[clamav-users] ClamAV+exim: scanner finds not a single malware
Groach
groachmail-stopspammingme at yahoo.com
Mon May 23 18:56:57 UTC 2016
On 23/05/2016 20:39, Dave McMurtrie wrote:
> On Mon, 2016-05-23 at 19:52 +0200, C.D. Cochrane wrote:
> ClamAV is fast, free, easy to integrate with just about any MTA and
> it's actively developed. We've been running it for years, along with
> the SaneSecurity signatures and it's been working well for us. If
> there's a better alternative, I'd be interested in learning about it.
For the record, I too am using Clam (ClamWin, actually) as the inline
email scanner for our MTA but that's only because we have subscribed to
SaneSignatures (a money donation well worth it). Without Sane the clam
default sigs are a joke (sometimes taking MONTHS to appear after the
threat release, sometimes not even there for years later. I've proven
all of these points, with evidence, in the past). Sane sigs, however,
made the solution better if not the BEST compared to ALL OTHER
commercial releases for trapping Zero-hour threat (they really put the
'zero hour' into "zero hour" unlike other AV providers taking 'many
hours' (sometimes even "a day or two") to respond with their "zero hour"
signatures).

The one lesson I did learn though was never to automatically quarantine
or delete 'infected' files (put it in REPORT ONLY scan mode).
Historically Clam sigs had far too many False Positives which famously
culminated in disabling complete systems earlier this year (Windows
specifically) because they deleted system DLL files and other genuine
programs - even its own Clam program! (Admittedly, since March, the rate
of FPs seems to have been reduced. Whether that's because of the new
signature format or what I don't know).