[Snort-users] Block
Paul Schmehl
pauls at ...6838...
Mon Feb 16 16:00:03 EST 2004
--On Monday, February 16, 2004 4:46 PM -0600 Frank Knobbe <frank at ...9761...>
wrote:
>
> Uhm, I'm not sure about that, Paul. I've heard from folks that caught
> new viruses with Clamav before Norton got it. Matter the fact, just
> recently there was a posting somewhere (I'm sure you've seen that since
> you are on most lists) that showed that clamav had a signature for it
> first.
>
> I have nothing but pleasant experience with clamav. I can't believe how
> well it works for being OpenSource.
I'm answering on list only because I do not want to leave the wrong
impression. clamav is certainly better than nothing, and if that's all you
can afford, then by all means use it. What I *am* saying is that testing
by the researchers at the University of Hamburg has shown that its
detection rate is *not* comparable to commercial scanners. So long as you
understand that, using clamav can be a useful part of an overall strategy
to limit exposure to viruses.
No virus scanner is perfect, and clamav will catch viruses that other
scanners will miss, and vice versa. Use of *any* gateway av scanner should
be supplemented by other strategies such as extension blocking to provide
the best possible protection.
However, anecdotal evidence notwithstanding, in controlled studies using
standard research methodology, clamav did not measure up to commercial
scanners. Please note, I am a fan of open source, and I am not trying to
discourage the use of clamav. I just think people should use software in
an informed manner.
These tests were done and published on a private list, so I cannot publish
the details. I do not know if the university will publish the details on
their website.
<http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm>
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
More information about the Snort-users
mailing list