[clamav-users] ClamAV+exim: scanner finds not a single malware
groachmail-stopspammingme at yahoo.com
Sun May 29 07:33:17 EDT 2016
On 29/05/2016 13:08, Ned Slider wrote:
> As I mentioned above, as a postmaster I solved the problem by simply
> not allowing executable attachments. I do still run ClamAV on my mail
> servers, it uses few CPU cycles, detects nothing but I figure it does
> no harm so why mess with a system that isn't broken and has worked for
Yes, this is my approach too. There is not one single approach that is
100% effective - I think there is a combination of things that
collectively provide the best solution.
I have (in order):
At mailserver inbound level:
a, disallowed regular known executable/scripting attachments (.JS, .VB,
.CMD, .EXE, .DOCM etc. including compressed files that may hide them e.g.
.ZIP, .7Z etc.). This should do the majority of the work as singularly
AV solutions cannot be trusted.
b, Scan with Clam + Sane defs (hopefully catches anything else that gets
missed above - recently they have started releasing .DOT files. Sneaky.)
c, Gets run through spamassassin - hopefully between this and (b) any
emails to known dodgy and dangerous sites gets eliminated too.
At client PC level:
d, install commercial solution (with proven track record, Bitdefender is
my choice) on EACH client PC - hopefully this also serves to help
protect against rogue BROWSING/download dangers.
e, Disable Macro Execution on all Windows-based MS OFFICE installs on
client machines (you just can't trust users - education fails to convince
them that it WILL be THEIR problem if they run something they shouldn't
(Oh, and I'm sure some smart-arse will add I should be ditching Windows
and use only Linux or Macs for clients. Those people need to get real!!)
As a side note: is anyone surprised a virus hasn't been released,
embedded in a 'password protected' Zip file (to fool AV scans) with the
body of the email saying something like "to fight against viruses and
to protect you, it is password protected. Your password is: ABC123" ?
That is bound to fool some users, ain't it. (Or has this already been
done and I haven't seen it)?
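
An added example, not part of the original post: a gateway-side check for step (a) and for the password-protected ZIP case raised in the side note. The function names and the `BLOCKED` set are assumptions for illustration, and opening ZIP attachments to inspect their members goes beyond the post, which blocks archives outright.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions named in the post (step a, plus the .DOT files from step b).
BLOCKED = {".js", ".vb", ".cmd", ".exe", ".docm", ".dot"}

def _ext(name):
    return PurePosixPath(name.lower()).suffix

def inspect_attachment(filename, data):
    """Return the reasons to reject one attachment; an empty list means pass."""
    reasons = []
    if _ext(filename) in BLOCKED:
        reasons.append(f"blocked extension: {filename}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Flag bit 0 marks an encrypted member; its name normally stays readable.
                if info.flag_bits & 0x1:
                    reasons.append(f"encrypted member: {info.filename}")
                if _ext(info.filename) in BLOCKED:
                    reasons.append(f"blocked extension in archive: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append(f"unreadable archive: {filename}")
    return reasons

def inspect_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons += inspect_attachment(part.get_filename() or "", data)
    return reasons

def constructed_sample():
    # Constructed input: a mail carrying a ZIP whose one member is flagged encrypted.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", b"placeholder")
    z = bytearray(buf.getvalue())
    z[z.rfind(b"PK\x01\x02") + 8] |= 0x01  # set flag bit 0 in the central directory
    m = EmailMessage()
    m.set_content("Your password is: ABC123")
    m.add_attachment(bytes(z), maintype="application", subtype="zip", filename="docs.zip")
    return m.as_bytes()
```

The encrypted flag can be read without the password, so the gateway can reject or quarantine such archives even though the scanner cannot see their contents.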