[clamav-users] ClamAV+exim: scanner finds not a single malware

Dave McMurtrie dave64 at andrew.cmu.edu
Mon May 23 14:39:41 EDT 2016


On Mon, 2016-05-23 at 19:52 +0200, C.D. Cochrane wrote:
> >> My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
> >> I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
> >> of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
> >> that. ClamAV got more than a million virus samples per day, last time I inquired.
> >> ...Chris
> >
> > As for the claim above about Dridex etc being too numerous to handle,
> > Sane Security seems to be doing just a fine job of it. (So it's just a
> > lame response).
> 
> I'm not sure what heuristic Sane Security uses. My original point was that a traditional signature (sigtool?)
> on the current generation of malware seems to be a non-scalable idea. One million new sigs per day is not
> realistic. ClamAV must evolve if it is going to remain useful. There has to be a better scheme to ID new
> malware than sigtool.  
> 
> Otherwise, groach is right.  ClamAV is just a redundant way to scan for virus files from 2008 or see if your
> latest files can generate FPs.

Are there any open-source alternatives that are better than ClamAV?  We
actually attempted to use the Sophos PureMessage AV component (since
we're paying for it as part of our PureMessage license anyway).  The
memory footprint was such that it demolished our MTA servers, so we had
to bag that idea.

ClamAV is fast, free, easy to integrate with just about any MTA and it's
actively developed.  We've been running it for years, along with the
SaneSecurity signatures and it's been working well for us.  If there's a
better alternative, I'd be interested in learning about it.

--Dave
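To make concrete the scalability argument the thread is circling around (one exact-match signature per mutated attachment versus one pattern that survives the mutation), here is a small added example. It is not code from the thread, from ClamAV or from Sane Security. The "attachments" are constructed byte strings, not real samples; the hash signature is modelled loosely on ClamAV's .hdb layout (md5:size:name) and the body signature loosely on an .ndb hex pattern, and both signature values are assumptions made up for the demo.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-in for an attachment body (harmless bytes, not malware).
# Each "mutant" differs from the base only in its last byte, standing in for
# the tiny per-mail mutations the thread describes.
BASE = b"MZ\x90\x00" + b"DROP-LOADER-v1" + b"\x00" * 16
SAMPLE_A = BASE + b"\x01"
SAMPLE_B = BASE + b"\x02"

# Hash-based signature (assumed value): exact content match on SAMPLE_A only.
HASH_SIG = (hashlib.md5(SAMPLE_A).hexdigest(), len(SAMPLE_A), "Demo.Hash.A")

# Body-based signature (assumed value): a pattern over a stable substring,
# so it keeps matching when unrelated bytes change.
BODY_SIG = ("Demo.Body.Loader", re.compile(rb"DROP-LOADER-v\d"))


def hash_match(data: bytes, sig=HASH_SIG) -> Optional[str]:
    """Return the signature name if size and MD5 match exactly, else None."""
    digest, size, name = sig
    if len(data) == size and hashlib.md5(data).hexdigest() == digest:
        return name
    return None


def body_match(data: bytes, sig=BODY_SIG) -> Optional[str]:
    """Return the signature name if the body pattern occurs anywhere."""
    name, pattern = sig
    return name if pattern.search(data) else None


def scan(data: bytes) -> dict:
    """Run both signature types over one attachment body."""
    return {"hash": hash_match(data), "body": body_match(data)}


def hash_sigs_needed(samples) -> int:
    """How many distinct hash signatures would cover every sample."""
    return len({hashlib.md5(s).hexdigest() for s in samples})


def body_sig_covers_all(samples) -> bool:
    """Whether the single body signature already covers every sample."""
    return all(body_match(s) is not None for s in samples)


if __name__ == "__main__":
    mutants = [BASE + bytes([i]) for i in range(50)]
    print(scan(SAMPLE_A))                 # both signature types hit
    print(scan(SAMPLE_B))                 # only the body signature hits
    print(hash_sigs_needed(mutants))      # one hash sig per mutant: 50
    print(body_sig_covers_all(mutants))   # one body sig covers all: True
```

The point is not that hash signatures are useless (they are cheap and false-positive free), but that each mutated attachment needs its own, whereas a signature on the part of the file the mutation does not touch costs one entry however many variants arrive.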

