Hi Dave:
I see. Based on your email I checked the Virus side of things and I do see Zerohour log entires. 06/07/2009 23:44:36.968 q29d50000b0d20821.smd Vulnerability flags = 1 06/07/2009 23:44:36.984 q29d50000b0d20821.smd ZEROHOUR Reports VIRUS: Unknown 06/07/2009 23:44:36.984 q29d50000b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown] 06/07/2009 23:44:36.984 q29d50000b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588] 06/07/2009 23:44:36.984 q29d50000b0d20821.smd From: ignitionhf8...@sicis.com To: imail...@wateroperations.com [incoming from 84.63.45.89] 06/07/2009 23:44:36.984 q29d50000b0d20821.smd Subject: =?koi8-r?B?WW91knZlIHJlY2VpdmVkIGEgZ3JlZXRpbmcgZWNhcmQ=?= Unfortunately, Zerohour doesnt identify the virus (which in some cases, may be obvious if its a yet unnamed outbreak). But, the problem is that know viruses are not handled as configured. What are my configuration options for Declude Virus with regards to ZeroHour? Can I at least control the order of scanning e.g., Id rather have the regular virus scanners try to identify and report known/named viruses and make Zerohour the option of last defense? Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Monday, June 08, 2009 9:36 AM To: declude.junkm...@declude.com Subject: RE: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED Hi Andy, The ZEROHOUR was integrated into Declude as part of the virus code as it provides ZEROHOUR anti-virus. Because of this it does not function the same as the other tests. It either scores the email for x points as defined in the global.cfg or it does not which is shown as zero. Changing the way ZEROHOUR was implemented is on our development list. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax <mailto:dbar...@declude.com> dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Sunday, June 07, 2009 6:07 PM To: declude.junkm...@declude.com Subject: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED Importance: High Hi, Seems as if ZEROHOUR is not at all handled correctly vis-à-vis the TESTSFAILED variable? 1. Example: I have defined XINHEADER X-Declude: Triggered [%WEIGHT%] %TESTSFAILED% However, since activating ZEROHOUR I know see SMTP headers like this: X-Declude: Triggered [-2] None, ZEROHOUR [0] There are two things wrong with this: a) If Testsfailed returns None, why is the string ZEROHOUR appended? If its None then it should be None and nothing else. b) If ZEROHOUR didnt fail and thus has a weight of 0, then it shouldnt appear in the TESTSFAILED list at all. 2. In one of my filters, I have the line TESTSFAILED 5 CONTAINS ZEROHOUR However, it fails to add 5 to the weight as if it doesnt detect ZEROHOUR in the TestsFailed string which would be consistent with items a) and b) because apparently there is a bug where ZEROHOUR is not correctly included in the TESTSFAILED variable, but instead it is somehow appended behind it! The power of Declude is to be able to tightly configure (through various options) how weights are assigned and (with the help of TESTSFAILED filters) which groupings of tests might be testing/triggering on the same aspect of a message. Currently ZEROHOUR appears to negate all the other advantages of Declude! Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
