Noel Jones wrote:
At 05:50 PM 10/20/2006, Dennis Peterson wrote:
>
> Dennis Peterson wrote:
> > http://www.secureworks.com/analysis/spamthru/
> >
> > Is this hyperbole or ??? The 'no virus found' response next to clamav is a bit
> > worrying. Somebody in management is probably going to ask about it soon - any
> > words of wisdom I can share regarding the ClamAV tools?
> >
> > dp
>
> Not surprising really. Look at the clamav date:
> devel-20060429
> Isn't that rather old?

It is a morphing problem so the question is, is ClamAV moving with it? I
don't know and thought it worth asking. I still don't know.

Most likely no one had submitted a sample of that virus previously.
Since the author tested it on VirusTotal, it would have been auto
submitted to the clamav signature team and likely detected within hours
of his initial test. Since we don't have the exact file in question, we
can't confirm just when it was submitted or added.

Yes, clamav-devel-20060429 is a little old, although that probably isn't
a factor in this case (but we'll never know). The signature file was
apparently current at the time of the test.

Words of wisdom:

Clamav has an impressive track record of quickly detecting current
malware circulating via email. It is frequently (but certainly not
always) among the first scanners with signature updates for new
viruses. This is one such case where other products detected a virus
that clamav missed. It would have been interesting if the author had
tried rescanning the file at some regular interval to see when other
products did start to recognize it. Clamav depends on community support
for submitting undetected viruses.

This is a beautiful piece of prose and I couldn't snip a word of it. It
rarely happens that so much thought is put into a response. But one
question remains because you have not answered it, and I'll just quote
myself as I too have a way with words:

"It is a morphing problem so the question is, is ClamAV moving with it?
I don't know and thought it worth asking. I still don't know."

Apparently you don't know either, so please make the soap box available
to another who may have the answer.

dp
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html