I wish mine looked like that... Here's what I've got:

With ClamAV Module
-------------------
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 <[email protected]> info: found message size announcement: 973 Byte
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 <[email protected]> to: [email protected] global Whitelisted sender address: [email protected]
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 <[email protected]> to: [email protected] ClamAV: scanned 1153 bytes in whitelisted message - FOUND Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 <[email protected]> to: [email protected] Message-Score: added 50 (vdValencePB) for virus detected: 'Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)', total score for this message is now 50
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] [VIRUS] 65.55.90.167 <[email protected]> to: [email protected] [spam found] (virus detected: 'Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)') [FW Test] -> /usr/share/assp/discarded/FW_Test--3216.eml;
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 <[email protected]> to: [email protected] [SMTP Error] 554 5.7.1 Mail appears infected with \[Eicar-Test-Signature(f077aa781ba6da057d17524c9548de2e:1153)\].
Apr-04-13 07:17:41 m1-74261-03846 [Worker_1] 65.55.90.167 <[email protected]> to: [email protected] [SMTP Status] 451 4.7.1 Please try again later
Apr-04-13 07:17:42 [Worker_1] Info: report successful sent to [email protected]

With ASSP_AFC plugin
-------------------------------
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 <[email protected]> info: found message size announcement: 1019 Byte
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 <[email protected]> to: [email protected] global Whitelisted sender address: [email protected]
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_DCC
Apr-04-13 07:20:20 [Worker_1] Info: created agent to dccifd
Apr-04-13 07:20:20 [Worker_1] Info: created DCC unix socket to /var/dcc/dccifd
Apr-04-13 07:20:20 [Worker_1] Info: finshed sending connection DCC-data to dccifd
Apr-04-13 07:20:20 [Worker_1] Info: connected to dccifd at /var/dcc/dccifd
Apr-04-13 07:20:20 [Worker_1] Info: send mail data to dccifd
Apr-04-13 07:20:20 [Worker_1] Info: querying results from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: waiting for answer from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: got answer A from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: waiting for answer from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: got answer A from dccifd
Apr-04-13 07:20:20 [Worker_1] Info: got result: Accept - for recipients: [email protected] Accept - from DCC detection only
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 65.55.90.155 <[email protected]> to: [email protected] DCC check OK
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] [MessageOK] 65.55.90.155 <[email protected]> to: [email protected] message ok - (whitelistdb) - [FW Test] -> /usr/share/assp/notspam/FW_Test--3224.eml

It's like when it hits ASSP_AFC, nothing happens. Is there any extra logging that can be enabled like the ASSP_DCC plugin?

v/r,
Louis

----------------------------------------
To: [email protected]
From: [email protected]
Date: Thu, 4 Apr 2013 08:07:57 +0200
Subject: [Assp-user] Reply: Re: Reply: Re: Reply: Re: ASSP_AFC plugin and EICAR

Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <[email protected]> to: [email protected] ClamAV: scanned 70 bytes in message - FOUND Eicar-Test-Signature
Apr-04-13 07:59:36 [Worker_1] Info: weighted regex (SuspiciousVirus) result found for Eicar - with eicar - weight is 1.5
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <[email protected]> to: [email protected] Message-Score: added 37 for SuspiciousVirus: Eicar-Test-Signature 'Eicar', total score for this message is now 42
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] [VIRUS][scoring] 1.1.1.1 <[email protected]> to: [email protected] 'Eicar-Test-Signature' passing the virus check because of only suspicious virus 'Eicar'
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 1.1.1.1 <[email protected]> to: [email protected] FileScan: is unable find temporary c:/assp/virusscan/a.1.29409.eml - possibly removed by the file system scanner
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <[email protected]> to: [email protected] Message-Score: added 50 (vdValencePB) for virus detected: 'FileScan' - unable to find file to scan, total score for this message is now 92
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] [VIRUS] 1.1.1.1 <[email protected]> to: [email protected] 554 5.7.1 Mail appears infected with \[a virus\] -- disinfect and resend. - replaced virus-mail-part with simple text
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <[email protected]> to: [email protected] ClamAV: scanned 677 bytes in message - OK
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <[email protected]> to: [email protected] FileScan: scanned 677 bytes in message
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <[email protected]> to: [email protected] info: sending modified message
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] 1.1.1.1 <[email protected]> to: [email protected] [spam found] 554 5.7.1 Mail appears infected with \[a virus\] -- disinfect and resend. [eicar test]

Thomas

From: Louis Carreiro <[email protected]>
To: ASSP Mailing List <[email protected]>
Date: 03.04.2013 21:40
Subject: Re: [Assp-user] Reply: Re: Reply: Re: ASSP_AFC plugin and EICAR

Nope... If I put the EICAR string in the body of an email while the normal ClamAV plugin is running, it blocks the email and I get notified with an alert from ASSP. If I enable ASSP_AFC and then send the email again with just the EICAR string in the body, it lets it right on through to my mailbox.

v/r,
Louis

----------------------------------------
To: [email protected]
From: [email protected]
Date: Wed, 3 Apr 2013 21:30:55 +0200
Subject: [Assp-user] Reply: Re: Reply: Re: ASSP_AFC plugin and EICAR

Is the virus being replaced?

Thomas

From: Louis Carreiro <[email protected]>
To: ASSP Mailing List <[email protected]>
Date: 03.04.2013 21:09
Subject: Re: [Assp-user] Reply: Re: ASSP_AFC plugin and EICAR

Right... that's what I wanted. What I'm not seeing is anything showing up in the ClamAV logs like with the regular ClamAV module. Also, it's not catching and scoring the spam emails with the sanesecurity databases. It's like nothing is getting moved over to the ClamAV socket.

v/r,
Louis

----------------------------------------
To: [email protected]
From: [email protected]
Date: Wed, 3 Apr 2013 20:54:45 +0200
Subject: [Assp-user] Reply: Re: ASSP_AFC plugin and EICAR

>ASSP_AFCReplViriParts:=1

This will replace the virus by a text file!

Thomas

From: Louis Carreiro <[email protected]>
To: ASSP Mailing List <[email protected]>
Date: 03.04.2013 20:38
Subject: Re: [Assp-user] ASSP_AFC plugin and EICAR

Thomas,

Thanks for the quick reply. The settings are as follows:

DoASSP_AFC:=1
ASSP_AFCSelect:=3
ASSP_AFCPriority:=6
ASSP_AFCReplBadAttach:=
ASSP_AFCReplBadAttachText:=The attached file (FILENAME) was removed from this email by ASSP for policy reasons!
ASSP_AFCReplViriParts:=1
ASSP_AFCReplViriPartsText:=There was a virus removed from this email (attachment FILENAME) by ASSP!
ASSP_AFCMSGSIZEscore:=
ASSP_AFCDetectSpamAttachRe:=file:files/ASSP_AFCDetectSpamAttachReimage.txt
ASSP_AFCWebScript:=
ASSP_AFCinsize:=1024
ASSP_AFCoutsize:=1024

I've tried ASSP_AFCinsize to 10 as well with same result.

v/r,
Louis

>What are the settings for the AFC-plugin?
>
>Thomas

> From: [email protected]
> To: [email protected]
> Date: Wed, 3 Apr 2013 10:20:42 -0400
> Subject: [Assp-user] ASSP_AFC plugin and EICAR
>
> Hey all,
>
> With everything running okay on my new ASSPv2 implementation, I started adding in the plugins. ASSP_OCR and ASSP_DCC are both running flawlessly. The problem I'm having is with the ASSP_AFC plugin. I currently have the ClamAV plugin working extremely well and I'm pulling down the SaneSecurity DBs and it's pulling all sorts of spam out. When I turn on ASSP_AFC, everything from a ClamAV perspective gets quiet. I've tried sending a plain text email through with the EICAR string in the body and it doesn't get it. If I disable the ASSP_AFC plugin and let the ClamAV plugin take back over, it catches it. I'm not quite sure where to go with this... Any help would be greatly appreciated!
>
> Thanks in advance!
> Louis
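
Added example, not part of the original thread and not ASSP's own code: a small log check for the symptom discussed above, where a session logs "calling plugin ASSP_AFC" but no "ClamAV: scanned" or "FileScan: scanned" line follows. It assumes the log line layout shown in the thread; the sample lines are constructed with placeholder addresses, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the log layout shown in this thread.
# Addresses and IPs are placeholders, not values from the thread.
SAMPLE_LOG = """\
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 192.0.2.10 <a@example.org> to: b@example.com [Plugin] calling plugin ASSP_AFC
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] 192.0.2.10 <a@example.org> to: b@example.com [Plugin] calling plugin ASSP_DCC
Apr-04-13 07:20:20 [Worker_1] Info: got answer A from dccifd
Apr-04-13 07:20:20 m1-74420-10582 [Worker_1] [MessageOK] 192.0.2.10 <a@example.org> to: b@example.com message ok - (whitelistdb)
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 192.0.2.20 <c@example.org> to: d@example.com [Plugin] calling plugin ASSP_AFC
Apr-04-13 07:59:36 M1-55174-04259 [Worker_1] 192.0.2.20 <c@example.org> to: d@example.com ClamAV: scanned 70 bytes in message - FOUND Eicar-Test-Signature
Apr-04-13 07:59:37 M1-55174-04259 [Worker_1] [VIRUS] 192.0.2.20 <c@example.org> to: d@example.com 554 5.7.1 Mail appears infected
"""

# date, time, session id, [worker], remainder of the line
LINE_RE = re.compile(r"^\S+ \S+ (?P<sid>[mM]\d+-\d+-\d+) \[[^\]]+\] (?P<rest>.*)$")
SCAN_RE = re.compile(r"\b(ClamAV|FileScan): scanned (\d+) bytes")
FOUND_RE = re.compile(r"\bFOUND (\S+)")
TAG_RE = re.compile(r"\[([A-Za-z]+)\]")  # verdict tag directly after the worker


def summarize(log_text):
    """Group lines by session id; record AFC calls, scans, hits and verdict."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # worker "Info:" lines carry no session id
            continue
        s = sessions.setdefault(
            m["sid"], {"afc": False, "scans": [], "found": [], "verdict": None})
        rest = m["rest"]
        if "calling plugin ASSP_AFC" in rest:
            s["afc"] = True
        scan = SCAN_RE.search(rest)
        if scan:
            s["scans"].append((scan[1], int(scan[2])))
            s["found"] += FOUND_RE.findall(rest)
        tag = TAG_RE.match(rest)
        if tag:
            s["verdict"] = tag[1]
    return sessions


def afc_without_scan(log_text):
    """Session ids where ASSP_AFC was called but no scan line was logged."""
    return [sid for sid, s in summarize(log_text).items()
            if s["afc"] and not s["scans"]]


if __name__ == "__main__":
    for sid in afc_without_scan(SAMPLE_LOG):
        print(f"{sid}: ASSP_AFC called, no ClamAV/FileScan scan logged")
```
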
