Hi there,
On Jun 13, 2017, at 06:53, Paul Moreno <p...@paulmoreno.net> wrote:
> I'm in the process of providing a recommendation to a client on the
> use of ClamAV. ...
> As it stands now, the client gets massive amounts of false
> positives with seemingly no trigger. I'm working on sifting
> through log files to see if there's a reason for it or if this
> specific environment isn't suited to use this as a scanner.
You will get more useful help if you describe the system(s) in which
you find the use of ClamAV problematic. I don't understand "seemingly
no trigger" - of course there's a trigger, and I wonder how difficult
it can be to find it. I don't understand in what ways you think the
"specific environment" might be unsuited to scanning by what is after
all a pretty straightforward process. Well-defined data are passed to
a well-defined scanning engine which tells you if it found something,
based on fairly simple rules. On a Linux box it's possible to scan
things which should not be scanned and that could cause problems.
On Tue, 13 Jun 2017, Paul Moreno wrote:
> On 13 Jun 2017, at 12:57, Joel Esler (jesler) <jes...@cisco.com> wrote:
>> Plus reports of those false positives would be fantastic.
> There are so many it's proven difficult to recommend the use of ClamAV.
Not a terribly useful reply to Mr. Esler's very reasonable request;
and from that statement one perhaps might be forgiven for supposing
that instead of trying to form a conclusion from the evidence, you're
trying to find an argument to justify a conclusion already reached.
> ... I've read in various forums and online material, ClamAV appears
> to be better suited for mail systems, such as postfix, and Windows
> hosts.
The people here on this list use ClamAV, or work on it, or both. Some
have been using it for many years. I've been using it continuously
since April 2005 on several mail servers.
Be very wary of "various forums and online material" because there's a
lot of nonsense in those sources. My wife and I frequently fall about
laughing at the 'science and technical' journalism which is published
by the British Broadcasting Corporation, for example. And I think the
BBC has an annual income in the region of eight billion US dollars, so
you might expect that they could afford to employ somebody competent.
> Can anyone comment on the reliability and accuracy of using
> it on a Linux operating system?
I don't routinely scan Linux boxes for anything, but I'm fortunate in
that I have very good control over what gets put on ours. On the odd
occasion that I've used ClamAV to scan a Linux box it's found nothing
(and nothing was expected). This is my experience, in my situation,
over two decades, with at least a couple of dozen running at any one
time and I suppose of the order of a couple of hundred Linux boxes in
total. At the moment Nagios says it's monitoring 26 Linux boxes, and
314 services.
You could search the archives of this list for statistics, I've posted
a few myself. My experience is that it's moderately reliable, but you
will probably only find anything if you use a lot of the "unofficial"
signatures, and almost anything else will be false positives. This is
scanning mail for small businesses including my own, which is the only
one of them where Windows boxes are not used at all. Despite the fact
that we have no Windows boxes we scan all mail using signatures from a
range of sources, including signatures for Windows-only malware. From
many years of trawling through logs I can say with certainty that it's
far more important to control the sources of the data than it is to be
able to scan the said data for nastiness. We have a list of about 120
countries from which all packets are dropped using GeoIP. A few other
choice filters leave ClamAV with very little work to do. If there is
in fact anything nasty in there, it's a toss of a coin whether you'll
find it by scanning it with ANY of the available packages anyway. If
it's a zero-day nasty there's a good chance it's worse than that.
Mr. Scalio makes important points:
> (1) someone put a bunch of EICAR files in place ...
> (2) a false positive ... ensure it really is a false positive) and
> (3) filling up ... we didn't exclude the quarantine directory
Essentially this is all human error, and the last one at least is
capable of doing as much damage as much of the malicious software that
you'll be looking for. I'd probably also mention that ClamAV uses a
lot of memory, and that could cause problems of its own. Make sure
that your systems aren't at greater risk from their protection than
they are from the attackers.
and lastly
> Using AV doesn't exempt you from ensuring systems are hardened ...
Amen to that. Fortunately it's relatively straightforward on Linux.
> I understand Linux "malware" would ...
You haven't yet given enough information to convince me, at least,
that Linux malware is all you'll be concerned with. Although I grant
they do exist, it will be an unusual system which connects with no
Windows machines at all. I think the last one I worked on occupied
Hangar 9 at A.E.R.E. Harwell in the late 1970s. If uncontrolled
Windows boxes are going to be able to send data to or receive data
from a system, then there's probably a case for scanning said data for
malicious code of ANY description. You really don't want to be in the
position of delivering Windows malware from a Linux box and having to
explain to an irate Windows user or customer (or your about-to-be-ex-employer)
why you didn't bother scanning it for malware.
--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
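The thread turns on sorting "false positives" into the buckets Mr. Scalio lists: EICAR test files someone left in place, quarantine directories that were never excluded and so get rescanned on every run, and genuine detections that need a second look before anyone calls them false. The script below is an added example, not code from the list or from the ClamAV project; it parses the `<path>: <signature> FOUND` lines that clamscan prints and splits them into those buckets. The log lines, paths and signature names in SAMPLE_LOG are constructed for this example (only the line shape and the `.UNOFFICIAL` suffix that ClamAV appends to signatures loaded from unsigned third-party databases are real), and the quarantine path is an assumed value.

```python
import re
from collections import Counter

# Constructed clamscan output for this example. The paths and signature
# names are invented; the "<path>: <signature> FOUND" line shape, the
# "OK" lines and the summary block follow clamscan's output format.
SAMPLE_LOG = """\
/srv/mail/queue/1a2b: Sanesecurity.Junk.48122.UNOFFICIAL FOUND
/srv/mail/queue/3c4d: Eicar-Test-Signature FOUND
/home/ops/eicar.com: Eicar-Test-Signature FOUND
/var/lib/clamav/quarantine/1a2b: Sanesecurity.Junk.48122.UNOFFICIAL FOUND
/var/lib/clamav/quarantine/99zz: Win.Trojan.Example-0 FOUND
/srv/www/uploads/report.pdf: PUA.Pdf.Example-1 FOUND
/srv/www/uploads/invoice.doc: OK
----------- SCAN SUMMARY -----------
Infected files: 6
"""

# Assumed quarantine location; adjust to whatever --move/--copy points at.
QUARANTINE_DIR = "/var/lib/clamav/quarantine"

# One clamscan detection line: everything before the last ": " is the path.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_findings(log_text):
    """Return (path, signature) pairs for every FOUND line in clamscan output.
    'OK' lines, the scan summary and blank lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("sig")))
    return findings


def triage(findings, quarantine_dir):
    """Split detections into the buckets a log review should separate
    before labelling anything a false positive."""
    q = quarantine_dir.rstrip("/") + "/"

    def is_eicar(sig):
        return "eicar" in sig.lower()

    def is_unofficial(sig):
        # ClamAV appends .UNOFFICIAL to names from unsigned third-party databases.
        return sig.endswith(".UNOFFICIAL")

    return {
        # How often each signature fires: a handful of names dominating the
        # count usually points at one noisy signature, not at an infection.
        "by_signature": Counter(sig for _, sig in findings),
        # Scalio's point (1): test files, not false positives; remove the files.
        "eicar": sorted(p for p, s in findings if is_eicar(s)),
        # Scalio's point (3): hits inside quarantine mean the directory is
        # being rescanned on every run because it was never excluded.
        "in_quarantine": sorted(p for p, s in findings if p.startswith(q)),
        # Third-party signatures carry most of the false-positive risk.
        "unofficial": sorted(p for p, s in findings if is_unofficial(s)),
        # What is left deserves a real look (Scalio's point (2)).
        "needs_review": sorted(
            p for p, s in findings
            if not p.startswith(q) and not is_unofficial(s) and not is_eicar(s)
        ),
    }


def summarize(report):
    """Render the triage report as plain text lines for a log review."""
    lines = ["detections by signature:"]
    for sig, n in report["by_signature"].most_common():
        lines.append(f"  {n:4d}  {sig}")
    for bucket in ("eicar", "in_quarantine", "unofficial", "needs_review"):
        lines.append(f"{bucket} ({len(report[bucket])}):")
        lines.extend(f"  {p}" for p in report[bucket])
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(parse_findings(SAMPLE_LOG), QUARANTINE_DIR))))
```

A non-empty `in_quarantine` bucket is the symptom of the missing exclusion in Scalio's third point; the fix on the clamscan side is `--exclude-dir` for the quarantine path (or `ExcludePath` in clamd.conf), after which the same files stop being counted again on every run. Feed the script a real log instead of SAMPLE_LOG by reading the `--log` file clamscan writes.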