[NTLUG:Discuss] Re: Anti-virus -- ClamAV = very updates, but limited Win32 "resident" features

Bryan J. Smith b.j.smith at ieee.org
Sun Nov 28 22:09:40 CST 2004


On Sun, 2004-11-28 at 22:29, Ralph Green, Jr. wrote:
> Howdy,
>   Speaking of anti-virus software for Linux, I was asked about this on
> Saturday while visiting Tanner's.  Is ClamAV still the preferred
> anti-virus package for Linux?  Is it updated for new vulnerabilities?

Actually, ClamAV is becoming very respected for its "concentrated
leeching" of updates from the big vendors.  I.e., ClamAV is a community
development that does little R&D, but responds to new reports very
quickly -- e.g., integrating announcements by NAI faster than Symantec
and vice-versa.

The "issue" with ClamAV is the "resident scanning."  I.e., real-time
scanning of MS IE, MS Outlook, etc...  I've seen some tie-ins, but they
are not of the same "real-time blocking" that requires extensive
Microsoft licensing/insider access.  But this only affects Win32 and
desktops.

Some of the most popular "black box border solutions" right now use
ClamAV and SpamAssassin, and quite well.  I've been at medium-sized
(1,000+ employee) educational, government and even some larger Fortune
500 companies over the last year that are either deploying them
directly, or buying from an integrator (both big and small) of such
black box devices.

The key is that anytime you have a service that _always_ accepts data in
a "stream," like SMTP, HTTP, etc..., such as most "border" services, it
is very easy to pass through to ClamAV (as well as SpamAssassin,
etc...).  Heck, I wouldn't be surprised if newer Samba developments can
now do this as well for SMB access -- or at least leverage underlying
kernel interfaces (e.g., Samba on Linux using the NetFilter hooks).  So
as long as it is a formal, "streamed" or other datagram/segment
transport, it is a very viable solution.

But for most Windows users who want the desktop to save them from
themselves, ClamAV doesn't provide the "resident/real-time" scanning
they are looking for.  But that has nothing to do with the "updates," of
which ClamAV does quite well.  It even has aggressive scanning
capabilities for "variants" that use similar strings/codes (although
this sometimes causes a lot of false positives).


-- 
Bryan J. Smith                                    b.j.smith at ieee.org 
-------------------------------------------------------------------- 
Subtotal Cost of Ownership (SCO) for Windows being less than Linux
Total Cost of Ownership (TCO) assumes experts for the former, costly
retraining for the latter, omitted "software assurance" costs in 
compatible desktop OS/apps for the former, no free/legacy reuse for
latter, and no basic security, patch or downtime comparison at all.
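The "stream pass-through" the post describes, as an added example that is not part of the original message or the ClamAV project: a minimal Python client for clamd's INSTREAM command that hands a captured SMTP message to a local clamd and parses its verdict. The clamd host/port, the chunk size, and the sample message are assumptions.

```python
import socket
import struct
from typing import Iterator, Tuple

# Constructed sample: a small message as a border MTA might hand it over for scanning.
SAMPLE_MESSAGE = (
    b"From: sender@example.test\r\n"
    b"To: user@example.test\r\n"
    b"Subject: quarterly report\r\n\r\n"
    b"See attached.\r\n"
)

def instream_frames(data: bytes, chunk_size: int = 8192) -> Iterator[bytes]:
    """Frame data the way clamd's INSTREAM command expects: every chunk is
    prefixed by its 4-byte big-endian length; a zero-length chunk ends the stream."""
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)

def parse_clamd_reply(reply: bytes) -> Tuple[str, str]:
    """Turn a clamd reply into (verdict, detail). clamd answers 'stream: OK',
    'stream: <signature> FOUND' or '<message> ERROR' (NUL-terminated when the
    command was sent with the 'z' prefix)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith("ERROR"):
        return "error", text
    _, _, status = text.partition(": ")
    if status == "OK":
        return "clean", ""
    if status.endswith(" FOUND"):
        return "infected", status[:-len(" FOUND")]
    return "unknown", text

def scan_stream(data: bytes, host: str = "127.0.0.1", port: int = 3310) -> Tuple[str, str]:
    """Stream data to clamd over its TCP socket (assumed host/port) and return the
    parsed verdict; the gateway decides whether to reject, quarantine or deliver."""
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.sendall(b"zINSTREAM\0")
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)
```

With a clamd listening on the assumed port, `scan_stream(SAMPLE_MESSAGE)` returns `("clean", "")` for the constructed message; a signature hit comes back as `("infected", "<signature name>")`.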