Re: [Declude.Virus] Second scanner
Just the DOS scanner Dirt cheap if you can find someone to sell it to you. A little spikey on the CPU utilization, but also pretty quick at definitions. - Original Message - From: "David Dodell" <[EMAIL PROTECTED]> To: "Scott Fisher" Sent: Wednesday, November 09, 2005 11:15 PM Subject: [Declude.Virus] Second scanner I use F-Prot 1, McAfee 2, Clam 3 What version of McAfee do you use? David --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Second scanner
Thanks for info and link. I was searching the archives with little success. John From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Friday, November 04, 2005 9:09 AMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] Second scanner I suppose that I might be obligated to answer this one.The short answer is that F-prot is the fastest, followed closely by Clam-AV in daemon mode, followed by McAfee followed by Clam-AV in non-daemon mode. EXITSCANONVIRUSDETECT ON shouldn't make much of a difference except for viruses that mail extraodinarily frequently as was the case a few times in the past, but viruses are such a small percentage of your overall mail volume that it shouldn't cause a noticeable change otherwise. I did test with PRESCAN OFF and found with two scanners, F-Prot and McAfee, that the CPU utilization went up by almost 50%, so this isn't recommended unless you have plenty of head room.For details of my tests on the scanners: http://www.mail-archive.com/declude.virus@declude.com/msg09001.htmlMattJohn Carter wrote: This raises a question(s): Has anyone done any real testing of which AVs (in relation to Declude) perform the best, use the least resources, what is the best scanning order, and how many to use (how many is too many and what is the point of diminishing returns)? I realize something like this could drive you drink, but the idea of having the most effective (most hits for least resources used)AV as one, then second best next, etc. (along with EXITSCANONVIRUSDETECT ON) is appealing. John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hirthe, Alexander Sent: Friday, November 04, 2005 8:09 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner I run both, AVG as second, Clam as third (and F-Prot as first) -Original Message- From: Kaj Søndergaard Laursen [mailto:[EMAIL PROTECTED]] Sent: Friday, November 04, 2005 2:51 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: 4. november 2005 07:22 To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner I use AVG as the second scanner and am happy with the results. Me too... I have not tried the windows version of ClamAV - the cygwin version did not run well in my setup. Regards, Kaj --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second scanner
I use F-Prot 1, McAfee 2, Clam 3 I use the Cygwin version of clam with runclamd and runclamscan. You'll find those at http://www.smartbusiness.net/imail/declude/ runclamd runs clam as a service. much faster. runclamscan returns a virus name to Declude Don't forget this is allowable: # # (2.0.6.16) This new directive, when added to the virus.cfg file, will cause Declude to stop calling # the remaining scanners after a virus has been detected. This directive has meaning only when there # is more than one scanner listed in the configuration file. The default behavior is for Declude to # call all scanners. # # EXITSCANONVIRUSDETECT ON As mentioned Prescan OFF will catch a majority of phishing attempts thought you will pay a performance penalty. # # Declude Virus Pro can pre-scan HTML files. If no dangerous code is detected, the # virus scanner will not get called. This can significantly cut down on CPU usage. # PRESCAN OFF - Original Message - From: "David Dodell" <[EMAIL PROTECTED]> To: Sent: Thursday, November 03, 2005 11:24 PM Subject: [Declude.Virus] Second scanner After many years of using Virus Standard, I upgraded to Virus Pro to take advantage of a second scanner. I've scanned the previous threads on what others like for a second scanner to F-Prot, but can't seem to find any common thread ... So I would appreciate what seems to be the next most popular virus scanner to run as a secondary scanner to F-Prot? David --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second scanner
Oh, one quick follow up. AVG at some point after that test made some changes and ruined their results. This caused me to remove that scanner. I haven't revisited this testing since then so I am just assuming that AVG is slower than it showed there. Also, there was a follow up to that thread where Clam-AV in daemon mode was tested and found to be a very close second to F-Prot. Matt John Carter wrote: This raises a question(s): Has anyone done any real testing of which AVs (in relation to Declude) perform the best, use the least resources, what is the best scanning order, and how many to use (how many is too many and what is the point of diminishing returns)? I realize something like this could drive you drink, but the idea of having the most effective (most hits for least resources used)AV as one, then second best next, etc. (along with EXITSCANONVIRUSDETECT ON) is appealing. John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hirthe, Alexander Sent: Friday, November 04, 2005 8:09 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner I run both, AVG as second, Clam as third (and F-Prot as first) -Original Message- From: Kaj Søndergaard Laursen [mailto:[EMAIL PROTECTED]] Sent: Friday, November 04, 2005 2:51 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: 4. november 2005 07:22 To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner I use AVG as the second scanner and am happy with the results. Me too... I have not tried the windows version of ClamAV - the cygwin version did not run well in my setup. Regards, Kaj --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second scanner
I suppose that I might be obligated to answer this one. The short answer is that F-prot is the fastest, followed closely by Clam-AV in daemon mode, followed by McAfee followed by Clam-AV in non-daemon mode. EXITSCANONVIRUSDETECT ON shouldn't make much of a difference except for viruses that mail extraodinarily frequently as was the case a few times in the past, but viruses are such a small percentage of your overall mail volume that it shouldn't cause a noticeable change otherwise. I did test with PRESCAN OFF and found with two scanners, F-Prot and McAfee, that the CPU utilization went up by almost 50%, so this isn't recommended unless you have plenty of head room. For details of my tests on the scanners: http://www.mail-archive.com/declude.virus@declude.com/msg09001.html Matt John Carter wrote: This raises a question(s): Has anyone done any real testing of which AVs (in relation to Declude) perform the best, use the least resources, what is the best scanning order, and how many to use (how many is too many and what is the point of diminishing returns)? I realize something like this could drive you drink, but the idea of having the most effective (most hits for least resources used)AV as one, then second best next, etc. (along with EXITSCANONVIRUSDETECT ON) is appealing. John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hirthe, Alexander Sent: Friday, November 04, 2005 8:09 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner I run both, AVG as second, Clam as third (and F-Prot as first) -Original Message- From: Kaj Søndergaard Laursen [mailto:[EMAIL PROTECTED]] Sent: Friday, November 04, 2005 2:51 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: 4. november 2005 07:22 To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner I use AVG as the second scanner and am happy with the results. Me too... I have not tried the windows version of ClamAV - the cygwin version did not run well in my setup. Regards, Kaj --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second scanner
Matt has done this - it is in the Archives - -Nick John Carter wrote: This raises a question(s): Has anyone done any real testing of which AVs (in relation to Declude) perform the best, use the least resources, what is the best scanning order, and how many to use (how many is too many and what is the point of diminishing returns)? I realize something like this could drive you drink, but the idea of having the most effective (most hits for least resources used)AV as one, then second best next, etc. (along with EXITSCANONVIRUSDETECT ON) is appealing. John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hirthe, Alexander Sent: Friday, November 04, 2005 8:09 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner I run both, AVG as second, Clam as third (and F-Prot as first) -Original Message- From: Kaj Søndergaard Laursen [mailto:[EMAIL PROTECTED]] Sent: Friday, November 04, 2005 2:51 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: 4. november 2005 07:22 To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner I use AVG as the second scanner and am happy with the results. Me too... I have not tried the windows version of ClamAV - the cygwin version did not run well in my setup. Regards, Kaj --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Second scanner
This raises a question(s): Has anyone done any real testing of which AVs (in relation to Declude) perform the best, use the least resources, what is the best scanning order, and how many to use (how many is too many and what is the point of diminishing returns)? I realize something like this could drive you drink, but the idea of having the most effective (most hits for least resources used)AV as one, then second best next, etc. (along with EXITSCANONVIRUSDETECT ON) is appealing. John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander Sent: Friday, November 04, 2005 8:09 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Second scanner I run both, AVG as second, Clam as third (and F-Prot as first) > -Original Message- > From: Kaj Søndergaard Laursen [mailto:[EMAIL PROTECTED] > Sent: Friday, November 04, 2005 2:51 PM > To: Declude.Virus@declude.com > Subject: RE: [Declude.Virus] Second scanner > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) > > Sent: 4. november 2005 07:22 > > To: Declude.Virus@declude.com > > Subject: RE: [Declude.Virus] Second scanner > > > > I use AVG as the second scanner and am happy with the results. > > Me too... > > I have not tried the windows version of ClamAV - the cygwin version > did not run well in my setup. > > Regards, > > Kaj > --- > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > > > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Second scanner
I run both, AVG as second, Clam as third (and F-Prot as first) > -Original Message- > From: Kaj Søndergaard Laursen [mailto:[EMAIL PROTECTED] > Sent: Friday, November 04, 2005 2:51 PM > To: Declude.Virus@declude.com > Subject: RE: [Declude.Virus] Second scanner > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) > > Sent: 4. november 2005 07:22 > > To: Declude.Virus@declude.com > > Subject: RE: [Declude.Virus] Second scanner > > > > I use AVG as the second scanner and am happy with the > > results. > > Me too... > > I have not tried the windows version of ClamAV - the cygwin > version did not run well in my setup. > > Regards, > > Kaj > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > > > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second scanner
I use Mcafee and it has been great they tend to be amoung the top for getting updates out quick. However, it is very resource intensive. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Declude Log Parsers. David Dodell writes: After many years of using Virus Standard, I upgraded to Virus Pro to take advantage of a second scanner. I've scanned the previous threads on what others like for a second scanner to F-Prot, but can't seem to find any common thread ... So I would appreciate what seems to be the next most popular virus scanner to run as a secondary scanner to F-Prot? David --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Second scanner
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) > Sent: 4. november 2005 07:22 > To: Declude.Virus@declude.com > Subject: RE: [Declude.Virus] Second scanner > > I use AVG as the second scanner and am happy with the > results. Me too... I have not tried the windows version of ClamAV - the cygwin version did not run well in my setup. Regards, Kaj --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Second scanner
Second the motion on ClamAV. Being free and very good against phishing, I would definitely consider it. It can be a bit of a memory hog (just a spike), there is a persistent mode that helps that. John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Lanard Sent: Friday, November 04, 2005 7:27 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Second scanner When I upgraded to the pro version, I added ClamAV for phishing attempts (be sure to use the PRESCAN OFF directive) and AVG. The implementation of ClamAV for windows I used can be found at, ClamAV http://www.sosdg.org/clamav-win32/index.php David Dodell wrote: > After many years of using Virus Standard, I upgraded to Virus Pro to > take advantage of a second scanner. I've scanned the previous > threads on what others like for a second scanner to F-Prot, but can't > seem to find any common thread ... > > So I would appreciate what seems to be the next most popular virus > scanner to run as a secondary scanner to F-Prot? > > David > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > --- > [This E-mail was scanned for viruses by the University of Georgia SBDC Email System.] > > -- Richard Lanard Information Technology Support University of Georgia Business Outreach Services /SBDC 1180 East Broad Street - Chicopee Complex Athens, Ga 30602-5412 phone: (706) 542-6774 fax: (706) 542-6776 [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by the University of Georgia SBDC Email System.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second scanner
When I upgraded to the pro version, I added ClamAV for phishing attempts (be sure to use the PRESCAN OFF directive) and AVG. The implementation of ClamAV for windows I used can be found at, ClamAV http://www.sosdg.org/clamav-win32/index.php David Dodell wrote: After many years of using Virus Standard, I upgraded to Virus Pro to take advantage of a second scanner. I've scanned the previous threads on what others like for a second scanner to F-Prot, but can't seem to find any common thread ... So I would appreciate what seems to be the next most popular virus scanner to run as a secondary scanner to F-Prot? David --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by the University of Georgia SBDC Email System.] -- Richard Lanard Information Technology Support University of Georgia Business Outreach Services /SBDC 1180 East Broad Street - Chicopee Complex Athens, Ga 30602-5412 phone: (706) 542-6774 fax: (706) 542-6776 [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by the University of Georgia SBDC Email System.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second scanner
Hi David, Mcafee is one - the command line scanner is only $11 - if you can find a vendor to sell it to you. ClamAV is another choice and its free. I use it w/clamd. http://www.sosdg.org/clamav-win32/index.php I use all three.. -Nick David Dodell wrote: After many years of using Virus Standard, I upgraded to Virus Pro to take advantage of a second scanner. I've scanned the previous threads on what others like for a second scanner to F-Prot, but can't seem to find any common thread ... So I would appreciate what seems to be the next most popular virus scanner to run as a secondary scanner to F-Prot? David --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Second scanner
I use AVG as the second scanner and am happy with the results. I like BitDefender as they publish updates on average a dozen or more times per day, but it is more resource costly. John T eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of David Dodell > Sent: Thursday, November 03, 2005 9:25 PM > To: declude.virus@declude.com > Subject: [Declude.Virus] Second scanner > > After many years of using Virus Standard, I upgraded to Virus Pro to > take advantage of a second scanner. I've scanned the previous > threads on what others like for a second scanner to F-Prot, but can't > seem to find any common thread ... > > So I would appreciate what seems to be the next most popular virus > scanner to run as a secondary scanner to F-Prot? > > David > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
