Hi there,

Thanks for your suggestions.
I think I have the conversions. file set properly:

$ type conversions.
in-channel=*; in-type=*; in-subtype=*;
parameter-symbol-0=NAME; parameter-copy-0=*;
dparameter-symbol-0=FILENAME; dparameter-copy-0=*;
message-header-file=2; original-header-file=1;
override-header-file=1;
command="@vsweep_com:vsweep_pmdf.com"

$


David Priebe
Coordinator IT Systems & Networks
Renfrew County District School Board

-----Original Message-----
From: Bill MacAllister [mailto:bill@macallister.grass-valley.ca.us]
Sent: February 6, 2004 12:35 AM
To: info-pmdf@process.com
Subject: Re: Pmdf with vsweep




--On Thursday, February 05, 2004 11:43:48 PM -0500 David Priebe
wrote:

> $ pmdf ver
> %PMDF-I-VERSION, PMDF version is PMDF V6.2
> COMPAQ AlphaServer DS10 617 MHz running OpenVMS Alpha V7.2-1
> PMDF_SHARE_LIBRARY version V6.2-X21; linked 10:35:46, Dec 17 2003
> $
>
> Hi all,
>
> This question is slightly off-topic, but I believe many pmdf users are
> also using vsweep if running on OpenVMS.
>
> - Background.
> I have the conversions file in pmdf running the .com file which is only
> slightly modified from the one posted on Process's web site. If a virus
> is found by vsweep, I substitute the attachment and let the message
> continue on its way.
> The clients have McAfee's Virusscan installed, and email scanning is
> included.
> Vsweep updates are triggered by a special account I have set up
> (mail.delivery) and subscribed to Sophos's mailing list for new ide's.
> Virusscan is automatically updated daily against our server.
> Each of these pieces emails our techs to let them know a virus was
> found.
>
> So, most email viruses should be caught by vsweep, and if it's not up
> to date for some reason, then they should be caught by Virusscan.
>
> - Enter Mydoom.
> I checked the logs and Jan 26 at 8:00pm is when vsweep was automatically
> updated with the ide for mydoom.
>
> So, I'm not sure when the virus first got to our site, but if it was
> before vsweep was updated, then I would expect to have it in users'
> inboxes. To check, I did a manual scan of my entire msgstore tree and
> found only 1 copy of the virus. The problem is I am continually being
> notified by virusscan that it is finding more copies of the mydoom
> virus. We're using imap (msgstore), so with all their folders manually
> scanned, I don't know why virusscan on the PC is still finding the
> virus. I checked, and these users do not have multiple accounts set up
> in Outlook. The only thing I can think of is that vsweep is not finding
> the virus for some reason.
>
> One thing I noticed is that the vsweep example on Process's web site
> does not include the /arch, but I do. I thought that was required in
> order to have vsweep look in .zip files.
>
> Has anyone else come across this, or might have some suggestions on what
> to check next?
>
> My sweep command is:
> $ SOPHOS_SWEEP: SUBROUTINE
> $!
> $ CONVERTER_COMMAND=="$vsweep_exe:vsweep_axp.exe"
> $ CONVERTER_COMMAND 'INPUT_FILE'/ff/ns/il/arch/nooutput
>
> The virus I have seen get through is inside .zip files


Are you sure the .zip files are being scanned? What does your conversions
file look like?

Bill

> Ideas anyone?
>
> David Priebe
> Coordinator IT Systems & Networks
> Renfrew County District School Board
>
>
>




+---------------------------------------------------
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555