RE: [Declude.Virus] ZEROHOUR, scanner order
Commtouch Zerohour identifies viruses based on traffic patterns rather than signatures; this is why it is not associated with a name. There is only one option currently for Commtouch, in the global.cfg:

ZEROHOUR x

Where x is the weight assigned if ZEROHOUR is triggered. In the Declude EVA the ZEROHOUR is part of the internal scanner process and I will need to look at the code to determine the order of scanning, but I will get back to you on this.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, June 08, 2009 10:26 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ZEROHOUR, scanner order

Hi Dave:

I see. Based on your email I checked the Virus side of things and I do see Zerohour log entries.

06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1
06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]
06/07/2009 23:44:36.984 q29d5b0d20821.smd From: ignitionhf8...@sicis.com To: imail...@wateroperations.com [incoming from 84.63.45.89]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Subject: =?koi8-r?B?WW91knZlIHJlY2VpdmVkIGEgZ3JlZXRpbmcgZWNhcmQ=?=

Unfortunately, Zerohour doesn't identify the virus (which in some cases may be obvious if it's a yet unnamed outbreak). But the problem is that known viruses are not handled as configured.

What are my configuration options for Declude Virus with regards to ZeroHour? Can I at least control the order of scanning, e.g., I'd rather have the regular virus scanners try to identify and report known/named viruses and make Zerohour the option of last defense?

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 08, 2009 9:36 AM
To: declude.junkm...@declude.com
Subject: RE: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED

Hi Andy,

The ZEROHOUR was integrated into Declude as part of the virus code as it provides ZEROHOUR anti-virus. Because of this it does not function the same as the other tests. It either scores the email for x points as defined in the global.cfg or it does not, which is shown as zero. Changing the way ZEROHOUR was implemented is on our development list.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Sunday, June 07, 2009 6:07 PM
To: declude.junkm...@declude.com
Subject: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED
Importance: High

Hi,

Seems as if ZEROHOUR is not at all handled correctly vis-à-vis the TESTSFAILED variable?

1. Example: I have defined

XINHEADER X-Declude: Triggered [%WEIGHT%] %TESTSFAILED%

However, since activating ZEROHOUR I now see SMTP headers like this:

X-Declude: Triggered [-2] None, ZEROHOUR [0]

There are two things wrong with this:

a) If Testsfailed returns None, why is the string ZEROHOUR appended? If it's None then it should be None and nothing else.

b) If ZEROHOUR didn't fail and thus has a weight of 0, then it shouldn't appear in the TESTSFAILED list at all.

2. In one of my filters, I have the line

TESTSFAILED 5 CONTAINS ZEROHOUR

However, it fails to add 5 to the weight, as if it doesn't detect ZEROHOUR in the TestsFailed string, which would be consistent with items a) and b), because apparently there is a bug where ZEROHOUR is not correctly included in the TESTSFAILED variable, but instead it is somehow appended behind it!

The power of Declude is to be able to tightly configure (through various options) how weights are assigned and (with the help of TESTSFAILED filters) which groupings of tests might be testing/triggering on the same aspect of a message. Currently ZEROHOUR appears to negate all the other advantages of Declude!

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
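As an added example (not from the thread and not Declude's own code), the following parses Declude Virus log lines in the format quoted in the message above and separates messages caught only by ZEROHOUR's heuristic (always reported as "Unknown") from those a signature scanner actually named, which is the distinction the question wants to act on. The second queue id, the AVG line format, and the addresses and IPs in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the Declude Virus lines quoted in the thread.
# The second queue id, the AVG line format, addresses and IPs are assumptions.
SAMPLE_LOG = """\
06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1
06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]
06/07/2009 23:44:36.984 q29d5b0d20821.smd From: sender@example.invalid To: rcpt@example.invalid [incoming from 192.0.2.10]
06/07/2009 23:50:01.100 q2a0000000001.smd AVG Reports VIRUS: EICAR-Test-File
06/07/2009 23:50:01.100 q2a0000000001.smd Scanned: CONTAINS A VIRUS [MIME: 1 68]
06/07/2009 23:50:01.100 q2a0000000001.smd From: other@example.invalid To: rcpt@example.invalid [incoming from 192.0.2.20]
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (?P<qid>\S+) (?P<msg>.*)$")
REPORT_RE = re.compile(r"^(?P<scanner>\S+) Reports VIRUS: (?P<name>.+)$")
FROM_RE = re.compile(r"^From: (?P<sender>\S+) To: (?P<rcpt>\S+) \[incoming from (?P<ip>[\d.]+)\]$")

def parse_declude_log(text):
    """Group the log by queue id, recording which scanner reported which name."""
    msgs = defaultdict(lambda: {"reports": [], "sender": None, "rcpt": None, "ip": None, "infected": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a timestamp/queue-id line; ignore
        rec, msg = msgs[m.group("qid")], m.group("msg")
        if (r := REPORT_RE.match(msg)):
            rec["reports"].append((r.group("scanner"), r.group("name")))
        elif msg.startswith("Scanned: CONTAINS A VIRUS"):
            rec["infected"] = True
        elif (f := FROM_RE.match(msg)):
            rec.update(f.groupdict())  # sender, rcpt, ip
    return dict(msgs)

def classify(rec):
    """'named' if a scanner other than ZEROHOUR supplied a virus name,
    'heuristic-only' if only ZEROHOUR fired (its name is always Unknown), else 'clean'."""
    if not rec["infected"] and not rec["reports"]:
        return "clean"
    named = [s for s, n in rec["reports"] if s != "ZEROHOUR" and n != "Unknown"]
    return "named" if named else "heuristic-only"

def summarize(text):
    """Map queue id -> (classification, reporting scanners, sending IP) for routing or alerting."""
    return {qid: (classify(rec), [s for s, _ in rec["reports"]], rec["ip"])
            for qid, rec in parse_declude_log(text).items()}
```

Feeding the classification into quarantine or notification rules gives per-scanner handling from the log regardless of the internal scan order.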
RE: [Declude.Virus] ZEROHOUR, scanner order
Hi David:

Thanks. The Global.cfg configures the Declude.Junkmail - but you said it was implemented as Declude.Virus. So any configuration would go into the Virus.cfg file. It seems to me as if it's implemented in some fashion in both ends.

In the Declude EVA the ZEROHOUR is part of the internal scanner process and I will need to look at the code to determine the order of scanning but I will get back to you on this.

Based on log entries/detection it appears as if it first checks ZEROHOUR, then AVG, then launches the external scanners.

Sorry for all the questions - just trying to wrap my arms around the new way that everything is behaving now - as it's inconsistent with what I have had in place all these years (both in Junkmail, which relies on TESTSFAILED to control actions, and in Virus, which relies on virus name detection to control what actions to take).

(Seems as if ZEROHOUR was added by a developer who wasn't yet familiar/briefed with what was already in place elsewhere in the product, and just came up with his/her own way of doing things instead of integrating with the existing features.)

Thanks,
Andy
RE: [Declude.Virus] ZEROHOUR, scanner order
Andy,

It is implemented in the Declude virus, but because the spam function overlaps into junkmail and the spam weighting system is in junkmail, the weight is specified in the global.cfg - as you can see it is more a directive than a test.

Secondly, you are correct about the developer who integrated Commtouch. This was before I took over the management of Declude and suffice it to say he is no longer with Declude either.

David
RE: [Declude.Virus] ZEROHOUR, scanner order
Fair enough! Looks like a good service in general - hopefully, the implementation can be cleaned up at some point.

Thanks,
Andy
RE: [Declude.Virus] ZEROHOUR, scanner order
I confirmed that Commtouch runs before AVG as the internal virus scanner and currently there is no way to change this without changing the code. I will add this as a dev request to switch the order of AVG and Commtouch.

David