Giampaolo
If you want some extra coverage you might try the
signatures at http://sanesecurity.com. Besides
all the great rules there, our winnow signatures,
which are included, detect malware not yet in
ClamAV as well as URLs to malware. Current direct
signatures are mapped to other AV systems at
http://www.oitc.com/winnow/clamsigs/MalwareSignatures.html
Samples can be sent to virus-samples at oitc.com
Tom
At 10:55 PM +0200 9/15/09, Giampaolo Tomassoni wrote:
> The answer is very simply, resources.
> The submission interface receives around 20,000 unique samples a day, which
> exceeds the number of signatures that can be produced in a day by the
> sigmakers. This forces us to prioritize by what we are seeing the most of
> in a given time period, as those are most likely the prevalent threats.
> If you, or anyone else in the ClamAV community is interested in writing
> signatures to help improve some of the response times feel free to contact
> me off list.
> Cheers
> -matt
Concise and clear.
Matt, thank you very much: this wipes my doubts about submission policies
and the like.
Giampaolo
On Mon, Sep 14, 2009 at 12:51 PM, Giampaolo Tomassoni <giampa...@tomassoni.biz> wrote:
> Hi,
>
> I occasionally submit virus samples to ClamAV through the official
> submission page.
>
> Before submission I also check these viruses with VirusTotal, where at
> least a bunch of AV products do often detect my samples as malware.
>
> If this happens, I also add a link to the VirusTotal's analysis page
> regarding the sample I'm submitting in the "Enter a short description of
> the virus" field of the submission form.
>
> This used to work, and sooner or later I used to be notified of the
> inclusion in the ClamAV database of a new detection pattern suitable for my
> sample.
>
> For months, however, I haven't received notifications anymore regarding
> my submissions. Also, it seems to me that recently submissions are quite
> ignored. For example, on September 9 I reported to ClamAV a malware which is
> still not recognized, while it is by 30 out of 41 AV products in
> VirusTotal...
>
> See:
>
>
> http://www.virustotal.com/analisis/716704eb975160cf84c110e6510bb45ce9837a774dcdee6136867b4c03f4981e-1252908923
>
> Could anybody explain what's going on with submissions? I can't find any
> reliable reference to changes in the submission policies or the like. I
> could only find this thread from this ML
>
>
> http://lurker.clamav.net/message/20081025.142726.40535408.en.html
>
> in which basically Bräckelmann is trying to figure out the same thing I am.
> But no reply to his question...
>
> Thank you,
>
> Giampaolo
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/