[Declude.Virus] Which scanner?

2010-02-06 Thread David Dodell
In my email reports, is there a way to also signify which scanner caught the virus; i.e., internal vs. one of the external scanners?

So my reports now look like:



Declude Virus v4.6.35 caught the following:

Virus Name:  Sanesecurity.Junk.26145.UNOFFICIAL
Virus File: Unknown File

From: lyris-nore...@listhost.stat.com
To  : junkm...@stat.com
Date:   06 Feb 2010 17:10:56
Subject:Re: You have spam
Spool File: D050a00d3693b.smd
RemoteIP: 65.163.175.26
SenderHost: listhost.stat.com

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.



Re: [Declude.Virus] ClamAV

2009-07-18 Thread David Dodell
Andy, I must be blind as I try to install this ... I looked at the link below, and found multiple versions, but none of them have an installer ... are you installing the ClamWin version and not the versions at oss.netfarm.it ??? When I take apart the archive, I find all of the files, but no setup.exe etc ...

Am I missing something from your instructions?

I also noticed when I put a logfile path in the freshclam.conf file directly, it stops working ... it just doesn't like that link ... very perplexed.


david



On Jun 8, 2009, at 7:37 AM, Andy Schmidt wrote:


Hi David:

The best is http://oss.netfarm.it/clamav - because it's the same one ClamWin is using and it's kept up-to-date. I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service.
There is a .REG file that sets up a registry entry where the path is stored.

In their registry, I chose to change the following (because I wanted to keep the CONF files and the DB files out of the program code):

[HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
ConfigDir=C:\\Progra~1\\ClamAV\\conf
DataDir=C:\\Progra~1\\ClamAV\\db

For FreshClam.conf, I changed these parameters to match my preference:

DatabaseDirectory C:\Program Files\clamAV\db
UpdateLogFile C:\Program Files\clamAV\log\freshclam.log
LogTime yes

For ClamD.conf, I changed these:

LogFile C:\Program Files\clamAV\log\clamd.log
LogTime yes
TemporaryDirectory C:\Temp
DatabaseDirectory C:\Program Files\clamAV\db

For the service, I removed the spaces from the path (not sure if this was needed):

C:\Progra~1\ClamAV\clamd.exe --daemon

In Declude, I used:

#ClamAV
SCANFILE1   C:\Progra~1\ClamAV\ClamDScan.exe
VIRUSCODE1  1

Of course, that still leaves the problem of Declude having no decent virus report file parser (if you care about seeing the proper virus name in the proper location of the log files). For now, I still use a middleware to reformat the Report file before feeding it to Declude. If you don't care about names, then this isn't necessary.

Best Regards,
Andy


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Monday, June 08, 2009 12:26 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV

I'm using an older version of ClamAV that needs to be updated as a
backup scanner. Unfortunately, it is no longer being developed.

Has anyone tried the ClamID from ArmResearch or any other version of
ClamAV that is current that works with Declude?

David





[Declude.Virus] ClamAV

2009-06-07 Thread David Dodell
I'm using an older version of ClamAV that needs to be updated as a backup scanner. Unfortunately, it is no longer being developed.

Has anyone tried the ClamID from ArmResearch or any other version of ClamAV that is current that works with Declude?


David





Re: [Declude.Virus] Internal Scanner missing most viruses

2009-05-13 Thread David Dodell

G DATA


Never heard of this G DATA that was at the top of the list ... anyone familiar if they offer a command line scanner that will work with Declude?


David






[Declude.Virus] Frustrated with Declude / ClamAV

2009-01-03 Thread David Dodell
As posted already, I have now tried THREE variations of ClamAV, and played around with the scanfile in virus.cfg to never get this to work ... it appears that Declude can not find the report file ever ...

Since the variation of ClamAV has always worked fine from the command line, I know the ClamAV installations work ... I just can't get Declude to recognize it.


Any other ideas on what I could be missing?

David

-

01/03/2009 08:18:39.168 q81b7032e4d16.smd Could not find report file c:\IMail\spool\proc\work\D81b7032e4d16.vir\report.txt.
01/03/2009 08:18:39.168 q81b7032e4d16.smd Error 2 in virus scanner 1.
01/03/2009 08:18:39.168 q81b7032e4d16.smd Scanned: Error in virus scanner. [MIME: 1 376]
01/03/2009 08:18:39.184 q81b700df4d17.smd Could not find report file c:\IMail\spool\proc\work\D81b700df4d17.vir\report.txt.
01/03/2009 08:18:39.184 q81b700df4d17.smd Error 2 in virus scanner 1.
01/03/2009 08:18:39.184 q81b700df4d17.smd Scanned: Error in virus scanner. [MIME: 1 376]
01/03/2009 08:18:43.762 q81ba02094d1b.smd Could not find report file c:\IMail\spool\proc\work\D81ba02094d1b.vir\report.txt.
01/03/2009 08:18:43.762 q81ba02094d1b.smd Error 2 in virus scanner 1.
01/03/2009 08:18:43.762 q81ba02094d1b.smd Scanned: Error in virus scanner. [MIME: 3 41354]
01/03/2009 08:18:48.637 q81d600944d2a.smd Vulnerability flags = 0
01/03/2009 08:18:48.652 q81d6023e4d2b.smd Vulnerability flags = 0
01/03/2009 08:19:02.027 q81d600944d2a.smd Could not find report file c:\IMail\spool\proc\work\D81d600944d2a.vir\report.txt.
01/03/2009 08:19:02.027 q81d600944d2a.smd Error 2 in virus scanner 1.
01/03/2009 08:19:02.027 q81d600944d2a.smd Scanned: Error in virus scanner. [MIME: 1 378]
01/03/2009 08:19:02.043 q81d6023e4d2b.smd Could not find report file c:\IMail\spool\proc\work\D81d6023e4d2b.vir\report.txt.
01/03/2009 08:19:02.043 q81d6023e4d2b.smd Error 2 in virus scanner 1.
01/03/2009 08:19:02.043 q81d6023e4d2b.smd Scanned: Error in virus scanner. [MIME: 1 378]





[Declude.Virus] Still can't get ClamAV to work

2008-12-31 Thread David Dodell
Still having a problem getting ClamAV to work ... this is what I have in my virus.cfg

SCANFILE1 C:\imail\declude\clamav\runclamscan.exe log=1 C:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt

VIRUSCODE1 1
REPORT1 FOUND

But my virus logs show this error; any ideas???

David

---

12/30/2008 19:46:25.560 qdcff0228950e.smd Log Level set to LOW
12/30/2008 19:48:21.669 qdd6b02ec954b.smd Vulnerability flags = 0
12/30/2008 19:48:35.388 qdd6b02ec954b.smd Could not find report file c:\IMail\spool\proc\work\Ddd6b02ec954b.vir\report.txt.
12/30/2008 19:48:35.388 qdd6b02ec954b.smd Error 2 in virus scanner 1.
12/30/2008 19:48:35.388 qdd6b02ec954b.smd Scanned: Error in virus scanner. [MIME: 1 6]
12/30/2008 19:48:37.200 qdd790304955c.smd Vulnerability flags = 0
12/30/2008 19:48:40.013 qdd7801e5955b.smd Vulnerability flags = 0
12/30/2008 19:48:51.169 qdd790304955c.smd Could not find report file c:\IMail\spool\proc\work\Ddd790304955c.vir\report.txt.
12/30/2008 19:48:51.169 qdd790304955c.smd Error 2 in virus scanner 1.
12/30/2008 19:48:51.169 qdd790304955c.smd Scanned: Error in virus scanner. [MIME: 1 16]
12/30/2008 19:48:53.435 qdd7801e5955b.smd Could not find report file c:\IMail\spool\proc\work\Ddd7801e5955b.vir\report.txt.
12/30/2008 19:48:53.435 qdd7801e5955b.smd Error 2 in virus scanner 1.
12/30/2008 19:48:53.435 qdd7801e5955b.smd Scanned: Error in virus scanner. [MIME: 2 1865]





[Declude.Virus] Still Can't Get ClamAV to work

2008-12-30 Thread David Dodell
Still having a problem getting ClamAV to work ... any new suggestions ... this is what my virus.cfg configuration looks like:

SCANFILE1 C:\imail\declude\clamav\runclamscan.exe log=1 C:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt

VIRUSCODE1 1
REPORT1 FOUND


But the declude virus log shows error:

12/30/2008 19:46:25.560 qdcff0228950e.smd Log Level set to LOW
12/30/2008 19:48:21.669 qdd6b02ec954b.smd Vulnerability flags = 0
12/30/2008 19:48:35.388 qdd6b02ec954b.smd Could not find report file c:\IMail\spool\proc\work\Ddd6b02ec954b.vir\report.txt.
12/30/2008 19:48:35.388 qdd6b02ec954b.smd Error 2 in virus scanner 1.
12/30/2008 19:48:35.388 qdd6b02ec954b.smd Scanned: Error in virus scanner. [MIME: 1 6]
12/30/2008 19:48:37.200 qdd790304955c.smd Vulnerability flags = 0
12/30/2008 19:48:40.013 qdd7801e5955b.smd Vulnerability flags = 0
12/30/2008 19:48:51.169 qdd790304955c.smd Could not find report file c:\IMail\spool\proc\work\Ddd790304955c.vir\report.txt.
12/30/2008 19:48:51.169 qdd790304955c.smd Error 2 in virus scanner 1.
12/30/2008 19:48:51.169 qdd790304955c.smd Scanned: Error in virus scanner. [MIME: 1 16]
12/30/2008 19:48:53.435 qdd7801e5955b.smd Could not find report file c:\IMail\spool\proc\work\Ddd7801e5955b.vir\report.txt.
12/30/2008 19:48:53.435 qdd7801e5955b.smd Error 2 in virus scanner 1.
12/30/2008 19:48:53.435 qdd7801e5955b.smd Scanned: Error in virus scanner. [MIME: 2 1865]


Any ideas ???

Thanks

David
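
The "Could not find report file" / "Error 2 in virus scanner 1" entries quoted in the posts above can be triaged per message with a short script. This is an added example, not part of the original posts and not Declude's own code: it groups log entries by spool file and lists the messages for which the scanner returned an error instead of a verdict. The line layout is inferred from the quoted excerpts only, and the function names are made up for this example.

```python
import re
from collections import Counter

# Sample input: log lines quoted in the posts above, trimmed to two failing
# messages and hard-wrapped the way a mail client wraps a pasted log.
SAMPLE_LOG = r"""
12/30/2008 19:46:25.560 qdcff0228950e.smd Log Level set to LOW
12/30/2008 19:48:21.669 qdd6b02ec954b.smd Vulnerability flags = 0
12/30/2008 19:48:35.388 qdd6b02ec954b.smd Could not find report
file c:\IMail\spool\proc\work\Ddd6b02ec954b.vir\report.txt.
12/30/2008 19:48:35.388 qdd6b02ec954b.smd Error 2 in virus scanner
1.

12/30/2008 19:48:35.388 qdd6b02ec954b.smd Scanned: Error in virus
scanner. [MIME: 1 6]
12/30/2008 19:48:37.200 qdd790304955c.smd Vulnerability flags = 0
12/30/2008 19:48:51.169 qdd790304955c.smd Could not find report
file c:\IMail\spool\proc\work\Ddd790304955c.vir\report.txt.
12/30/2008 19:48:51.169 qdd790304955c.smd Error 2 in virus scanner 1.
12/30/2008 19:48:51.169 qdd790304955c.smd Scanned: Error in virus scanner. [MIME: 1 16]
"""

# Assumed entry layout (inferred from the quoted logs, not from Declude
# documentation): "<date> <time> <spool id>.smd <message>".
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<spool>\S+)\.smd (?P<msg>.*)$"
)
MISSING_RE = re.compile(r"^Could not find report file (?P<path>.+?)\.?$")
ERROR_RE = re.compile(r"^Error (?P<code>\d+) in virus scanner (?P<scanner>\d+)\.?$")
SCANNED_RE = re.compile(r"^Scanned: (?P<outcome>.+?)(?: \[MIME: [^\]]*\])?$")


def unwrap(text):
    """Rejoin wrapped lines: a line that does not start with a timestamp
    continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def triage(text):
    """Return {spool_id: facts} for every message seen in the log."""
    messages = {}
    for entry in unwrap(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue  # stray text before the first timestamped entry
        facts = messages.setdefault(m["spool"], {
            "scanner": None, "error_code": None,
            "missing_report": None, "outcome": None,
        })
        msg = m["msg"]
        if (hit := MISSING_RE.match(msg)):
            facts["missing_report"] = hit["path"]
        elif (hit := ERROR_RE.match(msg)):
            facts["error_code"] = int(hit["code"])
            facts["scanner"] = int(hit["scanner"])
        elif (hit := SCANNED_RE.match(msg)):
            facts["outcome"] = hit["outcome"]
    return messages


def failed_scans(text):
    """Spool ids for which a scanner reported an error instead of a verdict."""
    return [spool for spool, f in triage(text).items()
            if f["error_code"] is not None
            or (f["outcome"] or "").startswith("Error in virus scanner")]


def failure_causes(text):
    """Count failures by (scanner number, error code, report file missing?)."""
    causes = Counter()
    for f in triage(text).values():
        if f["error_code"] is not None:
            key = (f["scanner"], f["error_code"], f["missing_report"] is not None)
            causes[key] += 1
    return causes


if __name__ == "__main__":
    for spool in failed_scans(SAMPLE_LOG):
        print("no verdict for", spool, triage(SAMPLE_LOG)[spool])
    print(dict(failure_causes(SAMPLE_LOG)))
```

Run over a full virus log, a non-empty result from `failed_scans` means the external scanner is not producing verdicts for those messages, and `failure_causes` shows whether every failure shares the same missing report file symptom.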





[Declude.Virus] Re: ClamAv with Declude

2008-12-29 Thread David Dodell

On Dec 29, 2008, at 8:18 AM, Scott Fisher wrote:

I use the runclamscan program to call clamav. Here's my virus.cfg lines

SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND



Scott, the version of clamdscan I have did not have a runclamscan.exe in its directory. Can you send it along to me as an attachment?


So declude can't call clamdscan directly?

David





[Declude.Virus] ClamAv with Declude

2008-12-28 Thread David Dodell

On Dec 28, 2008, at 8:36 AM, Hirthe, Alexander wrote:


http://www.mail-archive.com/declude.virus@declude.com/msg14082.html


Ok, thanks for the excellent beginning ... I'm using the Clamav-win32 from sosdg.org


Freshclam installed all the latest files just fine

Got it all installed ...  but something still not working:

(1) I got clamd installed as a service

(2) In my virus.cfg I have

scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
viruscode 1
report FOUND


(3) In my logs it reports

Could Not Parse String FOUND in report.txt
Error 2 in virus scanner 1
Scanned: Error in Virus scanner [MIME: 1 991]

-

So I'm assuming I need another type code or way for freshclam to exit cleanly if it doesn't find a virus?


David










Re: [Declude.Virus] ClamAv with Declude

2008-12-28 Thread David Dodell

On Dec 28, 2008, at 10:28 AM, David Dodell wrote:



(2) In my virus.cfg I have

scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
viruscode 1
report FOUND


(3) In my logs it reports

Could Not Parse String FOUND in report.txt
Error 2 in virus scanner 1
Scanned: Error in Virus scanner [MIME: 1 991]



Ok, found Error 2 is a problem in the scanner. The scanner is working fine from the command line, so I now assume declude is not passing something correctly, or I'm missing something fundamental?


David





[Declude.Virus] Force AVG update

2008-12-27 Thread David Dodell
Any way to force declude to update the AVG files ... my dates run from 12/17 to 12/23 ... are these really current dates?


David

(I have my update frequency set at every 2 hrs)





Re: [Declude.Virus] Force AVG update

2008-12-27 Thread David Dodell


On Dec 27, 2008, at 9:59 AM, Andy Schmidt wrote:


Hi,

The general experience has been (as reported by several individuals in two different lists over the past 3 months), that the Declude AVG updates are frequently 48 hours behind - which means they are only effective for old viruses. I even posted the stats for several days where it showed that every few days new viruses were being caught by my secondary scanner (McAfee), which truly does have hourly updates - and would have been passed through to my desktops if I had relied on Declude's AVG scanner.


Then I guess, is it worth it for me to renew my Declude support ... things run pretty much very smoothly now, the spam tests are all external engines, and was only keeping Declude updated to get the AVG updates ... with budget cuts, maybe I should be investing into a secondary scanner versus a Declude contract?

What can I get for the same pricing $395 or less since this is all we have budgeted?


David





[Declude.Virus] AVG updates

2008-12-25 Thread David Dodell
I've been seeing viruses get through our Declude/AVG end over the past few months ... they are being caught on the Desktop by F-Prot.

I look at the files in the declude/scanner/AVG directory, and the last one is updated 12/23, two days ago ... while AVG website says their last update was 12/25

Is there some type of parameter to force the updates to be more frequent ... are the updates coming from Declude and being delayed?

Obviously I need a second scanner, any inexpensive solutions since F-Prot changed their licensing? We don't have a budget for this ... I've read mixed things about the Opensource free virus scanners.


David





[Declude.Virus] Re: AVG updates

2008-12-25 Thread David Dodell


On Dec 25, 2008, at 9:34 PM, David Dodell wrote:

I've been seeing viruses get through our Declude/AVG end over the past few months ... they are being caught on the Desktop by F-Prot.

I look at the files in the declude/scanner/AVG directory, and the last one is updated 12/23, two days ago ... while AVG website says their last update was 12/25

Is there some type of parameter to force the updates to be more frequent ... are the updates coming from Declude and being delayed?

Ok, found the switch, and it was previously set to 4 hr updates, I've updated to 2 hr updates ... hopefully that will kick it and get something more recent?

Obviously I need a second scanner, any inexpensive solutions since F-Prot changed their licensing? We don't have a budget for this ... I've read mixed things about the Opensource free virus scanners.

Looked at ClamAV ... any good installation instructions for usage with Declude/Imail ??? Looked through Google, did not find anything well written ... any pointers, suggestions?






[Declude.Virus] F-Prot Version 6

2007-01-31 Thread David Dodell
Been using F-Prot version 3 for years ... and now getting notices to upgrade to version 6.

Anyone done this yet, and is it still compatible with Declude/Imail, etc?


David





[Declude.Virus] F-Prot down?

2006-12-18 Thread David Dodell
I haven't seen a good connection from F-Prot for about 24 hours ... just checked for their website, can't connect there.

This is on our primary Sprint connection.

Tried our backup DSL from Qwest that is totally separate (we use for testing etc) and can't connect there either ...


Anyone else noticing this?

David





Re: [Declude.Virus] F-Prot down?

2006-12-18 Thread David Dodell


On Dec 18, 2006, at 9:27 PM, Ncl Admin wrote:

Down here as well on two different circuits. Tracert times out in Germany somewhere or other.


Obviously a good reason to be running multiple scanners.






Re: [Declude.Virus] Re: notification stopped? .. now Why GSC

2006-12-08 Thread David Dodell
-Original Message-
From: "John T (Lists)" [EMAIL PROTECTED]

What happens if you restart the Queue Manager service?

-Original Message-

Ok, just did that a few seconds ago to see if that helps ... but why would only the virus notifications be put in the spool as GSC files, but not anything else?

David




[Declude.Virus] notification stopped?

2006-12-07 Thread David Dodell
I just realized I haven't been seeing any notifications for the past few weeks from my Declude software showing it had stopped a virus.

I checked the virus log on the server, and it shows it is stopping several viruses a day.


Is there a switch now that turns off/on virus notification in declude?

david





[Declude.Virus] Re: notification stopped? .. now Why GSC

2006-12-07 Thread David Dodell
-Original Message-
I just realized I haven't been seeing any notifications for the past few weeks from my Declude software showing it had stopped a virus.

I checked the virus log on the server, and it shows it is stopping several viruses a day.
---
I just checked the spool directory ... there are thousands of GSC files, all containing the virus notification that I'm looking for. They are all addressed to [EMAIL PROTECTED] which is working from tests from outside email accounts.

Why are the virus notifications getting stuck thousands at a time as GSC files in the spool directory instead of being delivered?

David


Re: [Declude.Virus] New feature needed

2006-06-20 Thread David Dodell
 I would like to suggest a new feature to be added to the virus
 notification capabilities.

 I need to be able to specify a per domain recip.eml file. This way I can
 tailor the notifications to each domain as appropriate. These files
 should be in the domain subdirectory along with the $default$.junkfile
 etc.


I do some limited customization using filters/rules on the domain in
Imail ... this has let me filter out notifications and deleting the
message automatically for domains that didn't want the notifications,
or redirect the notifications to another administrator if needed.

It adds an extra layer to the mail movement, but it works for now.

David






[Declude.Virus] AVG not updating?

2006-05-31 Thread David Dodell
I have the latest version of Declude installed ... have the new virus set to update every 2 hours ... but my latest DB files are dated 5/25/06 ... I've seen F-Prot update several times in the past 6 days ... but nothing from AVG ... doesn't make sense ... is there still a problem with the internal scanner not updating, or something I need to check?


David


Re: [Declude.Virus] AVG Database file dates?

2006-05-26 Thread David Dodell
This makes no sense why we shouldn't be all on the same dates ... it gets me nervous that the AVG system is not updating correctly, and stuff may pass through ... Hopefully someone from Declude can lend an answer?

David

-Original Message-
From: "John Dobbin" [EMAIL PROTECTED]
Sent 5/26/2006 5:41:18 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] AVG Database file dates?

Mine are:

Avi7.avg  2/21
Incavi.avg  5/25
Microavi.avg  5/18
Miniavi.avg  5/22

We just upgraded to declude 4.2.12.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
 Sent: Thursday, May 25, 2006 10:23 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] AVG Database file dates?

 We just started to use the AVG internal scanner with F-Prot as a backup ... since I have no comparison, just wanted to make sure my files were up to date;

 I have

 avi.avg  2/21
 incavi.avm  5/25
 microavi.avg  5/10
 miniavi.avg  5/25

 Does that match?

[Declude.Virus] AVG Database file dates?

2006-05-25 Thread David Dodell
We just started to use the AVG internal scanner with F-Prot as a backup ... since I have no comparison, just wanted to make sure my files were up to date;


I have

avi.avg  2/21
incavi.avm  5/25
microavi.avg  5/10
miniavi.avg  5/25

Does that match?


[Declude.Virus] Stuck as GSC Files

2006-02-02 Thread David Dodell
All of my email virus notifications are all of a sudden stuck in the
Imail queue as GSC files ... I'm using the latest declude with Imail
9.01

No changes to the server and till last night was working fine ... how
do I unstick GSC files?

-
Internet Dental Forum  www.internetdentalforum.org
Dentalcast Podcast www.dentalcast.net

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]



[Declude.Virus] Second scanner

2005-11-09 Thread David Dodell
 I use F-Prot 1, McAfee 2, Clam 3

What version of McAfee do you use?

David



Re: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread David Dodell
 I noticed that my virus scanner is no longer sending me notices when
 it intercepts a virus ... before I used to get email notice from
 declude that a virus, and/or spam was intercepted, but now that seemed
 to have stopped ... is there a switch I need to turn on / off?

It appears messages are getting stuck in my spool ... I see messages
addressed from [EMAIL PROTECTED] to david david (same user
twice)

Any ideas?



Re[4]: [Declude.Virus] Update on Upgrade

2005-11-05 Thread David Dodell
Saturday, November 5, 2005, 12:50:59 PM, Bill Landry wrote:

 Strange, what do the IMail logs say about these particular messages?


Yep, it is strange .. it is taking about 20 to 30 minutes from once
the message is scanned till the Email message is being generated.

The log looks normal, but don't know why they are being generated out
by the postmaster account as GSC files?

20051105 110625 127.0.0.1 SMTPD (25FB0282)[63.246.13.85] MAIL FROM: [EMAIL PROTECTED]
20051105 110625 127.0.0.1 SMTPD (25FB0282)[63.246.13.85] RCPT TO: [EMAIL PROTECTED]
20051105 110625 127.0.0.1 SMTPD (25FB0282)[63.246.13.85] c:\IMail\spool\Df4a125fb0282f87e.SMD 1593



Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread David Dodell
Saturday, November 5, 2005, 1:43:11 PM, Darrell ([EMAIL PROTECTED]) wrote:

 When you say messages are getting stuck in the spool do you mean after they
 are processed by Declude?  When you upgraded to Declude 3.x did you replace 
 the declude.exe file?

As I mentioned in another post, it appears that the Postmaster
generated messages are sitting in the \imail\spool directory, but with
a GSE or GSC extension instead of SMD ... and are eventually processed
within 20 or 30 minutes, I'm assuming being caught by the queue being
reprocessed in that time period??



Re[4]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread David Dodell
Saturday, November 5, 2005, 2:13:21 PM, Darrell ([EMAIL PROTECTED]) wrote:

 I caught that in the later thread.  On my system I see the same behavior 
 where the gsc/gse will get processed by the next queue run as well.  I do 
 seem to remember in older versions that they were tried to be delivered 
 right away.

Ok, then this is normal behaviour obviously sigh

Yep, when I was running 1.85 this morning, they were delivered
immediately which threw me off terribly.

Usually after I update a version of Declude Virus, I use the web tests
at www.declude.com to send myself a few EICAR viruses to make sure
they get caught correctly ... it had me worried when I wasn't getting
the normal notification messages immediately.



Re[4]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread David Dodell
 My virus caught messages are being delivered right away with version
 3.0.5.18.

Bill, are you using Imail?   If so, how fast is your queue being
retried since it appears to be tied to that 



Re[6]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread David Dodell
 I am running IMail 8.21/Declude 3.0.5.18.  My queue retry timer is set to 30
 minutes.  And both postmaster and recipient virus notifications are being 
 delivered immediately.

Strange ... the only difference is I'm running Imail 8.05 ... my
service contract arrives Monday to upgrade to 8.21 ... I'll have to
contact Declude and find out why the difference

Thanks.



[Declude.Virus] Second scanner

2005-11-03 Thread David Dodell
After many years of using Virus Standard, I upgraded to Virus Pro to
take advantage of a second scanner.   I've scanned the previous
threads on what others like for a second scanner to F-Prot, but can't
seem to find any common thread ...

So I would appreciate what seems to be the next most popular virus
scanner to run as a secondary scanner to F-Prot?

David



RE: Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

2005-08-12 Thread David Dodell
John, if I turn it off ... what else is being turned off, all of the 
vulnerability tests??  I couldn't even find a switch for that ...

-- Original Message --
From: John Tolmachoff \(Lists\) [EMAIL PROTECTED]
Reply-To: Declude.Virus@declude.com
Date:  Fri, 12 Aug 2005 00:14:16 -0700

In older versions, it is off all or on all.

John T
eServices For You
  


Re[4]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

2005-08-12 Thread David Dodell
Thursday, August 11, 2005, 11:43:50 PM, Colbeck, Andrew wrote:

 David, with your version of Declude Virus, you'd have to turn off all 10
 of the CR vulnerability checks at one go.  I'm at the same or similar
 version, and that's what I've decided to do.  This directive goes in
 your virus.cfg:

 BANCRVIRUSESOFF

I understand I'm putting myself at some risk by doing this, but is
it great?



[Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

2005-08-11 Thread David Dodell
Had email from a company today (Photodex) rejected due to the Outlook
'CR' Vulnerability but from the headers it looks like the email
originated from Thunderbird as the email client ... see headers below
...

Is it time to drop the Outlook vulnerability test??

David

Received: from eman.photodex.com [64.132.190.157] by drdodell.com
  (SMTPD32-8.05) id AB6E1D23028A; Thu, 11 Aug 2005 10:31:26 -0700

Received: (qmail 7712 invoked from network); 11 Aug 2005 17:31:26 -
X-AntiVirus: gadoyanvirus 0.3
Received: from unknown (HELO ?10.10.0.149?) (10.10.0.149)
  by eman.vpn.photodex.com with SMTP; 11 Aug 2005 17:31:26 -

Message-ID: [EMAIL PROTECTED]
X-Photodex-Original-Date: Thu, 11 Aug 2005 12:32:11 -0500
From: Photodex Corporation - Chris [EMAIL PROTECTED]
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Subject: Re: ProShow Gold Support Request
References: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 11 Aug 2005 12:31:26 -0500 David,
X-Declude-Sender: [EMAIL PROTECTED] [64.132.190.157]
X-Spam-Tests-Failed: None [0]
X-Country-Chain:
X-Note: This E-mail was sent from ([64.132.190.157]).
X-Hello:
X-Declude-Virus: Detected [ Outlook 'CR' Vulnerability].

-
Internet Dental Forum  www.internetdentalforum.net
Dentalcast Podcast www.dentalcast.net



Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

2005-08-11 Thread David Dodell
Thursday, August 11, 2005, 8:50:32 PM, Matt wrote:

 With 2.0.6.16, which is available from the Declude site, you can turn
 off the Outlook CR Vulnerability.  I have turned off all but a couple of 
 these because of numerous false positive issues.

Unfortunately, I'm still at 1.82 due to budget limitations ... our new
budget kicks in December, and I'm still debating if I should upgrade
Imail and Declude or switch to Smartmail and Declude  (definitely will
be staying with Declude virus/spam) ... I thought there was a way to
turn off the testing with 1.82 too, but couldn't find it in the
control file ??

 there was ever an exploit spreading actively in the wild, I would
 rethink my position.  I believe that Microsoft has long since patched 
 the flaw, though it can certainly cause parsing issues in virus scanners 
 that could lead to missing the payloads due to a message that was 
 improperly formatted.

My experience is similar, but 99% of the stuff caught has been spam
anyway, so I haven't worried about it ... when I realized today it had
caught a legitimate email, I was worried.

Anyone know if there is a way to turn this off in 1.82??

-
Internet Dental Forum  www.internetdentalforum.net
Dentalcast Podcast www.dentalcast.net



[Declude.Virus] Keep sending out viruses notice for forging virus?

2004-05-03 Thread David Dodell
My machine keeps sending out viruses notices for the Swen virus.

I have:

SKIPIFVIRUSNAMEHAS  Swen


in the top of my otherpostmaster.eml file.

I also have:

FORGINGVIRUS Swen


In my virus.cfg file.


Am I missing something why the notices are still sent out?

David

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



RE: [Declude.Virus] CPL corrupted?

2004-04-29 Thread David Dodell
From: John Tolmachoff \(Lists\) [EMAIL PROTECTED]

CPL files should be banned no matter what.

John, I am ... was more curious why they aren't being caught as viruses ... I even 
took one and scanned it manually with f-prot and it came up clean.

David
  


[Declude.Virus] CPL corrupted?

2004-04-28 Thread David Dodell
Our virus definitions from F-Prot are up to date, but still seeing multiple CPL files 
passing through.  I decided to block them using the Ban Extension.

Are these CPL files actually infected, or corrupted so the virus scanners aren't 
detecting them?

David  


[Declude.Virus] BANnotify.eml

2004-02-25 Thread David Dodell
Can someone send me a copy of their Bannotify.eml ...

David



RE: [Declude.Virus] Help, New F-Prot not working!

2004-02-24 Thread David Dodell
-- Original Message --
From: John Tolmachoff \(Lists\) [EMAIL PROTECTED]

Did you change anything in the scan line?


Just checked my logs, and it appears to be working ok ... just got two interceptions 
with the usual service message of:

Declude Virus v1.78i4 caught the following: 

Virus Name:  W32/[EMAIL PROTECTED] 
Virus File: resume.zip 

Strange ... wonder what caused that error originally?  


RE: [Declude.Virus] Help, New F-Prot not working!

2004-02-24 Thread David Dodell
No, nothing ... I just installed F-Prot in its update mode ... no changes made to 
the declude files at all.

David
-- Original Message --
From: John Tolmachoff \(Lists\) [EMAIL PROTECTED]

Did you change anything in the scan line?

 -Original Message-
 Just installed the new version of F-Prot c ... now my log is showing
 the following:
 
 02/24/2004 20:50:11 Q1b67002602988c25 Could not find parse string
 Infection: in report.txt
 02/24/2004 20:50:11 Q1b67002602988c25 Error 5 in virus scanner 1.
 02/24/2004 20:50:11 Q1b67002602988c25 Scanned: Error in virus scanner.
 [MIME: 2 5383]
 02/24/2004 20:55:55 Q1cc000120288cf50 Could not find parse string
 Infection: in report.txt
 02/24/2004 20:55:55 Q1cc000120288cf50 Error 5 in virus scanner 1.
 02/24/2004 20:55:55 Q1cc000120288cf50 Scanned: Error in virus scanner.
 [MIME: 2 5428]
 02/24/2004 21:20:33 Q22910008025485a5 File(s) are INFECTED [
 EICAR_Test_File: 3]
 02/24/2004 21:20:33 Q22910008025485a5 Deleting file with virus
 02/24/2004 21:20:33 Q22910008025485a5 Deleting E-mail with virus!
 02/24/2004 21:20:33 Q22910008025485a5 Scanned: CONTAINS A VIRUS [MIME: 2
 684]
 
 
 What is this error 5 problem and how do I fix it?
 
 David
 
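One way to summarise the Declude log excerpt quoted in this message, per queued message, and to flag the ones where the scanner returned an error instead of a verdict. This is an added example, not part of the original posts and not Declude's own tooling; the log layout is inferred only from the lines quoted above, and the function names are hypothetical.

```python
import re

# Log lines copied from the message above, including the line wrapping
# introduced by the mail client.
SAMPLE_LOG = """\
02/24/2004 20:50:11 Q1b67002602988c25 Could not find parse string
Infection: in report.txt
02/24/2004 20:50:11 Q1b67002602988c25 Error 5 in virus scanner 1.
02/24/2004 20:50:11 Q1b67002602988c25 Scanned: Error in virus scanner.
[MIME: 2 5383]
02/24/2004 20:55:55 Q1cc000120288cf50 Could not find parse string
Infection: in report.txt
02/24/2004 20:55:55 Q1cc000120288cf50 Error 5 in virus scanner 1.
02/24/2004 20:55:55 Q1cc000120288cf50 Scanned: Error in virus scanner.
[MIME: 2 5428]
02/24/2004 21:20:33 Q22910008025485a5 File(s) are INFECTED [
EICAR_Test_File: 3]
02/24/2004 21:20:33 Q22910008025485a5 Deleting file with virus
02/24/2004 21:20:33 Q22910008025485a5 Deleting E-mail with virus!
02/24/2004 21:20:33 Q22910008025485a5 Scanned: CONTAINS A VIRUS [MIME: 2
684]
"""

ENTRY_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q[0-9a-fA-F]+) (.*)$")
ERROR_RE = re.compile(r"Error (\d+) in virus scanner (\d+)")
INFECTED_RE = re.compile(r"INFECTED \[\s*([^:\]]+):")


def read_entries(text):
    """Return [timestamp, queue_id, event] rows, re-joining wrapped lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(list(m.groups()))
        elif line.strip() and entries:
            # No timestamp: continuation of the previous (wrapped) entry.
            entries[-1][2] += " " + line.strip()
    return entries


def summarise(text):
    """Collapse the log into one record per queue ID."""
    messages = {}
    for stamp, qid, event in read_entries(text):
        rec = messages.setdefault(qid, {
            "first_seen": stamp, "verdict": "unknown",
            "scanner": None, "error": None, "virus": None,
        })
        err = ERROR_RE.search(event)
        hit = INFECTED_RE.search(event)
        if err:
            rec["error"], rec["scanner"] = int(err.group(1)), int(err.group(2))
        if hit:
            rec["virus"] = hit.group(1).strip()
        if event.startswith("Scanned:"):
            if "CONTAINS A VIRUS" in event:
                rec["verdict"] = "infected"
            elif "Error in virus scanner" in event:
                rec["verdict"] = "scanner_error"
            else:
                rec["verdict"] = "other"
    return messages


def health(messages, canary="EICAR_Test_File"):
    """Flag messages with no scanner verdict and confirm the test file was caught."""
    errors = [q for q, r in messages.items() if r["verdict"] == "scanner_error"]
    return {
        "scanner_errors": errors,
        "canary_caught": any(r["virus"] == canary for r in messages.values()),
        "error_rate": len(errors) / len(messages) if messages else 0.0,
    }


if __name__ == "__main__":
    msgs = summarise(SAMPLE_LOG)
    for qid, rec in msgs.items():
        print(qid, rec)
    print(health(msgs))
```

A message whose final line is `Scanned: Error in virus scanner.` has no verdict from that scanner, so it is listed for review rather than counted as clean.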


[Declude.Virus] confused what is happening with Swen

2003-09-20 Thread David Dodell
We are intercepting the Swen virus, but do not have it setup as a
Forging virus at this time (is it??)

Anyway, we send out a notification message to the sender, and they
are being rejected by remote systems saying We sent them a virus

Since declude strips off and deletes the virus, how are the remote
servers thinking we are sending them the virus?

Confused!

David



Re: [Declude.Virus] confused what is happening with Swen

2003-09-20 Thread David Dodell
Ignore this message, figured out the problem ... see second posting.


-- Original Message --
From: David Dodell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Sat, 20 Sep 2003 10:48:23 -0700

We are intercepting the Swen virus, but do not have it setup as a
Forging virus at this time (is it??)

Anyway, we send out a notification message to the sender, and they
are being rejected by remote systems saying We sent them a virus

Since declude strips off and deletes the virus, how are the remote
servers thinking we are sending them the virus?

Confused!

David



[Declude.Virus] stupid me

2003-09-20 Thread David Dodell
Just realized the remote messages returned from postmaster are just
notifications that there is an unattended mailbox that is receiving my
virus notifications.

Can you have multiple addresses in the email file such as:



To: [EMAIL PROTECTED],[EMAIL PROTECTED]



[Declude.Virus] RE:No wonder viruses spread

2003-08-24 Thread David Dodell
-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Comparing it to the headers generated by the copies of Sobig.F we've looked 
at, it appears that it was indeed a bounce message.


Then I'm confused .. to me it appeared from the headers that it was received from 
another internal IP number, then sent to their exchange server ... am I missing 
something when I see the two IP numbers in the header?

David  


[Declude.Virus] Ooops, I was wrong

2003-08-24 Thread David Dodell
Just sent a test message to the domain, and the headers are the same:

Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP
  (SMTPD32-8.02) id A882145022C; Sun, 24 Aug 2003 10:40:18 -0700
Received: from mail pickup service by guava.uch.edu with Microsoft SMTPSVC;
 Sun, 24 Aug 2003 11:40:18 -0600
Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with Microsoft 
SMTPSVC(5.0.2195.5329);
Sun, 24 Aug 2003 11:40:10 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Received: by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19) id 
RLYYQ30V; Sun, 24 Aug 2003


It appears the uch.edu uses one IP for inbound, must do some
processing at 168.200.32.18 and then 168.200.2.37 for outbound
traffic.

Now I feel like a real idiot ... I wish the LAN administrator would
have just told me that and it all would have made more sense.

Or it is easier just to keep out of everyone else's problem.  I've been
hit for 3 days now by a DSL circuit with the Sobig virus.  I sent off
email to the BellSouth Abuse department, don't ever expect to see an
answer.

I would block the IP, but it keeps jumping to a new one every 6 hours
or so.  I assume this is BellSouth's way of reassigning IPs so DSL
circuits don't get static numbers for free.

David



Re: [Declude.Virus] No wonder viruses spread

2003-08-24 Thread David Dodell
Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP
  (SMTPD32-8.02) id A94AD300BE; Sat, 23 Aug 2003 13:06:34 -0700
Received: from mail pickup service by guava.uch.edu with Microsoft
SMTPSVC;
 Sat, 23 Aug 2003 14:06:33 -0600
Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu
with
Microsoft SMTPSVC(5.0.2195.5329); Sat, 23 Aug 2003 14:06:23 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Received: by uchaex2.uch.ad.pvt with Internet Mail Service
 (5.5.2653.19)

I understand everyone's logic that this might indeed be a bounce,
however, this is the part that keeps confusing me ...

The header shows 168.200.2.27 sent it to me, but guava.uch.edu (which
is their SMTP machine MX) got it from 168.200.32.18 about 11 seconds
earlier (if their clocks are accurate).

168.200.32.18 is in their block too, so I'm assuming that is the
machine that originated the message.

If 168.200.2.27 is their inbound SMTP server, wouldn't you just see
that as the only IP number, and not the second IP number?

David



[Declude.Virus] No wonder viruses spread

2003-08-23 Thread David Dodell
Here is a snippet of some ongoing email I'm having with a LAN
administrator at a university hospital.  I forwarded a copy of the
Declude virus catch, to show them the IP #'s of the machine that sent
the Sobig virus.   I can't get it through his head that the headers
are forged, and irrelevant.

My last message to him pleaded to have him establish a telephone
dialog with me so I could explain the message to him ... I politely
told him if he wants to take the chance that a workstation is infected
within their LAN based on the assumption that he might really be
wrong, he was welcomed to the havoc it will cause.

sigh


David Dodell



===Original message text===
David,

In looking at the header you sent Marcy, the subject of the message is
Undeliverable: Re: Details which means our e-mail system was sending you a
message back that it couldn't deliver a message from you.

My best guess is that Sobig may be on your pc, and you have a contact
somewhere to someone at uch that is no longer here or valid.  Not too
uncommon for we changed our domain last year.

Furthermore, our e-mail system doesn't allow .pif or .scr attachments and
will strip them if attempted whether infected or not.

We appreciate the heads up, but based upon the header it looks like it was a
bounced message from you that was infected and thus the hit by your
antivirus.

If you have any additional questions, comments, or concerns don't hesitate
to let me know.


-Original Message-


This came from David who said this came from one of our computers.  He said
he was this stat technology.  

Marcy

-Original Message-
From: David Dodell [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 23, 2003 2:22 PM
To: left out to protect identity
Subject: Fwd: Virus Notification




===Original message text===
Declude Virus v1.75i2 caught the following:

Virus Name:  W32/[EMAIL PROTECTED]
Virus File: movie0045.pif

From: [Forged]
To  : [EMAIL PROTECTED]
Date:   08/23/2003 13:06:35
Subject:Undeliverable: Re: Details
Spool File: Dc94a00d300be355a.SMD
RemoteIP: 168.200.2.37
SenderHost: Unknown



Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP
  (SMTPD32-8.02) id A94AD300BE; Sat, 23 Aug 2003 13:06:34 -0700
Received: from mail pickup service by guava.uch.edu with Microsoft SMTPSVC;
 Sat, 23 Aug 2003 14:06:33 -0600
Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with
Microsoft SMTPSVC(5.0.2195.5329); Sat, 23 Aug 2003 14:06:23 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Received: by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19) id
RLYYQK7T; Sat, 23 Aug 2003 14:06:23 -0600
Message-ID: [EMAIL PROTECTED]
from: System Administrator [EMAIL PROTECTED]
to: [EMAIL PROTECTED] [EMAIL PROTECTED]
subject: Undeliverable: Re: Details
Date: Sat, 23 Aug 2003 14:06:22 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report: 
Content-Type: multipart/mixed;
boundary=_=_NextPart_000_01C369B2.066CB0EC
Return-Path: 
X-OriginalArrivalTime: 23 Aug 2003 20:06:23.0921 (UTC)
FILETIME=[07029210:01C369B2]



End of original message text===

End of original message text===

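The Received chain debated in these messages can be read mechanically. The following is an added example, not part of the original posts: it walks the headers from the quoted notification oldest-first, shows the delay at each hop, checks that each hop hands over from the host that stamped the previous one, and picks out the one hop written by the receiving server (stat.com). The function names are hypothetical, and the parser only handles the header shapes seen in this thread.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block copied from the virus notification quoted in this thread.
SAMPLE_HEADERS = """\
Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP
  (SMTPD32-8.02) id A94AD300BE; Sat, 23 Aug 2003 13:06:34 -0700
Received: from mail pickup service by guava.uch.edu with Microsoft SMTPSVC;
 Sat, 23 Aug 2003 14:06:33 -0600
Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with
 Microsoft SMTPSVC(5.0.2195.5329); Sat, 23 Aug 2003 14:06:23 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Received: by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19) id
 RLYYQK7T; Sat, 23 Aug 2003 14:06:23 -0600
Subject: Undeliverable: Re: Details

"""

TRACE_RE = re.compile(r"^(?:from\s+(?P<frm>.+?)\s+)?by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into from-host, from-IP, by-host and UTC time."""
    flat = " ".join(value.split())          # undo header folding
    info, _, stamp = flat.rpartition(";")   # the date follows the last ';'
    m = TRACE_RE.match(info.strip())
    if not m:
        raise ValueError(f"unrecognised Received header: {flat!r}")
    frm = m.group("frm") or ""
    ip = IP_RE.search(frm)
    return {
        "from_host": IP_RE.sub("", frm).strip(" ()").lower() or None,
        "from_ip": ip.group(1) if ip else None,
        "by_host": m.group("by").lower(),
        "time": parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc),
    }


def trace(raw_headers):
    """Return the hops oldest-first with per-hop delay and a chain-link check."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # each server prepends its line, so the last one is oldest
    prev = None
    for hop in hops:
        if prev is None:
            hop["delay_s"], hop["linked"] = None, True
        else:
            hop["delay_s"] = int((hop["time"] - prev["time"]).total_seconds())
            # Linked: handed over by the host that stamped the previous hop,
            # or a local hand-off inside that same host (e.g. mail pickup).
            hop["linked"] = (hop["from_host"] == prev["by_host"]
                             or hop["by_host"] == prev["by_host"])
        prev = hop
    return hops


def connecting_peer(hops, my_host):
    """Newest hop stamped by our own server: the entry a sender cannot forge."""
    for hop in reversed(hops):
        if hop["by_host"] == my_host.lower():
            return hop
    return None


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADERS)
    for n, h in enumerate(hops):
        print(n, h["time"].isoformat(), h["from_host"], h["from_ip"],
              "->", h["by_host"], "delay", h["delay_s"], "linked", h["linked"])
    print("peer seen by stat.com:", connecting_peer(hops, "stat.com")["from_ip"])
```

Only the hop written by your own server is outside the sender's control; the older lines are supplied by upstream hosts and are evidence to be weighed, not facts.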


[Declude.Virus] Mimail passing all of a sudden

2003-08-16 Thread David Dodell
Scott, Mimail is passing all of a sudden:

I'm running the latest of F-Prot (the new engine), latest def, latest
beta of Declude ... it was stopping it yesterday ... I've installed
8.02 and MiMail not stopping ... actually haven't seen anything in the
last several hours except Outlook vulnerability.

Ran virus check, eicar and that gets stopped.

Declude Virus v1.75i2 caught the following:

Virus Name:  EICAR_Test_File
Virus File: eicar.com

From: [EMAIL PROTECTED]
To  : [EMAIL PROTECTED]
Date:   08/16/2003 06:53:18
Subject:Test eicar.com file [eicarplain]
Spool File: D374d004201e81505.SMD
RemoteIP: 216.58.174.203
SenderHost: declude.com


I ran the virus through again with loglevel set high and get this.

Any ideas?

David



===Original message text===
08/16/2003 06:47:49 Q3605005e021012db MIME file: message.zip [base64; Length=0 
Checksum=1382]
08/16/2003 06:48:07 Q3617006a0256593a MIME file: [text/html][7bit; Length=10102 
Checksum=724572]

End of original message text===



[Declude.Virus] followup, Mimail getting through

2003-08-16 Thread David Dodell
Just saved the message.zip file to my local machine and ran f-prot
against it ... virus free.

Thoughts?  Maybe a new variant?  Or maybe corrupted?


David



Re[2]: [Declude.Virus] followup, Mimail getting through

2003-08-16 Thread David Dodell
Saturday, August 16, 2003, 7:40:00 AM, Bill Landry wrote:

 What's the message.zip file size?  The only ones I've seen pass are
 corrupted, zero-byte files.

Well, it looks like I'm safe ... the file is zero-bytes so it was
corrupted

BIG SIGH

Now, I took out the little patch Scott put in to catch the message.zip
file when F-Prot had not issued the update ...

What is the line to catch a specific file again?

David



[Declude.Virus] F-Prot Mimail

2003-08-14 Thread David Dodell
Finally caught my first W32/Mimail virus tonight using the new F-Prot
3.14a / new defs ... I'm so relieved sigh

And I'm running the 32 bit command line version.



[Declude.Virus] F-Prot Scheduler

2003-06-14 Thread David Dodell
I like to keep things easy ... I use F-Prot scheduler to check for new
definitions every 4 hours.

However, occasionally it times out, and I'm left with a failed
connection notice on the screen.   And this seems to stop the
automatic polling.   Any way to stop this, some switch someplace, but
I don't see anything in the scheduler itself.

David



Re: [Declude.Virus] F-Prot Scheduler

2003-06-14 Thread David Dodell
From: Serge [EMAIL PROTECTED]

Try to schedule kill.exe 1 hour after each updater run


Serge, what is this kill.exe ... I don't have it on my hard drive.



[Declude.Virus] blocking email to Klez virus

2002-09-01 Thread David Dodell

I have FORGINGVIRUS Klez in my virus.cfg file, but can't locate in
the docs what to put in my EML files so notifications aren't sent out to
the forged addresses.




[Declude.Virus] New Version of F-Prot?

2002-05-27 Thread David Dodell

This was on the Frisk web site, dated today May 27th:

F-Prot Antivirus™ version 3.12a

A new version of F-Prot Antivirus™ for Windows, version 3.12a, has
been released and is now ready for download.

This new version has been improved from previous version 3.12 but the
most notable change lies in greater scanning speed.

The F-Prot Antivirus™ helpfile has been made more extensive in version
3.12a and more detailed instructions added.

F-Prot Antivirus™ has in addition been improved in many ways that are
not as clearly visible to the user as these, but will make the use of
F-Prot Antivirus™ simpler and even more effective than before


This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .



[Declude.Virus] I'm confused, which is correct?

2002-05-19 Thread David Dodell

When I get the following notice from Declude; which is the true
sender knowing the Klez forges headers .. and which one is getting the
virus notice from the server?  The From: that declude reports, or the
from in the headers, or neither?



David

-=

Declude Virus v1.53 caught the following:

Virus Name: : W32/Klez.H@mm
Virus File: May  9.bat

From: [EMAIL PROTECTED]
To  : [EMAIL PROTECTED]
Date:   05/19/2002 08:47:51
Subject:Worm Klez.E immunity
Spool File: Dc925006701aaa3dd.SMD


Received: from host.netfronts.com [209.239.38.95] by stat.com with ESMTP
  (SMTPD32-7.07) id A9256701AA; Sun, 19 May 2002 08:47:49 -0700
Received: from Ujnlfgai ([65.174.147.202])
by host.netfronts.com (8.10.2/8.10.2) with SMTP id g4JFllo13953
for [EMAIL PROTECTED]; Sun, 19 May 2002 11:47:47 -0400
Date: Sun, 19 May 2002 11:47:47 -0400
Message-Id: [EMAIL PROTECTED]
From: aluscre [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=M24JxCE0GyJ4F4434rW8




[Declude.Virus] warning ... check your f-prot installations

2002-03-24 Thread David Dodell

Just a note ... I downloaded and installed the f-prot 3.12 program
since everybody said it was working fine.  I'm using Declude 1.45

Today, the W32/Magistr.32768 infected my wife's machine.   My virus
definitions are updated every 6 hours.

The declude logs show everything normal ... I ran the test eicar files
from declude/tools and it passes right through.

Something has changed from 3.11b to 3.12 that I'm not catching viruses
all of a sudden.

FALSE sense of security ... you might want to check your virus
installation against the Declude EICAR test to make sure your
installation is working.

I've sent the logs / cfg files to Scott hoping to find an answer ...

David




[Declude.Virus] F-Prot Notification List

2002-03-08 Thread David Dodell

Just found this on their website dated today:

F-Prot Antivirus Alert Service

To better serve our customers, FRISK Software International has
launched an Alert Service to provide you with the vital information
you need to stay ahead of threats to your computer security. This
Alert Service will help you to take the necessary precautions before
the actual outbreak of a virus.

This new Alert Service is threefold. First we provide you with the
option of receiving an e-mail each time we update our virus signature
files. This helps you make sure that your F-Prot Antivirus™ is at all
times able to handle the latest viruses. Secondly we can send you an
e-mail with information on potential virus outbreaks. By getting
information on such threats before they knock on your door, you can
prepare yourself and your computer in time. And finally you can
register to receive news on updates for your F-Prot Antivirus™
product.

To register for F-Prot Antivirus Alert Service™ simply follow the link
below and you will soon benefit from receiving the latest
information


http://alerts.f-prot.com/cgi-bin/mf?lang=en 




Re[2]: [Declude.Virus] Badtrans got through...

2002-02-02 Thread David Dodell

Saturday, February 02, 2002, 6:51:34 AM, you wrote:

 does anyone else have a problem with f-prot updating... my system says it
 can not find the server


Mine just updated about 5 minutes ago without problems 7 am MST




Re[2]: [Declude.Virus] f-prot 3.11b

2001-12-24 Thread David Dodell

 A much more important (undocumented) development with 3.11b was the inclusion
 of a native WIN32/Console command line scanner - fpcmd.exe.  This
 theoretically should give a performance boost over the DOS version.  We'll
 have to do some collective testing and see.


Jerry, are you saying we should drop the f-prot.exe and replace it
with this new win32 command line program?




Re[4]: [Declude.Virus] Fw: New version of F-PROT (3.11b)

2001-12-22 Thread David Dodell

Saturday, December 22, 2001, 1:56:35 AM, you wrote:

 got a serious problem with the 3.11b version it slipped through a lot of
 virus tonight, I downloaded the version for Europe, this morning I changed
 back to the 3.11a from the US based ftp and voila I started immediately catching
 virus, anything special we have to look up for in  the new engine ?

Where is the us ftp site for the (a) version ... I'm having problems
too.




[Declude.Virus] f-prot auto update

2001-11-02 Thread David Dodell

Instead of using the f-prot updater (since it will only run once
daily), I'm going to use a different program to run the updates ...
what is the command line I need to get f-prot to update?

Thanks,

David Dodell




[Declude.Virus] not storing viruses

2001-10-06 Thread David Dodell

At the moment, Declude moves my viruses into the imail/spool/virus
subdirectory

Anyway to just have declude delete everything ... I have no desire to
store the messages especially if they are infected.

David




Re[2]: [Declude.Virus] not storing viruses

2001-10-06 Thread David Dodell

Saturday, October 06, 2001, 8:10:04 AM, you wrote:

 There is no way to have Declude automatically delete them.  That's mainly a
 safety feature, in case of problems with the virus scanner (if it starts 
 reporting that all files have viruses, for example).

Would you consider adding a switch for the config file to do this in
the next version if others here think there is a need?

David
