Dennis Peterson wrote:
Adam Stephens wrote:
On Tue, 28 Nov 2006, Dennis Peterson wrote:
Per Jessen wrote:
This is not really complaint, perhaps just an observation. On 25/11
around 1000CET I submitted a sample and again on 26/11 also
around 1000 I submitted a second sample - both phishing. I've only
just today around 1800CET received confirmation for both. This
is respectively about 56 and 32 hours later. I understand it was on a
weekend etc., but for ClamAVs phishing detection/protection to have any
meaning/reason at all, the time from submit to publish needs to be a
LOT shorter.
I'm not aware of any systems that have been disabled or rendered
useless be even the most aggressive phishing scheme.
Maybe not, but the response time for samples seems pretty low for
trojans, too - Our desktop scanner, Mcafee, caught a new IRC trojan in
our systems on November 1st. ClamAV didn't detect it, so I submitted a
sample, both direct and via TotalVirus. The sample still wasn't
detected by ClamAV a week after reporting (although it was added
fairly quickly after that)
It may be that the virus type required more than a single example or
some other extenuating problem existed - but as you know they are often
first with a solution for outbreaks. They are always among the early
responders with solutions.
I appreciate that people do this for free, and I don't know if that's
a typical response time - but it's worrying enough that we're looking
at running a commercial scanner in parallel to clamAV.
This is absolutely a best practice. One should not rely entirely on one
tool for this critical function. We use ClamAV for real time incoming
and outgoing email scans and a second tool runs on all Windows servers
that scans file systems because viruses can arrive in many ways. A third
product runs on our customer facing servers to ensure that content is
clean.
Funnily enough, the main reason we want to keep ClamAV is the
SaneSecurity phishing signatures - they're excellent.
I agree - there has never been a false positive here, and the detection
rate is astonishing. Steve asked recently for samples and I just don't
have any to offer :)
dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Has anyone ever considered an anti-spam solution for these phish emails?
I do realize that ClamAV uses quite a bit less resources than say
SpamAssassin at detecting the same phish -- but really, if your users
are being let down by the 'time it takes to get a phish sig' then isn't
about time their network/mail admin looked into added levels of
detection? Which brings me to my next question: Do you do spam filtering
for your custs? and: If not, why not?
I think the amount of spam they receive is far worse than the amounts of
phishing emails they receive (I see far more spam verses phish, even
phish plus virus is far less than spam.)
I don't have solid numbers to do on (do keep very many stats, as I'm the
only IT guy here, and I can hash out some stats when the budget needs to
be adjusted for new hardware.)
I've found clam to be reactive to phishs, I've found SpamAssassin to be
proactive...
BTW, keep up the good work Clam guys, I run 2 AV scanners in line, the
other scanner has nothing to do because of the excellent virus detection
provided at the best possible price. :-)
--
James
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
