On Fri, 29 Jul 2011, Adam Moffett wrote:

On 07/29/2011 02:13 PM, Kelson Vibber wrote:
> Also, to complete the system, I recall there were some AV-mailets at the age. If possible use them before SA to catch messages carrying viruses.
Absolutely - we've got ClamAV running first, before anything touches SA, and using some of the SaneSecurity signature sets to catch additional malware.

I've often mused about which should run first, but never did any sort of testing. Is it pretty much the general consensus that it's less wasteful for the AV to scan the spam than to have SA scan the malware?

Need to keep in mind that the AV scans and SA scans have somewhat
different criteria for what to scan and how to deal with the results
of the scan.

E.g.: don't SA scan mail with large binary attachments; do want to AV
scan such critters.

Users may want to receive spam-tagged messages for personal judgment;
in general you do not want to give users AV-detected malware.

Probably want to run AV scanning at the front end of the mail process
so you can SMTP reject malware, SA scanning could be deferred to later
in the processing chain.

As the AV scanning tends to be a less resource intensive process you
probably want to do that first.

FWIW, I run two different instances of ClamAV. One with the stock
signatures as a milter front-end that SMTP rejects viri, one with
SaneSecurity and other additional sigs via the SA clam plugin to aid
spam/phish detection.

The SaneSecurity sigs are good but have too high a FP rate for me
to feel comfortable running them as an SMTP reject process. I'm
quite happy to run them as a part of SA where Bayes, white-lists,
score adjustments, etc. can ameliorate damage from FPs.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
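The two-stage layout Dave describes above (stock-signature AV at the SMTP edge that rejects, and a second ClamAV instance with third-party signatures feeding SpamAssassin only as a score, with large binary mail bypassing SA) as an added, self-contained illustration. This is not code from any of the list posters or from ClamAV/SpamAssassin: the clamd INSTREAM framing is the real clamd wire format, but the scanner callbacks, the score values, the size limit and the sample messages are constructed stand-ins so it runs offline without a clamd socket or SA.

```python
"""Two-stage mail filtering in the shape the thread describes (added example).

Stage 1: ClamAV with stock signatures at the SMTP edge; a hit is rejected.
Stage 2: SA-style scoring, where a second ClamAV loaded with SaneSecurity-style
signatures only adds to the score, so Bayes/whitelists can absorb its FPs.
Scanners and sample mail below are constructed stand-ins, not real clamd/SA.
"""
import struct
from email import message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Callable, Optional


# --- clamd INSTREAM wire format (documented in clamd(8)) --------------------
def build_instream_request(data: bytes, chunk_size: int = 8192) -> bytes:
    """Frame data for clamd's INSTREAM command: 'zINSTREAM\\0', then repeated
    <4-byte big-endian length><chunk>, terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_instream_reply(reply: bytes) -> Optional[str]:
    """Return the signature name on a hit, None if clean. clamd answers
    'stream: OK' or 'stream: <SigName> FOUND'; anything else (size limit
    exceeded, ERROR) is raised so an outage never silently reads as clean."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    if text == "stream: OK":
        return None
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return text[len("stream: "):-len(" FOUND")]
    raise RuntimeError(f"unexpected clamd reply: {text!r}")


# --- the two-stage policy ----------------------------------------------------
Scanner = Callable[[bytes], Optional[str]]   # raw message -> sig name or None
SA_SIZE_LIMIT = 512 * 1024                   # assumed SA bypass size (constructed)


def has_large_binary_attachment(msg: Message, limit: int = SA_SIZE_LIMIT) -> bool:
    """The thread's rule: mail with large binary parts is not SA-scanned
    (it still went through the AV stage first)."""
    for part in msg.walk():
        if part.get_content_maintype() in ("application", "image", "audio", "video"):
            if len(part.get_payload(decode=True) or b"") > limit:
                return True
    return False


def filter_message(raw: bytes, front_av: Scanner, sa_av: Scanner,
                   sa_score: Callable[[Message], float],
                   sa_threshold: float = 5.0, sane_score: float = 4.0) -> dict:
    """Return the action for one message: reject, tag or accept."""
    sig = front_av(raw)                      # stage 1: stock sigs, cheap, first
    if sig is not None:
        return {"action": "reject", "smtp": f"550 5.7.1 virus found: {sig}", "score": None}
    msg = message_from_bytes(raw)
    if has_large_binary_attachment(msg):     # stage 2 skipped, message delivered
        return {"action": "accept", "smtp": "250 OK", "score": 0.0}
    score = sa_score(msg)
    if sa_av(raw) is not None:               # FP-prone sigs only add score
        score += sane_score
    action = "tag" if score >= sa_threshold else "accept"
    return {"action": action, "smtp": "250 OK", "score": score}


# --- constructed stand-ins for the real scanners and sample mail -------------
def demo_front_av(raw: bytes) -> Optional[str]:
    return "Demo.Stock.Sig" if b"DEMO-STOCK-HIT" in raw else None


def demo_sane_av(raw: bytes) -> Optional[str]:
    return "Sanesecurity.Demo.Phish" if b"DEMO-SANE-HIT" in raw else None


def demo_sa_score(msg: Message) -> float:
    return 3.0 if "free money" in (msg.get("Subject") or "").lower() else 0.5


CLEAN = b"Subject: meeting notes\r\n\r\nAgenda attached below.\r\n"
VIRUS = b"Subject: invoice\r\n\r\nDEMO-STOCK-HIT\r\n"
PHISH = b"Subject: Free money inside\r\n\r\nDEMO-SANE-HIT click here\r\n"


def make_big_message() -> bytes:
    """Constructed multipart mail with a 600 KiB binary attachment."""
    m = MIMEMultipart()
    m["Subject"] = "large file"
    m.attach(MIMEText("see attached"))
    m.attach(MIMEApplication(b"\0" * (600 * 1024), Name="blob.bin"))
    return m.as_bytes()


def run_demo(raw: bytes) -> dict:
    return filter_message(raw, demo_front_av, demo_sane_av, demo_sa_score)


if __name__ == "__main__":
    for name, raw in [("clean", CLEAN), ("virus", VIRUS), ("phish", PHISH),
                      ("big", make_big_message())]:
        print(name, run_demo(raw))
```

The ordering matches the reasoning in the reply: the cheap stock-signature scan runs on every message first and is the only stage allowed to produce a 5xx, while the higher-FP signature set can at most push the score over the tagging threshold, where the rest of SA's scoring still has a say. To talk to a real clamd, send `build_instream_request(raw)` over its socket and feed the reply to `parse_instream_reply` in place of the demo callbacks.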
