Eicar.zip not detected + performance stats

Julian Field mailscanner at ecs.soton.ac.uk
Tue May 27 19:08:39 IST 2003 

At 18:57 27/05/2003, you wrote:
>I tested a complete setup today and had problems with viruses. I caught
>two real viruses and detected the eicar.com file even though I don't
>really know if it was caught by the filtering of com-files or as a an
>actual virus. When I tested with eicar.com in a zip-file it just slipped
>through undetected. Zip's are allowed but shouldn't it have been scanned
>and detected as the Eicar file? Should I be worried? I use an up to date
>ClamAV. It detects the "virus" if I scan the eicar.zip manually.

It certainly should pick this up. Try running the clamav-wrapper script on
a directory containing eicar.zip. Did you install it in the default
location? If not, you will have to update the paths in clamav-wrapper and
clamav-autoupdate.


>As I said I tested a setup today and have some stats if someone is
>interested. The site is low volume but anyway.
>
>I routed (only) the incoming mail from the outer MTA to the mailscanner
>and then on into the Exchange system. Outgoing mail went from Exchange
>to the outer MTA directly so only like 65% of the actual external load
>was handled. Is there any point in scanning outgoing mail? The
>mailscanner box is a Sun Fire V100 with 550 MHz CPU, 512 MB RAM and
>soft-mirrored 40 GB IDE drives.
>
>
>Test 1, MS filtering, running 2h40m
>- 15m load average about 0.18, mail queues "always" empty
>- 1.890 mails, 183.642 KB
>- 1 file caught
>
>Test 2, MS filtering + SA (RBL + DCC), running 2h5m
>- 15m load average about 0.4, mail queues "always" empty
>- 1.485 mails, 175.997 KB
>- 2 files caught
>- 1 IFrame caught
>- 118 spam caught
>
>Test 3, MS filtering + SA (RBL + DCC) + ClamAV, running 2h30m
>- 15m load average about 0.55, mail queues "always" empty
>- 1.513 mails, 174.601 KB
>- 4 files caught
>- 1 IFrame caught
>- 134 spam caught
>- 3 viruses caught
>
>I used 5 and 10 as thresholds for spam and caught a couple of
>mail-lists, the few non-spam mails usually got between 5-6 points. I
>don't see a problem whitelisting those. The accuracy seems very good,
>DCC and Spamhaus added a lot to the scores. High score was 41. By the
>way PGP mail was tagged as spam too, is that normal?
>
>When I checked with vmstat I noticed a lot of variation on the CPU Idle,
>it constantly varied between 60-90 and sometimes between 0-100. I
>suspect the IDE drives add some system time since the outer MTA is a
>similar box (Sun Fire V120) but with SCSI drives. It fed the mailscanner
>and had a load average of about 0.04 and CPU Idle like 90-100. Maybe I
>could better the Idle time with SCSI drives, what do you think?
>MailScanner must be disk intensive with the double queuing.
>
>/Peter Bonivart
>
>--Unix lovers do it in the Sun

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

More information about the MailScanner mailing list