Clamav suggestions

Scott Silva ssilva at sgvwater.com
Fri May 4 17:19:00 IST 2007


Fabio Pedretti spake the following on 5/4/2007 3:36 AM:
> I have some suggestions on using clamav in MailScanner on which I have
> already sent a mail some time ago:
> http://lists.mailscanner.info/pipermail/mailscanner/2007-March/071330.html
> 
> 1) clamscan is called with the option --disable-summary , which is
> deprecated (at least since clamav 0.70, released on 2004-04-16).
> --no-summary should be used instead in SweepViruses.pm.
> 2) I noticed (as well as others:
> http://lists.mailscanner.info/pipermail/mailscanner/2007-April/072504.html
> ) that some phishing mails are not blocked (I am also using
> the signatures of sanesecurity). If I do a clamscan on the full
> original mail with headers, clamscan finds the virus (I can provide a
> sample if needed). Seems the problem is that MailScanner extracts the
> content of the mail (body + attachment) and scans it, but some
> phishing mails are only detected if the full headers are present (in
> the clamav DB in the extended signature format, option 4 is for mail
> files, look at signatures.pdf in clamav source, and are detected only
> if full mail with headers is scanned).
> MailScanner should be modified so that all the original mail (with
> headers and without extracting attachment) should be passed to
> clamscan/clamd, so all viruses can be caught.
> 3) Support for clamd through clamdscan is nice, however, best would be to
> connect to clamd directly to its socket (or network socket) from
> MailScanner, without calling clamdscan, and fall back to clamscan if clamd
> is not working.
> 4) Would be nice to have the possibility to quarantine only the entire
> message and not also the attachments: worse is that if there are some
> compressed files, the original file as well as the content are
> quarantined, doubling (or more) the space on the disk.
> 
I'm sure Julian would welcome some tested patches.


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
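
Added example, not part of the original thread and not MailScanner code: a Python sketch of suggestions 2 and 3 above, passing the whole unmodified message (headers included) to clamd over its socket and falling back to `clamscan --no-summary` when the socket is unusable. It assumes a clamd that supports the INSTREAM command; the socket path, function names and sample signature name are constructed for illustration.

```python
import socket, struct, subprocess

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed path; match LocalSocket in clamd.conf

def frame_instream(data, chunk_size=8192):
    # zINSTREAM\0, then <4-byte big-endian length><chunk> ..., closed by a zero length.
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(reply):
    # "stream: OK" / "stream: <signature> FOUND" / "<reason> ERROR" -> (status, detail)
    text = reply.rstrip(b"\0\r\n").decode("utf-8", "replace")
    body = text.split(": ", 1)[-1]
    if body == "OK":
        return ("clean", None)
    if body.endswith(" FOUND"):
        return ("infected", body[:-len(" FOUND")])
    return ("error", body)

def scan_on_socket(sock, raw_message):
    # Send the unmodified message, headers included, and read the NUL-terminated reply.
    sock.sendall(frame_instream(raw_message))
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return parse_reply(reply)

def scan_message(raw_message, path=CLAMD_SOCKET, timeout=30):
    # Prefer clamd; if its socket is unusable, fall back to clamscan reading stdin.
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(path)
            return scan_on_socket(sock, raw_message)
    except OSError:
        proc = subprocess.run(["clamscan", "--no-summary", "-"],
                              input=raw_message, stdout=subprocess.PIPE)
        lines = proc.stdout.strip().splitlines()
        return parse_reply(lines[-1] if lines else b"no output ERROR")
```

An "error" result means the message was not scanned, so a caller should not treat it as clean.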


