Performance Suggestion with MS A/V scanning for Julian

Randal, Phil prandal at herefordshire.gov.uk
Thu Feb 22 18:05:15 CET 2007


There are other clever strategies which can be used as well.

For example, Microsoft's Antigen can be configured to use its scan
engines in an order determined by their past performance - so that the
engine which gets the most hits gets tried first.

I think the basic options are:

1:  manual ordering (user configured)
2:  heuristic ordering (determined over time based on hit rates)

and

Scan Viruses with all engines = Yes/No

Now, in our case, we use ClamAV with additional phishing sigs and
McAfee, and we'd want to be aware of malware which is detected by ClamAV
and not McAfee so we can submit samples to Avert Labs.  So we'd need to
use both scanners.

Be aware that the performance gain isn't going to be high unless a
significant proportion of your processed emails contain "viruses",
because you still have to scan all the uninfected emails with all virus
scan engines.

If only 1% of your incoming emails contain viruses, then scanning with
multiple engines isn't going to cause much of a slowdown.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of TCIS List Acct
> Sent: 22 February 2007 16:23
> To: MailScanner discussion
> Subject: Performance Suggestion with MS A/V scanning for Julian
> 
> Hi Julian,
> 
> Here is a thought --
> 
> When using multiple A/V scanners from within MS, would it be
> possible to:
> 
> 1. Specify the order in which the A/V scanners are tried (this may
> already be the behavior based on order in the config, not sure).
> The rationale for this is that some scanners are faster than others
> (e.g. f-prot is faster than clamav).
> 
> and, if
> 
> 2. The first A/V scanner finds a virus, to not try any subsequent
> A/V scanners.  The reason for this is, 99.9% of today's viruses are
> removed rather than cleaned, so if the attached infected file is
> getting removed anyway, what point is there to wasting resources in
> passing the infected file to subsequent A/V scanners?
> 
> -- 
> 
> -----------------------------------------
> Mike Bacher / listacct at tulsaconnect.com
> TCIS - TulsaConnect Internet Services
> http://www.tulsaconnect.com
> -----------------------------------------
> 
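
The trade-off discussed in this thread, as an added example that is not part of the original posts and is not MailScanner or Antigen code: it compares scanning with all engines against stopping at the first hit, under configured order and under hit-count order. The engine names, cost units and the 100-message sample (6 infected) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Engine:
    name: str
    cost: int              # cost units per message scanned (constructed)
    detects: frozenset     # ids of sample messages this engine flags
    hits: int = 0          # running hit count used for heuristic ordering

def sample_engines():
    # Constructed sample: a cheap engine and a costlier one with
    # partly different coverage (hypothetical names).
    return [Engine("engine_a", 1, frozenset({50, 70})),
            Engine("engine_b", 3, frozenset({10, 20, 30, 50, 90}))]

def run(messages, engines, scan_all, heuristic=False):
    """Scan every message; return (total cost, messages only some engines flagged)."""
    total, disagreements = 0, []
    for msg in messages:
        # Option 2: engine with the most past hits first (ties keep the
        # configured order); option 1: configured order as given.
        order = sorted(engines, key=lambda e: -e.hits) if heuristic else engines
        flagged = []
        for eng in order:
            total += eng.cost
            if msg in eng.detects:
                eng.hits += 1
                flagged.append(eng.name)
                if not scan_all:
                    break      # "Scan Viruses with all engines = No"
        # Only a full scan can show which engine missed a sample.
        if scan_all and 0 < len(flagged) < len(engines):
            disagreements.append((msg, flagged))
    return total, disagreements

if __name__ == "__main__":
    msgs = range(100)          # constructed message ids, 6 of them infected
    print("all engines  :", run(msgs, sample_engines(), scan_all=True))
    print("stop, manual :", run(msgs, sample_engines(), scan_all=False))
    print("stop, by hits:", run(msgs, sample_engines(), scan_all=False, heuristic=True))
```

In this sample the stop-at-first-hit runs cost within 1.5% of the full scan, because every clean message still passes through both engines, and only the full scan yields the list of samples that one engine missed.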

