I agree with Darrell. If it contains a virus, I want it to be marked as a virus. If it does not contain a virus, then if it contains a vulnerability or banned extension then mark as such.
An example is that some Sober viruses also contain vulnerability. Well, I want it labeled as a virus not vulnerability. John T eServices For You > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Darrell ([EMAIL PROTECTED]) > Sent: Saturday, May 28, 2005 10:10 AM > To: [email protected] > Subject: Re: [Declude.Virus] EXITSCANONVIRUS > > My thoughts are this - a virus is a virus and a vulnerability is a > vulnerability. My expectation is that if a virus is detected than the other > scanners will not be called. However, if a vulnerability is detected the > scanners will execute until such time a "virus" is found. > > Maybe two switches - EXITSCANONVULNERABILITY... > > However, on the grander scale of things if nothing changed on this I would > still use EXITSCANONVIRUS as long as it observes the various delivery > options on vulnerabilities. > > Darrell > > ------------------------------------------- > invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default > configuration. Download a copy today - http://www.invariantsystems.com > > > ----- Original Message ----- > From: "Colbeck, Andrew" <[EMAIL PROTECTED]> > To: <[email protected]> > Sent: Saturday, May 28, 2005 12:49 PM > Subject: RE: [Declude.Virus] EXITSCANONVIRUS > > > John, can you expand on that? > > In my implementation, there is no difference in message treatment if a > vulnerability or virus is detected. Therefore, I am happy to stop the > virus scanning if a vulnerability is detected. That is, as long as > ALLOWVULNERABILITIESFROM is still respected. > > Of course, I've already found that these two had too many false > positives for the safety they afford, so I've turned them off: > > BANPARTIAL OFF > BANCRVIRUSES OFF > > which leaves me with > > BANCLSID ON > > which has never been triggered. > > Andrew 8) > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff > (Lists) > Sent: Saturday, May 28, 2005 12:34 AM > To: [email protected] > Subject: RE: [Declude.Virus] EXITSCANONVIRUS > > > Well, here is an example of what I was hoping not to see. > > 05/27/2005 23:35:14 Q112105DF00002AB2 Vulnerability flags = 0 05/27/2005 > 23:35:14 Q112105DF00002AB2 Outlook 'CR' vulnerability [Subject: H] in > line 15 05/27/2005 23:35:15 Q112105DF00002AB2 Virus scanner 1 reports > exit code of 0 05/27/2005 23:35:15 Q112105DF00002AB2 File(s) are > INFECTED [[Outlook 'CR' > Vulnerability]: 0] > 05/27/2005 23:35:36 Q112105DF00002AB2 Scanned: CONTAINS A VIRUS > 05/27/2005 23:35:36 Q112105DF00002AB2 From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] [incoming from x.x.x.x] 05/27/2005 > 23:35:36 Q112105DF00002AB2 Subject: How is Rebecca doing? > > In this case, the subject line is the last line for the message in the > Declude Virus log in HIGH and it apparently shows that scanners 2 & 3 > were not called. If it finds a vulnerability, it still should fire the > scanners to see if one of them finds an actual virus. > > John T > eServices For You > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > > On Behalf Of David Franco-Rocha [ Declude ] > > Sent: Friday, May 27, 2005 7:21 AM > > To: [email protected] > > Subject: Re: [Declude.Virus] EXITSCANONVIRUS > > > > John, > > > > There is a processing loop wherein all the scanners are called in > > succession. It is independent of vulnerability checking. This > > directive merely tells Declude to break out of the external virus > > scanner execution loop. If you use this directive to exit the scanning > > > loop on virus > detection > > and (1) you have 5 scanners listed in your cfg file and (2) a virus is > > > detected by the first scanner listed, then the effect is exactly the > > same > in > > processing as if you had a single scanner listed and a virus were > > detected by that single scanner. > > > > David Franco-Rocha > > Declude Technical Support > > > > ----- Original Message ----- > > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > > To: <[email protected]> > > Sent: Friday, May 27, 2005 2:50 AM > > Subject: [Declude.Virus] EXITSCANONVIRUS > > > > > > A question about this new feature. > > > > Am I correct in thinking that as soon as a scanner reports a virus, > > the > next > > scanner(s) in line will not be called and the message will be > > processed accordingly, and that it will not be affected by Declude > > first finding a banned attachment before having it scanned by a > > scanner? > > > > John T > > eServices For You > > > > > > > > --- > > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > > > just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus". The archives can be found > > at http://www.mail-archive.com. > > > > --- > > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > > > just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus". The archives can be found > > at http://www.mail-archive.com. > > --- > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
