[Mimedefang] re_match in filter_begin

Jan-Pieter Cornet johnpc at xs4all.nl
Mon Mar 3 04:03:34 EST 2008


On Fri, Feb 29, 2008 at 06:33:48PM -0500, Kevin A. McGrail wrote:
> Follow-up on my earlier code.  I think if I want to trick MD into thinking 
> I have a different scanner temporarily, I need to do this.  It's untested 
> but I definitely didn't have it right before.
> 
>      if (re_match($entity, '\.docx?') && 1 == 2) {
>        $Features{'Virus:NAI_temp'} = $Features{'Virus:NAI'};
>        $Features{'Virus:NAI'} = undef;
>        $Features{'Virus:CLAMAV'} = '/usr/local/clamav/bin/clamscan';
>        undef @VirusScannerMessageRoutines;
>        undef @VirusScannerEntityRoutines;
>        $VirusScannerRoutinesInitialized = 0;
>        initialize_virus_scanner_routines();
> 
> ...
> 
>        $Features{'Virus:NAI'} = $Features{'Virus:NAI_temp'};
>        $Features{'Virus:CLAMAV'} = undef;
>        undef @VirusScannerMessageRoutines;
>        undef @VirusScannerEntityRoutines;
>        $VirusScannerRoutinesInitialized = 0;
>        initialize_virus_scanner_routines();
>      }
>    }

Why don't you simply use both scanners all the time? Performance
issues? Afraid of false positives?

We're currently using 3 virus scanners, and virus scanning doesn't
take many resources, when compared to spamassassin. Plus, it's clear
that not all scanners detect all viruses, so we get the benefit of
a better detection rate.

Also, since we always run all scanners, it allows us to compare the
performance of the scanners, so when it's time to re-evaluate the
license, you can tell something about the value that each scanner adds.

And finally, because we run all scanners, when 2 or more scanners say
it's a virus, we don't bother "bouncing" it (sending a 5xx reply),
but we simply discard it. For the sake of false positives (sporadic,
but still present), we reject on a single virus match (we used to
tempfail, but that turned out to have no positive effect, especially
in today's email environment).

You do have to configure clamav with "PhishingScanURLs no", but I 
believe that issue has been beaten to death here already.

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
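
The policy described in the message above (every scanner runs on every message, two or more hits are discarded, a single hit is rejected) together with the per-scanner comparison, as an added example that is not part of the original post or of MIMEDefang itself. The scanner names and verdicts are constructed, the `($code, $category, $action)` triples are modelled on what MIMEDefang scanner routines return, and not counting a scanner error as a vote is an assumption.

```perl
use strict;
use warnings;

# Constructed verdicts, one ($code, $category, $action) triple per scanner.
# Message ids and scanner names (scanA..scanC) are made up for illustration.
my %mail = (
    'msg-1' => { scanA => [0, 'ok', 'ok'],            scanB => [0, 'ok', 'ok'],
                 scanC => [0, 'ok', 'ok'] },
    'msg-2' => { scanA => [1, 'virus', 'quarantine'], scanB => [0, 'ok', 'ok'],
                 scanC => [0, 'ok', 'ok'] },
    'msg-3' => { scanA => [1, 'virus', 'quarantine'], scanB => [1, 'virus', 'quarantine'],
                 scanC => [0, 'ok', 'ok'] },
    'msg-4' => { scanA => [0, 'ok', 'ok'],            scanB => [999, 'swerr', 'tempfail'],
                 scanC => [1, 'virus', 'quarantine'] },
);

# Policy from the message: two or more hits -> discard silently,
# exactly one hit -> reject with a 5xx, no hits -> accept.
# Assumption: a scanner error ('swerr') is not counted as a vote either way.
sub decide {
    my ($results) = @_;
    my @hits = sort grep { $results->{$_}[1] eq 'virus' } keys %$results;
    my $action = @hits >= 2 ? 'discard' : @hits == 1 ? 'reject' : 'accept';
    return ($action, @hits);
}

my (%hits, %sole);
for my $id (sort keys %mail) {
    my ($action, @hits) = decide($mail{$id});
    $hits{$_}++ for @hits;
    $sole{ $hits[0] }++ if @hits == 1;    # only this scanner caught it
    printf "%-6s %-8s %s\n", $id, $action, @hits ? "(@hits)" : '';
}

# Per-scanner tally: total detections, and detections no other scanner made.
# The "sole" column is the number that matters when a license is up for renewal.
for my $s (qw(scanA scanB scanC)) {
    printf "%-6s hits=%d sole=%d\n", $s, $hits{$s} // 0, $sole{$s} // 0;
}
```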
