Virus Scan Order

Richard Lynch rich at MAIL.WVNET.EDU
Thu Jun 3 13:30:16 IST 2004


John Rudd wrote:

> On Jun 3, 2004, at 1:58 AM, Martin Hepworth wrote:
>
>> Thirded
>>
>> IMHO everything should be scanned for malware - just in case I forget
>> and release something I shouldn't...
>>
>> Yes I know it increases load, but I'd rather be safe than sorry.
>>
>
> Actually, I think it would _reduce_ the load.  I know when Julian was
> still designing he says that virus scanning was more expensive and thus
> getting rid of as many things as you can is better before you pass it
> on to the virus scanner.  But, I think things have changed since then,
> and Spam Assassin is VERY expensive.  Further, if you're not deleting
> spam, doing the spam scanning first doesn't reduce your virus load at
> all.  Whereas, if you are at least removing infected attachments during
> virus scanning, you'll at least reduce the sizes of messages that get
> passed to Spam Assassin if you do the virus scanning first.
>
>
> As anecdotal evidence, on days where our scanning machines are being
> saturated, if I turn off spam scanning, our queues clear out pretty
> quickly and then stay low.  (I can't really turn off the virus scanning
> though, as it's part of our security infrastructure ... where spam
> scanning is more of a convenience, sorta)
>
> At one point, there was a request to have a variable that would specify
> the order of different features, but Julian said it would require a
> significant re-write.  That's probably true for just reversing the
> order, as well.  I think specifying the order would be great, but even
> just doing the virus scan first would greatly help our scanning loads.
>
This topic comes up frequently -- seems almost weekly.  Julian has said
it is desirable but it isn't going to happen overnight.  He's also
suggested making it dynamic in that he could analyze traffic patterns
and switch the order on the fly.

An idea that's occurred to me is to install clamav-milter.  It rejects
infected messages at the MTA.  That is, if the message is infected, it
is refused by sendmail and MS never sees it.  Wouldn't that achieve what
you're asking for?  Is there any reason that such a setup would be
incompatible with MailScanner?
