How capable is ClamAV?


How capable is ClamAV?

pinguin74
What is your opinion about the strength of ClamAV?

I am especially concerned about active, malicious content hidden in
documents like PDF or LibreOffice data files.

Does ClamAV have some serious heuristics?

Of course I know, anti virus tools only can offer limited protection.

Thanks



Re: How capable is ClamAV?

Carlos E. R.-2
On 2014-09-14 17:18, pinguin74 wrote:
> What is your opinion about the strength of ClamAV?

Now and then I receive malware in email that it does not detect. Sometimes
Avira does. And other times it is the other way round.

I never detected anything in suspicious docs, but I don't know if
because they were clean, or because the scanner failed to detect.

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)



Re: How capable is ClamAV?

pinguin74
On 14.09.2014 17:53, Carlos E. R. wrote:
> On 2014-09-14 17:18, pinguin74 wrote:
>> What is your opinion about the strength of ClamAV?
>
> Now and then I receive malware in email that it does not detect. Sometimes
> Avira does. And other times it is the other way round.
>
> I never detected anything in suspicious docs, but I don't know if
> because they were clean, or because the scanner failed to detect.

Well, maybe antivirus tools really are not much better than a placebo...
I just hoped, ClamAV may have a good heuristic system....


Re: How capable is ClamAV?

Carlos E. R.-2
On 2014-09-14 21:06, pinguin74 wrote:
> Am 14.09.2014 17:53, schrieb Carlos E. R.:


> Well, maybe antivirus tools really are not much better than a placebo...
> I just hoped, ClamAV may have a good heuristic system....

They do detect things, but certainly not all. Only known things. And
there is a lot of malware... You probably have to use several engines.

How good clamav is at heuristics, I really don't know.

I only use the antivirus on Linux to know what I get on email, not for
real - any executable gets banned on sight. Docs that do not come
directly from friends, unrequested, are very suspect, I don't open them.
If I have to, there are doc converters that do not know how to translate
scripts.

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)



Re: How capable is ClamAV?

Anton Aylward-2
On 09/14/2014 11:53 AM, Carlos E. R. wrote:
> On 2014-09-14 17:18, pinguin74 wrote:
>> What is your opinion about the strength of ClamAV?
> Now and then I receive malware in email that it does not detect. Sometimes
> Avira does. And other times it is the other way round.

I'm curious as to what that malware might be?
Was it something that was Windows-specific or might it have some effect
on Linux?

--
     /"\
     \ / ASCII Ribbon Campaign
      X  Against HTML Mail
     / \

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: How capable is ClamAV?

Carlos E. R.-3

On 2014-09-15 14:06, Anton Aylward wrote:
> On 09/14/2014 11:53 AM, Carlos E. R. wrote:
>> On 2014-09-14 17:18, pinguin74 wrote:
>>> What is your opinion about the strength of ClamAV?
>> Now and then I receive malware in email that it does not detect.
>> Sometimes Avira does. And other times it is the other way round.
>
> I'm curious as to what that malware might be? Was it something that
> was Windows-specific or might it have some effect on Linux?

So far, Windows specific, and very little.

My amavis simply bans any exe file in attachments, even inside zips,
and they are apparently not scanned then by the antivirus. I see I get
some of them.

Mail positives detected by the antivirus itself are scarce, none this
year unless I goofed somewhere (I have to check).

Otherwise, I got:

    Email.Trojan-277
    virus Email.Trojan-277
    Email.Trojan-303, Trojan.Spy.Zbot-566
    Email.Trojan-280, Suspect.Trojan.Generic.FD-1
    Email.Trojan-280, BC.Heuristic.Trojan.SusPacked.BF-6.B
    BC.Heuristic.Trojan.SusPacked.BF-6.A


Amavis does not, afaik, create a log of the malware that it filters.
What, from, to, date, subject, would be nice.


And, by the way, Avira antivir has moved out of the Linux business, so
the only free antivirus that I know in Linux that still works is clamav.


My "banned" mail folder contains entries now and then with zip
archives, that I guess might contain PDFs or DOCs. I would have to
manually look inside. Let me see...

Invoice_8990040.zip  -->  Invoice_24042014.scr
        PE32 executable (GUI) Intel 80386, for MS Windows
        clamscan  --> clean.

VoiceMail.zip --> VOICE347-643-6325.scr
        PE32 executable (GUI) Intel 80386, for MS Windows
        clamscan  --> clean.

invoice 7941461.zip  --> invoice 8820122/invoice 8820122.exe
        PE32 executable (GUI) Intel 80386, for MS Windows
        clamscan, antivir  --> clean.


So you see, clamav in those cases would have been totally useless, 3
of 3. It is amavis which bans them simply because they are
executable... Most claim to be a document, but they are runnable files
inside zips. I don't see a .doc file, but then I have not opened all zips.

If I got those emails in Windows, and were using clamav or avira, I
could be hosed... except that I do not click to open unrequested zips.

- --
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)

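The amavis behaviour Carlos describes above (rejecting executables by what they are, even when nested inside a zip and named like an invoice or a voicemail), as an added Python example that is not part of this thread or of amavis itself; the archive, the member names and the extension list are constructed here to mirror the three cases he lists.

```python
import io
import zipfile

# Extensions an amavis-style "banned files" policy typically rejects (constructed list).
BANNED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
PE_MAGIC = b"MZ"           # DOS/PE executables begin with "MZ"
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header

def scan_archive(data: bytes, path: str = "", depth: int = 0, max_depth: int = 3):
    """Return [(member path, reason)] for executable content in a zip, descending
    into nested zips. Content is judged by magic bytes as well as by name, so a
    PE renamed to 'invoice.pdf' is still reported."""
    if depth > max_depth:
        return [(path, "nesting too deep")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "corrupt zip")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = f"{path}/{info.filename}" if path else info.filename
            member = zf.read(info)
            if member.startswith(PE_MAGIC):
                findings.append((name, "PE executable (MZ header)"))
            elif info.filename.lower().endswith(BANNED_EXT):
                findings.append((name, "banned extension"))
            elif member.startswith(ZIP_MAGIC):
                findings.extend(scan_archive(member, name, depth + 1, max_depth))
    return findings

def build_sample() -> bytes:
    """Constructed sample mimicking the thread: an 'invoice' zip whose members are
    a PE stub under an .exe name, a PE stub disguised as a PDF, a harmless text
    file, and a nested zip carrying a .scr (not a real PE, to show the name rule)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("VOICE347-643-6325.scr", b"screensaver placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice 8820122/invoice 8820122.exe", fake_pe)
        z.writestr("Invoice_24042014.pdf", fake_pe)
        z.writestr("readme.txt", b"Please see the attached invoice.")
        z.writestr("VoiceMail.zip", inner.getvalue())
    return outer.getvalue()
```

Running `scan_archive(build_sample())` reports the .exe and the disguised .pdf by their MZ header and the nested .scr by its name, while the text file passes.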

Re: How capable is ClamAV?

Carlos E. R.-2
On 2014-09-15 14:48, Carlos E. R. wrote:
> On 2014-09-15 14:06, Anton Aylward wrote:


>> I'm curious as to what that malware might be? Was it something that
>> was Windows-specific or might it have some effect on Linux?
>
> So far, Windows specific, and very little.

Just now I noticed a post sent to the Project mail list, with subject:

[opensuse-project] Important ©: We noticed unusual activity in your
PayPal account (Ref #PP-003-381-679-869)

What is different is that the attachment is an html file. I saved it to
a file to check. Clamav says "clean", but it does contain javascript
code... I'd bet a beer (about my limit on sure bets) that it is malware.

I have no idea what it does, but I'm curious. Javascript can run in
Thunderbird without asking... (although I can't find in the preferences
where to enable/disable that).

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)



Re: How capable is ClamAV?

Carlos E. R.-2
On 2014-09-15 16:06, Carlos E. R. wrote:

> I have no idea what it does, but I'm curious. Javascript can run in
> Thunderbird without asking... (although I can't find in the preferences
> where to enable/disable that).

Apparently javascript cannot be enabled for email, but is enabled by
default for RSS feeds. The setting is in about:config, named
"javascript.enabled" - which is confusing because it does not apply to
email at all.

http://www.ghacks.net/2012/01/21/how-to-make-thunderbird-more-secure/
http://www.ghacks.net/2010/06/30/thunderbird-3-javascript-whats-the-deal/

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)

