[Mimedefang] ClamAV effectiveness
David F. Skoll
dfs at roaringpenguin.com
Fri Jun 28 16:52:11 EDT 2013
On 28 Jun 2013 22:18:00 +0200
Hullen at t-online.de (Helmut Hullen) wrote:

> Such a type of suspicious file you should detect with another routine
> - it's faster, and it seems to be reliable enough especially for
> news viruses.

Yes, I agree and we do that. However, here's the problem: I'm confident
enough to outright discard messages that ClamAV detects as a virus. I
would dearly love to do the same with *all* EXE files, but our users
would revolt. So instead, we quarantine them.

If ClamAV detected a higher proportion of viruses, then there would be
fewer quarantined incidents and (more importantly) less danger of an
unsophisticated user releasing a virus from the quarantine.

We put a giant warning icon in the quarantine user-interface if there's
an EXE, but users ignore giant warning icons. :(
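
The discard-versus-quarantine policy described in the message above, sketched as an added example that is not part of the original post and is not MIMEDefang or Roaring Penguin filter code. Assumptions: the scanner verdict is passed in as a boolean, and "EXE" is taken to mean a `.exe` filename or a non-text part starting with the `MZ` magic bytes; the function names and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def has_exe_attachment(msg):
    """True if a leaf MIME part is named *.exe or begins with the DOS/PE 'MZ' magic."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            return True
        # Check content too, so a renamed executable is still caught.
        # Text parts are skipped: a body that starts with "MZ" is not an EXE.
        if part.get_content_maintype() != "text":
            payload = part.get_payload(decode=True) or b""
            if payload[:2] == b"MZ":
                return True
    return False


def triage(raw_message, scanner_found_virus):
    """Return 'discard', 'quarantine' or 'accept' for one raw message."""
    if scanner_found_virus:
        return "discard"      # scanner hit: trusted enough to drop outright
    msg = message_from_bytes(raw_message, policy=policy.default)
    if has_exe_attachment(msg):
        return "quarantine"   # unknown executable: hold for review, not delivered
    return "accept"


def build_sample(filename, content):
    """Constructed sample: a message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    renamed = build_sample("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 16)
    print(triage(renamed, scanner_found_virus=False))
```

Every message that reaches the `quarantine` branch is one the scanner missed or one that is benign, which is why the quarantine volume tracks the scanner's detection rate.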