[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

WBrown at e1b.org WBrown at e1b.org
Thu Jun 30 11:27:45 EDT 2005


mimedefang-bounces at lists.roaringpenguin.com wrote on 06/30/2005 10:19:29 AM:

> I would say that virus software running on the mail gateway (clam av,
> mcafee, etc.) are far more accurate than desktop AV software.  This is not
> because the AV software is better for mail gateways, but it is *easier* to
> detect a virus in an email than it is to accurately identify and detect a
> virus on someone's hard disk due to all the poorly written programs,
> documents, archives, and executables that people download and/or store on
> their PC disks (which in most cases violates their own corporate computer
> usage policies). So it all boils down to complexity.  AV scanners on the
> mail gateway most certainly have an easier job scanning and detecting a
> virus, where desktop AV scanners have to take much more into consideration,
> so the room for error is much greater with desktop AV software.
> Unfortunately, a large number of valid and legitimate MX hosts do not run AV
> scanners on their gateways, so we can't rely on others to stop illegitimate
> mail from propagating to other servers, including our own.  The burden falls
> on our shoulders, so we (as Admins) have to take appropriate measures to
> stop the problem in its tracks.

Huh?  program.exe is the same file, whether it is stored on a local drive,
or extracted from an email.  And if the same definition says it is a
virus, I don't see why it would matter where it was.

And anyone that runs a mail server not protected by AV is just hanging out
a big old "KICK ME!" sign. It doesn't matter whether it is an MX or a relay
for internal users.  The only mail servers that can get away without 
running AV are those that only accept connections from servers that *ARE* 
running AV and do not accept any connections from end-user devices.


