On 2011 Jan 3, at 1:46, TR Shaw wrote:
> On Jan 2, 2011, at 7:12 PM, Bob Traktman wrote:
>> Is there any reason not to keep ClamAv and Sophos Anti-Virus -- both active?
>
> None whatsoever. Defense in depth is a good thing.

Probably not. However, a contemplation...

It's like a plane. Planes can have 1 engine, or 2, or even more, but usually not more than 4. Why not 8 engines? 100?

Plane engines have two failure modes:

1) They stop working. If that engine is all you got, you're in deep doodoo. That's why an extra engine is convenient.
2) The engine explodes, taking the plane with it (fortunately, much less likely).

If you have multiple engines, you reduce the chance of a crash because of failure 1, but you increase the chance of a crash in case of failure 2. So there's a balance to be found.

The same goes for virus scanners. Failure mode 1 would be a virus scanner not detecting a virus. Failure mode 2 (less likely) would be a false positive, or worse, an exploit causing your server to be hacked.

Personally, I find two or three virus scanners to be the sweet spot. If programmed correctly, it even gives you some protection against false positives, because you can treat files/emails that are only recognized by one scanner differently from the ones that are recognized by multiple scanners. For example, quarantine in the first case, and remove in the second case. (This requires custom programming, of course.)

--
Jan-Pieter Cornet <[email protected]>
"People are continuously reinventing the flat tyre".

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
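An added example, not part of the original message and not code from ClamAV or Sophos: a sketch of the "custom programming" mentioned above, where a file flagged by one scanner is quarantined and a file flagged by several is removed. The command lines, exit-code tables, action names, and the "defer" outcome for a scanner that fails to run are assumptions to check against your own installation.

```python
import subprocess
from enum import Enum

class Verdict(Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    ERROR = "error"

# Assumed commands and exit codes; verify against your scanners' man pages.
# clamscan: 0 = clean, 1 = virus found. savscan (Sophos): 0 = clean, 3 = virus found.
# Any other exit code is treated as a scanner failure, never as "clean".
SCANNERS = {
    "clamav": (["clamscan", "--no-summary"], {0: Verdict.CLEAN, 1: Verdict.INFECTED}),
    "sophos": (["savscan"], {0: Verdict.CLEAN, 3: Verdict.INFECTED}),
}

def run_scanner(name, path, runner=subprocess.run):
    """Run one scanner on path and map its exit code to a Verdict."""
    argv, codes = SCANNERS[name]
    try:
        proc = runner(argv + [path], capture_output=True, timeout=120)
    except (OSError, subprocess.TimeoutExpired):
        return Verdict.ERROR  # scanner missing, failed to start, or hung
    return codes.get(proc.returncode, Verdict.ERROR)

def decide(verdicts):
    """Turn {scanner: Verdict} into deliver / quarantine / remove / defer."""
    hits = sum(v is Verdict.INFECTED for v in verdicts.values())
    errors = sum(v is Verdict.ERROR for v in verdicts.values())
    if hits >= 2:
        return "remove"      # recognized by multiple scanners
    if hits == 1:
        return "quarantine"  # one scanner only: possible false positive
    if errors:
        return "defer"       # no detection, but not every scanner ran
    return "deliver"

def scan(path, runner=subprocess.run):
    """Scan path with every configured scanner; return (action, verdicts)."""
    verdicts = {name: run_scanner(name, path, runner) for name in SCANNERS}
    return decide(verdicts), verdicts
```

The `runner` parameter exists so the policy can be exercised without either scanner installed; in production it stays at its default of `subprocess.run`.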
