
Virus scanning and defense-in-depth (was Re: tips on writing /etc/procmailrc so that it can be run as 'root' or as a user?)

2004-02-25 08:17:55
Dallman Ross <dman(_at_)nomotek(_dot_)com> wrote:
[...]
"They" who say that?  I don't know, but either one can get
clam(d)scan to work or not on a particular system, would be
the point.  We had lots of trouble getting it to compile right
on NetBSD where I am.  But privately a friend I put up to it
on that system got it to work, just last night.  My point is
only that if the compile works, then it works, right?  There
is certainly a flurry of ongoing development with it, sure,
but it will probably only get better, quickly.  I also think
it's a good product.

Just an aside: We got off on a bit of a tangent trying to get clamav to work
directly from procmail. There are plenty of scripts (perl and shell) that can
be used as wrappers to get it to work reliably and as expected from procmail.
The trick is to decode attachments, then scan them. Unfortunately, there's no
web page that says "DO THIS", so it was a bit of trial-and-error.

I needed the same capability (decode and scan) to use bitdefender's free linux
scanner, so just wound up doing a wrapper script that calls both to scan
attachments. (more below)

Me, I can't understand what all the hullabaloo is about, since
I don't know of a virus that wouldn't be an encoded attachment
of some kind (possibly uuencode, if not MIME); and if you're
looking at attachments already, then you're 5/6 there.

There's no reason these approaches can't be used in complementary fashion. Use
the fast and efficient procmail rules for first-level screening of well-known
patterns, clamav/bitdefender and other viable anti-virus scanners for heuristic
and advanced scanning/detection, bayes for detecting patterns in the messages
they're transported in, and finally some catch-all defanging rules for
whatever's left. The problem is similar to perimeter protection using routers,
firewalls, proxy servers and the like. Variety is GOOD.

So...

Level 1 - Screen widely known patterns using procmail. Stops known viruses.
Direct messages based on local policy (i.e. "power users" versus "normal") to
successive levels. Keep bulk of message processing fast.

Level 2 - Scan all incoming attachments/messages with active content with AV
tool of choice. Stops many unknown viruses/2nd level check. The "tool for the
job", applied where it makes sense.

Level 3 - Detect "wormish" patterns in message using bayes (not meant for this
purpose, but bogofilter & co. seem to be spotting these well in my superficial
testing). Stops what might be junkmail anyhow (complements spam checking too).

Level 4 - Isolate/quarantine/defang according to local policy (i.e. anomy
sanitizer). Allows isolation of non-virus content that violates policy (i.e.
MP3s).

These needn't all be functions done on one box, nor for all users. For
high-volume settings, some of these might not be practical, or suitable only
for "optional enhanced services" scenarios.

Just my thoughts on it.

- Bob

But certainly I'm biased. :) Btw, since you say you looked at
Virus Snaggers a while ago, you may not have noticed that the
recent releases do have signatures for MyDoom and NetSky, for
looking in ZIPs.
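The decode-then-scan wrapper Bob describes, with the procmail recipe that hands the result to the next level (his Level 1 to Level 2 handoff), as an added Python example that is not code from this list or from clamav. The script path, the X-Virus-Scan header name, the "quarantine" folder and the exit-status convention of any scanner other than clamscan are assumptions.

```python
"""Decode-then-scan filter for procmail (added example, not code from the list).
Used as a filter procmail waits for; a second recipe acts on the header it adds:
    :0 fw
    | /usr/local/bin/scanwrap.py
    :0:
    * ^X-Virus-Scan: infected
    quarantine
"""
import email, subprocess, sys, tempfile
from email import policy
from pathlib import Path

# Each scanner gets the directory of decoded attachments as its last argument and
# must exit 1 on a hit (clamscan's convention; check any second scanner's manual).
SCANNERS = [["clamscan", "--quiet", "-r"]]

def decode_attachments(raw, outdir):
    """Write every MIME part that carries a filename into outdir; return the names."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        safe = Path(name).name  # never trust directory components in a filename
        Path(outdir, f"{len(names)}-{safe}").write_bytes(part.get_payload(decode=True) or b"")
        names.append(safe)
    return names

def scan_message(raw, scanners=SCANNERS):
    """Decode the attachments, run each scanner over them, return (verdict, names)."""
    with tempfile.TemporaryDirectory() as tmp:
        names = decode_attachments(raw, tmp)
        for cmd in (scanners if names else []):  # nothing decoded, nothing to run
            rc = subprocess.run(cmd + [tmp], capture_output=True).returncode
            if rc == 1:
                return "infected", names
            if rc != 0:
                return "error", names  # scanner failed: do not claim clean
    return "clean", names

def annotate(raw, scanners=SCANNERS):
    """Insert an X-Virus-Scan header, keeping any leading mbox 'From ' line first."""
    verdict, _ = scan_message(raw, scanners)
    header = b"X-Virus-Scan: " + verdict.encode() + b"\n"
    if raw.startswith(b"From "):
        first, nl, rest = raw.partition(b"\n")
        return first + nl + header + rest
    return header + raw

if __name__ == "__main__":
    sys.stdout.buffer.write(annotate(sys.stdin.buffer.read()))
```

A scanner that is not installed raises OSError from subprocess rather than returning a verdict, so procmail's `w` flag sees a failing filter and keeps the original message; with `W` it would also stay quiet about it.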


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
