After intalling Client Security 9.3 all emails downloaded from MS Outlook are empty

Previous version 9.2 worked fine, but after the upgrade to version 9.3 all emails, we received with MS Outlook (2003 and 2007) are empty. Empty from, empty to, empty subject, empty body.

If I deactivate the realtime scanner for emails it works fine and the emails are correct.

So what kind of settings are required to get emails with activated realtime scanner?

Find more posts tagged with

Comments

daempii

Hi, tidaltides. Do you have any update regarding this matter for us? Cheers!

tidaltides

I think I am also encountering this type of problem. If this case last much longer, I will be emailing support to check it for me.

Vad

Hi Honker,

The issue is fixed in Client Security 9.31 RC2. Also a hotfix for CS 9.30 is available. Please, contact support if you need it.

Vad

Hi Honker,

We've found the root. No need for further investigation from your side.

Thanks again for your help!

Vad

Hello again, Honker.

It appears, that I gave you a wrong path for driver. Please, put it to c:\windows\system32\drivers, and try again. Also, if possible, please, send the debug log to my email, seems that this community forum makes some text processing.

Thanks in advance

honker

Thank you Vad.
In addition I would like to inform you that I have installed the new version 9.3 on 4 PC's with Windows 7 and this error occurs on all machines.

Vad

Thanks again, Honker. We'll continue investigation and inform you as soon as we'll have a solution.

honker

Vad, I replaced fses.sys (x86) at c:\Program Files\F-Secure\FWES\drivers\ and did a reboot. Same effect, empty emails when I activate "Scan emails for viruses and remove".
If I deactivate the checkbox, emails come normal.

Vad

Honker, the email with drivers in zip archive is sent to mentioned e-mail address.

honker

@ MJ-perComp
yes, the FSES exists in your printed location in the registry. I added the values for debuglevel and debuglog to activate the log (see the first answer of Vad)

honker

Hey Vad,
I can't open the fses_6.00-511.windows.fip to get the fses.sys
It is able to send the fses.sys in zip-format to office@honker.at?

MJ-perComp

The service is not registered correctly, that is why it does not work!!

Was HKLM\system\CurrentControlSet\services\FSES existing? or did you create it?

Vad

Thank you very much for your help. Can I ask you to try one more thing - replace email scan driver (F-Secure\FWES\drivers\fses.sys) with the driver from Client Security 9.20. You can get it from cs 9.20 jar content: program\inst\fses_6.00-511.windows.fip
and inside the fip:
fses_6.00-511.windows.fip\fses\windows-amd64\drivers\fses.sys for 64-bit OS
fses_6.00-511.windows.fip\fses\windows-x86\drivers\fses.sys for 32-bit OS

Does this help?

