On Fri, 27 Jun 2003, Antony Stone wrote:

> On Friday 27 June 2003 11:41 pm, Johannes Erdfelt wrote:
>
> > On Fri, Jun 27, 2003, Antony Stone <[EMAIL PROTECTED]> wrote:
> > > On Friday 27 June 2003 10:45 pm, Johannes Erdfelt wrote:
> > > > Has anyone thought much about including metadata about viruses/worms?
> > > >
> > > > For instance, I'd like to develop a mail filtering application that
> > > > will filter out infected files and deliver the rest of the email.
> > >
> > > Try http://www.mailscanner.info
> >
> > I don't see the correlation. If clamav can't give that information to
> > anything I develop, MailScanner doesn't have that information either.
>
> MailScanner will remove infected attachments from emails and deliver the
> remainder of the email as it was. Is that not what you want to do?
I think he wants clamav to "inoculate" the attachment and still pass it on. But for the majority of emails that are detected, none of the email holds value. The majority of detections I am running into are worms where the from, subject, body and attachment are all worthless. The next largest group of detections I am running into are IFrame exploits from SPAM where again, even if the IFrame exploit is removed the email still does not contain reasonable value. Lastly, there is a small number of emails that should otherwise be legit.

Having the mail gateway re-author the attachment puts a lot of overhead on the mail gateway to reduce putting pressure on the actual attachment author to virus scan their own computer. Rather than moving the overhead to the mail gateway, I would rather the original mail author take responsibility for issuing a clean attachment. Once something undesirable is detected, why should I trust *ANY* of it? How many additional emails from the same author is the gateway going to have to inoculate because the author now expects the gateway to take responsibility for delivering the email by disinfecting it each time?

Should clamav have a Word parser to cleanly extract Word macro viruses while keeping the file in a sane format? Is clamav responsible for re-zipping? If users get used to clamav re-compressing infected archives, is it acceptable then to act on archives that clamav can scan but not re-compress, such as digitally signed archives or formats where a decompression method is available on multiple platforms but a compression method isn't as widely available (such as InstallShield)?

I would prefer a lightweight zero-tolerance anti-virus system to a heavyweight disinfection system that may continue to deliver useless, garbled or corrupted emails/attachments.
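The two gateway policies argued over in this thread, shown side by side as an added example (not code from the thread, MailScanner or clamav): per-attachment scanning with the flagged part stripped and the rest delivered, versus rejecting the whole message on any detection. The scanner is a constructed stand-in that only recognises the EICAR test string so the example runs offline; a real gateway would hand each decoded part to clamd instead.

```python
from email.message import EmailMessage

# Standard anti-virus test string; matching it is our stand-in for a clamd verdict.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_part(payload: bytes):
    """Constructed scanner: return a detection name, or None when clean."""
    return "Eicar-Test-Signature" if EICAR.encode() in payload else None


def build_sample(infected=True) -> EmailMessage:
    """Constructed message: a text body, a clean attachment, optionally an infected one."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.test", "bob@example.test", "report"
    msg.set_content("See attached.")
    msg.add_attachment(b"quarterly numbers", maintype="text", subtype="plain", filename="notes.txt")
    if infected:
        msg.add_attachment(EICAR.encode(), maintype="application", subtype="octet-stream",
                           filename="invoice.exe")
    return msg


def scan_message(msg: EmailMessage) -> dict:
    """Scan every attachment separately; map filename -> detection name for hits."""
    hits = {}
    for part in msg.iter_attachments():
        verdict = scan_part(part.get_payload(decode=True))
        if verdict:
            hits[part.get_filename()] = verdict
    return hits


def strip_infected(msg: EmailMessage):
    """Disinfection policy: rebuild the mail without flagged parts, noting each removal."""
    hits = scan_message(msg)
    clean = EmailMessage()
    for header in ("From", "To", "Subject"):  # copy envelope headers, not MIME structure
        clean[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    notes = "".join(f"\n[attachment {name!r} removed: {det}]" for name, det in hits.items())
    clean.set_content(body + notes)
    for part in msg.iter_attachments():
        if part.get_filename() not in hits:
            clean.add_attachment(part.get_payload(decode=True), maintype=part.get_content_maintype(),
                                 subtype=part.get_content_subtype(), filename=part.get_filename())
    return clean, hits


def zero_tolerance(msg: EmailMessage):
    """Rejection policy: any detection discards the whole message (None) and reports the hits."""
    hits = scan_message(msg)
    return (None, hits) if hits else (msg, hits)
```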
