[Esd-l] Quarantine/Strip Attachments vs. Virus Scanner

Brent Wallis bw at infosynergy.com.au
Sat Nov 2 00:17:01 PST 2002

For my part, the following has held true now for more than 2 years:

1. By blocking anything that is executable, a user base that is now over
5000 across 50+ subnets, each with their own SMTP server, and they have
not had a single infection......not one, whether the problem was new
or old.

2. Some of my clients bleat a little about us blocking exe's etc, but in
the end, there is not a single business reason for using this type of
attachment that I have not been able to successfully argue against.

3. When the server-based sanitizer is combined with desktop AV software, the
risk of email-borne virus is almost nil... in my case it IS nil, but I am
wary of the fact that it is only a very small statistical sample...

4. The problem with server-based AV software that relies on signatures
is that a signature has to be obtained for a known problem before the
software becomes effective....so there is always a window of
vulnerability if this software is used as the sole method of AV.

5. Proprietary, server-based AV software is going the same way as the
rest of M$ software.....pay for a licence to use, pay for a licence to
connect, pay for a licence to get updates, pay for an upgrade that "may"
happen in the next 2 years, though it becomes available 1 day after the 2
years is up.....pay pay pay pay pay....ad nauseam.

Even more damaging however is:

6. Proprietary AV software vendors in Australia are also starting to
insist on their own consultants to install and maintain their
software...we have some instances where entire networks in our control
are expected to be opened up for a 3rd party to do AV updates.... this
point is the most irritating and will fail in the long term anyway
because it is trying to bend consumer sentiment/demand to their own
ends. In most cases, the "consultants" we have met that do this are
"clue.....less in the x...treme"...and we ban them from the building,
especially if we have a security regime/SLA to uphold.

7. Signature scanning requires capacity beyond a normal mail server's
use; if the load is high, the hardware requirement is huge.

In short, using the AV on PC's, sanitizer on a local email relay/server
means that I really don't have to worry when another "bugbear" comes

If it's executable, then quarantine it, it can always be recovered if
there is an error. Delete the quarantine every week and that's the end
of that.....good bye server based AV Software Industry... :-)

PS: John, as always....tks ...:-)
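The quarantine-by-type policy described above (block executable attachments at the relay, keep them recoverable, purge the quarantine weekly), as an added example that is not code from the original post or from the Email Sanitizer project. It uses only the Python standard library, stores quarantined parts in a directory of my own layout (payload file plus a JSON record), and goes one step beyond the extension list in the thread by also checking for the "MZ" header that DOS/PE executables begin with, so a renamed executable is caught too. All names, the directory layout and the sample message are assumptions constructed for the example.

```python
import email
import email.policy
import hashlib
import json
import time
from email.message import EmailMessage
from pathlib import Path

# Extensions the original question names as "questionable"; extend as policy dictates.
BLOCKED_EXTENSIONS = {"exe", "com", "dll", "scr"}
# DOS/PE executables start with the bytes "MZ"; checked so a renamed .exe is still caught.
EXECUTABLE_MAGIC = (b"MZ",)
# The post deletes the quarantine weekly; one week of retention.
RETENTION_SECONDS = 7 * 24 * 3600


def is_executable(filename, payload):
    """True if the attachment is blocked by extension or looks like a PE/DOS executable."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return True
    return any(payload.startswith(magic) for magic in EXECUTABLE_MAGIC)


def quarantine_message(raw_bytes, quarantine_dir, now=None):
    """Parse a raw RFC 2822 message, move executable attachments into
    quarantine_dir, replace each with a plain-text notice, and return
    (sanitized message, list of quarantine ids)."""
    now = time.time() if now is None else now
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    ids = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        if not is_executable(filename, payload):
            continue
        # Content-addressed id: the same file quarantined twice is stored once.
        qid = hashlib.sha256(payload).hexdigest()[:16]
        (qdir / qid).write_bytes(payload)
        record = {"id": qid, "filename": filename, "stored_at": now}
        (qdir / (qid + ".json")).write_text(json.dumps(record))
        # set_content() clears the Content-* headers (including the attachment
        # disposition) and turns the part into an inline notice for the recipient.
        part.set_content(f"Attachment {filename} was quarantined (id {qid}).")
        ids.append(qid)
    return msg, ids


def recover_attachment(quarantine_dir, qid):
    """Return (original filename, bytes) for a quarantined attachment, for the
    'it can always be recovered if there is an error' case."""
    qdir = Path(quarantine_dir)
    record = json.loads((qdir / (qid + ".json")).read_text())
    return record["filename"], (qdir / qid).read_bytes()


def purge_quarantine(quarantine_dir, now=None):
    """Delete quarantine entries older than RETENTION_SECONDS; return the ids removed."""
    now = time.time() if now is None else now
    removed = []
    for meta in Path(quarantine_dir).glob("*.json"):
        record = json.loads(meta.read_text())
        if now - record["stored_at"] >= RETENTION_SECONDS:
            meta.with_suffix("").unlink(missing_ok=True)
            meta.unlink()
            removed.append(record["id"])
    return removed


def build_sample_message():
    """Constructed sample: one harmless text attachment, one .exe, and one
    executable renamed to .jpg (caught by the magic-byte check)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("See attachments.")
    msg.add_attachment("quarterly figures", filename="report.txt")
    msg.add_attachment(b"MZ\x90\x00fake-executable", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"MZ\x90\x00renamed-executable", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    import tempfile
    qdir = tempfile.mkdtemp()
    clean, ids = quarantine_message(build_sample_message(), qdir)
    print(f"quarantined {ids}; delivered message:\n{clean.as_string()}")
```

A relay would call quarantine_message() on each inbound message before handing the sanitized copy to the local MTA, and run purge_quarantine() from a weekly cron job; the content-addressed id means a flood of the same worm attachment costs one file of disk, not thousands.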

-----Original Message-----
From: Mike McCandless [mailto:michael at prismbiz.com] 
Sent: Thursday, 31 October 2002 1:21 AM
To: esd-l at spconnect.com
Subject: [Esd-l] Quarantine/Strip Attachments vs. Virus Scanner

I would like to get some input from the group, maybe from folks who have
used both approaches:

In the context of preventing infection and spread of viruses, what are
the trade-offs between using an approach (like email sanitizer) to
quarantine/strip "questionable" file types, e.g. exe, com, dll, scr,
etc. versus using a virus scanner as a part of the mail acceptance
process, e.g. I've read about something called AMAVIS.

Is the decision more related to whether you're an ISP (customers get
ticked when you delete/quarantine attachments) or a company (the
security organization has more latitude in enforcing email policy)?

I'm currently using postfix and the email sanitizer and it's working

Mike McCandless
michael at prismbiz.com