[Mimedefang] Which AV package are most people using with MimeDefang?

Stefano McGhee SMcGhee at ARCweb.com
Thu Oct 24 09:53:00 EDT 2002


Tony,
	So, a fan of uvscan, eh? :)  What does it take to give it a try on
my rig?  I've downloaded it and installed it to the default dir.  Do I just
recompile MD?  Do I need to remove File::Scan to preference UV?  I seem to
remember something about MD using the first AV program it finds, and
File::Scan is high on the list.  Will recompiling and reinstalling MD
overwrite my filter files i.e. mimedefang-filter?

Thanks,

Stefano

-----Original Message-----
From: Tony Nugent [mailto:tony at linuxworks.com.au] 
Sent: Wednesday, October 23, 2002 10:31 PM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Which AV package are most people using with MimeDefang?


On Wed Oct 23 2002 at 11:19, "Stefano McGhee" wrote:

> Hello,
> 	I use a mildly modified MD filter plus File::Scan.  I have found
> that most every virus-ridden message gets blocked by MD.  The only
> difference that File::Scan makes is that it gives it a name i.e. BugBear or
> Klez.

(that isn't so unusual, I thought most scanners could do that).

> Even before I updated File::Scan to detect BugBear, MD was stopping
> it.  The only thing I am curious about is whether File::Scan/MD will work
> against MIME exploits and the like.  I'm guessing they do as I have seen

If I run a small File::Scan script over a raw mail file with bugbear
in it, nothing is detected.

If I use NAI's uvscan to scan it, it detects the mime exploit it
contains (Exploit-MIME.gen.exe).

  It has been doing this for a long while... it's actually a bit of
  a problem since examples of mime exploits can sometimes be
  posted to places like bugtraq mailing lists - oops, they get
  quarantined by mimedefang as a virus :)

Neither of them detect the bugbear virus itself unless the actual
mime attachments are extracted and individually scanned.

  So when used with MD, uvscan must actually flag two different
  "viruses" when it scans bugbear emails -- the mime exploit in the
  ENTIRE_MESSAGE, and bugbear in the attachment.  I glob for the
  virus name in filter_end() so I assume that the details of the
  second scan hit on the attachment replace the details of the first
  hit.  Which raises the notion of how to "properly" handle emails
  with multiple exploits/viruses...  :)

The conclusion is that MD (with its banned file extensions etc) and
the (patched) File:Tools are doing the job of detecting the mime
exploits and giving you the added protection.

> nary an exploit detected by my inside server running McAfee GroupShield
> for Exchange.  MD/File::Scan closes the door on these evils. :)

(jumping to conclusions??  :)

If you have GroupShield, then this should allow you to use
uvscan (for linux).  I have no reservations in recommending it, it
has worked very well for me for more than 18 months.  (Licence costs
are an issue in some situations so recently I've been looking at
alternatives).

> IMHO,
> 
> Stefano

Cheers
Tony
_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
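Tony's point that the attachment is only found once the MIME parts are extracted and scanned individually (which is what MIMEDefang does before handing parts to a scanner) comes down to transfer encoding: a signature inside a base64-encoded attachment is not present in the raw mail file. The following Python example is added here and is not from the list or from MIMEDefang; the signature, the sample message and the substring "scanner" are all constructed stand-ins.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed marker standing in for a scanner signature; not a real one.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"


def build_sample_mail() -> bytes:
    """Construct a mail carrying the marker inside a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    payload = b"MZ" + b"\x00" * 16 + SIGNATURE + b"\x00" * 16
    # add_attachment() base64-encodes binary content, so the marker
    # never appears literally in the serialised message.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()


def scan_bytes(data: bytes) -> bool:
    """Stand-in scanner: a plain substring match for the signature."""
    return SIGNATURE in data


def scan_raw_message(raw: bytes) -> bool:
    """Scan the whole RFC 822 file as one blob, as the raw-file test did."""
    return scan_bytes(raw)


def scan_each_part(raw: bytes) -> list:
    """Decode every leaf MIME part and scan it; return names of hits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        decoded = part.get_payload(decode=True) or b""
        if scan_bytes(decoded):
            hits.append(part.get_filename() or part.get_content_type())
    return hits
```

Running `scan_raw_message` on the sample yields no hit while `scan_each_part` reports `sample.bin`, which is the gap a per-part scanner such as MIMEDefang closes.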