Re: [Mimedefang] ClamAV effectiveness
Hi there,

On Fri, 19 Sep 2014, David F. Skoll wrote:

> 4. ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)

Oops. Sorry about that. :/

Mr. Skoll also wrote:

> On Thu, 18 Sep 2014 17:33:44 +0100 (BST) "G.W. Haywood" wrote:
>
> > In my opinion ClamAV is more or less useless for anything other than
> > the phishing signatures etc. for which I use it.
>
> Seconded. ClamAV has become almost completely useless since the
> Sourcefire and then Cisco acquisition. It's a fine engine, but signatures
> are awful.
>
> On our hosted anti-spam service, we outright block executables as well
> as executables contained within archive files like ZIP, ARJ, .tar.gz, etc.

I call sub filter_bad_filename() in sub filter() and sub filter_multipart()
and REJECT the message if it doesn't pass muster.

    # Doesn't everybody do this?
    sub filter_bad_filename ($) {
        my($entity) = @_;
        my($bad_exts, $re);

        # $long_list_of_bad_extensions is an alternation of blocked
        # extensions ('exe|scr|pif|...') defined elsewhere in this filter.
        # Allow an optional "{CLSID}" tacked on after the extension, and
        # any number of trailing dots, so neither evades the match.
        $bad_exts = $long_list_of_bad_extensions . '(|\{[^\}]+\})';
        $re = '\.' . $bad_exts . '\.*$';

        # re_match() tests the part's own filename against the regex.
        return 1 if (re_match($entity, $re));

        # Note: Install Archive::Zip on this server!
        # For a .zip part, apply the same regex to every name listed in
        # the archive's directory (no extraction needed).
        if (re_match($entity, '\.zip$') and $Features{"Archive::Zip"}) {
            my $bh = $entity->bodyhandle();
            if (defined($bh)) {
                my $path = $bh->path();
                if (defined($path)) {
                    return re_match_in_zip_directory($path, $re);
                }
            }
        }
        return 0;
    }

Mr. Skoll wrote further:

> On Thu, 18 Sep 2014 14:17:13 -0500 Richard Laager wrote:
>
> > Is there a virus scanner you'd recommend for use with MIMEDefang on Linux?
>
> ... I'd recommend not running Windows which reduces your exposure to viruses

Seconded.

> by 99%.

I respectfully disagree with the 99%. I'm sure it's more than that. :)

--
73,
Ged.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)
On Thu, 18 Sep 2014 14:17:13 -0500
Richard Laager wrote:

> Is there a virus scanner you'd recommend for use with MIMEDefang on
> Linux?

No, not really. I'd recommend not running Windows which reduces your
exposure to viruses by 99%.

And rather than any sort of virus scanner, I'd simply block all EXE, SCR,
PIF, etc. files completely, including if they're inside archive files.
Any signature-based virus scanner is going to miss new viruses by
definition.

Regards,

David.
Re: [Mimedefang] ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)
On Thu, 2014-09-18 at 12:45 -0400, David F. Skoll wrote:

> ClamAV has become almost completely useless since the
> Sourcefire and then Cisco acquisition. It's a fine engine, but signatures
> are awful.

Is there a virus scanner you'd recommend for use with MIMEDefang on Linux?

--
Richard
[Mimedefang] ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)
On Thu, 18 Sep 2014 17:33:44 +0100 (BST)
"G.W. Haywood" wrote:

> In my opinion ClamAV is more or less useless for anything other than
> the phishing signatures etc. for which I use it.

Seconded. ClamAV has become almost completely useless since the
Sourcefire and then Cisco acquisition. It's a fine engine, but signatures
are awful.

On our hosted anti-spam service, we outright block executables as well
as executables contained within archive files like ZIP, ARJ, .tar.gz, etc.

If you want to do this, see the "lsar" package that can scan many types
of archives and extract filenames. It's packaged with Debian and the home
page is http://unarchiver.c3.cx/commandline

Regards,

David.
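Ged's filter_bad_filename() earlier in the thread and David's advice to block executables even inside archives both come down to one check: match every attachment name, and every member name listed in an archive, against a blocked-extension pattern. The script below is an added illustration written for this page, not code from the thread or from MIMEDefang: it builds a regex of the same shape as the Perl one (dot, blocked extension, optional "{CLSID}" suffix, trailing dots), reads member names from a ZIP's central directory without extracting anything, and returns an ACCEPT/REJECT verdict. The extension list, the sample archive and the choice to reject an unreadable .zip are constructed here; only ZIP is handled, whereas lsar covers many more formats.

```python
import io
import re
import zipfile

# Constructed sample list; Ged's post elides its real $long_list_of_bad_extensions.
BAD_EXTS = ["exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"]

# Same shape as the Perl regex: a dot, a blocked extension, an optional
# "{CLSID}" suffix, then any number of trailing dots, anchored at the end of
# the name.  Case-insensitive because attachment names arrive in any case.
BAD_NAME_RE = re.compile(
    r"\.(?:" + "|".join(BAD_EXTS) + r")(?:|\{[^}]+\})\.*$", re.IGNORECASE
)

def is_bad_filename(name):
    """True if an attachment or archive-member name matches the block list."""
    return BAD_NAME_RE.search(name) is not None

def bad_names_in_zip(data):
    """Blocked member names, read from the ZIP central directory only (no
    extraction); None if the data is not a ZIP at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_bad_filename(n)]
    except zipfile.BadZipFile:
        return None

def verdict(part_name, part_data):
    """Mirror filter_bad_filename(): reject on the part's own name, else on the
    names inside a .zip part.  Unlike the original, an unreadable .zip is rejected."""
    if is_bad_filename(part_name):
        return ("REJECT", part_name)
    if part_name.lower().endswith(".zip"):
        hits = bad_names_in_zip(part_data)
        if hits is None:
            return ("REJECT", "unreadable zip")
        if hits:
            return ("REJECT", hits[0])
    return ("ACCEPT", None)

def build_sample_zip():
    """Constructed test archive: one benign member, two blocked ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed")
        zf.writestr("docs/report.exe", b"MZ constructed")
        zf.writestr("photo.jpg.scr", b"MZ constructed")
    return buf.getvalue()
```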
Re: [Mimedefang] ClamAV effectiveness
Hello Andrew, you wrote on 11.10.13:

> I have to agree that ClamAV seems well behind other software
> packages.

> I do get a number of attachments e-mailed to me which I then check via
> https://www.virustotal.com and they are then reported as a virus.

I'd first test for "*.exe" or "zipped *.exe"; it's more reliable and a
lot faster for declaring those attachments as "suspicious".

Best regards!
Helmut
Re: [Mimedefang] ClamAV effectiveness
I have to agree that ClamAV seems well behind other software packages.

I do get a number of attachments e-mailed to me which I then check via
https://www.virustotal.com and they are then reported as a virus.

ClamAV is open source so I guess it does a good job for us people who
can't purchase a commercial package.

Andrew

On 10/11/13 00:36, wbr...@e1b.org wrote:
> DFS wrote on 10/10/2013 12:08:04 PM:
>
> > Has anyone noticed that ClamAV does a pretty poor job lately of
> > catching viruses? Here are a few days' worth of statistics from a
> > reasonably-busy mail server cluster:
>
> Not seeing it being caught by Symantec or McAfee on mail servers behind
> our CanIt system either, so it's not just ClamAV.

--
Andrew Watkins * Birkbeck, University of London * Computer Science *
* UKOUG Solaris SIG Co-Chair * http://notallmicrosoft.blogspot.com/
Re: [Mimedefang] ClamAV effectiveness
DFS wrote on 10/10/2013 12:08:04 PM:

> Has anyone noticed that ClamAV does a pretty poor job lately of
> catching viruses? Here are a few days' worth of statistics from a
> reasonably-busy mail server cluster:

Not seeing it being caught by Symantec or McAfee on mail servers behind
our CanIt system either, so it's not just ClamAV.

Confidentiality Notice: This electronic message and any attachments may
contain confidential or privileged information, and is intended only for
the individual or entity identified above as the addressee. If you are not
the addressee (or the employee or agent responsible to deliver it to the
addressee), or if this message has been addressed to you in error, you are
hereby notified that you may not copy, forward, disclose or use any part of
this message or any attachments. Please notify the sender immediately by
return e-mail or telephone and delete this message from your system.
[Mimedefang] ClamAV effectiveness
Hi, all,

Has anyone noticed that ClamAV does a pretty poor job lately of catching
viruses? Here are a few days' worth of statistics from a reasonably-busy
mail server cluster:

    Total messages scanned:      25 814 586
    Viruses detected by ClamAV:      32 147
    Viruses missed by ClamAV:       137 231

The second number is a count of all ".exe" files, so it's conceivable
some are not viruses, but the vast majority are... the number is off by
at most 1%. It seems that over 80% of the viruses passing through our
servers are completely missed by ClamAV.

Opinions? Experiences?

Regards,

David.