[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Thu Jun 30 10:19:29 EDT 2005


WBrown at e1b.org wrote:

> Symantec (back when it was Norton AV) used to generate some false
> positives in their desktop AV products, so I'm leery of just dropping
> messages.  If I refuse delivery, I don't feel any responsibility for the
> NDN generated by some other system.  They should not have accepted the
> mail for relay anyways, unless it truly was from an authorized user, in
> which case they deserve the bounces.

I would say that virus software running on the mail gateway (ClamAV,
McAfee, etc.) is far more accurate than desktop AV software.  This is not
because the AV software is better for mail gateways, but it is *easier* to
detect a virus in an email than it is to accurately identify and detect a
virus on someone's hard disk due to all the poorly written programs,
documents, archives, and executables that people download and/or store on
their PC disks (which in most cases violates their own corporate computer
usage policies). So it all boils down to complexity.  AV scanners on the
mail gateway most certainly have an easier job scanning and detecting a
virus, where desktop AV scanners have to take much more into consideration,
so the room for error is much greater with desktop AV software.
Unfortunately, a large number of valid and legitimate MX hosts do not run AV
scanners on their gateways, so we can't rely on others to stop illegitimate
mail from propagating to other servers, including our own.  The burden falls
on our shoulders, so we (as Admins) have to take appropriate measures to
stop the problem in its tracks.

- Chris  


------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net



