AV comparison
Toxteth O'Grady
Joined: 24 Dec 2006
Posts: 0
Posted: Mon Dec 25, 2006 9:14 am
https://www.dslreports.com/forum/remark,17355525
And the number last is.... ClamAV. Is it as poor as the test results lead us to believe?

Test
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Dec 25, 2006 4:31 pm
That's a good question, and I'm not sure I have a good answer for you, but I'll try. Keep in mind that I'm not on the ClamWin team (just a supporter of open source/freeware), and I'm no expert.
Before I try to answer, however, let me tell you that I recently got a phishing virus (Gold something or other). I was running the AVG paid version along with ClamWin, the Windows Defender, and Zone Alarm. ClamWin spotted it and quarantined it. I uploaded the file to the VirusTotal service to see if it really was malware. After the scan, only Avira AntiVir, ClamWin, and VirusBlockADA found anything. If a couple of other AV programs find something, it is probably malware. In this case, it was malware that was evidently a fairly low threat. It is interesting that ClamWin and VirusBlockADA (from Belarus) aren't very high profile antivirus programs, and you don't hear much about AntiVir (Germany), which is a very good antivirus program that blocks spyware in addition to viruses/worms/trojans.
So I think the answer depends upon what kind of malware you get. The purpose of ClamAV, which is the "engine" running ClamWin, is to find email viruses. ClamWin also uses Clam's signature database, so it is also going to be better at finding email viruses.
Many of those tests of antivirus software supposedly use "in the Wild" (ITW) viruses, and the antivirus companies that are marketing oriented all make sure they can detect the ITW stuff, and they concentrate less upon the low threat stuff. The ITW stuff is the high profile malware, which everybody knows about--the Internet service providers, the IT staffs, etc.
Something else to consider: the price of antivirus software is increasing. There is a danger that the large, bloated antivirus programs will be our only choice at some point. That is a good reason to support a free, open source program like ClamWin. It's worth a few dollars a year to help out!
I keep hearing now (from Kaspersky and others) that malware writers are now concentrating upon using malware to make money. I also hear that they are targeting/testing their malware against the most visible antivirus companies (they can upload to VirusTotal also). They are even timing their "exploits" to come out just after Microsoft's Patch "Tuesdays." This is a good reason to use a "low profile" antivirus software.
If you look at the frequency with which most antivirus companies update their signature databases, ClamAV is up there with the fastest ones. Their database now includes over 85,000 signatures, which is more than some of the commercial antivirus software. I think that there will be a significant improvement in the quantity of detection at 100,000 signatures--they can't all be email viruses.
ClamWin needs to get a resident scanning capability, and ClamAV needs to put a couple of smart heuristic capabilities in the engine. I believe you will see both of these in 2007.
Here is a link to an "inside" test of ClamWin against AVG for your information:
https://wiki.clamwin.com/index.php/Detection_Rate. Note that ClamWin is just about as good as AVG on this test of about 70,000 "real" virus samples. Based on my experience in the starting example I gave above, ClamWin found a phishing virus that AVG did not.
Presently, ClamWin can only be as good as ClamAV. The ClamWin team is doing what they can with the limited resources they have. Several antivirus programs have more than one engine, and some of them change engines. If you support ClamWin, they will be able to improve the separate portion of ClamWin code--and perhaps even move away from ClamAV at some point.
At the present time, ClamWin is about where the commercial antivirus software was before it got resident capability. With a resident capability, 100,000 virus signatures, better unpacking capability, and some basic heuristics, ClamWin will be good enough to scare some of the commercial antivirus software. Then the ClamWin team can start "tinkering" with the interface and some other "nice" things.
Antivirus software is your choice. My current choice is to support ClamWin and also use AntiVir until ClamWin goes resident.
I hope this helps.
Regards,

Toxteth O'Grady
Joined: 24 Dec 2006
Posts: 0
Posted: Tue Dec 26, 2006 11:56 am
Thanks for the extensive answer with many valid points.
Why ClamAV is number last is a good question, but another good one is how the "winner" manages to find almost 100% of 460.000 malware related files. And that doesn't even include viruses. Surely it doesn't have such a huge database. Heuristics that ClamAV misses (like you said), probably.
Hopefully that on-access scanner for ClamWin will be available soon. I don't really want to do without one. However, I wonder what the effect on the system will be. At the moment scanning is quite slow and it is doubtful whether the engine is fast enough for this type of scanning. Well, as far as I can tell. For what it's worth...
Thanks again.

