On Mon, 28 Aug 2006 [EMAIL PROTECTED] wrote:
> jef moskot wrote:
> > Occasionally there are major virus flare-ups (and often there are phishing
> > scams and such) that occur before an appropriate signature is in place.
> When do you actually scan then? Do you scan when the email is retrieved by
> the end user or do you just cron job something to go through all the boxes?

I usually only do this manually in special instances, but then I don't have a huge number of mailboxes to go through. When it's a major outbreak (e.g., something Microsoft has no patch for), I would consider it negligent not to try to eliminate as many copies of the virus as possible. I have a small script I modify to do the job of lifting the offending messages out of the mbox files.

On a large scale, there's the obvious problem of modifying files that could be in use or files that the user could be modifying during the stripping process. I can monitor these fairly easily in my environment, but on a larger scale, this would certainly be a much nastier problem.

As to the question of whether or not the files have been accessed already, in the general case, I can get to the mailboxes before they are accessed by a majority of the users. Certainly a high enough percentage to make the task worth it. Again, though, this is due to our environment.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
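
An added sketch of the retroactive mbox cleanup discussed in this message; it is not the poster's script. It assumes offending messages are identified by the SHA-256 of a decoded part, and the names `strip_mbox`, `leaf_digests` and `build_sample_mbox` are hypothetical. The lock only protects against delivery agents and mail clients that honor the same fcntl and dot-lock conventions.

```python
import hashlib
import mailbox
from email.message import EmailMessage

def leaf_digests(msg):
    """SHA-256 of each decoded leaf part (body text and attachments)."""
    parts = (p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart())
    return {hashlib.sha256(data).hexdigest() for data in parts if data}

def strip_mbox(path, bad_digests, quarantine_path):
    """Move messages holding a known-bad part into a quarantine mbox.

    Returns the number moved, or None when another process holds the lock,
    so the caller can skip that mailbox and retry later.
    """
    box = mailbox.mbox(path, create=False)
    try:
        box.lock()  # fcntl lock plus dot-lock; raises if either is already held
    except mailbox.ExternalClashError:
        box.close()
        return None
    quarantine = mailbox.mbox(quarantine_path)  # assumed private to the admin
    moved = 0
    try:
        for key in list(box.keys()):
            msg = box[key]
            if set(bad_digests) & leaf_digests(msg):
                quarantine.add(msg)  # keep a copy before removing
                box.remove(key)
                moved += 1
        quarantine.flush()
        box.flush()  # rewrites the mbox while the lock is still held
    finally:
        quarantine.close()
        box.close()  # close() also releases the lock
    return moved

def build_sample_mbox(path, payload):
    """Constructed test data: one clean message, one carrying `payload`."""
    box = mailbox.mbox(path)
    for subject, attach in (("lunch", None), ("invoice", payload)):
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
        m.set_content("hello")
        if attach is not None:
            m.add_attachment(attach, maintype="application",
                             subtype="octet-stream", filename="sample.bin")
        box.add(m)
    box.close()
```

A `None` return means the mailbox was in use; queue it for a later pass instead of forcing the rewrite.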