ROCKNROLLKID
From this point on, I will post when ClamAV releases a false positive patch for people who are curious (I will filter out the senders for privacy concerns). False positives fixed in database number 19675.
Submission-ID: 32688596 Submission notes: file whitelisted in fp database.
Submission-ID: 319004561 Submission notes: file whitelisted in fp database.
Submission-ID: 651291751 Submission notes: file whitelisted in fp database.
Submission-ID: 620796229 Submission notes: file whitelisted in fp database.
GuitarBob
Is this useful, RRK? We don't receive any sort of ID when a false positive file is sent to Clam AV.
By the way, they still haven't corrected my Nimda submissions. I resubmit once a week:

viruses:
C:\Windows\System32\DriverStore\FileRepository\nova8.inf_amd64_f60993cd4ed3304a\amd64\novaem8.exe: [Win.Worm.Nimda-15] FALSE POSITIVE FOUND
C:\Windows\System32\DriverStore\FileRepository\nova8.inf_x86_f60993cd4ed3304a\i386\novaem8.exe: [Win.Worm.Nimda-15] FALSE POSITIVE FOUND
C:\Windows\System32\spool\drivers\W32X86\3\novaem8.exe: [Win.Worm.Nimda-15] FALSE POSITIVE FOUND
C:\Windows\System32\spool\drivers\x64\3\novaem8.exe: [Win.Worm.Nimda-15] FALSE POSITIVE FOUND
Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at https://www.clamav.net/sendvirus/

Regards,
ROCKNROLLKID
Perhaps you are right. Maybe if they showed more information on each false positive, it would be more useful, then.
GuitarBob
Yes, I think it would be. As it stands now, a user has to work pretty hard to find if the false signature on his sample has been corrected. Best way I've found is just to check the file occasionally with ClamWin.
Before ClamWin developed the protection from FPs on signed Microsoft files, there were many false positives on Windows system files after each Patch Tuesday update. That was a couple of years ago, so evidently Clam AV cares more about preparing automated signatures for Virus Total submissions than correcting user-submitted false positives. I could be wrong (frequently am), but it seems to me that Clam AV (via its Sourcefire handlers) really has more of an intrusion detection orientation than AV.

Regards,
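GuitarBob's pasted report earlier in this thread, and his remark here that the only practical way to learn whether a false positive has been corrected is to rescan the file occasionally with ClamWin, suggest a small helper. The script below is an added example, not code from ClamWin, ClamAV or either poster: it parses report lines in the format quoted in this thread (constructed sample reports are embedded; the Win.Trojan.Example-1 signature and the C:\Temp paths are made-up values) and diffs an older report against a newer one to show which detections disappeared after a signature update and which are still present and worth re-submitting.

```python
import re
from dataclasses import dataclass

# Constructed sample reports in the format quoted in this thread. ClamWin marks a
# hit on a Microsoft-signed system file as "[Sig] FALSE POSITIVE FOUND"; a plain
# hit is "<path>: <Sig> FOUND"; clean files show "OK". The Win.Trojan.Example-1
# signature and the C:\Temp paths are made up for this example. Raw strings keep
# the Windows backslashes literal.
REPORT_BEFORE = r"""
C:\Windows\System32\DriverStore\FileRepository\nova8.inf_amd64_f60993cd4ed3304a\amd64\novaem8.exe: [Win.Worm.Nimda-15] FALSE POSITIVE FOUND
C:\Windows\System32\spool\drivers\x64\3\novaem8.exe: [Win.Worm.Nimda-15] FALSE POSITIVE FOUND
C:\Temp\downloads\sample.bin: Win.Trojan.Example-1 FOUND
C:\Temp\downloads\clean.txt: OK
"""

# The same machine scanned after a later signature update: the Nimda hits are gone.
REPORT_AFTER = r"""
C:\Windows\System32\DriverStore\FileRepository\nova8.inf_amd64_f60993cd4ed3304a\amd64\novaem8.exe: OK
C:\Windows\System32\spool\drivers\x64\3\novaem8.exe: OK
C:\Temp\downloads\sample.bin: Win.Trojan.Example-1 FOUND
"""

# One report line: the path runs up to the last ": " before the verdict.
LINE_RE = re.compile(
    r"^(?P<path>.+?): "
    r"(?:\[(?P<fp_sig>[^\]]+)\] FALSE POSITIVE FOUND"
    r"|(?P<sig>\S+) FOUND"
    r"|OK)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    signature: str
    false_positive: bool  # True when ClamWin's signed-file check overrode the hit


def parse_report(text: str) -> list:
    """Extract every detection (FP-flagged or not) from a ClamWin/clamscan report."""
    detections = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, summary lines, anything unrecognised
        if m.group("fp_sig"):
            detections.append(Detection(m.group("path"), m.group("fp_sig"), True))
        elif m.group("sig"):
            detections.append(Detection(m.group("path"), m.group("sig"), False))
        # "OK" lines carry no detection and are skipped
    return detections


def false_positive_signatures(detections: list) -> list:
    """Signature names ClamWin flagged as false positives (one submission per name)."""
    return sorted({d.signature for d in detections if d.false_positive})


def _key(d: Detection) -> tuple:
    # Windows paths are case-insensitive; signature names are not.
    return (d.path.lower(), d.signature)


def compare_reports(old_text: str, new_text: str) -> tuple:
    """Split the old report's detections into (resolved, persisting) against the new one."""
    old = {_key(d): d for d in parse_report(old_text)}
    new = {_key(d): d for d in parse_report(new_text)}
    resolved = [old[k] for k in sorted(old) if k not in new]
    persisting = [old[k] for k in sorted(old) if k in new]
    return resolved, persisting


if __name__ == "__main__":
    resolved, persisting = compare_reports(REPORT_BEFORE, REPORT_AFTER)
    print("False-positive signatures in old report:",
          false_positive_signatures(parse_report(REPORT_BEFORE)))
    for d in resolved:
        print(f"resolved:   {d.signature} no longer hits {d.path}")
    for d in persisting:
        print(f"persisting: {d.signature} still hits {d.path}")
```

Run it against two saved ClamWin log files instead of the embedded strings to get the same "resolved / persisting" split for real scans; anything listed as persisting with false_positive set is a candidate for another trip to the sendvirus form.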
ROCKNROLLKID
Walkthrough for sample file properties for bytecode signatures is posted here: https://blog.clamav.net/2014/11/sample-file-properties-collection.html
GuitarBob
I can't endorse the way Clam AV is going. The average user is not/should not be concerned with this. A user should not have to be a sigmaker to get good protection. I actually hope that ClamWin is not enabling these types of signatures. If it is, they will only be useful to users who are sysops or higher level. I don't see how this can benefit the average ClamWin user. Clam AV already lacks in the categories of signature production, false positive remediation, as well as preparation time. They are going to need hordes of sigmakers for this, and there is no personnel. It appears that Clam AV expects the user to be responsible for his own protection.

Regards,
ROCKNROLLKID
Actually, they have a few staff working on bytecode signatures, either volunteered or hired by Cisco (most likely volunteered), at least that's what it says in their blog. They were put on halt for a long time because of the issues with bytecode signatures not being very good. I think the reason they put those up is in case anyone was interested in helping.
GuitarBob
Yes, they can certainly use all the help they can get, but it appears to be manual help, and the bytecode sigs are still complicated. Most people that are qualified to prepare them would probably want to be paid for their knowledge, and that will probably not happen.
The last I heard was that there are about 80 thousand pieces of malware (viruses) that appear daily. See https://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html on the web. This malware consists of some brand new viruses but mostly re-packaged versions of current viruses that are changed just enough to escape detection for a few hours/days. Of course, only a small portion of this malware will probably affect Clam AV/ClamWin users, but I do not think that Clam AV can cover them with a few bytecode sigs. I used to be happy if one of my signatures caught a few hundred. I guess we shall see, eh?

Regards,
ROCKNROLLKID
This was just added in database number 19782. I am not too sure what these are.

Added: crtdb.4918813
Added: crtdb.4918815
Added: crtdb.4918817
Added: crtdb.4918819
Added: crtdb.4918821
Added: crtdb.4918823
Added: crtdb.4918825
Added: crtdb.4918827
Added: crtdb.4918829
Added: crtdb.4918831
Added: crtdb.4918851
Added: crtdb.4918857
Added: crtdb.4918861
Added: crtdb.4918869
Added: crtdb.4918873
Added: crtdb.4918881
Added: crtdb.4918887
Added: crtdb.4918893
Added: crtdb.4918897
Added: crtdb.4918901
Added: crtdb.4918929
Added: crtdb.4918945
Added: crtdb.4918953
Added: crtdb.4918967
Added: crtdb.4918983
Added: crtdb.4919025
Added: crtdb.4919037
Added: crtdb.4919045
Added: crtdb.4919057
Added: crtdb.4919067
Added: crtdb.4919093
Added: crtdb.4919099
Added: crtdb.4919101
Added: crtdb.4919103
Added: crtdb.4919105
Added: crtdb.4919107
Added: crtdb.4919109
Added: crtdb.4919111
Added: crtdb.4919113
Added: crtdb.4919115
Added: crtdb.4919117
Added: crtdb.4919119
Added: crtdb.4919121
Added: crtdb.4919123
Added: crtdb.4919125
Added: crtdb.4919127
Added: crtdb.4919129
Added: crtdb.4919131
Added: crtdb.4919133
Added: crtdb.4919135
Added: crtdb.4919137
Added: crtdb.5347605
Added: pdb/wdb-signature
Added: pdb/wdb-signature
Added: pdb/wdb-signature
Added: pdb/wdb-signature
Added: pdb/wdb-signature
Added: crtdb.5820691
Added: crtdb.5823779
Added: crtdb.5823781
Added: crtdb.5823783
Added: crtdb.5823785
Added: crtdb.5823787
Added: crtdb.5823789
Added: crtdb.5823791
Added: crtdb.5823793
Added: crtdb.5823795
Added: crtdb.5823797
Added: crtdb.5823799
Added: crtdb.5823801
Added: crtdb.5823803
Added: crtdb.5840791
Added: crtdb.5840793
Added: crtdb.5840795
Added: crtdb.5840797
Added: crtdb.5903799
Added: crtdb.5903801
Added: pdb/wdb-signature
Added: Win.Exploit.CVE_2014_6349
ROCKNROLLKID
Nothing really important, but ClamAV was voted project of the week on sourceforge: https://blog.clamav.net/2014/12/clamav-is-among-sourceforge-projects-of.html
GuitarBob
The crtdb files are databases of revoked digital certificates. It seems that Clam AV would rather have a database of them instead of just checking the certificate chain when they scan a file.
Regards,
ROCKNROLLKID
Once again, nothing important, but there was a blog created about detection and prevention for ClamAV on Gravity Forms. You can view more about that here: https://blog.clamav.net/2015/01/detection-and-prevention-of-malware.html
ROCKNROLLKID
ClamAV version 0.98.6 was released today. The change log and information is available here: https://blog.clamav.net/2015/01/clamav-0986-has-been-released.html
ROCKNROLLKID
ClamAV won community choice award for February. More information about this is here: https://blog.clamav.net/2015/02/clamav-wins-community-choice-award-for.html and here: https://sourceforge.net/blog/february-2015-community-choice-project-of-the-month-clamav/
Updates on ClamAV are posted here
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.