clamav-users September 2009 archive
Main Archive Page > Month Archives  > clamav-users archives
clamav-users: Re: [Clamav-users] Submission policies

Re: [Clamav-users] Submission policies

From: Matt Watchinski <mwatchinski_at_nospam>
Date: Tue Sep 15 2009 - 18:55:22 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


The answer is very simply, resources.

The submission interface receives around 20,000 unique samples a day, which exceeds the number of signatures that can be produced in a day by the sigmakers. This forces us to prioritize by what we are seeing the most of in a given time period, as those are most likely the prevalent threats.

If you, or anyone else in the ClamAV community is interested in writing signatures to help improve some of the response times feel free to contact me off list.

Cheers
-matt

On Mon, Sep 14, 2009 at 12:51 PM, Giampaolo Tomassoni < Giampaolo@tomassoni.biz> wrote:

> Hi,
>
> I occasionally submit virus samples to ClamAV through the official
> submission page.
>
> Before submission I also check these viruses with VirusTotal, where at
> least
> a bunch of AV products do often detect my samples as malware.
>
> If this happens, I also add a link to the VirusTotal's analysis page
> regarding the sample I'm submitting in the "Enter a short description of
> the
> virus" field of the submission form.
>
> This was used to work, and soon or later I was used to be notified of the
> inclusion in the ClamAV database of a new detection pattern suitable for my
> sample.
>
> It is months, however, that I don't receive notifications anymore regarding
> my submissions. Also, it seems to me that recently submissions are quite
> ignored. In example, in September 9 I reported to ClamAV a malware which is
> still not recognized, while it is by 30 out of 41 AV products in
> VirusTotal...
>
> See:
>
> http://www.virustotal.com/analisis/716704eb975160cf84c110e6510bb45ce9837a774
> dcdee6136867b4c03f4981e-1252908923<http://www.virustotal.com/analisis/716704eb975160cf84c110e6510bb45ce9837a774%0Adcdee6136867b4c03f4981e-1252908923>.
>
> Anybody could explain what's going on with submissions? I can't find any
> reliable reference to changes in the submission policies or the like. I
> could only find this thread from this ML
>
> http://lurker.clamav.net/message/20081025.142726.40535408.en.html
>
> in which basically Bräckelmann is trying to figure out the same I am. But
> no
> reply to his question...
>
> Thank you,
>
> Giampaolo
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>
-- Matthew Watchinski Sr. Director Vulnerability Research Team (VRT) Sourcefire, Inc. Office: 410-423-1928 http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/ _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml