
ClamAV: How Effective Is It? A Look into Its Detection Rate.

ClamAV is an open-source antivirus software initially developed in 2001 by Tomasz Kojm to provide free virus detection for Unix systems. Its primary purpose was to detect malicious software in email gateways, but its versatility soon led to broader usage in multiple platforms, including Linux and Windows. ClamAV quickly became known for its community-driven model, allowing users to contribute to its malware detection database, keeping it updated with the latest threats. In 2007, Sourcefire acquired ClamAV to enhance its security portfolio. Later, in 2013, Cisco Systems acquired Sourcefire, and with it, ClamAV, integrating it into Cisco’s broader cybersecurity offerings.

ClamAV, though popular as a free, open-source antivirus solution, has several limitations that contribute to its relatively low detection rate, particularly compared to modern, comprehensive security solutions. Initially designed for email gateways, its architecture is rule-based, relying on static signatures to detect known threats rather than employing advanced heuristic or behavioral analysis. This limits its ability to identify new or evolving malware strains.

Additionally, ClamAV operates on a single CPU, which hampers its performance and efficiency, particularly when scanning large volumes of files or systems. It also lacks dynamic scanning capabilities, meaning it doesn’t monitor files or processes in real-time, nor can it respond to suspicious activity as it happens. This absence of endpoint detection and response (EDR) features further limits its effectiveness in environments where sophisticated, proactive defenses are necessary. ClamAV’s focus on simplicity and open-source accessibility makes it valuable for certain use cases, but these design choices contribute to its relatively limited detection capabilities.

It is common to see reports in which ClamAV, with its default rule set, performs poorly on recent malware datasets. Because of this, we took it for a spin and performed our own evaluation.

We used two data sources for this analysis:

We first collected the malware dataset put together by the HydraDragonAV team. This dataset is around 26G and has 50K malware samples. I randomly selected a set of 1000 of these samples and got a detection rate of around 96 percent. A later, smaller sample of 100 got a detection rate of around 94%.

robert@malware-lab:~/dataset$ du --max-depth=1 -h
26G	./datamaliciousorder

robert@malware-lab:~/dataset$ 7z x datamaliciousorder.7z 
7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 64-bit locale=C.UTF-8 Threads:4 OPEN_MAX:1024
Scanning the drive for archives:
1 file, 7739089220 bytes (7381 MiB)

robert@malware-lab:~/dataset$ ls -lah | wc -l
53139

robert@malware-lab:~/subset$ ls  | shuf | head -n 1000 | parallel "cp {} subset/" 

robert@malware-lab:~/subset$ ls -lah | wc -l
1003

robert@malware-lab:~$ ls -lah
...
-rw-rw-r-- 1 robert robert  2.5M Sep 29 15:43  VirusShareTrojanSiggen1961528_6_1.vir
-rw-rw-r-- 1 robert robert  3.3M Sep 29 15:43  VirusShareTrojanVbCrypt250_2.vir
-rw-rw-r-- 1 robert robert  583K Sep 29 15:43  VirusShareWin32HLLWLant_21_1.vir

robert@malware-lab:~$ clamscan *
----------- SCAN SUMMARY -----------
Known viruses: 8698991
Engine version: 1.0.7
Scanned directories: 0
Scanned files: 99
Infected files: 94
Data scanned: 45.52 MB
Data read: 48.90 MB (ratio 0.93:1)
Time: 84.772 sec (1 m 24 s)
Start Date: 2024:10:04 18:59:40
End Date:   2024:10:04 19:01:04

These numbers look a bit too good, and suspicious. There are multiple previous reports, such as this analysis from Splunk, where the detection rate was reported to be around 60%.

We then decided to collect a fresh set of malware samples from our tool, run them through ClamAV with the default ruleset, and evaluate its effectiveness there.

robert@malware-lab:~/your-daily-dose-malware/Downloaded-Malwares/subset$ clamscan *
Loading:    18s, ETA:   0s [========================>]    8.70M/8.70M sigs       
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks 

/home/robert/your-daily-dose-malware/Downloaded-Malwares/subset/022c8a1e18ce200f388c24ec8c8ad3cbd493afd851822558016fddde688c9b35.exe: Empty file
/home/robert/your-daily-dose-malware/Downloaded-Malwares/subset/045ebac9be39cdf940790eee8267d9b69710c39808e41368ca42ee4d3c890079.exe: Win.Packed.Zard-10035522-0 FOUND
/home/robert/your-daily-dose-malware/Downloaded-Malwares/subset/068d53785a0b43ef01fdeb40f9ae7168190bc094414173eb5f964f74e979d0d8.exe: OK


----------- SCAN SUMMARY -----------
Known viruses: 8698991
Engine version: 1.0.7
Scanned directories: 0
Scanned files: 85
Infected files: 29
Data scanned: 125.14 MB
Data read: 109.86 MB (ratio 1.14:1)
Time: 137.788 sec (2 m 17 s)
Start Date: 2024:10:04 18:33:56
End Date:   2024:10:04 18:36:14

The detection rate is around 35%, which coincides with reports from other sources.
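To make the two detection-rate figures above (94 of 99 files in the first scan, 29 of 85 in the second) reproducible from the raw clamscan output, here is an added shell example; it is not part of the original post. It tallies the per-file verdict lines clamscan prints (`FOUND`, `OK`, `Empty file`) separately from the SCAN SUMMARY counters, and computes Infected files / Scanned files as a percentage. The sample log is constructed from the lines shown on this page, shortened to a `subset/` directory; the function names are my own.

```shell
#!/bin/sh
# Added example (not the post's own code): detection rate from clamscan output.
# Input is whatever `clamscan <files>` printed, given as a file argument or on stdin.

# Tally per-file verdicts and pick the two counters out of the SCAN SUMMARY.
# clamscan prints one line per file:
#   <path>: <Signature.Name> FOUND
#   <path>: OK
#   <path>: Empty file
# followed by a "----------- SCAN SUMMARY -----------" block.
# Output: "found ok empty scanned infected" on one line.
clamscan_tally() {
    awk '
        /SCAN SUMMARY/                   { in_summary = 1; next }
        !in_summary && / FOUND$/         { found++; next }
        !in_summary && /: OK$/           { ok++; next }
        !in_summary && /: Empty file$/   { empty++; next }
        in_summary && /^Scanned files:/  { scanned = $3 }
        in_summary && /^Infected files:/ { infected = $3 }
        END { printf "%d %d %d %d %d\n", found, ok, empty, scanned, infected }
    ' "$@"
}

# Detection rate in percent (one decimal) from the summary counters, the same
# two numbers the post reads off by hand. Prints "n/a" when nothing was scanned.
clamscan_rate() {
    clamscan_tally "$@" | awk '{
        if ($4 == 0) print "n/a"; else printf "%.1f\n", 100 * $5 / $4
    }'
}

# Scan every file in a sample directory, keep the full log for later review,
# and print the rate. clamscan exits non-zero when it finds something, so the
# scan is not run under `set -e`.
scan_and_rate() {
    dir=$1; log=$2
    clamscan "$dir"/* > "$log" 2>&1 || true
    clamscan_rate "$log"
}

# Constructed sample log: three verdict lines and the summary as they appear on
# this page, with the directory shortened to subset/.
SAMPLE_LOG='subset/022c8a1e18ce200f388c24ec8c8ad3cbd493afd851822558016fddde688c9b35.exe: Empty file
subset/045ebac9be39cdf940790eee8267d9b69710c39808e41368ca42ee4d3c890079.exe: Win.Packed.Zard-10035522-0 FOUND
subset/068d53785a0b43ef01fdeb40f9ae7168190bc094414173eb5f964f74e979d0d8.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 8698991
Engine version: 1.0.7
Scanned directories: 0
Scanned files: 85
Infected files: 29
Data scanned: 125.14 MB'

# Usage on the constructed sample (on a real run: scan_and_rate ~/subset scan.log).
printf '%s\n' "$SAMPLE_LOG" | clamscan_tally   # 1 1 1 85 29
printf '%s\n' "$SAMPLE_LOG" | clamscan_rate    # 34.1
```

Keeping the per-file tally next to the summary counters is what makes the figure trustworthy: it shows how many samples were empty (the 0-byte sample above never exercised a signature) or unreadable, so you know what the denominator actually contains before comparing against another engine.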

Moving forward, we will continue evaluating this automatically against fresh malware samples, and we will report a comparison against other "free" leading AVs from commercial providers. We will also look into alternative rulesets that might increase this detection rate; however, we consider the rule-based approach to be obsolete.


Daily Dose of Malware

In malware research, model training and evaluation, you always need fresh malware samples. We created a tool to automate this process and provide researchers with fresh malware samples. Our vision is that this tool will help democratize the development of AI models against malware.


Tutorial: How to Install ClamAV on Ubuntu.

We recently decided to look into one of the most well-known open-source antivirus products available: ClamAV.

ClamAV is an open-source antivirus engine that was initially released in 2001 by Tomasz Kojm, designed for detecting a wide range of malware, including viruses, trojans, and other malicious software. Originally developed for Unix-based systems, ClamAV quickly gained popularity due to its effectiveness in scanning email gateways and files. Over time, it expanded to support Windows and macOS, making it a versatile tool across different platforms. The project was acquired by Sourcefire in 2007, and later by Cisco in 2013, which helped further develop and maintain its capabilities. ClamAV offers on-demand scanning, a multi-threaded daemon for better performance, and an automatic signature update system to ensure protection against new threats. Its flexible command-line interface and integration capabilities make it a popular choice in open-source and enterprise environments, especially where automation and customization are essential.

While ClamAV is a widely used open-source antivirus, it has notable limitations in terms of detection rates and performance compared to commercial antivirus solutions. Its detection rate is generally lower, often struggling with more sophisticated and newer malware, particularly zero-day threats. Additionally, ClamAV’s scanning process can be slow, especially when dealing with large volumes of files or high-traffic environments, due to its resource-heavy nature. Its reliance on signature-based detection also means it is less effective against polymorphic and fileless malware, which require more advanced heuristic or behavioral analysis. Though regularly updated, the slower speed of updates and occasional false positives further reduce its effectiveness in environments requiring top-tier security. Despite these limitations, ClamAV remains a valuable tool for basic antivirus needs, especially in open-source and customizable environments.

We will try to install it on Ubuntu to evaluate it.

Stop the service so you can run an update of the database definitions

└──╼ $sudo systemctl stop clamav-freshclam

Start the service again
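The same stop/update/start sequence as a small Ubuntu script, added here as an example and not the tutorial's own commands (the tutorial shows only the stop step). It installs ClamAV from apt, stops the clamav-freshclam service, runs freshclam in the foreground, starts the service again, and then checks what clamscan actually loaded. The version-line format is what `clamscan --version` prints (engine/database version/database build date); the `CONSTRUCTED_VERSION` string, the database number in it, and the 7-day freshness threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes Ubuntu with apt and
# systemd, run by a user with sudo rights. Usage: ./clamav-setup.sh install|refresh|check

# Step 1: install the scanner; the clamav package brings in the freshclam updater.
install_clamav() {
    sudo apt-get update
    sudo apt-get install -y clamav
}

# Step 2: the update path the tutorial describes. Running freshclam by hand while
# the clamav-freshclam service is active typically fails on the log-file lock,
# so stop the service, update in the foreground, then start it again so the
# periodic updates resume.
refresh_signatures() {
    sudo systemctl stop clamav-freshclam
    sudo freshclam
    sudo systemctl start clamav-freshclam
}

# Step 3 helpers: parse the line `clamscan --version` prints, e.g.
#   ClamAV 1.0.7/27422/Fri Oct  4 08:21:29 2024
# With no database loaded it prints only "ClamAV 1.0.7"; `cut -s` then yields
# an empty string instead of echoing the whole line back.
sig_db_version() { printf '%s\n' "$1" | cut -s -d/ -f2; }
sig_db_date()    { printf '%s\n' "$1" | cut -s -d/ -f3; }

# Age of the loaded database in whole days (GNU date, as shipped on Ubuntu).
sig_db_age_days() {
    built=$(date -d "$(sig_db_date "$1")" +%s)
    now=$(date +%s)
    echo $(( (now - built) / 86400 ))
}

# Step 3: confirm a database is loaded and is not stale. A signature-based
# scanner is only as good as the rules it loaded, so this is the check to run
# before trusting any detection-rate figure.
check_signatures() {
    v=$(clamscan --version)
    echo "engine/db: $v"
    if [ -z "$(sig_db_version "$v")" ]; then
        echo "ERROR: no signature database loaded; run refresh_signatures" >&2
        return 1
    fi
    age=$(sig_db_age_days "$v")
    if [ "$age" -gt "${MAX_AGE_DAYS:-7}" ]; then
        echo "WARNING: signature database is $age days old; run refresh_signatures" >&2
        return 1
    fi
}

# Constructed version line (the engine version is the one from the scan output on
# this page; the database number and date are made up for illustration).
CONSTRUCTED_VERSION='ClamAV 1.0.7/27422/Fri Oct  4 08:21:29 2024'

case "${1:-}" in
    install) install_clamav ;;
    refresh) refresh_signatures ;;
    check)   check_signatures ;;
    *)       echo "usage: $0 install|refresh|check" ;;
esac
```

Run `install`, then `refresh`, then `check`; `check` returns non-zero when no database is loaded or when the loaded one is older than `MAX_AGE_DAYS`, which makes it usable as a gate in a cron job or CI step before a scan.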

The Alliance is formed.

A group of security researchers, volunteers, security engineers and enthusiasts joined to embark on the mission of fighting malware and cyber crime through open source.

The security industry is riddled with problems. Many of them come from vendors' commercial interests, obscurity, licensing and pricing practices. We believe open source can play a significant role in the fight against malware and crime and revolutionize the traditional way the industry approaches such problems.

To join the fight, find us on GitHub, or join any of our other media channels.