[clamav-users] ClamAV+exim: scanner finds not a single malware

Groach groachmail-stopspammingme at yahoo.com
Sun May 29 07:33:17 EDT 2016

On 29/05/2016 13:08, Ned Slider wrote:
> As I mentioned above, as a postmaster I solved the problem by simply 
> not allowing executable attachments. I do still run ClamAV on my mail 
> servers, it uses few CPU cycles, detects nothing but I figure it does 
> no harm so why mess with a system that isn't broken and has worked for 
> years.

Yes, this is my approach too.  There is not one single approach that is 
100% effective - I think there is a combination of things that 
collectively provide the best solution.

I have (in order):

At mailserver inbound level:
a, disallowed regular known executable/scripting attachments (.JS, .VB, 
.CMD, .EXE, .DOCM etc., including compressed files that may hide them, e.g. 
.ZIP, .7Z etc.).  This should do the majority of the work, as AV solutions 
singularly cannot be trusted.
b, Scan with Clam + Sane defs (hopefully catches anything else that gets 
missed above - recently they have started releasing .DOT files. Sneaky.)
c, Gets run through spamassassin - hopefully between this and (b) any 
emails to known dodgy and dangerous sites gets eliminated too.

At client PC level:
d, install commercial solution (with proven track record, Bitdefender is 
my choice) on EACH client PC - hopefully this also serves to help 
protect against rogue BROWSING/download dangers.
e, Disable Macro Execution on all Windows-based MS OFFICE installs on 
client machines (you just can't trust users - education fails to convince 
them that it WILL be THEIR problem if they run something they shouldn't 
be doing)

(Oh, and I'm sure some smart-arse will add I should be ditching Windows 
and use only Linux or Macs for clients.  Those people need to get real!!)

As a side note:  is anyone surprised a virus hasn't been released, 
embedded in a 'password protected' Zip file (to fool AV scans) with the 
body of the email saying something like "to fight against viruses and 
to protect you, it is password protected.  Your password is:  ABC123"?  
That is bound to fool some users, ain't it.  (Or has this already been 
done and I haven't seen it)?
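Step (a) above, blocking executable/scripting attachments including ones hidden inside compressed files, can be checked outside the MTA as well. The following is an added example, not code from the original post or from ClamAV/Exim: it parses a raw message, flags attachments by extension, and for ZIP attachments lists the member names before deciding. It also covers the side note about "password protected" archives: a conventionally password-protected ZIP only encrypts member contents, so the member names in the central directory can still be read and matched against the block list without the password. The blocked-extension list and the sample message are constructed for the example; the extra macro-capable Office types (.DOTM, .XLSM, .PPTM) are an assumption that the same policy applies to them.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions disallowed at the inbound mail server (constructed list; the
# .DOTM/.XLSM/.PPTM entries are assumed to fall under the same policy).
BLOCKED_EXTENSIONS = {
    ".js", ".vb", ".vbs", ".cmd", ".bat", ".exe", ".scr", ".ps1",
    ".docm", ".dotm", ".xlsm", ".pptm", ".dot",
}
# Container types that may hide a blocked file; only ZIP is opened here.
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar"}


def _ext(name):
    """Lower-cased final extension, ignoring trailing dots/spaces."""
    name = (name or "").lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def zip_member_names(data):
    """Return member names of a ZIP archive, or None if it is not a valid ZIP.

    The central directory of a password-protected ZIP is not encrypted, so
    member names are readable without the password; only the contents are
    hidden from a content scanner.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def find_blocked_attachments(raw):
    """Parse a raw RFC 822 message and return [(filename, reason), ...]
    for every attachment that violates the policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        ext = _ext(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension %s" % ext))
        elif ext in ARCHIVE_EXTENSIONS:
            payload = part.get_payload(decode=True) or b""
            members = zip_member_names(payload) if ext == ".zip" else None
            if members is None:
                # .7z/.rar or unreadable ZIP: cannot look inside, so reject
                findings.append((name, "archive contents could not be inspected"))
                continue
            for member in members:
                if _ext(member) in BLOCKED_EXTENSIONS:
                    findings.append((name, "archive contains %s" % member))
    return findings


def build_sample_message():
    """Constructed sample: a ZIP holding invoice.js (the stdlib cannot write
    encrypted ZIPs, but the name check is identical for one), a harmless PDF,
    and a bare .EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed sample, not real code\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "postmaster@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("To protect you, the attachment is password protected. "
                    "Your password is: ABC123")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="setup.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in find_blocked_attachments(build_sample_message()):
        print("REJECT %s: %s" % (filename, reason))
```

The check rejects archives it cannot open (.7z, .rar, damaged ZIPs) rather than passing them, which matches the post's position that compressed containers are blocked because they may hide the listed types; a 7z archive with encrypted headers would hide member names as well, so that default is the safe one.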

