Antivirus Scanner returing False Positive

Antivirus Scanner returing False Positive

Postby cristo369 » Mon Apr 04, 2011 10:25 pm

I was wondering if anybody else has had this problem. I am currently using AMS 2.7 with ESET NOD32 v4.2 with default settings. When the users send/rec. encrypted attachments (PGP zip file or password protected zip) ESET is failing and AMS flags as a virus. I have disabled "Classify File as Virus if Application Fails" with no avail. I have evening tried "/no-sfx" switch but does not seem to work. Please let me know if anybody has come across this before or has any ideas?
cristo369
 
Posts: 10
Joined: Tue Oct 27, 2009 2:12 pm

Re: Antivirus Scanner returing False Positive

Postby Code Crafters » Fri Apr 08, 2011 8:29 am

All you can do is untick the "Classify File as Virus if Application Fails" option as you have already done. This stops classifying as virus if the application fails. Note that this means the application couldn't run (due to too many already running or similar) and doesn't mean that the antivirus scanned the mail and found a virus there.

As for the recommended settings, we get these by running the command line scanner from a command prompt (Run: cmd). If you do this with a -? parameter you usually are given details of all the parameters and their use. If you cannot resolve this issue from this then maybe you need to contact ESET NOD32 developers to ask what settings you can use.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Antivirus Scanner returing False Positive

Postby cristo369 » Fri Apr 08, 2011 6:02 pm

Thanks for the reply, I know that ESET is capable of returning multiple values when if finishes scanning. Could you elaborate on AMS "Return Value 1:*." What are the possible options, you can list here.
cristo369
 
Posts: 10
Joined: Tue Oct 27, 2009 2:12 pm

Re: Antivirus Scanner returing False Positive

Postby Code Crafters » Mon Apr 11, 2011 7:03 am

An application can only exit with a single code on any run. Usually 0 indicates success (safe) and 1 or more indiciates some error (i.e. a virus) meaning something different for each value. Therefore, 1:* normally indicates an error with * meaning infinity (i.e. 1 or higher). Check the doucmentation but if we set this in the recommended settings then this is probably what you want to go with.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Antivirus Scanner returing False Positive

Postby cristo369 » Tue Apr 12, 2011 8:00 am

So if I change the return value to 1:50, it will still work (in theory). According to ESET any value above 100 is a scan failure.
0 - no threat found
1 - threat found and cleaned
10 - some files could not be scanned (may be threats)
50 - threat found
100 - error
*If you receive an error message with an exit code greater than 100, the file was not scanned and thus could be infected.
http://kb.eset.com/esetkb/index?page=content&id=SOLN2285&pmv=print&impressions=false

Is it possible to insert text into body of email if scanner fails, as to alert the user?
cristo369
 
Posts: 10
Joined: Tue Oct 27, 2009 2:12 pm

Re: Antivirus Scanner returing False Positive

Postby Code Crafters » Wed Apr 13, 2011 8:31 am

Yes, you can use 1:50 to mean that a result of 1-50 means a virus and anything else doesn't. However, if you wanted to act on 2 different results for different actions you'd have to setup 2 antivirus scanners; the first for 1-50 with actions of delete or move to folder etc, and the second with a result of 100:* to edit the subject or similar to indicate the virus scan failed.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm


Return to General

Who is online

Users browsing this forum: No registered users and 36 guests

cron