Thanks a lot, setting ASSP_AFCSelect = 3 solved it. I was confused by that documentation:

ASSP_AFCSelect
If you enable one or both options of this plugin, the complete mail will be scanned for bad attachments and/or viruses!

So I had the impression AFC would be used regardless of which option is selected (one or both options).

Thomas

From: Thomas Eckardt <thomas.ecka...@thockar.com>
Sent: Saturday, September 19, 2020 1:58 PM
To: For Users of ASSP <assp-user@lists.sourceforge.net>
Subject: Re: [Assp-user] ASSP_AFC not using VirusTotal

>we enabled and configured ASSP_AFC
OK ? , but how !

>ASSP_AFCSelect:=1
for virusscan, this should be SET TO '2' OR '3'
1:do attachments
2:do ClamAV, FileScan
3:do both

'DoVirusTotalVirusScan','Enable VirusTotal Virus Scan' -
'If a VirusTotalAPIKey is provided and this option is enabled, all MIME-parts will be (in addition to ClamAV and/or FileScan) checked by www.virustotal.com.'

Thomas

From: "Thomas Kofler" <k...@outlook.com>
To: "For Users of ASSP" <assp-user@lists.sourceforge.net>
Date: 18.09.2020 19:15
Subject: Re: [Assp-user] ASSP_AFC not using VirusTotal

Thanks, set to verbose and reports like below, unfortunately I am still out of ideas.

Sep-18-20 19:05:54 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> info: found message size announcement: 105.50 kByte
Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com redlisted: us...@domain1.com - not white
Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com DKIM-Signature found
Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com info: found known good HELO 'eur04-he1-obe.outbound.protection.outlook.com' - weight is -0.9
Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Message-Score: added -18 for KnownGoodHelo, total score for this message is now -18
Sep-18-20 19:05:56 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com [scoring] DKIM signature verified-OK - header-passed - identity is: @outlook.com - sender policy is: neutral - author policy is: neutral
Sep-18-20 19:05:56 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com info: domain outlook.com has published a DMARC record
Sep-18-20 19:05:56 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Message-Score: added -10 (spfpValencePB) for SPF pass, total score for this message is now -28
Sep-18-20 19:05:57 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Message-Score: added 10 for Foreign IP-Country FI (MICROSOFT CORPORATION), total score for this message is now -18
Sep-18-20 19:05:57 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Message-Score: added -15 (pbwValencePB) for In Penalty White Box, total score for this message is now -33
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com ClamAV: scanned 64981 bytes in message - OK
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com Bayesian Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 55% of 20
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com [Plugin] calling plugin ASSP_AFC
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com info: 1 attachment found for Level-0
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com [Plugin] calling plugin ASSP_Razor
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com razor message [check]: Razor-Agents v2.86 starting razor-check
Sep-18-20 19:05:59 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com razor message [check]: mail 1 is not known spam.
Sep-18-20 19:05:59 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com [Plugin] calling plugin ASSP_DCC
Sep-18-20 19:05:59 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] [MessageOK] 40.92.73.16 <us...@domain1.com> to: us...@localdomain2.com message ok [attach scan 2]

From: Thomas Eckardt <thomas.ecka...@thockar.com>
Sent: Friday, September 18, 2020 1:42 PM
To: For Users of ASSP <assp-user@lists.sourceforge.net>
Subject: Re: [Assp-user] ASSP_AFC not using VirusTotal

increase the level of 'ScanLog'

Thomas

From: "Thomas Kofler" <k...@outlook.com>
To: "assp-user@lists.sourceforge.net" <assp-user@lists.sourceforge.net>
Date: 18.09.2020 13:29
Subject: [Assp-user] ASSP_AFC not using VirusTotal

Hi,

we enabled and configured ASSP_AFC, but it seems that it's not using VirusTotal, which we configured including the API key (clamav is fine). Based on maillog calling plugin ASSP_AFC is called, but we see no API calls on the dashboard of VirusTotal (only, if we enable URI-based scanning outside of ASSP_AFC).

Is there any possibility to debug ASSP_AFC?

Thanks,
Thomas

ASSP 2.6.3 (20002), all module version requirements met based on assp gui

ASSP_AFCSelect:=1
ASSP_AFCPriority:=6
ASSP_AFCDoVirusTotalVirusScan:=1
ASSP_AFCblockEncryptedZIP:=
ASSP_AFCMaxZIPLevel:=10
ASSP_AFCextractAttMail:=3
ASSP_AFCKnownGoodEXE:=file:files/knowngoodattach.txt
ASSP_AFCReplBadAttach:=
ASSP_AFCReplBadAttachText:=The attached file (FILENAME) was removed from this email by ASSP for policy reasons! The file was detected as REASON .
ASSP_AFCReplViriParts:=
ASSP_AFCReplViriPartsText:=There was a virus (VIRUS) removed from this email (attachment FILENAME) by ASSP!
ASSP_AFCMSGSIZEscore:=
ASSP_AFCDetectSpamAttachRe:=image\/
ASSP_AFCWebScript:=
ASSP_AFCinsize:=1024
ASSP_AFCoutsize:=1024
ASSP_AFCSMIME:=7060944965f8076143302e50d79550fb55522c0b8346275100187c0954
ClamAVBytes:=60000
UseAvClamd:=1
AvClamdPort:=/var/run/clamd.scan/clamd.sock
ClamAVLogScan:=2
ClamAVtimeout:=30

_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user

DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************
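
The misconfiguration resolved in this thread, written as a check over a pasted settings dump. This is an added example, not ASSP code and not from the thread's participants; `parse_dump` and `check_afc_virus_scan` are hypothetical helper names, while the setting names and the meaning of values 1, 2 and 3 are taken from the messages above.

```python
import re

# Meaning of ASSP_AFCSelect values, as stated in the thread.
SELECT_MODES = {"1": "attachments", "2": "ClamAV, FileScan", "3": "both"}

# Subset of the settings dump posted in the thread.
SAMPLE_DUMP = """\
ASSP_AFCSelect:=1
ASSP_AFCPriority:=6
ASSP_AFCDoVirusTotalVirusScan:=1
ASSP_AFCblockEncryptedZIP:=
ASSP_AFCKnownGoodEXE:=file:files/knowngoodattach.txt
UseAvClamd:=1
"""

def parse_dump(text):
    """Parse 'Name:=value' lines (the format pasted in the thread) into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):=(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def check_afc_virus_scan(settings):
    """Return findings explaining why ASSP_AFC would not run a virus scan."""
    findings = []
    select = settings.get("ASSP_AFCSelect", "")
    vt_enabled = settings.get("ASSP_AFCDoVirusTotalVirusScan", "") == "1"
    if select not in SELECT_MODES:
        findings.append(f"ASSP_AFCSelect={select!r} is not a value described in the thread")
    elif select == "1":
        findings.append("ASSP_AFCSelect=1 does attachments only; "
                        "set it to 2 or 3 for the virus scan")
        if vt_enabled:
            # VirusTotal runs "in addition to ClamAV and/or FileScan",
            # so it is never reached while only the attachment check is on.
            findings.append("ASSP_AFCDoVirusTotalVirusScan=1 has no effect "
                            "while ASSP_AFCSelect=1")
    return findings

if __name__ == "__main__":
    for finding in check_afc_virus_scan(parse_dump(SAMPLE_DUMP)):
        print("WARNING:", finding)
```
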