When I saw you can't detect it, I submitted it to ClamAV but it has been a while and they didn't even confirm the submission to my e-mail!

So it's on the way to your e-mail (zipped and password protected).

To prove to myself my version of ClamWin is ok, I tried scanning this virus in your online scanner but I couldn't do it https://forums.clamwin.com/viewtopic.php?t=520 because it's dead. Nevertheless, https://www.virustotal.com indeed claims ClamAV is among the ones that don't detect it:



Where is NAV in this list?
Nav detects this virus as https://www.symantec.com/security_response/writeup.jsp?docid=2006-061009-4441-99 Bloodhound.NsAnti.

please be patient, it takes some time to add a new virus. The priority is given to wider-spread variants, but your submission will get there.

What's going on...? I sent that message to clamwim at clamwin.com and got this in return:

I got the message with the virus attached, thanks. I forward all mail to GMail and it doesn't like some of the attachment types.

It has been months and as you see this virus was added to some of the programs that didn't know about it back then. So what about ClamAV?

And again I ask where is NAV in this list (which does recognize it)?

Thanks!

P.S.
It doesn't matter (both for that online check and for WinClam itself) that I've renamed it from "2.exe" to "virus.bak" (so I wouldn't click on it by mistake), right?

I believe ClamAV at one time had the capability for knowledgeable users to add to the virus signatures that is on their personal machines. I don't know if you can/could do this with ClamWin. If this capability still exists, and if ClamWin has it, you can add it to yours by using the proper procedures--if you could get the signature from VirusTotal or elsewhere.

Regards,

As you see in the line that opened this whole topic - I have sent the actual virus to ClamAV and later to alch, which is why I wonder why nothing changed all these months.

Since we're not part of either the ClamAV or the ClamWin teams, we can't really tell why it hasn't been added. ClamAV is responsibe for the database, and they do a pretty good job. They have been updating like mad recently--with over 74,000 signatures now. They update more frequently than many of the commercial AV programs, but their time is limited, and as Alch said, they have to concentrate upon the most prevalent malware signatures. It might help the entire AV industry if there was a common naming scheme, and if the AV companies shared signature information. Otherwise, there is a lot of duplication of effort/cost as is the case now.

I noticed in the additional information at the end of your VirusTotal report that the malware may have been packed/compressed with something called "Aspack." If that's true, then perhaps ClamAV doesn't yet support it, and that is your reason. Each packer requires separate code, I believe, and there are so many different packing schemes around. They now support quite a few packers, and version 0.90 promises a few more.

I saw that VirusTotal used 27 different AV programs, and 10 of them, including ClamWin, didn't find the virus.

Hope this helps.

Regards,

Who's "we"? Thanks for the info, but do you know where's NAV in this list?

You were asking why the virus you found was included in the ClamAV database. "We" are you and I, so since we aren't on the Clam or ClamWin team, we can only guess as to the answer. I offered my best guess, but it certainly isn't an "official" answer.

You will have to check with the administrator of the site to which you submitted the virus sample to find out why certain antivirus software was omitted from their test. I can give you my best guess, but I don't think you want that--eh?

Regards,

A new year has come upon us (and I hope in one year I won't say "come and gone") and still ClamAV is among the only antiviruses that don't recognize this virus...

I see that Microsoft, NOD 32, and E-Trust still don't detect the virus either. If you want to help Clam get it into its database, I suggest that you send a zipped sample of the virus to ClamAV. Go to Web page https://cgi.clamav.net/sendvirus.cgi.

Regards,

Hmm...here's the line the opened up this entire topic...



All the more reason to detect it. You want to be one of the best, not one of the worst.

'Peers to me that ClamAV is oriented toward large capacity email service providers. It looks like they get first preference.

If that is true, it might be a good reason for ClamWin to have a separate signature database specific to Windows PC users, but that would be hard to do--where do you draw the line and avoid duplication?

It also 'peer to me that the antivirus industry would be better off using a common signature database. It would certainly eliminate some confusion and make sure they are all on the right page. Why don't they all contribute to a World Wide Signature Effort. But that might put a lot of virus signature maintenance people out of jobs--eh?

If you want to go to the time/trouble, you can learn to update the signatures yourself. According to bOne, Clam can use MD5 hashes, and I believe VIRUSTOTAL provides an MD5 hash.

Regards,

What bothers me is the lack of NAV in this list (at least I can't spot it) as while it may be an annoying program it's still mainstream enough to find info based on its brand names for viruses.

Anyway, you're certainly not the first one to realize that, and there were many articles about it, but so far they can't come to an agreement. Kind of like DVD+, DVD- and DVD-RAM, which is so insane that while they're fighting, even newer formats keep coming out like HD-DVD and Blu-ray Disc. I guess the days of VHS vs. Beta, when the loser dissapeared pretty quickly and without a trace, are gone. Then again, maybe it's easier to support multiple types of digital media (especially in a computer drive) than it was to support multiple types of analog media.

BTW, out of curiosity, why do you bother creating a different subject (let alone a subject) to each of your posts?