> Forgive me if I'm naive, but what does a local virus scanner have to > do with TCP/IP? I'll write how I understand it. In the case being discussed we have ClamD running as a service under Windows. When clamdscan is called to actually scan a file then that instance of clamdscan communicates with ClamD which is already resident. Because ClamD is running and listening then this makes the scanning process faster since some functions are already in memory awaiting service. But in order for this to occur ClamD has to be "listening" for a request from the calling program. Normally the service establishes a socket - meaning a hole punched through the OS - to allow such communication to occur. However, for ClamD in the configuration file there is an option to bind the service to a specific IP address and a specific port assignment. For greater security 127.0.0.1 is the default address. But the service could be bound to another IP address. I don't know why this might solve "stability problems" on some versions of windows but that's the message in the conf and somethng I was advised to try from my forum posting. Since the error I was seeing in the ClamD log file was an error with accept() it seemed reasonable to me to try it. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Second Scanner
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Terry Fritts > Sent: 6. juni 2005 21:40 > To: David Sullivan > Subject: Re: [Declude.Virus] Second Scanner > > If you also want to try this find clamd.conf (usually in > C:\clamav-devel\etc) and open in an editor. Change the following in > clamd.conf: > > Comment out with # the lines: >LocalSocket /cygdrive/c/clamav-devel/clamd.sock >FixStaleSocket yes > Uncomment the lines: >TCPSocket 3310 >TCPAddr 127.0.0.1 In my version of clamd.conf (just downloaded and installed, thanks for the info that made me try ClamAV Terry) it says # UNCOMMENT THE FOLLOWING TWO OPTIONS IF YOU WANT # CLAMAV TO RUN IN TCP/IP MODE, WHICH MAY SOLVE SOME # STABILITY ISSUES ON SOME VERSIONS OF WINDOWS # before the TCPSocket and TCPAddr lines Regards, Kaj --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
> it looks like the genesis of the problem is that clam started > timing out. It may be but I haven't been able to force it to happen so far. For me this is the first instance of this in more than one year. I am suspicious that it could be a Windows socket issue which is why I've changed the clamd.conf settings. If you also want to try this find clamd.conf (usually in C:\clamav-devel\etc) and open in an editor. Change the following in clamd.conf: Comment out with # the lines: LocalSocket /cygdrive/c/clamav-devel/clamd.sock FixStaleSocket yes Uncomment the lines: TCPSocket 3310 TCPAddr 127.0.0.1 Restart clamd by Stopping Runclamd and then restarting. Since you've had more occurrences it may be a better test. > As I mentioned, a completely separate process that copies my Sniffer > .snf file onto the same drive failed with a "could not copy file" > error That's very interesting although I'm uncertain what it may mean. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
> I do have some weird log lines on one of the machines: Those look okay to me. > There are 57 on one box and 80 on another. Every time I click on of > the files, I get a simple "Access Denied" error even though ALL clam > processes are stopped and I'm running under a Domain Admin account. These exist because the scanner never completed and the files are owned by SYSTEM. You'll have to select them - right click - and change the owner to your Admin account so you can then change the permissions to delete them. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
I am not real clear on this thread - but if it has to do with clamd - it w/Declude no question has a problem in Windows. I have stopped using it - it may take a week or even a month but it will crash... -Nick Terry Fritts wrote: I can't find anything in the event or application logs that looks bad around this time either. I can't either. I've switched my clamd.conf file settings to run on TCP/IP rather than local socket. In the clamd.log file there were accept() errors recorded when this occurs which is a socket command error. I don't know that running in TCP/IP will help but the conf file says it can help some stability issues on windows servers. I also see that once this starts the other scanners never get a return either - not sure why that would be. --- Terry --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
> I can't find anything in the event or application logs that looks bad > around this time either. I can't either. I've switched my clamd.conf file settings to run on TCP/IP rather than local socket. In the clamd.log file there were accept() errors recorded when this occurs which is a socket command error. I don't know that running in TCP/IP will help but the conf file says it can help some stability issues on windows servers. I also see that once this starts the other scanners never get a return either - not sure why that would be. --- Terry --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
