The Community Forums


ClamAv no longer effective

Discussion in 'General Discussion' started by ramprage, Mar 8, 2007.

  1. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I've been finding the successful scans with ClamAV (latest version) useless lately. It simply misses way too many viruses to be effective. I feel like I'm using an anti-virus scanner from 1995 in 2007.

    I recently switched to F-Prot and it has been excellent and very effective. It quickly scans any messages and managed to pick up even phishing-based bank messages.

    Anyone using ClamAV frustrated with the amount of virus/malware that slips through should consider making the switch to F-Prot; I install it by default for all my clients now with great success.
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Which "latest version" are we talking about here? The latest version embedded in cPanel/WHM, or v0.90.1 at http://www.clamav.net/
    How can you support your claim? Did you report the viruses that slipped through to the ClamAV Bugzilla at: https://wwws.clamav.net/bugzilla/
     
  3. ramprage

    Here are some more details about the issues.


    I scanned the users home directory with the following flags:
    # f-prot username
    # clamscan -r username

    Some interesting results:

    Both were installed on the same server and run about 5 minutes apart. They each scanned the same user's directory. At the time of the scan I was logged into a second SSH session and ran the top command to see how things were going.



    Scanned with clamscan

    clamscan -V
    ClamAV 0.90/2780/Thu Mar 8 13:30:21 2007


    Time and resources:
    Time to complete scan: 17:51

    In top, clamscan peaked at 46% CPU usage. The scan took almost 18 minutes; it was #1 in the top results.

    Here at nearly 8 minutes in
    379 root 25 0 24444 23M 1340 R 47.7 1.1 7:43 1 clamscan

    10 minutes into the scan...
    379 root 25 0 24428 23M 1308 R 25.8 1.1 10:12 1 clamscan

    Virus Results:
    ----------- SCAN SUMMARY -----------
    Known viruses: 97361
    Engine version: 0.90
    Scanned directories: 2715
    Scanned files: 14647
    Infected files: 4
    Data scanned: 1296.34 MB
    Time: 1071.432 sec (17 m 51 s)




    Scanned with f-prot,

    f-prot -verno
    F-PROT ANTIVIRUS
    Program version: 4.6.7
    Engine version: 3.16.15

    VIRUS SIGNATURE FILES
    SIGN.DEF created 8 March 2007
    SIGN2.DEF created 8 March 2007
    MACRO.DEF created 8 March 2007

    Time and resources:
    Time to complete scan: 1:17

    Resources of f-prot were relatively low. It stayed around 8% CPU during the scan with a high peak near the end of 21% for a few seconds.

    11048 root 24 0 9348 9348 820 D 9.2 0.4 0:04 1 f-prot

    11048 root 25 0 9380 9380 852 R 21.7 0.4 0:11 0 f-prot


    Virus Results:
    It found 4 viruses and 2 suspicious files.

    .scr Infection: W32/Netsky.Q@mm
    .scr Infection: W32/Netsky.Q@mm
    .exe Infection: W32/Mytob.ID@mm
    .scr Infection: W32/Mytob.ID@mm

    Results of virus scanning with f-prot:

    Files: 14758
    MBRs: 0
    Boot sectors: 0
    Objects scanned: 11267
    Infected: 4
    Suspicious: 2
    Disinfected: 0
    Deleted: 0
    Renamed: 0



    Final results:

    F-Prot completed the same scan 16:43 minutes faster than clamav.
    As you can see from the time it takes alone to scan the same data, F-prot is a sure winner.


    ClamAV claims to scan against "97,361"
    F-Prot claims to scan against "somewhere over 412,000"


    Interesting stuff eh :D
     
    #3 ramprage, Mar 8, 2007
    Last edited: Mar 8, 2007
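The comparison in the post above, as an added example that is not part of the original thread: a small Python script that parses the clamscan SCAN SUMMARY block, the F-Prot result block and the quoted top lines, then recomputes the figures a reader would want to check (elapsed-time difference from the two reported times, clamscan throughput in MB/s, peak %CPU of each scanner) and flags that the two tools report different file totals for what is described as the same directory. The summary text and top lines are copied from the post as constructed samples; F-Prot's summary carries no elapsed time, so its wall time is passed in as the mm:ss value the poster reported.

```python
import re

# Constructed sample: the clamscan SCAN SUMMARY block quoted in the post above.
CLAMSCAN_SUMMARY = """\
----------- SCAN SUMMARY -----------
Known viruses: 97361
Engine version: 0.90
Scanned directories: 2715
Scanned files: 14647
Infected files: 4
Data scanned: 1296.34 MB
Time: 1071.432 sec (17 m 51 s)
"""

# Constructed sample: the F-Prot result block quoted in the post above.
FPROT_SUMMARY = """\
Files: 14758
MBRs: 0
Boot sectors: 0
Objects scanned: 11267
Infected: 4
Suspicious: 2
Disinfected: 0
Deleted: 0
Renamed: 0
"""

# Constructed sample: the 'top' lines quoted in the post. Column layout of
# top's default view: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ P COMMAND
TOP_SAMPLES = {
    "clamscan": [
        "379 root 25 0 24444 23M 1340 R 47.7 1.1 7:43 1 clamscan",
        "379 root 25 0 24428 23M 1308 R 25.8 1.1 10:12 1 clamscan",
    ],
    "f-prot": [
        "11048 root 24 0 9348 9348 820 D 9.2 0.4 0:04 1 f-prot",
        "11048 root 25 0 9380 9380 852 R 21.7 0.4 0:11 0 f-prot",
    ],
}


def parse_summary(text):
    """Turn 'Key: value' lines into a dict.

    A value that starts with a number is stored as int or float and any
    trailing unit or parenthetical ('MB', 'sec (17 m 51 s)') is dropped;
    version strings are kept verbatim so '0.90' does not become 0.9.
    """
    result = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("-"):
            continue  # skip the dashed banner and anything that is not key: value
        key, _, raw = line.partition(":")
        key, raw = key.strip(), raw.strip()
        match = re.match(r"(-?\d+(?:\.\d+)?)", raw)
        if match and "version" not in key.lower():
            num = match.group(1)
            result[key] = float(num) if "." in num else int(num)
        else:
            result[key] = raw
    return result


def peak_cpu(top_lines):
    """Highest %CPU value across sampled top lines (9th whitespace column)."""
    return max(float(line.split()[8]) for line in top_lines)


def mmss_to_seconds(value):
    """'17:51' -> 1071, '1:17' -> 77."""
    minutes, seconds = value.split(":")
    return int(minutes) * 60 + int(seconds)


def compare(clam_text, fprot_text, fprot_wall_time):
    """Recompute the comparison figures from the raw scanner output.

    F-Prot's summary does not include elapsed time, so its wall-clock time is
    passed in as the mm:ss value the poster read off separately.
    """
    clam = parse_summary(clam_text)
    fprot = parse_summary(fprot_text)
    clam_secs = clam["Time"]
    fprot_secs = mmss_to_seconds(fprot_wall_time)
    return {
        "clam_seconds": clam_secs,
        "fprot_seconds": fprot_secs,
        "seconds_saved": round(clam_secs - fprot_secs, 3),
        "clam_mb_per_sec": round(clam["Data scanned"] / clam_secs, 2),
        "clam_files": clam["Scanned files"],
        "fprot_files": fprot["Files"],
        # The two tools report different file totals, so the "same data"
        # premise deserves a second look before the times are compared.
        "file_count_mismatch": clam["Scanned files"] != fprot["Files"],
        "clam_infected": clam["Infected files"],
        "fprot_infected": fprot["Infected"],
        "fprot_suspicious": fprot.get("Suspicious", 0),
        "clam_peak_cpu": peak_cpu(TOP_SAMPLES["clamscan"]),
        "fprot_peak_cpu": peak_cpu(TOP_SAMPLES["f-prot"]),
    }


if __name__ == "__main__":
    for key, val in compare(CLAMSCAN_SUMMARY, FPROT_SUMMARY, "1:17").items():
        print(f"{key:>20}: {val}")
```

Run as-is it prints the recomputed table; the file-count mismatch line is the one worth looking at before drawing conclusions from the timings, since a scanner that looks at fewer objects (or descends into archives differently) is not scanning the same data even when pointed at the same directory.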
  4. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Is there a simple way to implement it on the server so that it's updatable without cPanel removing all changes or overwriting things when it does UPCP?

    What, if anything, did F-Prot cost you?
     
  5. AndyReed

    If you like F-Prot for its speed or any other reason, that's fine. Every application/service/program is unique in many ways, including its layout, architecture, functions, and configuration. Now, ClamAV is a very powerful AntiVirus toolkit. I googled for information about the two viruses listed in this thread and found the following:

    Symantec Security
    As of April 11, 2004, due to a decrease in submission rate, Symantec Security Response has downgraded W32.Netsky.Q@mm from a Category 3 level threat to a Category 2 threat. http://www.symantec.com/security_response/writeup.jsp?docid=2004-032913-5722-99

    McAfee
    Risk Assessment: Low
    Applies to locally exploitable vulnerabilities that, when successfully leveraged, do not result in a permanent compromise of the attacked systems. http://vil.nai.com/vil/content/v_139261.htm

    Personally, I still believe ClamAV is a great application, and I have no intention to switch to any other AntiVirus toolkit at present.
     
    #5 AndyReed, Mar 8, 2007
    Last edited: Mar 8, 2007
  6. nyjimbo

    But what does that have to do with the performance or database size of F-Prot? Even if a virus threat is downgraded, if you get the virus it's still infected, regardless of whether the threat level is decreased. From the OP's post it would seem that F-Prot is a much better scanner, both faster and with a bigger virus database.
     
  7. ramprage

    F-Prot can be easily installed so cPanel updates do not affect it in any way. It will continue to operate on its own and have its own updates when you specify, separate from cPanel's.

    F-Prot is free for non commercial use. This was using their Home/workstation version. Check their site for details on different licenses available. I managed to get this working nicely with Exim.


    Their corporate workstation version is available for $25...
    http://www.f-prot.com/products/corporate_users/unix/linux/workstations.html

    They also have a special mail version. I haven't tried it out yet but it's a bit more costly, still reasonable. However, they do not claim to support Exim....
     
  8. 0xyGens

    0xyGens Registered

    Joined:
    Apr 18, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Do you have CentOS 4.4?
     