On 30/05/12 23:17, G.W. Haywood wrote:
>
>> Wouldn't more spamtraps that feed virus samples directly to AV
>> analysts help?
>
> Are you new to this? :)  Just think about the numbers involved. 

I think you've been a bit harsh there. I read it as saying that antispam
systems catch a lot of malware (because the same infected hosts used to
send malware are also used to send spam). Cedrich asked why doesn't
ClamAV use antispam traps as a mechanism to pick up binaries that will
99.99% of the time be malware. That way it's a "free" input source of
new malware to be tracked.

Sounds like a good idea to me - I know most AV companies do just that so
I'm sort of surprised that ClamAV isn't (is that true?).

Tell you what - could this be turned into a "community" project? What if
instead of ClamAV staff running spampots, all of us out there running
edge mail protection ran (hourly) cronjobs to parse our quarantines for
spam that contained Windows binaries, run ClamAV over it (probably for a
2nd time) just in case it's already been picked up - and then feed new
files back to Clamav.net for further analysis? Really quite doable at
the "client" end - but could cause some serious load on Clamav.net if it
was popular...  We'd have to have individual accounts so that dickheads
uploading notepad.exe can be tracked and blocked, maybe a "must be seen
by >10 clients" rule needs to be in place to reduce the FPs too, but of
course they'd need to be reviewed by someone eventually.  Could we even
cross-check checksums against (say) virustotal.com in an automated
fashion so that only files marked as malware by another product end up
in the final human-facing queue?

I'm sure ClamAV staff would rather have a "too large" corpus of malware
than "too little"?
 

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
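The client-side half of the scheme Jason sketches above (pull a quarantined
spam, keep only attachments that really are Windows executables, skip anything
ClamAV already detects, hash the rest) plus the server-side "seen by >10
clients" rule, as an added example. This is not ClamAV's code nor anything from
the list; the sample message is constructed inline, the PE check looks at the
MZ/PE headers rather than trusting the filename, and the `clamscan -` stdin
invocation is the only external dependency (it is skipped when clamscan is
not installed). The quarantine format, client account IDs and submission
record layout are assumptions for illustration.

```python
"""Extract Windows executables from a quarantined spam message, hash them,
skip anything ClamAV already detects, and apply the "seen by N clients"
rule. Added example for the community-submission idea above; not ClamAV's
own tooling. All sample data below is constructed for the demo."""
import email
import hashlib
import shutil
import subprocess
from email import policy
from email.message import EmailMessage


def _fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: 'MZ' DOS header whose e_lfanew
    (offset 0x3C) points at a 'PE\\0\\0' signature at offset 64."""
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (64).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\x00" * 128


PE_SAMPLE = _fake_pe()                              # constructed "malware"
NOT_A_PE = b"Hello, this is not an executable\n"    # decoy named .exe


def build_sample_mail() -> bytes:
    """Constructed quarantined spam with one real PE and one text file that
    merely carries a .exe name (this is why we check content, not names)."""
    msg = EmailMessage()
    msg["From"] = "spammer@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(PE_SAMPLE, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(NOT_A_PE, maintype="application",
                       subtype="octet-stream", filename="readme.exe")
    return msg.as_bytes()


def is_windows_binary(data: bytes) -> bool:
    """PE detection by structure: 'MZ' magic and a valid e_lfanew pointer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def clamav_detects(data: bytes):
    """Second-pass scan with the local signatures. Returns True/False, or
    None when clamscan is not installed (caller treats None as unknown)."""
    if shutil.which("clamscan") is None:
        return None
    # clamscan exit codes: 0 clean, 1 infected, 2 error; '-' scans stdin.
    proc = subprocess.run(["clamscan", "--no-summary", "-"],
                          input=data, capture_output=True)
    return proc.returncode == 1


def extract_candidates(raw_mail: bytes, detects=clamav_detects):
    """Return records for attachments that are PE files and are NOT already
    caught by the scanner; only these are worth submitting upstream."""
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data or not is_windows_binary(data):
            continue
        if detects(data):            # already known; no point resubmitting
            continue
        found.append({"sha256": hashlib.sha256(data).hexdigest(),
                      "name": part.get_filename(), "size": len(data)})
    return found


def ready_for_review(submissions, min_clients=10):
    """Server-side rule from the post: surface a hash for human review only
    once at least min_clients distinct accounts have reported it, which
    blunts a single account uploading notepad.exe. submissions is an
    iterable of (client_id, sha256) pairs (assumed record layout)."""
    reporters = {}
    for client_id, digest in submissions:
        reporters.setdefault(digest, set()).add(client_id)
    return sorted(d for d, ids in reporters.items() if len(ids) >= min_clients)


if __name__ == "__main__":
    for rec in extract_candidates(build_sample_mail()):
        print(rec)
```

Run it against a real quarantine by feeding each mbox message's bytes to
`extract_candidates`; with clamscan installed the second pass is live, and the
hashes that survive are what a client would report to the collection point,
where `ready_for_review` gates the human-facing queue.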