ClamAV effectiveness
Hi, list,

Has anyone noticed that ClamAV does a pretty poor job lately of
catching viruses? Here are a few days' worth of statistics from a
reasonably-busy mail server cluster:

Total messages scanned: 25 814 586
Viruses detected by ClamAV: 32 147
Viruses missed by ClamAV: 137 231

The second number is a count of all ".exe" files, so it's conceivable some
are not viruses, but the vast majority are... the number is off by at most 1%.
It seems that over 80% of the viruses passing through our servers are
completely missed by ClamAV. Opinions? Experiences?

Regards,

David.

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: ClamAV effectiveness
> The second number is a count of all ".exe" files, so it's conceivable some
> are not viruses, but the vast majority are... the number is off by at most 1%.
> It seems that over 80% of the viruses passing through our servers are
> completely missed by ClamAV. Opinions? Experiences?
>

If it's your opinion that 99% of .exe files are viruses, then
configure your mail server to block .exe files.

N

> Regards,
>
> David.
>
--
Nick Johnson
Re: ClamAV effectiveness
Nick Johnson <npjohnso@cs.princeton.edu> wrote:

> If it's your opinion that 99% of .exe files are viruses, then
> configure your mail server to block .exe files.

Yes, I already do that... but isn't that a bit of a copout? If ClamAV
is missing 80% of the viruses that we receive, it's not terribly useful,
is it?

Regards,

David.
Re: ClamAV effectiveness
I should mention that I am not a clamav developer, just some guy on the list.

On Fri, Oct 11, 2013 at 10:00 AM, David F. Skoll <dfs@roaringpenguin.com> wrote:
> Yes, I already do that... but isn't that a bit of a copout? If ClamAV
> is missing 80% of the viruses that we receive, it's not terribly useful,
> is it?
>

Here are some devil's advocate arguments against your conclusion:

(1) You're measuring effectiveness against your assumption that 99% of
.exe files in email have malware. Although I agree with that
assumption, it should really be validated (perhaps with another AV
program) before we accept it as truth and declare that clamav has 80%
false negatives.

(2) You are confusing two different metrics. One is the % of .exe
files which clamav declares clean. The other is the % of malware
which clamav declares clean. These are different because one malware
could appear in several .exe files.

When a new malware appears, there is a brief window during which
signature-based detection schemes (from ANY vendor) cannot find it.

It's entirely possible that there is ONE new malware that appears in
137K .exe files sampled in 'a few days'. In that case, clamav would
identify all but one malware, yet the statistics look very bad because
that ONE undetectable malware appeared 137K times. So, I would ask:
of these 137K .exe files, are they all identical? Perhaps you could
report the number of distinct file sizes or number of distinct
md5sums.


--
Nick Johnson
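Nick's point (2) and his dedupe suggestion, worked through as an added example (not code from the thread or from ClamAV): a constructed scan log in which the same attachment bytes recur, hashed so the per-file miss rate can be separated from the per-distinct-sample miss rate. File names, contents and verdicts are constructed, and sha256 stands in for the md5sum he mentions.

```python
import hashlib
from collections import Counter

def digest(data: bytes) -> str:
    """Content hash used to deduplicate attachments (sha256 here; md5sum works the same way)."""
    return hashlib.sha256(data).hexdigest()

def build_constructed_log():
    """Constructed scan log: (filename, attachment bytes, flagged_by_clamav).
    Three detected families with 2 copies each plus one undetected family
    repeated 14 times, mirroring the 'one malware, 137K copies' scenario."""
    records = []
    for fam, flagged, copies in (("A", True, 2), ("B", True, 2),
                                 ("C", True, 2), ("D", False, 14)):
        body = f"MZ-constructed-sample-{fam}".encode() * (3 if fam == "D" else 1)
        for i in range(copies):
            records.append((f"attach_{fam}_{i}.exe", body, flagged))
    return records

def summarize(records):
    """Compare the per-file detection rate with the per-distinct-sample rate."""
    copies = Counter()   # hash -> number of .exe files carrying that content
    flagged = {}         # hash -> True if any copy was flagged
    sizes = {}           # hash -> attachment size (cheap proxy for distinctness)
    for _name, data, hit in records:
        h = digest(data)
        copies[h] += 1
        # A signature shipped mid-window can flag later copies of the same bytes;
        # count the sample as detected if any copy was caught.
        flagged[h] = flagged.get(h, False) or hit
        sizes[h] = len(data)
    total_files = sum(copies.values())
    flagged_files = sum(n for h, n in copies.items() if flagged[h])
    distinct = len(copies)
    flagged_distinct = sum(1 for h in copies if flagged[h])
    return {
        "files": total_files,
        "file_detection_rate": flagged_files / total_files,
        "distinct_samples": distinct,
        "sample_detection_rate": flagged_distinct / distinct,
        "distinct_sizes": len(set(sizes.values())),
        "top_duplicates": copies.most_common(3),  # (hash, copies) of the biggest clumps
    }

if __name__ == "__main__":
    for key, value in summarize(build_constructed_log()).items():
        print(f"{key}: {value}")
```

On the constructed log the file-level rate is 30% detected while the sample-level rate is 75%, which is exactly the gap between the two metrics Nick describes.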
Re: ClamAV effectiveness
Antivirus is a cop out anyway since it is essentially a reactive solution.

It is simple to write custom payloads to be sent that aren't detected by
AV. AV catches the low hanging fruit.


On Fri, Oct 11, 2013 at 9:41 AM, Nick Johnson <npjohnso@cs.princeton.edu> wrote:

> I should mention that I am not a clamav developer, just some guy on the
> list.
>
> On Fri, Oct 11, 2013 at 10:00 AM, David F. Skoll <dfs@roaringpenguin.com>
> wrote:
> > Yes, I already do that... but isn't that a bit of a copout? If ClamAV
> > is missing 80% of the viruses that we receive, it's not terribly useful,
> > is it?
> >
>
> Here are some devil's advocate arguments against your conclusion:
>
> (1) You're measuring effectiveness against your assumption that 99% of
> .exe files in email have malware. Although I agree with that
> assumption, it should really be validated (perhaps with another AV
> program) before we accept it as truth and declare that clamav has 80%
> false negatives.
>
> (2) You are confusing two different metrics. One is the % of .exe
> files which clamav declares clean. The other is the % of malware
> which clamav declares clean. These are different because one malware
> could appear in several .exe files.
>
> When a new malware appears, there is a brief window during which
> signature-based detection schemes (from ANY vendor) cannot find it.
>
> It's entirely possible that there is ONE new malware that appears in
> 137K .exe files sampled in 'a few days'. In that case, clamav would
> identify all but one malware, yet the statistics look very bad because
> that ONE undetectable malware appeared 137K times. So, I would ask:
> of these 137K .exe files, are they all identical? Perhaps you could
> report the number of distinct file sizes or number of distinct
> md5sums.
>
>
> --
> Nick Johnson

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
Re: ClamAV effectiveness
On Oct 11, 2013, at 10:00 AM, David F. Skoll <dfs@roaringpenguin.com> wrote:

> Nick Johnson <npjohnso@cs.princeton.edu> wrote:
>
>> If it's your opinion that 99% of .exe files are viruses, then
>> configure your mail server to block .exe files.
>
> Yes, I already do that... but isn't that a bit of a copout? If ClamAV
> is missing 80% of the viruses that we receive, it's not terribly useful,
> is it?

It helps ClamAV tremendously if these files are submitted to the ClamAV team for analysis.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
AEGIS Intelligence Lead
Re: ClamAV effectiveness
On Sat, 12 Oct 2013 12:00:02 +0200
clamav-devel-request@lists.clamav.net wrote:

> Date: Fri, 11 Oct 2013 10:41:33 -0400
> From: Nick Johnson <npjohnso@cs.princeton.edu>

> (1) You're measuring effectiveness against your assumption that 99% of
> .exe files in email have malware. Although I agree with that
> assumption, it should really be validated (perhaps with another AV
> program) before we accept it as truth and declare that clamav has 80%
> false negatives.

It's validated by eye; I look at the message subjects and they are obviously
viruses.

> (2) You are confusing two different metrics. One is the % of .exe
> files which clamav declares clean. The other is the % of malware
> which clamav declares clean. These are different because one malware
> could appear in several .exe files.

It's of academic interest; Clam is leaking like a sieve and our customers
are not particularly interested in the reasons.

> When a new malware appears, there is a brief window during which
> signature-based detection schemes (from ANY vendor) cannot find it.

Absolutely.

> It's entirely possible that there is ONE new malware that appears in
> 137K .exe files sampled in 'a few days'.

Possible.

> In that case, clamav would
> identify all but one malware, yet the statistics look very bad because
> that ONE undetectable malware appeared 137K times. So, I would ask:
> of these 137K .exe files, are they all identical? Perhaps you could
> report the number of distinct file sizes or number of distinct
> md5sums.

I will have to run that analysis next week. I suspect they are not all
identical, but I suspect too that there's a clump of a few or a few dozen
distinct viruses.

> From: Joel Esler <jesler@sourcefire.com>
> It helps the ClamAV tremendously if these files are submitted to the
> ClamAV team for analysis.

Do you have an efficient mechanism for submitting hundreds or thousands
of files? I can dedupe them and submit, but it has to be something
semi-automated; please reply off-list if you have such a mechanism.

Regards,

David.