SpamFilter + antivirus plugin beta avail.

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104
Posted: 03 March 2005 at 10:59pm

We have released the public beta for the new version of SpamFilter ISP v2.5. The following information, along with the download links, is also available on the beta page at www.logsat.com/sfi-beta.asp.

Major Changes introduced in SpamFilter ISP v2.5 - The new SpamFilter ISP v2.5 includes support for an anti-virus plug-in. LogSat Software has partnered with Norman to provide optional antivirus protection for email traffic. The antivirus plug-in will be available for purchase separately from SpamFilter ISP and will be an optional component. Unlike SpamFilter ISP's licenses, the antivirus plug-in will be offered as a subscription service with a yearly subscription fee. The amount of the fee has not been finalized yet, but it will not exceed the price of a SpamFilter license. The availability of the antivirus plug-in for the free version of SpamFilter ISP has not been determined yet.

Technical notes - SpamFilter can run with or without the antivirus plug-in. When SpamFilter starts, it will check for the plug-in files. If they are found, antivirus support will automatically be enabled. We recommend installing the antivirus plug-in after installing SpamFilter. Restart SpamFilter after installing the plug-in to activate it.

Known Issues - In this beta version, virus definition files will not be automatically updated. We may make updates available from our website in the near future. There are cases when the antivirus plug-in installation program does not update the Registry correctly. If the key HKEY_LOCAL_MACHINE\SOFTWARE\Norman Data Defense Systems is not created, please issue the following DOS command from the \SpamFilter\Norman\Nvc\Nse directory:

NSE /INSTALL

This will add the correct registry entries.

Disclaimer - This version is a pre-release beta. As such, problems are expected. This beta will expire on March 31, 2005.

mikek | Senior Member | Joined: 22 February 2005 | Location: Switzerland | Status: Offline | Points: 133

I already have a Norman NVC Server Version running on the machine that SpamFilter is running on. Is it possible (or planned) to be able to configure the plug-in to use that version?

Desperado | Senior Member | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 1143

Mikek,

The Beta version will discover the existence of Norman and use the engine. However, you will need to make sure that you "Exclude" the SpamFilter install folder from any real-time scanning.

Dan S.

The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

Mikek,

Let me add on to what Dan mentioned. SpamFilter does use the existing Norman engine (provided it's engine v12 or higher). There are a few caveats in this beta build, however:

The antivirus plugin consists of 3 DLLs used by SpamFilter: dwnse.dll, ncl.dll and nselapi.dll. These files are currently being installed by the antivirus plugin installation program. However, the install program is currently not smart enough to see the existing Norman install, and will add another instance of the engine files in the SpamFilter\nvc\nse directory, and registry entries (the key mentioned in the beta page). This will be fixed shortly.

If SpamFilter sees an existing install of Norman, it will use that engine, provided the 3 plugin DLLs are present in the SpamFilter directory.

JimMeredith | Newbie | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 28

Hi Roberto,

Does the virus scan take precedence over all other checks that SpamFilter performs, including the whitelists? If not, where does the virus scan fit in the order of blacklist/whitelist checks? (I've quoted one of your "order of precedence" messages below for convenience.)

Thanks,
Jim

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

Jim,

For now in this first beta, the antivirus filter is the last on the list. However within the next builds we'll be changing that and moving it before the keywords filter. It cannot be moved even sooner order-wise, as the email content has not been received yet when the other filters are processing the email.

gsforsyth | Guest Group

Hi,

After installing the new beta I am getting this error.

Could not initialize Norman A/V engine - error $00010000

During install of the Beta I get a 16bit application error from the application and the av install is missing some install required file. Are there any instructions on how to use or what to expect?

g

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

SpamFilter's error is probably caused by the incomplete av install. You can try to install the av on a different computer, and then copy the directory tree /SpamFilter/nvc/nse from the alternate computer to the one where the install fails. After the copy, from the SpamFilter/nvc/nse directory on the SpamFilter server try issuing the following command at a DOS prompt:

NSE /INSTALL

That should initialize the av engine, and then restart SpamFilter.

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334

So how do you know if it is working ok or not?

JimMeredith | Newbie | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 28

Kevin,

The first thing I did was send a message from an outside mail account with the EICAR test file attached. The EICAR file is not a real virus, but every antivirus program is programmed to treat it as a virus for testing purposes. You can download the EICAR file from Norman's web site.

Another way is to look at your logs to see if you have had any traps. Here is a log entry with a virus trap.

03/05/05 05:30:41:070 -- (191) Connection from: 213.171.61.35 - Originating country : Russian Federation

A SQL query should also reveal antivirus activity.

SELECT COUNT(*) 'Virus_Messages', RejectDetails
FROM tblquarantine
WHERE RejectID=17
GROUP BY RejectDetails
ORDER BY COUNT(*) DESC

I just ran this query on my SpamFilter test server (handling traffic for one low-volume domain only) and it returned the following resultset.

Virus_Messages RejectDetails

Jim

Desperado | Senior Member | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 1143

Jim,

33917 infected with the virus Sober.K@mm

I think it is working.

Dan

The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com

gsforsyth | Guest Group

The install on different system worked.

Thx

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334

Antivirus is not working on my system. I did the install as suggested and just sent through the eicar test file, and it went right through. Wouldn't it make sense to have something similar to the database to show the antivirus is active? Perhaps later to show the datfile version?

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

This is an early beta, so things will not be perfect, but... if you check under the Settings - Anti Virus tab, you'll see, although incomplete, a few lines in a status box describing the status of the antivirus engine.

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334

I checked that and it's blank. Any suggestions?

I installed it to c:\program files\spamfilterav if that helps at all?

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

The av plugin must be installed in the same directory where SpamFilter is installed; from the path you posted it would not seem that is the case. If the directory is not the same, that would definitely not work correctly.

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334

Roberto, can you please email me...

JimMeredith | Newbie | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 28

Dan, you show-off!

But based on the resultset you posted, the query I posted earlier needs to be modified to give accurate totals by virus type. Looks like the RejectDetails field sometimes includes a leading space, sometimes it does not... no biggie, it's easy to just trim it.

SELECT COUNT(*) 'Virus_Messages', LTRIM(RejectDetails) 'Details'
FROM tblquarantine
WHERE RejectID=17
GROUP BY LTRIM(RejectDetails)
ORDER BY COUNT(*) DESC

Jim

mikek | Senior Member | Joined: 22 February 2005 | Location: Switzerland | Status: Offline | Points: 133

ok, so after installing the av plugin, I delete the mentioned registry entry and the SpamFilter\nvc\nse directories, except for the 3 DLLs mentioned?

will there be a reduced license fee for users like me that only need the plugin but not the norman engine?

mikek | Senior Member | Joined: 22 February 2005 | Location: Switzerland | Status: Offline | Points: 133

already have it working! installed the beta version of spamfilter, installed the av plugin on a different machine, copied the 3 dlls into the spamfilter directory, that's it!

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334

that worked for me too.

I did notice that, even though I block *.com files, when I sent through the eicar test virus, it blocked the file via the black list but it also found that it had a virus and ultimately blocked the message because of the virus.

JimMeredith | Newbie | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 28

Yes, I've noticed the same thing on all attachment types that we are allowing to be quarantined. (The attachment types that we have listed with ":null" to NOT quarantine are not even received, therefore not scanned by the antivirus... and that's fine.)

The great thing about this is that the virus block becomes the reason logged in the database. I'm modifying our web interface to prevent a user from delivering a virus-infected message from quarantine.

Desperado | Senior Member | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 1143

Jim,

Better?

45973 infected with the virus Sober.K@mm

Dan

The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334

Jim, can you let me know what you come up with in regards to preventing users from forwarding on viruses?

JimMeredith | Newbie | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 28

Kevin,

I'd be glad to, but I don't think it will help, since it's not in ASP. We have a proprietary quarantine management page and "reportlet" that is written in ColdFusion. We don't use the SpamFilter ASP code at all.

mikek | Senior Member | Joined: 22 February 2005 | Location: Switzerland | Status: Offline | Points: 133

I have my own quarantine front-end as well, but for my part I just modified the SQL SELECT to include a WHERE RejectID<>17 and the user never sees mails that were blocked because of viruses...
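
The two approaches discussed in the posts above (hiding virus rejections from the quarantine listing with RejectID<>17, and refusing to deliver an infected message), combined in an added example that is not code from any poster's front end. It uses Python with an in-memory SQLite table as a stand-in for the SpamFilter database; the MsgID and Recipient columns, the sample rows and the RejectID value 5 are assumptions, while tblquarantine, RejectID, RejectDetails and the value 17 come from the thread.

```python
import sqlite3

VIRUS_REJECT_ID = 17  # per the thread, RejectID 17 marks antivirus rejections

def make_db():
    """In-memory stand-in for the quarantine database, with constructed rows."""
    db = sqlite3.connect(":memory:")
    # MsgID and Recipient are hypothetical columns; the thread only shows
    # tblquarantine, RejectID and RejectDetails.
    db.execute("CREATE TABLE tblquarantine (MsgID INTEGER PRIMARY KEY, "
               "Recipient TEXT, RejectID INTEGER, RejectDetails TEXT)")
    db.executemany("INSERT INTO tblquarantine VALUES (?, ?, ?, ?)", [
        (1, "alice@example.com", 17, " infected with the virus Sober.K@mm"),
        (2, "alice@example.com", 5, "constructed non-virus reason"),
        (3, "bob@example.com", 17, "infected with the virus Sober.K@mm"),
    ])
    return db

def list_releasable(db, recipient):
    """Listing query: virus rejections are never shown to the user."""
    rows = db.execute(
        "SELECT MsgID FROM tblquarantine "
        "WHERE Recipient = ? AND RejectID <> ? ORDER BY MsgID",
        (recipient, VIRUS_REJECT_ID))
    return [row[0] for row in rows]

def release(db, recipient, msg_id):
    """Release decision, re-checked on the server at delivery time so that a
    message hidden from the listing cannot be delivered by its ID."""
    row = db.execute(
        "SELECT RejectID FROM tblquarantine WHERE MsgID = ? AND Recipient = ?",
        (msg_id, recipient)).fetchone()
    if row is None:
        return "not-found"        # unknown ID or someone else's message
    if row[0] == VIRUS_REJECT_ID:
        return "refused-virus"    # infected mail stays in quarantine
    # Actual redelivery is front-end specific; here the row is just removed.
    db.execute("DELETE FROM tblquarantine WHERE MsgID = ?", (msg_id,))
    return "released"

if __name__ == "__main__":
    db = make_db()
    print(list_releasable(db, "alice@example.com"))
    for msg_id in (1, 2, 3):
        print(msg_id, release(db, "alice@example.com", msg_id))
```
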

dcook | Senior Member | Joined: 31 January 2005 | Location: United States | Status: Offline | Points: 174

I have had the Beta running successfully under moderate load. I am increasing the load on the beta today. I had about 40 discovered and blocked viruses. I agree filtering on file extensions is preventing a higher count. The install was smooth on both Windows 2000 and 2003 Server. Everything registered correctly. So far very stable. Will the final release include the ability for signature to be updated on a schedule?

Dwight

Dwight
www.vividmix.com

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

Dwight,

Absolutely yes on the automatic updates. We're still working the details with Norman (the AV engine owners) on how this will work, but the next beta will probably have this feature enabled.

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334

A bit off topic, but does this version or others support dual or quad cpus?

Desperado | Senior Member | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 1143

I am running with Quad Xeon which looks like 8 CPUs as far as the OS sees it.

Dan

The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com