Sunday, March 2, 2008

Detecting virii, false-positives, and getting signatures

I help out the ClamAV dev team as much as I can when I find a virus/trojan/PUA/worm that is not detected by ClamAV but is detected by others. The first thing I usually do is stick the infected file(s) on a thumb drive and transfer them over to my laptop. It runs Linux, so there is no real chance of it becoming infected. I upload the file(s) to both Jotti and VirusTotal and have them scan the file. They use many different AV programs to scan the file and will send the results to any AV distributor that had either incomplete or no detection of the malware at hand. After that, I have the (generic) name of the malware, who recognises it, and a sample of it. I take these samples and upload them to ClamAV so the dev team can get a signature out for the malware as soon as possible.

Sometimes, though, I do run into false positives, which is when the AV at hand falsely detects a virus in a clean file. When this happens, I do the same first step as I do with an undetected piece of malware: upload it to either Jotti or VirusTotal and see how it is detected and by whom. If it is just ClamAV, I email the list, give them my findings, and be on my merry way. For the rest, the information will be sent to them from VirusTotal or Jotti, so I need not worry.
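The sorting step above (does ClamAV miss something the other engines catch, or is ClamAV the only one flagging a file?) can be scripted once the results are in hand. The following is an added example and not the author's own tooling: it parses the per-file `path: NAME FOUND` / `path: OK` lines that `clamscan` prints, merges them with a multi-engine result table, and decides whether a sample should be sent to ClamAV for a signature, reported as a likely false positive, or left alone. The clamscan output, the vendor names, the detection names and the "at least two other engines agree" threshold are all constructed for the example.

```python
"""Triage helper (added example): compare ClamAV's verdict on each sample with
the verdicts of other engines and decide what to do with the sample."""
import re
from collections import Counter

# clamscan prints one line per scanned file: "<path>: <signature> FOUND" or "<path>: OK".
# Summary lines ("Infected files: 1", "Known viruses: ...") do not match this pattern.
CLAMSCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")

# Constructed clamscan output, as it would look after scanning the thumb drive.
CLAMSCAN_OUTPUT = """\
/mnt/usb/sample1.exe: OK
/mnt/usb/sample2.exe: Win.Trojan.Example-1 FOUND
/mnt/usb/sample3.dll: OK
/mnt/usb/clean.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 1234
Scanned files: 4
Infected files: 1
"""

# Constructed multi-engine results (what a Jotti/VirusTotal report would boil down to):
# {path: {vendor: detection name, or None if that vendor calls the file clean}}
OTHER_RESULTS = {
    "/mnt/usb/sample1.exe": {"VendorA": "Trojan.Downloader.Example",
                             "VendorB": "Trojan.Downloader.Example",
                             "VendorC": None},
    "/mnt/usb/sample2.exe": {"VendorA": None, "VendorB": None, "VendorC": None},
    "/mnt/usb/sample3.dll": {"VendorA": "Suspicious.Heur.Example",
                             "VendorB": None, "VendorC": None},
    "/mnt/usb/clean.txt":   {"VendorA": None, "VendorB": None, "VendorC": None},
}


def parse_clamscan(output):
    """Map each scanned path to its ClamAV signature name, or None if ClamAV says OK."""
    verdicts = {}
    for line in output.splitlines():
        m = CLAMSCAN_LINE.match(line.strip())
        if m:
            verdicts[m.group("path")] = m.group("sig")
    return verdicts


def triage(clam_sig, other_results, min_agreeing=2):
    """Return (action, name) for one sample.

    clam_sig:      ClamAV's signature name, or None if ClamAV found nothing.
    other_results: {vendor: detection name or None} from the multi-engine scan.
    min_agreeing:  how many other engines must flag the file before we call it a
                   missed detection rather than one vendor's heuristic (assumed value).
    """
    names = [n for n in other_results.values() if n]
    if clam_sig and not names:
        # Only ClamAV flags it: candidate false positive, report with ClamAV's name.
        return ("report_false_positive", clam_sig)
    if clam_sig:
        # ClamAV already agrees with the other engines; nothing to submit.
        return ("already_detected", clam_sig)
    if len(names) >= min_agreeing:
        # ClamAV misses what several others catch: submit the sample, using the
        # most common name as the generic name to attach to the submission.
        return ("submit_sample", Counter(names).most_common(1)[0][0])
    if names:
        # A single vendor's hit is not enough to act on; keep the sample and re-check later.
        return ("inconclusive", names[0])
    return ("clean", None)


def run_triage(clamscan_output, other_results):
    """Triage every file in the clamscan output against the multi-engine results."""
    return {path: triage(sig, other_results.get(path, {}))
            for path, sig in parse_clamscan(clamscan_output).items()}


if __name__ == "__main__":
    for path, (action, name) in run_triage(CLAMSCAN_OUTPUT, OTHER_RESULTS).items():
        print(f"{path}: {action}" + (f" ({name})" if name else ""))
```

With the constructed data, `sample1.exe` comes out as a sample to submit to ClamAV under the name the other engines agree on, `sample2.exe` as a false positive to raise on the list, `sample3.dll` as inconclusive, and `clean.txt` as clean. The threshold is deliberately a parameter: one vendor's heuristic hit is often all the "evidence" a questionable detection has, so it should not by itself trigger a signature request.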

1 comment:

  1. FYI: the only legitimate plural of virus is viruses.

    Viri means many men, being a plural form of Vir, and virii roughly translates as "I don't speak Latin" (o: