Chris Masters wrote: > So is it true to say that virus scanning on a per > entity basis does not maximise virus detection safety? > Should we always use MIME::Tools (via filter) *and* > the virus scanners own mime decoding functionality > (via filter_begin for example) for each mail?
No. The safest way is illustrated in the example filter. Do your scanning in filter_end, but call md_copy_orig_msg_to_work_dir_as_mbox_file() before invoking the virus scanner. > It looks as though the mail was a ligitimate bounce > that possibly contained (within the body) the encoded > original infected mail - based on the subject and the > size in logs. qmail is notorious for bouncing MIME messages as a big text/plain part containing (among other things) the original raw MIME message. MIME::Tools will *not* decode this, and neither should any mail clients, but you never know if an MUA author is going to decide to be "clever" and decode qmail bounces. > Even so, the scanners should surely pick > it up or does this render the virus harmless? It should render the virus harmless, but the good people who bring you M$ Outlook are well-known for snatching defeat from the jaws of victory when it comes to security. > I know that some virus scanners will (wrongly I think) fail to > detect a virus if it's renamed as a txt file because it cannot be > executed. This is not the case with MIMEDefang and ClamAV. Regards, David. _______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [email protected] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
