[clamav-users] ClamAV+exim: scanner finds not a single malware
Michael Heseltine
2016-05-23 11:43:55 UTC
Hello all,
I have recently modified my exim (4.82) configuration so that all
messages pass through clamav (0.99.2) first. Anything labeled as malware
should be rejected while the incoming SMTP connection is still open
(using an *acl_smtp_data* in exim).

But so far, this setup has not detected a single malware. All messages
Mon May 23 13:26:09 2016 -> /var/spool/exim4/scan/1b4nzo-0001Nu-CQ/1b4nzo-0001Nu-CQ.eml: OK
Mon May 23 13:26:23 2016 -> /var/spool/exim4/scan/1b4o07-0001O3-B2/1b4o07-0001O3-B2.eml: OK
Mon May 23 13:27:51 2016 -> /var/spool/exim4/scan/1b4o1W-0001Ot-Ve/1b4o1W-0001Ot-Ve.eml: OK
Mon May 23 13:28:08 2016 -> /var/spool/exim4/scan/1b4o1o-0001PF-BL/1b4o1o-0001PF-BL.eml: OK
Mon May 23 13:29:01 2016 -> /var/spool/exim4/scan/1b4o2f-0001PT-AL/1b4o2f-0001PT-AL.eml: OK
Mon May 23 13:29:10 2016 -> /var/spool/exim4/scan/1b4o2n-0001Pb-0B/1b4o2n-0001Pb-0B.eml: OK
Mon May 23 13:29:15 2016 -> /var/spool/exim4/scan/1b4o2s-0001Pp-SZ/1b4o2s-0001Pp-SZ.eml: OK
Mon May 23 13:29:25 2016 -> /var/spool/exim4/scan/1b4o33-0001Px-03/1b4o33-0001Px-03.eml: OK
Mon May 23 13:29:44 2016 -> /var/spool/exim4/scan/1b4o33-0001Pw-BG/1b4o33-0001Pw-BG.eml: OK
Mon May 23 13:30:03 2016 -> /var/spool/exim4/scan/1b4o3e-0001QL-IC/1b4o3e-0001QL-IC.eml: OK
Mon May 23 13:30:41 2016 -> /var/spool/exim4/scan/1b4o4G-0001Sd-V5/1b4o4G-0001Sd-V5.eml: OK

The last six of those were E-Mails containing the Locky trojan
(according to Avast antivirus on Windows 10), though. Can't ClamAV
detect that?
x86_64, CPU: x86_64)
Sun May 22 12:47:50 2016 -> Log file size limited to 4294967295 bytes.
Sun May 22 12:47:50 2016 -> Reading databases from /var/lib/clamav
Sun May 22 12:47:50 2016 -> Not loading PUA signatures.
Sun May 22 12:47:50 2016 -> Bytecode: Security mode set to "TrustSigned".
Sun May 22 12:47:55 2016 -> Loaded 4381396 signatures.
Sun May 22 12:47:55 2016 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Sun May 22 12:47:55 2016 -> LOCAL: Setting connection queue length to 15
Sun May 22 12:47:55 2016 -> Limits: Global size limit set to 104857600 bytes.
Sun May 22 12:47:55 2016 -> Limits: File size limit set to 26214400 bytes.
Sun May 22 12:47:55 2016 -> Limits: Recursion level limit set to 10.
Sun May 22 12:47:55 2016 -> Limits: Files limit set to 10000.
Sun May 22 12:47:55 2016 -> Limits: Core-dump limit is 0.
Sun May 22 12:47:55 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Sun May 22 12:47:55 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Sun May 22 12:47:55 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Sun May 22 12:47:55 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Sun May 22 12:47:55 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Sun May 22 12:47:55 2016 -> Limits: MaxPartitions limit set to 50.
Sun May 22 12:47:55 2016 -> Limits: MaxIconsPE limit set to 100.
Sun May 22 12:47:55 2016 -> Limits: MaxRecHWP3 limit set to 16.
Sun May 22 12:47:55 2016 -> Limits: PCREMatchLimit limit set to 10000.
Sun May 22 12:47:55 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
Sun May 22 12:47:55 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
Sun May 22 12:47:55 2016 -> Archive support enabled.
Sun May 22 12:47:55 2016 -> Algorithmic detection enabled.
Sun May 22 12:47:55 2016 -> Portable Executable support enabled.
Sun May 22 12:47:55 2016 -> ELF support enabled.
Sun May 22 12:47:55 2016 -> Mail files support enabled.
Sun May 22 12:47:55 2016 -> OLE2 support enabled.
Sun May 22 12:47:55 2016 -> PDF support enabled.
Sun May 22 12:47:55 2016 -> SWF support enabled.
Sun May 22 12:47:55 2016 -> HTML support enabled.
Sun May 22 12:47:55 2016 -> XMLDOCS support enabled.
Sun May 22 12:47:55 2016 -> HWP3 support enabled.
Sun May 22 12:47:55 2016 -> Self checking every 3600 seconds.
Sun May 22 12:47:55 2016 -> Listening daemon: PID: 535
Sun May 22 12:47:55 2016 -> MaxQueue set to: 100

I gather from those that I'm running the most recent version of clamav
with the most recent signatures. So what is the problem? The only thing
that clamav has ever rejected on my system was a test e-mail containing
the EICAR test string in the message body.

Could this be a problem with the message format? Do I have to set up
anything special in order for this to work?

What additional data that I can provide do you need? Any help is appreciated.

Best regards, Michael

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
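A way to narrow down Michael's question about the message format, added here as example code (it is not from any post in this thread, nor from ClamAV or Exim): build one test message with the payload in the plain-text body and one with it as a base64 MIME attachment, push both through clamd's INSTREAM protocol on the socket named in the clamd log above, and compare the verdicts. If the body copy is flagged but the attachment copy is not, the gap is in MIME decoding or the configured limits rather than in the signatures; if both are flagged, the scanner handles the format and missing detections are a signature-coverage question. The Exim directives in the docstring are Exim's standard content-scanning options; the file name eicar.com, the example.invalid addresses and the function names are assumptions.

```python
"""
Check that clamd inspects MIME attachments, not just the message body.

Assumed surrounding configuration (Exim's standard content-scanning directives,
socket path taken from the clamd log posted in the thread):

    av_scanner = clamd:/var/run/clamav/clamd.ctl
    acl_smtp_data = acl_check_data

    acl_check_data:
      deny  message = Rejected: malware detected ($malware_name)
            malware = *
      accept
"""
import socket
import struct
from email import message_from_bytes
from email.message import EmailMessage
from typing import Optional, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # from the clamd startup log in the thread


def build_test_message(payload: bytes, filename: str, as_attachment: bool = True) -> bytes:
    """Return a raw RFC 5322 message carrying `payload` either as the text body
    or as a base64-encoded attachment named `filename`.
    Use the EICAR test file (eicar.org) as the payload against a live clamd."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"   # assumed addresses
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "clamd scan test"
    if as_attachment:
        msg.set_content("Scan test; the payload is in the attached file.")
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    else:
        msg.set_content(payload.decode("ascii"))
    return msg.as_bytes()


def extract_attachment(raw: bytes) -> Optional[bytes]:
    """Decode the first attachment of a raw message; used to confirm the
    base64 MIME encoding round-trips before the message is sent to clamd."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            return part.get_payload(decode=True)
    return None


def parse_clamd_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Parse a clamd reply such as b'stream: Eicar-Test-Signature FOUND\\0'
    or b'stream: OK\\0' into (verdict, detail), verdict being OK/FOUND/ERROR."""
    text = reply.rstrip(b"\x00\n").decode("utf-8", errors="replace")
    # Reply shape is "<id>: <detail> <VERDICT>"; the id is "stream" for INSTREAM.
    _, _, detail = text.partition(": ")
    if detail == "OK":
        return "OK", None
    if detail.endswith(" FOUND"):
        return "FOUND", detail[: -len(" FOUND")]
    if detail.endswith(" ERROR"):
        return "ERROR", detail[: -len(" ERROR")]
    raise ValueError(f"unrecognised clamd reply: {text!r}")


def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET,
               chunk_size: int = 65536) -> Tuple[str, Optional[str]]:
    """Scan `data` via clamd's INSTREAM command: a 'zINSTREAM\\0' header, then
    chunks prefixed with a 4-byte big-endian length, ended by a zero-length chunk."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(b"zINSTREAM\x00")
        for offset in range(0, len(data), chunk_size):
            chunk = data[offset:offset + chunk_size]
            sock.sendall(struct.pack(">I", len(chunk)) + chunk)
        sock.sendall(struct.pack(">I", 0))
        reply = b""
        while not reply.endswith(b"\x00"):   # z-commands terminate the reply with NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


if __name__ == "__main__":
    # The test file is read from disk rather than embedded; fetch it from eicar.org.
    with open("eicar.com", "rb") as fh:
        eicar = fh.read()
    for as_attachment in (False, True):
        raw = build_test_message(eicar, "eicar.com", as_attachment=as_attachment)
        print("attachment" if as_attachment else "body", scan_bytes(raw))
```

Run it on the mail host as a user that may connect to the clamd socket; an ERROR verdict carrying a limits message points at the size or recursion limits from the startup log.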
Michael D. L.
2016-05-23 12:24:45 UTC
Post by Michael Heseltine
Hello all,
I have recently modified my exim (4.82) configuration so that all
messages pass through clamav (0.99.2) first. Anything labeled as
malware should be rejected while the incoming SMTP connection is still
open (using an *acl_smtp_data* in exim).
But so far, this setup has not detected a single malware. All messages
Hi Michael,

I made a similar inquiry last week (Signature update schedule, and
requirements for adding Signatures) - this was the response:

My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem. I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with that. ClamAV got more than a million virus samples per day, last time I inquired.
...Chris


Best Regards
Michael

C.D. Cochrane
2016-05-23 12:44:33 UTC
Hi Michael and Michael,
You may want to look at sanesecurity[.]org. They have a supplemental ClamAV database that
is supposed to be better at detecting the current scourge of ransomware and malware. It
was recommended to me when I noted that ClamAV seems to miss a LOT of the current malware,
but I have not tried it yet.
...Chris 
Post by Michael D. L.
Post by Michael Heseltine
Hello all,
I have recently modified my exim (4.82) configuration so that all
messages pass through clamav (0.99.2) first. Anything labeled as
malware should be rejected while the incoming SMTP connection is still
open (using an *acl_smtp_data* in exim).
But so far, this setup has not detected a single malware. All messages
Hi Michael,
I made a similar inquiry last week (Signature update schedule, and
Post by Michael Heseltine
Post by Michael D. L.
My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
that. ClamAV got more than a million virus samples per day, last time I inquired.
...Chris
Best Regards
Michael
Arnaud Jacques / SecuriteInfo.com
2016-05-23 12:55:34 UTC
Hello,
Post by C.D. Cochrane
Hi Michael and Michael,
You may want to look at sanesecurity[.]org. They have a supplemental ClamAV
database that is supposed to be better at detecting the current scourge of
ransomware and malware.
You can check this too : https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml?lg=en
--
Best regards,

Arnaud Jacques
SecuriteInfo.com

Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Michael D. L.
2016-05-23 13:33:02 UTC
Post by C.D. Cochrane
Hi Michael and Michael,
You may want to look at sanesecurity[.]org. They have a supplemental ClamAV database that
is supposed to be better at detecting the current scourge of ransomware and malware. It
was recommended to me when I noted that ClamAV seems to miss a LOT of the current malware,
but I have not tried it yet.
...Chris
Post by Michael Heseltine
Hello all,
I have recently modified my exim (4.82) configuration so that all
messages pass through clamav (0.99.2) first. Anything labeled as
malware should be rejected while the incoming SMTP connection is still
open (using an *acl_smtp_data* in exim).
But so far, this setup has not detected a single malware. All messages
Hi Chris,

Excellent - just installed it, and it's already working its magic :)

Thanks for the tip!

Best Regards
Michael
Steve Basford
2016-05-23 13:52:14 UTC
Post by Michael D. L.
Post by C.D. Cochrane
Hi Michael and Michael,
You may want to look at sanesecurity[.]org. They have a supplemental
ClamAV database that
is supposed to be better at detecting the current scourge of ransomware
and malware. It was recommended to me when I noted that ClamAV seems to
miss a LOT of the current malware, but I have not tried it yet. ...Chris
Post by Michael Heseltine
Hello all,
I have recently modified my exim (4.82) configuration so that all
messages pass through clamav (0.99.2) first. Anything labeled as
malware should be rejected while the incoming SMTP connection is
still open (using an *acl_smtp_data* in exim).
But so far, this setup has not detected a single malware. All
Hi Chris,
Excellent - just installed it, and it's already working its magic :)
The views and opinions expressed by Michael in the above post that
Sanesecurity possesses magic, are solely his own and do not necessarily
represent the views of the ministry of magic(tm).

Having said that.. glad they are helping...

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity

Michael D. L.
2016-05-23 14:10:31 UTC
Post by Michael D. L.
Excellent - just installed it, and it's already working its magic :)
The views and opinions expressed by Michael in the above post that
Sanesecurity possesses magic, are solely his own and do not necessarily
represent the views of the ministry of magic(tm).
Having said that.. glad they are helping...
Cheers,
Steve
Web : sanesecurity.com
I'm pretty sure I saw a Unicorn appear when I ran the Install-script ;)

Best regards
Michael


Groach
2016-05-23 16:45:09 UTC
Post by Michael D. L.
Hi Michael,
I made a similar inquiry last week (Signature update schedule, and
Post by Michael D. L.
My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
that. ClamAV got more than a million virus samples per day, last time I inquired.
...Chris
Best Regards
Michael
As for their claim above about Dridex etc. being too numerous to handle,
Sane Security seems to be doing just a fine job of it. (So it's just a
lame response).

Yep. An antivirus solution that by their own admission will not be
giving out signatures to real threats as there are too many, and
shouldn't be used as a realtime threat protection to real threats and
should only be used to supplement a more superior and effective AV solution.

So, tell me again, what is the point of it?

If I am already investing/relying on a more effective solution for
Zero-day threats and realtime scanning to stop being hit, why do I need
Clam? (If the more effective solution is going to get it then for sure
Clam isn't. Like asking your one-legged Grandad to help push the car that
is currently being towed by a tow truck).

Of course, you may have chosen to not have another solution, and to ONLY
use the Clam default signatures. Then you can rely on it:

a, once the threat has already hit your system and done its damage and
b, to advise you that you have been hit so you can then use another
solution to recover/cure your (now infected) system (hopefully!)

Yeah. I hope people that are struggling to get through the problems of
getting it to install/compile and download the updates and yet not use
3rd party signatures actually realise what ultimately they are going to
achieve.

Nada.

May they be lucky in life.
Dennis Peterson
2016-05-23 17:49:17 UTC
Everything about ClamAV is open source and free. Including the signatures. There
is nothing stopping any of us from filling the gaps in signatures.

dp
Post by Michael D. L.
Hi Michael,
I made a similar inquiry last week (Signature update schedule, and
Post by Michael D. L.
My 2 cents would be that rapid traditional signature updates are not a
viable solution to this long term problem.
I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc.
ransomware is generated using millions
of tiny mutations so that almost every email attachment has a unique
signature. There is no way to keep up with
that. ClamAV got more than a million virus samples per day, last time I
inquired.
...Chris
Best Regards
Michael
As for their claim above about Dridex etc. being too numerous to handle, Sane
Security seems to be doing just a fine job of it. (So it's just a lame response).
Yep. An antivirus solution that by their own admission will not be giving
out signatures to real threats as there are too many, and shouldn't be used as
a realtime threat protection to real threats and should only be used to
supplement a more superior and effective AV solution.
So, tell me again, what is the point of it?
If I am already investing/relying on a more effective solution for Zero-day
threats and realtime scanning to stop being hit, why do I need Clam? (If the
more effective solution is going to get it then for sure Clam isn't. Like
asking your one-legged Grandad to help push the car that is currently being
towed by a tow truck).
Of course, you may have chosen to not have another solution, and to ONLY use
a, once the threat has already hit your system and done its damage and
b, to advise you that you have been hit so you can then use another solution
to recover/cure your (now infected) system (hopefully!)
Yeah. I hope people that are struggling to get through the problems of
getting it to install/compile and download the updates and yet not use 3rd
party signatures actually realise what ultimately they are going to achieve.
Nada.
May they be lucky in life.
C.D. Cochrane
2016-05-23 17:52:19 UTC
Post by Groach
Post by Michael D. L.
My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
that. ClamAV got more than a million virus samples per day, last time I inquired.
...Chris
As for they claim above about Dridex etc being too numerous to handle,
Sane Security seems to be doing just a fine job of it. (So its just a
lame response).
I'm not sure what heuristic Sane Security uses. My original point was that a traditional signature (sigtool?)
on the current generation of malware seems to be a non-scalable idea. One million new sigs per day is not
realistic. ClamAV must evolve if it is going to remain useful. There has to be a better scheme to ID new
malware than sigtool.

Otherwise, groach is right. ClamAV is just a redundant way to scan for virus files from 2008 or see if your
latest files can generate FPs.
...Chris
Joel Esler (jesler)
2016-05-23 18:03:05 UTC
--
Joel Esler
Manager, Talos Group

On May 23, 2016, at 1:52 PM, C.D. Cochrane <***@post.com> wrote:

My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
that. ClamAV got more than a million virus samples per day, last time I inquired.
...Chris

As for they claim above about Dridex etc being too numerous to handle,
Sane Security seems to be doing just a fine job of it. (So its just a
lame response).

I'm not sure what heuristic Sane Security uses. My original point was that a traditional signature (sigtool?)
on the current generation of malware seems to be a non-scalable idea. One million new sigs per day is not
realistic. ClamAV must evolve if it is going to remain useful. There has to be a better scheme to ID new
malware than sigtool.

Otherwise, groach is right. ClamAV is just a redundant way to scan for virus files from 2008 or see if your
latest files can generate FPs.


Obviously going to disagree. We are pushing almost a thousand pieces of detection every four hours now, and that will only increase from here.
C.D. Cochrane
2016-05-23 18:15:44 UTC
Obviously going to disagree. We are pushing almost a thousand pieces of detection
every four hours now, and that will only increase from here.
1,000,000 unique submissions per day vs. 6000 "pieces of detection" per day. If that is
"apples" to "apples" then I'd have to say ClamAV is losing the war. If, on the
other hand, every "piece of detection" hits 200 samples then you are winning!

But based upon the lack of hits in my quarantine folder I would have to conclude
that it is a losing battle at the moment.
...Chris
Joel Esler (jesler)
2016-05-23 18:29:07 UTC
Every AV is losing. That’s why we’re working on alternative things at the same time.
--
Joel Esler
Manager, Talos Group

On May 23, 2016, at 2:15 PM, C.D. Cochrane <***@post.com> wrote:

Obviously going to disagree. We are pushing almost a thousand pieces of detection
every four hours now, and that will only increase from here.

1,000,000 unique submissions per day vs. 6000 "pieces of detection" per day. If that is
"apples" to "apples" then I'd have to say ClamAV is losing the war. If, on the
other hand, every "piece of detection" hits 200 samples then you are winning!

But based upon the lack of hits in my quarantine folder I would have to conclude
that it is a losing battle at the moment.
...Chris
Dave McMurtrie
2016-05-23 18:39:41 UTC
Post by C.D. Cochrane
Post by Groach
Post by Michael D. L.
My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
that. ClamAV got more than a million virus samples per day, last time I inquired.
...Chris
As for they claim above about Dridex etc being too numerous to handle,
Sane Security seems to be doing just a fine job of it. (So its just a
lame response).
I'm not sure what heuristic Sane Security uses. My original point was that a traditional signature (sigtool?)
on the current generation of malware seems to be a non-scalable idea. One million new sigs per day is not
realistic. ClamAV must evolve if it is going to remain useful. There has to be a better scheme to ID new
malware than sigtool.
Otherwise, groach is right. ClamAV is just a redundant way to scan for virus files from 2008 or see if your
latest files can generate FPs.
Are there any open-source alternatives that are better than ClamAV? We
actually attempted to use the Sophos PureMessage AV component (since
we're paying for it as part of our PureMessage license anyway). The
memory footprint was such that it demolished our MTA servers, so we had
to bag that idea.

ClamAV is fast, free, easy to integrate with just about any MTA and it's
actively developed. We've been running it for years, along with the
SaneSecurity signatures and it's been working well for us. If there's a
better alternative, I'd be interested in learning about it.

--Dave
Joel Esler
2016-05-23 18:41:45 UTC
Post by Dave McMurtrie
Post by C.D. Cochrane
Post by Groach
Post by Michael D. L.
My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
that. ClamAV got more than a million virus samples per day, last time I inquired.
...Chris
As for they claim above about Dridex etc being too numerous to handle,
Sane Security seems to be doing just a fine job of it. (So its just a
lame response).
I'm not sure what heuristic Sane Security uses. My original point was that a traditional signature (sigtool?)
on the current generation of malware seems to be a non-scalable idea. One million new sigs per day is not
realistic. ClamAV must evolve if it is going to remain useful. There has to be a better scheme to ID new
malware than sigtool.
Otherwise, groach is right. ClamAV is just a redundant way to scan for virus files from 2008 or see if your
latest files can generate FPs.
Are there any open-source alternatives that are better than ClamAV? We
actually attempted to use the Sophos PureMessage AV component (since
we're paying for it as part of our PureMessage license anyway). The
memory footprint was such that it demolished our MTA servers, so we had
to bag that idea.
ClamAV is fast, free, easy to integrate with just about any MTA and it's
actively developed. We've been running it for years, along with the
SaneSecurity signatures and it's been working well for us. If there's a
better alternative, I'd be interested in learning about it.
I'd be interested in shipping as much detection as we possibly can for ClamAV. This is a community, but I'd love to have an increase in the amount of signatures sent back to us.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com
Groach
2016-05-23 18:56:57 UTC
Post by Dave McMurtrie
ClamAV is fast, free, easy to integrate with just about any MTA and
it's actively developed. We've been running it for years, along with
the SaneSecurity signatures and it's been working well for us. If
there's a better alternative, I'd be interested in learning about it.
For the record, I too am using Clam (Clamwin, actually) as the inline
email scanner for our MTA but that's only because we have subscribed to
SaneSignatures (a money donation well worth it). Without Sane the clam
default sigs are a joke (sometimes taking MONTHS to appear after the
threat release, sometimes not even there for years later. I've proven,
all of these points, with evidence, in the past). Sane sigs, however,
made the solution better if not the BEST compared to ALL OTHER
commercial releases for trapping Zero-hour threat (they really put the
'zero hour' into "zero hour" unlike other AV providers taking 'many
hours' (sometimes even "a day or two") to respond with their "zero hour"
signatures).

The one lesson I did learn though was never to automatically quarantine
or delete 'infected' files (put it in REPORT ONLY scan mode).
Historically Clam sigs had far too many False Positives which famously
culminated in disabling complete systems earlier this year (windows
specifically) because they deleted system DLL files and other genuine
programs - even its own Clam program! (Admittedly, since March, the rate
of FPs seems to have been reduced. Whether that's because of the new
signature format or what I don't know).
Joel Esler
2016-05-23 19:21:09 UTC
Post by Groach
Post by Dave McMurtrie
ClamAV is fast, free, easy to integrate with just about any MTA and
it's actively developed. We've been running it for years, along with
the SaneSecurity signatures and it's been working well for us. If
there's a better alternative, I'd be interested in learning about
it.
For the record, I too am using Clam (Clamwin, actually) as the inline
email scanner for our MTA but that's only because we have subscribed to
SaneSignatures (a money donation well worth it). Without Sane the clam
default sigs are a joke (sometimes taking MONTHS to appear after the
threat release, sometimes not even there for years later. I've proven,
all of these points, with evidence, in the past). Sane sigs, however,
made the solution better if not the BEST compared to ALL OTHER
commercial releases for trapping Zero-hour threat (they really put the
'zero hour' into "zero hour" unlike other AV providers taking 'many
hours' (sometimes even "a day or two") to respond with their "zero
hour" signatures).
The one lesson I did learn though was never to automatically
quarantine or delete 'infected' files (put it in REPORT ONLY scan
mode). Historically Clam sigs had far too many False Positives which
famously culminated in disabling complete systems earlier this year
(windows specifically) because they deleted system DLL files and other
genuine programs - even its own Clam program! (Admittedly, since
March, the rate of FPs seems to have been reduced. Whether that's
because of the new signature format or what I don't know).
Several reasons. Partly because of your concerns which brought things to our attention. False Positive reports are important!

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com
Groach
2016-05-23 19:33:10 UTC
Post by Joel Esler
Post by Groach
Post by Dave McMurtrie
ClamAV is fast, free, easy to integrate with just about any MTA and
it's actively developed. We've been running it for years, along with
the SaneSecurity signatures and it's been working well for us. If
there's a better alternative, I'd be interested in learning about it.
For the record, I too am using Clam (Clamwin, actually) as the inline
email scanner for our MTA but that's only because we have subscribed
to SaneSignatures (a money donation well worth it). Without Sane the
clam default sigs are a joke (sometimes taking MONTHS to appear after
the threat release, sometimes not even there for years later. I've
proven, all of these points, with evidence, in the past). Sane sigs,
however, made the solution better if not the BEST compared to ALL
OTHER commercial releases for trapping Zero-hour threat (they really
put the 'zero hour' into "zero hour" unlike other AV providers
taking 'many hours' (sometimes even "a day or two") to respond with
their "zero hour" signatures).
The one lesson I did learn though was never to automatically
quarantine or delete 'infected' files (put it in REPORT ONLY scan
mode). Historically Clam sigs had far too many False Positives which
famously culminated in disabling complete systems earlier this year
(windows specifically) because they deleted system DLL files and
other genuine programs - even its own Clam program! (Admittedly,
since March, the rate of FPs seems to have been reduced. Whether
that's because of the new signature format or what I don't know).
Several reasons. Partly because of your concerns which brought things
to our attention. False Positive reports are important!
Positive responses to peoples concerns are always worthy of recognition
and credit where credit is due. Thank you for addressing them. Nice to
hear..
Gene Heskett
2016-05-23 20:49:48 UTC
Post by C.D. Cochrane
Obviously going to disagree. We are pushing almost a thousand pieces
of detection every four hours now, and that will only increase from
here.
1,000,000 unique submissions per day vs. 6000 "pieces of detection"
per day. If that is "apples" to "apples" then I'd have to say ClamAV
is losing the war. If, on the other hand, every "piece of detection"
hits 200 samples then you are winning!
But based upon the lack of hits in my quarantine folder I would have
to conclude that it is a losing battle at the moment.
...Chris
Reluctantly, I am forced to agree WRT incoming detections. Using that
procmail recipe I sent earlier today, the date on
my /var/spool/mail/virii file is Mar 31st, and it's now the last week of
May. Several have been identified as they sail through my spam tree, but
they got there by getting past that procmail recipe.
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
Michael Heseltine
2016-05-24 13:00:24 UTC
Hello everyone,
Post by Michael D. L.
Post by C.D. Cochrane
You may want to look at sanesecurity[.]org. They have a supplemental
ClamAV database that
is supposed to be better at detecting the current scourge of
ransomware and malware. It
was recommended to me when I noted that ClamAV seems to miss a LOT of
the current malware,
but I have not tried it yet.
Excellent - just installed it, and it's already working its magic :)
Thanks for the tip!
Thanks from the other Michael, too - this seems to work quite well from
what I can say after 18 hours with the additional signatures. Finally,
ClamAV detects some viruses.

Cheers, Michael
G.W. Haywood
2016-05-28 14:00:09 UTC
Permalink
Hi there,
... ClamAV is just ...
Obviously going to disagree. ...
I'll disagree too, since ClamAV here sees approximately one virus per
annum (and as far as I'm concerned, whether or not ClamAV detects the
virus that it sees is really not an issue). For some explanation see

http://marc.info/?l=clamav-users&m=141245133506824&w=2
--
73,
Ged.
Joel Esler (jesler)
2016-05-28 15:03:22 UTC
Permalink
So our recent improvements and detection have not produced any different result in the field?

Sent from my Apple Watch
Groach
2016-05-28 15:27:23 UTC
Permalink
I have several viruses on file that I have accumulated over the last two years or so. I will do a test to see which ones are detected and I will post the results here.
Groach
2016-05-28 16:12:19 UTC
Permalink
24 files, ALL OF THEM are viruses of some sort or another (including 1
which is the eicar test virus).

ClamAV database:


----------- SCAN SUMMARY -----------
Known viruses: 4397481
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
**Infected files: 10**

Data scanned: 5.27 MB
Data read: 1.48 MB (ratio 3.57:1)
Time: 15.429 sec (0 m 15 s)

--------------------------------------
Completed
--------------------------------------

10. Just 10. Out of 24. And these are all OLD viruses (minimum 2
months old except 1).


But with SANE DEFINITIONS:

----------- SCAN SUMMARY -----------
Known viruses: 4512349
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
**Infected files: 23**

Data scanned: 3.92 MB
Data read: 1.48 MB (ratio 2.65:1)
Time: 17.409 sec (0 m 17 s)

--------------------------------------
Completed
--------------------------------------

Says it all really. I leave you to make your own conclusions.
Groach
2016-05-28 16:21:30 UTC
Permalink
In case you are wondering, and for fairness of evaluation, here are the
files, and their dates:


C:\Users\User>dir "Z:\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN" /o:d
Volume in drive Z is DATAPART1
Volume Serial Number is C4AC-61ED

Directory of Z:\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN

18/06/2004 16:26 68 eicar.com
01/08/2014 11:02 9,645 Ar01_Annual_Return.zip
01/08/2014 11:12 10,623 Incident_6256120.zip
24/09/2014 13:40 49,152 contention_111924953056769_6STQZ57.txt
24/09/2014 13:40 49,152 contention_111924953056769_6STQZ57.exe
24/09/2014 21:13 32,440 contention_111924953056769_6STQZ57.rar
30/09/2014 12:58 33,816 order_20140930_56311643656.zip
02/11/2015 15:19 103,936 PORDER.DOC
02/11/2015 19:30 36,556 PORDER.7z
03/11/2015 12:05 7,543 IMPORTANT NOTICE.eml
03/11/2015 12:06 141,973 New Purchase Order for CTY TM PHUC LOC TNHH.eml
03/11/2015 12:07 3,140 New Monthly estatement is ready - MBNA.eml
04/11/2015 21:59 31,601 Purchase Order 0000035394.7z
07/01/2016 14:19 7,349 Asia_Cn domain name & Internet Keyword.eml
07/01/2016 14:19 9,008 Remittance Advisory Email.eml
07/01/2016 14:19 13,554 SPAM filter not applied ( Fwd BUY CILAIS & VIGARA -73% Discount! 1 day shipping!).em
07/01/2016 14:19 25,392 [SPAM] [5.2] Missed package delivery.eml
07/01/2016 14:19 292,225 [SPAM] [5.7] Remittance Advice for 407.74 GBP.eml
15/01/2016 09:19 254,976 NA8T3OCYI2W8.doc
30/01/2016 20:41 2,336 Inflame your impulse to maximum_POP.eml
24/02/2016 22:34 2,262 invoice_copy_20162743.zip
07/04/2016 09:49 168,379 7193113168.doc
07/04/2016 09:49 182,289 6615166920.doc
26/05/2016 08:09 124,610 4_218_66.dot
28/05/2016 18:14 <DIR> .
28/05/2016 18:14 <DIR> ..
24 File(s) 1,592,025 bytes
2 Dir(s) 193,649,790,976 bytes free


Dennis Peterson
2016-05-28 16:29:29 UTC
Permalink
Are these true viruses or otherwise harmful (and if so how is that known) or
does the list include messages that are unwanted junk mail? If junk mail, which
is subjective, there will always be differences between vendor signatures
because nobody agrees about what is and is not junk mail.

dp
Groach
2016-05-28 16:42:07 UTC
Permalink
They are all virus attachments (some still attached to emails, some
detached from the email and simply saved as the attachment) with
exception of the one 'viagra cialis....eml' which is a link to an
unwanted website.

If you want to determine how damaging, I'm quite happy to send them to
you if you doubt me. (Go on....put your faith in ClamAV!)
G.W. Haywood
2016-05-28 17:19:58 UTC
Permalink
Hello Joel,
Post by Joel Esler (jesler)
So our recent improvements and detection have not produced any
different result in the field?
If you're asking me, I think you're asking the wrong person. As I
explained in my October 2014 message, I filter out the vast majority
of the cr@p before clamd gets a chance to look at it. For example the
server log extract below shows that of the just under 210,000 message
attempts processed in sixteen months (more than 90% of which would be
unwanted), only 42 got as far as being looked at and flagged by clamd.

If what I've shown here is representative (and I've no way of knowing
if it is), then in the last year or so the mix seems to have changed
somewhat. The detections also seem to bunch, so it looks like there
are distinct 'campaigns'. I probably nail the campaigns manually (a
TARPIT rule or something :) if and when I spot them in the logs, and
the statistics aren't very good with such small numbers anyway.

mail5:/var/log/system_logs# >>> find 201[56] -name 'mail.info.*' | xargs grep NOQUEUE | wc -l
209327

mail5:/var/log/system_logs# >>> find 201[56] -name 'mail.info.*' | sort | xargs grep FOUND
2015/2015.01/mail.info.1:Jan 9 19:01:33 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.bilder-upload.eu.UNOFFICIAL FOUND
2015/2015.01/mail.info.1:Jan 11 05:37:18 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.dreamhostps.com.UNOFFICIAL FOUND
2015/2015.01/mail.info.1:Jan 11 10:09:33 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.dreamhostps.com.UNOFFICIAL FOUND
2015/2015.01/mail.info.1:Jan 13 19:01:22 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.bilder-upload.eu.UNOFFICIAL FOUND
2015/2015.02/mail.info.1:Feb 7 12:01:22 mail5 clamd[25353]: fd[10]: Sanesecurity.Porn.7849.UNOFFICIAL FOUND
2015/2015.02/mail.info.1:Feb 7 18:09:22 mail5 clamd[25353]: fd[10]: Sanesecurity.Scam4.1455.UNOFFICIAL FOUND
2015/2015.02/mail.info.1:Feb 11 18:43:01 mail5 clamd[25353]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2015/2015.02/mail.info.1:Feb 19 02:29:35 mail5 clamd[25353]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.03/mail.info.1:Mar 3 22:05:28 mail5 clamd[25353]: fd[10]: Sanesecurity.Junk.37650.UNOFFICIAL FOUND
2015/2015.03/mail.info.1:Mar 16 15:17:25 mail5 clamd[25353]: fd[10]: Sanesecurity.Scam4.1604.UNOFFICIAL FOUND
2015/2015.03/mail.info.1:Mar 24 07:30:00 mail5 clamd[25353]: fd[10]: Sanesecurity.Junk.28723.UNOFFICIAL FOUND
2015/2015.04/mail.info.1:Apr 7 04:51:38 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.elasticemail.com.UNOFFICIAL FOUND
2015/2015.04/mail.info.1:Apr 7 08:51:08 mail5 clamd[25353]: fd[10]: SecuriteInfo.com.Spammer.elasticemail.com.UNOFFICIAL FOUND
2015/2015.05/mail.info.1:May 14 18:45:38 mail5 clamd[25353]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2015/2015.06/mail.info.1:Jun 19 19:01:32 mail5 clamd[25353]: fd[10]: ScamNailer.Phish.user_AT_email.com.UNOFFICIAL FOUND
2015/2015.07/mail.info.1:Jul 30 08:46:12 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.08/mail.info.1:Aug 14 18:43:35 mail5 clamd[27435]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2015/2015.09/mail.info.1:Sep 25 14:44:32 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.10/mail.info.1:Oct 2 09:35:40 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.10/mail.info.1:Oct 29 16:40:39 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.11/mail.info.1:Nov 13 18:41:19 mail5 clamd[27435]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2015/2015.11/mail.info.1:Nov 18 02:27:08 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.12/mail.info.1:Dec 8 02:34:53 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2015/2015.12/mail.info.1:Dec 9 09:24:25 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.01/mail.info.1:Jan 12 03:17:22 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.01/mail.info.1:Jan 25 23:28:40 mail5 clamd[27435]: fd[10]: Sanesecurity.Malware.25445.JsHeur.UNOFFICIAL FOUND
2016/2016.01/mail.info.1:Jan 26 11:43:37 mail5 clamd[27435]: fd[10]: ScamNailer.Phish.account_AT_gmail.com.UNOFFICIAL FOUND
2016/2016.01/mail.info.1:Jan 26 23:16:15 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.02/mail.info.1:Feb 1 16:48:37 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.02/mail.info.1:Feb 1 22:05:17 mail5 clamd[27435]: fd[10]: Sanesecurity.Junk.51851.UNOFFICIAL FOUND
2016/2016.02/mail.info.1:Feb 7 07:46:07 mail5 clamd[27435]: fd[10]: Sanesecurity.Junk.51838.UNOFFICIAL FOUND
2016/2016.02/mail.info.1:Feb 8 08:06:51 mail5 clamd[27435]: fd[10]: Sanesecurity.Junk.50759.UNOFFICIAL FOUND
2016/2016.02/mail.info.1:Feb 12 18:37:21 mail5 clamd[27435]: fd[10]: Heuristics.Phishing.Email.SpoofedDomain FOUND
2016/2016.03/mail.info.1:Mar 15 13:26:03 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.03/mail.info.1:Mar 18 16:43:43 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:44 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:44 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:45 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 31 08:45:15 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.04/mail.info.1:Apr 20 08:21:54 mail5 clamd[15188]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.04/mail.info.1:Apr 28 01:05:36 mail5 clamd[15188]: fd[10]: Sanesecurity.Malware.25690.ZipHeur.UNOFFICIAL FOUND
2016/2016.04/mail.info.1:Apr 29 02:30:59 mail5 clamd[15188]: fd[10]: Heuristics.Encrypted.PDF FOUND

As you can see below the number of messages quarantined by MIMEDefang
(the last milter in the chain) has dropped drastically in the last few
years - note that 2016 is only four months long so far, but even so it
points to big changes in the threat landscape:

mail5:/var/spool/MD-Quarantine# >>> for i in 2013 2014 2015 2016 ; do ls -l --full-time | grep $i- | wc -l ; done
318
101
90
6

HTH
--
73,
Ged.
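One way to read a log extract like the one above for the "bunching" Ged mentions, as an added example and not the poster's own tooling: it parses the `grep FOUND` lines (year recovered from the rotated-log path, since syslog timestamps carry none), totals detections per month and per signature family, and flags the same signature firing repeatedly within a day. The sample lines are a constructed subset of the extract above.

```python
"""Aggregate clamd 'FOUND' lines pulled from rotated syslog files by month and
by signature family, and flag bursts of one signature (the 'campaigns' above)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# One line of `grep FOUND` output over rotated logs looks like
#   2016/2016.03/mail.info.1:Mar 29 18:15:44 mail5 clamd[27435]: fd[10]: <sig> FOUND
# The syslog timestamp carries no year, so the year is taken from the
# YYYY/YYYY.MM directory prefix that grep prepends to each line.
LINE_RE = re.compile(
    r"^(?P<path>[^:]+):(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d) \S+ clamd\[\d+\]: fd\[\d+\]: (?P<sig>\S+) FOUND$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """(timestamp, signature) for a grep'd clamd FOUND line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    year = re.search(r"\d{4}", m.group("path")).group()
    stamp = f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m.group("sig")


def family(sig: str) -> str:
    """Collapse a signature name to its first two components, e.g.
    Sanesecurity.Junk.51851.UNOFFICIAL -> Sanesecurity.Junk,
    Heuristics.Encrypted.PDF -> Heuristics.Encrypted."""
    return ".".join(sig.split(".")[:2])


def summarize(lines: List[str]):
    """Detections per calendar month, per family, and the raw (time, sig) events."""
    per_month: Counter = Counter()
    per_family: Counter = Counter()
    events: List[Tuple[datetime, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sig = parsed
        per_month[ts.strftime("%Y-%m")] += 1
        per_family[family(sig)] += 1
        events.append((ts, sig))
    return dict(per_month), dict(per_family), events


def bursts(events, window: timedelta = timedelta(hours=24), min_hits: int = 3):
    """Signatures that fire at least `min_hits` times inside `window`.

    With only a few dozen detections a year, a cluster of the same signature
    within hours is far more likely one mailing campaign than independent mail,
    which is why per-month totals alone overstate how many distinct threats
    got through. Returns (signature, first_hit, last_hit) for the first burst
    of each signature.
    """
    by_sig: Dict[str, List[datetime]] = defaultdict(list)
    for ts, sig in events:
        by_sig[sig].append(ts)
    found = []
    for sig, times in by_sig.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= min_hits:
                found.append((sig, times[start], times[end]))
                break
    return found


# Constructed sample: a handful of the lines from the log extract above.
SAMPLE_LOG = """\
2015/2015.12/mail.info.1:Dec 8 02:34:53 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
2016/2016.02/mail.info.1:Feb 1 22:05:17 mail5 clamd[27435]: fd[10]: Sanesecurity.Junk.51851.UNOFFICIAL FOUND
2016/2016.02/mail.info.1:Feb 7 07:46:07 mail5 clamd[27435]: fd[10]: Sanesecurity.Junk.51838.UNOFFICIAL FOUND
2016/2016.02/mail.info.1:Feb 8 08:06:51 mail5 clamd[27435]: fd[10]: Sanesecurity.Junk.50759.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:44 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:44 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 29 18:15:45 mail5 clamd[27435]: fd[10]: Sanesecurity.Jurlbl.773dc6.UNOFFICIAL FOUND
2016/2016.03/mail.info.1:Mar 31 08:45:15 mail5 clamd[27435]: fd[10]: Heuristics.Encrypted.PDF FOUND
"""

if __name__ == "__main__":
    per_month, per_family, events = summarize(SAMPLE_LOG.splitlines())
    print("per month :", per_month)
    print("per family:", per_family)
    for sig, first, last in bursts(events):
        hits = sum(1 for _, s in events if s == sig)
        print(f"burst: {sig} x{hits} between {first} and {last}")
```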
Dennis Peterson
2016-05-28 18:06:41 UTC
Permalink
Trying to get useful information from your posts - would it be possible to show
the official and unofficial signatures that returned positive detection?

dp
Groach
2016-05-28 21:01:22 UTC
Permalink
Post by Dennis Peterson
Trying to get useful information from your posts - would it be
possible to show the official and unofficial signatures that returned
positive detection?
dp
No problem.

Here are the scan results from the log (remember I have already given
you a list of the files being scanned earlier):

CLAMAV only:

Scan Started Sat May 28 17:06:36 2016
-------------------------------------------------------------------------------


D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\eicar.com: Eicar-Test-Signature FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\Incident_6256120.zip: Win.Trojan.Generickd-494 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\PORDER.7z: Doc.Trojan.Locky-1 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\PORDER.DOC: Doc.Trojan.Locky-1 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\Purchase Order 0000035394.7z: Win.Trojan.Downloader-66488 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\[SPAM] [5.2] Missed package delivery.eml: Win.Trojan.Generickd-2728 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\Ar01_Annual_Return.zip: Win.Trojan.Generickd-513 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\contention_111924953056769_6STQZ57.exe: Win.Trojan.Dalexis-23 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\contention_111924953056769_6STQZ57.rar: Win.Trojan.Dalexis-23 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\contention_111924953056769_6STQZ57.txt: Win.Trojan.Dalexis-23 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4397481
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
Infected files: 10
Data scanned: 5.27 MB
Data read: 1.48 MB (ratio 3.57:1)
Time: 15.429 sec (0 m 15 s)




with SANE defs:

Scan Started Sat May 28 17:13:36 2016
-------------------------------------------------------------------------------


D:\DecroData\ACCESS tests\VirusTestFolder\4_218_66.dot: Sanesecurity.Rogue.0hr.20160526-1142.MacroImg.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\6615166920.doc: Sanesecurity.Badmacro.Doc.shellv.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\7193113168.doc: Sanesecurity.Badmacro.Doc.shellv.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Ar01_Annual_Return.zip: Win.Trojan.Generickd-513 FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Asia_Cn domain name & Internet Keyword.eml: Sanesecurity.Junk.12090.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\contention_111924953056769_6STQZ57.exe: Sanesecurity.Malware.ExeHeur.24328.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\contention_111924953056769_6STQZ57.rar: Sanesecurity.Malware.ExeHeur.24328.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\contention_111924953056769_6STQZ57.txt: Sanesecurity.Malware.ExeHeur.24328.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\eicar.com: Eicar-Test-Signature FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Incident_6256120.zip: Sanesecurity.Foxhole.Zip_scr.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Inflame your impulse to maximum_POP.eml: Sanesecurity.Jurlbl.cbc8b5.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\invoice_copy_20162743.zip: Sanesecurity.Foxhole.Zip_fs211.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\NA8T3OCYI2W8.doc: Sanesecurity.Badmacro.Doc.badps1.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\New Monthly estatement is ready - MBNA.eml: Sanesecurity.Jurlbl.5c480f.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\New Purchase Order for CTY TM PHUC LOC TNHH.eml: Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\order_20140930_56311643656.zip: Sanesecurity.Foxhole.Zip_Exenum.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\PORDER.7z: Doc.Trojan.Locky-1 FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\PORDER.DOC: Doc.Trojan.Locky-1 FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Purchase Order 0000035394.7z: Sanesecurity.Badmacro.Doc.shellv3.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Remittance Advisory Email.eml: Sanesecurity.Malware.25157.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\SPAM filter not applied ( Fwd BUY CILAIS & VIGARA -73% Discount! 1 day shipping!).eml: Sanesecurity.Junk.31186.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\[SPAM] [5.2] Missed package delivery.eml: Win.Trojan.Generickd-2728 FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\[SPAM] [5.7] Remittance Advice for 407.74 GBP.eml: Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4512349
Engine version: 0.99.1
Scanned directories: 1
Scanned files: 24
Infected files: 23
Data scanned: 3.92 MB
Data read: 1.48 MB (ratio 2.65:1)
Time: 17.206 sec (0 m 17 s)
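A way to tabulate two runs like the ones above, as an added example and not code from the thread or from ClamAV: it parses clamscan's `path: Signature FOUND` lines and reports which files only the .UNOFFICIAL signatures caught, which both runs missed, and which were reported under a different name once the extra database was loaded (the point Dennis was asking about). The sample lines are a constructed subset of the results posted above.

```python
"""Compare two clamscan runs over the same test corpus: stock ClamAV signatures
only, versus ClamAV with third-party (Sanesecurity) signatures loaded."""
import re
from typing import Dict, List

# clamscan prints one "<path>: <signature> FOUND" line per detection. A
# signature name never contains spaces, so the greedy path group backtracks to
# the last ": " before the final token even when the path itself has spaces.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Third-party databases (Sanesecurity, SecuriteInfo, ScamNailer, ...) carry the
# .UNOFFICIAL suffix in their signature names; official ClamAV signatures do not.
UNOFFICIAL_SUFFIX = ".UNOFFICIAL"


def basename(path: str) -> str:
    """Last path component, for Windows (backslash) as well as POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_clamscan(output: str) -> Dict[str, str]:
    """Map file basename -> reported signature for every FOUND line.

    Summary lines ('Known viruses: ...', 'Infected files: ...') do not match
    the pattern and are skipped. clamscan reports only the first signature that
    matches a file, so with several databases loaded the reported name reflects
    match order, not proof that the other database would have missed the file.
    """
    hits: Dict[str, str] = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[basename(m.group("path"))] = m.group("sig")
    return hits


def is_unofficial(sig: str) -> bool:
    return sig.endswith(UNOFFICIAL_SUFFIX)


def compare_runs(files: List[str], official_out: str, combined_out: str) -> Dict[str, list]:
    """Classify every file of the corpus by which run detected it.

    official         : caught by the stock signatures alone
    third_party_only : missed by stock signatures, caught by an .UNOFFICIAL one
    missed           : caught by neither run
    relabelled       : caught by both, but reported under a different name once
                       the extra database was loaded (first-match ordering)
    """
    official = parse_clamscan(official_out)
    combined = parse_clamscan(combined_out)
    result: Dict[str, list] = {"official": [], "third_party_only": [],
                               "missed": [], "relabelled": []}
    for name in sorted(files):
        if name in official:
            result["official"].append(name)
            if name in combined and combined[name] != official[name]:
                result["relabelled"].append((name, official[name], combined[name]))
        elif name in combined:
            key = "third_party_only" if is_unofficial(combined[name]) else "official"
            result[key].append(name)
        else:
            result["missed"].append(name)
    return result


# Constructed sample: a subset of the corpus and of the two runs posted in the
# thread, in clamscan's own output format (summary lines included to show that
# they are ignored by the parser).
CORPUS = ["eicar.com", "Incident_6256120.zip", "PORDER.DOC", "7193113168.doc",
          "4_218_66.dot", "IMPORTANT NOTICE.eml"]

OFFICIAL_RUN = r"""
D:\DecroData\ACCESS tests\VirusTestFolder\eicar.com: Eicar-Test-Signature FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Incident_6256120.zip: Win.Trojan.Generickd-494 FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\PORDER.DOC: Doc.Trojan.Locky-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 3
"""

COMBINED_RUN = r"""
D:\DecroData\ACCESS tests\VirusTestFolder\4_218_66.dot: Sanesecurity.Rogue.0hr.20160526-1142.MacroImg.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\7193113168.doc: Sanesecurity.Badmacro.Doc.shellv.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\eicar.com: Eicar-Test-Signature FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Incident_6256120.zip: Sanesecurity.Foxhole.Zip_scr.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\PORDER.DOC: Doc.Trojan.Locky-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 5
"""

if __name__ == "__main__":
    result = compare_runs(CORPUS, OFFICIAL_RUN, COMBINED_RUN)
    for key in ("official", "third_party_only", "missed"):
        print(f"{key:17s} {len(result[key])}: {', '.join(result[key])}")
    for name, before, after in result["relabelled"]:
        print(f"relabelled        {name}: {before} -> {after}")
```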
Joel Esler (jesler)
2016-05-28 21:38:44 UTC
Permalink
To be honest right now, I'm interested in threats coming out more recently. While yes, your concern is valid, I'd like to hear from someone with a more recent test set.

--
Joel Esler
iPhone

Groach
2016-05-28 23:36:57 UTC
Permalink
Ooh, Joel, I'm going to enjoy replying to this one.......
Groach,
If you hate the project so much....
I don't hate the product. Only last week (if you care to read back) I
declared how the product WITH THE AID OF 3RD PARTY SIGNATURES made it
almost the best product out there for ZERO-HOUR threats. And with this
reason, and CONSEQUENTLY the sheer fact I keep the product in operation
for the last 3 years, shows that I do not hate the product. Nor would
you see my very blatant advertising for it (as recommendation) in my
signature here: https://www.hmailserver.com/forum/index.php (it won't
take long for you to see).
......that you have to complain during every thread .....
I don't. Look back and I have hardly responded to any. I came on in
March (maybe February) after that fiasco with the Windows system-killing
signature issued back at the time. And I have involved myself in about
4 or 5 threads since. FOUR. However, what I have done is not relent on
the point I was making at the time. In the initial thread you were
pretty dismissive of the problem ("we can't test everything", "we are
working on other things", "we haven't had many complaints" etc etc) and
therefore, yes, it got pretty intense for you because such an attitude
to a genuine user's 'feedback' about the damage your product did was
outrageous and I wouldn't let it go. It was for this reason you remember
very clearly. And rather than sling mud at you I decided to battle on to
get the point across until you DID finally acknowledge there were issues
to be addressed. And let me remind you that only earlier this week you
acknowledged that my complaint and issues raised were partly responsible
for the work you have done recently.
and refuse to help and be constructive by providing files,
NOW I feel I want to swear at you! Reminder: I spent 2 YEARS regularly
sending in reports and files for inoculation by the ClamAV team as well
as the endless stream of False Positives. These reports were done
almost DAILY. And it was the observation that despite sending these
reports in nothing actually got done that made me so aware of the poor
performance of the product and the teams dealing with the signatures.
So you can take your claims of me 'not providing files' and stick them
in the hole you left where your up-to-date EFFECTIVE signatures should be!
or signatures for those files (which is just plain productive),....
NO! YOU provide the signatures! I gave you the files, and the false
positives! And now you are saying I need to give the signatures too?!
"Here, have an engine, receive a threat, analyse it, generate a
signature to protect yourself and let us have a copy please too (oh,
and don't forget to pay the ransom to get your system back from the
Cryptolocker virus that we failed to stop for you)". REALLY?!! Is that
how you want to maintain an Antivirus Solution? (Obviously, yes. It
does explain why they are so ineffective).
then perhaps you need to seek assistance elsewhere.
I don't need assistance. I KNOW the usefulness (or lack of) of ClamAV
and its definitions. My posts reminding of their performance were a
reminder to help others who THINK they are getting a protected system by
relying on Clam (only) signatures. THIS is what I call being helpful.
I don't think telling a 'user' of an ineffective system to 'stop
complaining about it and keep quiet' is any form of assistance whatsoever.
I am all for trying to help everyone on this list, as long as people
on this list attempt to help us, but just being honest, this method of
engagement is not helpful.
And there we have it. You don't even know what is helpful and what isn't.

a, I was responding to OTHER people who showed interest, requested
information from me (DP) and actually had nothing to do with you and
So our recent improvements and detection have not produced any different result in the field?
I was doing a test for YOU to see and conclude yourself! Don't bark at
me when you don't like the results given back to you.

c, WE are ENTITLED to share our experiences and offer guides to those
that want it even if it is not what JOEL ESLER - deny-er of problems,
wants to hear. If my complaints about your signatures, demonstrations
of their ineffectiveness and highlighter of your denial to problems
helps others to move on to employing 3rd party signatures (or move away
from Clam completely) to simply ensure their system is protected as they
expect it to be then I consider MY JOB as a helpful 'assistant' done.
Perhaps it's something you should take note of.


Case in point:

You have just said the list I provided was not up to date. Ooh, that's
ok then, as long as the users get infected by OLD viruses, they should
be happy.

Most of those files that failed detection by your product I REPORTED TO
CLAM at the time. Yes, even the ones that are 2 years old. And the
first file in the list is only 3 days old. So somewhere between 2
years and 3 days old, still not being detected - when exactly do you
want a valid file to be detected and therefore see Clam as successful?
Before it's released? Or another couple of years??

And going back to earlier in the thread I am not the only one. Quote G.W.
Haywood:

"I'll disagree too, since ClamAV here sees approximately one virus per
annum "

and I'm sure you don't have to look very hard for others to have the same
experience. This maillist is full of people saying "I've reported but
still it's not added...." type complaints. (And where it's not added, it's
missing and threats go undetected).

In other words, Mr Manager, if you don't want me (and others)
complaining about the product, then don't give me anything to complain about.

(p.s. Note for the Joel Esler fan club: Don't bother trying to defend, I'm
sure he is big enough to fight his own battles and I'm pretty thick
skinned. I have my system working with 3rd party signatures and know
better than to rely on it to save it (it's supplementary to other AV
features) and if you are a believer of the usefulness of this product,
rely on it without other supplements and say my FACTS above are wrong
then you are really a fool to yourself.)

You're welcome!
To be honest right now, I'm interested in threats coming out more recently. While yes, your concern is valid, I'd like to hear from someone with a more recent test set.
Most of those files that failed detection by your product I REPORTED TO
CLAM at the time. Yes, even the ones that are 2 years old. And the
first file in the list is only 3 days old. So somewhere between 2
years and 3 days old, still not being detected - when exactly do you
want a valid file to be detected and therefore see Clam as successful?
Before it's released? Or another couple of years??
24 files, ALL OF THEM are viruses of some sort or another (including 1 which is the eicar test virus).
----------- SCAN SUMMARY -----------
Known viruses: 4397481
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
**Infected files: 10**
Data scanned: 5.27 MB
Data read: 1.48 MB (ratio 3.57:1)
Time: 15.429 sec (0 m 15 s)
--------------------------------------
Completed
--------------------------------------
10. Just 10. Out of 24. And these are all OLD viruses (minimum 2 months old except 1).
----------- SCAN SUMMARY -----------
Known viruses: 4512349
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
**Infected files: 23**
Data scanned: 3.92 MB
Data read: 1.48 MB (ratio 2.65:1)
Time: 17.409 sec (0 m 17 s)
--------------------------------------
Completed
--------------------------------------
Says it all really. I leave you to make your own conclusions.
Hi there,
... ClamAV is just ...
Obviously going to disagree. ...
I'll disagree too, since ClamAV here sees approximately one virus per
annum (and as far as I'm concerned, whether or not ClamAV detects the
virus that it sees is really not an issue). For some explanation see
http://marc.info/?l=clamav-users&m=141245133506824&w=2
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
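The two scan summaries quoted above only give totals, which is enough to make the point but not enough to act on. As an added example (not code from the thread, from Groach's setup or from the ClamAV project), the Python script below compares clamscan's per-file output from two runs over the same sample directory, one with the official databases and one with Sane Security's databases added via -d, and lists which files only the third-party signatures caught and which neither set caught (the ones worth submitting). The log lines are constructed to mimic clamscan's "path: Signature FOUND" / "path: OK" lines; the paths, the database locations and the signature names are invented for the demonstration.

```python
"""Compare per-file clamscan results from two signature sets.

Added example, not code from the clamav-users thread or the ClamAV project.
Assumes two runs of clamscan over the same directory, e.g.

    clamscan -r --no-summary /samples > official.log
    clamscan -r --no-summary -d /var/lib/clamav -d /var/lib/clamav-sane /samples > combined.log

(-r, -d and --no-summary are real clamscan options; the paths are
assumptions). Only the per-file lines are parsed here.
"""
from typing import Dict, Optional

# Constructed sample output in clamscan's per-file format; the paths and the
# signature names are invented for this demonstration.
OFFICIAL_LOG = """\
/samples/invoice_2016.zip: OK
/samples/loader.js: OK
/samples/eicar.com: Eicar-Test-Signature FOUND
/samples/old_worm.exe: Win.Worm.Example-1 FOUND
/samples/IMPORTANT NOTICE.eml: OK
"""

COMBINED_LOG = """\
/samples/invoice_2016.zip: Sanesecurity.Example.Zip-1.UNOFFICIAL FOUND
/samples/loader.js: Sanesecurity.Example.JS-2.UNOFFICIAL FOUND
/samples/eicar.com: Eicar-Test-Signature FOUND
/samples/old_worm.exe: Win.Worm.Example-1 FOUND
/samples/IMPORTANT NOTICE.eml: OK
"""


def parse_clamscan(text: str) -> Dict[str, Optional[str]]:
    """Map each scanned path to the signature that hit it, or None for OK.

    clamscan prints one line per file: "<path>: <signature> FOUND" or
    "<path>: OK". The split is done on the last ": " because a path may
    itself contain a colon. Lines ending in ERROR or "Empty file" are skipped.
    """
    results: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        path, sep, result = line.strip().rpartition(": ")
        if not sep:
            continue
        if result == "OK":
            results[path] = None
        elif result.endswith(" FOUND"):
            results[path] = result[: -len(" FOUND")]
    return results


def compare(official_log: str, combined_log: str) -> dict:
    """Summarise what the second signature set adds over the first."""
    official = parse_clamscan(official_log)
    combined = parse_clamscan(combined_log)
    paths = set(official) | set(combined)
    hit_official = {p for p in paths if official.get(p)}
    hit_combined = {p for p in paths if combined.get(p)}
    gained = sorted(hit_combined - hit_official)
    return {
        "total": len(paths),
        "official_detected": len(hit_official),
        "combined_detected": len(hit_combined),
        "only_third_party": gained,
        "gained_signatures": {p: combined[p] for p in gained},
        # Files neither set caught: candidates for submission to the
        # signature maintainers rather than silent acceptance.
        "missed_by_both": sorted(paths - hit_official - hit_combined),
    }


if __name__ == "__main__":
    report = compare(OFFICIAL_LOG, COMBINED_LOG)
    print(f"official: {report['official_detected']}/{report['total']}, "
          f"with third-party: {report['combined_detected']}/{report['total']}")
    for path in report["only_third_party"]:
        print("  gained:", path, "->", report["gained_signatures"][path])
    for path in report["missed_by_both"]:
        print("  missed by both:", path)
```

With real logs, call compare(open("official.log").read(), open("combined.log").read()). Keeping the sample set fixed and re-running the comparison after each freshclam update is also a simple way to measure how long the official databases take to catch up on samples you submitted.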
C.D. Cochrane
2016-05-29 01:18:05 UTC
Permalink
Wow groach, no punches pulled! I have submitted more than 200 virus samples (and confirmed on VT) since January 2015. The majority are still undetected by native ClamAV. I can provide more precise numbers and details on Monday when I get back to my quarantine server, if it is actually helpful to someone.

I can also confirm that I have noticed a distinct uptick in the number of old viruses recently being added to ClamAV's official list. Progress is being made at a faster rate now than it was earlier in the year.

But, as I attempted to point out on another thread and groach stated pretty clearly, it really does not matter whether ClamAV adds the item 2 days later or 2 years later. They already got through.
...Chris
 
Sent: Saturday, May 28, 2016 at 7:36 PM
Subject: Re: [clamav-users] ClamAV+exim: scanner finds not a single malware
Ooh, Joel, I'm going to enjoy replying to this one.......
Joel Esler (jesler)
2016-05-29 02:46:51 UTC
Permalink
A. I wish I had a fan club
B. Thank you for your input.
C. We'll do better.

--
Joel Esler
Manager, Talos Group
Sent from my iPad

Dennis Peterson
2016-05-29 04:19:50 UTC
Permalink
Probably worth pointing out that the black hats have an excellent tool at their
disposal to test their day zero viruses and that would be Virus Total which
happens to use ClamAV among others. It's not a fair fight when we give them the
means to defeat us.

dp
Post by Joel Esler (jesler)
A. I wish I had a fan club
B. Thank you for your input.
C. We'll do better.
--
Joel Esler
Manager, Talos Group
Sent from my iPad
kristen R
2016-05-29 08:19:21 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A. I wish I had a fan club B. Thank you for your input. C.
We'll do better.
-- Joel Esler Manager, Talos Group
It should be obvious although not mentioned that everyone who uses
clamav is your fan club. I am a fan.

I also believe that clamav is an open source project? So if someone
doesn't like this product then they might submit a patch to improve
features or functionality?

If this is true, then bitching is unproductive. Else put your code
where your mouth is.

Kristen

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAldKpgkACgkQUytlwtz3/lCC7QCgro78UlExpr9AHC+SY6nSjGIT
yboAn06y/zxIocrFFLEwOe0Z/yDuYJYM
=xA3u
-----END PGP SIGNATURE-----
Groach
2016-05-29 09:22:28 UTC
Permalink
Post by kristen R
It should be obvious although not mentioned that everyone who uses
clamav is your fan club. I am a fan.
I also believe that clamav is an open source project? So if someone
doesn't like this product then they might submit a patch for improve
features or functionality?
If this is true, then bitching is unproductive. Else put your code
where your mouth is.
Kristen
I agree. So, all you people that don't like the product and its features
of ClamAV, come on and put your hands up, stop bitching and submit your
own patches. (Although the slight flaw in the statement is the
assumption that all users have the ability to code and fix the product.
If everyone that drives a car had the ability to fix them too, there
wouldn't be any service garages, would there. And not being skilled enough
to fix the car themselves doesn't mean they have to accept the
ineffective brakes 'as a feature'. In reality, of course, most people
are simply too busy running an IT department or mail server to learn
such new skills and leave coding to CODERS.)

And, army of disgruntled coders, whilst you're at it, maybe you can also
help to solve the REAL PROBLEM of the signatures too (effectivity
and frequency). Then the rest of us that like Clam (for its opportunity
to employ more useful 3rd party signatures) can also benefit. After all,
if Sane Security can make effective signatures, as a one-man unfunded
operation, then why oh why can't a CISCO-backed 'company' with its code
open to the world's programmers do the same? (Irony, anyone?)
C.D. Cochrane
2016-05-29 10:57:33 UTC
Permalink
This is too true. But is it possible that over time Virus Total/ClamAV results get
so good that black hats give up? Sadly, seems to be an argument in favor of
closed source.
...Chris
Post by Dennis Peterson
 
Probably worth pointing out that the black hats have an excellent tool at their
disposal to test their day zero viruses and that would be Virus Total which
happens to use ClamAV among others. It's not a fair fight when we give them the
means to defeat us.
dp
A. I wish I had a fan club
B. Thank you for your input.
C. We'll do better.
Ned Slider
2016-05-29 11:08:21 UTC
Permalink
I don't normally respond to this type of thread but felt compelled to
add my 2p worth of experience.

I love open source software and have run ClamAV on my own mail server
for as long as I care to remember. I was also an active member of the
anti-malware research community for a considerable time.

IMHO anti-virus products lost the battle a long time ago - it is simply
not realistic to expect ANY company, commercial or open source, to be
able to produce signatures for the number of new virus samples that
emerge in a timely fashion. It has been this way for a long time. The
numbers bear this out. A new paradigm is needed. I once hoped heuristic
detection might have been the way forward but this doesn't seem to have
produced the required results either.

This led me to conclude that all anti-virus products are essentially
ineffective. Submitting samples I collect that hit my mail server spam
traps to Virus Total supports this conclusion (YMMV). Detection rates are
abysmal at the time I collect the samples.

For me, as for others who have posted in this thread, the solution is
simple - I simply do not permit executable code to pass through my mail
servers. I can not think of a case where allowing executable code to be
distributed by email outweighs the risks. Where it does, and the user
can make a genuine risk-assessed case, it is easy enough to add case by
case exceptions for individual users. Problem solved, at least from the
mail server perspective.

Admittedly I am operating at the lower end of the market where it is
easy for me to impose such unilateral policies, but I would make the
same case all the way up to large corporates and ISPs. No reason an ISP
can't operate the same default policy and provide a mechanism to allow
users to opt out if they find the need to send executable code by email
(some large ISPs block outbound tcp25 connections to address spam issues
so they can do it when they want to). And given the numerous recent
examples of large corporations suffering costly data leaks, even they
should now be willing to take security concerns more seriously rather
than scoffing at IT departments always trying to impose more restrictive
(paranoid) working practices.

Where ClamAV should (or could) have an advantage over its closed source
relatives is in the sheer number of volunteers the project has the
potential to mobilise. The ClamAV Project has the potential to mobilise
a huge army of open source volunteers, all writing and sharing community
signatures for the samples they collect. The framework to do this
already exists. Would this be enough to represent timely and efficient
detection of threats, who knows, but it is a potential resource that is
simply not available to commercial AV companies. The samples are there,
everyone is willing to share them, but no one company has the resources
to protect their users from all of them due to the sheer volume. So the
industry needs to develop a new way of working or it will die - either
it collaborates (a concept already embraced by the Open Source
community) or it comes up with a new way to protect its users (e.g.,
heuristics), or people will stop paying an annual fee for a product that
fails to protect them (I would rather spend that money on user education
than an ineffective AV product).

In reality the AV industry died for me some while ago with the
realisation I am simply unable to rely on the product to produce
anything resembling acceptable levels of performance. Harsh maybe, but
IMHO it's simply not fit for purpose. As I mentioned above, as a
postmaster I solved the problem by simply not allowing executable
attachments. I do still run ClamAV on my mail servers, it uses few CPU
cycles, detects nothing but I figure it does no harm so why mess with a
system that isn't broken and has worked for years.



Groach
2016-05-29 11:33:17 UTC
Permalink
As I mentioned above, as a postmaster I solved the problem by simply
not allowing executable attachments. I do still run ClamAV on my mail
servers, it uses few CPU cycles, detects nothing but I figure it does
no harm so why mess with a system that isn't broken and has worked for
years.
Yes, this is my approach too. There is not one single approach that is
100% effective - I think there is a combination of things that
collectively provide the best solution.

I have (in order):

At mailserver inbound level:
a, disallowed regular known executable/scripting attachments (.JS, .VB,
.CMD, .EXE, .DOCM etc, including compressed files that may hide them, eg
.ZIP, .7Z etc). This should do the majority of the work as singularly
AV solutions cannot be trusted.
b, Scan with Clam + Sane defs (hopefully catches anything else that gets
missed above - recently they have started releasing .DOT files. Sneaky.)
c, Gets run through SpamAssassin - hopefully between this and (b) any
emails to known dodgy and dangerous sites get eliminated too.

At client PC level:
d, install commercial solution (with proven track record, Bitdefender is
my choice) on EACH client PC - hopefully this also serves to help
protect against rogue BROWSING/download dangers.
e, Disable Macro Execution on all Windows-based MS OFFICE installs on
client machines (you just can't trust users - education fails to convince
them that it WILL be THEIR problem if they run something they shouldn't
be doing)

(Oh, and I'm sure some smart-arse will add I should be ditching Windows
and use only Linux or Macs for clients. Those people need to get real!!)

As a side note: is anyone surprised a virus hasn't been released,
embedded in a 'password protected' Zip file (to fool AV scans) with the
body of the email saying something like "to fight against viruses and
to protect you, it is password protected. Your password is: ABC123" ?
That is bound to fool some users, ain't it. (Or has this already been
done and I haven't seen it)?
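Step (a) of the inbound policy above, together with the password-protected ZIP side note, is concrete enough to show as code. The Python script below is an added example, not code from the thread, from Groach's setup, from ClamAV or from exim: it walks a message's attachments, rejects the executable/script types of the kind named in the post, opens ZIP attachments without extracting them, and flags any entry whose ZIP encryption bit is set, which is precisely the case where a content scanner has nothing it can inspect. It also recognises a ZIP by its magic bytes, so renaming invoice.zip to invoice.dat does not bypass the archive check. The blocklist, the addresses and both sample messages are constructed for the demonstration (the "encrypted" fixture is a plain ZIP with the encryption flag bit patched in, since the standard library cannot write encrypted archives); a real deployment would call check_message from the MTA's content filter (for exim, an acl_smtp_mime or acl_smtp_data hook, or a milter) rather than standalone.

```python
"""Attachment policy check for inbound mail.

Added example; not code from the thread, from ClamAV or from exim.
Rejects known executable/script attachment types, looks inside ZIP
attachments, and flags password-protected ZIP entries that no content
scanner can inspect. Blocklist and sample messages are constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Constructed blocklist, loosely following the types named in the post.
BLOCKED_EXT = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".hta", ".ps1", ".jar", ".docm", ".xlsm", ".pptm", ".dotm", ".dot",
}
ZIP_MAGIC = b"PK\x03\x04"  # local file header; catches a .zip renamed to .dat


def _ext(name: str) -> str:
    """Lower-cased final extension of a file name ('' when there is none)."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def check_zip(data: bytes, outer_name: str) -> List[str]:
    """Return policy violations found inside a ZIP attachment (no extraction)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{outer_name}: claims to be a ZIP but is not parseable"]
    problems = []
    for info in zf.infolist():
        entry = f"{outer_name}/{info.filename}"
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
            problems.append(f"{entry}: password-protected entry, cannot be scanned")
        if _ext(info.filename) in BLOCKED_EXT:
            problems.append(f"{entry}: blocked file type inside archive")
    return problems


def check_message(raw: bytes) -> Tuple[bool, List[str]]:
    """Return (accept, reasons) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    problems: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in BLOCKED_EXT:
            problems.append(f"{name}: blocked attachment type")
        elif _ext(name) == ".zip" or payload.startswith(ZIP_MAGIC):
            problems.extend(check_zip(payload, name))
    return (not problems, problems)


def _encrypted_zip_with_js() -> bytes:
    """Constructed fixture: a ZIP holding invoice.js with the encryption flag
    set. zipfile cannot write encrypted archives, so the flag bit is patched
    in the local and central headers; the entry data stays in the clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// placeholder text, not malware\n")
    data = bytearray(buf.getvalue())
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + flag_offset] |= 0x01
    return bytes(data)


def build_sample(malicious: bool) -> bytes:
    """Constructed message: the lure from the post above, carrying either an
    'encrypted' ZIP containing invoice.js or a harmless PDF placeholder."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("To protect you against viruses the attachment is "
                    "password protected. Your password is: ABC123")
    if malicious:
        msg.add_attachment(_encrypted_zip_with_js(), maintype="application",
                           subtype="zip", filename="invoice.zip")
    else:
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        accept, reasons = check_message(build_sample(flag))
        print("ACCEPT" if accept else "REJECT", reasons)
```

Rejecting on the encryption flag is deliberate: an encrypted entry cannot be scanned by ClamAV or anything else at the gateway, so the only safe default is to refuse it and let the per-user exception process handle genuine cases, as the previous post describes.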
James Brown
2016-05-29 12:07:35 UTC
Permalink
Post by Groach
----------- SCAN SUMMARY -----------
Known viruses: 4512349
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
**Infected files: 23**
Data scanned: 3.92 MB
Data read: 1.48 MB (ratio 2.65:1)
Time: 17.409 sec (0 m 17 s)
--------------------------------------
Completed
--------------------------------------
Have you submitted the one that got through to ***@sanesecurity.me.uk?

James.
Groach
2016-05-29 12:25:49 UTC
Permalink
Post by James Brown
Post by Groach
----------- SCAN SUMMARY -----------
Known viruses: 4512349
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
**Infected files: 23**
Data scanned: 3.92 MB
Data read: 1.48 MB (ratio 2.65:1)
Time: 17.409 sec (0 m 17 s)
--------------------------------------
Completed
--------------------------------------
James.
Erm, I don't know FOR SURE but probably (I usually do).

However, having just looked at it, it isn't actually a virus/attachment,
it's a PHISHING email (claiming to be from a UK high street bank - see
below) with a link to a dodgy site. So I'm not sure it's valid for his AV
definitions (and that's the reason he hasn't included it).

IMPORTANT NOTICE.eml :

TSB is continually attempting to guarantee security by frequently
screening the records in our systems.
We as of late assessed your record, and we require more data to help
us give you secure administration.
Until we can gather this data, your right to gain entrance to your
online access will be restricted or ended.
We want to restore your right to gain your online access at the
earliest opportunity, and we apologize for the inconvenience.
You are required to follow a straight forward and simple process to
restore your online access.

Proceed to the verification process. <<<<< THIS IS THE DODGY LINK

Thank you for banking with us.

Yours sincerely,
Online Service Department,
Customer Support.
TSB ONLINE BANKING TEAM.






Kris Deugau
2016-05-30 14:21:30 UTC
Permalink
Post by Groach
As a side note: is anyone surprised a virus hasnt been released,
embedded in a 'password protected' Zip file (to fool AV scans) with the
body of the email sayuing something like "to fight against viruses and
to protect you, it is password protected. Your password is: ABC123" ?
That is bound to fool some users, aint it. (Or has this already been
done and I havent seen it)?
I've seen a couple of those, although none recently. I don't recall if
I archived a copy for reference or not.

-kgd
Joel Esler (jesler)
2016-05-30 14:48:56 UTC
Permalink
Haven't seen those in a couple years. They were big in the late 90's.

--
Joel Esler
iPhone

Groach
2016-05-30 15:17:15 UTC
Permalink
I'm quite surprised really. It seems the logical thing to do to fool
inbound mail AV scanners, leaving the onus on the naive/stupid (delete as
applicable) end user.
Joel Esler (jesler)
2016-05-30 15:32:48 UTC
Permalink
Users are so trained to not open those now, they are defeated, plus conviction of the file is pretty easy generically.

The ones going around right now with the JavaScript inside of zip files are much more dynamic.

--
Joel Esler
iPhone

Groach
2016-05-30 16:01:13 UTC
Permalink
Indeed. Actually my thought/point was about the password protection
aspect of the zip file hiding/encrypting whatever flavour of virus it
holds within (to fool scanners). It's true most educated people won't
open them but not everyone is educated. It only takes 1 numbskull to
be fooled and open it for it to be then sent out to god knows how many
thousands.

I guess the art (and moral reasons) for sending viruses and spam out is
lost on me anyway so I guess I have got no chance of understanding (or
agreeing to) their choice of delivery methods.

Scourge of the earth, they are.
Post by Joel Esler (jesler)
Users are so trained to not open those now, they are defeated, plus conviction of the file is pretty easy generically.
The ones going around right now with the JavaScript inside of zip files are much more dynamic.
--
Joel Esler
iPhone
C.D. Cochrane
2016-05-30 17:04:56 UTC
Permalink
Password protection requires a little bit of typing, which gives the victim a little more time to think,
and possibly just enough time to do the right thing. Virus writers just want dumb users who click,
click, click as fast as possible, until it's too late.
...Chris
Post by Groach
I guess the art (and moral reasons) for sending viruses and spam out is
lost on me anyway so I guess I have got no chance of understanding (or
agreeing to) their choice of delivery methods.
Scourge of the earth, they are.
Dennis Peterson
2016-05-30 17:40:30 UTC
Permalink
Post by C.D. Cochrane
Password protection requires a little bit of typing, which gives the victim a little more time to think,
and possibly just enough time to do the right thing. Virus writers just want dumb users who click,
click, click as fast as possible, until it's too late.
...Chris
That explains Facebook's popularity.

dp
Groach
2016-05-30 17:43:24 UTC
Permalink
Post by Dennis Peterson
That explains Facebook's popularity.
Talking of the scourge of the earth.....

