Hi, I browsed the documentation but couldn't find much info about the format of the virus database (CVD), not counting the info on how to use it & append to it.
My question is toward the following: there was a recent discussion in the MailScanner mailing list because Julian Field (the developer) is not only deprecating, but also eliminating, the possibility of 'bouncing' a mail containing a virus back to its (apparent) originator.

The motivation is obvious, most new viruses & worms fake the originating address and the mail servers configured to bounce back the messages only contribute to the problem... I personally get dozens of MyDoom bounces from several antivirus stating that my machine is infected.

MailScanner has had, for a long time, a (manually maintained) list of "Silent Virus" about which it should never send a bounce, and you can configure it to not tell the recipient about the virus he/she would have received even when the default is to _do_ inform him/her.

Now, as this list is maintained manually, and it must take into account the different names given to these viruses by the different av-scanning engines, it is a PITA, and also it is ineffective, since, when a new worm like MyDoom (or Novarg or SCO or whatever you please to call it) is released, it is, by definition, not in this list.

Kevin Miller (on the MS list) asked what if this was a feature of the av-scanning engine, where you need to include, in the virus database, a field telling if this particular virus fakes its origin... see:
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0402&L=mailscanner&P=17196

The field shouldn't be boolean (it could have at least the following values "the virus/worm fakes its origin", "the virus/worm doesn't fake its origin", "this is not mail-borne virus so it doesn't fake", "we don't know").

If you can have an option in the scanner that gives a sensible output based on this field, mail gateways using the scanner could use the info to make a couple of decisions. I personally don't have a problem erasing every message with a virus passing by, but many customers insist on being informed...
Apparently, Sophos is working on this (or so their PR people lie about):
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0402&L=mailscanner&P=17462

Are there plans to do this in clamav? (or maybe, there's something already in there and I don't know anything about it)...

I started using clamav+MailScanner a little time ago and I'm more than satisfied with it... in fact, the MyDoom/SCO worm was stopped by MailScanner+clamav about 5 hours before a similar server using MailScanner+McAfee got the needed update (both are configured to check for updates every hour, so the actual difference between when the updates were available was between 4 and 6 hours in favor of clamav... impressive).

TIA

--
Mariano Absatz
El Baby
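
The four-valued field proposed in the message above, sketched as a gateway-side decision; this is an added example, not part of the original post and not ClamAV or MailScanner code. The `origin=` report suffix, the value names, the sample lines and the fail-closed handling of missing values are all assumptions made for illustration.

```python
import re
from enum import Enum

class Origin(Enum):
    FAKES = "fakes"        # the virus/worm fakes its origin
    GENUINE = "genuine"    # the virus/worm doesn't fake its origin
    NOT_MAIL = "not-mail"  # not a mail-borne virus, so it doesn't fake
    UNKNOWN = "unknown"    # we don't know

# Hypothetical report line: "<part>: <name> FOUND [origin=<value>]".
# The origin suffix is the field the post asks for; no scanner is claimed to emit it.
LINE = re.compile(r"^(?P<part>[^:]+): (?P<name>\S+) FOUND(?: origin=(?P<origin>\S+))?$")

# Constructed sample report (names and paths are made up).
SAMPLE = """\
msg1/document.zip: Worm.Example.A FOUND origin=fakes
msg1/body.txt: OK
msg2/report.doc: Macro.Example.B FOUND origin=genuine
msg3/new.pif: Worm.Example.C FOUND
"""

def parse_report(text):
    """Return [(virus_name, Origin)]; a missing or unrecognised field is UNKNOWN."""
    found = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # clean parts and anything that is not a detection
        try:
            origin = Origin(m.group("origin"))
        except ValueError:
            origin = Origin.UNKNOWN  # brand-new signature without the field yet
        found.append((m.group("name"), origin))
    return found

def notification_plan(detections, inform_recipient=True, silent=False):
    """Decide who the gateway tells about one infected message."""
    origins = {origin for _, origin in detections}
    if not origins:
        return {"sender": False, "recipient": False}
    # A single spoofing or unclassified detection is enough to distrust the
    # apparent sender, so a bounce needs every detection to be non-spoofing.
    sender_ok = origins <= {Origin.GENUINE, Origin.NOT_MAIL}
    # "Silent" mirrors the option of not telling the recipient about spoofers.
    hide = silent and Origin.FAKES in origins
    return {"sender": sender_ok, "recipient": inform_recipient and not hide}
```

Because the decision keys on the field rather than on the virus name, the per-engine naming differences the post complains about do not enter into it.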