Re: [Clamav-users] submit-to-publish time much too long for phishing

Wed, 29 Nov 2006 07:47:32 -0800 

Adam Stephens wrote:

On Tue, 28 Nov 2006, Dennis Peterson wrote:


Per Jessen wrote:
This is not really complaint, perhaps just an observation. On 25/11 around 1000CET I submitted a sample and again on 26/11 also around 1000 I submitted a second sample - both phishing. I've only just today around 1800CET received confirmation for both. This 
is respectively about 56 and 32 hours later.  I understand it was on a
weekend etc., but for ClamAVs phishing detection/protection to have any
meaning/reason at all, the time from submit to publish needs to be a
LOT shorter.
I'm not aware of any systems that have been disabled or rendered useless be even the most aggressive phishing scheme.
Maybe not, but the response time for samples seems pretty low for trojans, too - Our desktop scanner, Mcafee, caught a new IRC trojan in our systems on November 1st. ClamAV didn't detect it, so I submitted a sample, both direct and via TotalVirus. The sample still wasn't detected by ClamAV a week after reporting (although it was added fairly quickly after that)
It may be that the virus type required more than a single example or some other extenuating problem existed - but as you know they are often first with a solution for outbreaks. They are always among the early responders with solutions.
I appreciate that people do this for free, and I don't know if that's a typical response time - but it's worrying enough that we're looking at running a commercial scanner in parallel to clamAV.
This is absolutely a best practice. One should not rely entirely on one tool for this critical function. We use ClamAV for real time incoming and outgoing email scans and a second tool runs on all Windows servers that scans file systems because viruses can arrive in many ways. A third product runs on our customer facing servers to ensure that content is clean.
Funnily enough, the main reason we want to keep ClamAV is the SaneSecurity phishing signatures - they're excellent.
I agree - there has never been a false positive here, and the detection rate is astonishing. Steve asked recently for samples and I just don't have any to offer :) 

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Reply via email to