Hello
Ok, in short you know about the disaster last week where a single
signature was issued by ClamAV that literally BROKE people's Windows
systems (PCs, servers...). Many suffered, some reported, and I myself
was one that had my mail server halted in its tracks (and my business's
email operation) due to the rogue definition wrongly removing various
EXEs and DLLs.
http://forums.clamwin.com/viewtopic.php?p=18970#18970
http://forums.clamwin.com/viewtopic.php?t=4368
This prompted the usual 'loyal' moderators of the ClamWin forum to declare
that "ClamAV doesn't test signatures on Windows systems" and that it is
dangerous to use it as such (suggesting a more reliable product should be
sought).
This comes after a year of me constantly suffering False Positives with
their definitions (often, but not limited to, the same range of files
and programs), often changing the 'signature' and becoming a new False
Positive just days after rectifying a report of an old one. And this is
if you are lucky enough to get the FP rectified in the first place:
FYI:
https://www.virustotal.com/en/file/ca8ee2783cdfe60ebcfbe1991ffbd952dc7c2bbab375b1e0f8f85b2a32d5a803/analysis/1455646006/
3½ months old
https://www.virustotal.com/en/file/14aff6171866b62575af7f71febd172727503aef58182443d7ebdca11d61a458/analysis/1455646242/
17 months old!
https://www.virustotal.com/en/file/fcc639ddaf9b671fd1efdd70ad5a9358a18e9b3acd0e89f819a561933583c178/analysis/1455646471/
2½ months old.
All were uploaded to Clam as viruses (after being tested on VT) by me at
the time of receiving them. Can you imagine the damage done in 17 months
by those reliant on Clam?
You can see further 'testing' I did to prove the effectiveness of the Clam
signature team on dealing with FPs here:
http://forums.clamwin.com/viewtopic.php?p=18890#18890 which (if you
follow that thread) went on to show it took 12 days for them all to be
rectified.
After this test, the frustration of the recent years of repeatedly
submitting the FP reports (usually for the same programs) with different
signatures, and then the recent mail-server-killing weekend, I concluded
that Clam on Windows systems is just one broken rung above the ground of
useless (and equally as precarious). I concluded that it must only ever be
run in REPORT MODE, have 'Memory Scan' turned off (in the case of
ClamWin) and, to be of any use, must be supplemented by decent 3rd party
signatures such as Sanesecurity that issue signatures for REAL threats,
in a decent worthy time that they might actually serve to protect
(instead of being issued days, weeks or MONTHS (or never!) after the
threat was released and at its most dangerous).
I now only use ClamAV (WITH Sane definitions to make it effective!) as
an incoming mail scanner and leave all other levels of antivirus
security in the hands of the professional suppliers (Bitdefender, Avira,
etc) and find it impossible to recommend it any more for any other form
of protection.
Many people will have been stung by last week's events and have been
turned off from the product - as the parent company, CISCO should be
concerned about this.
This post isn't just here for a moan, it is here for a point of view and
genuine questions of concern that I would like to hear responses to
(specifically from Joel and anyone that considers themselves
responsible for Clam):
1. Given that the Linux world usually (narrow-mindedly) declares itself
as a superior and safer OS to Windows in that "it doesn't get virus
attacks", and therefore antivirus software really has a purpose for
defending against WINDOWS attacks, then why oh why aren't they more
embracing and open-minded to the plight of the Windows user (being more
responsive and proactive)?
2. HOW CAN CISCO allow such sloppy definitions to be issued that
potentially KILL systems? If this was a corporation, where the
customers had PAID for their services, they would be in a world of
trouble. It certainly doesn't do Cisco's reputation any good at all (and
it seems they do not care). Nor does it do Clam's reputation any good.
Why is there not any quality control?
3. Why are signatures not tested against known Windows systems before
being issued? (I'm sure Cisco can provide a server in a corner of a room
that has the standard installation files of the various Windows versions
on it).
4. Absolving yourselves from any liability of damage caused by using
Clam or its various incarnations (in some EULA) does not absolve you
from responsibility of care. Do you agree?
Remember, this is about ClamAV signatures and a question of
responsibility of those signatures by the owning company, so the point
of me and others using the Clamwin port is irrelevant.
I look forward to some considered response.
Jim
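A pre-release check of the kind question 3 asks for, as an added example (mine, not the original poster's and not ClamAV's own tooling): scan a corpus of known-good files with the candidate signature set in report-only mode and refuse to roll it out if any clean file is flagged. The corpus path, the `Win.`/`PUA.` signature names and the sample output are constructed; it assumes `clamscan` is on the PATH.

```python
"""Signature-update false-positive gate (added example, not from the post or
ClamAV): scan a known-good corpus, e.g. a pristine Windows install tree, with
the candidate signature set and fail if anything in it is flagged."""
import re
import subprocess
import sys
from typing import Dict, Optional

# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK"
RESULT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S.*) FOUND$")

# Constructed sample of clamscan output (not real signature names) for the self-check.
SAMPLE_OUTPUT = """\
C:\\Windows\\System32\\kernel32.dll: OK
C:\\Windows\\System32\\user32.dll: Win.Trojan.Example-1 FOUND
C:\\Windows\\notepad.exe: OK
C:\\Program Files\\MyApp\\tool.exe: PUA.Win.Packer.Example-2 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
"""

def parse_clamscan_output(text: str) -> Dict[str, str]:
    """Map each flagged path to the signature that hit; OK lines and the summary are ignored."""
    hits: Dict[str, str] = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line.rstrip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits

def gate_passes(hits: Dict[str, str], allowed_hits: int = 0) -> bool:
    """Safe to roll out only if the clean corpus produced no more than allowed_hits."""
    return len(hits) <= allowed_hits

def scan_corpus(corpus_dir: str, database: Optional[str] = None) -> Dict[str, str]:
    """Report-only scan (no --remove/--move) of the corpus with the candidate database."""
    cmd = ["clamscan", "-r", "--infected", "--no-summary"]
    if database:
        cmd += ["--database", database]  # directory or file holding the update under test
    proc = subprocess.run(cmd + [corpus_dir], capture_output=True, text=True)
    if proc.returncode == 2:  # 0 = clean, 1 = matches found, 2 = scan error
        raise RuntimeError("clamscan failed: " + proc.stderr.strip())
    return parse_clamscan_output(proc.stdout)

if __name__ == "__main__":
    # usage: fp_gate.py <clean-corpus-dir> [<candidate-db-dir>]  (paths are assumptions)
    found = scan_corpus(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    for path, sig in sorted(found.items()):
        print("FLAGGED CLEAN FILE:", path, sig)
    sys.exit(0 if gate_passes(found) else 1)
```

Run it from the update pipeline against the new database directory before copying it into the live ClamAV database path; a non-zero exit blocks the rollout.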
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml