Snort mailing list archives
Re: Block
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 16 Feb 2004 17:55:47 -0600
--On Monday, February 16, 2004 4:46 PM -0600 Frank Knobbe <frank () knobbe us> wrote:
> Uhm, I'm not sure about that, Paul. I've heard from folks that caught new viruses with Clamav before Norton got it. Matter of fact, just recently there was a posting somewhere (I'm sure you've seen that since you are on most lists) that showed that clamav had a signature for it first. I have nothing but pleasant experience with clamav. I can't believe how well it works for being OpenSource.
I'm answering on list only because I do not want to leave the wrong impression. clamav is certainly better than nothing, and if that's all you can afford, then by all means use it. What I *am* saying is that testing by the researchers at the University of Hamburg has shown that its detection rate is *not* comparable to commercial scanners. So long as you understand that, using clamav can be a useful part of an overall strategy to limit exposure to viruses.
No virus scanner is perfect, and clamav will catch viruses that other scanners will miss, and vice versa. Use of *any* gateway av scanner should be supplemented by other strategies such as extension blocking to provide the best possible protection.
However, anecdotal evidence notwithstanding, in controlled studies using standard research methodology, clamav did not measure up to commercial scanners. Please note, I am a fan of open source, and I am not trying to discourage the use of clamav. I just think people should use software in an informed manner.
These tests were done and published on a private list, so I cannot publish the details. I do not know if the university will publish the details on their website.
<http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm>

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu