Full message scan oddity

Julian Field MailScanner at ecs.soton.ac.uk
Wed Aug 22 19:50:03 IST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Denis Beauchemin wrote:
> Gareth wrote:
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info
>>> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Denis
>>> Beauchemin
>>> Sent: 22 August 2007 18:36
>>> To: MailScanner discussion
>>> Subject: Re: Full message scan oddity
>>>
>>>
>>> Julian Field wrote:
>>>    
>>>> Denis Beauchemin wrote:
>>>>      
>>>>> Hello,
>>>>>
>>>>> I just upgraded 2 MS servers to the latest stable and enabled the 
>>>>> following option:
>>>>> ClamAV Full Message Scan = yes
>>>>>
>>>>> I sent a virus-infected email and noticed the following:
>>>>> Aug 22 11:16:59 smtpe4 MailScanner[21708]: 
>>>>> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
>>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV 
>>>>> Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/
>>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV 
>>>>> Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
>>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: 
>>>>> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        
>>>>> contient le virus W32/Bagle.dldr.gen !!!
>>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: 
>>>>> /l7MFGi0o022717/01_05_2005.txt        contient le virus 
>>>>> W32/Bagle.dldr.gen !!!
>>>>>
>>>>> On a different server without this new feature, I get:
>>>>> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: 
>>>>> /l7MFXTYu031455/01_05_2005.txt        contient le virus 
>>>>> W32/Bagle.dldr.gen !!!
>>>>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: 
>>>>> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO at mm
>>>>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: 
>>>>> ClamAVModule::INFECTED:: Worm.Bagle.DK:: ./l7MFXTYu031455/01_05_2005.txt
>>>    
>>>>> I now get 2 hits from McAfee and ClamAV, but only 1 from 
>>>>> Bitdefender...  is there a way to pass only the full message to 
>>>>> the AV scanners?  That way we would get only 1 warning and the 
>>>>> server would also be working less.
>>>>>         
>>>> I could add a feature to do that, but it sounds a very dangerous 
>>>> thing to do. You are relying on your virus scanners' ability to 
>>>> unpack attachments on its own. As a fraction of the whole process 
>>>> for each message, scanning the attachments as well as the full 
>>>> message is only a tiny part of the time involved. I really wouldn't 
>>>> advise setting up MailScanner to _not_ scan the attachments. Only a 
>>>> few virus scanners can do this anyway.
>>>>
>>>> I'm really not keen on adding this feature, it's one which hardly 
>>>> anyone would use and it potentially exposes you to viruses with 
>>>> most virus scanners.
>>>>
>>>> Jules
>>>>
>>>>       
>>> Julian,
>>>
>>> It makes perfect sense.  I guess I will have to live with not so 
>>> accurate virus statistics...
>>>
>>> Thanks again!
>>>
>>> Denis
>>>     
>>
>> In my opinion you certainly don't want to stop scanning the 
>> attachments. The only thing you could do is not report the fact that 
>> the virus scanner found a virus in the email if it found something in 
>> the attachment.
>>   
> Gareth,
>
> No, I don't want to stop scanning some content.  That's why I will 
> have to live with inaccurate virus statistics (since some viruses will 
> be detected twice by ClamAV and McAfee).
The other stats problem is that the sanesecurity ClamAV signatures cause 
a load of your spam to be reported as a virus. That skews the stats 
quite a lot :-( Not much I can do about it either.

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)
Charset: UTF-8

wj8DBQFGzIVdEfZZRxQVtlQRAi6yAKDglaGNeEh2e+djpfy48WMD4J86bgCgvUb1
YIi+EJUqn5OBBJUazzWQrqA=
=VZUV
-----END PGP SIGNATURE-----
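The duplicate counts in the thread come from two reports per scanner for one message: one for the extracted attachment and one for the full-message scan. Gareth's suggestion, counting a scanner's hit once per message and ignoring its whole-message report when it also flagged an attachment, can be done after the fact on the MailScanner log rather than by changing what gets scanned. The script below is an added example for this list thread, not MailScanner code; it assumes the three log formats shown in the post (the `:infected:` style, the `ClamAV Module::INFECTED::` style and the French `contient le virus` style) belong to Bitdefender, ClamAV and McAfee respectively, as the post's own tallies imply, and works on constructed sample lines modelled on the ones quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the lines quoted in the thread.
# The list archive renders "@" as " at ", hence "Win32.Bagle.BO at mm".
SAMPLE_LOG = """\
Aug 22 11:16:59 smtpe4 MailScanner[21708]: l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO at mm
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: /l7MFXTYu031455/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO at mm
Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: ClamAVModule::INFECTED:: Worm.Bagle.DK::         ./l7MFXTYu031455/01_05_2005.txt
"""

# syslog prefix written by MailScanner: "Mon DD HH:MM:SS host MailScanner[pid]: ..."
SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ MailScanner\[\d+\]: (?P<rest>.*)$")

# One pattern per report style seen in the thread.  The scanner-to-style
# mapping is an assumption drawn from the post's own hit counts.
SCANNERS = [
    ("clamav", re.compile(r"^ClamAV ?Module::INFECTED:: (?P<sig>.+?)::\s+(?P<path>\S+)$")),
    ("bitdefender", re.compile(r"^(?P<path>\S+):infected: (?P<sig>.+)$")),
    ("mcafee", re.compile(r"^(?P<path>\S+)\s+contient le virus (?P<sig>\S+) !!!$")),
]


def split_path(path):
    """Return (message_id, is_whole_message) for a scanner's report path.

    MailScanner unpacks each message into a directory named after its queue
    id; the full-message scan uses "<id>.message/..." or the bare directory.
    """
    parts = re.sub(r"^\.?/", "", path).split("/")
    first = parts[0]
    whole = first.endswith(".message") or all(p == "" for p in parts[1:])
    msg_id = first[: -len(".message")] if first.endswith(".message") else first
    return msg_id, whole


def parse_line(line):
    """Parse one log line into a hit dict, or None if it is not an infection report."""
    m = SYSLOG.match(line.rstrip())
    if not m:
        return None
    rest = m.group("rest").strip()
    for scanner, pat in SCANNERS:
        hit = pat.match(rest)
        if hit:
            msg_id, whole = split_path(hit.group("path"))
            return {"scanner": scanner, "message": msg_id, "path": hit.group("path"),
                    "signature": hit.group("sig").strip(), "whole_message": whole}
    return None


def parse_log(text):
    return [h for h in (parse_line(l) for l in text.splitlines()) if h]


def per_message(hits):
    """Raw report count per message and scanner (what the stats currently show)."""
    out = defaultdict(Counter)
    for h in hits:
        out[h["message"]][h["scanner"]] += 1
    return out


def count_hits(hits):
    """Return (raw, deduplicated) per-scanner counts.

    Deduplication follows the suggestion in the thread: a scanner counts at
    most once per message, and its attachment report wins over its
    whole-message report so the path in the record is the more specific one.
    """
    raw = Counter(h["scanner"] for h in hits)
    chosen = {}
    for h in hits:
        key = (h["message"], h["scanner"])
        if key not in chosen or (chosen[key]["whole_message"] and not h["whole_message"]):
            chosen[key] = h
    dedup = Counter(scanner for (_, scanner) in chosen)
    return raw, dedup


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for msg, counts in per_message(hits).items():
        print(msg, dict(counts))
    raw, dedup = count_hits(hits)
    print("raw:", dict(raw))
    print("deduplicated:", dict(dedup))
```

Run against the sample, the first message shows the post's 2/2/1 split for ClamAV, McAfee and Bitdefender in the raw counts, while the deduplicated counts credit each scanner once per message. Because the scan itself is unchanged, the gateway still benefits from both the attachment and the full-message pass; only the statistics are corrected.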
