[Rspamd-Users] rspamd-3.7.1: lua module clamav is enabled but has not been configured
Franta Hanzlík
franta at hanzlici.cz
Mon Oct 23 12:21:15 UTC 2023
Hi Ged!
First, thank you for the important information about the effectiveness
of antivirus solutions. Further, in the context of your statements:
On Mon, 23 Oct 2023 11:40:42 +0100 (BST)
"G.W. Haywood via Users" <users at lists.rspamd.com> wrote:
> Hi there,
>
> On Mon, 23 Oct 2023, Franta Hanzlík via Users wrote:
>
> > I'm trying to configure the rspamd clamav antivirus interface module (until
> > now I used clamav-milter + clamd as a separate milter on my Postfix MTA),
> > according to 'https://rspamd.com/doc/modules/antivirus.html'.
>
> Can you tell me why you are doing this? In view of the very poor
> detection rates from ClamAV it seems to me like a lot of work for
> little reward. By 'very poor' I mean detection rate of a few percent
> of viruses. Do you use third party databases with ClamAV? The third
> party databases are the only reason I use ClamAV at all.
Why am I doing this? I want to do as much as possible for the security
of mail delivered by my mail server. With the best possible price/
performance ratio, ideally using the FOSS available for my OS (Fedora
Linux) - and ClamAV seems like a natural solution. I had no idea that
the efficiency of AV engines and ClamAV in particular was so low.
I'm using ClamAV with eXtremeSHOK 3rd party AV DB:
https://github.com/extremeshok/clamav-unofficial-sigs
I don't know how good this database is.
And specifically, why I want to replace the separate setup (clamav-milter +
clamd scan engine) and integrate the AV scan under rspamd:
1) integration into one milter seems optimal from the point of view
of resource usage (I will save the clamav-milter bridge to the clamd engine),
and results and statistics are collected in one place.
2) with the combination of clamav-milter + clamd scanner, I had a
problem several times: a non-functioning clamd engine (crash, damaged
DB etc.) led to the blocking of the Postfix MTA, which was waiting for a
response from clamav-milter. I don't know if this error is still there,
but I hope that the AV scan from rspamd will not block the MTA.
> > ...
> > 2023-10-23 06:09:17 #938628(main) <6gu15n>; cfg; ....
> > ...
> > (last one is probably unrelated (but some error it perhaps is? ))
>
> It's certainly an unrelated error.
>
> > Any idea what else needs to be configured for the clamav antivirus
> > to work properly?
>
> My feeling is that your efforts would be better rewarded by adding an
> alternative means of detecting malware. I wouldn't go so far as to
> suggest removing ClamAV, but I'm not sure that I can think of anything
> with a higher ratio of resource usage to usefulness. The table below
> gives the detection results for seventeen virus scanners, courtesy of
> Jotti's virus scan (https://virusscan.jotti.org/). These results have
> been collected here for the incoming viruses in our mail since about
> the end of April 2021. The viruses were detected automatically by my
> own software (which has a relatively high false positive rate, but a
> zero false negative rate) and then verified and submitted manually to
> Jotti for scanning by multiple scanners.
>
> 8<--------------------------
> Yes  No
> 398  66   fortinet.com
> 331  133  avast.com
> 328  135  gdatasoftware.com
> 318  150  bitdefender.com
> 317  150  escanav.com
> 269  198  ikarus.at
> 240  225  secure.com
> 222  246  drweb.com
> 220  42   cyren.com
> 173  120  sophos.com
> 162  63   kaspersky.com
> 79   389  virus.by
> 60   77   eset.com
> 57   411  k7computing.com
> 20   448  trendmicro.com
> 15   453  clamav.net
> 9    144  prot.com
> 8<--------------------------
>
> About 450 individual virus samples are represented above. Not all
> scanners scanned all samples (mainly because Jotti has added scanners
> to the list over the years) which explains why Yes+No does not always
> add up to the same number. A few samples were scanned more than once.
>
> As you can see from the table, ClamAV as configured by Jotti caught
> about three percent of the viruses which we've seen in the last two
> and a half years. That figure could be a lot better if Sanesecurity
> and other third-party databases were configured, but still it probably
> wouldn't be as good as the best of them, and the *best* of them missed
> 15 percent of the viruses which were sent to us. One in six!
>
> My advice is don't rely on virus scanners - because if you do then the
> compromise of your systems is inevitable.
> --
This sounds pretty negative for ClamAV.
I agree that ClamAV's memory requirements are large and that the start of its
scan engine itself takes so long that I had to increase the relevant TimeoutSec
parameter of the systemd units. I did not notice any ClamAV CPU load.
On the other hand, computer RAM is not that expensive, and my
demands (mail for wide family members, about half Linux, half Windows)
are not too big.
Then I only have experience with Kaspersky AV + Postfix, which I also
configured. But I don't have any comparison of the effectiveness of both
AV solutions.
--
Thanks, Franta Hanzlík
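Point 2) above is about the scanner hanging the MTA. The block below is an added example, not part of this thread and not rspamd's or ClamAV's code: a minimal client for the clamd TCP protocol (zPING / zINSTREAM, the same protocol the rspamd antivirus module speaks to clamd on port 3310) that always carries a socket timeout, plus an in-process stand-in server that mimics just enough of clamd to run offline. The stand-in server, the `CONSTRUCTED-MALWARE-MARKER` byte string and the signature name `Test.Marker.Constructed` are all constructed for the demo; the `decide()` action names (`accept`, `reject`, `tempfail`, `accept-unscanned`) are the example's own, not rspamd's. It shows the fail-closed versus fail-open choice when clamd is dead or stalled, which is what decides whether mail is deferred or passes unscanned instead of the MTA waiting forever.

```python
"""Minimal clamd client with timeouts, plus a constructed stand-in clamd server.

The server here is NOT clamd; it mimics only the zPING / zINSTREAM subset of the
clamd TCP protocol so the client can be exercised offline.
"""
import socket
import socketserver
import struct
import threading

# Constructed marker that the stand-in server treats as "infected" (not a real signature).
MARKER = b"CONSTRUCTED-MALWARE-MARKER"


class ScannerUnavailable(Exception):
    """clamd could not be reached, closed the connection early, or did not answer in time."""


def _recv_until_nul(sock):
    """Read one NUL-terminated reply (the 'z' command prefix selects NUL delimiters)."""
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ScannerUnavailable("connection closed before reply")
        buf += chunk
    return buf[:-1].decode("ascii", "replace")


def clamd_ping(addr, timeout=2.0):
    """True if clamd answers zPING with PONG within the timeout, False otherwise."""
    try:
        with socket.create_connection(addr, timeout=timeout) as sock:
            sock.sendall(b"zPING\0")
            return _recv_until_nul(sock) == "PONG"
    except (OSError, ScannerUnavailable):
        return False


def clamd_instream(addr, data, timeout=5.0, chunk_size=8192):
    """Scan `data` via zINSTREAM: big-endian length-prefixed chunks, zero-length chunk ends."""
    try:
        with socket.create_connection(addr, timeout=timeout) as sock:
            sock.sendall(b"zINSTREAM\0")
            for off in range(0, len(data), chunk_size):
                part = data[off:off + chunk_size]
                sock.sendall(struct.pack(">I", len(part)) + part)
            sock.sendall(struct.pack(">I", 0))
            reply = _recv_until_nul(sock)
    except OSError as exc:  # connection refused / reset, or the socket timeout firing
        raise ScannerUnavailable(str(exc)) from exc
    # Reply is "stream: OK" or "stream: <SignatureName> FOUND" (or an error text).
    _, _, status = reply.partition(": ")
    if status == "OK":
        return "clean", None
    if status.endswith(" FOUND"):
        return "infected", status[: -len(" FOUND")]
    return "error", status


def decide(addr, message, fail_closed=True, timeout=5.0):
    """Map the scan outcome to an MTA-style action; never waits longer than `timeout`."""
    try:
        verdict, detail = clamd_instream(addr, message, timeout=timeout)
    except ScannerUnavailable as exc:
        # Scanner dead or hung: fail closed (defer, 4xx) or fail open (accept unscanned).
        return ("tempfail" if fail_closed else "accept-unscanned", str(exc))
    if verdict == "infected":
        return ("reject", detail)
    if verdict == "clean":
        return ("accept", None)
    return ("tempfail", detail)


class _FakeClamdHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for clamd: answers zPING and zINSTREAM only."""

    def handle(self):
        cmd = b""
        while not cmd.endswith(b"\0"):
            byte = self.rfile.read(1)
            if not byte:
                return
            cmd += byte
        cmd = cmd[:-1]
        if cmd == b"zPING":
            self.wfile.write(b"PONG\0")
        elif cmd == b"zINSTREAM":
            body = b""
            while True:
                header = self.rfile.read(4)
                if len(header) < 4:
                    return
                (length,) = struct.unpack(">I", header)
                if length == 0:
                    break
                body += self.rfile.read(length)
            if MARKER in body:
                self.wfile.write(b"stream: Test.Marker.Constructed FOUND\0")
            else:
                self.wfile.write(b"stream: OK\0")
        else:
            self.wfile.write(b"UNKNOWN COMMAND\0")


def start_fake_clamd():
    """Start the stand-in server on a random loopback port; returns (addr, server)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeClamdHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address, srv


def start_stalled_listener():
    """Listening socket that is never accepted from: simulates a hung clamd."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock.getsockname(), sock


if __name__ == "__main__":
    addr, srv = start_fake_clamd()
    print("ping:", clamd_ping(addr))
    print(decide(addr, b"Subject: hello\r\n\r\nplain text mail\r\n"))
    print(decide(addr, b"Subject: hi\r\n\r\n" + MARKER + b"\r\n"))
    stalled_addr, stalled = start_stalled_listener()
    print(decide(stalled_addr, b"x", timeout=0.5))                    # tempfail
    print(decide(stalled_addr, b"x", fail_closed=False, timeout=0.5))  # accept-unscanned
    stalled.close()
    srv.shutdown()
```

The timeout is the whole point: with a stalled scanner the client returns after `timeout` seconds with a deferral (or an unscanned accept, if that is the chosen policy) instead of holding the SMTP session open. Whether to fail closed or open is a policy decision for the operator; the example only makes the two outcomes explicit.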