Full message scan oddity

Scott Silva ssilva at sgvwater.com
Wed Aug 22 20:11:40 IST 2007


Julian Field spake the following on 8/22/2007 9:14 AM:
> 
> 
> Denis Beauchemin wrote:
>> Hello,
>>
>> I just upgraded 2 MS servers to the latest stable and enabled the
>> following option:
>> ClamAV Full Message Scan = yes
>>
>> I sent a virus-infected email and noticed the following:
>> Aug 22 11:16:59 smtpe4 MailScanner[21708]:
>> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO@mm
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED::
>> Worm.Bagle.DK:: ./l7MFGi0o022717/
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED::
>> Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]:
>> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient le
>> virus W32/Bagle.dldr.gen !!!
>> Aug 22 11:17:00 smtpe4 MailScanner[21708]:
>> /l7MFGi0o022717/01_05_2005.txt        contient le virus
>> W32/Bagle.dldr.gen !!!
>>
>> On a different server without this new feature, I get:
>> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]:
>> /l7MFXTYu031455/01_05_2005.txt        contient le virus
>> W32/Bagle.dldr.gen !!!
>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]:
>> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO@mm
>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]:
>> ClamAVModule::INFECTED:: Worm.Bagle.DK:: ./l7MFXTYu031455/01_05_2005.txt
>>
>> I now get 2 hits from McAfee and ClamAV, but only 1 from
>> Bitdefender...  is there a way to pass only the full message to the AV
>> scanners?  That way we would get only 1 warning and the server would
>> also be working less.
> I could add a feature to do that, but it sounds a very dangerous thing
> to do. You are relying on your virus scanners' ability to unpack
> attachments on its own. As a fraction of the whole process for each
> message, scanning the attachments as well as the full message is only a
> tiny part of the time involved. I really wouldn't advise setting up
> MailScanner to _not_ scan the attachments. Only a few virus scanners can
> do this anyway.
> 
> I'm really not keen on adding this feature, it's one which hardly anyone
> would use and it potentially exposes you to viruses with most virus
> scanners.
> 
> Jules
> 
What would be nice is for the logging module to not report the same infection
twice in the same message. I.e., if found in unpacked message, suppress output
of same virus in raw message.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
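
The suppression suggested in the reply above can be sketched as a post-processing filter over the log. This is an added example, not MailScanner code and not part of the original thread. The scanner labels, the function names, and the rule for recognising a full-message hit (a `.message` path component, or a path with no file name) are assumptions drawn from the quoted log lines.

```python
import re

# Constructed sample: the first server's log lines from the quoted excerpt, unwrapped.
SAMPLE_LOG = """\
Aug 22 11:16:59 smtpe4 MailScanner[21708]: l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO@mm
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/
Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717/01_05_2005.txt        contient le virus W32/Bagle.dldr.gen !!!
"""

# One pattern per report format in the excerpt. Scanner labels are assumptions
# based on the poster's attribution (Bitdefender, ClamAV, McAfee).
PATTERNS = [
    ("bitdefender", re.compile(r"MailScanner\[\d+\]: (?P<path>\S+):infected: (?P<virus>.+)$")),
    ("clamav", re.compile(r"ClamAV ?Module::INFECTED:: (?P<virus>.+?):: (?P<path>\S+)$")),
    ("mcafee", re.compile(r"MailScanner\[\d+\]: (?P<path>\S+)\s+contient le virus (?P<virus>.+?) !!!$")),
]

def parse(line):
    """Return (queue_id, scanner, virus, is_full_message), or None if no report."""
    for scanner, rx in PATTERNS:
        m = rx.search(line)
        if m:
            parts = m["path"].lstrip("./").split("/")
            queue, marker, _ = parts[0].partition(".message")
            # Assumption: a ".message" component or a path with no file name
            # is the full-message scan; anything else is an unpacked attachment.
            return queue, scanner, m["virus"], bool(marker) or not any(parts[1:])
    return None

def dedupe(log_text):
    """Keep one infection report per (queue_id, scanner, virus). An unpacked
    attachment hit replaces a full-message hit for the same key, so a virus
    found only in the raw message is still reported. Other lines are dropped."""
    kept = {}
    for line in log_text.splitlines():
        rec = parse(line.strip())
        if rec is None:
            continue
        queue, scanner, virus, full = rec
        key = (queue, scanner, virus)
        if key not in kept or (kept[key][0] and not full):
            kept[key] = (full, line.strip())
    return [line for _, line in kept.values()]

if __name__ == "__main__":
    print("\n".join(dedupe(SAMPLE_LOG)))
```

Both scans still run; only the duplicate report is collapsed, so detection coverage is unchanged.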


