On 27 Apr 2005 at 8:55, Scott Fisher wrote:

Thanks Scott - you have some switches I haven't seen!

Also - Declude tech support - Declude Scott used to make excellent recommendations regarding command line switches - can anyone with Declude tech support continue with same? This list used to be a support forum from Declude, but is support now only on a per-incident basis?

Thanks!

-Nick

> I'm using:
> SCANFILE3 D:\VIRUSSCAN\scan.exe /ALL /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /MANALYZE /MIME /PANALYZE /PROGRAM /REPORT report.txt
>
> Haven't seen any FPs with /MANALYZE or /PANALYZE
> I run PRESCAN OFF and the /MAILBOX isn't needed to find Phish/Links
>
> I sense a frustration with virus protection from you. I think this CPU intensive process could be improved. If a virus is found with scanner 1, I'd like an option to avoid calling later scanners. While it's good for comparison's sake, if a virus is found, I don't need 2 other programs to confirm that. I'd also like to have the PRESCAN ON/OFF setting moved within the virus scanner definitions. I could then have one of the scanners scan all of the e-mail, and the less effective scanner would run a Prescan ON.
>
> Example:
> SCANFILE1 ...
> VIRUSCODE1 3
> REPORT1 Infection:
> PRESCAN1 OFF
>
> SCANFILE2 ...
> VIRUSCODE2 13
> REPORT2 Found
> PRESCAN2 ON
>
> ----- Original Message -----
> From: Matt
> To: [email protected]
> Sent: Tuesday, April 26, 2005 10:53 PM
> Subject: [Declude.Virus] Revisiting the McAfee command line arguments
>
> I've searched the archives and came up with nothing specific regarding this, but that's not to say that there wasn't a discussion. I seem to remember Bill Landry having some of his own tweaks to the McAfee command line, but I really can't recall.
>
> Anyway, I found that using the published config for McAfee, it was scanning the boot records, in fact I believe it scans all of them. Checking the /? I found that there is a switch to turn this off in the 4.4.00 scan engine, /NOBOOT. From the command line I verified that this does in fact not scan the MBRs and my Declude log shows that it is still detecting viruses. This could be a big improvement for McAfee if this switch was used, however I wouldn't recommend doing it without further discussion or testing.
>
> I also found what appears to be a new switch called /PROGRAM. McAfee's notes describe this as, "Scan for potentially unwanted applications." I turned it on and noted a change in the way that McAfee was detecting some things. It appears that Declude reports the first virus found in the report.txt file and before the change on some Netsky viruses, F-Prot would detect an "HTML/[EMAIL PROTECTED]" in the HTML segment and McAfee would detect "W32/[EMAIL PROTECTED]" in the executable attachment. After using the /PROGRAM switch, McAfee is now detecting the exploit in the HTML segment as "potentially unwanted program Exploit-MIME.gen.c." Here is a before and after using the switch from my logs of what I assume to be the same virus in different messages:
>
> Before
> 04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
> 04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=message.scr [0] O
>
> After
> 04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
> 04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
>
> I am assuming that McAfee would/is still detecting the virus in the attachment, but Declude is just simply logging the first matching string that is found in the Report.txt, and therefore this would appear to be a good switch to use.
>
> Based on the above, and assuming that no problems arise as a result of either switch, it would then be a good idea to modify McAfee's command line options using the 4.4.00 scan engine (released late last year) to the following:
>
> C:\[McAfee Path]\scan.exe /ALL /NOBOOT /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /PROGRAM /REPORT report.txt
>
> There are some other switches that I also came across and don't recall seeing before, but may be beneficial. They are as follows along with some comments on why I think they might be useful, but note that I have no experience with any of these and am only speculating:
>
> /TIMEOUT <seconds> - Set the maximum time to spend scanning any one file.
> I'm thinking that this might be a good way to help protect a Declude system from overloaded conditions. While Declude will timeout on a scan, if you are using two virus scanners and where the first (F-Prot) is more efficient than McAfee, this might be a good way to disable the second scanner under high load conditions after a reasonable amount of time so as to not overwhelm the server as much as without the switch.
>
> /MAILBOX - Scan inside plain text mailboxes.
> I'm thinking that this might help or be required in order to detect phishing and linked viruses based on content patterns.
>
> /AFC=<cache size> - Set the Size of the Internal Cache Used When Decompressing Archive Files.
> I'm thinking that this might be a way to prevent decompression bombs, but it might also add overhead. I don't know.
>
> /MIME - Scan inside MIME, UUE, XXE and BinHex files.
> Although Declude decodes attachments before calling the scanners, this might provide some backup protection in the event of a decoding error. This might also cause additional overhead.
>
> /ANALYZE - Turn on heuristic analysis for programs and macros.
> /PANALYZE - Turn on program heuristics.
> I'm not sure what FPs either one of these could cause, but some around here do prefer tighter controls despite the risk of more FPs and these might be desirable under those conditions. I'm not sure how they differ.
>
> Any comments or experiences would be appreciated.
>
> Thanks,
>
> Matt
> --
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
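As an added example, not code from the thread, from Declude or from McAfee: a small Python parser for Declude.Virus log lines of the shape Matt quotes. It groups detections by queue id so the before/after shift in where Scanner 2 reports the hit is visible per message, and it counts the later-scanner detections that Scott's proposed stop-after-first-hit option would have suppressed. The log lines are constructed from the ones in the thread: the family names are placeholders because the archive redacts them, a third single-scanner message is invented to show the non-confirmed case, and the trailing "[0] O" field is captured but treated as opaque.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Declude.Virus log lines quoted in the thread.
# "Netsky.XX" stands in for the redacted family names and is NOT a real signature;
# the third message (Q...E40) is invented to show a detection by one scanner only.
SAMPLE_LOG = """\
04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/Netsky.XX Attachment=[HTML segment] [0] O
04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=W32/Netsky.XX Attachment=message.scr [0] O
04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/Netsky.XX Attachment=[HTML segment] [0] O
04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
04/26/2005 23:11:02 Q0264DA3401104E40 Scanner 1: Virus=HTML/Netsky.XX Attachment=[HTML segment] [0] O
"""

# One detection line: date, time, queue id, scanner number, the virus string as the
# scanner reported it, the attachment (or "[HTML segment]"), then the trailing
# "[n] O" that Declude appends, which this parser captures but does not interpret.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<qid>Q[0-9A-F]+) Scanner (?P<scanner>\d+): "
    r"Virus=(?P<virus>.+?) Attachment=(?P<attachment>.+?) "
    r"\[(?P<code>\d+)\] (?P<flag>\S+)$"
)


def parse_line(line):
    """Return a dict for a scanner-detection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["scanner"] = int(d["scanner"])
    d["code"] = int(d["code"])
    return d


def parse_log(text):
    """Group detection lines by queue id, each group ordered by scanner number."""
    by_msg = defaultdict(list)
    for line in text.splitlines():
        d = parse_line(line)
        if d:
            by_msg[d["qid"]].append(d)
    for dets in by_msg.values():
        dets.sort(key=lambda d: d["scanner"])
    return dict(by_msg)


def summarize(by_msg):
    """Per message: which scanners fired, what they called it, where, and whether
    every scanner pointed at the same MIME part (the change /PROGRAM produced)."""
    out = {}
    for qid, dets in by_msg.items():
        locations = [d["attachment"] for d in dets]
        out[qid] = {
            "scanners": [d["scanner"] for d in dets],
            "names": [d["virus"] for d in dets],
            "locations": locations,
            "same_location": len(set(locations)) == 1,
            "confirmed": len(dets) > 1,
        }
    return out


def later_detections_after_first_hit(by_msg):
    """Count detections logged by a scanner after a lower-numbered scanner had
    already fired on the same message: the runs a 'stop after the first hit'
    option (as proposed in the thread) would not have made. Clean runs are not
    logged, so this is a lower bound on the scanner invocations saved."""
    return sum(max(len(dets) - 1, 0) for dets in by_msg.values())


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for qid, info in summarize(msgs).items():
        print(qid, info)
    print("later-scanner detections an early-stop option would have skipped:",
          later_detections_after_first_hit(msgs))
```

Run it as-is, or feed it a real log with `parse_log(open(path).read())`; lines that are not scanner detections (queue, delivery, or error lines) are ignored by `parse_line` returning None, so the summary reflects only what the scanners reported.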
