Okay, so this is a long email, let me respond inline:
--
Joel Esler
Manager, Talos Group

On Feb 17, 2016, at 9:40 AM, Groach <groachmail-stopspammin...@yahoo.com> wrote:

> Hello
>
> Ok, in short you know about the disaster last week where a single signature was issued by ClamAV that literally BROKE people's Windows systems (PCs, servers....). Many suffered, some reported, and I myself was one that had my mail server halted in its tracks (and my business's email operation) due to the rogue definition wrongly removing various EXEs and DLLs.
>
> http://forums.clamwin.com/viewtopic.php?p=18970#18970
> http://forums.clamwin.com/viewtopic.php?t=4368
>
> This prompted the usual 'loyal' moderators of the Clamwin forum to declare that "ClamAV doesn't test signatures on Windows systems" and that it is dangerous to use it as such (suggesting a more liable product should be sought).

The platform doesn't matter. Our engine runs on multiple platforms, but the detection is the same regardless of platform. (I'm not being pedantic here, just making a general statement about how signatures work across platforms.)

> This comes after a year of me constantly suffering False Positives with their definitions (often, but not limited to, the same range of files and programs), often changing the 'signature' and becoming a new False Positive just days after rectifying a report of an old one. And this is if you are lucky enough to get the FP rectified in the first place. FYI:
>
> https://www.virustotal.com/en/file/ca8ee2783cdfe60ebcfbe1991ffbd952dc7c2bbab375b1e0f8f85b2a32d5a803/analysis/1455646006/ 3½ months old
> https://www.virustotal.com/en/file/14aff6171866b62575af7f71febd172727503aef58182443d7ebdca11d61a458/analysis/1455646242/ 17 months old!
> https://www.virustotal.com/en/file/fcc639ddaf9b671fd1efdd70ad5a9358a18e9b3acd0e89f819a561933583c178/analysis/1455646471/ 2½ months old.
>
> All were uploaded to Clam as viruses (after being tested on VT) by me at the time of receiving them.
>
> Can you imagine the damage done in 17 months by those reliant on Clam? You can see further 'testing' I did to prove the effectivity of the Clam signature team on dealing with FPs here: http://forums.clamwin.com/viewtopic.php?p=18890#18890 which (if you follow that thread) went on to show it took 12 days for them all to be rectified.

To be honest, I don't know if anyone on the ClamAV team monitors the clamwin forums. That's why we have the mailing lists.

> After this test, the frustration of the recent years of repeating the FP reports (usually for the same programs) with different signatures, and then the recent mail-server-killing weekend, I concluded that Clam on a Windows system is just one broken rung above the ground of useless (and equally as precarious), concluding that it must only ever be run in REPORT MODE, to have 'Memory Scan' turned off (in the case of Clamwin) and, to be any use, must be supplemented by decent 3rd party signatures such as Sanesecurity that issue signatures for REAL threats, in a decent worthy time that they might actually serve to protect (instead of being issued days, weeks or MONTHS (or never!) after the threat was released and at its most dangerous).
>
> I now only use ClamAV (WITH Sane definitions to make it effective!) as an incoming mail scanner and leave all other levels of antivirus security in the hands of the professional suppliers (Bitdefender, Avira, etc) and find it impossible to recommend it any more for any other form of protection. Many people will have been stung by last week's events and have been turned off from the product - as a parent company Cisco should be concerned about this.
>
> This post isn't just here for a moan, it is here for a point of view and genuine questions of concern that I would like to hear responses for (specifically from Joel and anyone that considers themselves responsible for Clam):
>
> 1. Given that the Linux world usually (narrow-mindedly) declares itself as a superior and safer OS to Windows in that "it doesn't get virus attacks", and therefore antivirus software really has a purpose for defending against WINDOWS attacks, then why oh why aren't they more embracing and open-minded to the plight of the Windows user (being more responsive and proactive)?

Well, the notion that Linux users don't have malware is incorrect, as we should know. I've dealt with over a million ELF binaries in the past 6 months or so. Granted, some of that is APK, but still.

The fact is that we have several products here at Cisco: we have a commercial product, a free AV product, and ClamAV. The free AV product I am referring to is Immunet (which we will be releasing a new version of, soon). The commercial product we call AMP.

We produce signatures for ClamAV several times a day. Much of this detection is automated, yes, but what you don't see behind the scenes is the massive, MASSIVE rewrite of the system that manages the signatures on the backend that has been going on for a while now. Another thing you may not realize is, everything that the Talos group here at Cisco writes coverage for in another product (Snort) also receives ClamAV coverage. So, yes, there are a bunch of projects up in the air. Not to say that your concerns aren't noted, but generating ClamAV detection takes longer.

> 2. HOW CAN CISCO allow such sloppy definitions to be issued that potentially KILL systems? If this was a corporation where the customers had PAID for their services, they would be in a world of trouble. It certainly doesn't do Cisco's reputation any good at all (and it seems they do not care). Nor does it do Clam's reputation any good. Why is there not any quality control?

There is. But we don't have a copy of every file in the world. So when FPs are found, they are remediated as fast as we can get to them.

> 3. Why are signatures not tested against known Windows systems before being issued? (I'm sure Cisco can provide a server in a corner of a room that has the standard installation files of the various Windows versions on it.)

The suggestion is noted. It would be a good idea to take the standard signed binaries from Windows and put them in our clean file repository; however, ClamAV should trust the certificate of the file (if you have it installed correctly) and ignore those files anyway.

> 4. Absolving yourselves from any liability of damage caused by using Clam or its various incarnations (in some EULA) does not absolve you from responsibility of care. Do you agree?

We understand that there are millions of users out there that depend on our free solution to provide them coverage. We invest a ton of money, time, effort, and people into the project and would love to have more contributions from the community in order to increase coverage. Personally, I'd love to have Sanesecurity bring over their detection base and let us sign and distribute it through our mirror infrastructure. More detection would get out that way. That is one of the reasons we created the community signature program, which a lot of people participate in, and we thank every single one of them.

> Remember, this is about ClamAV signatures and a question of responsibility of those signatures by the owning company, so the point of me and others using the Clamwin port is irrelevant.
>
> I look forward to some considered response.
> Jim

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml