
Are there test results for ClamAV and which malware is supported
Dear ClamAV-Team,

I have a general question about ClamAV regarding how good ClamAV is.

On the internet there are lots of tests of other well-known products, but I cannot find any for ClamAV.
So, are there any tests or reviews?

My second question is: Which malware is in ClamAV's database, only for Linux or also for Windows and Android, etc.?
Is there a list where you can see all "supported" malware?

Thanks a lot for your feedback :-)

Best regards
Julia
Re: Are there test results for ClamAV and which malware is supported
Hi there,

On Thu, 6 Oct 2022, Julia - via clamav-users wrote:

> I have a general question about ClamAV regarding how good ClamAV is.

It's a good question. Most people seem not to ask it.

> On the internet there are lots of tests of other well-known products, but
> I cannot find any for ClamAV. So, are there any tests or reviews?

I'm slightly surprised you can't find any reviews. I've seen a few
which I wasn't really looking for, and just now when I ran the search
"ClamAV review" there were at least dozens of hits, too many to count.

There are Wikipedia articles, for example

https://en.wikipedia.org/wiki/Comparison_of_antivirus_software

which might help your research.

For any individual ClamAV user the value of reviews is debatable for
several reasons. For example there are many options in the ClamAV
configuration; a reviewer might choose options which are different
from those which you choose; a reviewer might have an axe to grind
which you don't; you might be interested in only particular kinds of
threats. Every installation is different. I only scan mail, I never
scan filesystems; others only scan filesystems and never mail. Some
people run Windows boxes, I (usually) don't.

I'd say it's better to make your own assessment of the effectiveness
in real use. You can find some of my own assessments in the mailing
list archives.

> My second question is: Which malware is in ClamAV's database, only
> for Linux or also for Windows and Android, etc.?

Any and every kind of malware is a candidate for inclusion in the
'Official' ClamAV signature database. ClamAV relies a great deal on
signatures; although it has other ways of detecting threats it can
never really be very much better than the signature database that it's
using but anyone can submit samples of malware to the ClamAV malware
team - indeed everyone is encouraged to do that. There are numerous
what we call "third-party" signature databases, each of which has its
own set of guidelines. Currently there are 81 files in our ClamAV
database and only three of them are the ClamAV 'official' files.

> Is there a list where you can see all "supported" malware?

Be careful what you wish for: there are around ten million of them.

Most files in the signature databases are plain text, and most of them
have one signature per line. Many of the lines contain the "name" of
the malware or threat or whatever it is. They aren't all malware, and
the name won't mean very much, it's more or less just an identifier.
It isn't going to be very educational but you can just read them, or
you can for example run 'grep' on a file to count the numbers of some
words contained in it such as 'Win.' (not 'Windows'):

$ grep -a 'Win\.' daily.cld | wc -l
323501

Try also for example 'Pdf' and 'Doc'.

Naming of threats is a perennial problem; there are usually several
names for each threat, some of which are used by several anti-virus
vendors and some by only one or two.

Can you paint us a picture of your application?

--

73,
Ged.
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
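The grep above counts one prefix at a time inside the daily.cld container. The following added example (mine, not ClamAV project code) generalises it: it reads the plain-text signature formats (.ndb, .hdb/.hsb, .ldb, e.g. as produced by `sigtool --unpack` on a .cvd/.cld) and tallies every platform prefix at once, which answers the "which platforms are covered" question directly. The field layouts in the comments are the documented text formats; the sample databases are constructed, not real signatures.

```shell
#!/bin/sh
# Added example (not part of the ClamAV project): summarise which platforms a
# ClamAV plain-text signature file covers by counting the prefix of each
# signature name before its first '.' (e.g. "Win" in Win.Trojan.Example-1).
# Assumed field layouts (documented text formats; .cvd/.cld containers are not
# handled, unpack them first):
#   .ndb       Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]   name = field 1, ':'
#   .hdb/.hsb  Hash:Size:Name[:MinFL]                          name = field 3, ':'
#   .ldb       Name;TargetDescription;LogicalExpr;Subsig...    name = field 1, ';'
# Prints "count platform" pairs, most common first.
count_platforms() {
  for f in "$@"; do
    case "$f" in
      *.ndb)       awk -F: 'NF >= 4 { print $1 }' "$f" ;;
      *.hdb|*.hsb) awk -F: 'NF >= 3 { print $3 }' "$f" ;;
      *.ldb)       awk -F';' 'NF >= 3 { print $1 }' "$f" ;;
      *)           echo "skipping $f: not a recognised text database" >&2 ;;
    esac
  done | sed -n 's/^\([A-Za-z0-9]*\)\..*/\1/p' | sort | uniq -c | sort -rn
}

# Count for one platform prefix across the given files, or 0 if absent.
count_for() {  # count_for PLATFORM FILE...
  p=$1; shift
  n=$(count_platforms "$@" | awk -v p="$p" '$2 == p { print $1 }')
  echo "${n:-0}"
}

# Constructed sample databases (made-up names, hashes and hex; not real signatures).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sample.ndb" <<'EOF'
Win.Trojan.Example-1:1:*:4d5a90000300
Win.Trojan.Example-2:1:EP+0:558bec83ec
Pdf.Exploit.Example-1:0:*:2f4a617661536372697074
EOF
cat > "$SAMPLE_DIR/sample.hdb" <<'EOF'
00112233445566778899aabbccddeeff:68:Doc.Macro.Example-1
ffeeddccbbaa99887766554433221100:1024:Andr.Trojan.Example-1
EOF
cat > "$SAMPLE_DIR/sample.ldb" <<'EOF'
Win.Exploit.Example-3;Target:1;0&1;4d5a;50450000
EOF

# Tally all three sample files: Win appears 3 times, Pdf/Doc/Andr once each.
count_platforms "$SAMPLE_DIR"/sample.*
```

Point it at the unpacked official files instead of the samples to see the real per-platform split; names without a dot are ignored by design.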
Re: Are there test results for ClamAV and which malware is supported
Some tidbits from me. I do not speak for Cisco.

> On Oct 6, 2022, at 5:21 PM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Thu, 6 Oct 2022, Julia - via clamav-users wrote:
>
>> I have a general question about ClamAV regarding how good ClamAV is.
>
> It's a good question. Most people seem not to ask it.

It’s because AV Comparative tests want to charge the vendors to do the test. That’s how they make their money, off of selling the test to the vendors for the vendors to prove how good they are, and then they charge YOU the public for the results of the test. ClamAV doesn’t participate in said tests because of that. Well, speaking from when I was in charge of the project, which I haven’t been in quite some time now.


>> On the internet there are lots of tests of other well-known products, but
>> I cannot find any for ClamAV. So, are there any tests or reviews?
>
> I'm slightly surprised you can't find any reviews. I've seen a few
> which I wasn't really looking for, and just now when I ran the search
> "ClamAV review" there were at least dozens of hits, too many to count.
>
> There are Wikipedia articles, for example
>
> https://en.wikipedia.org/wiki/Comparison_of_antivirus_software

Unfortunately, I see some errors in this already, not only for ClamAV, but for other vendors as well. Alas, the problem with crowd-sourced encyclopedias.

>
> which might help your research.
>
> For any individual ClamAV user the value of reviews is debatable for
> several reasons. For example there are many options in the ClamAV
> configuration; a reviewer might choose options which are different
> from those which you choose; a reviewer might have an axe to grind
> which you don't; you might be interested in only particular kinds of
> threats. Every installation is different. I only scan mail, I never
> scan filesystems; others only scan filesystems and never mail. Some
> people run Windows boxes, I (usually) don't.
>
> I'd say it's better to make your own assessment of the effectiveness
> in real use. You can find some of my own assessments in the mailing
> list archives.

This assessment is ultimately correct, and spoken by someone who has obviously spent some time in the industry. Effectiveness is different for everyone. What is effective for you may not be effective for someone else who has a completely different OS and security posture make-up.


>
>> My second question is: Which malware is in ClamAV's database, only
>> for Linux or also for Windows and Android, etc.?
>
> Any and every kind of malware is a candidate for inclusion in the
> 'Official' ClamAV signature database. ClamAV relies a great deal on
> signatures; although it has other ways of detecting threats it can
> never really be very much better than the signature database that it's
> using but anyone can submit samples of malware to the ClamAV malware
> team - indeed everyone is encouraged to do that. There are numerous
> what we call "third-party" signature databases, each of which has its
> own set of guidelines. Currently there are 81 files in our ClamAV
> database and only three of them are the ClamAV 'official' files.

Correct. ClamAV covers all kinds of malware, OS independent.


>
>> Is there a list where you can see all "supported" malware?
>
> Be careful what you wish for: there are around ten million of them.
>
> Most files in the signature databases are plain text, and most of them
> have one signature per line. Many of the lines contain the "name" of
> the malware or threat or whatever it is. They aren't all malware, and
> the name won't mean very much, it's more or less just an identifier.
> It isn't going to be very educational but you can just read them, or
> you can for example run 'grep' on a file to count the numbers of some
> words contained in it such as 'Win.' (not 'Windows'):
>
> $ grep -a 'Win\.' daily.cld | wc -l
> 323501
>
> Try also for example 'Pdf' and 'Doc'.
>
> Naming of threats is a perennial problem; there are usually several
> names for each threat, some of which are used by several anti-virus
> vendors and some by only one or two.

Largely the system that creates the names for ClamAV detection is automated and is based off of the most prevalent names that other vendors give it, from what I understand.