On 2/28/2011 12:17 PM, Royce Williams wrote:
> On Mon, Feb 28, 2011 at 7:39 AM, Bowie Bailey <bowie_bai...@buc.com> wrote:
>> ClamAV 0.96 was released in April of 2010.  How much time do you need to
>> schedule an upgrade?  If my servers were still running an old version a
>> month after an update, I would consider it a serious problem.  AV
>> programs need to be kept up to date in order to provide the best protection.
> All, please realize that I'm trying to be constructive here - just
> exploring the options. I realize that today's problem was unexpected
> fallout, not a planned breakage.  And Edwin really helped us when we
> had a FreeBSD-specific memory problem, getting on one of our systems
> directly, investigating, and creating a patch on the spot -- so I'm a
> huge fan of the team and its efforts.

I realize that.  My apologies if my reply came across a bit harsh.

> Bowie - ah, to clarify: we were running 0.96.2, so we were still
> bitten by the outage last week (but not the one today).  Your answer
> implied that you thought we were running 0.95.x, which we were not.
> My apologies for not being clear.

Yes, I was assuming you were running 0.95.  I forgot that the last issue
affected 0.96.  My servers are running 0.97, so I have not been directly
affected.  But signature issues affecting 0.96 should be very rare at
this point.  The main point of argument here seems to be that the new
sigs are no longer tested against 0.95.

> But if it's not EOL, some shops are dramatically short-handed enough
> that "if it ain't broke, don't fix it" is sometimes not just a good
> rule of thumb, but the only feasible option. :-)  Depending on your
> definition of "an old version", upgrading within a month every time a
> "new version" comes out -- when the old one is not EOL -- could even
> be considered reckless. :-)

My definition of "an old version" depends on the software.  For some
software, updates are not critical.  You do them when you have time or
if you need new features.  But for anti-virus and anti-spam software,
updates are critical.  If not kept up to date, they rapidly decrease in
usefulness.  Having an old version is much better than nothing... right
up to the point where one of the newer viruses gets through. 
Personally, I try to update Clam within a week after the update is released.

> Tomasz' point about some folks preferring to have ClamAV "working"
> than actually detecting malware is an oversimplification.  Having
> 99.99% of signatures work when something breaks is better than having
> to turn the whole thing off - which is exactly what my shop had to do
> last week.  In other words: we couldn't detect *any* malware, which in
> my mind is worse.

I agree.  And so does Tomasz, which is why the newer versions attempt to
make sure the new DB will work before restarting.  Unfortunately, you
have to upgrade to get this functionality...

> I see the larger point -- that enabling a good admin to do a graceful
> upgrade a few hours later also enables a bad admin to put off an
> upgrade for months.  I'm not sure how to resolve that, but I do know
> that even a few hours' worth of breathing room can make the difference
> between unrevertable upgrades and a more proper, sysadminly process.
> Will bad admins abuse a grace period?  Probably.  But it would also
> help good admins do the Right Thing.

Well, I have to point out here that 0.97 has been available for 3 weeks
now.  :)

-- 
Bowie