
ClamAV: How Effective Is It? A Look into Its Detection Rate

ClamAV is an open-source antivirus engine initially developed in 2001 by Tomasz Kojm to provide free virus detection for Unix systems. Its primary purpose was to scan mail passing through email gateways, but its versatility soon led to broader usage on multiple platforms, including Linux and Windows. ClamAV quickly became known for its community-driven model, which lets users contribute to its signature database and keeps it updated with recent threats. In 2007, Sourcefire acquired ClamAV to strengthen its security portfolio. Later, in 2013, Cisco Systems acquired Sourcefire, and with it ClamAV, integrating it into Cisco's broader security offerings.

ClamAV, though popular as a free, open-source antivirus, has several limitations that contribute to its relatively low detection rate compared with modern endpoint security products. Designed for email gateways, its detection is signature-driven: it matches files against a database of static signatures (hashes, byte patterns, bytecode and YARA-style rules) for known threats. It does ship a few heuristics (for example the potentially-unwanted-application and phishing checks enabled with the --heuristic-alerts options), but it has no behavioral or sandbox analysis, which limits its ability to identify new or evolving malware strains before a signature exists for them.

Additionally, the clamscan command-line tool used in this post is single-threaded, which hurts throughput when scanning large volumes of files; the clamd daemon (driven through clamdscan) can run several scanning threads, but that does not change what it detects. ClamAV also has no dynamic analysis: it does not observe running processes or respond to suspicious behavior as it happens. Its on-access component (clamonacc) only re-applies the same signatures when a file is opened on Linux. This absence of endpoint detection and response (EDR) features further limits its usefulness in environments that need proactive defenses. ClamAV's focus on simplicity and open-source accessibility makes it valuable for certain use cases, such as scanning mail or uploads for known samples, but these design choices contribute to its relatively limited detection capabilities.

It is common to see reports where ClamAV performs poorly on recent malware datasets with its default signature set. Because of this, we took it for a spin and ran our own evaluation.

We used two data sources for this analysis:

We first collected the malware dataset put together by the HydraDragonAV team. It is around 26 GB and contains about 50K malware samples. We randomly selected 1000 of them and got a detection rate of around 96%; a later, smaller sample of 100 got around 94%. (The ls -lah | wc -l counts below include the total, . and .. lines, so 53139 lines is 53136 entries and 1003 is the 1000 sampled files.)

robert@malware-lab:~/dataset$ du --max-depth=1 -h
26G	./datamaliciousorder

robert@malware-lab:~/dataset$ 7z x datamaliciousorder.7z 
7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 64-bit locale=C.UTF-8 Threads:4 OPEN_MAX:1024
Scanning the drive for archives:
1 file, 7739089220 bytes (7381 MiB)

robert@malware-lab:~/dataset$ ls -lah | wc -l
53139

robert@malware-lab:~/subset$ ls  | shuf | head -n 1000 | parallel "cp {} subset/" 

robert@malware-lab:~/subset$ ls -lah | wc -l
1003

robert@malware-lab:~$ ls -lah
...
-rw-rw-r-- 1 robert robert  2.5M Sep 29 15:43  VirusShareTrojanSiggen1961528_6_1.vir
-rw-rw-r-- 1 robert robert  3.3M Sep 29 15:43  VirusShareTrojanVbCrypt250_2.vir
-rw-rw-r-- 1 robert robert  583K Sep 29 15:43  VirusShareWin32HLLWLant_21_1.vir

robert@malware-lab:~$ clamscan *
----------- SCAN SUMMARY -----------
Known viruses: 8698991
Engine version: 1.0.7
Scanned directories: 0
Scanned files: 99
Infected files: 94
Data scanned: 45.52 MB
Data read: 48.90 MB (ratio 0.93:1)
Time: 84.772 sec (1 m 24 s)
Start Date: 2024:10:04 18:59:40
End Date:   2024:10:04 19:01:04

These numbers look too good and are suspicious. Several earlier reports, such as this analysis from Splunk, put the detection rate at around 60%. A likely reason is visible in the file names: the HydraDragonAV set is built largely from VirusShare files, i.e. samples that have circulated for years and have long since been covered by signatures, so a high hit rate says little about current threats.

We then collected a fresh set of malware samples with our own tool (your-daily-dose-malware, visible in the path below), ran them through ClamAV with the default signature set, and evaluated its effectiveness there.

robert@malware-lab:~/your-daily-dose-malware/Downloaded-Malwares/subset$ clamscan *
Loading:    18s, ETA:   0s [========================>]    8.70M/8.70M sigs       
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks 

/home/robert/your-daily-dose-malware/Downloaded-Malwares/subset/022c8a1e18ce200f388c24ec8c8ad3cbd493afd851822558016fddde688c9b35.exe: Empty file
/home/robert/your-daily-dose-malware/Downloaded-Malwares/subset/045ebac9be39cdf940790eee8267d9b69710c39808e41368ca42ee4d3c890079.exe: Win.Packed.Zard-10035522-0 FOUND
/home/robert/your-daily-dose-malware/Downloaded-Malwares/subset/068d53785a0b43ef01fdeb40f9ae7168190bc094414173eb5f964f74e979d0d8.exe: OK


----------- SCAN SUMMARY -----------
Known viruses: 8698991
Engine version: 1.0.7
Scanned directories: 0
Scanned files: 85
Infected files: 29
Data scanned: 125.14 MB
Data read: 109.86 MB (ratio 1.14:1)
Time: 137.788 sec (2 m 17 s)
Start Date: 2024:10:04 18:33:56
End Date:   2024:10:04 18:36:14

The detection rate is 29 of 85 scanned files, about 34%, which coincides with reports from other sources. One caveat when reading the summary: the 85 scanned files include at least one "Empty file" (a failed download, see the first result line above). Empty files are not misses and should be dropped from the denominator; with that single file excluded the rate becomes 29/84, roughly 34.5%, so the conclusion does not change, but a set with many failed downloads would understate ClamAV noticeably.
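The following script is an added example for this post, not part of ClamAV or of the original write-up. It reproduces the evaluation used in both scans above in one place: it draws a uniform random sample of files (the equivalent of the ls | shuf | head -n 1000 step), runs clamscan on them, and turns the per-file verdicts into a detection rate, dropping "Empty file" and error results from the denominator instead of counting them as misses. The clamscan output embedded in it is constructed to mirror the format of the transcripts above; the /tmp/subset file names and the Win.Trojan.Example-1-0 signature are placeholders, not real samples or signatures. Only the clamscan flags (--stdout) and exit codes (0 clean, 1 detections, 2 error) are ClamAV's own; every function name here is this script's.

```python
"""Sample files, run clamscan, and compute a detection rate from its verdicts.

Added example for this post; not part of ClamAV. The sample output below is
constructed to look like clamscan's, with placeholder paths and a placeholder
signature name (Win.Trojan.Example-1-0).
"""
import random
import subprocess
from collections import Counter
from pathlib import Path

SAMPLE_OUTPUT = """\
Loading:    18s, ETA:   0s [========================>]    8.70M/8.70M sigs
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks

/tmp/subset/a.exe: Empty file
/tmp/subset/b.exe: Win.Packed.Zard-10035522-0 FOUND
/tmp/subset/c.exe: OK
/tmp/subset/d.exe: Win.Trojan.Example-1-0 FOUND
/tmp/subset/e.exe: OK
/tmp/subset/f.exe: Win.Packed.Zard-10035522-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8698991
Engine version: 1.0.7
Scanned directories: 0
Scanned files: 6
Infected files: 3
Data scanned: 1.00 MB
Data read: 1.00 MB (ratio 1.00:1)
Time: 1.000 sec (0 m 1 s)
Start Date: 2024:10:04 18:33:56
End Date:   2024:10:04 18:33:57
"""

# Progress and library messages also contain ": " but are not file verdicts.
NOISE_PREFIXES = ("Loading:", "Compiling:", "LibClamAV", "WARNING:", "ERROR:")


def parse_clamscan(text):
    """Split clamscan output into per-file verdicts plus the summary block.

    A per-file line is "<path>: <verdict>", where the verdict is "OK",
    "<Signature> FOUND", "Empty file", or an error text. Anything that is
    neither a hit nor a clean verdict is kept in 'other' so it can be excluded.
    """
    parsed = {"detected": [], "clean": [], "empty": [], "other": [], "summary": {}}
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(NOISE_PREFIXES):
            continue
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            key, _, value = line.partition(":")
            parsed["summary"][key.strip()] = value.strip()
            continue
        # rpartition: verdicts never contain ": ", paths occasionally might.
        path, sep, verdict = line.rpartition(": ")
        if not sep:
            parsed["other"].append((line, "unparsed"))
        elif verdict.endswith(" FOUND"):
            parsed["detected"].append((path, verdict[: -len(" FOUND")]))
        elif verdict == "OK":
            parsed["clean"].append(path)
        elif verdict == "Empty file":
            parsed["empty"].append(path)
        else:
            parsed["other"].append((path, verdict))
    return parsed


def detection_rates(parsed):
    """Naive rate (hits over everything scanned, as the scan summary suggests)
    and adjusted rate that drops empty/unreadable files from the denominator."""
    hits, clean = len(parsed["detected"]), len(parsed["clean"])
    excluded = len(parsed["empty"]) + len(parsed["other"])
    scanned = hits + clean + excluded
    return {
        "hits": hits,
        "scanned": scanned,
        "excluded": excluded,
        "naive_rate": hits / scanned if scanned else 0.0,
        "adjusted_rate": hits / (hits + clean) if hits + clean else 0.0,
    }


def signature_families(parsed, top=10):
    """Most frequent families: 'Win.Packed.Zard-10035522-0' -> 'Win.Packed.Zard'."""
    families = Counter(sig.split("-", 1)[0] for _, sig in parsed["detected"])
    return families.most_common(top)


def sample_files(directory, n, seed=None):
    """Uniform random sample of n files, like `ls | shuf | head -n N`."""
    files = sorted(p for p in Path(directory).iterdir() if p.is_file())
    return random.Random(seed).sample(files, min(n, len(files)))


def scan_paths(paths):
    """Run clamscan on the given paths; exit code 2 means a scanner error."""
    proc = subprocess.run(
        ["clamscan", "--stdout", *map(str, paths)], capture_output=True, text=True
    )
    if proc.returncode == 2:
        raise RuntimeError(f"clamscan failed: {proc.stderr.strip()}")
    return parse_clamscan(proc.stdout)


if __name__ == "__main__":
    import sys

    parsed = scan_paths(sample_files(sys.argv[1], int(sys.argv[2]), seed=0))
    print(detection_rates(parsed))
    print(signature_families(parsed))
```

Run as python3 clamrate.py /path/to/samples 1000 (the script name is arbitrary). On the constructed output the naive rate is 3/6 = 50% and the adjusted rate 3/5 = 60%, which is exactly the effect the empty-file caveat above describes; the seed makes the sample reproducible so a later run with a newer signature database scans the same files.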

Going forward we will keep evaluating this automatically against fresh malware samples, and we will report a comparison against the leading free antivirus offerings from commercial vendors. We will also look into alternative signature sets that might raise this detection rate; however, we consider a purely signature-based approach to be obsolete.
