Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Instead of doing something like that, which will require on-going, hands-on maint, why not just tag to hold those which are identified by the scanner as suspicious or generic and delete the rest? Wednesday, January 25, 2006, 4:37:28 PM, Markus Gufler [EMAIL PROTECTED] wrote: MG Maybe someone

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Thursday, January 26, 2006, 2:33:11 AM, Colbeck, Andrew [EMAIL PROTECTED] wrote: CA [SNIP] Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM to cut down on the work, and this definitely leaves a gap in my statistics. Similarly, it follows that I wouldn't want to

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting. The problem I know is when someone is reviewing hold spam messages and has the possibility to requeue them. In this case the message

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
Instead of doing something like that, which will require on-going, hands-on maint, why not just tag to hold those which are identified by the scanner as suspicious or generic and delete the rest? This is another possible solution but my intention is to clean my server from messages

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])
How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting. The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources. It has been a MAJOR help for me.

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darin Cox
By running AVAFTERJM, you can use spam filtering to eliminate banned files that you would otherwise have to review in the virus hold queue. The drawback is that marginal emails are not identified as banned files, but on our system at least, running AVAFTERJM means less to review. Darin. -

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Keith Johnson
Darrell, What happens in this scenario. Virus file comes in, AVAFTERJM is turned on, thus Declude scans it for spam content, let's say it is spam, thus ROUTETO sends it to a specific mailbox for customer to review for certain amount of days. Does Declude Virus still run against it prior

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])
Keith, It still gets virus scanned. I have tons of viruses in my virus drop point for ROUTETO accounts. Darrell --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Keith Johnson
Darrell, I guess my question then is what advantage is it to have it run prior to Virus if the Virus Scanner still scans it, won't it still use the same CPU cycles? Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
As a practical matter, about what percent fall into the category of the Virus Scanner making a false positive? IOW, aren't you out hunting mosquitos with hand grenades? Friday, January 27, 2006, 8:58:25 AM, Markus Gufler [EMAIL PROTECTED] wrote: Instead of doing something like that, which will

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Your first and second message seem to be contradictory or I'm dense. #1 The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources. #2 It still gets virus scanned. So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
aren't you out hunting mosquitos with hand grenades? If the mosquito is a very nasty but important customer it's better using tanks, MGs and whatever you can organize in order to prevent painful stings... On a day like today I could turn on DELETEVIRUSES with nearly zero risk in order to

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Dean Lawrence
I would think that you would want to do the opposite, running the virus scanner before junk mail. This way if a virus is caught, it can be handled (either deleted or moved to virus folder) and you save on the system having to run your spam tests. Also, you know that no viruses are being routed to

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me). Wrong... if you block the messages on the servers: As we know usually 50% of all incoming messages are spam. We know too that resource usage of one or two scan-engines is way

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Keith Johnson
Markus, However, Darrell mentioned that the AV scanner still runs once action is taken against the SPAM message (i.e. routeto, subject, etc.). Is this not true? Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Friday,

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Matt
This is the crux of the issue that I would like to figure out. I am however under the impression that if you DELETE a message, Declude Virus never gets it. I suspect that HOLD and MAILBOX are also that way. I am unsure about ROUTETO, and that is what really matters to me. As far as savings

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Nick Hayer
Don Brown wrote: #1 "The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources." correct. #2 "It still gets virus scanned." only those emails that get past the junkmail scanning. If you do not delete any junkmail then there is no

[Declude.Virus] Feature request: DELETEVIRUSNAME automagic

2006-01-27 Thread Colbeck, Andrew
Markus would find this handy (as would other die-hards who are often seen to post in this forum) and would be willing to maintain a small list of entries for which he would like this behaviour. However, in addition to the FORGINGVIRUS DNS lookup feature that Declude already implements*, perhaps

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

2006-01-27 Thread Matt
I thought that AV false positives can occur with definitions for known virus names. In other words, if a message gets tagged as Bagle, it might be legit 0.1% of the time. So would this really be a complete solution? Matt Colbeck, Andrew wrote: Markus would find this handy (as would

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

2006-01-27 Thread Markus Gufler
Then you maybe should keep AUTODELETEKNOWNWORMS OFF My fear is not really having false positives with real viruses. The suspicious exit code seems dangerous to me for having false positives. So the big part of definitively known, forging, 100% unwanted and programmatically created

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

2006-01-27 Thread Colbeck, Andrew
No Matt, it wouldn't be a complete solution for you or me. We don't trust DELETE actions at all. Markus however, is ok with a DELETE action, as with many others, so I'm pretty confident that they would be ok with an autodelete as well, while trusting that Declude.com isn't going to make a

[Declude.Virus] My quick and dirty virus stats

2006-01-27 Thread Colbeck, Andrew
Just because it's easy to produce... This is from the viruses that get caught as spam from Dec 01 2005 through yesterday: 13 Suspicious program in Archive 1 Suspicious program 5 Unknown Virus 57

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])
Keith, We don't ROUTETO all of our mail. We hold and delete on a bunch. In this case 95% of mail is not virus scanned. If you routeto everything then I suspect you will not save any cycles. Darrell --- Check out http://www.invariantsystems.com for

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Seems there is some confusion about whether or not AVAFTERJM prevents AV from running. Some say it does and some say it doesn't matter - AV still runs on all messages. So, I guess we first need to have someone from Declude tell us, FOR SURE, which it is. There isn't much in either section 9.1 or

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])
Don, Messages that are HOLD or DELETE are not virus scanned. ROUTETO gets virus scanned. In summary you have to look at your situation and if it makes sense for you. We don't do much ROUTETO so it makes sense for us and saves a significant amount of CPU. Darrell

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])
HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM. ROUTETO, SUBJECT, Etc - Does get virus scanned. Think of it this way: anything that ends up being delivered somewhere (i.e. mailbox etc) gets scanned. Darrell Matt writes: This is the crux of the issue that I would like to

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Dan Horne
IIRC, the HOLD action was where the risk came in. Messages that are held by Declude using AVAFTERJM and then manually re-queued (via, say, the old SpamReview app) would NOT be scanned for viruses at all, since re-queued messages bypass Declude altogether. HOLD is the only 'semi-final' action.

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
There is no perfect Spam or Virus system. There will either be false positives, missed Spam or Viruses or a combination of both. Therefore, if the customer is expecting absolute perfection, then I think the problem is one of a customer with unrealistic expectations. You said, what happens if

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Colbeck, Andrew
IIRC, the HOLD action was where the risk came in. Messages that are held by Declude using AVAFTERJM and then manually re-queued (via, say, the old SpamReview app) would NOT be scanned for viruses at all, since re-queued messages bypass Declude altogether. snip At the very least,

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Matt
Let me try to summarize what seems to be the consensus here. With AVAFTERJM ON, only certain final actions will result in no virus scanning. Those apparently include the following: HOLD, DELETE, DELETE_RECIPIENT (for the deleted recipients). On the following final actions, virus

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Matt
Dan, You might try COPYFILE which is essentially HOLD, but it adds the Declude headers to the messages. COPYFILE won't block the E-mail however, so you might want to either ROUTETO null, or HOLD and just delete what is in that folder since you have another copy. I am unclear about whether or

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Matt
Correction. COPYFILE wouldn't work with HOLD, so you would need to ROUTETO null. Matt Matt wrote: Dan, You might try COPYFILE which is essentially HOLD, but it adds the Declude headers to the messages. COPYFILE won't block the E-mail however, so you might want to either ROUTETO

Re: [Declude.Virus] My quick and dirty virus stats

2006-01-27 Thread Imail
Andrew, What are you using to compile these numbers? Mark At 12:48 PM 1/27/2006, you wrote: Just because it's easy to produce... This is from the viruses that get caught as spam from Dec 01 2005 through yesterday: 13 Suspicious program in Archive 1 Suspicious program 5 Unknown Virus 57

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Thanks. We use both hold and delete, but not routeto. I don't mind saving cycles. I guess that instead of using HOLD we could ROUTETO the Spam Hold folder and mitigate the risk of dropping a virus infected message back into the queue. Comments about this?? Thanks, Friday, January 27, 2006,

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
Friday, January 27, 2006, 1:12:04 PM, Dan Horne [EMAIL PROTECTED] wrote: DH [SNIP] IMO, AVAFTERJM should be changed so that only deleted emails, not held ones, bypass the AV scan. In other words, all messages should be first scanned for spam, then the ones that are not DELETED

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Scott Fisher
COPYFILE does not add any Declude headers. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Friday, January 27, 2006 1:28 PM Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME Dan, You might try COPYFILE which is essentially HOLD,

RE: [Declude.Virus] My quick and dirty virus stats

2006-01-27 Thread IS - Systems Eng. (Karl Drugge)
I use PERL for most of this stuff. Easy enough to learn, or I could send you the script off-line. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Sent: Friday, January 27, 2006 2:37 PM To:

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Dan Horne
Dan, this is all implementation dependent. Your observed behaviour is not universal to Declude deployments. Specifically, re-queued messages on IMail systems do indeed get scanned by Declude JunkMail and EVA when the Q*.SMD is moved to the overflow folder (as opposed to being moved to the

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Scott Fisher
Thanks, Matt that'll be helpful. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Friday, January 27, 2006 2:32 PM Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME Sorry. If you add the following directive to your Global.cfg it

RE: [Declude.Virus] My quick and dirty virus stats

2006-01-27 Thread John Carter
Have you tried the virus log analyzer at http://www.csonline.net/imailstuff/viruslog.htm (found on Declude's Tools page.) John C From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail Sent: Friday, January 27, 2006 2:56 PM To: Declude.Virus@declude.com Subject: RE:

RE: [Declude.Virus] My quick and dirty virus stats

2006-01-27 Thread Evans Martin
I would love to use your perl script. This is pretty cool. Nice stats to know. Thanks, Evans Martin From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Sent: Friday, January 27, 2006 2:21 PM To: Declude.Virus@declude.com

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Markus Gufler
I have no stats or numbers. Only the fact that AV-Engines have introduced a suspicious category that is catching more and more new outbreaks. Additionally it seems that the scanning process is becoming more and more complex. Each variant (we have up to two-letter versions!) seems to need complete

Re: [Declude.Virus] My quick and dirty virus stats

2006-01-27 Thread Darrell ([EMAIL PROTECTED])
If you don't want to bother learning or using perl I suggest you look at DLAnalyzer. It can do Junkmail reporting and Virus reporting for Declude integrated into one Windows based application. There is a functional free version (lite). Darrell

Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Don Brown
A single piece of software can't possibly be all things to all people. I think the best that can be expected is that it reasonably addresses all, or most, of those objectives which the user community shares. It is easy to say that it only costs $xx when it's not your money, the same as it is to