honker

09:52:07 insert_connection: cookie 1 active 1
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 82 bytes, flags 00000011
09:52:08 First net buffer list: 82 bytes
09:52:08 MDL offset 12 Byte count 82, offset 0
09:52:08 +OK POP3 server ready <fa08c02a-d417-44ff-a59c-3aa6df57bf28@mail2.dotnethost.at>
09:52:08 process_data, 82 incoming bytes
09:52:08 command_complete, 0 bytes delayed
09:52:08 Allowed 82 incoming bytes
09:52:08 stream ClassifyFn: PID 3440, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 -> 81.223.239.102:110 7 bytes, flags 00010000
09:52:08 First net buffer list: 7 bytes
09:52:08 MDL offset 0 Byte count 7, offset 0
09:52:08 AUTH
09:52:08 process_data, 7 outgoing bytes
09:52:08 feed_outbound:: token 5
09:52:08 Allowed 7 outgoing bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 22 bytes, flags 00000011
09:52:08 First net buffer list: 22 bytes
09:52:08 MDL offset 72 Byte count 22, offset 0
09:52:08 -ERR Invalid command
09:52:08 process_data, 22 incoming bytes
09:52:08 command_complete, 0 bytes delayed
09:52:08 Allowed 22 incoming bytes
09:52:08 stream ClassifyFn: PID 3440, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 -> 81.223.239.102:110 25 bytes, flags 00010000
09:52:08 First net buffer list: 25 bytes
09:52:08 MDL offset 0 Byte count 25, offset 0
09:52:08 USER UserName
09:52:08 process_data, 25 outgoing bytes
09:52:08 feed_outbound: Command not recognized
09:52:08 Allowed 25 outgoing bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 34 bytes, flags 00000011
09:52:08 First net buffer list: 34 bytes
09:52:08 MDL offset 60 Byte count 34, offset 0
09:52:08 +OK User:'UserName' ok
09:52:08 process_data, 34 incoming bytes
09:52:08 command_complete, 0 bytes delayed
09:52:08 Allowed 34 incoming bytes
09:52:08 stream ClassifyFn: PID 3440, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 -> 81.223.239.102:110 18 bytes, flags 00010000
09:52:08 First net buffer list: 18 bytes
09:52:08 MDL offset 0 Byte count 18, offset 0
09:52:08 PASS xxxx
09:52:08 process_data, 18 outgoing bytes
09:52:08 feed_outbound: Command not recognized
09:52:08 Allowed 18 outgoing bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 17 bytes, flags 00000011
09:52:08 First net buffer list: 17 bytes
09:52:08 MDL offset 76 Byte count 17, offset 0
09:52:08 +OK Password ok
09:52:08 process_data, 17 incoming bytes
09:52:08 command_complete, 0 bytes delayed
09:52:08 Allowed 17 incoming bytes
09:52:08 stream ClassifyFn: PID 3440, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 -> 81.223.239.102:110 6 bytes, flags 00010000
09:52:08 First net buffer list: 6 bytes
09:52:08 MDL offset 0 Byte count 6, offset 0
09:52:08 STAT
09:52:08 process_data, 6 outgoing bytes
09:52:08 feed_outbound: Command not recognized
09:52:08 Allowed 6 outgoing bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 13 bytes, flags 00000011
09:52:08 First net buffer list: 13 bytes
09:52:08 MDL offset 80 Byte count 13, offset 0
09:52:08 +OK 2 13335
09:52:08 process_data, 13 incoming bytes
09:52:08 command_complete, 0 bytes delayed
09:52:08 Allowed 13 incoming bytes
09:52:08 stream ClassifyFn: PID 3440, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 -> 81.223.239.102:110 6 bytes, flags 00010000
09:52:08 First net buffer list: 6 bytes
09:52:08 MDL offset 0 Byte count 6, offset 0
09:52:08 UIDL
09:52:08 process_data, 6 outgoing bytes
09:52:08 feed_outbound:: token 4
