500.000+ signatures for ClamWin

ROCKNROLLKID
That's pretty good. That will sure help detection in ClamAV by a lot. How do you deploy all those signatures to ClamAV? Do you submit them all at once or in parts?

GuitarBob
RRK: it appears the sigs are not deployed to Clam AV--they are a separate service. The basic service is free with limited downloads. I signed up and was able to utilize the first 3 of 6 sets of signatures. They seem to work--no db errors once installed in the ClamWin db folder with a subsequent scan. They also appear to be utilized by Clam Sentinel. If Arnaud Jacques was involved in their preparation, I am sure they are very good. This appears to provide some good additional detection capability for ClamWin/Clam Sentinel.
Regards,

ROCKNROLLKID
Interesting, but I think instead of paying for this as a separate service, you should submit these signatures to the ClamAV team and let them apply them directly to their engine. The Clam family is big and there is more than just ClamAV and ClamWin (I can make a list of all the AVs that run the ClamAV engine if you want). Also, you should note that ClamAV does not have any type of dynamic/heuristic way to block malware, so some - most of those signatures will not last long and will need to be updated often.

GuitarBob
RRK: It appears to me that these sigs took some work. Clam AV exists only because Cisco/Sourcefire subsidizes it. No one is subsidizing these signatures. It takes time, talent, hardware, and a system to get virus samples, analyze them, prepare signatures, and then make them available to users. While email services and networks will probably benefit the most from these sigs, a basic set of sigs is free to individual users who register, so all users of the Clam AV scan engine can benefit.
Considering the quantity/quality of the "official" Clam AV signatures, I think Securiteinfo.com is certainly entitled to remuneration for its work. The basic sigs that were available to me after registering amounted to about 1/2 of the signatures in the ClamAV main database. If they are new, then this offers a significant improvement to protection of Clam AV/ClamWin users, and even if some of the sigs are not new, as long as they do not duplicate existing Clam AV "official" sigs, they offer improved protection.
Regards,

SecuriteInfo.com
3/6? You should be able to download the whole set, even with a Basic account. Did you have some technical difficulties downloading the 6 files?
A.J.

SecuriteInfo.com
I agree with you. That's why our signatures are updated every day.

ROCKNROLLKID
@GuitarBob: My goal is to try and get everyone from the Clam family to work together, instead of separating everyone into different products. That's why I suggested to submit some to the ClamAV engine.
I will download them myself and make some use of them. Are these signatures simple md5/hash signatures or are they more complex? Also, is there a way to download them automatically?

GuitarBob
For some reason, my system downloaded the last 3 sets of signatures to my download folder, although I was working with the ClamWin DB folder for the first 3. Anyway, I salvaged them, and they are now in the ClamWin DB folder ready to protect me.
@RRK: there are different types of signatures--probably depending upon the types of malware involved.
Regards,

ROCKNROLLKID
@SecuriteInfo.com: Where can I submit false positives to? I have a few to report.

SecuriteInfo.com
Hello,
You can send false positives in the "Contact" tab in your personal account at www.securiteinfo.com
Regards, A.J.

ROCKNROLLKID
I sent the false positives in an archive.
If you don't mind me asking, how old are these signatures? When I was looking up some of the hashes, they were ranging from 2013-2015. Also, on your site you said "Free version (30-day malwares)". Does that mean I will only get signatures for 30 days then have to pay, or does it mean that the signatures are within 30 days?

SecuriteInfo.com
Hello,
Thank you for the false positives. They are now removed. The signatures are based on malwares from 2012 until today. "Free version (30-day malwares)" means all the signatures from 2012 up to now - 30 days.
Regards, A.J.

ROCKNROLLKID
Thanks for answering, although 30 days or older would really be no better than the ClamAV official signatures. I guess you have to pay to get the newer, 0-day malware.

SecuriteInfo.com
Sure. If security is really important for you, 0-day malware protection is mandatory.
But the 30-days (free) signatures do a good job too. Do you really think ClamAV is able to detect all 30-day-old malwares? When I submit a signature or a false positive to ClamAV, they do not publish it for days, sometimes weeks or months. I got a really big virus collection. Sad to say that ClamAV has a bad detection rate on malwares I got during the last 3 months... That's why I decided to give access to my signatures for the ClamAV community. Before that, only my customers had this level of protection.


