On Fri, Jun 27, 2003, Fluke <[EMAIL PROTECTED]> wrote:
> On Fri, 27 Jun 2003, Antony Stone wrote:
>
> > On Friday 27 June 2003 11:41 pm, Johannes Erdfelt wrote:
> >
> > > On Fri, Jun 27, 2003, Antony Stone <[EMAIL PROTECTED]> wrote:
> > > > On Friday 27 June 2003 10:45 pm, Johannes Erdfelt wrote:
> > > > > Has anyone thought much about including metadata about viruses/worms?
> > > > >
> > > > > For instance, I'd like to develop a mail filtering application that
> > > > > will filter out infected files and deliver the rest of the email.
> > > >
> > > > Try http://www.mailscanner.info
> > >
> > > I don't see the correlation. If clamav can't give that information to
> > > anything I develop, MailScanner doesn't have that information either.
> >
> > MailScanner will remove infected attachments from emails and deliver the
> > remainder of the email as it was. Is that not what you want to do?
>
> I think he wants clamav to "inoculate" the attachment and still pass it
> on. But for the majority of emails that are detected, none of the email
> holds value. The majority of detections I am running into are worms where
> the from, subject, body and attachment are all worthless. The next
> largest group of detections I am running into are IFrame exploits from
> SPAM where again, even if the IFrame exploit is removed, the email still
> does not contain reasonable value. Lastly, there is a small number of
> emails that should otherwise be legit. Having the mail gateway re-author
> the attachment puts a lot of overhead on the mail gateway to reduce
> putting pressure on the actual attachment author to virus scan their own
> computer. Rather than moving the overhead to the mail gateway, I would
> rather the original mail author take responsibility for issuing a clean
> attachment. Once something undesirable is detected, why should I trust
> *ANY* of it?
>
> How many additional emails from the same author is the gateway going to
> have to inoculate because the author now expects the gateway to take
> responsibility for delivering the email by disinfecting it each time?
> Should clamav have a Word parser to cleanly extract Word macro viruses
> while keeping the file in a sane format? Is clamav responsible for
> re-zipping? If users get used to clamav re-compressing infected archives,
> is it acceptable then to act on archives that clamav can scan but not
> re-compress, such as digitally signed archives or formats where a
> decompression method is available on multiple platforms but a
> compression method isn't as widely available (such as InstallShield)? I
> would prefer a lightweight zero-tolerance anti-virus system to a
> heavyweight disinfection system that may continue to deliver useless,
> garbled or corrupted emails/attachments.
You make lots of good points, but I don't think they really apply. I
don't think anyone is asking to put these features into clamav. I would
just like to see some metadata in there so systems that build on clamav
can make more intelligent decisions.

JE
