Does Clamav And Immunet Have Same Cloud Definitions?


christhomas

  • 1 month later...

At http://blog.immunet.com/blog/2010/3/7/how-immunet-detects-threats-in-a-nutshell.html :

 

3. … For each of these collected (and verified malicious files) we generate a signature. …

 

We share detections and files.

 

Please: are the new signatures that are generated by Immunet all added to the ClamAV Virus Databases? Or will some signatures be proprietary to Immunet?


At http://blog.immunet.com/blog/2010/3/7/how-immunet-detects-threats-in-a-nutshell.html :

Please: are the new signatures that are generated by Immunet all added to the ClamAV Virus Databases? Or will some signatures be proprietary to Immunet?

 

I am not sure I understand your question. Are you asking if we migrate our detections back to the Unix version of ClamAV's sig db? No, currently we do not.

 

al


Guest Tyler Dami

I am not sure I understand your question. Are you asking if we migrate our detections back to the Unix version of ClamAV's sig db? No, currently we do not.

 

al

Al,

ClamAV seems to think that you do... I'm confused

 

http://www.clamav.net/index.php?s=upgrading&lang=en

 

Does ClamAV for Windows detect the same things as ClamAV?

 

A9. The short answer is ‘Yes’ it does. We continually updated Immunet’s database with our detected samples and false positives, and they do the same for us. This allows us to have detection ‘parity’, IE if ClamAV detects it so does ClamAV for Windows. Additionally, users of ClamAV for Windows will get the same virus and malware names they are used to getting in other ClamAV products.

 

The long answer is that Immunet’s On Access (when you open, copy, etc a file) file monitor only deals with PE files in this initial version. This means that files like PDFs or Documents that ClamAV would normally detect won’t be scanned by this initial version. In future versions that include the ClamAV engine locally these types of parity issues will be resolved.


I'm trying to reconcile just a few things:

 

the relationship between TETRA and BitDefender

http://www.wilderssecurity.com/showpost.php?p=1724071

http://www.wilderssecurity.com/showpost.php?p=1728792

 

… continually updated Immunet’s database with our detected samples and false positives, and they do the same for us.

http://www.clamav.net/lang/en/support/faq/faq-win32/

 

Immunet / ClamAV continue to exchange definitions, which are included in the cloud engines

— http://www.wilderssecurity.com/showpost.php?p=1728792

 

We process (create cloud definitions) for 17,500 files a day

http://blog.immunet.com/blog/2010/2/17/the-immunet-protect-ethos-engine-a-week-in-the-life.html

 

I don't imagine Immunet Corporation adding 17,500 file definitions a day to ClamAV databases ;) but

I do wonder about the mutual benefits. Just curiosity.


 

I'm primarily a user of Mac OS X (occasionally with CrossOver or another flavour of Wine), secondarily I look after a few Windows boxes, and amongst other things re: http://forum.immunet.com/index.php?/topic/139-mac-support/page__view__findpost__p__1649 I wonder:

 

a) do any of the three current engines (ETHOS, SPERO, TETRA) make any use of signatures from ClamAV databases?

 

b) does investment in Immunet Protect ultimately benefit other communities/products that use ClamAV databases?

 

— if the answer is yes, then that would be (for me) a great incentive to purchase and recommend Immunet Protect.

 

From http://www.wilderssecurity.com/showpost.php?p=1658729 and from http://www.wilderssecurity.com/showpost.php?p=1728792 I understand that ClamAV may eventually move in a different direction from Immunet Protect but for now, I'd like to put my money and my mouth in the direction of products that take the most co-operative approach.


I don't imagine Immunet Corporation adding 17,500 definitions a day to ClamAV databases ;) but

I do wonder about the mutual benefits. … 

 

a) do any of the three current engines (ETHOS, SPERO, TETRA) make any use of signatures from ClamAV databases?

 

b) does investment in Immunet Protect ultimately benefit other communities/products that use ClamAV databases?

 

In the clamav.net area:

 

A4. The current roadmap includes adding ClamAV 0.96.3 as an additional engine in the ClamAV for Windows 3.0 product. This product will be released in November 2010. This will allow end users to use the more than 750K signatures in the current ClamAV for Unix db …

http://www.clamav.net/lang/en/support/faq/faq-win32/

— a useful answer, and I can do some reading between the lines, but what's in between doesn't answer my question (a).


