RE: [exim] antivirus

On Tue, 17 May 2005, GamCo - Gawie Marais wrote:

> We use Amavisd-new with ClamAV and Spamassassin + Razor combination.

We're different in detail, but we use ClamAV and Spamassassin.

Note however that our Win-based users are also required to run Sophos
AV (campus licence). So that gives two possible defences before
anything hits the user.

But I have to remark that at least two recent major virus outbreaks
were running for several hours before the templates arrived from
ClamAV (first) and Sophos (soon after). It would be insane to rely on
antivirus tools as a first line of defence. I tell the users to think
of the anti-virus alert like an airbag: if it ever goes off, it's a
serious warning that you were behaving too dangerously in the first
place, and to reconsider your procedures if you're not to fall victim
to one of these viruses that arrive before their AV template.

Virus-compromised hosts on campus get disconnected from the network in
fairly short order, and we aren't particularly sympathetic towards
reconnecting them. Our service provider (JANET) has an acceptable use
policy, over and above any rules that the campus may lay down.

> virus/spam scanning takes up a lot of IO's.

Well, the anti-virus costs much less than spamassassin, in our
experience.

But yes, anything you can do to reject mail offers before they get to
that stage (preferably already at the RCPT ACL) represents a big
saving in system load. Last time I looked, we were rejecting about 7
mail offers for every one we accepted, we sure wouldn't want to run
all of those past spamassassin.

> You will have to plan your hardware very well else you will end up
> running a load on your server.

I have to say that our major load seems to be the imap server. Next
I'd put spamassassin (for those mail offers which manage to get that
far). ClamAV is way down the field in terms of system usage.

all the best