We have spamtraps and tons of other collection mechanisms, which bring
in a little over 100k samples a day.  While obviously not perfect, as
pointed out in the beginning of this thread, it is pretty good.  If
anyone is interested in automating sample submission of stuff we
missed, like Jason is suggesting, please feel free to contact me
offlist and I'll provide automated ways for sending us samples.

Cheers,
-matt

On Wed, May 30, 2012 at 7:29 PM, Jason Haar <jason_h...@trimble.com> wrote:
> On 30/05/12 23:17, G.W. Haywood wrote:
>>
>>> Wouldn't more spamtraps that feed virus samples directly to AV
>>> analysts help?
>>
>> Are you new to this? :)  Just think about the numbers involved.
>
> I think you've been a bit harsh there. I read it as saying that antispam
> systems catch a lot of malware (because the same infected hosts used to
> send malware are also used to send spam). Cedrich asked why doesn't
> clamav use antispam traps as a mechanism to pick up binaries that will
> 99.99% of the time be malware. That way it's a "free" input source of
> new malware to be tracked
>
> Sounds like a good idea to me - I know most AV companies do just that so
> I'm sort of surprised that ClamAV isn't (is that true?)
>
> Tell you what - could this be turned into a "community" project? What if
> instead of ClamAV staff running spampots, all of us out there running
> edge mail protection ran (hourly) cronjobs to parse our quarantines for
> spam that contained Windows binaries, run clamav over it (probably for a
> 2nd time) just in case it's already been picked up - and then feed new
> files back to Clamav.net for further analysis? Really quite doable at
> the "client" end - but could cause some serious load on Clamav.net if it
> was popular...  We'd have to have individual accounts so that dickheads
> uploading notepad.exe can be tracked and blocked, maybe a "must be seen
> by >10 clients" rule needs to be in place to reduce the FPs too, but of
> course they'd need to be reviewed by someone eventually.  Could we even
> cross-check checksums against (say) virustotal.com in an automated
> fashion so that only files marked as malware by another product end up
> in the final human-facing queue?
>
> I'm sure ClamAV staff would like a "too large" corpus of malware than
> "too little"?
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
-- 
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
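The client-side half of Jason's proposal (an hourly job that parses quarantined spam for Windows binaries, re-scans them, and queues only new, undetected files for submission), as an added example that is not from this thread or from ClamAV. The `MZ`/`PE` header check, the constructed sample messages and the `already_detected` callback standing in for a clamscan/clamd pass are all assumptions.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage
from typing import Callable

# Constructed sample attachments (not real programs): a minimal PE-shaped stub
# whose e_lfanew (offset 0x3C) points at a 'PE\0\0' signature, and a text file.
FAKE_EXE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
FAKE_TXT = b"just an invoice, honest\n"

def build_message(filename: str, payload: bytes) -> bytes:
    """Build a constructed quarantined spam message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "spammer@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def is_windows_binary(data: bytes) -> bool:
    """Cheap PE check: DOS 'MZ' stub plus the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extract_binaries(raw_message: bytes):
    """Yield (filename, bytes) for each attachment that looks like a Windows executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and is_windows_binary(payload):
            yield part.get_filename() or "unnamed", payload

def collect_candidates(raw_messages, already_detected: Callable[[bytes], bool], seen: set) -> list:
    """Submission queue: skip hashes already sent (`seen`) and files the local scanner
    flags. `already_detected` is an assumed hook where an operator would call clamscan/clamd."""
    queue = []
    for raw in raw_messages:
        for name, data in extract_binaries(raw):
            digest = hashlib.sha256(data).hexdigest()
            if digest in seen or already_detected(data):
                continue
            seen.add(digest)
            queue.append({"sha256": digest, "filename": name, "size": len(data)})
    return queue
```

Persisting `seen` between cron runs is what keeps a popular sample from being re-uploaded every hour; the per-submitter accounting and "seen by >10 clients" threshold Jason mentions belong on the receiving side.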
