Overblog
Editer l'article Suivre ce blog Administration + Créer mon blog
29 juillet 2010 4 29 /07 /juillet /2010 22:03

I had recently to deal with a compromised computer. It was though supposed to be protected by a up to date antivirus with real policies.

 

The file has been detected using Spybot S&D: ZBot. It's been a long time ago since I did not find a malware which is not a spyware/adware/rogue AV, with Spybot. Anyway...

The computer was also protected by Clam for Windows, the 'in the cloud' version of Clam AV. See: http://www.clamav.net/lang/en/about/win32/ But it did not detect anything however.

Since I like to contribute to OpenSource projects, I thought of submitting this sample that Clam was not supposed to detect. Then I was astonished to see that the online form to submit samples to Clam was complaining the sample was 'already detected' and that I should check my own Clam updates...!

Here is the screenshot:

clam_zbot_support_260710_ann.jpg

 

What's going on with Clam In The Cloud? is it less efficient than the regular ClamAV?  I still do not have any answer...

 

By the way, I was kindda disappointed to see at first that McAfee was not planning to publish an extrat.dat:

mcafee_webimmune_echantillon_Zbot_230710_ann.jpg

 

Fortunately, they did publish an extra.dat later on. Why did the WebImmune portal say 'inconclusive' and 'no Extra', so?

 

To finish about Clam, I'm gonna try to check if there are real differences between the regular ClamAV version and the 'Clam in the cloud, for Windows'.

First, let's see what VT says about the sample:

VT_sdra64.exe_010810.jpg

So, VT already scanned the sample on the 23rd... the day I submitted the sample to McAfee.

And the detections summary array confirms that Clam was supposed to detect the sample:

VT_sdra64.exe_glob_010810.jpg

 

Let me remind you that, as other people like T. Zoller said, VT uses command line versions of AV engines. I know quite well ClamAV, and yes, it is the command line version that is available by default on Linux!

Thus, ClamScan most probably detected the sample, but not the Clam 'in the cloud' version... wheras the 'in the cloud' technology was said to offer better protection in real time... (I even tried to move the sample on the HDD to see if Clam in the could would detect it, but nothing happened).

According to that example, I would say that the 'in the cloud' version may offer better protection in real time, but can also miss samples that the regular version of Clam would just detect...

Partager cet article

Repost0

commentaires