One of the beauties of using Declude plus F-Prot is that most desktops use either Norton or McAfee, and the release of the various definitions updates isn't instantaneous.  I've seen F-Prot catch stuff that Norton isn't yet detecting and vice versa.

I have Norton also running on my server, but I leave the auto-protect limited to on Modified (scan on create) which is good for a Web server/E-mail server, and I tell it to keep away from my spool and account directories.  I'm not convinced that Norton can catch every detectable virus in a spool file either because the headers are often malformed, and I think that Scott focuses on this for his product.  It also leaves a lot of junk in your spool, only deleting the message and not the delivery info file.

If you are looking to save processing power, Declude plus F-Prot is quicker because it doesn't invoke a full scan on every E-mail, just the ones that contain code that might need processing (you can change this setting).  I would think, though, that a memory-resident real-time scanner like Norton would be faster on the actual scan, but that point is moot because most files don't get fully scanned by Declude.

BTW, I've found virus scanning to be much more marketable because viruses cause measurable monetary damage and after an infection people seek out a solution.  I have a LAN integrator friend that turns people my way, and almost always, his clients have anti-virus programs installed, but they can be out of date or turned off for various reasons (and too small for a server solution of their own).  The double line of protection (F-Prot plus Norton or McAfee) is also appealing to those that are more aware.

Matt

Dan Patnode wrote:
Thank you Matt.  If correct, you've brought me more clarity and direction than I've had since this mess began.  I've been so focused on fighting spam, I haven't yet installed Scott's AV system (after more than a year), relying instead on a basic Norton config to handle things.


Scott,

Can you confirm that viruses stopped by Declude AV (if so configured) will prevent that message from being scanned by the spam system, including those tagged solely by attachment names like *.pif?


Thanks,
Dan 'Sobig Egg on Face' Patnode




On Sunday, August 24, 2003 18:30, Matthew Bramble <[EMAIL PROTECTED]> wrote:
  
Dan,

It appears that E-mail is first scanned by the virus scanner
(F-Prot or whatever), and then if it passes, the excluded
extensions are tested.  So as soon as your virus scanner became
Sobig.F aware, the excluded extensions test doesn't get done
because it is blocked by the scanner.  Maybe Scott can suggest
other ways to save processing power?

Scott,

I know this is the wrong discussion group, but since we're on
the topic, would it make more sense to test for banned
extensions before it goes to the virus scanner in order to save
processing power?

Matt

Dan Patnode wrote:

Matt, by this:

 

This does tie back into processor utilization though, because
before the definitions were available, the banned extension
test was placing those E-mails in a hold (wish you could have
them deleted).  The system seems though to scan the attachments
first and then look for attachments to ban by extension, and
that order could be reversed to save processing power.  I
assume this because the virus detection is now catching these
files subsequent to the definitions update instead of the
banned extension test doing the dirty work. 
   


are you saying that I could set up F-Prot to scan for .pif files
and then have it run before Declude's junk filters,
holding/deleting them, saving the CPU from scanning these
messages with my junk tests?  

Can this be confirmed, Scott?

Dan
