Sophos & ClamAV + Sanesecurity

Mike Wallace mike at mlrw.com
Mon Jan 11 22:03:04 GMT 2010


I am trying to get MailScanner to work like it used to. 

In older versions, it would scan the message for viruses with clamav and if it's infected, remove the virus and insert the warning message and then spam score it. Then based on the score either deliver it to the recipient or forward it to a specific mailbox for review. Now if clamav finds a virus, MailScanner just marks it as {Virus} and delivers it.

It also seems that {Disarmed} and {Fraud} don't work the same. I see messages marked with {Disarmed}, but in the body I see "MailScanner has detected a possible fraud attempt from". So did it disarm a WebBug, is it phishing or is it both? In older versions the only time I saw {Disarmed} was when a WebBug was replaced with http://www.mailscanner.tv/1x1spacer.gif (which is still true).

What changes in MailScanner changed this behavior? Is it "ClamAV Full Message Scan = yes" and the order of AV scan and SpamAssassin, or are there other changes?

Other than MailScanner passing viruses I love the product and recommend it. I just want to get back to the old behaviour.

Mike Wallace
mike at mlrw.com



On Jan 11, 2010, at 8:35 AM, Jules Field wrote:

> I'm not sure I quite understand you.
> There are a myriad of issues here, which all need sensible answers.
> What happens when 1 scanner finds a spamvirus and another scanner finds a real virus?
> What happens when the same scanner finds both a spamvirus and a real virus?
> There are umpteen combinations of these issues and others, and I'm not sure I can produce a working solution for all of them. In fact I don't think one can exist in theory.
> 
> What does it not do at the moment, and what would you like to do instead?
> And what about all the problems of multiple infections and/or multiple scanners? How do they affect your answer?
> 
> I'm not trying to be mean, just that this stuff is a lot more awkward than it may at first appear.
> 
> Jules.
> 
> On 23/12/2009 21:06, Mike Wallace wrote:
>> The order checking change is only good if you use Sanesecurity. If you don't, it can create major problems such as mine where infected messages are being delivered.
>> 
>> My environment requires that all infected attachments be removed from messages before delivery and all messages with a spam score of 5.0 or greater delivered to a special mailbox. I use the Sought, OpenProtect and a couple of custom rules and have a false positive rate of 0.16% and a false negative rate of 0.87% (if I exclude the viruses that passed), so I don't think that I need the Sanesecurity rules.
>> 
>> I just checked the last 12 infected messages that went through with SpamAssassin and they scored an average of 23.0; the lowest was 11.5 and the highest was 40.4. So if they had been spam checked, they never would have been delivered to the user.
>> 
>> You would think that if MailScanner flags something as being infected, it would be handled identically.
>> 
>> Does anyone know how to force MailScanner to spam check every non-blacklisted or non-whitelisted message like it used to?
>> 
>> Mike Wallace
>> mike at mlrw.com
>> 
>> 
>> 
>> On Dec 23, 2009, at 1:31 PM, Kai Schaetzl wrote:
>> 
>>> Mike Wallace wrote on Wed, 23 Dec 2009 11:16:09 -0500:
>>> 
>>>> What I occasionally see is that clamav 0.95.3 finds an infection but
>>>> the message never gets spam checked.
>>> The order of checking has been reverted lately. No need for a spamcheck if
>>> it already contains a virus.
>>> 
>>> Kai
>>> 
>>> -- 
>>> Kai Schätzl, Berlin, Germany
>>> Get your web at Conactive Internet Services: http://www.conactive.com
>>> 
>>> 
>>> 
>>> -- 
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>> 
>>> Before posting, read http://wiki.mailscanner.info/posting
>>> 
>>> Support MailScanner development - buy the book off the website!
>>> 
>>> 
>>> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
>>> 
> 
> Jules
> 
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
> 
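As an added example (not code from MailScanner or from anyone in this thread), a small Python model of the two processing orders discussed above, so the delivery difference can be checked on constructed messages; the mailbox names, the use of the 5.0 score as the review threshold and the sample messages are assumptions built from the figures given in the thread.

```python
# Added example, not MailScanner's own code. It models the two orders the thread
# describes: old = AV scan, disinfect, then always spam-score and route on score;
# new = an AV hit is tagged {Virus} and delivered, spam check skipped.
# Threshold use, mailbox names and sample messages are constructed assumptions.
from dataclasses import dataclass

REVIEW_SCORE = 5.0         # thread: a score of 5.0 or greater goes to a review mailbox
REVIEW_MAILBOX = "review"  # assumed name for that special mailbox
RECIPIENT = "recipient"

@dataclass
class Message:
    subject: str
    infected: tuple      # attachment names a scanner flagged (constructed)
    spam_score: float    # what SpamAssassin would score the message

@dataclass
class Outcome:
    subject: str
    delivered_to: str
    attachments_removed: tuple
    spam_checked: bool

def old_order(msg: Message) -> Outcome:
    """Disinfect first, then always spam-score and route on the score."""
    subject = ("{Virus} " if msg.infected else "") + msg.subject
    target = REVIEW_MAILBOX if msg.spam_score >= REVIEW_SCORE else RECIPIENT
    return Outcome(subject, target, msg.infected, True)

def new_order(msg: Message) -> Outcome:
    """A virus hit ends processing: tag {Virus}, deliver, no spam check."""
    if msg.infected:
        return Outcome("{Virus} " + msg.subject, RECIPIENT, (), False)
    target = REVIEW_MAILBOX if msg.spam_score >= REVIEW_SCORE else RECIPIENT
    return Outcome(msg.subject, target, (), True)

def delivery_gap(messages):
    """Subjects that reach a different mailbox under the new order than the old."""
    return [m.subject for m in messages
            if old_order(m).delivered_to != new_order(m).delivered_to]

# Constructed sample set mirroring the thread's figures: infected mail that
# SpamAssassin would score between 11.5 and 40.4, plus one clean low-scoring message.
SAMPLE = [
    Message("invoice.zip attached", ("invoice.zip",), 11.5),
    Message("your account", ("form.html",), 23.0),
    Message("urgent", ("update.exe",), 40.4),
    Message("meeting notes", (), 1.2),
]

if __name__ == "__main__":
    for s in delivery_gap(SAMPLE):
        print("reaches the user only under the new order:", s)
```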