Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2005/11/23 22:06:27 UTC

Anti-virus strategy

--On Wednesday, November 23, 2005 10:07 AM -0500 Bowie Bailey 
<Bo...@BUC.com> wrote:

> It's always good to have multiple layers.  We have ClamAV on the mail
> server and Symantec Corporate Edition on the desktops.  I haven't had
> any problems with Clam.  We had a few Sober.U get through before the
> definitions updated, but that's expected with a new virus on any AV
> program (unfortunately).

Agreed. I use ClamAV on the mail server (under MIMEDefang) and Trend Micro 
Small Business on my Win2003 and WinXP clients. (No Exchange here.)

> I have Clam installed with all the default options and I run freshclam
> a few times a day to keep it updated.  It just works.

If you use the Clam DNS feature to check for new data files, you can set 
freshclam to check every 15 minutes (when the DNS record expires). This is 
a very light load (a single UDP packet in each direction to the Clam DB 
server), esp. if you forward that domain to your ISP so that the ISP caches 
it for other users. This lets you update your DB file very rapidly when a 
new threat is identified. If you look at the white papers and testimonials 
on Clam's site, you can see that they often have an update before 
commercial vendors, and have responded as fast as 20 minutes from the first 
report. That reduces your exposure window to the maximum of the time it 
takes the DNS record to expire plus the response time of the data file 
generator.
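
Added example, not part of the original message and not ClamAV's own code: a sketch of the decision a DNS-based database check makes, including the case where a caching forwarder hands back an old answer. It assumes the TXT payload is colon-separated as engine version, main DB version, daily DB version and record timestamp; the sample record, the three-hour staleness limit and all function names are constructed for illustration.

```python
import time
from dataclasses import dataclass

STALE_AFTER = 3 * 3600  # assumption: distrust a record older than 3 hours


@dataclass(frozen=True)
class DbInfo:
    engine: str
    main: int
    daily: int
    published: int  # Unix time at which the record was generated


def parse_txt(record: str) -> DbInfo:
    """Parse the colon-separated TXT payload; reject anything malformed."""
    fields = record.strip().strip('"').split(":")
    if len(fields) < 4:
        raise ValueError("too few fields in TXT record")
    try:
        main, daily, published = (int(f) for f in fields[1:4])
    except ValueError as exc:
        raise ValueError("non-numeric version field") from exc
    if min(main, daily, published) < 0:
        raise ValueError("negative field")
    return DbInfo(fields[0], main, daily, published)


def check(record: str, local_main: int, local_daily: int, now=None) -> str:
    """Return 'download', 'current' or 'fallback' (ask the mirror directly)."""
    now = time.time() if now is None else now
    try:
        info = parse_txt(record)
    except ValueError:
        return "fallback"
    if now - info.published > STALE_AFTER:
        # A resolver or forwarder is serving an old answer; trusting it
        # would silently lengthen the exposure window.
        return "fallback"
    if info.main > local_main or info.daily > local_daily:
        return "download"
    return "current"


if __name__ == "__main__":
    sample = "0.87.1:34:1190:1132780000:1"  # constructed record, not real data
    print(check(sample, local_main=34, local_daily=1189, now=1132780900))
```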