Re: [Declude.Virus] False Positives
Kevin, could you please send me one of the actual emails that was caught by the 'uuencoding bad end' Vulnerability as an attachment? Also, could you put your virus.cfg file in debug mode and send me the entire log snip from the next message that is caught by this vulnerability? You can send it directly to me if you like. My email address is lpagi...@declude.com. Thanks. -- From: Linda Pagillo lpagi...@declude.com Sent: Sunday, May 09, 2010 7:07 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] False Positives You're welcome, Kevin and thanks for the log snip. I sent it over to development to obtain more detailed information about it. I will let you know as soon as I receive a response. -- From: Kevin Rogers ke...@rootdesign.com Sent: Friday, May 07, 2010 6:02 PM To: declude.virus@declude.com Cc: Linda Pagillo lpagi...@declude.com Subject: Re: [Declude.Virus] False Positives Thanks for your help Linda. Here are a couple log snippets of the 'uuencoding bad end' Vulnerability 05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65 05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152 05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006] 05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65 05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543 05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408] On 5/7/2010 7:31 AM, Linda Pagillo wrote: Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false-positive. The address that the emails are coming from are not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore, not a false-positive. As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice. Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file... ALLOWVULNERABILITIESFROMu...@domain.com If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead... ALLOWVULNERABILITIESFROMdomain.com (without the @ symbol) You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again. -- From: Kevin Rogers ke...@rootdesign.com Sent: Thursday, May 06, 2010 8:39 PM To: declude.virus@declude.com Subject: [Declude.Virus] False Positives I'm getting several false positives a day for the following tests: [Outlook 'Blank Folding' Vulnerability] MIME segment in MIME Postamble Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability] I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] False Positives
You're welcome, Kevin and thanks for the log snip. I sent it over to development to obtain more detailed information about it. I will let you know as soon as I receive a response. -- From: Kevin Rogers ke...@rootdesign.com Sent: Friday, May 07, 2010 6:02 PM To: declude.virus@declude.com Cc: Linda Pagillo lpagi...@declude.com Subject: Re: [Declude.Virus] False Positives Thanks for your help Linda. Here are a couple log snippets of the 'uuencoding bad end' Vulnerability 05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65 05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152 05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006] 05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65 05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543 05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408] On 5/7/2010 7:31 AM, Linda Pagillo wrote: Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false-positive. The address that the emails are coming from are not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore, not a false-positive. As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice. Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file... ALLOWVULNERABILITIESFROMu...@domain.com If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead... ALLOWVULNERABILITIESFROMdomain.com (without the @ symbol) You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again. -- From: Kevin Rogers ke...@rootdesign.com Sent: Thursday, May 06, 2010 8:39 PM To: declude.virus@declude.com Subject: [Declude.Virus] False Positives I'm getting several false positives a day for the following tests: [Outlook 'Blank Folding' Vulnerability] MIME segment in MIME Postamble Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability] I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] False Positives
Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false-positive. The address that the emails are coming from are not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore, not a false-positive. As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice. Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file... ALLOWVULNERABILITIESFROMu...@domain.com If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead... ALLOWVULNERABILITIESFROMdomain.com (without the @ symbol) You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again. -- From: Kevin Rogers ke...@rootdesign.com Sent: Thursday, May 06, 2010 8:39 PM To: declude.virus@declude.com Subject: [Declude.Virus] False Positives I'm getting several false positives a day for the following tests: [Outlook 'Blank Folding' Vulnerability] MIME segment in MIME Postamble Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability] I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] False Positives
Thanks for your help Linda. Here are a couple log snippets of the 'uuencoding bad end' Vulnerability 05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65 05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152 05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006] 05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65 05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543 05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408] On 5/7/2010 7:31 AM, Linda Pagillo wrote: Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false-positive. The address that the emails are coming from are not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore, not a false-positive. As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice. Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file... ALLOWVULNERABILITIESFROMu...@domain.com If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead... ALLOWVULNERABILITIESFROMdomain.com (without the @ symbol) You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again. -- From: Kevin Rogers ke...@rootdesign.com Sent: Thursday, May 06, 2010 8:39 PM To: declude.virus@declude.com Subject: [Declude.Virus] False Positives I'm getting several false positives a day for the following tests: [Outlook 'Blank Folding' Vulnerability] MIME segment in MIME Postamble Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability] I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
