Discussion:
what are the advantages/disadvantages in enabling attachment blocking when clamav scanner is active?
Bruno Negrão
2005-05-31 21:50:46 UTC
Hi guys,

As a result of my previous discussion, this question has now appeared: What
are the advantages/disadvantages of enabling attachment blocking when the
clamav scanner is active?

I think the idea behind the Simscan Guide
(http://qmailwiki.org/Simscan/Guide) saying that we could disable ripmime
when using Clamav is that, once you have the clamav scanner enabled and blocking
the attachments with viruses, you wouldn't need to enable attachment blocking
once clamav would already be blocking the bad e-mails.

But for me, even with clamav enabled the attachment blocking is still
useful:
- 1) In the case a new and undetectable virus appears (this is not rare),
it is good to be blocking the "always bad" file attachments, like .pif, .scr,
.com, .bat, and even .exe. For the majority of the users, they'll never
send/receive these files for working reasons. At least with the companies
that have domains in my ISP, I blindly blocked these files and I didn't
have any complaint. Then, in the case of a new virus that spreads through
one of these extensions, my clients won't be at risk.
- 2) I supposed (I'm really not sure about it) that calling ripmime and
blocking the e-mail by simply checking its attachment extension was faster
than calling clamdscan to scan the attachment for viruses. If this
supposition is right, this would be another advantage in using attachment
blocking, even with clamav enabled.

Can someone point out some disadvantages or more advantages that I don't know?

Thank you,
-------------------------------------------------
Bruno Negrao - Network Manager
Engepel Teleinformática. 55-31-34812311
Belo Horizonte, MG, Brazil
Jason Frisvold
2005-05-31 22:04:01 UTC
Post by Bruno Negrão
Hi guys,
As a result of my previous discussion, this question has now appeared: What
are the advantages/disadvantages of enabling attachment blocking when the
clamav scanner is active?
Advantage : You can block files regardless of whether they are virus
infected or not.
Disadvantage : It takes extra processing time since both ripmime and
clamav unmime the files. The alternative is to disable the unmime
process in clamav and just let ripmime do it, but there have been
discussions about how clamav's mime handling is better in some
instances.
Post by Bruno Negrão
I think the idea behind the Simscan Guide
(http://qmailwiki.org/Simscan/Guide) saying that we could disable ripmime
when using Clamav is that, once you have the clamav scanner enabled and blocking
the attachments with viruses, you wouldn't need to enable attachment blocking
once clamav would already be blocking the bad e-mails.
Correct. And maybe it needs to be a little clearer. If you need to
block attachments (regardless of virus status), then ripmime is needed.
If you're *only* worried about blocking known virii, ripmime is not
needed.

I'm not sure how other virus scanners fit into this equation.
Post by Bruno Negrão
- 2) I supposed (I'm really not sure about it) that calling ripmime and
blocking the e-mail by simply checking its attachment extension was faster
than calling clamdscan to scan the attachment for viruses. If this
supposition is right, this would be another advantage in using attachment
blocking, even with clamav enabled.
I'm not sure what happens in this instance. If an attachment is on
the blocklist, I'm not sure if it gets to the av scanner or not. I'd
have to crawl through the code to check...
Post by Bruno Negrão
Can someone point out some disadvantages or more advantages that I don't know?
I hope that helps..
Post by Bruno Negrão
Thank you,
-------------------------------------------------
Bruno Negrao - Network Manager
Engepel Teleinformática. 55-31-34812311
Belo Horizonte, MG, Brazil
--
Jason 'XenoPhage' Frisvold
XenoPhage0-***@public.gmane.org
Tren Blackburn
2005-05-31 22:11:24 UTC
Hi Bruno;
Post by Bruno Negrão
Hi guys,
As a result of my previous discussion, this question has now appeared: What
are the advantages/disadvantages of enabling attachment blocking when the
clamav scanner is active?
I think the idea behind the Simscan Guide
(http://qmailwiki.org/Simscan/Guide) saying that we could disable ripmime
when using Clamav is that, once you have the clamav scanner enabled and blocking
the attachments with viruses, you wouldn't need to enable attachment blocking
once clamav would already be blocking the bad e-mails.
But for me, even with clamav enabled the attachment blocking is still
- 1) In the case a new and undetectable virus appears (this is not rare),
it is good to be blocking the "always bad" file attachments, like .pif, .scr,
.com, .bat, and even .exe. For the majority of the users, they'll never
send/receive these files for working reasons. At least with the companies
that have domains in my ISP, I blindly blocked these files and I didn't
have any complaint. Then, in the case of a new virus that spreads through
one of these extensions, my clients won't be at risk.
- 2) I supposed (I'm really not sure about it) that calling ripmime and
blocking the e-mail by simply checking its attachment extension was faster
than calling clamdscan to scan the attachment for viruses. If this
supposition is right, this would be another advantage in using attachment
blocking, even with clamav enabled.
Can someone point out some disadvantages or more advantages that I don't know?
The biggest advantage I can think of is that attachment blocking is *very*
lightweight. You don't have to spawn clamdscan, it doesn't have to scan stuff;
It's just simply rejected. If you have a large volume of email going through
your server this can make the difference between being fine with your current
hardware, or needing to buy another server.

Just my 0.02$CAD (canadian...so like 1/8th of a US cent)

Regards,

Tren
Wayne Blick
2005-05-31 23:50:38 UTC
Post by Bruno Negrão
Can someone point out some disadvantages or more advantages that I don't know?
We enable attachment blocking on all our client sites. Business owners
generally agree that it reduces their bandwidth and "play" time by staff.

About 90 attachment types are listed in our "ssattach" control file
including the recreational ones like .avi, .mp3, .pps etc. We apply this to
inbound and outbound email.

Regards,
Wayne Blick
Bruno Negrão
2005-06-01 19:51:18 UTC
Guys, thank you for the feedback.

Jason and Tren,

I added a new section to the Simscan Guide in http://qmailwiki.org/Simscan/Guide#Attachment_Blocking_Processing where I resume our conversation.

Also, I made slight changes in http://qmailwiki.org/Simscan/Guide#ClamAntiVirus_Processing so it gets clear that disabling ripmime is interesting just for those who don't want attachment blocking.

Wayne,

Can you send to me your /var/qmail/control/ssattach file? I'd like to add this list as an answer to a question I'll post on the FAQ: "Does someone have a list of file extensions that everybody should block?"

Regards,
-------------------------------------------------
Bruno Negrao - Network Manager
Engepel Teleinformática. 55-31-34812311
Belo Horizonte, MG, Brazil
Bruno Negrão
2005-06-01 21:08:51 UTC
Post by Bruno Negrão
I added a new section to the Simscan Guide in
http://qmailwiki.org/Simscan/Guide#Attachment_Blocking_Processing
where I resume our conversation.
I saw Simscan Guide already had a section called
http://qmailwiki.org/Simscan/Guide#Attachment_Processing
where it was explaining the attachment blocking process. This section was
located far after the ClamAntiVirus Processing section.

What I did now was glue together what I wrote with what was in
http://qmailwiki.org/Simscan/Guide#Attachment_Processing
And I inserted this section before
http://qmailwiki.org/Simscan/Guide#ClamAntiVirus_Processing section. I
think this order makes more sense once the attach scanner is the easier to
set up. And prepares for the discussion of disabling ripmime in the next
section, inside http://qmailwiki.org/Simscan/Guide#ClamAntiVirus_Processing

Now you can see the resulting section in
http://qmailwiki.org/Simscan/Guide#Attachment_Processing

Forgive me for this mess,
bnegrao
Wayne Blick
2005-06-01 22:53:23 UTC
Post by Bruno Negrão
Wayne,
Can you send to me your /var/qmail/control/ssattach file? I'd like to add
this list as an answer to a question I'll post on the FAQ: "Does someone
have a list of file extensions that everybody should block?"

Here it is Bruno.

Regards,
Wayne Blick
Bruno Negrão
2005-06-03 17:58:33 UTC
Thanks Wayne. Your list was posted at http://www.qmailwiki.org/SimScanTips#Does_someone_have_a_list_of_file_extensions_that_everybody_should_block.3F

bnegrao
Aecio F. Neto
2005-06-03 17:48:06 UTC
Post by Bruno Negrão
Thanks Wayne. Your list was posted at http://www.qmailwiki.org/SimScanTips#Does_someone_have_a_list_of_file_extensions_that_everybody_should_block.3F
Is it possible to have this list in a separate config file instead of
inside simcontrol?
(sorry for dumb questions, I am new to simscan...)
Bruno Negrão
2005-06-03 19:10:27 UTC
Post by Aecio F. Neto
Is it possible to have this list in a separate config file instead of
inside simcontrol?
hmmm I don't think so, if you're using per-domain scan, I think you will
indeed end up with a huge "attach=.bat:.etc:..." line inside your simcontrol file.

Guys, when you enable per-domain scan, the ssattach file is not read
anymore, right?

bruno
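
An added example (not simscan's or ripmime's code, and not part of any post above) of the extension check discussed in this thread: it parses an `attach=` value in the form quoted above and matches it against the attachment names of a MIME message. The function names, the case-insensitive suffix match and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed setting in the "attach=.bat:.etc:..." form quoted in the thread.
ATTACH_LINE = "attach=.pif:.scr:.com:.bat:.exe"


def parse_attach(line):
    """Return the set of blocked extensions from an 'attach=' setting."""
    key, _, value = line.partition("=")
    if key.strip() != "attach":
        raise ValueError("not an attach= setting")
    return {ext.strip().lower() for ext in value.split(":") if ext.strip()}


def blocked_attachments(raw_message, blocked):
    """Return (filename, extension) for each part whose name ends in a blocked extension."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():          # also descends into nested multiparts and attached messages
        name = part.get_filename()   # decodes RFC 2231 encoded names; None if the part has no name
        if not name:
            continue
        lowered = name.strip().lower()  # assumption: match without regard to case
        ext = next((e for e in blocked if lowered.endswith(e)), None)
        if ext:
            hits.append((name, ext))
    return hits


def sample_message():
    """Constructed sample: one double-extension executable, one PDF, one archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.ScR")
    msg.add_attachment(b"%PDF", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"PK", maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(sample_message(), parse_attach(ATTACH_LINE)))
```

In the constructed message only `Invoice.PDF.ScR` is rejected; `photos.zip` passes because this check looks at the attachment name only, leaving the contents to a scanner such as clamav.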
