On Tue, 2004-09-28 at 21:35, Steffen Heil wrote:
> Hi
>
> > I have a serious issue with the current way virus samples are submitted.
> > Right now, many viruses, such as the currently-spreading jpeg virus (see
> > http://www.easynews.com/virus.txt) are detected by 0.80rc# or by some CVS
> > version. But we can't be expected to run those on production servers.
> >
> > Yes, I understand that 0.7x can't do a heuristic check for the jpeg
> > exploit. However, it *can* look for this particular file (get your free
> > copy from http://easynews.com/virus/virus-jpeg.zip), and a signature should
> > be released.
> >
> > This is not an isolated case. The virus submission page must be changed
> > to run the latest RELEASED version of clamav.
>
> I totally agree.
> It is great to know that some soon-coming version will detect things better
> and can detect generic problems instead of single viri only.
> However I somehow have the feeling that right now our servers are under
> attack and we are left in the rain alone.
One of the major advantages of ClamAV over commercial products is that you are able to add your own signatures. Signatures for the JPEG exploit for non-80rc versions have been posted to the list.

The only signatures in the new format in the current db are there because old style signatures would either produce false positives, or are not possible to create. There are less than 10 of them. The main advantage of the 0.80 version is the new unpackers and file type support. As such it is able to spot existing signatures in more file types. It does not inherently support a huge number of new signatures.

The ClamAV team have very limited resources, and our time is better spent creating new signatures for unknown viruses, rather than wading through old viruses we already have signatures for, just because they happen to be in some archive type that old versions of clam don't know about.

>
> Maybe, development could be split into two parts: engine and program host.
> Then updates to the engine (to accommodate new virus signature types) could
> be added, while the program can be developed more slowly.

Are you volunteering to build 'engine' binaries for every platform that every user would conceivably use ClamAV on in order to support this?

>
> I like clam-av very much, but knowing that I got a virus that was happily
> detected by McAfee some weeks ago and that I tried to submit to the clamav
> team, is still not detected by my server and may still hit my customers is a
> nightmare.

I've said this before, and I'll say it again. That's a business decision on your part. You have to weigh up the pros and cons of the options and make a decision based on those. You can do things to mitigate the perceived risks of deploying the 0.80rc3 version, like doing internal testing, having a warm backup of your production system with which to continually test CVS versions (and supply feedback), re-configuring your system to use clamscan rather than clamdscan, etc.
Personally, I chucked 15GB of customer email through CVS versions prior to 0.80rc in order to check its integrity. And continued to do so until I was happy with the results. As such I have confidence in its stability.

-trog
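As an added illustration of the "add your own signatures" point in the reply above (example code written for this page, not part of the thread and not ClamAV's own matcher): a small Python scanner that reads the two signature line layouts in use at the time, the old-style `.db` line (`Name=HexSignature`) and the extended `.ndb` line (`Name:TargetType:Offset:HexSignature`), and runs them over a byte buffer. It handles only the `??` (any single byte) and `*` (any run of bytes) wildcards and only `*` or decimal absolute offsets; the real engine supports more, and it does not perform file-type detection, so the target-type field is recorded but not enforced. The sample database and the "infected" input (the harmless EICAR test string) are constructed for the example; the function names `hexsig_to_pattern`, `load_signatures` and `scan_bytes` are this example's own.

```python
"""Minimal matcher for old-style (.db) and extended (.ndb) signature lines.

Added example, not ClamAV's code. Supported subset: hex bytes, '??' and '*'
wildcards, offset '*' or a decimal absolute offset. Target type is parsed
but not enforced (no file-type detection here).
"""
import re
from dataclasses import dataclass

# Constructed sample input: the EICAR anti-virus test string (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample database; not a file shipped by ClamAV.
SAMPLE_DB = "\n".join([
    "# constructed sample database",
    "Eicar-Test-Signature=" + EICAR.hex(),                       # old .db style: whole string
    "Example.Wildcard:0:*:58354f2150??4041505b34*4549434152",     # .ndb with ?? and * wildcards
    "Example.Offset:0:3:2150254041",                               # .ndb anchored at byte offset 3
    "Example.Absent:0:*:deadbeef",                                 # must never match the samples
])

HEX = "0123456789abcdefABCDEF"


@dataclass
class Signature:
    name: str
    target: int        # target type; 0 = any file (not enforced in this example)
    offset: str        # '*' = anywhere, otherwise a decimal absolute offset
    pattern: re.Pattern


def hexsig_to_pattern(hexsig: str) -> re.Pattern:
    """Translate a hex signature with ?? / * wildcards into a bytes regex."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*")              # any run of bytes
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")               # any single byte
            i += 2
        else:
            pair = hexsig[i:i + 2]
            if len(pair) != 2 or pair[0] not in HEX or pair[1] not in HEX:
                raise ValueError(f"bad hex at position {i} in {hexsig!r}")
            parts.append(re.escape(bytes([int(pair, 16)])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_signature(line: str):
    """Return a Signature for one database line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.count(":") >= 3:                 # extended Name:Target:Offset:Hex
        name, target, offset, hexsig = line.split(":")[:4]
        if offset != "*" and not offset.isdigit():
            raise ValueError(f"unsupported offset {offset!r} in {name}")
        return Signature(name, int(target), offset, hexsig_to_pattern(hexsig))
    if "=" in line:                          # old style Name=Hex
        name, hexsig = line.split("=", 1)
        return Signature(name, 0, "*", hexsig_to_pattern(hexsig))
    raise ValueError(f"unrecognised signature line: {line!r}")


def load_signatures(text: str) -> list:
    """Parse every usable line of a database given as text."""
    sigs = []
    for line in text.splitlines():
        sig = parse_signature(line)
        if sig is not None:
            sigs.append(sig)
    return sigs


def scan_bytes(data: bytes, sigs: list) -> list:
    """Return the names of all signatures that match the buffer, in db order."""
    hits = []
    for sig in sigs:
        if sig.offset == "*":
            found = sig.pattern.search(data) is not None
        else:
            found = sig.pattern.match(data, int(sig.offset)) is not None
        if found:
            hits.append(sig.name)
    return hits


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_DB)
    print("EICAR sample:", scan_bytes(EICAR, sigs))
    print("clean sample:", scan_bytes(b"just an ordinary attachment\n", sigs))
```

Run it to see the EICAR buffer hit the whole-string, wildcard and offset signatures while the clean buffer hits none. The same line parser is what lets a site keep a local database of its own signatures next to the distributed one, which is the option the reply above is pointing at for the 0.7x branch.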