Performance Suggestion with MS A/V scanning for Julian

Scott Silva ssilva at sgvwater.com
Thu Feb 22 18:13:59 CET 2007


TCIS List Acct spake the following on 2/22/2007 8:22 AM:
> Hi Julian,
> 
> Here is a thought --
> 
> When using multiple A/V scanners from within MS, would it be possible to:
> 
> 1. Specify the order in which the A/V scanners are tried (this may
> already be the behavior based on order in the config, not sure).  The
> rationale for this is that some scanners are faster than others (e.g.
> f-prot is faster than clamav).
> 
> and, if
> 
> 2. The first A/V scanner finds a virus, to not try any subsequent A/V
> scanners.  The reason for this is, 99.9% of today's viruses are removed
> rather than cleaned, so if the attached infected file is getting removed
> anyway, what point is there to wasting resources in passing the infected
> file to subsequent A/V scanners?
> 
The files aren't passed to virus scanners serially. The batch of messages is
unpacked/opened/decoded into the temporary work directory and all the virus
scanners are called at the same time on the whole batch. Then MailScanner
interprets the output from the virus scanners to do its logging. It does this
over whatever comes in, up to your maximum batch size. So a system could be
scanning 30 or more messages in a batch.

If MailScanner were to do as you ask, it would take much longer to scan. Some
of us use 3 or 4 virus scanners, and the batch time would be very long,
especially on the 0-day stuff that only one virus scanner catches. What if the
one scanner that catches the message was the last one called?


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!


