[Mimedefang] RFC: better virus scanner status reporting?

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Tue Aug 12 03:23:01 EDT 2003


On Tue, 12 Aug 2003, James Ralston wrote:

> On 2003-08-10 at 22:25:30-0400 "David F. Skoll" <dfs at roaringpenguin.com> wrote:
>
> > If the exit code "2" always means "encrypted", then I agree: An
> > "encrypted" category is useful.  If an exit code of "2" could mean
> > something else, then it becomes difficult to know how to handle this
> > code.
>
> I performed some testing (using Sophos Sweep 3.72, the latest version)
> over several gigabytes of files.
>
> Exit code "2" does not always mean "password protected".  It will also
> be returned for certain PDF files, with an error message of either
> "format not supported" or "unexpected error [0x80040202]".  It may
> also be returned in other situations.

Actually I do not understand this topic for the reasons already mentioned
in various posts about the pros and cons of scanning archives at all.

There are plenty of reasons why scanning an archive can fail. Most of all:
You do not know if that is an archive at all. Do you really drop all
attachments of unknown type (I mean unknown _file_ type, not MIME type)?

IMHO if you tell your customers/users that you scan archives or perform a
deep scan of the documents, you take away responsibility from them to be
aware themselves, you increase the "feeling" of security a lot without
improving the security itself.

> Is it worth it to create a separate $category to indicate "well, no
> viruses were found, but since the virus scanner couldn't scan some
> parts of this message, there may still be a virus in it"?

Well, I mean exactly this:
<<There may still be a virus in it>> even if the virus scanner says there
is none! No need for such a category, because the virus topic by itself
implies that. E.g. consider how long it takes to get a new virus into the
DB of the scanner.

Bye,

-- 
Steffen Kaiser


