[Mimedefang] entity_contains_virus_clamd message_contains_virus_clamd

Kelson kelson at speed.net
Mon Aug 30 12:25:15 EDT 2004


Florian Meister wrote:
> Why di I have to scan every mail two times ? 
> 
> In filter_begin() with message_contains_virus_clamd
> And in filter() with entity_contains_virus_clamd 
> 
> I understand, that I need entity_contains_virus_clamd to replace a specific part with a warning or something, but why do I need message_contains_virus_clamd ?? 

Well, there are two reasons.  The first is that since 
message_contains_virus_* runs on the entire working directory it should 
be slightly more efficient than calling the scanner once per entity.

More importantly, clamd can scan the entire unparsed message along with 
the entities mimedefang extracts.  And *this* is important for two reasons:

Clamd will recognize some types of attachments that mimedefang does not 
on its own (I think binhex falls under that category).

There are many ways to produce invalid MIME, and every mime parser will 
correct for a slightly different set of errors.  If some virus author 
comes up with a method that Outlook will puzzle out but MIMEDefang 
won't, you have a better chance of catching it by having both MD and 
clamd look for attachments.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>



More information about the MIMEDefang mailing list