[Mimedefang] Cascading virus scanners

Aaron Paetznick aaronp at critd.com
Thu Sep 19 16:34:01 EDT 2002


But that's the whole point of cascading the scanners.  If I'm reading 
the code correctly, the method below continues to scan until it 1) finds 
a virus, or 2) exhausts its list of available scanners.  David?

This brings up another topic: which are the two or three most symbiotic 
Open Source virus scanners available that MIMEDefang supports?  I chose 
File::Scan and clam because they are very actively/proactively 
maintained, and they use separate rulesets.  You wouldn't want to use 
OpenAntivirus and clam this way because they use similar if not 
identical rulesets.  Opinions?


--Aaron



mark.wiater at alexus.com wrote:
> Hi Aaron,
> 
> The reason one might want to continue scanning is more a point of knowing if
> the virus scanners don't agree that a virus was found. Defense in depth if
> you will. 
> 
> And then too there is the case when vendor A is slow to issue pattern
> updates (during an outbreak) but vendor B is quite timely. If I remember
> correctly, that's how it worked for me when Melissa came on the scene. The
> vendor was slow to market with the pattern files. 
> 
> Returning immediately after an OK from the first virus scanner can be
> dangerous. After all, why does one virus scan the same email message twice?
> Because they are either very cautious or overly paranoid.
> 
> Mark
> 
> -----Original Message-----
> From: Aaron Paetznick [mailto:aaronp at critd.com]
> Sent: Thursday, September 19, 2002 4:05 PM
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] Cascading virus scanners
> 
> 
> 
> I have David's version of the cascading scanning method in service right 
> now on a test server.  I'll be watching it over the next day or two and 
> gathering feedback.  Thanks for the help!
> 
> I'm not sure what you mean by you might as well continue scanning.  The 
> method described below stops scanning as soon as it finds a virus. 
> There is no reason to continue unless you want to 1) continue to add to 
> your report text, or 2) not discard unless the virus has been confirmed 
> by 2 or more scanners...
> 
> 
> --Aaron
> 
> 
> 
> mark.wiater at alexus.com wrote:
> 
>>Hey David,
>>
>>Thanks for a great tool... Great stuff.
>>
>>We've been doing just what you suggest in your example, running one virus
>>scanner then another, with one exception. 
>>
>>If I'm going to be paranoid enough to virus scan the email twice I might as
>>well continue with the paranoia, I want to know if one of my virus scanners
>>(trend and mcafee) doesn't catch what the other did.
>>
>>And yes, I have seen a few instances of one or the other indicating that a
>>virus was found.
>>
>>Mark
>>
>>-----Original Message-----
>>From: David F. Skoll [mailto:dfs at roaringpenguin.com]
>>Sent: Thursday, September 19, 2002 3:24 PM
>>To: mimedefang at lists.roaringpenguin.com
>>Subject: Re: [Mimedefang] Cascading virus scanners
>>
>>
>>On Thu, 19 Sep 2002, Aaron Paetznick wrote:
>>
>>
>>
>>>What if I wanted paranoid-level virus scanning?  Could I run several 
>>>different virus scanners in series?  Would the following be the most 
>>>efficient method?
>>
>>
>>>sub message_contains_virus () {
>>>  if (message_contains_virus_filescan()) {
>>>    return message_contains_virus_filescan();
>>>  } elsif (message_contains_virus_clamav()) {
>>>    return message_contains_virus_clamav();
>>>  } else {
>>>    return (wantarray ? (0, 'ok', 'ok') : 0);
>>>  }
>>>}
>>
>>
>>No.
>>
>>You want:
>>
>>sub message_contains_virus () {
>>	my($code, $cat, $act);
>>
>>	($code, $cat, $act) = message_contains_virus_filescan();
>>	return (wantarray ? ($code, $cat, $act) : $code) if ($act ne "ok");
>>
>>	($code, $cat, $act) = message_contains_virus_clamav();
>>	return (wantarray ? ($code, $cat, $act) : $code) if ($act ne "ok");
>>
>>	# etc...
>>
>>	# Every scanner said "ok": report the message as clean.
>>	return (wantarray ? (0, 'ok', 'ok') : 0);
>>}
>>
>>
>>
>>>This allows me to optimize the stack and make my preferred scanner come 
>>>first, but I'm effectively calling the scan twice to do this.  There has 
>>>to be a better way...
>>>
>>>Opinions?
>>>
>>>
>>>--Aaron
>>>
>>>
>>>
>>>_______________________________________________
>>>MIMEDefang mailing list
>>>MIMEDefang at lists.roaringpenguin.com
>>>http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>>>
>>
>>
>>Roaring Penguin Software Inc. | http://www.roaringpenguin.com
>>GPG fingerprint: C523 771C 3710 0F54 B2D2 4B0D C6EF 6991 34AB 95BA
>>GPG public key:  http://www.roaringpenguin.com/dskoll-key-2002.txt ID:
>>34AB95BA
>>
>>_______________________________________________
>>MIMEDefang mailing list
>>MIMEDefang at lists.roaringpenguin.com
>>http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
> 
> 
> 
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
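Pulling the thread's variants together, here is an added example (not code from the list, from David, or from MIMEDefang itself) of a cascade written as an ordered list of scanner callbacks, so each scanner runs exactly once per message rather than being called twice as in the first snippet. It assumes the ($code, $category, $action) return convention that David's snippet relies on, with $action eq "ok" meaning clean; the scanner results are constructed stand-ins (fake_scanner) in place of message_contains_virus_filescan() and message_contains_virus_clamav(). A mode switch covers both positions argued above: stop at the first hit, or run every scanner so disagreement between them is recorded for the report text, with an optional minimum-agreement count before the message is acted on.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in results, one per scanner, in the
# ($code, $category, $action) shape assumed from David's snippet.
# A real filter would call message_contains_virus_filescan() etc. instead.
my %FAKE_RESULTS = (
    filescan => [0, 'ok',    'ok'],          # File::Scan: clean
    clamav   => [1, 'virus', 'quarantine'],  # clam: virus found
);

sub fake_scanner {
    my ($name) = @_;
    my ($code, $cat, $act) = @{ $FAKE_RESULTS{$name} };
    return wantarray ? ($code, $cat, $act) : $code;
}

# Ordered cascade: the preferred scanner goes first. Each entry is a code
# ref, so a scanner is invoked exactly once per message (no double call).
my @SCANNERS = (
    [ filescan => sub { fake_scanner('filescan') } ],
    [ clamav   => sub { fake_scanner('clamav')   } ],
);

# mode => 'first'  stops at the first scanner whose action is not "ok".
# mode => 'all'    runs every scanner so that disagreement is recorded.
# min_agree => N   acts only when at least N scanners flagged the message;
#                  otherwise the message is reported clean, but the hits
#                  stay in the returned list for the report text.
sub cascade_scan {
    my (%opt) = @_;
    my $mode      = $opt{mode}      || 'first';
    my $min_agree = $opt{min_agree} || 1;

    my @hits;
    my ($code, $cat, $act) = (0, 'ok', 'ok');
    for my $entry (@SCANNERS) {
        my ($name, $scan) = @$entry;
        my ($c, $ct, $a) = $scan->();       # list context: one call
        next if $a eq 'ok';
        push @hits, "$name: $ct ($a)";
        # keep the first hit's result; later hits only add to the report
        ($code, $cat, $act) = ($c, $ct, $a) if $act eq 'ok';
        last if $mode eq 'first';
    }
    ($code, $cat, $act) = (0, 'ok', 'ok') if @hits < $min_agree;
    return { code => $code, category => $cat, action => $act, hits => \@hits };
}

# Drop-in shape for a filter's message_contains_virus(): honours the
# scalar/list context callers expect, like the per-scanner originals.
sub message_contains_virus {
    my $r = cascade_scan(mode => 'all', min_agree => 1);
    return wantarray ? ($r->{code}, $r->{category}, $r->{action}) : $r->{code};
}

unless (caller) {
    # With the constructed results only clam flags the message, so
    # min_agree=1 quarantines while min_agree=2 reports it clean but
    # still lists the disagreement.
    for my $min (1, 2) {
        my $r = cascade_scan(mode => 'all', min_agree => $min);
        printf "min_agree=%d: action=%s hits=[%s]\n",
            $min, $r->{action}, join('; ', @{ $r->{hits} });
    }
}
```

The hits list is what you would append to the notification text; the min_agree knob is the "discard only when confirmed by 2 or more scanners" option, which only makes sense when the scanners use different rulesets, as noted for File::Scan and clam above.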