Thanks for the explanation.  I was hoping for something miraculous that might be of benefit, but it looks like Declude does all of this already.

On a related topic, during my testing I found that while I was logged into my server with pcANYWHERE instead of Terminal Services, I kept seeing CMD windows pop up when AVG was scanning despite the /silent switch.  I don't ever recall seeing that before, but it's rare that I log in with pcANYWHERE.  Maybe there is something else happening here that isn't necessary.  The folks from Grisoft were nice enough to add the return codes and maybe they could help make the command line more efficient???  I also tried AVG without a bunch of the switches and didn't notice any difference, though apparently adding the heuristic switch will increase the scan time.

One of my thoughts to increase the efficiency of the environment would be to add a handler application for Declude Virus to call instead of doing it directly.  You could for instance have the handler call the first scanner, wait for the code, and then only call the second scanner if it was a negative result, or also only if the attachment was below a certain size (large attachments are a big hit and viruses are very rare with such things).  I also found a sample of one such batch program in the archives with a helper that reconfigured the report file into a format that Declude accepted.  I'm not sure about how much overhead this would add, but it would probably be a net benefit.

    http://www.mail-archive.com/[EMAIL PROTECTED]/msg03101.html

I've been looking to do something similar with Sniffer (escape on existing high weight) but couldn't get the VBScript to work that supposedly would capture return codes.  I'm thinking that this code sample might do the trick.  I'm an awful hack when it comes to programming though :)  If anyone out there has interest in helping me do this, please don't hesitate to chime in.

I'm on an efficiency kick as of late (if folks haven't noticed) based both on need and on my desire to not just throw more servers at the mix, primarily because after you outgrow the capacity that one machine can handle, you are forced into a more complicated load balancing methodology which is harder to manage and much more expensive after you add in the licensing.  So far I've managed to trim a good deal of froth from my system without compromising the effectiveness by doing things such as moving mailfrom and ipfile filters into DNS, and even trimming massive blocks of comments from my custom filters.  It's the good mail though that hogs the most processing power (thanks to SKIPIFWEIGHT) despite the lower volume, and tests like file size can be used to defeat expensive tests that aren't likely to be of use in such E-mail by using handler scripts and the new TESTSFAILED filter element.

Matt



Terry Fritts wrote:
Terry, if you could explain the demime thing, that would be appreciated.
    

I'm sorry - I've been tied up all day working on name server issues.

The application I referenced earlier was an xmail mail server.
Declude is not available for it so I wrote my own program that is
called by xmail for messages.  My program does something similar to
what declude does but not nearly as well.

Giving a message to either NAI or ClamAV is inconsequential because
both of those programs will not dismantle the message into its mime
parts (demime).  As I said Fprot actually does a certain amount of
demime itself.  I don't know how declude accomplishes this but I know
declude does something to make NAI and others scan the pieces of the
message.

In my case I use an external program (munpack I think it is). My
program creates a temporary directory and then calls munpack with that
directory and message path. munpack then takes the message and splits it
into the various mime segments. For instance there might be a text
segment, an html segment, and a zip file attachment. It is quite
common to have 4 or more files. Then my program next calls fprot, nai,
and clamav in turn for that directory. Each of those programs scans all
the files in the temp folder and create a report file. My program
extracts the virus name from the report files if an infection is
indicated, logs it, quarantines the message, and tells the mail server
to delete the message (if infected).

Finally my program does some spam checking including a call to the
sniffer engine.

I don't do a lot of stuff that declude does however.

As for the daemon issue I'm going to look at that and see if I can
figure some way to keep the thing loaded - just no time today.

Terry Fritts


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.


  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
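
Added example, not code from either poster or from Declude: a sketch of the handler idea discussed above (call scanners in order, stop on the first positive return code, skip a scanner when a part exceeds a size limit) combined with the demime step Terry describes. It assumes Python's standard `email` module in place of munpack, and the scanner commands are hypothetical stand-ins that exit with 1 for "infected"; real scanners' command lines and return codes must come from their own documentation.

```python
import email, os, subprocess, sys, tempfile
from email import policy
from email.message import EmailMessage

def demime(raw: bytes, outdir: str) -> list:
    """Write each leaf MIME part to outdir (stdlib stand-in for munpack)."""
    paths = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        # Generated names only: the sender-supplied filename is untrusted.
        path = os.path.join(outdir, f"part{i:03d}.bin")
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        paths.append(path)
    return paths

def scan_message(raw: bytes, scanners: list) -> dict:
    """scanners: (name, argv, infected_codes, size_limit or None), in call order."""
    ran = []
    with tempfile.TemporaryDirectory() as tmp:
        largest = max((os.path.getsize(p) for p in demime(raw, tmp)), default=0)
        for name, argv, infected_codes, size_limit in scanners:
            if size_limit is not None and largest > size_limit:
                continue  # size gate: skip this scanner for large parts
            rc = subprocess.run(argv + [tmp], capture_output=True, timeout=60).returncode
            ran.append((name, rc))
            if rc in infected_codes:
                return {"infected": True, "by": name, "ran": ran}  # stop early
    return {"infected": False, "by": None, "ran": ran}

def stand_in(marker: str) -> list:
    """Hypothetical scanner: exits 1 if any file in argv[1] contains marker."""
    code = ("import os,sys; d=sys.argv[1]; sys.exit(int(any("
            f"{marker.encode()!r} in open(os.path.join(d,f),'rb').read() "
            "for f in os.listdir(d))))")
    return [sys.executable, "-c", code]

def sample(attachment: bytes) -> bytes:
    """Constructed test message: a text body plus one binary attachment."""
    m = EmailMessage()
    m.set_content("hello")
    m.add_attachment(attachment, maintype="application", subtype="octet-stream",
                     filename="a.bin")
    return m.as_bytes()

SCANNERS = [("fast", stand_in("MARK-A"), {1}, None),   # always runs
            ("slow", stand_in("MARK-B"), {1}, 4096)]   # skipped above 4 KB
```

Every return code is recorded in `ran`, so a caller can treat an unexpected code (a scanner error) as a failure instead of silently counting it as clean.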
