[Mimedefang] Cascading virus scanners
Aaron Paetznick
aaronp at critd.com
Thu Sep 19 16:34:01 EDT 2002
But that's the whole point of cascading the scanners. If I'm reading
the code correctly, the method below continues to scan until it 1) finds
a virus, or 2) exhausts its list of available scanners. David?
This brings up another topic: which are the two or three most symbiotic
Open Source virus scanners available that MIMEDefang supports? I chose
File::Scan and clam because they are very actively/proactively
maintained, and they use separate rulesets. You wouldn't want to use
OpenAntivirus and clam this way because they use similar if not
identical rulesets. Opinions?
--Aaron
mark.wiater at alexus.com wrote:
> Hi Aaron,
>
> The reason one might want to continue scanning is more a point of knowing if
> the virus scanners don't agree that a virus was found. Defense in depth if
> you will.
>
> And then too there is the case when vendor A is slow to issue pattern
> updates (during an outbreak) but vendor B is quite timely. If I remember
> correctly, that's how it worked for me when Melissa came on the scene. The
> vendor was slow to market with the pattern files.
>
> Returning immediately after an OK from the first virus scanner can be
> dangerous. After all, why does one virus scan the same email message twice?
> Because they are either very cautious or overly paranoid.
>
> Mark
>
> -----Original Message-----
> From: Aaron Paetznick [mailto:aaronp at critd.com]
> Sent: Thursday, September 19, 2002 4:05 PM
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] Cascading virus scanners
>
>
>
> I have David's version of the cascading scanning method in service right
> now on a test server. I'll be watching it over the next day or two and
> gathering feedback. Thanks for the help!
>
> I'm not sure what you mean by you might as well continue scanning. The
> method described below stops scanning as soon as it finds a virus.
> There is no reason to continue unless you want to 1) continue to add to
> your report text, or 2) not discard unless the virus has been confirmed
> by 2 or more scanners...
>
>
> --Aaron
>
>
>
> mark.wiater at alexus.com wrote:
>
>>Hey David,
>>
>>Thanks for a great tool... Great stuff.
>>
>>We've been doing just what you suggest in your example, running one virus
>>scanner then another, with one exception.
>>
>>If I'm going to be paranoid enough to virus scan the email twice I might as
>>well continue with the paranoia, I want to know if one of my virus scanners
>>(trend and mcafee) doesn't catch what the other did.
>>
>>And yes, I have seen a few instances of one or the other indicating that a
>>virus was found.
>>
>>Mark
>>
>>-----Original Message-----
>>From: David F. Skoll [mailto:dfs at roaringpenguin.com]
>>Sent: Thursday, September 19, 2002 3:24 PM
>>To: mimedefang at lists.roaringpenguin.com
>>Subject: Re: [Mimedefang] Cascading virus scanners
>>
>>
>>On Thu, 19 Sep 2002, Aaron Paetznick wrote:
>>
>>
>>
>>>What if I wanted paranoid-level virus scanning? Could I run several
>>>different virus scanners in series? Would the following be the most
>>>efficient method?
>>
>>
>>>sub message_contains_virus () {
>>>    if (message_contains_virus_filescan()) {
>>>        return message_contains_virus_filescan();
>>>    } elsif (message_contains_virus_clamav()) {
>>>        return message_contains_virus_clamav();
>>>    } else {
>>>        return (wantarray ? (0, 'ok', 'ok') : 0);
>>>    }
>>>}
>>
>>
>>No.
>>
>>You want:
>>
>>sub message_contains_virus () {
>>    my($code, $cat, $act);
>>
>>    ($code, $cat, $act) = message_contains_virus_filescan();
>>    return (wantarray ? ($code, $cat, $act) : $code) if ($act ne "ok");
>>
>>    ($code, $cat, $act) = message_contains_virus_clamav();
>>    return (wantarray ? ($code, $cat, $act) : $code) if ($act ne "ok");
>>
>>    # etc...
>>}
>>
>>
>>
>>>This allows me to optimize the stack and make my preferred scanner come
>>>first, but I'm effectively calling the scan twice to do this. There has
>>>to be a better way...
>>>
>>>Opinions?
>>>
>>>
>>>--Aaron
>>>
>>>
>>>
>>>_______________________________________________
>>>MIMEDefang mailing list
>>>MIMEDefang at lists.roaringpenguin.com
>>>http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>>>
>>
>>
>>Roaring Penguin Software Inc. | http://www.roaringpenguin.com
>>GPG fingerprint: C523 771C 3710 0F54 B2D2 4B0D C6EF 6991 34AB 95BA
>>GPG public key: http://www.roaringpenguin.com/dskoll-key-2002.txt ID:
>>34AB95BA
>>
>
>
>
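The cascade David sketches in this thread, generalised to an ordered list of scanners and placed beside the "keep scanning so disagreements are visible" variant Mark describes. This is an added example, not code from the thread or from MIMEDefang itself: the scan_filescan/scan_clamav subs and their verdict table are constructed stand-ins for the real message_contains_virus_filescan / message_contains_virus_clamav wrappers, and the ($code, $category, $action) triple with "ok" meaning clean is taken from the convention the thread's snippets use. Each scanner is called exactly once, which was the problem with the original if/elsif version.

```perl
#!/usr/bin/perl
# Added example, not part of the thread or of MIMEDefang itself.
# Generic scanner cascade using the ($code, $category, $action) return
# convention the thread's message_contains_virus_* snippets use ('ok' = clean).
use strict;
use warnings;

# Constructed verdict table standing in for real scanner calls (File::Scan,
# clamd). Message names and verdicts are made up for the demonstration.
my %verdict = (
    'clean.msg' => { filescan => [0, 'ok',    'ok'],
                     clamav   => [0, 'ok',    'ok'] },
    'known.msg' => { filescan => [1, 'virus', 'quarantine'],
                     clamav   => [1, 'virus', 'quarantine'] },
    # One vendor has not shipped a signature yet (Mark's Melissa point).
    'fresh.msg' => { filescan => [0, 'ok',    'ok'],
                     clamav   => [1, 'virus', 'quarantine'] },
);

# Stand-ins for message_contains_virus_filescan / _clamav; each is called once.
sub scan_filescan { my ($msg) = @_; return @{ $verdict{$msg}{filescan} } }
sub scan_clamav   { my ($msg) = @_; return @{ $verdict{$msg}{clamav} } }

# Ordered stack: the preferred scanner goes first.
my @scanners = (
    [ filescan => \&scan_filescan ],
    [ clamav   => \&scan_clamav   ],
);

# David's cascade generalised: each scanner is called exactly once and the
# first non-"ok" verdict is returned; all-clean falls through to (0,'ok','ok').
sub cascade_first_hit {
    my ($msg) = @_;
    for my $s (@scanners) {
        my ($name, $fn) = @$s;
        my ($code, $cat, $act) = $fn->($msg);
        return wantarray ? ($code, $cat, $act) : $code if $act ne 'ok';
    }
    return wantarray ? (0, 'ok', 'ok') : 0;
}

# Mark's variant: run every scanner regardless so a disagreement (one says
# virus, another says ok) is visible and can be logged. Returns the first
# non-"ok" verdict, a disagreement flag, and which scanners hit or missed.
sub cascade_all {
    my ($msg) = @_;
    my ($code, $cat, $act) = (0, 'ok', 'ok');
    my (@hit, @miss);
    for my $s (@scanners) {
        my ($name, $fn) = @$s;
        my ($c, $ca, $a) = $fn->($msg);
        if ($a ne 'ok') {
            push @hit, $name;
            ($code, $cat, $act) = ($c, $ca, $a) if $act eq 'ok';  # keep first hit
        } else {
            push @miss, $name;
        }
    }
    my $disagree = (@hit && @miss) ? 1 : 0;
    return ($code, $cat, $act, $disagree, \@hit, \@miss);
}

# Demonstration over the constructed messages.
for my $msg (sort keys %verdict) {
    my $quick = cascade_first_hit($msg);                 # scalar context: $code only
    my ($code, $cat, $act, $disagree, $hit, $miss) = cascade_all($msg);
    printf "%-10s first-hit code=%d  all-scanners action=%-10s", $msg, $quick, $act;
    if ($disagree) {
        printf "  DISAGREE: caught by %s, missed by %s\n",
            join(',', @$hit), join(',', @$miss);
    } else {
        print "\n";
    }
}
```

In the first-hit form the order of @scanners is what Aaron wanted to optimise: a clean message costs one full pass per scanner, an infected one stops at the first hit. The all-scanners form always pays for every pass, which is the trade-off Mark accepts; its extra value is the disagreement flag, which is worth logging on its own so that a scanner whose signatures are lagging shows up in the logs rather than silently being covered by the other.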