I wish mine looked like that... Here's what I've got:

With ClamAV Module
-------------------
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 
<quantumsch...@outlook.com> info: found message size announcement: 973 Byte
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 
<quantumsch...@outlook.com> to: ad...@mydomain.com global Whitelisted sender 
address: quantumsch...@outlook.com
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 
<quantumsch...@outlook.com> to: ad...@mydomain.com ClamAV: scanned 1153 bytes 
in whitelisted message - FOUND 
Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 
<quantumsch...@outlook.com> to: ad...@mydomain.com Message-Score: added 50 
(vdValencePB) for virus detected: 
'Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)', total score for 
this message is now 50
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] [VIRUS] 65.55.90.167 
<quantumsch...@outlook.com> to: ad...@mydomain.com [spam found] (virus 
detected: 'Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)') [FW 
Test] -> /usr/share/assp/discarded/FW_Test--3216.eml;
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 
<quantumsch...@outlook.com> to: ad...@mydomain.com [SMTP Error] 554 5.7.1 Mail 
appears infected with 
\[Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)\].
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 
<quantumsch...@outlook.com> to: ad...@mydomain.com [SMTP Status] 451 4.7.1 
Please try again later
Apr-04-13 07:17:42 [Worker_1] Info: report successful sent to ad...@mydomain.com

With ASSP_AFC plugin
-------------------------------
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 
<quantumsch...@outlook.com> info: found message size announcement: 1019 Byte
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 
<quantumsch...@outlook.com> to: ad...@mydomain.com global Whitelisted sender 
address: quantumsch...@outlook.com
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 
<quantumsch...@outlook.com> to: ad...@mydomain.com [Plugin] calling plugin 
ASSP_AFC
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 
<quantumsch...@outlook.com> to: ad...@mydomain.com [Plugin] calling plugin 
ASSP_DCC
Apr-04-13 07:20:20 [Worker_1] Info: created agent to dccifd
Apr-04-13 07:20:20 [Worker_1] Info: created DCC unix socket to /var/dcc/dccifd
Apr-04-13 07:20:20 [Worker_1] Info: finshed sending connection DCC-data to 
dccifd
Apr-04-13 07:20:20 [Worker_1] Info: connected to dccifd at /var/dcc/dccifd
Apr-04-13 07:20:20 [Worker_1] Info: send mail data to dccifd
Apr-04-13 07:20:20 [Worker_1] Info: querying results from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: waiting for answer from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: got answer A from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: waiting for answer from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: got answer A from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: got result: Accept - for recipients: 
ad...@mydomain.com Accept - from DCC detection only
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 
<quantumsch...@outlook.com> to: ad...@mydomain.com DCC check OK
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] [MessageOK] 65.55.90.155 
<quantumsch...@outlook.com> to: ad...@mydomain.com message ok - (whitelistdb) - 
[FW Test] -> /usr/share/assp/notspam/FW_Test--3224.eml

It's like when it hits ASSP_AFC, nothing happens. Is there any extra logging 
that can be enabled like the ASSP_DCC plugin?

v/r,
Louis
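
Added example, not part of the original post and not ASSP code: the two traces above differ in that the second session is accepted after ASSP_AFC is called without any ClamAV or FileScan entry, and this sketch flags such sessions in a maillog. The sample log is constructed (placeholder addresses and session ids, one entry per line), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the ASSP maillog layout shown above (placeholder addresses and ids).
SAMPLE_LOG = """\
Apr-04-13 07:17:41 m1-00001-00001 [Worker_1] 192.0.2.10 <sender@example.com> to: admin@example.org ClamAV: scanned 1153 bytes in whitelisted message - FOUND Eicar-Test-Signature
Apr-04-13 07:17:41 m1-00001-00001 [Worker_1] [VIRUS] 192.0.2.10 <sender@example.com> to: admin@example.org [spam found] (virus detected: 'Eicar-Test-Signature')
Apr-04-13 07:20:20 m1-00002-00002 [Worker_1] 192.0.2.10 <sender@example.com> to: admin@example.org [Plugin] calling plugin ASSP_AFC
Apr-04-13 07:20:20 m1-00002-00002 [Worker_1] 192.0.2.10 <sender@example.com> to: admin@example.org [Plugin] calling plugin ASSP_DCC
Apr-04-13 07:20:20 [Worker_1] Info: created agent to dccifd
Apr-04-13 07:20:20 m1-00002-00002 [Worker_1] [MessageOK] 192.0.2.10 <sender@example.com> to: admin@example.org message ok - (whitelistdb)
"""

# Date, time, then a session id such as m1-74261-03846; entries without one are worker-level.
ENTRY = re.compile(r"^\S+ \S+ ([mM]\d+-\d+-\d+) \[Worker_\d+\] (.*)$")
SCAN = re.compile(r"\b(ClamAV|FileScan): ")  # scanner lines as they appear in this thread
PLUGIN = re.compile(r"\[Plugin\] calling plugin (\S+)")

def summarize(log_text):
    """Group entries by session id: plugins called, scanner activity, final acceptance."""
    sessions = defaultdict(lambda: {"plugins": [], "scanned": False, "accepted": False})
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # worker-level line (e.g. dccifd chatter), not tied to a session
        sid, rest = m.groups()
        s = sessions[sid]
        p = PLUGIN.search(rest)
        if p:
            s["plugins"].append(p.group(1))
        if SCAN.search(rest):
            s["scanned"] = True
        if "[MessageOK]" in rest:
            s["accepted"] = True
    return dict(sessions)

def unscanned_accepts(log_text, plugin="ASSP_AFC"):
    """Session ids accepted after `plugin` was called with no scanner line at all."""
    return [sid for sid, s in summarize(log_text).items()
            if plugin in s["plugins"] and s["accepted"] and not s["scanned"]]

if __name__ == "__main__":
    for sid in unscanned_accepts(SAMPLE_LOG):
        print(f"{sid}: accepted with no ClamAV/FileScan entry after ASSP_AFC")
```

Real maillog entries are a single line each; the mail client wrapped the ones quoted in this thread, so they would need re-joining before being fed to the parser.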
----------------------------------------
To: assp-user@lists.sourceforge.net
From: thomas.ecka...@thockar.com
Date: Thu, 4 Apr 2013 08:07:57 +0200
Subject: [Assp-user] Reply: Re: Reply: Re: Reply: Re: ASSP_AFC plugin and 
EICAR
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
to: thomas.ecka...@thockar.com [Plugin] calling plugin ASSP_AFC
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
to: thomas.ecka...@thockar.com ClamAV: scanned 70 bytes in message -
FOUND Eicar-Test-Signature
Apr-04-13 07:59:36 [Worker_1] Info: weighted regex (SuspiciousVirus)
result found for Eicar - with eicar - weight is 1.5
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
to: thomas.ecka...@thockar.com Message-Score: added 37 for
SuspiciousVirus: Eicar-Test-Signature 'Eicar', total score for this
message is now 42
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] [VIRUS][scoring] 1.1.1.1
<sen...@domain.com> to: thomas.ecka...@thockar.com 'Eicar-Test-Signature'
passing the virus check because of only suspicious virus 'Eicar'
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
to: thomas.ecka...@thockar.com FileScan: is unable find temporary
c:/assp/virusscan/a.1.29409.eml - possibly removed by the file system
scanner
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
to: thomas.ecka...@thockar.com Message-Score: added 50 (vdValencePB) for
virus detected: 'FileScan' - unable to find file to scan, total score for
this message is now 92
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] [VIRUS] 1.1.1.1
<sen...@domain.com> to: thomas.ecka...@thockar.com 554 5.7.1 Mail appears
infected with \[a virus\] -- disinfect and resend. - replaced
virus-mail-part with simple text
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
to: thomas.ecka...@thockar.com ClamAV: scanned 677 bytes in message - OK
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
to: thomas.ecka...@thockar.com FileScan: scanned 677 bytes in message
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
to: thomas.ecka...@thockar.com info: sending modified message
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
to: thomas.ecka...@thockar.com [spam found] 554 5.7.1 Mail appears
infected with \[a virus\] -- disinfect and resend. [eicar test]
Thomas
From: Louis Carreiro <quantumsch...@outlook.com>
To: ASSP Mailing List <assp-user@lists.sourceforge.net>,
Date: 03.04.2013 21:40
Subject: Re: [Assp-user] Reply: Re: Reply: Re: ASSP_AFC plugin
and EICAR
Nope... If I put the EICAR string in the body of an email while the normal
ClamAV plugin is running, it blocks the email and I get notified with an
alert from ASSP. If I enable ASSP_AFC and then send the email again with
just the EICAR string in the body, it lets it right on through to my
mailbox.
v/r,
Louis
----------------------------------------
To: assp-user@lists.sourceforge.net
From: thomas.ecka...@thockar.com
Date: Wed, 3 Apr 2013 21:30:55 +0200
Subject: [Assp-user] Reply: Re: Reply: Re: ASSP_AFC plugin and EICAR
Is the virus being replaced?
Thomas
From: Louis Carreiro <quantumsch...@outlook.com>
To: ASSP Mailing List <assp-user@lists.sourceforge.net>,
Date: 03.04.2013 21:09
Subject: Re: [Assp-user] Reply: Re: ASSP_AFC plugin and EICAR
Right... that's what I wanted. What I'm not seeing is anything showing up
in the ClamAV logs like with the regular ClamAV module. Also, it's not
catching and scoring the spam emails with the SaneSecurity databases.
It's like nothing is getting moved over to the ClamAV socket.
v/r,
Louis
----------------------------------------
To: assp-user@lists.sourceforge.net
From: thomas.ecka...@thockar.com
Date: Wed, 3 Apr 2013 20:54:45 +0200
Subject: [Assp-user] Reply: Re: ASSP_AFC plugin and EICAR
>ASSP_AFCReplViriParts:=1
This will replace the virus with a text file!
Thomas
From: Louis Carreiro <quantumsch...@outlook.com>
To: ASSP Mailing List <assp-user@lists.sourceforge.net>,
Date: 03.04.2013 20:38
Subject: Re: [Assp-user] ASSP_AFC plugin and EICAR
Thomas,
Thanks for the quick reply. The settings are as follows:
DoASSP_AFC:=1
ASSP_AFCSelect:=3
ASSP_AFCPriority:=6
ASSP_AFCReplBadAttach:=
ASSP_AFCReplBadAttachText:=The attached file (FILENAME) was removed from
this email by ASSP for policy reasons!
ASSP_AFCReplViriParts:=1
ASSP_AFCReplViriPartsText:=There was a virus removed from this email
(attachment FILENAME) by ASSP!
ASSP_AFCMSGSIZEscore:=
ASSP_AFCDetectSpamAttachRe:=file:files/ASSP_AFCDetectSpamAttachReimage.txt
ASSP_AFCWebScript:=
ASSP_AFCinsize:=1024
ASSP_AFCoutsize:=1024
I've tried setting ASSP_AFCinsize to 10 as well, with the same result.
v/r,
Louis
>what are the settings for the AFC-plugin?
>
>Thomas
> From: quantumsch...@outlook.com
> To: assp-user@lists.sourceforge.net
> Date: Wed, 3 Apr 2013 10:20:42 -0400
> Subject: [Assp-user] ASSP_AFC plugin and EICAR
>
> Hey all,
>
> With everything running okay on my new ASSPv2 implementation, I started
> adding in the plugins. ASSP_OCR and ASSP_DCC are both running
> flawlessly. The problem I'm having is with the ASSP_AFC plugin. I
> currently have the ClamAV plugin working extremely well and I'm pulling
> down the SaneSecurity DBs and it's pulling all sorts of spam out. When I
> turn on ASSP_AFC, everything from a ClamAV perspective gets quiet. I've
> tried sending a plain text email through with the EICAR string in the body
> and it doesn't get it. If I disable the ASSP_AFC plugin and let the ClamAV
> plugin take back over, it catches it. I'm not quite sure where to go with
> this... Any help would be greatly appreciated!
>
> Thanks in advance!
> Louis
>
------------------------------------------------------------------------------
> Minimize network downtime and maximize team effectiveness.
> Reduce network management and security costs.Learn how to hire
> the most talented Cisco Certified professionals. Visit the
> Employer Resources Portal
> http://www.cisco.com/web/learning/employer_resources/index.html
> _______________________________________________
> Assp-user mailing list
> Assp-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-user
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************