Performance of 'ClamAV Full Message Scan'
Scott Silva
ssilva at sgvwater.com
Tue Aug 7 19:21:00 IST 2007
René Berber spake the following on 8/6/2007 7:43 PM:
> From the changelog:
>
> "When clamav, clamavmodule or clamd parsers are being used and new setting
> "ClamAV Full Message Scan" is set to "yes", pass each of the entire
> messages to ClamAV as well as the attachments so that the signatures that
> detect spam can work reliably. This is set to "no" be default as it has a
> speed impact."
>
> Why pass the message AND attachments? ClamAV can detect the virus in the
> message in any possible form, MailScanner is just making clam do double work,
> plus the work done by MS to extract the attachments.
>
Some of the sanesecurity signatures need the full raw message to detect the
nasties. It does it this way to stay compatible with any other virus scanners
you might be running. Many of us run several virus scanners to catch more
0-day stuff.
The double scoring is a side effect, but I expect more virus scanners to pick
up things in the raw messages like clam and mcafee now do.
I don't think Julian is going to have an option of "whole message only", but
you never know.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
More information about the MailScanner
mailing list