Print Page | Close Window

New SpamFilter + antivirus beta

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
Printed Date: 14 March 2025 at 6:53am

Topic: New SpamFilter + antivirus beta
Posted By: LogSat
Subject: New SpamFilter + antivirus beta
Date Posted: 24 March 2005 at 11:11pm
We have released the public beta for the new version of SpamFilter ISP v2.5. The following information, along with the download links, is also available on the beta page at - .

An Activation Code is required to enable the antivirus plug-in. You may apply online to receive a free activation code that will be valid for the duration of the beta program.

Major Changes introduced in SpamFilter ISP v2.5 - The new SpamFilter ISP v2.5 includes support for an anti-virus plug-in. LogSat Software has partnered with - Norman to provide optional antivirus protection for email traffic.

The antivirus plug-in will be available for purchase separately from SpamFilter ISP and will be an optional component. Unlike SpamFilter ISP's licenses, the antivirus plug-in will be offered as a subscription service with a yearly subscription fee. The amount of the fee has not been finalized yet, but it will not exceed the price of a SpamFilter's license. The availability of the antivirus plug-in for the free version of SpamFilter ISP has not been determined yet.

Technical notes - SpamFilter can run with or without the antivirus plug-in. When SpamFilter starts, it will check for the plug-in files. If they are found, antivirus support will automatically be enabled. We recommend installing the antivirus plug-in after installing SpamFilter. Restart SpamFilter after installing the plug-in to activate it.

Changes from the previous beta are as follows:
// New to VersionNumber = '';
{TODO -cNew : A current antivirus Activation Code is required to enable antivirus plugin}
{TODO -cNew : Added automatic hourly virus definition updates}
{TODO -cNew : Added custom response for SPF filter}
{TODO -cNew : Added custom response for antivirus filter}
{TODO -cNew : Added " - No Data Received" log entry if remote server is disconnected without receving any data from it (probes, port scanners,etc)}

Known Issues - There are cases when the antivirus plug-in installation program does not update the Registry correctly. If the key HKEY_LOCAL_MACHINE\SOFTWARE\Norman Data Defense Systems is not created, please issue the following DOS command from the \SpamFilter\Norman\Nvc\Nse directory:


This will add the correct registry entries.

Disclaimer - This version is a pre-release beta. As such, problems are expected. 

This beta will expire on April 14, 2005

Roberto Franceschetti" rel="nofollow - LogSat Software" rel="nofollow - Spam Filter ISP

Posted By: Guests
Date Posted: 25 March 2005 at 11:45pm
Possible bug?
I have started getting these errors since installing the new version.

03/25/05 00:31:03:375 -- (340) Exception occurred during Disconnect: Access violation at address 00566935 in module 'SpamFilterSvc.exe'. Read of address 00000018

also started to get the following errors - Lots of them

- (2644) Connection from:  -  Originating country : Korea, Republic of
03/25/05 01:03:18:546 -- (2644) Too many connections. Disconnecting:
03/25/05 01:03:18:546 -- (2644) - No Data Received
03/25/05 01:03:18:546 -- (2644) Disconnect
03/25/05 01:03:20:328 -- (2644) Connection from:  -  Originating country : Korea, Republic of
03/25/05 01:03:20:328 -- (2644) Too many connections. Disconnecting:
03/25/05 01:03:20:328 -- (2644) - No Data Received
03/25/05 01:03:20:328 -- (2644) Disconnect
03/25/05 01:03:20:500 -- (2496) Resolving - Error resolving IP address (TimedOut)
03/25/05 01:03:20:500 -- (2496) - IP address is from a blacklisted country...
03/25/05 01:03:20:500 -- (2496) - Mail from: To: will be disconnected
03/25/05 01:03:20:500 -- (2496) Disconnect
03/25/05 01:03:21:078 -- (2644) Connection from:  -  Originating country : China
03/25/05 01:03:21:218 -- (2496) Connection from:  -  Originating country : Korea, Republic of
03/25/05 01:03:21:218 -- (2496) Too many connections. Disconnecting:
03/25/05 01:03:21:218 -- (2496) - No Data Received
03/25/05 01:03:21:218 -- (2496) Disconnect
03/25/05 01:03:22:078 -- (2496) Connection from:  -  Originating country : Colombia
03/25/05 01:03:22:078 -- (2496) Too many connections. Disconnecting:
03/25/05 01:03:22:078 -- (2496) - No Data Received
03/25/05 01:03:22:078 -- (2496) Disconnect
03/25/05 01:03:22:093 -- (1380) Connection from:  -  Originating country : United States
03/25/05 01:03:22:093 -- (1380) Too many connections. Disconnecting:


