Bill,

I just want to make sure I understand.
What you're suggesting is that if an email message is not formatted properly
then it wouldn't match the conversion entry I had, and therefore it wouldn't
be scanned?

Questions:
Would the vsweep_pmdf.com file (basically the longer one posted on
process.com) handle a message that is not formatted properly, or would I
need to make changes to it?

Would it be better to add those 4 lines after my existing stuff or simply
remove the NAME and FILENAME lines from what I had?

Would having the 2 mean that something is scanned twice?

Thanks for your help,

David Priebe
Coordinator IT Systems & Networks
Renfrew County District School Board

-----Original Message-----
From: Bill MacAllister [mailto:bill@macallister.grass-valley.ca.us]
Sent: February 6, 2004 11:20 AM
To: info-pmdf@process.com
Subject: RE: Pmdf with vsweep


I seem to remember from some of my testing that with a conversion
specification like you have below that if you don't have FILENAME and NAME
mime parameters the conversion does not happen. Try adding:

in-channel=*; in-type=*; in-subtype=*;
message-header-file=2; original-header-file=1;
override-header-file=1;
command="@vsweep_com:vsweep_pmdf.com"

after the conversion specification that you already have in the conversions
file.

Bill

--On Friday, February 06, 2004 09:09:31 AM -0500 David Priebe
wrote:

>
> Hi there,
>
> Thanks for your suggestions.
> I think I have the conversions. file set properly:
>
> $ type conversions.
> in-channel=*; in-type=*; in-subtype=*;
> parameter-symbol-0=NAME; parameter-copy-0=*;
> dparameter-symbol-0=FILENAME; dparameter-copy-0=*;
> message-header-file=2; original-header-file=1;
> override-header-file=1;
> command="@vsweep_com:vsweep_pmdf.com"
>
> $
>
>
> David Priebe
> Coordinator IT Systems & Networks
> Renfrew County District School Board
>
> -----Original Message-----
> From: Bill MacAllister [mailto:bill@macallister.grass-valley.ca.us]
> Sent: February 6, 2004 12:35 AM
> To: info-pmdf@process.com
> Subject: Re: Pmdf with vsweep
>
>
>
>
> --On Thursday, February 05, 2004 11:43:48 PM -0500 David Priebe
> wrote:
>
>> $ pmdf ver
>> %PMDF-I-VERSION, PMDF version is PMDF V6.2
>> COMPAQ AlphaServer DS10 617 MHz running OpenVMS Alpha V7.2-1
>> PMDF_SHARE_LIBRARY version V6.2-X21; linked 10:35:46, Dec 17
>> 2003
>> $
>>
>> Hi all,
>>
>> This question is slightly off-topic, but I believe many pmdf users are
>> also using vsweep if running on OpenVMS.
>>
>> - Background.
>> I have the conversions file in pmdf running the .com file which is only
>> slightly modified from the one posted on Process's web site. If a virus
>> is found by vsweep, I substitute the attachment and let the message
>> continue on its way.
>> The clients have McAfee's Virusscan installed, and email scanning is
>> included.
>> Vsweep updates are triggered by a special account I have set up
>> (mail.delivery) and subscribed to Sophos's mailing list for new ide's.
>> Virusscan is automatically updated daily against our server.
>> Each of these pieces emails our techs to let them know a virus was
>> found.
>>
>> So, most email viruses should be caught by vsweep, and if it's not up
>> to date for some reason, then they should be caught by Virusscan.
>>
>> - Enter Mydoom.
>> I checked the logs and Jan 26 at 8:00pm is when vsweep was automatically
>> updated with the ide for mydoom.
>>
>> So, I'm not sure when the virus first got to our site, but if it was
>> before vsweep was updated, then I would expect to have it in users'
>> inboxes. To check, I did a manual scan of my entire msgstore tree and
>> found only 1 copy of the virus. The problem is I am continually being
>> notified by virusscan that it is finding more copies of the mydoom
>> virus. We're using imap (msgstore), so with all their folders manually
>> scanned, I don't know why virusscan on the PC is still finding the
>> virus. I checked, and these users do not have multiple accounts set up
>> in Outlook. The only thing I can think of is that vsweep is not finding
>> the virus for some reason.
>>
>> One thing I noticed is that the vsweep example on Process's web site
>> does not include the /arch, but I do. I thought that was required in
>> order to have vsweep look in .zip files.
>>
>> Has anyone else come across this, or might have some suggestions on what
>> to check next?
>>
>> My sweep command is:
>> $ SOPHOS_SWEEP: SUBROUTINE
>> $!
>> $ CONVERTER_COMMAND=="$vsweep_exe:vsweep_axp.exe"
>> $ CONVERTER_COMMAND 'INPUT_FILE'/ff/ns/il/arch/nooutput
>>
>> The virus I have seen get through is inside .zip files

>
> Are you sure the .zip files are being scanned? What does your
> conversions file look like?
>
> Bill
>
>> Ideas anyone?
>>
>> David Priebe
>> Coordinator IT Systems & Networks
>> Renfrew County District School Board
>>
>>
>>

>
>
>
> +---------------------------------------------------
>| Bill MacAllister
>| 14219 Auburn Road
>| Grass Valley, CA 95949
>| 530-272-8555
>




+---------------------------------------------------
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555
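
Added example (not part of the original thread, and not Process Software or Sophos code): a Python check that lists which MIME parts of a message lack the NAME (Content-Type) or FILENAME (Content-Disposition) parameter that the first conversions entry refers to. It assumes the matching behaviour Bill recalls above; the function names and the sample messages are constructed for illustration.

```python
from email import message_from_bytes


def build_sample(ctype_hdr, disp_hdr=None):
    """Build a constructed two-part message; the second part uses the given headers."""
    lines = [
        "From: sender@example.org", "To: rcpt@example.org",
        "Subject: constructed sample", "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"', "",
        "--b1", "Content-Type: text/plain", "", "body",
        "--b1", ctype_hdr,
    ]
    if disp_hdr:
        lines.append(disp_hdr)
    lines += ["Content-Transfer-Encoding: base64", "", "UEsDBA==", "--b1--", ""]
    return "\r\n".join(lines).encode("ascii")


def audit_parts(raw):
    """Return (content_type, has_name, has_filename) for every leaf MIME part."""
    records = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        has_name = part.get_param("name") is not None
        has_filename = part.get_param(
            "filename", header="content-disposition") is not None
        records.append((part.get_content_type(), has_name, has_filename))
    return records


def unmatched_parts(raw):
    """Content types of parts missing NAME or FILENAME (conservative reading:
    either one missing is treated as 'may skip the scan command')."""
    return [ct for ct, name, fname in audit_parts(raw) if not (name and fname)]


# Constructed samples: a fully labelled attachment, one with only a
# Content-Disposition filename, and one with neither parameter.
WELL_FORMED = build_sample('Content-Type: application/zip; name="doc.zip"',
                           'Content-Disposition: attachment; filename="doc.zip"')
FILENAME_ONLY = build_sample("Content-Type: application/zip",
                             'Content-Disposition: attachment; filename="doc.zip"')
BARE = build_sample("Content-Type: application/zip")

if __name__ == "__main__":
    for label, raw in (("well-formed", WELL_FORMED),
                       ("filename-only", FILENAME_ONLY), ("bare", BARE)):
        print(label, audit_parts(raw), "unmatched:", unmatched_parts(raw))
```

The plain text body part also shows up as unmatched in every sample, since it carries neither parameter.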