Performance of 'ClamAV Full Message Scan'

[Julian Field]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Scott Silva wrote:
> René Berber spake the following on 8/6/2007 7:43 PM:
>   
>> From the changelog:
>>
>> "When clamav, clamavmodule or clamd parsers are being used and new setting
>>   "ClamAV Full Message Scan" is set to "yes", pass each of the entire
>>   messages to ClamAV as well as the attachments so that the signatures that
>>   detect spam can work reliably. This is set to "no" be default as it has a
>>   speed impact."
>>
>> Why pass the message AND attachments?  ClamAV can detect the virus in the
>> message in any possible form, MailScanner is just making clam do double work,
>> plus the work done by MS to extract the attachments.
>>
>>     
> Some of the sanesecurity signatures need the full raw message to detect the
> nasties. It does it this way to stay compatible with any other virus scanners
> you might be running. Many of us run several virus scanners to catch more
> 0-day stuff.
> The double scoring is a side effect, but I expect more virus scanners to pick
> up things in the raw messages like clam and mcafee now do.
>
> I don't think Julian is going to have an option of "whole message only", but
> you never know.
>   
You're right, he's not.

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGuMwYEfZZRxQVtlQRAlDPAKCH5ZbGqR+M7xi3NH6x+E0fbzvK0wCfQgm0
gKDEUdaDaZw9z6CQHCEY3kw=
=Lqdb
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk