[clamav-users] ClamAV+exim: scanner finds not a single malware

Joel Esler jesler at cisco.com
Mon May 23 15:21:09 EDT 2016


On Mon, May 23, 2016 at 08:56:57PM +0200, Groach wrote:
>On 23/05/2016 20:39, Dave McMurtrie wrote:
>>On Mon, 2016-05-23 at 19:52 +0200, C.D. Cochrane wrote:
>>ClamAV is fast, free, easy to integrate with just about any MTA and 
>>it's actively developed. We've been running it for years, along with 
>>the SaneSecurity signatures and it's been working well for us. If 
>>there's a better alternative, I'd be interested in learning about 
>>it.
>For the record, I too am using Clam (Clamwin, actually) as the inline 
>email scanner for our MTA but that's only because we have subscribed to 
>SaneSignatures (a money donation well worth it). Without Sane the clam 
>default sigs are a joke (sometimes taking MONTHS to appear after the 
>threat release, sometimes not even there for years later.  I've proven 
>all of these points, with evidence, in the past).  Sane sigs, however, 
>made the solution better if not the BEST compared to ALL OTHER 
>commercial releases for trapping Zero-hour threat (they really put the 
>'zero hour' into "zero hour" unlike other AV providers taking 'many 
>hours' (sometimes even "a day or two") to respond with their "zero 
>hour" signatures).
>
>The one lesson I did learn though was never to automatically 
>quarantine or delete 'infected' files (put it in REPORT ONLY scan 
>mode).  Historically Clam sigs had far too many False Positives which 
>famously culminated in disabling complete systems earlier this year 
>(windows specifically) because they deleted system DLL files and other 
>genuine programs - even its own Clam program! (Admittedly, since 
>March, the rate of FPs seems to have been reduced.  Whether that's 
>because of the new signature format or what I don't know).

Several reasons.  Partly because of your concerns which brought things to our attention.  False Positive reports are important! 

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com