On Fri, October 3, 2014 12:19 pm, Tim Smith wrote:
>
> Over the last 24-48 hours, I submitted a number of email attachments.
> RAR files that contained viruses.
>
> Running one or two of them through VirusTotal today, I see ClamAV have
> *STILL* not managed to produce virus definitions for them !
> Looking forward to hearing the reasons why !

Hi Tim,

Although I can't speak for the ClamAV team, I will say this... it takes time and people to analyse the sheer number of samples being received. ...but before you even get to that stage, it's de-duping, sorting the wheat from the chaff... all of which takes time.

From a Sanesecurity point of view, here's the amount of updates pushed out today...

http://pastebin.com/Z07NvcEe

OK, some are spam related, but the Sanesecurity.Rogue.0hr and Sanesecurity.Malware.24411.ZipHeur are malware related. Now, the Sanesecurity.Rogue.0hr are hashes of malware, updated hourly, and pretty much automatic... the Sanesecurity.Malware ones are generated manually, while I'm awake of course... ;)

But... you need something to fix the stuff in between; foxhole databases are helping in that direction...

foxhole_all.cdb: blocks dangerous attachments in Zips etc., but may be too aggressive.
foxhole_generic.cdb: as above but ONLY for double extension/hidden extension.
foxhole_filename.cdb: will block known dangerous single extensions, in Zips etc. It's quite empty at the moment, but I've got a huge update coming shortly to massively improve this.

Douglas from the ClamAV Team is adding sigs like Zip.Suspect.ExecutableFax-zippwd-1, which, like the foxhole sigs, look at the Zip filename and use a bit of common sense on the name in order to block it... and it's all helping to minimise the missed ones and save time on the 0-hour analysing.

The ClamAV engine is flexible and open source, and Sanesecurity sigs certainly wouldn't be here without it, so I'm all for its defence....

One thing though about update frequency: to some people it doesn't matter that much... here's an interesting poll on my website..

How often does freshclam update?

Every Day (35%, 20 Votes)
Every Hour (25%, 14 Votes)
Every Four Hours (18%, 10 Votes)
Every 30 mins (12%, 7 Votes)
Every 15 mins (10%, 6 Votes)

Total Voters: 57

Really? Every Day? <faint>

You can, of course, email the missed RAR samples to: samples ATTTTTT sanesecurity.me.uk

Slightly off topic, does anyone have a folder full of saved malware zips/rars etc. they have kept over the past xxx months? If so, can you contact me off-list...

Cheers,

Steve
Sanesecurity.com

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
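The filename "common sense" that the foxhole databases and the Zip.Suspect.* sigs apply to archive members (a dangerous single extension, a decoy double extension such as .pdf.exe, or a real extension hidden behind a long run of spaces) can be reproduced in a few lines. The script below is an added illustration written for this page; it is not Sanesecurity's foxhole generator or ClamAV code. The extension lists, the sample archive built in memory, and the helper names (classify_name, scan_zip, build_sample_zip, cdb_signature) are all constructed for the example, and the .cdb line format it emits is as I recall it from the ClamAV signature documentation, so check it against your ClamAV version before loading anything generated this way.

```python
import io
import re
import zipfile

# Sample extension lists, constructed for this example (not the foxhole lists).
# Extensions that execute directly on a typical Windows desktop.
DANGEROUS_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                 "vbs", "vbe", "wsf", "jar", "hta"}
# Benign-looking "document" extensions that serve as the decoy half of a double extension.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "htm", "html"}


def classify_name(name):
    """Return the list of reasons an archive member name looks suspicious.

    Mirrors the three foxhole ideas from the post: dangerous single extension
    (foxhole_filename), double extension and hidden extension (foxhole_generic).
    An empty list means the name raised no flag.
    """
    reasons = []
    base = name.rsplit("/", 1)[-1]          # ignore directories inside the archive
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    ext = parts[-1].strip()
    if ext in DANGEROUS_EXT:
        reasons.append("dangerous extension ." + ext)
        # decoy.ext.exe: the penultimate "extension" is a document type
        if len(parts) >= 3 and parts[-2].strip() in DECOY_EXT:
            reasons.append("double extension ." + parts[-2].strip() + "." + ext)
        # long whitespace run pushes the real extension out of view in file dialogs
        if re.search(r"\s{5,}\.", base):
            reasons.append("hidden extension (long whitespace run before final extension)")
    return reasons


def scan_zip(data):
    """Scan raw zip bytes; return {member_name: [reasons]} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def cdb_signature(sig_name, ext):
    """Emit a container-metadata (.cdb) line matching members whose name ends in .ext inside a zip.

    Field order assumed from the ClamAV signature docs:
    VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
    FileSizeReal:IsEncrypted:FilePos:Res1:Res2
    """
    return "%s:CL_TYPE_ZIP:*:(?i)\\.%s$:*:*:*:*:*:*" % (sig_name, ext)


def build_sample_zip():
    """Constructed sample archive: one benign member and three suspicious names.

    The member contents are plain text; nothing here is a real executable.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("invoice.pdf.exe", "not a real executable")
        zf.writestr("Fax_20141003.scr", "not a real executable")
        zf.writestr("report.doc" + " " * 40 + ".exe", "not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
    print(cdb_signature("Example.Foxhole.Zip_scr", "scr"))
```

Running it flags invoice.pdf.exe, Fax_20141003.scr and the padded report.doc ... .exe name while leaving readme.txt alone. Note the trade-off the post itself points out: matching on a bare dangerous extension (the foxhole_all / foxhole_filename approach) catches the most but will also hit legitimate installers or scripts, whereas the double/hidden-extension rules are narrower and rarely false-positive, which is why the post separates them into different databases.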