ClamWin Version 1.0 Dependency On ClamAV
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
How dependent upon ClamAV will ClamWin version 1.0 be? In other words, is the code written so that it would be possible to use another antivirus engine and/or signature database without a major revision?

I am just wondering. At some point, this might become an important consideration because of differences in users, philosophy or location.

Regards,
drgoa.r


Joined: 20 Nov 2006
Posts: 0
Location: Bulgaria
If the engine can be changed, then probably the developers must change the name also; ClamWin will not be so good a name then.
I hope the developers will break the connection between ClamWin versions and ClamAV engine versions,
because there are so many reasonable suggestions (about the GUI, etc.) which can be implemented before engine updates.
Or the developers could make a new numbering, for example ClamWin 0.88.7-A, 0.88.7-B, etc., to mark ClamWin changes without engine differences.
ClamWin Dependency Upon ClamAV
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The ClamAV engine is a good one, and they are making it better all the time. This year they should start using some advanced heuristics. ClamAV's "market" is email servers using Linux, however. The average Windows PC user has an ISP that already scans email for them, so their primary exposure to malware is going to be malicious Web sites, Active-X scripts, and adware/spyware instead of mostly email viruses. Understandably, ClamAV gives priority to its market and to developing signatures for it. I believe that ClamWin at some point will have to have a "market" of its own. Maybe in version 2.0?

Regards,
Re: ClamWin Dependency Upon ClamAV
b0ne


Joined: 26 Oct 2006
Posts: 0
GuitarBob wrote:
I believe that ClamWin at some point will have to have a "market" of its own.
Sherp and I had mentioned not using clamav engine anymore, just their signatures, but "heading off on our own" requires a large technical base of supporting malware analysts.
drgoa.r


Joined: 20 Nov 2006
Posts: 0
Location: Bulgaria
Where exactly is the problem:
- the scanning engine can't scan for spyware?
- or a lack of signatures for spyware in the database?
ClamWin Heading Off On Its Own
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Well, you probably don't want to do that at this point, but perhaps eventually ClamWin could either 1) develop a few signatures for really bad Windows malware on its own or 2) rely more heavily upon heuristic techniques specific to Windows PC viruses. Either option might not require a massive effort. Also, I understand that some antivirus companies are automating the process to a certain extent. Finally, the quality of the signature database is equally as important as the number of signatures--especially if you are able to identify an entire virus "family" with just a few signatures.

ClamWin provides one of the scanners at VIRUSTOTAL, and I understand that VIRUSTOTAL submits virus samples to the scanner providers. If they furnish MD5 hashes, could you use that for a signature? And, of course, you could accept virus samples from users.

Just a few ideas--perhaps for version 2.0 or 3.0.

Regards,
Re: ClamWin Heading Off On Its Own
drgoa.r


Joined: 20 Nov 2006
Posts: 0
Location: Bulgaria
GuitarBob wrote:
ClamWin provides one of the scanners at VIRUSTOTAL, and I understand that VIRUSTOTAL submits virus samples to the scanner providers. If they furnish MD5 hashes, could you use that for a signature? And, of course, you could accept virus samples from users.

Virus samples are sent to ClamAV virus database maintainers.
And they include them as fast as they can.
You may look at this list: https://lurker.clamav.net/list/clamav-virusdb.html
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You wrote:

"Virus samples are sent to ClamAV virus database maintainers.
And they include them as fast as they can."

Yes, I am aware of that. I also know that ClamAV does a good job with limited resources--they're now approaching 90,000 signatures. I am also aware that VIRUSTOTAL submits viruses to those scanners that it uses, and it references Clam/ClamWin as one of its scanners at the VIRUSTOTAL Web site.

I once sent ClamAV a copy of a virus that it didn't detect, although my other/real-time scanner did. I checked it at VIRUSTOTAL, and I assume VIRUSTOTAL also sent it to ClamAV. I scanned the file with ClamWin several times over the next couple of weeks, and each time I found that it was not in the signatures from ClamAV (I quit looking and deleted it after that). Several other people have also mentioned a similar experience after submitting malware to ClamAV. Conclusion: things could be different now, but based on my experience, ClamAV gives signature priority to email services/viruses--certainly not to Windows PC users.

I am a Windows PC user.

Regards,
Analyzing Viruses
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Is there any chance that Rainbow Cracking can be useful in analyzing viruses? Further info at:

https://www.antsight.com/zsl/rainbowcrack/

Regards,
Re: Analyzing Viruses
b0ne


Joined: 26 Oct 2006
Posts: 0
GuitarBob wrote:
Is there any chance that Rainbow Cracking can be useful in analyzing viruses?
Not unless cracking hashes can determine if an executable's machine code has malicious intent, and classify it correctly.
Cracking Hashes
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You said recently that Clam can ID viruses via MD5 hash. Are there a finite number of malicious tasks that can be accomplished on a computer? Would a malicious task have a different hash series for every virus that accomplishes it? I'm wondering just about the malicious part--not anything else that might be in the virus signature.

Regards,
Re: Cracking Hashes
b0ne


Joined: 26 Oct 2006
Posts: 0
GuitarBob wrote:
You said recently that Clam can ID viruses via MD5 hash.
Yup, they are hashes of entire files.
Quote:
Are there a finite number of malicious tasks that can be accomplished on a computer?
Is downloading a file a malicious task? Or is it only malicious when it downloads a file and then executes it without user interaction? Are all Browser Helper Objects for Internet Explorer inherently bad because they can see your pre- and post-rendered web pages?

I see what you're getting at, but unfortunately, there are many ways to "code" the malicious behavior, and MD5s are very exacting. One byte change to a piece of code changes the MD5 completely.

Quote:
Would a malicious task have a different hash series for every virus that accomplishes it?
This is best illustrated with an example; I selected a piece of code that checks whether or not the internet is available between two variants of SDBot:

lxsys.exe - SDBot variant
Code:
xor     edi, edi
mov     [ebp+var_4], 2
cmp     dword_41BDAC, edi
jnz     loc_4072D2
push    edi
push    edi
lea     eax, [ebp+var_C]
push    edi
push    eax
call    InternetGetConnectedStateEx
test    byte ptr [ebp+var_C], INTERNET_STATE_CONNECTED
jz      short loc_4054D5
Byte signature: 33FFC745FC02000000393DACBD41000F85181E000057578D45F45750FF1508BB4100F645F4017408
MD5 of this "code chunk": A4ED69600AE3A59254A0489E0D16F211

final0new.exe - A very similar SDBot variant
Code:
xor     edi, edi
mov     [ebp+var_4], 2
cmp     dword_41BDBC, edi
jnz     loc_4072D2
push    edi
push    edi
lea     eax, [ebp+var_C]
push    edi
push    eax
call    InternetGetConnectedStateEx
test    byte ptr [ebp+var_C], INTERNET_STATE_CONNECTED
jz      short loc_4054D5
Byte signature: 33FFC745FC02000000393DBCBD41000F85181E000057578D45F45750FF1518BB4100F645F4017408
MD5 of this code chunk: F0615C30C4BEF8D20D1C3339E7B4C40D

As you can see, there is a two-byte difference between these two pieces of nearly identical machine code; however, look at the MD5 values for these two chunks.
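An added example, not from the post or from the ClamWin/ClamAV projects, that reproduces the point above on the two byte sequences b0ne quoted: it hashes each chunk, counts how many digest bits the two-byte change flips, and builds a hex signature using the '??' single-byte wildcard of ClamAV's hex signature format so that one signature matches both variants. The wildcard signature is constructed here for illustration and is not a published ClamAV signature.

```python
import hashlib
import re

# The two byte sequences quoted in the post above (same routine, two SDBot variants).
VARIANT_A = bytes.fromhex(
    "33FFC745FC02000000393DACBD41000F85181E000057578D45F45750FF1508BB4100F645F4017408")
VARIANT_B = bytes.fromhex(
    "33FFC745FC02000000393DBCBD41000F85181E000057578D45F45750FF1518BB4100F645F4017408")

def md5_hex(data: bytes) -> str:
    """Whole-chunk MD5: the exact-match kind of hash the post discusses."""
    return hashlib.md5(data).hexdigest().upper()

def hamming_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length chunks differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def wildcard_signature(a: bytes, b: bytes) -> str:
    """Hex signature with '??' wherever the two variants disagree.
    '??' is ClamAV's single-byte wildcard; the signature built here is a
    constructed illustration, not a published ClamAV signature."""
    diff = set(differing_offsets(a, b))
    return "".join("??" if i in diff else f"{x:02X}" for i, x in enumerate(a))

def signature_to_regex(sig: str):
    """Compile a hex signature with '??' wildcards into a regex over bytes."""
    parts = []
    for i in range(0, len(sig), 2):
        tok = sig[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def matches(sig: str, data: bytes) -> bool:
    """True if the wildcard signature occurs anywhere in the data."""
    return signature_to_regex(sig).search(data) is not None

if __name__ == "__main__":
    sig = wildcard_signature(VARIANT_A, VARIANT_B)
    print("offsets that differ:", differing_offsets(VARIANT_A, VARIANT_B))
    print("MD5 A:", md5_hex(VARIANT_A), " MD5 B:", md5_hex(VARIANT_B))
    print("digest bits flipped:", hamming_bits(md5_hex(VARIANT_A), md5_hex(VARIANT_B)))
    print("wildcard signature:", sig)
    print("matches both variants:", matches(sig, VARIANT_A) and matches(sig, VARIANT_B))
```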
Finding The Bad Guys
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You wrote:

"Are all browser-helper-objects for internet explorer inherently bad because they can see your pre and post rendered web pages?"

That's the problem--eh? Browsers are inherently dangerous because of their functionality, and we can't/don't want to lose that functionality. We have to live with that then and minimize the danger where possible.

"I see what you're getting at, but unfortunately, there are many ways to "code" the malicious behavior, and MD5s are very exacting. One byte change to a piece of code changes the MD5 completely."

Perhaps the behavior blocker guys have it right then, but some of their "hooks" are about as bad as rootkit viruses. I was hoping you could do a lot of work up front on a rainbow table for malicious actions that would facilitate things when checking for viruses.

Downloading malicious software doesn't hurt--until it's actually run on your computer. Guess that's why some AV software doesn't worry about unpacking everything, but they need to be very fast when the bad stuff kicks in.

As usual, thanks for the info.

Regards,