
Thread: Exclude Eicar Virus from Maia




Exclude Eicar Virus from Maia
user name
2006-08-24 21:59:35

Greetings,

Running Maia 1.0.0 on SuSE 10.0

Is there a way to keep Maia from recording Eicar virus hits? Our system monitoring tool sends out various tests that include virus checks.

It's more of a nuisance as the Eicar tests skew our virus detection scores.

Thanks

**********************************************************
Michael Weremecki
Department of Information Technology
Data Conversion Laboratory, Inc.
61-18 190th St. 2nd Floor
Fresh Meadows, NY 11365
(718) 357-8700 x217
fax: (718) 357-8776
mailto:mweremecki@dclab.com
http://www.dclab.com
***********************************************************
Sign up for DCL's monthly newsletter at http://www.dclab.com/request_subscription.asp
and check out our new XML resources pages at http://xml.dclab.com/xml.asp

Exclude Eicar Virus from Maia
user name
2006-08-24 22:26:32
Michael Weremecki wrote:

> Is there a way to keep Maia from recording Eicar virus hits?  Our system
> monitoring tool sends out various tests that include virus checks.
> 
> It's more of a nuisance as the Eicar tests skew our virus detection scores.

That's something you need to take up with your antivirus software.  Maia doesn't know what a virus or worm or test-file is, it just records whatever your antivirus software says is a virus/worm/Trojan/etc.  Your antivirus software may have a config setting that lets you determine what kinds of items get flagged and what kinds get quietly overlooked.

That said, the purpose of the EICAR test file is to test antivirus software, so if people are sending you copies of the EICAR test file you should be wondering what they're up to.  It's a diagnostic tool, so there's no reason I can think of to be sending it in large enough quantities to be statistically significant.  Generally once you're assured that your antivirus software is working, you stop sending yourself EICAR tests, and that's the end of it.

-- 
Robert LeBlanc <rjl@renaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>


_______________________________________________
Maia-users mailing list
Maia-users@renaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
Exclude Eicar Virus from Maia
user name
2006-08-25 12:43:44
Robert,

We have a system monitoring tool that routinely tests all the services we have running on our LAN (www.nagios.org).  This includes testing our mail server's virus checker via Eicar tests.  It does this a few times a day, so obviously over time this skews our results.

So for our purposes we don't want to turn off the detection in our av software.  I pretty much anticipated what your response would be, but figured it was worth a shot to ask.

Thanks for your help.

Exclude Eicar Virus from Maia
user name
2006-08-25 21:27:25
Michael Weremecki wrote:

> We have a system monitoring tool that routinely tests all the services
> we have running on our LAN (www.nagios.org).  This includes testing our
> mail server's virus checker via Eicar tests.  It does this a few times a
> day, so obviously over time this skews our results.
> 
> So for our purposes we don't want to turn off the detection in our av
> software.

In this case you're using the EICAR test for something it was not designed to do.  Its purpose is to verify that you've got your antivirus software properly configured, and that it's able to do a very basic lookup in its database (file read/permissions test), get its endian logic right for your architecture, and other post-compile validity tests.  It's not meant to be used continuously as some sort of running/not-running test.

Indeed, if you're mainly concerned about determining whether your antivirus software is running, querying the daemon itself is probably more useful, since you can also verify version numbers for the engine and the database while you're at it, and determine whether the signature database is up to date.  The EICAR test won't tell you anything of that sort, since it doesn't change/evolve over time--it's the same today as it was when you first installed the antivirus software.  If a signature file update fails, most antivirus software will continue running with the previous version of the signature database, so your EICAR test will still pass.  Any serious functionality problems, for that matter, are more likely to be described in error logs and/or the absence of the daemon in the list of running processes.

> I pretty much anticipated what your response would be, but
> figured it was worth a shot to ask.

Well, it's something we can open a feature request ticket for, but since it has relatively little utility for most people it would probably remain a low-priority item unless others begin clamoring for it as well.

More to the point, though, how exactly would you handle an EICAR test file with this EICAR test exclusion?  Certainly you wouldn't want it to count as a virus for statistical purposes, but what should happen to the mail itself?  Should it still be quarantined?  Should it be quietly discarded?  Should it be passed through for delivery like ordinary mail?

For that matter, are there any other malware items that anyone here can imagine deserving special treatment?  If it's just the EICAR test, a hard-coded exception could be made, but if there's any more general utility to this sort of exclusion it may merit a more general mechanism (e.g. a "malware whitelist").

-- 
Robert LeBlanc <rjl@renaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

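A Nagios-style check along the lines Robert describes above, querying the daemon for its engine and signature-database versions instead of mailing an EICAR file through the filter (so nothing lands in Maia's virus statistics); this is an added example, not code from the thread, Maia or Nagios. It assumes a ClamAV-style daemon answering the VERSION command on 127.0.0.1:3310, and the age thresholds and SAMPLE_REPLY are constructed values.

```python
import re
import socket
from datetime import datetime, timedelta

# Standard Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Assumed reply format of a clamd-style daemon to its VERSION command:
#   "ClamAV <engine version>/<signature db version>/<db build date>"
VERSION_RE = re.compile(r"^ClamAV (?P<engine>\S+)/(?P<dbver>\d+)/(?P<dbdate>.+)$")
DB_DATE_FMT = "%a %b %d %H:%M:%S %Y"
SAMPLE_REPLY = "ClamAV 0.88.4/1780/Fri Aug 25 12:43:44 2006"  # constructed sample

def parse_date(text):
    """Parse a database build date in the daemon's format."""
    return datetime.strptime(text.strip(), DB_DATE_FMT)

def query_daemon(host="127.0.0.1", port=3310, timeout=5.0):
    """Send VERSION to the daemon (host/port are assumed defaults); return its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"zVERSION\0")  # NUL-terminated command framing
        return sock.recv(1024).rstrip(b"\0\n").decode("ascii", "replace")

def evaluate(reply, now, warn_days=2, crit_days=7):
    """Map a VERSION reply to (exit_code, status_line), judging signature age."""
    # A daemon left running on a stale database after a failed update still
    # passes an EICAR round trip; comparing the db build date catches that.
    match = VERSION_RE.match(reply.strip())
    if not match:
        return UNKNOWN, f"UNKNOWN - unparsable VERSION reply: {reply!r}"
    try:
        age = now - parse_date(match["dbdate"])
    except ValueError:
        return UNKNOWN, f"UNKNOWN - bad database date: {match['dbdate']!r}"
    info = f"engine {match['engine']}, db {match['dbver']}, {age.days}d old"
    if age > timedelta(days=crit_days):
        return CRITICAL, f"CRITICAL - signatures stale: {info}"
    if age > timedelta(days=warn_days):
        return WARNING, f"WARNING - signatures aging: {info}"
    return OK, f"OK - {info}"

if __name__ == "__main__":
    try:
        code, line = evaluate(query_daemon(), datetime.now())
    except OSError as exc:  # daemon down or socket unreachable
        code, line = CRITICAL, f"CRITICAL - daemon unreachable: {exc}"
    print(line)
    raise SystemExit(code)
```

Run it as a Nagios command: the exit code drives the service state and the printed line becomes the status text, and a refused connection is reported as CRITICAL rather than masked by a cached result.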