You're welcome, Kevin, and thanks for the log snip. I sent it over to
development to obtain more detailed information about it. I will let you
know as soon as I receive a response.
--------------------------------------------------
From: "Kevin Rogers" <ke...@rootdesign.com>
Sent: Friday, May 07, 2010 6:02 PM
To: <declude.virus@declude.com>
Cc: "Linda Pagillo" <lpagi...@declude.com>
Subject: Re: [Declude.Virus] False Positives
Thanks for your help Linda.
Here are a couple of log snippets of the 'uuencoding bad end' Vulnerability:
05/06/2010 15:39:30.823 q126c00007cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c00007cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c00007cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]
05/06/2010 15:41:21.916 qa51e00007cdae07c.smd Vulnerability flags = 65
05/06/2010 15:41:22.932 qa51e00007cdae07c.smd 'uuencoding bad end' vulnerability in line 203543
05/06/2010 15:41:23.276 qa51e00007cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408]
On 5/7/2010 7:31 AM, Linda Pagillo wrote:
Hi Kevin. Thanks for your post. I first would like to explain that what
you are seeing is not a false-positive. The address that the emails are
coming from is not a factor in the case of vulnerabilities. Our
vulnerability checking looks for exploits in an email. If it finds one,
it will mark it no matter who it is coming from. This is correct behavior
for the tests and therefore, not a false-positive.
As for allowing these for everyone who sends to your server, I would
advise against it, but of course, it is your choice. Instead I would
allow vulnerabilities on a per-sender basis in order to be safe. For
example, you said that you received 10 emails from a legit address that
were caught as a vulnerability. In that case, I would allow
vulnerabilities for that particular user. You can do that by adding a
line to your virus.cfg file...
ALLOWVULNERABILITIESFROM u...@domain.com
If you wanted to allow vulnerabilities from the entire domain, you would
add the following line instead...
ALLOWVULNERABILITIESFROM domain.com (without the @ symbol)
You mentioned that the vulnerability you are seeing from the user in
question is the 'uuencoding bad end' Vulnerability. Where are you seeing
this? Is it in the email or the virus.cfg log? Could you copy and paste
it from the log or email so I can send it over to development for review?
Thanks again.
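As an added example, not code from this thread or from Declude: a Python sketch of the two things discussed above, a check for a uuencode block whose terminating 'end' line is missing (the shape of the 'uuencoding bad end' condition) and an allow-list matcher following the two ALLOWVULNERABILITIESFROM forms Linda describes. Declude's actual detection and matching rules are not on the page; the semantics, the sample message and the virus.cfg fragment below are assumptions constructed for illustration.

```python
import re

# Constructed sample: a uuencoded attachment whose terminating 'end' line is
# missing, the shape of the 'uuencoding bad end' condition in the thread.
SAMPLE_MESSAGE = """From: sender@example.com

begin 644 report.bin
M0V]N<W1R=6-T960@9F]R(&%N(&5X86UP;&4N
`
Body text follows where the 'end' marker should be
"""
# Constructed virus.cfg fragment using the two forms described in the thread.
SAMPLE_CFG = "ALLOWVULNERABILITIESFROM bob@partner.example\nALLOWVULNERABILITIESFROM example.com\n"
BEGIN_RE = re.compile(r"^begin [0-7]{3,4} \S")

def find_bad_uu_end(message):
    """Return the 1-based line number where a uuencode block should have
    ended with 'end' but did not, or None if every block is well formed."""
    lines = message.splitlines()
    i = 0
    while i < len(lines):
        if BEGIN_RE.match(lines[i]):
            j = i + 1
            # Skip encoded data lines until the zero-length line ('`' or blank).
            while j < len(lines) and lines[j] not in ("`", "", "end"):
                j += 1
            if j < len(lines) and lines[j] != "end":
                j += 1  # step past the zero-length terminator line
            if j >= len(lines) or lines[j].strip() != "end":
                return min(j + 1, len(lines))
            i = j
        i += 1
    return None

def parse_allow_entries(cfg_text):
    """Collect the targets of ALLOWVULNERABILITIESFROM lines in virus.cfg text."""
    entries = []
    for line in cfg_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "ALLOWVULNERABILITIESFROM":
            entries.append(parts[1].lower())
    return entries

def sender_allowed(sender, entries):
    """Full-address entries match only that user; bare-domain entries (no '@')
    match any user at that domain. Assumed semantics, not Declude's own code."""
    sender = sender.strip().lower()
    domain = sender.rsplit("@", 1)[-1]
    return any(e == sender if "@" in e else e == domain for e in entries)
```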
--------------------------------------------------
From: "Kevin Rogers" <ke...@rootdesign.com>
Sent: Thursday, May 06, 2010 8:39 PM
To: <declude.virus@declude.com>
Subject: [Declude.Virus] False Positives
I'm getting several false positives a day for the following tests:
[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble
Today I received 10 false positives (from the same legit email address)
of ['uuencoding bad end' Vulnerability]
I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to
allow it. This is the first I've seen of this test.
I was getting too many of the OLMIMESEGMIMEPRE test before I had to
allow them.
I am running the latest v4.10.48 on Imail.
Are other people using these tests without many/any false positives?
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.