8 Replies Latest reply on Aug 2, 2012 6:08 AM by asabban

    AV load failed

    DBO

      Yesterday, for the first time in at least 2 years, I started receiving the following messages (at least 200 copies) from 207.67.117.137, a Secure Computing (McAfee) address from Minneapolis.  At the same time, one of our appliances was reporting a problem updating its AV sig...  So, the question now is: how is it that the warning e-mail is coming from McAfee and not from the appliance itself???

       

       

      ----------
      Dear administrator,

      AV Engine load for 'SCANM7.11.37.154.2799' failed. Webwasher uses previous version 'SCANM7.11.27.14.2776'.
      --------------

      Received: from ([207.67.117.137]) by smtp2.loto-quebec.com with SMTP id
          1FDHWG1.33554424; Wed, 25 Jul 2012 13:51:39 -0400
      Date: Wed, 25 Jul 2012 17:33:54 +0000
      Subject: AV load failed
      Content-Type: text/plain
      From: <lq500-sw01@webwasher.com>
      Return-Path: lq500-sw01@webwasher.com
      X-Auto-Response-Suppress: DR, OOF, AutoReply
      X-OriginalArrivalTime: 26 Jul 2012 12:12:54.0521 (UTC) FILETIME=[FC592690:01CD6B27]

       

       

       

       

       

        • 1. Re: AV load failed

          Do you have email notifications turned on?

          Have you defined a FROM address for the notification as @webwasher.com?

           

          What version?

          • 2. Re: AV load failed
            DBO

            Yes, and I just changed the source e-mail address from @webwasher.com to our own domain but, whatever the source address, the e-mail is coming from the outside...  From your own server!!!  That is the strange thing...

             

            Version 6.8.7 build 9396

             

             

             

            This message was edited by: DBO on 26/07/12 22:00:20 CDT
            • 3. Re: AV load failed
              asabban

              Hello,

               

              as far as I know this is the external IP address the support lab over there uses. Is it maybe possible that they have set up a feedback with your configuration for troubleshooting that has your eMail notification settings still in place? This is something I have seen in the past. If the SMTP server configured on your machine is available from the outside, also a node running in our labs will be able to send notifications and they may look closely like your notifications, but certainly come from the outside.

               

              Can you let us know if you have provided a feedback to support in the last days?

              If there is an open SR in regards to this system where you have provided a feedback please reply to the SR owner and ask if this is possible.

               

              Note: Usually when setting up a customer's configuration all notifications are turned off automatically. In some cases it is required to manually set up ALL the customer's settings; in this case the above can happen.

               

              Note2: This is just an idea how this could happen...

               

              Best,

              Andre

              • 4. Re: AV load failed
                DBO

                No open case as far as I know but I just asked around..  There is a feedback file dating from July 12th on the server but I doubt that we ever had a live feedback to support, ever...

                 

                Funny thing is that if I run an alert test for the AV, the warning comes from our internal SMTP server.  This morning, I received another warning about the AV engine having a problem with its update, again coming from a McAfee external server...  Our proxies don't have SMTP active and are not accessible from the outside.

                • 5. Re: AV load failed
                  asabban

                  Hello,

                   

                  very strange. Do you mind sending me one of those eMails in its complete source? I would like to have a look at all the headers, maybe that helps finding out where that eMail comes from. You could contact me via IM and I will share my eMail address. We probably do not want to expose all the information on the community.

                   

                  Best,

                  Andre
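
An added example, not part of the original thread and not McAfee tooling: the header check discussed in replies 3 and 5, run over the headers quoted in the first post. The internal network ranges and the function name `classify` are assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers quoted in the first post, with the folded
# Received line written as a proper continuation line.
SAMPLE = (
    "Received: from ([207.67.117.137]) by smtp2.loto-quebec.com with SMTP id\n"
    " 1FDHWG1.33554424; Wed, 25 Jul 2012 13:51:39 -0400\n"
    "Date: Wed, 25 Jul 2012 17:33:54 +0000\n"
    "Subject: AV load failed\n"
    "From: <lq500-sw01@webwasher.com>\n"
    "\n"
    "AV Engine load failed.\n"
)

# Assumption: appliances and internal relays sit on RFC 1918 space.
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def classify(raw, internal_nets=INTERNAL_NETS):
    """Report where a notification really entered our mail system."""
    msg = email.message_from_string(raw)
    result = {"peer_ip": None, "external": None, "delay_seconds": None,
              "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2]}
    received = msg.get_all("Received") or []
    if not received:
        return result  # nothing trustworthy to judge by
    # The topmost Received line was stamped by our own MTA; lower ones and
    # From/Return-Path are chosen by the sender.
    top = received[0]
    m = re.search(r"\[([0-9A-Fa-f:.]+)\]", top)
    if m:
        try:
            ip = ipaddress.ip_address(m.group(1))
            result["peer_ip"] = str(ip)
            result["external"] = not any(ip in net for net in internal_nets)
        except ValueError:
            pass  # bracketed token was not an address
    try:
        stamped = parsedate_to_datetime(top.rpartition(";")[2].strip())
        sent = parsedate_to_datetime(msg["Date"])
        result["delay_seconds"] = int((stamped - sent).total_seconds())
    except (TypeError, ValueError):
        pass  # missing or unparsable timestamps
    return result

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A notification whose From domain matches the appliance but whose connecting peer is flagged external is the pattern described in this thread: same content as a genuine alert, different sending host.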

                  • 6. Re: AV load failed
                    DBO

                    No problem.  How can I send that via private mail?

                    • 7. Re: AV load failed
                      DBO

                      Evidently, found out just after posting...

                      • 8. Re: AV load failed
                        asabban

                        No problem :-)

                         

                        I asked some colleagues to research. I will get back to you shortly.

                         

                        Best,

                        Andre