It seems that viruses CAN slip through MailScanner under high load!

[Antony Stone]

On Thursday 28 August 2003 8:07 am, Kevin Spicer wrote:

> On Thu, 2003-08-28 at 04:27, Bret Hughes wrote:
> >This assumes that the problem was load (probably was I admit)  but what
> >about a case where there is an issue with the virus scanning software
> >that caused it to not return.  No idea what that might be but I am
> >supposing here.
>
> Perhaps the easiest answer is to add a second virus scanner (e.g.
> ClamAV), although this does add to the load itself it means you have two
> shots at every virus.

Personally I think this is a good idea anyway (having two AV engines) however
I don't see it as a solution in this case, because I think an AV product
getting stuck on a file is 'interesting' in itself and should not be worked
around and ignored.

Better, I think, if MailScanner can work out when an AV engine hangs without
returning in some reasonable time, and then either:

a) automatically apply the 'virus found' rules (ie act pessimistic), although
this risks legitimate emails being deleted or bounced as viruses, or

peferably

b) quarantines the file in some special area which indicates that it did not
get completely processed (ie different from the normal quarantine area which
stores positive 'hits').

I agree with Mike Kercher's suggestion to use sendmail's "If system load is
too high, stop accepting more email" so that the problem should at least stop
getting any worse once it starts.

Regards,

Antony.

--

If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.