[AMaViS-user] Another secondary virus scanner
Rocco Scappatura
due to high load of my Postfix+Amavisd-new+MySQL boxes, I have had to
disable the primary virus scanner (UVSCAN). I found that UVSCAN is very
CPU expensive so I had no other choice other then disable it. So
Amavisd-new at the moment is using only CLAMAV. If it crash or stops
working for some reason, my mail gateway doesn't deliver email at all.
Since I find CLAMAV an effective virus scanner, I would like a similar
tool (demonized, open source, active project) that I can use as
secondary virus scanner for my Postfix+Amavisd-new+MySQL platform.
TIA,
rocsca
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
AMaViS-user mailing list
AMaVi...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
Henrik K
> Hello,
>
> due to high load of my Postfix+Amavisd-new+MySQL boxes, I have had to
> disable the primary virus scanner (UVSCAN). I found that UVSCAN is very
> CPU expensive so I had no other choice other then disable it.
It is not daemonized, so no big surprise there.
> So Amavisd-new at the moment is using only CLAMAV. If it crash or stops
> working for some reason, my mail gateway doesn't deliver email at all.
Practically never happened here. If your mail queue goes bazookas for a few
minutes of downtime, then you have bigger problems.
> Since I find CLAMAV an effective virus scanner, I would like a similar
> tool (demonized, open source, active project) that I can use as secondary
> virus scanner for my Postfix+Amavisd-new+MySQL platform.
Wouldn't it be nice if there was a ClamAV competitor. But as we all know,
there is no such thing. You need to buy a better scanner like Sophos, F-Prot
etc..
Rocco Scappatura
to
> > disable the primary virus scanner (UVSCAN). I found that UVSCAN is
> very
>
> place uvscan as a backup scanner?
>
> > CPU expensive so I had no other choice other then disable it. So
How do I have to configure amavisd-new?
> Do you have the v5.30 engine? It is significantly faster than the
> v5.20
> or v5.10 engines. See related thread:
>
# uvscan --version
Virus Scan for Linux v4.40.0
:-((((
> http://groups.google.com/group/mailing.unix.amavis-
>
user/browse_thread/thread/290df7dc7b1fcb39/1cf69cf9691e083f?lnk=gst&q=u
> vscan+MrC#1cf69cf9691e083f
Thanks,
MrC
>>> due to high load of my Postfix+Amavisd-new+MySQL boxes, I have had
> to
>>> disable the primary virus scanner (UVSCAN). I found that UVSCAN is
>> very
>>
>> I have found that ClamAV detects as much or more than uvscan. Can you
>> place uvscan as a backup scanner?
>>
>>> CPU expensive so I had no other choice other then disable it. So
>
> How do I have to configure amavisd-new?
Comment out the primary scanner entry for uvscan in
@av_scanners = (
...
}
and add it to
@av_scanners_backup = (
...
}
You may ultimately not need to do this, if the updated scanner engine is
fast enough for your environment. See below.
>
>> Do you have the v5.30 engine? It is significantly faster than the
>> v5.20
>> or v5.10 engines. See related thread:
>>
>
> # uvscan --version
> Virus Scan for Linux v4.40.0
>
> :-((((
Frown indeed - that's ancient, and I believe EOL'd. See the trial
version of 5.30 McAfee VirusScan Command Line Scanner for Linux
here:
https://secure.nai.com/apps/downloads/free_evaluations/default.asp?region=us&segment=small
Rocco Scappatura
> version of 5.30 McAfee VirusScan Command Line Scanner for Linux
>
> here:
>
>
https://secure.nai.com/apps/downloads/free_evaluations/default.asp?regi
> on=us&segment=small
I will try and I'll let you know..
Many thanks,
Rocco Scappatura
https://secure.nai.com/apps/downloads/free_evaluations/default.asp?regi
> > on=us&segment=small
>
> I will try and I'll let you know..
>
The CPU has grown again.. I fear that I have to disable it!
Mark Martinec
> The CPU has grown again.. I fear that I have to disable it!
Just move it from @av_scanners to the @av_scanners_backup list
and keep clamd as a primary virus scanner.
Mark
Mark Martinec
> due to high load of my Postfix+Amavisd-new+MySQL boxes, I have had to
> disable the primary virus scanner (UVSCAN). I found that UVSCAN is very
> CPU expensive so I had no other choice other then disable it. So
> Amavisd-new at the moment is using only CLAMAV. If it crash or stops
> working for some reason, my mail gateway doesn't deliver email at all.
