On Wed, Nov 14, 2007 at 08:01:44PM +0200, Török Edwin wrote:
> Agreed, the defaults should not generate false positives, or have a very
> small chance to do so.
> The default will be changed, but not to "off", see .
That seems to be a smart thing to do, provided the implementation doesn't cause excessive overhead.
> > In fact, this very feature is the reason we are considering to stop the
> > use of ClamAV.
> You'll have the possibility to turn on only parts of the checks, see .
> Are you considering to stop using ClamAV *entirely* or just turn off
> specific features?
There are some in my company who want to stop using it entirely. The reason is that what we want is an email virus scanner, giving us an accurate indication of whether a particular email contains malware or not. However, clamav seems to shift to also detecting other kinds of unwanted email, and even into "email activism". An example is in the discussion of bug #551, especially: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=551#c2
(If someone says "this is a legitimate mail flagged by clam as malware, therefore it's a FP", you cannot say "oh but that mail uses unsafe constructs". That might be true, but it's still a legitimate mail that most users would want to receive)
I still think clamav gives a pretty good performance compared to how much it costs (note that it's not free: main costs are admin support costs and customer support calls in case of FPs. Extra hardware for the necessary CPU power is also a factor, although recent speed improvements helped a lot).
In my opinion, the default scanner should always only detect malware that constitutes an actual security threat, and that can be identified with enough certainty to cause negligible false positives.
For some people it might be nice that it also tries to detect spam and dodgy practices from legitimate but ignorant bankers or telemarketers, but as an ISP, I cannot block such emails. (But an option to block that on my mail server at home would be great!)
> > Complete lack of a standard naming scheme to distinguish
> > between viruses and phishing mails is also a factor here.
> ClamAV does have different names for malware and phish.
> See http://wiki.clamav.net/Main/MalwareNaming.
> If you know particular signatures that don't respect these rules, please
> tell us.
Well, there's an E-mail.Phishing.SMT rule. And I wonder what all those other 'E-?mail.' signatures are... There's Email.E-card, Email.Ecard, Email.hoax (how is that different from the Joke hierarchy?), etc. Even that wiki page doesn't seem like an authoritative document describing how malware is named, but more an after-the-fact list of names found to be present with a bit of explanation added.
If you're serious about detecting various kinds of unwanted email, you should have a rigid naming scheme to accurately identify the various different types.
> If you are referring to a standard naming scheme among different
> anti-virus products,
> it is an entirely different matter, and is just not possible generally.
No, I'm aware of that problem, but that's not of my concern.
> > However, spam and phishing detection has a much higher false positive
> > rate, so it's very unwise to discard the mails, and it's usually bad
> > to reject them (because of automatic bounce handling by legitimate bulk
> > mailers), so we put such mails in a special folder.
> Why does this make you want to drop the use of ClamAV?
> You can filter based on "virus found name", and those containing
> 'Heuristics' can go to
> your special folder.
> Or you can turn the feature entirely off.
If we do stop using clamav, it'll be because of the surprises we find after the next upgrade, or the upgrade after that. As I explained above, please keep the default scanner reliable (in terms of FPs).

-- 
Jan-Pieter Cornet <firstname.lastname@example.org>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs. !!
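As an added example (not from the thread and not ClamAV's own code) of the routing Edwin suggests above, here is a small Python policy that parses clamd-style result lines and sends hits whose name starts with `Heuristics.` or matches `E-?mail.` to a quarantine folder instead of rejecting them, while any other detection is rejected as confirmed malware. The `<target>: <signature> FOUND` / `<target>: OK` line format is assumed from clamdscan output, and the sample result lines are constructed for illustration.

```python
import re
from enum import Enum


class Action(Enum):
    DELIVER = "deliver"        # clean: hand to the user's mailbox
    REJECT = "reject"          # confirmed malware: refusing it at SMTP time is safe
    QUARANTINE = "quarantine"  # heuristic/phishing hit: higher FP rate, keep it for the user


# Assumed clamdscan-style result line: "<target>: <signature> FOUND" or "<target>: OK".
RESULT_RE = re.compile(r"^(?P<target>.+?): (?:(?P<sig>\S+) FOUND|OK)$")

# Name families the thread treats as "unwanted email" rather than malware proper.
HEURISTIC_FAMILY_RE = re.compile(r"^(?:Heuristics\.|E-?mail\.)")


def parse_result(line: str):
    """Return (target, signature); signature is None for a clean result."""
    m = RESULT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised clamd result line: {line!r}")
    return m.group("target"), m.group("sig")


def is_heuristic(sig: str) -> bool:
    """True for detections that should be quarantined, not rejected."""
    return HEURISTIC_FAMILY_RE.match(sig) is not None


def decide(line: str) -> Action:
    _, sig = parse_result(line)
    if sig is None:
        return Action.DELIVER
    if is_heuristic(sig):
        return Action.QUARANTINE
    return Action.REJECT


# Constructed sample output; signature names are illustrative, not a real scan.
SAMPLE_RESULTS = [
    "/var/spool/msg1: OK",
    "/var/spool/msg2: Eicar-Test-Signature FOUND",
    "/var/spool/msg3: Heuristics.Phishing.Email.SpoofedDomain FOUND",
    "/var/spool/msg4: E-mail.Phishing.SMT FOUND",
]


def route_all(lines):
    """Map each scanned target to the action the policy takes for it."""
    return {parse_result(l)[0]: decide(l).value for l in lines}


if __name__ == "__main__":
    for target, action in route_all(SAMPLE_RESULTS).items():
        print(f"{target}: {action}")
```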