Here is a basic overview of what happens when you submit a file to ClamAV.

1. File is compared to our other samples to see if it's a duplicate.
2. File is scanned with ClamAV and other scanners to see if it's already detected.
3. File is added to our Zoo and marked as a user submission. We try to prioritize user submissions; however, we take in about 3 gigs of raw files a day.
4. Next the files are essentially placed in a queue to be looked at.
5. Sigmakers (~5 or so people total who actively write signatures) pick the files they would like to work on, usually in large batches, sometimes 20K or more files at a time.
6. Then the sigmakers do their thing; their process is summarized here. Each sigmaker has their own personal way of doing this, but here are the major steps.
   a. Determine the type of file and packer the sample uses.
   b. Determine if ClamAV can properly unpack the file if necessary.
   c. Determine if the file is actually bad, using either live installs, IDA Pro, a debugger, a disassembler, etc.
   d. Determine if ClamAV is capable of detecting the file with its current detection capabilities.
   e. If so, write the signature. If not, open a functionality bug for the ClamAV dev team for help.
   f. Publish the signature.

If you're interested in speeding up the process, learning how to do malware analysis would help. We even train if you're interested. Contact me off list if you're interested.

Min requirements
1. A PC you can mess up / or VMware
2. Copy of IDA Pro
3. Basic understanding of how WinDBG or OllyDbg or some debugger works.
4. Basic assembly knowledge.
5. Basic C knowledge
6. A lot of free time.
7. Gotta love taking apart malware.

If you're not interested you can just add simple md5 sigs to your signature databases and/or your own sigs. Info on how to do that: http://www.clamav.net/doc/latest/signatures.pdf

Hopefully that explains how it works.

Cheers,
-matt

On Wed, Dec 24, 2008 at 8:15 AM, Plamen Vassilev <[email protected]> wrote:
> Hello list,
>
> Although I've been subscribed to this list since Nov 2006, I have not seen a
> clear explanation about the process that takes place from virus sample
> submission to the moment that the virus definition takes its place in the
> official virusdb and clamscan actually starts detecting the submitted malware.
> The reason for this post is that I submitted several files a few weeks ago,
> of what seems to be a rootkit. Namely the files:
> soxpeca.exe
> noytcyr.exe
> tdydowkc.exe
> roytctm.exe
> mabidwe.exe
> and
> afisicx.exe
> Googling for all of them returns results firmly pointing at malware origin.
> For example here[0] is a discussion started by an infected person, trying
> to clean his Windows 2003 server. To this day clamscan does not detect any
> of these infections. I do not want this to go out as a rant; rather I would
> like to know - what can I personally do to speed up the process of detection
> for this (and future) malware besides just reporting and submitting it? Some
> premature analysis for example? And in this particular case, if clamscan
> will not detect these threats, can I build my own virus definitions that
> detect those infections and merge them with the ClamAV ones? Maybe there was
> such a discussion and I've overlooked it? Any pointers will be much
> appreciated, and sorry for any bad wording - I am not a native English
> speaker.
>
> [0]
> http://www.geekstogo.com/forum/Rootkit-Trojan-soxpeca-madibwe-noytcyr-roytctm-afisicx-tdydowkc-t220440.html
>
> --
> regards
> Plamen Vassilev
> Software Engineer & System Administrator
>
> Bulgaria, Varna
> T: +359 5105 4155
> C: +359 899 989647
> ICQ: 73027127
> Skype: plamen.vassilev
> E: [email protected]
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
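The "simple md5 sigs" Matt mentions live in ClamAV's .hdb databases, one line per file in the form MD5:FileSize:MalwareName (the same three fields `sigtool --md5 <file>` prints, loadable with `clamscan -d local.hdb`). The following is an added example, not code from the ClamAV project or from either poster: it builds .hdb lines from sample bytes, parses a hand-written database with basic validation, and matches files against it the way the hash-lookup steps (duplicate check, "already detected" check) work. The sample database is constructed here from the public EICAR test string and a made-up placeholder; the helper names (`hdb_signature`, `parse_hdb`, `scan_bytes`, `demo`) are this example's own. The `*` size wildcard is accepted because newer ClamAV releases allow it; the 2008-era format always carried a concrete size.

```python
"""Hash-based (.hdb style) signatures: build, parse, and match.

Added example, not ClamAV project code. An .hdb line is
    MD5:FileSize:MalwareName
"""
import hashlib
from typing import Dict, Optional, Tuple

# Lookup key is (md5 hex digest, size as a decimal string or "*").
HdbKey = Tuple[str, str]


def hdb_signature(data: bytes, name: str) -> str:
    """Build one .hdb line for a sample's bytes and its detection name."""
    digest = hashlib.md5(data).hexdigest()
    return f"{digest}:{len(data)}:{name}"


def parse_hdb(text: str) -> Dict[HdbKey, str]:
    """Parse .hdb text into a lookup table; blank and '#' lines are skipped.

    Malformed lines raise ValueError so a typo in a hand-written database
    is caught at load time instead of silently never matching anything.
    Any fields after the name are ignored.
    """
    db: Dict[HdbKey, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected MD5:FileSize:MalwareName")
        digest, size, name = parts[0].lower(), parts[1], parts[2]
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: bad MD5 hash {digest!r}")
        if size != "*" and not size.isdigit():
            raise ValueError(f"line {lineno}: bad size {size!r}")
        if not name:
            raise ValueError(f"line {lineno}: empty malware name")
        db[(digest, size)] = name
    return db


def scan_bytes(data: bytes, db: Dict[HdbKey, str]) -> Optional[str]:
    """Return the detection name if the file's hash (and size) is in the db."""
    digest = hashlib.md5(data).hexdigest()
    hit = db.get((digest, str(len(data))))
    return hit if hit is not None else db.get((digest, "*"))


# Constructed sample database: the public EICAR test string plus a made-up
# benign placeholder file. No real malware hashes appear here.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
PLACEHOLDER = b"this is a harmless placeholder file\n"
SAMPLE_HDB = "\n".join([
    "# local.hdb (constructed for this example)",
    hdb_signature(EICAR, "Eicar-Test-Signature"),
    hdb_signature(PLACEHOLDER, "Local.Test.Placeholder"),
])


def demo() -> Dict[str, Optional[str]]:
    """Match three inputs against the sample database.

    The third input differs from EICAR by a single appended byte and is
    not detected: an md5 signature covers exactly one byte-for-byte file,
    which is why the sigmakers write more general signatures by hand.
    """
    db = parse_hdb(SAMPLE_HDB)
    return {
        "eicar": scan_bytes(EICAR, db),
        "placeholder": scan_bytes(PLACEHOLDER, db),
        "changed": scan_bytes(EICAR + b"\n", db),
    }


if __name__ == "__main__":
    print(SAMPLE_HDB)
    for label, hit in demo().items():
        print(f"{label}: {hit or 'OK (no match)'}")
```

To use this with the real scanner, write the generated lines to a file ending in `.hdb` and pass it with `clamscan -d`; keep your local database in its own file so `freshclam` updates to the official databases never overwrite it.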
