Bill Landry wrote:
> Dennis Peterson wrote:
>> Joao S Veiga wrote:
>>> Hi John,
>>>
>>>> think long and hard about the combination of payments and entities which are
>>>> reduced to using numeric IPs in URLs. I suspect my business goes elsewhere.
>>> Agreed :-), but the problem is (and what has caused most of my problems) that if
>>> you have an email with the Subject: Pagamento in your mailbox file, then receive
>>> another one with the numeric href, clamav will say your mailbox is infected - it
>>> doesn't matter that the two parts of the signature are in different emails.
>> This problem is also being discussed in the "Getting line numbers" thread. The
>> Email.FreeGame pattern demonstrates the very bad idea of using unanchored wildcard
>> expressions in regex searches. If the software is not working on an extracted copy of
>> each message found in the mbox then all such unanchored searches will crawl to the
>> end of the mbox file with each invocation and in very many cases that is a lot of
>> file to be crawling. If clamav is not treating mbox files as tables of rfc-822
>> messages then it is a pretty poor choice of tools for scanning them.
>
> I've been following this discussion for the past few days, and I got to ask why
> scan an mbox file in the first place? I realize that if one does choose to scan
> an mbox file, then the scanner should do the right thing and consider each
> message within the mbox as a separate file. However, if one is scanning
> messages at transport time, why would they need to scan the mbox file?
>
> If one is not scanning at transport time, then since the infected message has
> already been delivered, it could very well be that it has also executed its
> payload and scanning the mbox file after-the-fact is too late.

A message arrives on Monday. By Tuesday a new pattern has come out. Scanning the inbox finds the virus in the message that came in on Monday. Your manager thinks you are a credit to his department, you get a commendation and are put in for a raise. Day zero is a race. Don't think you're always going to win it.

dp
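
Added example, not part of any post in this thread and not ClamAV code: it shows the cross-message false positive described above, and how scanning each extracted message separately removes it while still catching a message that matches on its own. The two-part pattern, the sample messages and all function names are constructed for illustration.

```python
import mailbox, os, re, tempfile

# Hypothetical two-part pattern modelled on the thread (not a real ClamAV
# signature): a Subject line, then a numeric-IP href at any distance after it.
PART_A = re.compile(rb"Subject: Pagamento")
PART_B = re.compile(rb'href="http://\d{1,3}(?:\.\d{1,3}){3}')

def matches(blob):
    """True if PART_A occurs and PART_B occurs somewhere after it."""
    a = PART_A.search(blob)
    return bool(a and PART_B.search(blob, a.end()))

def scan_per_message(path):
    """Indexes of the messages that match the pattern on their own."""
    box = mailbox.mbox(path, create=False)
    try:
        return [i for i, k in enumerate(box.keys()) if matches(box.get_bytes(k))]
    finally:
        box.close()

def scan_bytes(data):
    """Write data to a temporary mbox; return (whole_file_hit, per_message_hits)."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return matches(data), scan_per_message(path)
    finally:
        os.remove(path)

# Constructed sample: two harmless messages, each holding one half of the pattern.
SAMPLE = (
    b"From alice@example.com Mon Jan  1 10:00:00 2007\n"
    b"From: alice@example.com\nSubject: Pagamento\n\nInvoice as agreed.\n\n"
    b"From bob@example.com Tue Jan  2 11:00:00 2007\n"
    b"From: bob@example.com\nSubject: router page\n\n"
    b'<a href="http://192.0.2.10/admin">admin</a>\n\n'
)
# Constructed third message that carries both halves by itself.
BOTH = (
    b"From eve@example.com Wed Jan  3 12:00:00 2007\n"
    b"From: eve@example.com\nSubject: Pagamento\n\n"
    b'<a href="http://198.51.100.7/x">boleto</a>\n\n'
)

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))         # whole-file hit, no single message matches
    print(scan_bytes(SAMPLE + BOTH))  # only the third message is reported
```

Splitting first also bounds each unanchored search to one message instead of the remainder of the mailbox file.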
