Re: Virus scanner *solely* for e-mail?
From: N. Miller (nsm_at_blackhole.aosake.net)
Date: 03/13/04
- Next message: eddie: "Re: A new one."
- Previous message: N. Miller: "Re: A new one."
- In reply to: Fridrik Skulason: "Re: Virus scanner *solely* for e-mail?"
Date: Fri, 12 Mar 2004 16:50:00 -0800
In article <fcd2fc13.0403120110.2f260c7c@posting.google.com>,
frisk@complex.is says...
> N. Miller <nsm@blackhole.aosake.net> wrote in message news:<MPG.1ab9a61ae53470fe989dbf@msnews.microsoft.com>...
> > the F-Prot for DOS on demand scanner called by Mercury Mail as a task,
> I am a bit surprised to hear that anyone is using our DOS version for
> that purpose. It should probably work in most cases though, but it is
> probably a bit slow - may be OK for a private end-user, though.
Just a couple of hobby domains, two users.
> Note that the DOS version has certain limitations - for example it has
> problems with long file (and directory) names under NT and XP. This is
> not a flaw in the DOS version as such - any other DOS application has
> the same limitations. (And of course the F-PROT Windows version and
> the Windows command-line version do not have those limitations)
Running on Windows ME.
> Anyhow, just be aware of any potential problems, if you use the
> program for something it was never intended to handle.
It seems to do the job, but my Norton subscription is due to run out in a
month. I will see if there is something out there which is better suited to
working with a mail server that doesn't cost an arm and a leg.
Just for showing how 'busy' the server is:
Mercury/32 v4.01a statistical report, Wed Mar 10 15:50:31 2004
--------------------------------------------------------------
Mercury Core Process:
Total messages processed 86 (0)
I believe that would include incoming SMTP, the POP3 fetches, and outgoing
SMTP combined.
I wouldn't be trying it with a real load. I was using F-Prot for DOS as a
weekly verification of what the resident on access scanner was doing. When
the other user started receiving Klez infected email, I found links online
which described how to call F-Prot for DOS as a Mercury Mail AV Policy. It
is supposedly better to have a proper SMTP scanning engine, but I don't know
if any are available at an affordable price (under $99 per year, for me).
But it works the way it is, for now. The last infected message received
caused this report:
> Received: from spooler by aosake.net (Mercury/32 v4.01a); 12 Mar 2004 06:45:05 -0800
> X-Envelope-To: ...@aosake.net
> From: p...@aosake.net
> To: ...@aosake.net
> Subject: Policy Exception Advice
> Date: Fri, 12 Mar 2004 06:44:54 -0800
> MIME-Version: 1.0
> Content-type: Multipart/Mixed; Boundary="550F28CE.20849.20849"
>
> This is a message in MIME format with multiple parts.
> If you are reading this, then your mail program does not
> understand the MIME format.
>
> --550F28CE.20849.20849
> Content-description: Mail message body
> Content-type: text/plain; charset=US-ASCII
> Content-disposition: Inline
>
> Notice of policy exception from aosake.net:
> ---------------------------------------------------------------------
>
> A mail message with the following details has caused a mail server policy
> exception and has been stored for your inspection.
>
> Message sender:
> Name of policy entry: F-Prot Antivirus
> File containing message text: F:\Quarantine\05552897
>
> The policy's task generated the following diagnostic information explaining
> why this message caused an exception:
>
> ------------ Start of result file -------------------
>
> Virus scanning report - 12 March 2004 @ 6:44
>
> F-PROT ANTIVIRUS
> Program version: 3.14b
> Engine version: 3.14.7
>
> VIRUS SIGNATURE FILES
> SIGN.DEF created 11 March 2004
> SIGN2.DEF created 11 March 2004
> MACRO.DEF created 8 March 2004
>
> Search: E:\SCRATCH\755A263A.TMP
> Action: Report only
> Files: "Dumb" scan of all files
> Switches: /ARCHIVE /PACKED /REPORT=Result /NOBOOT /NOMEM /WRAP
> Memory was not scanned.
> Hard disk boot sectors were not scanned.
>
> E:\SCRATCH\755A263A.TMP->usb_d2.exe is a security risk named W32/Inor.D
>
> Results of virus scanning:
>
> Files: 1
> MBRs: 0
> Boot sectors: 0
> Objects scanned: 2
> Infected: 0
> Suspicious: 1
> Disinfected: 0
> Deleted: 0
> Renamed: 0
>
> Time: 0:00
> *SUSPICIOUS* file found, no known infection
>
> ------------ End of result file ---------------------
>
> A copy of this diagnostic information has also been saved in the file
> F:\Quarantine\05552897.DIA.
>
> Depending on the policy module that raised the exception, you may need to
> exercise caution when inspecting the message's data.
>
>
> --550F28CE.20849.20849--
>
Normally I wouldn't even see that much because Mercury Mail is usually set
to just delete the message causing the exception. I was just curious about
what I was trapping. I will probably set it back to delete after the
weekend.
-- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint
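
Added example, not part of the original post and not Mercury's or F-PROT's own code: a small parser for the result-file format quoted above, showing why a mail policy wrapper should act on the "Suspicious" counter and the finding lines as well as "Infected" (the quoted report has Infected: 0 but Suspicious: 1). The function names, the three verdict strings and the fail-closed rule for an empty report are assumptions made for illustration.

```python
import re

# Constructed sample: key lines of the result file quoted in the post,
# with the "> " reply markers removed.
SAMPLE_REPORT = r"""
Search: E:\SCRATCH\755A263A.TMP
Action: Report only

E:\SCRATCH\755A263A.TMP->usb_d2.exe is a security risk named W32/Inor.D

Results of virus scanning:

Files: 1
Objects scanned: 2
Infected: 0
Suspicious: 1
Disinfected: 0

*SUSPICIOUS* file found, no known infection
"""

COUNTER = re.compile(r"^(Files|Objects scanned|Infected|Suspicious|"
                     r"Disinfected|Deleted|Renamed):\s*(\d+)$")
# Only the finding phrasing that appears in the quoted report is handled.
FINDING = re.compile(r"^(.+?)(?:->(\S+))? is a security risk named (\S+)$")

def parse_report(text):
    """Return (counters, findings) parsed from an F-PROT text report."""
    counters, findings = {}, []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # accept a quoted copy as well
        m = COUNTER.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        m = FINDING.match(line)
        if m:
            findings.append(m.groups())  # (scanned file, member, name)
    return counters, findings

def verdict(text):
    """Map a report to 'quarantine', 'pass' or 'error' (fail closed)."""
    counters, findings = parse_report(text)
    if "Infected" not in counters or "Suspicious" not in counters:
        return "error"  # empty or truncated report is never "clean"
    if counters["Infected"] or counters["Suspicious"] or findings:
        return "quarantine"
    return "pass"
```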