ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
ClamWin Version 1.0 Dependency On ClamAV
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
Reply with quote
How dependent upon ClamAV will ClamWin version 1.0 be? In other words, is the code written so that it would be possible to use another antivirus engine and/or signature database without a major revision?

I am just wondering. At some point, this might become an important consideration because of differences in users, philosophy or location.

Regards,
View user's profileSend private message
drgoa.r


Joined: 20 Nov 2006
Posts: 66
Location: Bulgaria
Reply with quote
if the engine can be changed...then probably developers must change the name also - ClamWin will be not so good then Smile
i hope developers will break the connection between ClamWin versions and ClamAV engine versions.
because there are so many reasonable suggestions (about gui and etc.) which can be implemented before engine updates.
or developers could make new numbering - for example ClamWin 0.88.7-A, 0.88.7-B and etc., to mark ClamWin changes without engine differences.
View user's profileSend private message
ClamWin Dependency Upon ClamAV
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
Reply with quote
The ClamAV engine is a good one, and they are making it better all the time. This year they should start using some advanced heuristics. ClamAV's "market" is email servers using Linux, however. The average Windows PC user has an ISP that already scans email for them, so their primary exposure to malware is going to be malicious Web sites, Active-X scripts, and adware/spyware instead of mostly email viruses. Understandably, ClamAV gives priority to its market and to developing signatures for it. I believe that ClamWin at some point will have to have a "market" of its own. Maybe in version 2.0?

Regards,
View user's profileSend private message
Re: ClamWin Dependency Upon ClamAV
b0ne


Joined: 26 Oct 2006
Posts: 174
Reply with quote
GuitarBob wrote:
I believe that ClamWin at some point will have to have a "market" of its own.
Sherp and I had mentioned not using clamav engine anymore, just their signatures, but "heading off on our own" requires a large technical base of supporting malware analysts.
View user's profileSend private message
drgoa.r


Joined: 20 Nov 2006
Posts: 66
Location: Bulgaria
Reply with quote
where exactly is the problem:
- scanning engine can't scan for spyware?
- or lack of signatures for spyware in database?
View user's profileSend private message
ClamWin Heading Off On Its Own
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
Reply with quote
Well, you probably don't want to do that at this point, but perhaps eventually ClamWin could either 1) develop a few signatures for really bad Windows malware on its own or 2) rely more heavily upon heuristic techniques specific to Windows PC viruses. Either option might not require a massive effort. Also, I understand that some antivirus companies are automating the process to a certain extent. Finally, the quality of the signature database is equally as important as the number of signatures--especially if you are able to identify an entire virus "family" with just a few signatures.

ClamWin provides one of the scanners at VIRUSTOTAL, and I understand that VIRUSTOTAL submits virus samples to the scanner providers. If they furnish MD 5 hashes, could you use that for a signature? And, of course, you could accept virus samples from users.

Just a few ideas--perhaps for version 2.0 or 3.0.

Regards,
View user's profileSend private message
Re: ClamWin Heading Off On Its Own
drgoa.r


Joined: 20 Nov 2006
Posts: 66
Location: Bulgaria
Reply with quote
GuitarBob wrote:
ClamWin provides one of the scanners at VIRUSTOTAL, and I understand that VIRUSTOTAL submits virus samples to the scanner providers. If they furnish MD 5 hashes, could you use that for a signature? And, of course, you could accept virus samples from users.

Virus samples are sent to ClamAV virus database maintainers.
And they include them as fast as they can.
You may look at this list: http://lurker.clamav.net/list/clamav-virusdb.html
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
Reply with quote
You wrote:

"Virus samples are sent to ClamAV virus database maintainers.
And they include them as fast as they can."

Yes, I am aware of that. I also know that ClamAV does a good job with limited resources--they're now approaching 90,000 signatures. I am also aware that VIRUSTOTAL submits viruses to those scanners that it uses, and it references Clam/ClamWin as one of its scanners at the VIRUSTOTAL Web site.

I once sent ClamAV a copy of a virus that it didn't detect, although my other/real-time scanner did. I checked it at VIRUSTOTAL, and I assume VIRUSTOTAL also sent it to ClamAV. I scanned the file with ClamWin several times over the next couple of weeks, and each time I found that it was not in the signatures from ClamAV (I quit looking and deleted it after that). Several other people have also mentioned a similar experience after submitting malware to ClamAV. Conclusion: things could be different now, but based on my experience, ClamAV gives signature priority to email services/viruses--certainly not to Windows PC users.

