On Tue, Jul 18, 2006 at 07:39:32AM -0700, Dennis Peterson wrote:
> Zvi Kave wrote:
> > Why does ClamAV have a significantly smaller number of known viruses
> > in comparison to other AV software?
>
> There's only a small number of viruses in the wild. MS-DOS viruses from
> 10 years ago are not likely to pose a problem any longer. Having them in
> your database only allows you to inflate your virus pattern numbers so
> that people who are impressed by big numbers will be impressed.
The company I work for (xs4all) runs all incoming emails through 3 different virus scanners, currently Clamav, Sophos and F-prot. I'm keeping statistics of which scanners detect which virus. For months, clamav came out on top, detecting the most viruses in the email stream on any given day. And you should consider that we disabled the "phishing" signatures in clamav, so I'm not counting those. Plus, F-prot currently has heuristic scanning enabled, which makes it catch some badly cleaned or truncated viruses.

These statistics are from Friday June 23rd, and were typical for the months of May and June:

  clamd:    28311 viruses
  fprotd:   27459 viruses
  saviperl: 21569 viruses

Recently, however, the other scanners have apparently caught up, and in the past two or three weeks I'm seeing the scanners in a different order every day. This is from yesterday, Monday July 17th:

  fprotd:   16091 viruses
  saviperl: 14409 viruses
  clamd:    14243 viruses

There are a few reasons why we're scanning with multiple scanners. First, because we can: the mail platform is slightly overdimensioned :) Second, because we want to guard against false positives.

What happens is, if an email comes in and we detect a virus which we are sure does not (or cannot) fake the MAIL From envelope, such as macro viruses, then we reject the email with a "571 detected $virusname". If we cannot positively identify the virus as non-header-faking, then it depends on how many scanners detected the virus. If only one scanner detected the virus, then we tempfail the email: "471 possibly infected with $virusname". If two or more scanners detected the virus, we discard the email. (This happens at SMTP time; we never send a bounce because of viruses. We're using MIMEDefang with a custom perl filter to control this.)

Since we are sending a tempfail for certain viruses, we see a lot of remote mail servers trying over and over again, usually for days.
Since I'm counting every "scan", a relatively high percentage of viruses are only "caught" by one scanner. In practice, this is usually the same message scanned several times. The numbers above are therefore not really an indication of relative performance.

All in all: clamav makes a pretty good email scanner, certainly not worse than the commercial alternatives that I am using. In fact, there are very few reasons why someone wouldn't want to use clamav, even if you already have another virus scanner: it also makes a good companion to a commercial virus scanner, since not every scanner detects every virus (or virus fragment, like a truncated bounce or a badly disinfected mail, which is more common).

Hope this helps.

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disc lamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
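The reject / tempfail / discard policy described in the post, and the "every scan is counted" caveat that follows it, are easy to get wrong when you build your own multi-scanner front end. The following Python is an added example written for this page; it is not the xs4all MIMEDefang perl filter the author mentions, and ClamAV, Sophos and F-Prot are not involved. The scanner names are taken from the post's statistics, while the virus names, the list of name prefixes treated as "never fakes the envelope sender", the sample scan events and the `ScanEvent`/`Verdict` types are all constructed assumptions. `decide()` implements the SMTP-time verdict; `tally()` shows how counting per scan, rather than per message, inflates the figures for a scanner whose lone detection keeps getting retried after a tempfail.

```python
"""Multi-scanner SMTP-time verdict policy and per-scanner statistics.

Added example for the mailing list post above; not the author's filter.
All names, lists and sample events below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

SCANNERS = ("clamd", "fprotd", "saviperl")

# ASSUMPTION (constructed): detection-name prefixes this site has decided
# can never forge the MAIL From envelope. The post names macro viruses as
# the example class; real scanners use different naming schemes, so a
# production list would be maintained per scanner.
NON_FAKING_PREFIXES = ("W97M", "WM97", "X97M")


@dataclass(frozen=True)
class Verdict:
    code: int      # SMTP reply code handed to the sending MTA
    action: str    # "reject", "tempfail", "discard" or "accept"
    message: str   # text for the SMTP reply or the local log


@dataclass(frozen=True)
class ScanEvent:
    message_id: str                       # identifies the message, not the scan
    results: Dict[str, Optional[str]]     # scanner -> virus name, None if clean


def never_fakes_sender(virusname: str) -> bool:
    """True when the site is sure this virus does not forge the envelope sender."""
    return virusname.startswith(NON_FAKING_PREFIXES)


def decide(results: Dict[str, Optional[str]]) -> Verdict:
    """Apply the policy from the post to one message's scanner results."""
    hits = {scanner: name for scanner, name in results.items() if name}
    if not hits:
        return Verdict(250, "accept", "clean")

    # A virus that is known not to fake the sender is safe to reject outright:
    # the 5xx goes back to the real originating server.
    for name in hits.values():
        if never_fakes_sender(name):
            return Verdict(571, "reject", f"detected {name}")

    name = next(iter(hits.values()))
    if len(hits) == 1:
        # Single-scanner detection might be a false positive: tempfail so a
        # legitimate sender retries, and no bounce is ever generated.
        return Verdict(471, "tempfail", f"possibly infected with {name}")

    # Two or more scanners agree: accept at SMTP time and drop silently,
    # since a bounce would go to a probably forged sender.
    return Verdict(250, "discard", f"discarded, {len(hits)} scanners detected {name}")


def tally(events: Iterable[ScanEvent], dedup: bool) -> Counter:
    """Count detections per scanner, optionally once per message id.

    Without dedup this reproduces the post's 'every scan counted' figures;
    with dedup, retried deliveries of the same tempfailed message count once.
    """
    counts: Counter = Counter()
    seen = set()
    for ev in events:
        if dedup:
            if ev.message_id in seen:
                continue
            seen.add(ev.message_id)
        for scanner, name in ev.results.items():
            if name:
                counts[scanner] += 1
    return counts


# Constructed sample stream: m1 is flagged by one scanner only, so it is
# tempfailed and the remote MTA delivers it three times; m2 is flagged by all
# three and discarded after one scan; m3 is a macro virus rejected with 571.
EVENTS = [
    ScanEvent("m1", {"clamd": "Worm.Example-A", "fprotd": None, "saviperl": None}),
    ScanEvent("m1", {"clamd": "Worm.Example-A", "fprotd": None, "saviperl": None}),
    ScanEvent("m1", {"clamd": "Worm.Example-A", "fprotd": None, "saviperl": None}),
    ScanEvent("m2", {"clamd": "Worm.Example-B", "fprotd": "W32/Example.B",
                     "saviperl": "W32/Example-B"}),
    ScanEvent("m3", {"clamd": None, "fprotd": "W97M/Example",
                     "saviperl": "WM97/Example"}),
]


if __name__ == "__main__":
    for ev in EVENTS:
        v = decide(ev.results)
        print(f"{ev.message_id}: {v.code} {v.action}: {v.message}")
    print("per scan:   ", dict(tally(EVENTS, dedup=False)))
    print("per message:", dict(tally(EVENTS, dedup=True)))
```

On the constructed stream, the per-scan tally credits `clamd` with four detections against two for each of the others, while the per-message tally gives all three scanners two apiece: the difference is entirely the retries triggered by the tempfail, which is the effect the post warns about when reading its daily numbers as a ranking.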