Thursday, February 19, 2009

The ClamAV Active Malware Report

The ClamAV Active Malware Report that was introduced in ClamAV 0.94.1 uses freshclam to send summary data to our server about the malware that has been detected. This data is then used to generate real-time reports on active malware. These reports, along with geographical and historic trends, will be published on

Initial reports, viewable on our website, have shown two interesting facts that we did not predict. Firstly, over 50% of the malware that we detect is phishing attacks. Most of these are found by our heuristic system, which analyses data for the techniques that phishers use; the rest are found by signatures in our database. Although many people in the security industry have been warning about phishing emails for some time, the malware authors must still think it worthwhile to attack. Sadly, innocent victims are still being conned into handing over their bank and other personal details to criminals. Secondly, some very old viruses, such as SomeFool (also known as Netsky), are still very active in the field years after we first detected them. Either many PCs have no anti-virus protection, or that protection is inadequate.

Currently we publish a daily report that lists the top 10 active malware in the last 24 hours. We hope, by the end of February, to have enough data to launch a statistics page full of more information. The more data we receive from ClamAV users, the more reports we can produce and the better their quality will be. To submit data to us for use in the Active Malware Report, enable SubmitDetectionStats in freshclam.conf, and LogTime and LogFile in clamd.conf.

The only private data that is transferred is an IP address, which is used to create the geographical data. The size of the data that is sent is small; it contains just the filename, malware name and time of detection. The data is sent in sets of 10 records, up to 50 records per session. For example, if you have 45 new records, then freshclam will submit 40; if 78 then it will submit the latest 50 entries; and if you have 9 records no statistics will be sent.
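To see which records would leave a host under the rule above, the following added example (not freshclam's own code) parses detection lines from a clamd log and applies the sets-of-10, cap-of-50 selection. The log-line layout, the sample paths and the choice to keep the newest records when 45 is trimmed to 40 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed clamd.log detection line with LogTime enabled:
#   "Thu Feb 19 10:15:01 2009 -> /path/to/file: Malware.Name FOUND"
FOUND_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> "
    r"(?P<path>.+): (?P<name>\S+) FOUND$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
SET_SIZE = 10      # records are sent in sets of 10
SESSION_CAP = 50   # at most 50 records per session

def parse_detections(lines):
    """Extract (time, filename, malware name) from FOUND lines only."""
    records = []
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if m:
            when = datetime.strptime(m["ts"], TS_FORMAT)
            records.append((when, m["path"], m["name"]))
    return records

def select_for_submission(records):
    """Whole sets of 10, capped at 50; assumption: the newest are kept."""
    count = min(len(records) // SET_SIZE * SET_SIZE, SESSION_CAP)
    if count == 0:
        return []  # fewer than 10 records: nothing is sent
    newest = sorted(records, key=lambda r: r[0])[-count:]
    return [newest[i:i + SET_SIZE] for i in range(0, count, SET_SIZE)]

def sample_log(n):
    """Constructed sample: one status line followed by n detections."""
    start = datetime(2009, 2, 19, 10, 0, 0)
    lines = [start.strftime(TS_FORMAT) + " -> SelfCheck: Database status OK."]
    for i in range(n):
        when = (start + timedelta(minutes=i)).strftime(TS_FORMAT)
        lines.append(f"{when} -> /var/spool/mail/msg{i}.eml: "
                     "Eicar-Test-Signature FOUND")
    return lines

if __name__ == "__main__":
    for n in (45, 78, 9):
        sets = select_for_submission(parse_detections(sample_log(n)))
        print(n, "detections ->", sum(len(s) for s in sets), "records sent")
```

Because the filename is part of each record, running this over a real log shows exactly which paths would be disclosed before SubmitDetectionStats is enabled.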


  1. Hi,
    I have been reading the ClamAV source for quite some time. I have also been investigating some other anti-virus products like XYZ (I can't mention the specific name for security reasons). I have figured out some basic methodologies used by anti-virus products, which are as follows:
    1. Signature-based scanning.
    2. Algorithmic detection (which mainly covers some variants).
    3. General purpose monitors.
    4. Access control shells.
    5. Heuristic binary analysis.

    Please correct me if I missed anything.

    I was comparing ClamAV with other (commercial) anti-virus products. I have been able to find some false positives in some other commercial anti-virus products.
    For example, I successfully modified a target Win x86 binary to generate an anti-virus false positive and then framed a comparative study of scanning techniques.
    The results say that, on that binary, some other commercial anti-virus products give false positives while scanning it.
    That binary is nothing but false sections embedded into it and then compressed with the UPX packer.
    But the ClamAV response was far more appreciable than the others.

    So my focus turned to the ClamAV PE header and PE executable scanning API. After briefly investigating the behaviour of ClamAV, I figured out that there can be some more advancement of those APIs for scanning infection inside the Win PE executable file. The APIs are [cli_peheader] and [cli_scanpe].
    I believe there are some other techniques for infecting Win PE executables which were not considered while writing ClamAV. [Please reply with some sort of technical idea regarding this. If I am wrong, point out the areas for which those two APIs work correctly, with the corresponding limitations].

    For example,
    A PE file can be infected in various ways, which are as follows:
    1. Number of sections more than 100 and embedded code inside them.
    2. Adding a new object to the object table and then pointing the entry point RVA to this new object.
    3. Modifying raw data by increasing a few bytes, etc.
    [Please point out other methods, or whether I made mistakes regarding PE infection].

    All of the above techniques can be used for exploiting or bypassing anti-virus or for triggering false positives from AV.
    My point is: what sort of techniques are incorporated in ClamAV for handling such techniques? I may not be able to point out all methods of PE infection, but some others could be like packing virus code inside an executable which may be packed with other packers [point it out if I am wrong].
    I am pretty sure about the areas of polymorphic and metamorphic viruses which are not fully covered by ClamAV.

    Virus code can be packed with the following known packers:
    1. UPX
    2. FSG
    3. Petite
    4. Crinkler
    5. Win32
    6. WWPack32
    7. ASPACK
    8. ASPR
    9. MEW
    10. MPRESS
    11. PKLite32
    12. Shrinker32
    13. Upack
    14. PESpin, etc.
    [Please tell me if others exist]

    I have no idea what the ClamAV support for such packers is. All I know is that ClamAV supports the UPX and MEW packers.
    My point is, what are the measures taken by ClamAV for handling such huge packer facilities, and what measures has ClamAV taken for upcoming packers? Is there any generic rule for alerting the user if the packer is unknown? I guess it does exist, but how will ClamAV confirm the non-existence of viral code inside it?
    [Please reply with full technical points regarding each issue.]

    I may not have covered the virus infection issue completely, but I have pointed out as much as I could.
    I need a handful reply on this matter.

    [Please reply covering each issue; if not, please make a point regarding each issue. I urge the developers of ClamAV to keep this discussion healthy and appreciable].
    [For non-ClamAV users: reply with some sort of proof if available, or just make a point in brief, or point to other discussions which are applicable to my views.]

  2. Hello Friends, an e-mail server running on Solaris 9 with sendmail was running fine with clamav-0.94.2. Upon trying clamav-0.96, I am not able to get the e-mail scanned. Please let me know the startup commands. Can someone give me a copy of a running version of clamav-milter.conf?
    Regards, Rajan