No Matt, it wouldn't be a complete solution for you
or me. We don't trust DELETE actions at all.
Markus however, is ok with a DELETE action, as with many
others, so I'm pretty confident that they would be ok with an autodelete as
well, while trusting that Declude.com isn't going to make a mistake with a bad
keyword listing such as "suspicious" or "virus" (as opposed to desired behaviour
like "nyxem", "netsky", "bagle", "mytob", "sober").
For you and me, I think we'd want a "HOLD
[Path[\]][%DATE%]" action in the Declude EVA product that let us specify a
different HOLD folder. Any add-on web scripts that those ISPs or
Gatewaying companies have developed so that the end-user can self-service
their spam/virus folder would not include this secondary HOLD folder and
the ISP could take timed and scripted actions on these folders as they see
fit.
To make that work, we would then want a mechanism to
distinguish the detected viruses and move the *.smd files to the correct HOLD
folder accordingly. But that's a different thread, eh?
Andrew 8)

I thought that AV false positives can occur with definitions for
known virus names. In other words, if a message gets tagged as Bagle, it
might be legit 0.00001% of the time. So would this really be a complete
solution?
Matt

Colbeck, Andrew wrote:
Markus would find this handy (as would other die-hards who are often seen
to post in this forum) and would be willing to maintain a small list of
entries for which he would like this behaviour.
However, in addition to the FORGINGVIRUS DNS lookup feature that Declude
already implements*, perhaps they would be interested in also
implementing a DNS lookup feature for known virus names that customers
could just delete out of hand.
This would of course require ongoing maintenance on their part, and
trust from their customers. Declude would provide a new switch to
govern this behaviour, which would default to OFF, e.g.
AUTODELETEKNOWNWORMS ON
Thus, Markus would be satisfied with being able to manually pick and
choose which virus families to delete, and administrators who want less
hands-on involvement could turn ON this feature to save disk space.
*The existing feature exists to skip email notification when the scanner
engine returns the name of a known virus/worm that Declude knows forges
the MAILFROM. The FORGINGVIRUS xxxxx feature is a manual version of
this feature that lets the Declude customer add in more viruses. As far
as I know, Declude.com does not keep a public list of the virus names
that they test for via DNS. Please correct me if I'm wrong on any of
this.
Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Wednesday, January 25, 2006 2:37 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME
Maybe someone has already requested it:
Why not allow commands like
DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
...
in the virus.cfg file?
I won't and can't delete all viruses on our server because
there is always the possibility that a scanner is catching
something as "suspicious" or "generic".
But commands to delete certain virusnames should be very easy
to implement and allow us to eliminate > 95% of all hold
viruses on our servers.
Markus
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
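
The policy argued over in this thread (delete only on a listed family name, keep holding anything a scanner calls "suspicious" or "generic") as an added Python sketch. It is not Declude code and not part of any post: DELETEVIRUSNAME is the directive requested above, not a documented option, and the function names, config sample and verdict strings are constructed for illustration.

```python
import re

# Constructed sample in the style of the request; DELETEVIRUSNAME is the
# proposed directive from the thread, not a documented Declude option.
SAMPLE_CFG = """\
# families considered safe to drop
DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
DELETEVIRUSNAME Mytob
"""

# Words the thread names as heuristic verdicts that must never auto-delete.
HEURISTIC_WORDS = {"suspicious", "generic"}
# Entries too broad to accept as a "family" (the bad-keyword concern).
TOO_BROAD = HEURISTIC_WORDS | {"virus"}


def parse_delete_names(cfg_text):
    """Return lower-cased family names listed after DELETEVIRUSNAME."""
    names = set()
    for line in cfg_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) == 2 and parts[0].upper() == "DELETEVIRUSNAME":
            name = parts[1].lower()
            if name not in TOO_BROAD:          # refuse over-broad keywords
                names.add(name)
    return names


def tokens(virus_name):
    """Split a verdict such as 'W32/Netsky.p@MM' into lower-case words."""
    return [t for t in re.split(r"[^a-z0-9]+", virus_name.lower()) if t]


def decide(virus_name, delete_names):
    """Return 'DELETE' only for an exact family token with no heuristic word."""
    words = tokens(virus_name)
    if any(w in HEURISTIC_WORDS for w in words):
        return "HOLD"    # a heuristic verdict wins over any family match
    if any(w in delete_names for w in words):
        return "DELETE"
    return "HOLD"        # unlisted or empty name stays held for review
```

Matching whole tokens rather than substrings keeps a listed family from matching inside a longer, unrelated name, and checking the heuristic words first means a verdict like "Generic.Mytob" is held even though "Mytob" is listed.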