LWN: Comments on "ClamAV 0.98.3 adds features and asks for statistics"
https://lwn.net/Articles/598587/

This is a special feed containing comments posted to the individual LWN article titled "ClamAV 0.98.3 adds features and asks for statistics".

ClamAV 0.98.3 adds features and asks for statistics
https://lwn.net/Articles/598940/
wahern (Thu, 15 May 2014 21:17:23 +0000)

ClamAV's signature engine can detect polymorphic viruses and trojans. It's not just based on checksums. Signatures can be actual programs that are compiled to a special byte code and which inspect the binary at run-time.

The problem is one of manpower. There aren't enough people to write good signature logic, as opposed to automated checksumming.

Solutions like FireEye are better in this regard, but also quite limited. You have to open each attachment in several dozen VMs, representing all the common combinations of operating systems and applications. That doesn't scale, but also buffer overflows and privilege escalation are hardly the biggest problem, although that's primarily the vector that FireEye attempts to detect. There are a ton of ways to leak valuable data through more innocuous channels.

ClamAV isn't antiquated, we've just hit the limit of what we can accomplish without focusing on writing better, less bug-prone software. ClamAV won't go away. How stupid would you look if one of your users were infected with a 2-year-old attachment virus? But now our efforts are more spread out.

ClamAV 0.98.3 adds features and asks for statistics
https://lwn.net/Articles/598829/
dskoll (Thu, 15 May 2014 13:42:45 +0000)

ClamAV could fill an important role, but the default Clam signatures detect almost nothing. We block thousands of pieces of malware based on filename extensions that ClamAV misses.

The SaneSecurity signatures help a bit, but those have their own problem: The false-positive rate is unacceptably high.

ClamAV 0.98.3 adds features and asks for statistics
https://lwn.net/Articles/598760/
Trou.fr (Thu, 15 May 2014 08:50:28 +0000)

It is interesting to see that ClamAV is still considered as a tool worth something. Antiviruses in general are more and more useless against modern malware which mutates so often the detection engines cannot follow the flow.

Using ClamAV with its antique engine and approach is probably worse than not using anything: it has been quite vulnerable in the past and probably opens more attack surface than it protects.

It is (really) time to move away from AV, completely.