[Mimedefang] ClamAV effectiveness

Kees Theunissen C.J.Theunissen at differ.nl
Fri Jun 28 15:31:55 EDT 2013


On Fri, 28 Jun 2013, David F. Skoll wrote:

>Hi,
>
>I assume a few people on this list use ClamAV.  Have you noticed that
>it has become next to useless for detecting viruses?  The latest rash of
>fax spams that contain EXEs inside ZIPs just seem to sail past ClamAV.
>We always hold EXEs and EXEs inside ZIPs, so our clients are safe, but
>really ClamAV is not doing its job.

Stats from one of my MX-servers over the current week (log file started
last Monday morning).

1499  Messages were rejected because ClamAV detected a variant of
      Suspect.DoubleExtension-zippwd-*

  30  Messages were rejected because ClamAV detected another virus.

 947  Messages were rejected because they contained .exe files with
      double extensions (.doc.exe or .JPEG.exe) in a zipped attachment.
      None of those were detected by ClamAV.

  32  Other messages contained a .exe file in a zipped attachment.
      These messages were not recognized by ClamAV but --looking over
      the logs-- I'm quite sure they were malicious.
      These messages were accepted but the attachment was renamed to
      a ._zip extension to keep my users from opening the files by
      accident.

>Are others noticing it?  And if you use commercial AV software, does it
>seem to do a better job than ClamAV?

The 32 messages with zipped .exe files mentioned above were delivered
to a MS Exchange server running "Symantec Mail Security for Microsoft
Exchange". None of these messages were detected by Symantec as being
malicious. Symantec logged 7 times that the attachment was encrypted
and couldn't be scanned.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   C.J.Theunissen at differ.nl
postal address:   PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
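The triage described in the post (reject zipped .exe files that carry a double extension, let other zipped .exe files through but rename the attachment to ._zip, and treat encrypted archive entries as unscannable) as an added example, not code from the post or from MIMEDefang. MIMEDefang filters are written in Perl; this is a stand-alone Python illustration of the same member-name checks. The list of inner "document" extensions, the verdict names, and the choice to reject an encrypted .exe entry outright are assumptions made here, and `build_zip` / `mark_encrypted` only construct test fixtures.

```python
import io
import re
import zipfile

# Member-name patterns.  The post's examples are ".doc.exe" and ".JPEG.exe";
# the inner-extension list is an assumption that generalises them.
DOUBLE_EXT_EXE = re.compile(
    r"\.(doc|docx|xls|xlsx|pdf|txt|jpe?g|png|gif)\.exe$", re.IGNORECASE)
ANY_EXE = re.compile(r"\.exe$", re.IGNORECASE)
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in a zip header = encrypted entry


def build_zip(members):
    """Constructed test fixture: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Constructed test fixture: set the 'encrypted' flag bit on the first
    central-directory entry so the archive *looks* password-protected.
    The data itself is untouched; only the header flag changes."""
    data = bytearray(zip_bytes)
    idx = data.find(b"PK\x01\x02")   # central directory file header signature
    data[idx + 8] |= ENCRYPTED_FLAG    # general-purpose flags sit at offset 8
    return bytes(data)


def classify_zip(zip_bytes):
    """Inspect the member list of a zipped attachment without extracting it.

    Returns (verdict, reasons); verdict is one of
      'reject' - a double-extension .exe, or an .exe the scanner cannot
                 inspect because the entry is encrypted (assumed policy)
      'rename' - a plain .exe member: deliver, but neutralise the attachment
      'accept' - nothing suspicious in the member names
    """
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        # An archive the library cannot parse cannot be scanned either, so
        # do not hand it to the user as a ready-to-open zip.
        return "rename", ["archive could not be parsed"]

    verdict = "accept"
    for info in infos:
        name = info.filename.rsplit("/", 1)[-1]     # drop directory prefix
        encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
        if DOUBLE_EXT_EXE.search(name):
            reasons.append(f"double-extension executable: {name}")
            verdict = "reject"
        elif ANY_EXE.search(name) and encrypted:
            reasons.append(f"encrypted executable, unscannable: {name}")
            verdict = "reject"
        elif ANY_EXE.search(name):
            reasons.append(f"executable in archive: {name}")
            if verdict == "accept":
                verdict = "rename"
        elif encrypted:
            reasons.append(f"encrypted member, content not scanned: {name}")
    return verdict, reasons


def neutralised_name(attachment_name):
    """Rename foo.zip -> foo._zip so a mail client will not open it directly."""
    base, dot, ext = attachment_name.rpartition(".")
    if not dot:
        return attachment_name + "._zip"
    return f"{base}._{ext}"


if __name__ == "__main__":
    # Constructed sample attachments modelled on the fax-spam pattern.
    samples = {
        "fax_doc.zip": build_zip({"Fax_0042.doc.exe": b"MZ", "readme.txt": b"x"}),
        "fax_plain.zip": build_zip({"Fax_0042.exe": b"MZ"}),
        "fax_pdf.zip": build_zip({"Fax_0042.pdf": b"%PDF-1.4"}),
        "fax_pwd.zip": mark_encrypted(build_zip({"Fax_0042.exe": b"MZ"})),
    }
    for attachment, blob in samples.items():
        verdict, reasons = classify_zip(blob)
        shown = neutralised_name(attachment) if verdict == "rename" else attachment
        print(f"{attachment:14} -> {verdict:6} {shown:16} {'; '.join(reasons)}")
```

Only the member names and header flags are examined, so the check costs nothing beyond reading the central directory, and it still works when the archive is password-protected and a content scanner would give up on it.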



