OT - Multiple Virus Scanners

Peter Peters P.G.M.Peters at utwente.nl
Tue Aug 15 08:55:33 IST 2006

Hash: SHA1

John Rudd wrote on 15-8-2006 9:26:

> My opinion is: if you can run 2, do it.  Always good to have an extra
> layer of defense, but don't cause more overhead than you need to.
> ClamAV is a _great_ choice for your first pass.

Until recently we only had F-prot. Since this month we also use ClamAV.
ClamAV gets more viruses than F-prot but they are mainly phishing
attacks. Like this:
ClamAV Module: msg-7834-833.html was infected: HTML.Phishing.Bank-626

Other viruses are detected by both but F-prot often doesn't know what
virus it is:
F-Prot: ./k7F3rsPS018425/Thomas.zip->bvpqirlyfk.exe  could be a
suspicious file (encrypted program in archive)
While ClamAV mentions:
ClamAV Module: msg-9011-774.html was infected: Worm.Bagle

When only F-prot finds one it is usually an unknown virus too:
F-Prot: ./k7F6ORPR032693/Ebay-Rechnung.pdf.zip->Ebay-Rechnung.pdf.exe
could be infected with an unknown virus

Of the 106 viruses detected today on one of our systems 56 were detected
by both, 48 only by ClamAV and 2 only by F-prot. Of those 48 detected by
 only ClamAV only 1 was not a phishing attack. That one was infected
with Worm.Lovgate.X (ClamAV name).

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente,  Postbus 217,  7500 AE  Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the MailScanner mailing list