[Snort-users] Block

Paul Schmehl pauls at ...6838...
Mon Feb 16 16:00:03 EST 2004

--On Monday, February 16, 2004 4:46 PM -0600 Frank Knobbe <frank at ...9761...> 
> Uhm, I'm not sure about that, Paul. I've heard from folks that caught
> new viruses with Clamav before Norton got it. Matter the fact, just
> recently there was a posting somewhere (I'm sure you've seen that since
> you are on most lists) that showed that clamav had a signature for it
> first.
> I have nothing but pleasant experience with clamav. I can't believe how
> well it works for being OpenSource.

I'm answering on list only because I do not want to leave the wrong 
impression.  clamav is certainly better than nothing, and if that's all you 
can afford, then by all means use it.  What I *am* saying is that testing 
by the researchers at the University of Hamburg has shown that its 
detection rate is *not* comparable to commercial scanners.  So long as you 
understand that, using clamav can be a useful part of an overall strategy 
to limit exposure to viruses.

No virus scanner is perfect, and clamav will catch viruses that other 
scanners will miss, and vice versa.  Use of *any* gateway av scanner should 
be supplemented by other strategies such as extension blocking to provide 
the best possible protection.

However, anecdotal evidence notwithstanding, in controlled studies using 
standard research methodology, clamav did not measure up to commercial 
scanners.  Please note, I am a fan of open source, and I am not trying to 
discourage the use of clamav.  I just think people should use software in 
an informed manner.

These tests were done and published on a private list, so I cannot publish 
the details.  I do not know if the university will publish the details on 
their website.


Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-users mailing list