At 11:39 AM 11/9/2004, Bret Miller wrote:
> These problems were fixed a while ago.  Don't know what you are running, but
> we're running 0.80 clamav-milter with clamd, no unpacking problems, and
> I would say with as much confidence as possible that nothing gets by it.

I have to agree. I've been running ClamAV as our primary scanner with
F-Prot behind it for a couple months. I had a couple of worms get
through to F-Prot one day-- most likely F-Prot got their definition
update out before Clam did.

Overall, Clam seems to be catching more than F-Prot did. I state that
based on the number of messages that get rejected based on attachment
type. That's been much less since implementing ClamAV as the scanner.

I agree entirely. ClamAV works quite well.

I run ClamAV in parallel with "brand X" AV (commercial product, ICSA certified, etc.) on MailScanner. I'm going to restrict the naming to brand X because this is largely about how well ClamAV works, not about how well brand X works.

Every email gets scanned by both scanners, which gives me a great ability to compare the two. I can definitely prove that clam works quite well, very comparable to the commercial product in an email-scanning environment.

Below are some of my statistics. These are live statistics based on scan-as-it-arrives performance.

clamav 0.80 updated hourly with freshclam using DNS queries.
"brand X" AV updated 8 times a day with wget (every 2 hours from 8am to 4pm, every 4 hours outside that)


Note: clamav performs well, but it is updated more frequently giving it an inherent edge. Then again, freshclam's lightweight nature makes this possible.

Also, over 75% of the difference between the two scanners is attributable to clamav detecting phishing scams, which aren't really viruses. "brand X" also doesn't seem to have built-in support for scanning HTML code for trojan javascripts such as zerolin. If you exclude those two, the rest of the performance difference is easily accounted for by the difference in update rate favoring clamav (8 of 506 vs 1 of 506).


Some raw statistics from the past couple weeks:

        total infected messages: 708
        ClamAV: caught 699
        "brand X" : caught 490

6 files were caught by neither AV, and detected by filename alone.
(I pick up a few highly suspect file extensions, such as *.cpl, *.wsh, etc. All were 0 byte files from defective viruses, but were obviously virus generated based on bagle-ish body text)


2 messages trapped due to rules prohibiting fragmented mime messages (bounces of viruses in these cases)

        210 that clam caught but "brand X"  missed
                158  HTML.Phishing.*
                44 Trojan.Dropper.JS.Zerolin-6
                4 Worm.Bagle.AT
                1 Worm.Mydoom.I (in msgXXX.txt file, part of a bounce)
                3 Worm.Bagle.Gen-zippwd

        1 that "brand X" caught but ClamAV missed:
                1 W32/[EMAIL PROTECTED] (in attached .com file)

No false negatives that carried any real payload were detected during the sample period, although some 0-byte files obviously generated by a virus did sneak by, more than the 6 that got caught by filename. Since I don't expect any virus scanner to detect a virus in a 0-byte file, I'm not concerned by that.
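The three non-signature checks the last post relies on (rejecting by attachment filename extension, noticing 0-byte attachments that a defective worm emitted, and refusing fragmented MIME) can be implemented independently of either AV engine. The following is an added example written for this page, not MailScanner's own rule set or any code from the thread; the extension list is an illustrative subset (the post names only *.cpl and *.wsh), and the sample messages are constructed here:

```python
"""Attachment triage for inbound mail, run before or alongside the AV engines.

Added example, not MailScanner/ClamAV code. BLOCKED_EXTENSIONS is an
assumed, illustrative subset; the sample messages below are constructed.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions that execute on Windows and are almost never a legitimate
# attachment (assumption: illustrative subset, includes .cpl/.wsh from the post).
BLOCKED_EXTENSIONS = frozenset({
    ".cpl", ".wsh", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".exe",
})


def triage(raw: bytes) -> list[str]:
    """Return the list of reasons to reject a raw RFC 2822 message (empty = pass)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        # Fragmented MIME: the real payload is split across several messages,
        # so no scanner sees it whole. Refuse it outright, as the post does.
        if part.get_content_type() == "message/partial":
            reasons.append("fragmented MIME (message/partial) part is not allowed")
            continue
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        # Final path component only, compared case-insensitively, so
        # "PHOTO.SCR" or "C:\tmp\x.Cpl" are still caught.
        ext = PurePosixPath(filename).suffix.lower()
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type {ext}: {filename}")
        # A 0-byte attachment carries no code for an AV engine to match,
        # but a defective worm is the usual producer of one.
        if len(payload) == 0:
            reasons.append(f"zero-byte attachment: {filename}")
    return reasons


def build_sample(filename: str, data: bytes) -> bytes:
    """Construct a single-attachment test message (sample input, not real mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = "Re: your document"
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed fragment of a message/partial bounce (RFC 2046 section 5.2.2).
FRAGMENT_SAMPLE = (
    b"From: mailer-daemon@example.com\r\n"
    b"To: victim@example.com\r\n"
    b"Subject: Undeliverable (part 1 of 2)\r\n"
    b'Content-Type: message/partial; id="frag1@example.com"; number=1; total=2\r\n'
    b"\r\n"
    b"Received: from somewhere (constructed)\r\n"
)


if __name__ == "__main__":
    for label, raw in [
        ("0-byte .cpl (defective worm)", build_sample("setup.cpl", b"")),
        ("non-empty .SCR", build_sample("Photo.SCR", b"MZ\x90\x00")),
        ("ordinary PDF", build_sample("report.pdf", b"%PDF-1.4\n")),
        ("fragmented MIME", FRAGMENT_SAMPLE),
    ]:
        print(f"{label}: {triage(raw) or 'pass'}")
```

In a MailScanner-style deployment these checks run on the parsed message before the engine verdicts are consulted, which is why the post can count hits that neither scanner produced: the 0-byte and extension rules do not depend on signature freshness at all.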