Initial reports, viewable on our website, have shown two interesting facts that we did not predict. Firstly, over 50% of the malware that we detect is phishing attacks. Most of these are found by our heuristic system, which analyses data for the techniques that phishers use, the rest are found by signatures in our database. Although many people in the security industry have been warning about phishing emails for some time, the malware authors must still think it worthwhile to attack. Sadly innocent victims are still being conned to hand over their bank and other personal details to criminals. Secondly, some very old viruses, such as SomeFool (also known as Netsky) are still very active in the field years after we first detected them. Either many PCs have no anti-virus protection, or that protection is inadequate.
Currently we publish a daily report that lists the top 10 active malware in the last 24 hours. We hope, by the end of February, to have enough data to launch a statistics page full of more information. The more data that we receive from ClamAV users, the more reports, and the better the quality of the reports, will be. To enable the submission of data to us for use in the Active Malware Report, enable SubmitDetectionStats in freshclam.conf, and LogTime and LogFile in clamd.conf.
The only private data that is transferred is an IP address, which is used to create the geographical data. The size of the data that is sent is small; it contains just the filename, malware name and time of detection. The data is sent in sets of 10 records, up to 50 records per session. For example, if you have 45 new records, then freshclam will submit 40; if 78 then it will submit the latest 50 entries; and if you have 9 records no statistics will be sent.