Rob Tillyard

Q: clamav installation outdated

While investigating why our e-mail server lets lots of suspicious files through I found these comments in the log file.

I only installed the server six days ago and it has all updates installed. It appears that there is a 0.99 version available on the clamav website but that hasn't made it into Server 5 as yet.

We want to replace a 10.5 server with 10.11 running Server 5 but some internally are asking if clam is up to the job as they report it has one of the lowest detection rates at 36%. I'm wondering if it was to be updated would it find more?

Regards, Rob.

Mon Feb 22 14:18:47 2016 -> --------------------------------------

Mon Feb 22 14:18:47 2016 -> freshclam daemon 0.98.7 (OS: darwin13.0, ARCH: x86_64, CPU: x86_64)

Mon Feb 22 14:18:47 2016 -> ClamAV update process started at Mon Feb 22 14:18:47 2016

Mon Feb 22 14:18:47 2016 -> WARNING: Your ClamAV installation is OUTDATED!

WARNING: Your ClamAV installation is OUTDATED!

Mon Feb 22 14:18:47 2016 -> WARNING: Local version: 0.98.7 Recommended version: 0.99

WARNING: Local version: 0.98.7 Recommended version: 0.99

Mon Feb 22 14:18:47 2016 -> DON'T PANIC! Read http://www.clamav.net/support/faq

Mon Feb 22 14:18:48 2016 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)

Mon Feb 22 14:18:48 2016 -> daily.cld is up to date (version: 21399, sigs: 1851287, f-level: 63, builder: neo)

Mon Feb 22 14:18:48 2016 -> bytecode.cvd is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)

Mon Feb 22 14:18:59 2016 -> --------------------------------------

Mon Feb 22 16:18:59 2016 -> Received signal: wake up

Mon Feb 22 16:18:59 2016 -> ClamAV update process started at Mon Feb 22 16:18:59 2016

Mon Feb 22 16:18:59 2016 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)

Mon Feb 22 16:18:59 2016 -> daily.cld is up to date (version: 21399, sigs: 1851287, f-level: 63, builder: neo)

Mon Feb 22 16:18:59 2016 -> bytecode.cvd is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)

Mon Feb 22 16:19:04 2016 -> --------------------------------------

Mac mini, Other OS, Mac OS X 10.11.3, Server 5

Posted on Feb 22, 2016 8:35 AM


  • by pterobyte, Level 6 (11,101 points), Servers Enterprise
    Feb 23, 2016 2:43 AM in response to Rob Tillyard

    Not sure which reports you base this information on, but I have yet to see a significant amount of infected mails making it through to clients in 10 years of using ClamAV. It has been always doing its job properly.

    That said, there are two parts to ClamAV successfully detecting viruses. One is the binary itself, the other is the database. Your database is up-to-date, but your binary isn't.

    While it is certainly good to have an updated binary as well, as long as it is not ancient, you will hardly ever see any major detection issues when you are a few minor releases behind.

    Apple used to be way behind in the past (up to 10.6) and it made sense to manually update the ClamAV binaries as well. Today, they tend to be only slightly behind, which is actually a good thing as you are running tested software.

  • by MadMacs0, Level 5 (4,791 points)
    Feb 23, 2016 6:37 PM in response to Rob Tillyard

    Rob Tillyard wrote:

    I only installed the server six days ago and it has all updates installed. It appears that there is a 0.99 version available on the clamav website but that hasn't made it into Server 5 as yet.

    Apple almost never updates ClamXav on a deployed OS X Server. As I recall, it only happened once when there were security issues with one of the releases.

    To be honest, I don't know what version of the ClamAV scan engine is included with the 10.11 OS X Server, but I'm sure somebody in this Community can inform us. It is possible to upgrade the engine from source and there is some older information on the Internet on how to accomplish this, but it's a bit of a PITA.

    There have certainly been some improvements since 0.98.7 and some of the definitions in the database only work with 0.99, but I certainly can't claim that it would markedly improve the e-mail detection rates you are currently seeing. A discussion on the clamav-user e-mail list over the weekend included major complaints about the standard ClamAV's ability with regard to e-mail. The following comment was made by the Cisco/Sourcefire/ClamAV Team Lead: "Gentlemen. We get the point. We're working on it. I had a conversation with the malware lead last week to see what we can do here."

    The conclusion of some users was that there are "Unofficial" signature databases that can be subscribed to which will apparently increase the detection rates. One such is SaneSecurity. I know there have been some off-line discussions between the two organizations about an official status for the latter, but not sure where that may stand.

    It's amazing to me that an organization like ClamAV that began as an exclusive e-mail scanning service could have drifted so far from its goals over the years. Hopefully they will take the criticism to heart and do something quickly to recover.
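An added example, not code from this thread, that checks the two parts pterobyte's reply separates (engine version and database state) by parsing the freshclam lines quoted in the question, embedded here as a constructed sample. The per-database f-level it reports is what MadMacs0's remark about definitions that only work with 0.99 comes down to: a database can be "up to date" while the old engine cannot use all of it. Function names are my own.

```python
import re

# Constructed sample: the freshclam lines quoted in the question above.
SAMPLE_LOG = """\
Mon Feb 22 14:18:47 2016 -> freshclam daemon 0.98.7 (OS: darwin13.0, ARCH: x86_64, CPU: x86_64)
Mon Feb 22 14:18:47 2016 -> WARNING: Your ClamAV installation is OUTDATED!
Mon Feb 22 14:18:47 2016 -> WARNING: Local version: 0.98.7 Recommended version: 0.99
Mon Feb 22 14:18:48 2016 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Mon Feb 22 14:18:48 2016 -> daily.cld is up to date (version: 21399, sigs: 1851287, f-level: 63, builder: neo)
Mon Feb 22 14:18:48 2016 -> bytecode.cvd is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)
"""

VERSION_RE = re.compile(r"Local version: (\S+) Recommended version: (\S+)")
# Database lines have the same shape whether freshclam updated the file or found it current.
DB_RE = re.compile(r"(\w+\.c[vl]d) (?:is up to date|updated) "
                   r"\(version: (\d+), sigs: (\d+), f-level: (\d+)")

def version_tuple(version):
    """'0.98.7' -> (0, 98, 7), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))

def parse_freshclam(log):
    """Split a freshclam log into the two parts that matter: engine and databases."""
    report = {"local": None, "recommended": None, "engine_outdated": False, "databases": {}}
    for line in log.splitlines():
        m = VERSION_RE.search(line)
        if m:
            report["local"], report["recommended"] = m.group(1), m.group(2)
            report["engine_outdated"] = version_tuple(m.group(1)) < version_tuple(m.group(2))
        m = DB_RE.search(line)
        if m:
            report["databases"][m.group(1)] = {"version": int(m.group(2)),
                                               "sigs": int(m.group(3)),
                                               "flevel": int(m.group(4))}
    return report

def total_sigs(report):
    """Signatures present across main/daily/bytecode (before any f-level skipping)."""
    return sum(db["sigs"] for db in report["databases"].values())

def max_flevel_required(report):
    """Highest functionality level a loaded database asks for; signatures that need
    more than the engine supports are not loaded, even though freshclam says 'up to date'."""
    return max(db["flevel"] for db in report["databases"].values())

def summary(report):
    """One-line verdict for a monitoring check."""
    state = "OUTDATED" if report["engine_outdated"] else "current"
    return "engine %s is %s (recommended %s); %d sigs, max f-level %d" % (
        report["local"], state, report["recommended"], total_sigs(report), max_flevel_required(report))
```

Point `parse_freshclam` at the contents of freshclam.log on the server to get the same summary for a live system.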