Markus,
I stopped bouncing any AV notifications except for banned extensions
several months ago, and I also turned off banned extensions for
encrypted zips. Essentially +99% of the viruses that a mail server
receives are forging or partially forged. While at one time it was a
nice thing to let people know that they were infected, for the most
part sending notifications for things that aren't considered forging in
Declude are still going to innocent parties because the system isn't
reliable enough to stop the backscatter. AV notifications are
primarily useful for Macro viruses or other things that are manually
spread, and I chose less backscatter over notifying the few if any that
would benefit from this. Most replies to my AV notifications were
autoresponders or people telling me that they didn't send the message
in question, and I feel bad for putting people though this.
Anyway, it would seem to be better protection to use /PROGRAM since it
captures other forms of exploits. F-Prot already does this with the
standard config so making McAfee do it too seems like a wise idea to
me. Andy, Scott and Andrew all have been using that switch and none
have reported issues, so I'm going to assume that it is safe to use
along with /NOBOOT.
I'm still unsure about the heuristic stuff and the other switches. It
seems like using the heuristics are fairly common for those that have
tweaked, but the other stuff doesn't seem to be used.
Matt
Markus Gufler wrote:
Matt, this seems to be
interesting.
I was sure to have already in
use the NOBOOT switch but after opening my virus.cfg file I've seen
that this was only part of my F-prot config line. So if it will work
for F-prot why it shouldn't work too for Mcafee's engine?
The PROGRAMM switch seems also
interesting but maybe we should enable it and check for possible false
positives. As "potentially unwanted program Exploit-MIME.gen.c" isn't
set as forging there should be both a warning for sender recipient and
postmaster and so it should be easy to try it out.
From the other switches you
mentioned MIME was already part of my Mcafee config line. Haven't had
any problem with up to now.
Markus
I've searched the archives and came up with nothing specific regarding
this, but that's not to say that there wasn't a discussion. I seem to
remember Bill Landry having some of his own tweaks to the McAfee
command line, but I really can't recall.
Anyway, I found that using the published config for McAfee, it was
scanning the boot records, in fact I believe it scans all of them.
Checking the /? I found that there is a switch to turn this off in the
4.4.00 scan engine, /NOBOOT. From the command line I verified that
this does in fact not scan the MBR's and my Declude log shows that it
is still detecting viruses. This could be a big improvement for McAfee
if this switch was used, however I wouldn't recommend doing it without
further discussion or testing.
I also found what appears to be a new switch called /PROGRAM. McAfee's
notes describes this as, "Scan for potentially unwanted applications."
I turned it on and noted a change in the way that McAfee was detecting
some things. It appears that Declude reports the first virus found in
the report.txt file and before the change on some Netsky viruses,
F-Prot would detect an "HTML/[EMAIL PROTECTED]" in the HTML segment and
McAfee would detect "W32/[EMAIL PROTECTED]" in the executable attachment.
After using the /PROGRAM switch, McAfee is now detecting the exploit in
the HTML segment as "potentially unwanted program Exploit-MIME.gen.c."
Here are a before and after using the switch from my logs of what I
assume to be the same virus in different messages:
Before
04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/[EMAIL PROTECTED]
Attachment=[HTML segment] [0] O
04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=the
W32/[EMAIL PROTECTED] Attachment=message.scr [0] O
After
04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/[EMAIL PROTECTED]
Attachment=[HTML segment] [0] O
04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially
unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
I am assuming that McAfee would/is still detecting the virus in the
attachment, but Declude is just simply logging the first matching
string that is found in the Report.txt, and therefore this would appear
to be a good switch to use.
Based on the above, and assuming that no problems arise as a result of
either switch, it would then be a good idea to modify McAfee's command
line options using the 4.4.00 scan engine (released late last year) to
the following:
C:\[McAfee Path]\scan.exe /ALL /NOBOOT /NOMEM
/NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /PROGRAM /REPORT report.txt
There are some other switches that I also came across and don't recall
seeing before, but may be beneficial. They are as follows along with
some comments on why I think they might be useful, but note that I have
no experience with any of these and am only speculating:
/TIMEOUT <seconds> - Set the maximum time
to spend scanning any one file.
I'm thinking that this might be a good way to help
protect a Declude system from overloaded conditions. While Declude
will timeout on a scan, if you are using two virus scanners and where
the first (F-Prot) is more efficient than McAfee, this might be a good
way to disable the second scanner under high load conditions after a
reasonable amount of time so as to not overwhelm the server as much as
without the switch.
/MAILBOX - Scan inside plain text mailboxes.
I'm thinking that this might help or be required in
order to detect phishing and linked viruses based on content patterns.
/AFC=<cache size> - Set the Size of the Internal
Cache Used When Decompressing Archive Files.
I'm thinking that this might be a way to prevent
decompression bombs, but it might also add overhead. I don't know.
/MIME - Scan inside MIME, UUE, XXE and BinHex files.
Although Declude decodes attachments before calling
the scanners, this might provide some backup protection in the event of
a decoding error. This might also cause additional overhead.
/ANALYZE - Turn on heuristic analysis for programs and
macros.
/PANALYZE - Turn on program heuristics.
I'm not sure what FP's either one of these could
cause, but some around here do prefer tighter controls despite the risk
of more FP's and these might be desirable under those conditions. I'm
not sure how they differ.
Any comments or experiences would be appreciated.
Thanks,
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|
