Full message scan oddity

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Wed Aug 22 19:03:05 IST 2007


Gareth wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Denis
>> Beauchemin
>> Sent: 22 August 2007 18:36
>> To: MailScanner discussion
>> Subject: Re: Full message scan oddity
>>
>>
>> Julian Field wrote:
>>     
>>> Denis Beauchemin wrote:
>>>       
>>>> Hello,
>>>>
>>>> I just upgraded 2 MS servers to the latest stable and enabled the 
>>>> following option:
>>>> ClamAV Full Message Scan = yes
>>>>
>>>> I sent a virus-infected email and noticed the following:
>>>> Aug 22 11:16:59 smtpe4 MailScanner[21708]: 
>>>> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: 
>>>> Worm.Bagle.DK:: ./l7MFGi0o022717/
>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: 
>>>> Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: 
>>>> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient 
>>>> le virus W32/Bagle.dldr.gen !!!
>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: 
>>>> /l7MFGi0o022717/01_05_2005.txt        contient le virus 
>>>> W32/Bagle.dldr.gen !!!
>>>>
>>>> On a different server without this new feature, I get:
>>>> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: 
>>>> /l7MFXTYu031455/01_05_2005.txt        contient le virus 
>>>> W32/Bagle.dldr.gen !!!
>>>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: 
>>>> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO at mm
>>>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: 
>>>> ClamAVModule::INFECTED:: Worm.Bagle.DK:: 
>>>>         
>> ./l7MFXTYu031455/01_05_2005.txt
>>     
>>>> I now get 2 hits from McAfee and ClamAV, but only 1 from 
>>>> Bitdefender...  is there a way to pass only the full message to the 
>>>> AV scanners?  That way we would get only 1 warning and the server 
>>>> would also be working less.
>>>>         
>>> I could add a feature to do that, but it sounds a very dangerous thing 
>>> to do. You are relying on your virus scanners' ability to unpack 
>>> attachments on its own. As a fraction of the whole process for each 
>>> message, scanning the attachments as well as the full message is only 
>>> a tiny part of the time involved. I really wouldn't advise setting up 
>>> MailScanner to _not_ scan the attachments. Only a few virus scanners 
>>> can do this anyway.
>>>
>>> I'm really not keen on adding this feature, it's one which hardly 
>>> anyone would use and it potentially exposes you to viruses with most 
>>> virus scanners.
>>>
>>> Jules
>>>
>>>       
>> Julian,
>>
>> It makes perfect sense.  I guess I will have to live with not so 
>> accurate virus statistics...
>>
>> Thanks again!
>>
>> Denis
>>     
>
> In my opinion you certainly don't want to stop scanning the attachments. The only thing you could do is not report the fact that the virus scanner found a virus in the email if it found something in the attachment. 
>
>   
Gareth,

No, I don't want to stop scanning some content.  That's why I will have 
to live with inaccurate virus statistics (since some viruses will be 
detected twice by ClamAV and McAfee).

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
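
Added example, not part of the original message and not MailScanner code: one way to keep per-scanner statistics accurate while still scanning both the attachments and the full message is to count each (message, scanner, virus name) only once when summarising the log. The scanner labels, the regular expressions and the mapping of line shape to scanner are assumptions based on the log lines quoted above; the sample input is those lines re-joined onto one line each.

```python
import re
from collections import Counter

# Constructed sample: the log lines quoted in the message, re-joined onto one line each.
SAMPLE_LOG = """\
Aug 22 11:16:59 smtpe4 MailScanner[21708]: l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
"""

# Assumed mapping of line shape to scanner; the labels are this example's own.
PATTERNS = [
    ("clamav", re.compile(r"ClamAV ?Module::INFECTED:: (?P<virus>\S+):: (?P<path>\S+)")),
    ("mcafee", re.compile(r"(?P<path>/\S+)\s+contient le virus (?P<virus>\S+)")),
    ("bitdefender", re.compile(r"(?P<path>\S+):infected: (?P<virus>.+)$")),
]

def queue_id(path):
    """First path component, without a './' prefix or a '.message' suffix."""
    first = path.lstrip("./").split("/")[0]
    return first[:-len(".message")] if first.endswith(".message") else first

def parse_hits(log):
    """Return one (queue_id, scanner, virus) tuple per matching log line."""
    hits = []
    for line in log.splitlines():
        for scanner, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                hits.append((queue_id(m["path"]), scanner, m["virus"].strip()))
                break
    return hits

def scanner_counts(log, dedupe=True):
    """Detections per scanner; with dedupe, each message/scanner/virus counts once."""
    hits = parse_hits(log)
    return Counter(scanner for _, scanner, _ in (set(hits) if dedupe else hits))

if __name__ == "__main__":
    print("raw:    ", dict(scanner_counts(SAMPLE_LOG, dedupe=False)))
    print("deduped:", dict(scanner_counts(SAMPLE_LOG)))
```

Scanning is unchanged; only the reporting step collapses the full-message hit and the attachment hit for the same queue ID into one detection.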

