Chr. v. Stuckrad wrote:
On Mon, 23 Jul 2007, John Scully wrote:... After adding the sanesecurity sigs to clamd last week not one PDF has made it through. And since clamd unpacks and examines every attachment anyway it is no additional load. In fact, due to the messages not hitting SA it probably reduced load slightly.I have a 'political problem' with that. We 'drop' knowv viruses into a quarantine directory without further notice, and only once in years somebody complained and wanted his virus back :-) We *only* TAG spam with headers, then users decide to drop, move, or read it. So if I 'simply insert' those clamav sigs, spam would be handled as a virus, not as 'our spam', which I'm not allowed to destroy. Did somebody of you create an extra 'instance' of clamad-filter to fight spam with spam-sigs only, without scaning for virus-sigs? Does that sound feasible?
The clamav helper I'm working on for CommuniGate Pro can do exactly that. You could have:
a) clamav #1 running with regular signatures, detecting viruses and phishing, rejecting them or adding a set of headers that say "this is a virus".
b) clamav #2 running against 3rd party scanners, and generating different headers that say "this is something else".
You could even do it as 5 different instances (1 for base clamav sigs, 1 for each of the signature files from sanesecurity, 1 for each of the signature files from msrbl), and mark them accordingly.
I have no idea if anyone is doing something similar for other clamav mechanisms.
