[Mimedefang] ClamAV effectiveness

[John Nemeth]

On Jun 28,  9:31pm, Kees Theunissen wrote:
} On Fri, 28 Jun 2013, David F. Skoll wrote:
} 
} >I assume a few people on this list use ClamAV.  Have you noticed that
} >it has become next to useless for detecting viruses?  The latest rash of
} >fax spams that contain EXEs inside ZIPs just seem to sail past ClamAV.
} >We always hold EXEs and EXEs inside ZIPs, so our clients are safe, but
} >really ClamAV is not doing its job.
} 
} Stats from one of my MX-servers over the current week (log file started
} last Monday morning).
} 
} 1499  Messages were rejected because ClamAV detected a variant of
}       Suspect.DoubleExtension-zippwd-*
} 
}   30  Messages were rejected because ClamAV detected an other virus.
} 
}  947  Messages were rejected because they contained .exe files with
}       double extensions (.doc.exe or .JPEG.exe) in a zipped attachment.
}       None of those were detected by ClamAV.

     Do you perform this test before checking for viruses?  I know
I would, as a simple test to catch low hanging fruit like this is
always going to run much faster then a virus scanner.

}   32  Other messages contained a .exe file in a zipped attachment.
}       These messages were not recognized by ClamAV but --looking over
}       the logs-- I'm quite sure they were malicious.
}       These messages were accepted but the attachment was renamed to
}       a ._zip extension to keep my users from opening the files by
}       accident.
} 
} >Are others noticing it?  And if you use commercial AV software, does it
} >seem to do a better job than ClamAV?
} 
} The 32 messages with zipped .exe files mentioned above were delivered
} to a MS Exchange server running "Symantec Mail Security for Microsoft
} Exchange". None of these messages were detected by Symantec as being
} malicious. Symantec logged 7 times that the attachment was encrypted
} and couldn't be scanned.
} 
}-- End of excerpt from Kees Theunissen