[Mimedefang] Which AV package are most people using with MimeDefang?
Tony Nugent
tony at linuxworks.com.au
Wed Oct 23 22:31:01 EDT 2002
On Wed Oct 23 2002 at 11:19, "Stefano McGhee" wrote:
> Hello,
> I use a mildly modified MD filter plus File::Scan. I have found
> that most every virus-ridden message gets blocked by MD. The only
> difference that File::Scan makes is that it gives it a name, i.e. BugBear or
> Klez.
(that isn't so unusual, I thought most scanners could do that).
> Even before I updated File::Scan to detect BugBear, MD was stopping
> it. The only thing I am curious about is whether File::Scan/MD will work
> against MIME exploits and the like. I'm guessing they do as I have seen
If I run a small File::Scan script over a raw mail file with bugbear
in it, nothing is detected.
If I use NAI's uvscan to scan it, it detects the mime exploit it
contains (Exploit-MIME.gen.exe).
It has been doing this for a long while... it's actually a bit of
a problem since examples of mime exploits can sometimes be
posted to places like bugtraq mailing lists - oops, they get
quarantined by mimedefang as a virus :)
Neither of them detects the bugbear virus itself unless the actual
mime attachments are extracted and individually scanned.
So when used with MD, uvscan must actually flag two different
"viruses" when it scans bugbear emails -- the mime exploit in the
ENTIRE_MESSAGE, and bugbear in the attachment. I glob for the
virus name in filter_end() so I assume that the details of the
second scan hit on the attachment replace the details of the first
hit. Which raises the notion of how to "properly" handle emails
with multiple exploits/viruses... :)
The conclusion is that MD (with its banned file extensions etc) and
the (patched) File::Tools are doing the job of detecting the mime
exploits and giving you the added protection.
> nary an exploit detected by my inside server running McAfee GroupShield
> for Exchange. MD/File::Scan closes the door on these evils. :)
(jumping to conclusions?? :)
If you have GroupShield, then this should allow you to use
uvscan (for linux). I have no reservations in recommending it, it
has worked very well for me for more than 18 months. (Licence costs
are an issue in some situations so recently I've been looking at
alternatives).
> IMHO,
>
> Stefano
Cheers
Tony
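Added example, not from this thread or from the MIMEDefang or File::Scan projects: a small Python script illustrating the two points Tony makes above, that a scanner run over the raw mail file cannot see the contents of a base64-encoded attachment until the MIME parts are extracted and decoded, and that one message can produce more than one hit (one against the whole message, one against an attachment), so the filter has to collect all of them rather than keep only the last. The "scanner" is a constructed byte-marker lookup standing in for uvscan or File::Scan; the marker strings, the sample message, the helper names and the header `X-Constructed-Marker` are all assumptions made for the example. The name `Exploit-MIME.gen.exe` is reused from the thread purely as a label.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Constructed "signatures": a byte marker standing in for a real scanner's
# detection logic.  The first marker is planted in a header, modelling a hit
# against the message structure (what the thread calls ENTIRE_MESSAGE); the
# second sits inside the attachment content.  Neither matches real malware.
SIGNATURES = {
    b"CONSTRUCTED-MIME-EXPLOIT-MARKER": "Exploit-MIME.gen.exe",
    b"CONSTRUCTED-ATTACHMENT-MARKER": "Constructed.TestWorm",
}


def build_sample_message() -> bytes:
    """Constructed sample mail: a plain body plus one base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg["X-Constructed-Marker"] = "CONSTRUCTED-MIME-EXPLOIT-MARKER"  # assumed header
    msg.set_content("Body text of the constructed sample.\n")
    msg.add_attachment(
        b"payload CONSTRUCTED-ATTACHMENT-MARKER payload",
        maintype="application",
        subtype="octet-stream",
        filename="sample.bin",  # add_attachment base64-encodes bytes content
    )
    return msg.as_bytes()


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every constructed signature found in data."""
    return [name for sig, name in SIGNATURES.items() if sig in data]


def scan_raw(raw: bytes) -> List[str]:
    """Scan the raw mail file as-is, the way a scanner sees ENTIRE_MESSAGE."""
    return scan_bytes(raw)


def scan_parts(raw: bytes) -> Dict[str, List[str]]:
    """Extract each MIME leaf part, decode its transfer encoding, scan it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: Dict[str, List[str]] = {}
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        label = part.get_filename() or f"part{index}"
        found = scan_bytes(payload)
        if found:
            hits[label] = found
    return hits


def scan_message(raw: bytes) -> Dict[str, List[str]]:
    """Combine the whole-message scan with the per-part scans, keeping every hit."""
    findings = {"ENTIRE_MESSAGE": scan_raw(raw)}
    findings.update(scan_parts(raw))
    return {k: v for k, v in findings.items() if v}


def virus_names(findings: Dict[str, List[str]]) -> List[str]:
    """All distinct names across every hit, so a later hit never replaces an earlier one."""
    return sorted({name for names in findings.values() for name in names})


if __name__ == "__main__":
    raw = build_sample_message()
    print("raw scan only sees:   ", scan_raw(raw))
    print("per-part scan sees:   ", scan_parts(raw))
    print("all names for the mail:", virus_names(scan_message(raw)))
```

Running it shows the raw scan reporting only the structural hit, the per-part scan reporting only the attachment hit, and the combined result carrying both names, which is the behaviour a filter_end() handler wants instead of letting the second hit overwrite the first.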