ORF 4.4 Trial: not work with external agents? RSS

1

Hi,
I would like to try your product but have one question included in title:
ORF 4.4 Trial: not work with external agents?
Why i am asking?
Because i used article from here to install and configure ClamAV
www.vamsoft.com/clamav-guide-part1.asp
I used EICAR virus (http://www.eicar.org/anti_virus_test_file.htm) for testing purpose and try to send mail with powershell script:
==========================
$executingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
cd $executingScriptDirectory

$fileresults = ".\eicar.txt"

$messageParameters = @{
Subject = "[TEST] virus included"
Body = "Checking your antivirus system

Best regards,
HAKER"
From = "VIRUS "
To = "d.ilyin@domain.local"
# To = "d.ilyin@domain.local"
# CC = "d.ilyin@domain.local"
SmtpServer = "mail.domain.local"
Priority = "Normal" # High Low
Attachments = $fileresults

}
Send-MailMessage @messageParameters
===========================
But mail still arrive.
When i run command
===================================
c:\Scripts>"c:\clamav\clamdscan.exe" --no-summary --stdout --config-file=c:\clamav\clamd.conf .\eicar.txt
c:\Scripts\eicar.txt: Eicar-Test-Signature FOUND
===================================
It returned that virus found.
But still no luck with ORF :(

Is it linked with trial or configuration mistakes?

Thanks!

by Dmitiy 8 years ago
2

@Dmitiy: the External Agent feature is fully functional in the trial version, I guess the problem is that you send using the powershell script. Please note that ORF ignores email sent from intranet IPs (including the localhost address 127.0.0.1) by default, though if the problem is caused by that, you should still see an On Arrival entry in the log, and the email should go through unchecked. I recommend trying this method:

http://blog.vamsoft.com/2009/08/14/tales-from-tech-support-part-4-testing-our-external-agent/

and keep monitoring the logs using the Log Viewer Tool:

http://blog.vamsoft.com/2010/04/21/using-the-orf-log-viewer/

by Krisztian Fekete (Vamsoft) 8 years ago
(in reply to this post)

3

@Krisztian Fekete (Vamsoft): @Krisztian: Thanks for quick response!
Well, i realy used some variants to send virus from:
- hub transport
- member server in the same subnet
- class C subnet
And mail logged in Log Viewer Tool.

Ok. I understand my problem. Thanks a lot!

BUT: It was not expected :).
I thought that these setiing in ORF Administration tool should fix this:
ORF Administration tool - Configuration - Tests - Tests - Whitelist Test Exceptions - Configure - External agents test * -- checked
* Only agent with "Antivirus or other email security role"

But it didn't help :(.
Am i was wrong?

by Dmitriy 8 years ago
(in reply to this post)

4

@Dmitriy: This is because two whitelists always take precedence over any of the blacklists (even when excepted) - the IP Whitelist and the Authenticated User Whitelist. A subrule of the IP Whitelist is responsible for whitelisting emails originated from the intranet, hence the whitelisting.

The logic behind this is quite complex, but the main reason is that ORF does not really have a concept of "inbound" and "outbound" emails ("inbound" emails would be those sent from an external sender to a local user and "outbound" are those sent from a local user to an external recipient). Differentiating between the two types of email is crucial, because most can may be applied to inbound emails only, like Recipient Validation, SPF check, and so on.

The strategy most frequently employed by spam filters to idenfity inbound/outbound difference is to request the administrator to maintain a list of local domains in the spam filter configuration. This allows the spam filter to check if the recipient is local or external, but it also comes at a maintenance cost. I can tell if I were to add a new domain one year after I set up my spam filter, it would hardly occur to me I need to update the spam filter configuration.

So instead of the above, ORF chooses a different path when it says "Hey, if the email originates from the intranet or it is coming from the outside, but from an authenticated user, it is surely trusted, right?". This also conveniently overlaps with the definition of "outbound emails" 99% of the time. The price to pay is that emails from the intranet are always whitelisted, even when you want to perform tests.

by Peter Karsai (ORF Team) 8 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed