On Mon, Oct 23, 2006 at 08:29:20AM -0700, Dennis Peterson wrote:
> >>That's not the question. The question as asked by management is "Why
> >>does ClamAV report it doesn't catch this virus while these others do?"
> >>and my answer is "I don't know - and the ClamAV people don't know,
> >>either". 

For this specific piece of malware, the answer has already been given:
the sample wasn't submitted to clamav. Since the author used virustotal
to scan, it is extremely likely that it was auto submitted to the
clamav team (although I couldn't find a notice of that at the
virustotal site?)

Also, I just tested virustotal, and they are still using that development
version of clamav: devel-20060426. That might skew the detection rate.
(Anyone with contacts at virustotal.com?)

> >>While it's the truth, neither of us looks real good now, and I haven't
> >>even mentioned that nobody at ClamAV seems particularly proactive
> >>about looking into it. That will remain our little secret for now.

You (or your management) are asking the impossible. The ClamAV team
(of which I'm not a part, I'm just a fan of the product), is depending
on volunteers. There might be volunteers out there actively hunting
for malware by setting up honeypots, but that is about all you can
do to catch the malware, and it's by far no guarantee that you will
catch all of it.

So - in the end, for generic new malware - there is no "plan" to catch
and detect all new malware before it's released - because that is
impossible. There isn't even a plan to catch all malware at most X
hours or days after release, because even that is impossible.

And, yes, while it would look good, PR-wise, to ask that reporter if
the virus is still undetected and if so, ask for a submission, that
single virus isn't going to make much of a difference. Maybe the virus
doesn't even spread through email, making it a secondary target for
clamav (see the ClamAV abstract page if you're unsure about this).

> I don't have any complaints with ClamAV - I like it. I just have this
> one question I'd like to see answered. It is entirely possible, for
> example, that ClamAV did not catch this virus because the infected file
> was a broken stub file that had only parts of the virus remaining. In
> other words it wasn't malware at all because it cannot function. Some AV
> tools will reject broken viruses, some don't.

In my experience all AV scanners will sometimes tag broken executables,
or disinfected executables, as a virus. The detection rate is just a bit
worse than for non-broken executables.

However, there's a grim truth about scanners nowadays: they suck, all
of them. Or at least, based on detection rate for new threats. For any
modern new bit of malware out there, the guess is that there is a 15%
chance that any given AV vendor catches it. That percentage is probably
a bit less for the "big names" (symantec, mcafee etc) because malware
authors are more likely to test their latest concoctions against those.

I happened to have an executable that was not detected by clamav (nor,
when released, by our other 2 commercial scanners). It has been around
since at least mid-august, or so I'm told. I actually _ran_ this piece
of malware on a properly isolated machine to verify it is a working
virus. And I just ran it through virustotal. The result is here:

http://www.xs4all.nl/~johnpc/sdbot-virustotal.png

(The binary is now also in the possession of the clamav team, I
explicitly uploaded it - do not mail me for a copy of the malware.
I'm not posting this here to show clamav fails - this is just an
example, I have other malware that is detected by clamav but not
by a bunch of other scanners. This is just a random example).

I do not believe this particular threat spreads through email, but,
given the nature of recent malware, I cannot say for sure. I didn't
disassemble it to look for an SMTP engine.

Oh - one other remark. Modern malware isn't really "malware". It's more
like an extended eggdrop bot, that includes a downloader, or some generic
command interface that can be controlled by the bot herder. There is no
"exploit" of a browser, or of other software. The only "exploit" is of
wetware, because the virus comes as an executable on some P2P network
called ClickHereForFreeBoozeDeliveredByHotChicks.exe. Anyone dumb enough
to actually click makes for a perfect drone (or rather, his hardware).

So, there aren't many angles the AV scanners can hook on to. The
functionality implemented by such pieces of malware can be considered
legitimate.

Practicing safe software-exchange is about the only true remedy against
viruses. Well, right after thinking rationally about the actions you
take that put you at risk.

If your management truly cares about virus protection, they would take
appropriate actions like forbidding the use of the software products
through which most of the infections occur. That could mean not using
outlook express, or no P2P, or it could mean something more radical,
like only using OpenBSD and w3m. Or something in between...

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html