Title: Message
Sounds like it's worth a test and some monitoring just to see if there is a measurable difference in mail scanning activities.

Thanks for sharing.

Matt



Colbeck, Andrew wrote:
I should have also mentioned that the script first makes a list of the files to scan, then tells scan.exe to scan the files in the list.
 
I don't just tell scan.exe to scan the folder (if I had, I could buy the behaviour of reading the directory over and over again).
 
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Monday, February 07, 2005 10:54 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] McAfee and POP3 service crash

I don't mean scanning the files in the root repetitively.  In particular, FileMon was showing me that scan.exe was READing D:\ (as opposed to OPEN, CLOSE, QUERY INFORMATION, or SET INFORMATION - all of which are other request types that FileMon can log). 
 
Actually, it might have been D: instead of D:\ ... I'm not sure now.  My conclusion was that it was re-reading the contents of the directory over and over.  As you suggest, using the /exclude parameter to excerpt the root of the drive may have helped.
 
The scan.exe file is dated October 2004, and my script was certainly working before and after that date, so it is also possible that a hotfix applied in late December or early January changed the behaviour of some API that scan.exe uses; I really don't know how much a DAT file can control the scanning behaviour, but the DATs are the only part of the McAfee client that changed!
 
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, February 07, 2005 10:35 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee and POP3 service crash

Andrew,

When you say "reading the root of the drive" do you mean the boot sector, or the files contained in the root of C: or the drive that was defined in the command line?  And also just to clarify, "reading" in this case meaning "scanning", correct?

Seems like being able to turn that off, or at least remove files from the root might make a big performance difference when you have high volume.

Thanks,

Matt



Colbeck, Andrew wrote:
FWIW, I recently ran into a weirdness with McAfee; I use the daily dat
download (engine plus dats), and have done so for some months.  What I do is
for reporting completeness, I do a nightly scan of my spam folder to
find out how many viruses were caught as spam.

January didn't work, and I didn't notice for most of the month.  What
was happening was that the script was taking forever, and not completing
before the script ran again the next night.

I copied my spam folder to my local machine and ran the script again,
with much the same result.  I ran Sysinternals.com's FileMon and found
that McAfee's scan.exe was reading the current folder and the root of
the drive bazillions of times.  With a small-ish corpus, these
extraneous reads made no difference to the scan time.  With a large
number of files in a directory with a very large number of files, the
scan wasn't worth running.

So just at the end of last week, I modified the script to use F-Prot
instead of McAfee, and that has been working fine.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Monday, February 07, 2005 7:04 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee and POP3 service crash


Although I cannot explain the cause of the issues you've seen, I would
suggest that you upgrade your scan engine:
http://www.mcafeesecurity.com/us/downloads/default.asp?wt.mc_n=us_updates&wt.mc_t=ext_li_con&cid=10373.
Download and run the SuperDat file, which contains the latest dat and
engine updates (version 4400\4426).

Bill
----- Original Message ----- 
From: "Matt" <[EMAIL PROTECTED]>
To: <Declude.Virus@declude.com>
Sent: Monday, February 07, 2005 6:27 AM
Subject: [Declude.Virus] McAfee and POP3 service crash


  
I've never seen this before, but beginning on Saturday morning, I
started getting appearances of "Application Error" in my Event Log
about McAfee:


Faulting application Scan.exe, version 4.3.2.0, faulting module 
mcscan32.dll, version 4.3.2.0, fault address 0x0001cfd0.


Then this morning the POP3 service started also giving errors in 
addition to McAfee:


Faulting application POP3d32.exe, version 12.11.9.8, faulting module 
POP3d32.exe, version 12.11.9.8, fault address 0x00010bcb.


The POP3 service had in fact crashed and it needed to be restarted (I
rebooted just to be safe).  I believe that this is the first time that
I have ever seen the POP3 service crash.  Although I don't believe
that POP3 has any direct relationship to McAfee on my server
since that app is only used as a command line scanner, I'm quite
suspicious of this causing the issue.

Has anyone else seen either one of these errors on their systems?

Thanks,

Matt

--

=====================================================

MailPure custom filters for Declude JunkMail Pro.

http://www.mailpure.com/software/

=====================================================

    

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.


  
