Just curious if anyone had any thoughts. I'd love to get the AFC plugin up
and running. I'm wondering if the ClamAV module of ASSP works well with my version
of ClamAV/File::Scan::ClamAV and ASSP_AFC isn't playing so well with it.

Versions:
ASSP: 2.2.1(13020)
ASSP_AFC: 2.06
ClamAV: 0.97.7
File::Scan::ClamAV: 1.91

v/r,
Louis

> From: quantumsch...@outlook.com
> To: assp-user@lists.sourceforge.net
> Date: Thu, 4 Apr 2013 07:27:16 -0400
> Subject: Re: [Assp-user] Antwort: Re: Antwort: Re: Antwort: Re: ASSP_AFC
> plugin and EICAR
>
> I wish mine looked like that... Here's what I've got:
>
> With ClamAV Module
> -------------------
> Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167
> <quantumsch...@outlook.com> info: found message size announcement: 973 Byte
> Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167
> <quantumsch...@outlook.com> to: ad...@mydomain.com global Whitelisted sender
> address: quantumsch...@outlook.com
> Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167
> <quantumsch...@outlook.com> to: ad...@mydomain.com ClamAV: scanned 1153 bytes
> in whitelisted message - FOUND
> Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)
> Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167
> <quantumsch...@outlook.com> to: ad...@mydomain.com Message-Score: added 50
> (vdValencePB) for virus detected:
> 'Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)', total score
> for this message is now 50
> Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] [VIRUS] 65.55.90.167
> <quantumsch...@outlook.com> to: ad...@mydomain.com [spam found] (virus
> detected: 'Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)') [FW
> Test] -> /usr/share/assp/discarded/FW_Test--3216.eml;
> Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167
> <quantumsch...@outlook.com> to: ad...@mydomain.com [SMTP Error] 554 5.7.1
> Mail appears infected with
> \[Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)\].
> Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167
> <quantumsch...@outlook.com> to: ad...@mydomain.com [SMTP Status] 451 4.7.1
> Please try again later
> Apr-04-13 07:17:42 [Worker_1] Info: report successful sent to
> ad...@mydomain.com
>
> With ASSP_AFC plugin
> -------------------------------
> Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155
> <quantumsch...@outlook.com> info: found message size announcement: 1019 Byte
> Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155
> <quantumsch...@outlook.com> to: ad...@mydomain.com global Whitelisted sender
> address: quantumsch...@outlook.com
> Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155
> <quantumsch...@outlook.com> to: ad...@mydomain.com [Plugin] calling plugin
> ASSP_AFC
> Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155
> <quantumsch...@outlook.com> to: ad...@mydomain.com [Plugin] calling plugin
> ASSP_DCC
> Apr-04-13 07:20:20 [Worker_1] Info: created agent to dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: created DCC unix socket to /var/dcc/dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: finshed sending connection DCC-data to
> dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: connected to dccifd at /var/dcc/dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: send mail data to dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: querying results from dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: waiting for answer from dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: got answer A from dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: waiting for answer from dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: got answer A from dccifd
> Apr-04-13 07:20:20 [Worker_1] Info: got result: Accept - for recipients:
> ad...@mydomain.com Accept - from DCC detection only
> Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155
> <quantumsch...@outlook.com> to: ad...@mydomain.com DCC check OK
> Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] [MessageOK] 65.55.90.155
> <quantumsch...@outlook.com> to: ad...@mydomain.com message ok - (whitelistdb)
> - [FW Test] -> /usr/share/assp/notspam/FW_Test--3224.eml
>
> It's like when it hits ASSP_AFC, nothing happens. Is there any extra logging
> that can be enabled like the ASSP_DCC plugin?
>
> v/r,
> Louis
> ----------------------------------------
> To: assp-user@lists.sourceforge.net
> From: thomas.ecka...@thockar.com
> Date: Thu, 4 Apr 2013 08:07:57 +0200
> Subject: [Assp-user] Antwort: Re: Antwort: Re: Antwort: Re: ASSP_AFC plugin
> and EICAR
> Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
> to: thomas.ecka...@thockar.com [Plugin] calling plugin ASSP_AFC
> Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
> to: thomas.ecka...@thockar.com ClamAV: scanned 70 bytes in message -
> FOUND Eicar-Test-Signature
> Apr-04-13 07:59:36 [Worker_1] Info: weighted regex (SuspiciousVirus)
> result found for Eicar - with eicar - weight is 1.5
> Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
> to: thomas.ecka...@thockar.com Message-Score: added 37 for
> SuspiciousVirus: Eicar-Test-Signature 'Eicar', total score for this
> message is now 42
> Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] [VIRUS][scoring] 1.1.1.1
> <sen...@domain.com> to: thomas.ecka...@thockar.com 'Eicar-Test-Signature'
> passing the virus check because of only suspicious virus 'Eicar'
> Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
> to: thomas.ecka...@thockar.com FileScan: is unable find temporary
> c:/assp/virusscan/a.1.29409.eml - possibly removed by the file system
> scanner
> Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
> to: thomas.ecka...@thockar.com Message-Score: added 50 (vdValencePB) for
> virus detected: 'FileScan' - unable to find file to scan, total score for
> this message is now 92
> Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] [VIRUS] 1.1.1.1
> <sen...@domain.com> to: thomas.ecka...@thockar.com 554 5.7.1 Mail appears
> infected with \[a virus\] -- disinfect and resend. - replaced
> virus-mail-part with simple text
> Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
> to: thomas.ecka...@thockar.com ClamAV: scanned 677 bytes in message - OK
> Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
> to: thomas.ecka...@thockar.com FileScan: scanned 677 bytes in message
> Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
> to: thomas.ecka...@thockar.com info: sending modified message
> Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <sen...@domain.com>
> to: thomas.ecka...@thockar.com [spam found] 554 5.7.1 Mail appears
> infected with \[a virus\] -- disinfect and resend. [eicar test]
> Thomas
>
> From: Louis Carreiro <quantumsch...@outlook.com>
> To: ASSP Mailing List <assp-user@lists.sourceforge.net>,
> Date: 03.04.2013 21:40
> Subject: Re: [Assp-user] Antwort: Re: Antwort: Re: ASSP_AFC plugin
> and EICAR
>
> Nope... If I put the EICAR string in the body of an email while the normal
> ClamAV plugin is running, it blocks the email and I get notified with an
> alert from ASSP. If I enable ASSP_AFC and then send the email again with
> just the EICAR string in the body, it lets it right on through to my
> mailbox.
> v/r,
> Louis
> ----------------------------------------
> To: assp-user@lists.sourceforge.net
> From: thomas.ecka...@thockar.com
> Date: Wed, 3 Apr 2013 21:30:55 +0200
> Subject: [Assp-user] Antwort: Re: Antwort: Re: ASSP_AFC plugin and EICAR
>
> Is the virus being replaced?
> Thomas
>
> From: Louis Carreiro <quantumsch...@outlook.com>
> To: ASSP Mailing List <assp-user@lists.sourceforge.net>,
> Date: 03.04.2013 21:09
> Subject: Re: [Assp-user] Antwort: Re: ASSP_AFC plugin and EICAR
>
> Right... that's what I wanted. What I'm not seeing is anything showing up
> in the ClamAV logs like with the regular ClamAV module. Also, it's not
> catching and scoring the spam emails with the sanesecurity databases.
> It's like nothing is getting moved over to the ClamAV socket.
> v/r,
> Louis
> ----------------------------------------
> To: assp-user@lists.sourceforge.net
> From: thomas.ecka...@thockar.com
> Date: Wed, 3 Apr 2013 20:54:45 +0200
> Subject: [Assp-user] Antwort: Re: ASSP_AFC plugin and EICAR
> >ASSP_AFCReplViriParts:=1
> This will replace the virus by a text file!
> Thomas
>
> From: Louis Carreiro <quantumsch...@outlook.com>
> To: ASSP Mailing List <assp-user@lists.sourceforge.net>,
> Date: 03.04.2013 20:38
> Subject: Re: [Assp-user] ASSP_AFC plugin and EICAR
>
> Thomas,
> Thanks for the quick reply. The settings are as follows:
> DoASSP_AFC:=1
> ASSP_AFCSelect:=3
> ASSP_AFCPriority:=6
> ASSP_AFCReplBadAttach:=
> ASSP_AFCReplBadAttachText:=The attached file (FILENAME) was removed from
> this email by ASSP for policy reasons!
> ASSP_AFCReplViriParts:=1
> ASSP_AFCReplViriPartsText:=There was a virus removed from this email
> (attachment FILENAME) by ASSP!
> ASSP_AFCMSGSIZEscore:=
> ASSP_AFCDetectSpamAttachRe:=file:files/ASSP_AFCDetectSpamAttachReimage.txt
> ASSP_AFCWebScript:=
> ASSP_AFCinsize:=1024
> ASSP_AFCoutsize:=1024
> I've tried setting ASSP_AFCinsize to 10 as well, with the same result.
> v/r,
> Louis
> >What are the settings for the AFC-plugin?
> >
> >Thomas
> > From: quantumsch...@outlook.com
> > To: assp-user@lists.sourceforge.net
> > Date: Wed, 3 Apr 2013 10:20:42 -0400
> > Subject: [Assp-user] ASSP_AFC plugin and EICAR
> >
> > Hey all,
> >
> > With everything running okay on my new ASSPv2 implementation, I started
> > adding in the plugins. ASSP_OCR and ASSP_DCC are both running
> > flawlessly. The problem I'm having is with the ASSP_AFC plugin. I
> > currently have the ClamAV plugin working extremely well and I'm pulling
> > down the SaneSecurity DBs and it's pulling all sorts of spam out. When I
> > turn on ASSP_AFC, everything from a ClamAV perspective gets quiet. I've
> > tried sending a plain text email through with the EICAR string in the body
> > and it doesn't get it. If I disable the ASSP_AFC plugin and let the ClamAV
> > plugin take back over, it catches it. I'm not quite sure where to go with
> > this... Any help would be greatly appreciated!
> >
> > Thanks in advance!
> > Louis
> >
> ------------------------------------------------------------------------------
> > Minimize network downtime and maximize team effectiveness.
> > Reduce network management and security costs.Learn how to hire
> > the most talented Cisco Certified professionals. Visit the
> > Employer Resources Portal
> > http://www.cisco.com/web/learning/employer_resources/index.html
> > _______________________________________________
> > Assp-user mailing list
> > Assp-user@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/assp-user
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
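
Added example, not part of the thread and not ASSP code: a small log triage script that groups ASSP maillog lines by message id and flags messages where ASSP_AFC was called but no "ClamAV: scanned" line was ever logged, which is the difference between the two excerpts compared above. The sample lines are constructed, modelled on the quoted logs with wrapped lines rejoined and placeholder addresses; the function names are assumptions of this example.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the log excerpts quoted in this thread
# (wrapped lines rejoined, addresses and IPs replaced with placeholders).
SAMPLE_LOG = """\
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 192.0.2.10 <sender@example.org> to: admin@example.org ClamAV: scanned 1153 bytes in whitelisted message - FOUND Eicar-Test-Signature
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] [VIRUS] 192.0.2.10 <sender@example.org> to: admin@example.org [spam found] (virus detected: 'Eicar-Test-Signature')
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 192.0.2.11 <sender@example.org> to: admin@example.org [Plugin] calling plugin ASSP_AFC
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 192.0.2.11 <sender@example.org> to: admin@example.org [Plugin] calling plugin ASSP_DCC
Apr-04-13 07:20:20 [Worker_1] Info: connected to dccifd at /var/dcc/dccifd
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] [MessageOK] 192.0.2.11 <sender@example.org> to: admin@example.org message ok - (whitelistdb)
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 192.0.2.12 <sender@example.org> to: rcpt@example.org [Plugin] calling plugin ASSP_AFC
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 192.0.2.12 <sender@example.org> to: rcpt@example.org ClamAV: scanned 70 bytes in message - FOUND Eicar-Test-Signature
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] [VIRUS] 192.0.2.12 <sender@example.org> to: rcpt@example.org 554 5.7.1 Mail appears infected
"""

# Per-message lines carry an id such as m1-74420-10582 before the worker tag.
LINE = re.compile(r"^\S+ \S+ (?P<mid>[mM]\d-\d+-\d+) \[Worker_\d+\] (?P<rest>.*)$")
PLUGIN = re.compile(r"\[Plugin\] calling plugin (\S+)")
CLAM = re.compile(r"ClamAV: scanned (\d+) bytes .*? - (FOUND \S+|OK)")
TAG = re.compile(r"^\[(VIRUS|MessageOK)\]")

def summarize(log_text):
    """Return {message id: plugins called, ClamAV results, final verdict tag}."""
    msgs = OrderedDict()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # worker-level lines (e.g. dccifd chatter) have no message id
        rec = msgs.setdefault(m["mid"], {"plugins": [], "clamav": [], "verdict": None})
        rest = m["rest"]
        if (p := PLUGIN.search(rest)):
            rec["plugins"].append(p.group(1))
        if (c := CLAM.search(rest)):
            rec["clamav"].append(c.group(2))
        if (t := TAG.match(rest)):
            rec["verdict"] = t.group(1)
    return msgs

def silent_afc(msgs):
    """Message ids where ASSP_AFC was called but ClamAV never reported a scan."""
    return [mid for mid, r in msgs.items()
            if "ASSP_AFC" in r["plugins"] and not r["clamav"]]
```

Running silent_afc(summarize(...)) over a real maillog.txt requires rejoining any wrapped lines first; an id it returns is a message that passed through the plugin without a scan result being logged.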