[clamav-users] clamd server '/var/run/clamd.amavisd/clamd.sock' gave '' response
Groach
groachmail-stopspammingme at yahoo.com
Mon Feb 22 17:06:31 UTC 2016
I don't think there is any 'cause' to be had (that the unofficial
signatures found threats and that the official ones didn't) other than
ClamAV signatures are too few, too ineffective and more importantly too
late.

I ran AV for 3 years as an inline mail scanner and it didn't catch a
single threat in my emails. Not one SINGLE one. In 3 years! (Although
there were WAY too many false positives when scanning my hard drives
(almost daily).) In November, after some testing, I decided on
implementing and using Sane signatures and the difference was immediate
within the FIRST HOUR of turning them on. Now we must have on average
at least 5 of 6 emails DAILY with threats attached to them and they get
caught immediately by the unofficial signatures. The daily threat of
'bad-macro' in Office documents (cryptolocking) was caught at retrieval
and never got through to the users (thereby removing the risk of them
stupidly opening it, enabling macros in Office, and wondering how pretty
that red "you have been encrypted, send us your money" screen looks).
These emails were always coming in almost daily before implementing Sane
but ClamAV definitions just didn't have any clue (or urgency!) on dealing
with them. In 3 months only 2 email threats managed to come in just
before my hourly definition update and therefore got through.

So I have no doubt that even if ClamAV definitions took priority in the
database, it wouldn't have mattered, as they had the efficacy of wearing
sandals for rain boots.
On 22/02/2016 17:30, Dennis Peterson wrote:
> # grep FOUND /var/log/clamav/clamd.log* |grep -c UNOFFICIAL
> 80
> # grep FOUND /var/log/clamav/clamd.log* |grep -v -c UNOFFICIAL
> 0
> # grep FOUND /var/log/clamav/clamd.log* |grep -c -i sanesecurity
> 38
> # grep FOUND /var/log/clamav/clamd.log* |grep -c -i winnow
> 42
>
> My logs go back only to January, but this is a typical pattern for the
> last 7 years or so. Notice that official sigs have not found anything.
> Important too to know that because of cpu cost scanning is the last
> thing done to test mail and that most rejections happen prior and
> scanning isn't performed. In terms of effectiveness, proactive
> prevention using hosts.deny, iptables, sendmail access, j-chkmail
> milter (includes regex, urlbl, heuristics, spam traps), IP reputation,
> and reactive denial with deny-hosts utility, fail2ban, manual scanning
> of log reports.
>
> I've not looked at the code to see if ClamAV has a signature order
> (theirs first then "unofficial") but it is certainly possible that if
> Sane Security signatures were not installed that ClamAV signatures may
> get more hits.
>
> dp
>
> On 2/22/16 6:34 AM, Groach wrote:
>> FWIW, if I may offer opinion: I would agree with Alex with the need
>> to source out better unofficial databases (such as sanesecurity,
>> securiteinfo etc):
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
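The grep pipeline Dennis quotes above counts `FOUND` lines in clamd.log and splits them by whether the signature name carries the `.UNOFFICIAL` suffix that clamd appends to third-party databases. The script below is an added example (not from either poster) that does the same tally in one pass and breaks the unofficial hits down by database prefix (sanesecurity, winnow, securiteinfo, ...), so you can see which feeds are actually earning their keep. The log lines are constructed to match the clamd.log shape `<timestamp> -> <path>: <signature> FOUND`; paths, signature names and counts are invented for the example, not taken from any real log.

```shell
#!/bin/sh
# Added example: tally clamd "FOUND" log lines by signature source.
# SAMPLE_LOG is constructed for this example; in practice feed in
# /var/log/clamav/clamd.log* instead.
SAMPLE_LOG=$(cat <<'EOF'
Mon Feb 22 09:01:02 2016 -> /var/amavis/tmp/amavis-1/parts/p001: Sanesecurity.Malware.25399.BadMacro.UNOFFICIAL FOUND
Mon Feb 22 09:05:10 2016 -> /var/amavis/tmp/amavis-2/parts/p002: winnow.malware.ts.heur.1.UNOFFICIAL FOUND
Mon Feb 22 09:07:44 2016 -> /var/amavis/tmp/amavis-3/parts/p003: Win.Trojan.Agent-1234 FOUND
Mon Feb 22 09:09:00 2016 -> /var/amavis/tmp/amavis-4/parts/p004: OK
Mon Feb 22 09:12:31 2016 -> /var/amavis/tmp/amavis-5/parts/p005: Sanesecurity.Foxhole.Mail_zip.UNOFFICIAL FOUND
Mon Feb 22 09:15:00 2016 -> SelfCheck: Database status OK.
EOF
)

# classify_found: read clamd log lines on stdin and print "<source> <count>"
# per source, sorted. Stock ClamAV signatures are labelled "official";
# third-party signatures carry clamd's ".UNOFFICIAL" suffix and are labelled
# with their lowercased database prefix (sanesecurity, winnow, ...).
classify_found() {
  awk '
    / FOUND$/ {
      sig = $(NF-1)                      # field just before the trailing FOUND
      if (sig ~ /\.UNOFFICIAL$/) {
        split(sig, parts, ".")
        src = tolower(parts[1])          # database prefix, e.g. sanesecurity
      } else {
        src = "official"
      }
      count[src]++
    }
    END { for (s in count) print s, count[s] }
  ' | sort
}

# count_found SOURCE: number of FOUND lines in SAMPLE_LOG attributed to SOURCE
# (prints 0 when the source never fired, unlike a bare "grep -c" pipeline
# whose non-zero exit status can trip scripts running under set -e).
count_found() {
  n=$(printf '%s\n' "$SAMPLE_LOG" | classify_found | awk -v s="$1" '$1 == s { print $2 }')
  printf '%s\n' "${n:-0}"
}

# Stand-alone run: print the per-source table for the sample log.
printf '%s\n' "$SAMPLE_LOG" | classify_found
```

The `OK` and `SelfCheck` lines are skipped because only lines ending in ` FOUND` are counted; the `-i` in the quoted greps is unnecessary here because the prefix is lowercased before tallying. Note that, as Dennis points out, these counts only reflect mail that reached the scanner at all, so they understate what the earlier milter and reputation layers already rejected.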