[Mimedefang] ClamAV effectiveness

Helmut Hullen Hullen at t-online.de
Fri Jun 28 22:58:00 EDT 2013

Hallo, David,

Du meintest am 28.06.13:

[zipped *.exe]

>> Such a type of suspicious file you should detect with another
>> routine - it's faster, and it seems to be reliable enough especially
>> for news viruses.

> Yes, I agree and we do that.  However, here's the problem: I'm
> confident enough to outright discard messages that ClamAV detects as
> a virus.  I would dearly love to do the same with *all* EXE files,
> but our users would revolt.  So instead, we quarantine them.

> If ClamAV detected a higher proportion of viruses, then there would
> be fewer quarantined incidents and (more importantly) less danger of
> an unsophisticated user releasing a virus from the quarantine.

Perhaps ...
All my e-mails which contained an attachment with a zipped *.exe  
contained a virus. And when I let examine these attachments from  
jotti.org or virustotal.com most times only few scanners detected a  
virus within the first 4 to 6 hours.

Declaring such type of attachments as "suspicious" did the job, using a  
virus scanner most times didn't.

Ok - "suspicious" mail has to be handled in a special way from the end  
user. Not from the server (or from the MTA).

> We put a giant warning icon in the quarantine user-interface if
> there's an EXE, but users ignore giant warning icons. :(

That's the major problem - am I mother and father of my users, and are  
they my innocent little children whom I have to protect?

Viele Gruesse!

More information about the MIMEDefang mailing list