Who updates the db?

Re: Who updates the db?
alch
Site Admin
It is a community project, so users like you submit the virus samples to the ClamAV database team (https://www.clamav.net); they review the submission and add it to the database.
Actually it doesn't sound boring.

Boring?
GuitarBob
Computers can help mankind to move forward in a logical manner. Anything that impedes that progress is worth changing/removing. Computer viruses certainly are an impediment to better use of computers, and anyone who works to prevent them certainly has my respect. In addition, the Clam/ClamWin projects are conducted on a voluntary basis, which I think deserves even more respect.
Regards,

Re: Who updates the db?
todd
What specifically does one submit? A virus file, or just a file name? I am trying to understand what/how an "anti-virus" program works. Thanks!
I don't see that yet.

budtse
The community submits a virus file (a file that is not recognised as a virus by clam, but definitely is). Then the Clam definition writers find a way to recognise that file by creating a "signature": a part of the code that is specific to that virus.
The signature is then added to the definition database (with some extra data like virus-name etcetera), so clam will recognise the virus in the future. It's a challenging job to create a signature that only recognises that particular virus, without generating false positives. I guess that's what makes it interesting (though I haven't reached that level of expertise at this moment, so I couldn't tell).
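
The signature idea described in the post above, as an added example that is not part of the original thread and is not ClamAV's own code: a Python matcher for hex signatures written in the style of ClamAV's extended (`.ndb`) format, handling only the `??` and `*` wildcards. The signature names, patterns and sample byte strings are constructed for illustration; the deliberately short `Example.Loose` pattern shows how a non-specific signature flags a clean file.

```python
import re

# Constructed database in the style of ClamAV's extended (.ndb) signatures:
#   MalwareName:TargetType:Offset:HexSignature
# Names and patterns are made up for this example.
SIGNATURE_DB = """\
Example.Loose:0:*:4d5a
Example.Specific:0:*:deadbeef??c0ffee*68656c6c6f
"""

def compile_sig(hex_sig):
    """Turn a hex signature into a bytes regex. Supports ?? (any one byte)
    and * (any number of bytes); other ClamAV wildcards are not handled."""
    chunks = []
    for chunk in hex_sig.split("*"):
        pairs = (chunk[i:i + 2] for i in range(0, len(chunk), 2))
        chunks.append(b"".join(
            b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in pairs))
    return re.compile(b".*".join(chunks), re.DOTALL)

def load_db(text):
    """Parse the database; TargetType and Offset are read but ignored here."""
    sigs = []
    for line in text.splitlines():
        name, _target, _offset, hex_sig = line.split(":")[:4]
        sigs.append((name, compile_sig(hex_sig)))
    return sigs

def scan(data, sigs):
    """Return the names of all signatures found anywhere in data."""
    return [name for name, rx in sigs if rx.search(data)]

# Constructed samples (harmless byte strings, not real malware).
FLAGGED = b"MZ\x90\x00" + b"\xde\xad\xbe\xef\x01\xc0\xff\xee" + b"pad" + b"hello"
CLEAN_PROGRAM = b"MZ\x90\x00 ordinary program that prints hello"
PLAIN_TEXT = b"just some text saying hello"

if __name__ == "__main__":
    sigs = load_db(SIGNATURE_DB)
    for label, data in [("flagged", FLAGGED), ("clean program", CLEAN_PROGRAM),
                        ("plain text", PLAIN_TEXT)]:
        print(label, "->", scan(data, sigs) or "no match")
```
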

Virus Signatures
GuitarBob
A virus signature is unique to an individual virus, and I realize that is a sure-fire way to identify a computer virus, but just like you can say the same thing many ways, many viruses can perform the same actions, but their code can be different. Why can't we learn to identify the actions and not have to rely so much on signatures?
It appears to me that computer viruses all act in fairly similar manners. They may:
- Change system files
- Gather passwords, email addresses, and other information from the host computer
- Send information to other computers
- Receive instructions from other computers
- Change other programs/files on the host computer
- Perform malicious actions to the host computer
- Insert themselves in the system
- Attempt to hide/protect themselves
- Attempt to destroy antivirus software on the host computer

I may have left out something, but the point is that most (if not all) computer viruses perform a limited number of actions. Why can't we target the actions and not devote as much effort to their signatures?
Regards,
lwc
Which is why you should also use a good firewall.
I use the scanner just to scan files I download online. For the rest of the time I use:
=> XP SP2's inbound firewall.
=> An outgoing firewall (I use the freeware Winpooch).
=> Registry's "run" keys' protector (I use the freeware Winpooch). Nothing can register itself to run in the startup without me knowing. To also check other startup methods but the registry, I frequently run one of those programs that sums up the items in my startup and lets me delete unwanted ones (I use the freeware [Startup Control Panel](https://www.mlin.net/StartupCPL.shtml). They also offer [StartupMonitor](https://www.mlin.net/StartupMonitor.shtml) that sits in the background and asks your approval whenever a program tries to add itself to the startup - any of the startup methods).
=> If it's XP's own files, it protects them, you know.
=> I don't see how you could protect against that unless you'd use one of those file checkers that check the most basic internals of your system, which I think is too much. I don't like programs - even the good ones - to bury themselves so deep in the heart of my computer.
=> I have no direct solution to that...
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.