Hi there,

On Fri, 5 Dec 2008 a self-confessed ClamAV Newbie wrote:

> It has been remarkably hard to find what malware are in Clamav's
> Definitions List.

This is an Open Source project.  Have you considered sending a patch
for the documentation?

http://www.clamav.net/doc/latest/

> At last having a way to search for Mac malware I put in the name of
> the Trojan discovered last week, officially called "OSX.Lamzev.A",

Please let us know what organization produces the "official" names for
malware so that the rest of us can use them too. :)

> aka "OSX.TrojanKit.Malez" by Intego. It's not there. Clamav has not
> caught up with it, presumably because no one has provided them with a
> definition for it yet.

Your presumption seems likely correct.  "No one" would, er, include you.

> This most likely is because Clamav is not a member of the group of
> commercial Mac anti-malware providers

No, it's because "no one" who cares enough about the Mac viruses has
submitted the definitions.  That's probably because Mac users have in
general been fairly laid-back about the virus situation, with good
reason, but as you quite rightly say there are a very few examples of
active Mac malware out there, and things like phishing affect us all
(to quote one of the contributors to this List, ClamAV kicks serious
butt in this area - but that is likely of interest only to those of us
running mail servers).

> I did find one and only one of the current three Mac malware in the
> database. That malware is known officially as Trojan OSX.RSPlug. The
> Clamav definitions database mistakenly calls it OSX.DNSChanger.

You need to come to terms with the fact that people can, and do, call
malware whatever they like.  It's a known problem and the probability
is that it will remain so for the foreseeable.  It's obviously less of
a problem if there are three or four targets (Mac) than if there are
half a million (Windows).

> I have to assume that this definition is only for the 'A' variant of
> this Trojan.  [snip]  If my assumption is correct

You are of course free to assume whatever you like in this regard, but
I don't see any point in idly speculating on assumptions which haven't
been validated.  Do your homework first, then give us the facts.  Even
better, submit samples.

> We are currently up to the 'E' variant. My guess is that variants
> 'B' through 'E' are NOT detected by Clamav.

As I said: instead of speculating, do some tests and submit samples.
It's trivially easy, and quicker than writing 400+ word emails.

> What then is the benefit of Clamav on the Mac platform?

You alluded to the main benefit in your own mail, and in any case I
think that's been well answered already.

> With the appearance of Trojan OSX.RSPlug.A it was hoped that Clamav
> could be a free and up-to-date method of removing all Mac malware as
> well. Apparently this is not the case so far.

I don't know who was hoping that.  If instead of persistently pounding
the net you read the ClamAV docs you'd know that ClamAV is not designed
to remove malware.  You would know that it can delete files which contain
malware, if such are found, but there is also a warning: "Be careful".  :)
More usually ClamAV will just tell you about things and the ball is then
firmly in your court - as it is now, with finding and submitting samples
if you want something to happen and no-one else is particularly bothered.

> I am going to write directly to the folks in development to discuss
> the possibility of obtaining and providing to them up-to-date Mac
> malware definitions.

Apparently your pounding of the net didn't extend to reading the
ClamAV documentation.  The facility already exists:

http://www.clamav.net/sendvirus/

> I personally have no access to any Mac malware.  I may know someone
> who does and I will write to him as well for advice.  I'd like to
> help get the ball rolling.

If the malware is a big problem then one would imagine that copies
won't be very hard to come by.  Submitting samples is no big deal.

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml