7 Replies Latest reply on Apr 8, 2010 5:29 AM by Mal09

    SDAT Change?

      Has there been a change to the downloadable SDAT recently, or is there perhaps a problem with it? Up until very recently it was ~120mb and is now ~60mb. When I run "sdatnnnn -e" on a recently downloaded one to extract it, scan.exe, license.dat and messages.dat are all 5 bytes and just contain the text DUMMY in them.

      This is causing a problem for us, particularly because our e-mail content filter that scans inbound e-mails for viruses and content uses scan.exe to check mails for viruses. We have a download and extraction scheduled each day. As it stands now, our e-mail content filter is using definitions that are a few days out of date.

      Can anybody advise how I can get this working again?

      Apologies if this has been covered elsewhere - I couldn't find anything relevant using the search.

        • 1. Re: SDAT Change?

          There were big changes starting April 1st with how the dats are packaged and released.

          In summary:

          - V1 dat files were discontinued.

          - In the Superdat, the V1 dat files were removed, and Scan.exe, messages.dat and license.dat were converted into stubs instead of being actual files.

          This is what caused the size to shrink so much, as the superdat now only contains V2 dat files and engine support files.

          To continue using scan.exe, you will be required to download the V2 enabled Command Line dos scanner from your Products download page https://secure.nai.com/apps/downloads/my_products/login.asp using a valid grant number. (It's under Endpoint Security / Command Line Scanners / vscl-w32-6.0.1-l.zip.)

          If you then download the Sdat daily, you would want to ensure it doesn't overwrite the correct scan.exe/license/message files. I think the Superdat will ensure that the latest engine is used by scan.exe (but I'm not totally sure how McAfee plan to handle engine upgrades with the command line scanner). If you didn't want to have the hassle of ensuring the correct files were being used, then you could use the Xdat.exe (which only contains dat files), but then you need to consider how to upgrade engines when McAfee release new ones.

          See also https://kc.mcafee.com/corporate/index?page=content&id=KB68671

          Also, you probably want to have a read through https://kc.mcafee.com/corporate/index?page=content&id=KB68023 as it will affect the load time of scan.exe.

          Message was edited by: Mal09 on 07/04/10 10:32:50 GMT
          • 2. Re: SDAT Change?

            That was great - thanks for all of that information. It really helped.

            I'm having another problem now though. I tried to make our content filter (Mailsweeper) use the new scan.exe, however it started blocking all e-mails, so I reverted to the old one. To investigate, I ran the new scan.exe against an eicar.txt file that we have. It came back saying Total Files:1, Not Scanned:1. When I use the old scan.exe against the same file, it tells me Total Files:1, Possibly Infected:1. This is the behaviour that I was expecting, so I'm not sure if the new scan.exe is scanning properly or if I need to use some parameters with scan.exe.

            Is there new behaviour or have I done something wrong?

            • 3. Re: SDAT Change?

              Just did some quick tests, and the errorlevel returned from an Eicar detection is 13, which from memory matches what MSW should be expecting.

              I think the issue you are seeing is that the 6.X version requires you to use /ALL for it to scan a .txt file - even if the file is explicitly named in the command line. I'm not sure, but I think this is different behaviour to the earlier versions.

              Try scan.exe eicar.txt /ALL and see whether it detects the file.

              If that still doesn't detect the threat, then I suspect there is something wrong with your fileset, e.g. you don't have the V2 AVV dat set in place or similar.

              Something else of note. Even though I've uncompressed the AVV dat files, the load time is still pretty slow. Depending on your user count with MSW and number of emails processed / day, this may cause massive backlogs.
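An added example, not code from this thread or from McAfee/Clearswift, covering the two checks the replies above describe: detecting the 5-byte DUMMY stubs that a daily SuperDAT extract can drop over scan.exe, license.dat and messages.dat, and calling the 6.x scanner with /ALL while treating errorlevel 13 as a detection. The sample directory contents and the meaning of exit codes other than 13 (0 = clean, anything else = scanner error) are assumptions.

```python
import subprocess
import tempfile
from pathlib import Path

# Files that the April 2010 SuperDAT ships as 5-byte "DUMMY" stubs (from the thread).
STUB_CANDIDATES = ("scan.exe", "license.dat", "messages.dat")
STUB_CONTENT = b"DUMMY"


def find_stub_files(dat_dir):
    """Return the candidate names in dat_dir that are DUMMY stubs, not real files."""
    stubs = []
    for name in STUB_CANDIDATES:
        path = Path(dat_dir) / name
        if path.is_file() and path.read_bytes() == STUB_CONTENT:
            stubs.append(name)
    return stubs


def extract_is_usable(dat_dir):
    """True only if none of the files the mail filter depends on were overwritten by stubs."""
    return not find_stub_files(dat_dir)


def classify_errorlevel(code):
    """Interpret scan.exe's exit code: 13 = threat found (as reported in the thread), 0 = clean."""
    if code == 13:
        return "infected"
    if code == 0:
        return "clean"
    return "error"  # assumption: any other code is a scanner failure, never a clean result


def scan_file(scanner_path, target):
    """Run the 6.x command-line scanner with /ALL so files like eicar.txt are actually scanned."""
    proc = subprocess.run([str(scanner_path), str(target), "/ALL"], capture_output=True)
    return classify_errorlevel(proc.returncode)


def build_sample_dat_dir():
    """Constructed sample: a real scan.exe kept in place, but license/messages overwritten by stubs."""
    dat_dir = Path(tempfile.mkdtemp(prefix="sdat_check_"))
    (dat_dir / "scan.exe").write_bytes(b"MZ...constructed placeholder, not a real binary...")
    (dat_dir / "license.dat").write_bytes(STUB_CONTENT)
    (dat_dir / "messages.dat").write_bytes(STUB_CONTENT)
    return dat_dir


if __name__ == "__main__":
    sample = build_sample_dat_dir()
    print("stub files:", find_stub_files(sample), "usable:", extract_is_usable(sample))
    print("errorlevel 13 ->", classify_errorlevel(13))
```

Running extract_is_usable after the scheduled download, and refusing to swap in the new fileset when it returns False, keeps the mail filter on the last good scan.exe instead of a stub.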
              • 4. Re: SDAT Change?

                Thanks again. I tried the /all switch and it found the eicar file OK. I'm going to try this again in the morning with Mailsweeper and see if I can specify the switch anywhere to make sure it's scanning e-mails properly. We wouldn't have a huge amount of users, and performance of the scan.exe is something that I've been aware of before, so I'll be watching this closely for a few days to make sure it's behaving itself, as long as I get it working.

                • 5. Re: SDAT Change?

                  To add the switch in MSW (it probably already is there anyway), IIRC you have to modify exe.ini and then recreate the McAfee scenario.

                  Do a search for McAfee on the Clearswift Support forum ( http://www.clearswift.com/support/public-discussion-forums ), there is a wealth of info there.

                  One final point, the new Cmd line scanner contains "Support for multi-threaded scanning". This may mean that you can remove the MUTEX command on MSW (more on the forum) without the threat of the cmd line scanner having issues due to various threads interfering with each other. If this is correct, then scan speed will increase greatly, as MSW doesn't have to wait for each process of scan.exe to return an error code before handing off the next file to scan.

                  Message was edited by: Mal09 on 07/04/10 16:19:54 GMT
                  • 6. Re: SDAT Change?

                    I was speaking with Clearswift support this morning and they don't support the command line scanner version that it seems I need to use now (6.0). I think he said that 5.2 was the latest that they supported. I think I'll have to look at an alternative product now for this mail scanning, and this might also have the advantage of being much faster than the McAfee command line scanner.

                    Thanks a lot for all your help Mal09. You have been a wealth of knowledge yourself.

                    • 7. Re: SDAT Change?

                      Just about any AV scanner that returns errorlevels can be used with MSW. It's just a case of having the correct information in the exe.ini.

                      While CS support may *claim* it's not supported, I don't think that's fully correct.

                      Post over at the CS forum about the topic, and either myself or someone else will give some more advice there. It's too Off-Topic for here.