ClamAV's strong point, for me, has always been the ability to turn off 
just about anything causing an issue. I haven't seen this kind of fine 
detail ability in any AV product (commercial or free) that can match 
ClamAV for flexibility.

In theory, anything can mess up an AV package. ClamAV had an issue a 
while back with bad updates that would crash ClamAV daemon, so yes I 
guess technically that could be counted as an instability, even if it 
really had nothing to do with the actual definitions or data.

Reading the list, I see a lot of talk about the URL phishing scanning 
causing some slow scans, but again, this can be turned off if it's 
causing a problem. Overall, most of the commercial AV products are "set 
it and forget it", which I think is never a good thing for a system 
admin; if something goes wrong, you have no idea where to start. At least 
with ClamAV, if something is killing the AV product (some weird RAR 
files, etc.) it can be turned off until a solution is found.

That's why I would prefer ClamAV to others: I can see what the heck is 
going on and can talk with others here about the same issue without all 
the "product" red tape as I could call it.

But to answer your question, yes, those signature updates can cause 
serious scanning issues or false positives, it's just the nature of the 
beast and how you word semantics to define what "serious scanning 
issues" and "false positives" are. It's impossible to code an infallible 
AV scanning engine.

Thanks,
Michael



Paul Kosinski wrote:
> There is an article on eWeek.com today concerning "instability" in AV
> software due to the impossibility of adequately testing updates when
> releasing them as quickly as they are needed
> (www.eweek.com/article2/0,1895,2240656,00.asp?kc=EWKNLINF010208STR3).
>
> As I understand it, ClamAV is perhaps unusual in that CVD updates are
> purely data and do not change the executable code, so "instability"
> is much less likely. On the other hand, perhaps some signature data,
> especially those pertaining to phishing, contain something like
> counts governing FOR loops, or worse yet, termination conditions
> governing WHILE loops. In these cases, scanning could take a long
> time -- or even forever -- if there were a bug.
>
> An even worse case would be an update with a bad data-length field, or
> an improperly terminated string, either of which could cause a crash.
>
> So my question is, do ClamAV signature updates have the potential to
> cause serious scanning problems, or is it limited to lesser problems
> like false positives? (Of course, all AV scanners are prone to false
> negatives on recent, or cleverly obfuscated, viruses.)
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html