[Mimedefang] ClamAV effectiveness
Kees Theunissen
C.J.Theunissen at differ.nl
Fri Jun 28 15:31:55 EDT 2013
On Fri, 28 Jun 2013, David F. Skoll wrote:
>Hi,
>
>I assume a few people on this list use ClamAV. Have you noticed that
>it has become next to useless for detecting viruses? The latest rash of
>fax spams that contain EXEs inside ZIPs just seem to sail past ClamAV.
>We always hold EXEs and EXEs inside ZIPs, so our clients are safe, but
>really ClamAV is not doing its job.
Stats from one of my MX-servers over the current week (log file started
last Monday morning).
1499 Messages were rejected because ClamAV detected a variant of
Suspect.DoubleExtension-zippwd-*
30 Messages were rejected because ClamAV detected another virus.
947 Messages were rejected because they contained .exe files with
double extensions (.doc.exe or .JPEG.exe) in a zipped attachment.
None of those were detected by ClamAV.
32 Other messages contained a .exe file in a zipped attachment.
These messages were not recognized by ClamAV but --looking over
the logs-- I'm quite sure they were malicious.
These messages were accepted but the attachment was renamed to
a ._zip extension to keep my users from opening the files by
accident.
>Are others noticing it? And if you use commercial AV software, does it
>seem to do a better job than ClamAV?
The 32 messages with zipped .exe files mentioned above were delivered
to an MS Exchange server running "Symantec Mail Security for Microsoft
Exchange". None of these messages were detected by Symantec as being
malicious. Symantec logged 7 times that the attachment was encrypted
and couldn't be scanned.
Regards,
Kees Theunissen.
--
Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: C.J.Theunissen at differ.nl
postal address: PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
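The policy Kees describes (reject zipped attachments whose entries carry a decoy double extension such as .doc.exe or .JPEG.exe, rename a zip that holds a plain .exe to ._zip so it is not opened by accident, accept the rest), as an added example in Python. This is not MIMEDefang's Perl filter and not code from the thread; the executable and decoy extension lists, the sample "fax" messages and the zip contents are all constructed here. The check reads only the entry names from the zip's central directory and extracts nothing, which is why it still works on password-protected archives whose bodies an AV engine cannot scan.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed lists: executable extensions never wanted by mail, and the decoy
# document/image suffixes seen in front of them (.doc.exe, .JPEG.exe, ...).
EXEC_EXTS = ("exe", "scr", "pif", "com", "bat", "cmd")
DECOY_EXTS = ("doc", "docx", "pdf", "jpg", "jpeg", "png", "gif", "txt", "xls", "xlsx")
DOUBLE_EXT = re.compile(
    r"\.(%s)\.(%s)$" % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)), re.IGNORECASE
)


def name_verdict(name: str) -> str:
    """Classify one file name as 'double-ext', 'exe' or 'clean'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    if DOUBLE_EXT.search(base):
        return "double-ext"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    return "exe" if ext in EXEC_EXTS else "clean"


def classify_zip(data: bytes) -> dict:
    """Judge a zip by its entry names only; nothing is extracted.

    Entry names sit in the central directory and stay readable even when the
    entries themselves are encrypted, so a password-protected zip can still be
    classified. The 'encrypted' flag is reported for logging.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            names = [i.filename for i in infos]
            encrypted = any(i.flag_bits & 0x1 for i in infos)  # bit 0 = encrypted
    except zipfile.BadZipFile:
        return {"verdict": "bad-zip", "encrypted": False, "names": []}
    verdict = "clean"
    for n in names:
        v = name_verdict(n)
        if v == "double-ext":
            verdict = v
            break
        if v == "exe":
            verdict = v
    return {"verdict": verdict, "encrypted": encrypted, "names": names}


def decide(raw: bytes) -> tuple:
    """Apply the policy to one raw message.

    Returns ('reject', reason, None) or ('accept', renamed, message_bytes),
    where renamed lists (old, new) attachment names changed to ._zip.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    renamed = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if name_verdict(fname) != "clean":  # bare .exe or decoy.doc.exe attachment
            return "reject", "executable attachment %r" % fname, None
        if not fname.lower().endswith(".zip"):
            continue
        report = classify_zip(part.get_payload(decode=True) or b"")
        if report["verdict"] == "double-ext":
            return "reject", "double extension in %s: %s" % (fname, report["names"]), None
        if report["verdict"] == "exe":
            # Keep the message, but make the archive inert for a double-click.
            new_name = fname[:-4] + "._zip"
            part.set_param("filename", new_name, header="Content-Disposition")
            if part.get_param("name") is not None:
                part.set_param("name", new_name)
            renamed.append((fname, new_name))
    return "accept", renamed, msg.as_bytes()


def attachment_names(raw: bytes) -> list:
    """Attachment file names of a message (used to verify the rename)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_attachments()]


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def make_message(zip_name: str, zip_bytes: bytes) -> bytes:
    """A constructed 'fax' spam carrying one zipped attachment."""
    msg = EmailMessage()
    msg["From"] = "fax@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You have received a new fax"
    msg.set_content("Please find the fax attached.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "fax.zip": make_zip({"fax0001.JPEG.exe": b"MZ\x90\x00"}),   # rejected
        "fax2.zip": make_zip({"fax0002.exe": b"MZ\x90\x00"}),       # renamed to ._zip
        "report.zip": make_zip({"report.pdf": b"%PDF-1.4"}),       # accepted
    }
    for zname, zbytes in samples.items():
        action, detail, _ = decide(make_message(zname, zbytes))
        print(zname, "->", action, detail)
```

Two caveats a production filter would add: the check looks only at immediate attachments and does not descend into a zip nested inside another zip, and renaming to ._zip only blunts an accidental double-click; a user who renames the file back gets the executable, so the reject path is the one that actually protects anyone.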