We just put some new hardware in place and we are using the latest version of MailScanner which allows us to use both Sophos and ClamAV. Since we started evaluating ClamAV (about the time of the MyDoom outbreak), clam has had updates between two and eight hours faster than Sophos. We have yet to find a case where Sophos caught something that ClamAV missed, although with Sophos' funky counting scheme (Sophos counts the zip file and any files in the zip files), it is difficult to tell just by the logs. So, admittedly it's a small sample, but definitely hard to ignore.
* On 04-03-28, Tomasz Kojm wrote:
Now they say that Symantec and Sophos caught 100% of all the viruses, and ClamAV only got 54%!
At least Symantec has full access to all WildList.org virus samples because that "independent" organization was founded, among others, by the members of the SARC staff.
After the infamous article about ClamAV in heise.de (in which they criticized Web.de for using our software) we contacted WildList.org (on Sat, 06 Dec 2003 10:56:33 +0100) but never received any answer. Personally, I don't consider that test independent. Especially that '100%' for Sophos and Symantec is rather surprising, because we have many samples (including recent ones) that are missed by both of them. Anyway, I think not only ClamAV but also WildList.org and the famous German A-V specialist should refresh their ItW collection.
I agree with this entirely. I've actually had the experience of testing both Sophos and ClamAV (Sophos at my "day job", www.physics.arizona.edu, and ClamAV at my "night job", www.bigmannetworks.com). It's been my experience that new identities show up much sooner to the ClamAV db (via freshclam) than they do to the Sophos server.
It's also been my experience that ClamAV has caught a lot more viri than Sophos has over the last 3 months (which, honestly, is the only timeframe I've had both running ;-) I have no hard numbers, but at my "day job" I'd say I personally get about 5-10 viri per day that Sophos misses and I've gotten 1 that passed through ClamAV over the last month (hello encrypted zip!) BTW: These are both MTA filtration systems. I haven't yet tried ClamAV running on a desktop or other server env ;-)
I missed what started this thread; can someone send the link that spawned this discussion?
Keep up the great work! Thanks,
Geoff