The ClamAV Community Threat Tracking System sends summary data to our server about the malware detected on your system. Freshclam usually sends the data when you update your signatures. You can also use freshclam's --submit-stats option to submit statistics without updating the signature database.
The ClamAV team and Sourcefire VRT use the data to determine the most active malware in real time and to monitor activity based on historical trends. We will make all of our findings public.
Yes! The amount of analysis that we can publish depends on the amount of data that we receive. We need enough data to have confidence in any conclusions drawn, so as more users submit more data, we can publish more analyses.
Look in your freshclam.conf (usually located in /usr/local/etc/freshclam.conf) for the entry "SubmitDetectionStats" and ensure it is enabled and points to your clamd.conf, for example "SubmitDetectionStats /usr/local/etc/clamd.conf". When you enable SubmitDetectionStats, freshclam will fetch the latest statistics from clamd and submit them to our server.
Get a HostID (see following FAQs) for each of your ClamAV installations and add the directive "DetectionStatsHostID XXXX" (where XXXX is your HostID) to your freshclam.conf. You will be able to view the data submitted by your ClamAV installation at any time by logging on to http://www.stats.clamav.net.
A HostID is a unique identifier which helps us track data submissions from individual ClamAV installations.
You can get your own HostID by logging on to http://www.stats.clamav.net and clicking on "Add new host".
Freshclam sends the data to stats.clamav.net using HTTP (POST) on port 80.
File name, malware name, and time of detection for each piece of malware that is detected.
None, other than the public IP address that freshclam is using to contact our server.
No. We only make our trend analyses available to third parties. We do not charge for these analyses; we provide them as a service to the Open Source Community.
The more data that we receive, the better the quality of the analyses since the analyses are based on more statistically significant data sets. You will be contributing back to the Open Source Community.
Yes. It is common practice within the security industry to gather and use such data.
To optimize the submission process and to reduce the load on our servers, freshclam submits the data in sets of 10 records, up to 50 in one session. Thus if you have 45 new records, then it will submit 40; if you have 78 then it will submit the latest 50 entries; and if you have only 9 records freshclam won’t submit any.
Clamd’s logfile is the data source (see the LogFile setting in clamd.conf). In principle, any program that writes correct records to that file will generate data usable by freshclam, but most users will need to be using clamd to make use of this feature. For example, freshclam will not submit malware detected by clamscan because clamscan does not write to the logfile.
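The settings and the batching rule described above (SubmitDetectionStats, DetectionStatsHostID, clamd's LogFile, sets of 10 up to 50) can be checked on a host before file names and malware names start leaving it over HTTP. The script below is an added example, not ClamAV project code; the function names, status words and sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not ClamAV project code): audit the stats-submission settings.

# conf_value FILE KEY: print the value of the last uncommented "KEY value" line.
conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { if (v != "") print v }' "$1"
}

# audit_stats FRESHCLAM_CONF: print one status word for the settings the FAQ names.
audit_stats() {
    clamd_conf=$(conf_value "$1" SubmitDetectionStats)
    if [ -z "$clamd_conf" ]; then echo disabled; return 0; fi
    if [ ! -r "$clamd_conf" ]; then echo clamd-conf-unreadable; return 0; fi
    # clamd's LogFile is the data source; without it there is nothing to send.
    if [ -z "$(conf_value "$clamd_conf" LogFile)" ]; then echo no-logfile; return 0; fi
    if [ -n "$(conf_value "$1" DetectionStatsHostID)" ]; then
        echo enabled-with-hostid
    else
        echo enabled-no-hostid
    fi
}

# batch_size N: records sent in one session (whole sets of 10, at most 50).
batch_size() {
    n=$(( $1 / 10 * 10 ))
    if [ "$n" -gt 50 ]; then n=50; fi
    echo "$n"
}

# Constructed sample configuration in a temporary directory (paths are made up).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'LogFile %s/clamd.log\n' "$demo" > "$demo/clamd.conf"
cat > "$demo/freshclam.conf" <<EOF
# DetectionStatsHostID is left commented out in this sample
#DetectionStatsHostID XXXX
SubmitDetectionStats $demo/clamd.conf
EOF
: > "$demo/empty.conf"

echo "sample config: $(audit_stats "$demo/freshclam.conf")"
echo "empty config:  $(audit_stats "$demo/empty.conf")"
for n in 9 45 78; do echo "$n new records -> $(batch_size "$n") submitted"; done
```

On a real installation, pass the path of the live freshclam.conf to audit_stats instead of the sample file.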