From: Nick M. <ni...@my...> - 2013-07-02 09:36:42
Hello,

I hope someone can help...

I've installed ASSP_AFC plugin, enabled it with the action 'Do ClamAV and FileScan', but where I was previously seeing partial copies of every email in the virusscan folder and the external script was being successfully executed, there's no such activity now. The logs say 'calling plugin ASSP_AFC', but no other mention of the scan. When I disable the ASSP_AFC plugin, the filescan activity in the virusscan folder resumes as before.

It seems to be the same issue a user recently highlighted, but unfortunately there wasn't a solution:

http://anti-spam-smtp-proxy-server.996265.n3.nabble.com/ASSP-AFC-plugin-and-EICAR-td17311.html

An example of the log would be:

    Jul-02-13 09:30:26 m-53825-00303 [Worker_8] [TLS-in] 207.23.63.98 <te...@te...> to: te...@te... [Plugin] calling plugin ASSP_AFC
    Jul-02-13 09:30:26 m-53825-00303 [Worker_8] [TLS-in] [MessageOK] 207.23.63.98 < te...@te... > to: te...@te... message ok - (whiteListedDomains 'te...@te...') - [RE test email]

And this from the Debug log:

    >Jul-02-13 09:36:09 [Worker_14] <callPlugin
    >Jul-02-13 09:36:09 [Worker_14] <call Plugin ASSP_AFC with priority: 6 in run level 'complete mail'
    >Jul-02-13 09:36:09 m-54168-00649 [Worker_14] 195.241.237.16 <te...@te...> to: te...@te... [Plugin] calling plugin ASSP_AFC
    Jul-02-13 09:36:09 [Worker_14] <sayMessageOK
    >Jul-02-13 09:36:09 [Worker_14] <makeSubject
    >Jul-02-13 09:36:09 m-54168-00649 [Worker_14] [MessageOK] 195.241.237.16 <te...@te...> to: te...@te... message ok - (whiteListedDomains 'te...@te...') - [test email 2]
    Jul-02-13 09:36:09 [Worker_14] <sq: IO::Socket::INET=GLOB(0x342fbe44) l=2744

After that, there's no more log entries for ASSP_AFC on that thread/message.

Am I missing something obvious?

Thanks
Nick

______________________________________________
Giacom email security by www.messagestream.com
From: Thomas E. <Tho...@th...> - 2013-07-03 05:58:50
Nick,

I've an idea - but first I need to know your setting for 'DoBlockExes' ?

If my idea is right - your setting is 'disabled' / '0' .

If so, please modify the ASSP_AFC.pm as follows:

    $this->{clamscandone}=0;
    $this->{filescandone}=0;
    if(   ! &haveToScan($fh)
       && ! &haveToFileScan($fh)
       && ! $main::DoBlockExes
       && ! ($self->{script} && (($this->{relayok} && $self->{outsize}) || (! $this->{relayok} && $self->{insize})))
      ){
        $this->{clamscandone}=1;
        $this->{filescandone}=1;
        return 1;
    }
    $this->{clamscandone}=1 if( ! &haveToScan($fh) );
    $this->{filescandone}=1 if( ! &haveToFileScan($fh) );

to (add the two lines):

    $this->{clamscandone}=0;
    $this->{filescandone}=0;
    $plScan = 1;
    if(   ! &haveToScan($fh)
       && ! &haveToFileScan($fh)
       && ! $main::DoBlockExes
       && ! ($self->{script} && (($this->{relayok} && $self->{outsize}) || (! $this->{relayok} && $self->{insize})))
      ){
        $this->{clamscandone}=1;
        $this->{filescandone}=1;
        $plScan = 0;
        return 1;
    }
    $this->{clamscandone}=1 if( ! &haveToScan($fh) );
    $this->{filescandone}=1 if( ! &haveToFileScan($fh) );

tell me if this works - thank you.

Thomas
From: Nick M. <ni...@my...> - 2013-07-03 09:47:31
Hi Thomas

Thank you for the work you've done on this...

First, you're right, I do have DoBlockExecs set as 'disabled'. I changed the code as below in ASSP_AFC to the new code, but unfortunately it didn't make any difference whilst DoBlockExecs was set to 'disabled'.

However, when I set DoBlockExecs to 'monitor', ASSP_AFC starts working, with or without the above code change.

Thomas, what impact does 'monitor' have on the DoBlockExecs setting - will it just report and not block exes?

Thanks
Nick
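Added example, not part of the original thread and not ASSP code: a Python check for the symptom reported in the first message, where the log shows 'calling plugin ASSP_AFC' followed directly by [MessageOK] with nothing else logged for that message. It assumes that any scan activity would be logged under the same message id between those two lines; the m-99999-00001 lines, including the plugin output line, are constructed.

```python
import re

# First three lines are copied from the thread (addresses masked as on the page).
# The m-99999-00001 lines are constructed, including the made-up scan output line.
SAMPLE_LOG = """\
Jul-02-13 09:30:26 m-53825-00303 [Worker_8] [TLS-in] 207.23.63.98 <te...@te...> to: te...@te... [Plugin] calling plugin ASSP_AFC
Jul-02-13 09:30:26 m-53825-00303 [Worker_8] [TLS-in] [MessageOK] 207.23.63.98 < te...@te... > to: te...@te... message ok - (whiteListedDomains 'te...@te...') - [RE test email]
Jul-02-13 09:36:09 [Worker_14] <sayMessageOK
Jul-02-13 09:41:00 m-99999-00001 [Worker_3] 192.0.2.10 <a@example.org> to: b@example.net [Plugin] calling plugin ASSP_AFC
Jul-02-13 09:41:01 m-99999-00001 [Worker_3] 192.0.2.10 <a@example.org> to: b@example.net CONSTRUCTED: plugin scan output line
Jul-02-13 09:41:01 m-99999-00001 [Worker_3] [MessageOK] 192.0.2.10 <a@example.org> to: b@example.net message ok - [hello]
"""

# date, time, then the per-message id (e.g. m-53825-00303)
MSG_ID = re.compile(r"^\S+ \S+ (m-\d+-\d+) ")
CALL = "[Plugin] calling plugin ASSP_AFC"
VERDICT = "[MessageOK]"


def silent_plugin_calls(log_text, call=CALL, verdict=VERDICT):
    """Return ids of messages accepted with no log line between the
    plugin call and the verdict, i.e. the plugin left no trace of a scan."""
    lines_since_call = {}  # message id -> lines logged since the plugin call
    flagged = []
    for line in log_text.splitlines():
        match = MSG_ID.match(line)
        if not match:
            continue  # worker/debug lines carry no message id
        mid = match.group(1)
        if call in line:
            lines_since_call[mid] = 0
        elif mid in lines_since_call:
            if verdict in line:
                if lines_since_call.pop(mid) == 0:
                    flagged.append(mid)
            else:
                lines_since_call[mid] += 1
    return flagged


if __name__ == "__main__":
    for mid in silent_plugin_calls(SAMPLE_LOG):
        print(f"{mid}: ASSP_AFC called, accepted with no scan output logged")
```

Run against a mail log after changing DoBlockExes or the plugin code, an empty result means every message that reached the plugin left at least one further log line before it was accepted.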