<html>
<body>
That appears to be basically true. Disinfectable viruses account for
something like 0.7% of all viruses, so it's probably<br>
a) not worth disinfecting them anyway,<br>
and<br>
b) not worth worrying about too much.<br><br>
At 17:47 21/08/2003, you wrote:<br>
<blockquote type=cite class=cite cite><font face="arial" size=2>Without
going through the code (which in my case would be pointless
:)</font><br>
<br>
<font face="arial" size=2>Can somebody help me understand the sequence
and decision making for handling/notifications that MailScanner
uses?</font><br>
<br>
<font face="arial" size=2>In looking at a couple of log entries relating
to Sobig...it seems that the system processes the SPAM checking, then
(since action is deliver) scans with virus scanner and finds an infected
attachment. The system quarantines as it should...</font><br>
<br>
<br>
<font face="arial" size=2>New Batch: Scanning 1 messages, 101651
bytes<br>
Spam Checks: Starting<br>
Aug 21 10:14:00 HOST MailScanner[18553]: Message 93F0F1C00E from 1.2.3.4
(<a href="mailto:user@example.net">user@example.net</a>) to example.com
is spam, SpamAssassin (score=6, required 6, BAYES_20 -2.60, DCC_CHECK 2.63,
FORGED_MUA_OUTLOOK 2.17, INVALID_DATE 0.59, MICROSOFT_EXECUTABLE 0.10,
MIME_BOUND_NEXTPART 0.16, MISSING_MIMEOLE 0.10, NO_REAL_NAME 1.15,
RAZOR2_CF_RANGE_91_100 1.21, RAZOR2_CHECK 0.88, X_AUTH_WARNING -0.40)<br>
Spam Checks: Found 1 spam messages<br>
Spam Actions: message 93F0F1C00E actions are deliver<br>
MailScanner E-Mail Virus Scanner version 4.22-5 starting...<br>
Config: calling custom init function SQLLogging<br>
Initialising SQL Logging temp files<br>
Virus and Content Scanning: Starting<br>
INFECTED:: W32/Sobig-F:: ./93F0F1C00E/document_all.pif<br>
Virus Scanning: SophosSAVI found 1 infections<br>
Virus Scanning: Found 1 viruses<br>
Filetype Checks: No executables (document_all.pif)<br>
Other Checks: Found 1 problems<br>
Saved entire message to /quarantine/example.com/20030821/93F0F1C00E<br>
writing to /quarantine/example.com/20030821/93F0F1C00E/message: No such
file or directory</font><br>
<br>
<font face="arial" size=2>With that said, I pose the following questions
and my attempt at the answers:</font><br>
<br>
<font face="arial" size=2>1. Will the virus scanner always run no
matter what the disposition and handling direction is for
SPAM?</font><br>
<font face="arial" size=2>Answer: Yes, no matter what handling or
detection is done on the SPAM characteristics, the VIRUS scanner will be
run against the message.</font><br>
<br>
<br>
<font face="arial" size=2>2. If so, which disposition takes
priority? The SPAM or the VIRUS handling instructions?</font><br>
<font face="arial" size=2>Answer: No matter the
disposition/handling of the SPAM identified message, if the VIRUS SCAN is
positive for a virus, VIRUS processing and handling takes
over.</font><br>
<br>
<font face="arial" size=2>3. This got me to thinking about VIRUS
handling....is it safe to say that IF a message is clean, it's passed and
handled appropriately, however if it is infected, the scanner will
attempt to clean the virus? If it can clean the virus, it passes
the message with a "Virus disinfected" notification? If
it's not able to clean the virus the system deletes the attachment unless
it's told otherwise in the "Quarantine Infections ="
directive?</font><br>
<br>
<font face="arial" size=2>Sorry for the long-winded question, just
spawned a couple of ideas...</font><br>
<br>
<font face="arial" size=2>CT</font><br>
<br>
</blockquote></body>
<br>
<div>-- </div>
<div>Julian Field</div>
<div><a href="http://www.mailscanner.info/" EUDORA=AUTOURL>www.MailScanner.info</a></div>
<div>Professional Support Services at
<a href="http://www.mailscanner.biz/" EUDORA=AUTOURL>www.MailScanner.biz</a></div>
MailScanner thanks transtec Computers for their support
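Added example, not part of the original messages and not MailScanner code: a small Python parser that groups the kinds of log lines quoted above by queue id and applies the precedence described in the thread (a virus finding overrides the spam action). The sample log is constructed from the quoted output, and the function names, record keys and precedence rule are assumptions of this example.

```python
import re

# Constructed sample: lines from the log quoted in the thread, wraps rejoined, rule list shortened.
SAMPLE_LOG = """\
Aug 21 10:14:00 HOST MailScanner[18553]: Message 93F0F1C00E from 1.2.3.4 (user@example.net) to example.com is spam, SpamAssassin (score=6, required 6, BAYES_20 -2.60, DCC_CHECK 2.63)
Spam Actions: message 93F0F1C00E actions are deliver
INFECTED:: W32/Sobig-F:: ./93F0F1C00E/document_all.pif
Saved entire message to /quarantine/example.com/20030821/93F0F1C00E
writing to /quarantine/example.com/20030821/93F0F1C00E/message: No such file or directory
"""

# One pattern per line type seen in the quoted output; each captures the queue id.
PATTERNS = [
    ("spam", re.compile(r"Message (?P<id>\w+) from .* is spam\b")),
    ("actions", re.compile(r"Spam Actions: message (?P<id>\w+) actions are (?P<actions>.+)")),
    ("virus", re.compile(r"INFECTED:: (?P<name>\S+):: \./(?P<id>\w+)/(?P<file>.+)")),
    ("saved", re.compile(r"Saved entire message to (?P<path>\S*/(?P<id>\w+))$")),
    ("error", re.compile(r"writing to \S*/(?P<id>\w+)/message: (?P<err>.+)")),
]

def summarize(log_text):
    """Group the events found in log_text by message queue id."""
    messages = {}
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS:
            m = pattern.search(line.strip())
            if not m:
                continue
            rec = messages.setdefault(m["id"], {"spam": False, "spam_actions": [],
                                                "infections": [], "quarantine": None, "errors": []})
            if kind == "spam":
                rec["spam"] = True
            elif kind == "actions":
                rec["spam_actions"] = m["actions"].split()
            elif kind == "virus":
                rec["infections"].append((m["name"], m["file"]))
            elif kind == "saved":
                rec["quarantine"] = m["path"]
            else:  # a failed write under the quarantine directory
                rec["errors"].append(m["err"])
            break
    return messages

def disposition(rec):
    """Precedence as stated in the thread (an assumption of this example)."""
    if rec["infections"]:
        return "virus handling"
    if rec["spam"]:
        return "spam actions: " + " ".join(rec["spam_actions"])
    return "deliver"
```

A record with a non-empty `errors` list alongside a `quarantine` path, as in the sample, is worth checking on disk before relying on the quarantined copy.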
</html>