[Declude.Virus] Message id with ATTACH action
Hi I'm using Imail+Declude as a anti-spam+virus smtp-relay in front of my exchange server. It seems to me that when I use the ATTACH options every message gets a message-id [EMAIL PROTECTED] I suspect that causes some strange issues at my exchange server - at least when I use message tracking. What is the cause of this, and should something be done? Regards, Kaj --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] ClamAV scan time
FYI – 1st scanner is F-Prot. 2nd is ClamAV. I am using the “runclamscan” wrapper found at http://www.smartbusiness.com/imail/declude/. Today I haven’t had any left over directories and vir*.log is clean of errors. It may have been the particular load at that time and message size as someone mentioned yesterday. John From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, November 16, 2004 10:21 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] ClamAV scan time Terry, Maybe if you could clarify. You are running ClamAV in daemon mode, am I correct? My point was that as of several months ago, the non-daemon installation was a processor hog and took a lot of time compared to F-Prot, the best performing scanner. Things might have changed since then. I also noted that when run in daemon mode, ClamAV was virtually as fast as F-Prot, and used less resources. I'm not running ClamAV because I had issues with the stability/management of their daemon at that time. I suspect that things have changed since then. Regardless, I would not be surprised to see the per-process launched ClamAV causing excessive load on a busy server. It wasn't clear if John was running one way or another. Hitting a 60 second timeout suggests that his server was being redlined for a prolonged period of time, and going to the daemon mode might provide substantial relief. If his other scanner isn't F-Prot, he should also think about switching because there is nothing as efficient as F-Prot, and it hardly uses any resources. Matt Terry Fritts wrote: ClamAV when not run in daemon mode is very slow in comparison to othervirus scanners. If your server is getting pushed to it's limits, the first sign will likely be their vir directories piling up as a result of ClamAV not finishing within the specified time configured in Declude Virus. I played around with daemon mode several months back, but there was an issue with the service not shutting down when you told it to, so I abandoned it for the time being. Maybe some others have information about how to do this properly now with newer builds. My log records the scan times. I did check when I read this and there are a few excessively long scan times. I checked about 10,000 entries. There were 360 scans that took longer than .5 sec. There were 206 that took 1 sec or longer. Also, I record the total time, the time to check to see if the service is running, and then the actual scan time. In my worst case these numbers were recorded: 13.3490,11.947,1.402. But notice that the middle number is the time to check to see if the service is running. This indicates to me that the issue is not with ClamAV but with the server load at the time of the scan. I know the server is being hammered anyway. I did check to see if there were any correlation between the file size and the long elapsed times and I really could not find any. But then again we are not handling huge numbers of messages either. My programs are available for download at: http://www.smartbusiness.com/imail/declude/ Terry Fritts ---[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus". The archives can be foundat http://www.mail-archive.com. -- =MailPure custom filters for Declude JunkMail Pro.http://www.mailpure.com/software/=
Re: [Declude.Virus] ClamAV scan time
Terry, Maybe if you could clarify. You are running ClamAV in daemon mode, am I correct? My point was that as of several months ago, the non-daemon installation was a processor hog and took a lot of time compared to F-Prot, the best performing scanner. Things might have changed since then. I also noted that when run in daemon mode, ClamAV was virtually as fast as F-Prot, and used less resources. I'm not running ClamAV because I had issues with the stability/management of their daemon at that time. I suspect that things have changed since then. Regardless, I would not be surprised to see the per-process launched ClamAV causing excessive load on a busy server. It wasn't clear if John was running one way or another. Hitting a 60 second timeout suggests that his server was being redlined for a prolonged period of time, and going to the daemon mode might provide substantial relief. If his other scanner isn't F-Prot, he should also think about switching because there is nothing as efficient as F-Prot, and it hardly uses any resources. Matt Terry Fritts wrote: ClamAV when not run in daemon mode is very slow in comparison to other virus scanners. If your server is getting pushed to it's limits, the first sign will likely be their vir directories piling up as a result of ClamAV not finishing within the specified time configured in Declude Virus. I played around with daemon mode several months back, but there was an issue with the service not shutting down when you told it to, so I abandoned it for the time being. Maybe some others have information about how to do this properly now with newer builds. My log records the scan times. I did check when I read this and there are a few excessively long scan times. I checked about 10,000 entries. There were 360 scans that took longer than .5 sec. There were 206 that took 1 sec or longer. Also, I record the total time, the time to check to see if the service is running, and then the actual scan time. In my worst case these numbers were recorded: 13.3490,11.947,1.402. But notice that the middle number is the time to check to see if the service is running. This indicates to me that the issue is not with ClamAV but with the server load at the time of the scan. I know the server is being hammered anyway. I did check to see if there were any correlation between the file size and the long elapsed times and I really could not find any. But then again we are not handling huge numbers of messages either. My programs are available for download at: http://www.smartbusiness.com/imail/declude/ Terry Fritts --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.Virus] ClamAV scan time
> ClamAV when not run in daemon mode is very slow in comparison to other > virus scanners. If your server is getting pushed to it's limits, the > first sign will likely be their vir directories piling up as a result of > ClamAV not finishing within the specified time configured in Declude Virus. > > I played around with daemon mode several months back, but there was an > issue with the service not shutting down when you told it to, so I > abandoned it for the time being. Maybe some others have information > about how to do this properly now with newer builds. My log records the scan times. I did check when I read this and there are a few excessively long scan times. I checked about 10,000 entries. There were 360 scans that took longer than .5 sec. There were 206 that took 1 sec or longer. Also, I record the total time, the time to check to see if the service is running, and then the actual scan time. In my worst case these numbers were recorded: 13.3490,11.947,1.402. But notice that the middle number is the time to check to see if the service is running. This indicates to me that the issue is not with ClamAV but with the server load at the time of the scan. I know the server is being hammered anyway. I did check to see if there were any correlation between the file size and the long elapsed times and I really could not find any. But then again we are not handling huge numbers of messages either. My programs are available for download at: http://www.smartbusiness.com/imail/declude/ Terry Fritts --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Corrupt price.exe ?
Some minutes ago I've received a message with price.exe as attachment. (John: due to ISP activity we cant simply block exe's :-) I've forwarded the file (67 Bytes) to virustotal.com and the response was: Virus Total _ Codification 7bit Unsupported or malformed attached file codification (Response to a message sent on Tue, 16 Nov 2004 11:38:48 +0100) So according to the file size it seems there is a corrupt/incomplete variant of this virus out and it's worth to block with BANNAME price.exe if it's not possible to block all exe files. Have I missed something? Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.