On Feb 16, 2005, at 7:04 PM, John Madden wrote:

In any case, Clam is a user supported project. ALL viruses are submitted by
end users. So, the only way response will get any better is if you submit
new viruses you receive that get by clam.


It's not going to 'improve' any other way.

Well, that'd be my assumption as well. What I'm poking for is the
potential for a means of making the process more formalized, like having a
team of officials per continent who volunteer to be on the spot for given
hours of the day? Are there [vendor] forums where outbreaks are discussed?
Does anyone watch releases from the major vendors to be able to develop
signatures for ClamAV? Things like this have probably been mentioned
before, I suppose.


If ClamAV is to compete with companies who do nothing but develop virus
signatures, I would think we'd have to find a way of tapping into the same
resources or methodology somehow.

They get samples submitted or they arrive at their honeypots, they disassemble them, and integrate them into their signature databases.


Try searching for how long commercial vendors do updates. I typically get updates every couple of hours from ClamAV, and have been extremely pleased with the timeliness of their updates. Other vendors are NOT necessarily ahead of Clam.

Read up on it for some examples.

http://www.av-test.org/down/papers/2004-02_vb_outbreak.pdf

http://www.dslreports.com/forum/remark,12249908~mode=flat~days=9999~start=20

There is a wide variation in vendor releases and their updates are not immediate to threats.

Timing is everything -- we don't have to be the first, but we have to beat
the outbreak.

There's always someone infected "first" and there's always more people getting infected in the time between discovery, analysis, updates, dispersing the update...


If you're in a situation where this is a gargantuan problem, run multiple AVs on your system. Educate your users about checking email frequently and keeping their AVs up to date, use MIMEDefang, don't accept messages with executables attached...greatly restrict what can be attached to incoming messages and you have most of the battle won there.

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
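
The attachment restriction suggested in the message above, as an added example that is not part of the original post and is not MIMEDefang's own configuration: a Python check that walks a message's MIME parts and reports the attachments a gateway would refuse. The extension and content-type lists, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklists for illustration; tune them to your own site policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                      ".vbs", ".js", ".cpl", ".lnk"}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def blocked_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every MIME part that violates the policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # get_filename() also decodes RFC 2231 / RFC 2047 encoded names.
        # Trailing dots and spaces are stripped so "a.exe." is still caught.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        ctype = part.get_content_type()
        # Only the last extension matters: "invoice.pdf.exe" runs as .exe.
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, f"blocked extension {ext}"))
        elif ctype in BLOCKED_TYPES:
            hits.append((name or "(unnamed)", f"blocked content type {ctype}"))
    return hits


def build_sample() -> bytes:
    """Constructed test message: two policy violations and one benign file."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed test message"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    m.add_attachment(b"%PDF-1.4", maintype="application",
                     subtype="pdf", filename="notes.pdf")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="x-msdownload", filename="readme")
    return m.as_bytes()


if __name__ == "__main__":
    for filename, reason in blocked_attachments(build_sample()):
        print(f"REJECT {filename}: {reason}")
```

A check like this complements signature scanning: it refuses the attachment class outright, so it does not depend on a signature having been published yet.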
