Hi Kevin. Thanks for your post. I first would like to explain that what you
are seeing is not a false-positive. The address that the emails are coming
from is not a factor in the case of vulnerabilities. Our vulnerability
checking looks for exploits in an email. If it finds one, it will mark it no
matter who it is coming from. This is correct behavior for the tests and
therefore, not a false-positive.
As for allowing these for everyone who sends to your server, I would advise
against it, but of course, it is your choice. Instead I would allow
vulnerabilities on a per-sender basis in order to be safe. For example, you
said that you received 10 emails from a legit address that were caught as a
vulnerability. In that case, I would allow vulnerabilities for that
particular user. You can do that by adding a line to your virus.cfg file...
ALLOWVULNERABILITIESFROM u...@domain.com
If you wanted to allow vulnerabilities from the entire domain, you would add
the following line instead...
ALLOWVULNERABILITIESFROM domain.com (without the @ symbol)
You mentioned that the vulnerability you are seeing from the user in
question is the 'uuencoding bad end' Vulnerability. Where are you seeing
this? Is it in the email or the virus.cfg log? Could you copy and paste it
from the log or email so I can send it over to development for review?
Thanks again.
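The per-sender and per-domain forms of the directive, as an added example that is my own Python model of the rule as the reply describes it, not Declude's code: it reads a constructed virus.cfg fragment and applies it to constructed scanner results. It assumes matching is case-insensitive on the header From address and that a bare domain entry does not cover subdomains, and it shows how much wider a domain-wide entry is than a single-address one.

```python
from email.utils import parseaddr

# Constructed virus.cfg fragment (sample, not from the original post).
SAMPLE_VIRUS_CFG = """
# exempt one trusted sender only
ALLOWVULNERABILITIESFROM alice@example.com
# exempt every sender at a partner domain (entry has no @ symbol)
ALLOWVULNERABILITIESFROM partner.example
"""

# Constructed scanner output: (header From value, vulnerability name).
SAMPLE_SCAN = [
    ("Alice <alice@example.com>", "'uuencoding bad end' Vulnerability"),
    ("bob@example.com", "'uuencoding bad end' Vulnerability"),
    ("carol@partner.example", "Outlook 'Blank Folding' Vulnerability"),
    ("dave@evil.partner.example", "MIME segment in MIME Postamble"),
]

def parse_allow_entries(cfg_text):
    """Collect the value of every ALLOWVULNERABILITIESFROM line, lower-cased."""
    entries = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].upper() == "ALLOWVULNERABILITIESFROM" and len(parts) > 1:
            entries.append(parts[1].lower())
    return entries

def sender_allowed(from_header, entries):
    """Model of the rule in the reply: an entry containing '@' matches that one
    address; an entry without '@' matches every address at that domain.
    Assumptions: case-insensitive, and a bare domain does not cover subdomains."""
    address = parseaddr(from_header)[1].lower()
    domain = address.rpartition("@")[2]
    for entry in entries:
        if address == entry or ("@" not in entry and domain == entry):
            return True
    return False

def triage(scan_results, cfg_text):
    """Return (address, vulnerability, action) for each flagged message."""
    entries = parse_allow_entries(cfg_text)
    report = []
    for from_header, vuln in scan_results:
        action = "allow" if sender_allowed(from_header, entries) else "hold"
        report.append((parseaddr(from_header)[1].lower(), vuln, action))
    return report
```

Only the exact address and the exact partner domain are exempted; the look-alike subdomain is still held, which is the reason to prefer the narrowest entry that covers the sender you actually trust.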
--------------------------------------------------
From: "Kevin Rogers" <ke...@rootdesign.com>
Sent: Thursday, May 06, 2010 8:39 PM
To: <declude.virus@declude.com>
Subject: [Declude.Virus] False Positives
I'm getting several false positives a day for the following tests:
[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble
Today I received 10 false positives (from the same legit email address) of
['uuencoding bad end' Vulnerability]
I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to
allow it. This is the first I've seen of this test.
I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow
them.
I am running the latest v4.10.48 on Imail.
Are other people using these tests without many/any false positives?
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.