AV Engine Licence

Kevin Spicer kevins at BMRB.CO.UK
Thu Apr 1 07:57:51 IST 2004


On Thu, 2004-04-01 at 07:30, shrek-m at gmx.de wrote:
> caught in_the_wild_viruses in the lab and via email:
> gmx.de  +  sophos  = 100%
> 1und1.de  +  symantec  = 100%
> web.de  +  clamav  = 55%
> freenet.de  +  clamav  = 55%
> short-summary:
> clamav as only av-solution is *not* recommended
> clamav has a lot of false_positive

These tests have been discussed on the clamav list.  The long and the
short of it is that these are not truly independent tests.  In the wild
doesn't necessarily mean spreading.  The clamav folks have tried to gain
access to GMX's list of samples, but haven't been successful (apparently
both Symantec and Sophos do have access).  It stands to reason that any
AV will have signatures for all viruses available to its signature
writers.  It's therefore not particularly fair to judge the performance
of three AV engines against a list that two of them have access to.

My real world experience (running those three scanners with MailScanner)
is that Clam occasionally misses things, but so do Sophos and
Symantec.  On one of the recent outbreaks clam was 12hrs ahead of Sophos
and 14 ahead of Symantec with a signature - clam was responsible for
catching around 100 viruses that day whilst the commercial vendors were
getting their act together.

There have been problems with false positives, but these were mostly on
macro viruses.  Until recently Clam lacked an OLE2 unpacker - but that
has now been rectified.  I've also found the clam team very responsive
at removing/correcting false positives as and when they appear.

All that said, I would still echo your advice to run a second scanner -
but not because Clam isn't good, because no vendor is perfect so using
multiple vendors spreads the risk.  Desktop anti-virus (ideally another
different brand) is also a must.




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000