Clamav signature generation

Randal, Phil prandal at HEREFORDSHIRE.GOV.UK
Fri Jan 30 10:45:55 GMT 2004

The trouble with these timings is that there is no way to automate the
collection of (say) McAfee's extra.dats (I've discussed this at length with
NAI support), so we have to go by the times updated DAT files are released
for general consumption and can be picked up "robotically".

Here, in England, ClamAv updated its patterns at 2300GMT, detected first
MyDoom at 0020GMT the next day.  McAfee's 4319 patterns were picked up at
0500GMT, 6 hours after the ClamAV update.

Furthermore, there was a variant of MyDoom.A which ClamAv picked up here at
around 1430GMT on Wednesday, but McAfee's 4319 DATs didn't.  I submitted it
to McAfee Avert and it was fixed for the 4320 DAT files (I received
confirmation from Avert and the extra.dat file by email this morning, they
must have been flooded with samples), which came out 5 hours after we'd
detected it with ClamAV.

Similarly, ClamAV picked up a copy of Mimail.s here yesterday afternoon,
McAfee's 4321 DAT files were available some 5 hours later.

I hope this puts things into perspective.


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Tony Johansson
> Sent: 29 January 2004 18:38
> Subject: Clamav signature generation
> These are the times when antivirus companies had a virus
> definition for
> Mydoom.A:
> (I dont know how accurate they are, I got them from a source
> at F-Secure)
> McAfee (BETA) 2004-01-26, 22:20
> F-Secure (BETA) 2004-01-26, 22:36
> Symantec (BETA) 2004-01-26, 23:00
> F-Secure 2004-01-26, 23:09
> F-Prot 2004-01-26, 23:30
> Trend Micro 2004-01-26, 23:35
> Norman 2004-01-27, 00:05
> Kaspersky 2004-01-27, 00:30
> At our site, Clamav found the first Mydoom.A at 2004-01-26
> 22:02, this time
> beating all the above commercial scanners. Clamav obviously
> did great this
> time, but on other occasions they have been far behind.
> Is there a way to redirect a file thats been flagged as a
> virus by one or
> more scanners but not by clamav? It could be put in a special
> quarantine or
> submitted automaticly to
> bin/sendvirus.cgi
> Clamav would have the power of all scanners supported by MailScanner,
> possibly never being beaten by more than on or two commercial
> scanners...
> One could argue that theres a moral dilemma here, using the
> output from one
> scanner to benifit another but I've seen nothing prohibiting
> this in the
> license agreements I've read.
> regards, Tony

More information about the MailScanner mailing list