multiple virus scanners, what happens?

Julian Field mailscanner at ecs.soton.ac.uk
Thu Aug 14 21:32:23 IST 2003


At 21:24 14/08/2003, you wrote:
>Julian,
>
>I added ClamAV 0.60 onto my mail server today (Solaris 9, Sophos
>3.72, MS 4.22-5) as a second anti-virus after sophossavi.  I've noticed
>in the syslog that when MS hits a virus, both anti-virus guys check
>the message and complain to syslog.  While this is good, it seems
>like a waste of CPU cycles to have both give a thumbs down.  Why not
>"OR" instead of "AND" for the list of virus scanners?  Or make this
>user configurable?  Personally, I'm interested in the cases where
>Clam catches something that Sophos missed.

That's unfortunately very difficult to do. Because mail messages are
scanned in batches, it would involve parsing the output of the 1st scanner
then deleting all the files that were found to be infected in the first
scan, so that they didn't get checked again by the second scan. But then
how would you quarantine the files if you had already deleted them? The
only way would be to move them to somewhere else that was outside the
scanning tree for the second virus scanner and then quarantine from there.

Which all makes it rather a pain to do.
Scanning one or two files from each batch doesn't add much to the total
batch scanning time, and has to be weighed against all the complexity and
work involved in moving some of the files to another directory. I'm not
convinced it will make any significant difference.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
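
The workflow described in the reply above, sketched as an added example (not MailScanner code and not part of the original message): parse the first scanner's results, move the flagged files to a holding area outside the batch tree, run the second scanner on what is left, then quarantine from the holding area. The scanner stand-ins, marker strings, directory names and function names are all constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins for two scanners: each flags files containing its markers.
MARKERS = {"first": [b"SAMPLE-A"], "second": [b"SAMPLE-A", b"SAMPLE-B"]}

def scan_tree(scanner, tree):
    """Scan every file under tree; return (infected relative paths, files examined)."""
    files = sorted(p for p in tree.rglob("*") if p.is_file())
    hits = {p.relative_to(tree) for p in files
            if any(m in p.read_bytes() for m in MARKERS[scanner])}
    return hits, len(files)

def set_aside(tree, holding, infected):
    """Move flagged files out of the scanning tree, keeping the message/file layout."""
    for rel in infected:
        (holding / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(tree / rel), str(holding / rel))

def process_batch(batch):
    """Run the skip-already-infected workflow on a batch given as {relpath: bytes}."""
    with tempfile.TemporaryDirectory() as root:
        tree, holding, quarantine = [Path(root) / n for n in ("batch", "holding", "quarantine")]
        for d in (tree, holding, quarantine):
            d.mkdir()
        for rel, data in batch.items():
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_bytes(data)
        first_hits, first_count = scan_tree("first", tree)
        set_aside(tree, holding, first_hits)   # now outside the second scanner's tree
        second_hits, second_count = scan_tree("second", tree)
        set_aside(tree, holding, second_hits)
        # Quarantine from the holding area: the originals have left the batch tree.
        quarantined = []
        for path in sorted(p for p in holding.rglob("*") if p.is_file()):
            rel = path.relative_to(holding)
            shutil.move(str(path), str(quarantine / "_".join(rel.parts)))
            quarantined.append(rel.as_posix())
        return {"first_scanned": first_count, "second_scanned": second_count,
                "second_only": sorted(r.as_posix() for r in second_hits),
                "quarantined": quarantined}

# Constructed sample batch: three messages with one attachment each.
BATCH = {"msg1/a.exe": b"xx SAMPLE-A xx", "msg2/b.doc": b"xx SAMPLE-B xx",
         "msg3/c.txt": b"clean text"}

if __name__ == "__main__":
    print(process_batch(BATCH))
```

On this sample the second scanner examines two files instead of three, and the `second_only` list holds the detections the first scanner missed.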
