Matt, this seems to be interesting.

I was sure I already had the NOBOOT switch in use, but after opening my virus.cfg file I saw that it was only part of my F-Prot config line. So if it works for F-Prot, why shouldn't it work for McAfee's engine too?

The PROGRAM switch also seems interesting, but maybe we should enable it and check for possible false positives. As "potentially unwanted program Exploit-MIME.gen.c" isn't set as forging, there should be a warning for sender, recipient and postmaster, so it should be easy to try it out.

Of the other switches you mentioned, MIME was already part of my McAfee config line. Haven't had any problem with it up to now.

Markus
I've searched the archives and came up with nothing specific regarding this, but that's not to say that there wasn't a discussion. I seem to remember Bill Landry having some of his own tweaks to the McAfee command line, but I really can't recall.

Anyway, I found that using the published config for McAfee, it was scanning the boot records; in fact I believe it scans all of them. Checking the /? output I found that there is a switch to turn this off in the 4.4.00 scan engine, /NOBOOT. From the command line I verified that this does in fact not scan the MBRs, and my Declude log shows that it is still detecting viruses. This could be a big improvement for McAfee if this switch was used, however I wouldn't recommend doing it without further discussion or testing.

I also found what appears to be a new switch called /PROGRAM. McAfee's notes describe this as, "Scan for potentially unwanted applications." I turned it on and noted a change in the way that McAfee was detecting some things. It appears that Declude reports the first virus found in the report.txt file, and before the change, on some Netsky viruses, F-Prot would detect an "HTML/[EMAIL PROTECTED]" in the HTML segment and McAfee would detect "W32/[EMAIL PROTECTED]" in the executable attachment. After using the /PROGRAM switch, McAfee is now detecting the exploit in the HTML segment as "potentially unwanted program Exploit-MIME.gen.c." Here are before and after log entries, without and with the switch, for what I assume to be the same virus in different messages:
Before:
04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=message.scr [0] O

After:
04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
I am assuming that McAfee would/is still detecting the virus in the attachment, but Declude is just simply logging the first matching string that is found in the Report.txt, and therefore this would appear to be a good switch to use.

Based on the above, and assuming that no problems arise as a result of either switch, it would then be a good idea to modify McAfee's command line options using the 4.4.00 scan engine (released late last year) to the following:

C:\[McAfee Path]\scan.exe /ALL /NOBOOT /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /PROGRAM /REPORT report.txt
There are some other switches that I also came across and don't recall seeing before, but may be beneficial. They are as follows, along with some comments on why I think they might be useful, but note that I have no experience with any of these and am only speculating:

/TIMEOUT <seconds> - Set the maximum time to spend scanning any one file.
I'm thinking that this might be a good way to help protect a Declude system from overloaded conditions. While Declude will timeout on a scan, if you are using two virus scanners and where the first (F-Prot) is more efficient than McAfee, this might be a good way to disable the second scanner under high load conditions after a reasonable amount of time so as to not overwhelm the server as much as without the switch.

/MAILBOX - Scan inside plain text mailboxes.
I'm thinking that this might help or be required in order to detect phishing and linked viruses based on content patterns.

/AFC=<cache size> - Set the size of the internal cache used when decompressing archive files.
I'm thinking that this might be a way to prevent decompression bombs, but it might also add overhead. I don't know.

/MIME - Scan inside MIME, UUE, XXE and BinHex files.
Although Declude decodes attachments before calling the scanners, this might provide some backup protection in the event of a decoding error. This might also cause additional overhead.

/ANALYZE - Turn on heuristic analysis for programs and macros.
/PANALYZE - Turn on program heuristics.
I'm not sure what FPs either one of these could cause, but some around here do prefer tighter controls despite the risk of more FPs, and these might be desirable under those conditions. I'm not sure how they differ.

Any comments or experiences would be appreciated.

Thanks,

Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
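As an added example (not from the post, and not Declude's or McAfee's own code), a small Python parser for Declude scanner log lines in the format quoted above: it groups hits by queue id, counts hits per scanner slot, and lists messages whose only detection is a "potentially unwanted program" classification, which is where false positives from /PROGRAM would surface first. The sample log is constructed from the four lines quoted in the post plus one made-up message.

```python
import re
from collections import defaultdict

# Constructed sample: the four Declude lines quoted in the post, plus one made-up
# message (queue id QFFFF000011112222) that only McAfee flagged as a PUP.
SAMPLE_LOG = """\
04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=message.scr [0] O
04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
04/26/2005 23:15:02 QFFFF000011112222 Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
"""

# Field layout as seen in the excerpts: date time queue-id "Scanner N:" Virus=... Attachment=... [code] flag
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<qid>Q[0-9A-F]+) Scanner (?P<scanner>\d+): "
    r"Virus=(?P<virus>.+?) Attachment=(?P<attachment>.+?) \[(?P<code>\d+)\] (?P<flag>\S+)$"
)

PUP_PREFIX = "potentially unwanted program"

def parse_line(line):
    """Return the fields of one scanner log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detections_by_message(log_text):
    """Group scanner hits by queue id, preserving the order they were logged."""
    by_msg = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_msg[rec["qid"]].append(rec)
    return dict(by_msg)

def scanner_counts(by_msg):
    """How many hits each scanner slot (1 = first scanner, 2 = second) logged."""
    counts = defaultdict(int)
    for hits in by_msg.values():
        for h in hits:
            counts[h["scanner"]] += 1
    return dict(counts)

def is_pup(virus_name):
    return virus_name.lower().startswith(PUP_PREFIX)

def review_candidates(by_msg):
    """Queue ids where every hit is a PUP classification: check these by hand after enabling /PROGRAM."""
    return [qid for qid, hits in by_msg.items() if hits and all(is_pup(h["virus"]) for h in hits)]
```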