"Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool"
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, June 13, 2003 09:38 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Scanner performance difference

Hi all,

Today I've found 5 temporary directories in our spool folder created by Declude Virus.
All 5 directories contain the same 11 MB zip file containing a single .DWG file (I think it's a vector graphics file format).

In the logfile I've found the lines:

06/13/2003 05:08:01 Q142f2350009ec731 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\0.zip: 32.
06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\report.txt: 32.
06/13/2003 05:08:01 Q142f2350009ec731 WARNING: Couldn't remove .vir directory C:\IMail\spool\D142f2350009ec731.vir\: SHARING VIOLATION.
06/13/2003 05:08:01 Q142f2350009ec731 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.

Now I've tried to scan the file on the command line with our first scanner: McAfee's scan.exe
The result: A long time (over 30 seconds) of 100% CPU usage.

F-Prot (until now our second and now our one and only scan engine) has scanned the same file in < 1 second.

I've set up both scanners with the suggested parameters on the Declude man page. Both scanners show in their report file a total of 2 scanned files (zip + dwg).

At the moment I've disabled McAfee's engine, but usually they provide the best and fastest updates on new spreading viruses... (?)

Searching for the cause of this strange difference in scan time I've read all possible command-line parameters. These are the suggested parameters:

/ALL Scan all files regardless of filename extension.
/NOBREAK Disable Ctrl-C / Ctrl-Break during scanning.
/NOMEM Do not scan memory for viruses.
/NODDA No direct disk access.
/REPORT <filename> Report names of viruses found into <filename>.
/SILENT Disable all screen output.
/UNZIP Scan inside archive files.

What about these parameters:

/ANALYZE Turn on heuristic analysis for programs and macros.
/MANALYZE Turn on macro heuristics.
/PANALYZE Turn on program heuristics.
/MIME Scan inside MIME, UUE, XXE and BinHex files.
/PROGRAM Scan for potentially malicious commercial software.
/NOBOOT Do not scan boot sectors.

As far as I can understand, all of these additional parameters will consume another lot of CPU power, except the last one.

Any suggestions?

Markus