AV Comparison
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Dec 26, 2006 1:41 pm
You shouldn't be without a resident scanner, but many computer viruses are preventable, as they are caught by "risky behavior". There are decent free antivirus programs. AVG by Grisoft is free, and so is AntiVir Personal Classic from Avira. AntiVir is very good. Just go to the Grisoft or Avira Web sites to download. Two antivirus programs should give better protection than one. My resident scanner once found a virus when ClamWin was doing a scan. Just make sure only one is resident and use the other only on-demand. Scan time won't be much of a problem when ClamWin is resident, and they will do more to optimize scan time when they can--such as using check sums so they can bypass an already-scanned file. You can speed it up some if you use the configuration menu to scan only for the most dangerous file extensions. Google for "dangerous file extensions."
Regards,

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Dec 27, 2006 3:27 am
Here's another German test in which ClamAV did pretty well. It came in at the middle of the pack, and beat some high profile antivirus programs. The narrative is in German, but you can see the numbers.
https://www.vnunet.de/praxis/security/article200612180252.aspx
Regards,

Toxteth O'Grady
Joined: 24 Dec 2006
Posts: 0
Posted: Wed Dec 27, 2006 4:29 pm
I can read German.
That test only shows whether developers are keeping up with the latest "trends" in virusland. I guess the result is not too bad for an open source project. I would feel pretty bad if I were an F-Prot developer.
I'm not really worried about "catching a virus", but I need a reliable scanner to check my spam\e-mail before I forward it to Knujon https://www.knujon.com/.
Anything their AV scanner intercepts will be deleted, so checking before forwarding is imperative. So far ClamWin seems to be doing alright. It found several attachments with trojans in them and it even reported a phishing attempt.

F-Prot
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Dec 28, 2006 3:35 pm
I believe that F-Prot is one of those AV programs that have decided to use someone else's engine (Norman's and Kaspersky's engines are popular). When ClamAV reaches Version 1.0, they might get some revenue by doing this--eh?
Regards,

Erkan_Yilmaz
Joined: 16 May 2007
Posts: 0
Location: Germany
Posted: Fri Aug 10, 2007 3:46 pm
here is another test conducted:
- August 8th 2007 at LinuxWorld
- conducted in front of an audience at the show by Untangle
- viruses submitted by members of the audience
- 10 antivirus products were confronted with 25 viruses
100 % of the viruses caught by:
ClamAV, Kaspersky and Symantec.
94 % F-Prot and Sophos
89 % McAfee
61 % GlobalHauri, Fortinet, and SonicWall
read more about: Why were the results so different from what we usually read in tests conducted by other labs? https://www.clamav.net/2007/08/09/untangle-tests-antivirus-tools-in-linuxworld-fight-club/
Erkan YILMAZ
blog: https://iaskquestions.com I ask questions
Last edited by Erkan_Yilmaz on Fri Aug 10, 2007 3:55 pm; edited 1 time in total

b0ne
Joined: 26 Oct 2006
Posts: 0
Posted: Fri Aug 10, 2007 6:17 pm
Erkan_Yilmaz wrote:
- August 8th at LinuxWorld
- conducted in front of an audience at the show
- viruses submitted by members of the audience
- 10 antivirus products were confronted with 25 viruses
100 % of the viruses caught by:
ClamAV, Kaspersky and Symantec.

25??? lol.
Clamav primarily runs on mail servers, and primarily detects email worms. It will simply not do as well as a bulk of the others because most of its submissions come from mail sources.
Assuming that clamav is in the same ballpark with more advanced AVs like kaspersky, outside of email worm detection, is absurd.
All times are GMT