ClamWin Free Antivirus
Support and Discussion Forums
ClamAV past database updates
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
I know I should probably ask ClamAV this, but I am not registered in their forums, nor do I really want to be, so I figured someone here could answer. Since database 18533, which was the first database update on March 4th, to today's latest database update, 18540, ClamAV had a giant list of signatures through all the databases, but most of them in each database were marked as Not Added. Is this something we should worry about, because that would mean the last successful update was on March 3rd? I am signed up for ClamAV signature email alerts, so this is how I know what the databases are.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The last Clam AV database update I have is 18540, which I think is the latest one. There are normally 4 updates each day, but there can be more or less depending upon availability of Clam AV personnel (there is no one working signatures on a regular basis but they try to make up for this with a limited number of automated signatures). There could also be infrastructure problems, as Clam AV shares servers/software/IT personnel with the commercial operations of Cisco/Sourcefire, and commercial operations are primary.

ClamWin has no control over the signatures in the Clam AV database or the updates. If you are using Clam Sentinel, I wouldn't worry too much about a lack of Clam AV signature updates. The Clam AV signatures are mediocre--too little/too late to detect new malware that is changed often, and that describes most malware now. Unlike the Clam AV signatures, the Clam Sentinel heuristics do not use exact signatures, and they will detect 70-90% of Windows executable malware that might be downloaded to your computer, so Clam Sentinel users have decent protection regardless of the Clam AV signatures. Nevertheless, fast-executing malware can still do some damage, so for extra protection, I recommend users of XT and newer computers use another AV - such as Microsoft Security Essentials alongside ClamWin/Clam Sentinel. Malwarebytes free is also very good at detecting infections, but it does not have real-time detection, and its detection is after the fact.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
It looks like ClamAV took notice of this and increased their signature output. The past 2 days there have been over 7 updates with lots of added signatures and fewer non-added ones.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
That is good--I hope they keep it up. Lack of infrastructure (servers, etc.) and an outdated submission system have hurt them, and Clam AV also shares infrastructure and personnel with the commercial projects. Understandably the commercial projects get first crack.

I just wish they would incorporate some real heuristics in the Clam AV code to detect at least some malware without the need for a signature. It is not hard to develop some heuristics based on the Windows PE file. This could make up, to a certain extent, for slow signatures at low volume. They still do not check extensively for valid digital signatures (ClamWin has done this for false positive protection for a couple of years now). I keep getting false positives from the Clam AV database in ClamWin for Windows system files.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Their scan engine is also quite abnormal. I guess that's why OpenSSL was created. I have been going around asking people if they know anyone who can build an AV from scratch, specifically for real-time protection, self-defense module, and heuristics. So far I got 3 responses. One was willing to ask around for people, but he didn't know anyone who knew how to build one. The second worked at an IT tech college and he did know people but I haven't heard word since. The third said that he did know people, but he also recommended to put the source code on https://github.com/ and https://www.freelancer.com/ and we might be able to get more people that way. I'll continue my search and see what else I can come up with.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The Clam AV and ClamWin source code is freely available to anyone, but it's hard to find someone who is qualified that will work on a free AV. ClamWin has been unable to find anyone. A few people have indicated interest in working on ClamWin, but when they see the work involved (for free), they lose interest. After you write an AV, then you need the organization/infrastructure to keep it going (web site, submission interface, sigmakers, researchers, maintenance coders, management). This is just about impossible to do for free. Of course, an open source program like ClamWin can still charge for the program, but you will need the organization. The ClamWin developers do not want to charge for the program--probably because of the organizational/management requirements.

It appears that a good AV is best left to well-funded commercial organizations today, and the other free ones are subsidized by commercial AV companies or Microsoft. Many small commercial AVs now license the engine/signatures from larger AV companies.

Regards,