Posted By: Desperado
Date Posted: 26 March 2005 at 7:07pm


Roberto has addressed this and I have verified the fix on build 435. Re-Download the Beta and you will get the new build.


The Desperado
Dan Seligmann.

Posted By: Guests
Date Posted: 26 March 2005 at 11:31pm
Thanks Dan,
That seems to be the fix for that problem. Now on to the next one. The AV doesn't seem to be working even though is show in the GUI that it is active. The problem is that since updateing to the newest beta's the AV part is not blocking any files and I know for a fact that my server gets infected mail every day. But since yesterday I have had only one email blocked. I have cleared the database and will see if any emails get blocked.


Posted By: Desperado
Date Posted: 27 March 2005 at 12:07am


I AM getting plenty of Virus blocks going on.  Double chenk that all the dll's are in place and also, I *manualy* set up the nvc path and registry entries because I originally had the actual Norman installed and then un-installeed it to make sure the new SpamFilter version was working correctly.  My registry "script" is as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Norman Data Defense Systems]

If you save this as a file named "anything.reg" and douple click on it, it will update the registry (after making mods to match your system).

If I can find your address, I will email you some stats.

Dan S.


The Desperado
Dan Seligmann.

Posted By: Guests
Date Posted: 27 March 2005 at 1:11pm
I still don't get any blocked virus emails. What is strange is that when I tried the install of the plug-in I get a 16bit application error. This has happend with both beta's. Not sure why. When I was running the first beta, it was blocking a lot of infected email, but since upgrading to the latest beta I have no virus blocked emails. My pop mail server is getting none from the spam filter so this leads me to think that any email that have virus's are getting stopped I just don't know how since non of the virus scaners are logging any activity.

As a work agound for the connection floods I set the max concurrent connections by IP  to 1 and that seems to have helped since I was getting a lot of off-shore probes that were not dropping. I figure the not dropping part may have been due to the bug that was fixed in 435.

I did try switching back to the first beta and even though the AV part wouldn't work my Mcafee 4.5.1 did catch infected emails.

I currently have the Mcafee not running on the server to see if that make any differance.

Posted By: Desperado
Date Posted: 27 March 2005 at 1:52pm


If you do have another AV running, make sure it is *not* scanning the SpamFilter folder.



The Desperado
Dan Seligmann.

Posted By: Dan B
Date Posted: 28 March 2005 at 2:18pm


The new beta 434 is making max incoming connections reach limit.  This is happening on 2 servers that normally have 35-50 incomming connections.  Once the service is started with ver 434 about an hour later the limit is reached at 250 on both servers.  I went back to ver 431 and the problem went away.  I'm running 434 on 2 other servers but the incoming connections never reach over 10.  They too is set for the limit of 250.

FYI: We are not running bayesian filter on those 2 servers.

Dan B

Posted By: Desperado
Date Posted: 28 March 2005 at 2:27pm


This seems to be fixed in 435 as per the post above.  I had the exact same issue and 435 filed it.

Dan S.

The Desperado
Dan Seligmann.

Posted By: Dan B
Date Posted: 28 March 2005 at 3:15pm


That fixed it.

Dan B

Posted By: Guests
Date Posted: 28 March 2005 at 3:54pm
I have noticed that the Plugin uses the root drive (Example) "C:\randomname.tmp" for temp space. Is there a way to have it use some other folder under the AV plugin folder instead. Currently every time an infected email is scanned or sandboxed it writes the infected file to the root folder on the system and my Mcafee Netshield 4.5.1 will scan and delete the file if it can. This causes the system to scan the file twice. . This double scanning is causing the system to be slower then normal. I have the entire spamfilter folder excluded already but since the AV plugin writes the infected file to the root folder I have no way to really prevent it being scanned. I don't want to take a chance and not protect the rest of the system by not scanning the root folder.

The 435 beta fixed the maxing out of the connections.

Great work BTW.


Posted By: Desperado
Date Posted: 28 March 2005 at 5:37pm


I never noticed that because my SpamFilter in not on the root drive.  I just looked and *yikes* there is a ton of tmp files. Thanks for pointing that out to me.


If possible, if the AV used the "tmp" enviroment variable, that would work because I script all the temp files away at midnight.  For now, I have a small java applett that does all my server clean-ups.  I am now setting it up to remove the tmp files in the root.   I NEVER write anything to the root so seeing these was an eye opener.


The Desperado
Dan Seligmann.

Posted By: LogSat
Date Posted: 28 March 2005 at 5:42pm
We'll need to look into this further with our partner, Norman, to see if there is anything that can be done.

Thanks for the info.

Roberto Franceschetti" rel="nofollow - LogSat Software" rel="nofollow - Spam Filter ISP

Posted By: Desperado
Date Posted: 28 March 2005 at 5:51pm


In the short term a simple scheduled task to run a .cmd file will work easily:

del /q c:\*.tmp

Run say once / hour

For George, I guess the c:\*.tmp could be "Excluded" from the AV scanning ... Yes?



The Desperado
Dan Seligmann.

Posted By: Guests
Date Posted: 28 March 2005 at 8:22pm
Yes I could exclude the *.tmp from scanning but I would rather not since Mcafee is deleting the infected files and preventing them from running by chance.


Posted By: mikek
Date Posted: 29 March 2005 at 2:47am
do I need to update the AV Plugin as well or have those files not been updated?

Posted By: mikek
Date Posted: 29 March 2005 at 3:01am

I already have a Norman AV Server Installation on my server. The previous beta (431) happily used this Norman instance.

The new build (435) now says: no antivirus support files found on server and no virus checking is being done.

The 2 plugin dlls are in the spamfilter folder though...


Posted By: Desperado
Date Posted: 29 March 2005 at 12:01pm


If norman is installed, try removing the registry entry "Norman Defense Systems" but still make sure all the dll's are in the SpamFilter root ... I think 3 not 2 dll's.  And make sure the On Access Scanner is NOT scanning the SpamFilter folder.  Remember that the Norman Application will be doing the updates ... not spam filter so make sure that is disabled on spamfilter.  In this mode, SpamFilter does not actually use the plugin but detects the "Real" Norman scan engine.

I do not know if this will help but when I had Norman on my server, this is what I did.  I no longer am running the Norman App on my SpamFilter server so I had to put the registry entries back in and (THIS IS IMPORTANT) I still did not work until I rebooted.  I got the "no antivirus support files found on server" error.   Once I rebotted, it worked.

All the above may or may not be your issue but give it a shot.



The Desperado
Dan Seligmann.

Posted By: LogSat
Date Posted: 30 March 2005 at 12:55am
We're still trying to find a way around the tmp files in the root drive. Dan, George, could you try creating the directory C:\NRMTEMP and see if the AV plugin tries to place files there instead of in the root? This may require restarting SpamFilter to make it visible.

Roberto Franceschetti" rel="nofollow - LogSat Software" rel="nofollow - Spam Filter ISP

Posted By: Desperado
Date Posted: 30 March 2005 at 1:19am


Will Do.


The Desperado
Dan Seligmann.

Posted By: mikek
Date Posted: 30 March 2005 at 2:08am
Originally posted by Desperado Desperado wrote:

If norman is installed, try removing the registry entry "Norman Defense Systems" but still make sure all the dll's are in the SpamFilter root ... I think 3 not 2 dll's.  And make sure the On Access Scanner is NOT scanning the SpamFilter folder.  Remember that the Norman Application will be doing the updates ... not spam filter so make sure that is disabled on spamfilter.  In this mode, SpamFilter does not actually use the plugin but detects the "Real" Norman scan engine.

I do not know if this will help but when I had Norman on my server, this is what I did.  I no longer am running the Norman App on my SpamFilter server so I had to put the registry entries back in and (THIS IS IMPORTANT) I still did not work until I rebooted.  I got the "no antivirus support files found on server" error.   Once I rebotted, it worked.

All the above may or may not be your issue but give it a shot.


Dan, I can't remove the Norman Data Defense Registry Entries because the Mailserver on the same server is using the Norman Engine as well. I have rebooted the server after installing the new SpamFilter version and activating the AV plugin.

Roberto: any help on this issue? "Activation Status" is empty, although the activation code has been entered and saved in SpamFilter.ini. What exactly is SpamFilter looking for to determine if "Antivirus support files" are found or not?


Posted By: Guests
Date Posted: 30 March 2005 at 3:40am
The C:\NRMTEMP folder idea didn't work. I think that this is something Norman will have to build into the plugin. As I stated in an earlier post, it would be best if the plugin kept it's files in it's directory rather then use the system root. Currently no matter what drive you install Spamfilter on the AV plugin will still write it's temp files to the system root.

The fact that the plugin write a infected file to the drive bothers me. The fact that it is writing to the system root scares me to the point of considering dropping the beta until this is fixed.


Posted By: LogSat
Date Posted: 30 March 2005 at 5:39pm
Originally posted by mikek mikek wrote:

Roberto: any help on this issue? "Activation Status" is empty, although the activation code has been entered and saved in SpamFilter.ini. What exactly is SpamFilter looking for to determine if "Antivirus support files" are found or not?


The plugin will not initialize until a valid activation code has been entered. Once you paste the activation code and click on "Activate", you should see some status "stuff" appearing below the "Activate" button, and only after that happened the AV plugin is loaded. Can you describe what happens after you click on the Activate button?

Originally posted by gsforsyth gsforsyth wrote:

The C:\NRMTEMP folder idea didn't work. I think that this is something Norman will have to build into the plugin. As I stated in an earlier post, it would be best if the plugin kept it's files in it's directory rather then use the system root. Currently no matter what drive you install Spamfilter on the AV plugin will still write it's temp files to the system root.

The fact that the plugin write a infected file to the drive bothers me. The fact that it is writing to the system root scares me to the point of considering dropping the beta until this is fixed.



That is why the AV plugin is a beta, because it's being tested to get rid of all the problems/bugs. We agree that the issue you reported is a (big) problem, and we're working with Norman for a fix. During the last 24 hours we poinpointed the problem and are preparing a fix. If all goes well we should have it ready within the next 6-24 hours.

Roberto Franceschetti" rel="nofollow - LogSat Software" rel="nofollow - Spam Filter ISP

Posted By: JimMeredith
Date Posted: 30 March 2005 at 6:43pm

Just FYI... not a SpamFilter problem, but something you need to be aware of.

The email containing the activation code can apparently be corrupted by Microsoft Outlook.  I installed the new beta earlier today, and requested the activation code through the online form.  The activation code email that was sent to me appeared to have the code split across two lines.  My first thought was that it was just a line-wrap issue, so I just concatenated the two lines manually... this didn't work.

Finally, after trying several other measures, I requested another activation code, but this time opened it in a Web Mail client (non-Microsoft).  The activation code displayed properly, and the problem became clear.

For some reason, Outlook is breaking-up the activation code after the 72nd character.  On the next line, the first 12 characters of the activation code are REPEATED, followed by the remaining few characters of the activation code.

Again, this isn't a LogSat or SpamFilter problem, it's an Outlook issue... and may even be more specific than that, it might only be CERTAIN VERSIONS of Outlook, I don't know.  But if anyone else is seeing this same issue (the activation code split across two lines, with the first 12 characters repeated on both lines) you might consider using a different mail client to get the activation code.

Posted By: Guests
Date Posted: 30 March 2005 at 9:25pm
Glad to hear that a fix is on the way. Since user level is low I done have near the worries that the bigger user might have. So far the since that last reboot after lockup, the plugin has caught 30 infected files. Mcafee has stopped 52 files from the Plugin tmp files.

Other than that the plugin is working as it should. CPU/Memory/HD activity all are bearly noticable.

Total blocked emails since reboot is 5370.

No emails infected with virus's have been pasted on to the pop server so it is working.

Looking forward to knowing what it is going to cost for the subscription from Norman.


Posted By: LogSat
Date Posted: 30 March 2005 at 11:48pm
We've hopefully fixed the issue reported 1st by gsforsyth regarding the temp files placed under the root of the C drive. A new antivirus plugin is available for download on the beta page. Only the plugin needs to be updated, not the whole SpamFilter installation.

Please read the update notes carefully, as a complete removal of the previous plugin files and registry entries is strongly advised. The registry removal does not apply if another Norman product is installed on the server.

Roberto Franceschetti" rel="nofollow - LogSat Software" rel="nofollow - Spam Filter ISP

Posted By: mikek
Date Posted: 31 March 2005 at 1:40am

Originally posted by LogSat LogSat wrote:

The plugin will not initialize until a valid activation code has been entered. Once you paste the activation code and click on "Activate", you should see some status "stuff" appearing below the "Activate" button, and only after that happened the AV plugin is loaded. Can you describe what happens after you click on the Activate button?

Hi Roberto,

Thanks for your reply. When I click on "Activate" I can not see anything happen. The "Activation Status" Windows remains empty... I tried activating with a bogus key as well - same here - no display of any kind...

Posted By: Guests
Date Posted: 31 March 2005 at 1:51am
Originally posted by LogSat LogSat wrote:

We've hopefully fixed the issue reported 1st by gsforsyth regarding the temp files placed under the root of the C drive. A new antivirus plugin is available for download on the beta page. Only the plugin needs to be updated, not the whole SpamFilter installation.

Please read the update notes carefully, as a complete removal of the previous plugin files and registry entries is strongly advised. The registry removal does not apply if another Norman product is installed on the server.


Success... see below. You guys are great at getting the fixes out.

The file C:\Program Files\SpamFilter\temp\4a41f049.TMP\EICAR.COM is infected with EICAR test file Test. Detected with Scan Engine 4.3.20 DAT version 4.0.4457. (from (name removed by me) IP (IP removed by me) user NT AUTHORITY\SYSTEM running NetShield 2000 4.5 OAS)

Posted By: LogSat
Date Posted: 31 March 2005 at 7:19am
Originally posted by mikek mikek wrote:

Hi Roberto,

Thanks for your reply. When I click on "Activate" I can not see anything happen. The "Activation Status" Windows remains empty... I tried activating with a bogus key as well - same here - no display of any kind...


That would explain everything... Only a valid activation code will "trigger" the display below, we do not have any "invalid code" notices and similar yet. If you can please forward us the email you received from our website with the code we'll try to understand why it's not working for you.

Roberto Franceschetti" rel="nofollow - LogSat Software" rel="nofollow - Spam Filter ISP

Posted By: mikek
Date Posted: 01 April 2005 at 8:05am

The AV plugin will not activate if the regional settings of the server define a date format different from the standard "English" date (mm/dd/yyyy). My server is running "German (Switzerland)" (, that's why the AV plugin will not activate.

Roberto and I have verified this and he is working on a fix for this problem as I type

Posted By: LogSat
Date Posted: 03 April 2005 at 9:34pm
The problem should be solved by build 439 that will be released shortly.

Roberto Franceschetti" rel="nofollow - LogSat Software" rel="nofollow - Spam Filter ISP

Posted By: Guests
Date Posted: 11 April 2006 at 3:48am
Originally posted by Desperado Desperado wrote:


Roberto has addressed this and I have verified the fix on build 435. Re-Download the Beta and you will get the new build.


Print Page | Close Window