From: "Valeri Galtsev"
Reply-To: galtsev@kicp.uchicago.edu
To: "Wayne Sierke"
Cc: "krad", "Olivier Nicole", questions@freebsd.org
Date: Wed, 23 Mar 2016 11:02:33 -0500 (CDT)
Subject: Re: Anti-virus for FreeBSD
Message-ID: <62985.128.135.52.6.1458748953.squirrel@cosmo.uchicago.edu>
In-Reply-To: <1458712914.1578.37.camel@au.dyndns.ws>

On Wed, March 23, 2016 1:01 am, Wayne Sierke wrote:
> On Tue, 2016-03-22 at 09:07 +0000, krad wrote:
>
>> Other than that clamav
>> is good enough.
>
> I'm curious as to whether that's an objective or subjective view?
>
> I've got clam-av set up on a couple of mail boxes scanning incoming
> messages and find a worrying amount of viral content still gets
> through. Even after submitting false-negative reports, manual tests
> conducted (days!) later have failed to detect them.
>
> To be fair, some of that also fails to be detected initially by
> commercial AV scanners on MS Windows. However in one instance, for
> example, one AV provider had an update deployed and distributed less
> than two hours after they were notified.
>
> I've submitted suspect attachments to the Virus-Total web site to find
> that it was already submitted previously, sometimes long ago, and
> clam-av is listed with a negative detection result.
>

Partly to toss some more fuel into the fire ;-) and partly to discourage
too harsh judgement of "some anti-virus software not catching some
viruses" (or should I say virii as a plural of Latin word virus?)

First of all, the whole anti-virus approach is fundamentally flawed. In
fact, you can not enumerate bad (what anti-virus is trying to do). You
only can enumerate good and prohibit everything else. So, don't be too
harsh on those [anti-viruses] that miss some of evil things sometimes:
remember, they are trying to do the task that is fundamentally flawed.

Second, the very existence of Windows viruses is based on architecture
flaws of MS Windows system IMHO.
Of course, most of us have to use and maintain that system in a course
of fulfilling our job duties; that can not prevent us from having some
attitude. Based on which I would discourage running for your Unix/Linux
mail server virus scanning software on Windows machine. I would to my
best ability avoid running any services at all on MS Windows. This one -
avoid using Windows for scanning what Windows is vulnerable to - is yet
another reason in addition to a need of maintaining too many systems.

Just my $0.02

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++