MailScanner 101, take two.

Kevin Spicer kevins at BMRB.CO.UK
Thu Jul 3 19:34:25 IST 2003


>  So, how satisfied have you ClamAV users been
>  with the pattern updates?  Do they come in in a timely fashion?

I'm not sure you need a big statistical sample to determine that their
updates aren't as timely as they could be (you would need a big sample to
determine that their updates are good, however).

In my experience Clam has some good features but also some serious
limitations...

Can't disinfect files (not such a big problem with the current crop of
viruses which don't actually infect current files)

Updates are not as swift as many commercial vendors.  Most of the recent
fast-spreading viruses I've seen picked up by Sophos hours or even days
before clam (although I did see one variant that was caught by clam
before Sophos). I saw somewhere (their mailing list/site I think) that
they aim to update their definitions several times a week (I like mine
updated several times a day - whenever a new virus appears).

Their site hasn't been the most reliable, but there are more mirrors now
and the latest versions automatically use the mirrors.

Several of us experienced problems over the last few days with clam
updates failing and completely stopping MailScanner.

I believe I've said this before, and I'll probably say it again, Clam is
useful as a second virus scanner (for insurance should the first pack
up) but at the moment you should still use a commercial solution.

As an aside, it's interesting how Clam gets its definitions: there is a
tool in the clam distribution for generating signatures which relies on
it being fed a known infected file; it then feeds portions of the file
into a commercial virus scanner until it finds the exact portion of the
file that generates a hit on the commercial scanner.  The definition is
then generated from this portion.  I don't know if they do any other
virus research, but this did strike me as perhaps a little cheeky
(although I would guess the commercial vendors probably monitor each
other's definitions quite closely).




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000