On Mon, 2016-05-23 at 19:52 +0200, C.D. Cochrane wrote:

> >> My 2 cents would be that rapid traditional signature updates are not a
> >> viable solution to this long-term problem.
> >> I'm pretty sure the current generation of Locky, Dridex, Nemucod, etc.
> >> ransomware is generated using millions of tiny mutations so that almost
> >> every email attachment has a unique signature. There is no way to keep up
> >> with that. ClamAV got more than a million virus samples per day, last time
> >> I inquired.
> >> ...Chris
> >
> > As for the claim above about Dridex etc. being too numerous to handle,
> > Sane Security seems to be doing just a fine job of it. (So it's just a
> > lame response.)
>
> I'm not sure what heuristic Sane Security uses. My original point was that a
> traditional signature (sigtool?) on the current generation of malware seems
> to be a non-scalable idea. One million new sigs per day is not realistic.
> ClamAV must evolve if it is going to remain useful. There has to be a better
> scheme to ID new malware than sigtool.
>
> Otherwise, groach is right. ClamAV is just a redundant way to scan for virus
> files from 2008 or see if your latest files can generate FPs.
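The quoted exchange turns on why one-hash-per-sample signatures cannot keep up with a mutation engine. The following is an added illustration, not code from the thread or from the ClamAV project: a deliberately simplified reimplementation of two ClamAV signature formats (a .hdb hash line, `MD5:FileSize:MalwareName`, and a .ndb body line, `MalwareName:TargetType:Offset:HexSignature`, of which only the `??` and `*` wildcards are supported here). The "dropper" bytes, the stub, the payload marker and the mutation routine are all constructed for the demo and represent no real malware; ClamAV's real matcher is not used.

```python
import hashlib
import random
import re

# Constructed sample (not real malware): a fixed "loader" stub followed by a
# padding region that a polymorphic packer would re-randomise per attachment.
STUB = bytes.fromhex("4d5a90000300000004000000ffff0000")   # constructed bytes
ORIGINAL = STUB + b"\x00" * 16 + b"PAYLOAD" + b"\x90" * 8

# Body signature covering the whole constructed family: the first four stub
# bytes, any run of bytes, then the "PAYLOAD" marker (50 41 59 4c 4f 41 44).
NDB_SIG = "Constructed.Dropper:0:*:4d5a9000*5041594c4f4144"


def hdb_signature(sample: bytes, name: str) -> str:
    """Build a .hdb-style line for exactly one sample: MD5:FileSize:Name."""
    return f"{hashlib.md5(sample).hexdigest()}:{len(sample)}:{name}"


def hdb_matches(sig: str, sample: bytes) -> bool:
    """A hash signature hits only when both digest and size are identical."""
    digest, size, _name = sig.split(":", 2)
    return digest == hashlib.md5(sample).hexdigest() and int(size) == len(sample)


def ndb_to_regex(hexsig: str) -> re.Pattern:
    """Translate a hex body signature into a bytes regex.

    Simplified: '??' matches any single byte, '*' matches any run of bytes,
    everything else is a literal hex byte. Other ClamAV wildcards are not handled.
    """
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def ndb_matches(sig: str, sample: bytes) -> bool:
    """Apply a .ndb-style line; offset '*' means 'anywhere in the file'."""
    _name, _target, offset, hexsig = sig.split(":", 3)
    pattern = ndb_to_regex(hexsig)
    if offset == "*":
        return pattern.search(sample) is not None
    return pattern.match(sample, int(offset)) is not None


def mutate(rng: random.Random) -> bytes:
    """Crude stand-in for a polymorphic packer (constructed for the demo):
    scramble the padding region and append 1-63 bytes of junk, so every
    output differs in both content and size from ORIGINAL."""
    pad = bytes(rng.randrange(256) for _ in range(16))
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    return STUB + pad + b"PAYLOAD" + b"\x90" * 8 + junk


def compare(n: int, seed: int = 0) -> dict:
    """Scan n mutants with the one-sample hash signature and the family body
    signature; return how many each one catches."""
    rng = random.Random(seed)
    hdb_sig = hdb_signature(ORIGINAL, "Constructed.Dropper")
    hdb_hits = ndb_hits = 0
    for _ in range(n):
        sample = mutate(rng)
        hdb_hits += hdb_matches(hdb_sig, sample)
        ndb_hits += ndb_matches(NDB_SIG, sample)
    return {"samples": n, "hdb_hits": hdb_hits, "ndb_hits": ndb_hits}


if __name__ == "__main__":
    print(hdb_signature(ORIGINAL, "Constructed.Dropper"))
    print(compare(1000))
```

Run as-is: the hash line catches the original sample and none of the mutants (size alone rules every one of them out), while the single body line catches all of them. That is the gap the poster is pointing at, and it also shows where the answer lies within ClamAV's own formats rather than outside them: ClamAV's sigtool and engine support body-based hex signatures (.ndb) and logical signatures (.ldb) alongside per-file hashes, and a signature written over the invariant part of a family is what scales, not a new hash per attachment.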
Are there any open-source alternatives that are better than ClamAV?

We actually attempted to use the Sophos PureMessage AV component (since we're paying for it as part of our PureMessage license anyway). The memory footprint was such that it demolished our MTA servers, so we had to bag that idea.

ClamAV is fast, free, easy to integrate with just about any MTA and it's actively developed. We've been running it for years, along with the SaneSecurity signatures, and it's been working well for us. If there's a better alternative, I'd be interested in learning about it.

--Dave

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml