[Mimedefang] ClamAV effectiveness

Kees Theunissen C.J.Theunissen at differ.nl
Tue Jul 2 14:07:37 EDT 2013

On Tue, 2 Jul 2013, John Nemeth wrote:

>On Jun 28,  9:31pm, Kees Theunissen wrote:
>}  947  Messages were rejected because they contained .exe files with
>}       double extensions (.doc.exe or .JPEG.exe) in a zipped attachment.
>}       None of those were detected by ClamAV.
>     Do you perform this test before checking for viruses?  I know
>I would, as a simple test to catch low hanging fruit like this is
>always going to run much faster then a virus scanner.

This low hanging fruit is harvested in the "filter" routine while
ClamAV is called from "filter_begin". So ClamAV runs first.

My filter is based on the "Suggested minimum-protection filter for
Microsoft Windows clients" distributed with MIMEDefang. The original
filter calls the configured virus scanner(s) from "filter_begin"
and I didn't change that. It might be possible to gain some performance
by moving the virus stuff to "filter_end" but at least it needs testing
to prove that. In my case, with an average load of 2 or 3 messages per
minute, performance isn't realy a concern and I have no urge to change
the order of the tests.


Kees Theunissen.

Kees Theunissen,  System and network manager,   Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   C.J.Theunissen at differ.nl
postal address:   PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL

More information about the MIMEDefang mailing list