Filter Script logic issue

Discussion forum for Enterprise Edition.
aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Filter Script logic issue

Post by aahq » Wed Apr 06, 2016 1:19 pm

Can anyone give me an idea on where I have gone wrong with the below:

In the header of the message if my unpack process finds an exe in a zip it marks the header up with a "SV-Unwanted" line.
My External Spam Assassin marks up with "X-Spam-Status: Yes" if it has spam.
I am using the ME Internal CriteriaMet for ClamAV to detect the virus.

My logic is that if it has "an exe in zip" (HASVIRUS) or if SA has marked it up (HASSPAM) and NOT have Clam AV detect then Filter is triggered...

I am checking my filter logs and this is just being ignored. Maybe it is my syntax. Maybe it is my logic.

I am doing this so I can have messages that aren't being detected by ClamAV but have spam or a nasty zip sent to myself.

Once I get past this I will have a smaller subset of messages that I can submit to sanesecurity for samples that have not been detected.

If anyone can see the issue let me know.

Thanks,

Scott


--------------

FilterResult=0
MEResultData=""
MEResultData1=""
MEResultData2=""

If CriteriaMet([ME_HEADERS_CONTAIN],"SV-Unwanted") Then
MEResultData = "HasVirus"
End If

If CriteriaMet([ME_HASVIRUS],"1") Then
MEResultData1 = "ClamAVDetected"
End If

If CriteriaMet([ME_HEADERS_CONTAIN],"X-Spam-Status: Yes") Then
MEResultData2 = "HasSpam"
End If

If MEResultData = "HasVirus" or MEResultData2 = "HasSpam" and not MEResultData1 = "ClamAVDetected" Then
FilterResult=1
End If

Brett Rowbotham
Posts: 537
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: Filter Script logic issue

Post by Brett Rowbotham » Thu Apr 07, 2016 4:58 am

Try with a bracketed second expression:

If MEResultData = "HasVirus" or (MEResultData2 = "HasSpam" and not MEResultData1 = "ClamAVDetected") Then

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: Filter Script logic issue

Post by aahq » Thu Apr 07, 2016 9:42 am

Thanks,

Think I got it now. I think the

CriteriaMet([ME_HASVIRUS], 1)

had to be a literal 1 rather than inside ""

I broke the script down into individual logic statements which still works.

I found I had to set the "Sender Authenticated" to override the other filter results to reduce my internal false positives for spam.

I put a rule in Outlook to put these into a Vsample folder on arrival, and I can periodically check these, lump them together and send them to samples@sanesecurity.me.uk

I will see how this goes.

Thanks again for looking.


Scott



------------

FilterResult=0
MEResultData=""
MEResultData1=""
MEResultData2=""
MEResultData3=""

If CriteriaMet([ME_HEADERS_CONTAIN],"SV-Unwanted") Then
MEResultData = "HasVirus"
End If

If CriteriaMet([ME_HASVIRUS], 1) Then
MEResultData1 = "ClamAVDetected"
Else
MEResultData1 = "ClamAVNotDetected"
End If


If CriteriaMet([ME_HEADERS_CONTAIN],"*X-Spam-Status: Yes*") Then
MEResultData2 = "HasSpam"
End If

If (MEResultData = "HasVirus" and MEResultData1 = "ClamAVNotDetected") Then
FilterResult=1
End If

If (MEResultData2 = "HasSpam" and MEResultData1 = "ClamAVNotDetected") Then
FilterResult=1
End If

If CriteriaMet([ME_SENDERAUTH], 1) Then
FilterResult=0
End If
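
Added example, not part of the thread and not MailEnable code: a Python truth table of the conditions discussed above, assuming the filter script evaluates Not before And before Or (VBScript precedence, which Python shares). It compares the first post's one-line condition, the bracketed form from the reply, the goal stated in the first post, and the final split script; all function and parameter names are this example's own.

```python
from itertools import product

# Inputs mirror the thread's checks (names are this example's own):
#   unwanted    -> headers contain "SV-Unwanted" (exe found in a zip)
#   spam        -> headers contain "X-Spam-Status: Yes"
#   clam        -> ClamAV flagged the message (ME_HASVIRUS)
#   sender_auth -> sender authenticated (ME_SENDERAUTH)

def original_rule(unwanted, spam, clam):
    # First post, unbracketed: parsed as unwanted or (spam and (not clam)).
    return unwanted or spam and not clam

def bracketed_rule(unwanted, spam, clam):
    # Reply's version with the second expression bracketed.
    return unwanted or (spam and not clam)

def intended_rule(unwanted, spam, clam):
    # Goal stated in the first post: (exe-in-zip or spam) and ClamAV silent.
    return (unwanted or spam) and not clam

def final_script(unwanted, spam, clam, sender_auth):
    # Second script: two separate tests, then the sender-auth override.
    result = 0
    clam_state = "ClamAVDetected" if clam else "ClamAVNotDetected"
    if unwanted and clam_state == "ClamAVNotDetected":
        result = 1
    if spam and clam_state == "ClamAVNotDetected":
        result = 1
    if sender_auth:
        result = 0
    return result

def disagreements():
    # Input combinations where the one-line condition differs from the goal.
    return [combo for combo in product([False, True], repeat=3)
            if original_rule(*combo) != intended_rule(*combo)]

if __name__ == "__main__":
    print("unwanted spam  clam  | original bracketed intended final(no auth)")
    for combo in product([False, True], repeat=3):
        cells = [original_rule(*combo), bracketed_rule(*combo),
                 intended_rule(*combo), bool(final_script(*combo, False))]
        print(" ".join(f"{str(v):5}" for v in combo), "|",
              " ".join(f"{str(v):9}" for v in cells))
    print("one-line form differs from the goal at:", disagreements())
```

Under that precedence assumption the two one-line forms agree on every input, and both still trigger when "SV-Unwanted" is present and ClamAV has detected the message; only the split script excludes those cases.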