09:52:08 Allowed 6 outgoing bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 31 bytes, flags 00000011
09:52:08 First net buffer list: 31 bytes
09:52:08 MDL offset 64 Byte count 31, offset 0
09:52:08 +OK 2 messages (13335 octets)
09:52:08 process_data, 31 incoming bytes
09:52:08 Allowed 31 incoming bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 99 bytes, flags 00000011
09:52:08 First net buffer list: 99 bytes
09:52:08 MDL offset 76 Byte count 99, offset 0
09:52:08 1 sm_00001506_5c551bffdd454107a65836b05b16a071
2 sm_00001507_5c551bffdd454107a65836b05b16a071
.
09:52:08 process_data, 99 incoming bytes
09:52:08 command_complete, 0 bytes delayed
09:52:08 Allowed 99 incoming bytes
09:52:08 stream ClassifyFn: PID 3440, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 -> 81.223.239.102:110 6 bytes, flags 00010000
09:52:08 First net buffer list: 6 bytes
09:52:08 MDL offset 0 Byte count 6, offset 0
09:52:08 LIST
09:52:08 process_data, 6 outgoing bytes
09:52:08 feed_outbound:: token 2
09:52:08 Allowed 6 outgoing bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 31 bytes, flags 00000011
09:52:08 First net buffer list: 31 bytes
09:52:08 MDL offset 64 Byte count 31, offset 0
09:52:08 +OK 2 messages (13335 octets)
09:52:08 process_data, 31 incoming bytes
09:52:08 Allowed 31 incoming bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 20 bytes, flags 00000011
09:52:08 First net buffer list: 20 bytes
09:52:08 MDL offset 76 Byte count 20, offset 0
09:52:08 1 1756
2 11579
.
09:52:08 process_data, 20 incoming bytes
09:52:08 command_complete, 0 bytes delayed
09:52:08 Allowed 20 incoming bytes
09:52:08 stream ClassifyFn: PID 3440, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 -> 81.223.239.102:110 8 bytes, flags 00010000
09:52:08 First net buffer list: 8 bytes
09:52:08 MDL offset 0 Byte count 8, offset 0
09:52:08 RETR 2
09:52:08 process_data, 8 outgoing bytes
09:52:08 feed_outbound:: token 1
09:52:08 Allowed 8 outgoing bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 18 bytes, flags 00000011
09:52:08 First net buffer list: 18 bytes
09:52:08 MDL offset 76 Byte count 18, offset 0
09:52:08 +OK 11579 octets
09:52:08 process_data, 18 incoming bytes
09:52:08 Receiving 11579 bytes
09:52:08 Injecting 5 incoming bytes, flags 1
09:52:08 scan_data_begin (1), total 11579
09:52:08 send_msg_to_user, type 19
09:52:08 Blocked 18 incoming bytes
09:52:08 inject_request_complete, status 00000000, length 5
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 1452 bytes, flags 00000001
09:52:08 First net buffer list: 1452 bytes
09:52:08 MDL offset 0 Byte count 1452, offset 0
09:52:08 Return-Path: <office@honker.at>
Received: from HonkerMobile (85-126-151-74.work.xdsl-line.inode.at [85.126.151.74]) by mail2.dotnethost.at with SMTP;
Tue, 20 Dec 2011 10:49:45 +0100
From: =?iso-8859-1?Q?G=FCnter_Honsdorf?= <office@honker.at>
To: <g.honsdorf@wisi.at>
Subject: test
Date: Tue, 20 Dec 2011 10:49:49 +0100
Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAAHC9FrLcdKxIqosaa3WquD7CgAAAEAAAAOzoHuse4TVAm5tjdRdq8OkBAAAAAA==@honker.at>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_002F_01CCBF05.18BBBC00"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Acy+/LavN2G6MRBORlOQSs7CcmaIwg==
Content-Language: de-at
Disposition-Notification-To: =?iso-8859-1?Q?G=FCnter_Honsdorf?= <office@honker.at>
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)

This is a multipart message in MIME format.

------=_NextPart_000_002F_01CCBF05.18BBBC00
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0030_01CCBF05.18BBBC00"

------=_NextPart_001_0030_01CCBF05.18BBBC00
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

=20

=20

mit freundlichen Gr=FC=DFen,

=20

G=FCnter Honsdorf

honker :: Simplify your work
EDV-Dienstleistungen / Handel

----------------------------------------------------

Obere Hauptstrasse 20

A-7372 Weingraben

Tel + Fax: +43(0)2617/25803
Mobil: +43(0)680/2020548

Email: <mailto Smiley Surprised

ffice@honker.process_data, 1452 incoming bytes
09:52:08 Blocked 1452 incoming bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 1452 bytes, flags 00000001
09:52:08 First net buffer list: 1452 bytes
09:52:08 MDL offset 0 Byte count 1452, offset 0
09:52:08 at> office@honker.at

Web: <http://www.honker.at/> www.honker.at
UID: ATU57921716

----------------------------------------------------

<http://www.facebook.com/Honker.Austria> Beschreibung: FB-Logo_link
<https://twitter.com/#!/Honsdorf> Beschreibung: Twitter_Logo_link=20

=20

honker

Here is the complete log for 1 email. I changed Username and Password.

==============================================
09:46:35 FSES.SYS 2.00.515 built Oct 3 2011 14:32:08. Windows 6.1.7601 SP 1.0 32bit
09:46:35 FwpmEngineOpen0 failed: C0020035
09:46:36 FwpmEngineOpen0 failed: C0020035
09:46:37 FwpmEngineOpen0 failed: C0020035
09:46:38 FwpmEngineOpen0 failed: C0020035
09:46:39 FwpmEngineOpen0 failed: C0020035
09:46:40 FwpmEngineOpen0 failed: C0020035
09:46:41 FwpmEngineOpen0 failed: C0020035
09:46:42 FwpmEngineOpen0 failed: C0020035
09:46:43 FwpmEngineOpen0 failed: C0020035
09:46:44 FwpmEngineOpen0 failed: C0020035
09:46:45 FwpmEngineOpen0 failed: C0020035
09:46:46 FwpmEngineOpen0 failed: C0020035
09:46:47 FwpmEngineOpen0 failed: C0020035
09:46:48 FwpmEngineOpen0 failed: C0020035
09:46:49 FwpmEngineOpen0 failed: C0020035
09:46:50 FwpmEngineOpen0 failed: C0020036
09:46:51 stream NotifyFn: filter added to flow
09:46:51 stream NotifyFn: filter added to flow
09:46:51 flow_estab NotifyFn: filter added to flow
09:46:51 flow_estab NotifyFn: filter added to flow
09:46:51 install_filters: OK
09:46:54 flow_estab ClassifyFn: PID 2420, IRQL 2 192.168.72.72:49187 -> 192.168.72.102:135
09:46:54 flow_estab ClassifyFn: PID 2420, IRQL 2 192.168.72.72:49188 -> 192.168.72.102:1026
09:46:54 flow_estab ClassifyFn: PID 2420, IRQL 2 192.168.72.72:49189 -> 192.168.72.102:389
09:46:54 User PID 2504
09:46:55 flow_estab ClassifyFn: PID 4, IRQL 2 192.168.72.72:49190 -> 192.168.72.101:445
09:46:55 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49191 -> 192.168.72.102:88
09:46:56 flow_estab ClassifyFn: PID 2400, IRQL 2 192.168.72.72:49192 -> 217.110.97.198:80
09:46:57 flow_estab ClassifyFn: PID 2400, IRQL 2 192.168.72.72:49194 -> 217.110.97.198:80
09:46:57 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49195 -> 192.168.72.102:88
09:46:57 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49196 -> 192.168.72.102:88
09:46:57 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49197 -> 192.168.72.102:88
09:46:58 flow_estab ClassifyFn: PID 1112, IRQL 2 192.168.72.72:49198 -> 192.168.72.102:135
09:46:58 flow_estab ClassifyFn: PID 1112, IRQL 2 192.168.72.72:49199 -> 192.168.72.102:1026
09:46:59 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49200 -> 192.168.72.102:88
09:46:59 flow_estab ClassifyFn: PID 4, IRQL 2 192.168.72.72:49201 -> 192.168.72.102:445
09:46:59 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49202 -> 192.168.72.102:88
09:46:59 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49203 -> 192.168.72.102:88
09:46:59 flow_estab ClassifyFn: PID 4, IRQL 2 192.168.72.72:49204 -> 192.168.72.102:445
09:46:59 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49205 -> 192.168.72.102:88
09:46:59 flow_estab ClassifyFn: PID 1112, IRQL 2 192.168.72.72:49206 -> 192.168.72.102:389
09:46:59 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49207 -> 192.168.72.102:88
09:46:59 flow_estab ClassifyFn: PID 1112, IRQL 2 192.168.72.72:49208 -> 192.168.72.102:389
09:47:01 flow_estab ClassifyFn: PID 1408, IRQL 2 192.168.72.72:49210 -> 213.199.181.90:80
09:47:09 flow_estab ClassifyFn: PID 1112, IRQL 2 192.168.72.72:49212 -> 192.168.72.254:80
09:47:15 flow_estab ClassifyFn: PID 4, IRQL 2 192.168.72.72:49213 -> 192.168.72.102:445
09:47:20 flow_estab ClassifyFn: PID 2976, IRQL 2 192.168.72.72:49211 -> 209.85.148.138:80
09:47:25 flow_estab ClassifyFn: PID 3676, IRQL 2 192.168.72.72:49214 -> 192.168.72.102:389
09:47:25 flow_estab ClassifyFn: PID 3676, IRQL 2 192.168.72.72:49215 -> 192.168.72.102:389
09:47:25 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49216 -> 192.168.72.102:88
09:47:25 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49217 -> 192.168.72.102:88
09:47:25 flow_estab ClassifyFn: PID 640, IRQL 2 192.168.72.72:49218 -> 192.168.72.102:88
09:47:33 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49219 -> 204.9.163.247:80
09:47:34 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49220 -> 2.21.246.71:80
09:47:36 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49221 -> 84.241.93.42:4248
09:47:37 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49222 -> 193.120.199.13:12350
09:47:37 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49223 -> 78.141.177.89:12350
09:47:38 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49224 -> 88.221.18.161:443
09:47:38 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49225 -> 88.221.18.161:443
09:47:38 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49227 -> 2.21.175.139:443
09:47:38 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49226 -> 2.21.175.139:443
09:47:38 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49228 -> 173.194.65.95:443
09:47:38 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49229 -> 94.245.69.236:443
09:47:39 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49230 -> 64.4.21.39:443
09:47:39 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49232 -> 192.168.72.254:80
09:47:39 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49231 -> 78.141.177.124:443
09:47:40 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49233 -> 88.221.17.195:443
09:47:40 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49234 -> 65.55.8.8:443
09:47:41 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49235 -> 192.168.72.254:4444
