Full message scan oddity
Denis Beauchemin
Denis.Beauchemin at USherbrooke.ca
Wed Aug 22 18:35:54 IST 2007
Julian Field wrote:
>
>
> Denis Beauchemin wrote:
>> Hello,
>>
>> I just upgraded 2 MS servers to the latest stable and enabled the
>> following option:
>> ClamAV Full Message Scan = yes
>>
>> I sent a virus-infected email and noticed the following:
>> Aug 22 11:16:59 smtpe4 MailScanner[21708]:
>> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED::
>> Worm.Bagle.DK:: ./l7MFGi0o022717/
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED::
>> Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]:
>> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt contient
>> le virus W32/Bagle.dldr.gen !!!
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]:
>> /l7MFGi0o022717/01_05_2005.txt contient le virus
>> W32/Bagle.dldr.gen !!!
>>
>> On a different server without this new feature, I get:
>> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]:
>> /l7MFXTYu031455/01_05_2005.txt contient le virus
>> W32/Bagle.dldr.gen !!!
>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]:
>> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO at mm
>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]:
>> ClamAVModule::INFECTED:: Worm.Bagle.DK:: ./l7MFXTYu031455/01_05_2005.txt
>>
>> I now get 2 hits from McAfee and ClamAV, but only 1 from
>> Bitdefender... is there a way to pass only the full message to the
>> AV scanners? That way we would get only 1 warning and the server
>> would also be working less.
> I could add a feature to do that, but it sounds a very dangerous thing
> to do. You are relying on your virus scanners' ability to unpack
> attachments on their own. As a fraction of the whole process for each
> message, scanning the attachments as well as the full message is only
> a tiny part of the time involved. I really wouldn't advise setting up
> MailScanner to _not_ scan the attachments. Only a few virus scanners
> can do this anyway.
>
> I'm really not keen on adding this feature, it's one which hardly
> anyone would use and it potentially exposes you to viruses with most
> virus scanners.
>
> Jules
>
Julian,
It makes perfect sense. I guess I will have to live with not so
accurate virus statistics...
Thanks again!
Denis
--
_
°v° Denis Beauchemin, analyste
/(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x62252 F: 819.821.8045
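
Added example, not part of the original thread: one way to get per-message virus statistics from logs like those quoted above while still scanning both the attachments and the full message, by counting each queue ID once per scanner. The regexes are derived only from the log lines in this post; attributing the `:infected:` format to Bitdefender and the `contient le virus` format to McAfee is an assumption, and `parse` and `summarize` are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the five log lines from the first server in the post,
# each unwrapped onto a single line.
SAMPLE_LOG = """\
Aug 22 11:16:59 smtpe4 MailScanner[21708]: l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt contient le virus W32/Bagle.dldr.gen !!!
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717/01_05_2005.txt contient le virus W32/Bagle.dldr.gen !!!
"""

# The queue ID is the first path component; the full-message copy shows up
# either as the bare directory or as "<qid>.message/...".
QID = r"(?:\./|/)?(?P<qid>[A-Za-z0-9]+)(?:\.message)?/"

# Scanner names for the two unlabelled formats are an assumption (see lead-in).
PATTERNS = [
    ("ClamAV", re.compile(r"ClamAV ?Module::INFECTED::\s*(?P<virus>\S+?)::\s*" + QID)),
    ("Bitdefender", re.compile(r"\]: " + QID + r"\S+?:infected: (?P<virus>.+)$")),
    ("McAfee", re.compile(r"\]: " + QID + r"\S+ contient le virus (?P<virus>\S+)")),
]

def parse(line):
    """Return (queue_id, scanner, virus_name) for a detection line, else None."""
    for scanner, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return m["qid"], scanner, m["virus"].strip()
    return None

def summarize(log_text):
    """Map scanner -> (raw hits logged, distinct infected messages)."""
    raw = defaultdict(int)
    infected = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse(line)
        if hit:
            qid, scanner, _virus = hit
            raw[scanner] += 1
            infected[scanner].add(qid)  # one count per message per scanner
    return {s: (raw[s], len(infected[s])) for s in raw}

if __name__ == "__main__":
    for scanner, (hits, msgs) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{scanner}: {hits} log hits, {msgs} infected message(s)")
```
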