I am a Windows PC user.

Regards,
View user's profileSend private message
Analyzing Viruses
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
Reply with quote
Is there any chance that Rainbow Cracking can be useful in analyzing viruses? Further info at:

http://www.antsight.com/zsl/rainbowcrack/

Regards,
View user's profileSend private message
Re: Analyzing Viruses
b0ne


Joined: 26 Oct 2006
Posts: 174
Reply with quote
GuitarBob wrote:
Is there any chance that Rainbow Cracking can be useful in analyzing viruses?
Not unless cracking hashes can determine if an executables machine code has malicious intent, and be able to classify it correctly.
View user's profileSend private message
Craching Hashes
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
Reply with quote
You said recently that Clam can ID viruses via MD 5 hash. Are there a finite number of malicious tasks that can be accomplished on a computer? Would a malicious task have a different hash series for every virus that accomplishes it? I'm wondering just about the malicious part--not anything else that might be in the virus signature.

Regards,
View user's profileSend private message
Re: Craching Hashes
b0ne


Joined: 26 Oct 2006
Posts: 174
Reply with quote
GuitarBob wrote:
You said recently that Clam can ID viruses via MD 5 hash.
Yup, they are hashes of entire files.
Quote:
Are there a finite number of malicious tasks that can be accomplished on a computer?
Is downloading a file a malicious task? Or is it only malicious when it downloads a file then executes it without user interaction? Are all browser-helper-objects for internet explorer inherently bad because they can see your pre and post rendered web pages?

I see what you're getting at, but unfortunately, there are many ways to "code" the malicious behavior, and MD5s are very exacting. One byte change to a piece of code changes the MD5 completely.

Quote:
Would a malicious task have a different hash series for every virus that accomplishes it?
This is best illustrated with an example; I selected a piece of code that checks whether or not the internet is available between two variants of SDBot:

lxsys.exe - SDBot variant
Code:
xor     edi, edi
mov     [ebp+var_4], 2
cmp     dword_41BDAC, edi
jnz     loc_4072D2
push    edi
push    edi
lea     eax, [ebp+var_C]
push    edi
push    eax
call    InternetGetConnectedStateEx
test    byte ptr [ebp+var_C], INTERNET_STATE_CONNECTED
jz      short loc_4054D5
Byte signature: 33FFC745FC02000000393DACBD41000F85181E000057578D45F45750FF1508BB4100F645F4017408
MD5 of this "code chunk": A4ED69600AE3A59254A0489E0D16F211

final0new.exe - A very similar SDBot variant
Code:
xor     edi, edi
mov     [ebp+var_4], 2
cmp     dword_41BDBC, edi
jnz     loc_4072D2
push    edi
push    edi
lea     eax, [ebp+var_C]
push    edi
push    eax
call    InternetGetConnectedStateEx
test    byte ptr [ebp+var_C], INTERNET_STATE_CONNECTED
jz      short loc_4054D5
Byte signature: 33FFC745FC02000000393DBCBD41000F85181E000057578D45F45750FF1518BB4100F645F4017408
MD5 of this code chunk: F0615C30C4BEF8D20D1C3339E7B4C40D

As you can see, there are two bytes difference between these two pieces of nearly identical machine code instructions, however look at the MD5 values for these two chunks.
View user's profileSend private message
Finding The Bad Guys
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
Reply with quote
You wrote:

"Are all browser-helper-objects for internet explorer inherently bad because they can see your pre and post rendered web pages?"

That's the problem--eh? Browsers are inherently dangerous because of their functionality, and we can't/don't want to lose that functionality. We have to live with that then and minimize the danger where possible.

"I see what you're getting at, but unfortunately, there are many ways to "code" the malicious behavior, and MD5s are very exacting. One byte change to a piece of code changes the MD5 completely. "

Perhaps the behavior blocker guys have it right then, but some of their "hooks" are about as bad as rootkit viruses. I was hoping you could do a lot of work up front to a rainbow table for malicous actions that would facilitate things when checking for viruses.

Downloading malicious software doesn't hurt--until it's actually run on your computer. Guess that's why some AV software doesn't worry about unpacking everything, but they need to be very fast when the bad stuff kicks in.

As usual, thanks for the info.

Regards,
View user's profileSend private message
ClamWin Version 1.0 Dependency On ClamAV
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic