Full message scan oddity

Gareth list-mailscanner at linguaphone.com
Wed Aug 22 18:50:16 IST 2007


> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Denis
> Beauchemin
> Sent: 22 August 2007 18:36
> To: MailScanner discussion
> Subject: Re: Full message scan oddity
> 
> 
> Julian Field wrote:
> >
> >
> > Denis Beauchemin wrote:
> >> Hello,
> >>
> >> I just upgraded 2 MS servers to the latest stable and enabled the 
> >> following option:
> >> ClamAV Full Message Scan = yes
> >>
> >> I sent a virus-infected email and noticed the following:
> >> Aug 22 11:16:59 smtpe4 MailScanner[21708]: 
> >> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
> >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: 
> >> Worm.Bagle.DK:: ./l7MFGi0o022717/
> >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: 
> >> Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
> >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: 
> >> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient 
> >> le virus W32/Bagle.dldr.gen !!!
> >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: 
> >> /l7MFGi0o022717/01_05_2005.txt        contient le virus 
> >> W32/Bagle.dldr.gen !!!
> >>
> >> On a different server without this new feature, I get:
> >> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: 
> >> /l7MFXTYu031455/01_05_2005.txt        contient le virus 
> >> W32/Bagle.dldr.gen !!!
> >> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: 
> >> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO at mm
> >> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: 
> >> ClamAVModule::INFECTED:: Worm.Bagle.DK:: 
> >> ./l7MFXTYu031455/01_05_2005.txt
> >>
> >> I now get 2 hits from McAfee and ClamAV, but only 1 from 
> >> Bitdefender...  is there a way to pass only the full message to the 
> >> AV scanners?  That way we would get only 1 warning and the server 
> >> would also be working less.
> > I could add a feature to do that, but it sounds a very dangerous thing 
> > to do. You are relying on your virus scanners' ability to unpack 
> > attachments on its own. As a fraction of the whole process for each 
> > message, scanning the attachments as well as the full message is only 
> > a tiny part of the time involved. I really wouldn't advise setting up 
> > MailScanner to _not_ scan the attachments. Only a few virus scanners 
> > can do this anyway.
> >
> > I'm really not keen on adding this feature, it's one which hardly 
> > anyone would use and it potentially exposes you to viruses with most 
> > virus scanners.
> >
> > Jules
> >
> Julian,
> 
> It makes perfect sense.  I guess I will have to live with not so 
> accurate virus statistics...
> 
> Thanks again!
> 
> Denis

In my opinion you certainly don't want to stop scanning the attachments. The only thing you could do is not report the fact that the virus scanner found a virus in the email if it found something in the attachment.
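
Added example, not part of the original messages and not MailScanner's own code: one way to apply the suggestion above on the reporting side, by parsing the log lines quoted in the thread and suppressing a full-message hit only when the same scanner also flagged an attachment of that message. The scanner labels are an assumption inferred from the hit counts Denis gives, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines quoted in the thread, e-mail wrapping undone; syslog prefix normalised.
PREFIX = "Aug 22 11:17:00 smtpe4 MailScanner[21708]: "
SAMPLE_LOG = [
    PREFIX + "l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm",
    PREFIX + "ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/",
    PREFIX + "ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt",
    PREFIX + "/l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!",
    PREFIX + "/l7MFGi0o022717/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!",
]

# Scanner labels are an assumption inferred from the hit counts given in the thread.
PATTERNS = [
    ("bitdefender", re.compile(r"^(?P<id>\w+)/(?P<file>[^:]*):infected:\s*(?P<virus>.+)$")),
    ("clamav", re.compile(r"^ClamAV ?Module::INFECTED::\s*(?P<virus>.+?)::\s*\./(?P<id>\w+)/(?P<file>.*)$")),
    ("mcafee", re.compile(r"^/(?P<id>\w+)(?P<full>\.message)?/(?P<file>\S+)\s+contient le virus\s+(?P<virus>\S+)")),
]

def parse_line(line):
    """Return (msg_id, scanner, virus, is_full_message_hit) or None."""
    m = re.search(r"MailScanner\[\d+\]:\s*(.*)$", line)
    if not m:
        return None
    body = m.group(1).strip()
    for scanner, rx in PATTERNS:
        hit = rx.match(body)
        if hit:
            groups = hit.groupdict()
            # Full-message hits: ClamAV logs the bare directory, McAfee a ".message" path.
            full = bool(groups.get("full")) or groups["file"] == ""
            return groups["id"], scanner, groups["virus"].strip(), full
    return None

def reportable_hits(lines):
    """Drop a full-message hit only when the same scanner also flagged an attachment."""
    hits = [h for h in map(parse_line, lines) if h]
    attachment_hit = {(h[0], h[1]) for h in hits if not h[3]}
    return [h for h in hits if not h[3] or (h[0], h[1]) not in attachment_hit]

def raw_counts(lines):
    """Raw log hits per scanner, before suppression."""
    counts = defaultdict(int)
    for h in filter(None, map(parse_line, lines)):
        counts[h[1]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(raw_counts(SAMPLE_LOG))
    for hit in reportable_hits(SAMPLE_LOG):
        print(hit)
```

A detection that appears only at the full-message level is still reported, so nothing the scanners found is lost from the statistics.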


