View Full Version : Won't delete Virus Email


D Calder
09-11-2004, 11:57 AM
OK, I'm at my wits' end. I cannot get EW to delete an infected email.
I have the rule:

If message is incoming
and message has a virus
Then delete message

Here is what the log says.

16:
9/2/2004 8:18:12 PM ID:299058 16: Filters loaded ...
9/2/2004 8:18:12 PM ID:299058 16: Processing filter 'Virus'
9/2/2004 8:18:12 PM ID:299058 16: Checking condition 'message is incoming'
9/2/2004 8:18:12 PM ID:299058 16: Checking condition 'message has a virus'
9/2/2004 8:18:12 PM ID:299058 16: Running eTrust EZ Antivirus
9/2/2004 8:18:13 PM ID:299058 156: Message is infected by Win32.Klez.H worm
9/2/2004 8:18:13 PM ID:299058 156: Applying action 'delete message'


But it doesn't delete it. It still goes to their inbox. Any ideas?

Dave

FLhr
09-11-2004, 02:53 PM
How are you checking the "if it has a virus"? Have you tried using the
status code?

Carl

Alexander Telegin [SSS]
09-11-2004, 05:05 PM
Perhaps they get to their mailboxes through a door other than eWall. If a
message is marked for deletion, eWall won't forward the data to the server. The
server logs for the same time period will show the clue.

- Alex

Ron Brown
09-11-2004, 08:31 PM
Have you actually checked how many vectors exist in the "invected" email? I
heard too many vectors cause eWall to spin in place :-) Vectors are really
hard, if not impossible, to delete.

RB

D Calder
09-11-2004, 09:33 PM
I'm using it through EW.
The command line is

I:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VET32.EXE <file> /nobootscan /nomemoryscan
/compressed /nosub /infect=reportonly /display=none /logfile=<report>

D Calder
09-11-2004, 09:34 PM
Always a comedian in the crowd.

D Calder
09-11-2004, 09:45 PM
I'm replying to my own post, but oh well. Looks like I had "reportonly"
in the infect switch on the command line. I changed it to infect=delete.
That should do it, I hope.

Thanks for the help.

Dave

Ron Brown
09-12-2004, 12:03 AM
You're welcome

KB Inc.

FLhr
09-12-2004, 02:36 AM
Normally, you create a second rule that says "if the return code was 2, then
delete". At least in version 1 of EW.

Carl

Alexander Telegin [SSS]
09-12-2004, 09:26 AM
According to your logs, /infect=reportonly works perfectly for you and I
don't recommend changing it. eWall parses the report and says it's infected.
Have you checked the server logs as I asked?

- Alex

D Calder
09-12-2004, 11:17 AM
I changed it to delete and tested it with 12 virus emails, and it didn't let
any through once it was changed to infect=delete.

I'll still look at the other logs, Alex.

Dave

D Calder
09-12-2004, 11:20 AM
Yes, I checked the logs and it sent it on to the email server.

Dave

Jason J. Ellingson
09-23-2004, 09:08 PM
if infected, delete email AND stop processing message...

Otherwise, the next rule will recreate the message from EWall's buffer...

- Jason J Ellingson

D Calder
09-24-2004, 05:37 PM
That's what I have and it DOES NOT WORK.

Logs:
E-Wall Log

9/23/2004 9:09:43 PM - Requesting connection from United States
216.214.204.163
9/23/2004 9:09:43 PM ID:5988 Checking '216.214.204.163' in
'bl.spamcop.net'...
9/23/2004 9:09:43 PM ID:5988 Checking '216.214.204.163' in
'sbl.spamhaus.org'...
9/23/2004 9:09:44 PM ID:5988 Handling by server 192.168.1.***:2525
9/23/2004 9:09:44 PM ID:5988 220 n4zkf.com ArGoSoft Mail Server Pro for
WinNT/2000/XP, Version 1.8 (1.8.6.0) - eWall v2.0.132
9/23/2004 9:09:47 PM ID:5988 EHLO domain.com
9/23/2004 9:09:47 PM ID:5988 250-Welcome, 192.168.1.*** [192.168.1.***],
pleased to meet you
9/23/2004 9:09:47 PM ID:5988 250-AUTH=LOGIN
9/23/2004 9:09:47 PM ID:5988 250-AUTH LOGIN
9/23/2004 9:09:47 PM ID:5988 250-SIZE 10485760
9/23/2004 9:09:47 PM ID:5988 250 HELP
9/23/2004 9:09:58 PM ID:5988 MAIL FROM:<*****@aol.com>
9/23/2004 9:09:58 PM ID:5988 250 Sender "*****@aol.com" OK...
9/23/2004 9:10:02 PM ID:5988 RCPT TO:<*****@domain.com>
9/23/2004 9:10:03 PM ID:5988 250 Recipient "*****@domain.com" OK...
9/23/2004 9:10:06 PM ID:5988 DATA
9/23/2004 9:10:06 PM ID:5988 354 Ready
9/23/2004 9:10:37 PM ID:5988 Received: 41269 bytes (579 lines)
9/23/2004 9:10:37 PM ID:5988 15: ====== *****@aol.com -> *****@domain.com
9/23/2004 9:10:37 PM ID:5988 15: ---> Processing group 'IncommingGlobal'
9/23/2004 9:10:37 PM ID:5988 15: Filters loaded ...
9/23/2004 9:10:37 PM ID:5988 15: Processing filter 'Virus'
9/23/2004 9:10:37 PM ID:5988 15: Checking condition 'message is incoming'
9/23/2004 9:10:37 PM ID:5988 15: Checking condition 'message has a virus'
9/23/2004 9:10:37 PM ID:5988 15: Running eTrust EZ Antivirus
9/23/2004 9:10:38 PM ID:5988 156: Message is infected by Win32.Netsky.P worm
9/23/2004 9:10:38 PM ID:5988 156: Applying action 'delete message'
9/23/2004 9:10:38 PM ID:5988 156: Applying action 'stop all filters'
9/23/2004 9:10:38 PM ID:5988 250 OK
9/23/2004 9:10:39 PM ID:5988 QUIT
9/23/2004 9:10:39 PM ID:5988 221 Aba he
9/23/2004 9:10:39 PM ID:5988 Disconnected
Mail Log

9/23/2004 9:10:03 PM - ( 1251) RCPT TO:<*****@domain.com>
9/23/2004 9:10:03 PM - ( 1251) 250 Recipient "*****@domain.com" OK...
9/23/2004 9:10:38 PM - ( 1251) RSET
9/23/2004 9:10:38 PM - ( 1251) 250 Reset state
9/23/2004 9:10:39 PM - ( 1251) QUIT
9/23/2004 9:10:39 PM - ( 1251) 221 Aba he
9/23/2004 9:10:39 PM - { 1251} END SMTP
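The two excerpts in the last post contain enough to answer Alex's question mechanically: did the ArGoSoft server behind eWall ever receive the DATA for the transaction eWall says it deleted? The script below is an added example, not part of the thread and not eWall or ArGoSoft code. It parses the eWall log (per-session "ID:nnnn" lines) and the mail server log (per-session "( nnnn)" lines), then pairs an eWall "delete message" action with the server session whose RSET lands within a few seconds of it. The line-layout regexes and the 5-second matching window are my assumptions, taken only from the lines shown above; the embedded log text is copied from the post with its masking (`*****`, `192.168.1.***`) left in place.

```python
"""Correlate an eWall filter log with the back-end SMTP server log.

Added example (not from the thread, eWall or ArGoSoft). Assumptions:
- eWall lines look like  '<date> <time> ID:<session> [<n>: ]<text>'
- ArGoSoft lines look like '<date> <time> - ( <session>) <text>'
- a proxy action and the server-side RSET it caused are at most
  WINDOW apart; the two logs use different session ids, so time is
  the only join key available.
"""
import re
from datetime import datetime, timedelta

# Excerpts copied from the post above (masking preserved).
EWALL_LOG = """\
9/23/2004 9:09:58 PM ID:5988 MAIL FROM:<*****@aol.com>
9/23/2004 9:10:02 PM ID:5988 RCPT TO:<*****@domain.com>
9/23/2004 9:10:06 PM ID:5988 DATA
9/23/2004 9:10:06 PM ID:5988 354 Ready
9/23/2004 9:10:37 PM ID:5988 Received: 41269 bytes (579 lines)
9/23/2004 9:10:37 PM ID:5988 15: Processing filter 'Virus'
9/23/2004 9:10:38 PM ID:5988 156: Message is infected by Win32.Netsky.P worm
9/23/2004 9:10:38 PM ID:5988 156: Applying action 'delete message'
9/23/2004 9:10:38 PM ID:5988 156: Applying action 'stop all filters'
9/23/2004 9:10:38 PM ID:5988 250 OK
9/23/2004 9:10:39 PM ID:5988 QUIT
"""
SERVER_LOG = """\
9/23/2004 9:10:03 PM - ( 1251) RCPT TO:<*****@domain.com>
9/23/2004 9:10:03 PM - ( 1251) 250 Recipient "*****@domain.com" OK...
9/23/2004 9:10:38 PM - ( 1251) RSET
9/23/2004 9:10:38 PM - ( 1251) 250 Reset state
9/23/2004 9:10:39 PM - ( 1251) QUIT
9/23/2004 9:10:39 PM - { 1251} END SMTP
"""

TS = r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
EWALL_RE = re.compile(TS + r" ID:(\d+) (?:\d+: )?(.*)$")     # assumed layout
SERVER_RE = re.compile(TS + r" - [({] *(\d+)[)}] (.*)$")      # assumed layout
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"}
WINDOW = timedelta(seconds=5)  # assumed join tolerance between the two logs


def _parse(log, pattern):
    """Yield (timestamp, session id, text) for every line matching pattern."""
    for line in log.splitlines():
        m = pattern.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"), m.group(2), m.group(3)


def ewall_sessions(log):
    """Per eWall session: detection name, filter actions, and the first SMTP
    reply eWall sent to the *sender* after the message body was received."""
    out = {}
    for ts, sid, text in _parse(log, EWALL_RE):
        s = out.setdefault(sid, {"detection": None, "actions": [], "action_at": None,
                                 "got_message": False, "reply_after_data": None})
        if text.startswith("Received:"):
            s["got_message"] = True
        elif (m := re.match(r"Message is infected by (.+)", text)):
            s["detection"] = m.group(1)
        elif (m := re.match(r"Applying action '(.+)'", text)):
            s["actions"].append(m.group(1))
            s["action_at"] = ts
        elif s["got_message"] and s["reply_after_data"] is None and re.match(r"\d{3} ", text):
            s["reply_after_data"] = text
    return out


def server_sessions(log):
    """Per server session: the ordered list of (timestamp, SMTP verb) it received."""
    out = {}
    for ts, sid, text in _parse(log, SERVER_RE):
        verb = text.split(":")[0].split(" ")[0].upper()
        if verb in SMTP_VERBS:
            out.setdefault(sid, []).append((ts, verb))
    return out


def correlate(ewall_log, server_log, window=WINDOW):
    """For each eWall session that applied 'delete message', find the server
    session whose RSET is within `window` of that action and report whether
    a DATA command ever reached the server in that session."""
    servers = server_sessions(server_log)
    results = []
    for sid, s in ewall_sessions(ewall_log).items():
        if "delete message" not in s["actions"]:
            continue
        match = next((ssid for ssid, verbs in servers.items()
                      if any(v == "RSET" and abs(ts - s["action_at"]) <= window
                             for ts, v in verbs)), None)
        verbs = [v for _, v in servers.get(match, [])]
        results.append({
            "ewall_session": sid,
            "detection": s["detection"],
            "reply_to_sender": s["reply_after_data"],
            "server_session": match,
            "server_got_data": ("DATA" in verbs) if match else None,
            "server_reset_after_rcpt": (match is not None and "RSET" in verbs
                                        and "DATA" not in verbs),
        })
    return results


if __name__ == "__main__":
    for r in correlate(EWALL_LOG, SERVER_LOG):
        print(r)
```

On the excerpts above this reports one transaction: eWall detected `Win32.Netsky.P worm`, answered `250 OK` to the sending host (so the sender believes the message was accepted), and the server session `1251` saw RSET after RCPT with no DATA at all. For that transaction, then, nothing reached the ArGoSoft server through eWall; if a copy still showed up in the inbox, the logs point at a path that bypasses the proxy rather than at the delete action itself.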