Hi Andy,

I forgot to mention: Both scan engines (McAfee and F-Prot) have on-access file protection disabled. Both engines are up to date with the latest releases and virus definitions.

Now I sit here and watch the mail server's CPU usage history. (Like Kami some days ago :-) I haven't seen one single 100% period lasting longer than 1 second after I removed McAfee from the Declude virus.cfg file. Before, there was at least one "5-second-100%-period" every 2 minutes.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, June 13, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Scanner performance difference

Mark:

please note the following, self-explanatory messages by Declude:

    WARNING: Couldn't remove .vir directory C:\IMail\spool\D142f2350009ec731.vir\: SHARING VIOLATION.
    "Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool"

You should go into the NetShield configuration and do as Declude instructs. Since you are using Declude and the command line scanner to scan and "handle" (e.g., delete) infected emails, you should NOT allow NetShield to attempt to do the same. The effect is a potential locking conflict.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, June 13, 2003 09:38 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Scanner performance difference

Hi all,

Today I found 5 temporary directories in our spool folder created by Declude Virus. All 5 directories contain the same 11 MB zip file containing a single .DWG file (I think it's a vector graphic file format).

In the logfile I found the lines:

    06/13/2003 05:08:01 Q142f2350009ec731 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
    06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\0.zip: 32.
    06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\report.txt: 32.
    06/13/2003 05:08:01 Q142f2350009ec731 WARNING: Couldn't remove .vir directory C:\IMail\spool\D142f2350009ec731.vir\: SHARING VIOLATION.
    06/13/2003 05:08:01 Q142f2350009ec731 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.

Now I've tried to scan the file on the command line with our first scanner: McAfee's scan.exe.

The result: A long time (over 30 seconds) of 100% CPU usage.

F-Prot (until now our second and now our one and only scan engine) scanned the same file in < 1 second.

I've set up both scanners with the suggested parameters on the Declude man page. Both scanners show in their report file a total of 2 scanned files (zip + dwg).

At the moment I've disabled McAfee's engine, but usually they provide the best and fastest updates on new spreading viruses... (?)

Searching for the cause of this strange difference in scan time, I've read all possible command line parameters.

These are the suggested parameters:

    /ALL                Scan all files regardless of filename extension.
    /NOBREAK            Disable Ctrl-C / Ctrl-Break during scanning.
    /NOMEM              Do not scan memory for viruses.
    /NODDA              No direct disk access.
    /REPORT <filename>  Report names of viruses found into <filename>.
    /SILENT             Disable all screen output.
    /UNZIP              Scan inside archive files.

What about these parameters:

    /ANALYZE            Turn on heuristic analysis for programs and macros.
    /MANALYZE           Turn on macro heuristics.
    /PANALYZE           Turn on program heuristics.
    /MIME               Scan inside MIME, UUE, XXE and BinHex files.
    /PROGRAM            Scan for potentially malicious commercial software.
    /NOBOOT             Do not scan boot sectors.

As far as I can understand, all of these additional parameters will consume another lot of CPU power, except the last one.

Any suggestions?

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.
To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
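
Added example (not part of the original thread and not Declude's own code): a small Python triage script that groups log lines of the format quoted above by queue ID, so a scanner timeout can be tied to the error-32 deletes and the leftover .vir directory that follow it. The function names and the second queue ID in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the five log lines quoted in the thread, plus one
# made-up message (Q0000000000000001) that timed out without any lock error.
SAMPLE_LOG = r"""
06/13/2003 05:08:01 Q142f2350009ec731 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\0.zip: 32.
06/13/2003 05:08:01 Q142f2350009ec731 Couldn't delete C:\IMail\spool\D142f2350009ec731.vir\report.txt: 32.
06/13/2003 05:08:01 Q142f2350009ec731 WARNING: Couldn't remove .vir directory C:\IMail\spool\D142f2350009ec731.vir\: SHARING VIOLATION.
06/13/2003 05:08:01 Q142f2350009ec731 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/13/2003 05:09:40 Q0000000000000001 ERROR: Virus scanner didn't finish after 30 seconds; terminating.
"""

LINE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d (Q[0-9a-f]+) (.*)$")
TIMEOUT = re.compile(r"didn't finish after (\d+) seconds")
LOCKED = re.compile(r"Couldn't delete (.+): 32\.$")  # 32 = Windows ERROR_SHARING_VIOLATION
LEFTOVER = re.compile(r"Couldn't remove \.vir directory (.+?): SHARING VIOLATION")


def triage(log_text):
    """Group events by queue ID so a timeout can be tied to the lock errors after it."""
    found = defaultdict(lambda: {"timeout": None, "locked": [], "leftover": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        qid, text = m.groups()
        if t := TIMEOUT.search(text):
            found[qid]["timeout"] = int(t.group(1))
        elif f := LOCKED.search(text):
            found[qid]["locked"].append(f.group(1))
        elif d := LEFTOVER.search(text):
            found[qid]["leftover"] = d.group(1)
    return dict(found)


def verdict(entry):
    """Separate a plain timeout from one that left locked files in the spool."""
    if entry["leftover"] or entry["locked"]:
        return "lock conflict: spool cleanup needed"
    return "timeout only" if entry["timeout"] else "ok"


if __name__ == "__main__":
    for qid, entry in triage(SAMPLE_LOG).items():
        print(qid, verdict(entry), entry["leftover"] or "")
```

Run against a real log, the leftover paths it reports are the .vir directories that still need manual removal from the spool.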