> At one point on each > machine started getting these errors in the Declude Virus file: > > 06/04/2005 14:06:54 Qed820cb43917 ERROR: Virus scanner 2 didn't > finish after 60 seconds; terminating. > 06/04/2005 14:06:54 Qed820cb43917 WARNING: Couldn't remove .vir > directory o:\spool\Ded820cb43917.vir\: SHARING VIOLATION. > 06/04/2005 14:06:54 Qed820cb43917 Likely problem: An on-access > scanner is interfering; disable or set not to scan subdirectories off > of \IMail\spool. we had this happen this morning. I think it has to do with the number of processes at one time. I'm taking a look at it today. --- Terry --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
McAfee isn't a CPU hog, it's just that F-Prot is miles ahead of any other command line scanner in terms of performance. The only thing that touches the performance of F-Prot is running ClamAV in daemon mode, but it's understandable that running a virus scanner as a service would be more efficient. Running ClamAV as a command line/launched scanner will net even worse results than McAfee. In my testing I found that McAfee was actually the third fastest option behind F-Prot and ClamAV in daemon mode. All of the other scanners that I tested were slower and required more CPU. McAfee is also generally much more reliable than F-Prot and ClamAV, and in my experience it is also more reliable than AVG, but I can't speak for the others. The only strike against ClamAV in my book is that it isn't operated by a large corporation and likely lacks the same degree of testing prior to launching new definitions as has been evidenced a couple of times, and of course it was developed originally for Linux. Matt Douglas Cohn wrote: Mcafee is a CPU HOG. Uses double the CPU of Fprot. I have a low powered machine and cannot even run Mcafee but fprot is no problem. Both is unreal. This is the mcafee command line scanner. The declude archive includes a Wget updater that works fine. I use a 4NT update script but the Wget is probably better I have just been too lazy to change it back. Of course you will not that the Website clearly states you are required to have a license to mcafee before you use this code which is readily available to all. You can also download the daily dats which are considered BETA quality but that's fine with me. Unluckily I do not use the with declude because smartermail and mcafee are just more than the measly server I have this one can handle. Luckily Smartermail and fprot are working just fine with declude and I have nothing to complain about (ESPECIALLY SINCE I GOT RID OF THAT IMAIL --- Blech). Here is a mcafee command line scanner. ftp://ftp.nai.com/CommonUpdater/ Download the latest superdat (sdat.exe) file from the Network Associates ftp site. Now you must unpack it using the "/e" parameter. From the mcafee folder, run sdat.exe /e (where is the version number, for example sdat4290.exe). When unpacking you don't see anything happen for about 20 seconds, just wait for it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher Sent: Thursday, June 02, 2005 6:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Second Scanner Matt posted speed comparison's I'd say about a year ago. I use F-Prot ClamAV and McAfee - Original Message - From: "David Sullivan" <[EMAIL PROTECTED]> To: Sent: Thursday, June 02, 2005 4:50 PM Subject: [Declude.Virus] Second Scanner I know this comes up every now and then, but the last thread I can find is from May 2004. I was interested in what folks were using as a second scanner aside from F-Prot. I've heard AVG is good but slow, Kaspersky fast with updates but expensive, MacAfee good but hard to get a command line. I thought someone had posted some stats about this but can't find them. Any suggestions? -- Best regards, David mailto:[EMAIL PROTECTED] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.Virus] Second Scanner
Mcafee is a CPU HOG. Uses double the CPU of Fprot. I have a low powered machine and cannot even run Mcafee but fprot is no problem. Both is unreal. This is the mcafee command line scanner. The declude archive includes a Wget updater that works fine. I use a 4NT update script but the Wget is probably better I have just been too lazy to change it back. Of course you will not that the Website clearly states you are required to have a license to mcafee before you use this code which is readily available to all. You can also download the daily dats which are considered BETA quality but that's fine with me. Unluckily I do not use the with declude because smartermail and mcafee are just more than the measly server I have this one can handle. Luckily Smartermail and fprot are working just fine with declude and I have nothing to complain about (ESPECIALLY SINCE I GOT RID OF THAT IMAIL --- Blech). Here is a mcafee command line scanner. ftp://ftp.nai.com/CommonUpdater/ Download the latest superdat (sdat.exe) file from the Network Associates ftp site. Now you must unpack it using the "/e" parameter. From the mcafee folder, run sdat.exe /e (where is the version number, for example sdat4290.exe). When unpacking you don't see anything happen for about 20 seconds, just wait for it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, June 02, 2005 6:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Second Scanner Matt posted speed comparison's I'd say about a year ago. I use F-Prot ClamAV and McAfee - Original Message - From: "David Sullivan" <[EMAIL PROTECTED]> To: Sent: Thursday, June 02, 2005 4:50 PM Subject: [Declude.Virus] Second Scanner >I know this comes up every now and then, but the last thread I can > find is from May 2004. > > I was interested in what folks were using as a second scanner aside > from F-Prot. I've heard AVG is good but slow, Kaspersky fast with > updates but expensive, MacAfee good but hard to get a command line. > > I thought someone had posted some stats about this but can't find > them. Any suggestions? > > -- > Best regards, > David mailto:[EMAIL PROTECTED] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
