Thanks a lot, setting ASSP_AFCSelect = 3 solved it.

I was confused by that documentation:
ASSP_AFCSelect
If you enable one or both options of this plugin, the complete mail will be 
scanned for bad attachments and/or viruses!

So I had the impression that AFC would be used regardless of which option was 
selected (one or both options).

Thomas


From: Thomas Eckardt <[email protected]>
Sent: Saturday, September 19, 2020 1:58 PM
To: For Users of ASSP <[email protected]>
Subject: Re: [Assp-user] ASSP_AFC not using VirusTotal 
 
>we enabled and configured ASSP_AFC 

OK? But how!

>ASSP_AFCSelect:=1 

for virusscan, this should be SET TO '2' OR '3' 

1:do attachments 
2:do ClamAV, FileScan 
3:do both 

'DoVirusTotalVirusScan','Enable VirusTotal Virus Scan' - 'If a VirusTotalAPIKey 
is provided and this option is enabled, all MIME-parts will be (in addition to 
ClamAV and/or FileScan) checked by www.virustotal.com.' 


Thomas 






From: "Thomas Kofler" <[email protected]>
To: "For Users of ASSP" <[email protected]>
Date: 18.09.2020 19:15
Subject: Re: [Assp-user] ASSP_AFC not using VirusTotal




Thanks, set to verbose and reports like below, unfortunately I am still out of 
ideas. 




Sep-18-20 19:05:54 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> info: found message size announcement: 105.50 kByte
Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] redlisted: [email protected] - not white
Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] DKIM-Signature found
Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] info: found known good HELO 'eur04-he1-obe.outbound.protection.outlook.com' - weight is -0.9
Sep-18-20 19:05:55 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] Message-Score: added -18 for KnownGoodHelo, total score for this message is now -18
Sep-18-20 19:05:56 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] [scoring] DKIM signature verified-OK - header-passed - identity is: @outlook.com - sender policy is: neutral - author policy is: neutral
Sep-18-20 19:05:56 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] info: domain outlook.com has published a DMARC record
Sep-18-20 19:05:56 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] Message-Score: added -10 (spfpValencePB) for SPF pass, total score for this message is now -28
Sep-18-20 19:05:57 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] Message-Score: added 10 for Foreign IP-Country FI (MICROSOFT CORPORATION), total score for this message is now -18
Sep-18-20 19:05:57 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] Message-Score: added -15 (pbwValencePB) for In Penalty White Box, total score for this message is now -33
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] ClamAV: scanned 64981 bytes in message - OK
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] Bayesian Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 55% of 20
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] info: 1 attachment found for Level-0
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_Razor
Sep-18-20 19:05:58 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] razor message [check]: Razor-Agents v2.86 starting razor-check
Sep-18-20 19:05:59 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] razor message [check]: mail 1 is not known spam.
Sep-18-20 19:05:59 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] 40.92.73.16 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_DCC
Sep-18-20 19:05:59 m1-48754-10214 [Worker_2] [TLS-in] [TLS-out] [MessageOK] 40.92.73.16 <[email protected]> to: [email protected] message ok [attach scan 2]


From: Thomas Eckardt <[email protected]>
Sent: Friday, September 18, 2020 1:42 PM
To: For Users of ASSP <[email protected]>
Subject: Re: [Assp-user] ASSP_AFC not using VirusTotal 
 
increase the level of 'ScanLog'

Thomas





From: "Thomas Kofler" <[email protected]>
To: "[email protected]" <[email protected]>
Date: 18.09.2020 13:29
Subject: [Assp-user] ASSP_AFC not using VirusTotal




Hi,

we enabled and configured ASSP_AFC, but it seems that it's not using VirusTotal, 
which we configured including the API key (clamav is fine).

Based on maillog

calling plugin ASSP_AFC

is called, but we see no API calls on the dashboard of VirusTotal (only, if we 
enable URI-based scanning outside of ASSP_AFC).

Is there any possibility to debug ASSP_AFC?

Thanks,
Thomas

ASSP 2.6.3 (20002), all module version requirements met based on assp gui

ASSP_AFCSelect:=1
ASSP_AFCPriority:=6
ASSP_AFCDoVirusTotalVirusScan:=1
ASSP_AFCblockEncryptedZIP:=
ASSP_AFCMaxZIPLevel:=10
ASSP_AFCextractAttMail:=3
ASSP_AFCKnownGoodEXE:=file:files/knowngoodattach.txt
ASSP_AFCReplBadAttach:=
ASSP_AFCReplBadAttachText:=The attached file (FILENAME) was removed from this 
email by ASSP for policy reasons! The file was detected as REASON .
ASSP_AFCReplViriParts:=
ASSP_AFCReplViriPartsText:=There was a virus (VIRUS) removed from this email 
(attachment FILENAME) by ASSP!
ASSP_AFCMSGSIZEscore:=
ASSP_AFCDetectSpamAttachRe:=image\/
ASSP_AFCWebScript:=
ASSP_AFCinsize:=1024
ASSP_AFCoutsize:=1024
ASSP_AFCSMIME:=7060944965f8076143302e50d79550fb55522c0b8346275100187c0954

ClamAVBytes:=60000
UseAvClamd:=1
AvClamdPort:=/var/run/clamd.scan/clamd.sock
ClamAVLogScan:=2
ClamAVtimeout:=30




_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user






DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known 
virus in this email!
*******************************************************
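
The misconfiguration resolved in this thread (VirusTotal scanning switched on while ASSP_AFCSelect is 1, so the plugin only checks attachments and never reaches the virus scan) can be caught with a small configuration lint. This is an added example, not part of the original mails or of ASSP; the sample export is constructed from the values posted above, and the exact name of the API key setting (matched here as any key ending in VirusTotalAPIKey) is an assumption.

```python
import re

# Meaning of ASSP_AFCSelect as stated in the thread.
AFC_SELECT = {"1": "attachments only", "2": "ClamAV/FileScan only", "3": "both"}
KEY_LINE = re.compile(r"^(\w+):=(.*)$")

# Constructed sample in the 'name:=value' form posted in the thread.
# The API key line is a placeholder; its key name is an assumption.
SAMPLE = """\
ASSP_AFCSelect:=1
ASSP_AFCDoVirusTotalVirusScan:=1
ASSP_AFCReplViriPartsText:=There was a virus (VIRUS) removed from this email
(attachment FILENAME) by ASSP!
VirusTotalAPIKey:=PLACEHOLDER-NOT-A-REAL-KEY
ClamAVBytes:=60000
"""

def parse_assp_config(text):
    """Parse 'name:=value' lines. A non-blank line without ':=' continues the
    previous value (mail clients wrap long values); a blank line ends it."""
    cfg, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            last = m.group(1)
            cfg[last] = m.group(2).strip()
        elif line and last is not None:
            cfg[last] = (cfg[last] + " " + line).strip()
        else:
            last = None
    return cfg

def check_afc_virus_scan(cfg):
    """Return findings where VirusTotal is enabled but can never be reached."""
    findings = []
    select = cfg.get("ASSP_AFCSelect", "")
    vt_on = cfg.get("ASSP_AFCDoVirusTotalVirusScan", "") not in ("", "0")
    if vt_on and select not in ("2", "3"):
        mode = AFC_SELECT.get(select, "unset or unknown")
        findings.append(f"ASSP_AFCSelect={select or 'empty'} ({mode}): "
                        "virus scan is off, so VirusTotal is never called; use 2 or 3")
    # Assumption: the API key is stored under a key ending in 'VirusTotalAPIKey'.
    if vt_on and not any(k.endswith("VirusTotalAPIKey") and v for k, v in cfg.items()):
        findings.append("VirusTotal scan enabled but no VirusTotalAPIKey value found")
    return findings

if __name__ == "__main__":
    for finding in check_afc_virus_scan(parse_assp_config(SAMPLE)):
        print("WARN:", finding)
```
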

