On 02/13/2012 12:57 PM, Henri Salo wrote:
> On Mon, Feb 13, 2012 at 05:04:34AM -0500, Michael Richards wrote:
>> Do the sigmakers just waste their time sifting through tons of
>> duplicate submissions?
>
> I sure hope not. I am more than happy to help create a faster "process" for
> this if the ClamAV guys can tell what they need, or at least the old system
> should be documented somehow. Why not create this as open-source :) If I am
> correct the duplicates mostly come from big av-check sites. They send reports
> with old signatures and/or when they send the file it is not in fact known, but
> it is known when the ClamAV guys start to add the signature.
The duplicate submissions are not bit-to-bit identical.
Bit-to-bit identical submissions are thrown away/merged automatically early in
the process, and they don't get reported to clamav-virusdb@.
Same with files that are already detected by ClamAV.
The duplicates ("Same as") mean that ClamAV detects them _now_ with the same
virusname, but at the time of the submission they were not detected at all.
It is easy to see why this could happen:
- if it is a file infector then we get a unique submission for each file it
  infected. It is still the same malware, and if a signature gets added to
  detect one particular instance of the infection then the other infected files
  should get detected as well
- if it is a polymorphic virus then each instance is unique, and depending on
  how good the signature is it may detect many instances of the malware with
  the same virus name
- the signature might be generic, so it detects more than one malware under
  the same name
- ... etc.
Best regards,
--Edwin
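As an added illustration of the triage Edwin describes (example code, not from the list or ClamAV's own pipeline): bit-identical submissions are merged by hash, files that merely share an infector payload stay distinct and undetected until a signature covers the payload, and a later re-check then reports all of them as "Same as" one virus name. The payload bytes, file names and virus name are constructed placeholders.

```python
import hashlib

# Constructed sample: several distinct host files carrying the same injected
# payload (a hypothetical file-infector stub, not real malware bytes).
PAYLOAD = b"\x4d\x5aINFECT-STUB\x90\x90"  # constructed pattern, not a real signature
SUBMISSIONS = {
    "a.exe": b"host-program-A" + PAYLOAD + b"tail",
    "b.exe": b"host-program-B" + PAYLOAD,
    "a_copy.exe": b"host-program-A" + PAYLOAD + b"tail",  # bit-for-bit copy of a.exe
    "clean.exe": b"host-program-C",
}

def dedupe_by_hash(subs):
    """Stage 1: merge bit-to-bit identical files. Returns {sha256: first name seen}."""
    unique = {}
    for name, data in subs.items():
        unique.setdefault(hashlib.sha256(data).hexdigest(), name)
    return unique

def scan(data, sigdb):
    """Return the virus name of the first byte pattern found in data, else None."""
    for vname, pattern in sigdb.items():
        if pattern in data:
            return vname
    return None

def triage(subs, sigdb):
    """Stage 2: scan each unique file against the signature DB of that moment."""
    unique = dedupe_by_hash(subs)
    return {name: scan(subs[name], sigdb) for name in unique.values()}

def recheck(subs, sigdb_then, sigdb_now):
    """Files undetected at submission time but detected now become 'Same as <name>'."""
    then = triage(subs, sigdb_then)
    now = triage(subs, sigdb_now)
    return {n: f"Same as {now[n]}" for n in then if then[n] is None and now[n]}

if __name__ == "__main__":
    print(triage(SUBMISSIONS, {}))                       # nothing detected at submission
    print(recheck(SUBMISSIONS, {}, {"Win.Virus.Example-1": PAYLOAD}))
```

Adding one signature for the shared payload turns two hash-distinct submissions into "Same as" reports, which is exactly the case the thread calls a duplicate.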