----- "Chuck Swiger" <[EMAIL PROTECTED]> wrote:
> You haven't mentioned what MTA you are using, which makes a big difference as
> to when and what you can use to do rejects during the SMTP session rather than
> accepting and then bouncing.
>
> However, note that ClamAV is a virus scanner, not a MIME analyzer: you should
> be saving the virus-scanning for last because it is fairly expensive, and
> perform MIME defanging or rejection of various content-types via cheaper tools
> like MIMEdefang or amavisd-new, and only run ClamAV on the stuff you accept.

Hi Chuck,

The MTA is qmail with simscan sitting up front calling ClamAV and qmail-scanner on the backend calling more AV engines. I don't have the regex pattern matching enabled in simscan since, aside from this issue, it is not needed and I imagine would be more expensive than having ClamAV block these 0.001% of emails which is why I'm investigating this avenue first.

I think it comes down to opinion but I feel that ClamAV should alert on files that it isn't properly able to scan. For example, if I scan one of the message files:

/test: OK

----------- SCAN SUMMARY -----------
Known viruses: 142100
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.48 MB
Time: 3.857 sec (0 m 3 s)

fsav /test
F-Secure Anti-Virus for Linux Servers
Database version: 2007-08-01_06
[/test] /test: Suspected: Partial MIME message. [ArchiveScanner]
Scan ended at Wed Aug 1 14:57:56 2007
1 file scanned
1 file suspected

If ClamAV does not perform any MIME analysis, what does the "ScanMail yes" option do?

Thanks for the reply.

Matt.
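
Added example, not part of the original thread and not code from ClamAV, simscan or F-Secure: a cheap MIME structure check of the kind described above, meant to run before the virus scanner so that messages it cannot fully scan are rejected instead of passed as OK. It assumes "Partial MIME message" means either an RFC 2046 message/partial part or a multipart that is cut off before its closing boundary; the function name mime_findings and the sample messages are constructed for illustration.

```python
import email
from email import policy

# message/partial (RFC 2046) splits one message across several mails, so no
# single piece can be scanned as a whole. Assumption: this is a type to refuse.
REJECT_TYPES = {"message/partial"}

def mime_findings(raw):
    """Return reasons to reject before the virus scan; an empty list means pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in REJECT_TYPES:
            findings.append(f"{ctype} part")
        # The parser records structural problems (for example a multipart
        # with no closing boundary) as defects instead of raising.
        for defect in part.defects:
            findings.append(f"{ctype}: {type(defect).__name__}")
    return findings

# Constructed sample messages (not taken from the thread).
PARTIAL = b"\r\n".join([
    b"From: a@example.com", b"Subject: part 1", b"MIME-Version: 1.0",
    b'Content-Type: message/partial; id="abc@example.com"; number=1; total=2',
    b"", b"From: a@example.com", b"Subject: whole",
    b"Content-Type: text/plain", b"", b"first half",
])
TRUNCATED = b"\r\n".join([
    b"From: a@example.com", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="XX"', b"",
    b"--XX", b"Content-Type: text/plain", b"", b"hello",
    b"--XX", b"Content-Type: application/octet-stream",
    b"Content-Transfer-Encoding: base64", b"", b"SGVsbG8gd29ybGQ=",
])  # ends without the closing "--XX--" line
CLEAN = b"\r\n".join([
    b"From: a@example.com", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="XX"', b"",
    b"--XX", b"Content-Type: text/plain", b"", b"hello", b"--XX--", b"",
])

if __name__ == "__main__":
    for name, raw in (("partial", PARTIAL), ("truncated", TRUNCATED), ("clean", CLEAN)):
        print(name, mime_findings(raw) or "pass to virus scanner")
```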