[Mimedefang] dealing with .exe/.com viruses

[Paul Murphy]

> > Does someone know if there is a way to call the sub
> > "filter_bad_filename" after the antivirus check ?
> 
> Sure. In my filter() in mimedefang-filter, I do the 
> anti-virus check first
> and call filter_bad_filename() farther down. Works fine.

Yes, but be wary that the overheads of virus scanning first just so that you can
say that "hello.scr" was Bagle.AU rather than Bagle.AT are significant when
compared to the effort to say that the extension is ".scr", so we're dropping it
and doing no more work.  Also, it is very tempting to then say that anything
which clears the virus scan is OK, when in fact any HTA, PIF, SCR, etc file is
99.999% likely to be a virus, and even if it isn't, you should be enforcing a
policy that sending these types is not allowed.  That way, if you're A/V update
fails or your vendor is too slow to issue the latest signatures, you're still
mainly protected.

In general, I try to follow the least-effort route in scanning:

1.  Reject based on HELO/relay address
2.  Reject based on MAIL FROM
3.  Reject based on RCPT TO
4.  Reject based on ESMTP size
5.  Reject on message type
6.  Reject on attachment type/name
7.  Reject on Virus found
8.  Reject on Spam classification
9.  Reject on other content checks

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788


_______________________________________________________________________
DISCLAIMER:
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to which they
are addressed.  If you have received this email in error please contact
the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741
_______________________________________________________________________