Commercial virus checker failed ...

Michael H. Warfield mhw at WITTSEND.COM
Tue Jan 8 20:29:08 GMT 2002


On Tue, Jan 08, 2002 at 05:54:44PM +0000, Nick Phillips wrote:
> On Tue, Jan 08, 2002 at 07:32:16PM +0200, Nikolay Kabaivanov wrote:

> > ______________________________________________________________________
> > Jan  8 19:00:54 octus mailscanner[16926]: Going to scan 1 messages
> > Jan  8 19:00:55 octus mailscanner[18781]: Commercial virus checker
> > failed with real error: Can't run commercial checker: No such file or
> > directory at /usr/local/MailScanner/bin/sweep.pl line 302.
> > Jan  8 19:00:55 octus mailscanner[16926]: Scanned 1 messages, 13572
> > bytes in 1 seconds
> > Jan  8 19:00:55 octus mailscanner[16926]: About to deliver 1 messages
> > ___________________________________________________________________________
>
> It's not working. Have you set the right path to the f-prot wrapper in the
> mailscanner.conf??
>
> > I do not run commercial checker. I use f-prot.
>
> That is a commercial checker for our purposes, even though they don't charge for
> it at the moment.
>
> > I'd like to ask a question: Is there a way to use 2 or 3 virus checkers
> > to check 1 message?

> Not at the moment; there's not really any very good reason to do so, so far as
> I'm aware.

        Actually there are several that I'm aware of and it's a feature which
is a high priority to me.

        #1 Reason...  There are many occasions when one virus scanner or
another picks up a virus/worm and not the others.  No one product leads
the field in this and I've heard recommendations to run at least three
virus checkers in commercial development environments where deliverable
product is prepared.

        #2 Reason...  Sometimes one vendor is a little quicker than
others to update signatures, either due to updating schedule or ongoing
research work - leading to reason #1.

        #3 Reason...  Nameology.  Sometimes virus checkers vary in their
terminology.  Correlating detection with field reports can be simplified.
Some may argue that this isn't a "good reason" while others may consider
it vital.  Depends on what you are doing with the information.

        #4 Reason...  Even when several virus checkers can spot a virus,
not all of them may be able to sanitize the material the same way or
may behave differently.

        All of the above boil down to reliability and reaction speed.
Depending on one virus vendor is not a safe bet.  While even combinations
of vendors can not be relied on totally (last virus go-round I worked on
we were fighting an infestation of the goner_a worm for 5 hours before
the FIRST vendor had their signatures updated and some were over a day)
having multiple vendors is more reliable than picking one and praying.
Next time, the guys (who I will not name) who came in first may be dead
last.  Especially at a critical throttle point like a central email server.

        Using multiple virus scanners is a lot like using multiple spam
identifiers.  SpamAssassin is the epitome of this.  You are more effective
using multiple sources of information.

> Cheers,

> Nick
>
> --
> Nick Phillips -- nwp at lemon-computing.com
> You never know how many friends you have until you rent a house on the beach.

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
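
The multi-scanner approach argued for in this message, combined with the "No such file or directory" failure from the quoted log, as an added example (not MailScanner code and not from either poster). The scanner names, the exit-code convention and the "hold" policy are assumptions; the stand-in scanners are constructed so the script runs offline.

```python
import subprocess
import sys

def run_scanner(argv, path, infected_codes=(1,), timeout=30):
    """Run one scanner on `path`; return 'clean', 'infected' or 'error'.

    Assumed convention: exit 0 = clean, a code in `infected_codes` = virus found.
    Real products differ, so set this per scanner from the vendor documentation.
    """
    try:
        proc = subprocess.run(argv + [path], capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        # OSError covers "No such file or directory" (a wrong wrapper path).
        return "error"
    if proc.returncode == 0:
        return "clean"
    return "infected" if proc.returncode in infected_codes else "error"

def scan_with_all(scanners, path):
    """Combine scanners: any detection wins; a failed scanner never counts as clean."""
    results = {name: run_scanner(argv, path) for name, argv in scanners.items()}
    outcomes = set(results.values())
    if "infected" in outcomes:
        verdict = "infected"
    elif outcomes == {"clean"}:
        verdict = "clean"
    else:
        verdict = "hold"   # a scanner failed (or none configured): do not deliver
    return verdict, results

def fake_scanner(exit_code):
    """Constructed stand-in for a scanner wrapper: exits with `exit_code`."""
    return [sys.executable, "-c", f"import sys; sys.exit({exit_code})"]

if __name__ == "__main__":
    scanners = {
        "scanner_a": fake_scanner(0),                   # misses the sample
        "scanner_b": fake_scanner(1),                   # detects it
        "scanner_c": ["/nonexistent/scanner-wrapper"],  # misconfigured path
    }
    print(scan_with_all(scanners, "message.eml"))
```

Keeping the per-scanner results alongside the combined verdict preserves each vendor's own finding, which is what makes the cross-vendor correlation in reason #3 possible.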


