Virus / malware detection

ClamAV is an open-source AV signature scanner. It’s not a full-blown endpoint protection solution. It also lacks advanced heuristics for an obvious reason (this is one of the few areas where security-by-obscurity does make sense). So of course it is limited within the scope of its application.
As you properly noted, it does not have such a demand for implementation; therefore the supply is also limited.
For a generic user it should suffice to apply SMAC/TE hardening (e.g. SELinux or AppArmor) and use ClamAV for incoming content scanning. However, since SMAC/TE hardening greatly limits what an advanced user can do, it’s not very popular outside of the enterprise world.
Nowadays package update feeds aim to mitigate known attack vectors, rather than third-party solutions (like endpoint protection). E.g. prevention/protection by removing the hole rather than putting a blanket on top of it.
