# grep FOUND /var/log/clamav/clamd.log* |grep -c UNOFFICIAL
80
# grep FOUND /var/log/clamav/clamd.log* |grep -v -c UNOFFICIAL
0
# grep FOUND /var/log/clamav/clamd.log* |grep -c -i sanesecurity
38
# grep FOUND /var/log/clamav/clamd.log* |grep -c -i winnow
42

My logs go back only to January, but this is a typical pattern for the last 7 years or so. Notice that official sigs have not found anything. It is important to know, too, that because of CPU cost, scanning is the last thing done to test mail, and that most rejections happen prior to that, so scanning isn't performed. In terms of effectiveness: proactive prevention using hosts.deny, iptables, sendmail access, the j-chkmail milter (includes regex, URLBL, heuristics, spam traps) and IP reputation, and reactive denial with the deny-hosts utility, fail2ban, and manual scanning of log reports.

I've not looked at the code to see if ClamAV has a signature order (theirs first, then "unofficial"), but it is certainly possible that if Sane Security signatures were not installed, ClamAV signatures may get more hits.

dp

On 2/22/16 6:34 AM, Groach wrote:
FWIW, if I may offer an opinion: I would agree with Alex on the need to source out better unofficial databases (such as sanesecurity, securiteinfo etc.):

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Reply via email to
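Added example, not code from the original message or from the ClamAV project: the same tally the greps at the top of the post produce, done by parsing clamd.log detection lines instead of chaining greps. It separates official from unofficial hits by the ".UNOFFICIAL" suffix that ClamAV appends to third-party signature names, groups unofficial hits by their leading name prefix (Sanesecurity., winnow., ...), and ignores OK and SelfCheck lines so they cannot inflate the count. The log lines, paths and signature names are constructed samples, not real detections.

```python
import re
from collections import Counter

# Constructed sample clamd.log lines (not from the original post). clamd
# logs detections as "<timestamp> -> <object>: <signature> FOUND"; the OK
# and SelfCheck lines are included so the parser is shown skipping them.
SAMPLE_LOG = """\
Mon Feb 22 06:34:01 2016 -> /var/spool/filter/msg-0001: Sanesecurity.Malware.25000.XYZ.UNOFFICIAL FOUND
Mon Feb 22 06:35:12 2016 -> /var/spool/filter/msg-0002: winnow.malware.ts.js.1.UNOFFICIAL FOUND
Mon Feb 22 06:36:40 2016 -> /var/spool/filter/msg-0003: OK
Mon Feb 22 06:37:03 2016 -> /var/spool/filter/msg-0004: Win.Trojan.Agent-1234567 FOUND
Mon Feb 22 06:38:19 2016 -> /var/spool/filter/msg-0005: Sanesecurity.Phishing.Cur.123.UNOFFICIAL FOUND
Mon Feb 22 06:39:55 2016 -> SelfCheck: Database status OK.
Mon Feb 22 06:40:27 2016 -> /var/spool/filter/msg-0006: winnow.spam.ts.w2k.1.UNOFFICIAL FOUND
"""

# Timestamp, scanned object, signature name, literal FOUND at end of line.
# The object is matched greedily so a path containing " -> " or ":" still
# parses; the signature itself never contains whitespace.
FOUND_RE = re.compile(r"^(?P<ts>.+?) -> (?P<obj>.+): (?P<sig>\S+) FOUND$")


def parse_found(lines):
    """Yield (signature, scanned_object) for each FOUND line; skip the rest."""
    for line in lines:
        m = FOUND_RE.match(line.rstrip("\n"))
        if m:
            yield m.group("sig"), m.group("obj")


def classify(sig):
    """Return 'official' for a stock ClamAV name, otherwise the third-party
    prefix (first dotted component, lowercased) of an .UNOFFICIAL name."""
    if not sig.endswith(".UNOFFICIAL"):
        return "official"
    return sig.split(".", 1)[0].lower()


def tally(lines):
    """Count FOUND hits per signature source, plus an unofficial total.

    Mirrors the four greps in the post: 'official' is the complement of
    'grep -v UNOFFICIAL', and the per-prefix keys correspond to
    'grep -i sanesecurity' and 'grep -i winnow'.
    """
    counts = Counter(classify(sig) for sig, _ in parse_found(lines))
    counts["unofficial_total"] = sum(
        n for source, n in counts.items() if source != "official"
    )
    return dict(counts)


if __name__ == "__main__":
    # With real logs: tally(open("/var/log/clamav/clamd.log"))
    for source, n in sorted(tally(SAMPLE_LOG.splitlines()).items()):
        print(f"{source:18s} {n}")
```

Running the block prints one line per source: official 1, sanesecurity 2, winnow 2, unofficial_total 4 for the sample above. Grouping by the leading name prefix is the same heuristic the greps in the post rely on; a feed whose signatures carry a different prefix would appear under its own key rather than being miscounted.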