Re: [Declude.Virus] Multiple responses in the report.txt
Colbeck, Andrew wrote:

> For what it's worth, last month for every ham message we received, we received 3 spam and one-sixth of a virus. And those numbers are *down* from the month before, because our inbound ham has been growing faster than spam. Spam has been growing, and I'm seeing a 6 to 9% increase every month over the previous month.

We're averaging about 90% spam (goes up to +96% on weekends). The ongoing dictionary attacks on about 20 domains help that number a great deal. My experience is that corporate domains are significantly less spammy, probably because of less personal use than small businesses, and more business use, and also because of the ratio of Web site listed addresses to total addresses. I do have one client that has several hundred addresses and did the bonehead move of listing over half of them on their site, and as a result they get much more than most medium sized businesses.

Excluding the dictionary attacks, I'm not sure if spam is actually increasing, or measurably so if it is. Your results could very well be due to the propagation of E-mail addresses from spammer to spammer, increased personal use among employees that tends to create more spam, and of course a general rise in spam rates. Earlier this year I thought that zombie spam had gone through the roof, but in fact what was happening was isolated to the domains that started being dictionary attacked.

Matt

--
= MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.Virus] Multiple responses in the report.txt
I'm doing a head to head comparison on a few tens of thousands of messages right now. I have already been using the command line McAfee as a post-processing scripted thingmajig late at night in order to find out how many viruses I was really catching as spam. I picked my poison based on two months of postings over at Mail-Archive (including your 8 way competition) as well as the incidental stuff that bled over to the JunkMail list I've been on for 2 years. I'm not worried about the stability of F-Prot, and I'm not impressed with the message decoding or speed of McAfee. And we can always upgrade later if we want to put in more engines.

For what it's worth, last month for every ham message we received, we received 3 spam and one-sixth of a virus. And those numbers are *down* from the month before, because our inbound ham has been growing faster than spam. Spam has been growing, and I'm seeing a 6 to 9% increase every month over the previous month.

Andrew 8)

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 10, 2004 4:28 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Multiple responses in the report.txt
Re: [Declude.Virus] Multiple responses in the report.txt
You could essentially do that with just Declude and a bit of programming for stripping the attachments out of messages.

Regardless, having one scanner is not going to do a good enough job if you rely on F-Prot based on results from the last year. I would recommend McAfee over F-Prot as a single scanner since it appears that they are more stable, though it is clear that any single scanner can have issues from time to time.

Matt

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Multiple responses in the report.txt
Thanks, Matt.

I only went for the Lite version because this is a gateway scanner. The internal mail servers are indeed protected by a different vendor's product. I'm setting up these two layers because my company prefers to quarantine all viral messages, and then substitute any other inbound executables with a text message in the original message. This way, our users don't receive unnecessary emails.

The "other" log line I'm seeing is independent of the usage of the /ai switch. As for investigation of the /ai switch, this email is part of that due diligence!

Andrew 8)

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 10, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Multiple responses in the report.txt

Andrew,

A separate instance is set up for each message's attachments that are scanned, there is no cause for any concern. MAXATONCE was designed for licensing reasons and shouldn't be used in most installations. If you set MAXATONCE below the number of processes that might be launched (this is a highly variable number), then it will cause overflow to occur or otherwise back up your system needlessly.

Regarding your other question, I believe that you are seeing this because you are using the /ai switch. I don't use that switch, though I couldn't say why exactly. I have found however with many such things that their definitions of a non-virus that throw off such things might vary widely and include things such as encrypted zip files, something that Declude handles more flexibly. It's always a good idea to get as much information about new or alternative switches before using them. I have found info in KB's, release notes, and also by E-mailing the companies. These things aren't always as descriptive as you might want, so dig deep.

I would also very strongly recommend a second scanner. Simply put, things will sometimes not function properly. There have been at least 4 occasions in about a year that F-Prot has messed up and would have caused significant virus leaking. Currently I would recommend McAfee, but I would recommend ClamAV after a period of stability emerges since the daemon is faster than anything but F-Prot. McAfee is of course a bit more responsible with their definitions, so if capacity isn't a problem, I would use that over ClamAV regardless.

Matt

Colbeck, Andrew wrote:

> I'm using the f-prot command line scanner, and the lines in the virus.cfg look like this:
>
>   SCANFILE C:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb /noboot /nomem /packed /report=report.txt
>   VIRUSCODE 3
>   VIRUSCODE 6
>   REPORT Infection:
>
> That's working fine, but in my testing I'm only putting a few messages through at a time. I note that the /report variable is setting one specific filename. What happens when two or more declude processes are launched and both want to call the virus scanner at the same time? I realize that scanning is relatively quick, but I can see that collisions would result.
>
> If Declude doesn't handle this internally to set a different report name per instance, then I think paranoia would push me to set MAXATONCE 1 ... ?
>
> Andrew.
[Declude.Virus] Multiple responses in the report.txt
Hey, folks.

What if I want to have multiple response lines in the antivirus scanner's report.txt?

fpcmd.exe emits a line with "Infection:" before the filename if it's a virus. But if it's malware, it emits a line with "is a security risk named" before the filename. Since I bought the Lite edition, putting in multiple SCANFILE+VIRUSCODE+REPORT lines isn't going to be an option for me.

I'm guessing that providing exactly the same parameters in SCANFILE0 and SCANFILE1 would suppress the actual virus scanning, as with JunkMail, thus letting me have multiple REPORT lines. That is, if I had the Pro version.

Andrew.
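An added example, not code from this thread, Declude or F-Prot: a small wrapper that could be named in SCANFILE in place of fpcmd.exe. It gives each instance its own /report filename (the collision Andrew worries about in his quoted message), then rewrites both detection formats he describes ("Infection:" and "is a security risk named") as "Infection:" lines so that the single "REPORT Infection:" entry a Lite licence allows matches both, and passes fpcmd's exit code through unchanged so VIRUSCODE 3 and 6 keep working. It assumes Declude reads report.txt from the scanner's working directory and can launch a Python script; the sample report text is constructed.

```python
import os
import re
import subprocess

# Switches from the virus.cfg quoted in the thread, minus /report, which this
# wrapper sets per process. The scanner path is the one the poster used.
FPCMD = r"C:\F-Prot\fpcmd.exe"
SWITCHES = ["/ai", "/type", "/silent", "/archive=5", "/dumb",
            "/noboot", "/nomem", "/packed"]
VIRUS_CODES = {3, 6}  # the VIRUSCODE values from the posted config

# The two detection formats the thread describes: "Infection: <file>" for
# viruses, "<file> is a security risk named <name>" for other malware.
INFECTION = re.compile(r"^Infection:\s*(.+)$")
SECURITY_RISK = re.compile(r"^(.+?)\s+is a security risk named\s+(.+)$")

# Constructed sample report (not real fpcmd output): one line of each kind
# plus a line that is not a detection and must be ignored.
SAMPLE_REPORT = ("Scanning attachments (constructed sample)\n"
                 r"Infection: C:\scan\bar.pif" "\n"
                 r"C:\scan\tool.exe is a security risk named Constructed/Tool")

def normalize_report(text):
    """Return every detection as an 'Infection: ...' line so that one
    'REPORT Infection:' entry in virus.cfg catches both formats."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = INFECTION.match(line)
        if m:
            out.append(f"Infection: {m.group(1)}")
        elif (m := SECURITY_RISK.match(line)):
            out.append(f"Infection: {m.group(1)} ({m.group(2)})")
    return out

def is_virus(exit_code):
    # The decision Declude makes from the VIRUSCODE lines.
    return exit_code in VIRUS_CODES

def scan(target):
    """Run fpcmd with a per-process report name so concurrent Declude
    instances never share a file, then write the normalized report.txt."""
    private = f"report-{os.getpid()}.txt"
    proc = subprocess.run([FPCMD, *SWITCHES, f"/report={private}", target])
    with open(private, encoding="latin-1", errors="replace") as fh:
        lines = normalize_report(fh.read())
    os.remove(private)
    with open("report.txt", "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return proc.returncode  # unchanged, so VIRUSCODE 3 / 6 still apply
```

Calling scan() with the attachment path from SCANFILE leaves report.txt containing only "Infection:" lines, one per detection of either kind.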