All users with clam will have to upload md5 signatures (with for example md5summer or better with clamwin if it is implement that ability eg. with a help of a torrent or other ability that finds unique files between users to reduce upload bandwidth to clamwin server site) for all Windows, Program Files, and files in Documents and Settings except the user files (eg. photos, downloaded files (eg. zip, rar)). The md5 list is validate against the files which held in a clamwin server site. Those files that are not in the clamwin server site are request from any (or all) of the users who has it, and the server site stuff investigate and add only that files. After a while the server has most programs, dlls, scripts etc. from all languages and versions signed with md5 sum which is not bad. So anyone with access to that list will indicate the possibility that the new exe contain a virus or a spyware. If the server site stuff pick files with the lowest ratio will probably hit a spyware or virus. And after a while the system has the ability to auto healing based on user voting against specific files which no-one has investigate it yet. Lets say one has post a program in some download center which contain a spyware, the first very few negatives votes it's receive from the users who has it, (votes within clamwin application), is strong indication for the next users to not download or run it. Voting and how many users have it maybe has another hidden meaning..
So if I think correct that is the end for both false positives and unrecognized virus or spywares.

I'm glad you are thinking about a way to get more functionality into ClamWin.

For a while, I prepared MD5 signatures for my personal ClamWin program for a few files each day that ClamWin didn't recognize on the Jotti online file-scanning service and kept them in the ClamWin signature directory for several days--until I figured the Clam virus analysts had gotten them in the official signatues (they never would tell me their turnaround time).

I finally quit this because there were just too many malwares that Clam (and any other antivirus program) did not recognize, and I could only devote a short time each day to signature development.

The MD5 signatures are very limited. An MD5 sig is for an entire malware file. Some malware is released in a different version several times each day (some of them every hour or so), and just a slight change will outdate a previous MD5 signature. There is also now a trend toward "local" malware, so a signature for such malware will not do any good for someone in another region/country.

This proposal would require additional resources for ClamWin--programming, probably equipment, and dedicated personnel time. Considering its limited resources, it might be best for ClamWin to continue "piggybacking" on ClamAV. At one time, they were kicking around the idea of a virus lab, but I think they have shelved it.

If we just sit tight, ClamAV is coming along nicely, and ClamWin will benefit from it. I would like to see ClamWin "stretch" the program--after version 1.0 to allow for another engine/signatures--sort of like F-Secure, or maybe some capabilities that apply to Windows personal users instead of just email services, which are ClamAV's intended users.


Regards,