[clamav-users] ClamAV+exim: scanner finds not a single malware

Ned Slider ned at unixmail.co.uk
Sun May 29 07:08:21 EDT 2016

On 29/05/16 10:22, Groach wrote:
> On 29/05/2016 10:19, kristen R wrote:
>> It should be obvious although not mentioned that everyone who uses
>> clamav is your fan club. I am a fan.
>> I also believe that clamav is an open source project? So if someone
>> doesn't like this product then they might submit a patch for improve
>> features or functionality?
>> If this is true, then bitching is unproductive. Else put your code
>> where your mouth is.
>> Kristen
> I agree.  So, all you people that dont like the product and it features
> of ClamAV, come on and put your hands up, stop bitching and submit your
> own patches. (Although the slight flaw in the statement is the
> assumption that all users have the ability to code and fix the product.
> If everyone that drives a car had the ability to fix them too, there
> wouldnt be any service garages would there. And not being skilled enough
> to fix the car themselves doesnt mean they have to accept the
> ineffective brakes 'as a feature'.  In reality, of course, most people
> are simply too busy running an IT department or mail server to learn
> such new skills and leaves coding to CODERS.)
> And, army of disgruntled coders, whilst youre at it, maybe you can also
> help to solve the REAL PROBLEM of the signatures out too (effectivity
> and frequency).  Then the rest of us that like Clam (for its opportunity
> to employ more useful 3rd party signature) can also benefit.  After all,
> of Sane security can make effective signatures, as a one man unfunded
> operation, then why oh why cant a CISCO-backed 'company' with its code
> open to the worlds programmers not do the same?  (Irony, anyone?)

I don't normally respond to this type of thread but felt compelled to 
add my 2p worth of experience.

I love open source software and have run ClamAV on my own mail server 
for as long as I care to remember. I was also an active member of the 
anti-malware research community for a considerable time.

IMHO anti-virus products lost the battle a long time ago - it is simply 
not realistic to expect ANY company, commercial or open source, to be 
able to produce signatures for the number of new virus samples that 
emerge in a timely fashion. It has been this way for a long time. The 
numbers bear this out. A new paradigm is needed. I once hoped heuristic 
detection might have been the way forward but this doesn't seem to have 
produced the required results either.

This led me to conclude that all anti-virus products are essentially 
ineffective. Submitting samples I collect that hit my mail server spam 
traps to Virus Total support this conclusion (YMMV). Detection rates are 
abysmal at the time I collect the samples.

For me, as for others who have posted in this thread, the solution is 
simple - I simply do not permit executable code to pass through my mail 
servers. I can not think of a case where allowing executable code to be 
distributed by email outweighs the risks. Where is does, and the user 
can make a genuine risk-assessed case, it is easy enough to add case by 
case exceptions for individual users. Problem solved, at least from the 
mail server prospective.

Admittedly I am operating at the lower end of the market where it is 
easy for me to impose such unilateral policies, but I would make the 
same case all the way up to large corporates and ISPs. No reason an ISP 
can't operate the same default policy and provide a mechanism to allow 
users to opt out if they find the need to send executable code by email 
(some large ISPs block outbound tcp25 connections to address spam issues 
so they can do it when they want to). And given the numerous recent 
examples of large corporations suffering costly data leaks, even they 
should now be willing to take security concerns more seriously rather 
than scoffing at IT departments always trying to impose more restrictive 
(paranoid) working practices.

Where ClamAV should (or could) have an advantage over it's closed source 
relatives is in the sheer number of volunteers the project has the 
potential to mobilise. The ClamAV Project has the potential to mobilise 
a huge army of open source volunteers, all writing and sharing community 
signatures for the samples they collect. The framework to do this 
already exists. Would this be enough to represent timely and efficient 
detection of threats, who knows, but it is a potential resource that is 
simply not available to commercial AV companies. The samples are there, 
everyone is willing to share them, but no one company has the resources 
to protect their users from all of them due to the sheer volume. So the 
industry needs to develop a new way of working or it will die - either 
it collaborates (a concept already embraced by the Open Source 
community) or it comes up with a new way to protect it's users (e.g, 
heuristics), or people will stop paying an annual fee for a product that 
fails to protect them (I would rather spend that money of user education 
than an ineffective AV product).

In reality the AV industry died for me some while ago with the 
realisation I am simply unable to rely on the product to produce 
anything resembling acceptable levels of performance. Harsh maybe, but 
IMHO it's simply not fit for purpose. As I mentioned above, as a 
postmaster I solved the problem by simply not allowing executable 
attachments. I do still run ClamAV on my mail servers, it uses few CPU 
cycles, detects nothing but I figure it does no harm so why mess with a 
system that isn't broken and has worked for years.

More information about the clamav-users mailing list