RE: [Declude.Virus] Updates from Declude
I agree, Declude Security Suite sounds a lot like Norton or McAfee's desktop suites, or even some encryption suite of tools (Steganos Security Suite comes to mind). Since Declude is a messaging-only product, it should include some indication of that in the name.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert E. Spivack
Sent: Friday, March 03, 2006 2:42 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

Hmmm, it's your product, but "Security Suite" sounds more like malware, spyware, and firewall functions. The first thing I think of is Norton or Symantec security software, not anti-virus/spam blocking services.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 02, 2006 2:04 PM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Updates from Declude

Product Naming

After considering all the choices we have decided to rename the new product "Declude Security Suite". I will be notifying the winner(s) of the competition shortly.

Declude Security Suite for IMail

We have now released additional versions of the software for different levels of IMail and these can be found at http://www.declude.com//Purchase.asp?cat=13

As usual, if anyone has questions please contact me and we will do our best to answer.

Barry
[EMAIL PROTECTED]
Office: (978) 499-2933
Cell: (978) 853-9593

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

SPAM-FREE 1.0(2476)
RE: [Declude.Virus] ? Name Voting Time
Come on, everything is EXTREME nowadays, so where's the votes for: Declude EXTREME Email Protection, or just Declude EXTREME?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Comerford
Sent: Thursday, February 16, 2006 9:22 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] ? Name Voting Time

I'd definitely have to agree that if the products in the suite are the same versions as the standalones, then if the standalone is Declude 3 the Suite should be Declude Suite 3, or Declude Total 3, etc. I think the biggest reason for the confusion in the first place was the introduction of a new version to indicate a bundle of products.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evans Martin
Sent: Thursday, February 16, 2006 9:14 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] ? Name Voting Time

I agree with everything except the final outcome. I think SUITE should be the winning choice. Declude Suite X, with the X being the current version. This would differentiate this product from the individual Declude products and should have the same version that the individual products have at the moment.

Evans Martin
---
EVANS MARTIN
[EMAIL PROTECTED]
HOSTING: http://www.martek.net
PROGRAMMING: http://www.martekware.com
iPlus Info Browser - IPB's IMail Migration Tool, password browser, reporting suite make iPlus Info Browser something no IMail administrator should be without. http://www.martek.net/Default.aspx?tabid=96

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Imail Admin
Sent: Wednesday, February 15, 2006 6:12 PM
To: [EMAIL PROTECTED]
Cc: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: Fw: [Declude.Virus] ? Name Voting Time

First, I vote AGAINST anything with 4 in it. Why 4? You were calling it version 4, but that's a complete misnomer. Currently, it represents the same feature set as the so-called version 3, so there is no reason to call it version 4. In addition, there are three components in it (AVA, JM, HJ), so again there is nothing to indicate four. Am I missing something here? It seems that any name with four in it or indicating a four (such as the cute Quattro) is actually misleading. That's as bad as your current process of naming it version 4.

By process of elimination:

1. Quattro is not only inappropriate but a rip-off of the old Borland name. And it leaves no room for future changes to the suite.
2. DEC4 is a waste, but DEC alone is redundant from Declude, not to mention confusing with Digital Equipment. So that's out.
3. Suite4 can be salvaged by shortening to Suite. This is completely unoriginal, but at least it's honest and clear, leaving no room for doubt.
4. R/4 is another rip-off, and really doesn't explain the collective nature of the different products.
5. Total is probably best, because it is just as clear as Suite but a little more original. And it doesn't have a stupid 4 in it.
6. Power Suite4. Again, let's dump the 4. Is Power Suite really any better than just Suite? Only to marketing types who live on tropical islands and worship Donald Trump.
7. Max4 is another rip-off, and it doesn't explain the collective nature of the combined products.
8. ForePlay sounds good to me. What's your problem?
9. ES4 can be shortened to ES, but that's really just another wordplay on Suite and Power Suite. You guys are kind of in a rut, huh?

Sounds like #5 is best, since your Puritan hearts won't let you pick #8. Personally, I think you need to start the contest over and get some new names altogether. Is this really all the names you received? Heck, I could think up better names than this... wait, I did send in some names, and none of them made the list. So you guys filtered the choices before presenting for a vote? I thought you already admitted you don't know how to name products? So why would you try to list only your favorites? Time to go back to #8 (wish I had thought of that one, even though it does have a stupid 4 in it).

Ben
BC Web

- Original Message -
From: Barry Simpson [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Sent: Wednesday, February 15, 2006 2:39 PM
Subject: [Declude.Virus] ? Name Voting Time

Here are the choices. Please send your votes to [EMAIL PROTECTED] no later than 5pm Eastern Time Friday 17th February.

- Declude Quattro
- DEC4
- Suite4
- R/4 (release four)
- Declude Total
- Declude Power Suite 4
- Declude Max4
- Declude ForePlay (just making sure you're paying attention)
- Declude-ES4 (E-mail security 4)

Thanks
Barry

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
IIRC, the HOLD action was where the risk came in. Messages that are held by Declude using AVAFTERJM and then manually re-queued (via, say, the old SpamReview app) would NOT be scanned for viruses at all, since re-queued messages bypass Declude altogether. HOLD is the only 'semi-final' action. All other actions either deliver the email to an mbox (in which case it is scanned by EVA), or remove the message completely (which is where the saved cycles come in).

IMO, AVAFTERJM should be changed so that only deleted emails, not held ones, bypass the AV scan. In other words, all messages should be first scanned for spam, then the ones that are not DELETED should all be scanned for viruses. This would close the security risk from re-queued messages. The AVAFTERJM option would then only be useful for those that use the DELETE action, but with the huge security risk involved in requeuing unscanned messages I think that it is ALREADY only useful for those that use the DELETE action. Unfortunately the manual isn't clear on this point. At the very least, Declude should add a warning to the manual around AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the same configuration.

--DH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned.

Think of it this way: anything that ends up being delivered somewhere (i.e. mailbox etc) gets scanned.

Darrell

Matt writes:

This is the crux of the issue that I would like to figure out. I am however under the impression that if you DELETE a message, Declude Virus never gets it. I suspect that HOLD and MAILBOX are also that way. I am unsure about ROUTETO, and that is what really matters to me.

As far as savings of resources, it is apparently huge, especially for those running multiple virus scanners. Virus scanning takes more CPU than all but the biggest JunkMail configs (things like custom filters with thousands of lines of BODY or ANYWHERE searches). I know that on my system I Delete about 70% of all messages, ROUTETO about 10%, and deliver about 20%. I would like to save on scanning what I would otherwise be deleting with JunkMail.

Matt

Keith Johnson wrote:

Markus, however, Darrell mentioned that the AV scanner still runs once action is taken against the SPAM message (i.e. routeto, subject, etc.). Is this not true?

Keith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers: As we know, usually 50% of all incoming messages are spam. We know too that resource usage of one or two scan engines is way above the entire spam filtering even if you use 5-6 external applications like sniffer, inv-uribl, spamchk, ... So if your spam filters are set up properly they will filter out at least 50% of all incoming messages before they will reach the AV engines.

Markus

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
Dan, this is all implementation dependent. Your observed behaviour is not universal to Declude deployments. Specifically, re-queued messages on IMail systems do indeed get scanned by Declude JunkMail and EVA when the Q*.SMD is moved to the overflow folder (as opposed to being moved to the spool folder with the D*.SMD file).

Yes, but copying the files into the overflow directory is a work-around that was come up with some time ago on this list. Declude themselves, in the JunkMail manual, state:

"The HOLD action will move the E-mail into the \{MAILSERVER}\spool\spam directory. This way, you can check messages to make sure they are spam before deleting them manually (or, you can move the files (Q*.SMD and D*.SMD for Imail...) back to the spool directory to have them delivered on the next queue run (about 20-30 minutes))." (my emphasis)

So while YOU may not requeue the messages this way, it IS the way that DECLUDE recommends requeuing the messages in the manual. Therefore, it follows that the vast majority of implementations WILL requeue messages this way.

--DH
RE: [Declude.Virus] Sober.X Variant
Virus pro only, IIRC.

-Dan Horne

John T (Lists) wrote on Thursday, January 05, 2006 12:31 PM:

Into the Virus.cfg file:

BANEZIPEXTS ON
BANZIPEXTS ON

John T
eServices For You
RE: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up
So if I write a virus, who wants to turn me in and split the bounty with me?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, July 08, 2005 4:18 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up

Slap on the wrist and his friends got paid for turning him in... Looks like a win-win for all of them.

Darrell

John Tolmachoff (Lists) writes:

So the virus writer got a slap on the wrist. Boy, that will sure send a message to would-be virus writers.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, July 08, 2005 11:40 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up

Well, the speculation on whether Microsoft would make good on their bounty to Sven Jaschan's friends is over. http://www.f-secure.com/weblog/

Andrew 8)

--
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.Virus] .EML file syntax
No one seems to actually be reading the OP. He doesn't want to do anything with any BCCs in incoming mail. All he wants to be able to do is BCC the virus notifications to himself. Declude has a set of .eml files that it sends out when a virus is found (postmaster, otherpostmaster, etc). In that file, you specify who gets the email by putting in a TO: line at the top. He was simply asking if that file could use a BCC: line as well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Wednesday, June 01, 2005 12:22 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] .EML file syntax

Hi Goran:

The "cc:" information is part of the (spoofable) SMTP header - the "bcc:" is not ANYWHERE. The only entity that knows about the "bcc"s is the sending mail server; it will simply distribute the message to anyone in the bcc and cc header. To each BCC or CC recipient's server it will look like a message that was addressed from one third party to another third party - they will not see the BCC information.

While the "cc:" (but not bcc) information can be found in the SMTP header in the receiving server (and thus Declude), there is no way to say whether that header is "true" or spoofed (although there is little motivation to spoof that header, that I can think of). There simply is no way on earth for anything beyond the sending mail server to do anything with BCCs since the information simply is omitted and thus not available. Therefore, there is no reason to believe that it will (or could) ever be added to a future Declude version.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, May 31, 2005 09:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] High CPU F-Prot
"apparently could add another virus code to Declude for these situations (not yet verified), " Oh, it's verified. As I said, I have been running VIRUSCODE 3,6,8,9 and 10 for at least two years now and not a single report from any customer that ANYthing caught as a virus was needed, meaning no false positives. We run close to a hundred client domains (all businesses)andsee about 20,000 emails a day (the ones that get past our postfix gateway). There has never been a report of a VIRUSCODE 8 catching someone's Word document because of a macro or anything such. The recent rash of new viruses that were getting through other's Declude/Fprot configs never got a single one through mine. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Thursday, April 28, 2005 5:24 PMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] High CPU F-Prot You should be fine with a second scanner. That's why we use them anyway. McAfee has caught every one of these that I have seen, and I've looked at about 40 examples so far. Many would fail banned extensions otherwise anyway.While you apparently could add another virus code to Declude for these situations (not yet verified), I'm worried that this is more of a general error and it could cause false positives. A corrupted file isn't what I would consider to be uncommon in legit E-mail, although the primary issue is that we only have once sentence with which to evaluate this exit code from F-Prot.Most Declude users that use only F-Prot are probably experiencing significant leakage of otherwise detectable viruses, and are also probably creating extra backscatter for banned extensions where no virus was detected.Besides that there's the fact that F-Prot is taking so long. It appears to also coincide with increased CPU utilization which might explain Darrell's experience, and in a different respect, mine yesterday with all of the F-Prot timeouts. This has been going on for at least a month. 
I assume that the increased time corresponds to not only keeping more Declude processes open, but also increased CPU utilization. Such a condition is ripe for exploiting, and I'm concerned that it has existed for so long without resolution, and maybe even detection...MattNick wrote: On 28 Apr 2005 at 16:44, Matt wrote: Hi Matt, I assume that this is probably resulting in an exit code of 9 or 10 then because I'm not using either at the moment, and you are the first that I definitively know has them configured. I do not use these codes either - I had 4 "Could not find parse string Infection" in my logs today. The average delay was 4 seconds. Is the answer to add the additl exit codes or is there a downside to that? -Nick 9 - At least one object was not scanned (encrypted file, unsupported/unknown compression method, unsupported/unknown file format, corrupted or invalid file). 10 - At lest one archive object was not scanned (contains more then N levels of nested archives, as specified with -archive switch). Since some of these are not zip files on my system, I am going to assume that it is an exit code of 9 that is being spit out. A file corruption might also explain the issues with F-Prot taking longer on my system. Anyway, I just started to not delete viruses so I should catch one of these soon and then I can work at processing it manually to see what I find. Thanks for sharing. This was helpful. Matt Bill Landry wrote: Matt, I searched 2 weeks of logs on both of my servers (both of which run F-Prot and TrendMicro) and could only find 4 instances of "Could not find parse string Infection", and they were found on the server that is very heavily loaded. 
I use the following F-Prot strings in my virus.cfg: # F-Prot SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT - REPORT=report.txt VIRUSCODE1 3 VIRUSCODE1 6 VIRUSCODE1 8 VIRUSCODE1 9 VIRUSCODE1 10 REPORT1 Infection: Here is a sample of what I find if I parse for 5 lines before and after the target Q-ID: 04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875] 04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted- printable; Length=10177 Checksum=774898] 04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904] 04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted- printable; Length=11036 Checksum=792412] 04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609] 04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520] 04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990] 04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt 04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
RE: [Declude.Virus] High CPU F-Prot
Using F-Prot only and this is NOT occurring on my machine: 3 instances of "Could not find parse string Infection" in today's log and none have a gap; they are all hitting on VIRUSCODE 8 apparently:

04/28/2005 00:07:59 Q619E01AA1367 MIME file: document.zip [base64; Length=142606 Checksum=17710290]
04/28/2005 00:07:59 Q619E01AA1367 Could not find parse string Infection: in report.txt
04/28/2005 00:07:59 Q619E01AA1367 File(s) are INFECTED [: 8]
04/28/2005 00:07:59 Q619E01AA1367 Deleting file with virus
04/28/2005 00:07:59 Q619E01AA1367 Deleting E-mail with virus!
04/28/2005 00:07:59 Q619E01AA1367 Scanned: CONTAINS A VIRUS [MIME: 2 142806]
04/28/2005 00:07:59 Q619E01AA1367 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 68.118.154.7]
04/28/2005 00:07:59 Q619E01AA1367 Subject: HELLO
04/28/2005 00:35:56 Q682B01AA14BE MIME file: document.zip [base64; Length=142458 Checksum=17704773]
04/28/2005 00:35:56 Q682B01AA14BE Could not find parse string Infection: in report.txt
04/28/2005 00:35:56 Q682B01AA14BE File(s) are INFECTED [: 8]
04/28/2005 00:35:56 Q682B01AA14BE Deleting file with virus
04/28/2005 00:35:56 Q682B01AA14BE Deleting E-mail with virus!
04/28/2005 00:35:56 Q682B01AA14BE Scanned: CONTAINS A VIRUS [MIME: 2 142636]
04/28/2005 00:35:56 Q682B01AA14BE From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 68.118.154.7]
04/28/2005 00:35:56 Q682B01AA14BE Subject: Status
04/28/2005 10:34:47 QF48701991704 MIME file: body.zip [base64; Length=142598 Checksum=17709450]
04/28/2005 10:34:47 QF48701991704 Could not find parse string Infection: in report.txt
04/28/2005 10:34:47 QF48701991704 File(s) are INFECTED [: 8]
04/28/2005 10:34:47 QF48701991704 Deleting file with virus
04/28/2005 10:34:47 QF48701991704 Deleting E-mail with virus!
04/28/2005 10:34:47 QF48701991704 Scanned: CONTAINS A VIRUS [MIME: 2 142775]
04/28/2005 10:34:47 QF48701991704 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 68.118.154.7]
04/28/2005 10:34:47 QF48701991704 Subject: Good day

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 1:58 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

Andrew,

If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th. Their new scan engine, 3.16b, was released back on March 7th and this may be related, but I don't have logs going back past April to confirm.

F-Prot users should all probably pay very close attention to this. I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else. I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Scott, are you out there?).

Matt

Colbeck, Andrew wrote:

The "could not parse" string occurs whenever F-Prot returns a result that *isn't* equal to 3. Only return code 3 provides a string in the result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus scanner, I don't see the evidence of a space gap.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

On 28 Apr 2005 at 12:57, Matt wrote:

Matt - If this becomes a real problem that you see and can monitor I would revert back to an older scan.exe to eliminate the issue of versions. This is a possible clue: "Could not find parse string Infection: in report.txt" What does this mean? Your virus.cfg needs a different setup parameter or report.txt cannot be found?

-Nick

04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005
RE: [Declude.Virus] High CPU F-Prot
I also have 9 and 10 configured, and as before, no gap. The lines are coming with a result code of 8.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 4:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

Bill,

I assume that this is probably resulting in an exit code of 9 or 10 then because I'm not using either at the moment, and you are the first that I definitively know has them configured.

9 - At least one object was not scanned (encrypted file, unsupported/unknown compression method, unsupported/unknown file format, corrupted or invalid file).
10 - At least one archive object was not scanned (contains more than N levels of nested archives, as specified with -archive switch).

Since some of these are not zip files on my system, I am going to assume that it is an exit code of 9 that is being spit out. A file corruption might also explain the issues with F-Prot taking longer on my system.

Anyway, I just started to not delete viruses so I should catch one of these soon and then I can work at processing it manually to see what I find.

Thanks for sharing. This was helpful.

Matt

Bill Landry wrote:

Matt, I searched 2 weeks of logs on both of my servers (both of which run F-Prot and TrendMicro) and could only find 4 instances of "Could not find parse string Infection", and they were found on the server that is very heavily loaded.

I use the following F-Prot strings in my virus.cfg:

# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
VIRUSCODE1 9
VIRUSCODE1 10
REPORT1 Infection:

Here is a sample of what I find if I parse for 5 lines before and after the target Q-ID:

04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1 752]
04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]

I didn't find a time gap in any of the "Could not find parse string Infection" log entries I found.

Bill

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Thursday, April 28, 2005 10:58 AM
Subject: Re: [Declude.Virus] High CPU F-Prot

Andrew,

If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th. Their new scan engine, 3.16b, was released back on March 7th and this may be related, but I don't have logs going back past April to confirm.

F-Prot users should all probably pay very close attention to this. I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else. I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Scott, are you out there?).

Matt

Colbeck, Andrew wrote:

The "could not parse" string occurs whenever F-Prot returns a result that *isn't* equal to 3. Only return code 3 provides a string in the result file
RE: [Declude.Virus] F-Prot - Error 8
From the Fprot site:

EXIT CODES
- 0 Normal exit. Nothing found, nothing done.
- 1 Unrecoverable error (e.g., missing virus signature files).
- 2 Selftest failed (program has been modified).
- 3 At least one virus-infected object was found.
- 4 Reserved, not currently in use.
- 5 Abnormal termination (scanning did not finish).
- 6 At least one virus was removed.
- 7 Error, out of memory.
- 8 At least one suspicious object was found.
- 9 At least one object was not scanned (encrypted file, unsupported/unknown compression method, unsupported/unknown file format, corrupted or invalid file).
- 10 At least one archive object was not scanned (contains more than N levels of nested archives, as specified with -archive switch).

I have actually been using viruscodes 3, 6, 8, 9 and 10 for a couple of years now with no complaints or false-positives.

Dan Horne

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Fisher
Sent: Tuesday, April 26, 2005 12:45 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot - Error 8

I have never used VIRUSCODE 6. What does that define?

Kyle

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wind
Sent: Monday, April 25, 2005 5:17 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot - Error 8

I had problems with F-Prot the last weeks in combination with new Bagle variants. The Bagles slipped through, although I have a multi-scanner environment. In the log file there was always an error 8 code in combination with F-Prot. I got this info from Declude, which solved my problems till now:

Add VIRUSCODE 8 to the virus config so it reads
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8

FProt returns virus code 8 now. (In the past there were only VIRUSCODE 3 and VIRUSCODE 6, the default.)

Uwe

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
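As an added example (not from the thread or from Declude), this models how VIRUSCODE and OKCODE lines turn an F-Prot exit code into a verdict, and audits which exit codes a virus.cfg leaves unlisted; it also reflects the point from the High CPU thread above that only exit code 3 writes the "Infection:" parse string. The handling of unlisted codes and the '#' comment syntax are assumptions, since the thread only reports that such messages slipped through.

```python
"""Model Declude VIRUSCODE / OKCODE handling of F-Prot exit codes and audit
which codes a virus.cfg leaves unlisted (added example, not Declude's code)."""
import re

# F-Prot exit codes as quoted from the F-Prot site in the thread above.
FPROT_EXIT_CODES = {
    0: "Normal exit. Nothing found, nothing done.",
    1: "Unrecoverable error (e.g., missing virus signature files).",
    2: "Selftest failed (program has been modified).",
    3: "At least one virus-infected object was found.",
    4: "Reserved, not currently in use.",
    5: "Abnormal termination (scanning did not finish).",
    6: "At least one virus was removed.",
    7: "Error, out of memory.",
    8: "At least one suspicious object was found.",
    9: "At least one object was not scanned (encrypted, unsupported, corrupt).",
    10: "At least one archive object was not scanned (nested too deep).",
}

# Codes where the scanner itself failed, so no verdict exists at all.
SCANNER_FAILURE = {1, 2, 5, 7}

# The old default quoted by Uwe, and the wider list Dan Horne says he runs.
DEFAULT_CFG = "VIRUSCODE 3\nVIRUSCODE 6\n"
WIDER_CFG = "VIRUSCODE 3\nVIRUSCODE 6\nVIRUSCODE 8\nVIRUSCODE 9\nVIRUSCODE 10\n"

_CODE_LINE = re.compile(r"^(VIRUSCODE|OKCODE)\s+(\d+)\s*$", re.IGNORECASE)


def parse_scanner_codes(cfg_text):
    """Return (virus_codes, ok_codes) from the VIRUSCODE / OKCODE lines.
    Assumption: '#' lines are comments; every other key is ignored here."""
    virus, ok = set(), set()
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _CODE_LINE.match(line)
        if m:
            target = virus if m.group(1).upper() == "VIRUSCODE" else ok
            target.add(int(m.group(2)))
    return virus, ok


def unlisted_codes(virus_codes, ok_codes):
    """Non-zero F-Prot exit codes named in neither a VIRUSCODE nor an OKCODE
    line. With the old default this includes 8 (suspicious), 9 and 10 (object
    not scanned), which is how the Bagle samples in the thread slipped through."""
    listed = virus_codes | ok_codes
    return sorted(c for c in FPROT_EXIT_CODES if c and c not in listed)


def classify(exit_code, virus_codes, ok_codes, report_text=""):
    """Verdict for one scan as (verdict, detail).

    Only exit code 3 writes the 'Infection:' parse string to the report file,
    so a VIRUSCODE hit without one is still a virus, with just the exit code
    as detail. Codes listed nowhere come back as 'passed-unlisted' because,
    per Uwe's report, such messages were delivered; the exact Declude logic
    is an assumption of this model."""
    if exit_code in virus_codes:
        m = re.search(r"Infection:\s*(\S.*)", report_text)
        detail = m.group(1).strip() if m else "no parse string; exit code %d" % exit_code
        return "virus", detail
    if exit_code in ok_codes or exit_code == 0:
        return "ok", FPROT_EXIT_CODES.get(exit_code, "")
    if exit_code in SCANNER_FAILURE:
        return "scanner-error", FPROT_EXIT_CODES[exit_code]
    return "passed-unlisted", FPROT_EXIT_CODES.get(exit_code, "unknown exit code")


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CFG), ("wider", WIDER_CFG)):
        virus, ok = parse_scanner_codes(cfg)
        print("%s config leaves unlisted: %s" % (label, unlisted_codes(virus, ok)))
        print("  exit code 8 ->", classify(8, virus, ok))
```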
RE: [Declude.Virus] Declude and Linux?
I'd definitely like to see Declude plug into postfix. But then wouldn't that be kind of like Len and Scott holding hands? ~Shudder~

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha
Sent: Wednesday, March 30, 2005 4:52 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude and Linux?

That is definitely in the stack of cards, Jeff. But we cannot yet project a release date. We will, however, keep you informed as we get closer to formulating that project. We would be interested in hearing any input you would care to provide, such as: your Linux platform, the mail server(s) you would like to see targeted, etc.

David Franco-Rocha

- Original Message -
From: Jeff Kratka [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, March 30, 2005 4:29 PM
Subject: [Declude.Virus] Declude and Linux?

Will there be a version of Declude for Linux?

Jeff Kratka
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
RE: [Declude.Virus] SCR question
If you also use Declude Junkmail, you can add a line to your global.cfg like:

XSPOOLNAME ON

And it will add the queue file number to the headers of each email it scans. I do not know if this will work in the virus.cfg.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chase Seibert
Sent: Thursday, February 24, 2005 9:49 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] SCR question

I just got an email in my inbox with a file attachment called:

Beethoven's_Symphony_No.XP2002.Zip.scr

I looked at the eml file, and the attachment is referenced there as:

Content-Type: application/octet-stream; Name = Beethoven's_Symphony_No.XP2002.Zip.scr
Content-Transfer-Encoding: Base64
Content-Disposition: attachment; FileName = Beethoven's_Symphony_No.XP2002.Zip.scr

My question is, why is this being passed by Declude virus? I have the following lines in my virus.cfg:

BANEXT scr
..
BANZIPEXTS ON

I cannot find the string Beethoven at all in my virus log files, which typically contain file names that were scanned. The logs make it seem as if other SCR files are getting blocked, such as this line for another message:

02/24/2005 00:09:34 Q618d326e00fe66d1 Invalid SCR Vulnerability
02/24/2005 00:09:34 Q618d326e00fe66d1 Banning file with scr extension [audio/x-wav].

I'm having some trouble locating this message in my logs. The logs appear to identify messages by the Q* file name, which is not carried over into the delivered message headers. Is there a way to insert that identifier in the message header? How about recording X-UIDL or Message-Id in the log file?

Thanks!
-Chase

Chase Seibert | Network and Systems Engineer | Bullhorn Inc. | 617.464.2440 x119 | www.bullhorn.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
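An added example (not from the thread or from Declude) of the check a defender would want here: pull attachment names out of MIME headers like the ones quoted above, including the loosely formatted "Name = ..." parameters, and ban on the effective extension regardless of the declared content type, as the "[audio/x-wav]" log line shows Declude doing. The sample message is constructed; the BANEXT set, the regex fallback, case-insensitive matching and the trailing-dot normalisation are assumptions of this example, not documented Declude behaviour.

```python
"""Check MIME attachment names against a Declude-style BANEXT list
(added example; the message below is constructed, not a real capture)."""
import email
import re

# Constructed sample: the first attachment reproduces the loosely formatted
# "Name = ..." parameters from the post, the second carries a .scr name under
# an audio/x-wav content type, like the "[audio/x-wav]" log line quoted above.
RAW_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

see attached
--BOUNDARY
Content-Type: application/octet-stream; Name = Beethoven's_Symphony_No.XP2002.Zip.scr
Content-Transfer-Encoding: Base64
Content-Disposition: attachment; FileName = Beethoven's_Symphony_No.XP2002.Zip.scr

aGVsbG8=
--BOUNDARY
Content-Type: audio/x-wav; name="track01.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment

aGVsbG8=
--BOUNDARY--
"""

# A subset of the BANEXT entries from the virus.cfg quoted later on this page
# (assumption: Declude matches extensions case-insensitively).
BANEXT = {"scr", "pif", "exe", "bat", "cmd", "com", "vbs", "js", "lnk", "hta"}

_PARAM_RE = re.compile(r'(?:file)?name\s*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)


def header_param_fallback(header_value):
    """Hypothetical helper: pull a (file)name parameter out of a raw header
    value, tolerating whitespace around '=' and missing quotes. Used only
    when the standard library parser reports no filename."""
    m = _PARAM_RE.search(header_value or "")
    return m.group(1).strip() if m else None


def effective_extension(filename):
    """Extension the Windows shell acts on: trailing dots and spaces are
    dropped, so 'a.scr.' behaves as 'a.scr' (hardening beyond the thread)."""
    name = filename.rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def find_banned_attachments(raw_message, banext=BANEXT):
    """Return (filename, extension, declared content type) for each
    attachment whose effective extension is on the BANEXT list."""
    banned = {e.lower().lstrip(".") for e in banext}
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name is None:
            name = (header_param_fallback(part.get("Content-Disposition"))
                    or header_param_fallback(part.get("Content-Type")))
        if not name:
            continue  # body text, not an attachment
        ext = effective_extension(name)
        if ext in banned:
            hits.append((name, ext, part.get_content_type()))
    return hits


if __name__ == "__main__":
    for name, ext, ctype in find_banned_attachments(RAW_MESSAGE):
        # Same shape as the Declude log line quoted in the thread.
        print("Banning file with %s extension [%s]: %s" % (ext, ctype, name))
```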
RE: [Declude.Virus] Issues with F-prot 3.16 or not?
I'm getting that same issue. The updater doesn't find anything either.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
Sent: Wednesday, November 24, 2004 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Issues with F-prot 3.16 or not?

I've tried the link several times and don't seem to be getting anywhere. The news release about 3.16a comes up, directs you to the Updates page, but when I log in the updates page only offers 3.16 dated November 17th. Anyone have a direct link to the update?

Thanks,
Rodney Bertsch
IS Coordinator
Kirk NationaLease Co.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Douglas Cohn
Sent: Wednesday, November 24, 2004 1:18 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Issues with F-prot 3.16 or not?

OOOPs Just got this.

FRISK Software has released version 3.16a of F Prot Antivirus for Windows. More information on this release can be found on our website: http://www.f-prot.com/news/gen_news/041124_release_win316a.html We recommend that users of F-Prot Antivirus for Windows update their programs to version 3.16a as soon as possible

==

I see a lot of posts surrounding F-prot 3.16. I have not updated my server yet. Is there an issue with it and declude? Should the fpcmd.exe line be changed from prior to 3.16? (Scott?)

One thing I do notice when using the desktop scanner version of 3.16: it detects Word macros as viruses much more frequently. It also detects several utility programs as viruses that neither previous versions of F-prot nor Norton Corp 8.0 were detecting before.

Zebra's printer driver---
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K52VK16B\ZNetUtil.zip could be an archive bomb

MSDN downloads
D:\CD Flat\msdn-extract\sms20sp3enu.exe-SP3enuCD/SMSSETUP/NETMON/ALPHA/McSvcps.dll could be a corrupted executable file
D:\CD Flat\W2K Server Reskit\W2KRESKIT\APPS\CRYSTAL\DISK12\CRWEXE.00_-(PackWord) could be a corrupted executable file
D:\CD Flat\W2K Server Reskit\W2KRESKIT\APPS\CRYSTAL\DISK4\CRPEDLL.00_-(PackWord) could be a corrupted executable file

Scan settings: Safe tools.
E:\storage\Foundstone\udpflood.zip-udpflood.exe is a destructive program
Virus-infected files in archives cannot be disinfected.
E:\storage\InfoZip\Wiz.exe could be a corrupted executable file
The scanning was aborted by the user, with infected or suspicious
RE: [Declude.Virus] Declude for Exchange?
Yeah, yeah. Bundle it with Sniffer and quintuple the cost.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Friday, October 29, 2004 5:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Declude for Exchange?

I like the ring of Declude Collaboration Suite. Sounds like a winner to me.

- Original Message -
From: Scott Fisher
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 1:57 PM
Subject: Re: [Declude.Virus] Declude for Exchange?

It's Friday afternoon and I've cleared out my 1000 messages from the Imail Forum, so I can't resist... Isn't Declude for Exchange part of the soon-to-be-announced Declude Collaboration Suite (DCS)? ;) or is it :( ?

- Original Message -
From: Jim Matuska
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 3:30 PM
Subject: [Declude.Virus] Declude for Exchange?

I seem to recall someone on this list mentioning something about an upcoming declude version for Exchange? Any truth to this rumor?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
RE: [Declude.Virus] Moving IMail and Declude
FWIW, Declude uses the Imail OHN to generate its license, not the server name. The Imail OHN MUST be the same as on the old server, or you will have to get a new activation code.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Wolff
Sent: Wednesday, August 18, 2004 2:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Moving IMail and Declude

Just figured this out by looking in the log files (sorry, I know it should be the first place I go, but usually my last attempt). It's telling me the activation code is invalid. Thanks for the help. Sorry I was stupid and didn't check the logs first before crying for help!

Regards,
-Don

Age doesn't always bring wisdom -- Sometimes age comes alone.
===
Don Wolff - Technology Coordinator
Phoenix-Talent School District #4
mailto:[EMAIL PROTECTED]
Office- 541-535-0200
Mobile- 541-621-4717
FAX-541-535-7552

From: IS - Systems Eng. (Karl Drugge) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 18 Aug 2004 14:31:17 -0400
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Moving IMail and Declude

I did this a few months ago.. EVERYTHING has to match; IP, machine name and IMAIL server name (under the Imail server properties, in Imail). If they don't, it won't work.
RE: [Declude.Virus] Moving IMail and Declude
Official Host Name
Imail Administrator--localhost, in the Host Name field.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin
Sent: Wednesday, August 18, 2004 5:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Moving IMail and Declude

At 04:44 PM 8/18/2004 -0400, Dan Horne wrote:
FWIW, Declude uses the Imail OHN to generate its license, not the server name. The Imail OHN MUST be the same as on the old server, or you will have to get a new activation code.

I give up, what's an OHN?
RE: [Declude.Virus] BanNotify Problem
It would seem that in your setup, before Declude processes the message, it gets sent to another program for processing (possibly on a gateway server, or another antivirus program on the same server).

1) From your setup, Declude shouldn't have banned the first message, and it didn't (AFAIK, Declude doesn't strip attachments, it holds the entire email).

2) The second one seems to have had the EXE stripped out of the zip file, which as before, Declude doesn't strip attachments, it blocks them. When the exe was stripped out, it broke the zip file, therefore you got the vulnerability.

3) Your first scanner apparently doesn't have the ability to scan inside encrypted zips, so it let the last one pass, but Declude blocked it correctly.

Dan Horne

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, July 22, 2004 4:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BanNotify Problem

Goran,

Are you running any other software or hardware that might be inspecting these messages? The EXE response doesn't seem very Declude'ish.

Matt

Goran Jovanovic wrote:

I have Virus Pro latest interim release 179i8. I have BANEXT EXE and BANEXT EZIP in my config file. I do not have BANEXT ZIP, BANZIPEXT nor BANEZIPEXTS. I have a bannotify.eml file in my \imail\declude directory.

So I sent a couple of tests:

EXE only attachment: I did NOT get my bannotify message. I got the following appended to my email:
File attachment: MarchBreak2004infoflyer.exe
The file attached to this email was removed because the file name is not allowed.

EXE in a ZIP file: I got a Vulnerability Alert message telling me that I had the Outlook Vulnerability [Invalid ZIP Vulnerability]. This should have got through.

EXE in an encrypted ZIP: I actually got my BANNOTIFY on this one.

Why did the EXE only not send me the BANNOTIFY? Why did the EXE in a ZIP send me a vulnerability message?

Thanx

Goran Jovanovic
The LAN Shoppe

--
= MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.Virus] F-Prot Version 3.15 w/Declude
Problem with above is that when there is a new fprot version, the virus def update will fail

I have never experienced that problem. Not even with the latest version 3.15. This updates the virus defs regardless of version, and has never failed once in the two years we have been running F-Prot..

C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe /RUN /INTERNET /QUIT

It does NOT update the program, which is EXACTLY the behavior I expect. I don't want ANY program updates unless I have tested or gotten feedback on it. This includes F-Prot.

-Dan Horne
[Declude.Virus] pif file got through
While going through the SPAM hold, I found a message that had a .pif file attached. We are banning .pif files with Declude Virus. Below are the necessary snippets, and I sent the zipped SMD files to the virus email address. Luckily this message got caught by JunkMail.

***Virus log:***
--
Y:\logs\viruslogs\vir0508.log/7168: 05/08/2004 13:02:18 Q1266200a01083fb8 Scanned: Virus Free [MIME: 1 25108]

***Declude -diag output:***
--
Declude 1.79i6 (C) Copyright 2000-2004 Computerized Horizons.
Diagnostics ON (Declude v1.79i6).
Declude JunkMail: Config file found (M:\Imail\Declude\global.CFG).
Declude Virus: Config file found (M:\Imail\Declude\Virus.CFG).
Declude Hijack: Not installed (no M:\Imail\Declude\Hijack.CFG file).
Declude Confirm: Not installed (no M:\Imail\Declude\Confirm.CFG file).
84 spam tests defined: (edited for brevity)
IMail reports Official Host Name as: mail.taisweb.net.
IMail's SendName registry seems OK: m:\imail\Declude.exe.
DNS Server: 127.0.0.1
Declude JunkMail Status: PRO version registered.
Declude Virus Status: Standard Version Registered.
Declude Hijack Status: NOT REGISTERED: No activation code.
End of diagnostics.

***Virus.cfg (edited to remove OEM instructional comments):***
--
LOGFILE logs\viruslogs\vir.log
LOGLEVEL HIGH
CONSOLE OFF
SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
OKCODE 8
REPORT Infection:
VIRDIR virus
MAXATONCE 0
INCOMING ON
OUTGOING ON
ONACCESS OFF
SCANNERTIMEOUT 60
BANEXT ade
BANEXT adp
BANEXT asx
BANEXT bas
BANEXT bat
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT cpl
BANEXT crt
BANEXT exe
BANEXT hlp
BANEXT hta
BANEXT inf
BANEXT ins
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT mda
BANEXT mdb
BANEXT mde
BANEXT mdt
BANEXT mdw
BANEXT mdz
BANEXT msc
BANEXT msi
BANEXT msp
BANEXT mst
BANEXT ops
BANEXT pcd
BANEXT pif
BANEXT prf
BANEXT reg
BANEXT scf
BANEXT scr
BANEXT sct
BANEXT shb
BANEXT shs
BANEXT url
BANEXT vb
BANEXT vbe
BANEXT vbs
BANEXT wsc
BANEXT wsf
BANEXT wsh
BANEXT EZIP
BANNAME testattach.zip
BANNAME text.zip
BANNAME test.zip
BANNAME data.zip
BANNAME document.zip
PRESCAN ON
BANCLSID ON
DELETEVIRUSES OFF
DELIVERERRORS ON
BANCRVIRUSES ON
FORGINGVIRUS Klez
FORGINGVIRUS Sobig

-
Dan Horne
Web Services Administrator
TAIS Web
Wilcox World Travel Tours
[EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
RE: [Declude.Virus] pif file got through
No, -diag shows Standard (see first post for -diag output).

Dan Horne
Web Services Administrator
TAIS Web
Wilcox World Travel Tours
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, May 10, 2004 12:31 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] pif file got through

While going through the SPAM hold, I found a message that had a .pif file attached. We are banning .pif files with Declude Virus. Below are the necessary snippets, and I sent the zipped SMD files to the virus email address. Luckily this message got caught by JunkMail.

Are you running Declude Virus Lite? The BANEXT option does not work with Declude Virus Lite.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] pif file got through
I already did (I zipped up both the d and q file into a file called hold.zip and sent it to the virustrap addy before my first post to the list)

Dan Horne
Web Services Administrator
TAIS Web
Wilcox World Travel Tours
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, May 10, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] pif file got through

No, -diag shows Standard (see first post for -diag output).

In that case, would it be possible to send the D1266200a01083fb8.SMD file to our virustrap@ address, so we can run some tests on it here?

-Scott
RE: [Declude.Virus] pif file got through
Not sure if that was what happened, but I went ahead and sent it via my yahoo account, so look for it (texastoast78 is my yahoo email).

Dan Horne
Web Services Administrator
TAIS Web
Wilcox World Travel Tours
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, May 10, 2004 2:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] pif file got through

I already did (I zipped up both the d and q file into a file called hold.zip and sent it to the virustrap addy before my first post to the list)

We don't have a record of that E-mail coming in. Was it caught going out on your end?

-Scott
RE: [Declude.Virus] Virus config file
Scott,

I looked at the .eml files linked to from the manual at /virus/manual.htm and none of them have the forging viruses in them. I also looked at the default virus.cfg for the FORGINGVIRUS lines, but it only has Klez. Is there a list of the known forging viruses? If not at Declude.com, does anyone know of a list or would be willing to share theirs?

Dan Horne, CCNA
Systems Administrator
TAIS Web
Wilcox World Travel Tours
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, September 04, 2003 2:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Virus config file

I'm trying to update my virus.cfg file and was wondering if anyone can send me a list of viruses that are considered forging viruses.

At the manual page, the default .eml files include the latest list of the known forging viruses.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] Log analyzer question
I know this is an old message I'm responding to, but I just noticed that the latest version of Sawmill at www.sawmill.net includes support for processing Declude Spam, Declude Virus, and something called Declude Log Format. It also supports iMail Log Format, iMail Log Format (Alternate), and IMail7 Log Format. I haven't tested any of those, but I will do so this weekend.

Dan Horne, CCNA
Systems Administrator
TAIS Web
Wilcox World Travel Tours
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, September 04, 2003 3:32 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Log analyzer question

I have not had time in the last couple of weeks to go through the Virus Log analyzers available, so I have a question: Do any of them list in the report the number of infections and/or virus name by sending IP address, including being able to detect and bypass a backup mail server IP address?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com