Interesting, Andrew.  We've run AVAFTERJM for the same reasons, and have
been considering doing something to remove the viruses from the spam hold
queue as well.

Speaking of which, I'd like to re-request a feature from Declude to be able
to selectively notify on detected vulnerabilities.  We have notification on
banned files, but I don't believe vulnerabilities notify.  Adding that would
make virus detection system manual maintenance almost non-existent.

Darin.


----- Original Message ----- 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, January 26, 2006 3:33 AM
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME


> Do you mean this script on my disk who creates one hour each
> day with 100% CPU usage?

Markus, I found that a pretty fun bit of sarcasm.  But I have a dry
sense of humour.

It sounds like you're not using AVAFTERJM so that you catch viruses as
viruses and spam as spam.

In this scenario I'm pretty confident that you could automate grepping
your virMMDD.log file hourly, look for a pre-set list of virus names,
cut up the Q* column to derive the filename, and delete the Q*.SMD and
D*.SMD file, for example, this line:

01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [
W32/[EMAIL PROTECTED]: 3]

is quite easy to parse.

Let me share something similar I've done.  I've remarked on it vaguely
before...

I wanted to nail down some of my statistics, and as that evolved, I
wanted to know how much of the inbound mail that is blocked as spam was
actually viral.  It turned out that I block a lot of viruses as spam
because they have the same IP source characteristics, malformed headers,
fake source domains and so forth as zombie spam (no surprise, they're
much the same machines).

Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM
to cut down on the work, and this definitely leaves a gap in my
statistics.  Similarly, it follows that I wouldn't want to scan my whole
SPAM folder.  Even reading the directory of the filenames is a disk
workout.

During our slow period (nightly) I do a scheduled run of a .cmd script
that uses the GNU utilities to check my Declude logs for the held spam
for that day only, I weed out ones that triggered SNIFFERMALWARE or my
own Declude filter tests for viruses, then from that subset I have a
list of Q* names.

From that Q* column, I can form the filename.  I then grep each one of
those files for strings that would indicate that there is a possibly
viral attachment (it's not perfect), and then on the remainder of the
filenames, I invoke my F-Prot scanner and check the result code for each
file.  This isn't ideal, but I found that invoking it every time with
specific filenames was far, far faster than scanning a folder.  Windows
certainly caches the fpcmd and pattern files, so that definitely helps.

How much am I saving?  Well, I am scanning all the files in some
fashion, but I'm doing grep for some spam and grep plus antivirus for
the minority of it, and I'm doing it outside of our busy hours.

It takes *two hours*, and produces results like this in a day:
Viruses caught by Declude Virus after using AVAFTERJM: 1
Messages caught by filters or Sniffer: 349
Messages scanned "after hours": 25,000
Viruses found "after hours": 378

So, I time-shifted away from normal hours the CPU and disk hit of doing
the scanning, and I still get my virus statistics without causing a
performance problem at night.  The resulting logs are easily grepped for
virus names and counts if I want.  I use another set of scripts to
compile the stats at the end of the month, with little to no
maintenance.

It's awful code, but if a non-programmer like me can do this, your
virMMDD.log can be used to delete the messages for viruses you don't
want to keep on disk.

Andrew 8)




> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Wednesday, January 25, 2006 10:13 PM
> To: [email protected]
> Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
>
>
>
> > As a work around until and if Declude adds the requested
> feature, you
> > could write a script to search the files on a timed based
> for a phrase
> > (virus
> > name) and have it delete them.
>
> Do you mean this script on my disk who creates one hour each
> day with 100% CPU usage?
>
> Markus
>
> ---
> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.
>
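Andrew's suggested hourly grep of virMMDD.log, as an added example that is not his .cmd script and not Declude or IMail code: a small Python parser for the INFECTED line shape quoted above. It matches the reported virus name against a pre-set list (shell-style patterns such as W32/Sample*, a slight generalisation of the plain name list he describes), derives the Q*.SMD and D*.SMD spool files from the Q* column, and by default only reports what it would remove. The log lines and virus names in SAMPLE_LOG are constructed placeholders, the spool directory is a made-up path, and the rule that the D-file shares the Q-file's hexadecimal identifier is my assumption, not something the thread states.

```python
"""Added example: select held-spool files for removal from a Declude virMMDD.log.

Log line shape (from the thread):
  01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ W32/Name: 3]
The Q* column is the queue file name; the matching D* data file is ASSUMED
to share the hexadecimal identifier (an assumption, not stated in the thread).
"""
import fnmatch
import os
import re
from typing import Dict, Iterable, List

INFECTED_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<qname>Q[0-9A-Fa-f]+) File\(s\) are INFECTED "
    r"\[\s*(?P<virus>[^\]]+?)\s*:\s*(?P<count>\d+)\s*\]"
)

# Constructed sample log; the virus names are placeholders, not real detections.
SAMPLE_LOG = """\
01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ W32/Sample-A.worm: 3]
01/24/2006 18:55:02 QE867AAFB0144EA72 File(s) are INFECTED [W32/Other-B: 1]
01/24/2006 18:56:10 QE867AAFC0144EA73 Scan finished with no infection
01/24/2006 18:57:44 QE867AAFD0144EA74 File(s) are INFECTED [W32/Sample-C: 2]
"""


def parse_infected(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per INFECTED line; every other log line is ignored."""
    records = []
    for line in lines:
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "qname": m.group("qname"),
            "virus": m.group("virus"),
            "count": int(m.group("count")),
        })
    return records


def spool_files(qname: str, spool_dir: str) -> List[str]:
    """Derive the Q*.SMD and D*.SMD paths for one queue entry (D-file naming assumed)."""
    ident = qname[1:]  # drop the leading 'Q'; the rest is the shared identifier
    return [os.path.join(spool_dir, f"Q{ident}.SMD"),
            os.path.join(spool_dir, f"D{ident}.SMD")]


def select_for_deletion(lines: Iterable[str], patterns: List[str],
                        spool_dir: str) -> List[Dict[str, object]]:
    """Keep only records whose virus name matches a pre-set pattern (case-insensitive)."""
    wanted = [p.lower() for p in patterns]
    selected = []
    for rec in parse_infected(lines):
        name = str(rec["virus"]).lower()
        if any(fnmatch.fnmatchcase(name, p) for p in wanted):
            rec["files"] = spool_files(str(rec["qname"]), spool_dir)
            selected.append(rec)
    return selected


def purge(lines: Iterable[str], patterns: List[str], spool_dir: str,
          dry_run: bool = True) -> List[str]:
    """Remove (or, in a dry run, just list) the spool files for matching entries."""
    removed = []
    for rec in select_for_deletion(lines, patterns, spool_dir):
        for path in rec["files"]:
            if not dry_run:
                try:
                    os.remove(path)
                except FileNotFoundError:
                    continue  # already gone, e.g. cleaned up by another job
            removed.append(path)
    return removed


if __name__ == "__main__":
    # Dry run over the constructed sample.  Against a real system you would read
    # the day's virMMDD.log, point spool_dir at the hold queue, review the list,
    # and only then call purge(..., dry_run=False) from the scheduled task.
    for path in purge(SAMPLE_LOG.splitlines(), ["W32/Sample*"], "spool", dry_run=True):
        print("would remove", path)
```

Running the dry run first and logging what it returns gives the same easily grepped audit trail Andrew describes for his own statistics, and keeps a typo in the name list from silently emptying the hold queue.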
