Hi all,

a fixup 2.6.3 build 19115 is released on sourceforge.
It fixes some bugs and provides new features.

https://sourceforge.net/projects/assp/files/ASSP%20V2%20multithreading/2.6.3%20latest%20fixup/

fix list:

- the post virusscan for the stored corpus files, scored for the already 
finished mail - this was confusing for some users and is removed

- HTML-comments are now removed from resend request emails, because their 
content may have affected the resend processing

- The ClamAV-engine now uses the modern INSTREAM clamav-API. It uses less 
system resources and is faster than the "old" STREAM-API.

- The default value for 'ClamAVtimeout' is changed to 30 seconds. 


- Several domains provide their SPF-record (and possibly other 
DNS-records) as wildcard records (for each possible subdomain).
  This caused the DKIM-preCheck to detect a (possible) provided 
DKIM-DNS-configuration, because it got a TXT record (the wildcard-record) 
for _domainkey.domain.tld and/or _adsp._domainkey.domain.tld.
  Non-DKIM-related DNS TXT answers are now ignored by the DKIM-preCheck to 
prevent false positives.

- the resend from block report using the right button failed, if the 
subject of the mail contained 'x' followed by two digits (eg: x30)

- using the unix socket for the ClamAV communication failed on some 
systems

- assp threw an error if the ClamAV configuration was invalid or not 
working, even though UseAvClamd was disabled

- the rebuildspamdb task crashed, if the HMMdb contained only one record


- ASSP_AFC.pm is now able to tell a local mail server or advanced threat 
analyzer if the attached files may need some further investigation or 
analysis.
  This is done by adding a special (hiddenly configurable) MIME header 
tag.

# advanced threat analyzing or deep threat inspection for incoming mails
# enableATA: 1 - check ATA if an attachment failed, 2 - check if any
#            attachment is found, 3 - check every mail
$ASSP_AFC::enableATA = 0;
$ASSP_AFC::ATAHeaderTag = "X-ASSP-Require-ATA: YES; RESENDLINK;SHOWMAIL;SHOWLOG\r\n";
      # the literal RESENDLINK will be replaced by a mailto resendlink,
      # which may be shown by an ATA report mail
      # SHOWMAIL offers the link to open the file in the assp file editor
      # SHOWLOG offers the link to show the log for the mail in maillogtail
      # (an optional trailing number defines the days in the past, e.g.
      # SHOWLOG2 - two days is default and used if no number is given)
      # every link is preceded by \r\n\t

- ASSP_AFC 5.06 is released - it contains fixes and extensions for 
'ASSP_AFCKnownGoodEXE','Well Known Good Executable Files'

[ASSP_AFCKnownGoodEXE,'Well Known Good Executable Files'
 'Put the SHA256_HEX hash of all well known good executables into this 
file (one per line). If the SHA256_HEX hash (not case sensitive) of an 
attachment or a part of a compressed attachment
 (e.g. exe, *.bin MS-Macro or OLE) is equal to a line in this file, the 
attachment passes the attachment check for all mails (regardless of its 
extension and the settings in UserAttach).
 The same applies to the following objects in a PDF file: Certificate, 
Signature, JavaScript. If the SHA256_HEX hash of any of these PDF objects 
matches, the PDF will pass the attachment check.
 Comments are allowed after the hash and at the beginning of a line 
(recommended).
 If configured, the analyzer and the maillog.txt will show the SHA256_HEX 
hash and the optional defined comment for all detected executables and PDF 
objects.
 For security reasons, virus scanning is not skipped.
 <b>Notice:</b> this feature is mainly created for executable files, but 
it will work for every attachment and every part of a compressed 
attachment.
 For example - this can be useful if clients regularly send or receive 
documents or excel sheets which contain the same MS-Macro/MS-OLE (e.g. 
executable) every time.
 In this case, decompress the doc[xm] and calculate the SHA256_HEX hash 
for the vbaProject.bin or the vbaProjectSignature.bin file and register 
the hash here.
 examples:
 
 # sales documents
 a704ebf55efa5bb8079bb2ea1de54bfd5e9a0f7ed3a38867759b81bfc7b2cc9c # sales price_list.pdf - contains well known good Java-Script
 96c4e6976d16b424ff02d7ef3fdabf41262d3ffc6a191431dc77176a814c1256 # sales sales_report.pdf - contains known Certificate
 08d5518ef129ba1a992f5eb5c25e497cf886556710ffebe7cfb6aedf9d5727c9 # VBA Macro signature vbaProjectSignature.bin in sales info.docm
 
 In addition to the SHA256_HEX hash, you can define at which compression 
level the hash should be valid. Compression levels are comma separated 
numerical values or ranges
 - like 0,1,2 or 0-2 or 0...8 or 0-2,4...6 or 1 .
 The compression level zero is the not decompressed attachment itself. To 
include all compression levels, define a single asterisk * or no level 
definition.
 examples:
 
 # sales documents
 a704ebf55efa5bb8079bb2ea1de54bfd5e9a0f7ed3a38867759b81bfc7b2cc9c 0,1 # sales price_list.pdf - contains well known good Java-Script - valid at zip level 0 and 1
 96c4e6976d16b424ff02d7ef3fdabf41262d3ffc6a191431dc77176a814c1256 *   # sales sales_report.pdf - contains known Certificate - valid at any zip level
 08d5518ef129ba1a992f5eb5c25e497cf886556710ffebe7cfb6aedf9d5727c9 1   # VBA Macro signature vbaProjectSignature.bin in sales info.docm - only valid in the .docm itself (which is a zip) - .docm in a zip is not valid
 08d5518ef129ba1a992f5eb5c25e497cf886556710ffebe7cfb6aedf9d5727c9 0   # VBA Macro signature vbaProjectSignature.bin in sales info.docm - this will not work, because a .docm is a compressed file
 
 To show the SHA256_HEX value for a file at the command line, execute 
 :>shasum -a 256 -b the_file_name
 To show the SHA256_HEX values for all relevant PDF-objects in a PDF file, 
change into the assp folder and execute 
 :>perl getpdfsha.pl the_PDF_file_name
 You may also compose and send a mail with the files in question attached 
to the analyze email-interface - EmailAnalyze . 
 The log output of the analyzer will show all SHA256_HEX hashes (if 
AttachmentLog is enabled).
 Notice: different PDF creator applications may store the same PDF-object 
(Cert, Sig, JS) in different ways, which will result in different 
SHA256_HEX hashes for the same PDF-object!
 If this happens, you need to calculate the SHA256_HEX hash for each 
different occurrence of the PDF-object.'



Thomas
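
An added example, not part of the original mail and not ASSP's own code: a small Python checker for an ASSP_AFCKnownGoodEXE list that reads the line format and compression-level syntax as described above and hashes every nested zip member with its level. The function names, the `max_level` cap and the level-counting rule (zip members are one level deeper than their container) are assumptions drawn from that description.

```python
import hashlib, io, re, zipfile

SAMPLE = """# sales documents (entries copied from the description's examples)
a704ebf55efa5bb8079bb2ea1de54bfd5e9a0f7ed3a38867759b81bfc7b2cc9c 0,1 # price_list.pdf
96c4e6976d16b424ff02d7ef3fdabf41262d3ffc6a191431dc77176a814c1256 *   # sales_report.pdf
08d5518ef129ba1a992f5eb5c25e497cf886556710ffebe7cfb6aedf9d5727c9 1   # vbaProjectSignature.bin
"""

LINE_RE = re.compile(r'^([0-9a-fA-F]{64})\s*([^#]*?)\s*(?:#\s*(.*))?$')
PART_RE = re.compile(r'\s*(\d+)\s*(?:(?:-|\.\.\.)\s*(\d+))?\s*')

def parse_levels(spec):
    """'' or '*' -> None (any level); '0,1', '0-2', '0...8' -> set of ints."""
    if spec.strip() in ('', '*'):
        return None
    levels = set()
    for part in spec.split(','):
        m = PART_RE.fullmatch(part)
        if not m:
            raise ValueError(f'bad compression level: {part!r}')
        lo = int(m.group(1))
        levels.update(range(lo, int(m.group(2) or lo) + 1))
    return levels

def parse_known_good(text):
    """Map lowercase hash -> list of (levels, comment); skip comment lines."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'not a SHA256_HEX entry: {line!r}')
        entry = (parse_levels(m.group(2)), m.group(3) or '')
        entries.setdefault(m.group(1).lower(), []).append(entry)
    return entries

def is_known_good(entries, sha256_hex, level):
    """Hash comparison is not case sensitive; levels None matches any level."""
    return any(lv is None or level in lv
               for lv, _ in entries.get(sha256_hex.lower(), []))

def hashes_by_level(data, level=0, max_level=8):
    """Yield (level, hash) for data and every nested zip member (depth capped)."""
    yield level, hashlib.sha256(data).hexdigest()
    if level < max_level and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                yield from hashes_by_level(z.read(name), level + 1, max_level)
```

Running `hashes_by_level` over a .docm shows why a macro hash registered at level 0 never matches: the vbaProject.bin member only appears at level 1. Anything that unpacks untrusted attachments this way also needs a cap on decompressed size, which this example leaves out.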
