I'm running ASSP on Debian 7.7 (wheezy) on the current ASSP release. I've specified that IP address 10.10.10.250 should not be scanned because sometimes the SaneSecurity signatures are triggered on my daily reports. Today, I just noted that I haven't seen a report in a couple of days and reviewed the ASSP logs.
They show that ClamAV is still scanning the excluded IP address.

09-01-2015 23:30:09 m1-64209-07507 [Worker_1] [TLS-out] 10.10.10.250 <supp...@drdos.info> to: supp...@drdos.info Regex:Noprocessing '@lists.digium.com'
09-01-2015 23:30:09 m1-64209-07507 [Worker_1] [TLS-out] 10.10.10.250 <supp...@drdos.info> to: supp...@drdos.info ClamAV: scanned 12159 bytes in local message - FOUND Sanesecurity.Jurlbl.5698.UNOFFICIAL(dd164f7548721d3945ba20d3bd690427:12159)
09-01-2015 23:30:09 m1-64209-07507 [Worker_1] [TLS-out] [VIRUS] 10.10.10.250 <supp...@drdos.info> to: supp...@drdos.info [spam found] (virus detected: 'Sanesecurity.Jurlbl.5698.UNOFFICIAL(dd164f7548721d3945ba20d3bd690427:12159)') [Daily mail report for 2015 01 09] -> /assp/quarantine/--159007.eml;
09-01-2015 23:30:09 m1-64209-07507 [Worker_1] [TLS-out] 10.10.10.250 <supp...@drdos.info> to: supp...@drdos.info [SMTP Error] 554 5.7.1 Mail appears infected with \[Sanesecurity.Jurlbl.5698.UNOFFICIAL(dd164f7548721d3945ba20d3bd690427:12159)\].

ASSP config:

Do Not Scan Messages from these IP's* (noScanIP)
10.10.10.250|192.168.145.10

I am also trying to figure out why it would hit a Noprocessing rule for lists.digium.com?
In fact, I see different entries matching different Noprocessing rules:

16-01-2015 23:30:09 m1-69009-08961 [Worker_2] [TLS-out] 10.10.10.250 <supp...@drdos.info> to: supp...@drdos.info Regex:Noprocessing '@mythtv.org'
16-01-2015 23:30:09 m1-69009-08961 [Worker_2] [TLS-out] 10.10.10.250 <supp...@drdos.info> to: supp...@drdos.info ClamAV: scanned 12013 bytes in local message - FOUND Sanesecurity.Jurlbl.6418.UNOFFICIAL(737417455cdbdc73f8034fdabb8fb028:12013)
16-01-2015 23:30:09 m1-69009-08961 [Worker_2] [TLS-out] [VIRUS] 10.10.10.250 <supp...@drdos.info> to: supp...@drdos.info [spam found] (virus detected: 'Sanesecurity.Jurlbl.6418.UNOFFICIAL(737417455cdbdc73f8034fdabb8fb028:12013)') [Daily mail report for 2015 01 16] -> /assp/quarantine/--160579.eml;
16-01-2015 23:30:09 m1-69009-08961 [Worker_2] [TLS-out] 10.10.10.250 <supp...@drdos.info> to: supp...@drdos.info [SMTP Error] 554 5.7.1 Mail appears infected with \[Sanesecurity.Jurlbl.6418.UNOFFICIAL(737417455cdbdc73f8034fdabb8fb028:12013)\].

Is there something I'm missing?

Thanks,
Doug

--
Ben Franklin quote:
"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
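A small log audit for the situation described in the message above, as an added example that is not part of the original post and not ASSP code: it groups log lines by session id and returns the sessions whose client IP is listed in the noScanIP value yet still show a ClamAV scan line, along with any Noprocessing regex hits. The sample log is constructed in the shape of the quoted lines (placeholder addresses and signature name), and comparing noScanIP entries as literal IPs is an assumption about the setting, not ASSP's documented matching.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the log lines quoted in the post
# (addresses and signature name are placeholders).
SAMPLE_LOG = """\
09-01-2015 23:30:09 m1-64209-07507 [Worker_1] [TLS-out] 10.10.10.250 <reports@example.org> to: admin@example.org Regex:Noprocessing '@lists.example.net'
09-01-2015 23:30:09 m1-64209-07507 [Worker_1] [TLS-out] 10.10.10.250 <reports@example.org> to: admin@example.org ClamAV: scanned 12159 bytes in local message - FOUND Example.Sig.1.UNOFFICIAL
09-01-2015 23:30:09 m1-64209-07507 [Worker_1] [TLS-out] [VIRUS] 10.10.10.250 <reports@example.org> to: admin@example.org [SMTP Error] 554 5.7.1 Mail appears infected
09-01-2015 23:31:40 m1-64300-07511 [Worker_2] 203.0.113.7 <a@example.com> to: admin@example.org ClamAV: scanned 900 bytes in message - OK
"""

# timestamp, session id, zero or more [tags], client IP, remainder of the line
LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (?P<sid>\S+) "
    r"(?P<tags>(?:\[[^\]]+\] )*)(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<rest>.*)$")

def audit(log_text, no_scan_ip):
    """Return {session id: findings} for sessions whose client IP is listed
    in no_scan_ip but that still have a 'ClamAV: scanned' line."""
    # Assumption: entries are compared as literal IPs; ASSP's own matching may differ.
    excluded = {e.strip() for e in no_scan_ip.split("|") if e.strip()}
    sessions = defaultdict(
        lambda: {"ip": None, "scanned": False, "noprocessing": [], "rejected": False})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        s = sessions[m["sid"]]
        s["ip"] = m["ip"]
        rest = m["rest"]
        if "ClamAV: scanned" in rest:
            s["scanned"] = True
        hit = re.search(r"Regex:Noprocessing '([^']*)'", rest)
        if hit:
            s["noprocessing"].append(hit.group(1))
        if "[SMTP Error]" in rest:
            s["rejected"] = True
    return {sid: s for sid, s in sessions.items()
            if s["ip"] in excluded and s["scanned"]}

if __name__ == "__main__":
    for sid, s in audit(SAMPLE_LOG, "10.10.10.250|192.168.145.10").items():
        print(sid, s)
```

Run against the real maillog with the noScanIP value copied from the configuration, an empty result means no excluded IP was scanned in that log window.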