Dennis Peterson wrote: > John Rudd wrote: >> Dennis Peterson wrote: >> >>> You need to have better monitoring and notification, and a mail system >>> that delivers mail even if there is a fatal error in the AV tool. This >>> is hardly a ClamAV problem. >> Depends on what your goals are. >> >> For me, a reliable email system does not just mean "mail gets >> delivered". It also means that "we reliably reject detectable viruses". >> If we're letting viruses through because our pants are down (because >> our AV tool has failed), then that's not a reliable email system. >> That's a dysfunctional email system. >> >> better monitoring and notification: yes, good. >> >> letting potentially virus laden email through because your AV tool is >> down: very bad. > > Send it to your next AV tool. You don't rely on a single tool for this, > do you?
A single virus detecting program? No. A single decision point about "deliver vs reject vs tempfail"? Yes. (and, "AV tool" to me means all of these programs collectively (sophos, clamav, and/or mcaffee as the detection programs, and mailscanner or mimedefang or some other milter as the decision maker) If, at the point of making the decision of "should I deliver?" I have not gotten a definitive answer to "is this message clean?" then it would be very bad to go with "deliver". There is no "next" tool to pass the decision on to, because at that point all of the available detection programs have answered. So, when you say "You need to have a mail system that delivers even if there is a fatal error in the AV tool", I say: no. A fatal error means that the collective tool hasn't been able to determine whether or not the message contains a known infection (no matter how many detection programs I'm running). Therefore, we tempfail it. I do not see any other available and acceptable outcome. _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