09:47:42 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49237 -> 192.168.72.254:4444
09:47:42 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49236 -> 130.117.72.100:12350
09:47:43 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49238 -> 192.168.72.254:4444
09:47:44 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49239 -> 192.168.72.254:4444
09:47:45 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49240 -> 192.168.72.254:4444
09:47:46 flow_estab ClassifyFn: PID 2972, IRQL 2 192.168.72.72:49241 -> 192.168.72.254:4444
09:47:58 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49243 -> 127.0.0.1:49244
09:47:58 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49244 <- 127.0.0.1:49243
09:47:58 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49242 -> 127.0.0.1:49245
09:47:58 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49245 <- 127.0.0.1:49242
09:47:58 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49246 -> 74.125.230.211:80
09:47:58 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49247 -> 74.125.230.211:80
09:48:03 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49248 -> 127.0.0.1:49250
09:48:03 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49250 <- 127.0.0.1:49248
09:48:03 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49249 -> 127.0.0.1:49251
09:48:03 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49251 <- 127.0.0.1:49249
09:48:03 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49252 -> 81.223.239.102:443
09:48:03 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49253 -> 81.223.239.102:443
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49254 -> 127.0.0.1:49260
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49260 <- 127.0.0.1:49254
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49255 -> 127.0.0.1:49261
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49261 <- 127.0.0.1:49255
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49256 -> 127.0.0.1:49262
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49262 <- 127.0.0.1:49256
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49257 -> 127.0.0.1:49263
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49263 <- 127.0.0.1:49257
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49258 -> 127.0.0.1:49264
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49264 <- 127.0.0.1:49258
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49259 -> 127.0.0.1:49265
09:48:14 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49265 <- 127.0.0.1:49259
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49272 -> 127.0.0.1:49274
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49274 <- 127.0.0.1:49272
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49273 -> 127.0.0.1:49275
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49275 <- 127.0.0.1:49273
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49266 -> 69.71.61.107:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49267 -> 69.71.61.107:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49268 -> 69.71.61.107:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49269 -> 69.71.61.107:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49270 -> 69.71.61.107:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49271 -> 69.71.61.107:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49276 -> 74.125.230.212:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49277 -> 74.125.230.212:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49278 -> 127.0.0.1:49279
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49279 <- 127.0.0.1:49278
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49281 -> 127.0.0.1:49282
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49282 <- 127.0.0.1:49281
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49283 -> 127.0.0.1:49284
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49284 <- 127.0.0.1:49283
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49285 -> 127.0.0.1:49288
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49288 <- 127.0.0.1:49285
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49287 -> 127.0.0.1:49289
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49289 <- 127.0.0.1:49287
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49290 -> 74.125.230.212:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49286 -> 74.125.230.212:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49291 -> 74.125.230.212:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49292 -> 74.125.230.212:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49293 -> 127.0.0.1:49294
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49294 <- 127.0.0.1:49293
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49296 -> 127.0.0.1:49297
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49297 <- 127.0.0.1:49296
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49280 -> 69.71.61.107:443
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49299 -> 127.0.0.1:49300
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49300 <- 127.0.0.1:49299
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49302 -> 127.0.0.1:49303
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49303 <- 127.0.0.1:49302
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49305 -> 127.0.0.1:49306
09:48:15 flow_estab ClassifyFn: PID 5216, IRQL 2 127.0.0.1:49306 <- 127.0.0.1:49305
09:48:16 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49295 -> 69.71.61.107:443
09:48:16 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49298 -> 69.71.61.107:443
09:48:16 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49301 -> 69.71.61.107:443
09:48:16 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49304 -> 69.71.61.107:443
09:48:16 flow_estab ClassifyFn: PID 5216, IRQL 2 192.168.72.72:49307 -> 69.71.61.107:443
09:49:22 FSES_SET_PORTS: SMTP=25 POP3=110 IMAP4=143
09:50:02 flow_estab ClassifyFn: PID 1112, IRQL 2 192.168.72.72:49308 -> 65.55.184.152:443
09:50:07 flow_estab ClassifyFn: PID 3740, IRQL 2 192.168.72.72:49309 -> 192.168.72.101:1521
09:51:27 flow_estab ClassifyFn: PID 4, IRQL 2 192.168.72.72:49310 -> 192.168.72.102:445
09:51:57 flow_estab ClassifyFn: PID 472, IRQL 2 192.168.72.72:49311 -> 193.110.109.103:80
09:52:07 flow_estab ClassifyFn: PID 3440, IRQL 2 192.168.72.72:49312 -> 81.223.239.102:110

