[Avcheck] Re: drweb (was: Removing of long options?)

Michael Tokarev mjt@tls.msk.ru
Thu, 02 Aug 2001 16:09:03 +0400


Geir Thomassen wrote:
> 
[]
> I did play with drweb
> 
> * The heuristic analyzer kicks on "php-ldap-4.0.4pl1-9.i386.rpm"
> from the Redhat 7.1 distro, flagging it as a possible virus (I
> guess that is the downside to a heuristic scanner)

Yes, it is.  Some time ago there was an option like "heuristic
analysis level" in the win/dos-based drweb, and I don't know what
happened to this option (now it may only be turned on or off).
I'll ask techsupp about this.  BTW, there are some interesting
issues to play with around here: drweb can scan files based on format
(skipping files that can't contain viruses at all), so it is possible
to skip rpm files (by format) and not scan them.  But now, when
some linux worms have shown their existence, I think it is not a good
idea to skip rpms...  Again, I need to discuss this with the drweb people.
Actually I have never seen any useful help from heuristics so far, but
my "experience" with it is somewhat limited (our office virus policy
disallows "random" viruses from coming in).

> * I have seen it crash (hang) a few times, but I can't reproduce
> it reliably. It seems to happen after scanning many files
> (eg. /home), and then hitting a large archive (eg. linux-2.2.19.tar.gz)

This is interesting and definitely should be fixed (looks like a
memory leak or something like this).  Did you try to contact the
"drwebers"?  BTW, for daemon mode it isn't an issue, as the daemon forks
for every file it scans and then the child exits.

> * Parts of the documentation is only in russian !

Yes.  Folks at drweb are working on this (I contacted them yesterday).
I expect that it will be sellable (together with proper docs/packaging)
soon.  BTW, they have a very small reseller base (unlike that of e.g.
avp aka kaspersky), and a somewhat preliminary english-language site,
and they are working on this too.

> I am very pleased with the scanner, and I believe that we should
> integrate it into avscan asap.

I'm working on this right now.  I personally like drweb.

> I have not tried the drwebd dæmon, nor the postfix interface to the
> scanner.

The Postfix interface is currently unusable.  Again, yesterday I sent them
tons of tips/tricks/error_reports/etc about this interface, showing
how to do things correctly (the usual problem: people with good antivirus
experience have little knowledge about unix/security/etc, but this is
really curable, especially with external help).  I expect it will be
very useful in the next version (it is in preparation now).

> Have fun,
>    Geir

Regards,
 Michael.
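The thread makes a point worth seeing in code: a scanner that hangs or leaks on one large archive only stalls the whole run if every file is scanned inside one long-lived process, whereas a fork-per-file design confines the damage to that file. The wrapper below is an added example for this list post, not drweb code, not avscan code, and not the drwebd daemon's own logic. It assumes a hypothetical command-line scanner that takes one path as its last argument and exits 0 for clean and 1 for infected (that exit-code convention is an assumption, not drweb's documented behaviour). The FAKE_SCANNER used by demo() is a constructed stand-in that sleeps on .tar.gz files to imitate the hang Geir reported, and flags any path containing "eicar".

```python
"""Per-file scanner isolation with a timeout (added example, not drweb code)."""
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field


@dataclass
class ScanReport:
    clean: list = field(default_factory=list)
    infected: list = field(default_factory=list)
    hung: list = field(default_factory=list)   # scanner exceeded the timeout and was killed
    errors: list = field(default_factory=list)  # scanner could not run or returned an unknown code


def scan_file(scanner_cmd, path, timeout):
    """Run one scanner process on one file; return 'clean', 'infected', 'hung' or 'errors'.

    Assumed exit-code convention (hypothetical, not drweb's): 0 = clean, 1 = infected.
    subprocess.run() kills the child when the timeout expires, so a hang on one archive
    cannot stall the rest of the tree walk.
    """
    try:
        proc = subprocess.run(
            list(scanner_cmd) + [path],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "hung"
    except OSError:
        return "errors"
    if proc.returncode == 0:
        return "clean"
    if proc.returncode == 1:
        return "infected"
    return "errors"


def scan_tree(root, scanner_cmd, timeout=30.0):
    """Walk `root` and scan each regular file in its own short-lived scanner process."""
    report = ScanReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # do not follow symlinks out of the tree being scanned
            getattr(report, scan_file(scanner_cmd, path, timeout)).append(path)
    return report


def summarize(report):
    """Basenames per category, so results do not depend on the temp directory path."""
    return {
        cat: [os.path.basename(p) for p in getattr(report, cat)]
        for cat in ("clean", "infected", "hung", "errors")
    }


# Constructed stand-in for a real scanner: hangs on .tar.gz, flags paths containing "eicar".
FAKE_SCANNER = [
    sys.executable, "-c",
    "import sys, time; p = sys.argv[1]; "
    "time.sleep(60) if p.endswith('.tar.gz') else None; "
    "sys.exit(1 if 'eicar' in p else 0)",
]


def demo(timeout=1.0):
    """Build a constructed tree of three files and scan it with the fake scanner."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("clean.txt", "eicar.com", "linux-2.2.19.tar.gz"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample content\n")
        return summarize(scan_tree(root, FAKE_SCANNER, timeout=timeout))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:9s} {names}")
```

In the demo the archive lands in `hung` after one second while the other two files are still reported correctly; with a single long-lived scanner process the same hang would have stopped the walk at that point. In production the timeout should be sized for the largest archive you expect the scanner to unpack, and hung files should be re-examined rather than silently treated as clean.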