ClamWin Free Antivirus - Support and Discussion Forums
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
New ClamAV database number 19330 adds even more new Potentially Unwanted Applications to their signatures.

Added: PUA.Macro.DoubleExtension-zippwd-2
Added: PUA.Misc.DoubleExtension-zippwd-4
Added: PUA.Macro.DoubleExtension-rarpwd-2
Added: PUA.Misc.DoubleExtension-rarpwd-2
Added: PUA.Windows.DoubleExtension-zippwd-3
Added: PUA.Windows.DoubleExtension-rarpwd-3


Last edited by ROCKNROLLKID on Mon Sep 08, 2014 6:13 pm; edited 2 times in total
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The PUA sigs about a year or so ago hit a lot of packers and were really a nuisance, so we took PUAs out of Clam Sentinel detections. One person's PUA is another person's acceptable program. I think AVs should just confine themselves to real malware, and many of them seem to be doing that. Some users will even accept adware as okay if they get something in return. Lots of legitimate software now snoops on users, geolocates, etc.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
New types of signatures added in ClamAV database 19346.

Added: Rar.Suspect.MacroDoubleExtension-rarpwd-2
Added: Rar.Suspect.MiscDoubleExtension-rarpwd-2
Added: Zip.Suspect.WinDoubleExtension-zippwd
Added: Rar.Suspect.WinDoubleExtension-rarpwd-2
Added: Zip.Suspect.MacroDoubleExtension-zippwd-3
Added: Zip.Suspect.MiscDoubleExtension-zippwd-3

Some type of rar and zip infections?


Last edited by ROCKNROLLKID on Mon Sep 08, 2014 9:05 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Looks to me like signatures for double extensions in various situations--instead of a comprehensive heuristic--like that used by Clam Sentinel.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
More double zip/rar extension signatures have been added to database version 19372.

Added: Rar.Suspect.MacroDoubleExtension-rarpwd-3
Added: Rar.Suspect.MiscDoubleExtension-rarpwd-3
Added: Zip.Suspect.WinDoubleExtension-zippwd-1
Added: Rar.Suspect.WinDoubleExtension-rarpwd-3
Added: Zip.Suspect.MiscDoubleExtension-zippwd-4
Added: Zip.Suspect.MacroDoubleExtension-zippwd-4
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes - they are all PUAs, which might not really be malware. For some reason, Virus Total is treating Clam PUAs the same way it does the Symantec "suspicious" designation. Many AVs have gotten away from PUP/PUA--a file is either "good" or "bad."
Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
More double extension signatures added to database numbers 19417 and 19422.

Database 19417:

Added: Zip.Suspect.FileName-zippwd-2
Added: Rar.Suspect.FileName-rarpwd-2
Added: Zip.Suspect.ExecutableAirfare-zippwd-1
Added: Rar.Suspect.ExecutableAirfare-rarpwd-1
Added: Rar.Suspect.ExecutableCopy-rarpwd
Added: Zip.Suspect.ExecutableCopy-zippwd
Added: Zip.Suspect.ExecutableProduct-zippwd
Added: Rar.Suspect.ExecutableProduct-rarpwd
Added: Rar.Suspect.ExecutablePurchaseOrder-rarpwd-2
Added: Zip.Suspect.ExecutablePhoto-zippwd-2
Added: Zip.Suspect.ExecutablePurchaseOrder-zippwd-3
Added: Rar.Suspect.ExecutablePurchaseOrder-rarpwd-3
Added: Rar.Suspect.ExecutablePhoto-rarpwd-2

Database 19422:

Added: Rar.Suspect.MiscDoubleExtension-rarpwd-5
Added: Zip.Suspect.MacroDoubleExtension-zippwd-5
Added: Zip.Suspect.WinDoubleExtension-zippwd-2
Added: Rar.Suspect.MacroDoubleExtension-rarpwd-4


Last edited by ROCKNROLLKID on Tue Sep 23, 2014 3:20 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
They are all detections for malware inside zipped files, and it appears to me that each detection is rather narrow. They will probably not detect much after the individual files are changed, and you can be sure that they will be changed very shortly! There are other archive programs besides rar/zip, and other executable formats besides .exe/photos, and filenames can be changed.

Regards,
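The two points GuitarBob makes above (the new entries are per-situation signatures rather than one general heuristic, and narrow filename signatures stop matching as soon as the filenames change) can be seen in a small detector. The following is an added example, not code from this forum, from ClamAV or from Clam Sentinel: it lists the entries of a zip archive and flags names whose final extension is executable while the preceding one is a document or image decoy, which is what the "DoubleExtension" signature families are after. The extension sets, the finding labels and the in-memory sample archive are all constructed for the example; only zip is handled because the Python standard library has no rar reader.

```python
"""Double-extension heuristic over a zip archive listing (added example)."""
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows runs on double-click (constructed list, not ClamAV's).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
             "vbs", "vbe", "wsf", "hta", "cpl"}
# Decoy "document/image" extensions placed before the real one (constructed).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "jpg", "jpeg",
              "png", "gif", "txt", "zip", "rar"}
# Macro-capable document formats, reported separately (constructed).
MACRO_EXTS = {"doc", "docm", "xls", "xlsm", "ppt", "pptm"}


@dataclass
class Finding:
    name: str
    encrypted: bool
    reason: str


def split_exts(name: str):
    """Return (stem, [ext1, ext2, ...]) for the last path component, lowercased."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = base.lower().split(".")
    return parts[0], parts[1:]


def classify_name(name: str, encrypted: bool = False) -> Optional[Finding]:
    """Flag names like 'invoice.pdf.exe' or 'order.doc      .scr'.

    The rule is generic: last extension executable, previous one a decoy.
    Whitespace padding between the decoy and the real extension is collapsed,
    so renaming the file does not defeat it the way a literal signature is.
    """
    _stem, exts = split_exts(name)
    if len(exts) < 2:
        return None                      # single extension, nothing to hide
    exts = [e.strip() for e in exts]     # "pdf      " -> "pdf"
    last, decoy = exts[-1], exts[-2]
    if last not in EXEC_EXTS:
        return None                      # e.g. archive.tar.gz
    if decoy in MACRO_EXTS:
        reason = "macro-decoy"
    elif decoy in DECOY_EXTS:
        reason = "document-decoy"
    else:
        return None
    if encrypted:
        reason += "-encrypted"           # mirrors the "-zippwd"/"-rarpwd" cases
    return Finding(name, encrypted, reason)


def scan_zip(data: bytes) -> List[Finding]:
    """Read only the central directory; entry names are never encrypted, so a
    password-protected archive can still be classified without the password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0
            hit = classify_name(info.filename, encrypted)
            if hit:
                findings.append(hit)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive with two lures and three benign entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ constructed stub")
        zf.writestr("Purchase Order.doc.scr", b"MZ constructed stub")
        zf.writestr("photos/holiday.jpg", b"\xff\xd8 constructed")
        zf.writestr("archive.tar.gz", b"\x1f\x8b constructed")
        zf.writestr("setup.exe", b"MZ constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f.name!r}: {f.reason}")
```

Because the check is on the shape of the name rather than on a particular string, the same function covers the "Macro", "Misc" and password-protected variants that each got a separate signature in the thread; the trade-off is that a heuristic like this will also flag legitimate files that happen to carry two extensions, which is the false-positive cost GuitarBob describes for PUA detections.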
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
July 8th is apparently when the .98.5 beta version came out. It is now September 25th and it is still in beta. Anyone know why it is taking longer than other versions? It has been over 2 months now.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I think it's the same old story, RRK. Clam AV is free and open source--Cisco can't make much money from that. They continue to concentrate (understandably, I guess) upon the commercial side, and Clam AV (ultimately ClamWin as well) gets a few crumbs now and then. Personnel, time, and equipment mainly support commercial.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
It isn't like ClamAV to hold a version for over a month like this. At first, I thought maybe they held the version back because of the new website, but now I am thinking maybe something big is coming, something unexpected from ClamAV. Then again, you could also be right, GuitarBob. Hopefully, ClamAV won't let us down.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I think the biggest thing they could do is make user submissions more important than Virus Total submissions! Part of the time I was sigmaking at Clam they used Kaspersky, Bit Defender, and Dr. Web to scan submissions as an aid to sigmakers, but they quit that. It was too expensive, I guess, but if two of those three AVs say something is infected, it probably is, and they could have gone ahead and gotten an automated sig for it a long time ago--before a lot of other AVs were using automated sigs.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
One thing I noticed with the ClamAV database: they seem to get a lot of the same samples. The signature makers should really communicate with each other and search different parts of the web to help reduce this. It might also improve detection ratios slightly doing it this way, too. This is how I did it with my old malware hunter team at Malwarebytes.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Probably 90% of the Clam AV samples come from Virus Total. The rest comes from user submissions and other security industry sources. The only ones that are regularly worked (by automation) are the samples from Virus Total. They do a very poor job of working user submissions because they are not automated.

Telemetry is everything to an AV company. You need to at least cover your user submissions. Clam AV doesn't do a good job at that. The bulk of the Virus Total samples come from somewhere else.

Malwarebytes is doing a good job of covering the viruses I check, but they don't have a good easy way for users to submit samples, so I don't know how well they are serving their actual users. Perhaps they are still concentrating upon the high-profile, advanced persistent threat stuff. I wonder how many of those their users will encounter. I once had an MBR virus I was working on get away from me, and the Pro edition of Malwarebytes did not catch it.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Even if that is the case, they should still communicate with each other to prevent this duplication. We should also remember ClamAV is a Linux anti-virus that was meant to stop the spread of viruses from Linux systems to Windows systems. In that case, VT signatures are good enough if that was the intention. I think that's what they also think, too.

Still no luck with pidgin, at all? Do you need help setting it up?
Updates on ClamAV are posted here