Let's try this inline-reply thing again, apologies for last time.

On 2/17/16 12:15 PM, Groach wrote:
> Hello Joel
>
> I mentioned the Clamwin forum moderators to show that loyal people are
> equally dismayed. I am well aware that you guys do not view the forum
> and probably only view this mailing list but (to my own cost - as I am
> about to find out with this post) this is not the easiest platform to
> view and use and the world is more used to a BBS-type forum;
> consequently people go to those for advice and often things can be seen
> there more than what you would find in this mailing-list thingy.

This mailing list thingy has been here since the beginning of ClamAV, and is the best method of communication for us, as the data is put into our inbox, as opposed to us having to remember to go log into a website every day. These mailing lists have over 10 years of history, and they seem to be working quite well.

> I am also aware that it is multi-platform and that was the whole thing that
> prompted my 'enquiry': the multi-platform consciousness seems to have
> forgotten the impact that can be felt on the Windows platform if you don't
> take care.

ClamWin takes the ClamAV engine and repackages it for Windows, as I am sure you are all well aware. We can't monitor the forums/mailing lists of every subproject of ClamAV. I understand your frustration, but it's just not something I can feasibly do.

> Quote: "So when FPs are found, they are remediated as fast as we can
> get to them."
>
> An interesting response after I've pointed out 3 examples of FPs not
> being remedied despite me sending them to you - one of them 17 months
> old. Could you qualify the term "as fast as we get them..."? I
> REGULARLY upload FPs to the ClamAV portal and it takes TOO long. Sure you
> might have internal reasons as to why it takes longer but at the same
> time people need to be given an expectation of what to expect in order
> that they can make a reasonable consideration as to risk (or inconvenience)
> to their own systems.

What you gave me were not FPs. We didn't alert on them. So, what I think you mean is FNs (False Negatives), which is constructive and we can generate detection for those files. We did have several recent issues with FP reporting on the website, and those have been fixed. We apologize for any inconvenience during the outage.

> Quote: "Not to say that your concerns aren't noted, but generating
> ClamAV detection takes longer."
>
> And this is the point of my mentioning it taking too long.

Understood.

> Quote: "ClamAV should trust the certificate of the file (if you have it
> installed correctly) and ignore those files"
>
> Yes, but you can't. Clearly ASSUMING such 'safety measures' doesn't work,
> which brought people's machines to their knees last week. An
> alternative, safer approach is needed.

This problem (conviction of signed files) is exactly the reason we created the feature of Certificate Trust. I understand and comprehend what you are saying, I'm not ignoring you. But you have to understand that we expect ClamAV to work a certain way. We ship it with a recommended configuration, on by default, etc. What people do with it once it leaves ClamAV.net, we can't, and won't, control. If you'd like to use a client that we make, Immunet is that suggestion. It has the same cost as ClamAV -- Free.

> And the comedy value:
> Quote: "would love to have more contributions from the community in
> order to increase coverage."
>
> You are not going to increase coverage whilst you ignore the workings of
> Windows, its flaws, its popularity and the sensitivity it has to your
> signatures. Only by accepting these elements, and modifying the focus
> on to them such as....:
>
> * better testing before release of signatures

Sorry you feel it was comedy. What, specifically, do we need to test against? I can see if we can't get those files added to the clean file repository that we do False Positive testing against before the rules are shipped.

> * not assume all Windows files are signed (genuine programs don't
> necessarily come from Microsoft)

[a] Nor do we have a copy of every file that you *may* download on the Internet to test against. Again, I understand what you are saying, but there are realities in play that are difficult to overcome completely, like the ability to have every copy of every file that may be an FP, ever.

> * SPEEDIER response to FPs

Understood. Your concern is noted, is being addressed, and due to a recent large problem, we've had a backlog of things to catch up on. We apologize for the error.

> * change of focus on development: get the existing products currently
> in use more stable (which includes ClamAV) rather than concentrate on
> fancy websites and rewrites of products that don't currently have so many
> problems.

You are talking about completely separate problems, teams, and products. Surely you don't believe that the web team writes ClamAV signatures, do you? There doesn't need to be a focus change on development. Existing efforts need to be modified to account for your concerns. See [a].

> .....will make it more popular instead of losing coverage.
>
> I'm not sure from what I have read that there really is a grasp of the
> situation and consequently that anything will change, just
> acknowledgements and explanations why it is to be so.

I've heard your concerns. You may think I don't grasp what you are saying, but I do.

> For sure nothing will change for disgruntled users that have lowered
> their reliance or moved away from Clam flavours.

That is unfortunate.

> Suggestion: given that there is a Clamwin flavour, and forum, then
> maybe someone would like to sign up and occasionally pop in day to day to
> see what people are saying or thinking. How about it?

I believe I addressed this above.

-- 
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml