[Declude.Virus] ClamWin

2004-11-10 Thread John Carter
Has anyone else installed the GUI version of ClamAV?  I got a successful
install using the default settings (C:\Program Files\ClamWin\).  Now I am
getting an error code 50 in the Declude log.

Plus the Declude manual says nothing about a REPORT line in the virus cfg
for ClamAV, but a reply in the list archives says to use REPORT FOUND.
Tried it both ways without success. What do I use?

Thanks,
John

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] New virus with unusual deployment

2004-11-10 Thread Rick Davidson
Don't the newer versions of Declude Virus catch the IFRAME vulnerability?
The problem with the current virus strains is that they do not contain any
vulnerability at all.
The IFRAME vulnerability exists on the site contained in the body link.

Rick Davidson
National Systems Manager
North American Title Group


Re: [Declude.Virus] ClamWin

2004-11-10 Thread Scott Fisher
I use this version of clamav: http://www.sosdg.org/clamav-win32/index.php
with this wrapper to get virus names:
http://www.smartbusiness.com/imail/declude/

My global.cfg lines:

SCANFILE2 d:\imail\declude\runclamscan.exe log=0
C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

If you have Declude Pro and you can afford to turn off Prescan, CLAMav will
catch phish for you.

- Original Message - 
From: John Carter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 8:15 AM
Subject: [Declude.Virus] ClamWin






Re: [Declude.Virus] ClamWin

2004-11-10 Thread R. Scott Perry

I did as Scott recommended and turned off prescan; but afterwards I
noticed in the clam logs that ClamAV had caught phish previously with
prescan ON, sooo why would you think that is so? eg - I guess what
I'm asking is will ClamAV reliably anti-phish to its capability with
prescan on?
PRESCAN ON (which works with Declude Virus Pro) saves CPU resources by not 
calling the AV scanner when an E-mail arrives that contains one or more 
HTML segments, if [1] there are no other segments except text and/or HTML 
segments, and [2] the HTML doesn't contain any code that Declude Virus 
identifies as potentially dangerous.

In other words, since most E-mail these days has HTML (by default, most 
mail clients send HTML E-mail, even if you just say hi in normal text), 
PRESCAN ON is able to save a lot of CPU time by not scanning those E-mails 
(while still catching the few E-mails that contain viruses/worms in HTML, 
such as kak.worm).

The drawback here to PRESCAN ON is that phishing attacks won't get sent to 
the virus scanner, so a virus scanner that is looking for them won't find them.

What you are probably seeing is an E-mail with a phishing attack that 
*does* contain potentially dangerous code.  For example, if it contains any 
JavaScript -- even safe JavaScript code -- it would be sent to the virus 
scanner.  So you may see the virus scanner detecting some phishing attacks 
even with PRESCAN ON.  But to catch them all, you would need PRESCAN OFF.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


This outgoing message is guaranteed to be authentic by Message Level users.
Guarantee the authenticity of your email @ http://www.messagelevel.com.


Re: [Declude.Virus] New virus with unusual deployment

2004-11-10 Thread Greg Little




McAfee is catching the "virus generated" e-mails as W32/Mydoom.gen!eml

http://vil.nai.com/vil/content/v_129633.htm

Virus Characteristics: This is a generic detection covering email messages
sent by W32/[EMAIL PROTECTED] and W32/[EMAIL PROTECTED]. These messages do
not contain an attachment.

But without any real violations (virus or vulnerability) in the e-mail
it will be hard for the AV companies to tell good from bad. It will be
even harder to write good generic detections that catch future versions
of this virus, because the virus writer can change almost everything
about the e-mail and the only thing that really counts is "does the
link work".
I do not expect Declude's checking to catch this one.

I've been wondering what took the virus writers so long to use this
model of distribution: host the virus on each infected PC. It is much
harder to stop at the mail server than an attachment. (And there is no
central server to be shut down.) Given enough variation in the virus
generated e-mail, I'm not sure the AV companies will be able to catch
future versions of this virus at the mail server.

So far the volume is low (I have yet to get one here).
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.AHVSect=SPeriod=1d
But this one or another member of its family is going to get very
widespread.

Greg Little

PS Anybody know how the other AV companies are doing on catching the
virus generated e-mails?


Rick Davidson wrote:

  Don't the newer versions of Declude Virus catch the IFRAME vulnerability?

  The problem with the current virus strains is that they do not contain
  any vulnerability at all.

  The IFRAME vulnerability exists on the site contained in the body link.

---
[This E-mail scanned for viruses by Findlay Internet]



Re: [Declude.Virus] ClamWin

2004-11-10 Thread Matt
Maybe the new MyDoom virus suggests a change in the way that PRESCAN 
qualifies messages?

These messages don't contain any exploitable code, however it is likely 
that these viruses will all be linked by way of an IP.  So maybe sending 
messages to the virus scanner when they contain an IP would be wise?

I am of course guessing that some virus scanners are detecting this just 
like they detect the phishes.  As Andrew pointed out in the other forum, 
it wouldn't be a surprise to see these messages use a standard port, or 
even exclude the port and default to 80, and if they did that, we would 
be hard pressed to detect all of these viruses since it would mean that 
content patterns alone would be the deciding factor in detection and 
they can be variable enough for individual administrators to not be able 
to handle, while the AV companies consider this type of thing to be 
their job.

Matt


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.Virus] New virus with unusual deployment

2004-11-10 Thread Scott Fisher



Since these are HTML segments, my guess is this is another case where
Declude Virus Pro's Prescan would need to be turned off for these to be
scanned.

I am catching these segments with Prescan off with Clam and McAfee.

- Original Message -
From: Greg Little
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 10:05 AM
Subject: Re: [Declude.Virus] New virus with unusual deployment


RE: [Declude.Virus] ClamWin

2004-11-10 Thread John Carter
Thanks. Since I didn't really need the GUI, I uninstalled it, went with the
other version, and used your virus.cfg lines. It seems to be happy now.

John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, November 10, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] ClamWin




Re: [Declude.Virus] ClamWin

2004-11-10 Thread Greg Little
We are on exactly the same track.
If this kind of attack catches on, and the e-mail can look like almost
anything, passing everything to the more CPU-consuming AV engine may be
needed.
This attack will work just fine in a plain text (non-HTML) e-mail. (Will
the link work easy?)

Greg
Matt wrote:
Maybe the new MyDoom virus suggests a change in the way that PRESCAN 
qualifies messages?




Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Matt
Greg,
Plain text E-mail will not link in Outlook unless it appears as a URL 
that begins with www, and that means that it is very unlikely that a 
successful exploit could be constructed in plain text as the infected 
computers won't have A records pointing at them that begin with www.

As far as links go of this variety, they would need to be embedded in 
text/html segments, and they would almost definitely come by way of a 
linked IP instead of using the FQDN of the exploited machine since many 
reverse DNS entries won't resolve to A records, and many computers don't 
have reverse DNS entries (primarily in other areas of the world).  It is 
unfortunately possible that someone might get creative and use some 
reverse DNS entries, but that would be unnecessary if they are 
successful at this form of exploit by using just an IP.  It seems like 
it would therefore be safe and prudent to simply expand PRESCAN to 
include messages that are linked with IP's, regardless of also having a 
port since that isn't necessary.  This would only add a modicum of 
overhead related to the additional messages that might be sent to the 
virus scanner, and it would enable many of the phish attempts to be 
scanned as well without needing to scan everything since most phishing 
attempts make use of IP's in links these days (domains are generally 
quickly killed when used for phishing, but the IP will live as long as 
the host allows it).

This is actually the second virus to have tried linking to the exploit 
that I am aware of.  The first one was a Bagel variant if I recall 
correctly, but it used a known universe of about 500 hosts that were 99% 
removed by the various ISP's within 12 hours of the virus being 
detected, so this method was ineffective.  It also was making use of an 
exploit that had been patched for almost a year, so it went nowhere.

This virus was easy for me to block, though I might cause some false 
positives on discussions of the virus.  If it came as an IP link, but 
without the fixed ports, I would have had to spend a lot more time 
coding something up to protect from this based on content, and as things 
stand, this will probably have to remain on my system for more than a 
year, and with other variants likely to come still.  My second scanner 
is McAfee though, and turning PRESCAN OFF might soon become my only 
realistic choice.  I'm going to guess that this might remove more than 
25% of my system's capacity however, and that gets costly.

Matt


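The PRESCAN gate Scott describes above (skip the AV engine for mail that is only text/HTML segments with no potentially dangerous code) and Matt's proposed extension (also hand the message to the scanner when a link points at a bare IP), as an added Python example. This is not Declude's code: the DANGEROUS_HTML markers, the sample messages and the 192.0.2.10 address are constructed assumptions.

```python
"""PRESCAN-style gate: decide whether a MIME message must go to the AV scanner.

Models the rule described on the list (skip the AV engine when the message is
only text/HTML segments with no "potentially dangerous" HTML) and the proposed
extension (also scan when a link points at a bare IP address).
Example code, not Declude's; the markers below are assumptions.
"""
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Optional, Tuple

# Assumed stand-ins for what Declude Virus treats as "potentially dangerous"
# HTML; the thread only names JavaScript and IFRAME, the real rule set is
# not on the page.
DANGEROUS_HTML = re.compile(
    r"<script\b|javascript:|<iframe\b|<object\b|<embed\b", re.IGNORECASE)
# A link whose host is a dotted-quad IP literal, with or without a port
# (Matt's proposal: the port should not matter).
IP_LINK = re.compile(
    r"""href\s*=\s*["']?https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?""",
    re.IGNORECASE)


def needs_av_scan(raw: str, scan_ip_links: bool = False) -> Tuple[bool, str]:
    """Return (send_to_scanner, reason) for one RFC 822 message string.

    scan_ip_links=False reproduces the PRESCAN ON behaviour as described;
    scan_ip_links=True adds the proposed "IP in a link" trigger.
    """
    msg = message_from_string(raw)
    leaf_parts = [p for p in msg.walk() if not p.is_multipart()]
    text_bodies = []
    for part in leaf_parts:
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            # Rule [1]: anything that is not a text/HTML segment gets scanned.
            return True, f"non-text segment {ctype}"
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html" and DANGEROUS_HTML.search(body):
            # Rule [2]: HTML with code the gate deems dangerous gets scanned.
            return True, "dangerous HTML"
        text_bodies.append(body)
    if scan_ip_links and any(IP_LINK.search(b) for b in text_bodies):
        return True, "IP-literal link"
    # Only text/HTML and nothing flagged: PRESCAN skips the AV engine. A message
    # with no HTML segment at all is treated the same way (assumption; the
    # thread only spells out the HTML case).
    return False, "text/HTML only"


def build_sample(html: str, attachment: Optional[bytes] = None) -> str:
    """Constructed sample message: text+HTML alternative, optional attachment."""
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText("Please see the link below.", "plain"))
    alt.attach(MIMEText(html, "html"))
    if attachment is None:
        msg = alt
    else:
        msg = MIMEMultipart("mixed")
        msg.attach(alt)
        msg.attach(MIMEApplication(attachment))  # application/octet-stream
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    return msg.as_string()


# Constructed samples; 192.0.2.10 is a documentation (TEST-NET-1) address.
SAMPLES = {
    "plain_link": build_sample('<p><a href="http://www.example.com/">news</a></p>'),
    "script": build_sample('<p>hi</p><script>var x = 1;</script>'),
    "ip_link": build_sample('<p><a href="http://192.0.2.10/">click</a></p>'),
    "ip_link_port": build_sample('<p><a href="http://192.0.2.10:8080/">click</a></p>'),
    "attachment": build_sample('<p>hi</p>', attachment=b"MZ\x90\x00"),
}


def run_samples(scan_ip_links: bool = False) -> dict:
    """Map each sample name to the gate decision under one policy."""
    return {name: needs_av_scan(raw, scan_ip_links) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"scan_ip_links={policy}")
        for name, (scan, why) in run_samples(policy).items():
            print(f"  {name:13s} -> {'SCAN' if scan else 'skip'} ({why})")
```

Under the described PRESCAN ON rule the IP-link samples are skipped; with the proposed trigger enabled they go to the scanner, while the plain www link still does not.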


Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Bill Landry
Matt, thanks for the analysis.  I would very much like to know what the
additional load is on your server by setting PRESCAN to OFF.  Please do post
your results if you test this.  I have had PRESCAN OFF for a few weeks now,
and have not noticed much of an increase on my servers, but I was not near
capacity anyway.

Bill
- Original Message - 
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 11:41 AM
Subject: Re: [Declude.Virus] PRESCAN






Re: [Declude.Virus] Whitelist

2004-11-10 Thread R. Scott Perry

 I have a filter I use for a whitelist which I give a negative weight to for
certain e-mail addresses. Is there a limit of the amount of addresses that
can be put into a whitelist?
There is a limit of 200 WHITELIST entries in the global.cfg file for 
Declude JunkMail, but the filters can have an unlimited number of lines.

   -Scott


Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Matt




Bill Landry wrote:

  Matt, thanks for the analysis.  I would very much like to know what the
additional load is on your server by setting PRESCAN to OFF.  Please do post
your results if you test this.  I have had PRESCAN OFF for a few weeks now,
and have not noticed much of an increase on my servers, but I was not near
capacity anyway.


Bill,

I've got a handy app from Passler that provides me with nice graphs
including processor utilization that I am sampling every minute (minute
averages). I just turned PRESCAN OFF a short while ago and it's
actually a bit worse than a 25% relative increase on my system. My
hourly average went directly from 33% to 46% with PRESCAN OFF, which is
a 39% increase. I've attached an image of the minute averages with a
green line marking the point when I turned PRESCAN OFF. Take note that
I run both F-Prot and McAfee on my system, so systems with only one
virus scanner won't see the same degree of a jump, though it should be
rather large. On systems with plenty of capacity, this is not a
concern and the increase would be not very noticeable despite being
relatively high, but I would like to fill this box to capacity and add
more, but not before I have to.

Matt


inline: graph.gif

Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Nick
On 10 Nov 2004 at 16:33, Matt wrote:
Matt - 

Would you elaborate on the Passler app? Where from how much?

-Nick

 




Re[2]: [Declude.Virus] PRESCAN

2004-11-10 Thread David Sullivan
Hello Matt,

Wednesday, November 10, 2004, 2:41:59 PM, you wrote:

M is McAfee though, and turning PRESCAN OFF might soon become my only
M realistic choice.  I'm going to guess that this might remove more than
M 25% of my system's capacity however, and that gets costly.

FYI - one of our boxes is dual 2.8G Xeon that does nothing but gateway
filtering. Prescan OFF took processor utilization from 45% to 65%.
VERY costly.

-- 
Best regards,
David  mailto:[EMAIL PROTECTED]



Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Bill Landry



Wow, that is quite a jump in processor utilization. I also run two
scanners (TrendMicro & F-Prot), but I might not have noticed as much of an
increase because I am running on dual-processor systems. When I get a
minute I will throw up a monitor and check to see how the PRESCAN ON/OFF
actually affects my systems.

Bill

- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 1:33 PM
Subject: Re: [Declude.Virus] PRESCAN


Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Matt




Two replies in one...

Nick, it would have helped if I spelled Paessler correctly :)
(http://www.paessler.com/ipcheck) The Professional License ($349) is
required in order to do SNMP monitoring, but the features go far beyond
that. I purchased it because it can alert me based on events, and it
can be configured to pre-qualify the events. I figured that this was a
better use of my money over my time, but for those that have a knack,
MRTG can do this type of thing and it is freeware. Paessler also sells
this as a service for those that only want a few monitors
(http://www.ipcheck-server-monitor.com). There is a fully functional
30 day trial of the downloadable software.

Bill, this is a dual 3.06GHz Xeon system that was built for speed.
From my previous tests, the only virus scanners that are faster than
McAfee are F-Prot and ClamAV in daemon mode, but I can't remember if I
tested Trend Micro (search the archives for "scanner efficiency
olympics"). Keep in mind that a jump from 15% to 21% is a 40%
increase, and so is a jump from 60% to 84%. My hourly averages have
now had a bit more time to build, and it actually looks more like a 50%
increase in utilization.

I have yet to configure my gateways to do full address validation, and
at least 25% of my traffic is coming from dictionary attacks and going
to dead addresses. My utilization decreased dramatically when I tested
validation for the majority of my customer base, but I need to get the
thing automated before I leave it that way. All of this traffic is not
being virus scanned with PRESCAN ON, but I believe that you are doing
address validation and that would lessen the impact on your system.
Some of the other things that you do with your gateway might also be
taking out a good deal of other things (zombie spam) that similarly
lack things that would trip PRESCAN. So it is likely that more of the
E-mail reaching your Declude Virus installation was being scanned prior
to turning PRESCAN off than on mine.

Matt



Nick wrote:

  On 10 Nov 2004 at 16:33, Matt wrote:

  Matt -

  Would you elaborate on the Passler app? Where from, how much?

  -Nick

  
  
Bill Landry wrote:
Matt, thanks for the analysis.  I would very much like to know
what the additional load is on your server by setting PRESCAN to
OFF.  Please do post your results if you test this.  I have had
PRESCAN OFF for a few weeks now, and have not noticed much of an
increase on my servers, but I was not near capacity anyway.

Bill,

I've got a handy app from Passler that provides me with nice graphs
including processor utilization that I am sampling every minute
(minute averages). I just turned PRESCAN OFF a short while ago and
it's actually a bit worse than a 25% relative increase on my system.
My hourly average went directly from 33% to 46% with PRESCAN OFF,
which is a 39% increase. I've attached an image of the minute averages
with a green line marking the point when I turned PRESCAN OFF. Take
note that I run both F-Prot and McAfee on my system, so systems with
only one virus scanner won't see the same degree of a jump, though it
should be rather large. On systems with plenty of capacity, this is
not a concern and the increase would be not very noticeable despite
being relatively high, but I would like to fill this box to capacity
and add more, but not before I have to.

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

  
  



  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=