> Since I find CLAMAV an effective virus scanner, I would like a similar
> tool (demonized, open source, active project) that I can use as
> secondary virus scanner for my Postfix+Amavisd-new+MySQL platform.
Use your uvscan as a backup scanner. It won't be called unless
clamd fails, which is just what you need.
Mark
MrC
> Hello,
>
> due to high load of my Postfix+Amavisd-new+MySQL boxes, I have had to
> disable the primary virus scanner (UVSCAN). I found that UVSCAN is very
I have found that ClamAV detects as much or more than uvscan. Can you
place uvscan as a backup scanner?
> CPU expensive so I had no other choice other then disable it. So
Do you have the v5.30 engine? It is significantly faster than the v5.20
or v5.10 engines. See related thread:
> Amavisd-new at the moment is using only CLAMAV. If it crash or stops
> working for some reason, my mail gateway doesn't deliver email at all.
> Since I find CLAMAV an effective virus scanner, I would like a similar
> tool (demonized, open source, active project) that I can use as
> secondary virus scanner for my Postfix+Amavisd-new+MySQL platform.
> rocsca
Rocco Scappatura
https://secure.nai.com/apps/downloads/free_evaluations/default.asp?regi
> > > on=us&segment=small
> >
> > I will try and I'll let you know..
> >
>
> The CPU has grown again.. I fear that I have to disable it!
>
Or maybe is there a way to set 'uvscan' as secondary mail scanner and to
scan email only if the primary mail scanner fails?
Rocco Scappatura
>
> Just move it from @av_scanners to the @av_scanners_backup list
> and keep clamd as a primary virus scanner.
>
I never have read the conf file completely... :-( Sorry..
Now I have:
@av_scanners = (
### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
['ClamAV-clamscan', 'clamscan',
"--stdout --no-summary -r --tempdir=$TEMPBASE {}",
[0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
@av_scanners_backup = (
### http://www.nai.com/
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot - {}', [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/,
# sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
# sub {delete $ENV{LD_PRELOAD}},
],
);
But from docs it seems to me that in this manner every message is
scanned two time anyway.. Is this true? Could I set up Amavisd-new so
that I skip the secondary av scanner if the first detect that the
message is infected?
rocsca
Dave McGuire
>> due to high load of my Postfix+Amavisd-new+MySQL boxes, I have had to
>> disable the primary virus scanner (UVSCAN). I found that UVSCAN is
>> very
>> CPU expensive so I had no other choice other then disable it. So
>> Amavisd-new at the moment is using only CLAMAV. If it crash or stops
>> working for some reason, my mail gateway doesn't deliver email at
>> all.
>> Since I find CLAMAV an effective virus scanner, I would like a
>> similar
>> tool (demonized, open source, active project) that I can use as
>> secondary virus scanner for my Postfix+Amavisd-new+MySQL platform.
>
> Use your uvscan as a backup scanner. It won't be called unless
> clamd fails, which is just what you need.
Is this just a matter of moving the uvscan block from @av_scanners
to @av_scanners_backup in amavisd.conf?
-Dave
--
Dave McGuire
Port Charlotte, FL
Mark Martinec
> > Use your uvscan as a backup scanner. It won't be called unless
> > clamd fails, which is just what you need.
>
> Is this just a matter of moving the uvscan block from @av_scanners
> to @av_scanners_backup in amavisd.conf?
Yes.
Mark
Mark Martinec
> > Just move it from @av_scanners to the @av_scanners_backup list
> > and keep clamd as a primary virus scanner.
>
> I never have read the conf file completely... :-( Sorry..
> Now I have:
> @av_scanners = ( ...
> @av_scanners_backup = ( ...
> But from docs it seems to me that in this manner every message is
> scanned two time anyway.. Is this true?
No.
> Could I set up Amavisd-new so that I skip the secondary av scanner
> if the first detect that the message is infected?
Secondary scanners are skipped is at least one primary provides
a definitive answer (clean or infected, not a failure).
amavisd.conf-sample:
# If no virus scanners from the @av_scanners list produce 'clean' nor
# 'infected' status (i.e. they all fail to run or the list is empty),
# then _all_ scanners from the @av_scanners_backup list are tried
# (subject to $first_infected_stops_scan). When there are both
# daemonized and equivalent or similar command-line scanners available,
# it is customary to place slower command-line scanners in the
# @av_scanners_backup list. The default choice is somewhat arbitrary,
# move entries from one list to another as desired, keeping main scanners
# in the primary list to avoid warnings.
Mark
Rocco Scappatura
Thanks Mark.
Now is all clear.
rocsca