On Wed, 2019-03-27 at 11:07 +0000, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 25 Mar 2019, Joel Esler wrote:
>
> > On Mar 25, 2019, at 12:22, G.W. Haywood via clamav-users ... wrote:
> >
> > > ... we really only use ClamAV to scan mail. I guess we're as
> > > untypical of a ClamAV user as you'll get.
> >
> > Actually, from what we understand, ClamAV is mostly used to scan
> > email.
>
> Quite so.
>
> On Tue, 26 Mar 2019, Graeme Fowler wrote:
>
> > We (Loughborough University) use ClamAV ...
>
> Unfortunately when I was at Loughborough University (Electronic and
> Electrical Engineering) ClamAV did not exist. Nor did the Internet,
> as I graduated in 1976 (*). :/
>
> > Picking a random recent day, we had 135000 rejections, 6500 of which
> > were from ClamAV. By comparison, we accepted & delivered 25000
> > messages ...
>
> On that day's numbers it looks like ClamAV is rejecting about 5% of
> rejected mail. Here, in fifteen months, it's rejected _less_ than
> 0.0002% (although I'll grant that both are likely poor statistics).
>
> On Mon, 25 Mar 2019, J.R. wrote:
>
> > Yep, other measures for me too has meant that ClamAV *might* get one
> > hit a day, which typically is a 3rd party phishing signature. I'm
> > sure if ClamAV didn't catch it the email would still have been
> > flagged and deleted as spam from other measures.
> >
> > > It's a while since I looked at this, so I did a few 'grep's on
> > > 'daily':
> >
> > You inspired me to take a look at the signature files ...
>
> Excellent! I like to inspire. :)
>
> Obviously I didn't mean that using ClamAV to scan mail is untypical,
> it's our 0.0002% detection rate which I think might be untypical. I
> should be very concerned if I relied on *any* anti-virus package to
> stop one in twenty malicious payloads. Not that I'm saying LU does,
> there isn't enough information here to make that call. But my guess
> is that the typical ClamAV user feels that, if a message has been
> scanned, it's probably safe to use a mail client's GUI to read it.
> I'm pretty sure that it isn't (and my mail client doesn't have one,
> and I'm *sure* that's untypical).
>
> On Mon, 25 Mar 2019, Joel Esler wrote:
>
> > That's super interesting. I'd be interested in what the 6500
> > signatures were. Just for a real world "what are you seeing"
> > conversation.
>

I run ClamAV on my incoming mail here at home in conjunction with SA. I also run a small perl script 'clamstats.pl' that was written about 15yrs ago by Paul Venezia. So, since this is just my home system my stats are very few since 2 Jan of this year. This is just mail that isn't put into other folders first by Procmail. The script also makes a nice looking .html file.

22 Virus Types Detected
------------------------------------------
SecuriteInfo.com.Spam-8755.UNOFFICIAL(bc6d2c8f49e4e0d015    1    4.55%
SecuriteInfo.com.Spam-5087.UNOFFICIAL(ce46beba4b24c6f8de    1    4.55%
Sanesecurity.Phishing.Fake.Coin.27586.UNOFFICIAL(0000000    1    4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(1f58b47551ff77c15a    1    4.55%
SecuriteInfo.com.Spam-3019.UNOFFICIAL(d85fd8056a7740a8df    1    4.55%
SecuriteInfo.com.Spam-3835.UNOFFICIAL(9a2d57fd755174de44    1    4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(b7ae06a46f2943f2a5    1    4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(d23a20a925aa96f9e1    1    4.55%
SecuriteInfo.com.Spam-3019.UNOFFICIAL(fe560f6601c350dbbf    1    4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(615e99ca5b46843b5e    1    4.55%
SecuriteInfo.com.Spam-4044.UNOFFICIAL(37b28d2bbad9ed1a5f    1    4.55%
SecuriteInfo.com.Spam-2895.UNOFFICIAL(000000000000000000    1    4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(c65de330c02b18117b    1    4.55%
Sanesecurity.Phishing.Fake.Coin.27622.UNOFFICIAL(0000000    1    4.55%
SecuriteInfo.com.Spam-8755.UNOFFICIAL(97f0b7069e0cbad9f7    1    4.55%
SecuriteInfo.com.Spam-3835.UNOFFICIAL(c3bb70311ce1ea7d19    1    4.55%
SecuriteInfo.com.Spam-8755.UNOFFICIAL(5269acdb10a7bf81de    1    4.55%
SecuriteInfo.com.Spam-3835.UNOFFICIAL(b3cfb50a01c714a5eb    1    4.55%
SecuriteInfo.com.Spam-8755.UNOFFICIAL(b6396a22ce5637efaf    1    4.55%
SecuriteInfo.com.Spam-3019.UNOFFICIAL(53e6ed8c5476d215ed    1    4.55%
SecuriteInfo.com.Spam-4044.UNOFFICIAL(580e2fe07ab4a4eff6    1    4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(4e9a21ef313466c6fb    1    4.55%

Not sure if this would work for a large organization since it pretty much requires that the clamd.log not be rotated so that the correct number of caught viruses is maintained.

--
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:56:27 up 16:18, 1 user, load average: 1.55, 1.15, 1.15
Description: Ubuntu 18.04.2 LTS, kernel 4.15.0-46-generic
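
Added example, not part of the thread and not Paul Venezia's clamstats.pl: a Python tally of `FOUND` lines that also reads rotated and gzip-compressed logs, and groups hits by signature name instead of by name plus hash as in the table above. The log line layout, the `clamd.log*` file naming and the sample lines are assumptions constructed for illustration.

```python
import gzip
import re
from collections import Counter
from pathlib import Path

# Assumed clamd line layout: "<time> -> <path>: <signature>[(hash:size)] FOUND".
# The optional "(hash:size)" suffix is dropped so hits group by signature name.
FOUND_RE = re.compile(r": (?P<sig>\S+?)(?:\([0-9a-f]+:\d+\))? FOUND\s*$")

# Constructed sample lines; signature names are from the table, hashes are made up.
SAMPLE = [
    "Wed Mar 27 08:12:01 2019 -> /var/spool/scan/msg1: "
    "SecuriteInfo.com.Spam-5060.UNOFFICIAL(0123456789abcdef0123456789abcdef:2048) FOUND",
    "Wed Mar 27 08:20:44 2019 -> SelfCheck: Database status OK.",
    "Wed Mar 27 09:03:10 2019 -> /var/spool/scan/msg2: "
    "SecuriteInfo.com.Spam-5060.UNOFFICIAL(fedcba9876543210fedcba9876543210:4096) FOUND",
    "Wed Mar 27 09:40:02 2019 -> /var/spool/scan/msg3: "
    "Sanesecurity.Phishing.Fake.Coin.27586.UNOFFICIAL FOUND",
    "Wed Mar 27 10:00:00 2019 -> /var/spool/scan/msg4: OK",
]

def tally(lines, counts=None):
    """Count FOUND lines per signature name, adding to counts if given."""
    counts = Counter() if counts is None else counts
    for line in lines:
        match = FOUND_RE.search(line)
        if match:
            counts[match.group("sig")] += 1
    return counts

def tally_files(log_dir, pattern="clamd.log*"):
    """Tally the live log plus rotated copies (clamd.log.1, clamd.log.2.gz, ...)."""
    counts = Counter()
    for path in sorted(Path(log_dir).glob(pattern)):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as handle:
            tally(handle, counts)
    return counts

def report(counts):
    """Return (signature, hits, percent of all hits) rows, most frequent first."""
    total = sum(counts.values())
    return [(sig, n, round(100.0 * n / total, 2)) for sig, n in counts.most_common()]

if __name__ == "__main__":
    for sig, hits, pct in report(tally(SAMPLE)):
        print(f"{sig:<55} {hits:>4} {pct:>6.2f}%")
```

Feeding every rotated file into one counter keeps the totals correct across rotation, as long as the old logs are still retained on disk.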