Antivirus is a cop out anyway since it is essentially a reactive solution. It is simple to write custom payloads to be sent that aren't detected by AV. AV catches the low hanging fruit.
On Fri, Oct 11, 2013 at 9:41 AM, Nick Johnson <npjoh...@cs.princeton.edu> wrote:
> I should mention that I am not a clamav developer, just some guy on the
> list.
>
> On Fri, Oct 11, 2013 at 10:00 AM, David F. Skoll <d...@roaringpenguin.com>
> wrote:
> > Yes, I already do that... but isn't that a bit of a copout? If ClamAV
> > is missing 80% of the viruses that we receive, it's not terribly useful,
> > is it?
> >
>
> Here are some devil's advocate arguments against your conclusion:
>
> (1) You're measuring effectiveness against your assumption that 99% of
> .exe files in email have malware. Although I agree with that
> assumption, it should really be validated (perhaps with another AV
> program) before we accept it as truth and declare that clamav has 80%
> false negatives.
>
> (2) You are confusing two different metrics. One is the % of .exe
> files which clamav declares clean. The other is the % of malware
> which clamav declares clean. These are different because one malware
> could appear in several .exe files.
>
> When a new malware appears, there is a brief window during which
> signature-based detection schemes (from ANY vendor) cannot find it.
>
> It's entirely possible that there is ONE new malware that appears in
> 137K .exe files sampled in 'a few days'. In that case, clamav would
> identify all but one malware, yet the statistics look very bad because
> that ONE undetectable malware appeared 137K times. So, I would ask:
> of these 137K .exe files, are they all identical? Perhaps you could
> report the number of distinct file sizes or number of distinct
> md5sums.
>
> --
> Nick Johnson
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
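
Added example, not part of the original thread or of ClamAV: the two metrics from point (2) of the quoted message, computed side by side in Python. The function names and the corpus are constructed for illustration, SHA-256 stands in for the md5sums suggested in the message, and the 137K copies are scaled down to 137.

```python
import hashlib
from collections import Counter


def miss_rates(records):
    """records: iterable of (attachment_bytes, flagged) pairs from a scan run.

    Returns per-file and per-distinct-sample miss rates, assuming every
    attachment in the set is malicious (the thread's working assumption).
    """
    seen = Counter()      # digest -> number of copies received
    flagged_any = set()   # digests the scanner flagged at least once
    missed_files = 0
    for data, flagged in records:
        digest = hashlib.sha256(data).hexdigest()  # SHA-256 in place of md5sum
        seen[digest] += 1
        if flagged:
            flagged_any.add(digest)
        else:
            missed_files += 1
    total_files = sum(seen.values())
    if total_files == 0:
        raise ValueError("no records")
    # A distinct sample counts as missed only if no copy was ever flagged
    # (a signature update mid-window can flip the verdict for later copies).
    missed = {d: n for d, n in seen.items() if d not in flagged_any}
    return {
        "files": total_files,
        "distinct": len(seen),
        "file_miss_rate": missed_files / total_files,
        "sample_miss_rate": len(missed) / len(seen),
        "top_missed": max(missed.items(), key=lambda kv: kv[1], default=None),
    }


def constructed_corpus():
    """Constructed data: four known samples plus one new, unsigned sample."""
    records = []
    for i, copies in enumerate((10, 9, 8, 7)):
        records += [(b"known-sample-%d" % i, True)] * copies
    records += [(b"new-sample", False)] * 137  # 137K in the thread, scaled down
    return records


if __name__ == "__main__":
    r = miss_rates(constructed_corpus())
    print(f"{r['files']} files, {r['distinct']} distinct samples")
    print(f"missed per file:   {r['file_miss_rate']:.1%}")
    print(f"missed per sample: {r['sample_miss_rate']:.1%}")
```

On this constructed corpus the per-file miss rate is about 80% while only one of five distinct samples is missed, which is the gap the quoted message describes.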