RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-29 Thread Markus Gufler


 I'm still on Declude v2.x and am comfortable there, as Don 
 points out, many of us are waiting for the v3.x to be utterly 
 stable and to have desired new features before going to it.  
 As the software is maturing, so is much of the userbase; 
 there used to be a lot of early adopters when the releases 
 were coming out fast and furious.

I'm running it on 3 different servers and, except for the strangeness with the
declude.cfg file on one of these servers that was solved by recreating it, I'm
very impressed by the stability and performance of v3. The amount of
incoming messages is growing rapidly and so is the number of held viruses and
spam. (v3 can process many more messages than the previous versions!)

So I'm searching for something simple to clean out all this stuff as fast as it's
coming in.

Markus

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-29 Thread Don Brown
We are also running the latest release of v 3.  We only have one open
question to Declude Tech support as to why Base64 does not trigger
sometimes.  No crashes or other problems with either AV or JM.

It is a lot faster.

Thanks,


Sunday, January 29, 2006, 4:06:28 AM, Markus Gufler [EMAIL PROTECTED] wrote:

 I'm still on Declude v2.x and am comfortable there, as Don 
 points out, many of us are waiting for the v3.x to be utterly 
 stable and to have desired new features before going to it.  
 As the software is maturing, so is much of the userbase; 
 there used to be a lot of early adopters when the releases 
 were coming out fast and furious.

MG I'm running it on 3 different servers and, except for the strangeness with the
MG declude.cfg file on one of these servers that was solved by recreating it, I'm
MG very impressed by the stability and performance of v3. The amount of
MG incoming messages is growing rapidly and so is the number of held viruses and
MG spam. (v3 can process many more messages than the previous versions!)

MG So I'm searching for something simple to clean out all this stuff as fast as it's
MG coming in.

MG Markus





Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049




Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-29 Thread Matt
e custom filters
with thousands of lines of BODY or ANYWHERE searches).  I know that on
my system I Delete about 70% of all messages, ROUTETO about 10%, and
deliver about 20%.  I would like to save on scanning what I would
otherwise be deleting with JunkMail. 
Matt 
  
  
Keith Johnson wrote:
  Markus,
   However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).

Is this not true?
Keith
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

So, with or without AVAFTERJM, it looks like each message is scanned by
the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers:
As we know usually 50% of all incoming messages are spam.
We know too that resource usage of one or two scan-engines is way above
the entire spam filtering even if you use 5-6 external applications like
sniffer, inv-uribl, spamchk, ...
So if your spam filters are set up properly they will filter out at
least 50% of all incoming messages before they will reach the
av-engines.
Markus
--- 
Check out http://www.invariantsystems.com
for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers. 

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-29 Thread Markus Gufler



Matt, 

Thank you for this informative report.
As I have many scripts working around Declude (my intention 
is to reduce them) I have to verify some things before I can turn on AVAFTERJM. 
But if this will be the case here is my vote for the original R-line in the 
Q-file.

Markus



  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Sunday, January 29, 2006 7:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

A quick update on this.

I verified that when the virus scanner triggers using AVAFTERJM ON, the
COPYFILE action will not trigger. This is good. It also means that people
can ROUTETO a null account (auto-delete account), and use the COPYFILE
action in place of HOLD and avoid having viruses stacking up in their held
E-mail. The COPYFILE action also allows for adding JunkMail headers if you
include the following command in your Global.cfg, which can be a further
benefit.

COPYFILEACTIONWITHHEADERS ON

Apparently this is the default in SmarterMail...confusing.

There is one caveat to turning this on that I should have mentioned
earlier. Declude will modify the recipients in the Q* file if they were
changed by a COPYTO or ROUTETO action whereas the HOLD action doesn't
modify the Q* file. I did previously ask Declude to modify this behavior
so that the original Q* file is copied before the changes are made. One
good thing though is that the original recipients are still in that file,
but not in a format that IMail will route to if they are requeued by just
copying the file. You have to read and adjust the file with a script or
manually if you wish to do this. For instance, the following would be an
original Q* file:

QF:\\Dffe0699801363abc.SMDHmail.mailpure.comIffe0699801363abcX1WE:\mail.mailpure.comE0,S[EMAIL PROTECTED]NRCPT TO:[EMAIL PROTECTED]R[EMAIL PROTECTED]

After a ROUTETO action sends the message to [EMAIL PROTECTED] and the
COPYFILE action is applied with this switch, the Q* file would look like
the following:

QF:\\Dffe0699801363abc.SMDHmail.mailpure.comIffe0699801363abcX1WE:\mail.mailpure.comE0,S[EMAIL PROTECTED]NRCPT TO:[EMAIL PROTECTED]R[EMAIL PROTECTED]

As you can see, the "R" line is what IMail will actually deliver to, but
you can read the file, delete the "R" lines and change the "NRCPT TO"
lines to "R" lines and then requeue the message.

And another note about this. If others prefer the original Q file instead
of the modified one to be used with COPYFILE, please voice your opinions.
I can't understand how the modified Q file is useful at all, so I believe
the behavior should be changed entirely instead of adding a switch and
further complicating the code. This essentially would make it just like
HOLD, but not a final action, and with the ability to have JunkMail
headers in the D* file.

Matt

Matt wrote:

Let me try to summarize what seems to be the consensus here.

With AVAFTERJM ON, only certain final actions will result in no virus
scanning. Those apparently include the following:

HOLD
DELETE
DELETE_RECIPIENT (for the deleted recipients)

On the following final actions, virus scanning will occur:

DELETE_RECIPIENT (for non-deleted recipients)
ROUTETO
COPYTO
WARN
SUBJECT
HEADER
FOOTER
ALERT
LOG
BEEP

The following final actions are unclear to me as to the behavior and I
haven't seen a mention about them here:

COPYFILE (for the file copied not the one delivered, might copy the virus)
MAILBOX (maybe bypasses virus scanning, could use ROUTETO instead)
ATTACH (not sure how this affects virus scanning, could bypass it in certain situations or all)
BOUNCEONLYIFYOUMUST (might bypass virus scanning)

It would seem that the only new issues under the most common
configurations where spam is captured to accounts using ROUTETO would be
that undetected viruses could land in these accounts. This is probably not
that much E-mail on the typical day, though it could potentially include
banned extensions that would create bounces with JunkMail running last.
There would be an advantage to this in that it would help stop backscatter
though. One could create a filter to segregate messages in these spam
capture accounts that contained a common virus executable so that they
could be handled differently, for instance, one could use the HEADER
action or WARN action to tag the headers and then use IMail rules to move
these messages into a special folder or delete them from the spam capture
accounts if that was preferred.

Would people agree that this is accurate?

Matt

Darrell ([EMAIL PROTECTED]) wrote:

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned. Think of
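
The Q* file fix-up described in the quoted message above (delete the "R" lines, change the "NRCPT TO" lines to "R" lines, then requeue), as an added example that is not part of the original thread and is not Declude or IMail code. It assumes one record per line and that the address text after "NRCPT TO:" can follow "R" unchanged; the sample file, its path and its addresses are constructed.

```python
"""Restore the original recipients in a Q* file saved by COPYFILE.

Added illustration. Assumptions: the Q* file holds one record per line,
the start of each line identifies the record, and the address text after
"NRCPT TO:" can be reused unchanged after "R".
"""

N_PREFIX = "NRCPT TO:"  # original envelope recipient, as named in the message
R_PREFIX = "R"          # recipient the mail server will actually deliver to


def _addresses(lines, prefix):
    """Collect the non-empty address text following `prefix`."""
    found = [ln[len(prefix):].strip() for ln in lines if ln.startswith(prefix)]
    return [addr for addr in found if addr]


def changed_recipients(q_text):
    """Return (removed, restored) address lists so the change can be logged."""
    lines = q_text.splitlines()
    return _addresses(lines, R_PREFIX), _addresses(lines, N_PREFIX)


def restore_original_recipients(q_text):
    """Drop every "R" line and turn each "NRCPT TO:" line into an "R" line."""
    newline = "\r\n" if "\r\n" in q_text else "\n"
    lines = q_text.splitlines()

    if not _addresses(lines, N_PREFIX):
        # Rewriting would leave a queue file with nobody to deliver to,
        # so refuse rather than produce an undeliverable message.
        raise ValueError("no NRCPT TO line found; leaving Q* file untouched")

    out = []
    for ln in lines:
        if ln.startswith(N_PREFIX):
            addr = ln[len(N_PREFIX):].strip()
            if addr:
                out.append(R_PREFIX + addr)   # original recipient becomes deliverable
        elif ln.startswith(R_PREFIX):
            continue                          # recipient set by ROUTETO/COPYTO: discard
        else:
            out.append(ln)                    # every other record is kept as-is

    trailer = newline if q_text.endswith(("\r\n", "\n")) else ""
    return newline.join(out) + trailer


# Constructed sample of a Q* file after ROUTETO + COPYFILE (not from the thread).
SAMPLE_COPYFILE_Q = (
    "QC:\\spool\\D0123456789abcdef.SMD\r\n"
    "Hmail.example.com\r\n"
    "I0123456789abcdef\r\n"
    "S<sender@example.net>\r\n"
    "NRCPT TO:<alice@example.com>\r\n"
    "NRCPT TO:<bob@example.com>\r\n"
    "R<spamtrap@example.com>\r\n"
)

if __name__ == "__main__":
    removed, restored = changed_recipients(SAMPLE_COPYFILE_Q)
    print("removed :", removed)
    print("restored:", restored)
    print(restore_original_recipients(SAMPLE_COPYFILE_Q), end="")
```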

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-28 Thread Markus Gufler
Ok, you're right, exactly as you were when HOP was introduced.
Such a little feature request was not worth even half of all the messages
in this topic. Additionally the entire Declude staff seems to be on holiday.
So I have to write my own post-solution once again.

Markus


 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
 Sent: Saturday, January 28, 2006 5:32 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 A single piece of software can't possibly be all things to all people.
 I think the best that can be expected is that it reasonably 
 addresses all, or most, of those objectives which the user 
 community shares.
 
 It is easy to say that it only costs $xx when it's not your 
 money, the same as it is to say that it will only take 30 
 lines of code when you don't have to write it, test it, 
 maintain it and fix it when it breaks.
 
 I was the culprit who introduced the HOP feature in Declude a 
 long time ago. It was effective back then in combating 
 dynamic servers in the delivery chain. As intimate as Scott 
 was with his code and with the challenges we all faced, we 
 debated it on and off the list for a long time, before he was 
 convinced it would be a good thing for the entire user 
 community. IOW, he had to see the beef - the evidence, that 
 there was an issue and that it was one which Declude could 
 address effectively.
 
 Scott is gone and Imail has changed requiring a major 
 overhaul in Declude.  Many of the old timers on this list are 
 still NOT running the most current release, due to certain 
 challenges and anomalies.
 
 I'm not trying to be a horses tail or beat you up and there 
 is nothing personal involved. I just think that unless a 
 feature request can be justified with facts, which you admit 
 that yours cannot, that we refrain from distracting the 
 community and particularly the people at Declude.
 
 I'd rather see Declude keep pumping the water out of the 
 bilge to the point they can fix the hull, rather than taking 
 the time to hang a new pennant from the mast.  Wouldn't you?
 
 Thanks,
 
 
 Friday, January 27, 2006, 6:05:46 PM, Markus Gufler [EMAIL PROTECTED] wrote:
 MG I have no stats or numbers.

 MG Only the fact that AV-Engines have introduced a suspicious category
 MG that is catching more and more new outbreaks. Additionally it seems
 MG that the scanning process is becoming more and more complex. Each
 MG variant (we have up to two-letter versions!) seems to need completely
 MG new definitions. Another, more
 MG alarming: certain virus-signatures seem to catch only a part of one
 MG single but polymorphic and encrypted virus variant.

 MG Try to send a vb-script containing one single call of the
 MG filesystem-object even if zipped or with renamed file extension through some av-engines.
 MG DELETEVIRUS ON will delete the entire message and you will have to
 MG tell some fairy story to the customer who calls you because he misses some messages.

 MG Not deleting messages immediately, as many of us do, is one way.
 MG Adding 5 DELETEVIRUSNAME-lines in the global.cfg would be a very
 MG simple possibility to keep the virus folder clean and small. And I
 MG repeat: It should be something very very simple to implement. Anyone
 MG who doesn't want or need it could simply not turn it on.

 MG Regarding the already existing FORGINGVIRUS DNS lookup feature and
 MG a possible enhancement like AUTODELETEKNOWNWORMS.
 MG I wouldn't say that I don't trust declude's FORGINGVIRUS list. But
 MG first of all I really want to know what I categorize FORGING and what
 MG not on my server. Beside the fact that since we don't send out
 MG notifications to customers anymore my personal FORGINGVIRUS list is
 MG simply a good way to filter out 99% of all postmaster notifications,
 MG and so a wave of such notifications is an excellent indicator that
 MG something new is around that I should give a look.
 MG An additional DNS lookup for each held virus in my eyes is not
 MG really useful if the number of forging viruses is so small as it is
 MG today. Ok it's a nice thing for someone who doesn't want to care for his server daily.
 MG Another unclear aspect is how this DNS-based list handles different
 MG virus names. We have seen in the last months that there is no more
 MG consistent naming between AV-Companies. Does Declude maintain and
 MG serve forging virus names for all AV-Engines?

 MG I still consider Declude my swiss army knife for handling
 MG SMTP-traffic and keep our customer mailboxes usable for the daily
 MG work. And even if I know that some tools in my knife can be
 MG dangerous I want to have them when it will become necessary.

 MG Markus
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
  Sent: Friday, January 27, 2006 8:24 PM

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-28 Thread Colbeck, Andrew
We've all made good points [except Matt, he's apparently high on life...
;)  ] and that is precisely the value of the debating club we've formed
here.

Excellent features have been put into Declude precisely because of the
debating club.  When Scott was the sole developer, this debate and
feedback was a great way for him to gauge the relative importance of new
and enhanced feature requests.

Although I don't need it, I thought it was worth offering up a possible
automagic feature that would be a good addition to Declude. I certainly
wasn't going to take offense if anybody shot at the flag I just ran up
the flagpole!  As it turns out, there were a few salutes.

I'm still on Declude v2.x and am comfortable there, as Don points out,
many of us are waiting for the v3.x to be utterly stable and to have
desired new features before going to it.  As the software is maturing,
so is much of the userbase; there used to be a lot of early adopters
when the releases were coming out fast and furious.

Andrew 8)


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Saturday, January 28, 2006 1:13 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 Ok, you're right, exactly as you were when HOP was introduced.
 Such a little feature request was not worth even half
 of all the messages in this topic. Additionally the entire Declude
 staff seems to be on holiday.
 So I have to write my own post-solution once again.
 
 Markus
 
 
  
 

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Instead of doing something like that, which will require on-going,
hands-on maint, why not just tag to hold those which are identified by
the scanner as suspicious or generic and delete the rest?


Wednesday, January 25, 2006, 4:37:28 PM, Markus Gufler [EMAIL PROTECTED] 
wrote:
MG Maybe someone has already requested it:

MG Why not allow commands like 

MG DELETEVIRUSNAME Netsky
MG DELETEVIRUSNAME Bagle
MG ...

MG in the virus.cfg file?

MG I won't and can't delete all viruses on our server because there is always
MG the possibility that a scanner is catching something as suspicious or
MG generic 

MG But commands to delete certain virusnames should be very easy to implement
MG and allow us to eliminate 95% of all held viruses on our servers.

MG Markus





Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049




Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Thursday, January 26, 2006, 2:33:11 AM, Colbeck, Andrew [EMAIL PROTECTED] 
wrote:

CA[SNIP]
CA Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM
CA to cut down on the work, and this definitely leaves a gap in my
CA statistics.  Similarly, it follows that I wouldn't want to scan my whole
CA SPAM folder.  Even reading the directory of the filenames is a disk
CA workout.
[SNIP]

How does AVAFTERJM cut down on work?  I thought it only affected the
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.



Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049




RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler


 How does AVAFTERJM cut down on work?  I thought it only 
 affected the order in which JM and AV ran, and that AV ran 
 each time, regardless of this setting.

The problem I know is when someone is reviewing held spam messages and has
the possibility to requeue them. In this case the message will be delivered
without being checked by Declude Virus.

Markus



RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler


 Instead of doing something like that, which will require 
 on-going, hands-on maint, why not just tag to hold those 
 which are identified by the scanner as suspicious or generic 
 and delete the rest?

This is another possible solution but my intention is to clean my server
of messages containing certain viruses. Those are the well-known top viri
like Sober, Netsky and Co.
Deleting them immediately, there will remain only a little crowd of viruses
and suspicious files. Whatever will happen in the future I have them on my
server and can keep them there also for one or two weeks in case it turns
out that some user is missing a legit message. In this case I can find the
message in my virus-folder on the server and requeue it even if it was
false-positive identified by some scanner as a fifteen-year-old
tequila-Virus.

Andrew's idea to parse the virus logfile instead of the content of each
virus-message is definitely an excellent idea. However there is a
simpler and more efficient possibility if we could delete infected messages by
the virus name.

Markus



 
 


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell \([EMAIL PROTECTED])

How does AVAFTERJM cut down on work?  I thought it only affected the
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.


The main benefit is that it cuts down on the amount of messages virus 
scanned thus saving resources.  It has been a MAJOR help for me. 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 




Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darin Cox
By running AVAFTERJM, you can use spam filtering to eliminate banned files
that you would otherwise have to review in the virus hold queue.  The
drawback is that marginal emails are not identified as banned files, but on
our system at least, running AVAFTERJM means less to review.

Darin.


- Original Message - 
From: Don Brown [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 27, 2006 9:45 AM
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME


Thursday, January 26, 2006, 2:33:11 AM, Colbeck, Andrew
[EMAIL PROTECTED] wrote:

CA[SNIP]
CA Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM
CA to cut down on the work, and this definitely leaves a gap in my
CA statistics.  Similarly, it follows that I wouldn't want to scan my whole
CA SPAM folder.  Even reading the directory of the filenames is a disk
CA workout.
[SNIP]

How does AVAFTERJM cut down on work?  I thought it only affected the
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.





RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Keith Johnson
Darrell,
  What happens in this scenario?  Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, let's say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days.  Does Declude Virus still run against it
prior to ROUTETO?  My fear is that the virus file will land in their
spam box untouched and the user will fire the virus off by looking at
file.

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME


 How does AVAFTERJM cut down on work?  I thought it only affected the
 order in which JM and AV ran, and that AV ran each time, regardless of
 this setting.

The main benefit is that it cuts down on the amount of messages virus 
scanned thus saving resources.  It has been a MAJOR help for me. 

Darrell


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell \([EMAIL PROTECTED])
Keith, 

It still gets virus scanned.  I have tons of viruses in my virus drop point 
for ROUTETO accounts. 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 



Keith Johnson writes: 


Darrell,
  What happens in this scenario?  Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, let's say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days.  Does Declude Virus still run against it
prior to ROUTETO?  My fear is that the virus file will land in their
spam box untouched and the user will fire the virus off by looking at
file.

Keith 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME 



How does AVAFTERJM cut down on work?  I thought it only affected the
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.


The main benefit is that it cuts down on the amount of messages virus 
scanned thus saving resources.  It has been a MAJOR help for me.  


Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.  




RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Keith Johnson
Darrell,
 I guess my question then is what advantage is it to have it run
prior to Virus if the Virus Scanner still scans it, won't it still use
the same CPU cycles?  

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME


Keith, 

It still gets virus scanned.  I have tons of viruses in my virus drop
point for ROUTETO accounts.

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 


Keith Johnson writes: 

 Darrell,
   What happens in this scenario.  Virus file comes in, 
 AVAFTERJM is turned on, thus Declude scans it for spam content, lets 
 say it is spam, thus ROUTETO sends it to a specific mailbox for 
 customer to review for certain amount of days.  Does Declude Virus 
 still run against it prior to ROUTETO?  My fear is that the virus file
 will land in their spam box untouched and the user will fire the virus
 off by looking at file.
 
 Keith
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
 ([EMAIL PROTECTED])
 Sent: Friday, January 27, 2006 10:02 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 
 How does AVAFTERJM cut down on work?  I thought it only affected the
 order in which JM and AV ran, and that AV ran each time, regardless of
 this setting.
 
 The main benefit is that it cuts down on the amount of messages virus
 scanned thus saving resources.  It has been a MAJOR help for me.  
 
 Darrell
  ---
 Check out http://www.invariantsystems.com for utilities for Declude, 
 Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
 SURBL/URI integration, MRTG Integration, and Log Parsers.
 


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
As a practical matter, about what percent fall into the category of
the Virus Scanner making a false positive? IOW, aren't you out hunting
mosquitos with hand grenades?


Friday, January 27, 2006, 8:58:25 AM, Markus Gufler [EMAIL PROTECTED] wrote:

 Instead of doing something like that, which will require 
 on-going, hands-on maint, why not just tag to hold those 
 which are identified by the scanner as suspicious or generic 
 and delete the rest?

MG This is another possible solution but my intention is to clean my server
MG from messages containing certain viruses. These are the well known top viri
MG like Sober, Netsky and Co.
MG Deleting them immediately there will remain only a little crowd of viruses
MG and suspicious files. Whatever will happen in the future I have them on my
MG server and can keep it there also for one or two weeks in the case it turns
MG out that some user is missing a legit message. In this case I can find the
MG message in my virus-folder on the server and requeue it even if it was
MG false positive-identified by some scanner as a fifteen year old
MG tequila-Virus.

MG Andrew's idea to parse the virus logfile instead of the content from each
MG virus-message is definitively an excellent idea. However there is a
MG simpler and more efficient possibility if we could delete infected messages by
MG the virus name.

MG Markus



 
 
 Wednesday, January 25, 2006, 4:37:28 PM, Markus Gufler 
 [EMAIL PROTECTED] wrote:
 MG Maybe someone has already requested it:
 
 MG Why not allow commands like
 
 MG DELETEVIRUSNAME Netsky
 MG DELETEVIRUSNAME Bagle
 MG ...
 
 MG in the virus.cfg file?
 
 MG I won't and can't delete all viruses on our server because there is
 MG always the possibility that a scanner is catching something as
 MG suspicious or generic
 
 MG But commands to delete certain virusnames should be very easy to
 MG implement and allow us to eliminate  95% of all hold viruses on our
 MG servers.
 
 MG Markus
 
 
 
 
 
 Don Brown - Dallas, Texas USA Internet Concepts, Inc.
 [EMAIL PROTECTED]   http://www.inetconcepts.net
 (972) 788-2364Fax: (972) 788-5049
 
 




Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049




Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Your first and second message seem to be contradictory or I'm dense.

#1 The main benefit is that it cuts down on the amount of messages
virus scanned thus saving resources.

#2 It still gets virus scanned.

So, with or without AVAFTERJM, it looks like each message is scanned by the
virus scanner (which makes sense to me).  If that is so, then how does it
cut down on machine resources?



Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:
Dsic Keith, 

Dsic It still gets virus scanned.  I have tons of viruses in my virus drop point
Dsic for ROUTETO accounts. 

Dsic Darrell
Dsic  ---
Dsic Check out http://www.invariantsystems.com for utilities for Declude, Imail,
Dsic mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
Dsic integration, MRTG Integration, and Log Parsers. 


Dsic Keith Johnson writes: 

 Darrell,
   What happens in this scenario.  Virus file comes in, AVAFTERJM
 is turned on, thus Declude scans it for spam content, lets say it is
 spam, thus ROUTETO sends it to a specific mailbox for customer to review
 for certain amount of days.  Does Declude Virus still run against it
 prior to ROUTETO?  My fear is that the virus file will land in their
 spam box untouched and the user will fire the virus off by looking at
 file.   
 
 Keith 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
 ([EMAIL PROTECTED])
 Sent: Friday, January 27, 2006 10:02 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME 
 
 
 How does AVAFTERJM cut down on work?  I thought it only affected the
 order in which JM and AV ran, and that AV ran each time, regardless of
 this setting.
 
 The main benefit is that it cuts down on the amount of messages virus 
 scanned thus saving resources.  It has been a MAJOR help for me.  
 
 Darrell
  ---
 Check out http://www.invariantsystems.com for utilities for Declude,
 Imail, 
 mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
 integration, MRTG Integration, and Log Parsers.  
 




Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049




RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler


 aren't you out hunting mosquitos with hand grenades?

If the mosquito is a very nasty but important customer it's better to use
tanks, MGs and whatever you can organize in order to prevent painful
stings...

On a day like today I could turn on DELETEVIRUSES with nearly zero risk in
order to keep the server disk clean. But what happens if tomorrow it turns out
that one of the scan engines has caught many legit messages as viruses due
to a new buggy signature or because a legit message unexpectedly contains
something suspicious? How do you explain to customers that the messages
are already deleted?

F-Prot's exit code 8 (suspicious files) has caught a lot of new unknown
viruses before signatures were available. So I use this exit code in my
config to hold messages. But suspicious could also be something legit we
don't know at the moment.

As far as I can understand, a feature like DELETEVIRUSNAME wouldn't require more
than 30 lines of code and 3 hours of work and it would eliminate any need
for own scripts on each server. This is not what I consider a hand
grenade...

Markus


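The policy argued for in the message above (delete only explicitly named families, hold anything suspicious or generic), sketched as an added example that is not part of the original thread and is not Declude code. DELETEVIRUSNAME is only the directive proposed in the thread; the config syntax, the scan-result fields and all sample names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Directive keywords that are too broad to delete on (assumption, based on
# the thread's concern about "suspicious"/"generic" catches).
BROAD_KEYWORDS = {"suspicious", "generic", "heuristic", "virus", "unknown"}

# Tokens in a reported name that mark a heuristic catch: always hold these.
HEURISTIC_MARKERS = {"suspicious", "generic", "heuristic"}

# The thread reports F-Prot exit code 8 as "suspicious files"; other
# scanners would need their own values here (assumption).
SUSPICIOUS_EXIT_CODES = {8}

# Constructed config text. "#" comment lines are an assumption.
SAMPLE_CFG = """\
# constructed example
DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
deletevirusname sober
DELETEVIRUSNAME suspicious
"""


@dataclass(frozen=True)
class ScanResult:
    message_id: str   # constructed spool id
    virus_name: str   # name string as reported by the scan engine
    exit_code: int    # scanner exit code; only 8 carries meaning here


def parse_delete_names(cfg_text):
    """Return (accepted, rejected) family names from DELETEVIRUSNAME lines."""
    accepted, rejected = [], []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].upper() != "DELETEVIRUSNAME":
            continue
        name = parts[1].strip().lower()
        # Refuse names that would also match heuristic or generic catches.
        if name in BROAD_KEYWORDS or len(name) < 4 or not name.isalnum():
            rejected.append(name)
        elif name not in accepted:
            accepted.append(name)
    return accepted, rejected


def name_tokens(virus_name):
    """Split 'W32/Netsky.P@mm' into {'w32', 'netsky', 'p', 'mm'}."""
    return set(re.split(r"[^a-z0-9]+", virus_name.lower())) - {""}


def decide(result, delete_names):
    """Return 'DELETE' only for a confident, explicitly listed family."""
    tokens = name_tokens(result.virus_name)
    if result.exit_code in SUSPICIOUS_EXIT_CODES:
        return "HOLD"   # scanner itself was unsure
    if tokens & HEURISTIC_MARKERS:
        return "HOLD"   # generic/heuristic name, may be legit mail
    if tokens & set(delete_names):
        return "DELETE"  # whole-token match, not a substring match
    return "HOLD"       # default: keep for review and possible requeue


def triage(results, delete_names):
    return {r.message_id: decide(r, delete_names) for r in results}


# Constructed scan results; exit code 3 is a placeholder for "infected".
SAMPLE_RESULTS = [
    ScanResult("D0001", "W32/Netsky.P@mm", 3),
    ScanResult("D0002", "W32/Bagle.AA@mm", 3),
    ScanResult("D0003", "W32/Netsky.P@mm", 8),
    ScanResult("D0004", "Tequila", 3),
    ScanResult("D0005", "Generic.Sober.dropper", 3),
]

if __name__ == "__main__":
    names, refused = parse_delete_names(SAMPLE_CFG)
    print("delete list:", names, "refused:", refused)
    for msg_id, action in triage(SAMPLE_RESULTS, names).items():
        print(msg_id, action)
```

The default branch is HOLD, so a typo in the list or an unlisted name can only leave more mail on disk, never delete more.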


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Dean Lawrence
I would think that you would want to do the opposite, running the virus scanner before junk mail. This way if a virus is caught, it can be handled (either deleted or moved to virus folder) and you save on the system having to run your spam tests. Also, you know that no viruses are being routed to mailboxes.


Dean
On 1/27/06, Don Brown [EMAIL PROTECTED] wrote:
Your first and second message seem to be contradictory or I'm dense.

#1 The main benefit is that it cuts down on the amount of messages
virus scanned thus saving resources.

#2 It still gets virus scanned.

So, with or without AVAFTERJM, it looks like each message is scanned by the
virus scanner (which makes sense to me).  If that is so, then how does it
cut down on machine resources?

Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:
Dsic Keith,

Dsic It still gets virus scanned.  I have tons of viruses in my virus drop point
Dsic for ROUTETO accounts.

Dsic Darrell
Dsic ---
Dsic Check out http://www.invariantsystems.com for utilities for Declude, Imail,
Dsic mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
Dsic integration, MRTG Integration, and Log Parsers.

Dsic Keith Johnson writes:

 Darrell,
 What happens in this scenario.  Virus file comes in, AVAFTERJM
 is turned on, thus Declude scans it for spam content, lets say it is
 spam, thus ROUTETO sends it to a specific mailbox for customer to review
 for certain amount of days.  Does Declude Virus still run against it
 prior to ROUTETO?  My fear is that the virus file will land in their
 spam box untouched and the user will fire the virus off by looking at
 file.

 Keith

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
 Sent: Friday, January 27, 2006 10:02 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

 How does AVAFTERJM cut down on work?  I thought it only affected the
 order in which JM and AV ran, and that AV ran each time, regardless of
 this setting.

 The main benefit is that it cuts down on the amount of messages virus
 scanned thus saving resources.  It has been a MAJOR help for me.

 Darrell
 ---
 Check out http://www.invariantsystems.com for utilities for Declude,
 Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
 SURBL/URI integration, MRTG Integration, and Log Parsers.

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364  Fax: (972) 788-5049

--
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler

 So, with or without AVAFTERJM, it looks like each message is 
 scanned by the virus scanner (which makes sense to me). 

Wrong... if you block the messages on the servers:

As we know, usually 50% of all incoming messages are spam.
We know too that resource usage of one or two scan-engines is way above the
entire spam filtering even if you use 5-6 external applications like
sniffer, inv-uribl, spamchk, ...

So if your spam filters are set up properly they will filter out at least
50% of all incoming messages before they will reach the av-engines.

Markus



RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Keith Johnson
Markus,
However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).
Is this not true?

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME


 So, with or without AVAFTERJM, it looks like each message is scanned 
 by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers:

As we know, usually 50% of all incoming messages are spam.
We know too that resource usage of one or two scan-engines is way above
the entire spam filtering even if you use 5-6 external applications like
sniffer, inv-uribl, spamchk, ...

So if your spam filters are set up properly they will filter out at
least 50% of all incoming messages before they will reach the
av-engines.

Markus



Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Matt




This is the crux of the issue that I would like to figure out.

I am however under the impression that if you DELETE a message, Declude
Virus never gets it. I suspect that HOLD and MAILBOX are also that
way. I am unsure about ROUTETO, and that is what really matters to me.

As far as savings of resources, it is apparently huge, especially for
those running multiple virus scanners. Virus scanning takes more CPU
than all but the biggest JunkMail configs (things like custom filters
with thousands of lines of BODY or ANYWHERE searches). I know that on
my system I Delete about 70% of all messages, ROUTETO about 10%, and
deliver about 20%. I would like to save on scanning what I would
otherwise be deleting with JunkMail.

Matt



Keith Johnson wrote:

  Markus,
However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).
Is this not true?

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME


  
  
So, with or without AVAFTERJM, it looks like each message is scanned 
by the virus scanner (which makes sense to me).

  
  
Wrong... if you block the messages on the servers:

As we know, usually 50% of all incoming messages are spam.
We know too that resource usage of one or two scan-engines is way above
the entire spam filtering even if you use 5-6 external applications like
sniffer, inv-uribl, spamchk, ...

So if your spam filters are set up properly they will filter out at
least 50% of all incoming messages before they will reach the
av-engines.

Markus



  





Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Nick Hayer




Don Brown wrote:

  
#1 "The main benefit is that it cuts down on the amount of messages
virus scanned thus saving resources."
  

correct.

  
#2 "It still gets virus scanned."
  

only those emails that get past the junkmail scanning. If you do not
delete any junkmail then there is no benefit

-Nick



  
So, with or without AVAFTERJM, it looks like each message is scanned by the virus
scanner (which makes sense to me).  If that is so, then how does it
cut down on machine resources?



Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:
Dsic Keith, 

Dsic It still gets virus scanned.  I have tons of viruses in my virus drop point
Dsic for ROUTETO accounts. 

Dsic Darrell
Dsic  ---
Dsic Check out http://www.invariantsystems.com for utilities for Declude, Imail,
Dsic mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
Dsic integration, MRTG Integration, and Log Parsers. 


Dsic Keith Johnson writes: 

  
  

  Darrell,
  What happens in this scenario.  Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, lets say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days.  Does Declude Virus still run against it
prior to ROUTETO?  My fear is that the virus file will land in their
spam box untouched and the user will fire the virus off by looking at
file.   

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME 


  
  
How does AVAFTERJM cut down on work?  I thought it only affected the
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.

  
  The main benefit is that it cuts down on the amount of messages virus 
scanned thus saving resources.  It has been a MAJOR help for me.  

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.  

  

  




Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049




  





Re: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

2006-01-27 Thread Matt




I thought that AV false positives can occur with definitions for known
virus names. In other words, if a message gets tagged as Bagle, it
might be legit 0.1% of the time. So would this really be a
complete solution?

Matt



Colbeck, Andrew wrote:

  Markus would find this handy (as would other die-hards who are often seen
to post in this forum) and would be willing to maintain a small list of
entries for which he would like this behaviour.

However, in addition to the FORGINGVIRUS DNS lookup feature that Declude
already implements*, perhaps they would be interested in also
implementing a DNS lookup feature for known virus names that customers
could just delete out of hand.

This would of course require ongoing maintenance on their part, and
trust from their customers.  Declude would provide a new switch to
govern this behaviour, which would default to OFF, e.g.

AUTODELETEKNOWNWORMS ON

Thus, Markus would be satisfied with being able to manually pick and
choose which virus families to delete, and administrators who want less
hands-on involvement could turn ON this feature to save disk space.

*The existing feature exists to skip email notification when the scanner
engine returns the name of a known virus/worm that Declude knows forges
the MAILFROM.  The FORGINGVIRUS x feature is a manual version of
this feature that lets the Declude customer add in more viruses.  As far
as I know, Declude.com does not keep a public list of the virus names
that they test for via DNS.  Please correct me if I'm wrong on any of
this.

Andrew 8)



  
  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Wednesday, January 25, 2006 2:37 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME

Maybe someone has already requested it:

Why not allow commands like 

DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
...

in the virus.cfg file?

I won't and can't delete all viruses on our server because 
there is always the possibility that a scanner is catching 
something as "suspicious" or "generic" 

But commands to delete certain virusnames should be very easy 
to implement and allow us to eliminate  95% of all hold 
viruses on our servers.

Markus



  





RE: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

2006-01-27 Thread Markus Gufler



Then you maybe should keep AUTODELETEKNOWNWORMS OFF

My fear is not really having false positives with real viruses. The
suspicious exit code seems dangerous to me for having false positives.

So the big part of definitively known, forging, 100% unwanted and
programmatically created virus-messages can be deleted by keeping a small
part of virus messages on the disk for some (more) days.

Markus


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Friday, January 27, 2006 7:09 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

  I thought that AV false positives can occur with definitions for
  known virus names. In other words, if a message gets tagged as Bagle, it
  might be legit 0.1% of the time. So would this really be a complete
  solution?

  Matt

  Colbeck, Andrew wrote:
  Markus would find this handy (as would other die-hards who are often seen
to post in this forum) and would be willing to maintain a small list of
entries for which he would like this behaviour.

However, in addition to the FORGINGVIRUS DNS lookup feature that Declude
already implements*, perhaps they would be interested in also
implementing a DNS lookup feature for known virus names that customers
could just delete out of hand.

This would of course require ongoing maintenance on their part, and
trust from their customers.  Declude would provide a new switch to
govern this behaviour, which would default to OFF, e.g.

AUTODELETEKNOWNWORMS ON

Thus, Markus would be satisfied with being able to manually pick and
choose which virus families to delete, and administrators who want less
hands-on involvement could turn ON this feature to save disk space.

*The existing feature exists to skip email notification when the scanner
engine returns the name of a known virus/worm that Declude knows forges
the MAILFROM.  The FORGINGVIRUS x feature is a manual version of
this feature that lets the Declude customer add in more viruses.  As far
as I know, Declude.com does not keep a public list of the virus names
that they test for via DNS.  Please correct me if I'm wrong on any of
this.

Andrew 8)



  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Wednesday, January 25, 2006 2:37 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME

Maybe someone has already requested it:

Why not allow commands like 

DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
...

in the virus.cfg file?

I won't and can't delete all viruses on our server because 
there is always the possibility that a scanner is catching 
something as "suspicious" or "generic" 

But commands to delete certain virusnames should be very easy 
to implement and allow us to eliminate  95% of all hold 
viruses on our servers.

Markus


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


  


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

2006-01-27 Thread Colbeck, Andrew



No Matt, it wouldn't be a complete solution for you 
or me. We don't trust DELETE actions at all.

Markus however, is ok with a DELETE action, as with many 
others, so I'm pretty confident that they would be ok with an autodelete as 
well, while trusting that Declude.com isn't going to make a mistake with a bad 
keyword listing such as "suspicious" or "virus" (as opposed to desired behaviour 
like "nyxem", "netsky", "bagle", "mytob", "sober").

For you and me, I think we'd want a "HOLD 
[Path[\]][%DATE%]" action in the DecludeEVA product that let us specify a 
different HOLD folder. Any add-on web scripts that those ISPs or 
Gatewaying companies have developed so that the end-user can self-service 
their spam/virus folder would not include this secondary HOLD folder and 
the ISP could take timed and scripted actions on these folders as they see 
fit.

To make that work, we would then want a mechanism to 
distinguish the detected viruses and move the *.smd files to the correct HOLD 
folder accordingly. But that's a different thread, eh?

Andrew 8)



  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Friday, January 27, 2006 10:09 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

  I thought that AV false positives can occur with definitions for 
  known virus names. In other words, if a message gets tagged as Bagle, it 
  might be legit 0.1% of the time. So would this really be a complete 
  solution?

  Matt

  Colbeck, Andrew wrote: 
  Markus would find this handy (as would other die-hards who are often seen
to post in this forum) and would be willing to maintain a small list of
entries for which he would like this behaviour.

However, in addition to the FORGINGVIRUS DNS lookup feature that Declude
already implements*, perhaps they would be interested in also
implementing a DNS lookup feature for known virus names that customers
could just delete out of hand.

This would of course require ongoing maintenance on their part, and
trust from their customers.  Declude would provide a new switch to
govern this behaviour, which would default to OFF, e.g.

AUTODELETEKNOWNWORMS ON

Thus, Markus would be satisfied with being able to manually pick and
choose which virus families to delete, and administrators who want less
hands-on involvement could turn ON this feature to save disk space.

*The existing feature exists to skip email notification when the scanner
engine returns the name of a known virus/worm that Declude knows forges
the MAILFROM.  The FORGINGVIRUS x feature is a manual version of
this feature that lets the Declude customer add in more viruses.  As far
as I know, Declude.com does not keep a public list of the virus names
that they test for via DNS.  Please correct me if I'm wrong on any of
this.

Andrew 8)



  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Wednesday, January 25, 2006 2:37 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME

Maybe someone has already requested it:

Why not allow commands like 

DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
...

in the virus.cfg file?

I won't and can't delete all viruses on our server because 
there is always the possibility that a scanner is catching 
something as "suspicious" or "generic" 

But commands to delete certain virusnames should be very easy 
to implement and allow us to eliminate 95% of all hold 
viruses on our servers.

Markus


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
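
The per-family delete rule requested in this thread, combined with the keyword caveat Andrew raises about "suspicious" and "virus", as an added Python example (not Declude code and not written by any poster). The `DELETEVIRUSNAME <family>` line format follows Markus's proposal; the banned-keyword list, the token matching and the sample virus names are assumptions constructed for illustration.

```python
"""Added example: delete held virus mail only for explicitly listed families."""
import re

# Keywords that describe a detection type rather than a virus family.
# Accepting one as a delete rule would match heuristic hits (assumed list).
BANNED_KEYWORDS = {"suspicious", "generic", "heuristic", "virus", "worm",
                   "trojan", "unknown", "possible", "variant"}
# Token prefixes in a scanner-reported name that mean "not an exact hit".
UNCERTAIN_PREFIXES = ("suspic", "generic", "heur", "possibl", "unknown")
MIN_KEYWORD_LEN = 4

# Constructed sample of the proposed virus.cfg lines, including bad entries.
SAMPLE_CFG = """\
# constructed sample
DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
DELETEVIRUSNAME suspicious
DELETEVIRUSNAME virus
DELETEVIRUSNAME mm
"""


def load_rules(cfg_text):
    """Return (accepted family keywords, rejected entries with reasons)."""
    rules, rejected = [], []
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if not parts or parts[0].upper() != "DELETEVIRUSNAME":
            continue  # comments, blanks and other directives are ignored
        keyword = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword in BANNED_KEYWORDS:
            rejected.append((lineno, keyword, "detection type, not a family"))
        elif len(keyword) < MIN_KEYWORD_LEN or not keyword.isalnum():
            rejected.append((lineno, keyword, "too short or not one word"))
        elif keyword not in rules:
            rules.append(keyword)
    return rules, rejected


def tokens(name):
    """Split 'W32/Netsky.P@mm' into ['w32', 'netsky', 'p', 'mm']."""
    return [t for t in re.split(r"[^a-z0-9]+", name.lower()) if t]


def is_uncertain(name):
    """True for heuristic or generic detections, which must stay on HOLD."""
    return any(t == "gen" or t.startswith(UNCERTAIN_PREFIXES)
               for t in tokens(name))


def decide(virus_names, rules):
    """Decide the action for one message from the names all scanners reported.

    DELETE only when every reported name is an exact hit for a listed
    family; anything else stays on HOLD for a human to review.
    """
    if not virus_names:
        return ("HOLD", "no virus name reported")
    families = set()
    for name in virus_names:
        if is_uncertain(name):
            return ("HOLD", "uncertain detection: " + name)
        toks = tokens(name)
        hit = next((k for k in rules if k in toks), None)
        if hit is None:
            return ("HOLD", "no delete rule for: " + name)
        families.add(hit)
    return ("DELETE", ",".join(sorted(families)))


if __name__ == "__main__":
    rules, rejected = load_rules(SAMPLE_CFG)
    print("accepted:", rules)
    for entry in rejected:
        print("rejected:", entry)
    # Constructed scanner outputs, one list per message.
    for names in (["W32/Netsky.P@mm"],
                  ["W32/Netsky.P@mm", "Worm.Bagle.Gen"],
                  ["W32/Mytob.C@mm"],
                  ["Possibly a new variant of W32/Netsky"]):
        print(names, "->", decide(names, rules))
```

Matching on whole tokens rather than substrings keeps a short or common fragment such as `mm` from acting as a delete rule for every mass-mailer name.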


  


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])
Keith, 

We don't ROUTETO all of our mail.  We hold and delete on a bunch.  In this 
case 95% of mail is not virus scanned.  If you routeto everything then I 
suspect you will not save any cycles. 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 



Keith Johnson writes: 


Darrell,
 I guess my question then is what advantage is it to have it run
prior to Virus if the Virus Scanner still scans it, won't it still use
the same CPU cycles?   

Keith 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME 



Keith,  


It still gets virus scanned.  I have tons of viruses in my virus drop point
for ROUTETO accounts.  


Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.  



Keith Johnson writes:  


Darrell,
  What happens in this scenario.  Virus file comes in, 
AVAFTERJM is turned on, thus Declude scans it for spam content, lets 
say it is spam, thus ROUTETO sends it to a specific mailbox for 
customer to review for certain amount of days.  Does Declude Virus 
still run against it prior to ROUTETO?  My fear is that the virus file
will land in their spam box untouched and the user will fire the virus
off by looking at file.

Keith 


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell

([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME 




How does AVAFTERJM cut down on work?  I thought it only affected the
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.


The main benefit is that it cuts down on the amount of messages virus
scanned thus saving resources.  It has been a MAJOR help for me.   


Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers. 





---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Seems there is some confusion about whether or not AVAFTERJM prevents
AV from running.  Some say it does and some say it doesn't matter - AV
still runs on all messages.

So, I guess we first need to have someone from Declude tell us, FOR
SURE, which it is. There isn't much in either section 9.1 or elsewhere
in the JM manual and I didn't find anything in the AV manual about
AVAFTERJM. So, DECLUDE, does, under any circumstances, AVAFTERJM cause
AV not to be run on a message?

In the event that Declude responds that AV is prevented from running
under some or all circumstances by using AVAFTERJM, then:

  1. It seems to me that if you are holding messages which were not AV
  scanned and which could later be dropped into the queue for
  processing, that eventually Murphy will make sure that a virus
  infected message is released to an end-user.

  2. You are putting a bandaid on a gunshot wound or treating the
  symptom rather than the disease. If you are starved for cycles, plan
  to scale up or use gateways to separate the processes and reduce the
  bottleneck.

  FWIW

Friday, January 27, 2006, 11:02:32 AM, Markus Gufler [EMAIL PROTECTED] wrote:
 So, with or without AVAFTERJM, it looks like each message is 
 scanned by the virus scanner (which makes sense to me). 

MG Wrong... if you block the messages on the servers:

MG As we know usually 50% of all incoming messages are spam.
MG We know too that resource usage of one or two scan-engines is way above the
MG entire spam filtering even if you use 5-6 external applications like
MG sniffer, inv-uribl, spamchk, ...

MG So if your spam filters are set up properly they will filter out at least
MG 50% of all incoming messages before they will reach the av-engines.

MG Markus





Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364    Fax: (972) 788-5049


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])
Don, 

Messages that are HOLD or DELETE are not virus scanned.  ROUTETO gets 
virus scanned.  In summary you have to look at your situation and if it 
makes sense for you.  We don't do much ROUTETO so it makes sense for us and 
saves a significant amount of CPU. 

Darrell 


---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 



Don Brown writes: 

Your first and second message seem to be contradictory or I'm dense. 


#1 The main benefit is that it cuts down on the amount of messages
virus scanned thus saving resources. 

#2 It still gets virus scanned. 


So, with or without AVAFTERJM, it looks like each message is scanned by the
virus scanner (which makes sense to me).  If that is so, then how does it
cut down on machine resources? 

 


Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:
Dsic Keith,  


Dsic It still gets virus scanned.  I have tons of viruses in my virus drop point
Dsic for ROUTETO accounts.  


Dsic Darrell
Dsic  ---
Dsic Check out http://www.invariantsystems.com for utilities for Declude, 
Imail,
Dsic mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
Dsic integration, MRTG Integration, and Log Parsers.  



Dsic Keith Johnson writes:  


Darrell,
  What happens in this scenario.  Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, lets say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days.  Does Declude Virus still run against it
prior to ROUTETO?  My fear is that the virus file will land in their
spam box untouched and the user will fire the virus off by looking at
file.

Keith  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME  



How does AVAFTERJM cut down on work?  I thought it only affected the 
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.


The main benefit is that it cuts down on the amount of messages virus 
scanned thus saving resources.  It has been a MAJOR help for me.   


Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.   



 



Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364    Fax: (972) 788-5049
 





---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned. 

Think of it this way anything that ends up being delivered somewhere (i.e. 
mailbox etc) gets scanned. 

Darrell 



Matt writes: 

This is the crux of the issue that I would like to figure out. 

I am however under the impression that if you DELETE a message, Declude 
Virus never gets it.  I suspect that HOLD and MAILBOX are also that way.  
I am unsure about ROUTETO, and that is what really matters to me. 

As far as savings of resources, it is apparently huge, especially for 
those running multiple virus scanners.  Virus scanning takes more CPU than 
all but the biggest JunkMail configs (things like custom filters with 
thousands of lines of BODY or ANYWHERE searches).  I know that on my 
system I Delete about 70% of all messages, ROUTETO about 10%, and deliver 
about 20%.  I would like to save on scanning what I would otherwise be 
deleting with JunkMail. 

Matt 

 

Keith Johnson wrote: 


Markus,
   However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).
Is this not true? 

Keith  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME 



  

So, with or without AVAFTERJM, it looks like each message is scanned by 
the virus scanner (which makes sense to me).




Wrong... if you block the messages on the servers: 


As we know usually 50% of all incoming messages are spam.
We know too that resource usage of one or two scan-engines is way above
the entire spam filtering even if you use 5-6 external applications like
sniffer, inv-uribl, spamchk, ... 


So if your spam filters are set up properly they will filter out at
least 50% of all incoming messages before they will reach the
av-engines. 

Markus 





  





---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Dan Horne
IIRC, the HOLD action was where the risk came in.  Messages that are
held by Declude using AVAFTERJM and then manually re-queued (via, say,
the old SpamReview app) would NOT be scanned for viruses at all, since
re-queued messages bypass Declude altogether.   

HOLD is the only 'semi-final' action.  All other actions either deliver
the email to an mbox (in which case it is scanned by EVA), or remove the
message completely (which is where the saved cycles come in).  

IMO, AVAFTERJM should be changed so that only deleted emails, not held
ones, bypass the AV scan.   In other words, all messages should be
first scanned for spam, then the ones that are not DELETED should all be
scanned for viruses.  This would close the security risk from re-queued
messages.  The AVAFTERJM option would then only be useful for those that
use the DELETE action, but with the huge security risk involved in
requeueing unscanned messages I think that it is ALREADY only useful for
those that use the DELETE action.  Unfortunately the manual isn't clear
on this point.

At the very least, Declude should add a warning to the manual around
AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the
same configuration.

--DH

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned. 

Think of it this way anything that ends up being delivered somewhere
(i.e. mailbox etc) gets scanned. 

Darrell 


Matt writes: 

 This is the crux of the issue that I would like to figure out. 
 
 I am however under the impression that if you DELETE a message, 
 Declude Virus never gets it.  I suspect that HOLD and MAILBOX are also
that way.
 I am unsure about ROUTETO, and that is what really matters to me. 
 
 As far as savings of resources, it is apparently huge, especially for 
 those running multiple virus scanners.  Virus scanning takes more CPU 
 than all but the biggest JunkMail configs (things like custom filters 
 with thousands of lines of BODY or ANYWHERE searches).  I know that on

 my system I Delete about 70% of all messages, ROUTETO about 10%, and 
 deliver about 20%.  I would like to save on scanning what I would 
 otherwise be deleting with JunkMail.
 
 Matt
 
  
 
 Keith Johnson wrote: 
 
 Markus,
However, Darrell mentioned that the AV scanner still runs once 
 action is taken against the SPAM message (i.e. routeto, subject,
etc.).
 Is this not true? 
 
 Keith
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Friday, January 27, 2006 12:03 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 
   
 
 So, with or without AVAFTERJM, it looks like each message is scanned

 by the virus scanner (which makes sense to me).
 
 
 
 Wrong... if you block the messages on the servers: 
 
 As we know usually 50% of all incoming messages are spam.
 We know too that resource usage of one or two scan-engines is way 
 above the entire spam filtering even if you use 5-6 external 
 applications like sniffer, inv-uribl, spamchk, ...
 
 So if your spam filters are set up properly they will filter out at
 least 50% of all incoming messages before they will reach the 
 av-engines.
 
 Markus
 
 
 
   
 
 


 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers. 

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
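
The check Dan proposes above (do not combine AVAFTERJM with HOLD), written as a small config audit in Python. This is an added example, not Declude code and not from any poster. The `TESTNAME ACTION` line format, the placement of the `AVAFTERJM` switch in the same text, the `requeue_rescans` parameter and both sample configurations are assumptions constructed for illustration; the action names and their scan behaviour are the ones posters report in this thread.

```python
"""Added example: flag JunkMail actions that leave mail unscanned under AVAFTERJM."""

# Scan behaviour with AVAFTERJM ON, as reported by posters in this thread.
SKIPS_SCAN = {"HOLD", "DELETE"}
SCANNED = {"ROUTETO", "COPYTO", "WARN", "SUBJECT", "HEADER", "FOOTER",
           "ALERT", "LOG", "BEEP", "DELETE_RECIPIENT"}
UNCONFIRMED = {"COPYFILE", "MAILBOX", "ATTACH", "BOUNCEONLYIFYOUMUST"}

# Constructed sample: HOLD together with AVAFTERJM ON.
SAMPLE_RISKY = """\
# constructed sample
AVAFTERJM ON
SNIFFER HOLD
INV-URIBL DELETE
SPAMCHK MAILBOX spamfolder
"""

# Constructed sample: held mail replaced by ROUTETO, which is virus scanned.
SAMPLE_FIXED = """\
AVAFTERJM ON
SNIFFER ROUTETO quarantine@example.com
INV-URIBL DELETE
SPAMCHK ROUTETO quarantine@example.com
"""


def parse_config(text):
    """Return (avafterjm_on, [(lineno, test, action), ...])."""
    avafterjm, rules = False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or incomplete entry
        name, value = fields[0].upper(), fields[1].upper()
        if name == "AVAFTERJM":
            avafterjm = (value == "ON")
        else:
            rules.append((lineno, name, value))
    return avafterjm, rules


def audit(text, requeue_rescans=None):
    """List (severity, lineno, test, action, reason) findings.

    requeue_rescans: True if held mail is re-queued through a path that
    runs the scanners again, False if the re-queue path bypasses them,
    None if the operator has not verified which applies.
    """
    avafterjm, rules = parse_config(text)
    if not avafterjm:
        return []  # AV runs first, so no action can skip the scan
    findings = []
    for lineno, test, action in rules:
        if action == "HOLD":
            if requeue_rescans is True:
                sev, why = "INFO", "held mail is stored unscanned; re-queue rescans it"
            elif requeue_rescans is False:
                sev, why = "HIGH", "held mail is never scanned and re-queue bypasses the scanner"
            else:
                sev, why = "WARN", "held mail is stored unscanned; verify the re-queue path"
        elif action in UNCONFIRMED:
            sev, why = "WARN", "scan behaviour for this action is not confirmed"
        elif action in SKIPS_SCAN or action in SCANNED:
            continue  # deleted mail is gone; delivered mail is scanned
        else:
            sev, why = "WARN", "action not covered by the thread's summary"
        findings.append((sev, lineno, test, action, why))
    return findings


if __name__ == "__main__":
    for label, cfg in (("risky", SAMPLE_RISKY), ("fixed", SAMPLE_FIXED)):
        print(label)
        for finding in audit(cfg, requeue_rescans=False):
            print("  ", finding)
```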


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
There is no perfect Spam or Virus system.  There will either be false
positives, missed Spam or Viruses or a combination of both.
Therefore, if the customer is expecting absolute perfection, then I
think the problem is one of a customer with unrealistic expectations.

You said, "what happens if tomorrow turns out that scan engines has
caught many legit messages as viruses due to a new buggy signature."
Well, then you need to HOLD ALL messages tagged as containing a virus,
if you are that anal about it and that makes your original point moot.
For instance, you've solved nothing if you had "Bagle" hard coded to
be deleted and that was the buggy one in the signature file.  How
often does this really happen - does it happen more than 1% of the
time?  It hasn't shown to be an issue in our case, but I think we'd
all be interested in your statistics which show it as a significant
exposure to false positives.

You said, "or because a legit message unexpected contains something
suspicious." My previous comment was to hold all of those tagged as
suspicious. Do you have good statistics on these, which show a
significant false positive rate?  I think we'd all be interested in
your finding . . .

Thanks,


Friday, January 27, 2006, 10:56:56 AM, Markus Gufler [EMAIL PROTECTED] wrote:

 aren't you out hunting mosquitos with hand grenades?

MG If the mosquito is a very nasty but important customer it's better using
MG tank's, mg's and whatever you can organize in order to prevent painful
MG stings...

MG On a day like today I could turn on DELETEVIRUSES with nearly zero risk in
MG order to keep the server disk clean. But what happens if tomorrow turns out
MG that one of the scan engines has caught many legit messages as viruses due
MG to a new buggy signature or because a legit message unexpected contains
MG something suspicious. How do you explain to customers that the messages
MG are already deleted?

MG F-Prot's exit code 8 (suspicious files) has caught a lot of new unknown
MG viruses before signatures were available. So I use this exit code in my
MG config to hold messages. But suspicious could also be something legit we
MG don't know at the moment.

MG As I can understand a feature like DELETEVIRUSNAME wouldn't require more
MG than 30 lines of code and 3 hours of work and it would eliminate any need
MG for own scripts on each server. This is not what I consider a hand
MG grenade...

MG Markus






Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364    Fax: (972) 788-5049


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Colbeck, Andrew
 IIRC, the HOLD action was where the risk came in.  Messages 
 that are held by Declude using AVAFTERJM and then manually 
 re-queued (via, say, the old SpamReview app) would NOT be 
 scanned for viruses at all, since
 re-queued messages bypass Declude altogether.   

snip

 At the very least, Declude should add a warning to the manual 
 around AVAFTERJM that says that AVAFTERJM and HOLD should not 
 be used in the same configuration.
 
 --DH

Dan, this is all implementation dependent.  Your observed behaviour is
not universal to Declude deployments.

Specifically, re-queued messages on IMail systems do indeed get scanned
by Declude JunkMail and EVA when the Q*.SMD is moved to the overflow
folder (as opposed to being moved to the spool folder with the D*.SMD
file).

Given this re-queuing method, I disagree with your conclusion.  I do
agree that there is a gap in the functionality and/or the manual on how
re-queuing is accomplished and what the wrinkles are.

Andrew 8)


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
 Sent: Friday, January 27, 2006 11:12 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 
 HOLD is the only 'semi-final' action.  All other actions 
 either deliver the email to an mbox (in which case it is 
 scanned by EVA), or remove the message completely (which is 
 where the saved cycles come in).  
 
 IMO, AVAFTERJM should be changed so that only deleted emails, not held
 ones, bypass the AV scan.   In other words, all messages should be
 first scanned for spam, then the ones that are not DELETED 
 should all be scanned for viruses.  This would close the 
 security risk from re-queued messages.  The AVAFTERJM option 
 would then only be useful for those that use the DELETE 
 action, but with the huge security risk involved in 
 requeueing unscanned messages I think that it is ALREADY only 
 useful for those that use the DELETE action.  Unfortunately 
 the manual isn't clear on this point.
 
 At the very least, Declude should add a warning to the manual 
 around AVAFTERJM that says that AVAFTERJM and HOLD should not 
 be used in the same configuration.
 
 --DH
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
 ([EMAIL PROTECTED])
 Sent: Friday, January 27, 2006 1:54 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM 
 ROUTETO, SUBJECT, Etc - Does get virus scanned. 
 
 Think of it this way anything that ends up being delivered 
 somewhere (i.e. 
 mailbox etc) gets scanned. 
 
 Darrell 
 
 
 Matt writes: 
 
  This is the crux of the issue that I would like to figure out. 
  
  I am however under the impression that if you DELETE a message, 
  Declude Virus never gets it.  I suspect that HOLD and 
 MAILBOX are also
 that way.
  I am unsure about ROUTETO, and that is what really matters to me. 
  
  As far as savings of resources, it is apparently huge, 
 especially for 
  those running multiple virus scanners.  Virus scanning 
 takes more CPU 
  than all but the biggest JunkMail configs (things like 
 custom filters 
  with thousands of lines of BODY or ANYWHERE searches).  I 
 know that on
 
  my system I Delete about 70% of all messages, ROUTETO about 
 10%, and 
  deliver about 20%.  I would like to save on scanning what I would 
  otherwise be deleting with JunkMail.
  
  Matt
  
   
  
  Keith Johnson wrote: 
  
  Markus,
 However, Darrell mentioned that the AV scanner still runs once 
  action is taken against the SPAM message (i.e. routeto, subject,
 etc.).
  Is this not true? 
  
  Keith
  
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
  Sent: Friday, January 27, 2006 12:03 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
  
  

  
  So, with or without AVAFTERJM, it looks like each message 
 is scanned
 
  by the virus scanner (which makes sense to me).
  
  
  
  Wrong... if you block the messages on the servers: 
  
  As we know usually 50% of all incoming messages are spam.
  We know too that resource usage of one or two scan-engines is way 
  above the entire spam filtering even if you use 5-6 external 
  applications like sniffer, inv-uribl, spamchk, ...
  
  So if your spam filters are set up properly they will filter out at
  least 50% of all incoming messages before they will reach the 
  av-engines.
  
  Markus
  

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Matt




Let me try to summarize what seems to be the consensus here.

With AVAFTERJM ON, only certain final actions will result in no virus
scanning.  Those apparently include the following:

    HOLD
    DELETE
    DELETE_RECIPIENT (for the deleted recipients)

On the following final actions, virus scanning will occur:

    DELETE_RECIPIENT (for non-deleted recipients)
    ROUTETO
    COPYTO
    WARN
    SUBJECT
    HEADER
    FOOTER
    ALERT
    LOG
    BEEP

The following final actions are unclear to me as to the behavior and I
haven't seen a mention about them here:

    COPYFILE (for the file copied not the one delivered, might copy the virus)
    MAILBOX (maybe bypasses virus scanning, could use ROUTETO instead)
    ATTACH (not sure how this affects virus scanning, could bypass it in certain situations or all)
    BOUNCEONLYIFYOUMUST (might bypass virus scanning)

It would seem that the only new issues under the most common
configurations where spam is captured to accounts using ROUTETO would
be that undetected viruses could land in these accounts.  This is
probably not that much E-mail on the typical day, though it could
potentially include banned extensions that would create bounces with
JunkMail running last.  There would be an advantage to this in that it
would help stop backscatter though.  One could create a filter to
segregate messages in these spam capture accounts that contained a
common virus executable so that they could be handled differently, for
instance, one could use the HEADER action or WARN action to tag the
headers and then use IMail rules to move these messages into a special
folder or delete them from the spam capture accounts if that was
preferred.

Would people agree that this is accurate?

Matt






Darrell ([EMAIL PROTECTED]) wrote:

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned.

Think of it this way anything that ends up being delivered somewhere
(i.e. mailbox etc) gets scanned.

Darrell

Matt writes:

This is the crux of the issue that I would like to figure out.

I am however under the impression that if you DELETE a message, Declude
Virus never gets it.  I suspect that HOLD and MAILBOX are also that
way.  I am unsure about ROUTETO, and that is what really matters to me.

As far as savings of resources, it is apparently huge, especially for
those running multiple virus scanners.  Virus scanning takes more CPU
than all but the biggest JunkMail configs (things like custom filters
with thousands of lines of BODY or ANYWHERE searches).  I know that on
my system I Delete about 70% of all messages, ROUTETO about 10%, and
deliver about 20%.  I would like to save on scanning what I would
otherwise be deleting with JunkMail.

Matt

Keith Johnson wrote:

Markus,

However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).
Is this not true?

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

So, with or without AVAFTERJM, it looks like each message is scanned by
the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers:

As we know usually 50% of all incoming messages are spam.
We know too that resource usage of one or two scan-engines is way above
the entire spam filtering even if you use 5-6 external applications like
sniffer, inv-uribl, spamchk, ...

So if your spam filters are set up properly they will filter out at
least 50% of all incoming messages before they will reach the
av-engines.

Markus
---
  
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers. 

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Matt




Dan,

You might try COPYFILE which is essentially HOLD, but it adds the
Declude headers to the messages. COPYFILE won't block the E-mail
however, so you might want to either ROUTETO null, or HOLD and just
delete what is in that folder since you have another copy. I am
unclear about whether or not the COPYFILE action happens before or
after virus scanning with AVAFTERJM ON, so that would need to be
verified, but it might be a good workaround if this is a problem.

Matt



Dan Horne wrote:

  IIRC, the HOLD action was where the risk came in.  Messages that are
held by Declude using AVAFTERJM and then manually re-queued (via, say,
the old SpamReview app) would NOT be scanned for viruses at all, since
re-queued messages bypass Declude altogether.   

HOLD is the only 'semi-final' action.  All other actions either deliver
the email to an mbox (in which case it is scanned by EVA), or remove the
message completely (which is where the saved cycles come in).  

IMO, AVAFTERJM should be changed so that only deleted emails, not held
ones, bypass the AV scan.   In other words, all messages should be
first scanned for spam, then the ones that are not DELETED should all be
scanned for viruses.  This would close the security risk from re-queued
messages.  The AVAFTERJM option would then only be useful for those that
use the DELETE action, but with the huge security risk involved in
requeueing unscanned messages I think that it is ALREADY only useful for
those that use the DELETE action.  Unfortunately the manual isn't clear
on this point.

At the very least, Declude should add a warning to the manual around
AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the
same configuration.

--DH

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned.

Think of it this way anything that ends up being delivered somewhere
(i.e. mailbox etc) gets scanned.

Darrell 



Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Matt




Correction. COPYFILE wouldn't work with HOLD, so you would need to
ROUTETO null.

Matt



Matt wrote:

  
Dan,
  
You might try COPYFILE which is essentially HOLD, but it adds the
Declude headers to the messages. COPYFILE won't block the E-mail
however, so you might want to either ROUTETO null, or HOLD and just
delete what is in that folder since you have another copy. I am
unclear about whether or not the COPYFILE action happens before or
after virus scanning with AVAFTERJM ON, so that would need to be
verified, but it might be a good workaround if this is a problem.
  
Matt
  
  
  

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Thanks.

We use both hold and delete, but not routeto.

I don't mind saving cycles.

I guess that instead of using HOLD we could ROUTETO the Spam Hold
folder and mitigate the risk of dropping a virus infected message back
into the queue.  Comments about this??

Thanks,

Friday, January 27, 2006, 12:51:41 PM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:
Dsic Don,

Dsic Messages that are HOLD or DELETE are not virus scanned.  ROUTETO gets
Dsic virus scanned.  In summary you have to look at your situation and if it
Dsic makes sense for you.  We don't do much ROUTETO so it makes sense for us and
Dsic saves a significant amount of CPU.

Dsic Darrell 



Dsic Don Brown writes: 

 Your first and second message seem to be contradictory or I'm dense. 
 
 #1 The main benefit is that it cuts down on the amount of messages
 virus scanned thus saving resources. 
 
 #2 It still gets virus scanned. 
 
 So, with or without AVAFTERJM, it looks like each message is scanned by the
 virus scanner (which makes sense to me).  If that is so, then how does it
 cut down on machine resources?
 
  
 
 Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:
 Dsic Keith,

 Dsic It still gets virus scanned.  I have tons of viruses in my virus drop point
 Dsic for ROUTETO accounts.
 
 Dsic Darrell
 
 
 Dsic Keith Johnson writes:  
 
 Darrell,
   What happens in this scenario.  Virus file comes in, AVAFTERJM
 is turned on, thus Declude scans it for spam content, let's say it is
 spam, thus ROUTETO sends it to a specific mailbox for customer to review
 for certain amount of days.  Does Declude Virus still run against it
 prior to ROUTETO?  My fear is that the virus file will land in their
 spam box untouched and the user will fire the virus off by looking at
 file.
 
 Keith  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
 ([EMAIL PROTECTED])
 Sent: Friday, January 27, 2006 10:02 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME  
 
 
 How does AVAFTERJM cut down on work?  I thought it only affected the
 order in which JM and AV ran, and that AV ran each time, regardless of
 this setting.
 
 The main benefit is that it cuts down on the amount of messages virus 
 scanned thus saving resources.  It has been a MAJOR help for me.   
 
 Darrell
 
  
 
 
 Don Brown - Dallas, Texas USA Internet Concepts, Inc.
 [EMAIL PROTECTED]   http://www.inetconcepts.net
 (972) 788-2364Fax: (972) 788-5049
  
 




Don Brown - Dallas, Texas USA

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown



Friday, January 27, 2006, 1:12:04 PM, Dan Horne [EMAIL PROTECTED] wrote:
DH [SNIP]
DH IMO, AVAFTERJM should be changed so that only deleted emails, not held
DH ones, bypass the AV scan.   In other words, all messages should be
DH first scanned for spam, then the ones that are not DELETED should all be
DH scanned for viruses.  This would close the security risk from re-queued
DH messages.
DH [SNIP]
DH --DH
[SNIP]
I agree.  However, as a work-around for now, could we use ROUTETO and
a mailbox, but on the 'directory' tab for that user/mailbox, change to
specify the Spam hold folder?




Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049




Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Scott Fisher



COPYFILE does not add any Declude headers.

  - Original Message -
  From: Matt
  To: Declude.Virus@declude.com
  Sent: Friday, January 27, 2006 1:28 PM
  Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

  Dan,

  You might try COPYFILE which is essentially HOLD, but it adds the
  Declude headers to the messages. COPYFILE won't block the E-mail
  however, so you might want to either ROUTETO null, or HOLD and just
  delete what is in that folder since you have another copy. I am
  unclear about whether or not the COPYFILE action happens before or
  after virus scanning with AVAFTERJM ON, so that would need to be
  verified, but it might be a good workaround if this is a problem.

  Matt

  Dan Horne wrote:
  IIRC, the HOLD action was where the risk came in.  Messages that are
held by Declude using AVAFTERJM and then manually re-queued (via, say,
the old SpamReview app) would NOT be scanned for viruses at all, since
re-queued messages bypass Declude altogether.   

HOLD is the only 'semi-final' action.  All other actions either deliver
the email to an mbox (in which case it is scanned by EVA), or remove the
message completely (which is where the saved cycles come in).  

IMO, AVAFTERJM should be changed so that only deleted emails, not held
ones, bypass the AV scan.   In other words, all messages should be
first scanned for spam, then the ones that are not DELETED should all be
scanned for viruses.  This would close the security risk from re-queued
messages.  The AVAFTERJM option would then only be useful for those that
use the DELETE action, but with the huge security risk involved in
requeueing unscanned messages I think that it is ALREADY only useful for
those that use the DELETE action.  Unfortunately the manual isn't clear
on this point.

At the very least, Declude should add a warning to the manual around
AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the
same configuration.

--DH


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Dan Horne



Dan, this is all implementation dependent. Your observed behaviour is not
universal to Declude deployments.

Specifically, re-queued messages on IMail systems do indeed get scanned by
Declude JunkMail and EVA when the Q*.SMD is moved to the overflow folder (as
opposed to being moved to the spool folder with the D*.SMD file).

Yes, but copying the files into the overflow directory is a work-around that
was come up with some time ago on this list.  Declude themselves, in the
Junkmail manual, state:

"The HOLD action will move the E-mail into the \{MAILSERVER}\spool\spam
directory. This way, you can check messages to make sure they are spam before
deleting them manually (or, you can move the files (Q*.SMD and D*.SMD for
Imail...) back to the spool directory to have them delivered on the next queue
run (about 20-30 minutes))." (my emphasis)

So while YOU may not requeue the messages this way, it IS the way that DECLUDE
recommends requeueing the messages in the manual.  Therefore, it follows that
the vast majority of implementations WILL requeue messages this way.

--DH
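An added example, not part of any message in this thread and not Declude's own code: a small audit that combines the AVAFTERJM action summary given earlier in the thread with the HOLD re-queue concern raised above, and flags which configured JunkMail actions leave mail unscanned. The `TESTNAME ACTION [argument]` line layout, the `#` comment character, treating a missing AVAFTERJM line as OFF, and both sample files are assumptions constructed for illustration.

```python
import re

# Behaviour with AVAFTERJM ON as reported by posters in this thread
# (their observations, not Declude documentation).
UNSCANNED_REMOVED = {"DELETE"}
UNSCANNED_KEPT = {"HOLD"}
PARTIAL = {"DELETE_RECIPIENT"}
UNVERIFIED = {"COPYFILE", "MAILBOX", "ATTACH", "BOUNCEONLYIFYOUMUST"}
SCANNED = {"ROUTETO", "COPYTO", "WARN", "SUBJECT", "HEADER",
           "FOOTER", "ALERT", "LOG", "BEEP"}
KNOWN = UNSCANNED_REMOVED | UNSCANNED_KEPT | PARTIAL | UNVERIFIED | SCANNED

MESSAGES = {
    "RISK": "held mail is not virus scanned; moving it back to the spool "
            "directory re-queues it without a scan (per the thread)",
    "INFO": "not virus scanned, but the message is removed",
    "PARTIAL": "scanned only for the recipients that are not deleted",
    "VERIFY": "scan behaviour not confirmed in the thread; test it first",
}


def strip_comment(line):
    # Assumption: '#' starts a comment in both configuration files.
    return line.split("#", 1)[0].strip()


def avafterjm_enabled(global_cfg):
    """True if the last AVAFTERJM directive is ON (absent counts as OFF)."""
    enabled = False
    for raw in global_cfg.splitlines():
        m = re.fullmatch(r"AVAFTERJM\s+(ON|OFF)", strip_comment(raw),
                         re.IGNORECASE)
        if m:
            enabled = m.group(1).upper() == "ON"
    return enabled


def parse_actions(junkmail_cfg):
    """Yield (line_number, test_name, action) for 'TESTNAME ACTION' lines."""
    for number, raw in enumerate(junkmail_cfg.splitlines(), start=1):
        fields = strip_comment(raw).split()
        if len(fields) >= 2 and fields[1].upper() in KNOWN:
            yield number, fields[0], fields[1].upper()


def audit(global_cfg, junkmail_cfg):
    """Return (level, line, test, action, message) tuples worth reviewing."""
    if not avafterjm_enabled(global_cfg):
        return []  # the bypass discussed here only arises with AVAFTERJM ON
    findings = []
    for number, test, action in parse_actions(junkmail_cfg):
        if action in UNSCANNED_KEPT:
            level = "RISK"
        elif action in UNSCANNED_REMOVED:
            level = "INFO"
        elif action in PARTIAL:
            level = "PARTIAL"
        elif action in UNVERIFIED:
            level = "VERIFY"
        else:
            continue  # delivered somewhere, so it is scanned
        findings.append((level, number, test, action, MESSAGES[level]))
    return findings


# Constructed samples: test names, address and path are made up.
SAMPLE_GLOBAL = """\
# constructed sample, not a real global.cfg
AVAFTERJM ON
COPYFILEACTIONWITHHEADERS ON
"""

SAMPLE_JUNKMAIL = """\
# constructed sample action file
WEIGHT30   DELETE
WEIGHT20   HOLD
WEIGHT10   ROUTETO spam@example.com
SNIFFER    COPYFILE D:\\spamcopy
BADHEADERS WARN
"""

if __name__ == "__main__":
    for level, number, test, action, message in audit(SAMPLE_GLOBAL,
                                                      SAMPLE_JUNKMAIL):
        print(f"{level:7} line {number}: {test} {action} - {message}")
```
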


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Scott Fisher



Thanks, Matt that'll be helpful.

  - Original Message -
  From: Matt
  To: Declude.Virus@declude.com
  Sent: Friday, January 27, 2006 2:32 PM
  Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

  Sorry.  If you add the following directive to your Global.cfg it will:

  COPYFILEACTIONWITHHEADERS ON

  This was introduced somewhere in the 2.x series.  It's a very useful
  tweak for me.

  Matt

  Scott Fisher wrote:

  COPYFILE does not add any Declude headers.

  - Original Message -
  From: Matt
  To: Declude.Virus@declude.com
  Sent: Friday, January 27, 2006 1:28 PM
  Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

  Dan,

  You might try COPYFILE which is essentially HOLD, but it adds the
  Declude headers to the messages. COPYFILE won't block the E-mail
  however, so you might want to either ROUTETO null, or HOLD and just
  delete what is in that folder since you have another copy. I am
  unclear about whether or not the COPYFILE action happens before or
  after virus scanning with AVAFTERJM ON, so that would need to be
  verified, but it might be a good workaround if this is a problem.

  Matt

  Dan Horne wrote:
  IIRC, the HOLD action was where the risk came in.  Messages that are
held by Declude using AVAFTERJM and then manually re-queued (via, say,
the old SpamReview app) would NOT be scanned for viruses at all, since
re-queued messages bypass Declude altogether.   

HOLD is the only 'semi-final' action.  All other actions either deliver
the email to an mbox (in which case it is scanned by EVA), or remove the
message completely (which is where the saved cycles come in).  

IMO, AVAFTERJM should be changed so that only deleted emails, not held
ones, bypass the AV scan.   In other words, all messages should be
first scanned for spam, then the ones that are not DELETED should all be
scanned for viruses.  This would close the security risk from re-queued
messages.  The AVAFTERJM option would then only be useful for those that
use the DELETE action, but with the huge security risk involved in
requeueing unscanned messages I think that it is ALREADY only useful for
those that use the DELETE action.  Unfortunately the manual isn't clear
on this point.

At the very least, Declude should add a warning to the manual around
AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the
same configuration.

--DH


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
I have no stats or numbers.

Only the fact that AV-Engines have introduced a suspicious category that is
catching more and more new outbreaks. Additionally it seems that the scanning
process is becoming more and more complex. Each variant (we have up to
two-letter versions!) seems to need completely new definitions. Another more
alarming: certain virus-signatures seem to catch only a part of one single
but polymorphic and encrypted virus variant.

Try to send a vb-script containing one single call of the filesystem-object
even if zipped or with renamed file extension through some av-engines.
DELETEVIRUS ON will delete the entire message and you will have to tell some
fairy story to the customer who calls you because he misses some messages.

Not deleting messages immediately as many of us do is one way.
Adding 5 DELETEVIRUSNAME-lines in the global.cfg would be a very simple
possibility to keep the virus folder clean and small. And I repeat: It
should be something very very simple to implement. Anyone who doesn't want
or need it could simply not turn it on.

Regarding the already existing FORGINGVIRUS DNS lookup feature and a
possible enhancement like AUTODELETEKNOWNWORMS.
I wouldn't say that I don't trust declude's FORGINGVIRUS list. But first of
all I really want to know what I categorize FORGING and what not on my
server. Beside the fact that since we don't send out notifications to
customers anymore my personal FORGINGVIRUS list is simply a good way to
filter out 99% of all postmaster notifications, and so a wave of such
notifications is an excellent indicator that something new is around that I
should give a look.
An additional DNS lookup for each held virus in my eyes is not really
useful if the number of forging viruses is so small as it is today. Ok it's
a nice thing for someone who doesn't want to care for his server daily.
Another unclear aspect is how this DNS-based list handles different virus
names. We have seen in the last months that there is no more consistent
naming between AV-Companies. Does Declude maintain and serve forging virus
names for all AV-Engines?

I still consider Declude my swiss army knife for handling SMTP-traffic and
keep our customer mailboxes usable for the daily work. And even if I know
that some tools in my knife can be dangerous I want to have them when it
will become neccessary. 

Markus




 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
 Sent: Friday, January 27, 2006 8:24 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 There is no perfect Spam or Virus system.  There will either 
 be false positives, missed Spam or Viruses or a combination of both.
 Therefore, if the customer is expecting absolute perfection, 
 then I think the problem is one of a customer with 
 unrealistic expectations.
 
 You said, what happens if tomorrow turns out that scan 
 engines has caught many legit messages as viruses due to a 
 new buggy signature.
 Well, then you need to HOLD ALL messages tagged as containing 
 a virus, if you are that anal about it and that makes your 
 original point moot.
 For instance, you've solved nothing if you had Bagle hard 
 coded to be deleted and that was the buggy one in the 
 signature file.  How often does this really happen - does it 
 happen more than 1% of the time?  It hasn't shown to be an 
 issue in our case, but I think we'd all be interested in your 
 statistics which show it as a significant exposure to false positives.
 
 You said, or because a legit message unexpectedly contains 
 something suspicious. My previous comment was to hold all 
 of those tagged as suspicious. Do you have good statistics on 
 these, which show a significant false positive rate?  I think 
 we'd all be interested in your finding . . .
 
 Thanks,
 
 
 Friday, January 27, 2006, 10:56:56 AM, Markus Gufler 
 [EMAIL PROTECTED] wrote:
 
  aren't you out hunting mosquitos with hand grenades?
 
 MG If the mosquito is a very nasty but important customer it's better
 MG using tanks, MGs and whatever you can organize in order to prevent
 MG painful stings...
 
 MG On a day like today I could turn on DELETEVIRUSES with nearly zero
 MG risk in order to keep the server disk clean. But what happens if
 MG tomorrow turns out that one of the scan engines has caught many
 MG legit messages as viruses due to a new buggy signature or because a
 MG legit message unexpectedly contains something suspicious.
 MG How do you explain to customers that the messages are already deleted?
 
 MG F-Prot's exit code 8 (suspicious files) has caught a lot of new
 MG unknown viruses before signatures were available. So I use this exit
 MG code in my config to hold messages. But suspicious could also be
 MG something legit we don't know at the moment.
 
 MG As I can understand a feature like DELETEVIRUSNAME wouldn't require
 MG more than 30 lines of code and 3 hours of work

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
A single piece of software can't possibly be all things to all people.
I think the best that can be expected is that it reasonably addresses
all, or most, of those objectives which the user community shares.

It is easy to say that it only costs $xx when it's not your money, the
same as it is to say that it will only take 30 lines of code when you
don't have to write it, test it, maintain it and fix it when it
breaks.

I was the culprit who introduced the HOP feature in Declude a long
time ago. It was effective back then in combating dynamic servers in
the delivery chain. As intimate as Scott was with his code and with
the challenges we all faced, we debated it on and off the list for a
long time, before he was convinced it would be a good thing for the
entire user community. IOW, he had to see the beef - the evidence,
that there was an issue and that it was one which Declude could
address effectively.

Scott is gone and Imail has changed requiring a major overhaul in
Declude.  Many of the old timers on this list are still NOT running
the most current release, due to certain challenges and anomalies.

I'm not trying to be a horse's tail or beat you up and there is nothing
personal involved. I just think that unless a feature request can be
justified with facts, which you admit that yours cannot, that we
refrain from distracting the community and particularly the people at
Declude.

I'd rather see Declude keep pumping the water out of the bilge to the
point they can fix the hull, rather than taking the time to hang a new
pennant from the mast.  Wouldn't you?

Thanks,


Friday, January 27, 2006, 6:05:46 PM, Markus Gufler [EMAIL PROTECTED] wrote:
MG I have no stats or numbers.


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-26 Thread Colbeck, Andrew
 Do you mean this script on my disk who creates one hour each 
 day with 100% CPU usage?

Markus, I found that a pretty fun bit of sarcasm.  But I have a dry
sense of humour.

It sounds like you're not using AVAFTERJM so that you catch viruses as
viruses and spam as spam.

In this scenario I'm pretty confident that you could automate grepping
your virMMDD.log file hourly, look for a pre-set list of virus names,
cut up the Q* column to derive the filename, and delete the Q*.SMD and
D*.SMD file, for example, this line:

01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [
W32/[EMAIL PROTECTED]: 3]

Is quite easy to parse.

Let me share something similar I've done.  I've remarked on it vaguely
before...

I wanted to nail down some of my statistics, and as that evolved, I
wanted to know how much of the inbound mail that is blocked as spam was
actually viral.  It turned out that I block a lot of viruses as spam
because they have the same IP source characteristics, malformed headers,
fake source domains and so forth as zombie spam (no surprise, they're
much the same machines).

Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM
to cut down on the work, and this definitely leaves a gap in my
statistics.  Similarly, it follows that I wouldn't want to scan my whole
SPAM folder.  Even reading the directory of the filenames is a disk
workout.

During our slow period (nightly) I do a scheduled run of a .cmd script
that uses the GNU utilities to check my Declude logs for the held spam
for that day only, I weed out ones that triggered SNIFFERMALWARE or my
own Declude filter tests for viruses, then from that subset I have a
list of Q* names.

From that Q* column, I can form the filename.  I then grep each one of
those files for strings that would indicate that there is a possibly
viral attachment (it's not perfect), and then on the remainder of the
filenames, I invoke my F-Prot scanner and check the result code for each
file.  This isn't ideal, but I found that invoking it every time with
specific filenames was far, far faster than scanning a folder.  Windows
certainly caches the fpcmd and pattern files, so that definitely helps.

How much am I saving?  Well, I am scanning all the files in some
fashion, but I'm doing grep for some spam and grep plus antivirus for
the minority of it, and I'm doing it outside of our busy hours.

It takes *two hours*, and produces results like this in a day:
Viruses caught by Declude Virus after using AVAFTERJM: 1
Messages caught by filters or Sniffer: 349
Messages scanned after hours: 25,000
Viruses found after hours: 378

So, I time-shifted away from normal hours the CPU and disk hit of doing
the scanning, and I still get my virus statistics without causing a
performance problem at night.  The resulting logs are easily grepped for
virus names and counts if I want.  I use another set of scripts to
compile the stats at the end of the month, with little to no
maintenance.

It's awful code, but if a non-programmer like me can do this, your
virMMDD.log can be used to delete the messages for viruses you don't
want to keep on disk.

Andrew 8)
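
The log-driven cleanup described in this message, as an added example (not part of the original post, and not Andrew's or Declude's code). It assumes every INFECTED line has the layout of the one sample line quoted above and that the D-file shares the Q-file's ID; the function names are hypothetical and all log lines except the first queue ID are constructed. A message is selected only when every detection logged for it matches the name list, so suspicious or generic hits stay held.

```python
import re
from pathlib import Path

# Assumed layout, inferred from the one sample line in the post:
#   MM/DD/YYYY HH:MM:SS Q<id> File(s) are INFECTED [<virus name>: <code>]
LINE_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} "
    r"(?P<qid>Q[0-9A-Za-z]{4,40}) File\(s\) are INFECTED "
    r"\[\s*(?P<name>[^\]]+?):\s*(?P<code>\d+)\]\s*$"
)

# Names taken from the DELETEVIRUSNAME request in this thread.
DELETE_NAMES = ("netsky", "bagle")

# Constructed sample log: only the first queue ID comes from the post; the
# virus names, scanner codes and the other IDs are made up for this example.
SAMPLE_LOG = """\
01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [W32/Netsky.P: 3]
01/24/2006 18:55:02 QA1B2C3D4E5F60718 File(s) are INFECTED [W32/Bagle.AB: 3]
01/24/2006 18:55:40 Q0F1E2D3C4B5A6978 File(s) are INFECTED [Suspicious.VBS: 8]
01/24/2006 18:56:11 Q1122334455667788 File(s) are INFECTED [W32/Netsky.D: 3]
01/24/2006 18:56:11 Q1122334455667788 File(s) are INFECTED [Generic.Heuristic: 3]
01/24/2006 18:57:00 Q../../outside File(s) are INFECTED [W32/Netsky.P: 3]
01/24/2006 18:57:30 Q5566778899AABBCC Scanned: no virus found
"""


def parse_infections(log_text):
    """Yield (queue_id, virus_name) for each well-formed INFECTED line.

    Lines whose ID is not plain alphanumerics are skipped, so nothing read
    from the log can turn into a path outside the hold folder.
    """
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group("qid").upper(), match.group("name").strip()


def select_for_deletion(log_text, delete_names=DELETE_NAMES):
    """Queue IDs for which every logged detection matches the name list."""
    verdicts = {}
    for qid, name in parse_infections(log_text):
        known = any(wanted in name.lower() for wanted in delete_names)
        # One unknown, generic or suspicious detection keeps the message held.
        verdicts[qid] = verdicts.get(qid, True) and known
    return sorted(qid for qid, ok in verdicts.items() if ok)


def spool_files(hold_dir, qid):
    """Q*.SMD and D*.SMD paths for one queue ID (shared ID is an assumption)."""
    base = qid[1:]
    return [Path(hold_dir) / f"Q{base}.SMD", Path(hold_dir) / f"D{base}.SMD"]


def purge(log_text, hold_dir, delete_names=DELETE_NAMES, dry_run=True):
    """Delete spool files of selected messages; return the file names hit.

    With dry_run=True (the default) nothing is deleted and the return value
    is the list of files that would be removed.
    """
    hold = Path(hold_dir).resolve()
    hit = []
    for qid in select_for_deletion(log_text, delete_names):
        for path in spool_files(hold, qid):
            if path.parent == hold and path.is_file():
                if not dry_run:
                    path.unlink()
                hit.append(path.name)
    return hit


if __name__ == "__main__":
    print(select_for_deletion(SAMPLE_LOG))
```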






Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-26 Thread Darin Cox
Interesting, Andrew.  We've run AVAFTERJM for the same reasons, and have
been considering doing something to remove the viruses from the spam hold
queue as well.

Speaking of which, I'd like to re-request a feature from Declude to be able
to selectively notify on detected vulnerabilities.  We have notification on
banned files, but I don't believe vulnerabilities notify.  Adding that would
make virus detection system manual maintenance almost non-existent.

Darin.



RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread John T (Lists)
But if we are cycling the held viruses on a x day basis, (my cycle is 5
days,) why would that be needed?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Markus Gufler
 Sent: Wednesday, January 25, 2006 2:37 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 Maybe someone has already requested it:
 
 Why not allow commands like
 
 DELETEVIRUSNAME Netsky
 DELETEVIRUSNAME Bagle
 ...
 
 in the virus.cfg file?
 
 I won't and can't delete all viruses on our server because there is always
 the possibility that a scanner is catching something as suspicious or
 generic.
 
 But commands to delete certain virus names should be very easy to implement
 and allow us to eliminate 95% of all held viruses on our servers.
 
 Markus
 


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread Scott Fisher

Excellent idea!

- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Wednesday, January 25, 2006 4:37 PM
Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME



Maybe someone has already requested it:

Why not allow commands like

DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
...

in the virus.cfg file?

I won't and can't delete all viruses on our server because there is always
the possibility that a scanner is catching something as suspicious or
generic.

But commands to delete certain virus names should be very easy to implement
and allow us to eliminate 95% of all held viruses on our servers.

Markus



RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread Markus Gufler

 But if we are cycling the held viruses on a x day basis, (my 
 cycle is 5
 days,) why would that be needed?

5 days x 2 viruses x 2 (d & q-file) = 200k files 
Around 99% of these files contain the same 5 types of malware that are
stored, moved and defragmented unnecessarily.

I asked only because as I understand it should be very easy and
unproblematic to add such a feature.

Markus



RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread John T (Lists)
As a work around until and if Declude adds the requested feature, you could
write a script to search the files on a timed basis for a phrase (virus
name) and have it delete them.

John T
eServices For You




RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread Markus Gufler


 As a work around until and if Declude adds the requested 
 feature, you could write a script to search the files on a 
 timed basis for a phrase (virus name) and have it delete them.

Do you mean this script on my disk who creates one hour each day with 100%
CPU usage?

Markus
