I did as Scott recommended and turned off prescan; but afterwards I noticed in the clam logs that ClamAV had caught phish previously with prescasn ON sooo why would you think that is so? eg - I guess what I'm asking is will ClamAV reliably anti-phish to its capability with prescan on?
PRESCAN ON (which works with Declude Virus Pro) saves CPU resources by not calling the AV scanner when an E-mail arrives that contains one or more HTML segments, if [1] there are no other segments except text and/or HTML segments, and [2] the HTML doesn't contain any code that Declude Virus identifies as potentially dangerous.
In other words, since most E-mail these days has HTML (by default, most mail clients send HTML E-mail, even if you just say "hi" in normal text), PRESCAN ON is able to save a lot of CPU time by not scanning those E-mails (while still catching the few E-mails that contain viruses/worms in HTML, such as kak.worm).
The drawback here to PRESCAN ON is that phishing attacks won't get sent to the virus scanner, so a virus scanner that is looking for them won't find them.
What you are probably seeing is an E-mail with a phishing attack that *does* contain potentially dangerous code. For example, if it contains any JavaScript -- even safe JavaScript code -- it would be sent to the virus scanner. So you may see the virus scanner detecting some phishing attacks even with PRESCAN ON. But to catch them all, you would need PRESCAN OFF.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---- This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
