On Tue, 22 Mar 2005, Rob MacGregor wrote:

> From: Rob MacGregor <[EMAIL PROTECTED]>
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Date: Tue, 22 Mar 2005 09:58:17 +0000
> Subject: Re: [Clamav-users] Report Phishing attacks?
> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
>
> On Mon, 21 Mar 2005 17:01:48 -0400, Samuel Benzaquen <[EMAIL PROTECTED]>
> wrote:
> >
> > I can also say that they don't want to compete against
> > commercial AV vendors as I have read here 2^32 times that we
> > should use not _only_ clamav, but a list of AVs to improve the
> > chances to catch malware.
>
> Best practice for security always involves defence in depth.
> Basing all your protection on a single AV product, given that
> *none* of them are 100% effective, would be short sighted (and
> particularly given the current spate of attacks on AV products).

I believe this is what the commercial anti-virus company,
MessageLabs, does. When I spoke to them a few years ago, they had
licenses for five anti-virus products. Messages were fed through
the three they considered the best.

> Personally, I use clamav as the first line of defence. It's rare
> for anything to slip through, but it happens (well, twice so far -
> and in each case by the time I reviewed the situation a signature
> had already been released).

We've a site licence for Sophos so I've been using this on our mail
servers for some time. I've just started using ClamAV in addition
to Sophos and I'm very favourably impressed. Statistics for the
viruses detected for the past week, 15th March to 21st March, are
appended below. The table shows a significant number of phishing
attempts being rejected. ClamAV also seems to be picking up
everything that Sophos detects.

I'll have to start quarantining suspect material that's only
detected by one virus scanner. For example:

Virus                                    Count
-----                                    -----
Worm.Lovgate.Z            ClamAV            29
Worm.Mydoom.M             ClamAV            21
Worm.Lovgate.X            ClamAV             2
Worm.Mytob.C-2            ClamAV             2
Worm.SomeFool.N           ClamAV             2
Worm.SomeFool.Gen-1       ClamAV             1
Worm.SomeFool.P           ClamAV             1

where stuff is only being detected by ClamAV would warrant closer
inspection.

Viruses detected between 15th March 2005 and 21st March 2005
------------------------------------------------------------

Virus                                    Count
-----                                    -----
W32/Netsky-P              ClamAV/Sophos    640
W32/Netsky-D              ClamAV/Sophos    485
W32/MyDoom-O              ClamAV/Sophos    150
HTML.Phishing.Bank-1      ClamAV           126
W32/Lovgate-V             ClamAV/Sophos     47
W32/Bagle-BK              ClamAV/Sophos     40
W32/MyDoom-N              ClamAV/Sophos     37
W32/Bagle-Zip             ClamAV/Sophos     30
W32/Netsky-Q              ClamAV/Sophos     30
Worm.Lovgate.Z            ClamAV            29
HTML.Phishing.Bank-107    ClamAV            27
W32/Bagle-AG              ClamAV/Sophos     26
W32/Netsky-AE             ClamAV/Sophos     23
Worm.Mydoom.M             ClamAV            21
W32/Gibe-F                ClamAV/Sophos     20
HTML.Phishing.Bank-83     ClamAV            17
HTML.Phishing.Postcard-3  ClamAV            16
W32/Lovgate-X             ClamAV/Sophos     16
W32/Netsky-X              ClamAV/Sophos     16
W32/Bagle-AI              ClamAV/Sophos     15
HTML.Phishing.Bank-60     ClamAV            13
W32/Bagle-N               ClamAV/Sophos     13
HTML.Phishing.Pay-14      ClamAV            12
W32/Netsky-AB             ClamAV/Sophos     12
W32/Netsky-Y              ClamAV/Sophos     12
W32/MyDoom-AR             ClamAV/Sophos      9
HTML.Phishing.Auction-16  ClamAV             8
HTML.Phishing.Auction-28  ClamAV             8
HTML.Phishing.Bank-52     ClamAV             8
W32/Bagle-AF              ClamAV/Sophos      8
W32/Lovgate-AJ            ClamAV/Sophos      8
HTML.Phishing.Bank-106    ClamAV             7
HTML.Phishing.Bank-49     ClamAV             7
W32/Netsky-C              ClamAV/Sophos      7
W32/NetskyD-Dam           ClamAV/Sophos      7
W32/Zafi-D                ClamAV/Sophos      7
HTML.Phishing.Bank-131    ClamAV             6
HTML.Phishing.Bank-57     ClamAV             6
HTML.Phishing.Bank-98     ClamAV             6
W32/Netsky-B              ClamAV/Sophos      5
W32/Netsky-J              ClamAV/Sophos      5
W32/Sober-K               ClamAV/Sophos      5
HTML.Phishing.Auction-17  ClamAV             4
HTML.Phishing.Auction-19  ClamAV             4
HTML.Phishing.Pay-11      ClamAV             4
HTML.Phishing.Pay-6       ClamAV             4
HTML.Phishing.Pay-8       ClamAV             4
W32/Kriz                  ClamAV/Sophos      4
W32/Netsky-Z              ClamAV/Sophos      4
W32/NetskyP-Dam           ClamAV/Sophos      4
HTML.Phishing.Auction-27  ClamAV             3
HTML.Phishing.Auction-36  ClamAV             3
HTML.Phishing.Bank-121    ClamAV             3
HTML.Phishing.Bank-79     ClamAV             3
W32/Bagle-AU              ClamAV/Sophos      3
W32/Lovgate-F             ClamAV/Sophos      3
W32/Netsky-AD             ClamAV/Sophos      3
HTML.Phishing.Auction-14  ClamAV             2
HTML.Phishing.Auction-32  ClamAV             2
HTML.Phishing.Bank-3      ClamAV             2
HTML.Phishing.Bank-78     ClamAV             2
HTML.Phishing.Bank-81     ClamAV             2
HTML.Phishing.Pay-12      ClamAV             2
VBS/Redlof-A              ClamAV/Sophos      2
W32/Bagz-D                ClamAV/Sophos      2
W32/Dumaru-AK             ClamAV/Sophos      2
W32/Flcss                 ClamAV/Sophos      2
W32/Klez-H                ClamAV/Sophos      2
W32/Mabutu-A              ClamAV/Sophos      2
W32/NetskyZ-Dam           ClamAV/Sophos      2
W32/Rox-A                 ClamAV/Sophos      2
Worm.Lovgate.X            ClamAV             2
Worm.Mytob.C-2            ClamAV             2
Worm.SomeFool.N           ClamAV             2
HTML.Phishing.Auction-33  ClamAV             1
HTML.Phishing.Auction-40  ClamAV             1
HTML.Phishing.Bank-119    ClamAV             1
HTML.Phishing.Bank-129    ClamAV             1
HTML.Phishing.Bank-28     ClamAV             1
HTML.Phishing.Bank-68     ClamAV             1
HTML.Phishing.Bank-70     ClamAV             1
HTML.Phishing.Pay-1       ClamAV             1
W32/Bagle-AA              ClamAV/Sophos      1
W32/Bagz-E                ClamAV/Sophos      1
W32/Bugbear-B             ClamAV/Sophos      1
W32/Bugbear-Dam           ClamAV/Sophos      1
W32/Bugbear-F             ClamAV/Sophos      1
W32/Lovgate-AD            ClamAV/Sophos      1
W32/Lovgate-W             ClamAV/Sophos      1
W32/Netsky-Dam            ClamAV/Sophos      1
W32/Nyxem-C               ClamAV/Sophos      1
Worm.SomeFool.Gen-1       ClamAV             1
Worm.SomeFool.P           ClamAV             1

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]               Phone: +44 1225 386101
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
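
The cross-check described in the message above, as an added example that is not part of the original post: it parses report rows in the format shown, lists detections reported by only one engine, and counts what each engine missed. The function names, the sample rows (copied from the report, plus a constructed malformed line) and the `EXPECTED_SINGLE` exclusion of `HTML.Phishing.*` rows, which the message's own example list leaves out, are assumptions of this example.

```python
import re

# Constructed sample: a few rows copied from the report above, plus the
# header lines and one malformed row to show that they are skipped.
REPORT = """\
Virus                                    Count
-----                                    -----
W32/Netsky-P              ClamAV/Sophos    640
HTML.Phishing.Bank-1      ClamAV           126
Worm.Lovgate.Z            ClamAV            29
Worm.Mydoom.M             ClamAV            21
W32/Lovgate-X             ClamAV/Sophos     16
Worm.Lovgate.X            ClamAV             2
this line is not a report row
"""

SCANNERS = frozenset({"ClamAV", "Sophos"})  # engines named in the report
# Assumption: signature classes that only one engine is expected to carry.
EXPECTED_SINGLE = ("HTML.Phishing.",)
ROW = re.compile(r"^(\S+)\s+(\w+(?:/\w+)*)\s+(\d+)$")


def parse_report(text):
    """Return [(name, frozenset(engines), count)], skipping non-row lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        engines = frozenset(m.group(2).split("/"))
        if engines <= SCANNERS:  # ignore rows naming an unknown engine
            rows.append((m.group(1), engines, int(m.group(3))))
    return rows


def quarantine_candidates(rows):
    """Rows seen by exactly one engine, outside the expected classes."""
    hits = [r for r in rows
            if len(r[1]) == 1 and not r[0].startswith(EXPECTED_SINGLE)]
    return sorted(hits, key=lambda r: -r[2])  # highest count first


def missed_by(rows, engine):
    """Total detections in the report that `engine` did not flag."""
    return sum(count for _, engines, count in rows if engine not in engines)


if __name__ == "__main__":
    rows = parse_report(REPORT)
    for name, engines, count in quarantine_candidates(rows):
        print(f"{name:26}{'/'.join(sorted(engines)):15}{count:5}")
    print("missed by Sophos:", missed_by(rows, "Sophos"))
```
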