Hi - thanks to everyone for the replies. I have seen 2 replies now and it
may well be that I have not been clear enough because both are at cross
purposes.

Unfortunately I don't have further time to invest in this topic but I do
hope that someone at ClamAV sees value in the suggestions.

If not, well such is life.

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Simon Hobson
Sent: 12 January 2013 06:32 PM
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Virus names - a rose by any name?

"Pancho" wrote:

>While I understand the comment, it makes it risky I believe from a
>security perspective to tell users anything more than "file contains
>virus".
>
>I say this because if we find a virus and provide the message "file
>contains virus with name <ClamAV proprietary virus name XYZ>" then
>malicious users can effectively deduce our virus engine simply by using the
>custom name.
>See the site http://virusscan.jotti.org/en for a very easy illustration
>of how to do this.
>
>Once the malicious user knows this again, it is a fairly
>straightforward thing for them to test exploits against a site like
>jotti until they find one not detected by ClamAV - then submit that
>exploit to our site knowing that it will successfully bypass our anti
>virus.

AFAIK ClamAV doesn't tell outside users anything - that is up to the
software that calls it and the administrator that set it up.

For example, suppose we are using ClamAV to scan inbound mail - using Amavis
as integration software as that's a fairly common setup. So when the email
is submitted by the outside MTA, our MTA hands off the message to Amavis,
and Amavis (amongst other things) hands it off to ClamAV.

The response sent to the outside MTA can be anything from "message blocked"
at one extreme to "ClamAV found XXX" at the other - and where in that
spectrum is down to not just ClamAV (which should correctly identify what it
found IMO), but also the config of Amavis and the config of our MTA.

Of course, what is reported to the outside MTA can be different from what is
logged in our mail log. We may just report "blocked" to outside while
logging full details (as is usually the case) in the mail log so that the
administrator has more information if the reason is queried.

Much the same applies if you scan inbound files on a web site that allows
uploads - what ClamAV reports to your software, and what your software
reports to the end user may be different things.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
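The upload case Simon describes, as an added illustration that is not from the thread or from the ClamAV project: the scanner talks to clamd over its INSTREAM socket protocol (a 4-byte big-endian length prefix per chunk, a zero-length chunk to finish, a NUL-terminated reply such as "stream: Eicar-Test-Signature FOUND"), the reply is parsed into a status plus the signature name, and the application then decides separately what goes to the server log (full ClamAV detail) and what goes back to the end user (an opaque rejection). The socket path, the upload-handler interface and the sample reply strings are assumptions for the example.

```python
import logging
import socket
import struct
from typing import Tuple

# Assumed default clamd Unix socket; match LocalSocket in your clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

# Scan outcomes as seen by the calling application.
CLEAN, INFECTED, ERROR = "clean", "infected", "error"

log = logging.getLogger("upload-scan")


def parse_clamd_reply(reply: str) -> Tuple[str, str]:
    """Turn a raw clamd reply line ('stream: OK', 'stream: <sig> FOUND',
    'stream: <msg> ERROR') into (status, detail).  detail is the signature
    name for FOUND or the error text for ERROR, empty for OK."""
    reply = reply.rstrip("\0\n")
    _, _, verdict = reply.partition(": ")
    if verdict == "OK":
        return CLEAN, ""
    if verdict.endswith(" FOUND"):
        return INFECTED, verdict[: -len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return ERROR, verdict[: -len(" ERROR")]
    # Anything else is an unexpected reply; treat it as an error, never as clean.
    return ERROR, reply


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET,
               chunk: int = 65536) -> Tuple[str, str]:
    """Scan in-memory data with clamd's zINSTREAM command and return
    the parsed (status, detail).  Requires a running clamd."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):
            part = data[i:i + chunk]
            s.sendall(struct.pack(">I", len(part)) + part)
        s.sendall(struct.pack(">I", 0))          # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):         # z-commands are NUL-terminated
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_clamd_reply(reply.decode("utf-8", "replace"))


def handle_upload(filename: str, status: str, detail: str,
                  client_ip: str) -> Tuple[int, str]:
    """Map a scan result to (HTTP status, message shown to the uploader).
    The ClamAV signature name and error text go only to the server log,
    so the external response does not reveal which engine is in use."""
    if status == CLEAN:
        return 200, "Upload accepted."
    if status == INFECTED:
        log.warning("rejected upload %s from %s: ClamAV %s",
                    filename, client_ip, detail)
        return 400, "Upload rejected: the file failed a security check."
    log.error("scan error on %s from %s: %s", filename, client_ip, detail)
    return 503, "Upload could not be processed; please try again later."


if __name__ == "__main__":
    # Constructed replies, so this part runs without a clamd instance.
    for raw in ("stream: OK\0",
                "stream: Eicar-Test-Signature FOUND\0",
                "stream: INSTREAM size limit exceeded. ERROR\0"):
        status, detail = parse_clamd_reply(raw)
        print(raw.strip("\0"), "->", handle_upload("x.bin", status, detail, "203.0.113.5"))
```

The same split applies to the Amavis/MTA case in the message above: the engine names what it found, the logging path keeps that name, and the outward-facing reply is chosen by the integration layer.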

