[Mimedefang] ClamAV effectiveness
John Nemeth
jnemeth at cue.bc.ca
Mon Jul 1 21:46:54 EDT 2013
On Jun 28, 9:31pm, Kees Theunissen wrote:
} On Fri, 28 Jun 2013, David F. Skoll wrote:
}
} >I assume a few people on this list use ClamAV. Have you noticed that
} >it has become next to useless for detecting viruses? The latest rash of
} >fax spams that contain EXEs inside ZIPs just seem to sail past ClamAV.
} >We always hold EXEs and EXEs inside ZIPs, so our clients are safe, but
} >really ClamAV is not doing its job.
}
} Stats from one of my MX-servers over the current week (log file started
} last Monday morning).
}
} 1499 Messages were rejected because ClamAV detected a variant of
} Suspect.DoubleExtension-zippwd-*
}
} 30 Messages were rejected because ClamAV detected an other virus.
}
} 947 Messages were rejected because they contained .exe files with
} double extensions (.doc.exe or .JPEG.exe) in a zipped attachment.
} None of those were detected by ClamAV.
Do you perform this test before checking for viruses? I know
I would, as a simple test to catch low-hanging fruit like this is
always going to run much faster than a virus scanner.
} 32 Other messages contained a .exe file in a zipped attachment.
} These messages were not recognized by ClamAV but --looking over
} the logs-- I'm quite sure they were malicious.
} These messages were accepted but the attachment was renamed to
} a ._zip extension to keep my users from opening the files by
} accident.
}
} >Are others noticing it? And if you use commercial AV software, does it
} >seem to do a better job than ClamAV?
}
} The 32 messages with zipped .exe files mentioned above were delivered
} to a MS Exchange server running "Symantec Mail Security for Microsoft
} Exchange". None of these messages were detected by Symantec as being
} malicious. Symantec logged 7 times that the attachment was encrypted
} and couldn't be scanned.
}
}-- End of excerpt from Kees Theunissen
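The kind of cheap pre-filter John asks about, as an added Python example that is not part of this thread and not MIMEDefang's own (Perl) filter code: it walks the MIME parts of a message, reads only the central directory of each zip attachment (no decompression), and flags members with a decoy double extension such as .doc.exe or .JPEG.exe, bare executables, and entries carrying the zip encryption flag that an AV engine cannot look into. The extension lists, the sample "fax" message and the archive contents are constructed for the example; nested zips are not descended.

```python
"""Cheap pre-filter for zipped executables, meant to run before ClamAV.

Added illustrative code; the extension lists below are assumptions, not a
reference from MIMEDefang or ClamAV.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Extensions Windows will execute on double-click (assumed, trim or extend as needed).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# The decoy pattern from the thread: a "document" suffix in front of an executable one.
DOUBLE_EXT = re.compile(r"\.(doc|docx|xls|xlsx|pdf|jpe?g|png|txt)\.(exe|scr|pif|com)$",
                        re.IGNORECASE)
ZIP_ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the zip local/central header


def classify_member(name: str, flag_bits: int = 0) -> Optional[str]:
    """Return a reason string if a zip member looks like bait, else None."""
    base = name.rsplit("/", 1)[-1]          # ignore directory components inside the archive
    if DOUBLE_EXT.search(base):
        return "double-extension executable"
    ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXEC_EXTS:
        return "bare executable"
    if flag_bits & ZIP_ENCRYPTED_FLAG:
        return "encrypted member (AV cannot scan)"
    return None


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """List (member, reason) for every suspicious entry; reads the directory only."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    with zf:
        hits = []
        for info in zf.infolist():
            reason = classify_member(info.filename, info.flag_bits)
            if reason:
                hits.append((info.filename, reason))
        return hits


def scan_message(raw: bytes) -> List[Tuple[str, str, str]]:
    """Walk the MIME parts, scan each zip attachment, return (attachment, member, reason)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        fname = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or fname.lower().endswith(".zip"):
            for member, reason in scan_zip(part.get_payload(decode=True)):
                findings.append((fname, member, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed test input: a 'fax' message whose zip holds decoy-named executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fax_Report.doc.exe", b"MZ fake")   # constructed, not a real PE
        zf.writestr("scan01.JPEG.exe", b"MZ fake")
        zf.writestr("cover.txt", b"please see attached")
    msg = EmailMessage()
    msg["From"] = "fax@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You have a new fax"
    msg.set_content("Your fax is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="fax.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for att, member, reason in scan_message(build_sample_message()):
        print(f"REJECT {att}: {member} ({reason})")
```

Because the check only parses the zip central directory and never inflates the members, it costs microseconds per attachment, which is why it makes sense to run it ahead of the signature scanner and reject (or rename, as Kees does) before ClamAV is even invoked.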