[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Thu Jun 30 13:00:55 EDT 2005


Matthew.van.Erde wrote:

> I hate to disagree with David on his own list...
> 
> But it's all about risk and reward, isn't it.
> 
> Sure, chances are near 0%.  But the chance is still there.  Check the
> ClamAV list for some recent false positive reports, for example.  (Not
> picking on ClamAV - every AV scanner has this problem.)
> 
> If a real virus is missed, you might get infected.  Unless you have
> redundant protection levels, which most of us do nowadays.  If we're
> careful, that is.
> 
> If a real file is misread as a virus, you have dropped user mail.  The
> consequences of this depend on the nature of your relationship with the
> people that use your mail server.

I'm not arguing your point, what you say is certainly valid -- ok there's a
minuscule probability of a FP from a virus scanner, but you HAVE TO ADMIT
that if it is something legitimate that a client sent, your MOST probable
response would be "well, next time don't send vbs files directly attached to
your email", or something along those lines, and the client will almost
certainly accept it as his/her fault, as has been the case with us 100% of
the time when dealing with this very same issue; but let's get back to the
rejecting vs. discarding viruses argument.

No matter how you slice it, you are adding "risk" by perpetuating the
existence of a virus when you reject at the SMTP level.  You may not be
adding risk directly on your OWN network, but let's say a client of yours
(with a poorly-protected mail server), on SOME OTHER network, happens to be
the poor bystander whose address was FORGED by the virus by some mail server
over in Ethiopia or whatever, you just became the cause (albeit indirect) of
your client receiving a virus-laden attachment because the message was
BOUNCED to him/her after you rejected it from some sort of remote SMTP relay
or MX host.  Yes, not all viruses forge emails this way, but many of them
now do.  Think of things from the virus writer's perspective...I'm sure
you'll reconsider some of your arguments.

> 
> If people want to get infected, let them.  As long as they back up their
> data... and they don't particularly care about information leaks... what's
> the harm?  It's their decision, not yours.  All you can do is inform them
> of possible consequences of their decisions.
> 
> The Titanic didn't have enough lifeboats... this was White Star's call...

Whoa, if we all took that approach, we'd be in a heap of trouble (imagine if
the W.H.O. took that approach...).  "As long as they back up their data..."
is also stretching it.  Sure, let them all get infected, but never forget
that what goes around, comes around.  We're talking about small to medium
businesses that do not bring in 7-figure revenues each year and certainly
cannot afford an IT staff.  I'm not arguing my decision vs. theirs, I'm
arguing loosely from a semi-utilitarian perspective (with many mods).  

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net        



