Sophos & ClamAV + Sanesecurity

Kai Schaetzl maillists at conactive.com
Tue Jan 12 00:38:03 GMT 2010


Mike Wallace wrote on Mon, 11 Jan 2010 17:03:04 -0500:

> In older versions, it would scan the message for viruses with clamav

No. It would first spam-scan and then virus-scan the message. If it was found to be
spam and the action was to quarantine it, no further virus scan would happen at this
stage. Now it's the other way around.

> and if it's infected, remove the virus and insert the warning message

Did it? Not by default, I think. Default for viruses was/is to put the message in
quarantine. Full stop. There's no point in "disinfecting" virus-laden messages,
because there are *no* messages that contain a virus *and* a legitimate message at the
same time.

> and then spam score it. Then based on the score either deliver it
> to the recipient or forward it to a specific mailbox for review. Now
> if clamav finds a virus, MailScanner just marks it as {Virus} and
> delivers it.

That's because you misconfigured your MS. Again, there is no point in delivering a
message with a virus, with the virus removed or not.

> 
> It also seems that {Disarmed} and {Fraud} don't work the same. I see
> messages marked with {Disarmed}, but in the body I see "MailScanner
> has detected a possible fraud attempt from". So did it disarm a WebBug,
> is it phishing or is it both? In older versions the only time I saw
> {Disarmed} was when a WebBug was replaced with http://www.mailscanner.tv/1x1spacer.gif
> (which is still true).

Disarmed also removes objectionable HTML tags etc. That's why it is called 
"disarmed". It has nothing to do with fraud or phishing, it can be a legitimate
mail.



Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




