At 3:04 PM +0100 12/3/09, Jan Pieter Cornet wrote:
On Tue, Nov 24, 2009 at 04:17:50PM -0400, Robin wrote:
I am administering 7 Debian based LAMP servers and am working to get
anti-virus to scan uploads as they happen. Since I am a lone sheep in
the Microsoft wild of a larger organization I need to prove that Clam
is up for the task and at least at par with commercial A/V such as
McAfee Commandline Scanner.
I have found a few articles stating that Clam is in some cases
superior to most of the commercial counterparts.
I am looking for feedback and thoughts on this so I can bring my case
to the powers that we do not need to dish out $$ to provide virus
protection.
Your responses are likely to be biased by asking clamav-users :)
So let me give a slightly more negative argument. ClamAV used to be
quite fast in responding to virus threats, but is currently pretty slow
in response to email viruses. We use ClamAV only to scan email on an
SMTP server(farm) (approx 3E7 msgs/day).
We run 3 virus scanners, and I get daily statistics on the number of
viruses caught by each scanner, detailing exactly which viruses were
found by which scanner.
For at least half a year, clamav has been the slowest to respond to new
threats, usually taking at least a day, sometimes two days, to catch up.
The number of viruses that ClamAV finds that the others don't, is
negligible (a handful a day, and those are usually marked as spam
anyway).
That said, we only use the standard databases, and we disabled phishing
heuristics (too many false positives). Scanning accuracy might improve
if you add other malware databases. But I don't want to spend too much
CPU and memory on ClamAV.
Note that this isn't a complaint - I realise I get what I pay for, but
given that admin time isn't free either, ClamAV is definitely worse than
commercial AV products, even if you consider performance/price ratio.
Be aware that YMMV.
Jan-Pieter,
I would suggest that a selected group of unofficial signature files
can dramatically improve performance without causing too much CPU and
memory usage.
For example, these third party signatures detected the recent Zeus
outbreaks (not to mention the Google jobs, IRS and others) in one
case before any other AV vendor and usually the same time as 2-3.
Just my 2 cents,
Tom