G.W. Haywood clamav at jubileegroup.co.uk
Mon Mar 25 15:20:50 EDT 2019

Hi there,

On Mon, 25 Mar 2019, J.R. wrote:

> ... I've seen an increasing amount of people posting about their
> non-windows platforms that are scanning their *entire* system ...

People have been doing that kind of thing for years, I'm not sure how
much it's increasing.  Most of the time it seems to me they don't know
why they're doing it nor even, if there is something in there to find,
how likely it is that a ClamAV scan will find it.  You often see scans
of /proc/, /dev/ and the like - which is only going to cause problems,
not solve them.  If for example you're hosting files for Windows hosts
on non-windows platforms there's certainly a case for scanning shared
data areas, but I don't know how representative that is of the typical
ClamAV user.  Although we share files with Windows platforms we really
only use ClamAV to scan mail.  I guess we're as untypical of a ClamAV
user as you'll get.  The main reason we use ClamAV is for third-party
databases such as the excellent set produced by Steve at Sanesecurity
(once again, thanks, Steve).  Even so, ever since we took to rejecting
mail based on things like geography it really is just the occasional
catch.  With an average incoming rate of mail of ca. 1200 attempts per
day(*), since January 2018 I've seen one genuine catch by ClamAV.  As
it happens it was a malicious Word document, cunningly disguised as a
statement of account from a local hotel.  As it happens we don't have
an account with that hotel - and we don't use Word, nor even Windows.

(*) After firewalling, 15 percent actually get to connect to port 25.

> I'm wondering if it is just a waste of CPU cycles, or if there are
> actual signatures that could detect anything on those platforms
> (that are not windows related)?

People do all sorts of daft things.  A lot of what they do wastes CPU
(and the associated energy, which I think these days is more important)
but one can't really deny that there might be the occasional surprise.
Very occasional indeed, however, in the case of most *nix boxes, and I
can't remember the last time I scanned a Linux box using ClamAV or any
other package.  At the time I didn't expect to find anything, I think
it was an experiment just to see how many false positives it gave and
how long it took.

It's a while since I looked at this, so I did a few 'grep's on 'daily':

mail6:/etc/mail/clamav# >>> wc daily.cld
1531682   1534564 117369856 daily.cld
mail6:/etc/mail/clamav# >>> grep -ai Win daily.cld | wc
  853283  853326 66772035
mail6:/etc/mail/clamav# >>> grep -ai Andr daily.cld | wc
  255329  255329 18510754
mail6:/etc/mail/clamav# >>> grep -ai doc daily.cld | wc
  154521  154584 11340974
mail6:/etc/mail/clamav# >>> grep -ai unix daily.cld | wc
   86435   86437 6496632
mail6:/etc/mail/clamav# >>> grep -ai java daily.cld | wc
   38254   38260 2686509
mail6:/etc/mail/clamav# >>> grep -ai OSX daily.cld | wc
   35652   35652 2531765
mail6:/etc/mail/clamav# >>> grep -ai PDF daily.cld | wc
   11133   11147  801891
mail6:/etc/mail/clamav# >>> grep -ai xls daily.cld | wc
   10227   10227  748439
mail6:/etc/mail/clamav# >>> grep -ai Phish daily.cld | wc
    3257    3257 1348569
mail6:/etc/mail/clamav# >>> grep -ai linux daily.cld | wc
       2       2     296

All right, I ran that last one as a bit of a joke but you can see
where the biggest problems are.
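A more exact version of those counts, added here as an example and not part of the original message or of ClamAV itself: it tallies signature names by their leading platform field (ClamAV names are Platform.Category.Name-ID-Rev) instead of by substring, so each signature is attributed to exactly one platform. The input shape is what `sigtool --list-sigs` prints; the listing below is a constructed sample, not real daily.cld content.

```python
from collections import Counter

# Assumed mapping from ClamAV platform tokens to readable labels (for display only).
PLATFORM_LABELS = {
    "win": "Windows", "andr": "Android", "doc": "Office documents",
    "unix": "Unix", "java": "Java", "osx": "macOS", "pdf": "PDF",
    "xls": "Excel", "linux": "Linux", "html": "HTML/phishing",
}

def platform_of(sig_name: str) -> str:
    """Return the platform token: the first dot-separated field, lower-cased."""
    return sig_name.split(".", 1)[0].strip().lower()

def count_by_platform(lines):
    """Tally one signature name per line by platform prefix; blank lines are skipped.
    Unlike `grep -i win`, a name containing 'win' elsewhere is not counted as Windows."""
    counts = Counter()
    for line in lines:
        name = line.strip()
        if name:
            counts[platform_of(name)] += 1
    return counts

def phishing_count(lines):
    """Count signatures whose category field is Phishing, whatever the platform."""
    total = 0
    for line in lines:
        parts = line.strip().split(".")
        if len(parts) >= 2 and parts[1].lower() == "phishing":
            total += 1
    return total

# Constructed sample listing (not real signatures).
SAMPLE = """\
Win.Trojan.Agent-1-0
Win.Malware.Generic-2-0
Andr.Trojan.Dropper-3-0
Doc.Dropper.Agent-4-0
Unix.Trojan.Agent-5-0
Osx.Adware.Generic-6-0
Html.Phishing.Bank-7-0
Pdf.Exploit.Agent-8-0
Linux.Trojan.Agent-9-0
Win.Phishing.Generic-10-0
""".splitlines()

if __name__ == "__main__":
    for platform, n in count_by_platform(SAMPLE).most_common():
        print(f"{PLATFORM_LABELS.get(platform, platform):18s} {n}")
    print("phishing signatures:", phishing_count(SAMPLE))
```

On a real install, feed it `sigtool --list-sigs` output line by line instead of SAMPLE.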