[Mimedefang] ClamAV effectiveness
C.J.Theunissen at differ.nl
Tue Jul 2 14:07:37 EDT 2013
On Tue, 2 Jul 2013, John Nemeth wrote:
>On Jun 28, 9:31pm, Kees Theunissen wrote:
>} 947 Messages were rejected because they contained .exe files with
>} double extensions (.doc.exe or .JPEG.exe) in a zipped attachment.
>} None of those were detected by ClamAV.
> Do you perform this test before checking for viruses? I know
>I would, as a simple test to catch low hanging fruit like this is
>always going to run much faster than a virus scanner.
This low hanging fruit is harvested in the "filter" routine while
ClamAV is called from "filter_begin". So ClamAV runs first.

My filter is based on the "Suggested minimum-protection filter for
Microsoft Windows clients" distributed with MIMEDefang. The original
filter calls the configured virus scanner(s) from "filter_begin"
and I didn't change that. It might be possible to gain some performance
by moving the virus stuff to "filter_end" but at least it needs testing
to prove that. In my case, with an average load of 2 or 3 messages per
minute, performance isn't really a concern and I have no urge to change
the order of the tests.
Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: C.J.Theunissen at differ.nl
postal address: PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
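
Added example, not part of the post above and not code from the MIMEDefang distribution: a standalone Python sketch of the kind of check the thread describes, flagging zip members whose names end in a document or image extension followed by an executable one. The extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed extension lists; a real filter would use its own policy.
DECOY_EXT = r"(?:doc|docx|xls|pdf|txt|jpg|jpeg|gif|png)"
EXEC_EXT = r"(?:exe|scr|com|pif|bat|cmd)"
# Decoy extension, optional whitespace padding, then an executable extension.
DOUBLE_EXT_RE = re.compile(rf"\.{DECOY_EXT}\s*\.{EXEC_EXT}$", re.IGNORECASE)


def double_ext_members(zip_bytes):
    """Return zip member names that end in a decoy + executable extension.

    Only the archive directory is read; nothing is extracted.
    Returns None when the data is not a readable zip, so the caller
    can apply its own policy to unparseable attachments.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    hits = []
    for name in names:
        # Match on the file name only, ignoring any directory prefix.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
        if DOUBLE_EXT_RE.search(base):
            hits.append(name)
    return hits


def make_zip(names):
    """Build a constructed in-memory zip with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two double-extension names, two that are not.
    sample = make_zip(["invoice.doc.exe", "photos/holiday.JPEG.exe",
                       "readme.txt", "setup.exe"])
    print(double_ext_members(sample))
```

A plain `setup.exe` is deliberately not matched here, since this sketch covers only the double-extension case; blocking executables outright would be a separate rule.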