RE: [Declude.Virus] Scanner Efficiency Olympics

2004-04-01 Thread John Tolmachoff (Lists)
Thanks for that in-depth work. It helps to clear things up.

Now, go to sleep. I know you are not on the West coast, and it is already
midnight here.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Matt
 Sent: Wednesday, March 31, 2004 11:48 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] Scanner Efficiency Olympics
 
 I tested a bunch of AV scanners with Declude trying to figure out what
 the most efficient scanners were.
 
 I tested for both the time from start to completion, and also the
 average and peak processor utilization of the first instance as tracked
 by performance monitor.  Note that the longer that the process lives,
 the more likely it is to be tracked by performance monitor and the
 higher the processor utilization.  The times come from Declude logs at
 debug level.  I tested 8 different scanners; F-Prot, AVG, McAfee,
 ClamAV, BitDefender, eTrust, Sophos and Kaspersky.  Here's what I found
 for those that were worth tracking or capable of being tracked:
 
 Scanner    Avg. Time      Avg. Processor%    Peak%

 F-Prot     0.1 seconds    0.482%             4.688%
 AVG        0.5 seconds    0.934%             52.316%
 McAfee     0.6 seconds    0.900%             73.433%
 ClamAV     1.0 seconds    2.303%             100.000%
 
 
 F-Prot is amazing.  If this was a horse race, they won by 20 lengths.  I
 formerly thought that AVG was inefficient and inappropriate for mail
 server virus scanning, but they pretty much share the second spot with
 McAfee, maybe even nudging them out by a hair.  ClamAV was tested with
 Clamd running, and while it doesn't come close to the other three, it
 outperforms the other 4 virus scanners that I tested.
 
 Note that in reality it shouldn't take even a half second to scan a
 short mail file, and the times shown are more so a reflection of both
 scanning and something else that's going on (who knows).  On larger
 files the difference in time almost disappears.  Longer times do though
 increase contention on busy systems and should be avoided whenever
possible.
 
 Now for the dogs...
 
 
 Kaspersky - It takes 3.0 seconds for this scanner to complete, no clue
 as to why.  Although the stats aren't shown, it was obvious that it was
 noticeably less processor efficient than the ones indicated above and
 therefore it isn't a good candidate for command line mail scanning
 unless you have plenty of extra processor capacity and no plans on
 increasing traffic.
 
 Sophos - Takes 2.0 seconds to complete a scan, and was noticeably less
 processor efficient than the top 4 so I didn't bother getting stats.  On
 install, the real-time component was immediately started and turning
 this off was not intuitive, nor was the updating mechanism (works as a
 client/server installation).
 
 eTrust - Formerly VET, now owned by Computer Associates and sold as a
 replacement for their Inoculate product line.  I couldn't get Declude to
 detect a return code.  Customer service refused to provide
 direction/confirmation and indicated that it wasn't multi-processor
 capable.  Seemed to be a very fast scanner though.
 
 BitDefender - DOS version gave me page faults when called from Win2K.
 Free Windows version didn't respond to a command line configuration.
 File Server version installed a real-time component without an option to
 not install it, and it started it immediately which conflicted with
 NAV.  The uninstall process took about 10 minutes to complete because
 the processors were pegged due to the conflict.  The software looked
 nice, though it is expensive if this is the version that is necessary.
 I didn't care to test it after experiencing the installation/conflict
issue.
 
 I skipped over some of the other scanners because they weren't listed
 with a 'report' configuration, though some of them might be contenders
 aside from the lack of functionality.
 
 The bottom line is that F-Prot should be the default choice for Declude
 as a primary scanner, and it seems like there are only two scanners that
 one might consider for a second scanner; AVG or McAfee.  Beyond that, if
 you are at all concerned about speed, efficiency, and reporting
 capabilities, there doesn't seem to be any good choices.  The fact
 though that F-Prot spanks everyone suggests that even AVG and McAfee
 have a lot of room for improvement.
 
 Matt
 
 --
 =
 MailPure custom filters for Declude JunkMail Pro.
 http://www.mailpure.com/software/
 =
 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type "unsubscribe Declude.Virus".  The archives can be found
 at 

RE: [Declude.Virus] Using a BitDefender scanner

2004-04-01 Thread Markus Gufler

 It looks like the BitDefender Free Edition includes the 
 command line scanner and excludes on-demand scanning.  Just 
 what's needed for this application.

Unfortunately the free DOS edition does not return any error code. So it's
not possible to use it at the moment. 

I've asked Bitdefender support around 6 months ago if they can add
error codes to the DOS edition. The answer was yes for the next release.
There was no new release until now for the free DOS edition.

Two weeks ago I've asked Wolfgang (Developer of SpamChk) if he can ask
Bitdefender because he's a Bitdefender reseller.

My initial interest for this engine was because
A.) the DOS engine is free
B.) I've read an AV-engine test and Bitdefender has had good results


Now after six months without any new release for the DOS edition I don't
know if this engine is able to detect all new viruses. (Note that most other
AV engines have released several engine updates in the last months.)
I assume also that the DOS edition is a 16bit application and so not really
performant on 32bit operating systems.


Using the Standard or Professional Edition with prices around 30 - 40 USD /
year seems to work but I haven't tested it yet.

At http://www.bitdefender.com/bd/site/buy.php they have licenses for
different Mailservers. All prices are based on the number of users,
beginning at 119 USD/year for 10 Users up to 665 USD/year for 100 users.

Markus




RE: [Declude.Virus] Scanner Efficiency Olympics

2004-04-01 Thread Markus Gufler

 Scanner    Avg. Time      Avg. Processor%    Peak%

 F-Prot     0.1 seconds    0.482%             4.688%
 AVG        0.5 seconds    0.934%             52.316%
 McAfee     0.6 seconds    0.900%             73.433%
 ClamAV     1.0 seconds    2.303%             100.000%

Great work. Thank you!

Regarding F-Prot, McAfee and ClamAV I can confirm this from my observations.


However some months ago I've seen certain rare days where McAfee (I assume)
has caused extraordinarily high CPU usage. Without finding any solution other than
temporarily disabling this engine, this behavior disappeared the next day and
so I assumed that it was caused by the daily (beta) updates from McAfee. Last
months I haven't seen this problem anymore.

Markus




Re: [Declude.Virus] Using a BitDefender scanner

2004-04-01 Thread R. Scott Perry

I've been testing all sorts of scanners and I couldn't get the free 
versions of BitDefender to work.

We did some testing with it, and couldn't get the DOS version to even run
on NT or 2000 (it kept crashing as soon as it was started, but it would 
work on other OS's).  However, the Windows version worked fine (the 
settings were recently added to the Declude Virus manual).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.Virus] Netsky.P Occasionally Slips through?

2004-04-01 Thread R. Scott Perry

Actually, I am running the newest F-Prot, and they're still slipping 
through. Winzip opens these files just fine as well, and Symantec Corp 
seems to be able to scan and detect the issue without any problems. They 
keep rolling in, makes me a little nervous, and customers sure hate it.

Given that you have 3 virus scanners, and only one (F-Prot) sees any
problems, and it doesn't even detect a virus, it sounds like this isn't 
something that the AV companies are detecting.  My advice would be to send 
the .ZIP file to the AV companies, and see what they say.

   -Scott


Re[2]: [Declude.Virus] clamav

2004-04-01 Thread Terry Fritts
 BTW, run clamd.exe and clamdscan.exe and notice a difference in
 speed

Charles,

Did you start clamd and then leave the server logged on?

Terry




Re: [Declude.Virus] Scanner Efficiency Olympics

2004-04-01 Thread Terry Fritts
 ClamAV   1.0 seconds   2.303%   100.000%

  Charles posted on this a while back.
  Run clamd and link to clamdscan.exe (rather than clamscan).

  Times and processor usage are much less.
  
  Just running clamscan mine ranged from about a low of .8 to a high
  of 3.6 sec. But after running clamd and using clamdscan they dropped
  to a low of .047 and a high of .406 so far.
  
  Only thing is I'm not sure how to keep clamd running without keeping
  the server logged on.

 F-Prot is amazing.

  This really is true. Here are just a few stats I pulled from my logs
  (not from Declude - from one of my programs for an xmail server
  where I actually do the timing myself inside my program) (and this
  is after clamd):

  Total  demime  fprot  nai    clamav  sniffer
  =====  ======  =====  =====  ======  =======
  1.672  0.563   0.156  0.266  0.406   0.281
  1.047  0.141   0.234  0.281  0.110   0.266
  1.828  0.485   0.187  0.453  0.156   0.547
  2.015  0.203   0.609  0.594  0.328   0.281
  0.625  0.109   0.062  0.235  0.047
  0.625  0.079   0.062  0.188  0.125
  0.500  0.094   0.062  0.188  0.156

  Fprot actually does a decent job of demime by itself but it doesn't
  do everything so I began catching more when I added my own demime.
  NAI and clamav are both worthless without demime.

  When I have to write this stuff myself it makes me appreciate
  declude a lot!

  Terry Fritts
  



RE: Re[2]: [Declude.Virus] clamav

2004-04-01 Thread Charles Frolick
I never updated after I posted that.  I need to find a way to start and
check the clamd service.  Since it runs Unix style under Cygwin, it creates
an instance and is out of sight, it doesn't fire correctly from a service
manager like fire daemon, at least not in the config I used.  I have been
real busy with migrating 2 acquired companies into our network, so I haven't
played with it much.  Something I thought I might try is a batch file or
Perl script that is fired by Task Scheduler and runs Cygwin ps to see if it
is running, and restart it if it is not.

Thanks,
Chuck Frolick
ArgoLink.net

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Terry Fritts
Sent: Thursday, April 01, 2004 6:54 AM
To: Charles Frolick
Subject: Re[2]: [Declude.Virus] clamav

 BTW, run clamd.exe and clamdscan.exe and notice a difference in speed

Charles,

Did you start clamd and then leave the server logged on?

Terry




Re: [Declude.Virus] Scanner Efficiency Olympics

2004-04-01 Thread Matt




If you show me how to set up your side of things, I'll show you how to
keep the daemon running :)

Matt



Terry Fritts wrote:

  
ClamAV   1.0 seconds   2.303%   100.000%

  
  
  Charles posted on this a while back.
  Run clamd and link to clamdscan.exe (rather than clamscan).

  Times and processor usage are much less.
  
  Just running clamscan mine ranged from about a low of .8 to a high
  of 3.6 sec. But after running clamd and using clamdscan they dropped
  to a low of .047 and a high of .406 so far.
  
  Only thing is I'm not sure how to keep clamd running without keeping
  the server logged on.

  
  
F-Prot is amazing.

  
  
  This really is true. Here are just a few stats I pulled from my logs
  (not from Declude - from one of my programs for an xmail server
  where I actually do the timing myself inside my program) (and this
  is after clamd):

  Total  demime  fprot  nai    clamav  sniffer
  =====  ======  =====  =====  ======  =======
  1.672  0.563   0.156  0.266  0.406   0.281
  1.047  0.141   0.234  0.281  0.110   0.266
  1.828  0.485   0.187  0.453  0.156   0.547
  2.015  0.203   0.609  0.594  0.328   0.281
  0.625  0.109   0.062  0.235  0.047
  0.625  0.079   0.062  0.188  0.125
  0.500  0.094   0.062  0.188  0.156

  Fprot actually does a decent job of demime by itself but it doesn't
  do everything so I began catching more when I added my own demime.
  NAI and clamav are both worthless without demime.

  When I have to write this stuff myself it makes me appreciate
  declude a lot!

  Terry Fritts
  



  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




[Declude.Virus] What is this please

2004-04-01 Thread Royce Burnett
First post. I really appreciate the discussion here, it's helped me a lot
to keep things working.


This is likely the wrong place to ask, but as of 11AM today, I've had over
14 illegal Imail listserv command messages, I believe to be originating
from . I've been getting a few of them everyday, but not to this extent. My
sys files, normally around 3 -4 mb, are swelling to 70 - 80 mb. These
all seem to be coming from different IPs.
I'm running Imail 6.

Since I'm not using it, I thought I would just turn the listserv function
off, but there doesn't seem to be any way to do it.

Any thoughts would be welcomed.

Thanks
Royce Burnett
CICI

---
[This E-mail scanned for viruses by Declude Virus]



RE: [Declude.Virus] Imail 8.1

2004-04-01 Thread Steinar Rasch
This happens to me too.

I am not using a copyall account.

Regards,
Steinar


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of William Baumbach
 Sent: 1. april 2004 03:17
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Imail 8.1
 
 since I upgraded to 8.1 I now get double entries added to the FOOTER
 bottom of each incoming email
 
 outgoing emails seem to be OK
 
 GLOBAL.CFG
 WEIGHT-F  weightrange xx  -1000 1000
 
 $default$.junkmail
 WEIGHT-F  FOOTER %CR%[ scanned for spam to: %ALLRECIPS% %INOROUT%
 http://www.%LOCALHOST% on %DATE% at %TIME%-0500et. ]%CR%
 
 and this line also is added twice
 
 Virus.cfg
 FOOTER  %CR%[ scanned for viruses to: %ALLRECIPS% %INOROUT%
 http://www.%LOCALHOST% on %DATE% at %TIME%-0500et. ]%CR%
 
 
 
 Sincerely,
 
 William J. Baumbach II  [EMAIL PROTECTED]
 9975 Pennsylvania Ave. Manassas, Va. 20110-2028
 Ph: 703-367-7900 ext:1708 Fax: 703-691-0946
 -
 
 - Original Message - 
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, March 31, 2004 2:55 PM
 Subject: Re: [Declude.Virus] Imail 8.1
 
 
 
 Are there any issues between Declude antivirus or junkmail 
 and Imail 8.1
 we need to be aware of or address if/when we choose to upgrade?
 
 I assume not, but since Ipswitch did not invite us to the 
 IMail v8.1 beta,
 I can't answer for certain.
 
 -Scott
 
 [ scanned for spam to: [EMAIL PROTECTED] incoming
 http://www.DcMetroNet.com on 03/31/2004 at 14:58:10-0500et. ]
 
 [ scanned for viruses to: [EMAIL PROTECTED] incoming
 http://www.DcMetroNet.com on 03/31/2004 at 14:58:13-0500et. ]
 
 
 
 
 [ scanned for spam to: [EMAIL PROTECTED] outgoing 
 http://www.DcMetroNet.com on 03/31/2004 at 20:17:45-0500et. ]
 
 This email message is for the sole use of the intended 
 recipient(s) and may contain confidential and privileged 
 information. Any unauthorized review, use, disclosure or 
 distribution of this email is prohibited. If you are not the 
 intended recipient, please contact the sender and destroy all 
 paper and electronic copies of this message.
 
 [ scanned for viruses to: [EMAIL PROTECTED] outgoing 
 http://www.DcMetroNet.com on 03/31/2004 at 20:17:48-0500et. ]
 
 


RE: [Declude.Virus] Imail 8.1

2004-04-01 Thread R. Scott Perry

This happens to me too.

I am not using a copyall account.

It seems that IMail v8.1 will send forwarded mail through Declude a second
time.

We haven't confirmed this yet, and unfortunately Ipswitch hasn't provided 
us with a copy of IMail v8.1 yet, so we are unable to test this yet, or 
determine what will be necessary for a workaround.

   -Scott


Re: [Declude.Virus] clamav

2004-04-01 Thread Matt




I've spent another few hours playing around with this and when I call
things correctly by starting clamd.exe and then configured Declude to
run clamdscan.exe, the scan times went from 1 second to between 0.08
seconds up to 0.6 seconds across about a dozen scans. I also tracked
this in performance monitor for an hour and found the average
utilization of clamd.exe and clamdscan.exe combined to be about equal
to that of F-Prot, but it had a couple very large peaks possibly
hitting 100% momentarily, not sure what that was about. Note that
Performance Monitor screws up the numbers and I consider it unreliable
to assume something from just one hour of monitoring/stats. Clamd
though is definitely a contender if some issues could be cleared up.

I tried to use the Resource Kit's SRVANY.exe to create a service out of
clamd.exe in a method similar to how the persistent version of Sniffer
is run, but that doesn't work. Clamd.exe doesn't show up on the list
of processes in Task Manager and the scan times go back to 1 second
each.

I have almost no experience in Unix environments, so I would be
stabbing in the dark to figure out what was necessary to get this to
work, but I would guess at it being a context issue.

ClamAV would be a great backup scanner for Declude it seems if the
daemon could be run without a kludge, and the reporting was modified to
be compliant, or Declude was modified to accept various formats instead
of just what follows a particular string. I suppose this could be done
by having a before and an after definition instead of just a before.

Terry, if you could explain the demime thing, that would be appreciated.

Thanks,

Matt



Charles Frolick wrote:

  I never updated after I posted that.  I need to find a way to start and
check the clamd service.  Since it runs Unix style under Cygwin, it creates
an instance and is out of sight, it doesn't fire correctly from a service
manager like fire daemon, at least not in the config I used.  I have been
real busy with migrating 2 acquired companies into our network, so I haven't
played with it much.  Something I thought I might try is a batch file or
Perl script that is fired by Task Scheduler and runs Cygwin ps to see if it
is running, and restart it if it is not.

Thanks,
Chuck Frolick
ArgoLink.net

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Terry Fritts
Sent: Thursday, April 01, 2004 6:54 AM
To: Charles Frolick
Subject: Re[2]: [Declude.Virus] clamav

  
  
BTW, run clamd.exe and clamdscan.exe and notice a difference in speed

  
  
Charles,

Did you start clamd and then leave the server logged on?

Terry




  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re[2]: [Declude.Virus] clamav

2004-04-01 Thread Terry Fritts
 Terry, if you could explain the demime thing, that would be appreciated.

I'm sorry - I've been tied up all day working on name server issues.

The application I referenced earlier was an xmail mail server.
Declude is not available for it so I wrote my own program that is
called by xmail for messages.  My program does something similar to
what declude does but not nearly as well.

Giving a message to either NAI or ClamAV is inconsequential because
both of those programs will not dismantle the message into its mime
parts (demime).  As I said Fprot actually does a certain amount of
demime itself.  I don't know how declude accomplishes this but I know
declude does something to make NAI and others scan the pieces of the
message.

In my case I use an external program (munpack I think it is). My
program creates a temporary directory and then calls munpack with that
directory and message path. munpack then takes the message and splits
into the various mime segments. For instance there might be a text
segment, an html segment, and a zip file attachment. It is quite
common to have 4 or more files. Then my program next calls fprot, nai,
and clamav in turn for that directory. Each of those programs scan all
the files in the temp folder and create a report file. My program
extracts the virus name from the report files if an infection is
indicated, logs it, quarantines the message, and tells the mail server
to delete the message (if infected).

Finally my program does some spam checking including a call to the
sniffer engine.

I don't do a lot of stuff that declude does however.

As for the daemon issue I'm going to look at that and see if I can
figure some way to keep the thing loaded - just no time today.

Terry Fritts
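
The unpack-then-scan step described in the message above, as an added example that is not part of the original thread or of Terry's program. It assumes Python's standard `email` package in place of munpack; the sample message, the marker string and `marker_scan` (a stand-in for a real file scanner) are constructed for the illustration.

```python
import os
import re
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for a byte pattern a file scanner would look for.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample_message() -> bytes:
    """Constructed message: a text part plus a base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.\n")
    # The hostile-looking file name is deliberate: an unpacker must not trust it.
    msg.add_attachment(b"not-a-real-zip " + MARKER, maintype="application",
                       subtype="zip", filename="../../invoice.zip")
    return msg.as_bytes()


def safe_name(index: int, suggested) -> str:
    """Reduce a sender-supplied file name to a harmless local one."""
    base = os.path.basename((suggested or "").replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return f"{index:03d}_{base or 'part.bin'}"


def demime(raw: bytes, out_dir: str) -> list:
    """Write every decoded leaf part of the message into out_dir."""
    msg = message_from_bytes(raw, policy=policy.default)
    written = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers hold no data of their own
        # decode=True undoes base64 / quoted-printable transfer encoding
        data = part.get_payload(decode=True) or b""
        suggested = part.get_filename() or "part." + part.get_content_subtype()
        path = os.path.join(out_dir, safe_name(index, suggested))
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


def marker_scan(paths) -> list:
    """Stand-in for a file scanner: names of files containing MARKER."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            if MARKER in fh.read():
                hits.append(os.path.basename(path))
    return hits


def compare_raw_vs_demimed() -> dict:
    """Scan the raw message file, then the unpacked parts, and compare."""
    raw = build_sample_message()
    with tempfile.TemporaryDirectory() as tmp:
        raw_path = os.path.join(tmp, "message.eml")
        with open(raw_path, "wb") as fh:
            fh.write(raw)
        parts_dir = os.path.join(tmp, "parts")
        os.mkdir(parts_dir)
        parts = demime(raw, parts_dir)
        return {
            "raw_hits": marker_scan([raw_path]),      # attachment is still base64
            "part_files": [os.path.basename(p) for p in parts],
            "part_hits": marker_scan(parts),          # decoded bytes are visible
        }


if __name__ == "__main__":
    print(compare_raw_vs_demimed())
```

The raw message file produces no hit because the attachment is still base64 text; the same bytes are found once the part is decoded to its own file.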




RE: [Declude.Virus] Imail 8.1

2004-04-01 Thread John Tolmachoff (Lists)
I may have to concur on this.

I have a user that receives messages forwarded from another account. 

This morning, I saw the headers of one and it appeared to have been passed
through Declude twice, but I have had a hairy morning and have not been able
to follow up.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of R. Scott Perry
 Sent: Thursday, April 01, 2004 1:34 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Imail 8.1
 
 
 This happens to me too.
 
 I am not using a copyall account.
 
 It seems that IMail v8.1 will send forwarded mail through Declude a second
 time.
 
 We haven't confirmed this yet, and unfortunately Ipswitch hasn't provided
 us with a copy of IMail v8.1 yet, so we are unable to test this yet, or
 determine what will be necessary for a workaround.
 
 -Scott


Re: [Declude.Virus] clamav

2004-04-01 Thread Matt




Thanks for the explanation. I was hoping for something miraculous that
might be of benefit, but it looks like Declude does all of this already.

On a related topic, during my testing I found that while I was logged
into my server with pcANYWHERE instead of Terminal Services, I kept
seeing CMD windows pop up when AVG was scanning despite the /silent
switch. I don't ever recall seeing that before, but it's rare that I
log in with pcANYWHERE. Maybe there is something else happening here
that isn't necessary. The folks from Grisoft were nice enough to add
the return codes and maybe they could help make the command line more
efficient??? I also tried AVG without a bunch of the switches and
didn't notice any difference, though apparently adding the heuristic
switch will increase the scan time.

One of my thoughts to increase the efficiency of the environment would
be to add a handler application for Declude Virus to call instead of
doing it directly. You could for instance have the handler call the
first scanner, wait for the code, and then only call the second scanner
if it was a negative result, or also only if the attachment was below a
certain size (large attachments are a big hit and viruses are very rare
with such things). I also found a sample of one such batch program in
the archives with a helper that reconfigured the report file into a
format that Declude accepted. I'm not sure about how much overhead
this would add, but it would probably be a net benefit.

 http://www.mail-archive.com/[EMAIL PROTECTED]/msg03101.html

I've been looking to do something similar with Sniffer (escape on
existing high weight) but couldn't get the vbscript to work that
supposedly would capture return codes. I'm thinking that this code
sample might do the trick. I'm an awful hack though when it comes to
programming though :) If anyone out there has interest in helping me
do this, please don't hesitate to chime in.

I'm on an efficiency kick as of late (if folks haven't noticed) based
both on need and on my desire to not just throw more servers at the
mix, primarily because after you outgrow the capacity that one machine
can handle, you are forced into a more complicated load balancing
methodology which is harder to manage and much more expensive after you
add in the licensing. So far I've managed to trim a good deal of froth
from my system without compromising the effectiveness by doing things
such as moving mailfrom and ipfile filters into DNS, and even trimming
massive blocks of comments from my custom filters. It's the good mail
though that hogs the most processing power (thanks to SKIPIFWEIGHT)
despite the lower volume, and tests like file size can be used to
defeat expensive tests that aren't likely to be of use in such E-mail
by using handler scripts and the new TESTSFAILED filter element.

Matt



Terry Fritts wrote:

  
Terry, if you could explain the demime thing, that would be appreciated.

  
  
I'm sorry - I've been tied up all day working on name server issues.

The application I referenced earlier was an xmail mail server.
Declude is not available for it so I wrote my own program that is
called by xmail for messages.  My program does something similar to
what declude does but not nearly as well.

Giving a message to either NAI or ClamAV is inconsequential because
both of those programs will not dismantle the message into its mime
parts (demime).  As I said Fprot actually does a certain amount of
demime itself.  I don't know how declude accomplishes this but I know
declude does something to make NAI and others scan the pieces of the
message.

In my case I use an external program (munpack I think it is). My
program creates a temporary directory and then calls munpack with that
directory and message path. munpack then takes the message and splits
into the various mime segments. For instance there might be a text
segment, an html segment, and a zip file attachment. It is quite
common to have 4 or more files. Then my program next calls fprot, nai,
and clamav in turn for that directory. Each of those programs scan all
the files in the temp folder and create a report file. My program
extracts the virus name from the report files if an infection is
indicated, logs it, quarantines the message, and tells the mail server
to delete the message (if infected).

Finally my program does some spam checking including a call to the
sniffer engine.

I don't do a lot of stuff that declude does however.

As for the daemon issue I'm going to look at that and see if I can
figure some way to keep the thing loaded - just no time today.

Terry Fritts




  


-- 
=
MailPure 
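
The handler idea from the message above (primary scanner first, second scanner only after a negative result and only below a size limit), as an added example that is not code from the thread or from Declude. The stand-in scanner commands, the exit codes 0 and 3, and the 1024-byte limit are assumptions; an unrecognised exit code or a timeout is reported as an error rather than as clean.

```python
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass

CLEAN, INFECTED, ERROR = "clean", "infected", "error"
MARKER = b"CONSTRUCTED-MARKER"  # constructed test pattern, not a real signature


@dataclass
class Scanner:
    name: str
    argv: list              # command line; the file to scan is appended
    clean_codes: frozenset  # exit codes meaning "nothing found"
    virus_codes: frozenset  # exit codes meaning "detection"
    timeout: float = 30.0


def run_scanner(scanner: Scanner, path: str) -> str:
    """Run one scanner and map its exit code to a verdict (fail closed)."""
    try:
        proc = subprocess.run(scanner.argv + [path], capture_output=True,
                              timeout=scanner.timeout)
    except (OSError, subprocess.TimeoutExpired):
        return ERROR
    if proc.returncode in scanner.virus_codes:
        return INFECTED
    if proc.returncode in scanner.clean_codes:
        return CLEAN
    return ERROR  # unknown code: never treat as clean


def handle(path, primary, secondary, max_secondary_bytes):
    """Return (verdict, names of the scanners that were actually run)."""
    first = run_scanner(primary, path)
    ran = [primary.name]
    if first == INFECTED:
        return INFECTED, ran          # no need for a second opinion
    too_big = os.path.getsize(path) > max_secondary_bytes
    if first == CLEAN and too_big:
        return CLEAN, ran             # size trade-off: large files get one scan
    ran.append(secondary.name)
    second = run_scanner(secondary, path)
    if second == INFECTED:
        return INFECTED, ran
    # A clean second scan does not erase a failed first scan.
    return (CLEAN if first == CLEAN and second == CLEAN else ERROR), ran


def _stub(name, source):
    """Constructed stand-in scanner: a one-line Python program."""
    return Scanner(name, [sys.executable, "-c", source],
                   frozenset({0}), frozenset({3}))


STUB_CLEAN = _stub("stub-clean", "import sys; sys.exit(0)")
STUB_DETECT = _stub(
    "stub-detect",
    "import sys; data = open(sys.argv[1], 'rb').read(); "
    "sys.exit(3 if b'CONSTRUCTED-MARKER' in data else 0)")
STUB_BROKEN = _stub("stub-broken", "import sys; sys.exit(99)")


def _write(directory, name, data):
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run the handler over constructed files and collect the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        small = _write(tmp, "small.bin", b"x" + MARKER)
        large = _write(tmp, "large.bin", MARKER + b"\0" * 4096)
        plain = _write(tmp, "plain.txt", b"hello")
        return {
            "small": handle(small, STUB_CLEAN, STUB_DETECT, 1024),
            "large": handle(large, STUB_CLEAN, STUB_DETECT, 1024),
            "primary_hit": handle(small, STUB_DETECT, STUB_CLEAN, 1024),
            "broken": handle(plain, STUB_BROKEN, STUB_CLEAN, 1024),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `large` case shows the cost of the size cut-off: a file the primary scanner misses is never seen by the second one.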

Re: [Declude.Virus] clamav

2004-04-01 Thread R. Scott Perry

On a related topic, during my testing I found that while I was logged into 
my server with pcANYWHERE instead of Terminal Services, I kept seeing CMD 
windows pop up when AVG was scanning despite the /silent switch.  I don't 
ever recall seeing that before, but it's rare that I log in with 
pcANYWHERE.  Maybe there is something else happening here that isn't 
necessary.  The folks from Grisoft were nice enough to add the return
codes and maybe they could help make the command line more efficient???

Actually, that will occur if you use the DEBUG mode in Declude Virus (it
allows the console windows to be visible, in case there are messages there 
that need to be read).

   -Scott