[clamav-users] Are signatures for Windows only?

G.W. Haywood clamav at jubileegroup.co.uk
Wed Mar 27 07:07:57 EDT 2019


Hi there,

On Mon, 25 Mar 2019, Joel Esler wrote:

> On Mar 25, 2019, at 12:22, G.W. Haywood via clamav-users ... wrote:
>
> > ... we really only use ClamAV to scan mail.  I guess we're as
> > untypical of a ClamAV user as you'll get.
> 
> Actually, from what we understand, ClamAV is mostly used to scan email.

Quite so.

On Tue, 26 Mar 2019, Graeme Fowler wrote:

> We (Loughborough University) use ClamAV ...

Unfortunately when I was at Loughborough University (Electronic and
Electrical Engineering) ClamAV did not exist.  Nor did the Internet,
as I graduated in 1976 (*). :/

> Picking a random recent day, we had 135000 rejections, 6500 of which
> were from ClamAV. By comparison, we accepted & delivered 25000
> messages ...

On that day's numbers it looks like ClamAV is rejecting about 5% of
rejected mail.  Here, in fifteen months, it's rejected _less_ than
0.0002% (although I'll grant that both are likely poor statistics).

On Mon, 25 Mar 2019, J.R. wrote:

> Yep, other measures for me too have meant that ClamAV *might* get one
> hit a day, which typically is a 3rd party phishing signature. I'm
> sure if ClamAV didn't catch it the email would still have been
> flagged and deleted as spam from other measures.
> 
> > It's a while since I looked at this, so I did a few 'grep's on 'daily':
> 
> You inspired me to take a look at the signature files ...

Excellent!  I like to inspire. :)

Obviously I didn't mean that using ClamAV to scan mail is untypical,
it's our 0.0002% detection rate which I think might be untypical.  I
should be very concerned if I relied on *any* anti-virus package to
stop one in twenty malicious payloads.  Not that I'm saying LU does,
there isn't enough information here to make that call.  But my guess
is that the typical ClamAV user feels that, if a message has been
scanned, it's probably safe to use a mail client's GUI to read it.
I'm pretty sure that it isn't (and my mail client doesn't have one,
and I'm *sure* that's untypical).

On Mon, 25 Mar 2019, Joel Esler wrote:

> That's super interesting.  I'd be interested in what the 6500
> signatures were.  Just for a real world "what are you seeing"
> conversation.

As Micah said:

On Tue, 26 Mar 2019, Micah Snyder wrote:

> We had hoped to re-implement it for 0.102.  I'm still crossing my
> fingers that we can get it done

It could be valuable to us to have the fed back information published
but you can see how it might be valuable to the wrong people too.

> but we've lost a lot of time working on improving ClamAV code
> quality and security.

That's not lost time.  It's time well used. :)

-- 

73,
(*) G.W. Haywood, BSc (1st hons 1976), CEng, MIET, MRIN.

