[Mimedefang] Re: Anti-virus software

Chris Gauch cgauch at digicon.net
Wed Mar 2 14:43:26 EST 2005


> Just to be contrary ;) I'll say that it depends on your objective: Viruses
> tend to "stay in the system" a long time and if you've got savvy users who
> already know to use a good MUA and who don't blindly click on things, then
> the benefit of AV at the mail gateway is to reduce the load of looking at
> the stuff. It's essentially the same benefit you get from a spam scanner.
> 
> Alas, most of us suffer clueless users and PHB's insisting on vulnerable
> clients (mostly made by guess-who) so MS' point is well-taken.

Also, in defense of AV scanning at the mail gateway, we have not had a
single virus pass through to any of our recipients' mailboxes since we began
using ClamAV on our gateway spam filtering servers and our main mail server
(so basically we employ 2 layers of ClamAV virus scanning).  Even recently,
when new/unknown viruses have surfaced, the ClamAV virus signatures DB (as
long as it was up-to-date) often caught viruses ahead of time; other virus
scanning systems (even several commercial scanners) have not been as
fortunate.  A cron job updates the virus signatures DB every hour, but
keeping up with the stable releases is just as important as (if not more
important than) keeping the signatures DB current.  Newer versions of ClamAV
can also snag those "phishing" emails that contain viruses embedded in HTML
(something that a client AV scanner might not even catch); just one of
several features not available in earlier versions of ClamAV. 

Probably 90% or so of personnel in a typical business environment are
"non-savvy" computer users, and in our case the problems we have encountered
have been 100% to blame on spyware.  Unfortunately, there's no way for us to
stop each and every user on our network from clicking on that "You might
have a virus -- click HERE to fix it" message.  It would be nice, however,
if some sort of centrally-controlled "electric fence" was available to
administrators; then every now and again we could give the clueless user a
nice zap right before they click on one of those links. Perhaps that would
teach 'em once and for all ;-)  


- Chris


------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
cgauch at digicon.net
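
An added example, not part of the original post: a monitoring check for the two things the message says matter on a scanning gateway, a current signatures DB and a current stable engine. It parses the one-line output of `clamscan --version`; the sample lines, version numbers, minimum engine and age threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# `clamscan --version` prints "ClamAV <engine>/<db version>/<db build date>",
# or only "ClamAV <engine>" when no signature database could be loaded.
VERSION_RE = re.compile(
    r"^ClamAV (?P<engine>[0-9][^/\s]*)(?:/(?P<db>\d+)/(?P<date>.+))?$")

def parse_version(line):
    """Return (engine, db_version or None, db_build_time or None)."""
    m = VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised version line: %r" % line)
    if m.group("date") is None:
        return m.group("engine"), None, None
    built = datetime.strptime(m.group("date").strip(), "%a %b %d %H:%M:%S %Y")
    return m.group("engine"), int(m.group("db")), built

def engine_tuple(version):
    """'0.83rc1' -> (0, 83): compare the leading numeric components only."""
    return tuple(int(p) for p in
                 re.match(r"\d+(?:\.\d+)*", version).group().split("."))

def check(line, now, min_engine, max_age=timedelta(hours=48)):
    """Return a list of problems; an empty list means the scanner is current.

    max_age is an assumed threshold. The build date is when the signature
    DB was published, not when the cron job last ran, so a DB can
    legitimately be some hours old even with hourly updates.
    """
    engine, db, built = parse_version(line)
    problems = []
    if engine_tuple(engine) < engine_tuple(min_engine):
        problems.append("engine %s older than required %s" % (engine, min_engine))
    if built is None:
        problems.append("no signature database loaded")
    elif now - built > max_age:
        problems.append("signature DB %d is %s old" % (db, now - built))
    return problems

if __name__ == "__main__":
    now = datetime(2005, 3, 2, 14, 43, 26)          # constructed "current time"
    samples = [                                      # constructed sample lines
        "ClamAV 0.83/742/Wed Mar  2 10:15:02 2005",
        "ClamAV 0.80/610/Fri Feb 25 09:00:00 2005",
        "ClamAV 0.83",
    ]
    for s in samples:
        print(s, "->", check(s, now, min_engine="0.83") or "OK")
```

Run from cron on each scanning layer, feeding it the real `clamscan --version` line and alerting on any non-empty result.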