eMails scanned twice?

Discussion in 'NOD32 version 2 Forum' started by tBB, Sep 9, 2003.

Thread Status:
Not open for further replies.
  1. tBB

    tBB Registered Member

    Joined:
    Mar 27, 2003
    Posts:
    25
    Location:
    .de
    Hello!

    NOD (IMon) is running on my server and it seems that every mail I get is checked twice. It looks like:


    __________ NOD32 1.502 (20030905) Notification __________

    Warning: NOD32 Antivirus System found the following infiltrations in the message:
    q413720.exe - Win32/Gibe.B worm - renamed to q413720.vxe

    http://www.nod32.com

    __________ NOD32 1.502 (20030905) Notification __________

    Warning: NOD32 Antivirus System found the following infiltrations in the message:
    q413720.vxe - Win32/Gibe.B worm - renamed to q413720.vxe

    http://www.nod32.com


    Note that in the second part the attachment was already renamed to .vxe and IMon renamed it again :)

    I assume the problem is the spam-filtering mail proxy (SpamPal), which is accessed by the mail server through localhost/port 110. IMon is configured to monitor port 110.

    Is there something I can do or do I have to live with it?

    Tnx, tBB
     
  2. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    No it isn't - there are only two notices... After the scan the message is clean, so any other scan can't find anything else...

    I wrote this as "wish-to-fix-or-add-feature"

    http://www.wilderssecurity.com/showthread.php?t=12710;start=msg81524#msg81524
     
  3. tBB

    Well, after the scan the message isn't actually "clean" because IMon just renames the attachment to .vxe. As far as I know, IMon doesn't identify files by their extension but by their header so from that point it would be ok that the renamed .vxe was checked again.

    As you can see, IMon renamed the attachment to .vxe in the first run, then scanned the already renamed .VXE (and renamed it again to .VXE). I assume IMon checks the file the first time when my mail server accesses the local mail proxy at port 110, and the second time when the local mail proxy fetches my mail from the POP server, also at 110.

    After a bit of research it seems that this problem is very common on machines with IMon and local mail proxies installed (like SpamPal, SpamAssassin, PopFile and so on).

    -tBB
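
    Added example (not part of the original posts and not ESET code): a Python sketch that parses the notification footers quoted in this thread and flags a second scanning pass, meaning a finding whose file name is one that an earlier notice had already renamed it to. The regular expressions assume the footer layout shown in the first post, the sample text is copied from that post, and the function names are hypothetical.

```python
import re

# Footer text copied from the first post in this thread.
SAMPLE = """\
__________ NOD32 1.502 (20030905) Notification __________

Warning: NOD32 Antivirus System found the following infiltrations in the message:
q413720.exe - Win32/Gibe.B worm - renamed to q413720.vxe

http://www.nod32.com

__________ NOD32 1.502 (20030905) Notification __________

Warning: NOD32 Antivirus System found the following infiltrations in the message:
q413720.vxe - Win32/Gibe.B worm - renamed to q413720.vxe

http://www.nod32.com
"""

# Assumed layout: a header line per scanning pass, then "name - detection - renamed to name".
HEADER = re.compile(r"^[ \t]*_+ NOD32 (\S+) \((\d{8})\) Notification _+[ \t]*$", re.M)
FINDING = re.compile(r"^[ \t]*(\S.*?) - (.+?) - renamed to (\S+)[ \t]*$", re.M)

def parse_notifications(body):
    """Return one dict per notification block: version, signature date, findings."""
    headers = list(HEADER.finditer(body))
    blocks = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(body)
        findings = FINDING.findall(body[h.end():end])
        blocks.append({"version": h.group(1), "sigdate": h.group(2), "findings": findings})
    return blocks

def rescans(blocks):
    """Findings from a later pass over a file that an earlier pass already renamed."""
    seen = set()   # (renamed name, detection) pairs produced by earlier passes
    repeats = []
    for idx, block in enumerate(blocks):
        for name, detection, renamed in block["findings"]:
            if (name.lower(), detection) in seen:
                repeats.append((idx, name, detection))
            seen.add((renamed.lower(), detection))
    return repeats
```

    Run over the sample, `rescans(parse_notifications(SAMPLE))` reports the second block, which matches the two hops over port 110 described above.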
     
  4. DiGi

    I have a simple rule in IMON - if you find a virus - just delete it. Why leave it in the message?

    And I get most of Sobig.F mails with two notify texts...
     
  5. tBB

    I have no clue but I thought the NOD developers were reading this Forum. Obviously I was wrong :(

    -tBB
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Wrong conclusion, tBB ;)

    regards.

    paul
     
  7. tBB

    Oh, the chief himself :)

    Could you please tell me the right conclusion then? Is

    1) the whole NOD team on vacation?
    2) the NOD team just too busy?
    3) my question just too stupid?
    4) nobody in the NOD team who has an answer?
    5) All of the above

    Tnx & bye

    -tBB
     
  8. Paul Wilders

    Nice meeting you ;)

    I'll give it a try ;)

    No.

    As usual, the Eset/NOD32 team indeed is very busy - but not too busy.

    If I'm not mistaken, I've reacted to your presumption - not to questions asked in regard to the software. Since I never gave the impression you are stupid in any way; where does this question come from?

    If you would bother to read threads over on this forum as well as the other NOD32 forums over here, you'll notice several Eset techs answering many questions.

    Grin..Nice try tBB. Unfortunately, trolling doesn't work that well over here.

    You're most welcome.

    regards.

    paul
     
  9. tBB

    Why should I read threads not related to my problem? Also I was referring to my question. I've never said that Eset techs wouldn't answer questions at all.

    Sorry? It was not meant as "trolling" nor to insult someone and I don't think it sounded alike. Have you tried caffeineless coffee yet? :rolleyes:

    Anyway, as I'm a registered user I'll try the official support form at the Eset page now.

    Thanks, tBB
     
  10. Paul Wilders

    tBB,

    Here's a quote from your statement:

    In case they don't read the Forum(s), they wouldn't be able to answer questions, could they?

    These questions at least are highly suggestive and do come close:

    There's nothing wrong in wanting answers to questions: that's what these Official NOD32 forums are all about. The way you've worded some statements (see the last one) has quite a negative tone at the least. I for one fail to see the reason for such posts.

    That's your prerogative no doubt ;). I do hope you'll receive an answer that satisfies you soon!

    regards.

    paul
     