[Mimedefang] Mimedefang not calling virus scanners sometimes
Josh Kelley
josh at jbc.edu
Thu Apr 22 10:06:23 EDT 2004
Bill Maidment wrote:
> Because File-Scan identifies the NetSky virus and variants with that
> name and ClamAV identifies the same viruses as SomeFool, I would have
> expected the first virus scanner (which happens to be File-Scan) to
> always pick them up give them all the same name (NetSky in this case).
> However the logs show a mix of NetSky and SomeFool names (see attached
> graphdefang image), which leads me to the conclusion that for some
> reason File-Scan is not picking up the virus first and so it is caught
> by ClamAV. That's not so bad, but yesterday we had an older virus
> (Welchia-B) get through both File-Scan and ClamAV, even though it was
> known to both.
I haven't used File::Scan, but from using NAI uvscan and ClamAV, I've
noticed some differences in how virus scanners handle bounced messages,
error messages, etc. A bounce or error message may contain a virus,
part of a virus, or remnants of a virus after an ignorant virus scanner
removed it. Because there are so many different variations on how these
emails may appear, and because some of these emails aren't properly
formatted, I suspect that no virus scanner can properly handle them
all. I've seen ClamAV (very rarely) miss a virus that NAI uvscan
catches, and I've seen uvscan may miss a virus that McAfee VirusScan for
Windows (also an NAI product) catches. I would guess that this is
what's causing you to see a few viruses slip through.
Josh Kelley
More information about the MIMEDefang
mailing list