Sophos & ClamAV + Sanesecurity

Jules Field MailScanner at ecs.soton.ac.uk
Mon Jan 11 13:35:35 GMT 2010


I'm not sure I quite understand you.
There are a myriad of issues here, which all need sensible answers.
What happens when 1 scanner finds a spamvirus and another scanner finds 
a real virus?
What happens when the same scanner finds both a spamvirus and a real virus?
There are umpteen combinations of these issues and others, and I'm not 
sure I can produce a working solution for all of them. In fact I don't 
think one can exist in theory.

What does it not do at the moment, and what would you like to do instead?
And what about all the problems of multiple infections and/or multiple 
scanners? How do they affect your answer?

I'm not trying to be mean, just that this stuff is a lot more awkward 
than it may at first appear.

Jules.

On 23/12/2009 21:06, Mike Wallace wrote:
> The order checking change is only good if you use Sanesecurity. If you don't, it can create major problems such as mine where infected messages are being delivered.
>
> My environment requires that all infected attachments be removed from messages before delivery and all messages with a spam score of 5.0 or greater delivered to a special mailbox. I use the Sought, OpenProtect and a couple of custom rules and have a false positive rate of 0.16% and a false negative rate of 0.87% (if I exclude the viruses that passed), so I don't think that I need the Sanesecurity rules.
>
> I just checked the last 12 infected messages that went through with spamassassin and it scored at an average of 23.0; the lowest was 11.5, the highest was 40.4. So if they were spam checked, then they never would have been delivered to the user.
>
> You would think that if MailScanner flags something as being infected, it would be handled identically.
>
> Does anyone know how to force MailScanner to spam check every non-blacklisted or non-whitelisted message like it used to?
>
> Mike Wallace
> mike at mlrw.com
>
>
>
> On Dec 23, 2009, at 1:31 PM, Kai Schaetzl wrote:
>
>> Mike Wallace wrote on Wed, 23 Dec 2009 11:16:09 -0500:
>>
>>> What I occasionally see is that clamav 0.95.3 finds an infection but
>>> the message never gets spam checked.
>> The order of checking has been reverted lately. No need for a spamcheck if
>> it already contains a virus.
>>
>> Kai
>>
>> -- 
>> Kai Schätzl, Berlin, Germany
>> Get your web at Conactive Internet Services: http://www.conactive.com

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store


PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.