[Mimedefang] dealing with .exe/.com viruses

Kelson kelson at speed.net
Wed Nov 3 12:25:44 EST 2004


Paul Murphy wrote:
>>>Does someone know if there is a way to call the sub
>>>"filter_bad_filename" after the antivirus check ?
>>
>>Sure. In my filter() in mimedefang-filter, I do the 
>>anti-virus check first
>>and call filter_bad_filename() farther down. Works fine.
> 
> 
> Yes, but be wary that the overheads of virus scanning first just so that you can
> say that "hello.scr" was Bagle.AU rather than Bagle.AT are significant when
> compared to the effort to say that the extension is ".scr", so we're dropping it
> and doing no more work.  Also, it is very tempting to then say that anything
> which clears the virus scan is OK, when in fact any HTA, PIF, SCR, etc file is
> 99.999% likely to be a virus, and even if it isn't, you should be enforcing a
> policy that sending these types is not allowed.  That way, if your A/V update
> fails or your vendor is too slow to issue the latest signatures, you're still
> mainly protected.

It all depends on the policy you want.  If you want to reject all 
noncompliant mail, then least-resistance is the way to go.  If you want 
to take different actions, you may have to rearrange things a bit.

For example, I drop definite mass-mailing viruses, reject other viruses, 
reject .exe, .scr and a few others, and defang other "bad" filenames 
after some extra checks on files like "whatever.com proposal.doc" or 
"cnn.com.html".

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
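The policy ladder in this post (drop known mass-mailers, reject other viruses, reject .exe/.scr and friends outright, defang the rest only after a closer look at names like "whatever.com proposal.doc") is easy to get wrong when the filename check is a bare substring or regex match on ".com". The following is an added example in Python, not MIMEDefang's own Perl filter API or anything from this thread: it contrasts a naive substring check with a final-extension check, then applies the same decision order. The extension sets, the `MASS_MAILERS` family list, and the `decide()` signature are constructed for illustration; in a real mimedefang-filter these would correspond to `$bad_exts`, the scanner's reported virus name, and the `action_*` calls.

```python
import re
from enum import Enum


class Action(Enum):
    DROP = "drop"      # discard the message silently (known mass-mailer)
    REJECT = "reject"  # bounce / reject at SMTP time
    DEFANG = "defang"  # rename the attachment, deliver the message
    ACCEPT = "accept"


# Constructed policy tables for this example (not MIMEDefang's defaults).
# Rejected regardless of A/V result: the post's point is that these are
# policy violations even when the scanner says they are clean.
REJECT_EXTS = {"exe", "scr", "pif", "hta", "com", "bat", "cmd", "vbs"}
# Merely suspicious: renamed so the mail client will not auto-open them.
DEFANG_EXTS = {"html", "htm", "js", "lnk", "reg"}
# Constructed family names used to decide "drop" versus "reject".
MASS_MAILERS = ("bagle", "netsky", "mydoom")

# The naive check that causes the false positives the post warns about:
# it fires on "whatever.com proposal.doc" because ".com" appears mid-name.
NAIVE_BAD = re.compile(r"\.(exe|scr|com|pif|hta)", re.IGNORECASE)


def naive_is_bad(filename):
    """Substring match anywhere in the name: over-blocks legitimate files."""
    return NAIVE_BAD.search(filename) is not None


def final_extension(filename):
    """Lowercase text after the LAST dot, with trailing spaces/dots removed.

    'whatever.com proposal.doc' -> 'doc'
    'cnn.com.html'              -> 'html'
    'report.doc.exe '           -> 'exe'   (double extension still caught)
    'foo.exe.'                  -> 'exe'   (trailing-dot trick still caught)
    """
    name = filename.strip().rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def classify_attachment(filename):
    """Decide per attachment using only the real final extension."""
    ext = final_extension(filename)
    if ext in REJECT_EXTS:
        return Action.REJECT
    if ext in DEFANG_EXTS:
        return Action.DEFANG
    return Action.ACCEPT


def decide(virus_name, filenames):
    """Apply the post's ladder to one message.

    virus_name: scanner result (None/'' if clean), e.g. 'Bagle.AU'.
    filenames:  names of all attachments in the message.
    """
    if virus_name:
        if any(family in virus_name.lower() for family in MASS_MAILERS):
            return Action.DROP      # definite mass-mailer: not worth a bounce
        return Action.REJECT        # any other virus: reject
    actions = {classify_attachment(f) for f in filenames}
    if Action.REJECT in actions:
        return Action.REJECT        # one forbidden extension rejects the mail
    if Action.DEFANG in actions:
        return Action.DEFANG        # otherwise rename the suspicious ones
    return Action.ACCEPT


if __name__ == "__main__":
    # Constructed sample attachments and scanner results.
    for name in ("whatever.com proposal.doc", "cnn.com.html", "hello.scr",
                 "report.doc.exe ", "notes.txt"):
        print(f"{name!r:30} naive={naive_is_bad(name)!s:5} "
              f"final_ext={classify_attachment(name).value}")
    print(decide("Bagle.AU", ["hello.scr"]).value)
    print(decide("SomeTrojan.Gen", ["price.pif"]).value)
    print(decide(None, ["cnn.com.html", "notes.txt"]).value)
```

Note that the extension check runs on the scanner-clean path as well: a clean "hello.scr" is still rejected, which is exactly the fallback the post wants when signatures lag or the A/V update fails.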
