Open source ClamAV beats McAfee and Norton
A little anti-virus “bake off” organized by security gateway vendor Untangle has found that popular open source ClamAV has very good detection rates compared to commercial anti-virus products. In an informal test using variations of the EICAR test pattern plus 25-odd “in the wild” and community-submitted malware, Kaspersky scored the highest overall detection rate, with ClamAV second and Symantec Norton AV third. McAfee scored sixth.
Most notable was that while ClamAV and Norton detected 100% of the “in the wild” samples, McAfee found only 83.3%, the worst of all the major vendors tested. That’s alarming… detecting malware that is actively circulating is what AV is all about.
ClamAV nearly beat both Kaspersky and Norton in this test… it really only failed when scanning encrypted ZIP files, which most organizations delete at the gateway anyway.
The complete results, presentation and the actual test malware are available for download.
The results are amusing, but the test is far from the controlled and comprehensive testing performed by outfits like ICSA Labs. For one, an “in the wild” test set is typically 200 to 500 items.
Er… maybe. Untangle says that one motivation for doing this bake-off was that the AV testing labs refused to test ClamAV and would not reveal their test set. ICSA, for example, only gives products a pass/fail rating and rates detection of traditional propagating malware only… they ignore detection rates for non-replicating malware like spyware, trojans and backdoors.
What does it say when the leading commercial products perform worse than a volunteer-driven open source alternative? What does it also say when a testing lab refuses to test a product that happens to be free? (hint: they’re a for-profit company funded by the vendors they test).
We’ve been using ClamAV on our email gateways for about two years now and found it to be adequate. It’s proven to be at least as accurate as other products we’ve used, and the project releases updated pattern files faster than many commercial products.
Of course, getting hung up about detection rates is like arguing which brand of buggy whip makes your car get more miles to the gallon. Regardless of what AV product you choose, the concept of pattern-based malware prevention is obsolete. Enterprise management features and how often the vendor has released updates that cripple every desktop in your organization are more important. Yes, you have to use AV since every operational security standard requires it and it’s another layer to your defense in depth, but in terms of actual protection against malware, AV is virtually useless.