Jan-Pieter Cornet wrote:
On 2011 Jan 3, at 1:46 , TR Shaw wrote:
On Jan 2, 2011, at 7:12 PM, Bob Traktman wrote:
Is there any reason not to keep ClamAV and Sophos Anti-Virus -- both active?
None whatsoever. Defense in depth is a good thing.
Probably not. However, a contemplation...
It's like a plane. Planes can have 1 engine, or 2, or even more, but usually
not more than 4. Why not 8 engines? 100?
Plane engines have two failure modes:
1) they stop working. If that engine is all you got, you're in deep doodoo.
That's why an extra engine is convenient.
2) The engine explodes, taking the plane with it (fortunately, much less
likely).
If you have multiple engines, you reduce the chance of a crash because of
failure 1, but you increase the chance of a crash in case of failure 2. So
there's a balance to be found.
There is another problem with multiple engines. If you have, say, 4
engines, the plane will be heavier and part of the power of the engines
will be used just to carry redundant engines.
Back to virus scanners, adding more virus scanners means more CPU
cycles will be needed, scanning will take longer, ...
The same goes for virus scanners. Failure mode 1 would be a virus scanner not
detecting a virus. Failure mode 2 (less likely) would be a false positive, or
worse, an exploit causing your server to be hacked.
Personally, I find two or three virus scanners to be the sweet spot. If
programmed correctly, it even gives you some protection against false
positives, because you can treat files/emails that are only recognized by one
scanner differently from the ones that are recognized by multiple scanners. For
example quarantine in the first case, and remove in the second case. (This
requires custom programming, of course).
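The one-scanner versus multiple-scanner handling described in the message above, sketched as an added example that is not part of the original thread. The `Verdict` type, the `decide` function, the `DEFER` action for scanner errors and the sample verdicts are assumptions made for illustration; each scanner's result is assumed to have already been reduced to infected, clean or failed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Action(Enum):
    DELIVER = "deliver"
    QUARANTINE = "quarantine"   # flagged by one scanner: possible false positive
    REMOVE = "remove"           # flagged by several scanners: high confidence
    DEFER = "defer"             # assumption: retry later if a scanner failed


@dataclass(frozen=True)
class Verdict:
    scanner: str                # e.g. "clamav", "sophos"
    infected: Optional[bool]    # True/False, or None if the scanner errored
    signature: str = ""         # name reported by the scanner, if any


def decide(verdicts: List[Verdict], remove_threshold: int = 2) -> Action:
    """Map per-scanner verdicts to one action for a file or e-mail."""
    hits = [v for v in verdicts if v.infected is True]
    errors = [v for v in verdicts if v.infected is None]

    if len(hits) >= remove_threshold:
        return Action.REMOVE
    if hits:
        # Only a minority of scanners agree: keep a copy for review
        # instead of destroying a possibly legitimate message.
        return Action.QUARANTINE
    if errors or not verdicts:
        # A crashed or timed-out scanner is not a "clean" result.
        return Action.DEFER
    return Action.DELIVER


if __name__ == "__main__":
    # Constructed sample verdicts, not real scanner output.
    samples = {
        "msg-1": [Verdict("clamav", True, "Sample.A"), Verdict("sophos", True, "Sample/A")],
        "msg-2": [Verdict("clamav", True, "Sample.B"), Verdict("sophos", False)],
        "msg-3": [Verdict("clamav", False), Verdict("sophos", None)],
        "msg-4": [Verdict("clamav", False), Verdict("sophos", False)],
    }
    for msg_id, verdicts in samples.items():
        print(msg_id, decide(verdicts).value)
```

With three scanners, `remove_threshold` can stay at 2 or be raised to 3 depending on how much weight a single dissenting scanner should carry.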