Does ClamAV work at all?

Started by Jyling, July 28, 2025, 02:33:39 PM

July 28, 2025, 02:33:39 PM Last Edit: July 28, 2025, 05:53:21 PM by Jyling
I was tasked with adding a proxy to the router, for staff on the go, and a question arose as to whether to enable ClamAV or not.

So I go reading and find out that its detection rate is an abysmal 60%. Since this is anecdotal, I begin to test it and sic it on arbitrary files: OS ISOs, software distros, installed software etc. The result is simply mind-boggling: clamdscan either instantaneously returns "clean file" or hangs and has to be killed with Ctrl-C. No other options, no middle ground.

It does detect that short string which everyone uses for its testing, and that's about it. Its detection time does not seem to correlate with the file/directory size, i.e. it instantaneously says that a file is clean be it 1 MB or 1 GB. Also, there is no correlation of when it hangs with the file size.

Since I do not have any infected files sitting around, I can't prove or disprove that. Can anyone confirm that ClamAV does indeed detect viruses, be it in email attachments or in files being downloaded by proxy users?

July 28, 2025, 08:21:21 PM #1 Last Edit: July 29, 2025, 05:24:20 AM by BrandyWine
Well, let's start with some basics around proxy.

Is the proxy doing man-in-the-middle for TLS? If not, then any security control that needs to scrub the payload will be completely moot.

If your proxy setup is all good with trusted certs for end-users (basically one trusted cert to impersonate all dst URIs), then the security controls can work on the payload. Is ClamAV any good? It's something, but the bad folks know how to skirt around it.

Example: send some questionable exes to VirusTotal; the big list of scanners there will scrub them, most will say the exe is ok, a few will say not.

So, is clam-av any good for you? Debatable for sure. But I can say for sure, is something better than nothing?

Quote from: BrandyWine on July 28, 2025, 08:21:21 PM
Well, let's start with some basics around proxy.

Is the proxy doing man-in-the-middle for TLS? If not, then any security control that needs to scrub the payload will be completely moot.

If your proxy setup is all good with trusted certs for end-users (basically one trusted cert to impersonate all dst URIs), then the security controls can work on the payload. Is ClamAV any good? It's something, but the bad folks know how to skirt around it.

Example: send some questionable exes to VirusTotal; the big list of scanners there will scrub them, most will say the exe is ok, a few will say not.

So, is clam-av any good for you? Debatable for sure. But I can say for sure, is something better than nothing?

First, I need to know whether ClamAV works conceptually. So far this is inconclusive.

Quote from: Jyling on July 29, 2025, 03:05:55 PM
Quote from: BrandyWine on July 28, 2025, 08:21:21 PM
Well, let's start with some basics around proxy.

Is the proxy doing man-in-the-middle for TLS? If not, then any security control that needs to scrub the payload will be completely moot.

If your proxy setup is all good with trusted certs for end-users (basically one trusted cert to impersonate all dst URIs), then the security controls can work on the payload. Is ClamAV any good? It's something, but the bad folks know how to skirt around it.

Example: send some questionable exes to VirusTotal; the big list of scanners there will scrub them, most will say the exe is ok, a few will say not.

So, is clam-av any good for you? Debatable for sure. But I can say for sure, is something better than nothing?

First, I need to know whether ClamAV works conceptually. So far this is inconclusive.
Short answer is yes. If you want the long answer, then you need to define a lot of other things. It works to some extent, and the shortfalls are well documented.

To help with the short answer, three readings are provided:

1) https://docs.opnsense.org/manual/how-tos/clamav.html
2) https://forum.opnsense.org/index.php?topic=19460.0
3) https://en.wikipedia.org/wiki/ClamAV

I think it's better to have centrally managed endpoint protection on the user devices, as it will also scan and intercept when e.g. an encrypted archive is opened with a virus inside, do advanced heuristics over a longer period, and actually stop threats actively once triggered.

An intercepting ClamAV cannot handle complex scenarios and, depending on the signatures it has, it's also not good at detecting anything other than basic threats; it's better not to use it than to feel it's actually doing something.
Hardware:
DEC740

I'd love to see it work even for the simplest of scenarios first. It seems to do nothing at all.

If you want a real-life example of it doing at least something, check out a Plesk server running their email security suite.

It uses Amavis with ClamAV and SpamAssassin, and it scans mails.
Hardware:
DEC740

Quote from: Jyling on July 31, 2025, 07:44:15 PM
I'd love to see it work even for the simplest of scenarios first. It seems to do nothing at all.

What test exactly did you try? Does it stop EICAR from being downloaded over a non-encrypted protocol?
ClamAV works.

Quote from: BrandyWine on July 31, 2025, 10:37:01 PM
What test exactly did you try?

That which is described in the OP, in great detail.

Quote from: BrandyWine on July 31, 2025, 10:37:01 PM
ClamAV works.

Not according to my tests.

Quote from: Jyling on July 28, 2025, 02:33:39 PM
Since this is anecdotal, I begin to test it and sic it on arbitrary files: OS ISOs, software distros, installed software etc.

So all these test items have malware in them? I am a bit confused as to how or what you are testing with.
Drop EICAR on the system, scan the system.

Ctrl-C?? You know the use of &?
Well, try downloading some test files; plenty of sites have downloadable malware you can park on the system, then launch clamscan from the CLI (use the &, or if not, get a 2nd SSH session going).

If clam is balking on large GB ISOs, then it's a system resource issue, but you can spot this from the CLI (top, as an example).

I hope this helps some.
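The test BrandyWine proposes twice in this thread (drop EICAR on the box, scan it, see whether it is flagged) written out as an added shell example; it is not code from the thread or from the ClamAV project. It assumes clamscan is on PATH with a signature database that freshclam has already populated, and that the installed clamscan accepts --alert-exceeds-max. Two details address the OP's symptoms: the scan runs under timeout(1) so a stalled scan ends on its own instead of needing Ctrl-C, and the verdict comes from clamscan's documented exit status (0 clean, 1 virus found, 2 error) rather than from reading the output. Files above the configured --max-filesize are skipped and, without the alert flag, reported as OK, which is one way a multi-gigabyte ISO comes back "clean" instantly; the flag turns a skipped file into a hit so that case is visible.

```shell
#!/bin/sh
# Added example, not from the thread: build the EICAR test file, scan it under a
# time limit, and read clamscan's exit status rather than eyeballing its output.
# Assumes clamscan is on PATH, freshclam has populated the signature database,
# and the installed clamscan accepts --alert-exceeds-max.
set -u

# Write the 68-byte EICAR test string to $1. printf '%s' keeps the shell from
# expanding $E/$H and keeps % from being read as a printf directive.
make_eicar() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# clamscan documents three exit codes: 0 no virus found, 1 virus found, 2 error.
# timeout(1) exits 124 when it had to kill the scanner at the deadline.
interpret_rc() {
    case "$1" in
        0)   echo clean ;;
        1)   echo infected ;;
        2)   echo error ;;
        124) echo timeout ;;
        *)   echo "unknown($1)" ;;
    esac
}

# Scan $1 with a hard deadline of $2 seconds (default 120). Oversized files are
# normally skipped and reported OK; --alert-exceeds-max turns that into a hit so
# a "clean" verdict on a multi-GB ISO is not mistaken for a real scan.
scan_path() {
    path=$1
    limit=${2:-120}
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not found on PATH" >&2
        return 3
    fi
    timeout "$limit" clamscan --no-summary --alert-exceeds-max=yes "$path" >/dev/null 2>&1
    interpret_rc $?
}

# Self-check: a working install must report the EICAR file as infected.
# clamscan loads the whole database at every start, so allow a few minutes.
eicar_selftest() {
    dir=$(mktemp -d)
    make_eicar "$dir/eicar.com"
    verdict=$(scan_path "$dir/eicar.com" 300)
    rm -rf "$dir"
    echo "EICAR verdict: $verdict"
    [ "$verdict" = infected ]
}

# Usage: sh clam_check.sh selftest        or:  sh clam_check.sh scan /path 120
case "${1:-}" in
    selftest) eicar_selftest ;;
    scan)     scan_path "${2:?path required}" "${3:-120}" ;;
esac
```

Run the selftest first; if it prints anything other than "infected", the scanner or its database is the problem, not the test. A "timeout" verdict on a large file, combined with a look at top as suggested above, separates a genuinely slow scan from a scanner that is simply out of memory. Note that clamdscan hands the path to a running clamd, so the equivalent check for the daemon path is the same EICAR file with clamdscan substituted and the same exit codes applying.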