ClamWin Free Antivirus
Support and Discussion Forums
Anti-virus techniques and comparative study of ClamAV
xion_more


Joined: 14 Jun 2009
Posts: 0
Hi,
I have been reading the ClamAV source for quite some time. I have also been investigating some other anti-virus products like XYZ (I can't mention a specific name for security reasons). I figured out some basic methodology used by anti-virus products, which is as follows:
1. Signature-based scanning.
2. Algorithmic detection (which mainly covers some of the variants).
3. General-purpose monitors.
4. Access control shells.
5. Heuristic binary analysis.

Please correct me if I missed anything.

I was comparing ClamAV with other (commercial) anti-virus products. I have been able to find some false positives in some other commercial anti-virus products.
For example, I successfully modified a target Win x86 binary to generate a false positive in anti-virus and then framed a comparative study of scanning techniques.
The results say that on a respective binary some other commercial anti-virus products give a false positive while scanning it.
That binary is nothing but false sections embedded into it and then compressed with the UPX packer.
But the ClamAV response was far more appreciable than the others.

So, my focus turned to the ClamAV PE header and PE executable scanning API. After a short investigation of the behaviour of ClamAV, I figured out there can be some more advancement of those APIs for scanning infection inside Win PE executable files. The APIs are <cli_peheader> and <cli_scanpe>.
I believe there are some other techniques for infecting Win PE executables which were not considered while writing ClamAV. [Please reply with some sort of technical idea regarding this. If I'm wrong, point out the areas for which those two APIs are working correctly, and their corresponding limitations.]

For example,
A PE file can be infected in various ways, which are as follows:
1. Number of sections more than 100 and embedded code inside it.
2. Adding a new object to the object table and pointing the entry point RVA to this new object.
3. Modifying raw data by increasing a few bytes, etc.
[Please point out other methods, or whether I made mistakes regarding PE infection.]

All the above techniques can be done for exploiting or bypassing anti-virus or for triggering false positives from AV.
My point is: what sort of techniques are incorporated in ClamAV for handling such techniques? I may not be able to point out all methods of PE infection, but some others could be like packing virus code inside an executable which may be packed with other packers [point it out if I'm wrong].
I'm pretty sure about the areas of polymorphic and metamorphic viruses which are not fully covered by ClamAV.

Virus code can be packed with the following known packers:
1. UPX
2. FSG
3. Petite
4. Crinkler
5. Win32
6. WWPack32
7. ASPACK
8. ASPR
9. MEW
10. MPRESS
11. PKLite32
12. Shrinker32
13. Upack
14. PESpin, etc.
[Please report to me if others exist.]

I have no idea what ClamAV's support for such packers is. All I know is that ClamAV supports the UPX and MEW packers.
My point is, what are the measures taken by ClamAV for handling such huge packer facilities, and what measures has ClamAV taken for upcoming packers? Is there any generic rule for alerting the user if the packer is unknown? I guess it does exist, but how will ClamAV confirm the non-existence of viral code inside it?
[Please reply with full technical points regarding each issue.]

I may not have covered the complete virus infection issue, but as far as I could, I pointed out pretty much.
I need a helpful reply on this matter.

Thanks.
[Please reply covering each issue; if not, please make a point regarding each issue. I urge the developers of ClamAV to take this discussion as healthy and appreciable.]
[For non-ClamAV users, reply with some sort of proof if available, or just make a point in brief, or point to other discussions which are applicable to my views.]

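A defender's illustration of the header-level checks the post asks about, added here as an example and not code from ClamAV or from the poster: it parses a PE32 header and section table, flags the section-count, entry-point and raw-size anomalies listed above, and recognises a few packer section names. The packer name table, the function names and the constructed sample images are assumptions made for this example.

```python
import struct

# Section names some packers leave behind (assumed list from the packers named in the post, not ClamAV's tables)
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack", b".petite": "Petite",
                        b".MPRESS1": "MPRESS", b".MEW": "MEW"}

def parse_pe(data):
    """Read the COFF header, AddressOfEntryPoint and section table of a PE32 image."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe_off + 6)
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # OptionalHeader.AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, raw, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, pe_off + 24 + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0"), vsize=vsize, vaddr=vaddr, rsize=rsize, raw=raw, chars=chars))
    return dict(entry_rva=entry_rva, sections=sections)

def check_pe(data):
    """Return header-level anomaly strings for the PE infection patterns discussed in the post."""
    pe = parse_pe(data); secs, ep, findings = pe["sections"], pe["entry_rva"], []
    if len(secs) > 96:  # the PE/COFF spec caps the section count the Windows loader accepts at 96
        findings.append("section count %d exceeds the loader limit of 96" % len(secs))
    home = [s for s in secs if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rsize"])]
    if not home:
        findings.append("entry point 0x%x lies outside every section" % ep)
    elif home[0] is secs[-1] and home[0]["chars"] & 0x80000000:  # IMAGE_SCN_MEM_WRITE on the last section
        findings.append("entry point in writable last section %r (appended-code pattern)" % home[0]["name"])
    for s in secs:
        if s["raw"] + s["rsize"] > len(data):
            findings.append("section %r raw data runs past end of file" % s["name"])
    for packer in sorted({PACKER_SECTION_NAMES[s["name"]] for s in secs if s["name"] in PACKER_SECTION_NAMES}):
        findings.append("section names indicate the %s packer" % packer)
    return findings

def build_pe(sections, entry_rva, file_size, opt_size=0xE0):
    """Construct a headers-only PE32 image for testing (constructed data, not a loadable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", entry_rva)).ljust(opt_size, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, raw, 0, 0, 0, 0, ch) for n, vs, va, rs, raw, ch in sections)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(file_size, b"\0")

# Constructed samples: a clean two-section layout, a UPX-style layout, and a layout with an appended executable section
TEXT, DATA = (b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020), (b".data", 0x1000, 0x2000, 0x200, 0x600, 0xC0000040)
BENIGN = build_pe([TEXT, DATA], 0x1010, 0x800)
PACKED = build_pe([(b"UPX0", 0x10000, 0x1000, 0, 0x400, 0xE0000080),
                   (b"UPX1", 0x5000, 0x11000, 0x200, 0x400, 0xE0000040)], 0x15000, 0x800)
APPENDED = build_pe([TEXT, DATA, (b".new", 0x1000, 0x3000, 0x1000, 0x800, 0xE0000020)], 0x3000, 0x800)
```

Running `check_pe` over the three samples returns no findings for BENIGN, the last-section and UPX findings for PACKED, and the last-section and truncated-raw-data findings for APPENDED; a signature engine would still have to decide whether the flagged layout is malicious.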
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
You might be better off posting in the clamav-users mailing list. This is the ClamWin forum.
xion_more


Joined: 14 Jun 2009
Posts: 0
Give me the ClamAV forum links. I couldn't find them.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I can't find a forum for Clam AV, but here is the link to their developers' blog at https://clam-av.blogspot.com/ on the web. Perhaps that will lead you somewhere or put you in touch with someone who can help.

Regards,
xion_more


Joined: 14 Jun 2009
Posts: 0
Consider the fact that my discussion might be helpful for this forum.
Take this as a compliment: a guy from an AV forum redirecting the discussion to another forum just because the discussion topic
is for the *nix platform and the forum is mainly for the Win platform.

Thanks for help
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The items you were addressing are technical. Clam Antivirus provides the scanning engine and signature database used by ClamWin. ClamWin isn't directly involved in developing the antivirus--it merely ports the Clam AV engine over to Windows and applies a graphical interface. Actual development of the antivirus is at Clam AV. Additionally, Clam AV is now owned by Sourcefire, a commercial company, although Sourcefire has announced its intention to keep Clam Open Source.

Regards,
xion_more


Joined: 14 Jun 2009
Posts: 0
What sort of product is ClamAV? There is no forum for discussion.
I'm tired of searching for a ClamAV forum.
Where is the CTO of that company?
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
There is a clamav-users mailing list and it is easy to find.
xion_more


Joined: 14 Jun 2009
Posts: 0
clamav-users mailing list, cool! There is no reply from the other side. I've been waiting on a stone for a long time.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Venting your anger here won't get you anywhere.
xion_more


Joined: 14 Jun 2009
Posts: 0
**got help** from Site Admin at last


Last edited by xion_more on Sun Jun 28, 2009 7:25 am; edited 1 time in total
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
I can't help you even if I wanted to. The scanning engine is developed by clamav team. I suggest you download clamav source code and study it thoroughly:
https://www.clamav.net/download/sources/
xion_more


Joined: 14 Jun 2009
Posts: 0
OK... but I have some queries. Where could I ask them?
xion_more


Joined: 14 Jun 2009
Posts: 0
How do I protect/shield my own anti-virus daemon binary from infection? Is there any known standard mechanism?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I wouldn't worry too much about your AV being attacked specifically. This isn't done very often by malware. Each AV is a little different, and many AVs are now "hardened" to a certain extent. Usually malware tries to disable AV/security software by disabling the updates or preventing AVs from running in the first place. A file infector, like Sality (Dr. Web--Sector 19), may infect the AV, but there aren't too many of them now.

There are some programs that will monitor your AV (or any program you want). Look at Task Catcher for one. There is some information about it at https://billpstudios.blogspot.com/2009/06/new-task-catcher-feedback-requested.html on the web. I believe there are free and paid versions.

Regards,