Nick,

I think your Karma has gone fishing on you :)

I think that when it comes to such things that we are best served by discussing things in these forums.  Scott was a tremendous resource based on his experience with such things, but I'm not convinced that the new staff has any more experience with running things like command line McAfee than we do, and so why not just turn to each other in such cases.

Someone from Declude did ask me a quick question regarding this thread off-list, maybe others were contacted as well, and it would appear that they are evaluating what we have shared and might tweak the default settings.  In any event, many of us around here don't use Declude's default settings anyway.  What's most valuable to me is hearing from people like Andy, Markus and Scott that they have been running a particular way for a particular period of time and had either no issues or some issues so that I can make my own determination.

I don't doubt that the majority of Declude's users never pay attention to this stuff, and they seem to respond appropriately to specific questions regarding functionality, but not necessarily tweaking the software in one's config and that's fine with me.  I also think that the new release has turned the corner as far as bugs and changes are concerned.

Matt



Nick wrote:
On 27 Apr 2005 at 8:55, Scott Fisher wrote:

Thanks Scott - you have some switches I haven't seen !

Also - 

Declude tech support - 

Declude Scott used to make excellent recommendations regarding 
command line switches - can anyone with Declude tech support continue 
with the same? This list used to be a support forum from Declude, but is 
support now only on a per-incident basis?

Thanks!

-Nick



I'm using:
SCANFILE3 D:\VIRUSSCAN\scan.exe /ALL /NOMEM /NOBEEP /NOBREAK /UNZIP
/SILENT /NODDA /MANALYZE /MIME /PANALYZE /PROGRAM /REPORT report.txt

Haven't seen any FPs with /MANALYZE or /PANALYZE
I run PRESCAN OFF and the /MAILBOX isn't needed to find Phish/Links


I sense a frustration with virus protection from you. I think this CPU
intensive process could be improved. If a virus is found with scanner
1, I'd like an option to avoid calling later scanners. While it's good
for comparison's sake, if a virus is found, I don't need 2 other
programs to confirm that. I'd also like to have the PRESCAN ON/OFF
setting moved within the virus scanner definitions. I could then have
one of the scanners scan all of the e-mail, and the less effective
scanner would run with PRESCAN ON. Example:

SCANFILE1 ...
VIRUSCODE1 3
REPORT1 Infection:
PRESCAN1 OFF

SCANFILE2 ...
VIRUSCODE2 13
REPORT2 Found
PRESCAN2 ON


    ----- Original Message ----- 
From: Matt 
To: Declude.Virus@declude.com 
Sent: Tuesday, April 26, 2005 10:53 PM
Subject: [Declude.Virus] Revisiting the McAfee command line arguments

I have searched the archives and come up with nothing specific 
regarding this, but that's not to say that there wasn't a 
discussion. I seem to remember Bill Landry having some of his own
tweaks to the McAfee command line, but I really can't recall.

Anyway, I found that using the published config for McAfee, it was
scanning the boot records; in fact I believe it scans all of them.
Checking the /? output I found that there is a switch to turn this off in the
4.4.00 scan engine, /NOBOOT. From the command line I verified that
this does in fact not scan the MBRs, and my Declude log shows that it
is still detecting viruses. This could be a big improvement for McAfee
if this switch were used; however, I wouldn't recommend doing it without
further discussion or testing.

I also found what appears to be a new switch called /PROGRAM. 
McAfee's notes describe this as, "Scan for potentially unwanted
applications." I turned it on and noted a change in the way that
McAfee was detecting some things. It appears that Declude reports the
first virus found in the report.txt file, and before the change, on some
Netsky viruses, F-Prot would detect an "HTML/[EMAIL PROTECTED]" in the HTML
segment and McAfee would detect "W32/[EMAIL PROTECTED]" in the executable
attachment. After using the /PROGRAM switch, McAfee is now detecting
the exploit in the HTML segment as "potentially unwanted program
Exploit-MIME.gen.c." Here are before and after entries from
my logs of what I assume to be the same virus in different messages:
    Before
    04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: 
    Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
    04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=the 
    W32/[EMAIL PROTECTED] Attachment=message.scr [0] O

    After
    04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: 
    Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
    04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially
    unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0]
    O
I am assuming that McAfee would be (or is) still detecting the virus in the
attachment, but Declude is just logging the first matching
string that is found in the Report.txt, and therefore this would
appear to be a good switch to use.

Based on the above, and assuming that no problems arise as a result of
either switch, it would then be a good idea to modify McAfee's command
line options using the 4.4.00 scan engine (released late last year) to
the following:
    C:\[McAfee Path]\scan.exe /ALL /NOBOOT /NOMEM /NOBEEP /NOBREAK
    /UNZIP /SILENT /NODDA /PROGRAM /REPORT report.txt
There are some other switches that I also came across and don't 
recall seeing before, but may be beneficial. They are as follows along
with some comments on why I think they might be useful, but note that
I have no experience with any of these and am only speculating:

    /TIMEOUT <seconds> - Set the maximum time to spend scanning any
    one file. I'm thinking that this might be a good way to help
    protect a Declude system from overloaded conditions. While Declude
    will time out on a scan, if you are using two virus scanners
    where the first (F-Prot) is more efficient than McAfee, this
    might be a good way to disable the second scanner under high load
    conditions after a reasonable amount of time so as to not
    overwhelm the server as much as without the switch.

    /MAILBOX - Scan inside plain text mailboxes.
    I'm thinking that this might help or be required in order to
    detect phishing and linked viruses based on content patterns.

    /AFC=<cache size> - Set the size of the internal cache used when
    decompressing archive files. I'm thinking that this might be a way
    to prevent decompression bombs, but it might also add overhead. I
    don't know.

    /MIME - Scan inside MIME, UUE, XXE and BinHex files.
    Although Declude decodes attachments before calling the scanners,
    this might provide some backup protection in the event of a
    decoding error. This might also cause additional overhead.

    /ANALYZE - Turn on heuristic analysis for programs and macros.
    /PANALYZE - Turn on program heuristics. I'm not sure what FPs
    either one of these could cause, but some around here do prefer
    tighter controls despite the risk of more FPs, and these might be
    desirable under those conditions. I'm not sure how they differ.

Any comments or experiences would be appreciated.

Thanks,

Matt
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.



-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
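Two questions in this thread can be answered from the Declude virus log itself: Scott's point that the second scanner is often only confirming what the first one found, and Matt's before/after comparison of what McAfee reports once /PROGRAM is on. The script below is an added example, not code from the list, from Declude or from McAfee. It assumes the log line shape shown in Matt's quoted entries (date, time, queue id, "Scanner n:", Virus=, Attachment=, a bracketed code and a flag); the sample log is constructed, and the "HTML/Sample.gen" and "W32/Sample.gen" names are placeholders, with only the Exploit-MIME.gen.c name taken from the thread.

```python
import re
from collections import Counter, defaultdict

# Line shape assumed from the entries quoted in the thread (this regex is an
# assumption, not Declude's documented format):
#   <date> <time> <queue id> Scanner <n>: Virus=<name> Attachment=<att> [<code>] <flag>
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<qid>Q[0-9A-F]+) Scanner (?P<scanner>\d+): "
    r"Virus=(?P<virus>.+?) Attachment=(?P<attachment>.+?) \[(?P<code>\d+)\] (?P<flag>\S+)$"
)

# Constructed sample log. Detection names are placeholders except for the
# "potentially unwanted program Exploit-MIME.gen.c." name quoted in the thread.
SAMPLE_LOG = """\
04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/Sample.gen Attachment=[HTML segment] [0] O
04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=W32/Sample.gen Attachment=message.scr [0] O
04/26/2005 23:05:10 Q00D885AA00904BD7 Scanner 2: Virus=W32/Sample.gen Attachment=message.scr [0] O
04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/Sample.gen Attachment=[HTML segment] [0] O
04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
04/26/2005 23:11:00 Q0264DA3401104E3D Scanner 1: Virus=HTML/Sample.gen Attachment=[HTML segment] [0] O
04/26/2005 23:12:00 Q0264DA3401104E3E Scanner 1 returned 0 (clean)
"""


def parse_log(lines):
    """Return {queue_id: {scanner_number: (virus, attachment)}} for every matching line."""
    hits = defaultdict(dict)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # clean result or unrelated line: nothing to record
        hits[m["qid"]][int(m["scanner"])] = (m["virus"], m["attachment"])
    return dict(hits)


def scanner_overlap(hits, first=1, second=2):
    """Count infected messages caught by both scanners, by the first only, by the second only.

    A high "both" with a near-zero "only_second" means the second scanner is
    mostly confirming the first, which is the CPU cost Scott is questioning.
    """
    counts = {"both": 0, "only_first": 0, "only_second": 0}
    for by_scanner in hits.values():
        a, b = first in by_scanner, second in by_scanner
        if a and b:
            counts["both"] += 1
        elif a:
            counts["only_first"] += 1
        elif b:
            counts["only_second"] += 1
    return counts


def names_by_attachment(hits, scanner):
    """Count (attachment, detection name) pairs reported by one scanner.

    Run over logs from before and after a command-line change to see whether
    the scanner now fires on a different part of the message (for example the
    HTML segment instead of the executable attachment).
    """
    pairs = Counter()
    for by_scanner in hits.values():
        if scanner in by_scanner:
            virus, attachment = by_scanner[scanner]
            pairs[(attachment, virus)] += 1
    return pairs


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG.splitlines())
    print(scanner_overlap(hits))
    for (attachment, virus), n in names_by_attachment(hits, 2).items():
        print(f"scanner 2: {n}x {virus!r} in {attachment}")
```

Point parse_log at a real log file (for example `parse_log(open(path))`) to get the numbers for your own server; the overlap counts show how much the second scanner actually adds, and comparing names_by_attachment output across two log windows shows the kind of shift Matt observed after turning on /PROGRAM.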