Old 04-09-2010, 07:51 AM   #1 (permalink)
YeOldeStonecat (Untangle Ninja)
Join Date: Aug 2007
Posts: 1,394
Kaspersky 0...default Clam AV doing all the work

We're running the super duper bundle, Kaspersky module installed. Now...our UT box filters approx 1500 mails per day. CommTouch spam booster working well. I notice the default Clam AV module seems to average tween 20-30 "infected" mails caught per day...yet Kaspersky is showing a history of...ZERO. It never shows that it bags something.

In my experience..Kaspersky is very strong in detection/cleaning, it's consistently been one of the top performing AVs out there. Also in my experience..Clam isn't that strong. I'm wondering if somehow Kaspersky isn't running correctly...or I'm brain farting and missing something like a toggle switch to enable it.
Old 04-09-2010, 08:23 AM   #2 (permalink)
gotkimchi (Administrator)
Join Date: Jan 2007
Location: Bay Area
Posts: 2,076

Try this test. Turn off the clam and only have the Kaspersky on. Do the eicar test.
http://www.eicar.org/download/eicar.com
http://eicar.org/anti_virus_test_file.htm

You should get the block page. If you are not getting the block page, your Kaspersky is not working properly.
__________________
to be understood, you must first understand.
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com
Old 04-09-2010, 09:33 AM   #3 (permalink)
proactivens (Untangle Ninja)
Join Date: Sep 2008
Location: Greensburg, Pa
Posts: 2,307

I think the way it works is clam scans first, then kaspersky. If clam catches the infection, it will be removed before it gets to kaspersky. Kaspersky is the fall back, so you will not see many catches on it. However, when you do see catches, that means that if you didn't have it installed, then a virus would have slipped through and compromised your security. So even if at the end of the year clam catches 2000 viruses and kaspersky only catches 10, that's still 10 infections that would have otherwise gotten through.
__________________
www.untangleappliances.com
Toll Free: 866-794-8879
UNTANGLE PLATINUM PARTNER
Follow us at spiceworks!
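
The scan ordering described in this post, and the isolation test suggested in post #2, worked through as an added example that is not part of the original thread. It assumes a first-match chain with Clam ahead of Kaspersky (which the posters believe but do not confirm); the message sets and counts are constructed sample data, not real scan logs.

```python
from collections import Counter

# Constructed sample data. Each entry is the set of engines that would flag
# that message if the engine scanned it alone. Engine names follow the thread.
KAV_BROKEN = [{"clam"}] * 25 + [set()] * 5                 # second engine flags nothing
KAV_OVERLAP = [{"clam", "kaspersky"}] * 25 + [set()] * 5   # healthy, same coverage as Clam
KAV_EXTRA = KAV_OVERLAP + [{"kaspersky"}] * 2              # healthy, plus 2 that Clam misses


def serial_counters(messages, order):
    """Per-engine block counts as a first-match chain reports them.

    A message is credited to the first engine in `order` that flags it and is
    never shown to the engines behind it (assumed behaviour, per the thread).
    """
    counts = Counter()
    for flags in messages:
        hit = next((engine for engine in order if engine in flags), None)
        if hit is not None:
            counts[hit] += 1
    return {engine: counts[engine] for engine in order}


def standalone_counters(messages, engines):
    """What each engine would report if it saw every message by itself."""
    return {e: sum(e in flags for flags in messages) for e in engines}


if __name__ == "__main__":
    chain = ["clam", "kaspersky"]
    for name, world in [("broken", KAV_BROKEN),
                        ("overlap", KAV_OVERLAP),
                        ("extra", KAV_EXTRA)]:
        print(name,
              "chained:", serial_counters(world, chain),
              "clam disabled:", serial_counters(world, ["kaspersky"]),
              "standalone:", standalone_counters(world, chain))
```

With both engines chained, the broken and the fully overlapping Kaspersky produce the same counters (25 and 0), so a zero alone cannot tell them apart; taking Clam out of the chain is what separates the two cases.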
Old 04-09-2010, 10:23 AM   #4 (permalink)
YeOldeStonecat (Untangle Ninja)
Join Date: Aug 2007
Posts: 1,394

Quote:
Originally Posted by proactivens
I think the way it works is clam scans first, then kaspersky. If clam catches the infection, it will be removed before it gets to kaspersky. Kaspersky is the fall back, so you will not see many catches on it. However, when you do see catches, that means that if you didn't have it installed, then a virus would have slipped through and compromised your security. So even if at the end of the year clam catches 2000 viruses and kaspersky only catches 10, that's still 10 infections that would have otherwise gotten through.

I thought of that...that Clam gets to sniff the traffic first. But...let's face it, Clam can't find its way out of a paper bag, I would expect Clam to miss about 60% of the viruses that flow through it, and I'd expect Kaspersky to be catching quite a bit that slip past Clam. I have a lot of clients on open source Untangle....I know a lot of viruses slip past the Clam..and I see them bagged in whatever antivirus I have on their Exchange Server...so I usually see a lot of "zeros" in Clam's counters. I don't have anyone else on Kas though, just our office.

I'll try the disabling Clam test for a bit.
Old 04-09-2010, 12:04 PM   #5 (permalink)
engine411 (Master Untangler)
Join Date: Dec 2008
Posts: 114

Quote:
Originally Posted by YeOldeStonecat
But...let's face it, Clam can't find its way out of a paper bag, I would expect Clam to miss about 60% of the viruses that flow through it, and I'd expect Kaspersky to be catching quite a bit that slip past Clam. I have a lot of clients on open source Untangle....

If this is true, why is UT using Clam? There are other Linux based antivirus softwares.
It is interesting watching what people say about Clam. Some swear by it, some against it.
Old 04-10-2010, 04:50 AM   #6 (permalink)
YeOldeStonecat (Untangle Ninja)
Join Date: Aug 2007
Posts: 1,394

Quote:
Originally Posted by engine411
If this is true, why is UT using Clam? There are other Linux based antivirus softwares.
It is interesting watching what people say about Clam. Some swear by it, some against it.

To be fair...it's good for scanning mail..aka on e-mail servers or on SMTP gateways. It's quite popular for that, and has a proven track record there.

I'm just having a hard time believing that it's bagging everything before KAV. I think I have to try some web based tests..besides Eicar...like transferring infected files via browser.
Old 04-10-2010, 11:01 AM   #7 (permalink)
sky-knight (Untangle Ninja)
Join Date: Apr 2008
Location: Phoenix, AZ
Posts: 15,464

Dude, Clam makes a darn nice engine. And it works really well. Its detection rate isn't as bad as you're thinking. Also, I can confirm with my own experiments that Clam gets to scan first for some reason. If I turn off Clam KAV gets to go.

I'm wondering if KAV is worth it... in every case I've had a file get caught by KAV and not clam, it's been a false positive.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
Old 04-10-2010, 11:51 AM   #8 (permalink)
redhale3 (Untangler)
Join Date: Oct 2008
Location: Vancouver, WA
Posts: 80

I have a client that gets sent a lot of spam with viruses. Until around 2 months ago, KAV stopped nearly everything. Then it changed. Now Clam stops everything and KAV never seems to detect anything.
Old 04-10-2010, 04:22 PM   #9 (permalink)
hescominsoon (Untangle Ninja)
Join Date: Sep 2007
Posts: 1,427

Quote:
Originally Posted by YeOldeStonecat
I thought of that...that Clam gets to sniff the traffic first. But...let's face it, Clam can't find its way out of a paper bag, I would expect Clam to miss about 60% of the viruses that flow through it, and I'd expect Kaspersky to be catching quite a bit that slip past Clam. I have a lot of clients on open source Untangle....I know a lot of viruses slip past the Clam..and I see them bagged in whatever antivirus I have on their Exchange Server...so I usually see a lot of "zeros" in Clam's counters. I don't have anyone else on Kas though, just our office.
I'll try the disabling Clam test for a bit.

That's interesting you say that. It consistently has detection rates that will compete with anything. It is NOT a real-time scanner on a pc..it is an on demand scanner like in the case of a mail scanner. Use it as it is designed..as an on demand type scanner and it will hang with anything. I have never seen it miss anything AND unlike the commercial big boys it's NEVER had a false positive.
__________________
Multi-vendor Firewall Reseller
Registered Microsoft Partner
Emmanuel Computer Consulting, L.L.C.
http://www.eccmd.com
Old 04-10-2010, 09:25 PM   #10 (permalink)
sky-knight (Untangle Ninja)
Join Date: Apr 2008
Location: Phoenix, AZ
Posts: 15,464

It catches revelation from snadboy.com as a bug. Both engines do, the app is safe, been using it for ages.

But it is a "hacking tool" so meh.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
All times are GMT -7.