Title: Message

Hi all,

Today I've found 5 temporary directories in our spool folder created by Declude Virus.
All 5 directories contain the same 11 MB zip file containing a single .DWG file (I think it's a vector graphic file format).

In the logfile I've found the lines:

06/13/2003 05:08:01 Q142f2350009ec731 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\0.zip: 32.
06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\report.txt: 32.
06/13/2003 05:08:01 Q142f2350009ec731 WARNING: Couldn't remove .vir directory C:\IMail\spool\D142f2350009ec731.vir\: SHARING VIOLATION.
06/13/2003 05:08:01 Q142f2350009ec731 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.

Now I've tried to scan the file on the command line with our first scanner: McAfee's scan.exe

The result: A long time (over 30 seconds) of 100% CPU usage
 
F-Prot (until now our second and now our one and only scan engine) has scanned the same file in < 1 second.
 
I've set up both scanners with the suggested parameters on the Declude man page. Both scanners show in their report file a total of 2 scanned files (zip + dwg).
 
At the moment I've disabled McAfee's engine, but usually they provide the best and fastest updates on new spreading viruses... (?)
 
Searching for the cause of this strange difference in scan time, I've read all possible command-line parameters. These are the suggested parameters:
/ALL                 Scan all files regardless of filename extension.
/NOBREAK             Disable Ctrl-C / Ctrl-Break during scanning.
/NOMEM               Do not scan memory for viruses.
/NODDA               No direct disk access.
/REPORT  <filename>  Report names of viruses found into <filename>.
/SILENT              Disable all screen output.
/UNZIP               Scan inside archive files.
What about these parameters:
/ANALYZE             Turn on heuristic analysis for programs and macros.
/MANALYZE            Turn on macro heuristics.
/PANALYZE            Turn on program heuristics.
/MIME                Scan inside MIME, UUE, XXE and BinHex files.
/PROGRAM             Scan for potentially malicious commercial software.
/NOBOOT              Do not scan boot sectors.
As far as I understand, all of these additional parameters will consume a lot more CPU power, except the last one.
 
Any suggestions?
 
Markus
 
 


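Added example, not part of the original post and not Declude's own code: a small log triage script that groups entries by queue ID and lists the messages where the scanner timed out and a .vir directory was left in the spool. The function names are hypothetical, and the line format is assumed to match the five log lines quoted above, which are embedded as the sample input.

```python
import re
from collections import defaultdict

# Sample input: the five log lines quoted in the post above.
SAMPLE_LOG = r"""06/13/2003 05:08:01 Q142f2350009ec731 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\0.zip: 32.
06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\report.txt: 32.
06/13/2003 05:08:01 Q142f2350009ec731 WARNING: Couldn't remove .vir directory C:\IMail\spool\D142f2350009ec731.vir\: SHARING VIOLATION.
06/13/2003 05:08:01 Q142f2350009ec731 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
"""

# Assumed layout: "MM/DD/YYYY HH:MM:SS <queue id> <message>".
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-f]+) (.*)$")
TIMEOUT_RE = re.compile(r"Virus scanner didn't finish after (\d+) seconds")
DELETE_RE = re.compile(r"Couldn't delete (.+): (\d+)\.$")
RMDIR_RE = re.compile(r"Couldn't remove \.vir directory (.+?): (.+)\.$")

SHARING_VIOLATION = 32  # Win32 ERROR_SHARING_VIOLATION: file is open elsewhere


def summarize(log_text):
    """Group log entries by queue ID; record timeouts and files left behind."""
    msgs = defaultdict(lambda: {"first_seen": None, "timeout_s": None,
                                "undeleted": [], "leftover_dir": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        stamp, qid, text = m.groups()
        entry = msgs[qid]
        entry["first_seen"] = entry["first_seen"] or stamp
        if (t := TIMEOUT_RE.search(text)):
            entry["timeout_s"] = int(t.group(1))
        elif (d := DELETE_RE.search(text)):
            entry["undeleted"].append((d.group(1), int(d.group(2))))
        elif (r := RMDIR_RE.search(text)):
            entry["leftover_dir"] = r.group(1)
    return dict(msgs)


def needs_cleanup(summary):
    """Queue IDs where the scan timed out and a .vir directory remains."""
    return sorted(q for q, e in summary.items()
                  if e["timeout_s"] is not None and e["leftover_dir"])


def locked_files(entry):
    """Paths that could not be deleted because another process held them open."""
    return [p for p, code in entry["undeleted"] if code == SHARING_VIOLATION]
```

Run over a full log file, needs_cleanup() gives the list of spool subdirectories to inspect and remove by hand once the process holding the files has exited.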