[clamav-users] ClamAV+exim: scanner finds not a single malware

Joel Esler jesler at cisco.com
Mon May 23 14:41:45 EDT 2016


On Mon, May 23, 2016 at 06:39:41PM +0000, Dave McMurtrie wrote:
>On Mon, 2016-05-23 at 19:52 +0200, C.D. Cochrane wrote:
>> >> My 2 cents would be that rapid traditional signature updates are not a viable solution to this long term problem.
>> >> I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc. ransomware is generated using millions
>> >> of tiny mutations so that almost every email attachment has a unique signature. There is no way to keep up with
>> >> that. ClamAV got more than a million virus samples per day, last time I inquired.
>> >> ...Chris
>> >
>> > As for their claim above about Dridex etc. being too numerous to handle,
>> > Sane Security seems to be doing just a fine job of it. (So it's just a
>> > lame response).
>>
>> I'm not sure what heuristic Sane Security uses. My original point was that a traditional signature (sigtool?)
>> on the current generation of malware seems to be a non-scalable idea. One million new sigs per day is not
>> realistic. ClamAV must evolve if it is going to remain useful. There has to be a better scheme to ID new
>> malware than sigtool.
>>
>> Otherwise, groach is right.  ClamAV is just a redundant way to scan for virus files from 2008 or see if your
>> latest files can generate FPs.
>
>Are there any open-source alternatives that are better than ClamAV?  We
>actually attempted to use the Sophos PureMessage AV component (since
>we're paying for it as part of our PureMessage license anyway).  The
>memory footprint was such that it demolished our MTA servers, so we had
>to bag that idea.
>
>ClamAV is fast, free, easy to integrate with just about any MTA and it's
>actively developed.  We've been running it for years, along with the
>SaneSecurity signatures and it's been working well for us.  If there's a
>better alternative, I'd be interested in learning about it.


I'd be interested in shipping as much detection as we possibly can for ClamAV.  This is a community, but I'd love to have an increase in the amount of signatures sent back to us.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com
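The thread's argument that per-copy hash signatures cannot keep up with mass mutation, while a body signature written for the family still can, is shown below on a constructed sample. This is an added example, not code from the thread or from the ClamAV project; the sample bytes, the signature names and the simplified matcher (only target type 0, offset `*` and `??` byte wildcards of the .hdb/.ndb formats) are assumptions, not real database entries.

```python
import hashlib
import re

# Constructed stand-in for a mutated e-mail attachment (not a real sample):
# a fake header, padding, one recognisable string, more padding, a tail.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 60 + b"GET /cfg.php?id=" + b"\x00" * 20 + b"end"

def hdb_signature(data: bytes, name: str) -> str:
    """Build a .hdb-style hash signature line: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def hdb_match(sig: str, data: bytes) -> bool:
    """A hash signature hits only an exact byte-for-byte copy of the sample."""
    md5, size, _name = sig.split(":", 2)
    return len(data) == int(size) and hashlib.md5(data).hexdigest() == md5

def ndb_match(sig: str, data: bytes) -> bool:
    """Simplified .ndb-style body signature: MalwareName:TargetType:Offset:HexSig.
    Assumed subset: target type 0 (any file), offset '*' and '??' byte wildcards."""
    _name, _target, _offset, hexsig = sig.split(":", 3)
    tokens = [hexsig[i:i + 2] for i in range(0, len(hexsig), 2)]
    pattern = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens)
    return re.search(pattern, data, re.DOTALL) is not None

def mutate(data: bytes, index: int, value: int) -> bytes:
    """Change one byte, the kind of per-copy tweak a mass-mutating builder makes."""
    out = bytearray(data)
    out[index] = value
    return bytes(out)

# One hash signature for the original copy, and one body signature with the
# variable filename ("cfg") wildcarded out so it covers the whole family.
HASH_SIG = hdb_signature(ORIGINAL, "Constructed.Downloader")
BODY_SIG = "Constructed.Downloader:0:*:474554202f??????2e7068703f69643d"

VARIANTS = [
    mutate(ORIGINAL, 10, 0x41),        # a padding byte changed
    mutate(ORIGINAL, 69, ord("x")),    # filename 'cfg' -> 'xfg'
    ORIGINAL + b"\x00",                # one byte appended, file size changes
]

def compare(samples) -> list:
    """Return (hash_hit, body_hit) for each sample."""
    return [(hdb_match(HASH_SIG, s), ndb_match(BODY_SIG, s)) for s in samples]

if __name__ == "__main__":
    print("original:", compare([ORIGINAL]))   # [(True, True)]
    print("variants:", compare(VARIANTS))     # three times (False, True)
```

Every mutated copy needs a fresh hash entry, which is the "one million new sigs per day" problem, whereas the single wildcarded body signature keeps matching; the real ClamAV engine adds many more signature types (logical, YARA, bytecode) on top of these two.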