[Mimedefang] Mimedefang not calling virus scanners sometimes

Josh Kelley josh at jbc.edu
Thu Apr 22 10:06:23 EDT 2004


Bill Maidment wrote:

> Because File-Scan identifies the NetSky virus and variants with that 
> name and ClamAV identifies the same viruses as SomeFool, I would have 
> expected the first virus scanner (which happens to be File-Scan) to 
> always pick them up give them all the same name (NetSky in this case). 
> However the logs show a mix of NetSky and SomeFool names (see attached 
> graphdefang image), which leads me to the conclusion that for some 
> reason File-Scan is not picking up the virus first and so it is caught 
> by ClamAV. That's not so bad, but yesterday we had an older virus 
> (Welchia-B) get through both File-Scan and ClamAV, even though it was 
> known to both.

I haven't used File::Scan, but from using NAI uvscan and ClamAV, I've 
noticed some differences in how virus scanners handle bounced messages, 
error messages, etc.  A bounce or error message may contain a virus, 
part of a virus, or remnants of a virus after an ignorant virus scanner 
removed it.  Because there are so many different variations on how these 
emails may appear, and because some of these emails aren't properly 
formatted, I suspect that no virus scanner can properly handle them 
all.  I've seen ClamAV (very rarely) miss a virus that NAI uvscan 
catches, and I've seen uvscan may miss a virus that McAfee VirusScan for 
Windows (also an NAI product) catches.  I would guess that this is 
what's causing you to see a few viruses slip through.

Josh Kelley



More information about the MIMEDefang mailing list