[Dshield] AntiVirus Pattern Release Stats

Eric Peters epeters at pcthome.com
Fri Mar 4 17:04:02 GMT 2005

HH>ClamAV (it is free and will
run on Linux mail servers or firewalls) does much better than I would

ClamAV also has clients for winblows as well...

ClamAV in conjunction with MailScanner = you could not ask for a better
mail gateway (virus and spam scanner). Not only that, ClamAV beats out the
big boys in releasing virus sigs; my lil Exchange server has not seen
spam, phishing nor a virus since the mail gateway has been in place. Now
if I can get the execs to go for OpenExchange I'm all set.


Henry Hertz Hobbit wrote:
> On Thu, 2005-03-03 at 09:44, Holmes, Alan wrote:
>>Is anyone aware of a website or other resource that tracks
>>and has reports on the timeliness with which antivirus
>>companies make virus definitions available?
> I just read this the other day from the PC Magazine Security
> list.  I am trying to remember the site.  Start with these:
> http://www.av-test.org/
> http://list.virus.org/
> http://list.virus.org/Top_List.html
>>The reason I ask is I am very frustrated with our current
>>antivirus vendor as they are ROUTINELY at the bottom of the
>>list for pattern releases of the vendors that I check when a
>>new threat is detected.
> I think mine and other people's advice has been succinct and to the
> point.  We all advise AGAINST A ONE VENDOR solution.  Use one vendor at
> the edge firewall, another vendor at the mail server (Outlook Exchange
> if that is what you want to use), and yet another vendor at the
> desktop.  Why are we so audacious to give this advice?  Because as much
> as you would like to say this or that about any particular AV vendor,
> their research methods vary.  Here is one for you to look at:
> http://www.pcmag.com/article2/0,1759,1745668,00.asp
> (if you subscribe to PCMag's security newsletter you will get this list
> every week or something like that, and usually who was first will be
> given).
> Normally, Norman doesn't head the chart.  ClamAV (it is free and will
> run on Linux mail servers or firewalls) does much better than I would
> suspect.  Over the long haul, Kaspersky, Symantec, McAfee, Sophos, and
> others (I really am NOT picking these out of the air, and you cannot
> discuss this intelligently without including Trend Micro, Panda,
> F-Secure and the others) are right in the hunt for first place, but on
> any given day the top leaders (averaged out over a month, three months,
> six months, or a year) can FAIL DISMALLY!  Further, on any given day one
> of the little guys can trump the others.  Further, Beta Definitions may
> save your keester!  In all respects, a multi-vendor approach is the
> best, since one may fail, and the others will catch it.
> Having said that, I would look seriously that at least one of the top
> Beta Definition Detection Vendors be included in the mix of the three
> (or two if your edge firewall is also the main outgoing mail server). 
> If you are a truly big site, I would use yet a fourth AV vendor on all
> your secondary mail servers.
> I would like to say that I am not going to say this again, but I know I
> and others will.  The best defense against viruses is a multi vendor
> solution.  It truly is like playing the stock market - DIVERSIFY.  All
> AV vendors will fight against you doing this.  They want to install a
> completely integrated solution.  I am warning you in advance.
>>For example, the other day when the new Bagel/Beagle/ToSoo variant
>>broke, I saw some vendors had detection available at 10:30PM my
>>time on Sunday while the vendor we use didn't have detection
>>available until almost 11:00AM the following day after several of
>>our users had already received it in their email.  This, of course,
>>created a lot of headaches and extra work.
> See the previous statements.  I have studied this very issue extensively
> from Linux where we have a grand total of less than a dozen or so virii.
> I have yet to see any of them for eight years.  For that matter, the
> only way I can get a virus through Comcast is to bzip2 it.  If you are
> stupid enough to read your email as root (thinking of versions of Linux
> like Lindows), there would be a lot more Linux nasties.  I do NOT read
> email as root.  Neither do most Linux users.  Linux has a strongly
> protective file system (its file system is its DACL) that makes the
> propagation of viruses very difficult.  ClamAV isn't primarily
> protecting Linux - it is protecting Windows machines, and normally from
> Linux.
>>I'm looking to use this type of data as a justification for ditching
>>our current vendor.
>>Thanks for any input anyone can offer.
> Dump away, but I would like a PRIVATE reply (not to the newsgroup)
> on the AV vendor you are dumping.  The reason I say this is that very
> few AV vendors raise my hackles.  The only one that does is Symantec,
> but NOT because they don't do a good job of detecting virii (they do an
> excellent job).  They are also a very good neighbor in a lot of ways,
> with removal tools and TONS of information.  I don't like them because
> if things get out of whack you have to reinstall, and they leave crap
> all over in the registry that needs to be cleaned out before you install
> again.  This also holds if you are replacing NAV with another AV
> vendor's product OR if you are just reinstalling.  Putting them on the
> firewall or mailserver is okay but unless you want to map out ALL of the
> registry entries and put them in a *.reg file to remove (actually, maybe
> somebody has done it and I haven't seen it) I don't like them on the
> desktop (they also slow the machine down CONSIDERABLY).   With mine and
> others' complaints on this, I think Symantec may even have done this by
> now.  Part of the reason they don't do it is to prevent their program
> from being disabled.  They, McAfee, and the other top AV vendors have
> bullseyes on their products for the nasty vendors to try and disable
> them.
> You could move to Linux and kiss the AV problem goodbye (and inherit yet
> another set of problems, not the least of which is learning a completely
> new language).
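The thread's question is how to measure whether a vendor's signatures are keeping up. As an added example (not code from this thread or from the ClamAV project), here is a small check of a local ClamAV database's freshness; it assumes the colon-separated "ClamAV-VDB:..." CVD header layout that sigtool reads, and the sample header and reference time below are constructed.

```python
"""Check how stale a local ClamAV signature database (daily.cvd) is.

Assumptions (not from the thread): the CVD file starts with a 512-byte
header of the form "ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:
<md5>:<dsig>:<builder>:<unix time>"; the sample below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample header in the CVD layout (md5/signature fields are
# placeholders, not real values).
SAMPLE_HEADER = (
    "ClamAV-VDB:04 Mar 2005 09-15 -0500:778:31415:3:"
    "0123456789abcdef0123456789abcdef:"
    "<digital-signature-placeholder>:builder:1109945700"
)

# Constructed reference time: the moment the check is run (UTC).
REFERENCE_NOW = datetime(2005, 3, 4, 17, 4, tzinfo=timezone.utc)


def parse_cvd_header(header: str) -> dict:
    """Split a CVD header line into its named fields.

    The build time uses '%d %b %Y %H-%M %z' (hour and minute are joined
    by '-' in CVD headers, e.g. '04 Mar 2005 09-15 -0500').
    """
    fields = header.rstrip("\x00\r\n").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 5:
        raise ValueError("not a ClamAV CVD header")
    return {
        "build_time": datetime.strptime(fields[1], "%d %b %Y %H-%M %z"),
        "version": int(fields[2]),
        "signatures": int(fields[3]),
        "functionality_level": int(fields[4]),
    }


def check_freshness(header: str, now: datetime, published_version: int,
                    max_age: timedelta = timedelta(hours=24)) -> dict:
    """Report database age and how many releases behind the vendor it is.

    'published_version' is the latest version the vendor has released
    (obtained out of band, e.g. from the vendor's version announcement).
    """
    info = parse_cvd_header(header)
    age = now - info["build_time"]
    return {
        "version": info["version"],
        "versions_behind": max(0, published_version - info["version"]),
        "age_hours": round(age.total_seconds() / 3600, 1),
        "stale": age > max_age or published_version > info["version"],
    }


if __name__ == "__main__":
    print(check_freshness(SAMPLE_HEADER, REFERENCE_NOW, published_version=780))
```

Run against a real daily.cvd by reading its first 512 bytes and passing them (decoded) as the header; comparing the local version with the vendor's published one is the same gap the original poster was tracking by hand.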
