RE: [Declude.Virus] Integrated Sniffer

2010-03-19 Thread Andy Schmidt
Hi Pete:

Thanks for jumping in.

1.  The SNF engine performs the SNF2CHECK task before it accepts a new
rulebase 

I'm a little confused - the script replaces the rulebase - without checking.
So what happens if the rulebase is bad? By the time the engine checks, the
good one is already renamed and the bad one is already called .snf

if exist %LICENSE_ID%.old del %LICENSE_ID%.old
if exist %LICENSE_ID%.snf rename %LICENSE_ID%.snf %LICENSE_ID%.old
rename %LICENSE_ID%.new %LICENSE_ID%.snf

2. I assume I can still just update the XML file to move the logfiles,
rulebase and workspace to its own subfolders to keep things tidy and for
improved maintainability?

<log path='[PATH]\declude\scanners\SNF\logs\'/>
<rulebase path='[PATH]\declude\scanners\SNF\rulebase\'/>
<workspace path='[PATH]\declude\scanners\SNF\work\'/>

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, March 19, 2010 1:22 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

On 3/19/2010 11:26 AM, Andy Schmidt wrote:
 Thanks - downloaded and installed.

 I'll have to take a look at the integrated Sniffer. I got pulled away and
 never got back to it.

 I'll have to take a good look at the rulebase update - on first glance it
 seems as if your script is leaving out the crucial SNF2CHECK to make sure
 that the downloaded rulebase is valid BEFORE replacing it. So I'll have to
 look at it very carefully.


Andy,

The script cannot call snf2check for the embedded SNF because that would 
expose the OEM rulebase.

The SNF engine performs the SNF2CHECK task before it accepts a new 
rulebase so it's ok to leave that out of the update script in OEM 
integrations of the SNF engine.

In fact, the getRulebase.cmd script need not be used at all by an OEM -- 
they can use their own facility. However in this case I recommended 
strongly that Declude use a modified getRulebase script so that Declude 
customers could modify it to perform additional tasks in the way they 
are used to.

Hope this helps,

Best,

_M



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.







Re: [Declude.Virus] Integrated Sniffer

2010-03-19 Thread Pete McNeil

On 3/19/2010 1:46 PM, Andy Schmidt wrote:

Hi Pete:

Thanks for jumping in.

1.  The SNF engine performs the SNF2CHECK task before it accepts a new
rulebase

I'm a little confused - the script replaces the rulebase - without checking.
So what happens if the rulebase is bad? By the time the engine checks, the
good one is already renamed and the bad one is already called .snf


If the rulebase does not properly authenticate in the SNF engine then 
the reload is rejected.
Once the guard time expires the update script will be run again (by 
default after 3 minutes).



2. I assume I can still just update the XML file to move the logfiles,
rulebase and workspace to its own subfolders to keep things tidy and for
improved maintainability?

<log path='[PATH]\declude\scanners\SNF\logs\'/>
<rulebase path='[PATH]\declude\scanners\SNF\rulebase\'/>
<workspace path='[PATH]\declude\scanners\SNF\work\'/>

As far as I know that should be ok -- but you need to check with 
Declude on that first. They may have certain expectations built into 
their software and/or their support process.


_M






RE: [Declude.Virus] Integrated Sniffer

2010-03-19 Thread Andy Schmidt
Thanks

 If the rulebase does not properly authenticate in the SNF engine then the
reload is rejected.
Once the guard time expires the update script will be run again (by default
after 3 minutes). 

Which also means, if the corrupt rulebase persists and the server or
services happen to be restarted during those times, we have a potential
problem because upon restart it won't have a good rulebase to fall back on.

So there's definitely a (calculated) risk in NOT checking the rulebase
BEFORE renaming it.



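A worked illustration of the rename sequence and the fallback risk discussed in this thread, added here as an example that is not from the thread or from the Declude/SNF scripts: it reproduces the three-step rename from the quoted getRulebase.cmd in Python, shows how a corrupt download becomes the active .snf, and contrasts that with a validate-before-rename variant plus a rollback from the .old copy for the restart case. The `is_valid` check is a constructed stand-in (a fake header), since the thread notes OEM integrations cannot call snf2check; the license id, directory and file contents are placeholders.

```python
import tempfile
from pathlib import Path

def swap_unchecked(rb_dir: Path, lic: str) -> None:
    """Same three steps as the quoted getRulebase.cmd: del .old, .snf -> .old, .new -> .snf.
    Nothing is validated, so a corrupt .new becomes the active .snf."""
    old, snf, new = (rb_dir / f"{lic}.{ext}" for ext in ("old", "snf", "new"))
    if old.exists():
        old.unlink()
    if snf.exists():
        snf.rename(old)
    new.rename(snf)

def install_checked(rb_dir: Path, lic: str, is_valid) -> bool:
    """Validate .new BEFORE any rename; a bad download is discarded and the
    previously good .snf is never touched. Returns True if the swap happened."""
    new = rb_dir / f"{lic}.new"
    if not is_valid(new):
        new.unlink(missing_ok=True)
        return False
    swap_unchecked(rb_dir, lic)
    return True

def rollback(rb_dir: Path, lic: str) -> bool:
    """Recovery for the restart window described in the thread: if the active
    .snf was rejected, reinstate the .old copy so the service has a good rulebase."""
    old, snf = rb_dir / f"{lic}.old", rb_dir / f"{lic}.snf"
    if not old.exists():
        return False
    snf.unlink(missing_ok=True)
    old.rename(snf)
    return True

def demo() -> dict:
    """Constructed scenario: a good rulebase is active, then a corrupt download arrives."""
    rb_dir = Path(tempfile.mkdtemp())
    lic = "LICENSE_ID"                              # placeholder, not a real license id
    good = b"GOODRB\x00...constructed rulebase..."  # constructed sample content
    bad = b"HTTP 500 error page saved as .new"       # constructed corrupt download
    is_valid = lambda p: p.read_bytes().startswith(b"GOODRB")  # stand-in for engine auth
    (rb_dir / f"{lic}.snf").write_bytes(good)
    (rb_dir / f"{lic}.new").write_bytes(bad)
    swap_unchecked(rb_dir, lic)                     # the script as quoted in the thread
    unchecked_active_ok = is_valid(rb_dir / f"{lic}.snf")
    rolled_back = rollback(rb_dir, lic)             # what a restart would need
    after_rollback_ok = is_valid(rb_dir / f"{lic}.snf")
    (rb_dir / f"{lic}.new").write_bytes(bad)
    accepted = install_checked(rb_dir, lic, is_valid)
    return {"unchecked_active_ok": unchecked_active_ok, "rolled_back": rolled_back,
            "after_rollback_ok": after_rollback_ok, "accepted": accepted,
            "checked_active_ok": is_valid(rb_dir / f"{lic}.snf")}
```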



Re: [Declude.Virus] Integrated Sniffer

2010-03-19 Thread Pete McNeil

On 3/19/2010 2:48 PM, Andy Schmidt wrote:

Thanks

If the rulebase does not properly authenticate in the SNF engine then the
reload is rejected.
Once the guard time expires the update script will be run again (by default
after 3 minutes).

Which also means, if the corrupt rulebase persists and the server or
services happen to be restarted during those times, we have a potential
problem because upon restart it won't have a good rulebase to fall back on.

So there's definitely a (calculated) risk in NOT checking the rulebase
BEFORE renaming it.


That's true -- but the risk is very small.

_M


