[Rspamd-Users] rspamd-3.7.1: lua module clamav is enabled but has not been configured

G.W. Haywood rspamd at jubileegroup.co.uk
Mon Oct 23 10:40:42 UTC 2023


Hi there,

On Mon, 23 Oct 2023, Franta Hanzlík via Users wrote:

> I'm trying to configure rspamd clamav antivirus interface module (until
> now I used clamav-milter + clamd as separate milter on my postfix MTA),
> according to 'https://rspamd.com/doc/modules/antivirus.html'.

Can you tell me why you are doing this?  In view of the very poor
detection rates from ClamAV it seems to me like a lot of work for
little reward.  By 'very poor' I mean a detection rate of a few percent
of viruses.  Do you use third party databases with ClamAV?  The third
party databases are the only reason I use ClamAV at all.

> ...
> 2023-10-23 06:09:17 #938628(main) <6gu15n>; cfg; ....
> ...
> (last one is probably unrelated (but some error it perhaps is? ))

It's certainly an unrelated error.

> Any idea what else needs to be configured for the clamav antivirus
> to work properly?

My feeling is that your efforts would be better rewarded by adding an
alternative means of detecting malware.  I wouldn't go so far as to
suggest removing ClamAV, but I'm not sure that I can think of anything
with a higher ratio of resource usage to usefulness.  The table below
gives the detection results for seventeen virus scanners, courtesy of
Jotti's virus scan (https://virusscan.jotti.org/).  These results have
been collected here for the incoming viruses in our mail since about
the end of April 2021.  The viruses were detected automatically by my
own software (which has a relatively high false positive rate, but a
zero false negative rate) and then verified and submitted manually to
Jotti for scanning by multiple scanners.

8<--------------------------
  Yes   No
  398   66 fortinet.com
  331  133 avast.com
  328  135 gdatasoftware.com
  318  150 bitdefender.com
  317  150 escanav.com
  269  198 ikarus.at
  240  225 secure.com
  222  246 drweb.com
  220   42 cyren.com
  173  120 sophos.com
  162   63 kaspersky.com
   79  389 virus.by
   60   77 eset.com
   57  411 k7computing.com
   20  448 trendmicro.com
   15  453 clamav.net
    9  144 prot.com
8<--------------------------

About 450 individual virus samples are represented above.  Not all
scanners scanned all samples (mainly because Jotti has added scanners
to the list over the years) which explains why Yes+No does not always
add up to the same number.  A few samples were scanned more than once.

As you can see from the table, ClamAV as configured by Jotti caught
about three percent of the viruses which we've seen in the last two
and a half years.  That figure could be a lot better if Sanesecurity
and other third-party databases were configured, but still it probably
wouldn't be as good as the best of them, and the *best* of them missed
15 percent of the viruses which were sent to us.  One in six!

My advice is don't rely on virus scanners - because if you do then the
compromise of your systems is inevitable.

-- 

73,
Ged.

