Hi there,

On Fri, 14 Aug 2020, Kurt Fitzner wrote:
I'm becoming quite disillusioned with ClamAV. In the last five years, ClamAV which is installed on my email server, has failed to detect a single piece of malware on the system before that malware ceases to be in email circulation.
In the past on this list I've made some estimates of detection rates for ClamAV. While I wouldn't go quite so far as you, I don't think they're very impressive. But then (1) I don't think the detection rates for ANY scanner are very impressive and (2) I don't think that there's anything comparable that's available on Linux for the price. :)

Like you I use ClamAV to scan mail. I use a milter of my own, not the one provided with ClamAV, but the scanning engine is the same 'clamd'. I don't know what you're doing that's different from what I'm doing, but I'm having trouble understanding why our experiences of ClamAV seem to be very different. In your situation, in that time, I'd have expected ClamAV to have found at least tens and perhaps even hundreds of viruses if nothing else is blocking them.

I don't worry much about viruses. The main reason I use ClamAV is to catch spam, using third-party signatures. My experience of the third-party signatures is pretty good. I routinely contribute. Do you?

As most of the time mail here normally gets rejected before it reaches the 'DATA' phase of the SMTP conversation, ClamAV doesn't get a chance to scan it anyway and I normally don't hear anything from it. But if, for testing, I let it see all the traffic, in addition to quite a bit of spam it certainly finds a (very few) viruses in circulating mail. As it happens I've been doing that for a couple of months to compare two instances of clamd:

https://bugzilla.clamav.net/show_bug.cgi?id=10979

In two months it found 66 phish/junk messages and 3 malware examples. The malware is nothing that I could get very excited about - it's all Windows stuff - and there _is_ vastly more criminal junk in the mail which it doesn't catch; but what it's missing is mostly 419 scams, not viruses, and that's because there simply aren't the signatures in the third-party databases for all the scams.
AFAICT ClamAV _is_ actually doing what it's supposed to do, and it hasn't missed any viruses in this two month experiment. But in my situation I suppose it doesn't get to see many, so you couldn't call that a great testimonial. If I'm getting the right picture from your description you're handling larger volumes of traffic than I am, and given that with more traffic you seem to see fewer detections it makes me wonder if either there's a big difference in the texture of the traffic, which given the nature of email seems unlikely, or if there's some substantial difference in the configurations that we're using. Could you share more details?
... I remember when the submission form asked for how many other platforms detected it, and when reports actually got signatures disted out in a day.
Can anyone else offer their own experiences from submissions? The odd thread I've seen on this list has given me the impression that it's more usually a couple of days. There was a pretty good example in the last couple of days.
... Years ago someone tried to inject a malware script through my WordPress. Interestingly, this malware detected on Windows ClamAV but not in Linux ... I jumped up and down on the mailing lists at the time ...
You did:

8<----------------------------------------------------------------------
Date: Sun, 13 Dec 2015 23:32:39 -0400
From: Kurt Fitzner <[email protected]>
To: ClamAV users ML <[email protected]>
Subject: Re: [clamav-users] Detection in windows but not Linux
Message-ID: <[email protected]>
Content-Type: text/plain; charset=US-ASCII

To my embarrassment, the Windows/Linux detection issue was mostly of my making. WinSCP does CR/LF translation of text files by default. The rest you can now all guess.
...
8<----------------------------------------------------------------------

It seems a little disingenuous not to mention the outcome.
ClamAV has, I'm afraid, become worse than nothing. Nothing doesn't take up memory, storage space, and execution resources but nets the same result. Nothing, by definition, doesn't come with that implied "it's better than nothing" which ClamAV does and clearly isn't.
The picture I get from a lot of the mail on this list is that people install a virus scanner because then, they think, their systems are "protected" and they don't have to do anything else. That's a very long way from the truth and ClamAV doesn't do it. But one thing it _does_ do is give you a feel for the threat. And the threat is real, you (well, at least I) can see it, and so there's obviously a need to do something about it. If you rely on a virus scanner to protect your systems because you're not going to keep them reasonably currently patched, then it doesn't matter which scanner you use - even if you use them all - your systems are going to get pwned. That's simply because there is no scanner and there isn't even any _combination_ of all the available scanners which can protect you 100%. They just can't do it.

The last time I saw a comparison of scanners using some body of malware samples about which I know nothing the reporter claimed that ClamAV managed about 75% when the best scanner tested managed about 80%. Even if I believed them, I can't say that either of those figures would fill me with confidence - and if we're talking about very current threats, my estimates would be nearer 30% than 75%. Even if only one in five will get past the scan undetected, and you're seeing as much cr@p as, say, Mr. Hildebrandt is seeing, then if you're doing nothing else to protect your systems, on a good day they'll probably be compromised before breakfast.
What can be done as a community to fix this? Is there anything that can be done? Is it time to fork and abandon?
I think it's more about taking a step back to see the bigger picture, about managing expectations, and about making contributions than it is about running off in another direction. Cisco/Talos has in place a pretty good infrastructure for keeping databases updated, and they're improving the code base, if a little sporadically. Take a look at the changelog (https://github.com/Cisco-Talos/clamav-devel/commits) to see the things that are happening, and some that are on the cards. If you can suggest improvements in what's available now, then let's see them:

https://bugzilla.clamav.net/describecomponents.cgi?product=ClamAV

but don't underestimate the investments in time and probably hard cash that's needed just to serve the data to the ClamAV user base. In fact don't underestimate what would be needed only to support the malicious and/or clueless traffic to mirrors - there are mentions on this list.

----------------------------------------------------------------------

On Fri, 14 Aug 2020, Ralf Hildebrandt via clamav-users wrote:
I looked at my mailserver and created some statistics (Sophos & clamav) over the last week, TOP 25 detections: ... ...
Your ClamAV has seen more malware in a week than mine has seen in the approaching two decades that I've used it. One difference may I think be that I treat ClamAV very much as a backup to the other ways which I use of preventing unwanted traffic. First among those must be a dozen or so DNSBLs and a home-brewed scoring system, next I think would be a collection of bla^Hocklists of my own creation, and not forgetting the milter, which implements those features plus greylisting every mail it doesn't recognize so that a human can cast an eye over it before it's (usually) dropped in the tarpit.
I see the extensibility as a major advantage. ...
+1

--
73, Ged.

_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
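Two technical points in the thread above are worth pinning down with code: Ged's own milter and the stock clamav-milter both end up speaking the same clamd socket protocol, and the quoted 2015 message traces a Windows-vs-Linux detection difference to WinSCP's CR/LF translation (a byte-exact signature cannot match a copy whose line endings were rewritten). The following is an added example, not code from the thread, from ClamAV or from any of the posters' milters. It implements a minimal client for clamd's zINSTREAM command (null-terminated command, 4-byte big-endian length-prefixed chunks, zero-length terminator, `stream: ... OK|FOUND|ERROR` reply) and a helper that shows how a CR/LF-translated copy of a text sample differs from the original. The socket path `/var/run/clamav/clamd.ctl` and the sample text are assumptions; `scan_bytes` needs a running clamd, while the framing, response parsing and line-ending helpers run offline.

```python
import hashlib
import socket
import struct
from typing import Dict, Optional, Tuple

# Assumption: Debian/Ubuntu default LocalSocket from clamd.conf; adjust to your install.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"


def instream_frames(data: bytes, chunk_size: int = 8192) -> bytes:
    """Build one complete zINSTREAM request for clamd.

    Wire format: b"zINSTREAM\\0", then repeated (4-byte big-endian length, chunk),
    terminated by a 4-byte zero length. clamd enforces StreamMaxLength server-side,
    so very large messages get a 'size limit exceeded' ERROR rather than a scan.
    """
    out = bytearray(b"zINSTREAM\0")
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length chunk ends the stream
    return bytes(out)


def parse_response(raw: bytes) -> Tuple[str, Optional[str]]:
    """Classify a clamd reply of the form 'stream: OK' / 'stream: <sig> FOUND' / 'stream: <msg> ERROR'.

    Returns ("clean", None), ("found", signature_name) or ("error", message).
    """
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "clean", None
    if verdict.endswith(" FOUND"):
        return "found", verdict[: -len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "error", verdict[: -len(" ERROR")]
    return "error", text  # anything unexpected is treated as a scan failure, not as clean


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET, timeout: float = 30.0) -> Tuple[str, Optional[str]]:
    """Scan an in-memory message body via clamd's Unix socket (requires a running clamd)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(sock_path)
        sock.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-commands get NUL-terminated replies
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_response(reply)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def line_ending_digests(data: bytes) -> Dict[str, object]:
    """Illustrate the CR/LF point: the same text with LF and with CRLF endings hashes differently.

    A byte-exact or hash-based signature written against one variant will not fire on the
    other, which is what a default text-mode SFTP transfer silently produces.
    """
    lf = data.replace(b"\r\n", b"\n")
    crlf = lf.replace(b"\n", b"\r\n")
    return {
        "as_received": sha256(data),
        "lf": sha256(lf),
        "crlf": sha256(crlf),
        # True when the copy is CRLF throughout, i.e. consistent with a text-mode translation.
        "crlf_translated": data == crlf and data != lf,
    }


# Constructed sample (harmless text standing in for a script copied via a text-mode transfer).
SAMPLE_AS_RECEIVED = b"<?php\r\n// constructed sample, not malware\r\necho 'hello';\r\n"

if __name__ == "__main__":
    print(line_ending_digests(SAMPLE_AS_RECEIVED))
    try:
        print(scan_bytes(SAMPLE_AS_RECEIVED))
    except OSError as exc:
        print("clamd not reachable:", exc)
```

A milter that uses this would call `scan_bytes` once per message at end-of-DATA and reject or quarantine on `"found"`; treating `"error"` as clean is the mistake to avoid, since a size-limit or socket error otherwise lets mail through unscanned. When a sample is detected on one host but not another, comparing `line_ending_digests` of both copies is the quick way to rule out transfer-time translation before suspecting the signature database.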
