SpamFilter + antivirus plugin beta avail.
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5086
Printed Date: 05 February 2025 at 4:39pm
Topic: SpamFilter + antivirus plugin beta avail.
Posted By: LogSat
Subject: SpamFilter + antivirus plugin beta avail.
Date Posted: 03 March 2005 at 10:59pm
We have released the public beta for the
new version of SpamFilter ISP v2.5. The following information, along
with the download links, is also available on the beta page at http://www.logsat.com/sfi-beta.asp.
Major Changes introduced in SpamFilter ISP v2.5 - The new SpamFilter ISP v2.5
includes support for an anti-virus plug-in. LogSat Software has partnered with
Norman (http://www.norman.com/) to provide optional
antivirus protection for email traffic.
The antivirus plug-in will be available for
purchase separately from SpamFilter ISP and will be an optional
component. Unlike SpamFilter ISP's licenses, the antivirus
plug-in will be offered as a subscription service with a yearly
subscription fee. The amount of the fee has not been finalized
yet, but it will not exceed the price of a SpamFilter's license.
The availability of the antivirus plug-in for the free version
of SpamFilter ISP has not been determined yet.
Technical notes - SpamFilter can run with or without the antivirus
plug-in. When SpamFilter starts, it will check for the plug-in files. If
they are found, antivirus support will automatically be enabled. We
recommend installing the antivirus plug-in after installing SpamFilter.
Restart SpamFilter after installing the plug-in to activate it.
Known Issues - In this beta version, virus definition files will not
be automatically updated. We may make updates available from our website in
the near future. There are cases when the antivirus plug-in installation
program does not update the Registry correctly. If the key
HKEY_LOCAL_MACHINE\SOFTWARE\Norman Data Defense Systems is not created,
please issue the following DOS command from the \SpamFilter\Norman\Nvc\Nse
directory:
NSE /INSTALL
This will add the correct registry entries.
Disclaimer - This version is a pre-release beta. As such, problems
are expected.
This beta will expire on March 31, 2005.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|
Replies:
Posted By: mikek
Date Posted: 04 March 2005 at 8:27am
I already have a Norman NVC Server Version running on the machine that SpamFilter is running on. Is it possible (or planned) to be able to configure the plug-in to use that version?
|
Posted By: Desperado
Date Posted: 04 March 2005 at 12:25pm
Mikek,
The Beta version will discover the existence of Norman and use the engine. However, you will need to make sure that you "Exclude" the SpamFilter install folder from any real-time scanning.
Dan S.
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
|
Posted By: LogSat
Date Posted: 04 March 2005 at 2:19pm
Mikek,
Let me add on to what Dan mentioned. SpamFilter does use the existing
Norman engine (provided it's engine v12 or higher). There's a few
caveats in this beta build however:
The antivirus plugin consists of 3 DLLs used by SpamFilter: dwnse.dll,
ncl.dll and nselapi.dll. These files are currently being installed by
the antivirus plugin installation program. However the install program
is currently not smart enough to see the existing Norman install, and
will add another instance of the engine files in the SpamFilter\nvc\nse
directory, and registry entries (the key mentioned in the beta page).
This will be fixed shortly.
If SpamFilter sees an existing install of Norman, it will use that
engine, provided the 3 plugin DLLs are present in the SpamFilter
directory.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|
Posted By: JimMeredith
Date Posted: 05 March 2005 at 6:12pm
Hi Roberto,
Does the virus scan take precedence over all other checks that SpamFilter performs, including the whitelists? If not, where does the virus scan fit in the order of blacklist/whitelist checks? (I've quoted one of your "order of precedence" messages below for convenience.)
LogSat wrote:
All the white lists are checked first. If a match is found, the blacklists are skipped, the email recipients are accepted, and SpamFilter is ready to accept the data command. If none of the whitelists are matched, then the blacklists are currently searched in order below. This order is not user-definable, at least not right now.
- Allowed Domains
- Local Domain BlackList
- Local Emails Blacklist
- Local Emails TO Blacklist
- Not in Authorized TO Emails
- Country Blacklist
- Reject No Reverse DNS
- Reject Empty Mail From
- Reject Same To From Email address
- Reject Same To From Domain
- Recipient Count > Max RCPTTO
- MAPS check
- Keywords
- Bayesian Filtering
The only exception to the whitelist is the "whitelist keyword check". In order for that to work, the message has to be received first, and for this reason even if the sender is blacklisted by other filters, the email will still be received so that it can be checked against the keyword whitelist.
Once a blacklist "hits", all further blacklist checks are skipped.
|
Thanks,
Jim
|
Posted By: LogSat
Date Posted: 06 March 2005 at 12:35am
Jim,
For now in this first beta, the antivirus filter is the last on the
list. However within the next builds we'll be changing that and moving
it before the keywords filter. It cannot be moved even sooner
order-wise, as the email content has not been received yet when the
other filters are processing the email.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|
Posted By: Guests
Date Posted: 06 March 2005 at 11:54am
Hi, After installing the new beta I am getting this error.
Could not initialize Norman A/V engine - error $00010000
During install of the Beta I get a 16bit application error from the
application and the av install is missing some install required file.
Are there any instructions on how to use or what to expect?
g
|
Posted By: LogSat
Date Posted: 06 March 2005 at 12:55pm
SpamFilter's error is probably caused by the incomplete av install. You
can try to install the av on a different computer, and then copy the
directory tree /SpamFilter/nvc/nse from the alternate computer to the
one where the install fails. After the copy, from the
SpamFilter/nvc/nse directory on the SpamFilter server try issuing the
following command at a DOS prompt:
NSE /INSTALL
That should initialize the av engine, and then restart SpamFilter.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|
Posted By: kspare
Date Posted: 06 March 2005 at 1:40pm
So how do you know if it is working ok or not?
|
Posted By: JimMeredith
Date Posted: 06 March 2005 at 7:36pm
Kevin,
The first thing I did was send a message from an outside mail account with the EICAR test file attached. The EICAR file is not a real virus, but every antivirus program is programmed to treat it as a virus for testing purposes. You can download the EICAR file from Norman's web site (http://www.norman.com/Virus/Antivirus_testfile/en).
Another way is to look at your logs to see if you have had any traps. Here is a log entry with a virus trap.
03/05/05 05:30:41:070 -- (191) Connection from: 213.171.61.35 - Originating country : Russian Federation
03/05/05 05:30:51:845 -- (191) Resolving 213.171.61.35 - Error resolving IP address (TimedOut)
03/05/05 05:30:52:126 -- (191) Mail from: MAILER-DAEMON@domain.com
03/05/05 05:30:52:236 -- (191) - MAPS search done... 521 Your message has been rejected by the anti-spam filter. Blacklisted by sbl-xbl.spamhaus.org. http://www.spamhaus.org/query/bl?ip=213.171.61.35
03/05/05 05:30:52:236 -- (191) 213.171.61.35 - Mail from: MAILER-DAEMON@domain.com To: any@domain.com will be rejected
03/05/05 05:30:55:150 -- (191) EMail from MAILER-DAEMON@domain.com to any@domain.com infected with the virus MyDoom.L@mm
03/05/05 05:30:55:300 -- (191) EMail from MAILER-DAEMON@domain.com to any@domain.com was received and quarantined. Size: 39 KB, 39936 bytes
03/05/05 05:30:55:310 -- (191) Disconnect
A SQL query should also reveal antivirus activity.
SELECT COUNT(*) 'Virus_Messages', RejectDetails FROM tblquarantine WHERE RejectID=17 GROUP BY RejectDetails ORDER BY COUNT(*) DESC
I just ran this query on my SpamFilter test server (handling traffic for one low-volume domain only) and it returned the following resultset.
Virus_Messages RejectDetails
-------------- -----------------------------------------------------
246            infected with the virus Bagle.N@mm
9              infected with the virus Netsky.P@mm
6              infected with the virus Sober.K@mm
5              infected with the virus EICAR_Test_file_not_a_virus!
3              infected with the virus MyDoom.L@mm
1              infected with the virus Netsky.C@mm
Jim
|
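The log check described in the post above can be scripted. The following is an added example, not code from the thread or from LogSat: it pairs each "infected with the virus" line with the "received and quarantined" line of the same session. The regular expressions are derived from the single excerpt above, and the idea that the number in parentheses is a session number that gets reused after "Disconnect" is an assumption; the first session is a subset of the posted excerpt and the other two are constructed.

```python
import re
from collections import Counter

# Layout seen in the excerpt: "MM/DD/YY HH:MM:SS:mmm -- (session) text".
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3}) -- \((\d+)\) (.*)$")
CONNECT_RE = re.compile(r"^Connection from: (\S+)")
VIRUS_RE = re.compile(r"^EMail from (\S+) to (\S+) infected with the virus (.+)$")
QUARANTINE_RE = re.compile(r"^EMail from \S+ to \S+ was received and quarantined")

# First (191) session: lines from the posted excerpt, link residue removed.
# Session (192) and the second (191) session are constructed for this example.
SAMPLE_LOG = """\
03/05/05 05:30:41:070 -- (191) Connection from: 213.171.61.35 - Originating country : Russian Federation
03/05/05 05:30:51:845 -- (191) Resolving 213.171.61.35 - Error resolving IP address (TimedOut)
03/05/05 05:30:52:126 -- (191) Mail from: MAILER-DAEMON@domain.com
03/05/05 05:30:55:150 -- (191) EMail from MAILER-DAEMON@domain.com to any@domain.com infected with the virus MyDoom.L@mm
03/05/05 05:30:55:300 -- (191) EMail from MAILER-DAEMON@domain.com to any@domain.com was received and quarantined. Size: 39 KB, 39936 bytes
03/05/05 05:30:55:310 -- (191) Disconnect
03/05/05 05:31:02:010 -- (192) Connection from: 192.0.2.10 - Originating country : United States
03/05/05 05:31:02:500 -- (192) Mail from: user@example.org
03/05/05 05:31:03:100 -- (192) Disconnect
03/05/05 05:32:10:000 -- (191) Connection from: 198.51.100.7 - Originating country : Germany
03/05/05 05:32:11:200 -- (191) EMail from test@example.net to any@domain.com infected with the virus EICAR_Test_file_not_a_virus!
03/05/05 05:32:11:900 -- (191) Disconnect
"""


def virus_hits(log_text):
    """Return one record per virus detection, following each session to Disconnect."""
    open_sessions = {}  # session number -> state (assumed to be reused per connection)
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or wrapped line that does not start a log entry
        ts, sid, body = m.groups()
        c = CONNECT_RE.match(body)
        if c:
            # A new connection replaces any stale state left under this number.
            open_sessions[sid] = {"ip": c.group(1), "pending": []}
            continue
        state = open_sessions.setdefault(sid, {"ip": None, "pending": []})
        v = VIRUS_RE.match(body)
        if v:
            hit = {"time": ts, "ip": state["ip"], "sender": v.group(1),
                   "recipient": v.group(2), "virus": v.group(3).strip(),
                   "quarantined": False}
            state["pending"].append(hit)
            hits.append(hit)
        elif QUARANTINE_RE.match(body):
            # The quarantine line confirms the detections seen so far in this session.
            for hit in state["pending"]:
                hit["quarantined"] = True
            state["pending"] = []
        elif body == "Disconnect":
            open_sessions.pop(sid, None)
    return hits


def summarize(hits):
    """Totals per virus name, plus detections with no quarantine confirmation."""
    by_virus = Counter(h["virus"] for h in hits)
    unconfirmed = [h for h in hits if not h["quarantined"]]
    return by_virus, unconfirmed


if __name__ == "__main__":
    totals, unconfirmed = summarize(virus_hits(SAMPLE_LOG))
    print(dict(totals))
    for h in unconfirmed:
        print("no quarantine line for", h["virus"], "from", h["ip"], "at", h["time"])
```

A detection that never gets a quarantine line is reported separately so it can be checked by hand against the quarantine table.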
Posted By: Desperado
Date Posted: 06 March 2005 at 9:18pm
Jim,
33917 infected with the virus Sober.K@mm
25880 infected with the virus Sober.K@mm
1354 infected with the virus Netsky.P@mm
369 infected with the virus Netsky.P@mm
69 infected with the virus Netsky.D@mm
66 infected with the virus Netsky.B@mm
65 infected with the virus Netsky.C@mm
57 infected with the virus Bagle.AH@mm
55 infected with the virus Netsky.Q@mm
48 infected with the virus Lovgate.AB@mm
46 infected with the virus Lovgate.AG@mm
41 infected with the virus MyDoom.I@mm
38 infected with the virus Netsky.Z@mm
37 infected with the virus W32/Downloader
36 infected with the virus Bagle.J@mm
31 infected with the virus MyDoom.J@mm
31 infected with the virus Bifrose.D
31 infected with the virus Netsky.Q@mm
30 infected with the virus Netsky.B@mm
30 infected with the virus W32/FunLove.4099
30 infected with the virus Bagle.N@mm
30 infected with the virus Netsky.K@mm
28 infected with the virus Bagle.AH@mm
25 infected with the virus Netsky.D@mm
24 infected with the virus Netsky.K@mm
24 infected with the virus Bagle.N@mm
24 infected with the virus Bagle.BB@mm
22 infected with the virus Mytob.A
21 infected with the virus MyDoom.L@mm
21 infected with the virus Mabutu.A@mm
20 infected with the virus Bagle.AF@mm
19 infected with the virus Bagle.AR@mm
19 infected with the virus Bagle.BC@mm
19 infected with the virus Bagle.BC@mm
15 infected with the virus Mabutu.A@mm
14 infected with the virus Netsky.Z@mm
13 infected with the virus Netsky.C@mm
12 infected with the virus MyDoom.I@mm
12 infected with the virus Bagle.J@mm
12 infected with the virus Netsky.AB@mm
12 infected with the virus W32/Bagle.Gen!Zip
12 infected with the virus Bagle.AR@mm
10 infected with the virus Netsky.AD@mm
10 infected with the virus W32/Bagle.Gen!Zip
9 infected with the virus Netsky.X@mm
9 infected with the virus MyDoom.L@mm
8 infected with the virus Bagle.BB@mm
6 infected with the virus W32/FunLove.4099
6 infected with the virus Bagle.K@mm
6 infected with the virus Mytob.A
4 infected with the virus W32/MEWpacked.gen
4 infected with the virus Netsky.W@mm
4 infected with the virus W32/Valla.2048
4 infected with the virus Netsky.T@mm
4 infected with the virus Bagle.AV@mm
4 infected with the virus Bagle.AF@mm
3 infected with the virus Zafi.D@mm
3 infected with the virus Netsky.W@mm
3 infected with the virus W32/Bagle.Gen!Rar
2 infected with the virus HTML/Bagle
2 infected with the virus Netsky.N@mm
2 infected with the virus Netsky.AD@mm
2 infected with the virus Netsky.AB@mm
2 infected with the virus Zafi.D@mm
2 infected with the virus Netsky.T@mm
2 infected with the virus W95/Pinfi.A
1 infected with the virus HTML/MIME_Exploit
1 infected with the virus Bagle.AE@mm
1 infected with the virus Netsky.X@mm
1 infected with the virus MyDoom.F@mm
1 infected with the virus W32/Malware
1 infected with the virus W32/Klez.H@mm
1 infected with the virus HTML/MIME_Exploit
1 infected with the virus W32/Backdoor
1 infected with the virus W95/Maslan.C
1 infected with the virus Zafi.B@mm
1 infected with the virus MyDoom.AR@mm
1 infected with the virus W32/Magistr.A@mm
1 infected with the virus BugBear.B@mm
I think it is working.
Dan
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
|
Posted By: Guests
Date Posted: 06 March 2005 at 9:29pm
The install on different system worked.
Thx
|
Posted By: kspare
Date Posted: 06 March 2005 at 9:56pm
Antivirus is not working on my system. I did the install as suggested and just sent through the eicar test file, and it went right through. Wouldn't it make sense to have something similar to the database to show the antivirus is active? perhaps later to show the datfile version?
|
Posted By: LogSat
Date Posted: 06 March 2005 at 10:32pm
This is an early beta, so things will not be perfect, but... if you
check under the Settings - Anti Virus tab, you'll see, although
incomplete, a few lines in a status box describing the status of the
antivirus engine.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|
Posted By: kspare
Date Posted: 06 March 2005 at 10:36pm
I checked that and it's blank.
Any suggestions?
I installed it to c:\program files\spamfilterav if that helps at all?
|
Posted By: LogSat
Date Posted: 06 March 2005 at 10:54pm
The av plugin must be installed in the same directory where SpamFilter
is installed, from the path you posted it would not seem that is the
case. If the directory is not the same, that would definitely not work
correctly.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|
Posted By: kspare
Date Posted: 06 March 2005 at 10:59pm
Roberto, can you please email me...
|
Posted By: JimMeredith
Date Posted: 06 March 2005 at 11:10pm
Desperado wrote:
Jim,
33917 infected with the virus Sober.K@mm
25880 infected with the virus Sober.K@mm
1354 infected with the virus Netsky.P@mm
369 infected with the virus Netsky.P@mm
...
I think it is working.
Dan
|
Dan, you show-off! Actually, I'm glad you posted your results... good to see performance under load.
But based on the resultset you posted, the query I posted earlier needs to be modified to give accurate totals by virus type. Looks like the RejectDetails field sometimes includes a leading space, sometimes it does not... no biggie, it's easy to just trim it.
SELECT COUNT(*) 'Virus_Messages', LTRIM(RejectDetails) 'Details' FROM tblquarantine WHERE RejectID=17 GROUP BY LTRIM(RejectDetails) ORDER BY COUNT(*) DESC
Jim
|
Posted By: mikek
Date Posted: 07 March 2005 at 3:46am
LogSat wrote:
Mikek,
Let me add on to what Dan mentioned. SpamFilter does use the existing Norman engine (provided it's engine v12 or higher). There's a few caveats in this beta build however:
The antivirus plugin consists of 3 DLLs used by SpamFilter: dwnse.dll, ncl.dll and nselapi.dll. These files are currently being installed by the antivirus plugin installation program. However the install program is currently not smart enough to see the existing Norman install, and will add another instance of the engine files in the SpamFilter\nvc\nse directory, and registry entries (the key mentioned in the beta page). This will be fixed shortly.
If SpamFilter sees an existing install of Norman, it will use that engine, provided the 3 plugin DLLs are present in the SpamFilter directory.
|
ok, so after installing the av plugin, I delete the mentioned registry entry and the SpamFilter\nvc\nse directories, except for the 3 DLLs mentioned?
will there be a reduced license fee for users like me that only need the plugin but not the norman engine?
|
Posted By: mikek
Date Posted: 07 March 2005 at 4:15am
already have it working! installed the beta version of spamfilter, installed the av plugin on a different machine, copied the 3 dlls into the spamfilter directory, that's it!
|
Posted By: kspare
Date Posted: 07 March 2005 at 7:58am
that worked for me too.
I did notice that, even though I block *.com files, when I sent through the eicar test virus, it blocked the file via the black list but it also found that it had a virus and ultimately blocked the message because of the virus.
|
Posted By: JimMeredith
Date Posted: 07 March 2005 at 12:41pm
kspare wrote:
I did notice that, even though I block *.com files, when I sent through the eicar test virus, it blocked the file via the black list but it also found that it had a virus and ultimately blocked the message because of the virus.
|
Yes, I've noticed the same thing on all attachment types that we are allowing to be quarantined. (The attachment types that we have listed with ":null" to NOT quarantine are not even received, therefore not scanned by the antivirus... and that's fine.) The great thing about this is that the virus block becomes the reason logged in the database. I'm modifying our web interface to prevent a user from delivering a virus-infected message from quarantine.
|
Posted By: Desperado
Date Posted: 07 March 2005 at 3:27pm
JimMeredith wrote:
Desperado wrote:
Jim,
33917 infected with the virus Sober.K@mm
25880 infected with the virus Sober.K@mm
1354 infected with the virus Netsky.P@mm
369 infected with the virus Netsky.P@mm
...
I think it is working.
Dan
|
Dan, you show-off! Actually, I'm glad you posted your results... good to see performance under load.
But based on the resultset you posted, the query I posted earlier needs to be modified to give accurate totals by virus type. Looks like the RejectDetails field sometimes includes a leading space, sometimes it does not... no biggie, it's easy to just trim it.
SELECT COUNT(*) 'Virus_Messages', LTRIM(RejectDetails) 'Details' FROM tblquarantine WHERE RejectID=17 GROUP BY LTRIM(RejectDetails) ORDER BY COUNT(*) DESC
Jim
|
Jim,
Better?
45973 infected with the virus Sober.K@mm
1880 infected with the virus Netsky.P@mm
108 infected with the virus Netsky.D@mm
104 infected with the virus Netsky.B@mm
100 infected with the virus Bagle.AH@mm
92 infected with the virus Netsky.C@mm
92 infected with the virus Netsky.Q@mm
66 infected with the virus Lovgate.AG@mm
56 infected with the virus MyDoom.I@mm
56 infected with the virus Netsky.K@mm
54 infected with the virus Bagle.N@mm
52 infected with the virus Netsky.Z@mm
51 infected with the virus Bagle.J@mm
48 infected with the virus Lovgate.AB@mm
41 infected with the virus Mabutu.A@mm
40 infected with the virus Bagle.BC@mm
37 infected with the virus W32/Downloader
37 infected with the virus W32/FunLove.4099
34 infected with the virus Bagle.AR@mm
34 infected with the virus Bagle.BB@mm
31 infected with the virus Bifrose.D
31 infected with the virus MyDoom.J@mm
29 infected with the virus MyDoom.L@mm
27 infected with the virus Mytob.A
24 infected with the virus Bagle.AF@mm
22 infected with the virus W32/Bagle.Gen!Zip
15 infected with the virus Netsky.AB@mm
13 infected with the virus Netsky.AD@mm
11 infected with the virus Netsky.X@mm
10 infected with the virus Netsky.W@mm
7 infected with the virus Zafi.D@mm
6 infected with the virus Netsky.T@mm
6 infected with the virus W32/Bagle.Gen!Rar
6 infected with the virus Bagle.K@mm
4 infected with the virus W95/Pinfi.A
4 infected with the virus Bagle.AV@mm
3 infected with the virus Netsky.N@mm
3 infected with the virus W32/Valla.2048
2 infected with the virus HTML/MIME_Exploit
2 infected with the virus HTML/Bagle
2 infected with the virus W32/MEWpacked.gen
1 infected with the virus W95/BugBear.B@mm
1 infected with the virus W32/Magistr.A@mm
1 infected with the virus W32/Klez.H@mm
1 infected with the virus W32/Malware
1 infected with the virus Bagle.AE@mm
1 infected with the virus W95/Maslan.C
1 infected with the virus W32/Backdoor
1 infected with the virus Zafi.B@mm
1 infected with the virus BugBear.B@mm
1 infected with the virus MyDoom.AR@mm
1 infected with the virus MyDoom.F@mm
Dan
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
|
Posted By: kspare
Date Posted: 07 March 2005 at 5:14pm
Jim, can you let me know what you come up with in regards to preventing users from forwarding on viruses
|
Posted By: JimMeredith
Date Posted: 07 March 2005 at 5:43pm
Kevin, I'd be glad to, but I don't think it will help, since it's not in ASP. We have a proprietary quarantine management page and "reportlet" that is written in ColdFusion. We don't use the SpamFilter ASP code at all.
|
Posted By: mikek
Date Posted: 08 March 2005 at 3:59am
kspare wrote:
Jim, can you let me know what you come up with in regards to preventing users from forwarding on viruses
|
I have my own quarantine front-end as well, but for my part I just modified the SQL SELECT to include a WHERE RejectID<>17 and the user never sees mails that were blocked because of viruses...
|
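The two quarantine ideas discussed above (grouping virus rows on the trimmed RejectDetails value, and keeping RejectID 17 rows away from users) are sketched here as an added example; it is not the code of any poster's front-end. It also applies the RejectID check in the release step itself, since filtering only the listing leaves the decision to whatever message id the page submits. `tblquarantine`, `RejectID`, `RejectDetails` and the value 17 come from the thread; the `MsgID` and `EmailTo` columns, the non-virus RejectID value 5, the sample rows and the use of SQLite in place of the real database are assumptions.

```python
import sqlite3

VIRUS_REJECT_ID = 17  # RejectID used for antivirus hits in the thread's queries


def make_db():
    """Build an in-memory stand-in for tblquarantine with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblquarantine ("
        "MsgID INTEGER PRIMARY KEY, EmailTo TEXT, RejectID INTEGER, RejectDetails TEXT)"
    )
    rows = [
        # Rows 1 and 2 differ only by the leading space noted in the thread.
        (1, "alice@domain.com", 17, " infected with the virus Sober.K@mm"),
        (2, "alice@domain.com", 17, "infected with the virus Sober.K@mm"),
        (3, "alice@domain.com", 5, "keyword match"),   # 5: constructed non-virus id
        (4, "bob@domain.com", 17, "infected with the virus Netsky.P@mm"),
        (5, "bob@domain.com", 5, "keyword match"),
    ]
    conn.executemany("INSERT INTO tblquarantine VALUES (?, ?, ?, ?)", rows)
    return conn


def virus_totals(conn):
    """Totals per virus, grouping on the trimmed details so both spellings merge."""
    sql = (
        "SELECT LTRIM(RejectDetails) AS details, COUNT(*) AS n "
        "FROM tblquarantine WHERE RejectID = ? "
        "GROUP BY LTRIM(RejectDetails) ORDER BY n DESC, details"
    )
    return conn.execute(sql, (VIRUS_REJECT_ID,)).fetchall()


def list_releasable(conn, user):
    """What the user's quarantine page shows: own messages, virus rows left out."""
    sql = (
        "SELECT MsgID FROM tblquarantine "
        "WHERE EmailTo = ? AND RejectID <> ? ORDER BY MsgID"
    )
    return [row[0] for row in conn.execute(sql, (user, VIRUS_REJECT_ID))]


def release(conn, user, msg_id):
    """Re-check recipient and reject reason at release time, not only in the list."""
    row = conn.execute(
        "SELECT EmailTo, RejectID FROM tblquarantine WHERE MsgID = ?", (msg_id,)
    ).fetchone()
    if row is None:
        return "not found"
    email_to, reject_id = row
    if email_to != user:
        return "denied: not the recipient"
    if reject_id == VIRUS_REJECT_ID:
        return "denied: virus"
    # Delivery itself is outside this sketch; the row is removed to mark it released.
    conn.execute("DELETE FROM tblquarantine WHERE MsgID = ?", (msg_id,))
    return "released"


if __name__ == "__main__":
    db = make_db()
    print(virus_totals(db))
    print(list_releasable(db, "alice@domain.com"))
    print(release(db, "alice@domain.com", 1))
    print(release(db, "alice@domain.com", 3))
```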
Posted By: dcook
Date Posted: 08 March 2005 at 12:18pm
I have had the Beta running successfully under moderate load. I am increasing the load on the beta today. I had about 40 discovered and blocked viruses. I agree filtering on file extensions is preventing a higher count.
The install was smooth on both windows 2000 and 2003 server. Everything registered correctly. So far very stable.
Will the final release include the ability for signature to be updated on a schedule?
Dwight
------------- Dwight www.vividmix.com
|
Posted By: LogSat
Date Posted: 08 March 2005 at 4:16pm
Dwight,
Absolutely yes on the automatic updates. We're still working the
details with Norman (the AV engine owners) on how this will work, but
the next beta will probably have this feature enabled.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|
Posted By: kspare
Date Posted: 08 March 2005 at 6:49pm
A bit off topic, but does this version or others support dual or quad cpus?
|
Posted By: Desperado
Date Posted: 09 March 2005 at 1:47pm
I am running with Quad xeon which looks like 8 CPUs as far as the OS sees it.
Dan
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
|
Posted By: LogSat
Date Posted: 09 March 2005 at 4:05pm
The code is not compiled to specifically make use of any cpu-specific
features. In simple terms, what Windows gives SpamFilter is what
SpamFilter will use...
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|
Posted By: mikek
Date Posted: 15 March 2005 at 11:13am
does this version have the same limitation as the trial version? (not delivering e-mails marked as good directly in the database)
|
Posted By: LogSat
Date Posted: 15 March 2005 at 4:07pm
The limitation is *not* present in the beta.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|
Posted By: JimMeredith
Date Posted: 17 March 2005 at 1:04am
Roberto,
Would it be possible to post the updated Norman virus patterns on your web site, so that we can download them and (manually) update them for now?
Since it's a beta, we're not using this as our only line of virus defense... but it would still be a good idea to make updated virus patterns available at least every week or two during the beta, for continued effectiveness.
Thanks
|
Posted By: LogSat
Date Posted: 17 March 2005 at 4:36pm
Jim,
Soon (we're hoping days rather than weeks) we should have another beta
that will also include automatic download of virus updates.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
|