[FQuest Notice] Upgraded virus scanning
Bruce
05-19-2005, 12:40 AM
FutureQuest has completed the upgrades of its virus scanning system to the latest version of ClamAV (0.85.1). The new version of ClamAV has many improvements, including:
- Improved detection of JPEG (MS04-028) based exploits
- Support for TNEF files
- New detection mechanisms
- The JPEG exploit detector now also checks embedded Photoshop thumbnail images
- Archive meta-data scanner (improves malware detection within encrypted archives)
- Support for all tar archive formats
- Database updateable false positive eliminator
- Various bugfixes (including problems with scanning of digest mail files) and speed improvements.
Note: As with any virus scanning system, there is a chance that some viruses not yet known by the filtering system could get through; there is also an extremely slight chance that a message could be incorrectly tagged as having a virus.
Wassercrats
05-19-2005, 01:41 AM
Does it scan out-going mail too? I just sent a 1792 KB email and it seemed to take a really long time to send it to myself and to the person it's intended for, over DSL. AVG scanned it on my side, so maybe that was the problem, but I thought I'd ask.
Is there a reliable way to determine whether up-to-date AV software already scanned the email and to skip the ClamAV (beta) scan in that case?
Bruce
05-19-2005, 01:45 AM
> Does it scan out-going mail too?

We scan all messages while they are being delivered to us for viruses. This includes mail that we accept to relay elsewhere. Locally-generated mail (i.e. by a script, etc.) is not scanned.

> I just sent a 1792 KB email and it seemed to take a really long time to send it to myself and to the person it's intended for, over DSL.

Virus scanning is actually a very, very fast process. It takes us a small fraction of a second to scan most messages.
Wassercrats
05-19-2005, 01:50 AM
Actually, the second email that I sent, to the intended recipient, was CCed to someone else, so the size was double what I said, but it still seemed much slower than loading an equal sized webpage. Not sure whose fault that is.
Randall
05-19-2005, 12:17 PM
> We scan all messages while they are being delivered to us for viruses. This includes mail that we accept to relay elsewhere.

Huh -- didn't know that. Would we get any kind of notification (from ClamAV itself or the FQ staff if you're monitoring it) that one of our accounts was spewing viruses?
Randall
Wassercrats
05-19-2005, 12:26 PM
I just got a Windows popup about installing an update. When I approved it, I kept getting asked if I want to restart my computer. When I said I don't want to restart, it didn't give me an option of when to be reminded again (doesn't it do that any more?). Maybe things were slow because of a patch being downloaded. I doubt that was it though. Maybe Verizon again.
I don't like all this filtering that's not under my control, especially when I have my own AV software for email and when we can't see the email logs to see whether an email was accepted, or sent, or whatever the logs could tell you.
Bruce
05-19-2005, 01:48 PM
> Huh -- didn't know that. Would we get any kind of notification (from ClamAV itself or the FQ staff if you're monitoring it) that one of our accounts was spewing viruses?

No, only the sender in question would get any notification, and only then if the virus is sent through the mail client. We can scan the logs for the rejections, but no automatic extraction is being done. Even then, when scanning, we would need to know what IP is sending, since (nearly?) all common viruses forge the sender address.
Randall
05-19-2005, 02:41 PM
> When I said I don't want to restart, it didn't give me an option of when to be reminded again (doesn't it do that any more?).

No, and in fact it becomes highly annoying if you don't reboot right away. Constant popups.
So of course, now I don't update until I'm ready to shut the system down. The icon has been nudging me for two days, but it's a lot less annoying.
Still can't figure out why this machine at work fails to update itself. I can't even run Windows Update manually because it gets stuck at the "Checking for the latest version of the Windows Update software" step. I had to download the full SP2 file and install it locally.

> No, only the sender in question would get any notification, and only then if the virus is sent through the mail client.

That's what I really meant by "we."

> We can scan the logs for the rejections, but no automatic extraction is being done.

I was wondering if maybe you had some homebrew software checking for "local" outbreaks.
Randall
lynxtrax
05-19-2005, 05:43 PM
I'm also having problems with sending out attachments. The error message is that the smtp server has stopped responding. The attachments are not that large.
sheila
05-19-2005, 08:26 PM
> I don't like all this filtering that's not under my control, especially when I have my own AV software for email and when we can't see the email logs to see whether an email was accepted, or sent, or whatever the logs could tell you.
The antivirus scanning is protection for the FutureQuest network and prevents virus-laden emails from entering our network, therefore preventing any possibility of them being relayed through our network.
Prior to implementing the anti-virus scanning, FutureQuest had numerous incidents of emails sent through our network (into an address here and then back out again, either by bouncing or by being received at an email address hosted here and then forwarded on to another address), where these emails then generated complaints against our network, including blockades against our mail servers.
The anti-virus scanning prevents any virus-laden emails from entering and then exiting our email network, which protects our mail servers from being blacklisted. By keeping our mail servers out of the blacklists, we are able to successfully deliver the email our clients want to send to outside mail servers.
> I'm also having problems with sending out attachments. The error message is that the smtp server has stopped responding. The attachments are not that large.
The error message received when someone tries to connect to and send a virus-laden email is the following:
554 message refused
Lynxtrax, if that is not the error message that you are receiving, then it is not the antivirus scanner that is preventing your emails from being accepted. Does your mail program allow logging of the SMTP session? That might be helpful for debugging purposes to find out what the problem could be so that it could be corrected. If possible, I would suggest turning on such SMTP session logging, or temporarily trying out a mail program that allows session logging so that you can narrow down what might be causing the issue.
Wassercrats, if someone were trying to send you valid email and it was identified by our antivirus scanner as having a virus, they would get the above message.
In the very long time we've been running this scanner (http://www.aota.net/forums/showthread.php?postid=109639#post109639), we are aware of only two incidents with false positives (one in Oct 2004 and one in Jan 2005), out of the millions of emails handled by our system daily. In both cases the antivirus scanner was triggered by zip file attachments with a very, very high compression ratio.
Wassercrats
05-19-2005, 08:40 PM
> The error message received when someone tries to connect to and send a virus-laden email is the following:
> 554 message refused

I like my bounce message better:

> Your email was detected as spam by FutureQuest's spam filters. This could be due to the email matching certain Realtime Blackhole Lists (RBLs). RBLs are lists of IP addresses or domains that are likely to send spam. It could also be due to the subject or body of the email. If your email is not spam, please re-send from a different email account and/or with less spam-like content.

It would have to be reworded for use when an AV filter bounces the email, but the point is to give the sender a clue and not make him think I don't want anything he sends. I just like to be cautious.
Arthur
05-20-2005, 03:50 AM
> I like my bounce message better.

Well, the '554 message refused' error is not actually a bounce message. It's a generic error message from the server during the SMTP conversation between the MUA (mail client) and the server, saying that it won't accept the message.
A bounce message is created after accepting a message and finding it can't be delivered.
Arthur
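The distinction Arthur draws (an in-session "554 message refused" versus a bounce generated after acceptance) and Sheila's suggestion of SMTP session logging can both be seen in a small simulation. The following is an added example, not code from FutureQuest, ClamAV or anyone in this thread: a toy receiving MTA (`ToyReceivingMta`) that scans the message at the end of DATA, a client routine (`smtp_session`) that records the kind of session transcript a mail client's logging would show, and a `bounce_for` helper that builds the delivery status notification a server would send only after it had already accepted the message. The scanner match is a constructed marker string, not a real signature, and the hostnames are placeholders.

```python
"""Added example: in-session SMTP rejection (554) versus a post-acceptance bounce.
Constructed for illustration; not FutureQuest's or ClamAV's code."""
from typing import List, Optional, Tuple

# Constructed stand-in for a scanner signature match (not a real ClamAV signature).
MALWARE_MARKER = "CONSTRUCTED-TEST-SIGNATURE"


def scanner_flags(body: str) -> bool:
    """Hypothetical content scanner: True if the message body matches the marker."""
    return MALWARE_MARKER in body


class ToyReceivingMta:
    """Minimal receiving-MTA state machine that scans at the end of DATA."""

    def __init__(self) -> None:
        self.envelope_from: Optional[str] = None
        self.recipients: List[str] = []
        self.queue: List[Tuple[Optional[str], List[str], str]] = []  # accepted messages

    def reply(self, command: str) -> str:
        """Answer one client command (hostnames are placeholders)."""
        verb = command.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.test"
        if verb == "MAIL":
            self.envelope_from = command.split(":", 1)[1].strip()
            return "250 2.1.0 OK"
        if verb == "RCPT":
            self.recipients.append(command.split(":", 1)[1].strip())
            return "250 2.1.5 OK"
        if verb == "DATA":
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"

    def end_of_data(self, body: str) -> str:
        """Scan once the full body has arrived: refuse in-session, or accept into the queue.
        A refusal here produces no separate bounce message, so a forged sender
        address (as Bruce notes most viruses use) never receives backscatter."""
        if scanner_flags(body):
            return "554 message refused"
        self.queue.append((self.envelope_from, list(self.recipients), body))
        return "250 2.0.0 Queued"


def smtp_session(sender: str, recipient: str, body: str) -> Tuple[List[str], str]:
    """Run the client side of a submission; return (session transcript, final DATA reply).

    The transcript is the kind of SMTP session log the thread suggests enabling
    in the mail client to see exactly which step the server refused."""
    mta = ToyReceivingMta()
    log: List[str] = ["S: 220 mx.example.test ESMTP"]
    for cmd in ("EHLO client.example.test", f"MAIL FROM:<{sender}>",
                f"RCPT TO:<{recipient}>", "DATA"):
        log.append(f"C: {cmd}")
        log.append(f"S: {mta.reply(cmd)}")
    log.append("C: <message body> .")
    final = mta.end_of_data(body)
    log.append(f"S: {final}")
    log.append("C: QUIT")
    log.append(f"S: {mta.reply('QUIT')}")
    return log, final


def bounce_for(envelope_from: str, reason: str) -> str:
    """Build the notification an MTA sends after it has ALREADY accepted a message
    and then cannot deliver it. It is addressed to the envelope sender, which is
    why bouncing scanner hits after acceptance would mail third parties whose
    addresses were forged."""
    return (
        f"To: {envelope_from}\r\n"
        "From: MAILER-DAEMON@mx.example.test\r\n"
        "Subject: Undelivered Mail Returned to Sender\r\n"
        "\r\n"
        f"Your message could not be delivered: {reason}\r\n"
    )


if __name__ == "__main__":
    transcript, code = smtp_session("someone@example.test", "user@example.test",
                                    "constructed body " + MALWARE_MARKER)
    print("\n".join(transcript))  # the final server line is "S: 554 message refused"
```

Running the block prints the transcript for a flagged message; the client's sending step fails at the DATA reply, which is what a mail program with session logging would record. Nothing in `ToyReceivingMta` generates `bounce_for` output for a refused message, which is the practical difference between the two mechanisms.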
lynxtrax
05-20-2005, 10:06 AM
Thanks Sheila,
I have to edit the registry to enable session logging (using m$ Outlook).
The problem just happened to coincide with the AV upgrades so I thought there could be a connection if others were experiencing sending slowdowns.
If it continues, I'll use a different program to try to capture what's going on.