Kaspersky 0...default Clam AV doing all the work

[YeOldeStonecat]

Quote:

Originally Posted by hescominsoon

that's interesting you say that. It consistently has detection rates that will compete with anything. It is NOT an real-time scanner on a pc..it is an on demand scanner like in the case of a mail scanner. Use it as it is designed..as an on demand type scanner and it will hang with anything. I have never seen it miss anything AND unlike the commercial big boys it's NEVER had a false positive.

I'm not going to get into a debate about the effectiveness of Clam...most of us in IT have seen reviews of it over the years showing its performance. It does "OK" as an SMTP scanner, yes. And yes I'm more than very well aware that it doesn't have real time file protection.

Back to my point...I was puzzled as to why a far superior product, KAV, wasn't racking up a score in its module. It' still all zeros. We move over 1500 mails though our UT box per day, and with the AV module bagging from 20-30 per day on average, since I'm sure we can all agree that no AV product gets 100% of all infections...even the best muster in the upper 90% range..by now a few should have slipped by. I'm confident anyone worth their salt who's been in IT for an appreciable period of time would support that KAV is superior. Hence my question.

[sky-knight]

KAV is in a slump? There's always that ebb and flow of general effectiveness in these things... That's why we have two in there.

[hescominsoon]

Quote:

Originally Posted by YeOldeStonecat

I'm not going to get into a debate about the effectiveness of Clam...most of us in IT have seen reviews of it over the years showing its performance. It does "OK" as an SMTP scanner, yes. And yes I'm more than very well aware that it doesn't have real time file protection.

Back to my point...I was puzzled as to why a far superior product, KAV, wasn't racking up a score in its module. It' still all zeros. We move over 1500 mails though our UT box per day, and with the AV module bagging from 20-30 per day on average, since I'm sure we can all agree that no AV product gets 100% of all infections...even the best muster in the upper 90% range..by now a few should have slipped by. I'm confident anyone worth their salt who's been in IT for an appreciable period of time would support that KAV is superior. Hence my question.

I don't think KAV is truly superior to be honest..you can take your opinion of if i am worth my salt or not. The reason Kav hasn't caught anything is nothing got by clam. If you run a/v on your desktops check them and see if anything in e-mail has gotten by UT..

[redhale3]

It's interesting that, after having this discussion, one day this week one of my client's UT blocked a burst of files. KAV blocked 14 and Clam blocked 5. On the same machine I noticed that today KAV blocked 4 and Clam blocked 3. I guess it does make sense to have them both.

[Danp]

KAV also blocked 1 virus for me this week. Actually, I just checked and its up to 2! Both are DHL related email viruses.

The interesting thing is that KAV appears to be scanning before Clam. The attached image shows that KAV has scanned two more documents than Clam, which makes sense if KAV has blocked two.

FWIW, I've also seen entries in the KAV log where it passed stuff like the UPS email viruses that were then blocked by Clam.

[neiby]

We've been running KAV for months and I don't think it's ever blocked a virus. It notices the EICAR test file, but I don't recall ever seeing the blocked counter go up when I wasn't testing with EICAR. I just enabled Clam to see if there is something weird going on.

[LR897]

Quote:

Originally Posted by Danp

KAV also blocked 1 virus for me this week. Actually, I just checked and its up to 2! Both are DHL related email viruses.

The interesting thing is that KAV appears to be scanning before Clam. The attached image shows that KAV has scanned two more documents than Clam, which makes sense if KAV has blocked two.

FWIW, I've also seen entries in the KAV log where it passed stuff like the UPS email viruses that were then blocked by Clam.

I checked on the Untangle wiki and is says that Kaspersky scans first before ClamAV.

" If I have both virus blockers installed, are one or both used and in which order?

If you have only one virus blocker installed then only that scanner will be applied, according to the settings you have established, assuming the Rack element is powered up. If you have two virus scanners installed then the "for fee" service is applied to a message first: if a message passes the "for fee" scanner then and only then the open source scanner is applied to the message (there's no point in scanning the message twice if the first scanner has rejected it.) This is not to say one scanner is inherently better than the another: we point this out in the event you are evaluating the two scanners against one another to determine which or both best fits your needs. In this case, note that the "for fee" scanner is complemented by the open source scanner and in the case of a virus-free message, the computational overhead of the virus scan includes both scanners; where as a message that would be rejected by both scanners incurs the computational and time cost of just the "for fee" scanner. So, to perform a valid comparison, you should run test messages through the Untangle Gateway with no scanners installed, the "for fee" scanner by itself, the open source scanner by itself and lastly both scanners installed together and compare the results. "

I can't post links yet, so you will have to add the http to read the wiki:
://wiki.untangle.com/index.php/Virus_Blocker

[boyan.sharic]

Quote:

Originally Posted by Danp

KAV also blocked 1 virus for me this week. Actually, I just checked and its up to 2! Both are DHL related email viruses.

The interesting thing is that KAV appears to be scanning before Clam. The attached image shows that KAV has scanned two more documents than Clam, which makes sense if KAV has blocked two.

FWIW, I've also seen entries in the KAV log where it passed stuff like the UPS email viruses that were then blocked by Clam.

maybe file/MIME types that are being scanned are not the same on both of your modules