved before my hourly database update runs to retrieve the relwvant definition. But remember, we always then have the backup of Bitdefender on the clients (assuming they have updated their definitions by the time the user comes to open it)...and a sharp eyed admin bod monitoring such emails just in case. Wink
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 95
Reply with quote
Oh by the way......
jimimaseye wrote:

INTERESTINGLY, I also note that this report that also appeared last week (on the 3rd Feb):
jimimaseye wrote:
(Another night, another scan, and another additional False Positive: OpenOfficePortable\OpenOfficePortable.exe: Win.Trojan.Ramnit-8177 FOUND. And it seems that I am not the only one, someone else already told VT about it: https://www.virustotal.com/en/file/26ec327fbb3de17b4a0c2c0c5b768ffef2b861218f6e2bdb6c3499886bdd9787/analysis/)

....is also no longer being detected. This also has been corrected but it was a few days ago (I dont remember exactly) which was somewhat a lot quicker in correcting.

....nah. I was wrong. The file is on a different disk from my nightly scan and is only scanned once a week (rather than every night) and it was done last night. The same FP detection of openoffice is still there.

Oh well. Seems the theory of simply uploading to VT first as the answer was just that, a theory....and proven not to be true. 1 week on since doing it and no change.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Reply with quote
Well, no one may have done any manual sigmaking/correcting at Clam in a week. When I was doing sigs there, there was an unwritten rule that each sigmaker was responsible for correcting his own false positives--unless there was a FP that was a major boo boo. We had several sigmakers working on Clam AV back then though--one full time, two from open source, and two more when they could be spared. I think the problem now is lack of responsibility. I always corrected my FPs as soon as I saw them. I prepared about 50,000 signatures and corrected about 100 FPs in my 5 years there. All sigs were prepared manually except for the last year.

Regards,
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 95
Reply with quote
If all the signatures (and rectifying of them) are all reliant on *volunteers*, and it seems from looking at the mailing list that there are only the same 3 that do them (Shaun, Alain and one other that I dont remember), I kind of wonder what happens if something happens to them on the christmas night out and they are no longer around to work on them? Does that make Clam (even more) useless? (No point building a fantastic engine if theres a fuel drought and none available to run it.). At least with a company, he COMPANY takes responsibility to create the sigs to keep their product running.

Talking of companies: Didnt some say Oracle own Clamwin?
View user's profileSend private message
Sudden malware or false positives?
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 3 of 7  

  
  
 This topic is locked: you cannot edit posts or make replies.