Is KAV working at all?

[neiby]

We've been running untangle for many months. I've seen KAV do something when I test it using EICAR, but other than that I don't think I recall seeing the counters increase above zero.

I thought this was pretty odd, especially since I saw a few other threads from people wondering if KAV was working or not, so I decided to install the free Virus Blocker into our main rack yesterday. In that time, it has blocked an web virus and removed an email virus. KAV is still humming along with zero detections.

Something odd seems to be going on. We periodically see people get viruses on their PCs and KAV didn't catch them. I just assumed that these were new viruses that KAV didn't have signatures for yet. But now I wonder if it's just missing them. Seeing the free Virus Blocker stop two viruses in 12 hours makes me think something is wrong with KAV.

Any thoughts?

[dbunyard]

Since the numbers has last reset on our UT box here at work (we never did establish when these numbers reset) Kaspersky has:

Documents blocked: 3
Infections removed: 2

Log:

Code:

2010-05-04 8:33:50 am
	
blocked
	
10.37.58.201:62973
	
(HTTP) http://www.autoitscript.com/autoit3/scite/download/SciTE4AutoIt3.exe
	
virus found
	
87.106.244.38:80
2010-04-30 5:32:51 pm
	
remove infection
	
209.143.16.46:3713
	
(SMTP) You have received an eCard
	
virus found
	
10.37.59.29:25
2010-04-29 5:53:52 pm
	
remove infection
	
209.143.16.46:59684
	
(SMTP) bcemail.net account notification
	
virus found
	
10.37.59.29:25
2010-04-12 2:14:45 pm
	
blocked
	
10.37.58.201:63713
	
(FTP) 209.143.16.30
	
virus found
	
209.143.16.30:60007
2010-04-06 10:35:15 am
	
blocked
	
10.37.58.89:2226
	
(FTP) 205.178.145.65
	
virus found
	
205.178.145.65:26419

The virus blocker has:

Documents blocked: 0
Infections removed: 10

Log:

Code:

2010-05-13 3:25:57 pm
	
remove infection
	
209.143.16.46:2555
	
(SMTP) Congratulations you are a lucky winner Promotion
	
virus found
	
10.37.59.29:25
2010-05-13 3:19:16 pm
	
remove infection
	
209.143.16.46:27983
	
(SMTP) Congratulations you are a lucky winner Promotion
	
virus found
	
10.37.59.29:25
2010-05-04 5:21:32 pm
	
remove infection
	
209.143.16.46:34724
	
(SMTP) Re[2]:
	
virus found
	
10.37.59.29:25
2010-04-27 10:36:48 am
	
remove infection
	
209.143.16.46:65096
	
(SMTP) Anti terrorist & monetary crime division (view attached file and comply)
	
virus found
	
10.37.59.29:25
2010-04-19 5:06:45 pm
	
remove infection
	
209.143.16.46:11807
	
(SMTP) UPS Delivery Problem NR 39011.
	
virus found
	
10.37.59.29:25
2010-04-12 3:53:51 pm
	
remove infection
	
209.143.16.46:19477
	
(SMTP) DHL Customer Services. Please get your parcel NR.3468
	
virus found
	
10.37.59.29:25
2010-04-08 3:37:13 pm
	
remove infection
	
209.143.16.46:11494
	
(SMTP) Winner!
	
virus found
	
10.37.59.29:25
2010-04-06 8:34:10 pm
	
remove infection
	
209.143.16.46:38971
	
(SMTP) Winner
	
virus found
	
10.37.59.29:25
2010-04-03 2:47:36 am
	
remove infection
	
209.143.16.46:63797
	
(SMTP) Winner
	
virus found
	
10.37.59.29:25
2010-04-03 2:11:00 am
	
remove infection
	
209.143.16.46:40362
	
(SMTP) Winner
	
virus found
	
10.37.59.29:25
2010-03-31 8:11:50 am
	
remove infection
	
209.143.16.46:57539
	
(SMTP) FUND TRANSFER
	
virus found
	
10.37.59.29:25
2010-03-31 5:10:46 am
	
remove infection
	
209.143.16.46:61687
	
(SMTP) FUND TRANSFER
	
virus found
	
10.37.59.29:25

[neiby]

It's entirely possible that KAV has blocked some things and I just didn't notice. But considering how many users we have accessing the Internet, I would have expected a little bit more activity.

Then again, we block most users from downloading EXEs. That makes a big difference right there.

[dbunyard]

Quote:

Originally Posted by neiby

Then again, we block most users from downloading EXEs. That makes a big difference right there.

That right there is probably a big part of why you don't get much stuff stopped by UT.

[neiby]

Yep. On the other hand, Virus Blocker has blocked two things in just 12 hours of being installed. I don't recall ever seeing anything like that from KAV. Of course, longer monitoring and further testing will be needed. It just seems a bit curious.

[juank]

Also, I think CLAMAV checks for viruses FIRST, right? I can see in my logs that CLAMAV caught some viruses while KAV stays in ZERO...

[neiby]

Quote:

Originally Posted by juank

Also, I think CLAMAV checks for viruses FIRST, right? I can see in my logs that CLAMAV caught some viruses while KAV stays in ZERO...

I tested this yesterday. I turned both on and then downloaded EICAR. With both on, KAV caught it first. It just seems so odd that the only times I ever see KAV blocking something is when I'm testing it with EICAR. I guess that proves that it's working.

[dbunyard]

Same here, Kaspersky caught it first.

[neiby]

Quote:

Originally Posted by dbunyard

Same here, Kaspersky caught it first.

Which I guess brings me back around to the beginning. KAV appears to be "working", since it is catching EICAR. But it never seems to catch anything else. Since turning on Virus Blocker yesterday, it has caught two different things that KAV didn't catch. I wonder how many other things in the past year KAV has let in that Virus Blocker might have blocked. It never occurred to me to have both of them in a rack at the same time.

I'll leave both running for now and see what happens over time.

[juank]

WE run both here... there is also another thread on this: http://forums.untangle.com/kaspersky...-all-work.html