At 05:50 PM 10/20/2006, Dennis Peterson wrote:
>
> Dennis Peterson wrote:
> > http://www.secureworks.com/analysis/spamthru/
> >
> > Is this hyperbole or ??? The 'no virus found' response next to clamav is a bit
> > worrying. Somebody in management is probably going to ask about it soon - any
> > words of wisdom I can share regarding the ClamAV tools?
> >
> > dp
>
> Not surprising really. Look at the clamav date:
> devel-20060429
> Isn't that rather old?
It is a morphing problem so the question is, is ClamAV moving with it? I
don't know and thought it worth asking. I still don't know.

Most likely no one had submitted a sample of that virus previously. Since the author tested it on VirusTotal, it would have been auto submitted to the clamav signature team and likely detected within hours of his initial test. Since we don't have the exact file in question, we can't confirm just when it was submitted or added.

Yes, clamav-devel-20060429 is a little old, although that probably isn't a factor in this case (but we'll never know). The signature file was apparently current at the time of the test.

Words of wisdom:

Clamav has an impressive track record of quickly detecting current malware circulating via email. It is frequently (but certainly not always) among the first scanners with signature updates for new viruses. This is one such case where other products detected a virus that clamav missed. It would have been interesting if the author had tried rescanning the file at some regular interval to see when other products did start to recognize it. Clamav depends on community support for submitting undetected viruses.

--
Noel Jones