ClamAV: maybe not so useless?

Discussion in 'other anti-virus software' started by Gullible Jones, Aug 1, 2014.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    ClamWin has an awful reputation from what I've seen, and probably deserved.

    However, the Linux version (deployed from a live CD) may be decent for second opinions IMO. Today I got to see it detect the CompuTrace commercial rootkit by heuristics. Most of the AVs on VirusTotal fail to flag that one, by either signatures or heuristic detection.

    I wouldn't trust it as my only tool (but then I wouldn't trust anything as my only tool). Still, it might be handy for finding likely malicious files. I would just suggest not enabling PUA detection first thing, because that will flag every packed binary on your system (and there are a lot of those on a typical Windows install).

    Anyway just thought I'd put that out there; especially given the state of most commercial AV live CDs.
     
  2. guest

    guest Guest

    ClamAV gave me FPs while having low detection rate. It's just not sensible. I have no idea how it is on Linux systems/Linux boot environment, but on Windows it's just meh.
     
    Last edited by a moderator: Aug 2, 2014
  3. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
    I've never used Clam AV...;)
     
  4. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Even a blind squirrel finds a nut once in a while
     
  5. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Observed from your magnificent treehouse no doubt.

    Regards Eck:)
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    LOL :p
     
  7. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    its just the worst AV but its opensource so the most trustful.
     
  8. entropism

    entropism Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    500
    So an AV with an awful rep for detection, and an awful rep for finding false positives, was the ONLY AV that found a potential threat? Sir, I do believe that's called a false positive.
     
  9. Inside Out

    Inside Out Registered Member

    Joined:
    Sep 17, 2013
    Posts:
    421
    Location:
    Pangea
    Given his posts, I think he's savvy enough to make sure it's not, but even a broken clock is right twice a day in that case.
     
  10. FOXP2

    FOXP2 Guest

    Well, as Gullible J noted in the OP, it's good enough for Virus Total. :thumb:
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    No, not an FP, but a "legitimate" commercial rootkit by the makers of LoJack, which is implemented in the BIOS firmware of some Dell machines (among others). And it is supposed to allow at least some amount of remote administration. If you're using it, fine! But for an organization that is not using it, and leaves it enabled, it is a potential backdoor.

    And other AVs do detect it. But most don't (probably to avoid alarming end users).

    What impressed me though was the heuristic detection of a patched executable. You wouldn't think that EXE was tampered with unless you dumped its internal strings (and noticed all the HTTP stuff that definitely doesn't belong in a filesystem checker program).
     
  12. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    given the open source nature of clamav im not surprised it goes specifically after commercial rootkits.
     
  13. 93036

    93036 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    110
    Isn't ClamAV the only portable choice for a pendrive?
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I don't think so; some proprietary live AV distros may be installable to a pen drive. But I would not recommend using a pen drive to clean out compromised machines in any case. Not because of BadUSB/Rakshasa/whatever, mind, but because of the possibility for human error. IMO read/write flash media don't belong in proximity to a rooted OS.

    My bigger problem with proprietary live AV solutions is that their hardware support tends to be godawful. For some reason they've almost always got badly configured or obsolete kernels, old versions of X11, weird GUIs cobbled together from ancient DirectFB versions of GTK or Qt, etc. etc.
     
  15. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    1 : ClamAV is not a real-time scanner, it is a on-demand scanner .
    So, of course it wont protect you from being an idiot visiting sites you shouldn't go near and
    it wont catch all that stupid java-scripted crap you allow every site in the world to run on your computer .
    2 : How do other AV's get those 'great detection-rates' ?
    Mostly by scanning for all viruses known to the maker of the scanner, including ancient amiga-viruses and
    all the other viruses that cant do **** on a modern PC .
    3 : ALL AV's suck more ore less, it's the wrong 'solution' to the real virus-problem .
     
  16. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Enigm: I'm not interested in realtime AV software in this case, more in "forensic" AV software, for helping to determine the nature and extent of a suspected compromise.

    Also, three words: "watering hole attack." See this for instance:

    http://labs.bromium.com/2014/02/21/the-wild-wild-web-youtube-ads-serving-malware/

    As for JS blocking, I consider that a necessity when using Gecko browsers, and highly desirable in other browsers (though I've yet to find a JS blocker as powerful and friendly as Noscript). However, I wonder at times if a complex JS blocker could not itself present attack surface, since it has to do some HTML parsing:

    https://www.wilderssecurity.com/thr...without-making-the-blocker-vulnerable.366823/
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.