From: Duncan Hill [mailto:[EMAIL PROTECTED]
>
> On Wednesday 23 Nov 2005 15:07, Bowie Bailey wrote:
> > It's always good to have multiple layers. We have ClamAV on the mail
> > server and Symantec Corporate Edition on the desktops. I haven't had
> > any problems with Clam. We had a few Sober.U get through before the
> > definitions updated, but that's expected with a new virus on any AV
> > program (unfortunately).
>
> A minor counter-point.
>
> $dayjob involves scanning the mail for quite a few people for
> viruses and spam. We have 4 commercial AV engines, acting as
> defense in depth. Viruses still make it past.
>
> I just tested an early copy of Sober-Z/U/whatever-it-is that made it
> past all 4 against an out-of-date (over 2 weeks) copy of NOD32, with
> only heuristics engaged. It caught it. Granted, it's the same
> family of virus, but it's still somewhat impressive.
>
> Heuristics aren't everything, but they do work damn well some times :)

Agreed. Our desktops with SAV have heuristics enabled. None of the
Sober viruses made it onto a desktop where they could have been
scanned, so I don't know if SAV would have caught it or not.

My points in the previous email were just:

1) ClamAV works very well here, so if it's missing a whole group of
   viruses for someone, there's probably something else going on.

2) It's normal for any AV program to miss a few at the beginning of an
   outbreak.

Heuristics can help with point 2, but you can't depend on them.

Bowie