[Declude.Virus] Revisiting the McAfee command line arguments

[Matt]

I've searched the archives and came up with nothing specific regarding this, but that's not to say that there wasn't a discussion.  I seem to remember Bill Landry having some of his own tweaks to the McAfee command line, but I really can't recall. Anyway, I found that using the published config for McAfee, it was scanning the boot records, in fact I believe it scans all of them.  Checking the /? I found that there is a switch to turn this off in the 4.4.00 scan engine, /NOBOOT.  From the command line I verified that this does in fact not scan the MBR's and my Declude log shows that it is still detecting viruses.  This could be a big improvement for McAfee if this switch was used, however I wouldn't recommend doing it without further discussion or testing. I also found what appears to be a new switch called /PROGRAM.  McAfee's notes describes this as, "Scan for potentially unwanted applications."  I turned it on and noted a change in the way that McAfee was detecting some things.  It appears that Declude reports the first virus found in the report.txt file and before the change on some Netsky viruses, F-Prot would detect an "HTML/[EMAIL PROTECTED]" in the HTML segment and McAfee would detect "W32/[EMAIL PROTECTED]" in the executable attachment.  After using the /PROGRAM switch, McAfee is now detecting the exploit in the HTML segment as "potentially unwanted program Exploit-MIME.gen.c."  Here are a before and after using the switch from my logs of what I assume to be the same virus in different messages: Before 04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O 04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=message.scr [0] O After 04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O 04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O I am assuming that McAfee would/is still detecting the virus in the attachment, but Declude is just simply logging the first matching string that is found in the Report.txt, and therefore this would appear to be a good switch to use. Based on the above, and assuming that no problems arise as a result of either switch, it would then be a good idea to modify McAfee's command line options using the 4.4.00 scan engine (released late last year) to the following: C:\[McAfee Path]\scan.exe /ALL /NOBOOT /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /PROGRAM /REPORT report.txt There are some other switches that I also came across and don't recall seeing before, but may be beneficial.  They are as follows along with some comments on why I think they might be useful, but note that I have no experience with any of these and am only speculating: /TIMEOUT <seconds> - Set the maximum time to spend scanning any one file. I'm thinking that this might be a good way to help protect a Declude system from overloaded conditions.  While Declude will timeout on a scan, if you are using two virus scanners and where the first (F-Prot) is more efficient than McAfee, this might be a good way to disable the second scanner under high load conditions after a reasonable amount of time so as to not overwhelm the server as much as without the switch. /MAILBOX - Scan inside plain text mailboxes. I'm thinking that this might help or be required in order to detect phishing and linked viruses based on content patterns. /AFC=<cache size> - Set the Size of the Internal Cache Used When Decompressing Archive Files. I'm thinking that this might be a way to prevent decompression bombs, but it might also add overhead.  I don't know. /MIME - Scan inside MIME, UUE, XXE and BinHex files. Although Declude decodes attachments before calling the scanners, this might provide some backup protection in the event of a decoding error.  This might also cause additional overhead. /ANALYZE - Turn on heuristic analysis for programs and macros. /PANALYZE - Turn on program heuristics. I'm not sure what FP's either one of these could cause, but some around here do prefer tighter controls despite the risk of more FP's and these might be desirable under those conditions.  I'm not sure how they differ. Any comments or experiences would be appreciated. Thanks, Matt -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================