RE: [Declude.Virus] ZEROHOUR, scanner order

2009-06-08 Thread David Barker
I confirmed that Commtouch runs before AVG as the internal virus scanner and
currently there is no way to change this without changing the code. I will
add this as a dev request to switch the order of AVG and Commtouch.


David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, June 08, 2009 11:28 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

 

Fair enough!

 

Looks like a good service in general - hopefully, the implementation can be
cleaned up at some point.

 

Thanks,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 08, 2009 11:10 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

 

Andy,

 

It is implemented in the Declude virus but because the spam function
overlaps into junkmail and the spam weighting system is in junkmail the
weight is specified in the global.cfg - as you can see it is more of a
directive than a test. Secondly you are correct about the developer who
integrated Commtouch. This was before I took over the management of Declude
and suffice it to say he is no longer with Declude either.

 

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, June 08, 2009 11:02 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

 

Hi David:

 

Thanks. The Global.cfg configures the Declude.Junkmail - but you said it was
implemented as Declude.Virus. So any configuration would go into the
Virus.cfg file. It seems to me as if it's implemented in some fashion in
both ends.

 

>> In the Declude EVA the ZEROHOUR is part of the internal scanner process
and I will need to look at the code to determine the order of scanning but I
will get back to you on this. <<

Based on log entries/detection it appears as if it first checks ZEROHOUR,
then AVG, then launches the external scanners.

 

Sorry for all the questions - just trying to wrap my arms around the "new
way" that everything is behaving now - as it's inconsistent with what I have
had in place all these years (both in Junkmail, which relies on TESTSFAILED
to control actions) and in Virus (which relies on virus name detection to
control what actions to take).

 

(Seems as if ZEROHOUR was added by a developer who wasn't yet
familiar/briefed with what was already in place elsewhere in the product,
and just came up with his/her own way of doing things instead of integration
with the existing features.)

 

Thanks,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 08, 2009 10:34 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

 

Commtouch Zerohour identifies viruses based on traffic patterns rather than
signatures; this is why it is not associated with a name. There is only one
option currently for Commtouch - in the global.cfg

 

ZEROHOUR   x

 

Where x is the weight assigned if ZEROHOUR is triggered. 

 

In the Declude EVA the ZEROHOUR is part of the internal scanner process and
I will need to look at the code to determine the order of scanning but I
will get back to you on this. 

David


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com. 


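Andy infers the scan order from log entries and David confirms above that Commtouch runs before AVG. One way to verify that order from the Declude virus log itself, as an added example that is not part of this thread or of the Declude product: group log lines by queue-file id, extract which scanner reported and in what sequence, and check the observed sequence against an expected one. The first sample message reproduces the ZEROHOUR lines quoted further down the thread (rejoined where the mail client wrapped them); the second message, the `AVG` and `EXTERNAL1` scanner names and the reported virus name are constructed, and the `<SCANNER> Reports VIRUS: <name>` line shape is assumed to hold for scanners other than ZEROHOUR.

```python
"""Reconstruct the per-message scanner order from Declude virus log lines.

Added example; not part of the mailing-list thread or of Declude itself.
The log format (timestamp, queue-file id, message text) follows the lines
quoted in the thread; the second message and its AVG/EXTERNAL1 lines are
constructed.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<qid>\S+) (?P<msg>.*)$"
)
# "<SCANNER> Reports VIRUS: <name>" is the shape of the ZEROHOUR line in the
# thread; assumed here to be the shape used by the other scanners as well.
REPORT_RE = re.compile(r"^(?P<scanner>[A-Z0-9_]+) Reports VIRUS: (?P<name>.+)$")

# Constructed sample log. The first message is the one quoted in the thread
# (ZEROHOUR only said "Unknown"); the second is made up to show a message
# on which ZEROHOUR, AVG and an external scanner all reported.
SAMPLE_LOG = """\
06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1
06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]
06/07/2009 23:45:01.100 q1example0002.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:45:01.120 q1example0002.smd AVG Reports VIRUS: Example-Test-Name
06/07/2009 23:45:01.500 q1example0002.smd EXTERNAL1 Reports VIRUS: Example-Test-Name
06/07/2009 23:45:01.510 q1example0002.smd Scanned: CONTAINS A VIRUS [MIME: 1 1024]
"""


def parse_log(text):
    """Group log lines by queue-file id, keeping the order they appear in."""
    per_msg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. a continuation line produced by mail-client wrapping
        per_msg.setdefault(m["qid"], []).append((m["ts"], m["msg"]))
    return per_msg


def scanner_sequence(entries):
    """Return [(scanner, reported_name), ...] in the order the scanners reported."""
    seq = []
    for _ts, msg in entries:
        m = REPORT_RE.match(msg)
        if m:
            seq.append((m["scanner"], m["name"].strip()))
    return seq


def first_named_verdict(seq):
    """First scanner that supplied a real name; ZEROHOUR only ever says 'Unknown'."""
    for scanner, name in seq:
        if name != "Unknown":
            return (scanner, name)
    return None


def scan_order_report(text):
    """Per message: the scanner order observed and the first named verdict, if any."""
    report = {}
    for qid, entries in parse_log(text).items():
        seq = scanner_sequence(entries)
        report[qid] = {
            "order": [scanner for scanner, _ in seq],
            "first_named": first_named_verdict(seq),
        }
    return report


def order_consistent(report, expected):
    """True if, in every message, the scanners named in `expected` reported in
    that relative order (scanners that did not report on a message are ignored)."""
    for info in report.values():
        observed = info["order"]
        want = [s for s in expected if s in observed]
        got = [s for s in observed if s in expected]
        if want != got:
            return False
    return True


if __name__ == "__main__":
    rep = scan_order_report(SAMPLE_LOG)
    for qid, info in rep.items():
        print(qid, info)
    print("ZEROHOUR before AVG on every message:",
          order_consistent(rep, ["ZEROHOUR", "AVG"]))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; `first_named` being `None` on a message is exactly the case Andy describes, where the only verdict is ZEROHOUR's unnamed one.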

RE: [Declude.Virus] ZEROHOUR, scanner order

2009-06-08 Thread David Barker
Commtouch Zerohour identifies viruses based on traffic patterns rather than
signatures; this is why it is not associated with a name. There is only one
option currently for Commtouch – in the global.cfg

 

ZEROHOUR   x

 

Where x is the weight assigned if ZEROHOUR is triggered. 

 

In the Declude EVA the ZEROHOUR is part of the internal scanner process and
I will need to look at the code to determine the order of scanning but I
will get back to you on this. 



David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, June 08, 2009 10:26 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ZEROHOUR, scanner order

 

Hi Dave:

 

I see.

 

Based on your email I checked the “Virus” side of things – and I do see
Zerohour log entries.

 

06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1

06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown

06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]

06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]

06/07/2009 23:44:36.984 q29d5b0d20821.smd From: ignitionhf8...@sicis.com To: imail...@wateroperations.com [incoming from 84.63.45.89]

06/07/2009 23:44:36.984 q29d5b0d20821.smd Subject: =?koi8-r?B?WW91knZlIHJlY2VpdmVkIGEgZ3JlZXRpbmcgZWNhcmQ=?=

 

Unfortunately, Zerohour doesn’t identify the virus (which in some cases, may
be obvious if it’s a yet unnamed outbreak). But, the problem is that “known”
viruses are not handled as configured.

 

What are my configuration options for Declude Virus with regards to
ZeroHour?

 

Can I at least control the order of scanning – e.g., I’d rather have the
regular virus scanners try to “identify” and report “known/named” viruses –
and make Zerohour the option of last defense?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 08, 2009 9:36 AM
To: declude.junkm...@declude.com
Subject: RE: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED

 

Hi Andy,

 

The ZEROHOUR was integrated into Declude as part of the virus code as it
provides ZEROHOUR anti-virus. Because of this it does not function the same
as the other tests. It either scores the email for x points as defined in
the global.cfg or it does not which is shown as zero. Changing the way
ZEROHOUR was implemented is on our development list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Sunday, June 07, 2009 6:07 PM
To: declude.junkm...@declude.com
Subject: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED
Importance: High

 

Hi,

 

Seems as if ZEROHOUR is not at all handled correctly vis-à-vis the
TESTSFAILED variable?

 

1.   Example: I have defined

 

XINHEADER   X-Declude: Triggered [%WEIGHT%] %TESTSFAILED%

 

However, since activating ZEROHOUR I now see SMTP headers like this:

X-Declude: Triggered [-2] None, ZEROHOUR [0]

 

There are two things wrong with this:

 

a)  If “Testsfailed” returns “None”, why is the string “ZEROHOUR”
appended?  If it’s “None” then it should be “None” – and nothing else.

b)  If “ZEROHOUR” didn’t fail and thus has a weight of “0”, then it
shouldn’t appear in the TESTSFAILED list at all.

 

2.   In one of my filters, I have the line
TESTSFAILED  5  CONTAINS  ZEROHOUR
However, it fails to add “5” to the weight – as if it doesn’t detect
“ZEROHOUR” in the TestsFailed string – which would be consistent with items
“a)” and “b)” – because apparently there is a bug where ZEROHOUR is not
correctly included in the “TESTSFAILED” variable, but instead it is somehow
“appended” behind it!

 

The power of Declude is to be able to tightly configure (through various
options) how weights are assigned and (with the help of “TESTSFAILED”
filters) which groupings of tests might be testing/triggering on the same
“aspect” of a message. Currently ZEROHOUR appears to negate all the other
advantages of Declude!

 

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

