4. ESET Mail Security - Server protection
4.4.3 Submitting file from Quarantine
If you have quarantined a suspicious file that was not detected by the program, or if a file was incorrectly evaluated as infected (e.g., by heuristic analysis of the code) and subsequently quarantined, please send the file to ESET's Threat Lab. To submit a file from quarantine, right-click the file and select Submit for analysis from the context menu.
4.5 Log files
Logs store information about important events: detected infiltrations, logs from the on-demand scanner, logs from the resident scanners and system information.
Antispam and greylisting protection logs (listed among the other logs under Tools > Log files) contain detailed information about messages that were subject to scanning and the actions subsequently performed on those messages. Logs can be very useful when looking for undelivered email, trying to figure out why a message was marked as spam, etc.
Antispam
All messages categorized by ESET Mail Security as spam or probable spam are recorded here.
Columns description:
Time – time of entry into the antispam log
Sender – sender's address
Recipient – recipient's address
Subject – message subject
Score – spam score assigned to the message (in the range from 0 to 100)
Reason – the indicator which caused the message to be classified as spam. The displayed indicator is the strongest. If you want to see the other indicators, double-click the entry. The Reason window will open containing the remaining indicators sorted in descending order of strength.
URL Spammy Reputation – URL addresses in messages can often be an indication of spam.
HTML Formatting (Fonts, colors, etc.) – Formatting of elements in the HTML part of the message shows signs characteristic of spam (font type and size, its color, etc.).
Spam Tricks: Obfuscation – Words typical for spam tend to be masked by using other characters. A typical example is the word "Viagra", which is often written as "V1agra" to evade antispam detection.
HTML Image Type spam – Spam messages often take the form of pictures as another evasive strategy applied against antispam detection methods. Such pictures usually contain interactive links to web pages.
URL formatting hosting service domain – URL address contains the hosting service domain.
Spammy keyword ... – Message contains words typical for spam.
Email header inconsistency – Information in the header is altered to pose as a source other than the original sender.
Virus – Message contains a suspicious attachment.
Phish – Message contains text that is typical of phishing messages.
Replica – Message contains text that is typical of the category of spam offering replicas.
Generic spam indicator – Message contains words/characters that are typical for spam, e.g. "Dear friend", "hello winner", "!!!" etc.
Ham indicator – This indicator has the opposite function from the other listed indicators. It analyzes elements characteristic of regular solicited mail and lowers the overall spam score.
Non-specific spam indicator – Message contains other spam elements, such as base64 coding.
Custom spam phrases – Other typical spam phrases.
URL is blacklisted – URL in the message is on a blacklist.
IP %s is on RBL – IP address ... is on an RBL list.
URL %s is on DNSBL – URL address ... is on a DNSBL list.
URL %s is on RBL or the server is not entitled to send mail – URL address ... is on an RBL list, or the server does not have the required privileges to send email messages. Addresses that were part of the email's route are verified against the RBL list. The last address is tested for its connectivity rights to public mail servers. If valid connectivity rights cannot be detected, the address is placed on the LBL list. Messages marked as spam because of an LBL indicator have the following text in their Reason field: "server is not entitled to send mail".
Action – action performed on the message. Possible actions:
Retained – No action has been performed on the message.
Quarantined – Message was moved into quarantine.
Cleaned and quarantined – The virus was removed from the message and the message was quarantined.
Rejected – Message was denied and an SMTP reject answer was sent to the sender.
Deleted – Message was deleted using silent drop.
Received – time the message was received by the server.
NOTE: If mails are received via an email server, the times in the Time and Received fields are practically identical.
Greylisting
All messages that have been evaluated using the greylisting method are recorded in this log.
Columns description:
Time – time of entry into the greylisting log
HELO Domain – domain name used by the sending server to identify itself to the receiving server
IP address – sender's IP address
Sender – sender's address
Recipient – recipient's address
Action – may contain the following statuses:
Rejected – The incoming message was denied using the basic precept of greylisting (first delivery attempt).
Rejected (not verified) – The incoming message was redelivered by the sending server, but the time limit to deny the connection has not elapsed yet (Time limit for the initial connection denial).
Verified – The incoming message was redelivered several times by the sending server, the Time limit for the initial connection denial has elapsed and the message was successfully verified and delivered. See also Transport agent.
Time remaining – the time left until the Time limit for the initial connection denial is met
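The three greylisting statuses above follow from one rule: the first delivery attempt for a (HELO domain, IP address, sender, recipient) tuple is denied, retries before the Time limit for the initial connection denial stay denied, and a retry after the limit is verified and delivered. The following added example (written for this page, not ESET's own code) models that decision as a small state machine and formats entries with the log columns listed above; the 300-second limit and the addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# The tuple the greylisting log records for every delivery attempt:
# (HELO domain, IP address, sender, recipient)
Triplet = Tuple[str, str, str, str]

COLUMNS = ("Time", "HELO Domain", "IP address", "Sender", "Recipient", "Action", "Time remaining")


@dataclass
class Greylister:
    """Minimal greylisting state, mirroring the Action statuses in the log.

    denial_limit is the "Time limit for the initial connection denial" in seconds.
    The default of 300 s is a constructed assumption, not a product default.
    """
    denial_limit: float = 300.0
    first_seen: Dict[Triplet, float] = field(default_factory=dict)
    verified: Dict[Triplet, bool] = field(default_factory=dict)

    def evaluate(self, triplet: Triplet, now: float) -> Tuple[str, float]:
        """Return (Action, Time remaining) for a delivery attempt at time `now`."""
        if self.verified.get(triplet):
            # Sender already passed greylisting for this tuple: deliver directly.
            return "Verified", 0.0
        if triplet not in self.first_seen:
            # First delivery attempt: the basic precept of greylisting is to deny it.
            self.first_seen[triplet] = now
            return "Rejected", self.denial_limit
        remaining = self.denial_limit - (now - self.first_seen[triplet])
        if remaining > 0:
            # Redelivered, but the denial time limit has not elapsed yet.
            return "Rejected (not verified)", remaining
        # Redelivered after the limit elapsed: verified, message is delivered.
        self.verified[triplet] = True
        return "Verified", 0.0


def log_line(time_str: str, triplet: Triplet, action: str, remaining: float) -> str:
    """Render one greylisting log entry with the columns described above, tab-separated."""
    helo, ip, sender, recipient = triplet
    return "\t".join([time_str, helo, ip, sender, recipient, action, f"{remaining:.0f}"])


if __name__ == "__main__":
    g = Greylister()
    t = ("mail.example.net", "192.0.2.10", "alice@example.net", "bob@example.com")
    print("\t".join(COLUMNS))
    for when, label in ((1000.0, "first try"), (1100.0, "retry"), (1400.0, "late retry")):
        print(log_line(label, t, *g.evaluate(t, when)))
```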
Detected threats
Threat log offers detailed information about infiltrations detected by ESET Mail Security modules. The information includes the time of detection, scanner type, object type, object name, infiltration name, location, the performed action and the name of the user logged in at the time the infiltration was detected. To copy or delete one or more lines from the log (or to delete the whole log), use the context menu (right-click on the item).
Events
The Event log contains information about events and errors that have occurred in the program. Often the information found here can help you find a solution for a problem occurring in the program.
On-demand computer scan
The scanner log stores information about manual or planned scan results. Each line corresponds to a single computer scan. It lists the following information: scan date and time, total number of scanned, infected, and cleaned files, and the current scan status.
In On-demand scanner logs, double-click the log entry to display its detailed content in a separate window.
Use the context menu (right click) to copy one or more marked entries (in all types of logs).