[Mimedefang] ClamAV effectiveness

Paul Murphy pjm at ousekjarr.org
Sat Jun 29 05:20:39 EDT 2013


> All my e-mails which contained an attachment with a zipped *.exe
> contained a virus.
> And when I had these attachments examined by jotti.org or
> virustotal.com, most of the time
> only a few scanners detected a virus within the first 4 to 6 hours.

Precisely - there is always a window of risk with new viruses and
variants, so you cannot rely on a virus scanner to pick up everything.
Good policy will always be needed, and in every environment the only
effective approach is either to quarantine such messages for manual
inspection, or to delay their delivery for long enough that the virus
scanners may have caught up.  Whether this is by automated quarantine
release after 24 hours if the message is still reported as clean, or by
a kind of greylisting for messages which have this sort of attachment,
it has the same effect.

It is precisely because the end users are stupid that you can't just
deliver it and rely on them not opening the zip file with an executable
in it which claims to be a delivery notification from Fedex, because in
reality at least 25% of them will do so.

So, virus distributors have learned that sending out the same code for
weeks on end suffers from severely diminishing returns, and now they
have a new variant every day or every few hours.  The AV vendors are all
struggling to keep up, and the signature files are now huge and
memory-intensive.

Paul.
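The hold-and-rescan policy described above, written out as an added example in Python. This is not code from the post or from MIMEDefang (whose filters are Perl); everything here is an assumption of the example: risky_attachments() finds attachments that are, or are zip archives containing, an executable; HashScanner stands in for clamd, with learn() modelling the vendor signature arriving some hours after the first sample; HoldQueue makes the SMTP-time decision (reject if already detected, hold if risky, deliver otherwise) and runs a periodic sweep that discards a held message once the scanner catches up, or releases it after the 24-hour window if it is still reported clean. The extension list and the sample "delivery notification" message are constructed for the example.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as executable (illustrative list, an assumption of this example).
EXEC_RE = re.compile(r"\.(exe|scr|pif|com|bat|cmd|js|vbs)$", re.IGNORECASE)
HOLD_SECONDS = 24 * 3600   # the 24 h hold window from the post


def zip_executables(data: bytes) -> list[str]:
    """Executable member names in a zip; unreadable input is itself a finding (fail closed)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if EXEC_RE.search(n)]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]


def attachments(raw: bytes):
    """(filename, decoded payload) for every named, non-multipart part of a raw message."""
    for part in message_from_bytes(raw, policy=policy.default).walk():
        fname = part.get_filename()
        if fname and part.get_content_maintype() != "multipart":
            yield fname, part.get_payload(decode=True) or b""


def risky_attachments(raw: bytes) -> list[str]:
    """Attachment names that are, or contain, an executable."""
    findings = []
    for fname, payload in attachments(raw):
        if EXEC_RE.search(fname):
            findings.append(fname)
        elif fname.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings += [f"{fname}:{n}" for n in zip_executables(payload)]
    return findings


class HashScanner:
    """Stand-in for clamd (an assumption): flags known-bad SHA-256s of attachments.
    learn() models the vendor shipping a signature some hours after first sighting."""

    def __init__(self):
        self.signatures: set[str] = set()

    def learn(self, raw: bytes) -> None:
        self.signatures.update(hashlib.sha256(p).hexdigest() for _, p in attachments(raw))

    def __call__(self, raw: bytes) -> bool:
        return any(hashlib.sha256(p).hexdigest() in self.signatures for _, p in attachments(raw))


class HoldQueue:
    """Delayed delivery: hold risky mail, rescan every sweep, discard if a signature
    catches up, release it once the hold window has passed without a hit."""

    def __init__(self, hold_seconds: int = HOLD_SECONDS):
        self.hold_seconds = hold_seconds
        self.held: dict[str, tuple[bytes, float]] = {}  # id -> (raw, received_at)

    def receive(self, msg_id: str, raw: bytes, scanner, now: float) -> str:
        """SMTP-time decision: 'reject', 'hold' or 'deliver'."""
        if scanner(raw):
            return "reject"                  # already known: refuse it outright
        if risky_attachments(raw):
            self.held[msg_id] = (raw, now)   # clean now, perhaps only because it is new
            return "hold"
        return "deliver"

    def sweep(self, scanner, now: float) -> dict[str, str]:
        """Periodic pass over the queue, e.g. hourly from cron."""
        actions = {}
        for msg_id, (raw, received_at) in list(self.held.items()):
            if scanner(raw):
                actions[msg_id] = "discard"  # signatures caught up: never deliver
                del self.held[msg_id]
            elif now - received_at >= self.hold_seconds:
                actions[msg_id] = "release"  # still clean after the window
                del self.held[msg_id]
            else:
                actions[msg_id] = "hold"
        return actions


def make_zip(member: str, content: bytes = b"MZ" + b"\0" * 64) -> bytes:
    """Constructed sample archive; the content is a fake PE header, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def build_sample(member: str, filename: str = "Delivery_Notification.zip") -> bytes:
    """Constructed sample message in the style of a fake courier notice."""
    msg = EmailMessage()
    msg["Subject"] = "Your parcel could not be delivered"
    msg.set_content("Please open the attached delivery notification.")
    msg.add_attachment(make_zip(member), maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()
```

Timeline for a new variant: receive() holds the zipped .exe because the scanner has no signature yet; an hourly sweep() keeps holding it while it is clean; once scanner.learn() has added the hash, the next sweep() discards it, and receive() would now reject the same message outright. A held message that never gets a signature is released by the sweep after HOLD_SECONDS. The zip check reads only member names, so it also works on password-protected archives (the central directory is not encrypted), and an archive that cannot be parsed is treated as a finding rather than waved through; it does not descend into zips nested inside zips, which a production filter should do with a depth limit. In a real deployment the hold queue is mail spooled to disk (in MIMEDefang terms, the quarantine) and the sweep a cron job rescanning against the current clamd signatures.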
