Full message scan oddity

Julian Field MailScanner at ecs.soton.ac.uk
Wed Aug 22 17:14:45 IST 2007



Denis Beauchemin wrote:
> Hello,
>
> I just upgraded 2 MS servers to the latest stable and enabled the 
> following option:
> ClamAV Full Message Scan = yes
>
> I sent a virus-infected email and noticed the following:
> Aug 22 11:16:59 smtpe4 MailScanner[21708]: l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/
> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
> Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
> Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
>
> On a different server without this new feature, I get:
> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: /l7MFXTYu031455/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO at mm
> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: ClamAVModule::INFECTED:: Worm.Bagle.DK:: ./l7MFXTYu031455/01_05_2005.txt
>
> I now get 2 hits from McAfee and ClamAV, but only 1 from 
> Bitdefender...  is there a way to pass only the full message to the AV 
> scanners?  That way we would get only 1 warning and the server would 
> also be working less.
I could add a feature to do that, but it sounds a very dangerous thing 
to do. You are relying on your virus scanners' ability to unpack 
attachments on its own. As a fraction of the whole process for each 
message, scanning the attachments as well as the full message is only a 
tiny part of the time involved. I really wouldn't advise setting up 
MailScanner to _not_ scan the attachments. Only a few virus scanners can 
do this anyway.

I'm really not keen on adding this feature, it's one which hardly anyone 
would use and it potentially exposes you to viruses with most virus 
scanners.

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
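
The duplicate hits in the logs quoted above can be collapsed when reporting, while both the attachments and the full message are still scanned. This is an added example, not part of the original message or of MailScanner's code; the scanner labels are inferred from the post's description of the hits, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the first server's log lines from the post, unwrapped.
SAMPLE_LOG = """\
Aug 22 11:16:59 smtpe4 MailScanner[21708]: l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
"""

# One pattern per log format seen in the post (labels are an assumption).
PATTERNS = [
    ("bitdefender", re.compile(r"\]: (?P<path>\S+):infected: (?P<sig>.+)$")),
    ("clamav", re.compile(
        r"ClamAV ?Module::INFECTED:: (?P<sig>[^:]+):: (?P<path>\S+)$")),
    ("mcafee", re.compile(
        r"\]: (?P<path>/\S+)\s+contient le virus (?P<sig>\S+)")),
]


def queue_id(path):
    """Map a reported path to its message: the first path component,
    without a leading ./ or / and without the .message suffix that the
    full-message copy carries."""
    first = path.lstrip("./").split("/", 1)[0]
    return re.sub(r"\.message$", "", first)


def collapse(log_text):
    """Return {(queue_id, scanner, signature): raw_hit_count}."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        for scanner, rx in PATTERNS:
            m = rx.search(line)
            if m:
                key = (queue_id(m["path"]), scanner, m["sig"].strip())
                hits[key] += 1
                break
    return dict(hits)


if __name__ == "__main__":
    for (msg, scanner, sig), n in sorted(collapse(SAMPLE_LOG).items()):
        print(f"{msg}  {scanner:<12} {sig}  (raw log lines: {n})")
```
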

