Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false-positive. The address that the emails are coming from is not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore not a false-positive.

As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice. Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file...

ALLOWVULNERABILITIESFROM    u...@domain.com

If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead...

ALLOWVULNERABILITIESFROM    domain.com (without the @ symbol)

You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again.
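As an added example (not Declude's own code), here is a small Python checker that reads ALLOWVULNERABILITIESFROM entries from a virus.cfg fragment, tells you whether a given sender would be exempted from vulnerability checks, and lists the domain-wide entries worth reviewing. The matching rules are assumptions: entries are compared case-insensitively, and an entry without '@' matches that exact domain only.

```python
"""Audit ALLOWVULNERABILITIESFROM entries in a Declude virus.cfg.

Added example, not Declude's own code. Assumed (not stated on the page):
- entries are compared case-insensitively against the sender address;
- an entry without '@' is a whole-domain exception matching that exact
  domain (subdomains are not assumed to match);
- lines starting with '#' are comments.
"""

DIRECTIVE = "ALLOWVULNERABILITIESFROM"

# Constructed sample virus.cfg fragment (not taken from the page).
SAMPLE_CFG = """
# per-sender exception, as support recommends
ALLOWVULNERABILITIESFROM    alice@example.com
# domain-wide exception: every sender at the domain skips vulnerability checks
ALLOWVULNERABILITIESFROM    partner.example
"""


def parse_allow_entries(cfg_text):
    """Return a list of (value, is_domain_wide) for each directive line."""
    entries = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == DIRECTIVE:
            value = parts[1].strip().lower()
            entries.append((value, "@" not in value))
    return entries


def vulnerabilities_allowed(sender, entries):
    """True if a vulnerability from `sender` would be allowed by `entries`."""
    sender = sender.strip().lower()
    domain = sender.rsplit("@", 1)[-1]
    for value, is_domain in entries:
        if is_domain and domain == value:
            return True
        if not is_domain and sender == value:
            return True
    return False


def domain_wide_entries(entries):
    """Broad exceptions an admin should review (per-sender is the safer form)."""
    return [value for value, is_domain in entries if is_domain]
```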

--------------------------------------------------
From: "Kevin Rogers" <ke...@rootdesign.com>
Sent: Thursday, May 06, 2010 8:39 PM
To: <declude.virus@declude.com>
Subject: [Declude.Virus] False Positives

I'm getting several false positives a day for the following tests:

[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble

Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability]

I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test.



I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them.

I am running the latest v4.10.48 on Imail.

Are other people using these tests without many/any false positives?
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
