There is no perfect Spam or Virus system. There will either be false positives, missed Spam or Viruses or a combination of both. Therefore, if the customer is expecting absolute perfection, then I think the problem is one of a customer with unrealistic expectations.
You said, "what happens if tommorow turns out that scan engines has catched many legit messages as viruses due to a new buggy singature." Well, then you need to HOLD ALL messages tagged as containing a virus, if you are that anal about it and that makes your original point moot. For instance, you've solved nothing if you had "bagal" hard coded to be deleted and that was the buggy one in the signature file. How often does this really happen - does it happen more than 1% of the time? It hasn't shown to be an issue in our case, but I think we'd all be interested in your statistics which show it as a significant exposure to false positives. You said, "or because a legit message unexpected contains something "sospicious." My previous comment was to hold all of those tagged as suspicious. Do you have good statistics on these, which show a significant false positive rate? I think we'd all be interested in your finding . . . Thanks, Friday, January 27, 2006, 10:56:56 AM, Markus Gufler <[EMAIL PROTECTED]> wrote: >> aren't you out hunting mosquitos with hand grenades? MG> If the "mosquito" is a very nasty but important customer it's bether using MG> tank's, mg's and whatever you can organize in order to prevent painfull MG> stings... MG> On a day liky today I could turn on DELETEVIRUSES with nearly zero risk in MG> order to keep the server disk clean. But what happens if tommorow turns out MG> that one of the scan engines has catched many legit messages as viruses due MG> to a new buggy singature or because a legit message unexpected contains MG> something "sospicious". How do you explain to customers that the messages MG> are already deleted? MG> F-Prot's exit code 8 (suspicious files) has catched a lot of new unknow MG> viruses before singatures was available. So I use this exit code in my MG> config to hold messages. But suspicous could also be something legit we MG> don't know at the moment. MG> As I can understand a feature like DELETEVIRUSNAME wouldn't require more MG> then 30 lines of code and 3 hours of work and it would eliminate any need MG> for own scripts on each server. This is not what I consider a hand MG> grenade... MG> Markus MG> --- MG> [This E-mail was scanned for viruses by Declude EVA www.declude.com] MG> --- MG> This E-mail came from the Declude.Virus mailing list. To MG> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and MG> type "unsubscribe Declude.Virus". The archives can be found MG> at http://www.mail-archive.com. ---- Don Brown - Dallas, Texas USA Internet Concepts, Inc. [EMAIL PROTECTED] http://www.inetconcepts.net (972) 788-2364 Fax: (972) 788-5049 ---- --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
