
List:       clamav-users
Subject:    Re: [clamav-users] Problem with clamdscan and SELinux
From:       "G.W. Haywood via clamav-users" <clamav-users () lists ! clamav ! net>
Date:       2021-06-15 23:18:31
Message-ID: alpine.DEB.2.21.2106152304060.16595 () piplus ! local ! jubileegroup ! co ! uk

Hi there,

On Tue, 15 Jun 2021, Lee, Raymond via clamav-users wrote:

> ... I don't want this thread to become a debate about whether or not to
> scan the entire system.  I was just looking for insight into my question
> about clamd and SELinux.

Sure, with you.  FWIW I don't scan Linux systems.  Primarily I use
ClamAV to scan mail, and I'm not especially interested in malware.

As far as SELinux is concerned it seems to me that it's most likely
doing what it's supposed to do.  My personal take on it is that there's
no reason on Earth to scan a shadow_t type file with ClamAV, and if
you do let it do that you risk a vulnerability in ClamAV ruining your
whole holiday.  I don't know why you aren't seeing the log messages
which you're expecting to see, perhaps it's a permissions issue too.

In case it's interesting, here's the detection performance of some
scanners for the last 40 malicious emails processed by my systems:

  30 fortinet.com
  28 drweb.com
  26 gdatasoftware.com
  26 escanav.com
  26 bitdefender.com
  25 avast.com
  20 sophos.com
  20 ikarus.at
  19 eset.com
   7 f-secure.com
   5 f-prot.com
   3 clamav.net
   0 trendmicro.com

The detection numbers were obtained by manually inspecting attempts to
send suspicious mail to our servers, and after confirming that the mail
was malicious, submitting samples to Jotti's malware scan:

https://virusscan.jotti.org/

This was by no means a scientific experiment.  The sample size was
very small; the malware chose to be in the study, not the other way
around; some of the 40 samples were almost identical; there may be
issues with the way in which samples were presented to the scanners
which skews the comparative results.  But as you can see, even the
best performer only found three out of four.

It's food for thought.

-- 

73,
Ged.
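[Added example, not part of Ged's message or of the ClamAV project.] Before deciding whether SELinux is "doing what it's supposed to do", it helps to see exactly which file types clamd was denied on. The script below pulls that out of raw audit lines: it keeps only AVC denials whose comm is clamd and prints the target SELinux type and the file name, de-duplicated. The audit lines embedded in sample_audit() are constructed for the demonstration (the pid, inode and timestamps are made up); on a real host replace that function with `ausearch -m avc -c clamd --raw` or a grep for 'avc:' over /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials that name clamd.
# Not code from the original message or from the ClamAV project.

# clamd_denials: read raw audit records on stdin, emit "<target_type> <name>"
# for every denial whose comm is clamd, one unique pair per line.
# Only the basename (name="...") is present in an AVC record; the full path
# has to be recovered separately (see the note after the block).
clamd_denials() {
    grep 'avc: *denied' | grep 'comm="clamd"' |
    sed -n 's/.* name="\([^"]*\)" .* tcontext=[^ ]*:\([a-z_]*\):[^ ]* .*/\2 \1/p' |
    sort -u
}

# sample_audit: constructed audit records for the demo. Two clamd denials on
# shadow_t files (/etc/shadow and /etc/gshadow) plus one unrelated sshd
# denial that must be filtered out.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1623796711.123:4567): avc:  denied  { read } for  pid=1234 comm="clamd" name="shadow" dev="dm-0" ino=1337 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623796711.456:4568): avc:  denied  { open } for  pid=1234 comm="clamd" name="shadow" dev="dm-0" ino=1337 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623796712.001:4569): avc:  denied  { read } for  pid=1234 comm="clamd" name="gshadow" dev="dm-0" ino=1338 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623796713.777:4570): avc:  denied  { write } for  pid=999 comm="sshd" name="lastlog" dev="dm-0" ino=2001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
EOF
}

# demo: run the summary over the constructed records.
# Expected output:
#   shadow_t gshadow
#   shadow_t shadow
demo() {
    sample_audit | clamd_denials
}

demo
```

Two practical notes. First, the AVC record only carries the basename, so to turn "shadow_t shadow" into a path for clamd.conf's ExcludePath directive you still need to locate the file (the dev/ino pair in the record, or a `find -inum`, will do). Second, a denial on shadow_t is the policy working as intended, as Ged says: the right response is to stop clamd from walking into those files (ExcludePath, or not scanning the whole filesystem), not to relabel them or write an allow rule.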

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml