From: Dirk K. <d.k...@ne...> - 2014-09-22 17:53:07
Hi everybody,

Today I received an infected email and it was blocked by ASSP:

2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <rai...@vo...> to: rec...@my... ASSP_OCR: (att) file text3.upa found in mime part 3
2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <rai...@vo...> to: rec...@my... ASSP_OCR: (att) file Ihre_Rechnung_22_09_2014.zip found in mime part 4
2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <rai...@vo...> to: rec...@my... ASSP_OCR: (att) file img_logo_picture_09.jpeg found in mime part 5
2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <rai...@vo...> to: rec...@my... ASSP_OCR: OCR(2.20) (TextFile(text3.upa)) data extracted
2014-09-22 18:01:06 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... info: the setting of 'UseAvClamd' (block) is temporarily overwritten by the 'DoASSP_OCR' setting of (score)
2014-09-22 18:01:11 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... info: the setting of 'DoFileScan' (disabled) is temporarily overwritten by the 'DoASSP_OCR' setting of (score)
2014-09-22 18:01:11 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... info: the setting of 'DoScriptRe' (disabled) is temporarily overwritten by the 'DoASSP_OCR' setting of (score)
2014-09-22 18:01:11 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... [Plugin] calling plugin ASSP_AFC
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... ClamAV: scanned 0 bytes in whitelisted message - OK
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... ClamAV: scanned 1188 bytes in whitelisted message - OK
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... ClamAV: scanned 3873 bytes in whitelisted message - OK
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... ClamAV: scanned 173179 bytes in whitelisted message - FOUND Zip.Suspect.WinDoubleExtension-zippwd-1(c7329ae811aee30a2404eaa07f4fbb6e:173179)
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... Message-Score: added 50 (vdValencePB) for virus detected: 'Zip.Suspect.WinDoubleExtension-zippwd-1(c7329ae811aee30a2404eaa07f4fbb6e:173179)', total score for this message is now 50
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] [VIRUS] 186.63.225.200 <rai...@vo...> to: rec...@my... mail blocked by Plugin ASSP_AFC - reason VIRUS-found
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] [VIRUS] 186.63.225.200 <rai...@vo...> to: rec...@my... [spam found] (VIRUS-found) [Ihre Mobilfunk Rechnung vom 22 09 2014 im Anhang als PDF];
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <rai...@vo...> to: rec...@my... [SMTP Error] 554 5.7.1 Mail appears infected with \[Zip.Suspect.WinDoubleExtension-zippwd-1(c7329ae811aee30a2404eaa07f4fbb6e:173179)\].
2014-09-22 18:01:13 [Worker_1] Info: report successful sent to rec...@my...

Two little problems with this:

1) The infected email was not quarantined as I would expect. I cannot find it anywhere in my assp directories. The directories "quarantine" and "virusscan" exist and have full access permissions (777). (I'm not sure if "virusscan" is even needed, because I have the mail checked by ClamD.)

Some settings from my assp.cfg:

EmailVirusReportsToRCPT:=2
FileScanDir:=/opt/assp/virusscan
viruslog:=quarantine
SpamVirusLog:=5

2) The virus report I received did not have a "subject:" line

As always thanks a lot for help and advice.

Best regards
Dirk
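The log excerpt above is useful beyond this one incident: it shows the line layout ASSP writes (timestamp, message id, worker, optional tag, sender IP, sender, recipient, message text) and the three events a mail administrator wants to correlate per message: attachments seen by the OCR plugin, the ClamAV FOUND line with signature and hash, and the final "mail blocked by Plugin ... - reason VIRUS-found" decision. The following parser is an added example written for this page; it is not part of the post or of ASSP. It assumes only the line layout visible in the quoted log; the regular expressions, the function names and the sample log are my own constructions, and the sender/recipient addresses are placeholders because the post shows them truncated. Besides the blocked message from the post it includes a constructed third message whose detection was scored but never blocked, the case an administrator would most want to catch when reviewing how plugin settings override each other.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample log, modelled on the ASSP lines quoted in the post above.
# Addresses are placeholders; message m1-01390-10601 and its signature name/hash
# are invented to show a detection that was not followed by a block.
SAMPLE_LOG = """\
2014-09-22 18:01:06 m1-01380-10527 [Worker_1] [Plugin] 186.63.225.200 <sender@example.invalid> to: rcpt@example.invalid ASSP_OCR: (att) file Ihre_Rechnung_22_09_2014.zip found in mime part 4
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <sender@example.invalid> to: rcpt@example.invalid ClamAV: scanned 3873 bytes in whitelisted message - OK
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] 186.63.225.200 <sender@example.invalid> to: rcpt@example.invalid ClamAV: scanned 173179 bytes in whitelisted message - FOUND Zip.Suspect.WinDoubleExtension-zippwd-1(c7329ae811aee30a2404eaa07f4fbb6e:173179)
2014-09-22 18:01:13 m1-01380-10527 [Worker_1] [VIRUS] 186.63.225.200 <sender@example.invalid> to: rcpt@example.invalid mail blocked by Plugin ASSP_AFC - reason VIRUS-found
2014-09-22 18:01:13 [Worker_1] Info: report successful sent to rcpt@example.invalid
2014-09-22 18:05:42 m1-01385-10590 [Worker_2] 198.51.100.7 <other@example.invalid> to: rcpt@example.invalid ClamAV: scanned 512 bytes in message - OK
2014-09-22 18:09:10 m1-01390-10601 [Worker_1] 203.0.113.9 <third@example.invalid> to: rcpt@example.invalid ClamAV: scanned 2048 bytes in message - FOUND Constructed.Test.Sig-1(00112233445566778899aabbccddeeff:2048)
"""

# One ASSP log line: timestamp, message id, worker, optional [tag], IP, sender, recipient, text.
# Lines without a message id (e.g. "Info: report successful sent ...") do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) "
    r"\[(?P<worker>Worker_\d+)\] "
    r"(?:\[(?P<tag>[^\]]+)\] )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"<(?P<sender>[^>]*)> to: (?P<rcpt>\S+) "
    r"(?P<msg>.*)$"
)
# ClamAV verdict: "scanned N bytes in [whitelisted ]message - FOUND Sig(hash:size)"
FOUND_RE = re.compile(
    r"ClamAV: scanned (?P<bytes>\d+) bytes in (?P<wl>whitelisted )?message - FOUND "
    r"(?P<sig>[^()\s]+)\((?P<hash>[0-9a-f]{32}):(?P<size>\d+)\)"
)
BLOCKED_RE = re.compile(r"mail blocked by Plugin (?P<plugin>\S+) - reason (?P<reason>\S+)")
ATTACH_RE = re.compile(r"ASSP_OCR: \(att\) file (?P<name>\S+) found in mime part (?P<part>\d+)")


@dataclass
class MessageVerdict:
    """Everything the log tells us about one message id."""
    msgid: str
    ip: str = ""
    sender: str = ""
    recipients: Set[str] = field(default_factory=set)
    attachments: List[str] = field(default_factory=list)
    signature: Optional[str] = None
    digest: Optional[str] = None
    scanned_bytes: int = 0
    whitelisted: bool = False        # AV hit inside a message ASSP treated as whitelisted
    block_plugin: Optional[str] = None
    block_reason: Optional[str] = None


def summarize(log_text: str) -> Dict[str, MessageVerdict]:
    """Fold the per-line events of an ASSP log into one verdict per message id."""
    verdicts: Dict[str, MessageVerdict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        v = verdicts.setdefault(m["msgid"], MessageVerdict(msgid=m["msgid"]))
        v.ip, v.sender = m["ip"], m["sender"]
        v.recipients.add(m["rcpt"])
        msg = m["msg"]
        a = ATTACH_RE.search(msg)
        if a:
            v.attachments.append(a["name"])
        f = FOUND_RE.search(msg)
        if f:
            v.signature, v.digest = f["sig"], f["hash"]
            v.scanned_bytes = int(f["bytes"])
            v.whitelisted = f["wl"] is not None
        b = BLOCKED_RE.search(msg)
        if b:
            v.block_plugin, v.block_reason = b["plugin"], b["reason"]
    return verdicts


def blocked_virus_messages(log_text: str) -> List[MessageVerdict]:
    """Messages ASSP rejected with reason VIRUS-found, oldest message id first."""
    return sorted((v for v in summarize(log_text).values() if v.block_reason == "VIRUS-found"),
                  key=lambda v: v.msgid)


def unblocked_detections(log_text: str) -> List[MessageVerdict]:
    """Messages with a ClamAV FOUND line but no block decision: the case to review first."""
    return sorted((v for v in summarize(log_text).values()
                   if v.signature is not None and v.block_reason is None),
                  key=lambda v: v.msgid)


if __name__ == "__main__":
    for v in blocked_virus_messages(SAMPLE_LOG):
        print(f"BLOCKED  {v.msgid} {v.ip} {v.signature} md5={v.digest} whitelisted={v.whitelisted} att={v.attachments}")
    for v in unblocked_detections(SAMPLE_LOG):
        print(f"REVIEW   {v.msgid} {v.ip} {v.signature} detected but not blocked")
```

Running the block over a real maillog instead of SAMPLE_LOG is a one-line change (read the file into `summarize`). The `whitelisted` flag records what the post's log makes visible: a sender whitelist did not stop ClamAV from scanning, so the FOUND and the block still appear and can be correlated by message id; `unblocked_detections` is the check that surfaces a detection whose block setting was overridden into a score only.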