Choose 3 command line scanners?

Discussion in 'other anti-virus software' started by hutchingsp, Aug 24, 2008.

Thread Status:
Not open for further replies.
  1. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Firstly let me be very clear - I don't want this to turn into an "X is better than Y" and "No, Z kicks Y's butt" thread because it'll get closed quickly.

    I want to add some additional scanners to a MailScanner (www.mailscanner.info) install. They don't need to be daemonised or anything specific to a mail server; just the regular Linux command line scanner is required.

    I'm already running clamd, and I suspect an additional 3 engines is the absolute maximum I could add before scanning starts to consume a few too many resources.

    As it's not realtime I don't care about anything other than these criteria:

    Scan Speed
    Detection Rate
    Reaction Speed, i.e. time to release updates, for example for the recent UPS/Fedex trojans
    Price to Performance Ratio, i.e. if you were to consider engine Y 5% better than engine Z but engine Y cost 10x the price, I'd choose Z.

    These are the options:

    antivir
    avast
    avastd
    avg
    bitdefender
    clamav
    clamd
    clamavmodule
    command
    css
    drweb
    esets
    etrust
    f-prot
    f-prot-6
    f-secure
    inoculan
    inoculate
    kaspersky
    mcafee
    nod32
    norman
    panda
    rav
    sophos
    sophossavi
    symscanengine
    trend
    vba32
    vexira

    Suggestions and reasons appreciated. As I said, I don't want to get into X vs. Y or anything against the forum AUP; I would just like to know which you would choose, in which order, and any specific reasons.
     
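    The criteria above (scan speed and detection rate) can be measured rather than guessed. Below is an added example, not code from this thread, from MailScanner or from any vendor: a small POSIX shell harness that runs a command-line scanner over a directory of sample files, counts how many it flags, and reports wall-clock time. MailScanner itself selects engines by name in its `Virus Scanners` setting from the list above; this harness is for deciding which names to put there. It assumes the scanner exits non-zero when it flags a file (clamscan does, with exit status 1), and it ships with a hypothetical `stub_scanner` and a constructed three-file corpus so it can be dry-run with no engine installed.

    ```shell
    #!/bin/sh
    # Added example for this thread, not MailScanner's own code and not any
    # vendor's tool: measure scan speed and detection rate for a command-line
    # scanner over a directory of sample files.
    #
    # Assumption: the scanner returns a non-zero exit status when it flags a
    # file (clamscan, for instance, exits 1 on a detection). Check each engine's
    # documented exit codes before trusting the "flagged" count.

    # scan_file SCANNER FILE -> prints "flagged" or "clean" from the exit status
    scan_file() {
        _scanner=$1
        _file=$2
        if $_scanner "$_file" >/dev/null 2>&1; then
            echo clean
        else
            echo flagged
        fi
    }

    # bench_dir SCANNER DIR -> prints "flagged=N total=M seconds=S"
    # Wall-clock time is whole seconds from date(1): coarse but portable.
    bench_dir() {
        _scanner=$1
        _dir=$2
        _total=0
        _flagged=0
        _start=$(date +%s)
        for _f in "$_dir"/*; do
            [ -f "$_f" ] || continue
            _total=$((_total + 1))
            if [ "$(scan_file "$_scanner" "$_f")" = flagged ]; then
                _flagged=$((_flagged + 1))
            fi
        done
        _end=$(date +%s)
        echo "flagged=$_flagged total=$_total seconds=$((_end - _start))"
    }

    # Hypothetical stand-in scanner for a dry run with no engine installed:
    # it "detects" a constructed marker string and exits 1 like a real scanner.
    stub_scanner() {
        grep -q 'CONSTRUCTED-SAMPLE-MARKER' "$1" && return 1
        return 0
    }

    # demo -> builds a constructed three-file corpus (one marked), benchmarks
    # the stub, prints the summary line, and cleans up. For a real engine,
    # replace the stub, e.g.:  bench_dir "clamscan --no-summary" /path/to/samples
    demo() {
        _tmp=$(mktemp -d) || return 1
        printf 'plain text mail body\n' > "$_tmp/clean1.txt"
        printf 'another benign attachment\n' > "$_tmp/clean2.txt"
        printf 'CONSTRUCTED-SAMPLE-MARKER\n' > "$_tmp/sample.bin"
        bench_dir stub_scanner "$_tmp"
        rm -rf "$_tmp"
    }

    demo
    ```

    Run the same corpus through each candidate engine and compare the summary lines; the "flagged" count against a known set of samples gives the detection rate, the seconds figure the relative speed. Because the scanner argument is expanded unquoted, a command plus its flags can be passed as one string.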
  2. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    If you spent 5 minutes searching this forum you would answer your own question. I have no doubt this thread will turn into a vs. b. :doubt:
     
  3. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    I've specifically asked for that not to happen; if people choose to turn it into that, doubtless it will be locked, so I'm hoping that won't happen.

    I always find the "search the forum" answer odd tbh, as there are simply so many variables to each situation that it's not that simple. For example, I've not found much here regarding Linux scanners; the emphasis seems to be on realtime protection and almost predominantly for Windows. The same product for Linux could be a total dog, and common sense says I can't test 30 products myself.

    Maybe I'm naive but I see a forum as a place to exchange opinions and seek advice - not to be a bitch fest over "My AV is better than yours".
     
  4. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Well, I would definitely add F-Secure since it uses the Kaspersky engine as well as F-Secure's in-house engines.
     
  5. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    The way to manage this is to focus on specific technical issues. In this case, what are your primary technical objectives and constraints?

    Are there other traits that are important?

    Do you have some technical data to back this suspicion up?

    With respect to paid vs. free - when you get down to it, the paid options sit in a rather narrow window on a single seat basis. This trait really only matters a lot on a multiseat install. As for the other traits listed, there are some natural conflicts in that feature set that you have to balance (e.g. scan speed and detection rate).

    list snipped

    My own recommendations with reasons:
    • Dr Web CureIt: Free, portable application. Since you don't want realtime, this is number 1 as it's demand only. Good/fast detection. With respect to fast - since I see comments here to the contrary - within the past few weeks I ran across a piece of malware that I determined as definitively malicious prior to sending to them, provided them with the complete exe and observations - it was added in less than 10 minutes with a confirming email that it was added. By the way, they weren't behind on this one - nobody had it according to a multiscanner and I'm not a regular submitter to them, I was just a random user forwarding a file. Dr Web gets hits in the commentary here and elsewhere, but I believe they're a very solid and underrated vendor. The one downside, you need to redownload to update. Not a major issue unless you're scanning all the time.
    • One of the major online scanners: for example Kaspersky, Eset, BitDefender, F-Secure, and so on. Some clean, some only notify regarding flagged files. Either should be fine since this is a demand scan scenario. The advantage of the online scanners over, for example, an installed product, is minimization of the potential conflict with other installed options.
    • I would not recommend installing multiple products with realtime modules with the aim to disable the realtime component. Sometimes you can finesse the inherent conflicts, sometimes not, and if you do finesse it, who knows what the next engine update may do. This is a case where the downside potential could be worse than what you are trying to protect yourself from.
    Blue
     
  7. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    I'd say underrated is a very good word to describe Dr.Web.
     
  8. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Am I missing something here ??
    MailScanner is Unix-only software, so how do you run Dr.Web CureIt on it? Dr.Web has a Unix command-line scanner, but it isn't free.

    Info from MailScanner website:
     
  9. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Do names such as Wine or Crossover ring a bell?

    Blue
     
  10. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Yes, they do :)

    But do you really think there is utility in running Windows apps in simulators over native Unix apps? Especially security apps, which could potentially crash the simulator or think the simulator files are threats?
    Plus, does the license/EULA for these Windows apps allow such usage?

    I have never tried this, nor do I have in-depth knowledge on this.
    So any info would be great, Blue.

    ---EDIT ---
    If you can legally and safely run Windows tools in Wine, then I can use them to run periodically on our Samba servers too, right? Or is it limited to home or personal use?
     
    Last edited: Aug 26, 2008
  11. ShyGuy

    ShyGuy Registered Member

    Joined:
    Mar 31, 2008
    Posts:
    16
    Location:
    Thunder Road
  12. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
  13. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!

    • wow!

      Never heard you speak with good praise for the doctor before, Blue. Of course, I agree :)

      Gets hits in the commentary? What do you mean? I've always been there to squash the myths and jealous types *lol* :p
     
  14. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    C.S.J.,

    Anyone can perform a search here and note the criticism that this product receives, those are the hits. With respect to my specific critique of those comments that appear from time to time....:
    • Low detection statistics - there's a lot of gnashing of teeth and emotion spent on differences in performance indicated by challenge demand scan tests. Even if one assumes that these are real differences, one really should step back and ask what's the nature of the threat that they will actually experience? If they are involved in P2P file sharing, regularly download random content as soon as it appears from unknown sites, and are click happy to check out every balloon being offered to them, perhaps they would experience in-use performance differences reflected by these test results (i.e. of the population of "all malware", they are personally exposed to most of it). That profile fits very few. Taking the AV-Comparatives ratings of Standard vs Advanced vs Advanced+, I really don't believe the bulk of users would be able to discern these differences based on their own experience. I base that comment on the fact that valid alerts - in my own hands - tend to number a few per year based on a lot of surfing. It would take multiple years to exceed a dozen. Yes, one of those threats could be a submolecular uber rootkit that infects at the atomic level, but I choose to live in the realm of objective reality and ignore those possibilities until they are at least physically (or conceptually) plausible. I'll extend my typical comment that most major AV products are fine to, in most situations, note that they are essentially equal performers.
    • DrWeb the company is unresponsive/rude: Recently, a direct link to malware was posted on this site (here is the specific thread). Virtually no major products covered it at the time of that posting (KAV, NOD32, DrWeb, you name it, it wasn't flagged). Since I was running Dr Web on this machine, I figured I'd see how they'd handle it. I had already executed it on my machine and validated that the downloaded exe was live and malicious. I have too many other irons in the fire to do this as an activity, so I'm not known as a regular submitter anywhere. I used the standard submission service. In fact, this was a first from me to them. I attached a short note:
      The submission was made at 7:30 AM local time. At 7:39 AM I received a note that the sample had been analyzed and a new virus record had been added. Nine-minute turnaround seems reasonably responsive to me. Short, to the point, and what was needed.
    At various times virtually any product will fall short with respect to both areas that I mention (detection and customer service). Too often, the negative is overly hyped and the positive is lost in the noise. I happen to use DrWeb on this machine to minimize resource footprint. I find that the tradeoff in performance traits that I pay attention to and weight heavily strikes a good balance in the current version. It's not perfect and won't fit all situations, but it is a very solid offering.

    Blue
     
  15. ShyGuy

    ShyGuy Registered Member

    Joined:
    Mar 31, 2008
    Posts:
    16
    Location:
    Thunder Road
    Hi Vijayind,
    I think the best way to know this is contacting Panda and telling what kind of "non personal" use is yours.
    Panda agrees that many online scanners use PAVCL for scanning because Panda has benefits too, for example publicity.
    Try contacting the company.
     
  16. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    Good one, Blue. :) The light footprint does weigh a lot on my setup too. Great to see Dr.Web being more responsive and with a quick turnaround.
     
  17. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Thanks, ShyGuy. I'll do that. :thumb:
     
  18. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    So far vba32 is definitely on the "to have" list, Bitdefender may be, though I may be using that on our Exchange boxes which means there's less need for it at the gateway.

    Avira wanted to sell me a mail server license, totally their prerogative, just not something I was interested in.

    Because we are a business and have to be legal I emailed several vendors whose product I would have been very interested in, and had heard absolutely sod all from them, which is nice.
     