> I also use Terry's runclamscan with no issues. That's good to hear. Runclamscan is just a wrapper to return the correct virus name to Declude. It would be better really if Declude would modify their code to accommodate ClamAV's reporting. Then there would not be a need for the intermediate runclamscan wrapper. And the fewer programs to call the better. So if anyone from Declude is listening I think that would be a nice feature for them to include in some future release. > I have had rare email melt downs when I was running runclamd. The only real thing runclamd is supposed to do is to keep the clamdscan service running on windows without anyone logged on to the machine. There are other programs that do this just as well so don't hesitate to use them if you think runclamd might be causing problems. I have had 3 basic problems with ClamAV: 1) when the ClamAV program itself changes - or changes with cygwin stuff 2) there was an issue with one of the sosdg versions that reported an unexpected return code - but that's a while back 3) some issues with the installation that caused file ownership problems Otherwise we've enjoyed really good results with it. As has been mentioned it does a great job on the phishing exploits and it often picks up a few other things that FPROT misses. With clamdscan we get scanning speeds very similar to FPROT. (I know on this because on our XMAIL server we track the speeds for FPROT as we do ClamAV) Brian Burns of sosdg.org deserves a lot of credit for his work on ClamAV for windows. --- Terry Fritts --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
> It took a reboot of both machines to fix the problem. On one I had 288 > process running which fouls everything else up. Clam is SCANNER2 > > Any ideas? What did the runclamscan log report if anything? What kind of times are you seeing in it for the actual scanning? The only time I've had anything similar happen had to do with ownership of the files and folders. It seems to me I may have had to change the ownership of the virus folder but I don't recall now. --- Terry --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
One last ClamAV comment... I've added the command line switch --max-ratio 0 I've had some false positives on some .zip files that forced me to add the switch. - Original Message - From: "Terry Fritts" <[EMAIL PROTECTED]> To: "David Sullivan" Sent: Thursday, June 02, 2005 5:52 PM Subject: Re: [Declude.Virus] Second Scanner I was interested in what folks were using as a second scanner aside from F-Prot. ... I thought someone had posted some stats about this but can't find them. Any suggestions? ClamAV - http://www.sosdg.org/clamav-win32/index.php Get my utilities: runclamd, runclamdscan http://www.smartbusiness.com/imail/declude/ Set up a scheduled task to periodically run freshclam to keep the database update. Works extremely well for us. --- Terry Fritts --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
> How can I figure out if freshclam is grabbing the latest defs? I set up a scheduled task update_clamav to run every 2 hours or so: start in: c:\clamav-devel\bin\ run: freshclam.exe --quiet -l c:\clamav-devel\log\freshclam.log Then I can check the freshclam.log file. > I have "Rundclamd" running as a service under LocalSystem. Should I > set the startup type to "Automatic" or leave it at "Manual"? Mine is set to automatic. > If I leave it on "Manual" do I need to rerun "runclamd -start" after > a reboot? Yes. The point of runclamd is to be able to use clamdscan (the daemon or service) rather than clamscan. runclamd has a log too. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
> I was interested in what folks were using as a second scanner aside > from F-Prot. ... I thought someone had posted some stats about this > but can't find them. Any suggestions? ClamAV - http://www.sosdg.org/clamav-win32/index.php Get my utilities: runclamd, runclamdscan http://www.smartbusiness.com/imail/declude/ Set up a scheduled task to periodically run freshclam to keep the database update. Works extremely well for us. --- Terry Fritts --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second Scanner
Matt posted speed comparison's I'd say about a year ago. I use F-Prot ClamAV and McAfee - Original Message - From: "David Sullivan" <[EMAIL PROTECTED]> To: Sent: Thursday, June 02, 2005 4:50 PM Subject: [Declude.Virus] Second Scanner I know this comes up every now and then, but the last thread I can find is from May 2004. I was interested in what folks were using as a second scanner aside from F-Prot. I've heard AVG is good but slow, Kaspersky fast with updates but expensive, MacAfee good but hard to get a command line. I thought someone had posted some stats about this but can't find them. Any suggestions? -- Best regards, David mailto:[EMAIL PROTECTED] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.