Should You Disinfect?
Lately we have come across a few cases where the use of disinfect as an action for virus infections causes problems with MPP. Tangentially related, we are coming across issues with clamav or clamd that make it dangerous to use discard with these scanners if you are not careful. I want to make you aware of the particulars of these issues.
First of all, using disinfect as an action for email virus scanners is not very useful since the majority of email-borne viruses are worms. Since a worm-generated email only contains the worm itself, there is nothing to disinfect. Disinfect presupposes that there is a real file that has been infected and that disinfecting will make the file usable again. Fortunately, virus scanners have become de facto standard on email servers, so the incidence of actual email-borne viruses has become statistically low, especially when compared against the prevalence of spam and phishing emails.
For a while customers were asking for MPP to have different actions for worms and real viruses, but since we use so many different scanners and they all report differently, combined with the fact that both worms and email-borne viruses have been largely held in check, we opted not to do this. Additionally, and this leads to the next point, spam scanners started detecting and reporting email worms while virus scanners, and clamav in particular, have started to report phishing emails as viruses.
While Clam’s detection of phishing emails sounded like a great idea it has become problematic in practice. We are getting many reports of false positives from ClamAV, something unheard of in the past, and it is no surprise that all of the false positives are from phishing signatures. Phishing signatures can be disabled by setting “PhishingScanURLs no” in the clamd config file and I highly recommend avoiding Clam’s experiment in your production network.
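The catch with that setting is that clamd treats a missing or commented-out option as its default, and the default for PhishingScanURLs is yes, so a line that is merely present as `#PhishingScanURLs no` changes nothing. The following shell script is an added example, not code from the original post or from the MPP or ClamAV projects; it reports the effective value of PhishingScanURLs in a clamd.conf and flags the risky default. The file names, the sed/tail parsing and the two sample configs are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from MPP/ClamAV): audit the
# effective PhishingScanURLs setting in a clamd.conf. clamd reads an absent
# or commented-out option as "yes", so only an explicit, uncommented
# "PhishingScanURLs no" actually disables the phishing URL signatures.

# Print the effective value ("yes" or "no") of PhishingScanURLs in FILE.
# The last uncommented occurrence wins; anything other than an explicit
# no/false/0 leaves the ClamAV default (yes) in force.
effective_phishing_scan_urls() {
    val=$(sed -n 's/^[[:space:]]*PhishingScanURLs[[:space:]][[:space:]]*\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        no|false|0) echo no ;;
        *)          echo yes ;;
    esac
}

# Return 0 when phishing URL scanning is disabled, 1 when it is still active.
check_clamd_conf() {
    if [ "$(effective_phishing_scan_urls "$1")" = no ]; then
        echo "$1: PhishingScanURLs is off"
        return 0
    fi
    echo "$1: PhishingScanURLs is effectively ON (default) - add 'PhishingScanURLs no'" >&2
    return 1
}

# Constructed sample configs (not real deployment files) showing both outcomes.
tmpdir=$(mktemp -d)
cat > "$tmpdir/risky.conf" <<'EOF'
# Sample clamd.conf where the option is only present as a comment
LogFile /var/log/clamav/clamd.log
#PhishingScanURLs no
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
LogFile /var/log/clamav/clamd.log
PhishingScanURLs no
EOF

check_clamd_conf "$tmpdir/risky.conf" || true   # reports the hidden default
check_clamd_conf "$tmpdir/hardened.conf"        # reports it as off
```

Point `check_clamd_conf` at the clamd.conf actually loaded by your clamd (the path varies by distribution) and re-run it after edits; the same check can be applied to the related `PhishingSignatures` option by changing the option name in the sed pattern.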
One important point is that disinfect is not supported with either the clamd or clamav scanner within MPP.
If you really care about not losing legitimate email, then you must quarantine. Otherwise, my recommendation is to discard virus-infected emails altogether, as the incidence of false positives without clamav phishing signatures is minute with current antivirus technology.