Bitdefender update?

Steve Freegard smf at F2S.COM
Thu Nov 3 08:52:57 GMT 2005


On Wed, 2005-11-02 at 10:50 -0800, Scott Silva wrote:
> Ed Bruce spake the following on 11/2/2005 10:37 AM:
> > Scott Silva wrote:
> > 
> >>Ed
> >>
> >>>
> >>>Yup. We had to shut down all the computers yesterday. Was in a meeting
> >>>discussing the dangers of hooking up laptops to our network, when one of
> >>>our techs sticks his in the door and says we seem to be having a
> >>>problem. I was only running ClamAV but it stopped all the Bagle variants
> >>>hitting us through email.
> >>>
> >>>Just for grins I ran ClamAV and BitDefender against the email archives
> >>>and lots of email infected, but not detected because they were
> >>>identified as Spam. Must think on this because I have email not cleaned
> >>>up so people can release from Quarantine. Now we could be releasing
> >>>infected emails.
> >>>
> >>>    
> >>>
> >>You could run with the "keep quarantine clean" option.
> >>Will add to load because MailScanner will virus scan the spam also.
> >>
> >>
> >>  
> >>
> > 
> > But if I do that then I can't use MailWatch to release messages from
> > quarantine. It appears that the clean up is storing emails in a format
> > that can't be released from Quarantine. I'm still not sure what to do or
> > what I did that may have caused this. I'm still looking at the options.
> > We've had a few important emails that were misidentified and I was able
> > to just release them from quarantine. But only because I had removed the
> > keep quarantine clean option.

Not so - I always use the 'Keep Spam And MCP Archive Clean' setting when
using MailWatch to prevent users/admins from releasing anything that was
detected as infected by a virus scanner.

If this is preventing you from releasing a legitimate message then you
need to treat the cause of the problem:  a false-positive from the virus
scanner. Most of them that I've seen can be fixed by raising the
'ClamAVmodule Maximum Compression Ratio' module (if ClamAVmodule is
used) or changing the settings in clamav-wrapper to achieve the same.

The clue as to why the message is marked as infected will be in the
'Report:' section on the Message Detail screen in MailWatch - it might
be worth posting the message here.

> > 
> Would adding an option to the spam actions ( and high scoring spam
> options) to forward to an alias pointed to the bitbucket cause a virus
> scan of an infected spam message "before" it is stored?
> Worth a try for a day or so.
> You could probably forward a real spammy example from your archives,
> with an eicar attachment and test it.
> 

This does exactly the same thing as 'Keep Spam And MCP Archive Clean' -
so it wouldn't make any difference.  I would only recommend this on
MailScanner versions that don't have the proper option to do this.

Cheers,
Steve.
