Re: [Declude.Virus] EXITSCANONVIRUS

[Darin Cox]

I would hope existing vulnerability checks would not be retired, since there are already flags to decide whether or not to check for particular ones.  We catch a bit of spam in the virus queue with these checks that is not otherwise caught, especially some that someone else (Andrew?) mentioned getting rid of.   Unless there is 100% probability that no one will use the functionality any longer, please add flags to turn it off instead of removing it completely.  That way those that still prefer it can still use it. Darin.     ----- Original Message ----- From: Matt To: Declude.Virus@declude.com Sent: Sunday, May 29, 2005 1:23 AM Subject: Re: [Declude.Virus] EXITSCANONVIRUS John, I don't think that the behavior displayed in your logs was entirely purposeful.  Declude tagged it with a vulnerability and then it ran your first virus scanner and found no virus, and then apparently it decided not to run the last two virus scanners.  This of course is only interim functionality and I would imagine that they would be open to reports of unexpected behavior as well as tweaks for more optimal behavior. I believe that the intended functionality for EXITSCANONVIRUS ON would be to ignore the vulnerabilities and only skip further virus scanning when a prior virus scanner reports an exit code that you have configured to mark it as a virus.  This seems consistent with what you are saying it should be. In an older thread regarding some bugs with F-Prot and other related things, Andrew also suggested separate functionality that would skip virus scanning when a vulnerability was found since that would be enough to block it on most systems.  At that time I suggested that this was not necessarily a good idea, but I made a mistake. For my system, and many others running BANCRVIRUSES ON, it might be an even bigger CPU savings to skip all virus scanners when a vulnerability is detected.  The only downside to this is that you will fill up your virus directory when using such a switch unless you are using another new directive, DELETEVULNERABILITIES ON.  Naturally skipping virus scanning for vulnerabilities would be optional and not the default setting, and so would be deleting vulnerabilities.  I would be in favor of seeing something like EXITSCANONVULNERABILITY added to Declude. Note that there are many issues with the current set of vulnerability checks that Declude does, and it would help to address these at the same time.  We do have a switch to turn most of this off, but I get the impression that they are aware of the issues and are considering or may have decided to approach vulnerabilities differently, or possibly retiring some where appropriate.  Deleting messages that fail vulnerability checks but aren't tagged as viruses should only really be done if you can rely on the vulnerability checks to be accurate. Matt John Tolmachoff (Lists) wrote: It appears to be stopping when it finds a vulnerability and does not get scanned for virus. John T eServices For You -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Saturday, May 28, 2005 5:58 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] EXITSCANONVIRUS ... that's reasonable, John. How does it work up to now? If a vulnerability and a virus are detected, which gets reported? Andrew 8) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists) Sent: Saturday, May 28, 2005 5:17 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] EXITSCANONVIRUS I agree with Darrell. If it contains a virus, I want it to be marked as a virus. If it does not contain a virus, then if it contains a vulnerability or banned extension then mark as such. An example is that some Sober viruses also contain vulnerability. Well, I want it labeled as a virus not vulnerability. John T eServices For You -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Saturday, May 28, 2005 10:10 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] EXITSCANONVIRUS My thoughts are this - a virus is a virus and a vulnerability is a vulnerability. My expectation is that if a virus is detected than the other scanners will not be called. However, if a vulnerability is detected the scanners will execute until such time a "virus" is found. Maybe two switches - EXITSCANONVULNERABILITY... However, on the grander scale of things if nothing changed on this I would still use EXITSCANONVIRUS as long as it observes the various delivery options on vulnerabilities. Darrell ------------------------------------------- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com ----- Original Message ----- From: "Colbeck, Andrew" <[EMAIL PROTECTED]> To: <Declude.Virus@declude.com> Sent: Saturday, May 28, 2005 12:49 PM Subject: RE: [Declude.Virus] EXITSCANONVIRUS John, can you expand on that? In my implementation, there is no difference in message treatment if a vulnerability or virus is detected. Therefore, I am happy to stop the virus scanning if a vulnerability is detected. That is, as long as ALLOWVULNERABILITIESFROM is still respected. Of course, I've already found that these two had too many false positives for the safety they afford, so I've turned them off: BANPARTIAL OFF BANCRVIRUSES OFF which leaves me with BANCLSID ON which has never been triggered. Andrew 8) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists) Sent: Saturday, May 28, 2005 12:34 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] EXITSCANONVIRUS Well, here is an example of what I was hoping not to see. 05/27/2005 23:35:14 Q112105DF00002AB2 Vulnerability flags = 0 05/27/2005 23:35:14 Q112105DF00002AB2 Outlook 'CR' vulnerability [Subject: H] in line 15 05/27/2005 23:35:15 Q112105DF00002AB2 Virus scanner 1 reports exit code of 0 05/27/2005 23:35:15 Q112105DF00002AB2 File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 0] 05/27/2005 23:35:36 Q112105DF00002AB2 Scanned: CONTAINS A VIRUS 05/27/2005 23:35:36 Q112105DF00002AB2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from x.x.x.x] 05/27/2005 23:35:36 Q112105DF00002AB2 Subject: How is Rebecca doing? In this case, the subject line is the last line for the message in the Declude Virus log in HIGH and it apparently shows that scanners 2 & 3 were not called. If it finds a vulnerability, it still should fire the scanners to see if one of them finds an actual virus. John T eServices For You -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Franco-Rocha [ Declude ] Sent: Friday, May 27, 2005 7:21 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] EXITSCANONVIRUS John, There is a processing loop wherein all the scanners are called in succession. It is independent of vulnerability checking. This directive merely tells Declude to break out of the external virus scanner execution loop. If you use this directive to exit the scanning loop on virus detection and (1) you have 5 scanners listed in your cfg file and (2) a virus is detected by the first scanner listed, then the effect is exactly the same in processing as if you had a single scanner listed and a virus were detected by that single scanner. David Franco-Rocha Declude Technical Support ----- Original Message ----- From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: <Declude.Virus@declude.com> Sent: Friday, May 27, 2005 2:50 AM Subject: [Declude.Virus] EXITSCANONVIRUS A question about this new feature. Am I correct in thinking that as soon as a scanner reports a virus, the next scanner(s) in line will not be called and the message will be processed accordingly, and that it will not be affected by Declude first finding a banned attachment before having it scanned by a scanner? John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================