Using ClamAV as a general purpose scanner

kurt wismer

Julian said:
> Could you point me to some statement I have made "pushing" it to people?
> In fact, I think I have only mentioned ClamWin specifically in the
> context of pointing out that Clam is already available as a general
> purpose AV tool for Windows.
>
> All I have argued against is the negative comments based on old test
> results

until there is a few years worth of positive test results, those
negative comments will continue... they continued with NAV and they will
continue with clam... if you don't like that clamav is held to the same
standards as everybody else, well boo hoo...

> or someone's "opinion" that the open source movement is
> incapable of addressing the areas of weakness that still remain.

either the people involved don't have the knowledge/experience, or they
move at a glacial pace... it's been years and they still, apparently,
are doing dumb string scanning (as evidenced by your recent comments
about what you can do with the eicar string and a word document)...

> I even
> published an article on my own website at
> http://www.tech-pro.net/clamav.html that pointed out some of these
> weaknesses.
>
> I have, however, given it credit for areas in which it appears to be
> successful, viz: as a scanner for mail servers. If that constitutes
> "endorsement" then I guess the meaning of the word must have changed
> while I slept.

you have in fact endorsed it and continue to endorse it for the
purposes of scanning at the mail server level... you keep arguing that
all these admins who say it works proves it's performing well in the
real world...
 
kurt wismer

Julian said:
> But I thought we were discussing whether Clam was suitable for use
> *now*, therefore one might easily assume that these comments represented
> the poster's opinion in its performance now, and not more than a year ago.

it is not suitable until it has a proven track record...

[snip]

> I tend to agree, although if you are as picky with words as you were
> with me just now, nothing stated on the site is actually untrue, and
> they aren't suggesting that anyone should trust it as their only virus
> scanner.

are they warning people not to trust it as their only scanner?

given that people generally only use one scanner, if they use clam they
will be trusting it as their only scanner unless someone specifically
warns them against it...
 
kurt wismer

Julian said:
> People who run Linux servers are, by definition, a lot more techno-savvy
> than some of the sysadmins on Windows boxes.

non-sequitur... techno-savvy and virus-savvy are two different things...

> I doubt if there is anyone
> using Clam on a server who doesn't know how to submit a sample for
> checking.

sure, but do they bother?

> Yes, but the nature of test results is that they make people focus on
> the negatives. AV companies are so paranoiac about them because they
> know that a product that detects, say, 99.8% of the test samples will be
> judged as superior to one that detects, say 97%. Which, technically, it
> is. But that missing 2.8% might be things that a user is extremely
> unlikely to encounter, and there might be other things, like a better
> UI, a lower resource usage or lower cost, that makes the less well
> performing scanner actually a better overall product.

actually, that missing 2.8% is within natural variation of scanner
ranking and can easily reverse in a month or 2... the difference isn't
significant enough to pay attention to...

clam doesn't get to boast so small a gap, however...

> By basing one's assessment of Clam solely on its deficiencies, you make
> it seem much worse than it actually manages to be in practice.

correction - 'make it seem much worse than it *appears* to be in
practice'...

evaluating security products is like that... you can't rely on
superficial observations - you need to be scientifically rigorous
because security failures are not always obvious enough to show up any
other way...

> Agreed. I think Clam, as it stands now, is not suitable for being used
> as the *sole* protection method against viruses. It needs the ability to
> detect polymorphics, improved macro virus detection, and fewer false
> alarms, before it could take on that responsibility. In conjunction with
> other tools for detecting possible viruses it may still be capable of
> performing a useful role, however, bearing in mind that currently
> superior solutions may be inapplicable due to cost or licensing reasons.

as far as i'm concerned it is unsuitable for use in any production
system - period... as far as monetary concerns go - people would be far
better off doing strict content filtering rather than virus scanning at
the mail server level, and for desktops there are already plenty of free
or inexpensive choices (and bulk discounts) out there...
 
kurt wismer

Julian said:
> Well, that's all most of us have about most things. I really would like
> to know how well the *current* build of Clam does at detecting viruses
> that are ITW now. However, I'm not going to jump to any conclusion based
> on the performance of a build that is more than a year old. There have
> been a lot of changes since then, as the release history shows.

without independent test results to back them up those release history
items mean nothing...

without a proven track record, clamav is unsuitable for production
systems... its performance *was* bad and we have no proof to say
that it's since become good or is likely to stay good...
 
Roger Wilco

> are they warning people not to trust it as their only scanner?
>
> given that people generally only use one scanner, if they use clam they
> will be trusting it as their only scanner unless someone specifically
> warns them against it...

Hmmm, the ClamWin page said they use the ClamAV engine IIRC and that the
defs are updated by the ClamAV team. The ClamAV page says they detect a
whopping 30,000 viruses worms and trojans - while this may be adequate
for the usual suspects in the e-mail vector I don't think it is adequate
for GP use. I see in A.C.V. that Mr. Lipman has recommended it to a user
without warning that it is inadequate for this usage. Does he know
something we don't about ClamWin?
 
Julian

kurt said:
> anecdotal evidence doesn't generally prove anything - that's why it's
> distinguished from other types of evidence... as for the admins who
> claim it's detecting worms, i say how do we know they were real worms?
> how do we know they were still viable? how do we know they weren't
> neutered in transit before getting to those mail servers?
>
> answer: we don't...

There's a saying "a million people can't be wrong." To which you'd
presumably reply, "they could be, if there is no scientific evidence to
prove they are right."

Let's just agree to differ. :)
 
Julian

kurt said:
> message id <[email protected]> - it actually had to do
> with clammail...

That's not a g. p. scanner. There is plenty of anecdotal evidence (which
you don't accept) that Clam does a perfectly good job as a mail scanner,
so I don't see what is wrong with recommending it for that specific
task, especially to someone who is already using another g. p. scanner.

> until there is a few years worth of positive test results, those
> negative comments will continue... they continued with NAV and they will
> continue with clam... if you don't like that clamav is held to the same
> standards as everybody else, well boo hoo...

Just because NAV was given a bad name for years doesn't make it right.
People often have hidden agendas, and I expect a lot of people slag off
Norton because they don't like Symantec. That's why (right or wrong) I
tend to suspect an anti-open source agenda in some of the comments
against Clam.

> either the people involved don't have the knowledge/experience, or they
> move at a glacial pace... it's been years and they still, apparently,
> are doing dumb string scanning (as evidenced by your recent comments
> about what you can do with the eicar string and a word document)...

They are making some rapid improvements. The latest version picks up
more macro viruses than the one I tested with a couple of weeks back did.

> you have in fact endorsed it and continue to endorse it for the
> purposes of scanning at the mail server level... you keep arguing that
> all these admins who say it works proves it's performing well in the
> real world...

I think it does, *in that application*. But I agree that it doesn't seem
to be ready for use as someone's sole g. p. scanner just yet.
 
Julian

kurt said:
> it is not suitable until it has a proven track record...

.... and in order to have a proven record, people have to start to use
it. Chicken and egg.

> are they warning people not to trust it as their only scanner?
>
> given that people generally only use one scanner, if they use clam they
> will be trusting it as their only scanner unless someone specifically
> warns them against it...

No they are not. But I am not going to try to defend this. The person or
people who have developed the ClamWin user interface are not the same
ones who are developing the ClamAV virus scanner. It is nothing more
than an interface to let you do on-demand scans with Clam, without using
a command prompt.

I also have developed (or adapted an existing) interface to work with
ClamAV. It's a lot more sophisticated than ClamWin, and has some change
detection capabilities that provide another way to detect possible viral
activity. But I'm not intending to make it available to the public at
large just at the moment.
 
Julian

kurt said:
> without independent test results to back them up those release history
> items mean nothing...
>
> without a proven track record, clamav is unsuitable for production
> systems... its performance *was* bad and we have no proof to say
> that it's since become good or is likely to stay good...

I think we're in danger of entering an endless loop where we continue to
re-state our opposing positions, so let's just agree to differ.
 
Art

> They are making some rapid improvements. The latest version picks up
> more macro viruses than the one I tested with a couple of weeks back did.

I recently scanned an unscientific collection of alleged macro virus
infected files. Real scanners such as KAV, McAfee and F-Prot only
alerted on about 43 files in the collection. Clam alerted on 243.

Now, I'm not going to bother sending 200 samples of likely crud to av
vendors in an attempt to prove that clam is doing nothing but a simple
minded sig scan, detecting crud, and false alarming. I'm not going to
bother to attempt to prove that Clam's developers probably just add
sigs for any old crud samples sent to them. I'll leave that exercise
to those who have an interest in Clam :)


http://home.epix.net/~artnpeg
 
Trog

Art said:
> I recently scanned an unscientific collection of alleged macro virus
> infected files. Real scanners such as KAV, McAfee and F-Prot only
> alerted on about 43 files in the collection. Clam alerted on 243.
>
> Now, I'm not going to bother sending 200 samples of likely crud to av
> vendors in an attempt to prove that clam is doing nothing but a simple
> minded sig scan, detecting crud, and false alarming. I'm not going to
> bother to attempt to prove that Clam's developers probably just add
> sigs for any old crud samples sent to them. I'll leave that exercise
> to those who have an interest in Clam :)

Please send those samples to me, and I will rectify any problems, or
tell you if they are actually infected.

If you want to authenticate me, my PGP key is on the ClamAV website in
the Contacts->team section.

-trog
trog ^ uncon.org
 
Julian

Art said:
> I recently scanned an unscientific collection of alleged macro virus
> infected files. Real scanners such as KAV, McAfee and F-Prot only
> alerted on about 43 files in the collection. Clam alerted on 243.
>
> Now, I'm not going to bother sending 200 samples of likely crud to av
> vendors in an attempt to prove that clam is doing nothing but a simple
> minded sig scan, detecting crud, and false alarming. I'm not going to
> bother to attempt to prove that Clam's developers probably just add
> sigs for any old crud samples sent to them. I'll leave that exercise
> to those who have an interest in Clam :)
>
>
> http://home.epix.net/~artnpeg

All of the macro viruses I tested it with had been detected by other
scanners. I recently reran the tests using the latest build available on
Windows and it now detects about 90% of these samples. I've sent the
ones it didn't detect to trog.

I also see that they are going to fix the problem of false Eicar detections.

Clam keeps on getting better, but no thanks to those who just sit in
their armchairs and rubbish it.
 
Art

> All of the macro viruses I tested it with had been detected by other
> scanners. I recently reran the tests using the latest build available on
> Windows and it now detects about 90% of these samples. I've sent the
> ones it didn't detect to trog.
>
> I also see that they are going to fix the problem of false Eicar detections.
>
> Clam keeps on getting better, but no thanks to those who just sit in
> their armchairs and rubbish it.

Frankly, I have better things to do. Been there and done that with
sending samples to clam's developers and other av vendors.
So I'm leaving that to those who have an interest, as I said. I am
interested enough though to look forward to the results of the next
test at VTC or elsewhere. I do hope we see the improvements you
believe exist.


http://home.epix.net/~artnpeg
 
»Q«

> ... and in order to have a proven record, people have to start to
> use it.

No they don't. What was under discussion was a proven track record in
rigorous testing, not a track record of users singing its praises.

> Chicken and egg.

Nope.
 
Roger Wilco

Julian said:
> Yes, I'm aware that the EICAR test is only supposed to be detected in
> that specific instance, Roger. I think Clam is basically working like
> other scanners do with the crap detector enabled.
>
> I just tried putting the Eicar string into an email header and scanning
> it, and it was detected. So now you know how to have a little fun with
> anyone who uses Clam on their mailserver. ;-)

Unfortunately I can think of some ways to have "fun" with those who use
it as a general purpose AV too.
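The point Julian and Roger are circling here (the EICAR string is only supposed to be reported in one specific form, yet Clam reported it from inside a mail header) is the difference between matching the string anywhere and applying the EICAR file definition. The block below is an added example written for this page; it is not ClamAV code and not anything posted in the thread. It contrasts a naive substring scan with a check of the EICAR definition (the 68-byte string at offset 0, followed only by whitespace, total length at most 128 bytes) over constructed inputs: two genuine test files, a file one byte too long, a mail with the string in a header, and a document-like blob with the string embedded. All sample inputs are constructed inline.

```python
"""Spec-conformant EICAR check versus a naive substring scan.

Added example, not ClamAV code. The EICAR definition: the 68-byte test
string at offset 0, optionally followed only by whitespace (space, tab,
CR, LF, Ctrl-Z), total length at most 128 bytes. The same bytes sitting
inside a mail header or an OLE document do not make a valid test file.
"""

# The test string is assembled at runtime from fragments so that this
# source file does not itself carry the contiguous 68-byte string.
_EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}",
                "$EICAR-STANDARD-",
                "ANTIVIRUS-TEST-FILE!$H+H*")
EICAR = "".join(_EICAR_PARTS).encode("ascii")
assert len(EICAR) == 68

MAX_LEN = 128                               # maximum valid file size
_TRAILING_OK = frozenset(b" \t\r\n\x1a")    # permitted padding bytes


def naive_scan(data: bytes) -> bool:
    """'Dumb string scanning': report the string wherever it occurs."""
    return EICAR in data


def strict_scan(data: bytes) -> bool:
    """Report only data that meets the EICAR file definition."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in _TRAILING_OK for b in data[len(EICAR):])


# Constructed sample inputs (not real samples from the thread).
SAMPLES = {
    # genuine test file: string plus CRLF
    "eicar.com": EICAR + b"\r\n",
    # still genuine: padded with spaces up to exactly 128 bytes
    "eicar_padded.com": EICAR + b" " * (MAX_LEN - len(EICAR)),
    # one byte too long: no longer a valid test file
    "too_long.com": EICAR + b" " * (MAX_LEN - len(EICAR) + 1),
    # the string placed in a mail header, as described in the thread
    "header.eml": (b"From: someone@example.invalid\r\n"
                   b"X-Note: " + EICAR + b"\r\n"
                   b"\r\nbody text\r\n"),
    # the string buried inside an OLE2-style document (constructed header)
    "report.doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
                   + EICAR + b"\x00" * 64),
}


def classify(samples=SAMPLES):
    """Return {name: (naive_hit, strict_hit)} for each sample."""
    return {name: (naive_scan(d), strict_scan(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (naive, strict) in classify().items():
        print(f"{name:18s} naive={naive!s:5s} strict={strict!s:5s}")
```

Run it directly to print both verdicts for each sample: the naive scan fires on every input, the strict check only on the two that are actually EICAR files. A scanner that treats the test string as an ordinary signature will also fire on any mail or document that merely contains it, which is exactly the "little fun" with a mail server that the post above describes.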
 
kurt wismer

Julian said:
> That's not a g. p. scanner. There is plenty of anecdotal evidence (which
> you don't accept) that Clam does a perfectly good job as a mail scanner,
> so I don't see what is wrong with recommending it for that specific
> task, especially to someone who is already using another g. p. scanner.

so then you think a mail scanner should only scan for malware that uses
email as an infection vector by design and just ignore the possibility
that one will encounter malware that uses it by chance?

sorry, but a mail scanner needs the same detection capabilities as a
general purpose scanner... conventional viruses spread from computer to
computer by the sharing of infected materials - and email happens to be
one of the more popular ways for individuals to transfer files to one
another...

> Just because NAV was given a bad name for years doesn't make it right.

occam's razor says otherwise... we have evidence that its performance
was very bad... without evidence that its performance has become very
good occam's razor requires that we consider its status relatively
unchanged... to hypothesize that it is now much better without evidence
is not logical...

> People often have hidden agendas, and I expect a lot of people slag off
> Norton because they don't like Symantec.

let me assure you right now, i have no hidden agenda now nor did i
when i was criticizing NAV for its bad performance years ago...

> That's why (right or wrong) I
> tend to suspect an anti-open source agenda in some of the comments
> against Clam.

that's pretty absurd... check how many of those anti-clam comments came
from people using mozilla, people who are proponents of open office
and/or linux, etc... your assumptions don't do you justice...

> They are making some rapid improvements. The latest version picks up
> more macro viruses than the one I tested with a couple of weeks back did.

that could simply be an addition of signatures... a lack of signatures
was not clam's only problem...

> I think it does, *in that application*. But I agree that it doesn't seem
> to be ready for use as someone's sole g. p. scanner just yet.

a mail scanner needs to have the same detection capabilities as a
general purpose scanner because just about everything a general purpose
scanner can detect can be inadvertently shared by people over email...
 
kurt wismer

Julian said:
> .... and in order to have a proven record, people have to start to use
> it. Chicken and egg.

false - it gets a proven track record in scientifically rigorous
independent testing...
 
kurt wismer

Roger said:
> Hmmm, the ClamWin page said they use the ClamAV engine IIRC and that the
> defs are updated by the ClamAV team. The ClamAV page says they detect a
> whopping 30,000 viruses worms and trojans - while this may be adequate
> for the usual suspects in the e-mail vector I don't think it is adequate
> for GP use.

i don't think it's adequate even for email scanning... maybe if you're
only interested in the viruses/worms that *spread themselves* by email,
but that's not really the only thing you're likely to see in email...

> I see in A.C.V. that Mr. Lipman has recommended it to a user
> without warning that it is inadequate for this usage. Does he know
> something we don't about ClamWin?

probably not... go chastise him if you like...
 
kurt wismer

Julian said:
> There's a saying "a million people can't be wrong." To which you'd
> presumably reply, "they could be, if there is no scientific evidence to
> prove they are right."

no, i'd probably reply "how many people voted for bush, again?"...

and then i might point you at a description of the logical fallacy
known as 'argumentum ad populum'...

> Let's just agree to differ. :)

if you insist - but only in those circumstances where doing so doesn't
compromise the greater good...
 
