Best practice

Scott Silva ssilva at SGVWATER.COM
Thu Oct 13 16:39:28 IST 2005

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Gray, Richard spake the following on 10/13/2005 2:59 AM:
>>This was the start point for our discussion, then my doubt on 
>>that rule. 
>>Could  be a 'better performance' rule, but there are real 
>>attacks catched ONLY by that rule ?
> Its Defence In Depth. You're right that their nearly always caught by
> something else (a lot of ours are stopped by spam filters and RBLs) but
> there is always a possibility that one will slip through, however remote
> the chance may be.
> Its like all these defences, you have to weigh up whats more important,
> and make a decision based on that. If you are getting major grief for
> double dot viruses, then IMHO you're probably safe to take them out. You
> could mitigate the risk by using a heuristic virus scanner. This might
> increase the number of FPs that you get, but lowers the risk of a double
> dotted 0-day virus coming in.
> Your choice really.

But wouldn't blocking executables by filetype catch anything that could
be executable? Even if the filename is obscured?
The file command is pretty good with dos and windows executables, no
matter the extension. I usually catch the newer viruses here as their
signatures are written and distributed through the virus scanner channels.


/-----------------------\           |~~\_____/~~\__  |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!|                   ~~~|/~~  |
\-----------------------/                      ()

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki ( and
the archives (

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list