Full message scan oddity

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Wed Aug 22 18:35:54 IST 2007


Julian Field wrote:
>
>
> Denis Beauchemin wrote:
>> Hello,
>>
>> I just upgraded 2 MS servers to the latest stable and enabled the 
>> following option:
>> ClamAV Full Message Scan = yes
>>
>> I sent a virus-infected email and noticed the following:
>> Aug 22 11:16:59 smtpe4 MailScanner[21708]: 
>> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: 
>> Worm.Bagle.DK:: ./l7MFGi0o022717/
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: 
>> Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: 
>> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient 
>> le virus W32/Bagle.dldr.gen !!!
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: 
>> /l7MFGi0o022717/01_05_2005.txt        contient le virus 
>> W32/Bagle.dldr.gen !!!
>>
>> On a different server without this new feature, I get:
>> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: 
>> /l7MFXTYu031455/01_05_2005.txt        contient le virus 
>> W32/Bagle.dldr.gen !!!
>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: 
>> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO at mm
>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: 
>> ClamAVModule::INFECTED:: Worm.Bagle.DK:: ./l7MFXTYu031455/01_05_2005.txt
>>
>> I now get 2 hits from McAfee and ClamAV, but only 1 from 
>> Bitdefender...  is there a way to pass only the full message to the 
>> AV scanners?  That way we would get only 1 warning and the server 
>> would also be working less.
> I could add a feature to do that, but it sounds a very dangerous thing 
> to do. You are relying on your virus scanners' ability to unpack 
> attachments on their own. As a fraction of the whole process for each 
> message, scanning the attachments as well as the full message is only 
> a tiny part of the time involved. I really wouldn't advise setting up 
> MailScanner to _not_ scan the attachments. Only a few virus scanners 
> can do this anyway.
>
> I'm really not keen on adding this feature, it's one which hardly 
> anyone would use and it potentially exposes you to viruses with most 
> virus scanners.
>
> Jules
>
Julian,

It makes perfect sense.  I guess I will have to live with not so 
accurate virus statistics...

Thanks again!

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
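
Added example, not part of the original message or of MailScanner: one way to keep virus statistics accurate with `ClamAV Full Message Scan = yes` is to count distinct infected messages per scanner instead of raw report lines. The mapping of report formats to scanner names is an assumption inferred from the hit counts the message reports, and the sample is the first server's log lines, unwrapped.

```python
import re
from collections import Counter

# Constructed sample: the first server's log lines from the message, unwrapped.
SAMPLE_LOG = """\
Aug 22 11:16:59 smtpe4 MailScanner[21708]: l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
"""

PREFIX = re.compile(r"MailScanner\[\d+\]: (.*)$")
# Assumed mapping of report format to scanner (inferred from the hit counts
# the message reports; the McAfee pattern matches the French-locale text).
PATTERNS = [
    ("Bitdefender", re.compile(r"(?P<qid>[^/\s]+)/\S*:infected: (?P<sig>.+)$")),
    ("ClamAV", re.compile(r"ClamAV ?Module::INFECTED:: (?P<sig>[^:]+):: \./(?P<qid>[^/]+)/")),
    ("McAfee", re.compile(r"/(?P<qid>[^/.]+)(?:\.message)?/\S+\s+contient le virus (?P<sig>\S+)")),
]

def parse_hits(log):
    """Return one (queue_id, scanner, signature) tuple per report line."""
    hits = []
    for line in log.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        for scanner, pattern in PATTERNS:
            hit = pattern.match(m.group(1))
            if hit:
                hits.append((hit["qid"], scanner, hit["sig"].strip()))
                break
    return hits

def summarize(log):
    """Count raw report lines and distinct infected messages per scanner."""
    hits = parse_hits(log)
    raw = Counter(scanner for _, scanner, _ in hits)
    # Collapse the full-message and per-attachment reports for the same message.
    unique = Counter(scanner for _, scanner in {(q, s) for q, s, _ in hits})
    return dict(raw), dict(unique)

if __name__ == "__main__":
    raw, unique = summarize(SAMPLE_LOG)
    for scanner in sorted(raw):
        print(f"{scanner}: {raw[scanner]} report lines, {unique[scanner]} infected message(s)")
```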
