Koozali.org: home of the SME Server

ClamAV not finding much anymore

toothandnail
ClamAV not finding much anymore
« on: April 25, 2016, 09:19:51 PM »
I've noticed this problem on a number of SME servers (5 SME 9.x, 2 SME 8.x). Even though the virus scan runs every night, over the last few weeks, there are very few hits being reported. All of the machines have the unofficial sigs loaded and all of them run as they're supposed to.

It would be nice to think that the number of viruses(?) in the wild has dropped, but on most of the networks I've been able to check, virus checking on Windows machines is showing a large increase in the number of hits, so that does not seem to be the case.

Is anyone else seeing this pattern? If so, any ideas as to what has gone wrong with ClamAV, and any suggestions for an alternate? The only problem I can see in the logs is this:

Code:
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99 Recommended version: 0.99.1

Don't think that would be enough to cause the current problem...

Paul.

Gary Douglas
Re: ClamAV not finding much anymore
« Reply #1 on: April 27, 2016, 08:38:41 AM »
I have noticed this. Possibly since the update which allows setting clamav; FilesystemScanUnofficialSigs=no, there have been no infected files found on any of my SME8/9 servers. Prior to setting FilesystemScanUnofficialSigs to no, all sorts of known good files were moved to quarantine after detection by the unofficial signatures.

Daniel B.
Firewall Services, network security
Re: ClamAV not finding much anymore
« Reply #2 on: April 27, 2016, 09:16:54 AM »
Unofficial signatures are not adapted for filesystem scans; they generate far too many false positives. They are only useful for inbound email scans. At least in Europe, most infected emails have been carrying a Locky variant for a few months. Unfortunately, Locky can take a lot of different forms, and ClamAV seems to have trouble detecting it correctly.
It's the end of the world!!! :lol:
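Added example, not posted by anyone in this thread and not part of SME Server or ClamAV: a small shell helper that splits the FOUND lines of a clamscan report into official and unofficial hits and pulls out the OUTDATED warning quoted above, so a sudden drop in hits can be checked against whether it coincides with FilesystemScanUnofficialSigs being turned off rather than a real change in the engine. It relies on ClamAV appending ".UNOFFICIAL" to signatures loaded from third-party databases; the log lines and signature names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a clamscan report so a drop in
# reported hits can be attributed to disabled unofficial signatures rather than
# assumed to be a genuine decline. ClamAV suffixes signatures loaded from
# third-party databases with ".UNOFFICIAL"; official signatures carry no suffix.

# Constructed sample of clamscan output lines (not a real scan log).
SAMPLE_LOG='/home/e-smith/files/users/alice/home/invoice.zip: Sanesecurity.Malware.26103.JsHeur.UNOFFICIAL FOUND
/home/e-smith/files/users/bob/home/setup.exe: Win.Trojan.Agent-1234567 FOUND
/home/e-smith/files/ibays/Primary/html/index.html: OK
/home/e-smith/files/users/carol/home/report.doc: Doc.Dropper.Agent-9876 FOUND
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99 Recommended version: 0.99.1'

# count_hits MODE LOG : prints the number of FOUND lines in LOG;
# MODE is official, unofficial or all.
count_hits() {
    mode=$1
    printf '%s\n' "$2" | awk -v mode="$mode" '
        / FOUND$/ {
            sig = $(NF-1)                      # field before FOUND is the signature
            unofficial = (sig ~ /\.UNOFFICIAL$/)
            if (mode == "all" || (mode == "unofficial" && unofficial) ||
                (mode == "official" && !unofficial)) n++
        }
        END { print n + 0 }'
}

# outdated_warning LOG : prints "local=X recommended=Y" when clamscan reported an
# outdated engine, otherwise prints "current".
outdated_warning() {
    printf '%s\n' "$1" | awk '
        /^WARNING: Local version:/ { printf "local=%s recommended=%s\n", $4, $7; found = 1 }
        END { if (!found) print "current" }'
}

echo "official hits:   $(count_hits official "$SAMPLE_LOG")"
echo "unofficial hits: $(count_hits unofficial "$SAMPLE_LOG")"
echo "engine status:   $(outdated_warning "$SAMPLE_LOG")"
```

On a real server, feed it the nightly clamscan log instead of SAMPLE_LOG; if only the unofficial count collapses after the setting change, the engine itself is not the thing that went quiet.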