Virus Scan Order

John Rudd jrudd at UCSC.EDU
Thu Jun 3 13:50:00 IST 2004


On Jun 3, 2004, at 5:30 AM, Richard Lynch wrote:

> John Rudd wrote:
>
>> On Jun 3, 2004, at 1:58 AM, Martin Hepworth wrote:
>>
>>> Thirded
>>>
>>> IMHO everything should be scanned for malware - just in case I forget
>>> and release something I shouldn't...
>>>
>>> Yes I know it increases load, but I'd rather be safe than sorry.
>>>
>>
>> Actually, I think it would _reduce_ the load.  I know when Julian was
>> still designing he says that virus scanning was more expensive and
>> thus getting rid of as many things as you can is better before you
>> pass it on to the virus scanner.  But, I think things have changed
>> since then, and Spam Assassin is VERY expensive.  Further, if you're
>> not deleting spam, doing the spam scanning first doesn't reduce your
>> virus load at all.  Whereas, if you are at least removing infected
>> attachments during virus scanning, you'll at last reduce the sizes of
>> messages that get passed to Spam Assassin if you do the virus scanning
>> first.
>>
>>
>> As anecdotal evidence, on days where our scanning machines are being
>> saturated, if I turn off spam scanning, our queues clear out pretty
>> quickly and then stay low.  (I can't really turn off the virus
>> scanning though, as it's part of our security infrastructure ... where
>> spam scanning is more of a convenience, sorta)
>>
>> At one point, there was a request to have a variable that would
>> specify the order of different features, but Julian said it would
>> require a significant re-write.  That's probably true for just
>> reversing the order, as well.  I think specifying the order would be
>> great, but even just doing the virus scan first would greatly help our
>> scanning loads.
>>
> This topic comes up frequently -- seems almost weekly.  Julian has said
> it is desirable but it isn't going to happen over night.  He's also
> suggested making it dynamic in that he could analyze traffic patterns
> and switch the order on the fly.
>
> An idea that's occurred to me is to install clamav-milter.  It rejects
> infected messages at the MTA.  That is, if the message is infected it
> is refused by sendmail and MS never sees it.  Wouldn't that achieve
> what you're asking for?  Is there any reason that such a setup would
> be incompatible with MailScanner?
>

It wouldn't be incompatible with MS, but it might be incompatible with
each site's MTA.

For example, I'm hoping to drop sendmail completely.  So, a milter
wouldn't really help me much.

Though, what might make it easier is to have multiple installations of
mailscanner with different queues.  Sort of like:

MS#1 -> does virus scanning and probably dangerous content scanning,
but absolutely no spam scanning; has mqueue.1 as its incoming
directory, and dumps message into mqueue.2 without invoking sendmail

MS#2 -> does all of your spam scanning and such; has mqueue.2 as its
incoming directory, and mqueue as its outgoing (with or without
invoking sendmail).

That does mean keeping around 2 versions of mailscanner, or at least
invoking it twice, each with different config files (I haven't tried
doing that, so I don't know how hard/easy it is to set that up).


The other option, esp. if you're on a smaller site where the
performance hit won't bother you, is that you can do Spam Assassin via
procmail, and just use MailScanner for its non-spam aspects (that's
what I do at home, right now: RBLs in the MTA, virus/content scanning
in MailScanner, Spam Assassin in procmail).


Those aren't as elegant as being able to adjust the order MS does its
work, but they do have the overall effect of reducing how much traffic
gets through to Spam Assassin without depending upon MTA specific
features like milters.

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
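A sketch of the two-instance layout described in the message above, added here as a constructed example (not configuration from the original post or the MailScanner project). Option names follow the MailScanner.conf convention as I recall them and should be checked against the MailScanner.conf shipped with your version; all paths are assumptions.

```ini
## /etc/MailScanner/MailScanner.1.conf  (constructed example, not from the post)
## MS#1: virus and dangerous-content scanning only, no spam scanning.
## Reads sendmail's mqueue.1, writes into mqueue.2 for the second instance.
Incoming Queue Dir = /var/spool/mqueue.1
Outgoing Queue Dir = /var/spool/mqueue.2
Virus Scanning = yes
Dangerous Content Scanning = yes
# Turning spam checks off here is what keeps Spam Assassin out of this stage.
Spam Checks = no
Use SpamAssassin = no
# "queue" drops the message into Outgoing Queue Dir without invoking sendmail,
# so MS#2 picks it up as ordinary queue files.
Delivery Method = queue
# Every concurrently running instance needs its own work, lock and pid
# locations or the two copies will trip over each other's batches.
Incoming Work Dir = /var/spool/MailScanner/incoming.1
Lockfile Dir = /var/spool/MailScanner/incoming.1/Locks
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.1.pid

## /etc/MailScanner/MailScanner.2.conf  (constructed example, not from the post)
## MS#2: spam scanning only; virus work already done by MS#1.
## Reads mqueue.2, writes the final mqueue and lets sendmail deliver.
Incoming Queue Dir = /var/spool/mqueue.2
Outgoing Queue Dir = /var/spool/mqueue
Virus Scanning = no
Dangerous Content Scanning = no
Spam Checks = yes
Use SpamAssassin = yes
# "batch" kicks sendmail after each batch to flush the outgoing queue.
Delivery Method = batch
Incoming Work Dir = /var/spool/MailScanner/incoming.2
Lockfile Dir = /var/spool/MailScanner/incoming.2/Locks
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.2.pid
```

The practical check is that no sendmail queue runner is ever started against mqueue.1 or mqueue.2, since anything it flushed from those directories would skip whichever scanning stage remained; only the final mqueue should be delivered from.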