On Fri, 31 Jan 2003, jef moskot wrote:

> Date: Fri, 31 Jan 2003 14:55:20 -0500 (EST)
> From: jef moskot <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [clamav-users] Signature updates: Where from?
>
> Dave Sill writes:
> > If you're running ClamAV in addition to a commercial scanner, or using
> > it to filter out junk e-mail messages, then its database is complete
> > enough, is updated regularly enough, and clamscan is reliable enough.
>
> In our experience, 98% of all intercepted messages are Klez variants,
> which ClamAV nabs quite successfully.
>
> A few of the weirder Word macros and such might slip thru, but simply
> stemming the tide of Klez messages is worth the price of admission right
> there. (If you encounter samples that Clam doesn't currently detect,
> you can submit them and help improve the database.)
>
> The database is updated quickly in response to new viruses, so your only
> real threat is obscure old viruses. These have not been a significant
> issue for us.
>
> As Dave mentioned, it's not 100% protection, but if your choices are: 1)
> do nothing, 2) use ClamAV, or 3) pay tons of money for a commercial
> product in an environment where you're short on funds...it's a real
> no-brainer.

We use clamd and it typically detects on average several hundred to several thousand viruses in our email traffic per hour. We deliver roughly anywhere from 200,000 to 500,000 or more emails per day to users here at UD. Attached to the bottom of this message is a list of counts for particular viruses we found during roughly the last 3-week period, counts we've stripped just in the last 3 weeks. You can make your own conclusions about whether ClamAV is "up to par" with other virus scanners.

Unfortunately, by design, no virus scanner that doesn't just strip "suspicious" executables or code will stop a brand new virus. You have to be "lucky" enough to not be one of the first recipients and you have to be lucky enough to get a signature before you start receiving the virus. I don't think we have been bothered by any "lag-time" in getting signature updates; every vendor has their own annoyed users who claim the company isn't getting them the latest signatures in a timely manner.

However, being able to stop the majority of viruses already out there, the ones that just keep coming in (thanks Yahoo!), for the cost of a "speedy" computer system (we use a single Sun V880), at no software licensing cost, is a BIG WIN in anybody's book, IMO. ClamAV integrates easily into existing tools we use like sendmail and MIMEDefang + SpamAssassin.

There are lots of companies out there that will charge you huge fees (with insane ongoing license fees, per-user charges, per-CPU-per-month fees, black-box or custom hardware costs, etc.) for software that isn't really "better" (or for that matter, significantly different) than what you can get and build yourself, for free. They might package it up nicely and make it sound really good tho'...

Just my 2 cents...

        Ed

p.s. While I was typing this email, clamd caught another 75 messages coming into UD mailboxes that were infected with Klez...

Ed Phillips <[EMAIL PROTECTED]> University of Delaware
(302) 831-6082 Systems Programmer III, Network and Systems Services
finger -l [EMAIL PROTECTED] for PGP public key

      2 Kit/VCL FOUND
      2 VBS.Redlof.Encoded FOUND
      2 W32/Blakan FOUND
      2 W32/Joke.HHold FOUND
      2 W32/Nimda.eml FOUND
      2 W95.Matrix.SCR FOUND
      2 WScr.Unsafe.D FOUND
      2 Worm/BadTrans.B1 FOUND
      2 Worm/Gibe.1 FOUND
      4 CIH #2 FOUND
      4 Mid/Kakworm-Z FOUND
      4 VBS.SST-A #3 FOUND
      4 W32/Magistr.B1 FOUND
      4 W95/Hybris.PI.004 FOUND
      4 W97M/Class.B FOUND
      4 WM97/Marker FOUND
      6 W32/Magistr.B2 FOUND
      6 W32/Magistr.B4 FOUND
      8 W97/Marker FOUND
     10 W32/Hybris.C FOUND
     12 W32/Magistr.B3 FOUND
     12 W32/Magistr.B6 FOUND
     36 W32/Magistr.B5 FOUND
     36 W32/Nimda.html FOUND
     42 W32/Brid.Worm FOUND
     42 Worm/Klez.E FOUND
     48 W95/Hybris.PI.001 FOUND
     78 W95/Hybris.PI.002 FOUND
     82 Lirva FOUND
    104 W32/Magistr.A FOUND
    106 W95/Hybris.PI.000 FOUND
    112 Worm/Lentin.E FOUND
    150 W98/Hybris.E FOUND
    156 W32/Magistr.B FOUND
    208 Lirva-C FOUND
    218 Lirva-B FOUND
    224 W32/BugBear.A FOUND
    454 W95/Hybris.PI.003 FOUND
   2528 Sircam FOUND
   2854 W32/Yaha.g.dam FOUND
   3650 Yaha.K FOUND
   3718 Worm.Sobig.A FOUND
  57024 Worm/Klez.H FOUND