Al,

ClamAV seems to think that you do... I'm confused

 

http://www.clamav.net/index.php?s=upgrading&lang=en

 

This means that files like PDFs or Documents that ClamAV would normally detect won’t be scanned by this initial version. In future versions that include the ClamAV engine locally these types of parity issues will be resolved.

 

Tyler, it's on how you are reading it I think. Because our current version of Free only convicts PE files there will not be parity on the convictions. I would say it is *very* close but not precisely the same and it won't be until we ship the ClamAV for Windows 3.0 in the winter.

Currently the Unix version is able to convict more formats than PE files.

 

al


In the clamav.net area:

— a useful answer, and I can do some reading between the lines, but what's in between doesn't answer my question (a).

 

You ask if any of the current engines use ClamAV sigs. Yes, they do is the short answer. We base our detections off the same files though, not their signatures as such. As we both have different signature formats right now we do not make use of their straight sigs. Both ETHOS and SPERO make heavy use of files from the ClamAV community.

 

al


 

b) does investment in Immunet Protect ultimately benefit other communities/products that use ClamAV databases?

 

 

 

Hmm. Well, I suppose it does because it allows the Clam team to actually deliver a free Windows based product of their own which their community can use. Porting the libclamav engine to Windows is not cheap and it has to be funded somehow.

 

al


Currently the Unix version is able to convict more formats than PE files.

 

(OT: I guess that something similar might currently be said of ClamWin.)

 

… allows the Clam team to actually deliver a free Windows based product of their own which their community can use. Porting the libclamav engine to Windows is not cheap and it has to be funded somehow.

 

That's a smart enough reason for me to put some £ or $ in the Immunet/ClamAV direction. Eventually some ripple effect, which I wouldn't want to quantify, for users on other platforms.

 

… if we migrate our detections back to the Unix version of ClamAV's sig db? No, currently we do not.

 

OK, that's the only bit that didn't immediately gel with the ClamAV line "continually updated Immunet’s database with our detected samples and false positives, and they do the same for us". It's an interpretation issue, wrongly assuming (sorry) that answer #9 implied signatures as well.

 

I reckon the ClamAV for Windows page should add another Q&A pair re: the signature formats, along the lines of your answer …

 

… if any of the current engines use ClamAV sigs. Yes … detections off the same files … different signature formats right now we do not make use of their straight sigs.

 

… and eventually (not right now) give a hint of how the signatures situation may change as 3.x approaches.

 

For now: the 2.x situation has become pretty much all clear to me. Many thanks!


 

… and eventually (not right now) give a hint of how the signatures situation may change as 3.x approaches.

 

For now: the 2.x situation has become pretty much all clear to me. Many thanks!

 

When 3.0 ships for ClamAV for Windows both our and their sig formats will be in play. The ClamAV team is shooting for November to get it done. Right now, that date looks good.

 

al


  • 4 weeks later...

OK, I am afraid I do not understand the question. Can you clarify for me a little?

 

al

 

sure :)

 

Productname: ClamAV for Windows PLUS Antivirus

That's the url I get if I click on the installed client to upgrade:

http://store.sourcefire.com/plus/a/index.html

 

Productname: Immunet Protect PLUS Antivirus

And this is the link on the Immunet homepage:

http://www.immunet.com/main/index3.html

and there in products:

http://www.immunet.com/plus/index.html

 

Well, the screenshots are the same on Immunet, which I didn't notice before :/

 

So it's the same product and does support ClamAV for UNIX?


sure :)

 

Productname: ClamAV for Windows PLUS Antivirus

That's the url I get if I click on the installed client to upgrade:

http://store.sourcefire.com/plus/a/index.html

 

Productname: Immunet Protect PLUS Antivirus

And this is the link on the Immunet homepage:

http://www.immunet.com/main/index3.html

and there in products:

http://www.immunet.com/plus/index.html

 

Well, the screenshots are the same on Immunet, which I didn't notice before :/

 

So it's the same product and does support ClamAV for UNIX?

 

 

They are both the same product and all non-generic Clam detections are supported in it. In November or thereabouts we will also let you run a straight Clam engine to write your own signatures as well.

 

al


Archived

This topic is now archived and is closed to further replies.
