Which AV is right :) ?
Peter Peters
p.g.m.peters at utwente.nl
Thu Aug 12 16:07:12 IST 2004
On Thu, 12 Aug 2004 14:16:50 +0200, you wrote:
>Just completed a small test to see if F-Prot finds viruses Clam passed as
>virusfree ..... and yes .. it did.
>
>But: I am not yet convinced if F-Prot is doing the 'Right thing TM :)"
>
>Scenario:
> - 1. An email containing a virus as an attachment is send to a
>foreign mailserver.
> - 2. Foreign mailserver bounces the message attaching the complete
>message in mbox format in de message body.
> - 3. Clam scans the messages -> No virus found
> - 4. F-Prot scans the message -> Zafi.B found ....
>
>- The actual virus is in de mbox formatted body ... this is not executable
>by a normal user if he/she receives it ?
It is. People click on the attachment, which probably is an RFC822
attachment", which opens up a new message window with (AFAIK) the same
rules regarding opening and starting attachments. I know Agent has the
possibility to show RFC822 attachments just as normal messages in your
folder. Allthough it will ask you a whole lot of questions before you
can start an attachment.
>- "Clamscan --mbox [body of msg]" does find the Zafi.B virus.
>
>Should MailScanner do a double check ?.. one with and one without de mbox
>parameter, or is F-Prot just to paranoid ?
>
>Which is right ?
I would consider F-Prot to be right in protecting people used to
clicking on attachments.
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
More information about the MailScanner
mailing list