Noel Jones wrote:
Clam must scan the whole email message because (as you know) some
signatures only trigger on files that look like a mail message.
To have both attachment blocking and full email scanning, the mail
ends up being scanned twice. Maybe I'll put in a request for a "don't
scan decoded parts" feature ...
I've updated the page here with the new info:
http://www.sanesecurity.com/clamav/problems.htm
In order to get the best out of the Sanesecurity signatures the FULL
message must be passed to ClamAV, as a lot of the signatures use From
header/Subject/Others Headers and
combination of header/body.
As for performance, I'd agree it not double-scan would be a good idea.
Cheers,
Steve
Sanesecurity
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
