[Mimedefang] Cascading virus scanners

Aaron Paetznick aaronp at critd.com
Thu Sep 19 16:06:01 EDT 2002


I have David's version of the cascading scanning method in service right 
now on a test server.  I'll be watching it over the next day or two and 
gathering feedback.  Thanks for the help!

I'm not sure what you mean by you might as well continue scanning.  The 
method described below stops scanning as soon as it finds a virus. 
There is no reason to continue unless you want to 1) continue to add to 
your report text, or 2) not discard unless the virus has been confirmed 
by 2 or more scanners...


--Aaron



mark.wiater at alexus.com wrote:
> Hey David,
> 
> Thanks for a great tool... Great stuff.
> 
> We've been doing just what you suggest in your example, running one virus
> scanner then another, with one exception. 
> 
> If I'm going to be paranoid enough to virus scan the email twice I might as
> well continue with the paranoia, I want to know if one of my virus scanners
> (trend and mcafee) doesn't catch what the other did.
> 
> And yes, I have seen a few instances of one or the other indicating that a
> virus was found.
> 
> Mark
> 
> -----Original Message-----
> From: David F. Skoll [mailto:dfs at roaringpenguin.com]
> Sent: Thursday, September 19, 2002 3:24 PM
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] Cascading virus scanners
> 
> 
> On Thu, 19 Sep 2002, Aaron Paetznick wrote:
> 
> 
>>What if I wanted paranoid-level virus scanning?  Could I run several 
>>different virus scanners in series?  Would the following be the most 
>>efficient method?
> 
> 
>>sub message_contains_virus () {
>>   if (message_contains_virus_filescan()) {
>>     return message_contains_virus_filescan();
>>   } elsif (message_contains_virus_clamav()) {
>>     return message_contains_virus_clamav();
>>   } else {
>>     return (wantarray ? (0, 'ok', 'ok') : 0);
>>   }
>>}
> 
> 
> No.
> 
> You want:
> 
> sub message_contains_virus () {
> 	my($code, $cat, $act);
> 
> 	($code, $cat, $act) = message_contains_virus_filescan();
> 	return (wantarray ? ($code, $cat, $act) : $code) if ($act ne "ok");
> 
> 	($code, $cat, $act) = message_contains_virus_clamav();
> 	return (wantarray ? ($code, $cat, $act) : $code) if ($act ne "ok");
> 
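> 	# etc...

> 	# Nothing was reported by any scanner: return the clean result explicitly
> 	return (wantarray ? (0, 'ok', 'ok') : 0);
> }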
> 
> 
>>This allows me to optimize the stack and make my preferred scanner come 
>>first, but I'm effectively calling the scan twice to do this.  There has 
>>to be a better way...
>>
>>Opinions?
>>
>>
>>--Aaron
>>
>>
>>
>>_______________________________________________
>>MIMEDefang mailing list
>>MIMEDefang at lists.roaringpenguin.com
>>http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>>
> 
> 
> Roaring Penguin Software Inc. | http://www.roaringpenguin.com
> GPG fingerprint: C523 771C 3710 0F54 B2D2 4B0D C6EF 6991 34AB 95BA
> GPG public key:  http://www.roaringpenguin.com/dskoll-key-2002.txt ID:
> 34AB95BA
> 
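
The variant discussed in this thread (run every scanner once, report when one scanner misses what another caught, and optionally act only when two or more scanners agree), as an added example that is not part of the original messages or of MIMEDefang's own code. `cascade_scan`, its arguments and the stub scanner results are hypothetical; only the ($code, $category, $action) return convention is taken from the code quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run every scanner instead of stopping at the first hit, so that
# disagreements between engines can be reported.  Each scanner is a code
# ref returning ($code, $category, $action), with $action eq 'ok' when
# the message is clean (the convention used in the quoted filter code).
sub cascade_scan {
    my ($min_hits, @scanners) = @_;    # @scanners: [name, coderef] pairs
    my (@hit, @miss, @first);

    for my $s (@scanners) {
        my ($name, $scan) = @$s;
        my ($code, $cat, $act) = $scan->();    # each scanner runs exactly once
        if ($act ne 'ok') {
            push @hit, $name;
            @first = ($code, $cat, $act) unless @first;  # keep first non-ok result
        } else {
            push @miss, $name;
        }
    }

    # A disagreement exists when some scanners flagged and others did not.
    my $report = (@hit && @miss)
        ? "flagged by: @hit; missed by: @miss"
        : '';

    # Act only when at least $min_hits scanners returned a non-ok action.
    my @verdict = (@hit >= $min_hits) ? @first : (0, 'ok', 'ok');
    return (@verdict, $report);
}

# Constructed stand-ins for the real scanner calls (hypothetical results).
my @scanners = (
    [ filescan => sub { return (0, 'ok', 'ok') } ],
    [ clamav   => sub { return (1, 'virus', 'quarantine') } ],
);

# Threshold 1: any single scanner's hit decides the action.
my ($code, $cat, $act, $report) = cascade_scan(1, @scanners);
print "threshold 1: action=$act category=$cat\n";
print "disagreement: $report\n" if $report;

# Threshold 2: the same hit is reported but not acted on.
($code, $cat, $act, $report) = cascade_scan(2, @scanners);
print "threshold 2: action=$act category=$cat\n";
print "disagreement: $report\n" if $report;
```

As in the quoted code, any non-`ok` action counts as a hit, so a scanner that fails to run is treated the same as one that reports a virus.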




