ClamAV no longer effective

ramprage
I've been finding the successful scans with ClamAV (latest version) useless lately. It simply misses way too many viruses to be effective. I feel like I'm using an anti-virus scanner from 1995 in 2007.

I recently switched to F-Prot and it has been excellent and very effective. It quickly scans any messages and managed to pick up even phishing-based bank messages.

Anyone using ClamAV frustrated with the amount of virus/malware that slips through should consider making the switch to F-Prot. I install it by default for all my clients now with great success.

ramprage
Here are some more details about the issues.


I scanned the users home directory with the following flags:
# f-prot username
# clamscan -r username

Some interesting results:

Both were installed on the same server and run about 5 minutes apart. They each scanned the same users directory. At the time of the scan I was logged into a second SSH session and ran the top command to see how things were going.



Scanned with clamscan

clamscan -V
ClamAV 0.90/2780/Thu Mar 8 13:30:21 2007


Time and resources:
Time to complete scan: 17:51

In top, clamscan peaked at about 46% CPU usage. The scan took almost 18 minutes... it was #1 in the top results.

Here at nearly 8 minutes in:
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
  379 root      25   0 24444  23M  1340 R    47.7  1.1   7:43   1 clamscan

10 minutes into the scan:
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
  379 root      25   0 24428  23M  1308 R    25.8  1.1  10:12   1 clamscan

Virus Results:
----------- SCAN SUMMARY -----------
Known viruses: 97361
Engine version: 0.90
Scanned directories: 2715
Scanned files: 14647
Infected files: 4
Data scanned: 1296.34 MB
Time: 1071.432 sec (17 m 51 s)




Scanned with f-prot

f-prot -verno
F-PROT ANTIVIRUS
Program version: 4.6.7
Engine version: 3.16.15

VIRUS SIGNATURE FILES
SIGN.DEF created 8 March 2007
SIGN2.DEF created 8 March 2007
MACRO.DEF created 8 March 2007

Time and resources:
Time to complete scan: 1:17

Resources of f-prot were relatively low. It stayed around 8% CPU during the scan with a high peak near the end of 21% for a few seconds.

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
11048 root      24   0  9348 9348   820 D     9.2  0.4   0:04   1 f-prot

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
11048 root      25   0  9380 9380   852 R    21.7  0.4   0:11   0 f-prot


Virus Results:
It found 4 viruses and 2 suspicious files.

.scr Infection: W32/[email protected]
.scr Infection: W32/[email protected]
.exe Infection: W32/[email protected]
.scr Infection: W32/[email protected]

Results of virus scanning with f-prot:

Files: 14758
MBRs: 0
Boot sectors: 0
Objects scanned: 11267
Infected: 4
Suspicious: 2
Disinfected: 0
Deleted: 0
Renamed: 0



Final results:

F-Prot completed the same scan 16:43 minutes faster than clamav.
As you can see from the time it takes alone to scan the same data, F-Prot is a sure winner.


ClamAV claims to scan against "97,361"
F-Prot claims to scan against "somewhere over 412,000"


Interesting stuff eh :D
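The two scan summaries above give wall-clock time and data volume, but comparing scanners (or two ClamAV versions) is easier on throughput than on raw minutes, and the "known viruses" figure is not comparable across vendors because each counts signatures differently. The following is an added example, not code from the thread or from either scanner's vendor: a small POSIX shell helper that reads a ClamAV "SCAN SUMMARY" block on stdin and prints files/s and MB/s. It assumes the summary line format shown in the post above; the sample input is the block quoted there, embedded inline as constructed test data. The hypothetical function name clam_summary and its output key=value format are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): turn a ClamAV
# "SCAN SUMMARY" block into throughput figures so two scan runs over
# the same directory can be compared on files/s and MB/s rather than
# on elapsed time alone.  Reads the summary on stdin.
clam_summary() {
    awk '
        /^Known viruses:/   { sigs = $3 }
        /^Scanned files:/   { files = $3 }
        /^Infected files:/  { infected = $3 }
        /^Data scanned:/    { mb = $3 }        # "Data scanned: 1296.34 MB"
        /^Time:/            { secs = $2 }      # "Time: 1071.432 sec (...)"
        END {
            # Refuse to divide by zero when no summary block was seen.
            if (secs + 0 == 0) { print "no summary found"; exit 1 }
            printf "sigs=%d files=%d infected=%d mb=%.2f secs=%.3f mb_per_s=%.2f files_per_s=%.2f\n",
                sigs, files, infected, mb, secs, mb / secs, files / secs
        }'
}

# Constructed sample input: the clamscan summary quoted earlier in this thread.
SAMPLE='----------- SCAN SUMMARY -----------
Known viruses: 97361
Engine version: 0.90
Scanned directories: 2715
Scanned files: 14647
Infected files: 4
Data scanned: 1296.34 MB
Time: 1071.432 sec (17 m 51 s)'

# Against a live scan this would be:  clamscan -r /home/username | clam_summary
printf '%s\n' "$SAMPLE" | clam_summary
```

Run the same helper over a second scan of the same directory (for example after a ClamAV upgrade, or with a different signature set) and compare the mb_per_s and files_per_s fields; the CPU figures from top are still worth recording separately, since a scanner can be slow because it is CPU-bound or because it is waiting on disk.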

nyjimbo
> Interesting stuff eh :D

Is there a simple way to implement it on the server so that it's updatable without cPanel removing all changes or overwriting things when it does UPCP?

What, if anything, did F-Prot cost you?

AndyReed (PartnerNOC)
If you like F-Prot for its speed or any other reason, that's fine. Every application/service/program is unique in many things, including its layout, architecture, functions, and configuration. Now, ClamAV is a very powerful anti-virus toolkit. I googled for information about the two viruses listed in this thread and found the following:

Symantec Security
As of April 11, 2004, due to a decrease in submission rate, Symantec Security Response has downgraded [email protected] from a Category 3 level threat to a Category 2 threat. http://www.symantec.com/security_response/writeup.jsp?docid=2004-032913-5722-99

McAfee
Risk Assessment: Low
Applies to locally exploitable vulnerabilities that, when successfully leveraged, do not result in a permanent compromise of the attacked systems. http://vil.nai.com/vil/content/v_139261.htm

Personally, I still believe ClamAV is a great application, and I have no intention to switch to any other anti-virus toolkit at present.

nyjimbo
> I googled for information about the two viruses listed in this thread and found the following: ...

But what does that have to do with the performance or database size of F-Prot? Even if a virus threat is downgraded, if you get the virus you're still infected, regardless of whether the threat level is decreased. From the OP's post it would seem that F-Prot is a much better scanner, both faster and with a bigger virus database.

ramprage
> Is there a simple way to implement it on the server so that it's updatable without cPanel removing all changes or overwriting things when it does UPCP?
>
> What, if anything, did F-Prot cost you?

F-Prot can be easily installed so cPanel updates do not affect it in any way. It will continue to operate on its own and have its own updates when you specify, separate from cPanel's.

F-Prot is free for non commercial use. This was using their Home/workstation version. Check their site for details on different licenses available. I managed to get this working nicely with Exim.


Their corporate workstation version is available for $25:
http://www.f-prot.com/products/corporate_users/unix/linux/workstations.html

They also have a special mail version. I haven't tried it out yet, but it's a bit more costly, still reasonable. However, they do not claim to support Exim...