It appears to be stopping when it finds a vulnerability and does not get scanned for virus.
John T eServices For You > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Colbeck, Andrew > Sent: Saturday, May 28, 2005 5:58 PM > To: Declude.Virus@declude.com > Subject: RE: [Declude.Virus] EXITSCANONVIRUS > > ... that's reasonable, John. > > How does it work up to now? If a vulnerability and a virus are > detected, which gets reported? > > Andrew 8) > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff > (Lists) > Sent: Saturday, May 28, 2005 5:17 PM > To: Declude.Virus@declude.com > Subject: RE: [Declude.Virus] EXITSCANONVIRUS > > > I agree with Darrell. If it contains a virus, I want it to be marked as > a virus. If it does not contain a virus, then if it contains a > vulnerability or banned extension then mark as such. > > An example is that some Sober viruses also contain vulnerability. Well, > I want it labeled as a virus not vulnerability. > > John T > eServices For You > > > -----Original Message----- > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > > On Behalf Of Darrell ([EMAIL PROTECTED]) > > Sent: Saturday, May 28, 2005 10:10 AM > > To: Declude.Virus@declude.com > > Subject: Re: [Declude.Virus] EXITSCANONVIRUS > > > > My thoughts are this - a virus is a virus and a vulnerability is a > > vulnerability. My expectation is that if a virus is detected than the > other > > scanners will not be called. However, if a vulnerability is detected > > the scanners will execute until such time a "virus" is found. > > > > Maybe two switches - EXITSCANONVULNERABILITY... > > > > However, on the grander scale of things if nothing changed on this I > > would still use EXITSCANONVIRUS as long as it observes the various > > delivery options on vulnerabilities. > > > > Darrell > > > > ------------------------------------------- > > invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the > > default configuration. Download a copy today - > > http://www.invariantsystems.com > > > > > > ----- Original Message ----- > > From: "Colbeck, Andrew" <[EMAIL PROTECTED]> > > To: <Declude.Virus@declude.com> > > Sent: Saturday, May 28, 2005 12:49 PM > > Subject: RE: [Declude.Virus] EXITSCANONVIRUS > > > > > > John, can you expand on that? > > > > In my implementation, there is no difference in message treatment if a > > > vulnerability or virus is detected. Therefore, I am happy to stop the > > > virus scanning if a vulnerability is detected. That is, as long as > > ALLOWVULNERABILITIESFROM is still respected. > > > > Of course, I've already found that these two had too many false > > positives for the safety they afford, so I've turned them off: > > > > BANPARTIAL OFF > > BANCRVIRUSES OFF > > > > which leaves me with > > > > BANCLSID ON > > > > which has never been triggered. > > > > Andrew 8) > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff > > (Lists) > > Sent: Saturday, May 28, 2005 12:34 AM > > To: Declude.Virus@declude.com > > Subject: RE: [Declude.Virus] EXITSCANONVIRUS > > > > > > Well, here is an example of what I was hoping not to see. > > > > 05/27/2005 23:35:14 Q112105DF00002AB2 Vulnerability flags = 0 > > 05/27/2005 23:35:14 Q112105DF00002AB2 Outlook 'CR' vulnerability > > [Subject: H] in line 15 05/27/2005 23:35:15 Q112105DF00002AB2 Virus > > scanner 1 reports exit code of 0 05/27/2005 23:35:15 Q112105DF00002AB2 > > > File(s) are INFECTED [[Outlook 'CR' > > Vulnerability]: 0] > > 05/27/2005 23:35:36 Q112105DF00002AB2 Scanned: CONTAINS A VIRUS > > 05/27/2005 23:35:36 Q112105DF00002AB2 From: > > [EMAIL PROTECTED] > > To: [EMAIL PROTECTED] [incoming from x.x.x.x] 05/27/2005 > > 23:35:36 Q112105DF00002AB2 Subject: How is Rebecca doing? > > > > In this case, the subject line is the last line for the message in the > > > Declude Virus log in HIGH and it apparently shows that scanners 2 & 3 > > were not called. If it finds a vulnerability, it still should fire the > > > scanners to see if one of them finds an actual virus. > > > > John T > > eServices For You > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] > > > On Behalf Of David Franco-Rocha [ Declude ] > > > Sent: Friday, May 27, 2005 7:21 AM > > > To: Declude.Virus@declude.com > > > Subject: Re: [Declude.Virus] EXITSCANONVIRUS > > > > > > John, > > > > > > There is a processing loop wherein all the scanners are called in > > > succession. It is independent of vulnerability checking. This > > > directive merely tells Declude to break out of the external virus > > > scanner execution loop. If you use this directive to exit the > > > scanning > > > > > loop on virus > > detection > > > and (1) you have 5 scanners listed in your cfg file and (2) a virus > > > is > > > > > detected by the first scanner listed, then the effect is exactly the > > > > same > > in > > > processing as if you had a single scanner listed and a virus were > > > detected by that single scanner. > > > > > > David Franco-Rocha > > > Declude Technical Support > > > > > > ----- Original Message ----- > > > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > > > To: <Declude.Virus@declude.com> > > > Sent: Friday, May 27, 2005 2:50 AM > > > Subject: [Declude.Virus] EXITSCANONVIRUS > > > > > > > > > A question about this new feature. > > > > > > Am I correct in thinking that as soon as a scanner reports a virus, > > > the > > next > > > scanner(s) in line will not be called and the message will be > > > processed accordingly, and that it will not be affected by Declude > > > first finding a banned attachment before having it scanned by a > > > scanner? > > > > > > John T > > > eServices For You > > > > > > > > > > > > --- > > > This E-mail came from the Declude.Virus mailing list. To > > > unsubscribe, > > > > > just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.Virus". The archives can be found > > > at http://www.mail-archive.com. > > > > > > --- > > > This E-mail came from the Declude.Virus mailing list. To > > > unsubscribe, > > > > > just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.Virus". The archives can be found > > > at http://www.mail-archive.com. > > > > --- > > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > > > just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus". The archives can be found > > at http://www.mail-archive.com. > > --- > > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > > > just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus". The archives can be found > > at http://www.mail-archive.com. > > > > --- > > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > > > just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus". The archives can be found > > at http://www.mail-archive.com. > > --- > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
