On Wed, Jun 25, 2003 at 04:53:22PM -0400, john crawford wrote:
> Developers:
>
> We are blocking with quarantine-attachments.txt, certain
> suffixes. It would be nice if the virus checking logic would
> run and make a response before the suffix check is (optionally) called.
> For silent_viruses (where the sender information is bogus) qmail-scanner
I'm afraid the perlscanner file checks happen first for a reason - they're cheap :-) Any virus/whatever you can block earlier means less work for your system.
Yes. I'm considering the cost of human administrator follow-up with the person who didn't actually send the message but gets excited by the notification they receive. CPU time is cheap compared to my time and the loss of goodwill. As we are trying to maximize productivity with qmail-scanner, I'd say putting the best logic into responding most appropriately (and by doing so, limiting collateral damage) to viruses is worth the penalty of extra processor cycles.
I do appreciate the silent_viruses logic, and I might try to keep up with things using the phrase in descriptions idea you mention. But from my perspective of costs, perhaps moving &scanloop before &perlscan_scanner will be worth my testing.
Thanks.
-John
For virii that are really obvious - like the new Sobig-E that came out yesterday (which always has an attachment "your_details.zip") - you can always define your quarantine-attachments.txt entry for it including a string that will match the "silent_viruses" entries. You should be able to "hack it" by ensuring one of the "silent_viruses" phrases appears in your description area in quarantine-attachments.txt...
However, in general you are correct. The "silent_viruses" is nice, but I don't know if I'm willing to move chunks of code around - making Q-S less efficient - just to make that work again. In fact, in the next release of Q-S, I've added even more "direct detection" code for obvious MIME-hacks/etc - again, they'll block messages and you won't know what virus it was blocking. All in the name of performance.
Any suggestions on a better solution would be welcome of course.
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
------------------------------------------------------- This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php _______________________________________________ Qmail-scanner-general mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
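One way to check which quarantine-attachments.txt entries carry a silent_viruses phrase in their description, as the reply above suggests. This is an added example, not qmail-scanner code or part of the original thread; the tab-separated three-column layout, the case-insensitive substring match, and the sample phrases and entries are assumptions to verify against your installed version.

```python
# Added example: audit quarantine entries against silent_viruses phrases.
# ASSUMPTIONS (not from the thread): columns are pattern<TAB>size<TAB>description,
# and a phrase counts as matched when it is a case-insensitive substring
# of the description.

SILENT_PHRASES = ["sobig", "klez"]  # constructed sample phrases

# Constructed sample file content, including one malformed line.
SAMPLE_ENTRIES = (
    "# pattern<TAB>size<TAB>description (constructed sample)\n"
    "your_details.zip\t-1\tSobig-E worm attachment\n"
    ".pif\t-1\tPIF files are not allowed by policy\n"
    "\n"
    "broken line without tabs\n"
)


def parse_entries(text):
    """Return (entries, malformed_line_numbers) from the file text."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        cols = [c.strip() for c in raw.split("\t")]
        if len(cols) < 3 or not cols[0] or not cols[2]:
            malformed.append(lineno)  # would never match as intended
            continue
        entries.append((lineno, cols[0], cols[2]))
    return entries, malformed


def silent_phrase(description, phrases):
    """Return the first phrase found in the description, or None."""
    low = description.lower()
    return next((p for p in phrases if p.lower() in low), None)


def audit(text, phrases):
    """Split patterns into those that stay silent and those that notify."""
    entries, malformed = parse_entries(text)
    silent, noisy = [], []
    for _lineno, pattern, desc in entries:
        (silent if silent_phrase(desc, phrases) else noisy).append(pattern)
    return {"silent": silent, "notifies_sender": noisy,
            "malformed_lines": malformed}


if __name__ == "__main__":
    print(audit(SAMPLE_ENTRIES, SILENT_PHRASES))
```

Entries listed under `notifies_sender` are the ones that would still generate a notification to a possibly forged sender address.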