ClamAV is an open source, free anti-virus tool, designed for email scanning on mail gateways.
It is owned by Sourcefire, which employs the ClamAV developers and provides commercial support for ClamAV.
The most important capability of an anti-virus product is to be able to remove a high percentage of viruses, including rapid reaction to new viruses.
A test by Untangle put ClamAV as one of the top three (along with Kaspersky and Symantec). This test generated a lot of controversy, with some arguing the test methodology to be flawed and others suggesting that commercial vendors are trying to suppress a free alternative.
A comment from AV-Comparatives, which provides independent testing, gives useful insight in explaining why it does not include ClamAV in its standard list. AV-Comparatives notes that ClamAV is not designed or suitable for use on an end system, but is designed to detect spreading viruses, and has a very good response rate to new threats. This is confirmed in its report and other references on the net.
ClamAV detects phishing attacks, as well as conventional viruses and worms. During one day’s operation on the Isode servers, the following viruses and phishing attacks were detected:
- Exploit.HTML.IFrame: 10 Time(s)
- Exploit.WMF: 6 Time(s)
- HTML.Phishing.Auction-144: 1 Time(s)
- HTML.Phishing.Auction-222: 2 Time(s)
- HTML.Phishing.Bank-1232: 1 Time(s)
- HTML.Phishing.Bank-474: 18 Time(s)
- HTML.Phishing.Pay-36: 1 Time(s)
- W32.Sality.Q-1: 5 Time(s)
- Worm.Mydoom.I: 1 Time(s)
- Worm.Mydoom.M: 4 Time(s)
- Worm.SomeFool.AA-2: 9 Time(s)
- Worm.SomeFool.D: 1 Time(s)
- Worm.SomeFool.P: 17 Time(s)
- Worm.Stration.YY: 1 Time(s)
- Worm.Womble.D: 8 Time(s)
The integration with an email gateway is straightforward and efficient. This is important for gateway/boundary use. A number of AV vendors are focusing on appliance and “complete solution,” and either dropping or reducing support for integration with other products.
ClamAV is a good anti-virus option for boundary checking.