From clamav-users-bounces@lists.clamav.net  Mon Sep 12 04:28:13 2005
Return-Path: <clamav-users-bounces@lists.clamav.net>
X-Original-To: list@krisma.oltrelinux.com
Delivered-To: list@krisma.oltrelinux.com
Received: from [127.0.0.1] (krisma [127.0.0.1])
	by mail.oltrelinux.com (Postfix) with ESMTP id A142511B25D;
	Mon, 12 Sep 2005 04:28:03 +0200 (CEST)
X-Original-To: clamav-users@krisma.oltrelinux.com
Delivered-To: clamav-users@krisma.oltrelinux.com
Received: from daleenterprise.com (daleenterprise.com [67.78.11.229])
	by mail.oltrelinux.com (Postfix) with ESMTP id 3337C11B1D6
	for <clamav-users@lists.clamav.net>;
	Mon, 12 Sep 2005 04:27:59 +0200 (CEST)
Received: from daleenterprise.com ([127.0.0.1])
	by localhost (daleenterprise.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 29643-06 for <clamav-users@lists.clamav.net>;
	Sun, 11 Sep 2005 22:27:56 -0400 (EDT)
Received: from [10.1.100.20] (relay.mustangrestomods.com [67.78.11.226])
	by daleenterprise.com (Postfix) with ESMTP id 0347DD36767
	for <clamav-users@lists.clamav.net>;
	Sun, 11 Sep 2005 22:27:55 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v734)
In-Reply-To: <4324E2EB.60505@cubiclesoft.com>
References: <4324E2EB.60505@cubiclesoft.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <5C1BDA19-F36D-45B4-8F66-2F5A8C017A30@daleenterprise.com>
Content-Transfer-Encoding: 7bit
From: Dale Walsh <dale@daleenterprise.com>
Subject: Re: [Clamav-users] Spyware detection...
Date: Sun, 11 Sep 2005 22:27:55 -0400
To: ClamAV users ML <clamav-users@lists.clamav.net>
X-Mailer: Apple Mail (2.734)
MTA-Interface: amavisd-new-2.3.3 (20050822) at daleenterprise.com
X-Spam-Scanned: using SpamAssassin 3.0.4 (2005-06-05) at daleenterprise.com
X-BeenThere: clamav-users@lists.clamav.net
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
List-Id: ClamAV users ML <clamav-users.lists.clamav.net>
List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users>,
	<mailto:clamav-users-request@lists.clamav.net?subject=unsubscribe>
List-Post: <mailto:clamav-users@lists.clamav.net>
List-Help: <mailto:clamav-users-request@lists.clamav.net?subject=help>
List-Subscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users>,
	<mailto:clamav-users-request@lists.clamav.net?subject=subscribe>
Sender: clamav-users-bounces@lists.clamav.net
Errors-To: clamav-users-bounces@lists.clamav.net
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at krisma.oltrelinux.com
X-Spam-Status: No, hits=0.0 tagged_above=-999.0 required=6.0 tests=AWL,
	BAYES_50
X-Spam-Level: 


On Sep 11, 2005, at 10:07 PM, Thomas Hruska wrote:

> I hate to crosspost, but since it appears no one reads the Win32  
> list, I switched my subscription to the main users list.
>
> I've got ClamAV working and that is all good and fine.  However, I  
> looked in the archives of the clamav-users list and saw that still  
> as of June 2005, ClamAV is completely uninterested in at least  
> detecting spyware.
>
> I have a problem with that.  Here is how I define a virus:
>
> - A digital invasion of unwanted and undesired bits in a computer  
> system designed to infiltrate and change the state in the system in  
> a negative manner.
>
> Here is how I define spyware:
>
> - A digital invasion of unwanted and undesired bits in a computer  
> system designed to infiltrate and change the psychological state of  
> the user in a negative manner.
>
> Frankly, I could care less if you don't remove spyware from a  
> system with ClamAV.  What I need is a _reputable_ scanner that  
> works from the command line to _detect_ if a system contains  
> spyware.  Since ClamAV isn't apparently going to be that tool and  
> Google isn't turning up a reputable command-line anti-spyware  
> solution with sufficient options, I would appreciate a pointer to a  
> tool that does this.
>
> All I need is to have the tool tell me:
>
> - Yes there is spyware on the system.
>              OR
> - No there isn't spyware on the system.
>
> I don't need it to disinfect/remove/whatever - simply recognize  
> that there is spyware, what file contains it, and display a  
> notification as such on stdout.
>
> Seems to me that this is something simple that ClamAV could easily  
> implement in a very short amount of time.  For those who don't want  
> to scan for spyware, include a command-line switch to "turn off  
> scanning for psychological manipulators (spyware, pranks, etc.)".   
> However, since ClamAV is uninterested in doing anything even  
> remotely simple like this, I need someone to point out a  
> _reputable_ tool that is better than ClamAV that does psychological  
> manipulator scanning from the command-line - preferably open  
> source, but since nothing is turning up on SourceForge or Google,  
> I'll be impressed if someone finds anything.
>
> --
> Thomas Hruska

What you're asking for sounds simple; however, how do you establish  
detection?

Currently what little there is that accomplishes this feat looks for  
specific files by name and watches specific ports in an attempt to  
determine what is spyware.

ClamAV currently has the ability to determine these things with some  
additional programming, but then an additional database would have to  
be implemented to perform the matches of files, and some extra coding  
to watch ports for activity with the ability to either check on the  
calling app or work from a list of ports to not watch.

Then what will occur is that spyware writers will target these  
ports, making detection more difficult, and change the name of the app.

Currently you are the spyware detector: you seek out these files and  
examine apps that access ports that you know shouldn't have activity,  
so if you want something, how about writing something and calling it  
ClamSPY?

-- Dale
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
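As an added example (not code from the thread, from ClamAV, or from either poster), here is a minimal "ClamSPY"-style checker built the way the reply above describes the approach: match files by name against a small signature list, and review socket activity against an ignore list of ports plus a list of known calling apps. It also hashes file contents, so a renamed copy of a known sample is still caught, and it deliberately includes the two cases the reply says will defeat this method (a sample with one byte changed, and an unknown app talking on an ignored port). Every signature, file name, sample body and socket record is constructed for illustration; none of them refer to real spyware.

```python
#!/usr/bin/env python3
"""Added example: name/hash file matching plus port review, the detection
strategy sketched in the message above.  All data below is constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed "known samples": file name -> (description, sample bytes).
KNOWN_SAMPLES = {
    "adhelper.exe": ("Example adware dropper", b"MZ\x90\x00constructed adhelper body"),
    "trackbar.dll": ("Example tracking toolbar", b"MZ\x90\x00constructed trackbar body"),
}
# Name signatures: "looks for specific files by name".
NAME_SIGNATURES = {name: desc for name, (desc, _) in KNOWN_SAMPLES.items()}
# Hash signatures derived from the same samples (the ClamAV .hdb idea).
HASH_SIGNATURES = {hashlib.sha256(body).hexdigest(): desc
                   for _, (desc, body) in KNOWN_SAMPLES.items()}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root):
    """Return [(path, reason)] for every file under root matching a hash
    or name signature.  Hash first: it survives renaming; name is weaker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in HASH_SIGNATURES:
                hits.append((path, "hash: " + HASH_SIGNATURES[digest]))
            elif name.lower() in NAME_SIGNATURES:
                hits.append((path, "name: " + NAME_SIGNATURES[name.lower()]))
    return hits


def hit_basenames(hits):
    """{basename: reason} view of scan_files() output."""
    return {os.path.basename(p): reason for p, reason in hits}


@dataclass
class SocketRecord:
    """One row of a constructed socket table: which app, which ports."""
    process: str
    local_port: int
    remote_port: int


def check_ports(records, ignore_ports, known_apps):
    """Flag records not on an ignored port and not from a known app."""
    return [r for r in records
            if r.local_port not in ignore_ports
            and r.remote_port not in ignore_ports
            and r.process.lower() not in known_apps]


# Constructed socket table.  "updater" on port 80 is the evasion the reply
# warns about: an unknown app hiding on a port we chose not to watch.
DEMO_SOCKETS = [
    SocketRecord("firefox", 51234, 443),
    SocketRecord("sshd", 22, 50001),
    SocketRecord("adhelper", 51235, 8085),
    SocketRecord("updater", 51236, 80),
]


def build_demo_tree():
    """Temp directory with constructed files covering each detection case."""
    root = tempfile.mkdtemp(prefix="clamspy_demo_")
    adhelper = KNOWN_SAMPLES["adhelper.exe"][1]
    files = {
        "adhelper.exe": adhelper,                    # name and hash match
        "renamed.bin": adhelper,                     # renamed copy: hash only
        "trackbar.dll": b"totally different bytes",  # name only
        "patched.bin": adhelper[:-1] + b"!",         # one byte changed: evades both
        "readme.txt": b"benign file",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    return root


def report(root, records, ignore_ports=frozenset({22, 80, 443}),
           known_apps=frozenset({"firefox", "sshd"})):
    """Print the Yes/No answer plus offending files; return the verdict."""
    file_hits = scan_files(root)
    port_hits = check_ports(records, ignore_ports, known_apps)
    verdict = "Yes" if (file_hits or port_hits) else "No"
    print(f"{verdict}: spyware indicators {'found' if verdict == 'Yes' else 'not found'}")
    for path, reason in file_hits:
        print(f"  FILE  {path}  ({reason})")
    for r in port_hits:
        print(f"  PORT  {r.process} {r.local_port}->{r.remote_port}")
    return verdict


if __name__ == "__main__":
    report(build_demo_tree(), DEMO_SOCKETS)
```

Running it flags `adhelper.exe`, the renamed copy, `trackbar.dll` by name, and the `adhelper` socket, while `patched.bin` and the `updater` connection on port 80 pass unnoticed: exactly the two moves (change a byte or the name, move to an unwatched port) the reply predicts.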

