On Mon, 23 Jul 2007, Chr. v. Stuckrad wrote:

> On Mon, 23 Jul 2007, John Scully wrote:
>
> > ... After adding the sanesecurity sigs to clamd last
> > week not one PDF has made it through. And since clamd unpacks and examines
> > every attachment anyway it is no additional load. In fact, due to the
> > messages not hitting SA it probably reduced load slightly.
>
> I have a 'political problem' with that. We 'drop' known viruses into
> a quarantine directory without further notice, and only once in years
> somebody complained and wanted his virus back :-)
>
> We *only* TAG spam with headers, then users decide to drop, move, or read it.
>
> So if I 'simply insert' those clamav sigs, spam would be handled as a virus,
> not as 'our spam', which I'm not allowed to destroy.
>
> Did somebody of you create an extra 'instance' of clamad-filter to fight
> spam with spam-sigs only, without scanning for virus-sigs? Does that
> sound feasible?
>
> Stucki

Doing exactly that here, easily done.

Create two instances of "clamd" (same binary, different config files
with different "DatabaseDirectory"s). First instance has only standard
AV sigs, second "DatabaseDirectory" has all supplemental sigs.

One trick, in the second "DatabaseDirectory" make 'daily.inc' and 'main.inc'
be soft-links pointing to the real subdirectories in the first
"DatabaseDirectory". That way you only need to run one instance of
freshclam to keep everything up-2-date for the standard ClamAV sigs.

Install the ClamAVPlugin in your SA, config it to 'talk' to the second
clamd instance, score appropriately.

You can then also try out the experimental anti-phishing features in the
second clamd instance with less risk of losing messages.

More details upon request.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
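
The two-instance layout described in the reply above, sketched as an added example that is not part of the original message: it builds both "DatabaseDirectory" trees with the soft-links and writes one config file per clamd instance. The directory names, socket and PID paths and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. All paths live under a caller-supplied root and are
# assumptions, not values taken from the thread.

# write_conf FILE DBDIR RUNPREFIX: minimal per-instance clamd config.
write_conf() {
    cat > "$1" <<EOF
DatabaseDirectory $2
LocalSocket $3.sock
PidFile $3.pid
EOF
}

# setup_dual_clamd ROOT
#   ROOT/db-av    first instance: standard AV sigs, kept current by freshclam
#   ROOT/db-spam  second instance: supplemental sigs are copied here, and
#                 daily.inc / main.inc are soft-links into ROOT/db-av
setup_dual_clamd() {
    root=$1
    av_db=$root/db-av
    spam_db=$root/db-spam
    mkdir -p "$av_db" "$spam_db" "$root/run" || return 1

    # Stand-ins for the subdirectories freshclam maintains in the first dir.
    mkdir -p "$av_db/daily.inc" "$av_db/main.inc" || return 1

    # Link rather than copy, so a single freshclam run updates both instances.
    for d in daily.inc main.inc; do
        ln -sfn "$av_db/$d" "$spam_db/$d" || return 1
    done

    write_conf "$root/clamd-av.conf"   "$av_db"   "$root/run/clamd-av"   || return 1
    write_conf "$root/clamd-spam.conf" "$spam_db" "$root/run/clamd-spam" || return 1
}

# check_links ROOT: succeed only if both links exist, resolve to a
# directory, and point into the first instance's DatabaseDirectory.
check_links() {
    for d in daily.inc main.inc; do
        [ -L "$1/db-spam/$d" ] || return 1
        [ -d "$1/db-spam/$d" ] || return 1
        [ "$(readlink "$1/db-spam/$d")" = "$1/db-av/$d" ] || return 1
    done
}
```

Each instance is then started with its own file (`clamd -c ROOT/clamd-av.conf`, `clamd -c ROOT/clamd-spam.conf`), with freshclam pointed only at the first directory. The quarantining virus filter keeps using the first socket and the SpamAssassin plugin uses the second, so a supplemental-signature hit only adds to the spam score.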