[Mimedefang] ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)

2014-09-18 Thread David F. Skoll
On Thu, 18 Sep 2014 17:33:44 +0100 (BST)
G.W. Haywood mimedef...@jubileegroup.co.uk wrote:

> In my opinion ClamAV is more or less useless for anything other than
> the phishing signatures etc. for which I use it.

Seconded.  ClamAV has become almost completely useless since the
Sourcefire and then Cisco acquisition.  It's a fine engine, but signatures
are awful.

On our hosted anti-spam service, we outright block executables as well
as executables contained within archive files like ZIP, ARJ, .tar.gz, etc.

If you want to do this, see the lsar package that can scan many types
of archives and extract filenames.  It's packaged with Debian and its home
page is http://unarchiver.c3.cx/commandline

Regards,

David.
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)

2014-09-18 Thread David F. Skoll
On Thu, 18 Sep 2014 14:17:13 -0500
Richard Laager rlaa...@wiktel.com wrote:

> Is there a virus scanner you'd recommend for use with MIMEDefang on
> Linux?

No, not really.  I'd recommend not running Windows, which reduces your
exposure to viruses by 99%.

And rather than any sort of virus scanner, I'd simply block all EXE,
SCR, PIF, etc. files completely, including if they're inside archive
files.

Any signature-based virus scanner is going to miss new viruses by
definition.

Regards,

David.
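A sketch of the policy described in both messages above (refuse EXE, SCR and PIF attachments, including ones listed inside an archive by lsar), added here as an example; it is not code from the thread, MIMEDefang or Roaring Penguin. It assumes `lsar -j` emits JSON with a top-level `lsarContents` list whose entries carry `XADFileName`; the function names and the sample listing are constructed for illustration.

```python
import json
import subprocess

# Extensions named in the thread; extend to match local policy.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif")

# Constructed sample of the assumed `lsar -j` schema, for offline testing.
SAMPLE_LSAR_JSON = json.dumps({"lsarContents": [
    {"XADFileName": "docs/readme.txt"},
    {"XADFileName": "docs/Invoice.pdf.EXE"},
    {"XADFileName": "x\\setup.scr. "}]})

def is_blocked_name(name):
    """True if the final path component ends in a blocked extension."""
    # Archive members may carry directories with either separator.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "a.exe. " opens as a.exe.
    base = base.rstrip(". ").lower()
    return base.endswith(BLOCKED_EXTENSIONS)

def member_names(lsar_json):
    """Member filenames from `lsar -j` output (assumed schema: a
    "lsarContents" list whose entries have an "XADFileName" key)."""
    listing = json.loads(lsar_json)
    return [entry["XADFileName"] for entry in listing["lsarContents"]]

def verdict(filename, lsar_json=None):
    """Return (action, offending_names); action is "block", "pass" or
    "unreadable". lsar_json=None means the attachment was not listable."""
    if is_blocked_name(filename):
        return "block", [filename]
    if lsar_json is None:
        return "pass", []
    try:
        bad = [n for n in member_names(lsar_json) if is_blocked_name(n)]
    except (ValueError, KeyError, TypeError):
        return "unreadable", []  # listing did not match the assumed schema
    return ("block", bad) if bad else ("pass", [])

def list_archive(path, timeout=30):
    """Run lsar on a saved attachment; None if lsar is missing or fails."""
    try:
        out = subprocess.run(["lsar", "-j", path], capture_output=True,
                             timeout=timeout, check=True)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.decode("utf-8", "replace")
```

lsar lists only the top level of an archive, so an archive nested inside another archive needs its own extraction and a second pass through `verdict`.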