[Mimedefang] dealing with .exe/.com viruses
Kelson
kelson at speed.net
Wed Nov 3 12:25:44 EST 2004
Paul Murphy wrote:
>>>Does someone know if there is a way to call the sub
>>>"filter_bad_filename" after the antivirus check ?
>>
>>Sure. In my filter() in mimedefang-filter, I do the
>>anti-virus check first
>>and call filter_bad_filename() farther down. Works fine.
>
>
> Yes, but be wary that the overheads of virus scanning first just so that you can
> say that "hello.scr" was Bagle.AU rather than Bagle.AT are significant when
> compared to the effort to say that the extension is ".scr", so we're dropping it
> and doing no more work. Also, it is very tempting to then say that anything
> which clears the virus scan is OK, when in fact any HTA, PIF, SCR, etc file is
> 99.999% likely to be a virus, and even if it isn't, you should be enforcing a
> policy that sending these types is not allowed. That way, if your A/V update
> fails or your vendor is too slow to issue the latest signatures, you're still
> mainly protected.

It all depends on the policy you want. If you want to reject all
noncompliant mail, then least-resistance is the way to go. If you want
to take different actions, you may have to rearrange things a bit.

For example, I drop definite mass-mailing viruses, reject other viruses,
reject .exe, .scr and a few others, and defang other "bad" filenames
after some extra checks on files like "whatever.com proposal.doc" or
"cnn.com.html".

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
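
The ordering discussed in this thread (scanner verdict first, then filename policy that still applies to clean scans), as an added example that is not part of the original post or of the MIMEDefang distribution. The `decide()` function, the extension lists, the virus-name patterns and the reading of the "extra checks" as sparing `.com` domain names before a harmless extension are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed policy lists (assumptions, adapt to local policy).
my $MASS_MAILER = qr/\b(?:Bagle|Netsky|Mydoom)\b/i;  # worm families to discard
my $REJECT_EXT  = 'exe|scr|pif|hta';                 # refused outright
my $BAD_EXT     = 'com|bat|cmd|vbs|lnk';             # defang candidates
my $BENIGN_EXT  = 'doc|html?|txt|pdf';               # harmless final extensions

# decide($filename, $virus) returns 'discard', 'reject', 'defang' or 'accept'.
# $virus is the scanner's virus name, or undef when the scan came back clean.
# In mimedefang-filter the results would map to action_discard(),
# action_bounce(), action_defang() and accepting the part.
sub decide {
    my ($fname, $virus) = @_;

    # 1. Scanner verdict first, so the action can differ by virus type.
    if (defined $virus) {
        return $virus =~ $MASS_MAILER ? 'discard' : 'reject';
    }

    # 2. A clean scan is not a pass: these extensions are refused anyway,
    #    which still holds when signatures are stale. Trailing dots count.
    return 'reject' if $fname =~ /\.(?:$REJECT_EXT)\.*$/i;

    # 3. Other bad extensions at the end of the name are defanged.
    return 'defang' if $fname =~ /\.(?:$BAD_EXT)\.*$/i;

    # 4. Bad or refused extension inside the name, before another extension.
    if ($fname =~ /\.($REJECT_EXT|$BAD_EXT)\b.*\.([a-z0-9]+)$/i) {
        my ($inner, $last) = (lc $1, lc $2);
        # Assumed extra check: ".com" that reads as a domain name in front
        # of a harmless extension is left alone.
        return 'accept' if $inner eq 'com' && $last =~ /^(?:$BENIGN_EXT)$/;
        return 'defang';
    }
    return 'accept';
}

# Constructed samples: [filename, scanner verdict or undef for a clean scan].
for my $s (['hello.scr', 'Bagle.AU'], ['hello.scr', undef],
           ['macro.doc', 'W97M.Generic'], ['setup.com', undef],
           ['invoice.bat.txt', undef], ['cnn.com.html', undef],
           ['whatever.com proposal.doc', undef]) {
    printf "%-27s %-13s %s\n", $s->[0], $s->[1] // 'clean', decide(@$s);
}
```

Swapping steps 1 and 2 gives the cheaper ordering from the quoted reply, at the cost of no longer distinguishing virus types for the refused extensions.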