[Mimedefang] Which AV package are most people using with MimeDefang?

Tony Nugent tony at linuxworks.com.au
Wed Oct 23 22:31:01 EDT 2002


On Wed Oct 23 2002 at 11:19, "Stefano McGhee" wrote:

> Hello,
> 	I use a mildly modified MD filter plus File::Scan.  I have found
> that most every virus-ridden message gets blocked by MD.  The only
> difference that File::Scan makes is that it gives it a name i.e. BugBear or
> Klez.

(that isn't so unusual, I thought most scanners could do that).

> Even before I updated File::Scan to detect BugBear, MD was stopping
> it.  The only thing I am curious about is whether File::Scan/MD will work
> against MIME exploits and the like.  I'm guessing they do as I have seen

If I run a small File::Scan script over a raw mail file with bugbear
in it, nothing is detected.

If I use NAI's uvscan to scan it, it detects the mime exploit it
contains (Exploit-MIME.gen.exe).

  It has been doing this for a long while... it's actually a bit of
  a problem since examples of mime exploits can sometimes be
  posted to places like bugtraq mailing lists - oops, they get
  quarantined by mimedefang as a virus :)

Neither of them detect the bugbear virus itself unless the actual
mime attachments are extracted and individually scanned.

  So when used with MD, uvscan must actually flag two different
  "viruses" when it scans bugbear emails -- the mime exploit in the
  ENTIRE_MESSAGE, and bugbear in the attachment.  I glob for the
  virus name in filter_end() so I assume that the details of the
  second scan hit on the attachment replace the details of the first
  hit.  Which raises the notion of how to "properly" handle emails
  with multiple exploits/viruses...  :)

The conclusion is that MD (with its banned file extensions etc) and
the (patched) File:Tools are doing the job of detecting the mime
exploits and giving you the added protection.

> nary an exploit detected by my inside server running McAfee GroupShield
> for Exchange.  MD/File::Scan closes the door on these evils. :)

(jumping to conclusions??  :)

If you have GroupShield, then this should allow you to use
uvscan (for linux).  I have no reservations in recommending it, it
has worked very well for me for more than 18 months.  (Licence costs
are an issue in some situations so recently I've been looking at
alternatives).

> IMHO,
> 
> Stefano

Cheers
Tony
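One way to act on the two observations above (a scanner only sees the attachment once the MIME parts are decoded, and a second scan hit must not silently replace the first), as an added example that is neither MimeDefang's filter code nor Tony's: the scanner here is a constructed signature matcher standing in for uvscan or File::Scan, and the sample message and its marker strings are constructed, not real malware.

```python
# Added illustration (not MimeDefang's code, not Tony's filter): scan the raw
# message and each decoded MIME part separately, and keep every hit instead of
# letting a later hit overwrite an earlier one. scan_bytes() is a constructed
# signature matcher standing in for uvscan/File::Scan; the signatures and the
# sample message are constructed, not real malware.
import email
from email.message import EmailMessage
from email.policy import default

# Constructed "signatures": one only visible in the raw headers (a stand-in for
# a MIME-header exploit), one only visible inside a decoded attachment.
SIGNATURES = {
    b"X-Constructed-Header-Marker: boom": "Exploit-MIME.constructed",
    b"CONSTRUCTED-ATTACHMENT-MARKER": "W32/Constructed.sample",
}

def scan_bytes(data: bytes) -> list[str]:
    """Stand-in scanner: return the names of all signatures found in data."""
    return [name for sig, name in SIGNATURES.items() if sig in data]

def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (location, name) for every hit, in scan order, never dropping one."""
    hits = [("ENTIRE_MESSAGE", n) for n in scan_bytes(raw)]
    msg = email.message_from_bytes(raw, policy=default)
    for i, part in enumerate(msg.walk()):       # walk() yields the top level too
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # base64/qp decoded
        where = f"part {i} ({part.get_filename() or part.get_content_type()})"
        hits.extend((where, n) for n in scan_bytes(payload))
    return hits

def build_sample() -> bytes:
    """Constructed multipart message with one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg["X-Constructed-Header-Marker"] = "boom"
    msg.set_content("text body")
    msg.add_attachment(b"CONSTRUCTED-ATTACHMENT-MARKER", maintype="application",
                       subtype="octet-stream", filename="readme.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    for where, name in scan_message(build_sample()):
        print(f"{name} in {where}")
```

Scanning the raw bytes alone finds only the header marker, because the attachment is base64-encoded on the wire; the per-part pass finds the second hit, and both survive in the returned list.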