Hi everybody,
Today I received an infected email and it was blocked by ASSP:

2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <[email protected]> to: [email protected] ASSP_OCR: (att) file text3.upa found in mime part 3
2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <[email protected]> to: [email protected] ASSP_OCR: (att) file Ihre_Rechnung_22_09_2014.zip found in mime part 4
2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <[email protected]> to: [email protected] ASSP_OCR: (att) file img_logo_picture_09.jpeg found in mime part 5
2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <[email protected]> to: [email protected] ASSP_OCR: OCR(2.20) (TextFile(text3.upa)) data extracted
2014-09-22 18:01:06 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] info: the setting of 'UseAvClamd' (block) is temporarily overwritten by the 'DoASSP_OCR' setting of (score)
2014-09-22 18:01:11 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] info: the setting of 'DoFileScan' (disabled) is temporarily overwritten by the 'DoASSP_OCR' setting of (score)
2014-09-22 18:01:11 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] info: the setting of 'DoScriptRe' (disabled) is temporarily overwritten by the 'DoASSP_OCR' setting of (score)
2014-09-22 18:01:11 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] ClamAV: scanned 0 bytes in whitelisted message - OK
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] ClamAV: scanned 1188 bytes in whitelisted message - OK
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] ClamAV: scanned 3873 bytes in whitelisted message - OK
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] ClamAV: scanned 173179 bytes in whitelisted message - FOUND Zip.Suspect.WinDoubleExtension-zippwd-1(c7329ae811aee30a2404eaa07f4fbb6e:173179)
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] Message-Score: added 50 (vdValencePB) for virus detected: 'Zip.Suspect.WinDoubleExtension-zippwd-1(c7329ae811aee30a2404eaa07f4fbb6e:173179)', total score for this message is now 50
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] [VIRUS] 186.63.225.200 <[email protected]> to: [email protected] mail blocked by Plugin ASSP_AFC - reason VIRUS-found
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] [VIRUS] 186.63.225.200 <[email protected]> to: [email protected] [spam found] (VIRUS-found) [Ihre Mobilfunk Rechnung vom 22 09 2014 im Anhang als PDF];
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] [SMTP Error] 554 5.7.1 Mail appears infected with [Zip.Suspect.WinDoubleExtension-zippwd-1(c7329ae811aee30a2404eaa07f4fbb6e:173179)].
2014-09-22 18:01:13 [Worker_1] Info: report successful sent to [email protected]

Two little problems with this:

1) The infected email was not quarantined as I would expect. I cannot find it anywhere in my assp directories. The directories "quarantine" and "virusscan" exist and have full access permissions (777). (I'm not sure if "virusscan" is even needed, because I have the mail checked by ClamD.)

Some settings from my assp.cfg:

EmailVirusReportsToRCPT:=2
FileScanDir:=/opt/assp/virusscan
viruslog:=quarantine
SpamVirusLog:=5

2) The virus report I received did not have a "subject:" line.

As always, thanks a lot for help and advice.
Best regards
Dirk

_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
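When chasing a case like the one above (blocked, but nothing in quarantine), it helps to collapse the per-message log lines into one record per message id so the attachments, the ClamAV hit and the blocking plugin can be compared against what actually landed on disk. The following is an added example, not ASSP code: it parses the line layout seen in this post (date, time, message id, worker, optional tag, client IP, sender, recipient, text), and the sample lines are copied from the log quoted above. The field layout is an assumption drawn from those lines only.

```python
import re
from collections import defaultdict

# Assumed layout of an ASSP log line, taken from the lines quoted in this thread:
# "<date> <time> <msgid> [Worker_n] [optional tag] <ip> <sender> to: <rcpt> <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) \[(?P<worker>[^\]]+)\] "
    r"(?:\[(?P<tag>[^\]]+)\] )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) <(?P<sender>[^>]*)> "
    r"to: (?P<rcpt>\S+) (?P<text>.*)$"
)
ATT_RE = re.compile(r"ASSP_OCR: \(att\) file (?P<name>\S+) found in mime part (?P<part>\d+)")
FOUND_RE = re.compile(r"- FOUND (?P<sig>[^(]+)\((?P<md5>[0-9a-f]{32}):(?P<size>\d+)\)")
BLOCK_RE = re.compile(r"mail blocked by Plugin (?P<plugin>\S+) - reason (?P<reason>\S+)")

# Sample input: lines copied from the log in this post (recipient/sender are redacted there).
SAMPLE_LINES = [
    "2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <[email protected]> to: [email protected] ASSP_OCR: (att) file text3.upa found in mime part 3",
    "2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <[email protected]> to: [email protected] ASSP_OCR: (att) file Ihre_Rechnung_22_09_2014.zip found in mime part 4",
    "2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <[email protected]> to: [email protected] ASSP_OCR: (att) file img_logo_picture_09.jpeg found in mime part 5",
    "2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] ClamAV: scanned 3873 bytes in whitelisted message - OK",
    "2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <[email protected]> to: [email protected] ClamAV: scanned 173179 bytes in whitelisted message - FOUND Zip.Suspect.WinDoubleExtension-zippwd-1(c7329ae811aee30a2404eaa07f4fbb6e:173179)",
    "2014-09-22 18:01:13 m1-01380-10527 [Worker_1] [VIRUS] 186.63.225.200 <[email protected]> to: [email protected] mail blocked by Plugin ASSP_AFC - reason VIRUS-found",
    "2014-09-22 18:01:13 [Worker_1] Info: report successful sent to [email protected]",
]

def summarize(lines):
    """Group ASSP log lines by message id; return attachments, AV hits and block verdict per message."""
    out = defaultdict(lambda: {"ip": None, "rcpt": None, "attachments": [],
                               "detections": [], "blocked_by": None, "reason": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a per-message line (e.g. the trailing "report successful sent")
        rec = out[m["msgid"]]
        rec["ip"], rec["rcpt"] = m["ip"], m["rcpt"]
        text = m["text"]
        if a := ATT_RE.search(text):
            rec["attachments"].append((int(a["part"]), a["name"]))
        if f := FOUND_RE.search(text):  # only "- FOUND" hits, "- OK" scans are ignored
            rec["detections"].append({"signature": f["sig"], "md5": f["md5"], "size": int(f["size"])})
        if b := BLOCK_RE.search(text):
            rec["blocked_by"], rec["reason"] = b["plugin"], b["reason"]
    return dict(out)

if __name__ == "__main__":
    for msgid, rec in summarize(SAMPLE_LINES).items():
        print(msgid, rec["blocked_by"], rec["reason"], [d["signature"] for d in rec["detections"]])
```

With the output keyed by message id, a missing quarantine file can be checked by looking for that id (or the logged MD5) under the configured quarantine and FileScanDir paths.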
