[clamav-users] clamd server '/var/run/clamd.amavisd/clamd.sock' gave '' response
Dennis Peterson
dennispe at inetnw.com
Mon Feb 22 16:30:29 UTC 2016
# grep FOUND /var/log/clamav/clamd.log* |grep -c UNOFFICIAL
80
# grep FOUND /var/log/clamav/clamd.log* |grep -v -c UNOFFICIAL
0
# grep FOUND /var/log/clamav/clamd.log* |grep -c -i sanesecurity
38
# grep FOUND /var/log/clamav/clamd.log* |grep -c -i winnow
42
My logs go back only to January, but this is a typical pattern for the last 7
years or so. Notice that official sigs have not found anything. Important too to
know that, because of CPU cost, scanning is the last thing done to test mail, and
that most rejections happen prior, and scanning isn't performed. In terms of
effectiveness: proactive prevention using hosts.deny, iptables, sendmail access,
the j-chkmail milter (includes regex, urlbl, heuristics, spam traps), IP reputation,
and reactive denial with the deny-hosts utility, fail2ban, and manual scanning of log
reports.
I've not looked at the code to see if ClamAV has a signature order (theirs first,
then "unofficial"), but it is certainly possible that if Sane Security signatures
were not installed, ClamAV signatures may get more hits.
dp
On 2/22/16 6:34 AM, Groach wrote:
> FWIW, if I may offer opinion: I would agree with Alex with the need to source
> out better unofficial databases (such as sanesecurity, securiteinfo etc):
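The grep pipeline in the post above counts FOUND lines one source at a time. As an added example (not code from the original post, and not part of ClamAV), here is the same tally done in one pass, classifying every FOUND line by signature source. The clamd.log lines are constructed for the example, and the script assumes two conventions: the clamd log format "<date> -> <path>: <signature> FOUND", and that signatures loaded from third-party databases carry a ".UNOFFICIAL" suffix plus a vendor prefix such as Sanesecurity., winnow. or SecuriteInfo.com. The function names tally_found and count_source are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: tally clamd.log "FOUND" lines by
# signature source in a single pass. The log lines below are constructed.
# Assumed log format: "<date> -> <path>: <signature> FOUND"
# Assumed naming: third-party sigs end in ".UNOFFICIAL" and start with a vendor prefix.

SAMPLE_LOG='Mon Feb 22 10:01:02 2016 -> /var/spool/amavisd/tmp/a1/parts/p001: Sanesecurity.Junk.12345.UNOFFICIAL FOUND
Mon Feb 22 10:03:40 2016 -> /var/spool/amavisd/tmp/a2/parts/p002: winnow.malware.ts.1234.UNOFFICIAL FOUND
Mon Feb 22 10:05:11 2016 -> /var/spool/amavisd/tmp/a3/parts/p001: Win.Trojan.Agent-1234567 FOUND
Mon Feb 22 10:06:00 2016 -> /var/spool/amavisd/tmp/a4/parts/p003: SecuriteInfo.com.Trojan.Downloader.9999.UNOFFICIAL FOUND
Mon Feb 22 10:07:00 2016 -> SelfCheck: Database status OK.
Mon Feb 22 10:08:30 2016 -> /var/spool/amavisd/tmp/a5/parts/p001: Sanesecurity.Phishing.Cur.100.UNOFFICIAL FOUND'

# tally_found: read clamd.log lines on stdin, print "<source> <count>" pairs.
# Only lines ending in "FOUND" are detections; the signature is the field
# just before "FOUND", so paths containing spaces do not break the parse.
tally_found() {
    grep ' FOUND$' | awk '{
        sig = $(NF-1)
        if (sig !~ /\.UNOFFICIAL$/)                 src = "official"
        else if (tolower(sig) ~ /^sanesecurity\./)  src = "sanesecurity"
        else if (tolower(sig) ~ /^winnow\./)        src = "winnow"
        else if (tolower(sig) ~ /^securiteinfo\./)  src = "securiteinfo"
        else                                        src = "other-unofficial"
        n[src]++
    } END { for (s in n) print s, n[s] }' | sort
}

# count_source <source>: the tally for one source from SAMPLE_LOG, 0 if absent.
count_source() {
    printf '%s\n' "$SAMPLE_LOG" | tally_found \
        | awk -v want="$1" '$1 == want { c = $2 } END { print c + 0 }'
}

# Usage on the constructed sample; for real logs: cat /var/log/clamav/clamd.log* | tally_found
printf '%s\n' "$SAMPLE_LOG" | tally_found
```

Run against real logs with `cat /var/log/clamav/clamd.log* | tally_found`. The "other-unofficial" bucket is the one worth watching: it catches any third-party database whose prefix the script does not know, which the per-vendor greps in the post would silently miss.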