[clamav-users] ClamAV+exim: scanner finds not a single malware

Joel Esler (jesler) jesler at cisco.com
Sat May 28 22:46:51 EDT 2016


A.  I wish I had a fan club
B.  Thank you for your input.
C.  We'll do better.

--
Joel Esler
Manager, Talos Group
Sent from my iPad

On May 28, 2016, at 7:37 PM, Groach <groachmail-stopspammingme at yahoo.com> wrote:

Ooh, Joel, I'm going to enjoy replying to this one.......

On 28/05/2016 23:42, Joel Esler (jesler) wrote:
Groach,

If you hate the project so much....
I don't hate the product.  Only last week (if you care to read back) I declared how the product WITH THE AID OF 3RD PARTY SIGNATURES made it almost the best product out there for ZERO-HOUR threats.  And with this reason, and CONSEQUENTLY the sheer fact I keep the product in operation for the last 3 years, shows that I do not hate the product.  Nor would you see my very blatant advertising for it (as recommendation) in my signature here: https://www.hmailserver.com/forum/index.php (it won't take long for you to see).

......that you have to complain during every thread .....

I don't.  Look back and I have hardly responded to any.  I came on in March (maybe February) after that fiasco with the Windows system-killing signature issued back at the time.  And I have involved myself to about 4 or 5 threads since.  FOUR.  However, what I have done is not relent on the point I was making at the time.  In the initial thread you were pretty dismissive of the problem ("we can't test everything", "we are working on other things", "we haven't had many complaints" etc etc) and therefore, yes, it got pretty intense for you because such an attitude to a genuine user's 'feedback' about the damage your product did was outrageous and I wouldn't let it go. It was for this reason you remember very clearly. And rather than sling mud at you I decided to battle on to get the point across until you DID finally acknowledge there were issues to be addressed.  And let me remind you that only earlier this week you acknowledged that my complaint and issues raised were partly responsible for the work you have done recently.

and refuse to help and be constructive by providing files,

NOW I feel I want to swear at you!  Reminder:  I spent 2 YEARS regularly sending in reports and files for inoculation by the ClamAV team as well as the endless stream of False Positives.  These reports were done almost DAILY.  And it was the observation that despite sending these reports in nothing actually got done that made me so aware of the poor performance of the product and the teams dealing with the signatures.  So you can take your claims of me 'not providing files' and stick them in the hole you left where your up-to-date EFFECTIVE signatures should be!

or signatures for those files (which is just plain productive),....

NO!  YOU provide the signatures!  I gave you the files, and the false positives!  And now you are saying I need to give the signatures too?!  "Here, have an engine, receive a threat, analyse it, generate a signature to protect yourself  and let us have a copy please too (oh, and don't forget to pay the ransom to get your system back from the Cryptolocker virus that we failed to stop for you)". REALLY?!!  Is that how you want to maintain an Antivirus Solution? (Obviously, yes.  It does explain why they are so ineffective).

then perhaps you need to seek assistance elsewhere.

I don't need assistance.  I KNOW the usefulness (or lack of) of ClamAV and its definitions.  My posts reminding of their performance were a reminder to help others who THINK they are getting a protected system by relying on Clam (only) signatures.  THIS is what I call being helpful.  I don't think telling a 'user' of an ineffective system to 'stop complaining about it and keep quiet' is any form of assistance whatsoever.

I am all for trying to help everyone on this list, as long as people on this list attempt to help us, but just being honest, this method of engagement is not helpful.

And there we have it.  You don't even know what is helpful and what isn't.

a,  I was responding to OTHER people who showed interest, requested information from me (DP) and actually had nothing to do with you and
b, On 28/05/2016 17:03, Joel Esler (jesler) wrote:
So our recent improvements and detection have not produced any different result in the field?
I was doing a test for YOU to see and conclude yourself!  Don't bark at me when you don't like the results given back to you.

c,  WE are ENTITLED to share our experiences and offer guides to those that want it even if it is not what JOEL ESLER - denier of problems, wants to hear.  If my complaints about your signatures, demonstrations of their ineffectiveness and highlighter of your denial to problems helps others to move on to employing 3rd party signatures (or move away from Clam completely) to simply ensure their system is protected as they expect it to be then I consider MY JOB as a helpful 'assistant'  done.  Perhaps it's something you should take note of.


Case in point:

You have just said the list I provided was not up to date.  Ooh, that's ok then, as long as the users get infected by OLD viruses, they should be happy.

Most of those files that failed detection by your product I REPORTED TO CLAM at the time.  Yes, even the ones that are 2 years old.  And the first file in the list is only 3 days old.  So somewhere between 2 years and 3 days old, still not being detected - when exactly do you want a valid file to be detected and therefore see Clam as successful?  Before it's released? Or another couple of years??

And going back to earlier in the thread I am not the only one. Quote G.W Haywood:

"I'll disagree too, since ClamAV here sees approximately one virus per annum "

and I'm sure you don't have to look very hard for others to have the same experience.  This maillist is full of people saying "I've reported but still it's not added...." type complaints.  (And where it's not added, it's missing and threats go undetected).

In other words, Mr Manager,  if you don't want me (and others) complaining about the product, then don't give me anything to complain about.

(p.s. Note for the Joel Esler fan club:  Don't bother trying to defend, I'm sure he is big enough to fight his own battles and I'm pretty thick skinned.  I have my system working with 3rd party signatures and know better than to rely on it to save it (it's supplementary to other AV features) and if you are a believer of the usefulness of this product, rely on it without other supplements and say my FACTS above are wrong then you really are a fool to yourself.)

You're welcome!



On 28/05/2016 23:38, Joel Esler (jesler) wrote:
To be honest right now, I'm interested in threats coming out more recently.  While yes, your concern is valid, I'd like to hear from someone with a more recent test set.
Most of those files that failed detection by your product I REPORTED TO CLAM at the time.  Yes, even the ones that are 2 years old.  And the first file in the list is only 3 days old.  So somewhere between 2 years and 3 days old, still not being detected - when exactly do you want a valid file to be detected and therefore see Clam as successful?  Before it's released? Or another couple of years??

On May 28, 2016, at 12:13 PM, Groach <groachmail-stopspammingme at yahoo.com> wrote:

24 files, ALL OF THEM are viruses of some sort or another (including 1 which is the eicar test virus).

ClamAV database:


----------- SCAN SUMMARY -----------
Known viruses: 4397481
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
**Infected files: 10**

Data scanned: 5.27 MB
Data read: 1.48 MB (ratio 3.57:1)
Time: 15.429 sec (0 m 15 s)

--------------------------------------
Completed
--------------------------------------

10.  Just 10.  Out of 24.  And these are all OLD viruses (minimum 2 months old except 1).


But with SANE DEFINITIONS:

----------- SCAN SUMMARY -----------
Known viruses: 4512349
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
**Infected files: 23**

Data scanned: 3.92 MB
Data read: 1.48 MB (ratio 2.65:1)
Time: 17.409 sec (0 m 17 s)

--------------------------------------
Completed
--------------------------------------

Says it all really.  I leave you to make your own conclusions.





On 28/05/2016 16:00, G.W. Haywood wrote:
Hi there,

On Mon, 23 May 2016, C.D. Cochrane wrote:

... ClamAV is just ...

and on Mon, 23 May 2016, Joel Esler wrote:

Obviously going to disagree. ...

I'll disagree too, since ClamAV here sees approximately one virus per
annum (and as far as I'm concerned, whether or not ClamAV detects the
virus that it sees is really not an issue).  For some explanation see

http://marc.info/?l=clamav-users&m=141245133506824&w=2


_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


