Eicar.zip not detected + performance stats

Peter Bonivart peter at UCGBOOK.COM
Tue May 27 18:57:13 IST 2003


I tested a complete setup today and had problems with viruses. I caught
two real viruses and detected the eicar.com file even though I don't
really know if it was caught by the filtering of com-files or as an
actual virus. When I tested with eicar.com in a zip-file it just slipped
through undetected. Zips are allowed but shouldn't it have been scanned
and detected as the Eicar file? Should I be worried? I use an up to date
ClamAV. It detects the "virus" if I scan the eicar.zip manually.

As I said I tested a setup today and have some stats if someone is
interested. The site is low volume but anyway.

I routed (only) the incoming mail from the outer MTA to the mailscanner
and then on into the Exchange system. Outgoing mail went from Exchange
to the outer MTA directly so only like 65% of the actual external load
was handled. Is there any point in scanning outgoing mail? The
mailscanner box is a Sun Fire V100 with 550 MHz CPU, 512 MB RAM and
soft-mirrored 40 GB IDE drives.


Test 1, MS filtering, running 2h40m
- 15m load average about 0.18, mail queues "always" empty
- 1.890 mails, 183.642 KB
- 1 file caught

Test 2, MS filtering + SA (RBL + DCC), running 2h5m
- 15m load average about 0.4, mail queues "always" empty
- 1.485 mails, 175.997 KB
- 2 files caught
- 1 IFrame caught
- 118 spam caught

Test 3, MS filtering + SA (RBL + DCC) + ClamAV, running 2h30m
- 15m load average about 0.55, mail queues "always" empty
- 1.513 mails, 174.601 KB
- 4 files caught
- 1 IFrame caught
- 134 spam caught
- 3 viruses caught

I used 5 and 10 as thresholds for spam and caught a couple of
mail-lists, the few non-spam mails usually got between 5-6 points. I
don't see a problem whitelisting those. The accuracy seems very good,
DCC and Spamhaus added a lot to the scores. High score was 41. By the
way PGP mail was tagged as spam too, is that normal?

When I checked with vmstat I noticed a lot of variation on the CPU Idle,
it constantly varied between 60-90 and sometimes between 0-100. I
suspect the IDE drives add some system time since the outer MTA is a
similar box (Sun Fire V120) but with SCSI drives. It fed the mailscanner
and had a load average of about 0.04 and CPU Idle like 90-100. Maybe I
could better the Idle time with SCSI drives, what do you think?
MailScanner must be disk intensive with the double queuing.

/Peter Bonivart

--Unix lovers do it in the Sun
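
Added example, not part of the original post and not MailScanner or ClamAV code: a self-contained Python sketch that builds the two test mails described above (eicar.com attached bare, and inside eicar.zip) and shows why a check that only looks at raw attachment bytes misses the zipped copy unless the archive is unpacked first. The function names, addresses and the byte-match "scanner" are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Standard 68-byte EICAR test string (harmless; published for scanner testing).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_test_message(zipped: bool) -> bytes:
    """Constructed sample: a mail carrying eicar.com bare or inside eicar.zip."""
    msg = EmailMessage()
    msg["From"] = "tester@example.org"        # placeholder addresses
    msg["To"] = "postmaster@example.org"
    msg["Subject"] = "EICAR gateway test"
    msg.set_content("Scanner test message.")
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("eicar.com", EICAR)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="eicar.zip")
    else:
        msg.add_attachment(EICAR, maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()

def find_eicar(raw: bytes, unpack_archives: bool) -> list[str]:
    """Hypothetical stand-in for a scanner: list attachments containing EICAR."""
    hits = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue                          # body text and multipart containers
        data = part.get_payload(decode=True) or b""
        if EICAR in data:                     # match on the attachment as sent
            hits.append(name)
        if unpack_archives and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():  # match inside each archive member
                    if EICAR in zf.read(member):
                        hits.append(f"{name}/{member}")
    return hits

if __name__ == "__main__":
    for zipped in (False, True):
        raw = build_test_message(zipped)
        print(zipped, find_eicar(raw, False), find_eicar(raw, True))
```

Feeding the two messages from build_test_message() through the gateway separately shows whether a hit comes from the filename rule on .com files or from the virus scanner looking inside the archive.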


