[Mimedefang] ClamAV effectiveness
G.W. Haywood
mimedefang at jubileegroup.co.uk
Fri Sep 19 12:49:09 EDT 2014
Hi there,
On Fri, 19 Sep 2014, David F. Skoll wrote:
> 4. ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)
Oops. Sorry about that. :/
Mr. Skoll also wrote:
> On Thu, 18 Sep 2014 17:33:44 +0100 (BST)
> "G.W. Haywood" <mimedefang at jubileegroup.co.uk> wrote:
>> In my opinion ClamAV is more or less useless for anything other than
>> the phishing signatures etc. for which I use it.
>
> Seconded. ClamAV has become almost completely useless since the
> Sourcefire and then Cisco acquisition. It's a fine engine, but signatures
> are awful.
>
> On our hosted anti-spam service, we outright block executables as well
> as executables contained within archive files like ZIP, ARJ, .tar.gz, etc.
I call sub filter_bad_filename() in sub filter() and sub filter_multipart()
and REJECT the message if it doesn't pass muster.
    # Doesn't everybody do this?
    sub filter_bad_filename ($) {
        my($entity) = @_;
        my($bad_exts, $re);
        # Extension alternation, optionally followed by a {CLSID}-style suffix.
        $bad_exts = $long_list_of_bad_extensions . '(|\{[^\}]+\})';
        # Match the extension at the end of the name, allowing trailing dots.
        $re = '\.' . $bad_exts . '\.*$';
        return 1 if (re_match($entity, $re));
        # Note: Install Archive::Zip on this server!
        # For ZIP attachments, also check the names listed inside the archive.
        if (re_match($entity, '\.zip$') and $Features{"Archive::Zip"}) {
            my $bh = $entity->bodyhandle();
            if (defined($bh)) {
                my $path = $bh->path();
                if (defined($path)) {
                    return re_match_in_zip_directory($path, $re);
                }
            }
        }
        return 0;
    }
Mr. Skoll wrote further:
> On Thu, 18 Sep 2014 14:17:13 -0500 Richard Laager <rlaager at wiktel.com> wrote:
>
> > Is there a virus scanner you'd recommend for use with MIMEDefang on Linux?
>
> ... I'd recommend not running Windows which reduces your exposure to viruses
Seconded.
> by 99%.
I respectfully disagree with the 99%. I'm sure it's more than that. :)
--
73,
Ged.
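
The ZIP branch of the filter above rejects on the names listed in the archive directory. The stand-alone script below is an added example, not code from this post or from MIMEDefang: it applies a regexp of the same shape to the member names of two constructed archives. It assumes Archive::Zip is installed; the short extension list, the sample file names and the helpers bad_names_in_zip() and make_sample_zip() are hypothetical.

```perl
#!/usr/bin/perl
# Added example: match ZIP member names against a bad-extension regexp.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempfile);

# Constructed, deliberately short list; a production filter uses a longer one.
my $bad_exts = '(exe|scr|pif|bat|com|vbs|js)' . '(|\{[^\}]+\})';
my $re       = '\.' . $bad_exts . '\.*$';

# Return the member names in $zipfile that match $regexp. An empty list
# means no match, or that the file could not be parsed as a ZIP archive.
sub bad_names_in_zip {
    my ($zipfile, $regexp) = @_;
    Archive::Zip::setErrorHandler(sub { });    # keep parse errors quiet
    my $zip = Archive::Zip->new();
    return () unless $zip->read($zipfile) == AZ_OK;
    return grep { /$regexp/i } map { $_->fileName() } $zip->members();
}

# Write a constructed sample archive containing the given member names.
sub make_sample_zip {
    my (@names) = @_;
    my ($fh, $path) = tempfile(SUFFIX => '.zip', UNLINK => 1);
    close $fh;
    my $zip = Archive::Zip->new();
    $zip->addString('constructed sample content', $_) for @names;
    $zip->writeToFileNamed($path) == AZ_OK or die "cannot write $path\n";
    return $path;
}

my $clean = make_sample_zip('report.txt', 'docs/readme.pdf');
# Mixed case, a double extension and a trailing dot are all caught.
my $dirty = make_sample_zip('report.txt', 'docs/invoice.pdf.EXE', 'setup.scr.');

for my $case ([clean => $clean], [dirty => $dirty]) {
    my ($label, $path) = @$case;
    my @hits = bad_names_in_zip($path, $re);
    printf "%s: %s\n", $label, @hits ? "REJECT (@hits)" : "accept";
}
```

Only the names in the top-level archive directory are examined; a ZIP nested inside the ZIP is seen as a single .zip member and is not opened.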