
Re: Antivirus for Debian



> We run a list server.  Clamav and spamassassin find viruses and spam all
> the time.

Not finding spam would indeed be pretty scary.

As for finding viruses, don't forget that finding viruses is only useful
if that virus would have infected some other machine.  Viruses "caught"
by anti-virus software fall into 3 categories:

- False positives: these are not viruses at all, they just look like one.
  Not sure how frequent this is for email messages, but at least for
  virus scanners inspecting incoming files and stuff on Windows boxes,
  this is a pretty common problem (we frequently got reports about
  Emacs being flagged as containing a virus, for example).

- Viruses which exploit bugs that have been plugged already: it's
  a virus alright, but it's harmless.  This is the most common kind.
  Virus scanners will be careful not to tell you that, tho.  Instead,
  they'll proudly tell you they caught a virus, making you feel like
  you've been well served by your scanner, and even feeling a bit
  more secure.

- Actual viruses that exploit an actual vulnerability.  These can only
  happen during the time window where the anti-virus software has been
  updated to recognize a new virus, yet the vulnerability is still left
  wide open.
  In systems like Debian, it's not much harder to plug a security hole than
  it is to update a virus scanner database, so this time-window should
  be vanishingly small.


        Stefan

