[clamav-users] Are signatures for Windows only?
Chris Pollock
cpollock at embarqmail.com
Mon Apr 1 14:09:12 UTC 2019
On Wed, 2019-03-27 at 11:07 +0000, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 25 Mar 2019, Joel Esler wrote:
>
> > On Mar 25, 2019, at 12:22, G.W. Haywood via clamav-users ... wrote:
> >
> > > ... we really only use ClamAV to scan mail. I guess we're as
> > > untypical of a ClamAV user as you'll get.
> >
> > Actually, from what we understand, ClamAV is mostly used to scan
> > email.
>
> Quite so.
>
> On Tue, 26 Mar 2019, Graeme Fowler wrote:
>
> > We (Loughborough University) use ClamAV ...
>
> Unfortunately when I was at Loughborough University (Electronic and
> Electrical Engineering) ClamAV did not exist. Nor did the Internet,
> as I graduated in 1976 (*). :/
>
> > Picking a random recent day, we had 135000 rejections, 6500 of which
> > were from ClamAV. By comparison, we accepted & delivered 25000
> > messages ...
>
> On that day's numbers it looks like ClamAV is rejecting about 5% of
> rejected mail. Here, in fifteen months, it's rejected _less_ than
> 0.0002% (although I'll grant that both are likely poor statistics).
>
> On Mon, 25 Mar 2019, J.R. wrote:
>
> > Yep, other measures for me too has meant that ClamAV *might* get one
> > hit a day, which typically is a 3rd party phishing signature. I'm
> > sure if ClamAV didn't catch it the email would still have been
> > flagged and deleted as spam from other measures.
> >
> > > It's a while since I looked at this, so I did a few 'grep's on
> > > 'daily':
> >
> > You inspired me to take a look at the signature files ...
>
> Excellent! I like to inspire. :)
>
> Obviously I didn't mean that using ClamAV to scan mail is untypical,
> it's our 0.0002% detection rate which I think might be untypical. I
> should be very concerned if I relied on *any* anti-virus package to
> stop one in twenty malicious payloads. Not that I'm saying LU does,
> there isn't enough information here to make that call. But my guess
> is that the typical ClamAV user feels that, if a message has been
> scanned, it's probably safe to use a mail client's GUI to read it.
> I'm pretty sure that it isn't (and my mail client doesn't have one,
> and I'm *sure* that's untypical).
>
> On Mon, 25 Mar 2019, Joel Esler wrote:
>
> > That's super interesting. I'd be interested in what the 6500
> > signatures were. Just for a real world "what are you seeing"
> > conversation.
>
I run ClamAV on my incoming mail here at home in conjunction with SA. I
also run a small Perl script 'clamstats.pl' that was written about
15 years ago by Paul Venezia. So, since this is just my home system my
stats are very few since 2 Jan of this year. This is just mail that
isn't put into other folders first by Procmail. The script also makes a
nice looking .html file.

22 Virus Types Detected
------------------------------------------
SecuriteInfo.com.Spam-8755.UNOFFICIAL(bc6d2c8f49e4e0d015   1   4.55%
SecuriteInfo.com.Spam-5087.UNOFFICIAL(ce46beba4b24c6f8de   1   4.55%
Sanesecurity.Phishing.Fake.Coin.27586.UNOFFICIAL(0000000   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(1f58b47551ff77c15a   1   4.55%
SecuriteInfo.com.Spam-3019.UNOFFICIAL(d85fd8056a7740a8df   1   4.55%
SecuriteInfo.com.Spam-3835.UNOFFICIAL(9a2d57fd755174de44   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(b7ae06a46f2943f2a5   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(d23a20a925aa96f9e1   1   4.55%
SecuriteInfo.com.Spam-3019.UNOFFICIAL(fe560f6601c350dbbf   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(615e99ca5b46843b5e   1   4.55%
SecuriteInfo.com.Spam-4044.UNOFFICIAL(37b28d2bbad9ed1a5f   1   4.55%
SecuriteInfo.com.Spam-2895.UNOFFICIAL(000000000000000000   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(c65de330c02b18117b   1   4.55%
Sanesecurity.Phishing.Fake.Coin.27622.UNOFFICIAL(0000000   1   4.55%
SecuriteInfo.com.Spam-8755.UNOFFICIAL(97f0b7069e0cbad9f7   1   4.55%
SecuriteInfo.com.Spam-3835.UNOFFICIAL(c3bb70311ce1ea7d19   1   4.55%
SecuriteInfo.com.Spam-8755.UNOFFICIAL(5269acdb10a7bf81de   1   4.55%
SecuriteInfo.com.Spam-3835.UNOFFICIAL(b3cfb50a01c714a5eb   1   4.55%
SecuriteInfo.com.Spam-8755.UNOFFICIAL(b6396a22ce5637efaf   1   4.55%
SecuriteInfo.com.Spam-3019.UNOFFICIAL(53e6ed8c5476d215ed   1   4.55%
SecuriteInfo.com.Spam-4044.UNOFFICIAL(580e2fe07ab4a4eff6   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(4e9a21ef313466c6fb   1   4.55%

Not sure if this would work for a large organization since it pretty
much requires that the clamd.log not be rotated so that the correct
number of caught viruses is maintained.
--
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:56:27 up 16:18, 1 user, load average: 1.55, 1.15, 1.15
Description: Ubuntu 18.04.2 LTS, kernel 4.15.0-46-generic
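
Added example (not part of the original post, and not the clamstats.pl script it mentions): one way to keep per-signature detection counts correct when clamd.log is rotated, by tallying "FOUND" lines across the current log and its rotated, optionally gzip-compressed, predecessors. The sample lines, paths and signature names are constructed, and the log line layout is assumed to be clamd's usual "<path>: <signature> FOUND", with "(md5:size)" appended when ExtendedDetectionInfo is enabled.

```python
import gzip
import re
from collections import Counter

# clamd detection line: "<timestamp> -> <path>: <Signature> FOUND".
# With ExtendedDetectionInfo enabled the name is followed by "(md5:size)".
FOUND_RE = re.compile(
    r": (?P<sig>\S+?)(?:\([0-9a-f]{32}:\d+\))? FOUND\s*$")

# Constructed sample lines, not taken from the post's clamd.log.
SAMPLE = [
    "Mon Apr  1 08:00:01 2019 -> /tmp/m1: Example.Spam-1.UNOFFICIAL(0123456789abcdef0123456789abcdef:2048) FOUND",
    "Mon Apr  1 08:05:10 2019 -> /tmp/m2: OK",
    "Mon Apr  1 08:10:00 2019 -> SelfCheck: Database status OK.",
    "Mon Apr  1 09:00:00 2019 -> /tmp/m3: Example.Phish-2.UNOFFICIAL FOUND",
    "Mon Apr  1 09:30:00 2019 -> /tmp/m4: Example.Spam-1.UNOFFICIAL(fedcba9876543210fedcba9876543210:512) FOUND",
]

def open_log(path):
    """Open a plain or gzip-compressed (rotated) log as text."""
    opener = gzip.open if str(path).endswith(".gz") else open
    return opener(path, "rt", errors="replace")

def tally_lines(lines, counts=None):
    """Count detections per signature name, ignoring the per-file hash."""
    counts = Counter() if counts is None else counts
    for line in lines:
        m = FOUND_RE.search(line)
        if m:
            counts[m.group("sig")] += 1
    return counts

def tally_files(paths):
    """Accumulate one tally over every log generation that is passed in."""
    counts = Counter()
    for path in paths:
        with open_log(path) as fh:
            tally_lines(fh, counts)
    return counts

def report(counts):
    """Return (signature, hits, percent of all hits), most frequent first."""
    total = sum(counts.values())
    return [(s, n, round(100.0 * n / total, 2)) for s, n in counts.most_common()]

if __name__ == "__main__":
    for sig, n, pct in report(tally_lines(SAMPLE)):
        print(f"{sig:<40} {n:>3} {pct:6.2f}%")
```

Passing every retained generation (for example clamd.log, clamd.log.1 and clamd.log.2.gz) to tally_files gives totals that cover the whole retention window rather than only the current file.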