[clamav-users] ClamAV in production environment

Groach groachmail-stopspammingme at yahoo.com
Wed Jun 1 12:11:55 UTC 2016


Interesting.  Asking a ClamAV mailing list how 'reliable' ClamAV is and 
whether it should be recommended. (I wonder what kind of answers you 
were expecting to receive).

Well, luckily, I am here and I have experience and no loyalty whatsoever 
so will offer an unbiased opinion.

Answer:

DON'T!  Don't rely on its default signatures as an inline scanner for 
anything that you consider remotely/mildly important to be protected.  
At best it will protect/detect SOME threats several days (eventually) 
after the initial threat, at worst never.

All is not lost though.  The one good thing about Clam is that it does 
have the ability for you to use 3rd party signatures (as well as 
creating your own if you feel so inclined).  There are 2 main 
contributor 3rd party signature providers ('securiteinfo' and 'Sane 
Security') and with one or both of those you will make the product 
better than acceptable.

I use Sane Security and after many tests and running it I concluded that 
with its definitions it exceeds all other commercial offerings for ZERO 
hour threats (and I mean zero "HOUR", not day).

Obviously the main threats to your system are new ones so inoculation to 
zero-hour threats is of the utmost importance (more than old threats) 
but having them is no good if your system doesn't ACTUALLY DOWNLOAD them 
in time. Sane does 1 hour updates as opposed to most other solutions that 
do once a day.

Clam does have some good features regarding its technicalities (how 
it does things) apparently but all of this is worthless if your 
signatures are old.

Just so you know:  I use Clam(win) + Sane as an INLINE scanner to a 
mailserver along with other precautions (blacklisting of certain 
attachments etc) and consider it to be as safe as it will ever be. I 
also then supplement by ensuring a more steadfast trustworthy commercial 
product (Bitdefender, in my case) exists on the end-user/client 
machines. This should be a similar scenario to what you should employ 
for upload/attachment checking.  BUT YOU MUST USE THE 3RD PARTY 
SIGNATURES.  You have been warned.

Without the 3rd party signatures, you might as well not use it and you 
will become very unpopular with your "sensitive customer" very quickly 
when they are being asked to pay a ransom to unlock their system (so 
don't waste your time).  Commercial products, although stronger on their 
signature detections, have the same flaw in their update time.  So you 
could be wasting time (and creating a problem) if you rely on waiting 8 
hours for a new threat to be detected.

You can of course always look up other independent reviews on the 
internet (such as https://www.av-test.org/)

That's my opinion, humble as it is, and I stick by it.

Regards



On 01/06/2016 13:53, Eljai Mohammed wrote:
> Dear All,
>
> Within the framework of a project for a sensitive client, we would like to
> put in place clamAV in order to scan the users’ uploaded files through a
> web interface.
>
> Accordingly, we would like to know:
> - To what extent is clamAV reliable?
> - Do you recommend it in a production environment? If yes, do you have
> references that use it in production?
> - Does it worth a paid anti-virus? (Kaspersky or Symantec)?
>
> Thank you !
>
> Best regards,
>
> Mohammed EL JAI.
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
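
The reply above argues that signatures are worthless if they are not actually downloaded in time. As an added example (not part of the original post, and not ClamAV or Sane Security code), this sketch reports how old the newest official and third-party signature files in a database directory are. The thresholds, the `/var/lib/clamav` default and the grouping rule are assumptions; file modification time is only a heuristic for "last successful update".

```python
import time
from pathlib import Path

# File extensions of signature databases ClamAV loads from its database directory.
DB_EXTS = {".cvd", ".cld", ".ndb", ".hdb", ".hsb", ".ldb", ".cdb", ".fp", ".ftm", ".yara"}
# main.* and bytecode.* change rarely, so only daily.* indicates official freshness.
OFFICIAL_STEMS = {"main", "daily", "bytecode"}

def newest_mtime(paths):
    """Most recent modification time in a group, or None if the group is empty."""
    times = [p.stat().st_mtime for p in paths]
    return max(times) if times else None

def signature_freshness(db_dir, max_official_h=24, max_third_party_h=2, now=None):
    """Return {group: (status, age_hours)} for official and third-party signatures.

    Assumption: the newest file in each group marks the last update that brought
    changes. Thresholds follow the post (daily vs. hourly) with some slack.
    """
    now = time.time() if now is None else now
    files = [p for p in Path(db_dir).iterdir() if p.is_file() and p.suffix in DB_EXTS]
    groups = {
        "official": ([p for p in files if p.stem == "daily"], max_official_h),
        "third_party": ([p for p in files if p.stem not in OFFICIAL_STEMS],
                        max_third_party_h),
    }
    report = {}
    for name, (paths, limit_h) in groups.items():
        newest = newest_mtime(paths)
        if newest is None:
            # No files at all: third-party signatures were never installed.
            report[name] = ("MISSING", None)
            continue
        age_h = (now - newest) / 3600
        report[name] = ("STALE" if age_h > limit_h else "OK", round(age_h, 1))
    return report

if __name__ == "__main__":
    import sys
    # Assumed default path; pass the real database directory as the first argument.
    db_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/clamav"
    result = signature_freshness(db_dir)
    for group, (status, age) in result.items():
        print(f"{group:12} {status:8} newest update {age} h ago")
    sys.exit(0 if all(s == "OK" for s, _ in result.values()) else 1)
```

The non-zero exit status on a stale or missing group lets a scheduler or monitoring check alert when updates silently stop.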



