ClamWin Anti-Virus

Frank Bohan

Has anyone tried out ClamWin? I am put off rather by the "How Can You Help"
section of their webpage, the first item being "Submit undetected virus
samples". How can you submit something which has not been detected?

http://www.clamwin.com/

===

Frank Bohan
¶ Man who sink in woman's arms soon have arms in woman's sink.
 
stxol

Frank said:
Has anyone tried out ClamWin? I am put off rather by the "How Can You Help"
section of their webpage, the first item being "Submit undetected virus
samples". How can you submit something which has not been detected?

http://www.clamwin.com/

===

Frank Bohan
¶ Man who sink in woman's arms soon have arms in woman's sink.


I have been using ClamWin for about six weeks and I love it. I had
previously used AntiVir Personal Edition for two years but finally got
fed up with the large, slow downloads. ClamWin is simple and intuitive
to use, and trouble-free in my experience. Compared to AntiVir, the
daily updates are very quick to download - normally less than 30
seconds. It does take a lot longer to scan my hard drive - 60+ minutes.
But this is not a problem, since scans can be scheduled for a time
that the computer is not needed.
 
Sparky

stxol said:
I have been using ClamWin for about six weeks and I love it. <stuff deleted>

Yea;

I use it too but, really, the OP's statement stands: "How can you
submit something which has not been detected?" To be frank, I look at
this as playing a virtual Russian roulette w/a single slug.

Of course, I'd like to be proven wrong.

-Sparky
 
mike ring

Has anyone tried out ClamWin? I am put off rather by the "How Can You
Help" section of their webpage, the first item being "Submit
undetected virus samples". How can you submit something which has not
been detected?

http://www.clamwin.com/

I tried it on my second box, and it stopped the computer waking up after
going into power saving. (98SE)

Back to Antivir

mike
 
»Q«

Has anyone tried out ClamWin? I am put off rather by the "How Can
You Help" section of their webpage, the first item being "Submit
undetected virus samples". How can you submit something which has
not been detected?

http://www.clamwin.com/

The only time ClamAv has been rigorously tested was in Uni-Hamburg's
VTC tests last year, and they rated it "useless" because of its poor
detection rates. The version tested was from late 2003, and it is
certainly better now than it was then. (E.g., unlike then, it can now
detect macro viruses.) But until it has a decent track record in
rigorous testing, IMO it would be very unwise to rely on it.
 
Anti_Freak_Machine

Frank said:
Has anyone tried out ClamWin? I am put off rather by the "How Can You Help"
section of their webpage, the first item being "Submit undetected virus
samples". How can you submit something which has not been detected?

http://www.clamwin.com/

===

Frank Bohan
¶ Man who sink in woman's arms soon have arms in woman's sink.

I use it as a backup scanner (WinXP) with no problems whatsoever. It
does scan slow but you can speed it up by excluding certain file types.
I have it exclude mpgs, mp3s, etc...

The undetected virus samples refer to files you suspect of being
malware. Most AVs ask you to help out in this area. Go to your favorite
AV homepage and look for yourself :)
I found this munged list after searching alt.comp.virus to illustrate
the point:
CAI (IPE), Vet: (e-mail address removed)
Eset (NOD32): (e-mail address removed)
Frisk (F-Prot): (e-mail address removed)
F-Secure: (e-mail address removed)
H+BEDV (AntiVir): (e-mail address removed)
Kaspersky (AVP): (e-mail address removed)
NAI (McAfee): (e-mail address removed)
Norman: (e-mail address removed)
Panda: (e-mail address removed)
Sophos: (e-mail address removed)
Symantec (Norton): (e-mail address removed)
Trend: (e-mail address removed)


Oh and to answer your question about submitting files that have not been
detected, [example 1] there are people that watch usenet for the various
*.scr, *.pif, etc. type files that like to show up here and test them
against their anti-virus programs. Undetected ones get submitted to
several AV companies as they are found.
[example 2] When troubleshooting a computer, techs sometimes come across
a mystery executable, these usually get submitted.
 
Maatt

Frank said:
Has anyone tried out ClamWin? I am put off rather by the "How Can You Help"
section of their webpage, the first item being "Submit undetected virus
samples". How can you submit something which has not been detected?

http://www.clamwin.com/

===

Frank Bohan
¶ Man who sink in woman's arms soon have arms in woman's sink.

I've been using ClamWin in conjunction with Sophos and AVG for a few
weeks now, although ClamWin seems to lack 'on-access' scanning it picks
up all the same stuff as the others when it does scan the files. I
agree the updates are much quicker than AVG and much less intrusive. I
do like the fact that ClamWin can email its results to me though.

Maatt
 
Toad    

Has anyone tried out ClamWin? I am put off rather by the "How Can You Help"
section of their webpage, the first item being "Submit undetected virus
samples". How can you submit something which has not been detected?

http://www.clamwin.com/

===

Frank Bohan
¶ Man who sink in woman's arms soon have arms in woman's sink.

I tried it not long ago and it leaked memory like crazy and was
slowwww.

Toad
 
David H. Lipman

|
| I tried it not long ago and it leaked memory like crazy and was
| slowwww.
|
| Toad
|

It also has a limited library ~30,000 infectors.

McAfee has a library of ~121,000 infectors.

TrendMicro has a library of ~98,000 infectors.
 
ms

mike said:
I tried it on my second box, and it stopped the computer waking up after
going into power saving. (98SE)

Back to Antivir

mike

Maybe it has trouble with W98SE. For me, it only ran once, never again. I
also stuck with AntiVir.

Mike Sa
 
Steve Basford

It also has a limited library ~30,000 infectors.
McAfee has a library of ~121,000 infectors.
TrendMicro has a library of ~98,000 infectors.

Yep, you're correct but does that *really* matter:

a) how many 1991 DOS viruses do you get emailed to you ;)

b) try using Jotti/VirusTotal to submit two or three malwares, you'll
see that ClamAv does a pretty good job of picking up recent viruses, in
some cases it beats McAfee and Trend...

eg: one test sample: loader2.ocx (sorry about word wrap):

AntiVir 6.30.0.7 04.07.2005 TR/Dldr.Agent.EX
AVG 718 04.07.2005 no virus found
BitDefender 7.0 04.07.2005 no virus found

ClamAV devel-20050307 04.07.2005 Trojan.Downloader.Agent-86

DrWeb 4.32b 04.07.2005 Trojan.DownLoader.2106
eTrust-Iris 7.1.194.0 04.07.2005 no virus found
eTrust-Vet 11.7.0.0 04.07.2005 no virus found
Fortinet 2.51 04.07.2005 W32/Agent.EX-tr
F-Prot 3.16a 04.07.2005 no virus found
Ikarus 2.32 04.07.2005 Trojan-Downloader.Win32.Agent.EX
Kaspersky 4.0.2.24 04.07.2005
Trojan-Downloader.Win32.Agent.ex

McAfee 4464 04.07.2005 no virus found

NOD32v2 1.1049 04.06.2005 Win32/TrojanDownloader.Agent.EX
Norman 5.70.10 04.06.2005 no virus found
Panda 8.02.00 04.07.2005 Trj/CWinning.A
Sybari 7.5.1314 04.07.2005 no virus found
Symantec 8.0 04.07.2005 no virus found

So, the above example shows that having the biggest library doesn't *always*
help...

At the end of the day, Kaspersky has the best detection rate but it's all
about having a layered approach to security.

Note:
Jotti Virusscan: http://virusscan.jotti.org/
VirusTotal: http://www.virustotal.com/xhtml/index_en.html
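
The listing in the post above can be tallied mechanically. The following is an added example, not part of the original post: it parses a report in that engine / version / date / result layout, including a result that has wrapped onto its own line. The sample text is built from a few rows of the listing, and the function names are hypothetical.

```python
import re

# Constructed sample: a few rows copied from the listing in the post above,
# keeping the Kaspersky result on its own wrapped line.
SAMPLE = """\
AntiVir 6.30.0.7 04.07.2005 TR/Dldr.Agent.EX
AVG 718 04.07.2005 no virus found

ClamAV devel-20050307 04.07.2005 Trojan.Downloader.Agent-86
Kaspersky 4.0.2.24 04.07.2005
Trojan-Downloader.Win32.Agent.ex

McAfee 4464 04.07.2005 no virus found
NOD32v2 1.1049 04.06.2005 Win32/TrojanDownloader.Agent.EX
"""

# engine, version, dotted date, then an optional result
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})(?:\s+(.+))?$")

def parse_report(text):
    """Return {engine: signature or None}; None means 'no virus found'."""
    results, pending = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = ROW.match(line)
        if m:
            engine, _version, _date, result = m.groups()
            if result is None:
                pending = engine        # result wrapped to the next line
                continue
            pending = None
        elif pending:
            engine, result, pending = pending, line, None
        else:
            raise ValueError(f"unparseable line: {line!r}")
        results[engine] = None if result.lower() == "no virus found" else result
    return results

def summarize(results):
    """Split engines into those that flagged the sample and those that did not."""
    hits = sorted(e for e, sig in results.items() if sig)
    misses = sorted(e for e, sig in results.items() if not sig)
    return hits, misses

if __name__ == "__main__":
    hits, misses = summarize(parse_report(SAMPLE))
    print(f"{len(hits)}/{len(hits) + len(misses)} flagged; missed by: {misses}")
```
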
 
David H. Lipman

From: "Steve Basford"


|
| Yep, you're correct but does that *really* matter:
|
| a) how many 1991 DOS viruses do you get emailed to you ;)
|
| b) try using Jotti/VirusTotal to submit two or three malwares, you'll
| see that ClamAv does a pretty good job of picking up recent viruses, in
| some cases it beats McAfee and Trend...
|
| eg: one test sample: loader2.ocx (sorry about word wrap):
|
| AntiVir 6.30.0.7 04.07.2005 TR/Dldr.Agent.EX
| AVG 718 04.07.2005 no virus found
| BitDefender 7.0 04.07.2005 no virus found
|
| ClamAV devel-20050307 04.07.2005 Trojan.Downloader.Agent-86
|
| DrWeb 4.32b 04.07.2005 Trojan.DownLoader.2106
| eTrust-Iris 7.1.194.0 04.07.2005 no virus found
| eTrust-Vet 11.7.0.0 04.07.2005 no virus found
| Fortinet 2.51 04.07.2005 W32/Agent.EX-tr
| F-Prot 3.16a 04.07.2005 no virus found
| Ikarus 2.32 04.07.2005 Trojan-Downloader.Win32.Agent.EX
| Kaspersky 4.0.2.24 04.07.2005
| Trojan-Downloader.Win32.Agent.ex
|
| McAfee 4464 04.07.2005 no virus found
|
| NOD32v2 1.1049 04.06.2005 Win32/TrojanDownloader.Agent.EX
| Norman 5.70.10 04.06.2005 no virus found
| Panda 8.02.00 04.07.2005 Trj/CWinning.A
| Sybari 7.5.1314 04.07.2005 no virus found
| Symantec 8.0 04.07.2005 no virus found
|
| So, the above example shows that having the biggest library doesn't *always*
| help...
|
| At the end of the day, Kaspersky has the best detection rate but it's all
| about having a layered approach to security.
|
| Note:
| Jotti Virusscan: http://virusscan.jotti.org/
| VirusTotal: http://www.virustotal.com/xhtml/index_en.html

You'd be surprised how many of the FORM or NYB (TRUE viruses) I have seen well after I
thought they were long since dead.

a) Email is NOT the only way to receive an infector

b) I won't use Jotti because he keeps the infectors for personal reasons and only has a
handful of scanners. Virus Total on the other hand has 17 AV vendor scanners on board
/*_and more importantly_*/, the samples provided to Virus Total are subsequently provided to
the 17 virus vendor participants. To add to it, I have submitted samples to Virus Total
where Clam AV did catch it. For example on 11/12/04 I submitted "wburgm.exe" to Virus Total
that was a SDbot variant. ClamAv failed to flag it while BitDefender, Kaspersky, NOD32,
Norman and Sybari did. Then there was a "bla.exe" sample that was a "w32/Dowloader.small"
type Trojan. Again, ClamAV failed. Then there was the "drvstat16.exe" submitted on Jan 2,
05 which was a "W32/Backdoor" variant that ClamAv failed to flag.

Humm, I see the Jotti web site just /*CHANGED*/ the wording on the web page ! He must have
read my thread in a.c.a-v and then reworded the web page accordingly.
 
Steve Basford

handful of scanners. Virus Total on the other hand has 17 AV vendor scanners on board
/*_and more importantly_*/, the samples provided to Virus Total are subsequently provided to
the 17 virus vendor participants.

Actually, Jotti does supply all vendors his virus samples, see how many samples
got added to ClamAV via the Jotti site, in this post alone:
http://lurker.clamav.net/message/20050405.060849.10bdf692.en.html

You're correct about VirusTotal having 17 scanners, but 13 for Jotti isn't too
bad ;) Note that Jotti would have had 14 but McAfee asked Jotti to remove
their scanner from this site quite some time ago.

Basically, I too submit samples via Jotti and VirusTotal and the work they both
do for free.....is certainly appreciated.

Anyway, thanks for the chat... I'll stop now before we get even more off topic
in the freeware newsgroup :)

Cheers,

Steve
 
null

| I tried it not long ago and it leaked memory like crazy and was
| slowwww.

It also has a limited library ~30,000 infectors.

McAfee has a library of ~121,000 infectors.

TrendMicro has a library of ~98,000 infectors.

Is that all? I see F-Prot is claiming it detects nearly 150,000.

Art

http://home.epix.net/~artnpeg
 
David H. Lipman

| On Thu, 07 Apr 2005 03:29:47 GMT, "David H. Lipman"
|
| >| I tried it not long ago and it leaked memory like crazy and was
| >| slowwww.
| >
| >It also has a limited library ~30,000 infectors.
| >
| >McAfee has a library of ~121,000 infectors.
| >
| >TrendMicro has a library of ~98,000 infectors.
|
| Is that all? I see F-Prot is claiming it detects nearly 150,000.
|
| Art
|
| http://home.epix.net/~artnpeg


Hi Art:

Well that just helps prove my point.
ClamAV is only ~30,000 that's ~1/5 of F-Prot library !
 
/3iff //ullinz

| On Thu, 07 Apr 2005 03:29:47 GMT, "David H. Lipman"
|
| >| I tried it not long ago and it leaked memory like crazy and was
| >| slowwww.
| >
| >It also has a limited library ~30,000 infectors.
| >
| >McAfee has a library of ~121,000 infectors.
| >
| >TrendMicro has a library of ~98,000 infectors.
|
| Is that all? I see F-Prot is claiming it detects nearly 150,000.
|
| Art
|
| http://home.epix.net/~artnpeg


Hi Art:

Well that just helps prove my point.
ClamAV is only ~30,000 that's ~1/5 of F-Prot library !

hi "lippy":

fprot sports a lazy crew which never seems to get around to removing
archaic virii which has long-since ceased to be in the wild.

hth!
 
David H. Lipman

From: "/3iff //ullinz"

| On Fri, 08 Apr 2005 18:44:38 GMT, "David H. Lipman"
| said:
|> On Thu, 07 Apr 2005 03:29:47 GMT, "David H. Lipman"
|>
|>>> I tried it not long ago and it leaked memory like crazy and was
|>>> slowwww.
|>
|> Is that all? I see F-Prot is claiming it detects nearly 150,000.
|>
|> Art
|>
|> http://home.epix.net/~artnpeg
| hi "lippy":
|
| fprot sports a lazy crew which never seems to get around to removing
| archaic virii which has long-since ceased to be in the wild.
|
| hth!
|
| --
| "Objection is when I say: this doesn't suit me.
| Resistance is when I make sure that what doesn't
| suit me never happens again" --Ulrike Meinhof
|

Hello fellow Verizonite !

Archaic has no meaning except in the false perception that there is such terminology as
'viri' or 'virii'.
There is no such terminology as the plural for virus is viruses -- period !
 
David

From: "/3iff //ullinz"

| On Fri, 08 Apr 2005 18:44:38 GMT, "David H. Lipman"

|
| fprot sports a lazy crew which never seems to get around to removing
| archaic virii which has long-since ceased to be in the wild.
|
| hth!
|
Thank goodness. F-Prot was always able to detect virii that others
could not. Just because it has not been seen in some time does not
mean that it is extinct. Some idiot might try to revive it just for
fun.

Archaic has no meaning except in the false perception that there is such terminology as
'viri' or 'virii'.
There is no such terminology as the plural for virus is viruses -- period !

Perhaps you should learn Latin instead of trying to impose
Americanisms on everyone. "Virii" is the correct form of the plural
for the word "virus".
 
Gordon Darling

Perhaps you should learn Latin instead of trying to impose Americanisms
on everyone. "Virii" is the correct form of the plural for the word
"virus".

NO it isn't and this argument has been going on for over twenty years.

"In the English language, the normal plural of "virus" is "viruses". This
form of the plural is correct, and used most frequently, both when
referring to a biological virus and when referring to a computer virus.

The forms "viri" and "virii" are also used as a plural, although less
frequently. There is disagreement over whether these forms should be
considered correct."

en.wikipedia.org/wiki/Virus_(plural)

In computer terms it is ALWAYS "viruses".

Regards
Gordon
 
David

NO it isn't and this argument has been going on for over twenty years.

"In the English language, the normal plural of "virus" is "viruses".

You omitted the descriptor "American" from in front of the word
English in the above statement.

This form of the plural is correct, and used most frequently, both when
referring to a biological virus and when referring to a computer virus.

The forms "viri" and "virii" are also used as a plural, although less
frequently. There is disagreement over whether these forms should be
considered correct."

The correct format, from my Latin days is "virii"

en.wikipedia.org/wiki/Virus_(plural)

In computer terms it is ALWAYS "viruses".

In American terms it is always "viruses". In the rest of the world
your mileage may vary considerably.

I consider that this is similar to the argument over the term
"Billion". In England and most other English speaking countries the
term "Billion" referred to a million million. Along come the USA'ans
and their stress that they are ALWAYS right and soon the whole world
is using the term to mean a thousand million. Trust the Yanks to try
to big-note themselves so that they appear richer than they really
are.
 
