On Tue, 29 Apr 2003 [EMAIL PROTECTED] wrote:
> Thank you!
>
> Why is the date listed below more than 5 months old?
>
> Ok... so I guess there's quite a large discrepancy... most commercial AV
> have tens of thousands of signatures. For example, RAV has 77000 signatures.
Because they keep every virus sig they made for any platform (DOS 3.3,
Amiga, TRS-80) since the dawn of time, so they can say they detect 77000
viruses. Marketing Hype.
> Is there any chance that clamAV will "catch up" anytime soon?
No real need to. Just because they have more sigs doesn't mean they'll
catch any particular current virus any better than ClamAV. Here's the
distribution of viruses we've seen over the last 6 months with ClamAV,
while processing anywhere from 100,000 to 300,000 messages per day on our
central email delivery system:
2 Joke.CokeGift FOUND
2 Joke.Schmilz FOUND
2 Kit/VCL FOUND
2 TR.IWorm.MTX FOUND
2 W2000M/Thus.B.Macro FOUND
2 W32/Nimda.eml FOUND
2 W97M/VMPCK FOUND
2 Worm/Fbound.C FOUND
3 W32/Gop FOUND
4 CIH #2 FOUND
4 ClamAV-Test-Signature FOUND
4 Mid/Kakworm-Z FOUND
4 VBS.SST-A #3 FOUND
4 W32/Joke.HHold FOUND
4 W97M/Class.B FOUND
4 Worm/BadTrans.B1 FOUND
5 W32.FunLove.4099 FOUND
6 Joke.SmallPenis FOUND
6 W32/Blakan FOUND
6 W32/Joke.Jep FOUND
8 Oror-fam FOUND
10 TR.Sub7.Bonus.Srv FOUND
11 WM97/Marker FOUND
12 Worm.Yaha-L FOUND
12 Yaha.R FOUND
14 HTML/Winevar FOUND
14 W32/Worm.Winevar FOUND
14 WScr.Unsafe.D FOUND
15 VBS/Redlof-A FOUND
16 TR.Happy99/SKA FOUND
18 W32/Goner-A FOUND
18 W32/Magistr.B2 FOUND
18 W95/Hybris.PI.004 FOUND
20 Eicar-Test-Signature FOUND
20 V5M.Unstable FOUND
20 W32/Magistr.B1 FOUND
26 W32/Hybris.C FOUND
32 W32/Magistr.B4 FOUND
34 VBS.Redlof.Encoded FOUND
34 W32/Magistr.B3 FOUND
40 W95.Matrix.SCR FOUND
40 WM/Thus.B FOUND
48 W32/Magistr.B6 FOUND
48 W97/Marker FOUND
56 VBS.LoveLetter.D FOUND
62 W32/Nimda.html FOUND
82 Lirva FOUND
108 Worm.Ganda-A FOUND
138 W32/Magistr.B5 FOUND
140 Worm/Gibe.1 FOUND
160 W95/Hybris.PI.000 FOUND
160 Worm/Lentin.E FOUND
166 W95/Hybris.PI.001 FOUND
169 Worm/Klez.E FOUND
240 W32/Magistr.A FOUND
264 W95/Hybris.PI.002 FOUND
290 Lirva-B FOUND
302 Lirva-C FOUND
435 Yaha.P FOUND
506 W32/BugBear.A FOUND
526 W32/Magistr.B FOUND
528 W98/Hybris.E FOUND
796 Worm.Gibe.B FOUND
829 W32/Brid.Worm FOUND
2184 W95/Hybris.PI.003 FOUND
3846 Worm.Sobig.A FOUND
6536 Exploit.IFrame FOUND
9894 W32/Yaha.g.dam FOUND
10354 Sircam FOUND
10980 Yaha.K FOUND
119974 Exploit.IFrame.HTML FOUND
182089 Worm/Klez.H FOUND
Amazingly short list for a University with no firewalls, students and
staff installing computers and hooking them to the network without any
security requirements or checks, etc. Note the major percentage of our
total virus counts are in the top-ten at the bottom of the list (Yep,
that's 182,089 copies of Klez.H stripped out of email attachments!).
If you're looking for a perfect solution, you won't find one - commercial or
free. And since you can't have a perfect solution, then why pay serious
money for one - so you can say, "Well, it's supposed to be the best..."?
The commercial solutions may have less lag time getting the virus sigs
out, but _any_ lag means you will be unprotected for some amount of time -
and with some of the recent worms/viruses, it only takes a single copy on
one machine in your network and you have a serious problem. So, you still
have to use manual "common sense" methods, even though you have the
"best" virus scanners: don't open programs found in email, don't download
programs from suspicious sites, isolate and clean up virus messes as
they're found, keep machines patched up with the latest security fixes,
etc. Meanwhile, you wait for the next batch of sigs from the company you
paid all the money to... and more new viruses are coming in... undetected.
I think there is a common misconception at work here: Virus scanners stop
"all" viruses. That's wrong. Virus scanners stop "known" viruses, using
pattern matching techniques. If a hacker is going to unleash a virus,
certainly they would have the common sense to make a NEW virus that is
undetectable (at least until someone makes a signature for it)... ;-)
Ed
Ed Phillips <[EMAIL PROTECTED]> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l [EMAIL PROTECTED] for PGP public key
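As an added example (not from the post, and not ClamAV's own code), a small Python script that aggregates clamscan-style `path: NAME FOUND` log lines into the kind of per-signature distribution shown above and measures how much of the total the top-N signatures account for; the log lines are constructed samples, and the `path: NAME FOUND` layout is assumed.

```python
"""Aggregate ClamAV 'FOUND' log lines into a per-signature count table and
report how concentrated detections are in the most-seen signatures."""
from collections import Counter

# Constructed sample of clamscan-style output lines (not from the original post).
SAMPLE_LOG = """\
/var/spool/scan/msg001: Worm/Klez.H FOUND
/var/spool/scan/msg002: Worm/Klez.H FOUND
/var/spool/scan/msg003: Exploit.IFrame.HTML FOUND
/var/spool/scan/msg004: OK
/var/spool/scan/msg005: Yaha.K FOUND
/var/spool/scan/msg006: Worm/Klez.H FOUND
/var/spool/scan/msg007: Sircam FOUND
/var/spool/scan/msg008: Exploit.IFrame.HTML FOUND
/var/spool/scan/msg009: Eicar-Test-Signature FOUND
/var/spool/scan/msg010: Worm/Klez.H FOUND
/var/spool/scan/msg011: CIH #2 FOUND
"""

SUFFIX = " FOUND"


def count_detections(log_text):
    """Return a Counter mapping signature name -> number of FOUND lines.
    Signature names may contain spaces (e.g. 'CIH #2'), so the name is taken
    as everything between the last ': ' and the trailing ' FOUND'."""
    counts = Counter()
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line.endswith(SUFFIX):
            continue  # 'OK', errors and other non-detection lines
        name = line[: -len(SUFFIX)].rsplit(": ", 1)[-1]
        counts[name] += 1
    return counts


def distribution(counts):
    """Rows of (count, name) in ascending order, like a 'sort | uniq -c | sort -n' listing."""
    return sorted((n, name) for name, n in counts.items())


def top_share(counts, n=10):
    """Fraction of all detections accounted for by the n most-seen signatures."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(n)) / total


if __name__ == "__main__":
    found = count_detections(SAMPLE_LOG)
    for n, name in distribution(found):
        print(f"{n:>8} {name} FOUND")
    print(f"top-3 signatures account for {top_share(found, 3):.0%} of detections")
```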