The sigtool controversy

By Larry Seltzer  |  Posted 2004-08-09 Print this article Print

I asked a few of the big anti-virus companies about ClamAntiVirus, and especially about their controversial "sigtool" program. Sigtool allows users to make their own signatures based on the detection behavior in another scanner. They basically do a progressive truncation of the file being scanned until they have the smallest portion from which the scanner will find the virus, and that is the signature.

This capability was what originally interested me about ClamVirus because its basically stealing other companies work. In fact, some anti-virus companies now prohibit such behavior as part of their licenses and the sigtool docs warn you to check the license for such a restriction. The ClamAntiVirus docs also say that this is not the method they use to develop "official" distributions of signatures.

The other method is either not documented or too simplistic to take seriously. The documentation basically tells you to go into a hex editor and find a sufficiently unique string. Theres a lot more to it. Even just relying on a single static string would mean that ClamAntiVirus couldnt find any polymorphic viruses, and there are a lot of polymorphic viruses. Incidentally, the sigtool automated detection specifically cant find polymorphic viruses. But ClamAntiVirus appears to be able to do polymorphic detection.

Check out eWEEK.coms Linux & Open Source Center at for the latest open-source news, reviews and analysis. I scanned the ClamAntiVirus database for a virus I knew to be polymorphic (MiMail.Q) and its in there. Furthermore, the signature (which the database will happily show you) is not a simple hexadecimal constant, but contains sequences like "90*9090????90??9090*." Hmmm ... Those look like wildcards. Probably input to a regular expression parser. So ClamAntiVirus is more capable than I was originally led to believe by one anti-virus company and third parties, but I still suspect its not as sophisticated as the commercial products, which use such techniques as instruction frequency detection as well as simple pattern detection. We dont know because there are no numbers—at least not recently.

ClamAntiVirus has a lot of the basic functionality of commercial anti-virus systems, but not all of it. It cant disinfect files, although I consider this a minor problem. Viruses dont infect files anymore, they create their own files. The techniques used to infect files are too easy to detect.

Clearly the biggest need these days in an anti-virus system is for scanning e-mail, and heres where ClamAntiVirus scares me. According to the manual, mail support is turned off by default because it "is still under development and may cause stability problems." Yikes!

In certain circles ClamAntiVirus is highly respected, but thats at least partially for lack of anything else to respect. And as a second or third scanner, its basically no-lose—unless it has false positives. According to Steve Stern, manager of the WUGNET VirusCentral Forum, both and CompuServe use ClamAntiVirus to scan e-mail. Is that all they use to test?

At this point, with no real objective data to compare it with anything else—not even the wild list—and with mail server support still officially unfinished, its hard to see how you could rely on it for a real organization, unless you actually have no budget. Im rooting for them in a way and perhaps a successful ClamAntiVirus could put pricing pressure on the Symantecs and McAfees of the world, who have raised their prices pretty consistently over the years and made it more difficult to protect ourselves.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center at for the latest security news, reviews and analysis.

Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel