
List:       clamav-devel
Subject:    Re: [Clamav-devel] ClamAV effectiveness
From:       "David F. Skoll" <dfs () roaringpenguin ! com>
Date:       2013-10-12 15:18:49
Message-ID: 20131012111849.5c86697d () shishi ! roaringpenguin ! com

On Sat, 12 Oct 2013 12:00:02 +0200
clamav-devel-request@lists.clamav.net wrote:

> Date: Fri, 11 Oct 2013 10:41:33 -0400
> From: Nick Johnson <npjohnso@cs.princeton.edu>

> (1) You're measuring effectiveness against your assumption that 99% of
> .exe files in email have malware.  Although I agree with that
> assumption, it should really be validated (perhaps with another AV
> program) before we accept it as truth and declare that clamav has 80%
> false negatives.

It's validated by eye; I look at the message subjects and they are obviously
viruses.

> (2) You are confusing two different metrics.  One is the % of .exe
> files which clamav declares clean.  The other is the % of malware
> which clamav declares clean.  These are different because one malware
> could appear in several .exe files.

It's of academic interest; Clam is leaking like a sieve and our customers
are not particularly interested in the reasons.

> When a new malware appears, there is a brief window during which
> signature-based detection schemes (from ANY vendor) cannot find it.

Absolutely.

> It's entirely possible that there is ONE new malware that appears in
> 137K .exe files sampled in 'a few days'.

Possible.

> In that case, clamav would
> identify all but one malware, yet the statistics look very bad because
> that ONE undetectable malware appeared 137K times.  So, I would ask:
> of these 137K .exe files, are they all identical?  Perhaps you could
> report the number of distinct file sizes or number of distinct
> md5sums.

I will have to run that analysis next week.  I suspect they are not all
identical, but I suspect too that there's a clump of a few or a few dozen
distinct viruses.

> From: Joel Esler <jesler@sourcefire.com>
> It helps the ClamAV tremendously if these files are submitted to the
> ClamAV team for analysis.

Do you have an efficient mechanism for submitting hundreds or thousands
of files?  I can dedupe them and submit, but it has to be something
semi-automated; please reply off-list if you have such a mechanism.

Regards,

David.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
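The analysis Nick asks for above (how many of the 137K .exe files are actually distinct, by size and by md5sum) and the dedupe step David mentions before submitting samples are the same piece of work. The script below is an added example of that triage, not code from this thread or from the ClamAV project: it hashes every file, reports distinct sizes and digests, shows the largest clusters of identical files, and picks one representative per distinct hash as the set worth submitting. The directory layout, function names and the embedded sample corpus are constructed assumptions.

```python
"""Count distinct samples in a pile of quarantined attachments.

Added example (not from the original mail or the ClamAV project). Reports
the numbers suggested in the thread: distinct file sizes, distinct md5sums
(plus sha256, which is what you would actually key on today), the largest
clusters of byte-identical files, and one representative path per distinct
hash for submission.
"""
import hashlib
import sys
from collections import Counter
from pathlib import Path

# Constructed sample corpus: five "attachments", three byte-identical, one of
# the same size but different content, one of a different size.
SAMPLE_CORPUS = [
    ("invoice_1.exe", b"MZ" + b"\x00" * 14 + b"payload-A"),
    ("invoice_2.exe", b"MZ" + b"\x00" * 14 + b"payload-A"),  # identical to invoice_1
    ("order.exe",     b"MZ" + b"\x00" * 14 + b"payload-A"),  # identical to invoice_1
    ("photo.exe",     b"MZ" + b"\x00" * 14 + b"payload-B"),  # same size, different bytes
    ("report.exe",    b"MZ" + b"\x00" * 30 + b"payload-C"),  # different size
]


def digests(data):
    """Return (size, md5, sha256) for one blob of bytes."""
    return (len(data),
            hashlib.md5(data).hexdigest(),
            hashlib.sha256(data).hexdigest())


def summarize(items):
    """Summarize an iterable of (label, bytes) pairs.

    Returns total count, number of distinct sizes / md5 / sha256 values, and
    the five largest clusters of identical files as (sha256, count).
    """
    sizes, md5s, sha256s = Counter(), Counter(), Counter()
    for _label, data in items:
        size, md5, sha = digests(data)
        sizes[size] += 1
        md5s[md5] += 1
        sha256s[sha] += 1
    return {
        "total": sum(sha256s.values()),
        "distinct_sizes": len(sizes),
        "distinct_md5": len(md5s),
        "distinct_sha256": len(sha256s),
        "largest_clusters": sha256s.most_common(5),
    }


def unique_representatives(items):
    """Return one label per distinct sha256: the deduped set to submit."""
    seen = {}
    for label, data in items:
        seen.setdefault(digests(data)[2], label)
    return sorted(seen.values())


def load_directory(root):
    """Yield (path, bytes) for every regular file under root (assumed layout)."""
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            yield str(p), p.read_bytes()


def main(argv):
    # With a directory argument, hash real files; otherwise run the sample corpus.
    items = list(load_directory(argv[1])) if len(argv) > 1 else SAMPLE_CORPUS
    s = summarize(items)
    print(f"{s['total']} files, {s['distinct_sizes']} distinct sizes, "
          f"{s['distinct_md5']} distinct md5, {s['distinct_sha256']} distinct sha256")
    for sha, count in s["largest_clusters"]:
        print(f"  {count:6d} x {sha[:16]}...")
    print(f"{len(unique_representatives(items))} unique files to submit")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python dedupe_samples.py /path/to/quarantine`; with no argument it summarizes the constructed corpus. A large cluster count relative to the distinct count is exactly the situation Nick describes, where one undetected family inflates the apparent false-negative rate. Files are read whole for brevity; stream them in chunks if the corpus is large.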