[Declude.Virus] ZEROHOUR, scanner order
Hi Dave:

I see. Based on your email I checked the Virus side of things and I do see Zerohour log entries:

06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1
06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]
06/07/2009 23:44:36.984 q29d5b0d20821.smd From: ignitionhf8...@sicis.com To: imail...@wateroperations.com [incoming from 84.63.45.89]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Subject: =?koi8-r?B?WW91knZlIHJlY2VpdmVkIGEgZ3JlZXRpbmcgZWNhcmQ=?=

Unfortunately, Zerohour doesn't identify the virus (which in some cases may be obvious if it's a yet unnamed outbreak). But the problem is that known viruses are not handled as configured.

What are my configuration options for Declude Virus with regards to ZeroHour? Can I at least control the order of scanning, e.g., I'd rather have the regular virus scanners try to identify and report known/named viruses and make Zerohour the option of last defense?

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 08, 2009 9:36 AM
To: declude.junkm...@declude.com
Subject: RE: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED

Hi Andy,

The ZEROHOUR was integrated into Declude as part of the virus code as it provides ZEROHOUR anti-virus. Because of this it does not function the same as the other tests. It either scores the email for x points as defined in the global.cfg or it does not, which is shown as zero. Changing the way ZEROHOUR was implemented is on our development list.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
mailto:dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Sunday, June 07, 2009 6:07 PM
To: declude.junkm...@declude.com
Subject: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED
Importance: High

Hi,

Seems as if ZEROHOUR is not at all handled correctly vis-à-vis the TESTSFAILED variable?

1. Example: I have defined

XINHEADER X-Declude: Triggered [%WEIGHT%] %TESTSFAILED%

However, since activating ZEROHOUR I now see SMTP headers like this:

X-Declude: Triggered [-2] None, ZEROHOUR [0]

There are two things wrong with this:

a) If Testsfailed returns None, why is the string ZEROHOUR appended? If it's None then it should be None and nothing else.

b) If ZEROHOUR didn't fail and thus has a weight of 0, then it shouldn't appear in the TESTSFAILED list at all.

2. In one of my filters, I have the line

TESTSFAILED 5 CONTAINS ZEROHOUR

However, it fails to add 5 to the weight, as if it doesn't detect ZEROHOUR in the TestsFailed string, which would be consistent with items a) and b), because apparently there is a bug where ZEROHOUR is not correctly included in the TESTSFAILED variable, but instead it is somehow appended behind it!

The power of Declude is to be able to tightly configure (through various options) how weights are assigned and (with the help of TESTSFAILED filters) which groupings of tests might be testing/triggering on the same aspect of a message. Currently ZEROHOUR appears to negate all the other advantages of Declude!

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
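Added example (not part of the thread and not Declude's code): a Python parser for Declude virus-log lines in the shape quoted above. It groups events per queue file, decodes the RFC 2047 subject, and flags messages whose only verdict is ZEROHOUR's unnamed "Unknown", which is the count an administrator would trend against named-scanner hits. The qconstructed01 entry and the assumed AVG line shape are constructed, not taken from the page.

```python
import re
from dataclasses import dataclass, field
from email.header import decode_header

# Line shape taken from the log excerpt quoted in the thread:
#   MM/DD/YYYY HH:MM:SS.mmm <queue-id>.smd <event text>
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (\S+)\.smd (.*)$")
REPORT_RE = re.compile(r"^(\S+) Reports VIRUS: (.+)$")
ENVELOPE_RE = re.compile(r"^From: (\S+) To: (\S+) \[incoming from ([\d.]+)\]$")

# First six lines are the entries quoted in the thread. The qconstructed01 lines
# are a constructed sample and ASSUME a named scanner (AVG) logs in the same
# "<SCANNER> Reports VIRUS: <name>" shape, which the thread does not show.
SAMPLE_LOG = """\
06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1
06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]
06/07/2009 23:44:36.984 q29d5b0d20821.smd From: ignitionhf8...@sicis.com To: imail...@wateroperations.com [incoming from 84.63.45.89]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Subject: =?koi8-r?B?WW91knZlIHJlY2VpdmVkIGEgZ3JlZXRpbmcgZWNhcmQ=?=
06/08/2009 01:02:03.111 qconstructed01.smd AVG Reports VIRUS: Example.Constructed
06/08/2009 01:02:03.111 qconstructed01.smd Scanned: CONTAINS A VIRUS [MIME: 1 1024]
06/08/2009 01:02:03.111 qconstructed01.smd From: sender@example.com To: user@example.net [incoming from 192.0.2.10]
06/08/2009 01:02:03.111 qconstructed01.smd Subject: constructed sample
"""


@dataclass
class QueueEntry:
    queue_id: str
    detections: list = field(default_factory=list)  # (scanner, virus name)
    sender: str = ""
    recipient: str = ""
    source_ip: str = ""
    subject: str = ""
    vuln_flags: int = 0
    infected: bool = False


def decode_subject(raw: str) -> str:
    """Decode RFC 2047 encoded-words; the log stores the raw header value."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def parse_log(text: str) -> dict:
    """Group event lines by queue id and pull out the fields worth triaging."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Declude event line
        _, qid, event = m.groups()
        e = entries.setdefault(qid, QueueEntry(qid))
        if r := REPORT_RE.match(event):
            e.detections.append((r.group(1), r.group(2)))
        elif r := ENVELOPE_RE.match(event):
            e.sender, e.recipient, e.source_ip = r.groups()
        elif event.startswith("Subject: "):
            e.subject = decode_subject(event[len("Subject: "):])
        elif event.startswith("Vulnerability flags = "):
            e.vuln_flags = int(event.rsplit("=", 1)[1])
        elif event.startswith("Scanned: CONTAINS A VIRUS"):
            e.infected = True
    return entries


def zerohour_unknown_only(e: QueueEntry) -> bool:
    """True when the only verdict is ZEROHOUR's unnamed 'Unknown' detection."""
    return bool(e.detections) and all(
        s == "ZEROHOUR" and n == "Unknown" for s, n in e.detections)


def summarize(entries: dict) -> dict:
    """Counts to trend: infected messages, and how many of them carried no name."""
    infected = [e for e in entries.values() if e.infected]
    return {"infected": len(infected),
            "zerohour_unknown_only": sum(zerohour_unknown_only(e) for e in infected)}


if __name__ == "__main__":
    for qid, e in parse_log(SAMPLE_LOG).items():
        print(qid, e.source_ip, e.detections, "unnamed" if zerohour_unknown_only(e) else "named")
```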
RE: [Declude.Virus] ZEROHOUR, scanner order
Commtouch Zerohour identifies viruses based on traffic patterns rather than signatures; this is why it is not associated with a name. There is only one option currently for Commtouch in the global.cfg:

ZEROHOUR x

Where x is the weight assigned if ZEROHOUR is triggered. In the Declude EVA the ZEROHOUR is part of the internal scanner process and I will need to look at the code to determine the order of scanning, but I will get back to you on this.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, June 08, 2009 10:26 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ZEROHOUR, scanner order
RE: [Declude.Virus] ClamAV
Hi David:

The best is http://oss.netfarm.it/clamav - because it's the same one ClamWin is using and it's kept up-to-date.

I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service. There is a .REG file that sets up a registry entry where the path is stored. In their registry, I chose to change the following (because I wanted to keep the CONF files and the DB files out of the program code):

[HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
ConfigDir=C:\\Progra~1\\ClamAV\\conf
DataDir=C:\\Progra~1\\ClamAV\\db

For FreshClam.conf, I changed these parameters to match my preference:

DatabaseDirectory C:\Program Files\clamAV\db
UpdateLogFile C:\Program Files\clamAV\log\freshclam.log
LogTime yes

For ClamD.conf, I changed these:

LogFile C:\Program Files\clamAV\log\clamd.log
LogTime yes
TemporaryDirectory C:\Temp
DatabaseDirectory C:\Program Files\clamAV\db

For the service, I removed the spaces from the path (not sure if this was needed):

C:\Progra~1\ClamAV\clamd.exe --daemon

In Declude, I used:

#ClamAV
SCANFILE1 C:\Progra~1\ClamAV\ClamDScan.exe
VIRUSCODE1 1

Of course, that still leaves the problem of Declude having no decent virus report file parser (if you care about seeing the proper virus name in the proper location of the log files). For now, I still use a middleware to reformat the Report file before feeding it to Declude. If you don't care about names, then this isn't necessary.

Best Regards,
Andy

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Monday, June 08, 2009 12:26 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV

I'm using an older version of ClamAV that needs to be updated as a backup scanner. Unfortunately, it is no longer being developed. Has anyone tried the ClamID from ArmResearch or any other version of ClamAV that is current that works with Declude?

David
[Declude.Virus] automated response
Thanks for the email!!! However, I will be out of the office until Tuesday, June 9th when I will return and sort the good mail from the junk mail. If your email is important, don't worry, I'll get to it. Thanks!
RE: [Declude.Virus] ZEROHOUR, scanner order
Hi David:

Thanks.

The Global.cfg configures the Declude.Junkmail - but you said it was implemented as Declude.Virus. So any configuration would go into the Virus.cfg file. It seems to me as if it's implemented in some fashion in both ends.

> In the Declude EVA the ZEROHOUR is part of the internal scanner process and I will need to look at the code to determine the order of scanning but I will get back to you on this.

Based on log entries/detection it appears as if it first checks ZEROHOUR, then AVG, then launches the external scanners.

Sorry for all the questions - just trying to wrap my arms around the new way that everything is behaving now - as it's inconsistent with what I have had in place all these years (both in Junkmail, which relies on TESTSFAILED to control actions, and in Virus, which relies on virus name detection to control what actions to take).

(Seems as if ZEROHOUR was added by a developer who wasn't yet familiar/briefed with what was already in place elsewhere in the product, and just came up with his/her own way of doing things instead of integrating with the existing features.)

Thanks,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 08, 2009 10:34 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order
RE: [Declude.Virus] ZEROHOUR, scanner order
Andy,

It is implemented in the Declude virus, but because the spam function overlaps into junkmail and the spam weighting system is in junkmail, the weight is specified in the global.cfg - as you can see it is more a directive than a test.

Secondly, you are correct about the developer who integrated Commtouch. This was before I took over the management of Declude and suffice it to say he is no longer with Declude either.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, June 08, 2009 11:02 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order
RE: [Declude.Virus] ZEROHOUR, scanner order
Fair enough! Looks like a good service in general - hopefully, the implementation can be cleaned up at some point.

Thanks,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 08, 2009 11:10 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order
RE: [Declude.Virus] ZEROHOUR, scanner order
I confirmed that Commtouch runs before AVG as the internal virus scanner and currently there is no way to change this without changing the code. I will add this as a dev request to switch the order of AVG and Commtouch.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, June 08, 2009 11:28 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order