ORF 4.4 Trial: not work with external agents? RSS Back to forum
@Dmitiy:
the External Agent feature is fully functional in the trial version, I guess the problem is that you send using the powershell script. Please note that ORF ignores email sent from intranet IPs (including the localhost address 127.0.0.1) by default, though if the problem is caused by that, you should still see an On Arrival entry in the log, and the email should go through unchecked. I recommend trying this method:
http://blog.vamsoft.com/2009/08/14/tales-from-tech-support-part-4-testing-our-external-agent/
and keep monitoring the logs using the Log Viewer Tool:
http://blog.vamsoft.com/2010/04/21/using-the-orf-log-viewer/
@Krisztian Fekete (Vamsoft):
@Krisztian: Thanks for quick response!
Well, i realy used some variants to send virus from:
- hub transport
- member server in the same subnet
- class C subnet
And mail logged in Log Viewer Tool.
Ok. I understand my problem. Thanks a lot!
BUT: It was not expected :).
I thought that these setiing in ORF Administration tool should fix this:
ORF Administration tool - Configuration - Tests - Tests - Whitelist Test Exceptions - Configure - External agents test * -- checked
* Only agent with "Antivirus or other email security role"
But it didn't help :(.
Am i was wrong?
@Dmitriy:
This is because two whitelists always take precedence over any of the blacklists (even when excepted) - the IP Whitelist and the Authenticated User Whitelist. A subrule of the IP Whitelist is responsible for whitelisting emails originated from the intranet, hence the whitelisting.
The logic behind this is quite complex, but the main reason is that ORF does not really have a concept of "inbound" and "outbound" emails ("inbound" emails would be those sent from an external sender to a local user and "outbound" are those sent from a local user to an external recipient). Differentiating between the two types of email is crucial, because most can may be applied to inbound emails only, like Recipient Validation, SPF check, and so on.
The strategy most frequently employed by spam filters to idenfity inbound/outbound difference is to request the administrator to maintain a list of local domains in the spam filter configuration. This allows the spam filter to check if the recipient is local or external, but it also comes at a maintenance cost. I can tell if I were to add a new domain one year after I set up my spam filter, it would hardly occur to me I need to update the spam filter configuration.
So instead of the above, ORF chooses a different path when it says "Hey, if the email originates from the intranet or it is coming from the outside, but from an authenticated user, it is surely trusted, right?". This also conveniently overlaps with the definition of "outbound emails" 99% of the time. The price to pay is that emails from the intranet are always whitelisted, even when you want to perform tests.
Hi,
I would like to try your product but have one question included in title:
ORF 4.4 Trial: not work with external agents?
Why i am asking?
Because i used article from here to install and configure ClamAV
www.vamsoft.com/clamav-guide-part1.asp
I used EICAR virus (http://www.eicar.org/anti_virus_test_file.htm) for testing purpose and try to send mail with powershell script:
==========================
$executingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
cd $executingScriptDirectory
$fileresults = ".\eicar.txt"
$messageParameters = @{
Subject = "[TEST] virus included"
Body = "Checking your antivirus system
Best regards,
HAKER"
From = "VIRUS <[email protected]>"
To = "[email protected]"
# To = "[email protected]"
# CC = "[email protected]"
SmtpServer = "mail.domain.local"
Priority = "Normal" # High Low
Attachments = $fileresults
}
Send-MailMessage @messageParameters
===========================
But mail still arrive.
When i run command
===================================
c:\Scripts>"c:\clamav\clamdscan.exe" --no-summary --stdout --config-file=c:\clamav\clamd.conf .\eicar.txt
c:\Scripts\eicar.txt: Eicar-Test-Signature FOUND
===================================
It returned that virus found.
But still no luck with ORF :(
Is it linked with trial or configuration mistakes?
Thanks!