[Declude.Virus] Prescan idea

2005-02-13 Thread Scott Fisher



I'd like to submit this for a Declude Virus feature change:

I like having Prescan OFF to provide the maximum amount of protection that I can.

I also run 3 virus scanners.

I'm wondering if it would be possible to migrate the Prescan parameter into the
virus engine definitions, to turn it on or off for individual engines.

I might do this:
SCANFILE1 ...
PRESCAN1 ON

SCANFILE2 ...
PRESCAN2 OFF

SCANFILE3 ...
PRESCAN3 ON

In my case:
Scanner 1. F-Prot. No benefit to running with Prescan OFF that I have noticed.
Scanner 2. Clam. Scanner detects some malware and most Phish with Prescan OFF.
Good benefits.
Scanner 3. McAfee. Scanner detects some malware and a few Phish. No real
benefit over Clam.

I'd see a performance benefit from having the Prescan OFF option apply only to
my Scanner 2 and running Scanners 1 and 3 with a Prescan ON setting.




Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Matt
Greg,
Plain text E-mail will not link in Outlook unless it appears as a URL 
that begins with www, and that means that it is very unlikely that a 
successful exploit could be constructed in plain text as the infected 
computers won't have A records pointing at them that begin with www.

As far as links go of this variety, they would need to be embedded in 
text/html segments, and they would almost definitely come by way of a 
linked IP instead of using the FQDN of the exploited machine since many 
reverse DNS entries won't resolve to A records, and many computers don't 
have reverse DNS entries (primarily in other areas of the world).  It is 
unfortunately possible that someone might get creative and use some 
reverse DNS entries, but that would be unnecessary if they are 
successful at this form of exploit by using just an IP.  It seems like 
it would therefore be safe and prudent to simply expand PRESCAN to 
include messages that are linked with IPs, regardless of also having a 
port since that isn't necessary.  This would only add a modicum of 
overhead related to the additional messages that might be sent to the 
virus scanner, and it would enable many of the phish attempts to be 
scanned as well without needing to scan everything since most phishing 
attempts make use of IPs in links these days (domains are generally 
quickly killed when used for phishing, but the IP will live as long as 
the host allows it).

This is actually the second virus to have tried linking to the exploit 
that I am aware of.  The first one was a Bagel variant if I recall 
correctly, but it used a known universe of about 500 hosts that were 99% 
removed by the various ISPs within 12 hours of the virus being 
detected, so this method was ineffective.  It also was making use of an 
exploit that had been patched for almost a year, so it went nowhere.

This virus was easy for me to block, though I might cause some false 
positives on discussions of the virus.  If it came as an IP link, but 
without the fixed ports, I would have had to spend a lot more time 
coding something up to protect from this based on content, and as things 
stand, this will probably have to remain on my system for more than a 
year, and with other variants likely to come still.  My second scanner 
is McAfee though, and turning PRESCAN OFF might soon become my only 
realistic choice.  I'm going to guess that this might remove more than 
25% of my system's capacity however, and that gets costly.

Matt

Greg Little wrote:
We are on exactly the same track.
If this kind of attack catches on, and the e-mail can look like almost 
anything. Passing everything to the more CPU consuming AV engine may 
be needed.
This attack will work just fine in a plain text (non-HTML) e-mail. 
(Will the link work easily?)

Greg
Matt wrote:
Maybe the new MyDoom virus suggests a change in the way that PRESCAN 
qualifies messages?


---
[This E-mail scanned for viruses by Findlay Internet]
---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Bill Landry
Matt, thanks for the analysis.  I would very much like to know what the
additional load is on your server by setting PRESCAN to OFF.  Please do post
your results if you test this.  I have had PRESCAN OFF for a few weeks now,
and have not noticed much of an increase on my servers, but I was not near
capacity anyway.

Bill


Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Matt





Bill,

I've got a handy app from Passler that provides me with nice graphs
including processor utilization that I am sampling every minute (minute
averages). I just turned PRESCAN OFF a short while ago and it's
actually a bit worse than a 25% relative increase on my system. My
hourly average went directly from 33% to 46% with PRESCAN OFF, which is
a 39% increase. I've attached an image of the minute averages with a
green line marking the point when I turned PRESCAN OFF. Take note that
I run both F-Prot and McAfee on my system, so systems with only one
virus scanner won't see the same degree of a jump, though it should be
rather large. On systems with plenty of capacity, this is not a
concern and the increase would be not very noticeable despite being
relatively high, but I would like to fill this box to capacity and add
more, but not before I have to.

Matt


inline: graph.gif

Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Nick
On 10 Nov 2004 at 16:33, Matt wrote:
Matt - 

Would you elaborate on the Passler app? Where from, and how much?

-Nick

 




Re[2]: [Declude.Virus] PRESCAN

2004-11-10 Thread David Sullivan
Hello Matt,

Wednesday, November 10, 2004, 2:41:59 PM, you wrote:

  is McAfee though, and turning PRESCAN OFF might soon become my only
  realistic choice.  I'm going to guess that this might remove more than
  25% of my system's capacity however, and that gets costly.

FYI - one of our boxes is dual 2.8G Xeon that does nothing but gateway
filtering. Prescan OFF took processor utilization from 45% to 65%.
VERY costly.

-- 
Best regards,
 David    mailto:[EMAIL PROTECTED]



Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Bill Landry



Wow, that is quite a jump in processor utilization. I also run two
scanners (TrendMicro & F-Prot), but I might not have noticed as much of an
increase because I am running on dual-processor systems. When I get a
minute I will throw up a monitor and check to see how PRESCAN ON/OFF
actually affects my systems.

Bill



Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Matt




Two replies in one...

Nick, it would have helped if I spelled Paessler correctly :)
(http://www.paessler.com/ipcheck) The Professional License ($349) is
required in order to do SNMP monitoring, but the features go far beyond
that. I purchased it because it can alert me based on events, and it
can be configured to pre-qualify the events. I figured that this was a
better use of my money over my time, but for those that have a knack,
MRTG can do this type of thing and it is freeware. Paessler also sells
this as a service for those that only want a few monitors
(http://www.ipcheck-server-monitor.com). There is a fully functional
30 day trial of the downloadable software.

Bill, this is a dual 3.06GHz Xeon system that was built for speed.
From my previous tests, the only virus scanners that are faster than
McAfee are F-Prot and ClamAV in daemon mode, but I can't remember if I
tested Trend Micro (search the archives for "scanner efficiency
olympics"). Keep in mind that a jump from 15% to 21% is a 40%
increase, and so is a jump from 60% to 84%. My hourly averages have
now had a bit more time to build, and it actually looks more like a 50%
increase in utilization.

I have yet to configure my gateways to do full address validation, and
at least 25% of my traffic is coming from dictionary attacks and going
to dead addresses. My utilization decreases dramatically when I tested
validation for the majority of my customer base, but I need to get the
thing automated before I leave it that way. All of this traffic is not
being virus scanned with PRESCAN ON, but I believe that you are doing
address validation and that would lessen the impact on your system.
Some of the other things that you do with your gateway might also be
taking out a good deal of other things (zombie spam) that similarly
lack things that would trip PRESCAN. So it is likely that more of the
E-mail reaching your Declude Virus installation was being scanned prior
to turning PRESCAN off than on mine.

Matt







Re: [Declude.Virus] PRESCAN

2004-08-08 Thread Bill Landry
- Original Message - 
From: Panda Consulting S.A. Luis Alberto Arango [EMAIL PROTECTED]

 What is the suggested configuration for this option?
 PRESCAN   ON or OFF  ?

 Comments...? thanks

I have prescan on and, if you are running Virus Pro, I don't know why you
wouldn't want to enable it.  This from the Virus manual:
==
Declude Virus Pro has the option for pre-scanning E-mail, which can
significantly improve performance.

Since the majority of E-mails are really plaintext with a cute HTML
version of the E-mail attached (that is usually identical to the plain text
version), a lot of scanning may be done that isn't necessary. Plain HTML
files (without any scripts or other potentially dangerous code) are safe.

The pre-scanning in Declude Virus Pro will check HTML segments to see if
there is any potentially dangerous code (JavaScript, Active-X, plugins,
etc.). If so, it will send them to the virus scanner as they usually would
be. Otherwise, it will let them pass through unscanned, which will improve
performance.

To turn on pre-scanning, you can change the PRESCAN OFF line in the
\IMail\Declude\virus.cfg file to PRESCAN ON.
==

Bill

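Added example (Python, not Declude's own code) that models the prescan gate the manual excerpt above describes, together with Matt's earlier proposal that HTML links to bare IP addresses should also qualify a message for scanning and Scott's per-engine PRESCAN idea from the first post. The regexes, function names, engine layout and sample messages are this example's own assumptions; Declude's real prescan logic is not published on this page.

```python
# Prescan-style gating of MIME messages before handing them to virus engines.
# Heuristics below are this example's assumptions, not Declude's real logic.
from __future__ import annotations

import re
from email import message_from_string

# Markers of potentially dangerous HTML (assumed set; a real prescan would be
# broader): script/object/embed/applet/iframe tags, javascript: URLs and
# inline on*= event handlers.
ACTIVE_CONTENT = re.compile(
    r"<\s*(?:script|object|embed|applet|iframe)\b|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)
# href/src attributes pointing at a dotted-quad IP, optionally with a port
# (Matt's proposed extension: port or no port, the IP link alone qualifies).
IP_LINK = re.compile(
    r"""(?:href|src)\s*=\s*["']?\s*https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?""",
    re.IGNORECASE,
)


def prescan_reasons(raw: str) -> list[str]:
    """Return why a raw RFC 822 message needs a full scan ([] = pass unscanned)."""
    reasons: list[str] = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if part.get_filename() or part.get_content_disposition() == "attachment":
            reasons.append(f"attachment ({ctype})")  # attachments always scan
            continue
        if ctype != "text/html":
            continue  # plain text segments are treated as safe, as the manual says
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        if ACTIVE_CONTENT.search(body):
            reasons.append("active content in text/html")
        if IP_LINK.search(body):
            reasons.append("link to bare IP address")
    return reasons


def engines_to_run(raw: str, engines: dict[str, bool]) -> list[str]:
    """Pick engines for one message; `engines` maps name -> per-engine PRESCAN ON.

    PRESCAN OFF engines scan everything; PRESCAN ON engines scan only what the
    prescan flagged. This mirrors Scott's PRESCAN1/PRESCAN2/PRESCAN3 proposal."""
    flagged = bool(prescan_reasons(raw))
    return [name for name, prescan_on in engines.items() if flagged or not prescan_on]


# Constructed sample messages and engine layout (not taken from the thread).
ENGINES = {"F-Prot": True, "ClamAV": False, "McAfee": True}
CUTE_HTML = (  # plain text with an identical "cute HTML" alternative
    "MIME-Version: 1.0\r\nContent-Type: multipart/alternative; boundary=B\r\n\r\n"
    "--B\r\nContent-Type: text/plain\r\n\r\nHello\r\n"
    "--B\r\nContent-Type: text/html\r\n\r\n<html><body><b>Hello</b></body></html>\r\n"
    "--B--\r\n"
)
IP_LINK_HTML = (  # HTML-only message linking to an IP with an explicit port
    "MIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><a href="http://192.0.2.10:81/x">click</a></body></html>\r\n'
)
SCRIPT_HTML = (  # HTML carrying a script block
    "MIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><script>window.open('x')</script></body></html>\r\n"
)
```

With the engine layout above, engines_to_run(CUTE_HTML, ENGINES) returns only ['ClamAV'] (the PRESCAN OFF engine), while the IP-link and script samples go to all three engines.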


RE: [Declude.Virus] PRESCAN

2004-08-08 Thread Panda Consulting S.A. Luis Alberto Arango
Thank you Bill. I am reviewing my config options and comparing them against
the release notes and manual to make sure everything is up to date. Looking
at the PRESCAN option, it was OFF, and I am unsure why I left it OFF back
when I first configured it.

Thanks for your post. I will turn it ON and see how it goes.
Luis Arango



__
[Email scanned for viruses by Panda Consulting -www.pandacons.com-]



[Declude.Virus] PRESCAN

2004-08-07 Thread Panda Consulting S.A. Luis Alberto Arango
Hi:
What is the suggested configuration for this option?
PRESCAN   ON or OFF  ?

Comments...? thanks

Luis Arango
