ClamAv no longer effective

I've been finding the successful scans with ClamAV (latest version) useless lately. It simply misses way to many viruses to be effective. I feel like I'm using an anti-virus scanner from 1995 in 2007.

I recently switched to f-prot and it has been excellent and very effective. It quickly scans any messages and managed to pickup even phishing based bank messages.

Anyone using ClamAV frustrated with the amount of virus/malware that slips through should consider making the switch to F-Prot, I install it by default for all my clients now with great success.

 

Here are some more details about the issues.


I scanned the users home directory with the following flags:
# f-prot username
# clamscan -r username

Some interesting results

Both were installed on the same server and run about 5 minutes apart. They each scanned the same users directory. At the time of the scan I was logged into a second SSH session and ran the top command to see how things were going.



Scanned with clamscan

clamscan -V
ClamAV 0.90/2780/Thu Mar 8 13:30:21 2007


Time and resources:
Time to complete scan: 17:51

Top results when scanning with high peaked clamscan 46% CPU usage. The scan took almost 18 minutes.... it's #1 in top results.

Here at nearly 8 minutes in
379 root 25 0 24444 23M 1340 R 47.7 1.1 7:43 1 clamscan

10 minutes into the scan...
379 root 25 0 24428 23M 1308 R 25.8 1.1 10:12 1 clamscan

Virus Results:
----------- SCAN SUMMARY -----------
Known viruses: 97361
Engine version: 0.90
Scanned directories: 2715
Scanned files: 14647
Infected files: 4
Data scanned: 1296.34 MB
Time: 1071.432 sec (17 m 51 s)




Scanned with f-prot,

f-prot -verno
F-PROT ANTIVIRUS
Program version: 4.6.7
Engine version: 3.16.15

VIRUS SIGNATURE FILES
SIGN.DEF created 8 March 2007
SIGN2.DEF created 8 March 2007
MACRO.DEF created 8 March 2007

Time and resources:
Time to complete scan: 1:17

Resources of f-prot were relatively low. It stayed around 8% CPU during the scan with a high peak near the end of 21% for a few seconds.

11048 root 24 0 9348 9348 820 D 9.2 0.4 0:04 1 f-prot

11048 root 25 0 9380 9380 852 R 21.7 0.4 0:11 0 f-prot


Virus Results:
it found 4 viruses and 2 suspitious files.

.scr Infection: W32/Netsky.Q@mm
.scr Infection: W32/Netsky.Q@mm
.exe Infection: W32/Mytob.ID@mm
.scr Infection: W32/Mytob.ID@mm

Results of virus scanning with f-prot:

Files: 14758
MBRs: 0
Boot sectors: 0
Objects scanned: 11267
Infected: 4
Suspicious: 2
Disinfected: 0
Deleted: 0
Renamed: 0



Final results:

F-Prot completed the same scan 16:43 minutes faster than clamav.
As you can see from the time it takes alone to scan the same data, F-prot is a sure winner.


ClamAV claims to scan against "97,361"
F-Prot claims to scan against "somewhere over 412,000"


Interesting stuff eh :D

 

F-Prot can be easliy installed so cPanel updates do not affect it in any way. It will continue to operate on its own and have its own updates when you specify, separate from cPanel's.

F-Prot is free for non commercial use. This was using their Home/workstation version. Check their site for details on different licenses available. I managed to get this working nicely with Exim.


Their coporate workstation version is available for $25...
http://www.f-prot.com/products/corporate_users/unix/linux/workstations.html

They also have a special mail version, I haven't tried it out yet but its a bit more costly, still reasonable. However they do not claim to support Exim....