[Mimedefang] ClamAV effectiveness
Hullen at t-online.de
Fri Jun 28 22:58:00 EDT 2013
You wrote on 28.06.13:
>> Such a type of suspicious file you should detect with another
>> routine - it's faster, and it seems to be reliable enough especially
>> for news viruses.
> Yes, I agree and we do that. However, here's the problem: I'm
> confident enough to outright discard messages that ClamAV detects as
> a virus. I would dearly love to do the same with *all* EXE files,
> but our users would revolt. So instead, we quarantine them.
> If ClamAV detected a higher proportion of viruses, then there would
> be fewer quarantined incidents and (more importantly) less danger of
> an unsophisticated user releasing a virus from the quarantine.
All my e-mails which contained an attachment with a zipped *.exe
contained a virus. And when I had these attachments examined by
jotti.org or virustotal.com, most times only a few scanners detected a
virus within the first 4 to 6 hours.
Declaring this type of attachment as "suspicious" did the job; using a
virus scanner most times didn't.
Ok - "suspicious" mail has to be handled in a special way by the end
user. Not by the server (or by the MTA).
> We put a giant warning icon in the quarantine user-interface if
> there's an EXE, but users ignore giant warning icons. :(
That's the major problem - am I mother and father of my users, and are
they my innocent little children whom I have to protect?
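
The "suspicious" check for zipped executables discussed in this thread, as an added example that is not from the post or from MIMEDefang: a Python sketch (not a MIMEDefang filter) that flags a message when an attachment is an executable or a zip containing one. The function names, the extension list beyond EXE and the treatment of unreadable archives are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTS = (".exe", ".scr", ".pif", ".com")  # assumed list; the thread names only EXE

def zip_has_executable(data: bytes) -> bool:
    """True if a member has an executable extension or starts with an MZ header."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_EXTS):
                    return True
                if not info.flag_bits & 0x1:  # encrypted members: name check only
                    with zf.open(info) as fh:
                        if fh.read(2) == b"MZ":  # catches a renamed executable
                            return True
    except (zipfile.BadZipFile, NotImplementedError):
        return True  # assumption: an archive we cannot read is suspicious
    return False

def classify(raw: bytes) -> str:
    """Return 'suspicious' or 'clean' for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXTS) or payload[:2] == b"MZ":
            return "suspicious"
        # Decide by zip magic bytes, not by the declared MIME type or file name.
        if payload[:4] == b"PK\x03\x04" and zip_has_executable(payload):
            return "suspicious"
    return "clean"

def build_sample(member_name: str, member_data: bytes) -> bytes:
    """Constructed test mail: a text body plus one zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_data)
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

The check needs no signature updates, which is why it still works in the first hours when few scanners recognise a new sample.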