Following next comment...

Vad

Is this a complete log? The impression is that it's interrupted in the middle.

honker

Here is the log from a test email wich is empty received.

===============================================
09:52:08 process_data, 20 incoming bytes
09:52:08 command_complete, 0 bytes delayed
09:52:08 Allowed 20 incoming bytes
09:52:08 stream ClassifyFn: PID 3440, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 -> 81.223.239.102:110 8 bytes, flags 00010000
09:52:08 First net buffer list: 8 bytes
09:52:08 MDL offset 0 Byte count 8, offset 0
09:52:08 RETR 2
09:52:08 process_data, 8 outgoing bytes
09:52:08 feed_outbound:: token 1
09:52:08 Allowed 8 outgoing bytes
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 18 bytes, flags 00000011
09:52:08 First net buffer list: 18 bytes
09:52:08 MDL offset 76 Byte count 18, offset 0
09:52:08 +OK 11579 octets
09:52:08 process_data, 18 incoming bytes
09:52:08 Receiving 11579 bytes
09:52:08 Injecting 5 incoming bytes, flags 1
09:52:08 scan_data_begin (1), total 11579
09:52:08 send_msg_to_user, type 19
09:52:08 Blocked 18 incoming bytes
09:52:08 inject_request_complete, status 00000000, length 5
09:52:08 stream ClassifyFn: PID 0, IRQL 2, metavalues 00000042
09:52:08 stream ClassifyFn: 192.168.72.72:49312 <- 81.223.239.102:110 1452 bytes, flags 00000001
09:52:08 First net buffer list: 1452 bytes
09:52:08 MDL offset 0 Byte count 1452, offset 0
09:52:08 Return-Path: <office@honker.at>
Received: from HonkerMobile (85-126-151-74.work.xdsl-line.inode.at [85.126.151.74]) by mail2.dotnethost.at with SMTP;

MJ-perComp

problem reported here by customer and our lab as well.

Vad

Please, collect the email scanning log:

To enable logging for ES driver follow these steps:
1. Registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FSES
2. Value: debuglevel (type DWORD)
3. 20 - verbose logging
4. Value: debuglog (type String), for example, c:\fses.log
5. Reboot

Dmitriy

I've sent your problem report forward to the development team.