The sigtool controversy
I asked a few of the big anti-virus companies about ClamAntiVirus, and especially about their controversial "sigtool" program. Sigtool allows users to make their own signatures based on the detection behavior of another scanner. It basically does a progressive truncation of the file being scanned until it has the smallest portion from which the other scanner will still find the virus, and that is the signature. This capability was what originally interested me about ClamAntiVirus, because it's basically stealing other companies' work. In fact, some anti-virus companies now prohibit such behavior as part of their licenses, and the sigtool docs warn you to check the license for such a restriction. The ClamAntiVirus docs also say that this is not the method they use to develop "official" distributions of signatures.

I scanned the ClamAntiVirus database for a virus I knew to be polymorphic (MiMail.Q) and it's in there. Furthermore, the signature (which the database will happily show you) is not a simple hexadecimal constant, but contains sequences like "90*9090????90??9090*". Hmmm ... Those look like wildcards. Probably input to a regular expression parser. So ClamAntiVirus is more capable than I was originally led to believe by one anti-virus company and third parties, but I still suspect it's not as sophisticated as the commercial products, which use such techniques as instruction frequency detection as well as simple pattern detection. We don't know, because there are no numbers, at least not recently.

ClamAntiVirus has a lot of the basic functionality of commercial anti-virus systems, but not all of it. It can't disinfect files, although I consider this a minor problem. Viruses don't infect files anymore; they create their own files. The techniques used to infect files are too easy to detect.
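The wildcard signature quoted above, as an added example that is not ClamAV's own code: a small Python translator from a ClamAV-style hex signature into a byte regex, run over a constructed sample buffer. It assumes `*` means any run of bytes and `?` any single hex nibble (so `??` is any byte), and ignores the other constructs of the real signature format.

```python
import re

def hexsig_to_regex(sig: str) -> re.Pattern:
    """Translate a ClamAV-style hex signature into a compiled bytes regex.

    Handled here: hex byte pairs, '*' (any run of bytes) and '?' (any one
    hex nibble, so '??' is any byte). Other constructs of the real format,
    such as '{n-m}' gaps, are deliberately not handled. This is an added
    illustration, not ClamAV's own matcher.
    """
    parts = []
    i = 0
    while i < len(sig):
        if sig[i] == "*":
            parts.append(b".*?")          # lazy: any number of bytes
            i += 1
            continue
        if i + 1 >= len(sig):
            raise ValueError("signature has an odd number of hex digits")
        hi, lo = sig[i], sig[i + 1]
        i += 2
        if hi == "?" and lo == "?":
            parts.append(b".")            # any one byte
        elif hi == "?":                   # only the low nibble is fixed
            vals = [(h << 4) | int(lo, 16) for h in range(16)]
            parts.append(b"[" + b"".join(b"\\x%02x" % v for v in vals) + b"]")
        elif lo == "?":                   # only the high nibble is fixed
            vals = [(int(hi, 16) << 4) | n for n in range(16)]
            parts.append(b"[" + b"".join(b"\\x%02x" % v for v in vals) + b"]")
        else:
            parts.append(b"\\x%02x" % int(hi + lo, 16))
    return re.compile(b"".join(parts), re.DOTALL)

def match_hexsig(sig: str, data: bytes):
    """Return (start, end) of the first match of sig in data, or None."""
    m = hexsig_to_regex(sig).search(data)
    return (m.start(), m.end()) if m else None

# Constructed sample buffer (not real malware): filler bytes around the
# byte pattern that the article's wildcard signature describes.
SAMPLE = (b"\x55\x8b\xec" + b"\x90" + b"\x01\x02\x03" + b"\x90\x90"
          + b"\xaa\xbb" + b"\x90" + b"\x42" + b"\x90\x90" + b"\xff")

if __name__ == "__main__":
    print(match_hexsig("90*9090????90??9090*", SAMPLE))          # (3, 15)
    print(match_hexsig("90*9090????90??9090*", b"\x90\x90\x90"))  # None
```

The lazy `.*?` for `*` makes the reported span end at the last fixed byte rather than swallowing the rest of the buffer, which is what you want when locating where a signature fired.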
Clearly the biggest need these days in an anti-virus system is for scanning e-mail, and here's where ClamAntiVirus scares me. According to the manual, mail support is turned off by default because it "is still under development and may cause stability problems." Yikes! In certain circles ClamAntiVirus is highly respected, but that's at least partially for lack of anything else to respect. And as a second or third scanner, it's basically no-lose, unless it has false positives.

According to Steve Stern, manager of the WUGNET VirusCentral Forum, both SourceForge.net and CompuServe use ClamAntiVirus to scan e-mail. Is that all they use to test? At this point, with no real objective data to compare it with anything else (not even the wild list) and with mail server support still officially unfinished, it's hard to see how you could rely on it for a real organization, unless you actually have no budget. I'm rooting for them in a way, and perhaps a successful ClamAntiVirus could put pricing pressure on the Symantecs and McAfees of the world, who have raised their prices pretty consistently over the years and made it more difficult to protect ourselves.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.com's Security Center at http://security.eweek.com for the latest security news, reviews and analysis.
The other method is either not documented or too simplistic to take seriously. The documentation basically tells you to go into a hex editor and find a sufficiently unique string. There's a lot more to it. Even just relying on a single static string would mean that ClamAntiVirus couldn't find any polymorphic viruses, and there are a lot of polymorphic viruses. Incidentally, the sigtool automated detection specifically can't find polymorphic viruses. But ClamAntiVirus appears to be able to do polymorphic detection.