ERRORLEVEL == 4 /* suspicion detected by heuristic analysis */
ERRORLEVEL == 5 /* virus found by heuristic analysis */
I'll contact support to ask what the real difference is. From looking at this further, there is a /HEUR switch needed to turn this on apparently, so in reality I probably haven't been using this.
BTW, at LOGLEVEL DEBUG, I have found that F-Prot will scan and catch a NetSky.J virus in about 0.13 seconds, but it takes AVG (32-bit) more than 3 times as long, 0.45 seconds. F-Prot also caught about 20% more viruses yesterday in the NetSky.L outbreak, though both scanners were missing things the other picked up.
Anyone else want to do a comparison between F-Prot and another scanner for comparison's sake so that we can figure out which ones are the fastest? Just set the LOGLEVEL DEBUG and copy and paste a hit for NetSky.J to the list.
Matt
03/12/2004 14:55:04.292 Q158a0c4c0272caa5 Declude Virus Pro Registered
03/12/2004 14:55:04.292 Q158a0c4c0272caa5 Starting locality check (sender=carcitydirect.com; nr=2 ca=off).
03/12/2004 14:55:04.292 Q158a0c4c0272caa5 CL Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains
03/12/2004 14:55:04.292 Q158a0c4c0272caa5 [EMAIL PROTECTED] [0] is local domain1
03/12/2004 14:55:04.292 Q158a0c4c0272caa5 [EMAIL PROTECTED] [0] is local main domain
03/12/2004 14:55:04.292 Q158a0c4c0272caa5 Local host = conversionvans.net
03/12/2004 14:55:04.292 Q158a0c4c0272caa5 [EMAIL PROTECTED] Offset=5 Flags=1
03/12/2004 14:55:04.292 Q158a0c4c0272caa5 [EMAIL PROTECTED] Offset=0 Flags=0
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 Msgid: <[EMAIL PROTECTED]>
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 Subject: Re: Details
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 E:\spool\Q158a0c4c0272caa5.SMD
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 Starting virus scanning section...
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 MIMELAYER=0
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 Exclude Default=-1
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 Exclude Domain=-1
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 Exclude peruser=-1
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 DoAv( E:\spool\D158a0c4c0272caa5.SMD );
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 avtempdir=E:\spool
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 Temp dir set to: E:\spool\D158a0c4c0272caa5.vir\
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 fp=44d570
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 MIMELAYER++
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 DOMIME START
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 CT: Content-Type: multipart/mixed;boundary="----=_NextPart_000_0
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 Got boundary; =------=_NextPart_000_0012_00002431.00000497.
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 DOMIME end-of-headers
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 ISMULTI
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 Hit boundary... Recursing... 0 (5-0-).
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 MIMELAYER++
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 DOMIME START
03/12/2004 14:55:04.308 Q158a0c4c0272caa5 CT: Content-Type: text/plain;charset="Windows-1252"
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Got Encoding 7bit.
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 DOMIME end-of-headers
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 !ISMULTI
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Handling a MIME segment [Boundary=------=_NextPart_000_0012_00002431.00000497].
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Encoding type: 7bit [1/]
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Starting BASE64
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Hit new boundary (fseek)
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 curpos=687
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Deleting (1) plaintext segment E:\spool\D158a0c4c0272caa5.vir\0..
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 MIMELAYER--
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Done Recursing...
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Hit boundary... Recursing... 1 (5-0-).
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 MIMELAYER++
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 DOMIME START
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 CT: Content-Type: application/octet-stream;name="my_details.pif"
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Setting MimeName to my_details.pif [14].
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Got Encoding base64.
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Got disp name=my_details.pif [MimeName=my_details.pif].
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 DOMIME end-of-headers
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 !ISMULTI
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Handling a MIME segment [Boundary=------=_NextPart_000_0012_00002431.00000497].
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Encoding type: base64 [1/pif]
03/12/2004 14:55:04.324 Q158a0c4c0272caa5 Starting BASE64
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 Hit new boundary (fseek)
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 curpos=31072
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 Ending BASE64
03/12/2004 14:55:04 Q158a0c4c0272caa5 MIME file: my_details.pif [base64; Length=22016 Checksum=2593084]
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 Comparing |pif| to SKIPEXTs and BANEXTs
03/12/2004 14:55:04 Q158a0c4c0272caa5 Banning file with PIF extension [application/octet-stream].
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 NOT PLAINTEXT: application/octet-stream.
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 MIMELAYER--
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 Done Recursing...
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 Hit end of layer
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 MIMELAYER layer--
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 0 - my_details.pif
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 Scanning files (2 scanners)
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE /PACKED /DUMB /REPORT=report.txt E:\spool\D158A0~1.VIR\
03/12/2004 14:55:04.339 Q158a0c4c0272caa5 Waiting for free processes [50 fpcmd.exe]
03/12/2004 14:55:04.355 Q158a0c4c0272caa5 Done waiting for free processes.
03/12/2004 14:55:04.355 Q158a0c4c0272caa5 Virus Scanner Started: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE /PACKED /DUMB /REPORT=report.txt E:\spool\D158A0~1.VIR\
03/12/2004 14:55:04.464 Q158a0c4c0272caa5 Virus scanner 1 reports exit code of 3
03/12/2004 14:55:04.464 Q158a0c4c0272caa5 E:\spool\D158a0c4c0272caa5.vir\
03/12/2004 14:55:04.464 Q158a0c4c0272caa5 E:\spool\D158a0c4c0272caa5.vir\report.txt
03/12/2004 14:55:04.464 Q158a0c4c0272caa5 report.txt len=693 rflen=41 cs=0
03/12/2004 14:55:04.464 Q158a0c4c0272caa5 file#=0 [name=0.pif ]
03/12/2004 14:55:04.464 Q158a0c4c0272caa5 Ending report.txt parsing
03/12/2004 14:55:04 Q158a0c4c0272caa5 Scanner 1: Virus=W32/[EMAIL PROTECTED] Attachment=my_details.pif [0] I
03/12/2004 14:55:04.464 Q158a0c4c0272caa5 Starting scanner #2: C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt E:\spool\D158A0~1.VIR\
03/12/2004 14:55:04.464 Q158a0c4c0272caa5 Waiting for free processes [50 avgscan.exe]
03/12/2004 14:55:04.480 Q158a0c4c0272caa5 Done waiting for free processes.
03/12/2004 14:55:04.480 Q158a0c4c0272caa5 Virus Scanner Started: C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt E:\spool\D158A0~1.VIR\
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 Virus scanner 2 reports exit code of 6
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 E:\spool\D158a0c4c0272caa5.vir\
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 E:\spool\D158a0c4c0272caa5.vir\report.txt
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 report.txt len=698 rflen=41 cs=1
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 file#=0 [name=0.pif" Virus ]
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 Ending report.txt parsing
03/12/2004 14:55:04 Q158a0c4c0272caa5 Scanner 2: Virus=I-Worm/Netsky.J Attachment=my_details.pif [0] I
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 0: Your
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 Starting EXT check .
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 1: my_details.pif MZ?
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 Found an EXE file
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 Starting EXT check pif.
03/12/2004 14:55:04 Q158a0c4c0272caa5 Invalid PIF Vulnerability
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 Found bogus file...
03/12/2004 14:55:04 Q158a0c4c0272caa5 Found a bogus .pif file
03/12/2004 14:55:04.933 Q158a0c4c0272caa5 E:\spool\D158a0c4c0272caa5.vir\*.*
03/12/2004 14:55:04.949 Q158a0c4c0272caa5 0.pif
03/12/2004 14:55:04.949 Q158a0c4c0272caa5 Deleted E:\spool\D158a0c4c0272caa5.vir\0.pif.
03/12/2004 14:55:04.949 Q158a0c4c0272caa5 report.txt
03/12/2004 14:55:04.949 Q158a0c4c0272caa5 Deleted E:\spool\D158a0c4c0272caa5.vir\report.txt.
03/12/2004 14:55:04.949 Q158a0c4c0272caa5 han=1345a8 b=False
03/12/2004 14:55:04 Q158a0c4c0272caa5 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 6]
03/12/2004 14:55:04.949 Q158a0c4c0272caa5 204.38.132.2.W32/[EMAIL PROTECTED]
03/12/2004 14:55:05.245 Q158a0c4c0272caa5 High code=23.
03/12/2004 14:55:05 Q158a0c4c0272caa5 Deleting file with virus
03/12/2004 14:55:05.245 Q158a0c4c0272caa5 AV returned 25
03/12/2004 14:55:05 Q158a0c4c0272caa5 Deleting E-mail with virus!
03/12/2004 14:55:05 Q158a0c4c0272caa5 Scanned: CONTAINS A VIRUS [MIME: 2 22184]
03/12/2004 14:55:05 Q158a0c4c0272caa5 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 204.38.132.2]
03/12/2004 14:55:05 Q158a0c4c0272caa5 Subject: Re: Details
03/12/2004 14:55:05.245 Q158a0c4c0272caa5 Skipping non-AV E-mail BANnotify.eml
03/12/2004 14:55:05.245 Q158a0c4c0272caa5 C:\IMail\Declude\recip.eml
03/12/2004 14:55:05.245 Q158a0c4c0272caa5 C:\IMail\Declude\recip.eml
03/12/2004 14:55:05.245 Q158a0c4c0272caa5 Starting E-mail file C:\IMail\Declude\recip.eml
03/12/2004 14:55:05.245 Q158a0c4c0272caa5 Not sending .eml file since AUTOFORGING detected a forging virus.
03/12/2004 14:55:05.245 Q158a0c4c0272caa5 Set process priority back to 32.
03/12/2004 14:55:05.261 Q158a0c4c0272caa5 feof=16, ferror=0
R. Scott Perry wrote:
I noticed that you removed the "5" result code from the 32-bit AVG example in the manual. I'm wondering if this might be beneficial.
It's hard to say. While heuristics can be beneficial, in general it seems that they rarely catch new viruses before definitions are created for them, and quite often they seem to have false positives.
So in this case, it would really depend on how good AVG's heuristics are.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
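An added example (not from the post, and not Declude's or F-Prot's own code): a small Python parser that pulls the per-scanner timing Matt reports out of LOGLEVEL DEBUG lines like the ones above, and checks whether /HEUR is on the F-Prot command line, since the ERRORLEVEL 4/5 heuristic codes can only show up when it is (per the post, that switch is assumed to be what enables them). Sample lines are constructed from the log above with the paths shortened; detection names are constructed because the archive redacted F-Prot's.

```python
import re
from datetime import datetime

# Constructed sample modelled on the Declude DEBUG log quoted in the post.
SAMPLE_LOG = [
    r"03/12/2004 14:55:04.355 Q158a0c4c0272caa5 Virus Scanner Started: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE /PACKED /DUMB /REPORT=report.txt E:\spool\D158A0~1.VIR",
    r"03/12/2004 14:55:04.464 Q158a0c4c0272caa5 Virus scanner 1 reports exit code of 3",
    r"03/12/2004 14:55:04 Q158a0c4c0272caa5 Scanner 1: Virus=W32/Netsky.J Attachment=my_details.pif [0] I",
    r"03/12/2004 14:55:04.480 Q158a0c4c0272caa5 Virus Scanner Started: C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /ARC /RT /REPORT=report.txt E:\spool\D158A0~1.VIR",
    r"03/12/2004 14:55:04.933 Q158a0c4c0272caa5 Virus scanner 2 reports exit code of 6",
    r"03/12/2004 14:55:04 Q158a0c4c0272caa5 Scanner 2: Virus=I-Worm/Netsky.J Attachment=my_details.pif [0] I",
]

# Declude writes the timestamp with or without milliseconds (both forms appear in the log).
TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?) (\S+) (.*)$")
START_RE = re.compile(r"Virus Scanner Started: (\S+)(.*)")
EXIT_RE = re.compile(r"Virus scanner (\d+) reports exit code of (\d+)")
HIT_RE = re.compile(r"Scanner (\d+): Virus=(\S+) Attachment=(\S+)")
# F-Prot ERRORLEVELs quoted at the top of the post; assumed to require /HEUR.
FPROT_HEURISTIC_CODES = {4: "suspicion detected by heuristic analysis",
                         5: "virus found by heuristic analysis"}

def parse_ts(text):
    fmt = "%m/%d/%Y %H:%M:%S.%f" if "." in text else "%m/%d/%Y %H:%M:%S"
    return datetime.strptime(text, fmt)

def scanner_timings(lines):
    """Pair each 'Virus Scanner Started' line with its exit code and hit line.
    Returns one dict per scanner: exe, seconds, exit_code, heur_enabled, heuristic, virus."""
    results, pending = [], None
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts, _msgid, body = m.groups()
        if s := START_RE.search(body):
            exe, args = s.groups()
            pending = {"exe": exe.rsplit("\\", 1)[-1].lower(),
                       "flags": [a.upper() for a in args.split()], "started": parse_ts(ts)}
        elif (e := EXIT_RE.search(body)) and pending:
            code = int(e.group(2))
            pending["scanner"], pending["exit_code"] = int(e.group(1)), code
            pending["seconds"] = (parse_ts(ts) - pending["started"]).total_seconds()
            pending["heur_enabled"] = "/HEUR" in pending["flags"]
            # A 4/5 from fpcmd.exe would mean the hit came from heuristics, not a definition.
            pending["heuristic"] = pending["exe"] == "fpcmd.exe" and code in FPROT_HEURISTIC_CODES
            results.append(pending)
            pending = None
        elif h := HIT_RE.search(body):
            for r in results:
                if r["scanner"] == int(h.group(1)):
                    r["virus"], r["attachment"] = h.group(2), h.group(3)
    return results

if __name__ == "__main__":
    for r in scanner_timings(SAMPLE_LOG):
        print(f"{r['exe']}: {r['seconds']:.3f}s exit={r['exit_code']} /HEUR={r['heur_enabled']} hit={r.get('virus')}")
```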
