On 30/05/12 23:17, G.W. Haywood wrote:
>
>> Wouldn't more spamtraps that feed virus samples directly to AV
>> analysts help?
>
> Are you new to this? :) Just think about the numbers involved.
I think you've been a bit harsh there. I read it as saying that antispam systems catch a lot of malware (because the same infected hosts used to send malware are also used to send spam). Cedrich asked why doesn't clamav use antispam traps as a mechanism to pick up binaries that will 99.99% of the time be malware. That way it's a "free" input source of new malware to be tracked.

Sounds like a good idea to me - I know most AV companies do just that, so I'm sort of surprised that ClamAV isn't (is that true?)

Tell you what - could this be turned into a "community" project? What if instead of ClamAV staff running spampots, all of us out there running edge mail protection ran (hourly) cronjobs to parse our quarantines for spam that contained Windows binaries, run clamav over it (probably for a 2nd time) just in case it's already been picked up - and then feed new files back to Clamav.net for further analysis?

Really quite doable at the "client" end - but could cause some serious load on Clamav.net if it was popular... We'd have to have individual accounts so that dickheads uploading notepad.exe can be tracked and blocked, maybe a "must be seen by >10 clients" rule needs to be in place to reduce the FPs too, but of course they'd need to be reviewed by someone eventually. Could we even cross-check checksums against (say) virustotal.com in an automated fashion so that only files marked as malware by another product end up in the final human-facing queue?

I'm sure ClamAV staff would like a "too large" corpus of malware than "too little"?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
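As an added illustration of the client-side cronjob and the server-side "seen by >10 clients" rule proposed above (example code, not from the thread or from the ClamAV project): it parses quarantined messages, keeps only attachments that look like Windows PE files (the "MZ" stub), skips anything clamscan already flags, and keys the survivors by SHA-256 so a submission queue can count distinct uploaders per sample. The quarantined message is a constructed sample; the `clamscan` wrapper assumes the real CLI is installed and falls back to "not flagged" when it is not.

```python
import email
import hashlib
import shutil
import subprocess
import tempfile
from email import policy

# Constructed sample: a quarantined spam with one PE-looking attachment
# (base64 "TVqQ..." decodes to bytes starting with "MZ") and one text file.
SAMPLE_EML = b"""From: spammer@example.invalid
To: trap@example.invalid
Subject: your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAA=
--b1
Content-Type: text/plain; name="notes.txt"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

def is_pe(data: bytes) -> bool:
    """Windows executables start with the DOS 'MZ' stub (cheap first filter)."""
    return data[:2] == b"MZ"

def clamscan(data: bytes) -> bool:
    """True if an installed clamscan flags the bytes (exit 1 = infected, 0 = clean)."""
    if shutil.which("clamscan") is None:   # assumption: CLI may be absent
        return False
    with tempfile.NamedTemporaryFile() as tmp:
        tmp.write(data); tmp.flush()
        return subprocess.run(["clamscan", "--no-summary", tmp.name],
                              capture_output=True).returncode == 1

def extract_pe_attachments(raw: bytes):
    """Yield (filename, bytes) for every non-multipart part that looks like a PE."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if is_pe(payload):
            yield part.get_filename() or "unnamed", payload

def triage_quarantine(messages, scanner=clamscan):
    """Client side: {sha256: filename} of PE attachments the scanner did NOT flag."""
    candidates = {}
    for raw in messages:
        for name, data in extract_pe_attachments(raw):
            if not scanner(data):          # already detected -> nothing new to submit
                candidates[hashlib.sha256(data).hexdigest()] = name
    return candidates

def ready_for_review(submissions, threshold=10):
    """Server side: hashes uploaded by more than `threshold` distinct accounts."""
    return sorted(h for h, accounts in submissions.items() if len(accounts) > threshold)
```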