ROCKNROLLKID
I just noticed this, it was posted last week. ClamAV .98.5 rc1 was released here: https://blog.clamav.net/2014/10/clamav-0955rc1-is-now-available-for.html
Guess they haven't abandoned the project, after all.
GuitarBob
No, Cisco/Sourcefire will find it hard to really abandon the Clam AV project. Clam has about 1 million users plus the ClamWin users and a few other groups as well, which probably amounts to 1.5 million or so in total. I'm almost certain, however, that Clam et al will not get the best efforts of Cisco/Sourcefire in malware protection, so it is incumbent on us non/Clam/Windows users to enhance the Clam protection with some additional protection that is designed for Windows users in a real-time environment. A couple of years ago, Sourcefire mentioned that they were working on integrating Clam into the Cloud, but I haven't heard anything since then. That would best serve ClamWin in a real-time environment; however, better protection for ClamWin hinges on that--plus web protection and at least some basic heuristics to complement the too-little/too-late Clam AV signatures. I gave Clam a sample of a couple of exploits a week ago, and my samples are still not being detected.
Regards,
ROCKNROLLKID
You are right. Abandoning the ClamAV project would probably be a mistake on their side. The database is moving slowly these past few days. I think this new version is supposed to help with bytecode signatures. Speeding up the process or something like that.
GuitarBob
In my opinion, it doesn't matter how fast bytecode sigs are. They are too much trouble. They take too long to prepare, and they follow the standard Clam AV pattern of identifying exactly only one (or maybe a few more) malware. This ignores the fact that today's malware is professionally prepared and changed very often. In all the malware I worked on for Clam, I only saw bytecode sigs detect a handful of samples. As I have said before, a good sigmaker can often prepare 50-100 regular signatures (that will be just as good) in the time that it takes to prepare one bytecode sig. And by the time that bytecode sig is prepared, it is likely that you will need another bytecode sig to detect the newest version of the same malware!
I have several years' worth of malware samples, and I don't believe that even one sample will be detected by a bytecode sig!
Regards,
ROCKNROLLKID
A large number of exploit signatures were added in database number 19585.
Added: Win.Exploit.CVE_2014_4076
Added: Html.Exploit.CVE_2014_6332
Added: Swf.Exploit.CVE_2014_0564
Added: Swf.Exploit.CVE_2014_0564-1
Added: Swf.Exploit.CVE_2014_0564-2
Added: Swf.Exploit.CVE_2014_0564-3
Added: Html.Exploit.CVE_2014_1765
GuitarBob
Good, but I sent in a Nuclear Pack JavaScript exploit October 20th which is still undetected.
No doubt those current exploit sigs are a few crumbs from the Snort side of Cisco/Sourcefire efforts. They can prepare an MD5 hash sig for an exploit pretty fast, and it will last for a while--longer than for a Trojan. It takes time for malware authors to come up with another version--and they might not be able to do that. The SWF exploits are currently "popular" so I guess that's why they are concentrating upon them.
Regards,
ROCKNROLLKID
More exploit signatures in database number 19591.
Added: Win.Exploit.CVE_2014_4123
Added: Html.Exploit.CVE_2014_4121
Added: Html.Exploit.CVE_2014_4080
Added: Win.Exploit.CVE_2014_4084
Added: Swf.Exploit.CVE_2014_0531
Added: Html.Exploit.CVE_2014_0531
Added: Swf.Exploit.CVE_2014_0531-1
Added: Swf.Exploit.CVE_2014_0499
Last edited by ROCKNROLLKID on Tue Nov 18, 2014 8:16 pm; edited 1 time in total
ROCKNROLLKID
ClamAV version .98.5 has been released. It offers bytecode improvements as well as improved detection for PE malware and several bug and security fixes. You can read more about it here: https://blog.clamav.net/2014/11/clamav-0985-has-been-released.html
We can expect a new ClamWin beta version coming out within a week or two.
GuitarBob
Guys: This version appears to be a bit more sophisticated than the normal Clam AV version update, so it might take longer. You can be sure, however, that the ClamWin developers will have it as soon as possible. I hope the sophistication makes up for the low/slow Clam AV signature output!
Regards,
ROCKNROLLKID
This was just posted today: https://blog.clamav.net/2014/11/brief-re-introduction-to-clamav.html
It looks like they are going to start bytecode signatures again. Let's see how fast and how improved they have been made.
ROCKNROLLKID
A lot more exploits were added in database number 19658.
Added: Swf.Exploit.CVE_2014_0577-1
Added: Html.Exploit.CVE_2014_6340
Added: Swf.Exploit.CVE_2014_0581
Added: Html.Exploit.CVE_2014_6343
Added: Html.Exploit.CVE_2013_3027-1
Added: Swf.Exploit.CVE_2014_0555
Added: Swf.Exploit.CVE_2014_0584
Added: Swf.Exploit.CVE_2014_0584-1
Added: Html.Exploit.CVE_2014_8441
Added: Win.Exploit.CVE_2014_6322
ROCKNROLLKID
Some information about collecting and analyzing file properties for bytecode signatures was posted here: https://blog.clamav.net/2014/11/intro-to-collection-and-analysis-of.html
GuitarBob
Keep in mind that the primary sigmaker for Clam AV consists of some automated scripts that work on the feed from Virus Total! To really automate, they need to put heuristics inside the Clam AV program instead of having a sigmaker occasionally prepare a bytecode or other signature. Clam also fails to realize that users are an asset (via telemetry from submissions/comments) and should also be in the loop, but I think this is true with many AVs.
Regards,
ROCKNROLLKID
New ClamAV API keys for bytecode signatures posted today: https://blog.clamav.net/2014/11/welcome-to-new-clamav-bytecode-api.html
Updates on ClamAV are posted here
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.