Delay Virus Scanning

Walker Aumann walkera at OFB.NET
Thu Mar 11 20:56:15 GMT 2004


Hi there,

One of the obvious remaining vulnerabilities we have to viruses is the
window between the release of a new virus and the availability of new
signatures that will detect the virus.  I'm working on some code to
allow a delay to be programmed into MailScanner so that scanning of
certain things is deferred for a bit to give the antivirus groups a
chance.

I'm hoping this code will eventually be able to be part of the main
distribution, so I want to make sure the changes don't strike people as
being wrong, broken, or poorly thought out.

So far, the idea is to create a directory similar to quarantine that
holds the exploded messages (copied out of a workdir), with a tag that
says when the messages should actually be scanned.  The delay would be
configured with a ruleset so that only files that could contain viruses
get delayed (and later scanned).

My initial thought was to add a function right before VirusScan is
called in MessageBatch.pm that moved files between the current workdir
and the delaydir as necessary.  However, that would delay things that
will be rejected during VirusScan due to filename rules, etc.  It seems
to me that it would make more sense to put the delay functions as a
wrapper around SweepViruses, and put SweepViruses after SweepOther and
SweepContent.  This may also help cut the load a bit as we wouldn't
check for viruses in files we were going to throw out anyway, although
it would reduce the count of the number of viruses received, as they'd
be rejected before the virus scanners had a chance to see them.

So...

1) Is there a chance of this getting rolled in?

2) Does reordering things in VirusScan make sense, or are they best left
the way they are, possibly delaying things longer than necessary?

3) Does anyone have a ruleset or other representation of which file
types can contain viruses?

Walker
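
A stand-alone model of the delay directory described in the message above, added here as an example; it is not MailScanner code and not the poster's implementation. The rule patterns (constructed sample data), the `.scan-after` tag file and all function names are assumptions.

```python
import fnmatch
import json
import shutil
import time
from pathlib import Path

# Constructed ruleset: (filename glob, delay in seconds), first match wins.
# The patterns are placeholders, not a statement of which types carry viruses.
DELAY_RULES = [("*.exe", 6 * 3600), ("*.zip", 6 * 3600), ("*.doc", 2 * 3600)]
TAG = ".scan-after"  # hypothetical tag file holding the release time

def delay_for(filename, rules=DELAY_RULES):
    """Delay for one attachment; files matching no rule are not delayed."""
    for pattern, seconds in rules:
        if fnmatch.fnmatch(filename.lower(), pattern):
            return seconds
    return 0

def hold(msg_dir, delay_dir, now=None, rules=DELAY_RULES):
    """Move an exploded message into delay_dir if any file needs a delay.
    Returns the held path, or None when the message should be scanned now."""
    now = time.time() if now is None else now
    msg_dir, delay_dir = Path(msg_dir), Path(delay_dir)
    files = (p for p in msg_dir.rglob("*") if p.is_file())
    delay = max((delay_for(p.name, rules) for p in files), default=0)
    if delay <= 0:
        return None
    delay_dir.mkdir(parents=True, exist_ok=True)
    held = delay_dir / msg_dir.name
    shutil.move(str(msg_dir), str(held))
    # Write the tag last, via rename, so a reader never sees a partial tag.
    tmp = held / (TAG + ".tmp")
    tmp.write_text(json.dumps({"scan_after": now + delay}))
    tmp.rename(held / TAG)
    return held

def release_due(delay_dir, work_dir, now=None):
    """Move messages whose hold has expired back to work_dir for scanning."""
    now = time.time() if now is None else now
    released = []
    for held in sorted(Path(delay_dir).iterdir()):
        tag = held / TAG
        if not tag.is_file():
            continue  # hold() has not finished tagging it; retry next pass
        if json.loads(tag.read_text())["scan_after"] <= now:
            tag.unlink()
            dest = Path(work_dir) / held.name
            shutil.move(str(held), str(dest))
            released.append(dest)
    return released
```

A message is held for the longest delay any of its files asks for, so a single delayed attachment holds the whole message until the signatures it is waiting on have had time to arrive.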


