Hi,

I have confirmed that Declude Virus is handling infected/suspicious files
correctly - but if you look at the "MID" level log - you really don't get
that impression and end up having to waste time chasing a multitude of logs.

Cases 3 and 4 document what Declude logs when either the built-in AVG detects
a virus or when McAfee detects the viruses that AVG misses. There are
explicit lines that document the state of the email and attachment (e.g.:
"Deleting"). While these lines are "out of order" (they really should appear
at the end of the log), at least they DO appear.

However, cases 1 and 2 document how Declude logs vulnerabilities or fake
classes that are banned. In this case, the Declude log leaves us guessing if
(and what) action Declude might have taken. I eventually had to scan through
the Imail log to confirm that NO local or remote delivery was done.

It's necessary for Declude to document the final disposition of a banned
message, e.g., by adding a line "Banning email with vulnerability" or
"Banning file with bogus class ID".

It's necessary for Declude to document from/to/subject information for
banned messages (like "bogus .jpg file") so that the log may be scanned by
that information if a client inquires about missing mail!

Case 1:

08/21/2007 02:04:43.867 q807901a800008126.smd Vulnerability flags = 0
08/21/2007 02:04:46.304 q807901a800008126.smd Virus scanner 1 reports exit code of 0
08/21/2007 02:04:46.304 q807901a800008126.smd Found a bogus .jpg file

- What's the final disposition of this message?

- What's the from/to/subject of this banned message?

Case 2:

08/21/2007 00:00:00.556 q633c01f70000617f.smd Vulnerability flags = 0
08/21/2007 00:00:00.556 q633c01f70000617f.smd Outlook 'CR' vulnerability [Subject: =] in line 6
08/21/2007 00:00:05.133 q633c01f70000617f.smd Virus scanner 1 reports exit code of 0
08/21/2007 00:00:05.148 q633c01f70000617f.smd Scanned: CONTAINS A VIRUS [MIME: 1 2138]
08/21/2007 00:00:05.148 q633c01f70000617f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 122.43.112.167]
08/21/2007 00:00:05.148 q633c01f70000617f.smd Subject: =?ISO-2022-JP?B?GyRCQ084NSROJSolUCU1JXMkckp6JC0kPyQkJEckOSQrISklbCVZGyhC?=

- What's the final disposition of this message?

Case 3:

08/21/2007 00:20:18.004 q67fb019200006750.smd Vulnerability flags = 0
08/21/2007 00:20:19.426 q67fb019200006750.smd AVG Reports VIRUS: Worm/Feebs
08/21/2007 00:20:19.426 q67fb019200006750.smd File(s) are INFECTED [Worm/Feebs: 7]
08/21/2007 00:20:19.457 q67fb019200006750.smd Deleting file with virus
08/21/2007 00:20:19.457 q67fb019200006750.smd Deleting E-mail with virus!
08/21/2007 00:20:19.457 q67fb019200006750.smd Scanned: CONTAINS A VIRUS [MIME: 4 64661]
08/21/2007 00:20:19.457 q67fb019200006750.smd From: <> To: [EMAIL PROTECTED] [incoming from 195.207.151.68]
08/21/2007 00:20:19.457 q67fb019200006750.smd Subject: Delivery Status Notification (Failure)

Case 4:

08/21/2007 09:04:47.499 qe2e401e500003f7e.smd Vulnerability flags = 0
08/21/2007 09:04:52.734 qe2e401e500003f7e.smd Virus scanner 1 reports exit code of 13
08/21/2007 09:04:52.734 qe2e401e500003f7e.smd Scanner 1: Virus= the W32/Bagle.fc!pwdzip Attachment=Emanual.zip [61] I
08/21/2007 09:04:52.734 qe2e401e500003f7e.smd Deleting file with virus
08/21/2007 09:04:52.734 qe2e401e500003f7e.smd Deleting E-mail with virus!
08/21/2007 09:04:52.734 qe2e401e500003f7e.smd Scanned: CONTAINS A VIRUS [MIME: 3 86468]
08/21/2007 09:04:52.734 qe2e401e500003f7e.smd From: [Forged] To: [EMAIL PROTECTED] [incoming from 216.85.246.178]
08/21/2007 09:04:52.734 qe2e401e500003f7e.smd Subject: Nathaniell

Best Regards,

Andy
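An added example, not part of Andy's post and not Declude's own code, showing how a defender could audit a Declude log for exactly the gap the post describes: group entries by message ID, note the lines the post shows as bans or detections, and report IDs that never received a disposition line. The sample lines are constructed from the post's cases 1 to 3; the addresses, IPs and the case 2 subject are made up, while the message IDs are the post's.

```python
import re
from collections import defaultdict

# Constructed sample (addresses, IPs and the case 2 subject are made up; IDs are the post's).
SAMPLE_LOG = """\
08/21/2007 02:04:43.867 q807901a800008126.smd Vulnerability flags = 0
08/21/2007 02:04:46.304 q807901a800008126.smd Virus scanner 1 reports exit code of 0
08/21/2007 02:04:46.304 q807901a800008126.smd Found a bogus .jpg file
08/21/2007 00:00:00.556 q633c01f70000617f.smd Outlook 'CR' vulnerability [Subject: =] in line 6
08/21/2007 00:00:05.148 q633c01f70000617f.smd Scanned: CONTAINS A VIRUS [MIME: 1 2138]
08/21/2007 00:00:05.148 q633c01f70000617f.smd From: a@example.invalid To: b@example.invalid [incoming from 192.0.2.10]
08/21/2007 00:00:05.148 q633c01f70000617f.smd Subject: constructed subject
08/21/2007 00:20:19.426 q67fb019200006750.smd AVG Reports VIRUS: Worm/Feebs
08/21/2007 00:20:19.457 q67fb019200006750.smd Deleting E-mail with virus!
08/21/2007 00:20:19.457 q67fb019200006750.smd From: <> To: c@example.invalid [incoming from 192.0.2.11]
08/21/2007 00:20:19.457 q67fb019200006750.smd Subject: Delivery Status Notification (Failure)
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+\.smd) (.*)$")
# Lines that mean Declude decided to ban the message or treat it as infected.
# Case-sensitive on purpose: the routine "Vulnerability flags = 0" line must not count.
TRIGGER_RE = re.compile(r"Found a bogus|\bvulnerability\b|CONTAINS A VIRUS|Reports VIRUS|are INFECTED")
# Lines that state what actually happened to the message or attachment.
DISPOSITION_RE = re.compile(r"Deleting (E-mail|file)|Banning")


def audit(log_text):
    """Group log lines by message ID; record flag, disposition, From/To line and subject."""
    msgs = defaultdict(lambda: {"flagged": False, "disposed": False,
                                "from_to": None, "subject": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _stamp, mid, text = m.groups()
        rec = msgs[mid]
        if TRIGGER_RE.search(text):
            rec["flagged"] = True
        if DISPOSITION_RE.search(text):
            rec["disposed"] = True
        if text.startswith("From: "):
            rec["from_to"] = text
        elif text.startswith("Subject: "):
            rec["subject"] = text[len("Subject: "):]
    return dict(msgs)


def unresolved(log_text):
    """Message IDs that were flagged but never got a disposition line (cases 1 and 2)."""
    return sorted(mid for mid, rec in audit(log_text).items()
                  if rec["flagged"] and not rec["disposed"])
```

Running `unresolved(SAMPLE_LOG)` returns the two IDs from cases 1 and 2, and `audit()` shows that case 1 also carries no From/To or Subject line to search by.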

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.