Mailing List Archive

[clamav-users] Becoming disillusioned
I'm becoming quite disillusioned with ClamAV. In the last five years,
ClamAV which is installed on my email server, has failed to detect a
single piece of malware on the system before that malware ceases to be
in email circulation. Not one, out of thousands. And I'm not talking
about encrypted zip files, or containers it still doesn't even support.
And I will dutifully submit some of the egregious samples of straight-up
malware which are then just as dutifully ignored. I sometimes keep a
piece around for a few weeks, watch the detection rate on VirusTotal
climb to 95% of all scanners, while ClamAV remains blissfully silent. I
remember when the submission form asked for how many other platforms
detected it, and when reports actually got signatures disted out in a
day. Now, I sometimes submit over and over, and have yet in the last
two years to see a submission lead to a signature. Years ago someone
tried to inject a malware script through my WordPress. Interestingly,
this malware detected on Windows ClamAV but not in Linux, its natural
habitat. I tracked it down to case differences and then realized that
there were then thousands of malware scripts that would detect in
Windows and not on the actual systems they were written for. I believe
this problem still exists. I jumped up and down on the mailing lists at
the time trying to get someone's attention, to no avail.

ClamAV has, I'm afraid, become worse than nothing. Nothing doesn't take
up memory, storage space, and execution resources but nets the same
result. Nothing, by definition, doesn't come with that implied "it's
better than nothing" which ClamAV does and clearly isn't.

What can be done as a community to fix this? Is there anything that can
be done? Is it time to fork and abandon?

Thoughts?

Kurt Fitzner
Re: [clamav-users] Becoming disillusioned
* Kurt Fitzner <kurt+clamav@va1der.ca>:

> ClamAV has, I'm afraid, become worse than nothing. Nothing doesn't take
> up memory, storage space, and execution resources but nets the same
> result. Nothing, by definition, doesn't come with that implied "it's
> better than nothing" which ClamAV does and clearly isn't.
>
> What can be done as a community to fix this? Is there anything that can
> be done? Is it time to fork and abandon?

I looked at my mailserver and created some statistics (Sophos &
clamav) over the last week, TOP 25 detections:

1134 CXmail/OleDl-AD
370 CXmail/MalPE-AC
162 CXmail/MalPE-AW
109 Sanesecurity.Spam.12724.UNOFFICIAL
109 Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL
77 CXmail/RtfObf-D
53 SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL
52 CXmail/IsoDl-A
47 Sanesecurity.Malware.27301.RtfHeur.BadVer.UNOFFICIAL
41 CXmail/OleDl-BI
35 CXmail/MalPE-U
33 SecuriteInfo.com.FakeRTF-2.UNOFFICIAL
31 Win.Downloader.WannaMine-6442440-2
29 CXmail/MalPE-B
28 SecuriteInfo.com.Malware.XML.Autoload-1.UNOFFICIAL
28 Mal/BredoZp-B
27 CXmail/MalPE-AU
22 CXmail/MalPE-G
19 Mal/DrodZp-A
18 CXmail/OleDl-AL
17 CXmail/MalPE-AZ
16 Sanesecurity.Malware.27382.Rar5Heur.UNOFFICIAL
14 Sanesecurity.Foxhole.Iso_fs915.UNOFFICIAL
13 Sanesecurity.Malware.27342.RarHeur.v5.HideExt.UNOFFICIAL
13 CXmail/MalPE-H

Most detections come from Sophos (the ones with a "/" in the name), the
ones with UNOFFICIAL are from clamav, but use unofficial pattern
sources (like Sanesecurity and to lesser extent SecuriteInfo).

The only official "hit" in the top 25 is "Win.Downloader.WannaMine-6442440-2"

I see the extensibility as a major advantage. Just the other day I
created a set of patterns to detect EPOCH3 EMOTET files.

But to some extent I agree with the point you're making.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
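The "top 25" above is the kind of tally any mail admin can produce from their own logs, and the naming conventions Ralf points out ("/" for Sophos names, ".UNOFFICIAL" for third-party ClamAV databases, everything else official) are enough to attribute each hit to the database that produced it. The script below is an added example written for this archive, not code from Ralf or from the ClamAV project. The log lines are constructed, and their layout (modelled loosely on amavisd-new "Blocked INFECTED (...)" entries) is an assumption; adjust INFECTED_RE to whatever your milter or content filter actually logs.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real server). The format is an
# assumption loosely modelled on amavisd-new "Blocked INFECTED (...)" entries.
SAMPLE_LOG = """\
Aug 14 08:01:12 mx amavis[2211]: (02211-01) Blocked INFECTED (CXmail/OleDl-AD) <a@example.net> -> <b@example.org>
Aug 14 08:02:40 mx amavis[2211]: (02211-02) Blocked INFECTED (Sanesecurity.Spam.12724.UNOFFICIAL) <c@example.net> -> <b@example.org>
Aug 14 08:03:05 mx amavis[2213]: (02213-01) Blocked INFECTED (CXmail/OleDl-AD) <d@example.net> -> <e@example.org>
Aug 14 08:04:19 mx amavis[2213]: (02213-02) Blocked INFECTED (Win.Downloader.WannaMine-6442440-2) <f@example.net> -> <b@example.org>
Aug 14 08:05:33 mx amavis[2214]: (02214-01) Blocked INFECTED (SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL) <g@example.net> -> <e@example.org>
Aug 14 08:06:01 mx amavis[2214]: (02214-02) Passed CLEAN {RelayedInbound} <h@example.net> -> <b@example.org>
Aug 14 08:07:44 mx amavis[2215]: (02215-01) Blocked INFECTED (CXmail/OleDl-AD) <i@example.net> -> <e@example.org>
"""

# Pulls the detection name out of a blocked-message log entry (assumed format).
INFECTED_RE = re.compile(r"Blocked INFECTED \(([^)]+)\)")

# Third-party ClamAV database publishers whose names prefix their signatures.
THIRD_PARTY_PREFIXES = ("Sanesecurity", "SecuriteInfo.com")


def classify(sig: str) -> str:
    """Attribute a detection name to the database that produced it, using the
    conventions described in the thread: Sophos names contain a "/", third-party
    ClamAV databases append ".UNOFFICIAL" and lead with the publisher's name,
    and anything else comes from the official ClamAV database."""
    if "/" in sig:
        return "Sophos"
    if sig.endswith(".UNOFFICIAL"):
        for publisher in THIRD_PARTY_PREFIXES:
            if sig.startswith(publisher + "."):
                return f"ClamAV unofficial ({publisher})"
        return "ClamAV unofficial (other)"
    return "ClamAV official"


def tally(log_text: str):
    """Count detections per signature name and per source database.
    Lines without a detection (clean mail, other events) are skipped."""
    by_sig = Counter()
    by_source = Counter()
    for line in log_text.splitlines():
        m = INFECTED_RE.search(line)
        if not m:
            continue
        sig = m.group(1)
        by_sig[sig] += 1
        by_source[classify(sig)] += 1
    return by_sig, by_source


def top(by_sig: Counter, n: int = 25):
    """Most frequent signatures as (count, name) pairs, in the layout of the
    list posted in the thread."""
    return [(count, name) for name, count in by_sig.most_common(n)]


if __name__ == "__main__":
    sigs, sources = tally(SAMPLE_LOG)
    for count, name in top(sigs):
        print(f"{count:5d} {name}")
    print()
    for source, count in sources.most_common():
        print(f"{count:5d} {source}")
```

Run it against a real log (e.g. `tally(open("/var/log/mail.log").read())`) and the per-source counter answers the question this thread is circling: how much of what your scanner catches is actually coming from the official database versus the third-party ones.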
Re: [clamav-users] Becoming disillusioned
Hi there,

On Fri, 14 Aug 2020, Kurt Fitzner wrote:

> I'm becoming quite disillusioned with ClamAV. In the last five years,
> ClamAV which is installed on my email server, has failed to detect a
> single piece of malware on the system before that malware ceases to be
> in email circulation.

In the past on this list I've made some estimates of detection rates
for ClamAV. While I wouldn't go quite so far as you, I don't think
they're very impressive. But then (1) I don't think the detection
rates for ANY scanner are very impressive and (2) I don't think that
there's anything comparable that's available on Linux for the price. :)

Like you I use ClamAV to scan mail. I use a milter of my own, not the
one provided with ClamAV, but the scanning engine is the same 'clamd'.
I don't know what you're doing that's different from what I'm doing,
but I'm having trouble understanding why our experiences of ClamAV
seem to be very different. In your situation, in that time, I'd have
expected ClamAV to have found at least tens and perhaps even hundreds
of viruses if nothing else is blocking them.

I don't worry much about viruses. The main reason I use ClamAV is to
catch spam, using third-party signatures. My experience of the
third-party signatures is pretty good. I routinely contribute. Do you?

As most of the time mail here normally gets rejected before it reaches
the 'DATA' phase of the SMTP conversation, ClamAV doesn't get a chance
to scan it anyway and I normally don't hear anything from it. But if,
for testing, I let it see all the traffic, in addition to quite a bit
of spam it certainly finds a (very few) viruses in circulating mail.
As it happens I've been doing that for a couple of months to compare
two instances of clamd:

https://bugzilla.clamav.net/show_bug.cgi?id=10979

in two months it found 66 phish/junk messages and 3 malware examples.
The malware is nothing that I could get very excited about - it's all
Windows stuff - and there _is_ vastly more criminal junk in the mail
which it doesn't catch; but what it's missing is mostly 419 scams, not
viruses, and that's because there simply aren't the signatures in the
third-party databases for all the scams. AFAICT ClamAV _is_ actually
doing what it's supposed to do, and it hasn't missed any viruses in
this two month experiment. But in my situation I suppose it doesn't
get to see many, so you couldn't call that a great testimonial.

If I'm getting the right picture from your description you're handling
larger volumes of traffic than I am, and given that with more traffic
you seem to see fewer detections it makes me wonder if either there's
a big difference in the texture of the traffic, which given the nature
of email seems unlikely, or if there's some substantial difference in
the configurations that we're using. Could you share more details?

> ... I remember when the submission form asked for how many other
> platforms detected it, and when reports actually got signatures
> disted out in a day.

Can anyone else offer their own experiences from submissions? The odd
thread I've seen on this list has given me the impression that it's
more usually a couple of days. There was a pretty good example in the
last couple of days.

> ... Years ago someone tried to inject a malware script through my
> WordPress. Interestingly, this malware detected on Windows ClamAV
> but not in Linux ...
> I jumped up and down on the mailing lists at the time ...

You did:

8<----------------------------------------------------------------------
Date: Sun, 13 Dec 2015 23:32:39 -0400
From: Kurt Fitzner <kurt+clamav@va1der.ca>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Detection in windows but not Linux
Message-ID: <2c716a34b02cc7ceb1b35bd986a584ab@va1der.ca>
Content-Type: text/plain; charset=US-ASCII

To my embarrassment, the Windows/Linux detection issue was mostly of my
making. WinSCP does CR/LF translation of text files by default. The rest
you can now all guess. ...
8<----------------------------------------------------------------------

It seems a little disingenuous not to mention the outcome.

> ClamAV has, I'm afraid, become worse than nothing. Nothing doesn't take
> up memory, storage space, and execution resources but nets the same
> result. Nothing, by definition, doesn't come with that implied "it's
> better than nothing" which ClamAV does and clearly isn't.

The picture I get from a lot of the mail on this list is that people
install a virus scanner because then, they think, their systems are
"protected" and they don't have to do anything else. That's a very
long way from the truth and ClamAV doesn't do it. But one thing it
_does_ do is give you a feel for the threat. And the threat is real,
you (well, at least I) can see it, and so there's obviously a need to
do something about it.

If you rely on a virus scanner to protect your systems because you're
not going to keep them reasonably currently patched, then it doesn't
matter which scanner you use - even if you use them all - your systems
are going to get pwned. That's simply because there is no scanner and
there isn't even any _combination_ of all the available scanners which
can protect you 100%. They just can't do it. The last time I saw a
comparison of scanners using some body of malware samples about which
I know nothing the reporter claimed that ClamAV managed about 75% when
the best scanner tested managed about 80%. Even if I believed them, I
can't say that either of those figures would fill me with confidence -
and if we're talking about very current threats, my estimates would be
nearer 30% than 75%. Even if only one in five will get past the scan
undetected, and you're seeing as much cr@p as, say, Mr. Hildebrandt
is seeing, then if you're doing nothing else to protect your systems,
on a good day they'll probably be compromised before breakfast.

> What can be done as a community to fix this? Is there anything that can
> be done? Is it time to fork and abandon?

I think it's more about taking a step back to see the bigger picture,
about managing expectations, and about making contributions than it is
about running off in another direction. Cisco/Talos has in place a
pretty good infrastructure for keeping databases updated, and they're
improving the code base, if a little sporadically. Take a look at the
changelog (https://github.com/Cisco-Talos/clamav-devel/commits) to see
the things that are happening, and some that are on the cards. If you
can suggest improvements in what's available now, then let's see them:
https://bugzilla.clamav.net/describecomponents.cgi?product=ClamAV but
don't underestimate the investments in time and probably hard cash
that's needed just to serve the data to the ClamAV user base. In fact
don't underestimate what would be needed only to support the malicious
and/or clueless traffic to mirrors - there are mentions on this list.

----------------------------------------------------------------------

On Fri, 14 Aug 2020, Ralf Hildebrandt via clamav-users wrote:

> I looked at my mailserver and created some statistics (Sophos &
> clamav) over the last week, TOP 25 detections:
> ...
> ...

Your ClamAV has seen more malware in a week than mine has seen in the
approaching two decades that I've used it. One difference may I think
be that I treat ClamAV very much as a backup to the other ways which I
use of preventing unwanted traffic. First among those must be a dozen
or so DNSBLs and a home-brewed scoring system, next I think would be a
collection of bla^Hocklists of my own creation, and not forgetting the
milter, which implements those features plus greylisting every mail it
doesn't recognize so that a human can cast an eye over it before it's
(usually) dropped in the tarpit.

> I see the extensibility as a major advantage. ...

+1

--

73,
Ged.
