jkf at ecs.soton.ac.uk
Wed Sep 26 17:16:05 IST 2001
At 11:47 24/09/2001, you wrote:
>One facility that our local stuff has that MailScanner doesn't have (I
>think) is the ability to rename attachments as they pass through - for
>example we currently rename attachments such as "thing.exe" to
>"thing_exe". Idea being to make executable attachments non-executable
>(at least without a fair amount of effort by the recipient) even with
>files that have been passed as clean by the virus checker.

Unfortunately, this is actually really hard to do. To keep the load as
light as possible (thereby making MailScanner as fast as possible) I don't
touch the body of messages without viruses in them. Renaming attachments
would entail rebuilding the message body for all messages with attachments,
which would add significantly to the system load.

>is concern here over possible time lags between viruses/worms being
>active and signatures for that virus/worm being in the anti-virus

This is why I have things like the double-file-extension trap in
filename.rules.conf. This has done the job admirably for us in the past,
admittedly at the cost of a number of false positives.

Also, Sophos are very good at getting out IDE pattern files in a matter of
hours. Run the Sophos autoupdate script 2 or 3 times a day and you'll be
very well protected. If you're using McAfee instead, then all I can suggest
is that you think about switching to Sophos. (I'm not paid in any way for
plugging Sophos; this is purely my personal opinion.)

Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
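
An added illustration, not part of the original post and not MailScanner's own rule set, of a double-extension filename check of the kind the message mentions. The regular expression and the sample message are assumptions constructed here; the second hit shows the sort of false positive such a trap produces.

```python
import re
from email import message_from_string
from email.message import Message

# Assumed pattern (not MailScanner's own rule): a 2-4 character extension
# followed by a second 3-character extension at the very end of the name.
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{1,3}\s*\.[a-z0-9]{3}$", re.IGNORECASE)

# Constructed sample message carrying three attachments.
SAMPLE = """\
From: a@example.org
To: b@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

body text
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="holiday.jpg.exe"

AAAA
--XX
Content-Type: application/msword
Content-Disposition: attachment; filename="minutes.sep.doc"

AAAA
--XX
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

AAAA
--XX--
"""

def attachment_names(msg: Message) -> list[str]:
    """Return the filename of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def double_extension_hits(raw: str) -> list[str]:
    """Names the trap would stop; the message itself is not modified."""
    names = attachment_names(message_from_string(raw))
    return [n for n in names if DOUBLE_EXT.search(n.strip())]

if __name__ == "__main__":
    for name in double_extension_hits(SAMPLE):
        print("blocked:", name)
```

"holiday.jpg.exe" is the disguise the trap exists for, while "minutes.sep.doc" is a harmless name caught by the same pattern.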