processing sequence

Julian Field mailscanner at ecs.soton.ac.uk
Thu Aug 21 19:46:03 IST 2003


That appears to be basically true. Disinfectable viruses account for
something like 0.7% of all viruses, so it's probably
a) not worth disinfecting them anyway,
and
b) not worth worrying about too much.

At 17:47 21/08/2003, you wrote:
>Without going through the code (which in my case would be pointless  :)
>
>Can somebody help me understand the sequence and decision making for
>handling/notifications that MailScanner uses?
>
>In looking at a couple of log entries relating to Sobig...it seems that
>the system processes the SPAM checking, then (since action is deliver)
>scans with virus scanner and finds an infected attachment.  The system
>quarantines as it should...
>
>
>New Batch: Scanning 1 messages, 101651 bytes
>Spam Checks: Starting
>Aug 21 10:14:00 HOST MailScanner[18553]: Message 93F0F1C00E from 1.2.3.4
>(user at example.net) to example.com is spam,
>SpamAssassin (score=6, required 6, BAYES_20 -2.60, DCC_CHECK 2.63,
>FORGED_MUA_OUTLOOK 2.17, INVALID_DATE 0.59, MICROSOFT_EXECUTABLE 0.10,
>MIME_BOUND_NEXTPART 0.16, MISSING_MIMEOLE 0.10, NO_REAL_NAME 1.15,
>RAZOR2_CF_RANGE_91_100 1.21, RAZOR2_CHECK 0.88, X_AUTH_WARNING -0.40)
>Spam Checks: Found 1 spam messages
>Spam Actions: message 93F0F1C00E actions are deliver
>MailScanner E-Mail Virus Scanner version 4.22-5 starting...
>Config: calling custom init function SQLLogging
>Initialising SQL Logging temp files
>Virus and Content Scanning: Starting
>INFECTED:: W32/Sobig-F:: ./93F0F1C00E/document_all.pif
>Virus Scanning: SophosSAVI found 1 infections
>Virus Scanning: Found 1 viruses
>Filetype Checks: No executables (document_all.pif)
>Other Checks: Found 1 problems
>Saved entire message to /quarantine/example.com/20030821/93F0F1C00E
>writing to /quarantine/example.com/20030821/93F0F1C00E/message: No such
>file or directory
>
>With that said, I pose the following questions and my attempt at the answers:
>
>1.  Will the virus scanner always run no matter what the disposition and
>handling direction is for SPAM?
>Answer:  Yes, no matter what handling or detection is done on the SPAM
>characteristics, the VIRUS scanner will be run against the message.
>
>
>2.  If so, which disposition takes priority?  the SPAM or the VIRUS
>handling instructions?
>Answer:  No matter the disposition/handling of the SPAM identified
>message, if the VIRUS SCAN is positive for a virus, VIRUS processing and
>handling takes over.
>
>3.  This got me to thinking about VIRUS handling....is it safe to say that
>IF a message is clean, it's passed and handled appropriately, however if it
>is infected, the scanner will attempt to clean the virus?  If it can clean
>the virus, it passes the message with a "Virus disinfected"
>notification?  If it's not able to clean the virus the system deletes the
>attachment unless it's told otherwise in the "Quarantine Infections ="
>directive?
>
>Sorry for the long-winded question, just spawned a couple of ideas...
>
>CT

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
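
Added example, not part of the original thread and not MailScanner's own code: a small Python parser that rebuilds the per-message stage order from log lines shaped like the quoted excerpt and lists messages whose spam action was "deliver" but which a later virus scan flagged. The sample log is constructed, and the function and pattern names are hypothetical.

```python
import re

# Constructed sample modelled on the quoted log excerpt; the second message,
# the timestamps on every line and the shortened score list are invented.
SAMPLE_LOG = """\
Aug 21 10:14:00 HOST MailScanner[18553]: Message 93F0F1C00E from 1.2.3.4 (user@example.net) to example.com is spam, SpamAssassin (score=6, required 6)
Aug 21 10:14:00 HOST MailScanner[18553]: Spam Actions: message 93F0F1C00E actions are deliver
Aug 21 10:14:01 HOST MailScanner[18553]: INFECTED:: W32/Sobig-F:: ./93F0F1C00E/document_all.pif
Aug 21 10:14:01 HOST MailScanner[18553]: Saved entire message to /quarantine/example.com/20030821/93F0F1C00E
Aug 21 10:15:10 HOST MailScanner[18553]: Message A1B2C3D4E5 from 192.0.2.8 (other@example.org) to example.com is spam, SpamAssassin (score=9, required 6)
Aug 21 10:15:10 HOST MailScanner[18553]: Spam Actions: message A1B2C3D4E5 actions are deliver
"""

# One pattern per stage seen in the excerpt; each captures the message ID.
PATTERNS = [
    ("spam", re.compile(r"Message (?P<id>\w+) from \S+ .*is spam")),
    ("spam_action", re.compile(r"Spam Actions: message (?P<id>\w+) actions are (?P<detail>.+)$")),
    ("infected", re.compile(r"INFECTED:: (?P<detail>\S+):: \./(?P<id>\w+)/")),
    ("quarantined", re.compile(r"Saved entire message to (?P<detail>\S*/(?P<id>\w+))\s*$")),
]

def timeline(log):
    """Return {message_id: [(stage, detail), ...]} in the order logged."""
    events = {}
    for line in log.splitlines():
        for name, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                detail = m.groupdict().get("detail", "")
                events.setdefault(m.group("id"), []).append((name, detail))
                break
    return events

def infected_after_deliver(log):
    """IDs whose spam action included 'deliver' and that were later found infected."""
    flagged = []
    for msg_id, events in timeline(log).items():
        names = [name for name, _ in events]
        deliver_at = next((i for i, (n, d) in enumerate(events)
                           if n == "spam_action" and "deliver" in d.split()), None)
        if deliver_at is not None and "infected" in names[deliver_at + 1:]:
            flagged.append(msg_id)
    return flagged

if __name__ == "__main__":
    for msg_id, events in timeline(SAMPLE_LOG).items():
        print(msg_id, " -> ".join(name for name, _ in events))
    print("deliver, then infected:", infected_after_deliver(SAMPLE_LOG))
```

The patterns use `search`, so they match with or without the syslog prefix, as in the excerpt where only one line carries it.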