Riaan,

> Since an email relay sits mere seconds away from malware generation, one
> can accept that not all viruses would get caught. I've however heard
> reports from downstream that a next relay in line is catching some viruses
> that got missed by our amavisd-new setup. Also using ClamAV.
>
> Now, before making assumptions or trying to test this elusive suspicion,
> I'd like to run this question by the list first: Do you think that
> scanning a directory filled with MIME unpacked email bits should be more,
> less, or equally as reliable as scanning the raw email file? In practice,
> do you think that Clam or whatever might use the extra "information" of
> malicious payload sitting snugly surrounded by its MIME encoding? In
> short, which option is best, pointing the AV components of amavisd-new at
> the raw file or at the pieces? Thanks for any advice!

Indeed, ClamAV may use the extra information from a mail header section
or from a message structure. For this reason it is advisable to retain
the complete message as one additional (or the only) file passed to
virus scanners - and this is a default since amavisd-new-2.6.3:

  @keep_decoded_original_maps = (new_RE(
    qr'^MAIL$',   # retain full original message for virus checking
    qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  ));

  Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
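
The point of the reply above, as an added example that is not part of the original thread and is not amavisd-new or ClamAV code: a toy byte-pattern matcher run over a constructed message, once on the decoded MIME parts, once on the raw mail, and once on both. The two signatures, the marker string and the sample message are assumptions made for illustration; unlike a real scanner, the toy matcher does no MIME decoding of its own.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample data: a harmless marker stands in for a payload.
MARKER = b"CONSTRUCTED-TEST-MARKER"

def build_sample() -> bytes:
    """Build a constructed two-part mail with a base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attachment.")
    msg.add_attachment(MARKER, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()

# Hypothetical signatures (not ClamAV's): the first needs the decoded payload,
# the second needs MIME header text that exists only in the raw message.
SIGNATURES = {
    "payload-marker": re.compile(re.escape(MARKER)),
    "double-extension-header": re.compile(
        rb'(?im)^content-disposition:[^\r\n]*filename="?[^"\r\n]*\.pdf\.exe'),
}

def unpack_parts(raw: bytes) -> list[bytes]:
    """Decoded leaf parts, as a MIME unpacker would write them to a directory."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_payload(decode=True) for p in msg.walk()
            if not p.is_multipart()]

def scan(blobs: list[bytes]) -> set[str]:
    """Names of all signatures that match at least one of the given files."""
    return {name for name, sig in SIGNATURES.items()
            for blob in blobs if sig.search(blob)}

def compare() -> dict[str, set[str]]:
    """Scan results for the three ways of feeding the scanner."""
    raw = build_sample()
    parts = unpack_parts(raw)
    return {
        "parts_only": scan(parts),                 # pieces, headers lost
        "raw_only": scan([raw]),                   # payload still base64
        "parts_plus_original": scan(parts + [raw]),  # pieces plus full mail
    }

if __name__ == "__main__":
    for mode, hits in compare().items():
        print(f"{mode:20} {sorted(hits)}")
```
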