Gianmarco Giovannelli wrote:

UNAUTHORIZED ATTACH TYPE
Stop... :-)

Do you think the idea is wrong? In this way, as I said, you could also lower the CPU load on the antivir box (you discard without checking) and you could better fight new viruses (if my sig doesn't detect it, the attachment type will probably cause the message to be discarded).
And last... we could probably stop using other tools like noattach (which I like very much, indeed).


Heh - this reminds me of what happened with my content-filter - Qmail-Scanner. It has this functionality - and *used to* do it just as you say: do the "policy blocks" first - and if they trigger - don't bother running the AV.

However, a lot of sites complained. They actually looked at the logs and they didn't like seeing that 44% of their quarantine events were "PIF blocked" - they wanted to know WHAT VIRUS IT WAS.

I couldn't win :-) Now Qmail-Scanner will still AV scan the e-mail - even if "policy block" triggered - so that if the PIF file does contain a virus - it's logged as such. Either way - it's quarantined - it's just that the logs more thoroughly reflect why it was blocked now. Basically "policy block" is for blocking things that aren't currently detected as viral (I'm ignoring "real" policy reasons like blocking MP3 for this discussion).

In the end, the performance difference is negligible. Almost all of your e-mails won't trigger a policy block event anyway (go through your logs: are 99% of your e-mails text only - or do 99% of them have PIF file attachments?) - so AT BEST you might save 1-2% system resources.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
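
The two scan orderings discussed in this thread, as an added example that is not part of the original e-mails and is not Qmail-Scanner's code. The extension list, the byte-pattern stand-in for an AV engine, and all function names are assumptions; the sample messages are constructed.

```python
import email
import os
from email import policy as email_policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".pif", ".scr", ".bat"}  # assumed policy list
# Stand-in for an AV engine: constructed byte pattern -> constructed name.
CONSTRUCTED_SIGNATURES = {b"CONSTRUCTED-TEST-PATTERN": "Test.Sample-A"}

def attachments(raw):
    """Yield (filename, decoded payload) for every named MIME part."""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name, part.get_payload(decode=True) or b""

def policy_hit(raw):
    """Return a policy-block reason if any attachment type is unauthorized."""
    for name, _ in attachments(raw):
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return f"policy block: {ext[1:].upper()} attachment"
    return None

def av_hit(raw):
    """Return a virus reason if a constructed signature matches."""
    for _, data in attachments(raw):
        for pattern, virus in CONSTRUCTED_SIGNATURES.items():
            if pattern in data:
                return f"virus: {virus}"
    return None

def verdict(raw, scan_after_policy_block=True):
    """Return (quarantined, logged_reason) for one message."""
    blocked = policy_hit(raw)
    if blocked and not scan_after_policy_block:
        return True, blocked       # policy first, AV skipped
    found = av_hit(raw)
    reason = found or blocked      # log the virus name when there is one
    return reason is not None, reason

def build(filename=None, data=b""):
    """Build a constructed sample message, optionally with one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("hello")
    if filename:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Both orderings quarantine the same messages; only the logged reason differs when a blocked attachment also matches a signature.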
