Some tidbits from me. I do not speak for Cisco.
> On Oct 6, 2022, at 5:21 PM, G.W. Haywood via clamav-users
> <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Thu, 6 Oct 2022, Julia - via clamav-users wrote:
>
>> I have a general question to ClamAV regarding how good ClamAV is.
>
> It's a good question. Most people seem not to ask it.
It’s because AV Comparative tests want to charge the vendors to do the test.
That’s how they make their money, off of selling the test to the vendors for
the vendors to prove how good they are, and then they charge YOU the public for
the results of the test. ClamAV doesn’t participate in said tests because of
that. Well, speaking from when I was in charge of the project, which I haven’t
been in quite some time now.
>> In the internet there are lot of tests with other known products but
>> I cannot find any for ClamAV. So, are there any tests or reviews?
>
> I'm slightly surprised you can't find any reviews. I've seen a few
> which I wasn't really looking for, and just now when I ran the search
> "ClamAV review" there were at least dozens of hits, too many to count.
>
> There are Wikipedia articles, for example
>
>
https://en.wikipedia.org/wiki/Comparison_of_antivirus_software
Unfortunately, I see some errors in this already, not only for ClamAV, but for
other vendors as well. Alas, the problem with crowd sorted encyclopedias.
>
> which might help your research.
>
> For any individual ClamAV user the value of reviews is debatable for
> several reasons. For example there are many options in the ClamAV
> configuration; a reviewer might choose options which are different
> from those which you choose; a reviewer might have an axe to grind
> which you don't; you might be interested in only particular kinds of
> threats. Every installation is different. I only scan mail, I never
> scan filesystems; others only scan filesystems and never mail. Some
> people run Windows boxes, I (usually) don't.
>
> I'd say it's better to make your own assessment of the effectiveness
> in real use. You can find some of my own assessments in the mailing
> list archives.
👆🏼 this assessment is ultimately correct, and spoken by someone who has
obviously spent some time in the industry. Effectiveness is different for
everyone. What is effective for you, may not be effective for someone else who
has a completely different OS and security posture make up.
>
>> My second question is: Which malwares are in ClamAVs database, only
>> for Linux or also for Windows and Android, etc.?
>
> Any and every kind of malware is a candidate for inclusion in the
> 'Official' ClamAV signature database. ClamAV relies a great deal on
> signatures; although it has other ways of detecting threats it can
> never really be very much better than the signature database that it's
> using but anyone can submit samples of malware to the ClamAV malware
> team - indeed everyone is encouraged to do that. There are numerous
> what we call "third-party" signature databases, each of which has its
> own set of guidelines. Currently there are 81 files in our ClamAV
> database and only three of them are the ClamAV 'official' files.
Correct. ClamAV covers all kinds of malware, OS independent.
>
>> Is there a list where you can see all "supported" malwares?
>
> Be careful what you wish for, there are around ten million of them.
>
> Most files in the signature databases are plain text, and most of them
> have one signature per line. Many of the lines contain the "name" of
> the malware or threat or whatever it is. They aren't all malware, and
> the name won't mean very much, it's more or less just an identifier.
> It isn't going to be very educational but you can just read them, or
> you can for example run 'grep' on a file to count the numbers of some
> words contained in it such as 'Win.' (not 'Windows'):
>
> $ grep -a 'Win\.' daily.cld | wc -l
> 323501
>
> Try also for example 'Pdf' and 'Doc'.
>
> Naming of threats is a perennial problem, there are usually several
> names for each threat, some of which are used by several anti-virus
> vendors and some by only one or two.
Largely the system that creates the names for ClamAV detection is automated and
is based off of the most prevalent names that other vendors give it, from what
I understand.
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat