Re: [Declude.Virus] False Positives
Kevin, could you please send me one of the actual emails that was caught by the 'uuencoding bad end' Vulnerability as an attachment? Also, could you put your virus.cfg file in debug mode and send me the entire log snip from the next message that is caught by this vulnerability? You can send it directly to me if you like. My email address is lpagi...@declude.com. Thanks.

--
From: "Linda Pagillo"
Sent: Sunday, May 09, 2010 7:07 PM
Subject: Re: [Declude.Virus] False Positives

You're welcome, Kevin, and thanks for the log snip. I sent it over to development to obtain more detailed information about it. I will let you know as soon as I receive a response.

--
From: "Kevin Rogers"
Sent: Friday, May 07, 2010 6:02 PM
Cc: "Linda Pagillo"
Subject: Re: [Declude.Virus] False Positives

Thanks for your help, Linda. Here are a couple of log snippets of the 'uuencoding bad end' Vulnerability:

05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]
05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65
05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543
05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408]

On 5/7/2010 7:31 AM, Linda Pagillo wrote:

Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false positive. The address that the emails are coming from is not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore not a false positive. As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice.

Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file...

ALLOWVULNERABILITIESFROM u...@domain.com

If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead...

ALLOWVULNERABILITIESFROM domain.com

(without the @ symbol)

You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again.

--
From: "Kevin Rogers"
Sent: Thursday, May 06, 2010 8:39 PM
Subject: [Declude.Virus] False Positives

I'm getting several false positives a day for the following tests:

[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble

Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability]. I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives?

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
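As an added illustration of the per-sender exemption Linda describes above (example code written for this page, not Declude's own implementation), the following script reads ALLOWVULNERABILITIESFROM lines from a constructed virus.cfg fragment and decides whether a given sender is exempt from vulnerability quarantine. Assumptions not stated in the thread: the keyword is separated from its value by whitespace, matching is case-insensitive, a bare domain matches only that exact domain (not subdomains), and which sender address Declude compares (envelope or header) is unknown, so the code simply takes an address string.

```python
"""Per-sender vulnerability exemptions in the style of Declude's virus.cfg.

Added example; not Declude's code. Rule forms taken from the thread:
  ALLOWVULNERABILITIESFROM user@domain.com   (one address)
  ALLOWVULNERABILITIESFROM domain.com        (whole domain, no @ symbol)
Assumed here: whitespace separates keyword and value, comparison is
case-insensitive, and a bare domain does not cover its subdomains.
"""

# Constructed sample of the relevant virus.cfg lines (addresses are made up).
SAMPLE_CFG = """
# exempt a single user that keeps tripping a vulnerability test
ALLOWVULNERABILITIESFROM   accounting@example.com
# exempt an entire domain (no @ symbol)
ALLOWVULNERABILITIESFROM   partner.example
"""


def parse_allow_rules(cfg_text):
    """Return the value of every ALLOWVULNERABILITIESFROM line, lower-cased."""
    rules = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "ALLOWVULNERABILITIESFROM":
            rules.append(parts[1].strip().lower())
    return rules


def sender_is_allowed(sender, rules):
    """True if the sender matches an address rule exactly or a domain rule exactly."""
    sender = sender.strip().lower()
    if "@" not in sender:
        return False          # not an address; never exempt
    _, domain = sender.rsplit("@", 1)
    for rule in rules:
        if "@" in rule:
            if rule == sender:
                return True   # single-address rule
        elif rule == domain:
            return True       # domain-wide rule (assumed: exact domain only)
    return False


def still_flagged(events, rules):
    """Keep only (sender, vulnerability_name) hits that no rule exempts.

    Mirrors the thread's point: the test itself ignores the sender; the
    exemption is applied afterwards, per sender.
    """
    return [(s, v) for s, v in events if not sender_is_allowed(s, rules)]


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_CFG)
    hits = [("sales@example.com", "uuencoding bad end"),
            ("accounting@example.com", "uuencoding bad end"),
            ("anyone@partner.example", "uuencoding bad end")]
    for sender, vuln in still_flagged(hits, rules):
        print(f"quarantine: {sender} ({vuln})")
```

The exemption keys on a sender address, which the sending side controls, so a single-address entry widens exposure far less than a domain-wide one; that is the reason behind the advice above to exempt the one user rather than everyone.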
Re: [Declude.Virus] False Positives
You're welcome, Kevin, and thanks for the log snip. I sent it over to development to obtain more detailed information about it. I will let you know as soon as I receive a response.
Re: [Declude.Virus] False Positives
Thanks for your help, Linda. Here are a couple of log snippets of the 'uuencoding bad end' Vulnerability:

05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]
05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65
05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543
05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408]
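To work out which vulnerability tests are producing the noise Kevin describes, here is an added example (not part of the thread and not Declude's code) that parses log lines in the format of the snippets above and summarises them per queue file and per test name. The six log lines are the ones quoted in the thread; the seventh line, its queue file name and its test name are constructed for the example. The bit positions returned by flag_bits are reported as-is, since the thread does not document what each bit of "Vulnerability flags" means.

```python
"""Triage helper for Declude virus.cfg log lines (added example, not Declude's code).

Line shape taken from the thread:
  MM/DD/YYYY HH:MM:SS.mmm <queue file> <message>
Recognised messages: "Vulnerability flags = N", "'<name>' vulnerability in
line N", and "Scanned: <verdict>". Anything else is ignored.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# First six lines are quoted from the thread; the last line is constructed.
SAMPLE_LOG = """\
05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]
05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65
05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543
05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408]
05/06/2010 15:50:01.000 q0000construct.smd 'constructed test name' vulnerability in line 57
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<qfile>\S+) (?P<msg>.*)$")
FLAGS_RE = re.compile(r"^Vulnerability flags = (?P<flags>\d+)$")
VULN_RE = re.compile(r"^'(?P<name>.+?)' vulnerability in line (?P<line>\d+)$")
SCAN_RE = re.compile(r"^Scanned: (?P<verdict>.*)$")


@dataclass
class ScanRecord:
    qfile: str
    first_seen: str
    flags: Optional[int] = None
    vulnerabilities: List[Tuple[str, int]] = field(default_factory=list)  # (test name, line)
    verdict: Optional[str] = None


def parse_declude_log(text):
    """Group log lines by queue file and extract flags, test hits and verdict."""
    records = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = records.setdefault(m["qfile"], ScanRecord(m["qfile"], m["ts"]))
        msg = m["msg"]
        if (f := FLAGS_RE.match(msg)):
            rec.flags = int(f["flags"])
        elif (v := VULN_RE.match(msg)):
            rec.vulnerabilities.append((v["name"], int(v["line"])))
        elif (s := SCAN_RE.match(msg)):
            rec.verdict = s["verdict"]
    return records


def flag_bits(flags):
    """Bit positions set in the flags value (their meaning is not on the page)."""
    return [i for i in range(flags.bit_length()) if (flags >> i) & 1]


def vulnerability_counts(records):
    """How often each named test fired across all queue files."""
    counts = Counter()
    for rec in records.values():
        for name, _ in rec.vulnerabilities:
            counts[name] += 1
    return counts


def flagged_messages(records):
    """Queue files whose scan verdict reports a virus hit."""
    return sorted(q for q, r in records.items()
                  if r.verdict and r.verdict.startswith("CONTAINS A VIRUS"))


if __name__ == "__main__":
    recs = parse_declude_log(SAMPLE_LOG)
    for name, n in vulnerability_counts(recs).most_common():
        print(f"{n:3d}  {name}")
    for q in flagged_messages(recs):
        print(q, "flags bits:", flag_bits(recs[q].flags))
```

Run against a day's virus.cfg log, the per-test counts show at a glance which test is firing most for a site, which is the question Kevin asks of the list; the per-queue-file record ties each named hit to the final verdict line so the message can be pulled for review before any exemption is added.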
Re: [Declude.Virus] False Positives
Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false positive. The address that the emails are coming from is not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore not a false positive. As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice.

Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file...

ALLOWVULNERABILITIESFROM u...@domain.com

If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead...

ALLOWVULNERABILITIESFROM domain.com

(without the @ symbol)

You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again.
RE: [Declude.Virus] False positives?
Scott,

You're getting there ... it appears Declude 1.16d is incorrectly nabbing e-mail when containing a number of uuencoded sections??? Seems to be working fine otherwise. Thanks for %VERSION%.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, March 26, 2001 7:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] False positives?

I have just released v1.16d that should take care of this issue. We should have a new stable public release soon...

-Scott

[ This E-mail came from the Declude.Virus mailing list. To ]
[ unsubscribe, just send an E-mail to [EMAIL PROTECTED], and ]
[ type "unsubscribe Declude.Virus yourname". You can E-mail ]
[ [EMAIL PROTECTED] for assistance. You can visit our web ]
[ site at http://www.declude.com . ]
Re: [Declude.Virus] False positives?
>... and you've got one. Yes, I just confirmed last night that there is an
>issue with v1.16c where it will catch some E-mail that does not have a
>virus. I would recommend going back to v1.16b (
>http://www.declude.com/Release/116b/declude.exe ), which does not have
>this issue (but the %VIRUSNAME% and %VIRUSFILE% may not work properly in
>reports). I should have a fix out by the end of the day.

I have just released v1.16d that should take care of this issue. We should have a new stable public release soon...

-Scott
RE: [Declude.Virus] False positives?
> ... I should have a fix out by the end of the day.

Thanks. That's one bug down ... now if you could fix colds.
Re: [Declude.Virus] False positives?
>Is it me or does 1.16c seem to be nabbing e-mail that isn't virused?
>
>I'm reaching for the cheap, easy answer here ...

... and you've got one. Yes, I just confirmed last night that there is an issue with v1.16c where it will catch some E-mail that does not have a virus. I would recommend going back to v1.16b ( http://www.declude.com/Release/116b/declude.exe ), which does not have this issue (but the %VIRUSNAME% and %VIRUSFILE% may not work properly in reports). I should have a fix out by the end of the day.

-Scott