Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-29 Thread Damian Menscher

On Tue, 18 Jul 2006, Dennis Peterson wrote:

> Zvi Kave wrote:
>
> > Why does ClamAV have a significantly smaller number of known viruses
> > in comparison to other AV software?
>
> There's only a small number of viruses in the wild. MS-DOS viruses from 10
> years ago are not likely to pose a problem any longer. Having them in your
> database only allows you to inflate your virus pattern numbers so that people
> who are impressed by big numbers will be impressed.

> Isn't that what the phishing signatures are for?



Actually, it's not nearly as bad as I'd suspected... only 1069 of the 
62954 signatures are for phishing.  Of course, those signatures are 
responsible for 84% of the email that clamav blocks [1] and, based on 
reports in #clamav, a similar fraction of the false positives.


[1] based on the past 10,000 messages blocked by clamav at my site

Damian Menscher
--
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Ofc:(650)253-2757 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Maurice Lucas
On Tue, 2006-07-18 at 07:39 -0700, Dennis Peterson wrote:
> Zvi Kave wrote:
> > Why does ClamAV have a significantly smaller number of known viruses
> > in comparison to other AV software?
> 
> There's only a small number of viruses in the wild. MS-DOS viruses from 
> 10 years ago are not likely to pose a problem any longer. Having them in 
> your database only allows you to inflate your virus pattern numbers so 
> that people who are impressed by big numbers will be impressed.

For example big memory usage numbers ;)

I like big numbers in IT but I like big numbers on my bank account more

-- 
With kind regards,

Maurice Lucas
TAOS-IT



Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Jan-Pieter Cornet
On Tue, Jul 18, 2006 at 07:39:32AM -0700, Dennis Peterson wrote:
> Zvi Kave wrote:
> > Why does ClamAV have a significantly smaller number of known viruses
> > in comparison to other AV software?
> 
> There's only a small number of viruses in the wild. MS-DOS viruses from 
> 10 years ago are not likely to pose a problem any longer. Having them in 
> your database only allows you to inflate your virus pattern numbers so 
> that people who are impressed by big numbers will be impressed.

The company I work for (xs4all) runs all incoming emails through 3
different virus scanners. Currently Clamav, Sophos and F-prot. I'm
keeping statistics of which scanners detect which virus.

For months, clamav came out on top, detecting the most viruses in
the email stream for any given day. And you should consider that we
disabled the "phishing" signatures in clamav, so I'm not counting those.
Plus, F-prot currently has heuristic scanning enabled, which makes it
catch some badly cleaned, or truncated viruses.

These statistics are from Friday June 23rd, and were typical for
the months of May and June.

   clamd: 28311 viruses
  fprotd: 27459 viruses
saviperl: 21569 viruses

Recently, however, the other scanners have apparently caught up,
and in the past two or three weeks I'm seeing the scanners in 
a different order every day. This is from yesterday, Monday July 17th:

  fprotd: 16091 viruses
saviperl: 14409 viruses
   clamd: 14243 viruses

There are a few reasons why we're scanning with multiple scanners.
First, because we can: the mail platform is slightly overdimensioned :)

Second, because we want to guard against false positives. What happens
is, if an email comes in, and we detect a virus of which we are
sure it does not (or cannot) fake the MAIL From envelope, such as
macro viruses, then we reject the email with a "571 detected $virusname"

If we cannot positively identify the virus as non-header-faking,
then it depends on how many scanners detected the virus. If only
one scanner detected the virus, then we tempfail the email:
"471 possibly infected with $virusname"

If two or more scanners detected the virus, we discard the email.

(This happens at SMTP time, we never send a bounce because of viruses.
We're using MIMEDefang with a custom perl filter to control this).

Since we are sending a tempfail for certain viruses, we see a lot
of remote mail servers trying over and over again, usually for days.
Since I'm counting every "scan", a relatively high percentage of
viruses are only "caught" by one scanner. In practice, this is
usually the same message scanned several times. The numbers above
are therefore not really an indication of relative performance.

All in all: clamav makes a pretty good email scanner, certainly not
worse than the commercial alternatives that I am using.

In fact, there are very few reasons why someone wouldn't want to use
clamav, even if you already have another virus scanner: it also makes a
good companion to a commercial virus scanner, since not every scanner
detects every virus (or virus fragment, like a truncated bounce or a
badly disinfected mail, which is more common).

Hope this helps.

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disc lamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
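The SMTP-time verdict policy described in the post above (571 reject for a virus known not to forge the envelope sender, 471 tempfail on a single-scanner hit, silent discard on two or more hits, never a bounce), together with the counting bias the poster points out, as an added example in Python. This is not the poster's MIMEDefang/perl filter and not xs4all's code; the scanner names come from the post, while the virus names, Message-IDs and the "known non-spoofing" name patterns are constructed here for illustration.

```python
"""Multi-scanner SMTP-time verdict policy, modelled on the xs4all setup
described above.  Added illustration, not the poster's MIMEDefang filter.
Scanner names are from the post; virus names, message IDs and the
NON_SPOOFING patterns are constructed for this example."""
import re
from collections import Counter

# Families treated as never forging the envelope sender, so a hit can be
# rejected outright.  ASSUMED patterns: the post only names "macro viruses"
# as the class; a real deployment maintains this list per scanner.
NON_SPOOFING = [re.compile(p, re.I) for p in (r"^W97M\.", r"^X97M\.", r"^WM\.")]


def is_non_spoofing(virus_name):
    return any(p.search(virus_name) for p in NON_SPOOFING)


def decide(verdicts):
    """verdicts maps scanner name -> detected virus name (or None).

    Returns (action, smtp_reply) following the rules in the post:
      * a positively identified non-header-faking virus  -> reject, 571
      * otherwise exactly one scanner detected something -> tempfail, 471
      * two or more scanners detected something          -> accept, then discard
      * nothing detected                                 -> accept
    Deciding at SMTP time means no bounce is ever generated.
    """
    hits = {scanner: name for scanner, name in verdicts.items() if name}
    if not hits:
        return ("accept", "250 OK")
    names = sorted(set(hits.values()))
    for name in names:
        if is_non_spoofing(name):
            return ("reject", f"571 detected {name}")
    if len(hits) == 1:
        return ("tempfail", f"471 possibly infected with {names[0]}")
    # Two or more scanners agree, but the sender may be forged: accept on
    # the wire and drop silently rather than bounce to an innocent party.
    return ("discard", "250 OK")


# Constructed scan log: (message_id, verdicts).  Message <a> is caught only
# by clamd, so it is tempfailed and the remote MTA retries it four times.
SAMPLE_EVENTS = [
    ("<a@example.org>", {"clamd": "Worm.Example", "fprotd": None, "saviperl": None}),
    ("<a@example.org>", {"clamd": "Worm.Example", "fprotd": None, "saviperl": None}),
    ("<a@example.org>", {"clamd": "Worm.Example", "fprotd": None, "saviperl": None}),
    ("<a@example.org>", {"clamd": "Worm.Example", "fprotd": None, "saviperl": None}),
    ("<a@example.org>", {"clamd": "Worm.Example", "fprotd": None, "saviperl": None}),
    ("<b@example.org>", {"clamd": "W97M.Example", "fprotd": "W97M.Example", "saviperl": "W97M.Example"}),
    ("<c@example.org>", {"clamd": None, "fprotd": "W32/Example", "saviperl": "W32/Example"}),
]


def scanner_stats(events, dedupe=True):
    """Count detections per scanner.

    dedupe=False counts every scan, as the post's daily totals do, so a
    tempfailed message that the sender keeps retrying inflates the count of
    whichever scanner caught it.  dedupe=True counts each Message-ID once.
    """
    seen = set()
    counts = Counter()
    for msg_id, verdicts in events:
        if dedupe:
            if msg_id in seen:
                continue
            seen.add(msg_id)
        for scanner, name in verdicts.items():
            if name:
                counts[scanner] += 1
    return counts


if __name__ == "__main__":
    for msg_id, verdicts in SAMPLE_EVENTS:
        print(msg_id, *decide(verdicts))
    print("every scan counted:  ", dict(scanner_stats(SAMPLE_EVENTS, dedupe=False)))
    print("one count per message:", dict(scanner_stats(SAMPLE_EVENTS)))
```

With every scan counted, clamd "leads" 6 to 2 to 2 on the constructed log purely because one tempfailed message was retried; counting each message once puts the three scanners level, which is the distortion the poster warns about. Message-ID is sender-controlled, so for a real deduplication key prefer something the sender cannot trivially vary, such as a digest of the decoded attachment.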


Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Nigel Horne

Rob MacGregor wrote:

> On 7/18/06, Nigel Horne <[EMAIL PROTECTED]> wrote:
>
> > TK may disagree with me on this, but I have the feeling that the
> > above statement is not true.
> >
> > I believe (TK may correct me on this) that it would be better to say
> > that it has evolved into the state where it is mostly
> > an email virus scanner. But "designed to be an email ... scanner", I'm
> > not so sure. But hey ho, my memory ain't what it used to be.
>
> Quoting from the About page on the ClamAV site:
>
>   The main purpose of this software is the integration with mail servers
>   (attachment scanning).

Your point being?

--
Nigel Horne. Arranger, Adjudicator, Band Trainer, Composer, Tutor, 
Typesetter.

NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Rob MacGregor

On 7/18/06, Nigel Horne <[EMAIL PROTECTED]> wrote:

> TK may disagree with me on this, but I have the feeling that the
> above statement is not true.
>
> I believe (TK may correct me on this) that it would be better to say
> that it has evolved into the state where it is mostly
> an email virus scanner. But "designed to be an email ... scanner", I'm
> not so sure. But hey ho, my memory ain't what it used to be.

Quoting from the About page on the ClamAV site:

  The main purpose of this software is the integration with mail servers
  (attachment scanning).

--
Please keep list traffic on the list.

Rob MacGregor
 Whoever fights monsters should see to it that in the process he
   doesn't become a monster.  Friedrich Nietzsche


Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Nigel Horne

Tomasz Kojm wrote:

> Well, it was initially designed as an addition to mail scanners such as
> AMaViS and also a supplement to OpenAntiVirus which was lacking a command line
> scanner.

Ah yes, I'd forgotten OpenAntiVirus and the connection there.


--
Nigel Horne. Arranger, Adjudicator, Band Trainer, Composer, Tutor, 
Typesetter.

NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Tomasz Kojm
On Tue, 18 Jul 2006 16:05:34 +0100
Nigel Horne <[EMAIL PROTECTED]> wrote:

> Jim Maul wrote:
> 
> > Not to mention that clamav was designed to be an email virus scanner.
> 
> TK may disagree with me on this, but I have the feeling that the
> above statement is not true.
> 
> I believe (TK may correct me on this) that it would be better to say
> that it has evolved into the state where it is mostly
> an email virus scanner. But "designed to be an email ... scanner", I'm
> not so sure. But hey ho, my memory ain't what it used to be.

Well, it was initially designed as an addition to mail scanners such as
AMaViS and also a supplement to OpenAntiVirus which was lacking a command line
scanner.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Jul 18 17:38:28 CEST 2006




Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Nigel Horne

Jim Maul wrote:

> Not to mention that clamav was designed to be an email virus scanner.

TK may disagree with me on this, but I have the feeling that the
above statement is not true.

I believe (TK may correct me on this) that it would be better to say
that it has evolved into the state where it is mostly
an email virus scanner. But "designed to be an email ... scanner", I'm
not so sure. But hey ho, my memory ain't what it used to be.

> -Jim

-Nigel


Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Dennis Peterson

Zvi Kave wrote:

> Why does ClamAV have a significantly smaller number of known viruses
> in comparison to other AV software?


There's only a small number of viruses in the wild. MS-DOS viruses from 
10 years ago are not likely to pose a problem any longer. Having them in 
your database only allows you to inflate your virus pattern numbers so 
that people who are impressed by big numbers will be impressed.


dp


Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Jim Maul

Daniel J McDonald wrote:

> On Tue, 2006-07-18 at 17:11 +0200, Zvi Kave wrote:
>
> > Why does ClamAV have a significantly smaller number of known viruses
> > in comparison to other AV software?
>
> I don't think that's true.  62 thousand signatures is a healthy amount.
> main.cvd is up to date (version: 39, sigs: 58116, f-level: 8, builder:
> tkojm)
> daily.cvd is up to date (version: 1601, sigs: 3715, f-level: 8, builder:
> ccordes)
>
> But if you have samples that clamav is not finding, you are welcome to
> submit them.

Not to mention that clamav was designed to be an email virus scanner.
Including signatures of viruses that are not transported through email
would be a waste of time and resources for the scope of this project.

If you enjoy the warm cozy feeling of your scanner being able to detect
10-year-old DOS viruses or some such thing, then perhaps you should
choose a different scanner.


-Jim


Re: [Clamav-users] Small number of ClamAV known viruses ?

2006-07-18 Thread Daniel J McDonald
On Tue, 2006-07-18 at 17:11 +0200, Zvi Kave wrote:
> Why does ClamAV have a significantly smaller number of known viruses
> in comparison to other AV software?

I don't think that's true.  62 thousand signatures is a healthy amount.
main.cvd is up to date (version: 39, sigs: 58116, f-level: 8, builder:
tkojm)
daily.cvd is up to date (version: 1601, sigs: 3715, f-level: 8, builder:
ccordes)

But if you have samples that clamav is not finding, you are welcome to
submit them.

-- 
Daniel J McDonald, CCIE #2495, CNX, CISSP #78281
Austin Energy

gpg Key: http://austinnetworkdesign.com/pgp.key
Key fingerprint = B527 F53D 0C8C D38B DCC7  901D 2F19 A13A 22E8 A76A
