Re: MS BS + Sorting out the virii
Don't underestimate clamav. Sure it does not have 75,000 virii in its
database, but it catches well over 98% of the viruses that cross my little
ISP. (I run both NOD32 and ClamAV with MailScanner so I see all the ones
that NOD gets and ClamAV does not, which is _very_ few). Plus the ClamAV
community seems to have reached something close to critical mass in so far
as quickly as I can find a new virus (Sobig.F, Gibe.F) I am often too late
as someone else has already submitted it and the database has been updated.
Mike
On Wed, Sep 24, 2003 at 01:54:42AM +0200, Thomas Ritter wrote:
> On Tuesday, 23 September 2003 23:48, Joel HATSCH wrote:
> > > > of these fake Microsoft Update emails per day.
> > > > The single part MIME filter doesn't seem to catch it though. What
>
> Just a note: Open Antivirus programs like clamav are not perfect, because the
> open virus database [1] is still too small... but for _sorting_ mail, clamav
> (it's in sid) is really good. It gives you
>
> X-Virus-Found: yes
> X-Virus-Status:
> ------------------------------------------------------------
> Virus Scan Status:
> ------------------------------------------------------------
> /tmp/07ae019a324f44ed/textportionKGUGaX: OK
> /tmp/07ae019a324f44ed/textportionOE5x4J: OK
> /tmp/07ae019a324f44ed/textportion4onCon: Worm.Gibe.F FOUND
> /tmp/07ae019a324f44ed/UPGRADE.exegbm4Ix.exe: Worm.Gibe.F FOUND
>
> in a mail with a virus if you use clamfilter [2], a single-file perl script,
> from procmail. Maybe clamfilter should be put into a package, it comes in
> handy.
>
> And... a mail with a positive virus recognition can be deleted without having
> to fear it's a false positive, against which a mail found to be Spam by
> Spamassassin may be a real mail. Clamav is growing, but doesn't recognize
> enough virii to protect an M$-System, but hey, my "Spam and Virii" folder,
> which I checked every day because of some false positives I got just became
> one Spam folder with low traffic and one Virii folder where mails are being
> marked read automatically and deleted after two months (food for
> spamassassin). Just walking through some Spam mails per day for real mails is
> really much easier than clicking through all those Worm mails.
>
> By the way, can anyone tell me why on a debian system the Spamassassin flag
> "MICROSOFT_EXECUTABLE" scores less than one point? A mail with a M$ EXE
> should really score 4.5 or so, because even if one of my friends sends me an
> EXE file on purpose, I would look for that in my Spam folder first ;)
>
> [1] http://www.openantivirus.org/
> [2] http://www.everysoft.com/clamfilter.html
>
> --
> Thomas Ritter
>
> "Those who would give up essential liberty, to purchase a little temporary
> safety, deserve neither liberty nor safety." - Benjamin Franklin
>
--
Michael Sullenszino /---------------------------\
nospam@sullenszino.org | Powered By OpenBSD |
| http://www.openbsd.org |
\---------------------------/
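
The sorting described in the quoted message, as an added example that is not part of either poster's mail and is not clamfilter's own code: a Python filter that reads the X-Virus-Found / X-Virus-Status headers shown above and picks a folder. The folder names, the whitespace folding of the status header, and the use of SpamAssassin's X-Spam-Flag header are assumptions; the sample message is constructed.

```python
import email
import re

# Constructed sample modelled on the headers quoted in the thread.
# Assumption: continuation lines of X-Virus-Status are folded with a leading space.
SAMPLE_INFECTED = (
    "From: sender@example.org\n"
    "Subject: constructed sample\n"
    "X-Virus-Found: yes\n"
    "X-Virus-Status:\n"
    " ------------------------------------------------------------\n"
    " Virus Scan Status:\n"
    " ------------------------------------------------------------\n"
    " /tmp/07ae019a324f44ed/textportionKGUGaX: OK\n"
    " /tmp/07ae019a324f44ed/textportion4onCon: Worm.Gibe.F FOUND\n"
    " /tmp/07ae019a324f44ed/UPGRADE.exegbm4Ix.exe: Worm.Gibe.F FOUND\n"
    "\n"
    "body\n"
)

# One scan-status line: "<path>: <signature> FOUND"; "OK" lines do not match.
FOUND_RE = re.compile(r"^\s*(?P<path>\S.*?):\s+(?P<sig>\S+)\s+FOUND\s*$")

def scan_findings(raw_message):
    """Return (flagged, [(file name, signature), ...]) from the X-Virus-* headers."""
    msg = email.message_from_string(raw_message)  # compat32 keeps folded lines
    flagged = any(v.strip().lower() == "yes"
                  for v in msg.get_all("X-Virus-Found", []))
    findings = []
    for value in msg.get_all("X-Virus-Status", []):
        for line in value.splitlines():
            m = FOUND_RE.match(line)
            if m:
                findings.append((m.group("path").rsplit("/", 1)[-1], m.group("sig")))
    return flagged, findings

def choose_folder(raw_message):
    """Virus verdict wins over spam verdict; folder names are hypothetical."""
    flagged, findings = scan_findings(raw_message)
    if flagged or findings:
        return "Virii"
    msg = email.message_from_string(raw_message)
    if (msg.get("X-Spam-Flag") or "").strip().upper() == "YES":
        return "Spam"
    return "INBOX"

if __name__ == "__main__":
    print(choose_folder(SAMPLE_INFECTED), scan_findings(SAMPLE_INFECTED)[1])
```
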