Mailing List Archive

[clamav-users] Reservations towards clamAV
Hi all,

I keep running into reservations about clamAV. It is often claimed that
clamAV has a poor detection rate compared to other solutions. I then often
lack an answer based on hard facts. Do you also have this problem? If so,
is there good data somewhere to compare clamAV with other solutions? Or do
you have good arguments with which you have convinced?

Thanks,
Andreas
Re: [clamav-users] Reservations towards clamAV
> I keep running into reservations about clamAV. It is often claimed that
> clamAV has a poor detection rate compared to other solutions. I then often
> lack an answer based on hard facts. Do you also have this problem? If so,
> is there good data somewhere to compare clamAV with other solutions?

I was recently thinking exactly the same. I even tried searching for some test results, but found nothing significant.

> Or do
> you have good arguments with which you have convinced?
>

Having something is always better than nothing, as long as you keep in mind that virus scanning processes are always a few steps behind. Thus if someone targets you specifically, they are useless.
I see them more as a way to prevent accidental spreading, which is probably the most common scenario.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Reservations towards clamAV
Hi there,

On Mon, 14 Feb 2022, Marc wrote:

>> I keep running into reservations about clamAV. It is often claimed that
>> clamAV has a poor detection rate compared to other solutions. I then often
>> lack an answer based on hard facts. Do you also have this problem? If so,
>> is there good data somewhere to compare clamAV with other solutions?
>
> I was recently thinking exactly the same. I even tried searching for
> some test results, but found nothing significant.

See for example

https://lists.clamav.net/pipermail/clamav-users/2021-June/011344.html

There are other posts in the archives for more data. I can't say how
good it all is, but after you've seen it if you're still interested I
can explain how I collected it. It's entirely from scanning mail, so
it might not be relevant to your own situations. I can't remember the
last time I scanned a filesystem, it wouldn't have been one of ours in
any case.

There are quite a few blog/magazine articles online about all manner
of things related to virus scanning. I'd treat them with reservation
as in my view most of them are written as vehicles for advertising to
produce revenue for the authors.

>> Or do you have good arguments with which you have convinced?
>
> Having something is always better than nothing, as long as you keep
> in mind that virus scanning processes are always a few steps
> behind. Thus if someone targets you specifically, they are useless.
> I see them more as a way to prevent accidental spreading, which is
> probably the most common scenario.

In my view, in most cases, scanning filesystems for viruses is more or
less a waste of security effort (if you find it, it's already there!)
which could be applied elsewhere with much better effect. Yes, if you
operate a file-sharing service or something similar then you are going
to be a target, and you'll need to scan everything that's uploaded and
I suggest doing a lot more than that too. But people (and even otherwise
apparently sane people, who write things like best practice documents
for the government) seem to have fallen into a kind of Windows-based
group-think which says you need to scan for viruses no matter what.

Unfortunately the best scanners struggle to get a hit rate better than
about 80% so if for example you get more than a few dozen emails every
day then you can be pretty sure that you'll miss a few every week (the
vast majority of emails being scams or viruses). Not all of those you
miss will result in compromise, but now if scanning is all you do to
protect yourself you're trusting to dumb luck. The luck will run out,
so take proper security precautions or you are certainly going to be
compromised eventually. There's a lot of good advice out there which
can be had for the price of a search engine query.

We don't use ClamAV to scan for viruses here. We use it to scan mail
for junk. With our own relatively few Yara rules (a couple of dozen,
as compared with ~8 million signatures) it's fairly effective and it
makes a big contribution to our automated spam and threat reporting.
We do see a few examples of malware daily, but they aren't a concern;
nobody here is going to run a random executable from an email nor put
a USB stick that they found in the car park into their computer.

--

73,
Ged.
