RE: [Declude.Virus] CLAMAV - 88.3-1 - 7/11/2006 Release
Well since you noticed it and I am setting up a new server I will try it tomorrow.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Sunday, July 30, 2006 9:18 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] CLAMAV - 88.3-1 - 7/11/2006 Release

I noticed a new build from the SOSDG group has been released (88.3-1).
http://www.sosdg.org/clamav-win32/index.php

Anyone running it yet?

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] ClamAV error
Gary,

You said CLAM was your third AV yet your config shows it is your second one:

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Change the SCANFILE2, VIRUSCODE2, REPORT2 to 3. That might help.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Friday, July 14, 2006 1:16 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV error

I recently installed ClamAv as my third scanner after AVG and F-Prot. For some reason it indicates an error related to the attachment when it detects a virus (Attachment=[Unknown: Err]). Here is an example from the Declude virus log file:

07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter

It doesn't seem to matter what kind of virus is involved. Even when it detects a phishing attempt you still see the same error. Here is what I have in the virus.cfg:

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Is anyone else experiencing this, or have any ideas?

Thanks,
Gary
[Declude.Virus] New feature needed
Hi,

I would like to suggest a new feature to be added to the virus notification capabilities.

Right now to notify a recipient that I stopped a virus I have a recip.eml file in my main Declude directory. There is another recip-vulnerability.eml file that is used if the virus is a vulnerability. These two files are all-or-nothing files, meaning that all recipients for all the domains that I process are in the same file.

I need to be able to specify a per-domain recip.eml file. This way I can tailor the notifications to each domain as appropriate. These files should be in the domain subdirectory along with the $default$.junkfile etc.

I am faced with the challenge right now for a single domain to send all virus notifications to one person only or to stop all notifications to that domain. To the best of my knowledge I cannot redirect all the notifications to the one person for that domain and to the original recipients for all the other domains.

Another feature that should be added to the *.eml files is the ability to do a BCC to a monitoring address. This is a good way to monitor what is happening with banned files, viruses or whatever notification processes we have set up.

So can you please add this to the to-do list.

Thank you

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] New feature needed
David,

Any idea when it might make it as a feature in the code?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, June 20, 2006 2:58 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New feature needed

Added to the development wish list.

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, June 20, 2006 2:12 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New feature needed

Hi,

I would like to suggest a new feature to be added to the virus notification capabilities.

Right now to notify a recipient that I stopped a virus I have a recip.eml file in my main Declude directory. There is another recip-vulnerability.eml file that is used if the virus is a vulnerability. These two files are all-or-nothing files, meaning that all recipients for all the domains that I process are in the same file.

I need to be able to specify a per-domain recip.eml file. This way I can tailor the notifications to each domain as appropriate. These files should be in the domain subdirectory along with the $default$.junkfile etc.

I am faced with the challenge right now for a single domain to send all virus notifications to one person only or to stop all notifications to that domain. To the best of my knowledge I cannot redirect all the notifications to the one person for that domain and to the original recipients for all the other domains.

Another feature that should be added to the *.eml files is the ability to do a BCC to a monitoring address. This is a good way to monitor what is happening with banned files, viruses or whatever notification processes we have set up.

So can you please add this to the to-do list.

Thank you

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] New feature needed
Gary,

I have not even thought of something like that (since all my customers are English speaking) but you are absolutely right.

So David will we be seeing this new feature next week? :)

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Tuesday, June 20, 2006 3:24 PM
To: declude.virus@declude.com
Subject: re: [Declude.Virus] New feature needed

I asked about the possibility of per-domain replies several months ago. I would hope that it has already been placed on the wish list. It is especially useful when you have users speaking different languages and you want to have language-specific messages linked to each domain.

Gary

Original Message
From: Goran Jovanovic [EMAIL PROTECTED]
Sent: Tuesday, June 20, 2006 2:30 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New feature needed

Hi,

I would like to suggest a new feature to be added to the virus notification capabilities.

Right now to notify a recipient that I stopped a virus I have a recip.eml file in my main Declude directory. There is another recip-vulnerability.eml file that is used if the virus is a vulnerability. These two files are all-or-nothing files, meaning that all recipients for all the domains that I process are in the same file.

I need to be able to specify a per-domain recip.eml file. This way I can tailor the notifications to each domain as appropriate. These files should be in the domain subdirectory along with the $default$.junkfile etc.

I am faced with the challenge right now for a single domain to send all virus notifications to one person only or to stop all notifications to that domain. To the best of my knowledge I cannot redirect all the notifications to the one person for that domain and to the original recipients for all the other domains.

Another feature that should be added to the *.eml files is the ability to do a BCC to a monitoring address. This is a good way to monitor what is happening with banned files, viruses or whatever notification processes we have set up.

So can you please add this to the to-do list.

Thank you

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] New feature needed
I do some limited customization using filters/rules on the domain in Imail ...

This might work for you but I gateway most of my domains so this does not seem like a good option for me. Also since I have per-domain configs in Declude these notifications should be handled in the same way.

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] new virus
My F-Prot is finding it but it does not know what it is. Both the MAIL FROM and the RCPT TO are the same address.

06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension.
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05

Goran Jovanovic
Omega Network Solutions
Tel: 416 322-0333
Cell: 416 805-HELP (4357)
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, June 16, 2006 5:31 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus

This is what I've received recently:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FBREPBOT%2EAVSect=T

My F-Prot and Trend Micro do detect it.

When I submit the executable inside the payload to http://virusscan.jotti.org or http://www.virustotal.com I get these results:

AntiVir 6.35.0.13 06.16.2006 Worm/SdBot.32768.26
Authentium 4.93.8 06.16.2006 W32/Brepibot.gen
Avast 4.7.844.0 06.15.2006 no virus found
AVG 386 06.16.2006 IRC/BackDoor.SdBot2.EDN
BitDefender 7.2 06.16.2006 Backdoor.IRCbot.JD
CAT-QuickHeal 8.00 06.16.2006 no virus found
ClamAV devel-20060426 06.16.2006 Trojan.IRCBot-638
DrWeb 4.33 06.16.2006 BackDoor.IRC.Boxer
eTrust-InoculateIT 23.72.40 06.16.2006 no virus found
eTrust-Vet 12.6.2259 06.16.2006 no virus found
Ewido 3.5 06.16.2006 no virus found
Fortinet 2.77.0.0 06.16.2006 W32/Brepibot.AS!tr
F-Prot 3.16f 06.16.2006 W32/Brepibot.gen
Ikarus 0.2.65.0 06.16.2006 photo3.exe
Kaspersky 4.0.2.24 06.16.2006 Backdoor.Win32.Breplibot.ai
McAfee 4786 06.16.2006 W32/Brepibot.gen
Microsoft 1.1441 06.16.2006 no virus found
NOD32v2 1.1605 06.16.2006 Win32/IRCBot.PH
Norman 5.90.21 06.16.2006 W32/Malware
Panda 9.0.0.4 06.16.2006 Suspicious file
Sophos 4.06.0 06.16.2006 Troj/Stinx-W
Symantec 8.0 06.16.2006 Backdoor.Naninf.E
TheHacker 5.9.8.160 06.16.2006 no virus found

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, June 16, 2006 2:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus

It might be this, if my F-Prot is more up to date than yours, as mine has identified a few zip files with a plus sign in the name as W32/Brepibot.gen
http://www.f-secure.com/weblog/archives/archive-062006.html#0902

The fake HELO names were CNN.com and TradersWorld.com if that's any use.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin
Sent: Friday, June 16, 2006 2:03 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus

Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it.

At 04:30 PM 6/16/2006 -0400, you wrote:
Is anyone else seeing new virus zip files getting past F-Prot? The last one was just numbers.zip. Earlier a few came through with name.zip

Bruce Loughlin
RE: [Declude.Virus] new virus
Yup I got it. I think that the message

Could not find parse string Infection: in report.txt

means that it did not find the word infection in the file.

SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /TYPE /SILENT /ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE 8
VIRUSCODE 9
VIRUSCODE 10
REPORT1 Infection:

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, June 16, 2006 6:59 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus

Goran,

Do you have exit code 8 also listed for F-Prot in your virus.cfg? If not you should.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 16, 2006 6:04 PM
Subject: RE: [Declude.Virus] new virus

My F-Prot is finding it but it does not know what it is. Both the MAIL FROM and the RCPT TO are the same address.

06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension.
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05

Goran Jovanovic
Omega Network Solutions
Tel: 416 322-0333
Cell: 416 805-HELP (4357)
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, June 16, 2006 5:31 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus

This is what I've received recently:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FBREPBOT%2EAVSect=T

My F-Prot and Trend Micro do detect it.

When I submit the executable inside the payload to http://virusscan.jotti.org or http://www.virustotal.com I get these results:

AntiVir 6.35.0.13 06.16.2006 Worm/SdBot.32768.26
Authentium 4.93.8 06.16.2006 W32/Brepibot.gen
Avast 4.7.844.0 06.15.2006 no virus found
AVG 386 06.16.2006 IRC/BackDoor.SdBot2.EDN
BitDefender 7.2 06.16.2006 Backdoor.IRCbot.JD
CAT-QuickHeal 8.00 06.16.2006 no virus found
ClamAV devel-20060426 06.16.2006 Trojan.IRCBot-638
DrWeb 4.33 06.16.2006 BackDoor.IRC.Boxer
eTrust-InoculateIT 23.72.40 06.16.2006 no virus found
eTrust-Vet 12.6.2259 06.16.2006 no virus found
Ewido 3.5 06.16.2006 no virus found
Fortinet 2.77.0.0 06.16.2006 W32/Brepibot.AS!tr
F-Prot 3.16f 06.16.2006 W32/Brepibot.gen
Ikarus 0.2.65.0 06.16.2006 photo3.exe
Kaspersky 4.0.2.24 06.16.2006 Backdoor.Win32.Breplibot.ai
McAfee 4786 06.16.2006 W32/Brepibot.gen
Microsoft 1.1441 06.16.2006 no virus found
NOD32v2 1.1605 06.16.2006 Win32/IRCBot.PH
Norman 5.90.21 06.16.2006 W32/Malware
Panda 9.0.0.4 06.16.2006 Suspicious file
Sophos 4.06.0 06.16.2006 Troj/Stinx-W
Symantec 8.0 06.16.2006 Backdoor.Naninf.E
TheHacker 5.9.8.160 06.16.2006 no virus found

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, June 16, 2006 2:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus

It might be this, if my F-Prot is more up to date than yours, as mine has identified a few zip files with a plus sign in the name as W32/Brepibot.gen
http://www.f-secure.com/weblog/archives/archive-062006.html#0902

The fake HELO names were CNN.com and TradersWorld.com if that's any use.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin
Sent: Friday, June 16, 2006 2:03 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus

Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it.

At 04:30 PM 6/16/2006 -0400, you wrote:
Is anyone else seeing new virus zip
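The two configuration problems in these threads (a scanner block whose SCANFILEn/VIRUSCODEn/REPORTn index collides with an existing scanner, and an exit code that is a VIRUSCODE while the REPORT parse string is missing from report.txt, which produces the "Could not find parse string" line) can be checked before Declude is restarted. The script below is an added example, not code from the thread or from Declude; it assumes that unnumbered keys belong to scanner 1 (the manual excerpt quoted later in this thread uses that form for the first scanner), that a later duplicate SCANFILEn line replaces the earlier one, and it uses a simplified rule for pulling the virus name out of the report line. The AVG scanner line in the sample config is constructed.

```python
import re
from collections import defaultdict

# Per-scanner keys in Declude's virus.cfg. The trailing number ties the three
# keys for one scanner together. Assumption: the unnumbered form (used for the
# first scanner in the manual excerpt quoted in this thread) means scanner 1.
KEY_RE = re.compile(r"^(SCANFILE|VIRUSCODE|REPORT)(\d*)\s+(.*)$", re.IGNORECASE)


def parse_virus_cfg(text):
    """Group SCANFILEn / VIRUSCODEn / REPORTn lines by scanner index (int)."""
    scanners = defaultdict(lambda: {"scanfile": None, "scanfile_count": 0,
                                    "viruscodes": set(), "report": None})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue  # other virus.cfg keys are not modelled here
        key, idx, value = m.group(1).upper(), m.group(2), m.group(3).strip()
        entry = scanners[int(idx) if idx else 1]
        if key == "SCANFILE":
            entry["scanfile"] = value          # assumption: last definition wins
            entry["scanfile_count"] += 1
        elif key == "VIRUSCODE":
            entry["viruscodes"].add(int(value))
        else:
            entry["report"] = value
    return dict(scanners)


def lint_virus_cfg(scanners, expected_count=None):
    """Return human-readable problems of the kind discussed in the thread."""
    problems = []
    for i in sorted(scanners):
        e = scanners[i]
        if e["scanfile_count"] > 1:
            problems.append("SCANFILE%d is defined %d times; one scanner is silently "
                            "replaced" % (i, e["scanfile_count"]))
        if e["scanfile"] is None:
            problems.append("scanner %d has VIRUSCODE/REPORT but no SCANFILE%d" % (i, i))
        if not e["viruscodes"]:
            problems.append("scanner %d has no VIRUSCODE%d; it can never flag a virus" % (i, i))
        if e["report"] is None:
            problems.append("scanner %d has no REPORT%d; virus names will not be parsed" % (i, i))
    if expected_count is not None and sorted(scanners) != list(range(1, expected_count + 1)):
        problems.append("expected scanners 1..%d but found indexes %s"
                        % (expected_count, sorted(scanners)))
    return problems


def evaluate_scan(scanner, exit_code, report_txt):
    """Model one scanner run as (infected, virus_name).

    infected is True when exit_code is one of the scanner's VIRUSCODEs.
    virus_name is None when the REPORT parse string is absent from report.txt
    (the "Could not find parse string" case). Name extraction (text after the
    parse string, else the word before it) is a simplification, not Declude's.
    """
    if exit_code not in scanner["viruscodes"]:
        return (False, None)
    needle = scanner["report"]
    if needle:
        for line in report_txt.splitlines():
            pos = line.find(needle)
            if pos == -1:
                continue
            after = line[pos + len(needle):].split()
            before = line[:pos].split()
            return (True, after[0] if after else (before[-1] if before else ""))
    return (True, None)


def describe(index, scanner, exit_code, report_txt):
    """Render the log lines Declude writes, in the format quoted in the thread."""
    lines = ["Virus scanner %d reports exit code of %d" % (index, exit_code)]
    infected, name = evaluate_scan(scanner, exit_code, report_txt)
    if infected:
        if name is None:
            lines.append("Could not find parse string %s in report.txt" % scanner["report"])
        lines.append("File(s) are INFECTED [%s: %d]" % (name or "", exit_code))
    return lines


# Constructed sample: the F-Prot block posted above (mixed numbered and
# unnumbered VIRUSCODE lines) plus a ClamAV scanner added under an index
# that is already taken, as in the ClamAV error thread. AVG line is made up.
SAMPLE_CFG = """
SCANFILE1 C:\\Progra~1\\FSI\\F-Prot\\fpcmd.exe /AI /TYPE /SILENT /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE 8
REPORT1 Infection:
SCANFILE2 C:\\AVG\\avgscan.exe
VIRUSCODE2 7
REPORT2 VIRUS:
SCANFILE2 C:\\clamav-devel\\bin\\clamdscan.exe --quiet -l report.txt
VIRUSCODE2 1
REPORT2 FOUND
"""

if __name__ == "__main__":
    cfg = parse_virus_cfg(SAMPLE_CFG)
    for p in lint_virus_cfg(cfg, expected_count=3):
        print("config:", p)
    # exit code 8 with an empty report.txt reproduces the log lines quoted above
    for line in describe(1, cfg[1], 8, ""):
        print(line)
```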
RE: [Declude.Virus] Testing the Boards
Pong

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, April 27, 2006 9:22 AM
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Subject: [Declude.Virus] Testing the Boards

PING
[Declude.Virus] CLAMSCAN Scanner Command Line
Hi,

I have just added the CLAM scanner to my config and was wondering about the command lines described in the Declude manual. I am using the first option:

SCANFILE [Drive:]\[Path]\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE 1

or

SCANFILE [Drive:]\[Path]\clamwin\bin\clamscan.exe --verbose --database=[Drive:]\[Path]\db --tempdir=c:\Temp --no-summary -l report.txt
VIRUSCODE 1

What is the database the second version is pointing to? I have no DB directory in C:\clamav-devel nor are there any files called DB in that directory. From what I understand the virus and phishing signatures are in C:\clamav-devel\share\clamav and clamscan.exe figures it out automatically.

Am I missing something here?

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] CLAMSCAN Scanner Command Line
I see. Do most people run CLAM as a daemon or just call it for every message?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of george kulman
Sent: Monday, March 06, 2006 2:26 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] CLAMSCAN Scanner Command Line

The first is for the Windows port of Clam-AV. The second is for ClamWin. Different setups.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Monday, March 06, 2006 10:45 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] CLAMSCAN Scanner Command Line

Hi,

I have just added the CLAM scanner to my config and was wondering about the command lines described in the Declude manual. I am using the first option:

SCANFILE [Drive:]\[Path]\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE 1

or

SCANFILE [Drive:]\[Path]\clamwin\bin\clamscan.exe --verbose --database=[Drive:]\[Path]\db --tempdir=c:\Temp --no-summary -l report.txt
VIRUSCODE 1

What is the database the second version is pointing to? I have no DB directory in C:\clamav-devel nor are there any files called DB in that directory. From what I understand the virus and phishing signatures are in C:\clamav-devel\share\clamav and clamscan.exe figures it out automatically.

Am I missing something here?

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] language specific messages
You could always put the English and Spanish messages into the same recip.eml file. I see a lot of that type of thing up here in Canada except it is English and French.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Thursday, February 23, 2006 2:04 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] language specific messages

Can the following be done in Declude EVA?

I have customers who are English speakers, and customers who are Spanish speakers. When a customer is sent a virus, they receive a message telling them about the virus (recip.eml). I want to be able to have a different message sent to each of my domains depending on the language of the customer (recip-en.eml and recip-es.eml). I believe this can be done in Junkmail, but can it be done in EVA?

Thanks,
Gary Steiner

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
RE: [Declude.Virus] language specific messages
Andrew,

Do you do anything to decrease the chance of the alert message going out to real spammers or forged addresses? This would get sent out to e-mail that failed REVDNS and was not deleted as SPAM?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, February 23, 2006 2:35 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Example attached (sorry, German/English in this case).

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 02:12 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

You could always put the English and Spanish messages into the same recip.eml file. I see a lot of that type of thing up here in Canada except it is English and French.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Thursday, February 23, 2006 2:04 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] language specific messages

Can the following be done in Declude EVA?

I have customers who are English speakers, and customers who are Spanish speakers. When a customer is sent a virus, they receive a message telling them about the virus (recip.eml). I want to be able to have a different message sent to each of my domains depending on the language of the customer (recip-en.eml and recip-es.eml). I believe this can be done in Junkmail, but can it be done in EVA?

Thanks,
Gary Steiner
RE: [Declude.Virus] language specific messages
Andrew,

I do not send any outbound alerts/bounces etc. The only ones I send are for banned files and that goes to the recipient(s).

Having said that I kind of like the idea of sending a REVDNS alert to legitimate senders in the hope that they will act to clean up their system. Question is how do you tell if they are legitimate mail rather than spam? Perhaps with a filter like this run as the last one in global.cfg:

SKIPIFWEIGHT 10
TESTFAILED 0 CONTAINS REVDNS

Then do an alert in the $default$.junkmail file for this test. I tag at 10 and delete at 30 so this would only trigger on legit messages.

Just a thought

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, February 23, 2006 3:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Goran, I actually avoid any bounce and alerts to recipients and senders. I only use alerting to send virus alerts inbound to our postmaster account.

I do this because I know firsthand how hard it is to keep junk alerts from the Internet from coming in to my users' mailboxes.

Likewise, I recommend NOT sending user notifications regarding viruses.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 11:43 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Andrew,

Do you do anything to decrease the chance of the alert message going out to real spammers or forged addresses? This would get sent out to e-mail that failed REVDNS and was not deleted as SPAM?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, February 23, 2006 2:35 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Example attached (sorry, German/English in this case).

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 02:12 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

You could always put the English and Spanish messages into the same recip.eml file. I see a lot of that type of thing up here in Canada except it is English and French.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Thursday, February 23, 2006 2:04 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] language specific messages

Can the following be done in Declude EVA?

I have customers who are English speakers, and customers who are Spanish speakers. When a customer is sent a virus, they receive a message telling them about the virus (recip.eml). I want to be able to have a different message sent to each of my domains depending on the language of the customer (recip-en.eml and recip-es.eml). I believe this can be done in Junkmail, but can it be done in EVA?

Thanks,
Gary Steiner
[Declude.Virus] F-Prot 3.16e
I found this blurb on their site saying what is new for version 3.16e:
http://www.f-prot.com/news/gen_news/060104_release_win316e_exchange123.html

FRISK Software has released version 3.16e of F-Prot Antivirus for Windows and version 1.2.3 of F-Prot Antivirus for Exchange. These newest versions of F-Prot Antivirus for Windows and F-Prot Antivirus for Exchange include a number of important bugfixes as well as providing enhanced scanning of Windows Metafile images (WMF) for embedded malware. WMF files disguised, among other things, as JPG images have increasingly been taking advantage of a recently discovered yet serious vulnerability in Windows in order to run malicious code on susceptible machines. Successful exploitation of this vulnerability can allow an attacker to gain complete control over an affected computer, which can then be used to send out spam e-mail or spread viruses and other malware further. A number of different exploits have appeared over recent days and these newest versions of F-Prot Antivirus for Windows and F-Prot Antivirus for Exchange detect and delete all known exploits as well as detecting previously unknown malware attempting to take advantage of this WMF vulnerability.

I have not found any other release notes except for one that comes up talking about 3.16c:
http://www.f-prot.com/version_release_dates.html

3.16d and e do not have release notes on the web page. Are there any other release notes?

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] Another round of Bagle?
I am getting a ton of ZIP-EXE being banned.

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Thursday, December 22, 2005 11:25 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Another round of Bagle?

Looks like another round of Bagle is starting?

John T
eServices For You
[Declude.Virus] Where to send exe's to check if they are a virus?
Hi,

I am getting a bunch of exe in zip files being banned right now. I have grabbed one of them; it is called marie.zip and has a single exe in it called s3700020.exe, and when you put it on your desktop it has the standard jpeg icon associated with it. My F-Prot, McAfee and Symantec scanners are not finding a virus.

Where is the place that you can send it to and have it checked out by a ton of virus scanners?

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] Where to send exe's to check if they are a virus?
I tried www.totalvirus.com and it is an ad site. Thank you

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, December 15, 2005 10:45 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?

www.virustotal.com (see my previous posting for results)

At the moment I consider blocking, at least temporarily, exe in zips and updating the virus definitions.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, December 15, 2005 4:26 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Where to send exe's to check if they are a virus?

Hi,

I am getting a bunch of exe in zip files being banned right now. I have grabbed one of them; it is called marie.zip and has a single exe in it called s3700020.exe, and when you put it on your desktop it has the standard jpeg icon associated with it. My F-Prot, McAfee and Symantec scanners are not finding a virus.

Where is the place that you can send it to and have it checked out by a ton of virus scanners?

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] Where to send exe's to check if they are a virus?
Yup, this is the one I got as well. I just did a manual update of F-Prot and it found a new SIGN.DEF and SIGN2.DEF. Maybe these signatures will find it now.

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Thursday, December 15, 2005 10:46 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?

www.virustotal.com

This is a very small e-mail, the D file being only 11 kb. Some of the small AV companies are reporting it as a Bagle variant and F-Prot is reporting it as MitGlieder.GU, although it is not catching it on the server.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, December 15, 2005 7:26 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Where to send exe's to check if they are a virus?

Hi,

I am getting a bunch of exe in zip files being banned right now. I have grabbed one of them; it is called marie.zip and has a single exe in it called s3700020.exe, and when you put it on your desktop it has the standard jpeg icon associated with it. My F-Prot, McAfee and Symantec scanners are not finding a virus.

Where is the place that you can send it to and have it checked out by a ton of virus scanners?

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] Where to send exe's to check if they are a virus?
As one of my clients likes to say, it is a "Code 18" problem: the problem is 18 inches from the keyboard. They are a school, so it is true a lot of the time :)

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Thursday, December 15, 2005 11:07 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?

Uh, keyboard virus? ;)

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, December 15, 2005 7:53 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?

I tried www.totalvirus.com and it is an ad site. Thank you

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, December 15, 2005 10:45 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?

www.virustotal.com (see my previous posting for results)

At the moment I consider blocking, at least temporarily, exe in zips and updating the virus definitions.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, December 15, 2005 4:26 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Where to send exe's to check if they are a virus?

Hi,

I am getting a bunch of exe in zip files being banned right now. I have grabbed one of them; it is called marie.zip and has a single exe in it called s3700020.exe, and when you put it on your desktop it has the standard jpeg icon associated with it. My F-Prot, McAfee and Symantec scanners are not finding a virus.

Where is the place that you can send it to and have it checked out by a ton of virus scanners?

Thanx

Goran Jovanovic
Omega Network Solutions
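The thread above is about a ZIP whose single member is an .exe wearing a JPEG icon that three scanners missed, and about blocking exe-in-zip outright while definitions catch up. As an added example (not code from the list or from Declude), here is a Python check a mail admin could run on such an attachment before deciding to ban it: it inspects the archive without extracting anything to disk, flags members by executable extension and by the "MZ" PE signature in their first two bytes, treats encrypted members as unscannable, and descends into nested ZIPs. The sample archives are constructed in memory as stand-ins for marie.zip; the member named s3700020.exe holds only the two magic bytes plus padding, not a program.

```python
import io
import os
import zipfile

# Extensions Windows runs on double-click. The desktop icon says nothing
# about the real type, so the content check below matters more than the name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
PE_MAGIC = b"MZ"           # first two bytes of every Windows PE executable
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a nested ZIP


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return one record per file member, recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            record = {
                "name": info.filename,
                "depth": depth,
                "encrypted": bool(info.flag_bits & 0x1),
                "exec_extension": os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTENSIONS,
                "pe_magic": False,
                "nested_zip": False,
            }
            if not record["encrypted"]:
                content = zf.read(info)
                record["pe_magic"] = content.startswith(PE_MAGIC)
                if content.startswith(ZIP_MAGIC) and depth < max_depth:
                    record["nested_zip"] = True
                    findings.append(record)
                    findings.extend(inspect_zip(content, depth + 1, max_depth))
                    continue
            findings.append(record)
    return findings


def should_ban(data: bytes) -> bool:
    """Ban when any member is encrypted (cannot be scanned) or looks executable."""
    return any(f["encrypted"] or f["exec_extension"] or f["pe_magic"]
               for f in inspect_zip(data))


def build_sample_zip() -> bytes:
    """Constructed stand-in for marie.zip: 'MZ' plus zero padding, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("s3700020.exe", PE_MAGIC + b"\x00" * 1022)
    return buf.getvalue()


def build_nested_zip() -> bytes:
    """Constructed: the sample archive wrapped in a second ZIP under a bland name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos.zip", build_sample_zip())
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed: a text file only, which should pass."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"quarterly figures\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("sample", build_sample_zip()),
                          ("nested", build_nested_zip()),
                          ("clean", build_clean_zip())):
        for f in inspect_zip(sample):
            print(label, f)
        print(label, "ban:", should_ban(sample))
```

The name check alone would have banned s3700020.exe here, but the magic-byte check is what survives a rename to s3700020.jpg, and the encrypted-member rule is what makes the "ban encrypted zips" policy mentioned later in this archive enforceable from the archive's own metadata.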
RE: [Declude.Virus] Notifications
This also fixed my logging problems that were introduced in 3.0.5.21 for JunkMail logs.

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, December 05, 2005 4:51 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Notifications

Not released yet, but it has tested fine as an interim; it should have the virus notifications for SM. You can try the latest version:

Imail: http://www.declude.com/version/Upgrade/IM/Decludeproc30522.exe
SmarterMail: http://www.declude.com/version/Upgrade/SM/Decludeproc30522.exe

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Monday, December 05, 2005 3:19 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Notifications

Imail 8.21
Declude Pro 3.0.5.21

Is anyone else still having problems with not getting notices? Someone mentioned a patched version that fixed this, but it was pre-.21. I would have assumed that those patches would have been in .21. I have all removed except the BANnotify.eml (see below). This one comes to me only, but stopped working before 3.0.5.20.

Thanks,
John C

===== BANnotify.eml =====
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Email delivery blocked due to file attachment

In \spool\virus directory
From: %MAILFROM%
To: %ALLRECIPS%
Subject: %SUBJECT%
Banned Extension: %BANEXT%
Queue Name: %QUEUENAME%
Headers follow:
%HEADERS%
[Declude.Virus] Requeueing Banned Files in 3.x
Hi,

There was a discussion a while ago on where to put a message with a banned attachment when using Declude 3.x. I tried it by putting it back in the spool directory and the msg promptly ended back in the spool\virus directory. I tried putting the D/Q files back in the proc directory and they got banned again.

Can someone point me to the right directory?

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] Requeueing Banned Files in 3.x
I found the problem. Because my new server has the SPOOL directory on the D drive, I had to add the IUSR... account back to the directory. Now it works copying back to the SPOOL directory.

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, November 05, 2005 4:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Requeueing Banned Files in 3.x

Hi,

There was a discussion a while ago on where to put a message with a banned attachment when using Declude 3.x. I tried it by putting it back in the spool directory and the msg promptly ended back in the spool\virus directory. I tried putting the D/Q files back in the proc directory and they got banned again.

Can someone point me to the right directory?

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] Confirm SKIPIFRECIP syntax
Thank you, I will implement that.

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Thursday, August 25, 2005 12:08 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Confirm SKIPIFRECIP syntax

Yes, with that command it will not send the notification if the recipient of the virus is one that you specify. So the line

SKIPIFRECIP [EMAIL PROTECTED]

won't send the notification to [EMAIL PROTECTED] if he/she is the recipient of the vulnerability you mention.

Luis Arango

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, August 23, 2005 10:47 a.m.
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Confirm SKIPIFRECIP syntax

Hi,

I just want to confirm that if I put a

SKIPIFRECIP [EMAIL PROTECTED]

in my recip-vulnerability.eml file, the person mentioned above will not get VULNERABILITY ALERTs but everyone else will.

Thanks

Goran Jovanovic
The LAN Shoppe
[Declude.Virus] Confirm SKIPIFRECIP syntax
Hi,

I just want to confirm that if I put a

SKIPIFRECIP [EMAIL PROTECTED]

in my recip-vulnerability.eml file, the person mentioned above will not get VULNERABILITY ALERTs but everyone else will.

Thanks

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] blocking by IP address
Susan,

You could also block port 25 from that IP at your firewall and that would prevent it from even reaching your IMail server. I have had to do that in the past a couple of times.

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Susan Duncan
Sent: Monday, June 20, 2005 11:11 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] blocking by IP address

Thanks. I'd forgotten about that option.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: June 20, 2005 10:36 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] blocking by IP address

If you are using Imail just add it into the SMTP Access Control List. This will block them from connecting to you.

Darrell
--
DLAnalyzer - Comprehensive reporting for Declude Junkmail and SPAM. Try it today http://www.dlanalyzer.com

Susan Duncan writes:

I have the standard version of Declude virus and spam. I am receiving viruses every day from a particular IP address. I've contacted the admin for that IP address to no avail. I would just like to block everything from that IP so that we aren't getting messages about all the viruses we're blocking from that address. Is there an easy way to do that?
RE: [Declude.Virus] F-Prot update
Now why did I not receive an update?? I received the update for 3.16b a couple of months after it was out. Maybe Canada gets notices very late?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Thursday, June 09, 2005 2:52 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot update

They always said it!! Here's the previous update notice:

We recommend that users of F-Prot Antivirus for Windows update their programs to version 3.16b as soon as possible. Please visit our update center to update your program now:

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
Sent: Thursday, June 09, 2005 2:14 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot update

I received a notice for the 3.16c update from Frisk. I don't recall it being normal for them to recommend updating ASAP. Anyone tried it yet?

~Joe
RE: [Declude.Virus] F-Prot update
Andrew,

I looked at the sign and sign2.def files and they are binary junk to me. What did you use to check the def files?

I resubscribed to the announcements and maybe now I will get 1 announcement :)

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 09, 2005 9:54 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot update

According to their website, this is a stability update; comparing a new install on my test box shows that lots of datestamps have been updated but actually not many files changed. The Help file has not changed, and there is no text file that describes the changes/updates.

As an aside, Matt and I each contacted their Support desk regarding slow processing of certain UPX encrypted hostiles, and also an overlapping issue where variants of MyTob being caught as error code 8 suspicious were just as viral as other variants that were caught as error code 3 virus... well, I went back and checked and with the current *.def files, both of those issues have been fixed.

Andrew 8)

p.s. I'm also in Canada, and didn't receive an email update notice for this update, nor the previous one.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
Sent: Thursday, June 09, 2005 11:14 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot update

I received a notice for the 3.16c update from Frisk. I don't recall it being normal for them to recommend updating ASAP. Anyone tried it yet?

~Joe
RE: [Declude.Virus] .EML file syntax
Yes, this is what I want:

FROM: [EMAIL PROTECTED]
TO: %ALLRECIP%
CC: [EMAIL PROTECTED]
SUBJECT: blah blah blah

I tried to add a CC: [EMAIL PROTECTED] after the TO: line but it does not work in 2.0.6.6. This should be something that Declude should be able to address. I will step away from asking for a BCC: [EMAIL PROTECTED] if it is too difficult to create based on Andy's comments below. But in my opinion the BANNotify.EML file produces a brand new e-mail, so there should not be, IMO, any reason why the BCC functionality could not be added.

Declude: Is this on the feature request list somewhere?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Wednesday, June 01, 2005 8:22 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] .EML file syntax

I think you're confused. He wants the Template files to be CC'd to another recip. ie, now:

FROM: [EMAIL PROTECTED]
TO: %ALLRECIP%
SUBJECT: blah blah blah

He wants to add CC: . I have tried TO: %ALLRECIP%;[EMAIL PROTECTED] and that doesn't work either, at least in 1.82.

----- Original Message -----
From: Andy Schmidt
To: Declude.Virus@declude.com
Sent: Wednesday, June 01, 2005 12:21 AM
Subject: RE: [Declude.Virus] .EML file syntax

Hi Goran:

The cc: information is part of the (spoofable) SMTP header - the bcc: is not ANYWHERE. The only entity that knows about the bccs is the sending mail server; it will simply distribute the message to anyone in the bcc and cc header. To each BCC or CC recipient's server it will look like a message that was addressed from one third party to another third party - they will not see the BCC information.

While the cc: (but not bcc) information can be found in the SMTP header in the receiving server (and thus Declude), there is no way to say whether that header is true or spoofed (although there is little motivation to spoof that header, that I can think of).

There simply is no way on earth for anything beyond the sending mail server to do anything with BCCs since the information simply is omitted and thus not available. Therefore, there is no reason to believe that it will (or could) ever be added to a future Declude version.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, May 31, 2005 09:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want), but can you also put in a CC or, better yet, a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] .EML file syntax
Title: Message Yes that is what I have resorted to but it would have been nice to be able to put it as a BCC so that the recipients do not know that it is monitored. Declude Support has told me that this feature is now on the which list. Goran Jovanovic The LAN Shoppe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Childers Sent: Wednesday, June 01, 2005 3:01 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] .EML file syntax You could add a comma and then another address on the TO: line. This is what I do for my BANnotify message. FROM: [EMAIL PROTECTED] TO: %ALLRECIP%, [EMAIL PROTECTED] SUBJECT: blah blah blah HTH, Patrick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Wednesday, June 01, 2005 8:56 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] .EML file syntax Yes this is what I want FROM: [EMAIL PROTECTED] TO: %ALLRECIP% CC: [EMAIL PROTECTED] SUBJECT: blah blah blah I tried to add a CC: [EMAIL PROTECTED] after the TO: line but it does not work in 2.0.6.6 This should be something that Declude should be able to address. I will step away from asking for a BC: [EMAIL PROTECTED] if it is too difficult to create based on Andys comments below. But in my opinion the BANNotify.EML file produces a brand new e-mail so there should not be, IMO, any reason why the BCC functionality could not be added. Declude: Is this on the feature request list somewhere? Goran Jovanovic The LAN Shoppe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell Sent: Wednesday, June 01, 2005 8:22 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] .EML file syntax I think your confused, He wants the Template files to be CC'd to another recip. ie, now: FROM: [EMAIL PROTECTED] TO: %ALLRECIP% SUBJECT: blah blah blah He wants to add CC: , I have tried TO: %ALLRECIP%;[EMAIL PROTECTED] and that doesn't work either, at least in 1.82. 
- Original Message - From: Andy Schmidt To: Declude.Virus@declude.com Sent: Wednesday, June 01, 2005 12:21 AM Subject: RE: [Declude.Virus] .EML file syntax Hi Goran: The cc: information is part of the (spoofable) SMTP header - the bcc: is not ANYWHERE. The only entitythat knows about the bccs is the sending mail sever, it will simply distribute the message to anyone in the bcc and cc header. To each BCC or CC recipient's server it will look like a message that wasaddressed from one third party to another third party - they will not see the BCC information. While the cc: (but not bcc) information can be found in the SMTP header in the receiving server (and thus Declude) there is no way to say whether that header is true or spoofed (although there is little motivation to spoof that header, that I can think of). There simply is no way on earth for anythingbeyond the sending mail server to do anything with BCCs since the information simply is omitted and thus not available. Therefore, there is no reason to believe that it will (or could) ever be added to a future DEclude version. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Tuesday, May 31, 2005 09:27 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] .EML file syntax Hi, I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual. Thanx Goran Jovanovic The LAN Shoppe
[Declude.Virus] .EML file syntax
Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want), but can you also put in a CC or, better yet, a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] .EML file syntax
Urgh. I tried CC: but that did not work. It would be nice to be able to do this.

Thanx

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, May 31, 2005 10:09 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] .EML file syntax

Not unless it has been introduced as a feature in 2.x.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, May 31, 2005 6:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want), but can you also put in a CC or, better yet, a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] .EML file syntax
Darin,

Not sure if you understood what I was looking for. I want to take an EML file, say for a banned file notification, and send it TO: %ALLRECIPS% and BCC: me (or a monitor account). This is the functionality that does not exist.

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, May 31, 2005 10:43 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] .EML file syntax

I asked about this about a month ago. From what I was told, Declude cannot determine who is on the CC or BCC list due to where they look for that info.

Darin.

----- Original Message -----
From: Goran Jovanovic
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 9:27 PM
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want), but can you also put in a CC or, better yet, a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe
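Andy's point in the .EML thread above (BCC recipients exist only in the sending server's envelope, never in the headers a receiving server and its scanner can see) can be shown with Python's standard email library. This is an added illustration, not Declude code, and every address in it is constructed. `envelope_recipients` is the list the sending server issues RCPT TO for, `as_transmitted` is the copy that reaches the receiving server once Bcc has been stripped, and `header_recipients` is all a scanner on that server can recover; Patrick's workaround of a second address on the TO: line is modelled too.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Headers that belong to the body encoding; set_content() regenerates them.
CONTENT_HEADERS = ("content-", "mime-version")


def _addresses(msg, *header_names):
    """Flatten the named headers into bare addresses (comma lists included)."""
    raw = []
    for name in header_names:
        raw.extend(str(v) for v in msg.get_all(name, []))
    return [addr for _display, addr in getaddresses(raw) if addr]


def envelope_recipients(msg: EmailMessage) -> list:
    """What the *sending* server issues RCPT TO for: To + Cc + Bcc."""
    return _addresses(msg, "To", "Cc", "Bcc")


def as_transmitted(msg: EmailMessage) -> EmailMessage:
    """The copy handed over in DATA: Bcc and Resent-Bcc are removed first."""
    wire = EmailMessage()
    for name, value in msg.items():
        lowered = name.lower()
        if lowered in ("bcc", "resent-bcc") or lowered.startswith(CONTENT_HEADERS):
            continue
        wire[name] = str(value)
    wire.set_content(msg.get_content())
    return wire


def header_recipients(msg: EmailMessage) -> list:
    """What a scanner on the receiving server can recover from headers alone."""
    return _addresses(msg, "To", "Cc")


def build_notification() -> EmailMessage:
    """Constructed notification in the shape of a BANnotify-style template."""
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"
    # Patrick's workaround: the monitor address is simply appended on TO:,
    # which works precisely because To: is a header every recipient sees.
    m["To"] = "user@example.invalid, helpdesk@example.invalid"
    m["Cc"] = "admin@example.invalid"
    m["Bcc"] = "monitor@example.invalid"  # only the sending server ever sees this
    m["Subject"] = "Email delivery blocked due to file attachment"
    m.set_content("Banned Extension: .pif\n")
    return m


def demo():
    """Return (envelope recipients at the sender, header recipients at the receiver)."""
    m = build_notification()
    return envelope_recipients(m), header_recipients(as_transmitted(m))


if __name__ == "__main__":
    env, seen = demo()
    print("RCPT TO issued by the sending server:", env)
    print("recoverable from headers on the receiving side:", seen)
```

Run it and monitor@example.invalid appears in the first list and not the second: a scanner that builds notifications from the headers it received has nothing to BCC from, which is the constraint Andy describes, while a template that generates a brand-new message (Goran's point) is free to add any header it likes because it is the sender in that case.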
RE: [Declude.Virus] f-prot update script
Take a look at: http://www.declude.com/Articles.asp?ID=100

F-Prot for DOS updater - A batch file that automatically updates F-Prot and its virus definitions (old version here), and a Cygwin version, and a complete .ZIPed version. Finally, a Simple version!

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 9:52 AM
To: 'Declude.Virus@declude.com'
Subject: [Declude.Virus] f-prot update script

Does anyone have an f-prot update script that they wouldn't mind sharing? I have tried one that I found, but never could get it to work. Any help is appreciated.

Thanks,
Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice: 434 - 570 - 1765
Fax: 434 - 572 - 1981
[EMAIL PROTECTED]
RE: [Declude.Virus] Viruses appearing to be getting through...
I also started catching them at 16:21 Eastern Time. Scanner 1 is FPROT.

05/02/2005 16:21:48 Q8BBB4614012AF05F Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=account_info.zip [2] O
05/02/2005 16:21:49 Q8BBB4614012AF05F Scanner 2: Virus= the W32/[EMAIL PROTECTED] Attachment=account_info.zip [2] O

I have the same defs as Bonno:
SIGN.DEF 2-may-2005, 13:32
SIGN2.DEF 2-may-2005, 16:46

Using f-prot 3.16b

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 3:36 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

F-Prot seems to be catching it now as X-Declude-Virus: Detected W32/[EMAIL PROTECTED]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 02, 2005 12:55 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

Mine has the 01:32 PM time stamp and the last update time was at 10:00 AM which is after when I saw the problem, so I would have to say the 01:32 time stamp is the problem one.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, May 02, 2005 11:38 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

F-Prot may have already fixed their pattern file. My current sign.def is timestamped: 05/02/2005 03:53 AM and checking their website and downloading the current version manually shows that the current version is: 05/02/2005 01:32 PM

Can anybody with the issue confirm which pattern file they are using that has the problem?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 11:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Viruses appearing to be getting through...

Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although I have F-Prot updates disabled for now, until they get their problem with HTML/[EMAIL PROTECTED] fixed).

Bill

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

I saw a big bunch about 2 hours ago that were stopped by banned zip extensions.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 10:58 AM
To: Declude.Virus
Subject: [Declude.Virus] Viruses appearing to be getting through...

I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.

05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
[Declude.Virus] How to check VIRUSCODEs
This was originally a thread from the Junkmail list but I am moving it over to the virus list.

> Check your virus log and you may see some code 8 errors in it. Adding viruscode 8 will at least stop them.

How do you see if there are any code 8s in the virus log file? I use F-Prot and McAfee. My viruscodes for F-Prot are 3 and 6 and for McAfee is only 13.

An example of a virus:

04/20/2005 05:03:10 Q1AB803D9008C6B32 MIME file: demo.exe [base64; Length=40800 Checksum=4318001]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Banning file with exe extension [application/x-msdownload].
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: Virus= W32/Plexus.G Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 2: Virus= the MultiDropper-KR trojan !!! Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) are INFECTED [ W32/Plexus.G: 13]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanned: CONTAINS A VIRUS [MIME: 2 40959]
04/20/2005 05:03:10 Q1AB803D9008C6B32 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 213.59.118.9]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Subject: Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...

The only thing that I see that resembles my viruscodes is the line

File(s) are INFECTED [ W32/Plexus.G: 13]

and the 13 in this line is from McAfee (scanner2). I do not see any result from F-Prot (scanner1). I am logging on high. Am I missing something here?

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Tyler Jensen
Sent: Wednesday, April 20, 2005 8:22 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] New Spam or Virus!!

I had something similar over the weekend. Standard zip file. If you are using F-Prot you may want to add VirusCode 8 to the config. This will stop them as Unknown Virus. Check your virus log and you may see some code 8 errors in it. Adding viruscode 8 will at least stop them.

Outside of email NAV was calling it Trojan.Tooso.H and F-Prot was calling it w32/mitglieder.c. I submitted my findings to Declude support earlier in the week and spoke with someone yesterday. Sent the file to him and he said the AVG called it a Bagle of some sort. What is strange is outside of email, f-prot was detecting it. But without viruscode 8, nothing.

Tyler

-- Original Message --
From: Chuck Schick [EMAIL PROTECTED]
Reply-To: Declude.JunkMail@declude.com
Date: Wed, 20 Apr 2005 18:05:08 -0600

Starting to see messages that have a zip attachment with the format 5.zip or 7.zip - I do not know if it is spam or a virus. Anyone else seeing this? Virus scanner is not catching it so I do not know if it is a virus or not.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-Prot 3.16b
Odd - I did not get any notification until last week.

Thanx

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, April 11, 2005 4:11 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot 3.16b

It's not all that new, we have been running it since early March without issue.

Bill

- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, April 11, 2005 12:36 PM
Subject: [Declude.Virus] F-Prot 3.16b

Hi,

Anyone know anything about the new version that just came out?

Goran Jovanovic
The LAN Shoppe
[Declude.Virus] F-Prot 3.16b
Hi,

Anyone know anything about the new version that just came out?

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] Windows Update!
Kami,

What do you do in Global.cfg when an e-mail fails the MS Filter? Subtract a bunch of points?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 6:41 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

Hi Andrew:

We have Microsoft in our spam domains- but the problem is Microsoft sends email from so many different reverse DNS. ISV, MSDN, MSN, Office Newsletter-- all are sent from different providers.

For example: Here is our MS filter:

MINWEIGHTTOFAIL 2
MAILFROM 1 ENDSWITH @microsoft.com
MAILFROM 1 ENDSWITH .microsoft.com
MAILFROM 1 ENDSWITH .arvatousa.net
REVDNS 1 ENDSWITH .microsoft.com
REVDNS 1 ENDSWITH .zomax.com

But I have seen them send from other reverse DNS. So it is not that easy- at least I don't think it is.

These emails are being held at 30+ weight in our system. All these emails will go to a spam folder for the user (under weight 50) and are deleted at 50. I am afraid they can think it is a valid email in their spam folder.. who knows.

I think we should track this one closely.

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Sunday, April 10, 2005 6:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

No, that email address is not valid. Those emails have been easily held over on my system.

You can certainly block that bogus MAILFROM but since the bad guys will continue to change it as they hatch new spoofs, why not split out your SPAMDOMAINS into groups that are likely to be abused, and weight those high enough to meet your HOLD weight?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 12:38 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Windows Update!

Hi;

In the past hour I have seen several emails caught as spam but the weight still not high enough to be deleted with subject: Urgent Windows Update. As everyone (?) knows this is the recent attempt to install a worm on the visitor's computer- there is a link to the Express install and no attachments. The link is an IP address.

I think ClamAV detects such behavior but it is not catching it yet and I just checked the update.

I think for now I created a filter that if the email is from Microsoft and there is an IP address in the body for the email to be blocked.

This one email came from [EMAIL PROTECTED] - I really don't think that is a valid MS address. Anyone know if this is a valid address? Maybe it is worthwhile to block it for now.

This week MS will be releasing some major updates and from what I read this scam was about to be released today.. so it is starting at least on our system.

Regards,
Kami
RE: [Declude.Virus] RAR Support - why not?
Hi Markus,

> Back to the topic: If someone wants I can publish the script-part that moves the D file back to the spool folder and runs smtp32.exe with the associated Q-file so that it will be delivered immediately.

If you were to send me the part or publish it somewhere I would take a crack at integrating it into the ASP script. I used to program so I hope I can figure it out.

In any case thank you for the REQUEUE.ASP script that you did many moons ago.

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] RAR Support - why not?
Andy,

Someone posted on this list a while ago a small ASP page that I am using to requeue a banned file. I send out a bannotify.eml that has the link back to the server with the appropriate file name. The user says "I really really want this file" and clicks on the link. It gets requeued automatically into the spool directory and it is not scanned/banned again and the user gets it within 30 minutes.

I remember that there was some discussion on the list a while ago about having the users authenticate and fill in a form etc. I decided not to bother with that.

I can send you my bannotify.eml and the asp file if you wish. Let me know.

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, January 27, 2005 6:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?

> 1.82 will treat encrypted .RAR files the same as encrypted .ZIP files, and will block banned file extensions in .RAR files the same way as it blocks banned file extensions in .ZIP files.

Beautiful! Now we just need McAfee to scan inside RAR files <G>

(Globally banning zipped .EXE files is not an option for me - I gotta give those customers SOME practical way to send/receive restricted file types.)

Best Regards
Andy
RE: [Declude.Virus] RAR Support - why not?
Hi Andy,

Yes I keep all virus files:

VIRDIR spool\virus

But I have a process that runs every night and cleans out the 6th day of files. That way I only hold 5 days of files. Right now in my spool\virus directory I have 2818 files which is 1409 mail messages. Total space of 27.7 MB. Of course your mail system is MUCH bigger than mine if memory serves me correctly.

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, January 28, 2005 5:05 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?

Hi Goran:

Oh, I've been thinking about just that. However does that mean you hold all virus files? I don't think I could afford the additional disk space (the spool file is already too big as it is.)

Best Regards
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, January 28, 2005 12:48 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?

Andy,

Someone posted on this list a while ago a small ASP page that I am using to requeue a banned file. I send out a bannotify.eml that has the link back to the server with the appropriate file name. The user says "I really really want this file" and clicks on the link. It gets requeued automatically into the spool directory and it is not scanned/banned again and the user gets it within 30 minutes.

I remember that there was some discussion on the list a while ago about having the users authenticate and fill in a form etc. I decided not to bother with that.

I can send you my bannotify.eml and the asp file if you wish. Let me know.

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, January 27, 2005 6:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?

> 1.82 will treat encrypted .RAR files the same as encrypted .ZIP files, and will block banned file extensions in .RAR files the same way as it blocks banned file extensions in .ZIP files.

Beautiful! Now we just need McAfee to scan inside RAR files <G>

(Globally banning zipped .EXE files is not an option for me - I gotta give those customers SOME practical way to send/receive restricted file types.)

Best Regards
Andy
RE: [Declude.Virus] RAR Support - why not?
Darin,

What do you do with the old log files? Do you put them on another machine for processing/analysis/archiving? If you are archiving, how long do you keep the data?

Thanx

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, January 28, 2005 5:15 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] RAR Support - why not?

Notices only go out for banned files. We include a statement that the email will be available to be requeued for x number of days...so automatic processes clean it up if it's unclaimed.

Regarding the space problem, are you moving logs off to another partition on a nightly basis? Between that, automatic cleanup, and zipping old logs ours stays pretty clean.

Darin.

- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 28, 2005 5:05 PM
Subject: RE: [Declude.Virus] RAR Support - why not?

Hi Goran:

Oh, I've been thinking about just that. However does that mean you hold all virus files? I don't think I could afford the additional disk space (the spool file is already too big as it is.)

Best Regards
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, January 28, 2005 12:48 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?

Andy,

Someone posted on this list a while ago a small ASP page that I am using to requeue a banned file. I send out a bannotify.eml that has the link back to the server with the appropriate file name. The user says "I really really want this file" and clicks on the link. It gets requeued automatically into the spool directory and it is not scanned/banned again and the user gets it within 30 minutes.

I remember that there was some discussion on the list a while ago about having the users authenticate and fill in a form etc. I decided not to bother with that.

I can send you my bannotify.eml and the asp file if you wish. Let me know.

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, January 27, 2005 6:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?

> 1.82 will treat encrypted .RAR files the same as encrypted .ZIP files, and will block banned file extensions in .RAR files the same way as it blocks banned file extensions in .ZIP files.

Beautiful! Now we just need McAfee to scan inside RAR files <G>

(Globally banning zipped .EXE files is not an option for me - I gotta give those customers SOME practical way to send/receive restricted file types.)

Best Regards
Andy
[Declude.Virus] F-Prot 3.16 New Exit Codes
Hi All,

There are 2 new Exit Codes for FPCMD.EXE now (9 and 10).

Exit Code 9 indicates that something was unscannable for some sort of reason.
Exit Code 10 indicates that the scanner reached the max depth in the /ARCHIVE=N option.

It seems that we should now be specifying:

VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 9
VIRUSCODE1 10

Thoughts and comments?

From the release notes:

Archive handling has been improved and is now more consistent. Version 3.16 also includes detection against so-called archive bombs, archives that are constructed in such a way that a seemingly innocent file will expand tremendously, consuming all available memory and CPU on the computer. A part of this change is that the scanners now only scan to a certain number of levels. Of particular note is that the Command-Line Scanner (fpcmd.exe) only scans by default to a depth of 5 levels. This can be changed by using the command-line switch /ARCHIVE=N where N can be 1 through 99, or 0 for infinite. If the limit is exceeded then it will exit with a new exit code 10 (some files were not scanned; in this case because maximum archive level was reached). The OnDemand Scanner scans an infinite number of levels by default but this behaviour can be changed using the same command-line switch. The RealTime Protector scans to a depth of one level by default.

Another new exit code has been added to the OnDemand Scanner and the Command-Line Scanner, exit code 9. This exit code indicates that some files were not scanned, e.g., encrypted files, because of unsupported/unknown compression methods, because of unsupported/unknown file formats, corrupted or invalid files.

Both exit code 9 and 10 indicate that some files were not scanned and, therefore, they can not be guaranteed to be clean. The difference between them is that if exit code 10 occurs then some settings can be changed (e.g., increase the maximum allowed archive depth) and the scanner might be able to scan the file. If, however, exit code 9 occurs then the scanner is not able to scan the file.

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] F-Prot Update Problems
Well if you get an answer to this personally can you please share? :)

Thanx

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Wednesday, September 08, 2004 5:12 AM
To: [EMAIL PROTECTED]
Cc: FRISK Tech Support
Subject: Re: [Declude.Virus] F-Prot Update Problems

Hi,

>> I am running F-Prot 3.15a (this was also happening with 3.15). When I installed I also installed the Scheduler and Updater. Now the Scheduler is running as a service and has been told to update the definitions every 4 hours. This works a lot of the time but sporadically the Updater ends up with an error message on the screen that I was not able to reach the Internet and it is waiting for a click. At this point no more Updates are run until you click (not good).
>> []
> I haven't seen that problem in my server. Occasionally I see it in my personal pc that runs f-prot, but when I double check I just realize that I actually don't have an internet connection. Perhaps it is a problem with your network card that is sporadically down, or your internet is not being very stable lately.

Nope, I have *seen* this problem happen on my mailserver, while I was doing some maintenance unrelated to this problem. The server is 100% of the time connected to the internet and was sending/receiving mail at the time. However, right after the click I restarted the update manually and noticed it got an update. So MAYBE there is a problem with the update routine when the servers are in the process of being updated themselves and don't accept connections, or something like it.

Hmmm I think I'll CC this to [EMAIL PROTECTED]

Greetings,
Bonno Bloksma
RE: [Declude.Virus] F-Prot Update Problems
I think mine is scheduled at 37 minutes after the hour. I saw that comment on the Frisk site.

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Fritz Squib
Sent: Wednesday, September 08, 2004 9:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-Prot Update Problems

Are you scheduling updates on the hour or at a few minutes after? Try setting the scheduler for x minutes after the hour to avoid the heavier traffic.

See http://www.f-prot.com/support/windows/fpwin_faq/47.html

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
[Declude.Virus] JS/Zerolin
Hi,

I am seeing my McAfee scanner catch these JS/Zerolin viruses but FProt (3.15a) does not see them at all. Does anyone know why that might be?

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] JS/Zerolin
Scott,

What is interesting is that I do not get the warning message that you get! What version of F-Prot are you using? Declude? I am using 1.79i8

09/07/2004 01:55:09 Q4d2710a401bcc5b2 MIME file: [text/html][quoted printable; Length=1452 Checksum=129510]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Scanner 2: Virus= the JS/Zerolin trojan !!! Attachment= [2] O
09/07/2004 01:55:10 Q4d2710a401bcc5b2 File(s) are INFECTED [ the JS/Zerolin trojan !!!: 13]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Scanned: CONTAINS A VIRUS [MIME: 2 1718]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 218.13.55.73]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Subject: appointment reminder

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, September 07, 2004 5:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] JS/Zerolin

Like you, AVG and F-Prot don't catch them here but Virusscan does. Declude Virus does toss out a warning:

Warning: file#=224 (0224.js ... )

Also seems to be a dictionary type attack given the recipients' names.

09/05/2004 11:08:01 Q39d809bf029cc654 MIME file: [text/html][quoted-printable; Length=2086 Checksum=144666]
09/05/2004 11:08:01 Q39d809bf029cc654 Found potentially dangerous stuff in D:\IMail\spool\D39d809bf029cc654.vir\0.!
09/05/2004 11:08:02 Q39d809bf029cc654 Warning: file#=224 (0224.js ... )
09/05/2004 11:08:02 Q39d809bf029cc654 Scanner 3: Virus= the JS/Zerolin trojan !!! Attachment=[Unknown: Err] [26] O
09/05/2004 11:08:02 Q39d809bf029cc654 File(s) are INFECTED [ the JS/Zerolin trojan !!!: 13]
09/05/2004 11:08:02 Q39d809bf029cc654 Scanned: CONTAINS A VIRUS [MIME: 2 2344]
09/05/2004 11:08:02 Q39d809bf029cc654 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 203.200.31.7]
09/05/2004 11:08:02 Q39d809bf029cc654 Subject: submissions end september 28th - Sun, 05 Sep 2004 14:05:50 -0200

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 09/07/04 04:26PM >>>
Hi,

I am seeing my McAfee scanner catch these JS/Zerolin viruses but FProt (3.15a) does not see them at all. Does anyone know why that might be?

Goran Jovanovic
The LAN Shoppe
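Three threads in this archive ask the same question of the Declude virus log: which scanner number actually flagged a message (the "How to check VIRUSCODEs" thread), why one scanner fired while another stayed silent (the JS/Zerolin thread above), and which messages went out as "Virus Free" with an archive attached (the "Viruses appearing to be getting through" thread). The script below is an added example, not Declude's tooling and not code posted by anyone on the list. It parses the per-message log line formats quoted in those threads and answers the three questions over a constructed sample log built from the quoted excerpts (addresses and the bracketed numbers after the attachment are left uninterpreted, because the threads themselves do not say what the bracketed numbers mean). The assumption that three scanners are configured is only for the sample; pass your own scanner numbers to coverage_gaps().

```python
"""Triage helper for Declude Virus log lines (added example; not Declude's own tooling).

Groups the per-message log lines quoted in the threads by queue id and reports scanner
coverage, attachment-name errors and "Virus Free" verdicts on archive attachments.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One log line: date, time (may carry milliseconds), queue id, event text.
LINE_RE = re.compile(r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>[\d:.]+) (?P<qid>Q\w+) (?P<event>.*)$")
# Event shapes taken from the excerpts quoted in this archive.
MIME_RE = re.compile(r"^MIME file: (?P<name>.*?)\[[^\[]*Length=(?P<length>\d+) Checksum=\d+\]$")
BAN_RE = re.compile(r"^Banning file with (?P<ext>\S+) extension")
# The bracketed number after the attachment is matched but not interpreted.
SCANNER_RE = re.compile(r"^Scanner (?P<n>\d+): Virus=\s*(?P<virus>.*?) Attachment=(?P<att>.*?) \[\d+\] O$")
INFECTED_RE = re.compile(r"^File\(s\) are INFECTED \[ ?(?P<virus>.*): (?P<code>\d+)\]$")
VERDICT_RE = re.compile(r"^Scanned: (?P<verdict>.*?) \[MIME: ")


@dataclass
class Message:
    qid: str
    attachments: List[Tuple[str, int]] = field(default_factory=list)  # (name, length in bytes)
    banned_exts: List[str] = field(default_factory=list)
    hits: Dict[int, Tuple[str, str]] = field(default_factory=dict)   # scanner no. -> (virus, attachment)
    infected_code: Optional[int] = None   # code Declude logs on the INFECTED line
    verdict: Optional[str] = None         # "CONTAINS A VIRUS", "Virus Free", ...


def parse_log(text: str) -> Dict[str, Message]:
    """Group log lines by queue id; events of an unknown shape are skipped."""
    messages: Dict[str, Message] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = messages.setdefault(m["qid"], Message(m["qid"]))
        event = m["event"]
        if (e := MIME_RE.match(event)):
            msg.attachments.append((e["name"].strip(), int(e["length"])))
        elif (e := BAN_RE.match(event)):
            msg.banned_exts.append(e["ext"])
        elif (e := SCANNER_RE.match(event)):
            msg.hits[int(e["n"])] = (e["virus"], e["att"])
        elif (e := INFECTED_RE.match(event)):
            msg.infected_code = int(e["code"])
        elif (e := VERDICT_RE.match(event)):
            msg.verdict = e["verdict"]
    return messages


def detections_per_scanner(messages: Dict[str, Message]) -> Dict[int, int]:
    """How many messages each scanner number flagged."""
    counts: Dict[int, int] = defaultdict(int)
    for msg in messages.values():
        for n in msg.hits:
            counts[n] += 1
    return dict(counts)


def coverage_gaps(messages: Dict[str, Message], configured=(1, 2, 3)) -> Dict[str, List[int]]:
    """For each flagged message, the configured scanners that stayed silent. A scanner that is
    always listed here is behind on definitions or returns an exit code not in its VIRUSCODE list."""
    return {qid: sorted(set(configured) - set(msg.hits))
            for qid, msg in messages.items()
            if msg.hits and set(configured) - set(msg.hits)}


def attachment_errors(messages: Dict[str, Message]) -> List[str]:
    """Messages where a scanner hit but Declude could not name the attachment ([Unknown: Err])."""
    return sorted(qid for qid, msg in messages.items()
                  if any(att.startswith("[Unknown") for _, att in msg.hits.values()))


def clean_archives(messages: Dict[str, Message], exts=(".zip", ".rar")) -> List[str]:
    """Messages passed as Virus Free that carried an archive: the ones to re-check when a new
    worm is ahead of the definitions, as in the May 2005 thread."""
    return sorted(qid for qid, msg in messages.items()
                  if msg.verdict == "Virus Free"
                  and any(name.lower().endswith(exts) for name, _ in msg.attachments))


# Constructed sample: the excerpts quoted in this archive, addresses removed.
SAMPLE_LOG = """
04/20/2005 05:03:10 Q1AB803D9008C6B32 MIME file: demo.exe [base64; Length=40800 Checksum=4318001]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Banning file with exe extension [application/x-msdownload].
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: Virus= W32/Plexus.G Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 2: Virus= the MultiDropper-KR trojan !!! Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) are INFECTED [ W32/Plexus.G: 13]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanned: CONTAINS A VIRUS [MIME: 2 40959]
09/07/2004 01:55:09 Q4d2710a401bcc5b2 MIME file: [text/html][quoted printable; Length=1452 Checksum=129510]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Scanner 2: Virus= the JS/Zerolin trojan !!! Attachment= [2] O
09/07/2004 01:55:10 Q4d2710a401bcc5b2 File(s) are INFECTED [ the JS/Zerolin trojan !!!: 13]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Scanned: CONTAINS A VIRUS [MIME: 2 1718]
09/05/2004 11:08:02 Q39d809bf029cc654 Warning: file#=224 (0224.js ... )
09/05/2004 11:08:02 Q39d809bf029cc654 Scanner 3: Virus= the JS/Zerolin trojan !!! Attachment=[Unknown: Err] [26] O
09/05/2004 11:08:02 Q39d809bf029cc654 File(s) are INFECTED [ the JS/Zerolin trojan !!!: 13]
09/05/2004 11:08:02 Q39d809bf029cc654 Scanned: CONTAINS A VIRUS [MIME: 2 2344]
05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
"""

if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    print("detections per scanner:", detections_per_scanner(msgs))
    print("scanners silent on a flagged message:", coverage_gaps(msgs))
    print("attachment name errors:", attachment_errors(msgs))
    print("Virus Free with archive attached:", clean_archives(msgs))
```

Run it against a real virus log by replacing SAMPLE_LOG with the file contents; "Warning:" and "Found potentially dangerous stuff" lines are skipped, so the counts reflect only the scanner result lines. A scanner that shows up in every coverage_gaps() entry while its definitions are current is the case Goran describes: it is returning an exit code that is not in its VIRUSCODE list, so Declude never records a hit for it.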
[Declude.Virus] F-Prot Update Problems
I am running F-Prot 3.15a (this was also happening with 3.15). When I installed I also installed the Scheduler and Updater. Now the Scheduler is running as a service and has been told to update the definitions every 4 hours.

This works a lot of the time, but sporadically the Updater ends up with an error message on the screen that it was not able to reach the Internet, and it is waiting for a click. At this point no more Updates are run until you click (not good).

I tried running the updater.exe /internet /quit command from a batch file, but I found that it also seemed to get the same problem occasionally. Now I am not sure if it was the updater batch file or if the scheduler was creating the problem. When I was running the batch file (via Windows Task Scheduler) I had tried to disable the scheduler, but it always seemed to want to run even if I told it not to run on startup.

For you folks out there using the 3.15(a) version, are you seeing the same problems or not? Any help on this would be appreciated.

Thanx

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] Blocking the files in mydoom /Archive=3
I just checked my version 3.14e and indeed it is able to accept the /archive=3 parameter even though the help option does not show that as a valid option:

C:\Test>q:\progra~1\fsi\f-prot\fpcmd /?
Usage: f-prot [drive, file or directory] [options]
-ai        Enable neural-network virus detection.
-append    Append to existing report file.
-archive   Scan inside .ZIP and .ARJ files.

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Rick Davidson
Sent: Tuesday, July 27, 2004 11:23 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Blocking the files in mydoom /Archive=3

Correct, if you do not use that option F-Prot will only search one level; that option tells F-Prot to search zips within zips. I think you need Version 3.14e or better to use this option.
/Archive=2 will catch the current mydoom variants.
/Archive=3 will search a third level if it exists.
You can easily test this with the eicar test file.

Rick Davidson
National Systems Manager
North American Title Group

----- Original Message -----
From: Jim Matuska [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 11:12 AM
Subject: Re: [Declude.Virus] Blocking the files in mydoom /Archive=3

Scott,

Can I get a clarification on this /Archive=3 option. Should we be setting this option? If we don't, will F-Prot not see past the first zip file? If we do set the 3, will it let us pick up viruses in the second or 3rd zip file?

Jim Matuska Jr.
Computer Tech II, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

----- Original Message -----
From: Goran Jovanovic [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 26, 2004 4:33 PM
Subject: RE: [Declude.Virus] Blocking the files in mydoom

For F-Prot do you need the /ARCHIVE parameter to scan zip within zip, or do you need the /ARCHIVE=3 option? I checked the help on the fpcmd command and there is no indication that /ARCHIVE takes any options.
Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, July 26, 2004 7:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Blocking the files in mydoom

Scott,

Thanks for the clarifications. I have the latest definitions from both McAfee and F-Prot, and I have F-Prot set to scan 3 deep into zips. I have dozens of these files in my spam capture account. It seems however that many of the more recent ones are very small files on the order of just 2K, and I would imagine that these are damaged payloads and that's why they are passing through Declude Virus with F-Prot and McAfee.

My real issue though is that my logs show absolutely no indications of MyDoom.O. I fear that I have no protection against this virus, and I fear that there is an issue with the detection of double-zips. I am definitely seeing double zips.

Matt

R. Scott Perry wrote:

> Please excuse me, but I'm having trouble figuring out exactly what is going on here. It sounds like this virus is double-zipping files, and that this technique is tricking the virus scanners. Is that correct?

McAfee is reporting that *some* copies are being double-zipped (a .ZIP file within a .ZIP file). I'm not aware of any virus scanners that will be fooled by that. I'm guessing only a very small percentage are double-zipped.

> If so, BANZIPEXTS, which will by default ban double-zips in addition to other banned extensions, is presumably the best work-around? If not that, then custom filters in Declude?

All BANZIPEXTS does is check to see if the .ZIP file has a file in it with an extension that you ban, and if so, it will ban it. BANZIPEXTS doesn't check .ZIP files within .ZIP files.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

--
=====
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====
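To make concrete what the thread says about F-Prot's archive level and about BANZIPEXTS only looking one level down, here is an added example (not code from the list, from F-Prot or from Declude) that builds zip-in-zip samples and reports the nesting level at which a banned extension first appears. The level numbering, with the outer zip's members at level 1, and the banned-extension list are assumptions made for the example.

```python
"""Added example: how deep does a banned file sit inside nested zips, and would a
scanner limited to N archive levels (F-Prot /ARCHIVE=N as described in the thread)
reach it? Level numbering is an assumption: members of the outer zip are level 1."""
import io
import zipfile
from typing import Iterator, Optional, Set, Tuple

# Constructed list for the example; a real Declude BANEXT list is site-specific.
BANNED_EXTS = {"exe", "com", "pif", "scr", "vbs"}

# Constructed stand-in for an executable: an "MZ" header plus filler, nothing runnable.
FAKE_EXE = b"MZ" + b"\x00" * 62


def nested_zip(inner_name: str, inner_data: bytes, depth: int) -> bytes:
    """Wrap inner_data in `depth` zip layers (1 = plain zip, 2 = zip-in-zip, ...)."""
    data, name = inner_data, inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{level + 1}.zip"
    return data


def walk_zip(data: bytes, level: int = 1) -> Iterator[Tuple[int, str, bool]]:
    """Yield (level, member name, encrypted) for every member, descending into nested zips.

    Encrypted members are reported but not opened, which mirrors the thread's point that
    a scanner without the password cannot look inside an encrypted zip.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            yield level, info.filename, encrypted
            if encrypted:
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                yield from walk_zip(member, level + 1)


def extension_of(name: str) -> str:
    """Lower-cased last extension of a member name, ignoring any directory part."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def first_banned_level(data: bytes, banned: Set[str] = BANNED_EXTS) -> Optional[int]:
    """Shallowest nesting level holding a banned extension, or None if there is none."""
    for level, name, _encrypted in walk_zip(data):
        if extension_of(name) in banned:
            return level
    return None


def visible_to_scanner(data: bytes, archive_levels: int,
                       banned: Set[str] = BANNED_EXTS) -> bool:
    """True if a scanner that descends `archive_levels` deep would reach the banned file."""
    level = first_banned_level(data, banned)
    return level is not None and level <= archive_levels


if __name__ == "__main__":
    for depth in (1, 2, 3):
        sample = nested_zip("setup.exe", FAKE_EXE, depth)
        print(f"depth {depth}: banned file at level {first_banned_level(sample)}; "
              f"seen with 1 level? {visible_to_scanner(sample, 1)}, "
              f"with 3 levels? {visible_to_scanner(sample, 3)}")
```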
RE: [Declude.Virus] New Virus?
Hi Jeff,

I just got one of these as well with our domain.com.zip and inside it was a domain.com.htm.(a lot of spaces).com

My winzip would not extract it to the desktop. Neither F-Prot nor McAfee on the e-mail server found it, and my desktop Symantec v9 did not find it either.

Bad news

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Jeff Maze
Sent: Monday, July 26, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] New Virus?

Anyone hear of this one? It just popped in on an old e-mail account I reactivated for SPAM testing/control/rule building. There was an attachment named %domain%.com.zip (e.g. declude.com.zip). Is it a new variant?
RE: [Declude.Virus] New Virus?
Scott,

Do you want a copy of it? If so, to what address?

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, July 26, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New Virus?

> Anyone hear of this one? It just popped in on an old e-mail account I reactivated for SPAM testing/control/rule building. There was an attachment named %domain%.com.zip (e.g. declude.com.zip). Is it a new variant?

It seems to be a new virus/variant. People are going to open it because it looks to them like a domain name (example.com) rather than a filename (puppy.com).

-Scott
RE: [Declude.Virus] BanNotify Problem
I did not think that I had another scanner in the way, but now I am going to have to go back and check further. Thank you for the explanation.

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Dan Horne
Sent: Friday, July 23, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] BanNotify Problem

It would seem that in your setup, before Declude processes the message, it gets sent to another program for processing (possibly on a gateway server, or another antivirus program on the same server).

1) From your setup, Declude shouldn't have banned the first message, and it didn't (AFAIK, Declude doesn't strip attachments, it holds the entire email).
2) The second one seems to have had the EXE stripped out of the zip file, which as before, Declude doesn't strip attachments, it blocks them. When the exe was stripped out, it broke the zip file, therefore you got the vulnerability.
3) Your first scanner apparently doesn't have the ability to scan inside encrypted zips, so it let the last one pass, but Declude blocked it correctly.

Dan Horne

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, July 22, 2004 4:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BanNotify Problem

Goran,

Are you running any other software or hardware that might be inspecting these messages? The EXE response doesn't seem very Declude'ish.

Matt

Goran Jovanovic wrote:

I have Virus Pro latest interim release 179i8. I have BANEXT EXE and BANEXT EZIP in my config file. I do not have BANEXT ZIP, BANZIPEXT nor BANEZIPEXTS. I have a bannotify.eml file in my \imail\declude directory.

So I sent a couple of tests:

EXE only attachment: I did NOT get my bannotify message. I got the following appended to my email:
File attachment: MarchBreak2004infoflyer.exe
The file attached to this email was removed because the file name is not allowed.
EXE in a ZIP file: I got a Vulnerability Alert message telling me that I had the Outlook Vulnerability [Invalid ZIP Vulnerability]. This should have got through.

EXE in an encrypted ZIP: I actually got my BANNOTIFY on this one.

Why did the EXE only not send me the BANNOTIFY? Why did the EXE in a ZIP send me a vulnerability message?

Thanx

Goran Jovanovic
The LAN Shoppe
[Declude.Virus] Extra the in the log file
Hi,

I am seeing an extra "the" in the vir*.log files:

07/22/2004 11:56:03 Qe38302800104c34d Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=me.zip [2] O
07/22/2004 11:56:05 Qe38302800104c34d Scanner 2: Virus= the W32/[EMAIL PROTECTED] Attachment=me.zip [2] O

After the "Scanner 1: Virus=" it has the name of the virus. After the "Scanner 2: Virus=" it has an extra "the" and then the name of the virus.

Scanner 1 is F-Prot
Scanner 2 is McAfee

Any reason why?

Goran Jovanovic
The LAN Shoppe
[Declude.Virus] BanNotify Problem
I have Virus Pro latest interim release 179i8. I have BANEXT EXE and BANEXT EZIP in my config file. I do not have BANEXT ZIP, BANZIPEXT nor BANEZIPEXTS. I have a bannotify.eml file in my \imail\declude directory.

So I sent a couple of tests:

EXE only attachment: I did NOT get my bannotify message. I got the following appended to my email:
File attachment: MarchBreak2004infoflyer.exe
The file attached to this email was removed because the file name is not allowed.

EXE in a ZIP file: I got a Vulnerability Alert message telling me that I had the Outlook Vulnerability [Invalid ZIP Vulnerability]. This should have got through.

EXE in an encrypted ZIP: I actually got my BANNOTIFY on this one.

Why did the EXE only not send me the BANNOTIFY? Why did the EXE in a ZIP send me a vulnerability message?

Thanx

Goran Jovanovic
The LAN Shoppe
[Declude.Virus] Odd directories under \spool
Scott,

Looking at my imail\spool directory I have found three directories, all created July 1 within an hour of each other:

D79d0001f02001d77.vir
D79d70007023a1d91.vir
D89d4299a010aa32a.vir

All of them have a report.txt with info from McAfee on doing a virus scan. I assume it is safe to delete these directories, but my question would be why did they get left behind.

Thanx

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] virus increment
Wow, a picture is really worth thousands of words. Seeing those stats as a coloured graph is very informative. Maybe one day I will get there :) for now I am going to attempt something simpler.

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Wednesday, June 23, 2004 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] virus increment

> Ahh and here I thought that you would have some sort of fancy program that would do this.

Yes, some vbscripts, but they wouldn't run out of the box on your system. These scripts are part of our CRM and read/write data from a big database. It would take some hours to prepare them for public distribution and additional hours to adapt them to your own needs.

Attached you can see one of the resulting diagrams.

Markus
RE: [Declude.Virus] MacAfee Error
I was just thinking about adding McAfee as the second scanner to F-Prot and now I am rethinking that idea. :(

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Jonathan
Sent: Wednesday, June 16, 2004 9:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MacAfee Error

I think we're seeing something as well -- in fact, I think McAfee's failure is causing declude to eat the mail .. somehow. :\

Jonathan

At 07:43 PM 6/16/2004, you wrote:

> 06/16/2004 16:25:59 Qbada003b03f8f42d Error -1 in virus scanner 2.
>
> All of a sudden I am getting this error in McAfee. I did not change anything. Any one know what this means?

Someone else reported an issue today with the McAfee virus definitions causing a crash within McAfee -- you may want to revert to the previous definitions, or download the latest ones.

-Scott
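The vir*.log lines quoted in the "Extra the in the log file", JS/Zerolin and MacAfee Error threads share one format. As an added example (not code from the list or from Declude), here is a parser for that format that normalises the virus names so two scanners' verdicts on the same message can be compared, and that surfaces the two conditions these threads worry about: "Error -1 in virus scanner N" (the failure that was losing mail) and Attachment=[Unknown: Err]. The sample lines are constructed to match the quoted layout; the virus names in them are placeholders.

```python
"""Added example: parse Declude vir*.log scanner lines, normalise names, flag errors.
The SAMPLE_LOG below is constructed to match the format quoted on the list."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) "
                     r"(?P<qid>Q[0-9a-f]+) (?P<msg>.*)$")
DETECT_RE = re.compile(r"^Scanner (?P<n>\d+): Virus= (?P<virus>.+?) Attachment=(?P<att>.*?) "
                       r"\[(?P<code>\d+)\] (?P<flag>\S)$")
ERROR_RE = re.compile(r"^Error (?P<code>-?\d+) in virus scanner (?P<n>\d+)\.?$")

# Constructed sample; "W32/Sample@MM" is a placeholder name, not a real detection.
SAMPLE_LOG = """\
07/22/2004 11:56:03 Qe38302800104c34d Scanner 1: Virus= W32/Sample@MM Attachment=me.zip [2] O
07/22/2004 11:56:05 Qe38302800104c34d Scanner 2: Virus= the W32/Sample@MM Attachment=me.zip [2] O
09/05/2004 11:08:02 Q39d809bf029cc654 Scanner 3: Virus= the JS/Zerolin trojan !!! Attachment=[Unknown: Err] [26] O
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Scanner 2: Virus= the JS/Zerolin trojan !!! Attachment= [2] O
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Subject: appointment reminder
06/16/2004 16:25:59 Qbada003b03f8f42d Error -1 in virus scanner 2.
"""


@dataclass
class ScanEvent:
    qid: str
    scanner: int
    virus: Optional[str] = None          # normalised name; None for scanner errors
    attachment: Optional[str] = None
    attachment_error: bool = False       # Declude could not name the file: [Unknown: Err]
    scanner_error: Optional[int] = None  # code from "Error N in virus scanner M"


def normalise_virus_name(name: str) -> str:
    """Drop the extra leading "the " McAfee's output adds, and trailing "!!!" noise."""
    name = name.strip()
    if name.lower().startswith("the "):
        name = name[4:]
    return name.rstrip("! ").strip()


def parse_log(lines: Iterable[str]) -> List[ScanEvent]:
    """Keep only scanner verdicts and scanner errors; other log lines are ignored."""
    events: List[ScanEvent] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        d = DETECT_RE.match(msg)
        if d:
            att = d.group("att")
            events.append(ScanEvent(qid=qid, scanner=int(d.group("n")),
                                    virus=normalise_virus_name(d.group("virus")),
                                    attachment=att,
                                    attachment_error=(att == "[Unknown: Err]")))
            continue
        e = ERROR_RE.match(msg)
        if e:
            events.append(ScanEvent(qid=qid, scanner=int(e.group("n")),
                                    scanner_error=int(e.group("code"))))
    return events


def scanner_errors(events: List[ScanEvent]) -> List[Tuple[str, int, int]]:
    """(queue id, scanner number, error code) for each scanner failure: worth an alert,
    since the thread reports mail being lost while McAfee was crashing."""
    return [(ev.qid, ev.scanner, ev.scanner_error)
            for ev in events if ev.scanner_error is not None]


def per_scanner_summary(events: List[ScanEvent]) -> Dict[int, Dict[str, int]]:
    """Detections, errors and unnamed-attachment detections per scanner slot."""
    summary: Dict[int, Dict[str, int]] = defaultdict(
        lambda: {"detections": 0, "errors": 0, "attachment_errors": 0})
    for ev in events:
        if ev.scanner_error is not None:
            summary[ev.scanner]["errors"] += 1
        else:
            summary[ev.scanner]["detections"] += 1
            if ev.attachment_error:
                summary[ev.scanner]["attachment_errors"] += 1
    return dict(summary)


def names_by_queue(events: List[ScanEvent]) -> Dict[str, Set[str]]:
    """Normalised names per message: one name means the scanners agree on the sample."""
    names: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.virus:
            names[ev.qid].add(ev.virus)
    return dict(names)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    print(per_scanner_summary(evs))
    print(scanner_errors(evs))
    print(names_by_queue(evs))
```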
RE: [Declude.Virus] Virus bypassing newer MX records
Andy,

> You ARE aware that there are well-documented situations where Imail can get messages past Declude - so they never show up in the Declude logs? This may have been fixed in the latest Imail 8 fixes - but I don't know this for certain.

Where would I find this documented?

Goran Jovanovic
The LAN Shoppe
[Declude.Virus] What is Partial Vulnerability on a PDF
Declude Virus and F-Prot reported X-Declude-Virus: Detected [Partial Vulnerability]. This is an e-mail that has been cut into 5 parts and it has a PDF attached to it.

--=_NextPart_000_0019_01C4494C.0AFFE0A0
Content-Type: application/octet-stream; name=Report.pdf
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Report.pdf

We stopped the 5 e-mails, but why would it have triggered on a PDF file? Also, how does the client put the PDF back together???

Thanx

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] What is Partial Vulnerability on a PDF
I guess it would be nice to say:

BANPARTIAL EXE
BANPARTIAL COM
BANPARTIAL VBS
Etc

I don't think a PDF can be infected, but then again you never know, so maybe. In any case it is almost a damned if you do, damned if you don't.

Thanx

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, June 03, 2004 3:28 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] What is Partial Vulnerability on a PDF

Goran,

Outlook/Outlook Express allows a sender to split messages over a certain size into multiple attachments. Messages of this type can bypass virus scanning and therefore represent a vulnerability. I have however personally determined that because it is so easy to turn on, and because I have yet to find any viruses that are currently exploiting this flaw, that it is better to leave it off for now rather than comb over my hold file looking for such messages and alerting those that are set up for this.

Scott does provide a switch for your Virus.cfg that can turn this off with the following:

BANPARTIALOFF

I don't feel that this is a set it and forget it type of setting, so use at your own risk, and keep your eyes and ears peeled for exploits in the event that a virus does start exploiting the flaw. Thankfully the trickery has gone down since they arrested that German teenager :)

Matt

Goran Jovanovic wrote:

> Declude Virus and F-Prot reported X-Declude-Virus: Detected [Partial Vulnerability]. This is an e-mail that has been cut into 5 parts and it has a PDF attached to it.
>
> --=_NextPart_000_0019_01C4494C.0AFFE0A0
> Content-Type: application/octet-stream; name=Report.pdf
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=Report.pdf
>
> We stopped the 5 e-mails, but why would it have triggered on a PDF file? Also, how does the client put the PDF back together???
>
> Thanx
>
> Goran Jovanovic
> The LAN Shoppe
RE: [Declude.Virus] What is Partial Vulnerability on a PDF
Yes, I looked again and you are right. So Declude would have to keep track of e-mail to e-mail, and possibly out of sequence, and different clients marking the split stuff in different ways. An On/Off switch is the way to go (unfortunately).

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, June 03, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] What is Partial Vulnerability on a PDF

I think the problem is that, while the extension may show up in one of the 5, it would not be in all 5 and therefore not an accurate test.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.Virus] Notification for forwarded messages
Doug,

How do you deal with IIS and IMail web servers both running on the same box and both wanting port 80? I have broken up iissocketpooling in the past, but it requires 2 IP addresses to work. Is that what you have done, or are you running one on a non standard port?

Thanx

-----Original Message-----
From: Douglas Cohn [EMAIL PROTECTED]
Date: Fri, 28 May 2004 12:28:22
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Notification for forwarded messages

We do this as well using Vbscript only. It does exactly what you do. Anytime a virus is quarantined an email with a link to the file is sent to the recipient with a warning of the dangers involved in retrieving the files. We then delete everything over 5 days old to avoid getting too many files in the virus dir. We also require IIS to be running. It was written by an ISP that uses it on his shared IMAIL server. He deletes them in 2 days.

===== You add this to the recip.eml =====

If you would like a copy of the infected email please follow the link below AT YOUR OWN RISK!!!
http://serverwithvirus.com:port/declude.asp?msgid=%QUEUENAME%
REMEMBER IT IS AN INFECTED EMAIL. The email will be deleted in 5 days.

The declude.asp file:

<%@ Language="JScript" %>
<%
// The page directive above and the string quotes were masked by the list archive and are
// restored here; paths and logic are as posted.
var virusdir = "c:\\imail\\spool\\virus\\";    // where Declude quarantines infected messages
var spooldir = "c:\\imail\\spool\\";           // IMail spool: files moved here get delivered
var file = "" + Request.QueryString("msgid");  // %QUEUENAME% from the notification link
file = file.substr(1);                          // drop the leading letter; D/Q are re-added below

// Added check (not in the original post): accept only a hex queue id, so a crafted msgid
// such as "..\" cannot make the script move files from outside the virus directory.
if (!/^[0-9A-Fa-f]+$/.test(file)) {
    Response.Write("Invalid message id.");
} else {
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    if (fso.FileExists(virusdir + "D" + file)) {
        fso.MoveFile(virusdir + "D" + file, spooldir + "D" + file);  // D = message data file
        fso.MoveFile(virusdir + "Q" + file, spooldir + "Q" + file);  // Q = queue file
        Response.Write("Please check your e-mail in a few minutes for the virus infected message you requested.");
    }
}
%>

Very simple as well.
Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Davidson
Sent: Friday, May 28, 2004 11:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Notification for forwarded messages

I have written a simple app using ASP and PERL that will move the quarantined file from the virus directory back to the spool for delivery. It requires IIS to run on the same box as Imail; I run gateway servers so it is a bit easier for me. I include the spool name and a link to the gateway server that held the file in the BanNotify message; the user copies the file name and pastes it into a text box on the ASP page, and clicking submit sends it to the PERL script which moves the file back to the spool. I then intercept all notifications for banned files that I don't want them retrieving, such as mpegs and mp3s.

Works great. I don't mind sharing the code if anyone wants it.

Rick Davidson
National Systems Manager
North American Title Group

----- Original Message -----
From: Hermann Strassner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 28, 2004 6:39 AM
Subject: [Declude.Virus] Notification for forwarded messages

Hello!

We block ZIPs and some executable extensions and want to leave it this way. Because some folks need to send them, we have to check the quarantined files (for viruses) and forward the mails without viruses manually. Is there a way to inform the user that his mail is now forwarded? Alternatively, is it possible for the user to answer to the automatically generated mail and forward the mail by himself? Is it possible somehow?

I think of it as follows: User sends email with ZIP, gets a notification, answers to the notification with YES or something like that, Declude sees it and forwards this email. I think this is enough to make sure the user sends the email intentionally.

Hermann

Goran Jovanovic
The LAN Shoppe
O: (416) 440-1167 x-2113
C: (416) 931-0688
E: [EMAIL PROTECTED]
Sent from my Wireless Blackberry
RE: [Declude.Virus] BANnotify.eml

Yes, this all makes sense. Now I think that what I would do is to send to both recipient and sender to inform them of the situation. So I would need to do something like this in the bannotify.eml:

To: %MAILFROM%,%ALLRECIPS%

Can I send to multiple like this? Is the delimiter a ","?

Thanx

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, May 26, 2004 12:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BANnotify.eml

bannotify.eml is the only template used for banned extensions or banned file names. You can customize this file to be sent to anyone that you wish. Note that this will only get sent if a banned extension or banned file name is detected AND Declude Virus doesn't detect a vulnerability or your virus scanner doesn't detect an infection. The incidence of this being sent should be less than 1% of all Declude Virus blocked messages, and most will be the result of encoded zip files if you are configured for that (currently that can't be turned off).

The general thought for this is to bounce back to the %MAILFROM% instead of to the recipient, so you can inform the sender that they have sent a type of file that is not accepted on your server, and give them instructions as to how to send the file in a way that passes your system (such as zipping up executables). If it wasn't for banned file names and encrypted archives being bounced, there would hardly be any of these sent out, and I expect that resolving that is high on Scott's list of enhancements, so the condition is hopefully temporary.

If you send these notices to local users, you might run the risk of having them tell you to turn them off for their account, in which case they might not realize that a legitimate message was blocked.

Maybe that all makes sense?

Matt

Goran Jovanovic wrote:

> Hi,
>
> The documentation shows that the bannotify.eml file sends mail back to %MAILFROM%. Can I just modify this to send mail to %ALLRECIPS% instead, or is there another .eml file that I should be using to inform the recipient that a banned attachment was dropped?
>
> Thanx
>
> Goran Jovanovic
> The LAN Shoppe

--
==========
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
==========
RE: [Declude.Virus] Good list of SKIPIFVIRUSNAMEHAS

> Actually, those should be sender.eml and otherpostmaster.eml (Declude doesn't use any .txt files).

Yes, I was just quoting the web site since I could not look at the eml files online :)

> > Can I still send out notifications for the Vulnerability?
>
> It would be possible, but strongly discouraged, as you'll end up becoming a spammer by doing so.

The only notifications that I would be sending out would be to the recipient and not to the sender or the postmaster of the sending domain. I think it is a waste of bandwidth. If the user gets a notification that the file contained a virus and if the user really wants the file, then the user will notify the sender and get it fixed. IMHO

Goran
RE: [Declude.Virus] Good list of SKIPIFVIRUSNAMEHAS

> Ah, that makes sense. In that case, you can copy the \IMail\Declude\recip.eml file to \IMail\Declude\recip-vulnerability.eml (or whatever name you want), and use a line ONLYSENDIFVIRUSNAMEHAS Vulnerability (without any SKIPIFVIRUSNAMEHAS or SKIPIFFORGING lines).

OK, that is great. Now can I do this?

Create a recip-vulnerability.eml with the ONLYSENDIFVIRUSNAMEHAS Vulnerability command in it and customize the text to talk about Vulnerabilities. Do I have to change anything in virus.cfg?

Also still have the recip.eml file with a bunch of SKIPIFVIRUSNAMEHAS Klez/Vulnerability/etc and SKIPIFFORGING, and customize the text in that file to talk about viruses.

Will Declude send out either depending on if it is a vulnerability or a virus?

Thanx

Goran
RE: [Declude.Virus] Good list of SKIPIFVIRUSNAMEHAS

This is good. I like it.

Thanx

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, May 25, 2004 9:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Good list of SKIPIFVIRUSNAMEHAS

> Create a recip-vulnerability.eml with the ONLYSENDIFVIRUSNAMEHAS Vulnerability command in it and customize the text to talk about Vulnerabilities. Do I have to change anything in virus.cfg?
>
> Also still have the recip.eml file with a bunch of SKIPIFVIRUSNAMEHAS Klez/Vulnerability/etc and SKIPIFFORGING, and customize the text in that file to talk about viruses.
>
> Will Declude send out either depending on if it is a vulnerability or a virus?

Correct. However, maybe I should double check my server for the correct names. ;)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.Virus] Agobot anonymous driver forging variant

OK, that is fine. I just thought it was a new command that I had not seen anywhere and went looking for it. :)

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, May 25, 2004 9:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Agobot anonymous driver forging variant

> Ahh John, I thought the command is SKIPIFVIRUSNAMEHAS Agobot in the .eml file? Or is DONOTSENDIFVIRUSNAMEHAS a filter of some sort?

Ah, what is in a name? That is what I get for trying to go off memory at the same time as doing 5 other things.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
[Declude.Virus] BANnotify.eml

Hi,

The documentation shows that the bannotify.eml file sends mail back to %MAILFROM%. Can I just modify this to send mail to %ALLRECIPS% instead, or is there another .eml file that I should be using to inform the recipient that a banned attachment was dropped?

Thanx

Goran Jovanovic
The LAN Shoppe
RE: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

OK, try this. Go and get AngryIP from http://www.angryziber.com/ipscan/ (it is free). Scan your subnet. This utility will report all IPs it finds and the host name if it can resolve it. Now, if you want to correlate to MAC address, drop into DOS and do an arp -a to list all the arps your computer knows about. Do the arp -a quickly after you run AngryIP, as there is a finite time the arp table lives in Windows memory.

There is also an amazing tool from SolarWinds called MAC address discovery which scans a subnet and lists very nicely in a table the IP address, MAC address, DNS/host name and the network card manufacturer. This is not free; it is part of the Engineers Toolkit.

Hope this helps.

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Jeff Pereira
Sent: Sunday, May 23, 2004 3:35 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

Thanks for the reply, but I think you misunderstood. I know the IP of my computer; I don't know the IP of a piece of equipment that I have, but I do know what the MAC address is.

jeff

----- Original Message -----
From: Don Brown [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 23, 2004 2:40 PM
Subject: Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

Get a command prompt and type ipconfig (without the quotes) and a carriage return. To get a command prompt, select Start/Run and type CMD (without the quotes) in the box and click the OK button. If you need to change the IP address, then select Start/Settings/Network Connections. Select something other than "make a new network connection". Next, click Properties, choose Internet Protocol (TCP/IP) and click Properties. You should be able to find your way around from there.

HTH

Thanks,

Sunday, May 23, 2004, 12:05:12 PM, Jeff Pereira [EMAIL PROTECTED] wrote:

JP> Windows..sorry I left that out.
JP>
JP> jeff
JP>
JP> ----- Original Message -----
JP> From: Rich
JP> To: [EMAIL PROTECTED]
JP> Sent: Sunday, May 23, 2004 11:57 AM
JP> Subject: Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address
JP>
JP> What OS?
JP>
JP> ----- Original Message -----
JP> From: Jeff Pereira
JP> To: [EMAIL PROTECTED]
JP> Sent: Sunday, May 23, 2004 8:22 AM
JP> Subject: Possible Spam: [Declude.Virus] OT - Need IP from MAC address
JP>
JP> Sorry for the OT post, but I am in need of help.
JP>
JP> I have a piece of equipment that I inherited that was assigned a fixed IP address, but I do not know what it is.
JP>
JP> I am pretty sure that there is a way to determine the IP by way of the MAC address, but I am unable to figure out how.
JP>
JP> Any help will be appreciated.
JP>
JP> jeff

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
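Added example (not code from this thread): the `arp -a` correlation Goran describes, done programmatically so the MAC spelling on a device label (colons, or Cisco-style dots) matches the dashed form Windows prints. The ARP output below is constructed in both the Windows and Unix layouts. It only finds hosts on the local subnet that have answered recently, which is why the subnet scan comes first.

```python
import re

# One row of an ARP table: an IPv4 address followed somewhere on the line by a
# six-octet MAC written with ':' or '-' separators.  This matches the Windows
# layout ("192.168.1.50   00-0c-29-ab-cd-ef   dynamic") and the Unix layout
# ("? (192.168.1.50) at 00:0c:29:ab:cd:ef [ether] on eth0") alike.
ROW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
)

# Constructed sample output, Windows `arp -a` layout.
SAMPLE_WINDOWS = """\
Interface: 192.168.1.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          00-0c-29-ab-cd-ef     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample output, Unix `arp -a` layout, same two hosts.
SAMPLE_UNIX = """\
gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.50) at 00:0c:29:ab:cd:ef [ether] on eth0
"""


def normalize_mac(mac):
    """Reduce any common spelling (00-0C-29-AB-CD-EF, 00:0c:29:ab:cd:ef,
    000c.29ab.cdef) to twelve lowercase hex digits so spellings from
    different tools and device labels compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_arp_table(arp_output):
    """Map normalised MAC -> list of IPs seen for it in `arp -a` output.
    Header and interface lines carry no MAC and are skipped."""
    table = {}
    for line in arp_output.splitlines():
        m = ROW_RE.search(line)
        if m:
            table.setdefault(normalize_mac(m.group(2)), []).append(m.group(1))
    return table


def find_ip_by_mac(arp_output, mac):
    """IPs the ARP cache currently associates with `mac` (empty if the device
    has not talked to this host recently, or sits on another subnet)."""
    return parse_arp_table(arp_output).get(normalize_mac(mac), [])


if __name__ == "__main__":
    # For a real run: arp -a > arp.txt, then pass that file's text instead.
    print(find_ip_by_mac(SAMPLE_WINDOWS, "00:0C:29:AB:CD:EF"))  # ['192.168.1.50']
```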
RE: [Declude.Virus] TOT TCP/IP Protocol driver service

I use BGINFO on all the servers I support. It is absolutely great, especially since I terminal server into many at a time and it very clearly tells me what server I am on. It also tells the less sophisticated network admins which server they are on when using the KVM switch.

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Friday, May 21, 2004 1:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] TOT TCP/IP Protocol driver service

I also have the 2002 Admin pack. Back then we paid $999 for it. I have saved several shared servers with it, more than covering the $999, but now it is closer to $5000 I believe. It may be worth it as well. All their products are great.

Go to the freeware site sysinternals.com and get all their tools. Even the simple Bginfo screen background is the handiest utility. It builds a very simple BMP that has all your system info and becomes the desktop background. Nothing fancy, just the info. You can run it on boot up or schedule it to update every few hours if needed. Great on desktops and servers.

DC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, May 20, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] TOT TCP/IP Protocol driver service

> ERD commander is an awesome tool, helps change service/device startup values, registry, connect through the network to other machines, chkdsk, etc etc... Might take a look at that, helps me a TON.

I was going to recommend that, as I have the 2002 version, but their new licensing terms have priced the newer version completely out of reach for the average small business.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
[Declude.Virus] Correct me if I am wrong

I believe this is correct. If a virus in an attachment is detected, then the whole message will be held and the recip.eml notification will be sent out. Is there a way to allow the e-mail to go through to the user with a notification that the attachment was stripped?

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] Feature Request: Deletion of banned files

Thanx. I am going to shamelessly plagiarize. :)

Goran Jovanovic
The LAN Shoppe
2345 Yonge Street, Suite 302
Toronto, Ontario M4P 2E5
Phone: (416) 440-1167 x-2113
Cell: (416) 931-0688
E-Mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, May 07, 2004 3:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

What it does is move everything in the virus folder to a folder called day1, move everything in day1 to day2 and so forth, and delete what is in day 5. Attached is the script. Runs daily at 12:05 AM. I am sure someone can come up with a cleaner one, but it works. It also sends a report.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 06, 2004 8:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

John,

Does this script delete just the files with the banned attachments or anything over 5 days old? Are you willing to share the script?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, April 30, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

I have a script that runs just after midnight each day that in effect deletes those held after 5 days.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, April 30, 2004 6:21 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Feature Request: Deletion of banned files

Hi Scott,

We seem to be spending more and more time deleting from the virus hold queue files that have .PIF and .SCR extensions. We'd like to request a little more granular control over banning of extensions... specifically, a setting to go ahead and delete some of them. For example, instead of

BANEXT PIF

perhaps we could use

DELEXT PIF

Obviously there are a number of other extensions we would continue to ban, and check for legitimacy, but this would be helpful.

Thoughts?

Darin.
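Added example, not John's attached script: a Python version of the five-slot rotation he describes (virus folder to day1, day1 to day2, and so on, with day5 deleted), written so it can be dry-run against a constructed directory before being pointed at the real hold queue. The slot names and the returned counts are assumptions of this example; `virus_dir` stands for Declude's virus hold directory. Note that the scheme ages out everything in the folder after five runs, whatever the reason it was held.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Names of the rotation slots inside the hold directory (assumed: day1..dayN).
SLOT_RE = re.compile(r"^day\d+$")


def rotate_hold_queue(virus_dir, days=5):
    """One daily pass over the virus hold directory.

    dayN is deleted, day(N-1)..day1 each move up one slot, a fresh day1 is
    created, and everything still loose in virus_dir (the messages held
    since the last run) is moved into it.  A held file is therefore gone
    after N runs no matter why it was held.  Returns counts for a report.
    """
    root = Path(virus_dir)
    summary = {"deleted": 0, "rotated": 0, "moved_in": 0}

    oldest = root / f"day{days}"
    if oldest.is_dir():
        summary["deleted"] = sum(1 for p in oldest.rglob("*") if p.is_file())
        shutil.rmtree(oldest)

    # Walk from the oldest remaining slot downwards so no rename lands on a
    # directory that still exists.
    for n in range(days - 1, 0, -1):
        src = root / f"day{n}"
        if src.is_dir():
            src.rename(root / f"day{n + 1}")
            summary["rotated"] += 1

    day1 = root / "day1"
    day1.mkdir()
    for entry in list(root.iterdir()):
        if SLOT_RE.match(entry.name):
            continue  # the slots themselves stay where they are
        shutil.move(str(entry), str(day1 / entry.name))
        summary["moved_in"] += 1
    return summary


def snapshot(virus_dir):
    """Sorted relative paths of every file under virus_dir, for the report."""
    root = Path(virus_dir)
    return sorted(
        p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()
    )


def make_demo_dir():
    """Constructed stand-in for the hold directory: five populated slots plus
    one message held since the last run.  A real run points at the Declude
    virus folder instead and never calls this."""
    root = Path(tempfile.mkdtemp(prefix="declude_virus_"))
    for n in range(1, 6):
        slot = root / f"day{n}"
        slot.mkdir()
        (slot / f"held{n}.eml").write_text("held message")
    (root / "Dnewest.eml").write_text("held today")
    return root


if __name__ == "__main__":
    demo = make_demo_dir()
    print(rotate_hold_queue(demo))  # {'deleted': 1, 'rotated': 4, 'moved_in': 1}
    print(snapshot(demo))
```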
RE: [Declude.Virus] Unknown Viruses?

Scott,

From the virus.cfg file:

SCANFILE D:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6

Here are some examples from the log file. Seems I do not have a virus name in any of the log messages.

05/06/2004 00:14:48 Qbba90921010cfa85 Invalid PIF Vulnerability
05/06/2004 00:14:48 Qbba90921010cfa85 File(s) are INFECTED [: 3]
05/06/2004 00:14:48 Qbba90921010cfa85 Scanned: CONTAINS A VIRUS [MIME: 2 17600]
05/06/2004 10:38:34 Q4de7012901160c06 File(s) are INFECTED [: 3]
05/06/2004 10:38:34 Q4de7012901160c06 Scanned: CONTAINS A VIRUS [MIME: 2 22573]
05/06/2004 10:39:02 Q4df9058801180c08 Scanned: Virus Free [MIME: 1 4836]

I have lots of these types, but these are from Declude checking the Outlook vulnerabilities.

05/06/2004 12:13:25 Q6421067d01180f35 Invalid SCR Vulnerability
05/06/2004 12:13:25 Q6421067d01180f35 File(s) are INFECTED [[Outlook 'MIME Header' Vulnerability]: 3]
05/06/2004 12:13:26 Q6421067d01180f35 Scanned: CONTAINS A VIRUS [MIME: 3 30458]

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, May 07, 2004 7:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Unknown Viruses?

> I am using F-Prot and it is working but I keep getting these unidentified viruses.
>
> Unknown Virus virus in the Unknown File attachment
>
> Can anyone shed any light on this?

Do you ever get the correct virus name (without Vulnerability in the name)? If not, then the F-Prot settings aren't correct (either it is not saving the report.txt file, or there is no REPORT line or an invalid REPORT line in the \IMail\Declude\virus.cfg file). If the virus name is shown sometimes, the log file entries should help determine what happened.

If you are blocking suspicious files (with VIRUSCODE 8 in the virus.cfg file), then the Unknown Virus will appear if F-Prot detects a suspicious file (since it can't know the name of a virus that it cannot detect).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
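Added example, not part of the thread: a small checker that applies Scott's diagnostic to Declude virus log lines. It sorts the `File(s) are INFECTED [name: code]` entries into those carrying a scanner-supplied name, those Declude named itself (a Vulnerability), and those with an empty name; when INFECTED entries exist but not one carries a scanner name, the REPORT line and report.txt are the first thing to check. The sample is the excerpt Goran posted; the classification rule follows Scott's reply and the rest is this example's own.

```python
import re
from collections import Counter

# One "File(s) are INFECTED [<name>: <code>]" entry from Declude's virus log.
# <name> is whatever Declude parsed out of the scanner's report (empty when it
# found nothing there) and <code> is the scanner's exit code as logged.
INFECTED_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<qid>Q[0-9a-f]+) "
    r"File\(s\) are INFECTED \[(?P<name>.*): (?P<code>\d+)\]$"
)

# Constructed sample: the log lines quoted in this thread.
SAMPLE_LOG = """\
05/06/2004 00:14:48 Qbba90921010cfa85 Invalid PIF Vulnerability
05/06/2004 00:14:48 Qbba90921010cfa85 File(s) are INFECTED [: 3]
05/06/2004 00:14:48 Qbba90921010cfa85 Scanned: CONTAINS A VIRUS [MIME: 2 17600]
05/06/2004 10:38:34 Q4de7012901160c06 File(s) are INFECTED [: 3]
05/06/2004 10:38:34 Q4de7012901160c06 Scanned: CONTAINS A VIRUS [MIME: 2 22573]
05/06/2004 10:39:02 Q4df9058801180c08 Scanned: Virus Free [MIME: 1 4836]
05/06/2004 12:13:25 Q6421067d01180f35 Invalid SCR Vulnerability
05/06/2004 12:13:25 Q6421067d01180f35 File(s) are INFECTED [[Outlook 'MIME Header' Vulnerability]: 3]
05/06/2004 12:13:26 Q6421067d01180f35 Scanned: CONTAINS A VIRUS [MIME: 3 30458]
"""


def parse_infected(log_text):
    """Yield (queue_id, name, code) for every INFECTED entry in the log."""
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line.rstrip())
        if m:
            yield m["qid"], m["name"].strip("[]"), int(m["code"])


def classify(name):
    """Who supplied the name: the scanner, Declude itself, or nobody."""
    if not name:
        return "unnamed"        # scanner flagged the file, no name came from report.txt
    if "Vulnerability" in name:
        return "vulnerability"  # Declude's own check, named without the scanner
    return "named"              # a name parsed from the scanner's report


def diagnose(log_text):
    """Summarise the log and flag the report-parsing problem Scott describes:
    INFECTED entries exist but not one carries a scanner-supplied name."""
    by_queue = {}
    counts = Counter()
    for qid, name, _code in parse_infected(log_text):
        by_queue[qid] = name
        counts[classify(name)] += 1
    return {
        "counts": dict(counts),
        "by_queue": by_queue,
        "report_parsing_suspect": counts["unnamed"] > 0 and counts["named"] == 0,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result["counts"])                  # {'unnamed': 2, 'vulnerability': 1}
    print(result["report_parsing_suspect"])  # True
```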
[Declude.Virus] Unknown Viruses?

Hi,

I am using F-Prot and it is working, but I keep getting these unidentified viruses.

Unknown Virus virus in the Unknown File attachment

Can anyone shed any light on this?

Thanx

Goran Jovanovic
The LAN Shoppe
RE: [Declude.Virus] Feature Request: Deletion of banned files

John,

Does this script delete just the files with the banned attachments or anything over 5 days old? Are you willing to share the script?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, April 30, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

I have a script that runs just after midnight each day that in effect deletes those held after 5 days.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, April 30, 2004 6:21 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Feature Request: Deletion of banned files

Hi Scott,

We seem to be spending more and more time deleting from the virus hold queue files that have .PIF and .SCR extensions. We'd like to request a little more granular control over banning of extensions... specifically, a setting to go ahead and delete some of them. For example, instead of

BANEXT PIF

perhaps we could use

DELEXT PIF

Obviously there are a number of other extensions we would continue to ban, and check for legitimacy, but this would be helpful.

Thoughts?

Darin.
RE: [Declude.Virus] What is it?

Try restarting the machine in Safe Mode and then deleting it. You can also try to rename it and then reboot to see if you can break the startup of it.

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Doug Anderson
Sent: Thursday, April 29, 2004 4:55 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.Virus] What is it?

Anyone deal with a file called AkAAMON.DLL or AkAAMON.CPY.DLL? Adaware found it but couldn't remove it on one of our workstations. McAfee doesn't worry about it. Anyone know what it is? Only way to get rid of it is via a repair console, 'cause it was always in use/locked.