[Mimedefang] Which AV package are most people using with MimeDefang?

Nels Lindquist nlindq at maei.ca
Wed Oct 23 12:47:01 EDT 2002


On 23 Oct 2002 at 11:11, David F. Skoll wrote:

> Has anyone tried this experiment?
> 
> - Install ClamAV with the clamd daemon and freshclam.
> - Block all the dangerous extensions with MD.
> - Wait a month or two and see if *anything* gets past that would have
>   been trapped by a commercial virus scanner.

I don't think this is really a fair test. :-)

I'm quite willing to concede that one could even drop all AV scanning 
entirely, block all dangerous extensions with MD, and never be 
infected--at least, not through a protected mail relay.  

However, as with all things security related, there's a tradeoff 
between security and convenience.  For many users--especially non-
technical ones--the most convenient and intuitive way to transfer 
files from one person to another over the Internet (or even to the 
person at the next desk, despite their 100Mb LAN connection... 
*sigh*) is through an e-mail attachment.

Fact is, a very high percentage (99%+, I'd say) of Word documents, 
Excel spreadsheets, etc. which are transmitted via e-mail have a 
legitimate purpose and are completely free of viruses.  Are there 
other ways to transfer those files?  Of course.  Are they as 
convenient?  Probably not.

We therefore employ an e-mail virus scanner for a very specific 
purpose--to close the gap between security and convenience.  We've 
relaxed the MD "quarantine" list somewhat to allow certain types of 
files through, but we first scan those files to reduce the risk.
 
> I have my doubts.  I think the (commercial) virus-scanning industry is
> a big ripoff, 

There's some truth to that, though I believe it to be less true today 
than it was in the days before macro viruses and mass-email viruses.  
I agree that there's a lot of hype and fearmongering in the A/V 
industry.  Still, virus scanners are demonstrably effective.  And 
given the number of vendors out there, based in many different 
countries around the world, all operating in a free market, I'm not 
convinced that they've all sat down together and conspired to rip us 
off. :-)

> and MD's default filter in combination with clamd is probably every bit
> as good as a commercial package. 

This is the part that I don't think is fair.  MD filtering in 
combination with *any* virus scanner, commercial or otherwise, is 
more secure than that virus scanner on its own.  The more interesting 
question is whether or not ClamAV is as effective as a commercial 
virus scanner.  (I'll point out here that ClamAV is a relative 
newcomer to the A/V scene.  Open Antivirus, being Java based, was 
just too slow for the task at hand.)

Is an open, collaborative, volunteer model for collecting new viruses 
in the wild and providing timely and effective updates better than an 
equivalent commercial model?  I don't know.  If the answer is yes, 
then I would definitely consider switching.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.



