Dennis Peterson wrote:
JamesDR wrote:
Dennis Peterson wrote:
Adam Stephens wrote:
On Tue, 28 Nov 2006, Dennis Peterson wrote:
Per Jessen wrote:
This is not really a complaint, perhaps just an observation. On 25/11
around 1000CET I submitted a sample and again on 26/11 also around
1000 I submitted a second sample - both phishing. I've only just today
around 1800CET received confirmation for both. This is respectively
about 56 and 32 hours later. I understand it was on a weekend etc.,
but for ClamAV's phishing detection/protection to have any
meaning/reason at all, the time from submit to publish needs to be a
LOT shorter.
I'm not aware of any systems that have been disabled or rendered
useless by even the most aggressive phishing scheme.
Maybe not, but the response time for samples seems pretty low for
trojans, too - Our desktop scanner, Mcafee, caught a new IRC trojan
in our systems on November 1st. ClamAV didn't detect it, so I
submitted a sample, both direct and via TotalVirus. The sample still
wasn't detected by ClamAV a week after reporting (although it was
added fairly quickly after that)
It may be that the virus type required more than a single example or
some other extenuating problem existed - but as you know they are
often first with a solution for outbreaks. They are always among the
early responders with solutions.
I appreciate that people do this for free, and I don't know if
that's a typical response time - but it's worrying enough that we're
looking at running a commercial scanner in parallel to ClamAV.
This is absolutely a best practice. One should not rely entirely on
one tool for this critical function. We use ClamAV for real time
incoming and outgoing email scans and a second tool runs on all
Windows servers that scans file systems because viruses can arrive in
many ways. A third product runs on our customer facing servers to
ensure that content is clean.
Funnily enough, the main reason we want to keep ClamAV is the
SaneSecurity phishing signatures - they're excellent.
I agree - there has never been a false positive here, and the
detection rate is astonishing. Steve asked recently for samples and I
just don't have any to offer :)
dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Has anyone ever considered an anti-spam solution for these phish
emails? I do realize that ClamAV uses quite a bit less resources than
say SpamAssassin at detecting the same phish -- but really, if your
users are being let down by the 'time it takes to get a phish sig'
then isn't it about time their network/mail admin looked into added
levels of detection? Which brings me to my next question: Do you do
spam filtering for your custs? And: If not, why not?
I do. I use a milter (J-Chkmail) that provides several layers of
anti-spam management: Regular expressions, SURBL support, RBL support,
behavior analysis, grey listing, Bayesian filtering, DNS MX analysis,
attachment suffix (pif, com, exe, etc) detection, file name regex
analysis, and it also is the interface between Sendmail and ClamAV. The
combination of J-Chkmail and ClamAV is very effective.
The advantage of phishing detection in ClamAV is that it puts a lot of
people on the problem so that we all benefit. Any changes to my local
filter management require my time and benefit only me.
I think the amount of spam they receive is far worse than the amount
of phishing emails they receive (I see far more spam versus phish;
even phish plus virus is far less than spam.)
I don't have solid numbers to go on (I don't keep very many stats, as I'm
the only IT guy here, and I can hash out some stats when the budget
needs to be adjusted for new hardware.)
I've found Clam to be reactive to phishes; I've found SpamAssassin to
be proactive...
How does it do this?
Proactive may not be the best word here, but since it uses regex and
several rules applied to an email, it isn't reliant upon a single sig to
detect a 'bad' mail. So in a way, what matched in the past has a good
chance of matching in the near future (as far as spam goes); at least
this has been my experience.
BTW, keep up the good work Clam guys, I run 2 AV scanners in line, the
other scanner has nothing to do because of the excellent virus
detection provided at the best possible price. :-)
Ditto.
dp
--
James