I wouldn't call it frustration. I was just doing some cleanup of
things and I decided to revisit the command line arguments. McAfee has
been acting funny on my system, but I'm not sure what the cause is.
While on Monday I had over a dozen application errors with it, on
Tuesday it was back to normal with no errors on slightly higher volume
and no other changes except the DAT.
Since I was not running the /NOBOOT switch, that was definitely causing
more load and latency. Declude should at minimum add this to their
recommended McAfee config.
I also agree about the saving of some processing by not running the
second scanner when the first one detects a virus code. For the most
part this will do little for the CPUs based on the rarity of viruses,
but there have been viruses in the past that would pound a server with
hundreds of copies per address in rapid succession, and if we see one of
those again, it would definitely hurt.
I would prefer that PRESCAN just simply be expanded so that it will
trigger on things that might contain a phishing attempt. I figure that
this is what you are getting after with the per-scanner setting on
this. If PRESCAN triggered on linked IPs, and also obfuscated URLs,
that would probably cover almost all of the phishing stuff and linked
viruses that scanners like McAfee can detect based on content alone.
The additional number of scanned messages would be low and not cause a
noticeable hit on the CPUs, but turning PRESCAN OFF does result in a
50% increase in CPU utilization on my system when running both F-Prot
and McAfee.
Would you prefer the approach of including more qualifications for
PRESCAN, or just switching it on and off per scanner?
Matt
Scott Fisher wrote:
I'm using:
SCANFILE3 D:\VIRUSSCAN\scan.exe
/ALL /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /MANALYZE /MIME
/PANALYZE /PROGRAM /REPORT report.txt
Haven't seen any FPs with /MANALYZE or /PANALYZE.
I run PRESCAN OFF and the /MAILBOX isn't needed to find Phish/Links.
I sense a frustration with virus
protection from you. I think this CPU intensive process could be
improved.
If a virus is found with scanner 1, I'd like an option to avoid calling
later scanners. While it's good for comparison's sake, if a virus is
found, I don't need 2 other programs to confirm that.
I'd also like to have the PRESCAN
ON/OFF setting moved within the virus scanner definitions. I could then
have one of the scanners scan all of the e-mail, and the less effective
scanner would run a Prescan ON.
Example:
SCANFILE1 ...
VIRUSCODE1 3
REPORT1 Infection:
PRESCAN1 OFF
SCANFILE2 ...
VIRUSCODE2 13
REPORT2 Found
PRESCAN2 ON
----- Original Message -----
Sent: Tuesday, April 26, 2005 10:53 PM
Subject: [Declude.Virus] Revisiting the McAfee command line arguments
I've searched the archives and came up with nothing specific regarding
this, but that's not to say that there wasn't a discussion. I seem to
remember Bill Landry having some of his own tweaks to the McAfee
command line, but I really can't recall.
Anyway, I found that using the published config for McAfee, it was
scanning the boot records, in fact I believe it scans all of them.
Checking the /? I found that there is a switch to turn this off in the
4.4.00 scan engine, /NOBOOT. From the command line I verified that
this does in fact not scan the MBRs, and my Declude log shows that it
is still detecting viruses. This could be a big improvement for McAfee
if this switch was used; however, I wouldn't recommend doing it without
further discussion or testing.
I also found what appears to be a new switch called /PROGRAM. McAfee's
notes describe this as, "Scan for potentially unwanted applications."
I turned it on and noted a change in the way that McAfee was detecting
some things. It appears that Declude reports the first virus found in
the report.txt file and before the change on some Netsky viruses,
F-Prot would detect an "HTML/[EMAIL PROTECTED]" in the HTML segment and
McAfee would detect "W32/[EMAIL PROTECTED]" in the executable attachment.
After using the /PROGRAM switch, McAfee is now detecting the exploit in
the HTML segment as "potentially unwanted program Exploit-MIME.gen.c."
Here are before and after entries, with and without the switch, from my logs of what I
assume to be the same virus in different messages:
Before
04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=message.scr [0] O
After
04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
I am assuming that McAfee would still be detecting the virus in the
attachment, but Declude is just simply logging the first matching
string that is found in the Report.txt, and therefore this would appear
to be a good switch to use.
Based on the above, and assuming that no problems arise as a result of
either switch, it would then be a good idea to modify McAfee's command
line options using the 4.4.00 scan engine (released late last year) to
the following:
C:\[McAfee Path]\scan.exe /ALL /NOBOOT /NOMEM
/NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /PROGRAM /REPORT report.txt
There are some other switches that I also came across and don't recall
seeing before, but may be beneficial. They are as follows along with
some comments on why I think they might be useful, but note that I have
no experience with any of these and am only speculating:
/TIMEOUT <seconds> - Set the maximum time to spend scanning any one file.
I'm thinking that this might be a good way to help
protect a Declude system from overloaded conditions. While Declude
will timeout on a scan, if you are using two virus scanners and where
the first (F-Prot) is more efficient than McAfee, this might be a good
way to disable the second scanner under high load conditions after a
reasonable amount of time so as to not overwhelm the server as much as
without the switch.
/MAILBOX - Scan inside plain text mailboxes.
I'm thinking that this might help or be required in
order to detect phishing and linked viruses based on content patterns.
/AFC=<cache size> - Set the size of the internal cache used when decompressing archive files.
I'm thinking that this might be a way to prevent
decompression bombs, but it might also add overhead. I don't know.
/MIME - Scan inside MIME, UUE, XXE and BinHex files.
Although Declude decodes attachments before calling
the scanners, this might provide some backup protection in the event of
a decoding error. This might also cause additional overhead.
/ANALYZE - Turn on heuristic analysis for programs and macros.
/PANALYZE - Turn on program heuristics.
I'm not sure what FPs either one of these could
cause, but some around here do prefer tighter controls despite the risk
of more FPs and these might be desirable under those conditions. I'm
not sure how they differ.
Any comments or experiences would be appreciated.
Thanks,
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
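The log lines quoted in the original message are what the thread's "skip later scanners after the first hit" idea would act on. As an added example, not code from the list or from Declude, here is a small parser for that log layout that separates messages where scanner 2 fired after scanner 1 had already detected something (the calls that option would skip) from messages only a later scanner caught (the reason to keep running it). The field layout is taken from the quoted lines; the sample log is constructed from them, and its last line is a made-up case that scanner 1 missed.

```python
import re
from collections import defaultdict

# Declude virus log line layout as quoted in the thread:
#   MM/DD/YYYY HH:MM:SS <queue id> Scanner N: Virus=<name> Attachment=<file> [<code>] <flag>
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<qid>Q[0-9A-F]+) Scanner (?P<scanner>\d+): "
    r"Virus=(?P<virus>.+?) Attachment=(?P<attachment>.+?) "
    r"\[(?P<code>\d+)\] (?P<flag>\S+)$"
)

# Constructed sample: the first four lines mirror the ones in the message
# ([EMAIL PROTECTED] is the archive's redaction of the real virus names);
# the fifth is an invented message that only scanner 2 flagged.
SAMPLE_LOG = """\
04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=message.scr [0] O
04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
04/26/2005 23:15:02 Q0000000000000001 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=message.scr [0] O
"""


def parse_log(text):
    """Return one dict per detection line; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["scanner"] = int(rec["scanner"])
            records.append(rec)
    return records


def detections_by_message(records):
    """Map queue id -> {scanner number: virus name}, keeping the first name each scanner logged."""
    by_qid = defaultdict(dict)
    for rec in records:
        by_qid[rec["qid"]].setdefault(rec["scanner"], rec["virus"])
    return by_qid


def redundant_scans(records):
    """Queue ids where a later scanner also fired after scanner 1 had already detected something."""
    return sorted(q for q, s in detections_by_message(records).items() if 1 in s and len(s) > 1)


def later_scanner_only(records):
    """Queue ids caught only by a scanner after the first: what a skip-after-first-hit option must not lose."""
    return sorted(q for q, s in detections_by_message(records).items() if 1 not in s)
```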