Dennis Peterson wrote: >> I've been following this discussion for the past few days, and I got to ask >> why >> scan an mbox file in the first place? I realize that if one does choose to >> scan >> an mbox file, then the scanner should do the right thing and consider each >> message within the mbox as a separate file. However, if one is scanning >> messages at transport time, why would they need to scan the mbox file? >> >> If one is not scanning at transport time, then since the infected message has >> already been delivered, it could very well be that it has also executed it's >> payload and scanning the mbox file after-the-fact is too late. > > A message arrives on Monday. By Tuesday a new pattern has come out. Scanning > the > inbox finds the virus in the message that came in on Monday. Your manager > thinks you > are a credit to his department, you get a commendation and are put in for a > raise. > > Day zero is a race. Don't think you're always going to win it.
Agreed, but virus scanning, like spam filtering, is a "best effort" service. If one has hundreds of thousands of users, I can't imagine that the resources necessary to scan all of those mbox files (many of which can be quite large) can be worth the effort. At some point you have to pass the responsibility onto the end user (personal virus scanner, updated regularly), otherwise you make yourself liable for their actions/mistakes. I would not want to assume any more responsibility for viruses getting through to end users then the virus vendors themselves are assuming. Otherwise you are setting yourself up for some real problems. Just my unsolicited 2 cents... Bill _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
