Re: [Declude.Virus] False Positives

2010-05-07 Thread Linda Pagillo
Hi Kevin. Thanks for your post. I first would like to explain that what you 
are seeing is not a false-positive. The address that the emails are coming 
from is not a factor in the case of vulnerabilities. Our vulnerability 
checking looks for exploits in an email. If it finds one, it will mark it no 
matter who it is coming from. This is correct behavior for the tests and 
therefore, not a false-positive.


As for allowing these for everyone who sends to your server, I would advise 
against it, but of course, it is your choice. Instead I would allow 
vulnerabilities on a per-sender basis in order to be safe. For example, you 
said that you received 10 emails from a legit address that were caught as a 
vulnerability. In that case, I would allow vulnerabilities for that 
particular user. You can do that by adding a line to your virus.cfg file...


ALLOWVULNERABILITIESFROM u...@domain.com

If you wanted to allow vulnerabilities from the entire domain, you would add 
the following line instead...


ALLOWVULNERABILITIESFROM domain.com (without the @ symbol)

You mentioned that the vulnerability you are seeing from the user in 
question is the 'uuencoding bad end' Vulnerability. Where are you seeing 
this? Is it in the email or the virus.cfg log? Could you copy and paste it 
from the log or email so I can send it over to development for review? 
Thanks again.


--
From: "Kevin Rogers" 
Sent: Thursday, May 06, 2010 8:39 PM
To: 
Subject: [Declude.Virus] False Positives


I'm getting several false positives a day for the following tests:

[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble

Today I received 10 false positives (from the same legit email address) of 
['uuencoding bad end' Vulnerability]


I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to 
allow it.  This is the first I've seen of this test.




I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow 
them.


I am running the latest v4.10.48 on Imail.

Are other people using these tests without many/any false positives?




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com. 







[Declude.Virus] embedded AVG issue

2010-05-07 Thread Harry Vanderzand
I thought I would check my virus logs which I have not done for a while.

 

It is not working.

 

See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

 

What could be the issue here?

 

Thank you

 

Please note our new Address

 

Harry Vanderzand

Intown Internet

740 Erbsville Road

Waterloo, On, N2J 3Z4

519-741-1222

 


RE: [Declude.Virus] embedded AVG issue

2010-05-07 Thread David Barker
We have seen this mostly with manual installs. Error: Could not start AVG
Instance (17) has to do with the DLL. Please contact supp...@declude.com if
you need assistance.

 

1.   Stop decludeproc

2.   Download http://interim.declude.com/41048/AVG-DLL.zip

3.   Extract and replace the dll files, overwriting your current dlls.

4.   Start decludeproc

5.   If the error persists or you get error 2 or error 4:

6.   Stop decludeproc

7.   Delete all files in \declude\scanners\avg\db\

8.   Start decludeproc; this will initiate a new download of the AVG signatures

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com
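
Added example (not part of the original thread, and not Declude's own tooling): the log excerpt posted in this thread shows a message recorded as "Virus Free" in the same pass that logged "Could not start AVG Instance (17)". The Python sketch below groups log lines by spool file and lists such messages so they can be re-checked after the DLL replacement; the line layout is assumed from the lines quoted in this thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Layout assumed from the log lines quoted in this thread:
#   MM/DD/YYYY HH:MM:SS.mmm <spool file>.smd <message>
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+\.smd) (.*)$")
ERROR_RE = re.compile(r"^Error: (.*?)(?: \((\d+)\))?$")
VULN_RE = re.compile(r"^'([^']+)' vulnerability in line (\d+)$")

# Sample input: log lines copied from this thread, with wrapped lines rejoined.
SAMPLE_LOG = """\
05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]
05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]
"""

def summarize(log_text):
    """Group log lines by spool file; collect errors, vulnerabilities and verdict."""
    msgs = defaultdict(lambda: {"errors": [], "vulns": [], "verdict": None})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped fragments or lines in another layout
        _, spool, text = m.groups()
        rec = msgs[spool]
        if (e := ERROR_RE.match(text)):
            code = int(e.group(2)) if e.group(2) else None
            rec["errors"].append((e.group(1), code))
        elif (v := VULN_RE.match(text)):
            rec["vulns"].append((v.group(1), int(v.group(2))))
        elif text.startswith("Scanned: "):
            # Keep the verdict text, drop the trailing [MIME: ...] counters.
            rec["verdict"] = text[len("Scanned: "):].split(" [", 1)[0]
    return dict(msgs)

def clean_verdict_after_error(log_text):
    """Spool files logged 'Virus Free' although an error was logged for them."""
    return sorted(spool for spool, rec in summarize(log_text).items()
                  if rec["errors"] and rec["verdict"] == "Virus Free")

if __name__ == "__main__":
    for spool in clean_verdict_after_error(SAMPLE_LOG):
        print(spool, "logged Virus Free after a scanner error; re-check it")
```
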

 

 

 


Re: [Declude.Virus] False Positives

2010-05-07 Thread Kevin Rogers

Thanks for your help Linda.

Here are a couple log snippets of the 'uuencoding bad end' Vulnerability


05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]


05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65
05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543
05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408]



