Noel Jones wrote the following on 5/21/2007 9:32 PM -0800: > At 09:55 PM 5/21/2007, Bill Landry wrote: > >> Mark, can you tell me why the Email.Malware are still not detected >> without enabling /^MAIL$/? I would like to keep virus scan processing >> to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are >> not detected. >> > > Most of the Email.Malware signatures are "email" type > signatures. Clamav must be presented with a file recognizable as an > email (Received: headers and other clues) for these signature to even > be checked. > > You must always present clamav with raw email files to use all the > published signatures. In addition to the SaneSecurity add-on > signatures, most of the "official" clam Phish signatures are "email" > type, along with several official trojan & worm signatures. > > If you don't set amavisd-new to scan the full email message, you > effectively disable all signatures requiring an email message. > > Okay, then is there any reason to have amavisd-new break e-mail messages up for individual parts scanning? Would it make sense to disable parts scanning and just have amavisd-new only pass the entire raw message to clamd for scanning?
Bill ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/