
Possible issue with anti-virus plugin

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6609
Printed Date: 05 February 2025 at 1:05pm


Topic: Possible issue with anti-virus plugin
Posted By: LogSat
Subject: Possible issue with anti-virus plugin
Date Posted: 31 January 2009 at 5:16pm
On Jan 29, Norman (our antivirus partner) released an upgrade of the antivirus engine. We have been made aware that there is an issue when receiving some emails containing PDF attachments. Depending on how the MIME attachments are added to the emails, the antivirus plugin may cause the email to be rejected even if the PDF file is legitimate, without adding the email to the quarantine. The sender will however be notified of the delivery problem.

While we work with Norman to solve this issue, if you are experiencing the problems described, you may follow the procedure below to revert back to the previous version of the antivirus plugin.

Download a copy of the previous AV plugin files from:

http://www.logsat.com/spamfilter/pub/temp/nse-1-28-09.zip

To downgrade, you will need to:

1. Stop SpamFilter
2. Extract the contents of the zip files above in the \SpamFilter\Nse\Bin directory, replacing all the existing files with the new ones.
3. Edit the SpamFilter.ini file, and look for the section [NVC]. Underneath it, you will see entries similar to:

NvcBinDate=1/28/2009 10:12:02 AM
NvcIncrDate=1/31/2009 3:11:16 PM
NvcMacroDate=1/28/2009 9:56:54 AM
Nse_w32Date=1/16/2009 2:00:52 PM
NCLDate=4/28/2008 11:55:50 AM

4. You will need to change those dates to a date in the future, so that SpamFilter will not attempt to download updates, for example:

NvcBinDate=1/28/2010 10:12:02 AM
NvcIncrDate=1/31/2010 3:11:16 PM
NvcMacroDate=1/28/2010 9:56:54 AM
Nse_w32Date=1/16/2010 2:00:52 PM
NCLDate=4/28/2010 11:55:50 AM

5. Then restart SpamFilter.


Please note that if you do follow this procedure, you will need to manually revert back the dates in the SpamFilter.ini file to receive the correct files when we solve this problem (hopefully within the next few hours). We will update this thread as soon as we have new information.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP



Replies:
Posted By: LogSat
Date Posted: 01 February 2009 at 6:21pm
Update - It seems, so far, that this issue is only occurring if the PDF file is corrupted. Whenever minor corruption occurs in a PDF file, usually and often the Acrobat products will attempt to auto-repair the file on the fly, without warning the users, so the errors may often go undetected.

We're still unable to reproduce this issue with "valid" PDF files, so the problem so far does not appear to be of great concern. We hope to have further information within the next few hours.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: LogSat
Date Posted: 03 February 2009 at 10:41am
Update - We have received reports of this issue occurring with valid PDF files as well. Norman is working to find a solution soon, and we are looking for workarounds within SpamFilter itself.

We've placed a copy of the previous AV plugin files with updated virus definitions at:

http://www.logsat.com/spamfilter/pub/temp/nse-2-3-09.zip


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: LogSat
Date Posted: 03 February 2009 at 9:27pm
While we wait for a patch for the antivirus plugin to be ready, we've created a workaround in SpamFilter that **so far** appears to work. SpamFilter is still experiencing memory corruption due to the bug, but we seem to have been able to "deviate" the memory leak in the plugin to an area in SpamFilter that performs the activity logging. Whenever a "problem" PDF is received, there will be a couple of corrupted entries in the activity log, but the email should be received correctly.

We've made available SpamFilter v4.1.2.801 in the registered user area on our website. Please note that this build is to be treated as a beta due to the uncertainty of the problem, while an official fix from Norman is received.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: LogSat
Date Posted: 04 February 2009 at 4:27pm
Update - Norman almost beat us in releasing a patch.

We've received an updated nse_w32.dll (v6.0.6.0) that solves the issue discovered in the buggy nse_w32.dll v6.0.2.0.

This update will be deployed automatically during the next AV update cycle that occurs hourly.


If you have manually deployed the *previous* version of the antivirus plugin (the one having the Nse_w32.dll v 5.93) to temporarily solve this issue as mentioned in the earlier posts in the forum, all you need to do is to edit the SpamFilter.ini file and restore the older settings in the [NVC] section of this file:

NvcBinDate=1/28/2009 10:12:02 AM
NvcIncrDate=1/31/2009 3:11:16 PM
NvcMacroDate=1/28/2009 9:56:54 AM
Nse_w32Date=1/16/2009 2:00:52 PM
NCLDate=4/28/2008 11:55:50 AM

There is no need to restart SpamFilter after making these changes. Once this is done, within 60 minutes SpamFilter will automatically download the updates.

If you wish, you can also trigger the download of the new antivirus files manually by going to the "AntiVirus" tab in SpamFilter and clicking on the "Update Now" button. PLEASE NOTE THAT YOU WILL NEED TO WAIT 60 SECONDS AFTER SAVING THE SPAMFILTER.INI FILE BEFORE TRIGGERING THE MANUAL UPDATE. This is because SpamFilter may take up to 60 seconds before re-importing the settings in the SpamFilter.ini file.

It is to be noted that Norman provided us the patch in v6.0.6.0 in a "beta" status, as the update has not gone thru their normal QA process. We feel however that the bug present in the "official" v6.0.2.0 version is serious enough, and with the potential of causing other issues not detected yet, that it is safer to use the latest beta rather than the buggy release. If you do not wish to use the beta version, simply follow the procedures in the previous posts to download the previous v5 of the Norman antivirus plugin.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
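
Added example (not part of the thread and not LogSat's code): a sketch of the [NVC] date edit from the first post and the restore from the last post, done as a text rewrite that keeps the original values so they can be put back exactly. The function names, the `[Example]` section and the sample text are constructed for illustration; only the five key names and their values come from the posts.

```python
from datetime import datetime

FMT = "%m/%d/%Y %I:%M:%S %p"  # matches entries such as 1/28/2009 10:12:02 AM
KEYS = {"NvcBinDate", "NvcIncrDate", "NvcMacroDate", "Nse_w32Date", "NCLDate"}

def fmt(dt):
    # The entries in the posts carry no zero padding on month, day or hour.
    ampm = "AM" if dt.hour < 12 else "PM"
    return f"{dt.month}/{dt.day}/{dt.year} {dt.hour % 12 or 12}:{dt:%M:%S} {ampm}"

def rewrite_nvc(ini_text, transform):
    """Apply transform(key, value) to the date keys inside [NVC] only."""
    out, in_nvc = [], False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_nvc = s.lower() == "[nvc]"
        elif in_nvc and "=" in s:
            key, value = (p.strip() for p in s.split("=", 1))
            if key in KEYS:
                line = f"{key}={transform(key, value)}"
        out.append(line)
    return "\n".join(out) + "\n"

def pin_dates(ini_text, year):
    """Move every [NVC] date to `year`; return (new_text, original_values)."""
    originals = {}
    def bump(key, value):
        dt = datetime.strptime(value, FMT)  # raises on an unexpected format
        originals[key] = value
        try:
            dt = dt.replace(year=year)
        except ValueError:                  # Feb 29 in a non-leap target year
            dt = dt.replace(year=year, day=28)
        return fmt(dt)
    return rewrite_nvc(ini_text, bump), originals

def restore_dates(ini_text, originals):
    """Put back the values saved by pin_dates so updates resume."""
    return rewrite_nvc(ini_text, lambda k, v: originals.get(k, v))

# Constructed sample: the [NVC] values are the ones quoted in the thread.
SAMPLE = """[Example]
NvcBinDate=left alone outside [NVC]
[NVC]
NvcBinDate=1/28/2009 10:12:02 AM
NvcIncrDate=1/31/2009 3:11:16 PM
NvcMacroDate=1/28/2009 9:56:54 AM
Nse_w32Date=1/16/2009 2:00:52 PM
NCLDate=4/28/2008 11:55:50 AM
"""

if __name__ == "__main__":
    pinned, saved = pin_dates(SAMPLE, 2010)
    print(pinned)
    print(restore_dates(pinned, saved))
```

Saving the dictionary returned by `pin_dates` alongside a backup copy of SpamFilter.ini avoids retyping the dates by hand when reverting.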


