[Mimedefang] Cascading virus scanners

mark.wiater at alexus.com mark.wiater at alexus.com
Thu Sep 19 16:18:06 EDT 2002


Hi Aaron,

The reason one might want to continue scanning is more a point of knowing if
the virus scanners don't agree that a virus was found. Defense in depth if
you will. 

And then too there is the case when vendor A is slow to issue pattern
updates (during an outbreak) but vendor B is quite timely. If I remember
correctly, that's how it worked for me when Melissa came on the scene. The
vendor was slow to market with the pattern files. 

Returning immediately after an OK from the first virus scanner can be
dangerous. After all, why does one virus scan the same email message twice?
Because they are either very cautious or overly paranoid.

Mark

-----Original Message-----
From: Aaron Paetznick [mailto:aaronp at critd.com]
Sent: Thursday, September 19, 2002 4:05 PM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Cascading virus scanners



I have David's version of the cascading scanning method in service right 
now on a test server.  I'll be watching it over the next day or two and 
gathering feedback.  Thanks for the help!

I'm not sure what you mean by you might as well continue scanning.  The 
method described below stops scanning as soon as it finds a virus. 
There is no reason to continue unless you want to 1) continue to add to 
your report text, or 2) not discard unless the virus has been confirmed 
by 2 or more scanners...


--Aaron



mark.wiater at alexus.com wrote:
> Hey David,
> 
> Thanks for a great tool... Great stuff.
> 
> We've been doing just what you suggest in your example, running one virus
> scanner then another, with one exception. 
> 
> If I'm going to be paranoid enough to virus scan the email twice I might as
> well continue with the paranoia, I want to know if one of my virus scanners
> (trend and mcafee) doesn't catch what the other did.
> 
> And yes, I have seen a few instances of one or the other indicating that a
> virus was found.
> 
> Mark
> 
> -----Original Message-----
> From: David F. Skoll [mailto:dfs at roaringpenguin.com]
> Sent: Thursday, September 19, 2002 3:24 PM
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] Cascading virus scanners
> 
> 
> On Thu, 19 Sep 2002, Aaron Paetznick wrote:
> 
> 
>>What if I wanted paranoid-level virus scanning?  Could I run several 
>>different virus scanners in series?  Would the following be the most 
>>efficient method?
> 
> 
>>sub message_contains_virus () {
>>   if (message_contains_virus_filescan()) {
>>     return message_contains_virus_filescan();
>>   } elsif (message_contains_virus_clamav()) {
>>     return message_contains_virus_clamav();
>>   } else {
>>     return (wantarray ? (0, 'ok', 'ok') : 0);
>>   }
>>}
> 
> 
> No.
> 
> You want:
> 
> sub message_contains_virus () {
> 	my($code, $cat, $act);
> 
> 	# Call each scanner once; return its result as soon as one reports a problem.
> 	($code, $cat, $act) = message_contains_virus_filescan();
> 	return (wantarray ? ($code, $cat, $act) : $code) if ($act ne "ok");
> 
> 	($code, $cat, $act) = message_contains_virus_clamav();
> 	return (wantarray ? ($code, $cat, $act) : $code) if ($act ne "ok");
> 
> 	# etc...
> 
> 	# No scanner reported a problem.
> 	return (wantarray ? (0, 'ok', 'ok') : 0);
> }
> 
> 
>>This allows me to optimize the stack and make my preferred scanner come 
>>first, but I'm effectively calling the scan twice to do this.  There has 
>>to be a better way...
>>
>>Opinions?
>>
>>
>>--Aaron
>>
>>
>>
>>_______________________________________________
>>MIMEDefang mailing list
>>MIMEDefang at lists.roaringpenguin.com
>>http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>>
> 
> 
> Roaring Penguin Software Inc. | http://www.roaringpenguin.com
> GPG fingerprint: C523 771C 3710 0F54 B2D2 4B0D C6EF 6991 34AB 95BA
> GPG public key:  http://www.roaringpenguin.com/dskoll-key-2002.txt ID: 34AB95BA
> 


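The two approaches discussed in this thread (return on the first hit versus run every scanner and compare) can be combined, as in this added example, which is not code from any poster or from MIMEDefang itself. The helper name `scan_all_and_compare`, the stub scanners and their sample return values are assumptions; the `($code, $category, $action)` triple and the `'ok'` action follow the code quoted above.

```perl
use strict;
use warnings;

# Constructed stand-ins for real scanner wrappers such as
# message_contains_virus_filescan(). Each returns the thread's
# ($code, $category, $action) triple; $action 'ok' means nothing found.
sub scanner_a { return (0, 'ok',    'ok') }           # sample: misses
sub scanner_b { return (1, 'virus', 'quarantine') }   # sample: detects

# Hypothetical helper: run every scanner in preference order with no
# early return, and report whether the scanners disagreed.
sub scan_all_and_compare {
    my @scanners = @_;              # list of [ name, coderef ]
    my (@first_hit, @flagged, @clean);

    for my $s (@scanners) {
        my ($name, $scan) = @$s;
        my ($code, $cat, $act) = $scan->();   # each scanner called once
        if ($act ne 'ok') {
            push @flagged, $name;
            @first_hit = ($code, $cat, $act) unless @first_hit;
        } else {
            push @clean, $name;
        }
    }

    # Disagreement: at least one scanner flagged the message and at
    # least one passed it. This is the case worth logging.
    if (@flagged && @clean) {
        warn "scanner disagreement: flagged by (@flagged), passed by (@clean)\n";
    }

    my @result = @first_hit ? @first_hit : (0, 'ok', 'ok');
    return wantarray ? @result : $result[0];
}

my ($code, $cat, $act) = scan_all_and_compare(
    [ scanner_a => \&scanner_a ],
    [ scanner_b => \&scanner_b ],
);
print "code=$code category=$cat action=$act\n";
```

The result returned is still the first non-ok verdict in preference order, so the filter's handling of the message does not change; only the disagreement log line is extra.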


