Forums & Blog

Hello SM community,

 I am ready to save some money, and stop renewing my Symantec Mail Security for SMTP Gateways subscription. The filtering and spam handling options in SM far surpass those available in the 4.x product version I am using now, and like i said, i need to save some money and build a better mouse trap (spam trap?).

The crux of my question is:

Which CLI scanner are you using, and why do you like it? What dont you like? Just a standard pros/cons question.

Based on my latest statistics, Im am processing about 6000 messages a day, nearly 92% of which are unwanted. I havent seen a good virus/mass mailer outbreak in a while, but symantec always handled those with ease.

I have about 40 days to get my SMGateway VM setup, so the sooner you can respond, the better.

Thanks,

dnsplus.net, chicago

I've used both.

AVG:

Pro: Many times faster than Clam.
Pro: Uses much less memory than Clam.
Pro: Very few false positives. 
Pro: Virus pattern files can be updated as often as desired.  No wasted bandwidth if no new patterns exist.

Con: License fee (but still extremely cheap)
Con: Does not address phishing messages.
Con: Nobody knows the correct command line to run via SmarterMail.

ClamAV:

Pro: No cost.
Pro: Better than nothing (but not by much).

Con: Much higher false positive rate when compared to commercial products.
Con: Pattern files are only updated every 6 hours.  New viruses fly thru your system in the mean time.
Con: Pattern file updates for new viruses is variable.  Sometimes fast, sometimes very slow.
Con: High memory usage.  Not designed to run on Windows.
Con: Very slow on Windows.

Clam has the advantage of being free and includes scanning for phishing messages, but other than that it's not a very good product... especially on a Windows box. 

It's my opinion that you should never consider a message received thru a SmarterMail system that was scanned by Clam as being virus free.  The way SmarterMail/Clam integrate you don't even know if the message was actually scanned or not.  Due to the 6 hour pattern updates it's very likely that new viruses (which are the real problem anyway) will not be picked up by such a system. 

It's unfortunate that SmarterMail doesn't at least provide a working command line for some of the various "real" virus scanners. 

I'm using Declude with SmarterMail.  Declude has AVG built into it, but I also run ClamAV for some anti-virus redundancy.  One thing that I have noticed is that I'll often see viruses go through AVG undetected and get picked up by ClamAV.  The implication is that ClamAV is a lot better at finding new viruses than AVG.  Another bonus is that ClamAV will detect some phishing spams.

I check my email with Outlook and have Norton scan all of my incoming/outgoing email for viruses.  My implementation of CLAM before SM bundled it was a comman line program that would retain the heders of the email and insert a message that the virus had been removed.  Anyway, my point, I never personally saw a false positive, nor was I informed of any.  Also, I can't think of an occasion when my Norton caught a virus that had snuck through clam.  One thing you can do is run clam and another cheap real-time scanner.  Extend your delivery delay to 30-50 seconds and set it to scan the spool directory.  Just make sure it excludes teh domain directory.  This will give you two scanners for a relatively low cost.  I don't have any experience with AVG, so I can't help you there.  

 I have no idea why people putting Clam down.. yes it can be slow and yes is a bit of a memory hog, but time and time again it shows to be one of the best virus scanners out, opensource or commercial. Personally I use Trend + Clam but really if Clam updated more than every 6 hours it could replace many commercial products.

i think there is a parameter within clamd conf where you can set an update interval. I have mine set for 2 hours, but being an opensource project, are updates that frequent really necessary? I was doing some checking, and it seems that def updates are rather infrequent.

We have not had issues with AVG missing viruses. Be sure your virus signatures are up-to-date. Secondly many Declude customers do use Clam with declude as a second scanner, as Clam has the ability to look for phishing and image spam signatures and best of all is free.