[Declude.Virus] Banning open.html

2010-06-11 Thread John T
Fighting the latest virus, trying to ban open.html file attachments.
Anyone able to do this successfully? I am working with Declude right now to
figure out why it is not being stopped.

John T
eServices For You

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Per user setting

2009-12-21 Thread John T
Any ideas?

John T
eServices For You
-Original Message-
From: John T johnl...@eservicesforyou.com
Sent 12/11/2009 11:59:05 AM
To: declude.virus declude.virus@declude.com
Subject: [Declude.Virus] Per user setting
Is there a way possible to allow on a per user basis outgoing banned extensions 
WITHOUT disabling outgoing virus scanning?
If not, could this be something that could be added?

John T
eServices For You


[Declude.Virus] Per user setting

2009-12-11 Thread John T
Is there a way possible to allow on a per user basis outgoing banned extensions 
WITHOUT disabling outgoing virus scanning?
If not, could this be something that could be added?

John T
eServices For You



Re: [Declude.Virus] BANNotify message

2009-10-16 Thread John T
I'd have to dig it up in the archives, if I could find it. Unless it was one of
those things that Scott tried to do.

John T
eServices For You
-Original Message-
From: David Barker dbar...@declude.com
Sent 10/16/2009 6:29:46 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BANNotify message

Not that I am aware of. Do you have information to show otherwise please send
it to supp...@declude.com

David B

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of John T
Sent: Thursday, October 15, 2009 6:20 PM
To: declude.virus
Subject: [Declude.Virus] BANNotify message

Way back when this was introduced, we had the ability to list file names as
well as extensions that we did not want the bannotify message to go out on.
Example, you could have SKIPIFEXT install.zip and if the banned ext file name
was install.zip, the bannotify message would not go out.
Has this changed?

John T
eServices For You


[Declude.Virus] BANNotify message

2009-10-15 Thread John T
Way back when this was introduced, we had the ability to list file names as
well as extensions that we did not want the bannotify message to go out on.
Example, you could have SKIPIFEXT install.zip and if the banned ext file name 
was install.zip, the bannotify message would not go out.
Has this changed? John T
eServices For You



Re: [Declude.Virus] Declude Virus inoperable for 13% of th year?

2009-06-04 Thread John T
I really think these types of comments, while they may be perfectly valid, are
better done offline as they are outside of the scope and purpose of this
list.

John T
eServices For You
-Original Message-
From: Patrick Childers pchild...@hgbd.com
Sent 6/4/2009 10:36:30 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

I run a business and I work for a business. Thank you. Maybe you should work for
one...

~P

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, June 04, 2009 1:17 PM
To: declude.vi...@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

… but I can spend almost whatever I need to to protect my network.

There are those of us who run businesses and then there are those who work for
them. Either way your feedback is appreciated ;)

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Patrick Childers
Sent: Thursday, June 04, 2009 12:50 PM
To: declude.vi...@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

Comments are in-line.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, June 04, 2009 10:03 AM
To: declude.vi...@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

Sorry no marketing department to give you the warm and fuzzy spin, just me.

Obviously.

Couple of suggestions. Declude has the ability to run up to 5 additional cmd
line scanners of your choice, we provide AVG as a courtesy to our customers as
in the past Declude did not have any internal virus scanner, you would have to
go out and purchase that separately

Well aware of that.

It would be good to run more than 1 virus scanner for several reasons, one of
which is failure of an AV scanner, (admittedly in this instance failure was on
our part) But rest assured false positives, no virus signatures, lag time are
problems ALL AV vendors are faced with. There are some that are free that work
extremely well, ClamWin or ClamAV is an example of this.

In addition we have ZEROHOUR as an option for Perpetual license customers as an
additional virus scanner providing ZEROHOUR protection and additional spam
definitions. For the amount of money that this is being offered for it is a
wise investment. If you opted out of this because you didn't want to spend the
extra few $ on security then you have different issues and it's not Declude.

LOL. I may be one of the few, but I can spend almost whatever I need to to
protect my network. I do run multiple scanners as well as virus scanning on the
perimeter firewall.

If you didn't want to spend the extra few $ on making sure your code is
up-to-date then you have different issues and it's not your customers.

Lastly Patrick please contact supp...@declude.com having looked at your host
record it does not look like you are receiving any AV updates - it could be
that your firewall is blocking the AV updates, our support can work with you to
fix that.

LOL again. Don't need to. I don't use AVG. I only chimed in because I felt that
your responses to the issue were not helpful and somewhat offending the users
of your product.

Again,

[Declude.Virus] HEADS UP, Virus storm right now

2009-04-23 Thread John T
I am catching a lot of ZIP-exe files to different addresses from different IPs 
starting about 25 minutes ago.

John T
eServices For You



Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

2008-07-04 Thread John T
Any update or information on this?

John T
eServices For You
-Original Message-
From: David Barker [EMAIL PROTECTED]
Sent 6/23/2008 11:36:40 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
I will see what we can do for a new directive for the HOLD to be excluded or 
included by the admin.
David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Monday, June 23, 2008 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

I have complained about this for a while now. This process of fix the
configuration then place in the proc folder only works if you are constantly
poring through your hold folders. We do not do that. We send an email to our
users with the message they have in their hold. They then have the option to
deliver the message to their inbox, when they click the recover link the
message is placed in the spool folder and a copy of the raw email is sent to
our admin to then look at the configuration. This process makes the hold folder
completely hands off. How about an option to VIRUSSCANONHOLD. This would make
everyone happy.

Kevin Bilbee

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, June 23, 2008 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

For what it's worth, I never move messages from HOLD to SPOOL. When I do move
false positives out, I fix the problem in my configuration, so that the same
circumstance doesn't happen again, and then I move the files from the HOLD to
the PROC folder. By re-scanning them, they get virus scanned and I am sure that
I have saved time by getting spam scanned as well; it would cost me more time
to repeat the procedure next time than it takes me to override my text filters
and re-queue the messages now. Very few messages get pulled out of the HOLD
folder, so not scanning those messages for viruses saves me a lot of processing
power.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, June 23, 2008 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Correct if you send held email directly to the spool there is a potential for a
virus to bypass if running AVAFTERJM this is why it is important to correct the
issue that caused the false positive then reprocess via Declude. OR alternately
ensure you virus scan your HOLD folders. If you are asking to only apply
AVAFTERJM to Deleted emails this would reduce its effectiveness as not every
Declude customer uses Delete.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, June 23, 2008 11:30 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Hi David,

Could you explain this:
We have chosen not to do this otherwise your users will end up with viruses in
their junkmail folders

By NOT scanning held junkmail the virus WILL end up in a user's mailbox if I
have to requeue the mail because it was a FP. Of course you don't have to scan
deleted mail.

Kind regards,
Bonno Bloksma
head of systems administration, tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 [EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: David Barker
To: [EMAIL PROTECTED]
Sent: Monday, June 23, 2008 4:28 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Dear Bonno,

It is not that we can't do this. We have chosen not to do this otherwise your
users will end up with viruses in their junkmail folders. AVAFTERJM will skip
messages on DELETE and HOLD actions only.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, June 23, 2008 4:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Hi, (Open mail request)

Dear Declude people. I have asked this before and with the current spam levels
can we PLEASE have this feature now ASAP? We all want to use AVAFTERJM but
could you PLEASE make it scan all mail which is not deleted? If that is too big
a step at first because of all the possible copy, routeto, etc statements can
we at least have it for the HOLD action asap?

Kind regards,
Bonno Bloksma
head of systems administration, tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 [EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Kevin Bilbee
To: [EMAIL PROTECTED]
Sent: Friday, June 13, 2008 5:25 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Be careful with this setting. If a message gets held as spam it will not be
virus scanned. Make sure you scan any message moved back into the delivery
queue for viruses before placing it in the delivery queue folder.

Kevin Bilbee

-Original Message

Re: [Declude.Virus] Invalid Zip Vulnerability

2008-03-06 Thread John T
No name, just the extension?

John T
eServices For You
-Original Message-
From: Andy Schmidt [EMAIL PROTECTED]
Sent 3/3/2008 9:30:59 AM
To: [EMAIL PROTECTED]
Cc: declude.virus@declude.com
Subject: [Declude.Virus] Invalid Zip Vulnerability

Hi,

I checked your KB – and it doesn't document that vulnerability:
http://support.declude.com/Customer/KBArticle.aspx?articleid=25KBSearchID=11699

I checked your manual – and it doesn't document that vulnerability:
http://www.declude.com/searchresults.asp?Cat=124

However, I do have a message that fails the vulnerability:

File:   [.ZIP file]
Result: Found [Invalid ZIP Vulnerability]

So now I need to determine why this ZIP file is being rejected.

Thanks,
Andy


[Declude.Virus] Banned file ext not caught

2007-09-19 Thread John T \(lists\)
I had a client receive an email with a PPS attachment this morning. PPS
files are banned. Looking at the Virus log for the message there are warning
lines about EOF encountered. I am assuming this means End Of File.

 

Is there a way to catch these?

 

09/19/2007 09:07:07.231 q492300cc5430.smd Vulnerability flags = 92
09/19/2007 09:07:07.246 q492300cc5430.smd MIME file: [text/html][quoted-printable; Length=2041 Checksum=169730]
09/19/2007 09:07:07.278 q492300cc5430.smd Warning: EOF in middle of MIME segment [] [--_b93bf649-659f-4133-bdea-60207fbe90ef_]
09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart processing.
09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart processing.
09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart processing.
09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart processing.
09/19/2007 09:07:08.918 q492300cc5430.smd Scanned: Virus Free [MIME: 4 345642]

 

John T

 




RE: [Declude.Virus] exe in zip file why not blocked...

2007-07-30 Thread John T \(lists\)
David, the log snippet posted is of the Declude Virus log, meaning it passed
Junkmail and was scanned.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 30, 2007 9:24 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

 

AVAFTERJM  ON means if the email reaches the JM either HOLD or DELETE to not
call the AV in the Declude code. Try switching this OFF to see if it
resolves the issue.


David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Monday, July 30, 2007 10:27 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

 

Declude 4.3.57

 

AVAFTERJM ON YES.

 

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 30, 2007 7:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

 

Scott,

 

What version of Declude ?

 

Are you using the directive AVAFTERJM  ON?

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Friday, July 27, 2007 3:06 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] exe in zip file why not blocked...

 

I was looking at my spam folder and noticed an email with a zip that
contained an exe.

 

07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862
07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]
07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:23.015 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:25.640 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:28.374 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt
07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.
07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668]

 

virus.cfg lines:

BANEXT exe
BANZIPEXTS ON

 

I believe this should have been blocked (regardless of the problem with
scanner 2).

 

Scott Fisher

Dir of IT

Farm Progress Companies

191 S Gary Ave

Carol Stream, IL 60188

Tel: 630-462-2323

 

This email message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the sender
by reply email and destroy all copies of the original message. Although Farm
Progress Companies has taken reasonable precautions to ensure no viruses are
present in this email, the company cannot accept responsibility for any loss
or damage arising from the use of this email or attachments.

 


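Both this thread and the "Banned file ext not caught" thread above show the same failure mode from the defender's side: the virus log ends in a verdict that the scan cannot actually back up (a truncated MIME body still "Virus Free", or an external scanner error), and a banned attachment slips past BANEXT. The following is an added example, not Declude's own code, that triages log lines in the format quoted in those posts; the sample log re-uses the posted lines plus one constructed clean message, and the classification rules are this editor's reading of the posts.

```python
"""Triage Declude Virus log lines for verdicts that are not backed by a complete
scan. Two patterns are taken from the mailing-list posts:
  * "EOF in middle of MIME segment" / "EOF in multipart processing" followed by
    "Scanned: Virus Free": MIME parts after the truncation were never
    enumerated, so BANEXT had nothing to match against;
  * "Scanned: Error in virus scanner.": the external scanner failed, so the
    message was not fully checked.
Log format assumed (from the posts): "MM/DD/YYYY HH:MM:SS.mmm <queuefile>.smd <text>".
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+\.smd) (.*)$")

# Constructed sample: the two excerpts posted in this archive plus one clean message.
SAMPLE_LOG = """\
09/19/2007 09:07:07.231 q492300cc5430.smd Vulnerability flags = 92
09/19/2007 09:07:07.246 q492300cc5430.smd MIME file: [text/html][quoted-printable; Length=2041 Checksum=169730]
09/19/2007 09:07:07.278 q492300cc5430.smd Warning: EOF in middle of MIME segment [] [--_b93bf649-659f-4133-bdea-60207fbe90ef_]
09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart processing.
09/19/2007 09:07:08.918 q492300cc5430.smd Scanned: Virus Free [MIME: 4 345642]
07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862
07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]
07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt
07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.
07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668]
07/27/2007 11:12:01.100 qconstructed0001.smd MIME file: report.pdf [base64; Length=40210 Checksum=1]
07/27/2007 11:12:02.500 qconstructed0001.smd Scanned: Virus Free [MIME: 2 41000]
"""


def parse_log(text):
    """Group lines by queue file; keep MIME parts, parser warnings, scanner errors, verdict."""
    msgs = defaultdict(lambda: {"parts": [], "warnings": [], "errors": [], "verdict": None})
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation or foreign line
        _ts, qname, body = m.groups()
        rec = msgs[qname]
        if body.startswith("MIME file:"):
            rec["parts"].append(body[len("MIME file:"):].strip())
        elif body.lower().startswith("warning:"):
            rec["warnings"].append(body)
        elif (body.startswith("Error ") or "reports exit code" in body
              or body.startswith("Could not find parse string")):
            rec["errors"].append(body)
        elif body.startswith("Scanned:"):
            rec["verdict"] = body[len("Scanned:"):].strip()
    return dict(msgs)


def attachment_names(rec):
    """File names of MIME parts that carried one ('fungame.zip [base64; ...]' -> 'fungame.zip')."""
    names = []
    for part in rec["parts"]:
        if not part.startswith("["):  # '[text/html][...]' parts have no file name
            names.append(part.split(" [", 1)[0])
    return names


def triage(msgs):
    """Return {queue_file: [reasons]} for messages whose verdict is not backed by a full scan."""
    findings = {}
    for qname, rec in msgs.items():
        verdict = rec["verdict"] or ""
        reasons = []
        if verdict.startswith("Virus Free") and any("EOF" in w for w in rec["warnings"]):
            reasons.append("verdict Virus Free although the MIME body was truncated; only "
                           f"{len(rec['parts'])} part(s) enumerated, so BANEXT could not see later attachments")
        if verdict.startswith("Error in virus scanner"):
            reasons.append("scan incomplete, scanner error: " + "; ".join(rec["errors"][-1:]))
        if reasons:
            findings[qname] = reasons
    return findings


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for qname, reasons in triage(msgs).items():
        print(qname, attachment_names(msgs[qname]) or "(no named attachment seen)")
        for reason in reasons:
            print("  -", reason)
```

Messages it flags are the ones worth pulling from the delivered or spam folders for a re-scan, since neither BANEXT nor the AV verdict can be trusted for them.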

RE: [Declude.Virus] banning EZIP but....

2007-06-28 Thread John T \(lists\)
I do not ban EZIP outright, but instead I ban EZIPEXTS.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno
Bloksma
Sent: Thursday, June 28, 2007 5:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] banning EZIP but

 

Hi,

 

Just ran into a problem that *I* could resolve but still

I had a problem with my backup tool Yosemite Backup and they have a tool on
their site that they want you to run. It collects all kind of relevant data
to help pinpointing the problem.

The output in the latest version is an encrypted ZIP file which gets
blocked when I try to send it via email. :-(

 

Of course I could just change the Declude config for a few seconds but
that's just me. What I would like Declude to do is:

- Block all inbound EZIP files

- Block outbound EZIP files UNLESS the user authenticates via SMTP AUTH.

Currently this is not possible I think, would be a nice option though.

 

How do others currently circumvent this problem?

 

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / http://www.tio.nl



RE: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities

2007-05-25 Thread John T \(lists\)
Why not use vulnerability.eml?

SKIPIFVIRUSNAMEDOESNOTHAVE  Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: We blocked a suspected malicious email sent to you!

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses,
junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities
are those which can allow a virus or other malicious content to
hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with
%VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that
you want or should have received, please reply to this
notification, and we will review and requeue the message for
delivery. (Note, there may be a delay until the message is
delivered to you.) Otherwise, the e-mail will be deleted
automatically after 5 days.

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
Remote IP: %REMOTEIP%

DATE: %DATE% @ %TIME%

SPOOL FILE: %QUEUENAME%

Headers of the e-mail in question:

%HEADERS%

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Friday, May 25, 2007 6:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request - Notification emails generated on
vulnerabilities

 

It would be wonderful to be able to send out notifications on
vulnerabilities like the current notifications on virus found/banned files.

 

We still have to process the virus queue due to legit email that may be held
due to vulnerabilities that we do not want to turn off in the config.  For
legit email in virus/banned file scanning notifications are sent and the
requeue message link we include in our notifications allows the users to
receive the message without us touching it.  But since this notification
does not get sent for vulnerabilities, we still have to manually review this
queue.  Being able to send out notifications on vulnerabilities would keep
us from having to touch the virus hold queue at all, saving us time every
day.

 

Thoughts?


Darin.

 

 


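To make the behaviour of a notification template like the vulnerability.eml above concrete, here is an added example, not Declude's code, that parses such a template, applies its send/skip directives and fills in the placeholders. The directive meanings are inferred from the posts in this archive and are assumptions: SKIPIFVIRUSNAMEDOESNOTHAVE, ONLYSENDIFREMOTESENDER (this thread), SKIPIFEXT (the BANNotify thread) and the AUTOFORGING suppression logged in the BanNotify thread; the template and addresses are a constructed, shortened copy.

```python
"""Model of how a Declude notification .eml is evaluated (assumed semantics):
  SKIPIFVIRUSNAMEDOESNOTHAVE <word>  do not send unless the detection name contains <word>
  ONLYSENDIFREMOTESENDER             send only when the sender is not a local user
  SKIPIFEXT <name or extension>      do not send when the banned attachment matches
A message on which AUTOFORGING detected a forging virus never gets a notice;
that case is carried as an event flag here.
"""
import re

DIRECTIVES = ("SKIPIFVIRUSNAMEDOESNOTHAVE", "ONLYSENDIFREMOTESENDER", "SKIPIFEXT")

# Constructed, shortened copy of the template posted above; addresses are placeholders.
VULNERABILITY_EML = """\
SKIPIFVIRUSNAMEDOESNOTHAVE  Vulnerability
ONLYSENDIFREMOTESENDER
From: postmaster@example.invalid
To: %ALLRECIPS%
Subject: We blocked a suspected malicious email sent to you!

Delivery blocked: %LOCALRECIPS%

We caught an e-mail addressed to you that is formatted with
%VIRUSNAME%, and have quarantined it for your protection.

FROM: %MAILFROM%
SPOOL FILE: %QUEUENAME%
"""


def parse_eml(text):
    """Split a template into (directives, headers, body); headers run up to the first blank line."""
    directives, headers = [], {}
    lines = text.splitlines()
    i = 0
    while i < len(lines) and lines[i].strip():
        tokens = lines[i].split(None, 1)
        if tokens[0].upper() in DIRECTIVES:
            directives.append((tokens[0].upper(), tokens[1].strip() if len(tokens) > 1 else ""))
        elif ":" in lines[i]:
            name, value = lines[i].split(":", 1)
            headers[name.strip()] = value.strip()
        i += 1
    return directives, headers, "\n".join(lines[i + 1:])


def should_notify(directives, event):
    """Apply the suppression rules in template order; returns (send, reason)."""
    if event.get("autoforging"):
        return False, "Not sending .eml file since AUTOFORGING detected a forging virus."
    for name, arg in directives:
        if name == "SKIPIFVIRUSNAMEDOESNOTHAVE" and arg.lower() not in event["virusname"].lower():
            return False, f"detection name {event['virusname']!r} does not contain {arg!r}"
        if name == "ONLYSENDIFREMOTESENDER" and not event["remote_sender"]:
            return False, "sender is a local user"
        if name == "SKIPIFEXT":
            filename, match = event.get("filename", "").lower(), arg.lower().lstrip(".")
            if filename == match or filename.endswith("." + match):
                return False, f"attachment {filename!r} matches SKIPIFEXT {arg}"
    return True, "send"


def render(headers, body, variables):
    """Expand %NAME% placeholders; unknown names are left in place so gaps stay visible."""
    pattern = re.compile(r"%([A-Z]+)%")

    def sub(m):
        return str(variables.get(m.group(1), m.group(0)))

    return {k: pattern.sub(sub, v) for k, v in headers.items()}, pattern.sub(sub, body)


if __name__ == "__main__":
    directives, headers, body = parse_eml(VULNERABILITY_EML)
    event = {"virusname": "Invalid ZIP Vulnerability", "remote_sender": True,
             "vars": {"ALLRECIPS": "user@example.invalid", "LOCALRECIPS": "user@example.invalid",
                      "VIRUSNAME": "Invalid ZIP Vulnerability", "MAILFROM": "sender@example.invalid",
                      "QUEUENAME": "q492300cc5430.smd"}}
    send, reason = should_notify(directives, event)
    print(reason)
    if send:
        out_headers, out_body = render(headers, body, event["vars"])
        print(out_headers, out_body, sep="\n")
```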

RE: [Declude.Virus] BanNotify email not being sent

2007-05-03 Thread John T \(lists\)
I wonder if the name of the file you are testing with is on the forging list
at Declude.

 

Try creating a text file and renaming it to something like john.bat and then
see what happens.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Thursday, May 03, 2007 2:33 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

 


RE: [Declude.Virus] BanNotify email not being sent

2007-05-02 Thread John T \(lists\)
1)  Put your virus log into debug and then try sending a banned
extension attachment.

2)  Post your bannotify.eml file as a text attachment

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Wednesday, May 02, 2007 5:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

 

I just upgraded to 4.3.46 and same thing - BANnotify is not being sent...

Randy A.

  _  

From: John T \(lists\) [EMAIL PROTECTED]
Sent: Monday, April 30, 2007 8:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent 

What version of Declude? I am using 4.3.47 and it is working. 

  

What does the Virus log say? 

  

John T 

  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent 

 

It was recently brought to my attention by a customer that the BanNotify
email is not being sent out from our server when necessary - I tried sending
myself a test email with an .exe file attached, and sure enough, the
message is trapped but the notice is not sent out.

Using declude v4.x  

Thanks!

Randy A. 

RE: [Declude.Virus] BanNotify email not being sent

2007-05-02 Thread John T \(lists\)
Sorry to bother, but please post the rest of the lines from the debug log
for that message.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Wednesday, May 02, 2007 2:36 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

 

John,

I should have known to go to DEBUG mode first

Here's what is showing there:

05/02/2007 17:27:31.265 q0225028073d8.smd Not sending .eml file since
AUTOFORGING detected a forging virus.

I sent a regular .exe program install file in the test.  The question now is
- why is this being picked up as a forging virus?

Randy A. 

  _  

From: John T \(lists\) [EMAIL PROTECTED]
Sent: Wednesday, May 02, 2007 12:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent 

Put your virus log into debug and then try sending a banned extension
attachment.

Post your bannotify.eml file as a text attachment 

  

John T 

  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Wednesday, May 02, 2007 5:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent 

 

I just upgraded to 4.3.46 and same thing - BANnotify is not being sent...

Randy A. 

  _  

From: John T \(lists\) [EMAIL PROTECTED]
Sent: Monday, April 30, 2007 8:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent 

What version of Declude? I am using 4.3.47 and it is working. 

  

What does the Virus log say? 

  

John T 

  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent 

 

It was recently brought to my attention by a customer that the BanNotify
email is not being sent out from our server when necessary - I tried sending
myself a test email with an .exe file attached, and sure enough, the
message is trapped but the notice is not sent out.

Using declude v4.x  

Thanks!

Randy A. 

RE: [Declude.Virus] BanNotify email not being sent

2007-04-30 Thread John T \(lists\)
What version of Declude? I am using 4.3.47 and it is working.

 

What does the Virus log say?

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent

 

It was recently brought to my attention by a customer that the BanNotify
email is not being sent out from our server when necessary - I tried sending
myself a test email with  an ..exe file attached, and sure enough, the
message is trapped but  the notice is not sent out.

Using declude v4.x  

Thanks!

Randy A. 

RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread John T \(lists\)
 Until Declude resolves the issue with BANEXT EZIP, I've had to ban all
 rar files.  Unfortunately some of my customers regularly send rar
 attachments, so I've had to check the virus hold directory on a regular
 basis and manually resubmit any false positives there.
 
 Gary

Instead of manually checking for legit files, use the BANEXT.eml file to
send a postmaster message that you get and/or the recipient and/or sender
get and that notice can be reviewed a lot easier than manually checking the
hold directory.

John T







Re: [Declude.Virus] re: new virus with .rar attachment

2007-04-25 Thread John T
Only if you also have BANEXT rar.
Do you have junkmail scanning before virus?
John T

-Original Message-
From: "Gary Steiner" [EMAIL PROTECTED]
Sent 4/25/2007 10:44:37 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] re: new virus with .rar attachment

As a followup to this, in my virus.cfg I have BANEXT EZIP. Shouldn't this
have caught the password-protected .rar file? Declude passed the message
to SmarterMail without holding it. I'm running Declude 4.3.46.


 Original Message 
 From: "Gary Steiner" [EMAIL PROTECTED]
 Sent: Wednesday, April 25, 2007 1:31 PM
 To: declude.virus@declude.com
 Subject: new virus with .rar attachment
 
 I started getting some messages today that were picked up as spam, but
 were not being identified as viruses.  They looked suspicious, having subject
 lines of
 
 Virus Activity Detected!
 Spyware Alert!
 
 It contains a .gif message that tells the user to open the .rar file and
 run the patch there to protect them from the virus/spyware.
 
 I ran it on www.virustotal.com, and the only scanner that picked it up was
 McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
 
 http://vil.nai.com/vil/content/v_142094.htm
 
 Since this is a password protected .rar file, should we now be blocking these?







RE: [Declude.Virus] You should not use an on-access virus scanner that scans the ....

2007-04-17 Thread John T \(lists\)
1)  86 the read receipt requests!

2)  You should be running 4.3.46 at this point due to a problem with a
recent change in AVG.

3)  Is this happening on every email, or random?

4)  Since you are only running one virus scanner (aside from the built
in AVG,) I do not think you need to have the number 1 for each line, i.e.
SCANFILE1 and VIRUSCODE1.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe,
Alexander
Sent: Tuesday, April 17, 2007 12:29 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] You should not use an on-access virus scanner that
scans the 

 

Hello, 

after updating to 4.0.46 I've got these entries in one of our Mailservers: 

04/17/2007 08:49:18.391 q6de201f80068.smd Virus scanner 1 reports exit code of 0
04/17/2007 08:49:18.391 q6de201f80068.smd 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
04/17/2007 08:49:18.391 q6de201f80068.smd Scanned: Virus Free [MIME: 1 2108]

Yes, I know I should disable the on-access scanner :) 

But: 
- there is a local AVG installed, *without* real-time scanner 
- and ClamAV 
- and nothing else (F-Prot is removed after changing the licensing :) 
so I can't find anything that could delete a virus. 

Could it be a wrong setting from ClamAV (not ClamWin)? 

SCANFILE1 C:\imail\declude\runclamscan.exe log=1
C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt 
VIRUSCODE1 1 
REPORT1 FOUND 
Clam is running with Sanesecurity and malware.com.br signatures. 

Alex 


Siller AG, Wannenäckerstraße 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Jörn Bülow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955 


 




RE: [Declude.Virus] You should not use an on-access virus scanner that scans the ....

2007-04-17 Thread John T \(lists\)
Unfortunately, I am still up, at least for another 15 minutes or so. If you
want to zip and send me a log file I will have a look see.

 

John Tolmachoff

eServices For You

[EMAIL PROTECTED]

(626) 737-6003

Fax (626) 737-6004

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe,
Alexander
Sent: Tuesday, April 17, 2007 1:54 AM
To: declude.virus@declude.com
Subject: AW: [Declude.Virus] You should not use an on-access virus scanner
that scans the 

 

Hello John,

 

1)  86 the read receipt requests! 

Sorry. I'm trying, but sometimes I forget to disable it. 

 

2)  You should be running 4.3.46 at this point due to a problem with a
recent change in AVG. 

Typo, it *is* 4.3.46 

 

3)  Is this happening on every email, or random? 

This morning (after updating) it happened every time; now I can't see any
entries in the log (and we are getting virus mails :)

I'll keep an eye on the logfiles.

 

4)  Since you are only running one virus scanner (aside from the built
in AVG,) I do not think you need to have the number 1 for each line, i.e.
SCANFILE1 and VIRUSCODE1. 

modified (and no entry before and after) 

 

Alex 

 


Siller AG, Wannenäckerstraße 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Jörn Bülow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955 


 




RE: [Declude.Virus] Declude 4.3.46 Release

2007-04-16 Thread John T \(lists\)
Just got off the phone with Tech Support.

A file pcres.dll was not included in the original upgrade executable and if
that file is not in the \Imail directory the decludeproc service will not
start. 

She had to send me the file separately and they will now be changing the
upgrade executable.

John T

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 David Barker
 Sent: Monday, April 16, 2007 11:24 AM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] Declude 4.3.46 Release
 
 Addresses this AVG issue. If you currently only have AVG as your virus
 scanner I would consider this a critical update.
 
 EVA   ADD Improved AVG virus database format for optimization
 EVA   ADD Improved speed of AVG scanning by 15-20%
 EVA   ADD Updated AVG (avgsdk.dll 1.2.449)
 DEC   ADD Updated Commtouch ZEROHOUR (asapsdk.dll 5.03.0013)
 JMFIX Smartermail HELO was being picked up from the headers rather than the envelope
 JMFIX Fixed log entry for PCRE when matching on location SUBJECT
 
 David Barker
 VP Operations  |  Declude
 Your Email Security is our business
 O: 978.499.2933  x7007
 F: 978.988.1311
 E: [EMAIL PROTECTED]
 
 
 
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Hirthe,
 Alexander
 Sent: Monday, April 16, 2007 10:09 AM
 To: declude.virus@declude.com
 Subject: AW: [Declude.Virus] AVG Virus updates - No updates from
 declude
 since 4/7/7
 
 
 Hello Darell,
 
 are you (or David :) sure with the return codes?
 
 I'm getting 0.0.0.1 and these files on both servers:
 
                 Darell        Alex
 incavi.avm   - 4/15/2007  - 4/06/2007
 microavi.avg - 4/5/2007   - 4/05/2007
 miniavg.avg  - 2/16/2007  - 2/16/2007
 avi7.avg     - 2/21/2007  - 21/02/2007
 
 I stopped decludeproc, renamed the AVG files and started decludeproc and I
 got the same files, all from today, but with the same size as before.
 
 Alex
 
 
 
 
 
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Darrell ([EMAIL PROTECTED])
   Sent: Monday, 16 April 2007 14:37
   To: declude.virus@declude.com
   Subject: Re: [Declude.Virus] AVG Virus updates - No updates from
 declude since 4/7/7
 
 
   Honestly, I am not sure what all the individual files are, but here
 are my dates
 
   incavi.avm - 4/15/2007
   microavi.avg - 4/5/2007
   miniavg.avg - 2/16/2007
   avi7.avg - 2/21/2007
 
   Howard - you can try this post from David from the Archive-
   http://www.mail-archive.com/declude.virus@declude.com/msg13473.html
 
   Darrell
 
 ----
   Check out http://www.invariantsystems.com for utilities for Declude
 And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
 MRTG Integration, and Log Parsers.
 
   - Original Message -
   From: Howard Smith (N.O.R.A.D.) mailto:[EMAIL PROTECTED]
   To: declude.virus@declude.com
   Cc: [EMAIL PROTECTED] ; 'David Barker'
 mailto:[EMAIL PROTECTED]
   Sent: Monday, April 16, 2007 6:28 AM
   Subject: [Declude.Virus] AVG Virus updates - No updates
 from
 declude since 4/7/7
 
 
   I have not had a virus update from Declude's AVG built-in scanner
 since 4/6/7. Has anyone received any later updates, or suggestions to fix
 the problem?
 
 
 
 
 
   Howard Smith
 
   N.O.R.A.D. Inc.
 
   P.O. Box 680116
 
   Miami, Florida 33168
 
   www.norad.com
 
   [EMAIL PROTECTED]
 
 
 
 
 
 
 
 Siller AG, Wannenäckerstraße 43, 74078 Heilbronn
 Vorstand: Prof. H.-F. Siller (Vorsitzender), Jörn Bülow, Ralf Michi
 Aufsichtsratsvorsitzender: Armin Sohler
 Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955
 
 
 
 
 
 





RE: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

2007-03-22 Thread John T \(lists\)
Bill, I will be back on in a couple of hours if you are still around and
need help.

John T
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Bill Green dfn Systems
 Sent: Thursday, March 22, 2007 6:15 PM
 To: declude.virus@declude.com
 Subject: Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
 
 Is there an actual set of instructions for a Declude Upgrade for IMail?
 The
 Declude site lists Installation Instructions, but they are for
 SmarterMail.
 The Knowledge Base is no help. Declude Support has gone Home. My
 Upgrade has
 gone horribly wrong and I now seem to have a hybrid monster.
 
 Bill Green
 dfn Systems
 
 - Original Message -
 From: Bill Green dfn Systems [EMAIL PROTECTED]
 To: declude.virus@declude.com
 Sent: Thursday, March 22, 2007 6:31 PM
 Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
 
 
  I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key
  message. According to the Archives, I need to put the Key in the
  declude.cfg file, but what is the correct syntax?
 
  License Key (KEY#) ?
  or
  Product Key (Key#) ?
  or just
  Key # ?
 
  Bill Green
  dfn Systems
 
 



RE: [Declude.Virus] F-Prot Version 6

2007-03-13 Thread John T \(lists\)
As Andrew pointed out, you did not read the fine print.

John T

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Douglas Cohn
 Sent: Tuesday, March 13, 2007 8:50 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] F-Prot Version 6
 
 F-prot is $50 for 10 licenses per year.  $5 per machine per year.  Version 6
 
 Why is that not still reasonable?
 
 Please explain
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
 Bilbee
 Sent: Thursday, February 01, 2007 8:33 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] F-Prot Version 6
 
 Changed when they released the new version. About 3 months back. Check the
 archives of this list. We were complaining about it. We dumped using their
 product and just use the AVG built into Declude.
 
 
 
 Kevin Bilbee
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
  [EMAIL PROTECTED]
  Sent: Thursday, February 01, 2007 3:33 PM
  To: declude.virus@declude.com
  Subject: Re: [Declude.Virus] F-Prot Version 6
 
  When did their licensing change?  F-Prot used to be extremely
  reasonable.
 
  Don
 
  - Original Message -
  From: Kevin Bilbee [EMAIL PROTECTED]
  To: declude.virus@declude.com
  Sent: Wednesday, January 31, 2007 11:14 PM
  Subject: RE: [Declude.Virus] F-Prot Version 6
 
 
   Read the license. It may be compatible but the licensing is
  expensive.
  
  
   Kevin Bilbee
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
   David Dodell
   Sent: Wednesday, January 31, 2007 7:26 PM
   To: Declude.Virus@declude.com
   Subject: [Declude.Virus] F-Prot Version 6
  
   Been using F-Prot version 3 for years ... and now getting notices to
   upgrade to version 6.
  
   Anyone done this yet, and is it still compatible with Declude/Imail,
   etc?
  
   David
  
  



[Declude.Virus] New virus - PiggiA

2007-01-03 Thread John T \(Lists\)
With the extensions listed, does anyone know if the payload is only in the
executables?

W32/Piggi-A is a mass-mailing worm for the Windows platform. 
W32/Piggi-A spreads via email and may pretend: 
- to offer a free gift
- that your myspace, anti-virus, tax, financial or personal details have
been hacked or expired
- that an email you sent failed to deliver
- to be showing you a picture, movie, game, sound or website
- to offer a gambling, casino or poker technique or strategy 
Attached files may contain any of the following extensions: 
- .wav
- .wma
- .mp3
- .rtf
- .html
- .txt
- .gif
- .jpeg
- .com
- .exe


John T
eServices For You

Life is a succession of lessons which must be lived to be understood.
Ralph Waldo Emerson (1802-1882)








RE: [Declude.Virus] How to block an IP

2006-12-25 Thread John T \(Lists\)
Using Imail rules, no! Imail rules are the last to run of all other items.

Exactly what are you intending to do?

John T
eServices For You

Life is a succession of lessons which must be lived to be understood.
Ralph Waldo Emerson (1802-1882)



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J
Porter
 Sent: Monday, December 25, 2006 8:07 PM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] How to block an IP
 
 Is there a way to block an IP address before analysis by Declude's AV
 (Ver 1.82 - Imail 8.x)?
 
 I thought I should be able to do this with rules.ima by looking for a line
 in the header. So I have a line that says
 H~xxx\.yyy\.zz\.
 but it doesn't work. (In case you can't see it, the lines read \. = slash
 dot per Ipswitch docs) I don't think the H~ (header contains) command
 reads everything in the header.
 
 ~Joe
 
 
 



RE: [Declude.Virus] How to block an IP

2006-12-25 Thread John T \(Lists\)
If you want to block IP addresses from any access, your best bet is to use
Imail Control Access list in the SMTP service, that way neither Imail nor
Declude ever have to touch it in the first place.

John T
eServices For You

Life is a succession of lessons which must be lived to be understood.
Ralph Waldo Emerson (1802-1882)



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J
Porter
 Sent: Monday, December 25, 2006 10:30 PM
 To: declude.virus@declude.com
 Subject: Re: [Declude.Virus] How to block an IP
 
 I guess I've forgotten the order in which processes occur. I thought it
 was kill.lst, rules.ima, and then Declude.
 
 I thought I was clear. I want to block certain IP addresses which get
 stopped by Declude AV for a vulnerability. Certain ones are prolific and
 tend to leave a couple of hundred in my virus hold file each day. I want
 to have them deleted so I don't have to deal with them.
 
 They don't get caught by my Declude IP blacklist since they are stopped by
 AV first. It's only about 6 or 8 IP blocks which have never shown a valid
 email in over 2 years.
 
 BTW.. I responded to you off-list on my last subject a few days ago. After
 thinking about it, I didn't think the subject had much place on the
 Declude list.
 
 - Original Message -
 From: John T (Lists) [EMAIL PROTECTED]
 To: declude.virus@declude.com
 Sent: Monday, December 25, 2006 11:38 PM
 Subject: RE: [Declude.Virus] How to block an IP
 
 
 Using Imail rules, no! Imail rules are the last to run of all other items.
 
 Exactly what are you intending to do?
 
 John T
 eServices For You
 
 Life is a succession of lessons which must be lived to be understood.
 Ralph Waldo Emerson (1802-1882)
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J
 Porter
  Sent: Monday, December 25, 2006 8:07 PM
  To: declude.virus@declude.com
  Subject: [Declude.Virus] How to block an IP
 
  Is there a way to block an IP address before analysis by Declude's AV
  (Ver 1.82 - Imail 8.x)?
 
  I thought I should be able to do this with rules.ima by looking for a
  line in the header. So I have a line that says
  H~xxx\.yyy\.zz\.
  but it doesn't work. (In case you can't see it, the lines read \. =
  slash dot per Ipswitch docs) I don't think the H~ (header contains) command
  reads everything in the header.
 
  ~Joe
 
 
 



[Declude.Virus] Posting etiquette

2006-12-22 Thread John T \(Lists\)
Do not use Digital email Signatures when posting to a list.

John T
eServices For You

Life is a succession of lessons which must be lived to be understood.
Ralph Waldo Emerson (1802-1882)









RE: [Declude.Virus] Couldn't rename SMD to SM$ [183]

2006-12-18 Thread John T \(Lists\)
Search for all log lines for that message in both the junkmail and virus
logs to see if there is another error message preceding that.

 

John T

eServices For You

 

Life is a succession of lessons which must be lived to be understood.

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe,
Alexander
Sent: Monday, December 18, 2006 2:54 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Couldn't rename SMD to SM$ [183]

 

Hello,

 

what should this message tell me? :)

-

12/18/2006 23:51:47.687 q1a18019903bb.smd Couldn't rename SMD to SM$ [183].  Priority back to 32. Error String: [Cannot create a file when that file already exists.] [C:\IMail\spool\proc\work\D1a18019903bb.smd] [C:\IMail\spool\proc\work\D1a18019903bb.sm$]
-

and why does it happen?

 

I found it multiple times in the logfile, running declude v4.3.14 with AVG
Built-In and ClamAV.

 

Alex 



RE: [Declude.Virus] Problem after upgrade to Declude 4.3.23

2006-12-17 Thread John T \(Lists\)
Did you put it into the Declude.cfg file?

 

John T

eServices For You

 

Life is a succession of lessons which must be lived to be understood.

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf
Tombe
Sent: Sunday, December 17, 2006 10:53 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Problem after upgrade to Declude 4.3.23

 

I have finally made the move and upgraded Declude to version 4.3.23 (from
version 3.1) but I'm now having trouble getting it to run.  I've used my
product Key listed on my account area of the Declude website for version
4.x; but the Declude process will not start and continually responds with
the error FATAL ERROR: Product license key not in configuration INVALID
KEY.

 

I've double-checked the product key and it appears correct.  I've checked
the Declude Support and on-line help areas but nothing references this
error.  Has anyone else had this problem when upgrading?

 

Wolf



RE: [Declude.Virus] Re: notification stopped? .. now Why GSC

2006-12-07 Thread John T \(Lists\)
What happens if you restart the Queue Manager service?

 

John T

eServices For You

 

Life is a succession of lessons which must be lived to be understood.

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Dodell
Sent: Thursday, December 07, 2006 10:47 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Re: notification stopped? .. now Why GSC

 

-Original Message-
I just realized I haven't been seeing any notifications for the past 
few weeks from my Declude software showing it had stopped a virus.
I checked the virus log on the server, and it shows it is stopping 
several viruses a day.
---

I just checked the spool directory ... there are thousands of GSC files, all
containing the virus notification that I'm looking for.   They are all
addressed to [EMAIL PROTECTED] which is working from tests from outside
email accounts.

Why are the virus notifications getting stuck thousands at a time as GSC
files in the spool directory instead of being delivered?

David



RE: [Declude.Virus] EXE in RAR file

2006-12-06 Thread John T \(Lists\)
RAR files should be treated the same as ZIP files, so unless something has
changed if you have BANZIPEXTS ON and have BANEXT EXE it should be banned.

 

John T

eServices For You

 

Life is a succession of lessons which must be lived to be understood.

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Wednesday, December 06, 2006 7:40 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] EXE in RAR file

 

Does Declude check for banned extension in RAR files?

If not, please add this to the wish list. RAR files are becoming more
popular and it is difficult to ban RAR files.

 

I had an email come in with an .EXE file in a RAR file. So I believe it
doesn't.


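An added illustration (my own code, not Declude's) of the BANEXT / BANZIPEXTS / EZIP behaviour discussed in this thread and in the April 2007 thread above about a password-protected .rar slipping past BANEXT EZIP: each attachment's extension is checked, ZIP and RAR4 attachments have their member list read from the archive headers alone, and encrypted members are held the way EZIP is meant to work. The policy constants, function names and hand-built archives are my assumptions; the RAR4 header layout is the one used by RAR 1.5 to 4.x.

```python
import io
import struct
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed policy, modelled on virus.cfg lines such as "BANEXT EXE".
BANNED_EXTS = {"exe", "com", "scr", "pif"}
BAN_ENCRYPTED = True    # hold archives with encrypted members, as BANEXT EZIP is meant to
RAR4_MARKER = b"Rar!\x1a\x07\x00"
LHD_PASSWORD = 0x0004   # RAR4 file-header flag: member data is encrypted
MHD_PASSWORD = 0x0080   # RAR4 archive-header flag: the headers themselves are encrypted

def extension_of(name):
    """Lower-cased final extension: 'report.txt.exe' and 'patch..exe' both give 'exe'."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def rar4_members(data):
    """Header-only walk of RAR4 blocks returning (member name, encrypted?) pairs."""
    members, pos = [], len(RAR4_MARKER)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break                       # corrupt header: stop rather than loop forever
        add_size = 0
        if htype == 0x73 and flags & MHD_PASSWORD:
            members.append(("<encrypted headers>", True))   # member names unreadable
            break
        if htype == 0x74:               # file header
            pack_size, _u, _os, _c, _t, _v, _m, name_len, _a = \
                struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 32 + (8 if flags & 0x0100 else 0)   # skip HIGH_*_SIZE
            name = data[name_off:name_off + name_len].decode("latin-1")
            members.append((name, bool(flags & LHD_PASSWORD)))
            add_size = pack_size        # packed member data follows the header
        elif flags & 0x8000:            # LONG_BLOCK: 4-byte ADD_SIZE after the header
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        pos += hsize + add_size
        if htype == 0x7B:               # end-of-archive block
            break
    return members

def zip_members(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:   # bit 0 of flag_bits = encrypted
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]

def archive_members(payload):
    """RAR and ZIP are treated alike (BANZIPEXTS ON); other payloads are not opened."""
    if payload.startswith(RAR4_MARKER):
        return rar4_members(payload)
    return zip_members(payload) if payload.startswith(b"PK\x03\x04") else []

def banned_attachments(raw):
    """Reasons the message would be held; an empty list means it passes."""
    reasons = []
    for part in message_from_bytes(raw).walk():
        fname = part.get_filename()
        if not fname:
            continue
        if extension_of(fname) in BANNED_EXTS:
            reasons.append(f"{fname}: banned extension")
            continue
        for member, encrypted in archive_members(part.get_payload(decode=True) or b""):
            if encrypted and BAN_ENCRYPTED:
                reasons.append(f"{fname}: encrypted member {member} (EZIP)")
            elif extension_of(member) in BANNED_EXTS:
                reasons.append(f"{fname}: banned extension inside archive ({member})")
    return reasons

def build_rar4_sample(name, encrypted):
    """Constructed test data: RAR4 bytes with one zero-length member, CRC fields left zero."""
    archive_hdr = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6
    flags = 0x8000 | (LHD_PASSWORD if encrypted else 0)
    file_hdr = struct.pack("<HBHH", 0, 0x74, flags, 32 + len(name))
    file_hdr += struct.pack("<IIBIIBBHI", 0, 0, 0, 0, 0, 29, 0x30, len(name), 0x20) + name
    return RAR4_MARKER + archive_hdr + file_hdr + struct.pack("<HBHH", 0, 0x7B, 0x4000, 7)

def build_zip_sample(name):
    buf = io.BytesIO()                  # constructed test data, member is not a program
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"not a real program")
    return buf.getvalue()

def build_message(attachments):
    msg = MIMEMultipart()               # test message carrying {filename: bytes}
    for name, data in attachments.items():
        part = MIMEApplication(data, Name=name)
        part["Content-Disposition"] = f'attachment; filename="{name}"'
        msg.attach(part)
    return msg.as_bytes()

def demo():
    """Encrypted RAR with an .exe, ZIP with a double-extension .exe, harmless .txt."""
    raw = build_message({"patch.rar": build_rar4_sample(b"patch.exe", encrypted=True),
                         "report.zip": build_zip_sample("report.txt.exe"),
                         "notes.txt": b"plain text"})
    return banned_attachments(raw)
```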

RE: [Declude.Virus] AUTOFORGE

2006-10-27 Thread John T \(Lists\)
 Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME?  Do you need to
have
 both statements in the virus.cfg or is that redundant?

FORGINGVIRUS is in the virus.cfg file and it is to list those viruses that
forge the from address. Then, in your various eml files, you just need to
put in SKIPIFFORGINGVIRUS instead of having to list each
SKIPIFVIRUSNAMEHAS.

John T
eServices For You

Life is a succession of lessons which must be lived to be understood.
Ralph Waldo Emerson (1802-1882)








RE: [Declude.Virus] AUTOFORGE

2006-10-27 Thread John T \(Lists\)
OOPS, brainfart.

John T
eServices For You

Life is a succession of lessons which must be lived to be understood.
Ralph Waldo Emerson (1802-1882)



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
 Steiner
 Sent: Friday, October 27, 2006 5:07 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] AUTOFORGE
 
 I think you meant to say SKIPIFFORGING not SKIPIFFORGINGVIRUS.
 
 
  Original Message 
  From: John T \(Lists\) [EMAIL PROTECTED]
  Sent: Friday, October 27, 2006 7:52 PM
  To: declude.virus@declude.com
  Subject: RE: [Declude.Virus] AUTOFORGE
 
   Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME?  Do you need
to
  have
   both statements in the virus.cfg or is that redundant?
 
  FORGINGVIRUS is in the virus.cfg file and it is to list those viruses
that
  forge the from address. Then, in your various eml files, you just need
to
  put in SKIPIFFORGINGVIRUS instead of having to list each
  SKIPIFVIRUSNAMEHAS.
 
  John T
  eServices For You
 
  Life is a succession of lessons which must be lived to be understood.
  Ralph Waldo Emerson (1802-1882)
 
 
 
 
 



RE: [Declude.Virus] stration work

2006-10-02 Thread John T \(Lists\)
Andrew, wouldn't the second line include the first, meaning only the second
line is needed?

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, October 02, 2006 3:49 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] stration work

Those of us still running F-Prot* as a primary virus scanner will want to add
one or both of these to their virus.cfg in order to block notifications for
detection of the Stration malware:

FORGINGVIRUS W32/Tricky-Malware-based!Maximus
FORGINGVIRUS Tricky-Malware-based!

The first is the most explicit, and the second is a fragment that will catch
future detections that are based on heuristics.

And in the unlikely event that someone is using Trend Micro OfficeScan or
SysClean:

FORGINGVIRUS Possible_Strat-2
FORGINGVIRUS Possible_

Andrew 8)

* The new price is unjustifiably high for using fpcmd on a mailserver. Plan to
switch to a different vendor before you renew this licence.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, October 02, 2006 7:27 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] stration work

It looks like the Stration worm is causing backscatter today:

The W32/Stration.dr virus drops the mass mailing worm W32/[EMAIL PROTECTED]. that uses
its own SMTP engine to send itself to the email addresses that it harvests on
the infected computer. The W32/Stration.dr is written using Microsoft Visual
C++ and also contains functionality to connect to a remote web server to
download a file.

I've added it as a forging virus

FORGINGVIRUS Stration

-
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323

This email message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply email and
destroy all copies of the original message. Although Farm Progress Companies
has taken reasonable precautions to ensure no viruses are present in this
email, the company cannot accept responsibility for any loss or damage arising
from the use of this email or attachments.


RE: [Declude.Virus] New feature needed

2006-08-11 Thread John T \(Lists\)
Sorry, forgot to make an all inclusive list:

To my knowledge, there is no BounceNotify.eml.

JunkMail uses the following eml files ONLY:
SpamAttach.eml

Confirm uses the following eml file ONLY:
Confirm.eml

When EVA finds a vulnerability (list in the EVA manual further down from the
allow section) it uses the following file ONLY:
Vulnerability.eml

When EVA finds a banned attachment and the associated email is not found to
be virus laden or contain a vulnerability, EVA will use the following file
ONLY:
BanNotify.eml

ANY OTHER eml file contained in the \declude directory will be used by EVA
when a virus is found according to parameters within each file. So, if you
have 50 eml files aside from the above specifically mentioned 4, EVA will
try to use all 50 when it finds a virus.

The reason for this along with the original 4 other eml files normally found
(postmaster.eml, otherpostmaster.eml, sender.eml and recipient.eml) was so
that an appropriately worded notice be sent to each respective party as
desired. However, that also allows for plenty of customization. Example, I
have a client that the manager wants a copy of each notice sent. So I have
created 2 specific eml files for that client, one for if the infected email
is incoming and one for if the infected email is outgoing.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
 Steiner
 Sent: Thursday, August 10, 2006 9:05 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New feature needed
 
 But what defines a vulnerability?  Are you referring to the list of vulnerabilities
 associated with the ALLOWVULNERABILITY statement in the EVA manual?  I'm
 confused by the various .eml files Declude provides and how it decides to use them,
 whether EVA or Junkmail.  None of the .eml files that come with Declude have the
 name of a vulnerability.
 
 Here is a list of the E-mail template files that came with the Declude 4.x installation
 and how I guess that they are used (since there doesn't seem to be some centralized
 description/list of what these files are and how they are used):
 
 spamattach.eml - Used by Junkmail when ATTACH action is implemented.
 
 postmaster.eml - Used by EVA to warn the postmaster of the local machine that a
 virus was detected.
 
 BOUNCEnotify.eml - Used by EVA to warn the local sender that his (outgoing) E-mail
 attachment contained a banned extension.
 
 BANnotify.eml - Used by EVA to warn the sender that his (incoming) E-mail
 attachment contained a banned extension.
 
 otherpostmaster.eml - Used by EVA to warn the postmaster of a host that a virus
 came from his server (typically not used due to virus forging).
 
 sender.eml - Used by EVA to warn the sender that an E-mail sent by him was
 detected as a virus (typically not used due to virus forging).
 
 recip.eml - Used by EVA to warn the recipient that Declude detected a virus sent to
 him.
 
 confirm.eml - Used by Declude Confirm
 (http://www.declude.com/Articles.asp?ID=127).  Is this a discontinued product?  If
 not, does it work with SmarterMail?
 
 
 So it seems that most of the files are used by EVA, one by Junkmail and one by
 Confirm.  Does that mean that Junkmail and Confirm only use their one specific .eml
 file and ignore all the others?  If I create a randomly named .eml file, will it only be
 used by EVA?
 
 
 
  Original Message 
  From: John T \(Lists\) [EMAIL PROTECTED]
  Sent: Thursday, August 10, 2006 9:37 PM
  To: declude.virus@declude.com
  Subject: RE: [Declude.Virus] New feature needed
 
  When a vulnerability is detected, it looks for vulnerability.eml only. When
  a virus is detected, it uses any and all .eml files except for
  vulnerability.eml.
 
  So yes, you could do that.
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
   Steiner
   Sent: Thursday, August 10, 2006 4:43 PM
   To: declude.virus@declude.com
   Subject: RE: [Declude.Virus] New feature needed
  
   I was wondering if there might be a work-around for this.  Could a
   combination of multiple .eml files utilizing SKIPIFRECIP work?
  
   I guess the first question is what .eml files does Declude look for when
   it detects a virus?  Does EVA specifically look for a file named recip.eml?  Or
   does it look at all the .eml files in the main Declude directory?
  
   Could you have two files, one called recip-en.eml (English) and one called
   recip-es.eml (Spanish), and then list in those files using SKIPIFRECIP all
   the domains that want the other language?
  
   Gary
  
  
    Original Message 
    From: Goran Jovanovic [EMAIL PROTECTED]
    Sent: Tuesday, June 20, 2006 3:57 PM
    To: declude.virus@declude.com
    Subject: RE: [Declude.Virus] New feature needed
   
    Gary,
   
    I have not even thought of something like

RE: [Declude.Virus] New feature needed

2006-08-10 Thread John T \(Lists\)
When a vulnerability is detected, it looks for vulnerability.eml only. When
a virus is detected, it uses any and all .eml files except for
vulnerability.eml. 

So yes, you could do that.

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
 Steiner
 Sent: Thursday, August 10, 2006 4:43 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New feature needed
 
 I was wondering if there might be a work-around for this.  Could a
 combination of multiple .eml files utilizing SKIPIFRECIP work?
 
 I guess the first question is what .eml files does Declude look for when
 it detects a virus?  Does EVA specifically look for a file named recip.eml?  Or does
 it look at all the .eml files in the main Declude directory?
 
 Could you have two files, one called recip-en.eml (English) and one called
 recip-es.eml (Spanish), and then list in those files using SKIPIFRECIP all the
 domains that want the other language?
 
 Gary
 
 
  Original Message 
  From: Goran Jovanovic [EMAIL PROTECTED]
  Sent: Tuesday, June 20, 2006 3:57 PM
  To: declude.virus@declude.com
  Subject: RE: [Declude.Virus] New feature needed
 
  Gary,
 
  I have not even thought of something like that (since all my customers
  are English speaking) but you are absolutely right.
 
  So David will we be seeing this new feature next week? :)
 
  Goran Jovanovic
  Omega Network Solutions
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
  Gary
   Steiner
   Sent: Tuesday, June 20, 2006 3:24 PM
   To: declude.virus@declude.com
   Subject: re: [Declude.Virus] New feature needed
  
  
   I asked about the possibility of per domain replies several months
  ago.  I
   would hope that it has already been placed on the wish list.
  
   It is especially useful when you have users speaking different
  languages
   and you want to have language specific messages linked to each domain.
  
   Gary
  
  
    Original Message 
From: Goran Jovanovic [EMAIL PROTECTED]
Sent: Tuesday, June 20, 2006 2:30 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New feature needed
   
Hi,
   
   I would like to suggest a new feature to be added to the virus
   notification capabilities.
   
   Right now to notify a recipient that I stopped a virus I have a
   recip.eml file in my main Declude directory. There is another
   recip-vulnerability.eml file that is used if the virus is a
   vulnerability. These two files are all or nothing files. Meaning that
   all recipients for all the domains that I process are in the same file.
   
   I need to be able to specify a per domain recip.eml file. This way I can
   tailor the notifications to each domain as appropriate. These files
   should be in the domain subdirectory along with the $default$.junkfile
   etc.
   
   I am faced with the challenge right now for a single domain to send all
   virus notification to one person only or to stop all notifications to
   that domain. To the best of my knowledge I cannot redirect all the
   notifications to the one person for that domain and to the original
   recipients for all the other domains.
   
   Another feature that should be added to the *.eml files is the ability
   to do a BCC to a monitoring address. This is a good way to monitor what
   is happening with banned files, viruses or whatever notification
   processes we have setup.
   
   So can you please add this to the to do list
   
   Thank you
   
   Goran Jovanovic
   Omega Network Solutions
   
   



[Declude.Virus] Virus in at HTA inside of ZIP seen

2006-07-24 Thread John T \(Lists\)
FYI

By banning potentially malicious extensions, including within zip files, I
caught an email with the FEEBS virus. Per VirusTotal, ClamAV, McCrappy, AVG,
F-Prot is not catching these.

John T
eServices For You

Seek, and ye shall find!








RE: [Declude.Virus] Declude error, not ClamAV error

2006-07-15 Thread John T \(Lists\)
Have you tried running the command line by itself against a file in question
to see what the return code is?

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
 Steiner
 Sent: Friday, July 14, 2006 7:08 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] Declude error, not ClamAV error
 
 I get the error no matter what the virus, Netsky, Bagle, Feebs, even when
 ClamAV detects a phishing attempt the error is there.
 
 
  Original Message 
  From: John T \(Lists\) [EMAIL PROTECTED]
  Sent: Friday, July 14, 2006 9:46 PM
  To: declude.virus@declude.com
  Subject: RE: [Declude.Virus] Declude error, not ClamAV error
 
  In other log lines Declude states it is an invalid/bogus pif file. That
  might explain it.
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Gary
   Steiner
   Sent: Friday, July 14, 2006 2:43 PM
   To: declude.virus@declude.com
   Subject: [Declude.Virus] Declude error, not ClamAV error
  
   Upon further research, the statement Attachment=[Unknown: Err] is
   generated by Declude, not ClamAV.  So does Declude have a problem with ClamAV?
  
  
    Original Message 
    From: Gary Steiner [EMAIL PROTECTED]
    Sent: Friday, July 14, 2006 1:32 PM
    To: declude.virus@declude.com
    Subject: [Declude.Virus] ClamAV error
   
    I recently installed ClamAv as my third scanner after AVG and F-Prot.
    For some reason it indicates an error related to the attachment when it detects
    a virus (Attachment=[Unknown: Err]).  Here is an example from the Declude
    virus log file:
   
    07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
    07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
    07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
    07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
    07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
    07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
    07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
    07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
    07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
    07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
    07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
    07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
    07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
    07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
    07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
   
    It doesn't seem to matter what kind of virus is involved.  Even when
    it detects a phishing attempt you still see the same error.
   
    Here is what I have in the virus.cfg:
   
    SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
    VIRUSCODE2 1
    REPORT2 FOUND
   
    Is anyone else experiencing this, or have any ideas?
   
    Thanks,
   
    Gary
   
   
   
   
   



RE: [Declude.Virus] Declude error, not ClamAV error

2006-07-14 Thread John T \(Lists\)
In other log lines Declude states it is an invalid/bogus pif file. That
might explain it.

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
 Steiner
 Sent: Friday, July 14, 2006 2:43 PM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] Declude error, not ClamAV error
 
 Upon further research, the statement Attachment=[Unknown: Err] is
 generated by Declude, not ClamAV.  So does Declude have a problem with ClamAV?
 
 
  Original Message 
  From: Gary Steiner [EMAIL PROTECTED]
  Sent: Friday, July 14, 2006 1:32 PM
  To: declude.virus@declude.com
  Subject: [Declude.Virus] ClamAV error
 
  I recently installed ClamAv as my third scanner after AVG and F-Prot.
  For some reason it indicates an error related to the attachment when it detects a
  virus (Attachment=[Unknown: Err]).  Here is an example from the Declude virus
  log file:
 
  07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
  07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
  07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
  07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
  07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
  07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
  07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
  07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
  07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
  07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
  07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
  07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
  07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
  07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
  07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
 
  It doesn't seem to matter what kind of virus is involved.  Even when it
  detects a phishing attempt you still see the same error.
 
  Here is what I have in the virus.cfg:
 
  SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
  VIRUSCODE2 1
  REPORT2 FOUND
 
  Is anyone else experiencing this, or have any ideas?
 
  Thanks,
 
  Gary
 
 
 
 
 
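The Declude log lines quoted in this thread, together with the FORGINGVIRUS and SKIPIFFORGING discussion in the AUTOFORGE and stration threads above, modelled in Python as an added example (not Declude's code): it groups log lines by message id, flags scanners that reported Attachment=[Unknown: Err], and decides whether a sender notice should go out under a FORGINGVIRUS list. The sample log, the addresses and the Netsky entry are constructed; case-insensitive substring matching for FORGINGVIRUS fragments is an assumption.

```python
"""Parse Declude virus-log lines and apply a FORGINGVIRUS list.

Added example, not Declude's own code. The log format follows the lines
quoted in this thread (date, time, message id, free text); the sample log,
the addresses and the Netsky entry in FORGING are constructed.
"""
import re
from dataclasses import dataclass, field

# One Declude virus-log line: date, time, message id, then free text.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$")
FLAGS_RE = re.compile(r"^Vulnerability flags = (\d+)$")
BAN_RE = re.compile(r"^Banning file with (\S+) extension")
EXIT_RE = re.compile(r"^Virus scanner (\d+) reports exit code of (\d+)$")
# e.g. "Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I"
SCANNER_RE = re.compile(
    r"^Scanner (\d+): Virus= (\S+) Attachment=(.+?) \[(\d+)\] ([IO])$")
VERDICT_RE = re.compile(r"^Scanned: (.+?)(?: \[|$)")


@dataclass
class Detection:
    scanner: int
    virus: str
    attachment: str
    direction: str  # trailing I/O flag; assumed to mean incoming/outgoing


@dataclass
class MessageReport:
    msg_id: str
    vulnerability_flags: int = 0
    banned_extensions: list = field(default_factory=list)
    exit_codes: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)
    verdict: str = ""


def parse_log(text):
    """Group log lines by message id and pull out the fields we act on."""
    reports = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a wrapped continuation line
        _date, _time, msg_id, body = m.groups()
        rep = reports.setdefault(msg_id, MessageReport(msg_id))
        if (f := FLAGS_RE.match(body)):
            rep.vulnerability_flags = int(f.group(1))
        elif (b := BAN_RE.match(body)):
            rep.banned_extensions.append(b.group(1))
        elif (e := EXIT_RE.match(body)):
            rep.exit_codes[int(e.group(1))] = int(e.group(2))
        elif (s := SCANNER_RE.match(body)):
            rep.detections.append(
                Detection(int(s.group(1)), s.group(2), s.group(3), s.group(5)))
        elif (v := VERDICT_RE.match(body)):
            rep.verdict = v.group(1)
    return reports


def attachment_errors(rep):
    """Scanners whose detection could not be tied to an attachment
    (the Attachment=[Unknown: Err] case discussed in this thread)."""
    return [d.scanner for d in rep.detections
            if d.attachment.startswith("[Unknown")]


def matches_forging(virus_name, forging):
    """FORGINGVIRUS entries treated as case-insensitive substrings, so a
    fragment such as 'Possible_' also covers later heuristic names (assumed)."""
    name = virus_name.lower()
    return any(entry.lower() in name for entry in forging)


def notify_sender(rep, forging):
    """Whether a sender notice (an eml carrying SKIPIFFORGING) should go out:
    only when a virus was found and no reported name is a known forger."""
    if not rep.detections:
        return False
    return not any(matches_forging(d.virus, forging) for d in rep.detections)


# FORGINGVIRUS entries from this page plus a constructed Netsky entry.
FORGING = ["Tricky-Malware-based!", "Possible_", "Stration", "Netsky"]

# Constructed sample log modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/Netsky.D@mm Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
07/13/2006 19:32:19.718 366626185 From: a@example.invalid To: b@example.invalid [incoming from 192.0.2.10]
07/11/2006 10:16:50.727 qdcfa012a008d.smd Vulnerability flags = 64
07/11/2006 10:16:51.274 qdcfa012a008d.smd Virus scanner 1 reports exit code of 0
07/11/2006 10:16:51.274 qdcfa012a008d.smd Scanned: Virus Free [UU: 1 0][MIME: 2 17360]
"""

if __name__ == "__main__":
    for rep in parse_log(SAMPLE_LOG).values():
        print(rep.msg_id, rep.verdict, "attachment errors:",
              attachment_errors(rep), "notify sender:",
              notify_sender(rep, FORGING))
```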



[Declude.Virus] Odd lines in Declude Virus log.

2006-07-11 Thread John T \(Lists\)
Declude 4.2.12 for Imail 9.10 preview2 on Windows Server 2003

This is my new server currently being fully configured and tested before
going into production. I have one domain live on it right now, my personal
domain. 

I have uu files blocked in the virus.cfg file, so the following log lines
strike me as odd, especially since there was no attachment on this message.
Can someone explain what this means about the uu file?

07/11/2006 10:16:50.727 qdcfa012a008d.smd Vulnerability flags = 64
07/11/2006 10:16:50.727 qdcfa012a008d.smd uu file:  the wrong question. What's the first step to reinventing [S:\Spool\proc\work\Ddcfa012a008d.vir\1_1.]
07/11/2006 10:16:51.274 qdcfa012a008d.smd Virus scanner 1 reports exit code of 0
07/11/2006 10:16:51.274 qdcfa012a008d.smd Scanned: Virus Free [UU: 1 0][MIME: 2 17360]

John T
eServices For You

Seek, and ye shall find!








RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T \(Lists\)
Back to the matter indicated in the subject line, how are others dealing
with this?

Is F-Prot and AVG and others catching this now?

Which AV scanners are indeed catching it?

Now for the bigger question: How do we combat this and future such versions
without outright blocking of the file extension? We all know that relying
on users to not open attachments is problematic.

John T
eServices For You

Seek, and ye shall find!







RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T \(Lists\)
Sure it is not some form of the Pebcak virus, Andrew? 

Sorry, couldn't resist. I needed the laugh.

;-)

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Colbeck,
 Andrew
 Sent: Wednesday, June 28, 2006 2:26 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
 Importance: Low
 
 I don't know where that  character in front of my From sentence came
 from.  The first character on that line should have been an F.
 
 It must be some kind of weird auto-quoting software; that character is
 not in the email that I sent.
 
 Andrew 8)
 







RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
Is the word document only named that?

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
 Gufler
 Sent: Tuesday, June 27, 2006 11:32 AM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
 
 Some of us have noted in the past two hours that messages with a zip-file as
 attachment have passed our virus filters
 
 It's a zip-file containing a MS Word Document named my_notebook.doc
 
 Most Virus-Scanners can't catch it. Virustotal has returned only two
 scanners with positive results
 
 Sophos has found WM97/Kukudro-A
 UNA has found a Macro Virus
 
 No other AV-Engine has caught the suspicious file.
 
 We've added the following lines to our virus.cfg in order to block as much
 as we can at the moment.
 
 BANNAME prices.zip
 BANNAME apple_prices.zip
 BANNAME sony_prices.zip
 BANNAME hp_prices.zip
 BANNAME dell_prices.zip
 BANNAME My_Notebook.doc
 
 Regards
 Markus
 
 
 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
 Gufler
 Sent: Tuesday, June 27, 2006 3:10 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
 
 As I know yes but
 
 BANNAME my_notebook.doc
 
 wouldn't work for files within zip-archives.
 
 Markus
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
  Behalf Of John T (Lists)
  Sent: Tuesday, June 27, 2006 11:48 PM
  To: declude.virus@declude.com
  Subject: RE: [Declude.Virus] New Virus: zipped word doc with
  Macro-Virus
 
  Is the word document only named that?
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
   Markus Gufler
   Sent: Tuesday, June 27, 2006 11:32 AM
   To: declude.virus@declude.com
   Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
  
    Some of us have noted in the past two hours that messages with a
    zip-file as attachment have passed our virus filters
   
    It's a zip-file containing a MS Word Document named my_notebook.doc
   
    Most Virus-Scanners can't catch it. Virustotal has returned only two
    scanners with positive results
   
    Sophos has found WM97/Kukudro-A
    UNA has found a Macro Virus
   
    No other AV-Engine has caught the suspicious file.
   
    We've added the following lines to our virus.cfg in order to block as
    much as we can at the moment.
  
   BANNAME prices.zip
   BANNAME apple_prices.zip
   BANNAME sony_prices.zip
   BANNAME hp_prices.zip
   BANNAME dell_prices.zip
   BANNAME My_Notebook.doc
  
   Regards
   Markus
  
  
  



RE: [Declude.Virus] Testing the Boards

2006-04-27 Thread John T \(Lists\)
PPPOONNGGG!

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of David Barker
 Sent: Thursday, April 27, 2006 6:22 AM
 To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
 Subject: [Declude.Virus] Testing the Boards
 
 PING
 


RE: [Declude.Virus] url file extensions

2006-04-11 Thread John T \(Lists\)
You nor I nor Declude nor any one knows where that leads to. You can not
scan the destination for a url. 

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Nick Hayer
 Sent: Tuesday, April 11, 2006 12:10 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] url file extensions
 
 I've been asked to remove the block I have on these - and since I have
 forgotten why I am blocking them. Is there a valid reason to block
 these?
 
 Thanks in advance
 
 -Nick


RE: [Declude.Virus] url file extensions

2006-04-11 Thread John T \(Lists\)
Yep, exactly what I meant. I ban them as there is no way to scan them (Although
Bill says ClamAV can do it) to know what they are going to lead to.

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 1:09 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] url file extensions

Hi John,

I was referring to file attachments that had a .url extension - I have that
extension banned in my virus.cfg and wondered why - 

-Nick

John T (Lists) wrote: 

You nor I nor Declude nor any one knows where that leads to. You can not
scan the destination for a url.

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I've been asked to remove the block I have on these - and since I have
forgotten why I am blocking them. Is there a valid reason to block these?

Thanks in advance

-Nick







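The thread above asks whether there is still a reason to keep .url attachments banned, and John's answer is that nobody at the gateway knows where the shortcut leads. What a gateway can do is at least read where the shortcut points, so that a link to a web page and a link to a file share are not treated the same. The following Python script is an added example, not Declude's code and not something any poster supplied: it parses the INI-style .url body, extracts the URL= target from the [InternetShortcut] section and returns a verdict. The sample attachments are constructed for the demo and the verdict names and the WEB_SCHEMES policy are this example's own assumptions.

```python
"""Added example (not Declude's code): read a .url attachment and report where
it points, so a ban on the extension can be reasoned about rather than guessed."""
from urllib.parse import urlsplit

# Illustrative policy, not from the thread: plain web links are 'expected',
# anything reaching a local or UNC path gets a stronger verdict.
WEB_SCHEMES = {"http", "https"}


def shortcut_target(text: str):
    """Return the URL= value from the [InternetShortcut] section, or None.

    .url files are INI-style text. Other sections (icon settings, the shell
    property GUID block) are ignored; the first URL= in the right section wins.
    """
    section = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()      # tolerate a UTF-8 BOM on the first line
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "url":
            return value.strip()
    return None


def classify_shortcut(text: str) -> dict:
    """Summarise a .url body: target, scheme, host and a verdict.

    verdict is one of 'no-target', 'web', 'file-or-unc', 'other-scheme'.
    """
    target = shortcut_target(text)
    if target is None:
        return {"target": None, "scheme": None, "host": None, "verdict": "no-target"}
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme in WEB_SCHEMES:
        verdict = "web"
    elif scheme == "file" or target.startswith("\\\\"):
        verdict = "file-or-unc"                   # shortcut to a file share: an executable can sit there
    else:
        verdict = "other-scheme"
    return {"target": target, "scheme": scheme or None, "host": parts.hostname, "verdict": verdict}


# Constructed sample attachments for the demo (not taken from the list archive).
SAMPLES = {
    "bookmark.url": "[InternetShortcut]\r\nURL=http://www.example.com/news\r\nIconIndex=0\r\n",
    "invoice.url": ("[{000214A0-0000-0000-C000-000000000046}]\r\nProp3=19,2\r\n"
                    "[InternetShortcut]\r\nURL=file://fileserver/public/invoice.exe\r\n"),
    "empty.url": "[InternetShortcut]\r\nIconFile=C:\\icons\\x.ico\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} {classify_shortcut(body)}")
```

The verdict only says what kind of place the shortcut opens; it does not fetch or scan the destination, which is exactly the part a mail scanner cannot do. A gateway policy could pass 'web' shortcuts and hold the rest for review, or keep the blanket ban and use the target in the notification so the recipient knows what was dropped.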

RE: [Declude.Virus] Updates from Declude

2006-03-08 Thread John T \(Lists\)
Fine, make a guy feel guilty.

Ok, I am over it now. ;)

I'll get to it tonight.

I promise.

I think.

;-)

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
 Sent: Wednesday, March 08, 2006 9:47 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Updates from Declude

 Is anyone else using confirm and can let me know if it is working for you
 now or not? I know John is busy and may not have had time to try it yet and
 Declude is not responding.

 Thanks,
 Grant Griffith
 Web Application Developer
 Enhanced Telecommunications Corp.
 (812)932-1000

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
 Sent: Monday, March 06, 2006 8:06 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Updates from Declude

 Sounds good John, was just curious if you were still seeing the issue also.

 Thanks,
 Grant Griffith
 Web Application Developer
 Enhanced Telecommunications Corp.
 (812)932-1000

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Friday, March 03, 2006 5:27 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Updates from Declude

 No I have not tested lately. I have been extremely busy this week. I will
 try on Saturday.

 John T
 eServices For You

 Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
 Sent: Friday, March 03, 2006 5:38 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Updates from Declude

 Barry,

 Wasn't the confirm issue supposed to be resolved in this version? I just
 tested it and it still does not subscribe the user after they confirm by
 replying to the message?!?!

 John, have you tried this yet with the same results?

 Thanks,
 Grant Griffith
 Web Application Developer
 Enhanced Telecommunications Corp.
 (812)932-1000

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Thursday, March 02, 2006 5:04 PM
 To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
 Subject: [Declude.Virus] Updates from Declude

 Product Naming

 After considering all the choices we have decided to rename the new product
 Declude Security Suite. I will be notifying the winner(s) of the competition
 shortly.

 Declude Security Suite for IMail

 We have now released additional versions of the software for different
 levels of IMail and these can be found at
 http://www.declude.com//Purchase.asp?cat=13

 As usual if anyone has questions please contact me and we will do our best
 to answer.

 Barry
 [EMAIL PROTECTED]
 Office: (978) 499-2933
 Cell: (978) 853-9593


RE: [Declude.Virus] Updates from Declude

2006-03-03 Thread John T \(Lists\)
No I have not tested lately. I have been extremely busy this week. I will try
on Saturday.

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
 Sent: Friday, March 03, 2006 5:38 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Updates from Declude

 Barry,

 Wasn't the confirm issue supposed to be resolved in this version? I just
 tested it and it still does not subscribe the user after they confirm by
 replying to the message?!?!

 John, have you tried this yet with the same results?

 Thanks,
 Grant Griffith
 Web Application Developer
 Enhanced Telecommunications Corp.
 (812)932-1000

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Thursday, March 02, 2006 5:04 PM
 To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
 Subject: [Declude.Virus] Updates from Declude

 Product Naming

 After considering all the choices we have decided to rename the new product
 Declude Security Suite. I will be notifying the winner(s) of the competition
 shortly.

 Declude Security Suite for IMail

 We have now released additional versions of the software for different
 levels of IMail and these can be found at
 http://www.declude.com//Purchase.asp?cat=13

 As usual if anyone has questions please contact me and we will do our best
 to answer.

 Barry
 [EMAIL PROTECTED]
 Office: (978) 499-2933
 Cell: (978) 853-9593


[Declude.Virus] New Virus?

2006-02-25 Thread John T \(Lists\)
Seeing HQX, BHX and UUEs being blocked this morning.

John T
eServices For You

Seek, and ye shall find!



---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]



RE: [Declude.Virus] New Virus?

2006-02-25 Thread John T \(Lists\)
Upon further investigation and uploading to VirusTotal, these are a group
that came in from one IP that had corrupted/incomplete file attachments and
were non-viable Kapser viruses.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of John T (Lists)
 Sent: Saturday, February 25, 2006 9:04 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] New Virus?
 
 Seeing HQX, BHX and UUEs being blocked this morning.
 
 John T
 eServices For You
 
 Seek, and ye shall find!
 
 
 


RE: [Declude.Virus] Encoded viruses...worried

2006-02-16 Thread John T \(Lists\)
I have been blocking them for about 2 weeks now and the only legit one caught
was a file sent to a Mac user. They followed the instructions in my policy and
resent it without problem.

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
 Sent: Thursday, February 16, 2006 12:26 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Encoded viruses...worried

 I'm curious. Are people banning BHX, HQX, UUE, UU, and MIM since the
 Kapser/Blackmal.E/MyWife.d virus hit? If so have you seen any negative
 effects from doing this. I'm thinking of blocking them as well.

 Mark Reimer
 IT Project Manager
 American CareSource
 214-596-2464

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Tuesday, January 31, 2006 7:37 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Encoded viruses...worried

 Matt, are you saying the attachment as Declude would see it is B64, UU, UUE,
 MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those
 for now?

 John T
 eServices For You

 Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
 Sent: Tuesday, January 31, 2006 4:50 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Encoded viruses...worried

 Someone just reported to me that MyWife.d (McAfee)/Kapser.A
 (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that
 will overwrite a bunch of files. It's really nasty. More can be found at
 these links:

  http://isc.sans.org/diary.php?storyid=1067
  http://vil.nai.com/vil/content/v_138027.htm

 This started hitting my system on the 17th, possibly seeded through Yahoo!
 Groups. The problem is that it often sent encoded attachments in BinHex
 (BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm
 not sure that Declude is decoding all of these to see what is inside. For
 instance, I found that some BHX files that clearly contained an executable
 payload showed up in my Virus logs like so:

  01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
  01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

 There was no mention about the payload inside of it, and there almost
 definitely was. The same attachment name with the same length was repeatedly
 detected as a virus later on that day. This likely was a PIF file inside,
 though it could also have been a JPG according to the notes on this virus.
 I, like most of us here, don't allow PIFs to be sent through our system, but
 when the PIF is encoded in at least BinHex format, it gets past this type of
 protection.

 Here's the conundrum. This mechanism could be exploited just like the Zip
 files were by the Sober writers and continually seeded, but instead of
 requiring some of us to at least temporarily block Zips with executables
 inside, an outbreak of continually seeded variants with executables within
 one of these standard encoding mechanisms would cause us to have to block
 all such encodings. I therefore think it would be prudent for Declude to
 support banned extensions within any of these encoding mechanisms if it
 doesn't already. I readily admit that this could be a lot of work, but it
 could be very bad if this mechanism becomes more common. This particular
 virus is so destructive that a single copy could cause severe damage to
 one's enterprise. I cross my fingers hoping that none of this would be
 necessary, but that's not enough to be safe.

 Matt

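Matt's log excerpt in the message above shows the problem precisely: the scanner logs the outer name (Attachments001.BHX), so a banned-extension list keyed on attachment names never sees the .pif inside. BinHex 4.0 carries the original filename in its own small header, which can be recovered without caring what the payload is. The following Python script is an added example, not Declude's or F-Prot's code, and nothing in the thread says how either product handles BinHex: it decodes the stream (the 64-character alphabet, run-length expansion, header and data-fork CRCs) far enough to read the inner name and applies an illustrative banned list of this example's own. The encoder at the bottom exists only to build a constructed sample attachment; real .hqx files from the wild may use RLE compression, which the decoder handles but the sample encoder does not emit.

```python
"""Added example (not Declude's or F-Prot's code): decode a BinHex 4.0 (.hqx/.bhx)
attachment far enough to recover the inner filename, so a banned-extension
policy can be applied to what is inside rather than to the outer '.BHX'."""
import binascii
import struct

ALPHABET = "!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
DECODE = {c: i for i, c in enumerate(ALPHABET)}
RUNCHAR = 0x90                                    # BinHex run-length marker
BANNER = "(This file must be converted with BinHex"
BANNED = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs"}   # illustrative list, not Declude's


def sixbit_decode(encoded: str) -> bytes:
    """Map the 64-character BinHex alphabet back to bytes; line breaks are skipped."""
    acc = nbits = 0
    out = bytearray()
    for ch in encoded:
        if ch in "\r\n":
            continue
        if ch not in DECODE:
            raise ValueError(f"illegal BinHex character {ch!r}")
        acc, nbits = (acc << 6) | DECODE[ch], nbits + 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def rle_decode(data: bytes) -> bytes:
    """Expand BinHex RLE: 'xx 90 nn' means nn copies of xx; '90 00' is a literal 0x90."""
    out, i = bytearray(), 0
    while i < len(data):
        b, i = data[i], i + 1
        if b != RUNCHAR:
            out.append(b)
        elif i >= len(data):
            raise ValueError("truncated run-length marker")
        else:
            count, i = data[i], i + 1
            if count == 0:
                out.append(RUNCHAR)
            elif out:
                out.extend(bytes([out[-1]]) * (count - 1))
            else:
                raise ValueError("run-length marker with no preceding byte")
    return bytes(out)


def parse_binhex(text: str) -> dict:
    """Return the inner name, Mac type/creator and data fork; a bad CRC raises."""
    banner_at = text.find(BANNER)
    start = text.find(":", max(banner_at, 0))   # ':' opens the stream, ':' closes it
    end = text.rfind(":")
    if start < 0 or end <= start:
        raise ValueError("no BinHex stream delimiters found")
    raw = rle_decode(sixbit_decode(text[start + 1:end]))
    name_len = raw[0]
    name = raw[1:1 + name_len].decode("latin-1")
    pos = 2 + name_len                            # past length byte, name and version byte
    ftype, creator, _flags, dlen, _rlen, hcrc = struct.unpack(">4s4sHIIH", raw[pos:pos + 20])
    if binascii.crc_hqx(raw[:pos + 18], 0) != hcrc:
        raise ValueError("header CRC mismatch")
    pos += 20
    data = raw[pos:pos + dlen]
    (dcrc,) = struct.unpack(">H", raw[pos + dlen:pos + dlen + 2])
    if binascii.crc_hqx(data, 0) != dcrc:
        raise ValueError("data fork CRC mismatch")
    return {"name": name, "type": ftype, "creator": creator, "data": data}


def inner_extension(text: str) -> str:
    name = parse_binhex(text)["name"]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def banned_inside(text: str, banned=BANNED) -> bool:
    """The check to run on a .BHX/.HQX attachment instead of trusting its outer name."""
    return inner_extension(text) in banned


# --- Encoder: used only to build a constructed sample for the demo ---
def sixbit_encode(data: bytes) -> str:
    acc = nbits = 0
    out = []
    for b in data:
        acc, nbits = (acc << 8) | b, nbits + 8
        while nbits >= 6:
            nbits -= 6
            out.append(ALPHABET[(acc >> nbits) & 0x3F])
            acc &= (1 << nbits) - 1
    if nbits:
        out.append(ALPHABET[(acc << (6 - nbits)) & 0x3F])
    return "".join(out)


def make_binhex(name: str, data: bytes, ftype=b"APPL", creator=b"????") -> str:
    header = bytes([len(name)]) + name.encode("latin-1") + b"\0" + struct.pack(">4s4sHII", ftype, creator, 0, len(data), 0)
    raw = header + struct.pack(">H", binascii.crc_hqx(header, 0))
    raw += data + struct.pack(">H", binascii.crc_hqx(data, 0))
    raw += struct.pack(">H", 0)                   # empty resource fork; CRC of nothing is 0
    rle = raw.replace(bytes([RUNCHAR]), bytes([RUNCHAR, 0]))   # escape 0x90 only, no compression
    body = sixbit_encode(rle)
    return BANNER + " 4.0)\r\n\r\n:" + "\r\n".join(body[i:i + 64] for i in range(0, len(body), 64)) + ":\r\n"


if __name__ == "__main__":
    # Constructed sample: a 'photo.pif' stub wrapped in BinHex, as a gateway would see Attachments001.BHX.
    sample = make_binhex("photo.pif", b"MZ\x90\x00" + b"\0" * 40)
    print("inner name:", parse_binhex(sample)["name"], "banned:", banned_inside(sample))
```

Two caveats a gateway implementer should keep. The inner name is attacker-controlled just like the outer one, so the content-sniffing Declude already does ("mismatched extensions ... assuming .exe" in Markus's log lines later in this thread) still matters once the data fork is out. And BinHex is only one of the encodings Matt lists; uuencode and MIME-in-MIME each carry their own filename field and need their own small decoder.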

RE: [Declude.Virus] Encoded viruses...worried

2006-02-01 Thread John T \(Lists\)
Andrew, the output ended up being 255 characters long and then wrapping.

How do I do this so each find is on a separate line for reading?

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
 Sent: Tuesday, January 31, 2006 6:35 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Encoded viruses...worried

 On the plus side, there are mitigating circumstances...

 First, let me point out that although the antivirus companies will lag
 behind the virus authors, the antivirus guys aren't sleeping.

 For many years, the bad guys have been using encoding methods and 3rd party
 applications to obfuscate their software as a cheaper alternative on their
 time than writing polymorphic code whose very technique gave them away.

 PKLite was probably the first 3rd party tool used. I've recently seen PAK,
 UPX and FSG... all three of which were caught by F-Prot because the
 antivirus guys simply make signatures for the binary itself, and don't
 bother including unpacking methods for all possible compression/encryption
 methods. This explains why we have relatively few upgrades on the engines
 themselves.

 The F-Prot documentation mentions (I think) only zip decoding, but we know
 that it certainly does UPX and RAR decoding based on issues that have been
 raised with each (for the former, pathetic speed and for the latter, a
 buffer overflow).

 If you want to see what your virMMDD.log might reveal about this latest
 malware this month and what attachments you're seeing anyway, try this:

  egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log

 (if you don't want the filename, stick a -h parameter and a space before
 that first quotation mark)

 By doing this, against my virMMDD.log I just discovered that F-Prot decodes
 BHX and HQX attachments too.

 By doing something similar against my nightly virus-scan-the-spam-folder
 logs I also discovered that I have zero non-viral messages using the
 unconventional attachment formats in the last two months. You can take that
 as an indication that it's okay to ban those formats if you wish, but I'll
 warn that I have a pretty homogeneous Windows user base.

 ... and that's a wrap for tonight.

 Andrew 8)

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
 Sent: Tuesday, January 31, 2006 6:04 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Encoded viruses...worried

 John, the other formats are common (or, were common) on Macintosh and Unix
 based systems for binary attachments and for attached messages. Eudora for
 Windows used to expose several of these formats for message construction.

 They've fallen into disuse in favour of MIME attachments, but they are
 still extant.

 Blocking messages containing those attachment formats may be reasonable for
 you if you're doing postmaster alerts and can check whether you've found
 false positives.

 Like Matt, I'm somewhat worried that this technique will become as common a
 nuisance as encrypted zips. Until recently, I've put my faith in the
 combination of Declude unpacking the attachments (I've assumed MIME encoding
 only) and F-Prot's packed and server options to otherwise do message
 decoding before virus scanning.

 I've been watching for copies of Blackworm that might be caught on my system
 so that I can check if Declude+F-Prot would catch these other packing
 formats, but no luck so far (or rather, I've had the good luck to receive so
 few copies in so few formats).

 Andrew 8)

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Tuesday, January 31, 2006 5:44 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Encoded viruses...worried

 Actually, I am already blocking hqx and uue so I went and added the others
 and will see what happens.

 John T
 eServices For You

 Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Tuesday, January 31, 2006 5:37 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Encoded viruses...worried

 Matt, are you saying the attachment as Declude would see it is B64, UU, UUE,
 MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those
 for now?

 John T
 eServices For You

 Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
 Sent: Tuesday, January 31, 2006 4:50 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Encoded viruses...worried

 Someone just reported to me that MyWife.d (McAfee)/Kapser.A
 (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that
 will overwrite a bunch of files. It's really nasty. More can be found at
 these links:

  http://isc.sans.org/diary.php?storyid=1067
  http://vil.nai.com/vil/content/v_138027.htm

This started hitting my

RE: [Declude.Virus] Encoded viruses...worried

2006-02-01 Thread John T \(Lists\)
Did a search on all logs for January. Found 337 hits, all HQX files. All but
2 were viruses, and those 2 had suspicious looking from addresses and I am
assuming were unviable corrupt versions of viruses.

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Wednesday, February 01, 2006 6:40 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Encoded viruses...worried

 I've grepped through the logfiles for the last 7 days on my servers.

 2981 lines have sources of \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME (ignoring
 double counts for the second AV scanner).

 After filtering out all lines containing Kapser and Mywife there remain the
 following 4 lines:

  01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
  01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
  01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
  01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]

 This looks very promising that Declude is already handling it in order to
 catch malicious code inside such attachments.

 Note: the 4th line is listed due to the MIME

 Markus

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
 Sent: Wednesday, February 01, 2006 3:19 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Encoded viruses...worried

 You know, I was going to ask if you would do a search, but I figured you
 might do it anyway :) You did leave out the .uue extension, but I doubt
 that would have changed your results.

 I suppose that if these extensions aren't hardly ever used anymore, it might
 be prudent enough to just watch for the possibility of the tactic to become
 widespread and then take action.

 I do have a fair number of Mac users and probably more overseas traffic than
 you do, so I think that I am going to have to search a little on my own.
 Unfortunately I zip all of my logs nightly, so it isn't practical to search
 through all of them.

 Matt

 Colbeck, Andrew wrote:

  On the plus side, there are mitigating circumstances...

  First, let me point out that although the antivirus companies will lag
  behind the virus authors, the antivirus guys aren't sleeping.

  For many years, the bad guys have been using encoding methods and 3rd party
  applications to obfuscate their software as a cheaper alternative on their
  time than writing polymorphic code whose very technique gave them away.

  PKLite was probably the first 3rd party tool used. I've recently seen PAK,
  UPX and FSG... all three of which were caught by F-Prot because the
  antivirus guys simply make signatures for the binary itself, and don't
  bother including unpacking methods for all possible compression/encryption
  methods. This explains why we have relatively few upgrades on the engines
  themselves.

  The F-Prot documentation mentions (I think) only zip decoding, but we know
  that it certainly does UPX and RAR decoding based on issues that have been
  raised with each (for the former, pathetic speed and for the latter, a
  buffer overflow).

  If you want to see what your virMMDD.log might reveal about this latest
  malware this month and what attachments you're seeing anyway, try this:

   egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log

  (if you don't want the filename, stick a -h parameter and a space before
  that first quotation mark)

  By doing this, against my virMMDD.log I just discovered that F-Prot decodes
  BHX and HQX attachments too.

  By doing something similar against my nightly virus-scan-the-spam-folder
  logs I also discovered that I have zero non-viral messages using the
  unconventional attachment formats in the last two months. You can take
  that as an indication that it's okay to ban those formats if you wish, but
  I'll warn that I have a pretty homogeneous Windows user base.

  ... and that's a wrap for tonight.

  Andrew 8)

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
  Sent: Tuesday, January 31, 2006 6:04 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Encoded viruses...worried

  John, the other formats are common (or, were common) on Macintosh and Unix
  based systems for binary attachments and for attached messages. Eudora for
  Windows used to expose several of these formats for message construction.

  They've fallen into disuse in favour of MIME attachments, but they are
  still extant.

  Blocking messages containing those attachment formats may be reasonable
  for you if you're doing postmaster alerts and can check whether you've
  found false positives.

Like Matt
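
Andrew's egrep in the previous message and Markus's log excerpt in this one come down to the same triage: pick out the log lines whose attachment name carries one of the unusual encodings, and tally them. John's complaint that the egrep output ran to 255 columns and wrapped goes away once each hit is reduced to the fields that matter. The following Python script is an added example, not Declude's code or its log specification: the two regexes are modelled on the "MIME file:" and "Found file with mismatched extensions" line shapes quoted in this thread and are an assumption about the format, and the sample log is constructed for the demo.

```python
"""Added example (not Declude's code or log specification): triage Declude
virMMDD.log lines for attachments in the encodings discussed in this thread,
one compact line per hit, with a per-extension tally."""
import re
from collections import Counter

# Andrew's egrep list plus .UUE, which Matt noted it left out.
WATCH = {"BHX", "HQX", "B64", "UU", "UUE", "MIM", "MME"}

# Line shapes are modelled on the log excerpts quoted in the thread; they are an
# assumption about the log format, not something Declude documents here.
_TS = r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d(?:\.\d+)?) (?P<qid>\S+) "
MIME_RE = re.compile(_TS + r"MIME file: (?P<rest>.*)$")
MISMATCH_RE = re.compile(_TS + r"Found file with mismatched extensions \[(?P<name>[^\]]*)\]; assuming (?P<assumed>\S+)")
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,4})(?![A-Za-z0-9])")


def ext_tokens(name: str) -> set:
    """Every extension-like token in a logged name, upper-cased, e.g. {'BHX', 'TXT'}."""
    return {t.upper() for t in EXT_RE.findall(name)}


def parse_line(line: str):
    """Return a record for a MIME-file or mismatched-extension line, else None."""
    m = MIME_RE.match(line)
    if m:
        rest = m.group("rest")
        if rest.startswith("["):                  # body part with no filename, e.g. [text/html][7bit; ...]
            return None
        name, _, meta = rest.partition(" [")
        return {"ts": m.group("ts"), "qid": m.group("qid"), "kind": "mime",
                "name": name, "exts": ext_tokens(name), "detail": meta.rstrip("]")}
    m = MISMATCH_RE.match(line)
    if m:
        name = m.group("name")
        return {"ts": m.group("ts"), "qid": m.group("qid"), "kind": "mismatch",
                "name": name, "exts": ext_tokens(name), "detail": "assumed " + m.group("assumed")}
    return None


def find_hits(lines, watch=WATCH) -> list:
    """Records whose logged name mentions one of the watched encodings."""
    hits = []
    for line in lines:
        rec = parse_line(line.rstrip("\r\n"))
        if rec and rec["exts"] & watch:
            hits.append(rec)
    return hits


def tally(hits, watch=WATCH) -> dict:
    """Count hits per watched extension (a name mentioning two counts once for each)."""
    counts = Counter()
    for rec in hits:
        counts.update(rec["exts"] & watch)
    return dict(counts)


def format_hit(rec, watch=WATCH) -> str:
    """One short line per hit: timestamp, queue id, kind, watched extension(s), name."""
    exts = ",".join(sorted(rec["exts"] & watch))
    return f"{rec['ts']:<23} {rec['qid']:<22} {rec['kind']:<8} {exts:<7} {rec['name'][:40]}"


# Constructed sample log, in the line shapes quoted by Matt and Markus (not a real server's log).
SAMPLE_LOG = """\
01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/16/2006 06:02:11 Q7741EFB6011C4FA2 MIME file: report.zip [base64; Length=20011 Checksum=77123]
01/17/2006 09:15:03 Q7741EFB6011C5010 MIME file: Attachments00.HQX [base64; Length=134042 Checksum=8624521]
01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment []
"""

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(format_hit(rec))
    print("tally:", tally(hits))
```

Run it against real logs with something like `find_hits(open(path, encoding="latin-1"))` per file; the queue id in each record is what you need to pull the message from the virus folder for the kind of manual check John and Markus describe. Because the tally is keyed on the watched extension rather than the whole name, the same attachment name at different lengths still counts separately, which is what you want when deciding whether a ban would have hit anything legitimate.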

RE: [Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread John T \(Lists\)
I am using viruscode 8 and it is not blocking password protected zips. I
think like Markus said it is looking for a combination of a password
protected zip, and executable and the phrase he listed. 

Markus, did that attachment have an executable within the zip file?

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Matt
 Sent: Tuesday, January 31, 2006 10:02 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
 
 Markus,
 
 I believe that this is something that several of us railed against and
 tried to get F-Prot to change.  Formerly no known viruses would be
 tagged with an exit code of 8, but then they suddenly started tagging
 some known viruses this way, essentially requiring us to add that code
 in for detection.  The downside of this is that this exit code also
 blocks things like encrypted zips.  It was a real shame.
 
 It's worth checking to see if F-Prot is tagging more recent known
 viruses with exit code 8 because if they are no longer doing this, I
 would assume that turning it off would be wise so long as you had two
 virus scanners running.
 
 Note that I'm not dismissing your primary intention of pointing out the
 FP issue with virus scanning and a way to deal with it.
 
 Matt
 
 
 
 Markus Gufler wrote:
 
 Today I've had a message held as a false positive (unknown virus exit
 code 8)
 
 F-Prot seems to end with this exit code if there is attached a password
 protected zip file and in the body is something like
 
 password: .
 
 This message was definitively no false positive and so I requeued it.
 
 I've noted it due to the low number of postmaster virus warnings I receive
 because they are sent to me only if the detected virus is not a forging
 one. Fortunately this legit message wasn't deleted from the virus folder
 between thousands of unwanted Netskys and Sobers.
 
 Markus


RE: [Declude.Virus] F-Prot exit code 8 and body content

2006-01-31 Thread John T \(Lists\)
Markus, even though I know others have said they can not do this; I am
blocking any zip, including ezips that have an executable within them.

All of my clients know this and I have a published policy on it which
includes instructions on what to do if you must get these through.

As such, IMHO, this issue is fine. Others' mileage may vary.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Markus Gufler
 Sent: Tuesday, January 31, 2006 10:39 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
 
 Matt, John,
 
 F-Prot is not catching simple e-zips. I supposed it was the password
 string in the mail body. Now after an additional test it turned out that
 F-Prot is exiting with code 8 if there is an attached e-zip containing .exe
 files. The mail body seems not to interfere with F-Prot's result.
 
 This is a problem for those who need to allow any extensions in zip files.
 
 Maybe we can ask F-Prot if they can change the signatures to catch only exe
 in ezips if they are larger than ...
 Usually legit ezips should be much larger than 100 kByte.
 
 I wouldn't remove exit code 8 from my configuration because most of the
 outbreaks in the last year were caught by this exit code before any
 AV scanner had updated signatures.
 
 Markus
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Tuesday, January 31, 2006 7:17 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
 
  I am using viruscode 8 and it is not blocking password
  protected zips. I think like Markus said it is looking for a
  combination of a password protected zip, and executable and
  the phrase he listed.
 
  Markus, did that attachment have an executable within the zip file?
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
   -Original Message-
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
   On Behalf Of Matt
   Sent: Tuesday, January 31, 2006 10:02 AM
   To: Declude.Virus@declude.com
   Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
  
   Markus,
  
   I believe that this is something that several of us railed
  against and
   tried to get F-Prot to change.  Formerly no known viruses would be
   tagged with an exit code of 8, but then they suddenly
  started tagging
   some known viruses this way, essentially requiring us to
  add that code
   in for detection.  The downside of this is that this exit code also
   blocks things like encrypted zips.  It was a real shame.
  
   It's worth checking to see if F-Prot is tagging more recent known
   viruses with exit code 8 because if they are no longer
  doing this, I
   would assume that turning it off would be wise so long as
  you had two
   virus scanners running.
  
   Note that I'm not dismissing your primary intention of pointing out
   the FP issue with virus scanning and a way to deal with it.
  
   Matt
  
  
  
   Markus Gufler wrote:
  
   Today I've had a message hold as false positive (unknown
  virus exit
  code
   8)
   
   F-Prot seems ending with this exit code if there is attached a
   password protected zip file and in the body is something like
   
   password: .
   
   This message was definitively no false positive and so I
  requeued it.
   
   I've noted it due the low number of postmaster virus warnings I
   receive because they are send to me only if the detected
  virus is not
   a forging
  one.
   Fortunately this legit message wasn't deleted from the virus folder
  between
   thousands of unwanted netsky's and sober's.
   
   Markus
   

RE: [Declude.Virus] Encoded viruses...worried

2006-01-31 Thread John T \(Lists\)
Matt, are you saying the attachment as Declude would see it is B64, UU, UUE,
MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for
now?

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
 Sent: Tuesday, January 31, 2006 4:50 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Encoded viruses...worried

 Someone just reported to me that MyWife.d (McAfee)/Kapser.A
 (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that
 will overwrite a bunch of files. It's really nasty. More can be found at
 these links:

  http://isc.sans.org/diary.php?storyid=1067
  http://vil.nai.com/vil/content/v_138027.htm

 This started hitting my system on the 17th, possibly seeded through Yahoo!
 Groups. The problem is that it often sent encoded attachments in BinHex
 (BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm
 not sure that Declude is decoding all of these to see what is inside. For
 instance, I found that some BHX files that clearly contained an executable
 payload showed up in my Virus logs like so:

  01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
  01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

 There was no mention about the payload inside of it, and there almost
 definitely was. The same attachment name with the same length was repeatedly
 detected as a virus later on that day. This likely was a PIF file inside,
 though it could also have been a JPG according to the notes on this virus.
 I, like most of us here, don't allow PIFs to be sent through our system, but
 when the PIF is encoded in at least BinHex format, it gets past this type of
 protection.

 Here's the conundrum. This mechanism could be exploited just like the Zip
 files were by the Sober writers and continually seeded, but instead of
 requiring some of us to at least temporarily block Zips with executables
 inside, an outbreak of continually seeded variants with executables within
 one of these standard encoding mechanisms would cause us to have to block
 all such encodings. I therefore think it would be prudent for Declude to
 support banned extensions within any of these encoding mechanisms if it
 doesn't already. I readily admit that this could be a lot of work, but it
 could be very bad if this mechanism becomes more common. This particular
 virus is so destructive that a single copy could cause severe damage to
 one's enterprise. I cross my fingers hoping that none of this would be
 necessary, but that's not enough to be safe.

 Matt

RE: [Declude.Virus] Encoded viruses...worried

2006-01-31 Thread John T \(Lists\)









Actually, I am already blocking hqz and uue so I went and added the others and will see what happens.

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:37 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Matt, are you saying the attachment as Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for now?

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 31, 2006 4:50 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Encoded viruses...worried

Someone just reported to me that MyWife.d
(McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month
payload that will overwrite a bunch of files. It's really nasty.
More can be found at these links:

 http://isc.sans.org/diary.php?storyid=1067
 http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo!
Groups. The problem is that it often sent encoded attachments in BinHex
(BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not
sure that Declude is decoding all of these to see what is inside. For instance,
I found that some BHX files that clearly contained an executable payload,
showed up in my Virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
 01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64;
Length=134042 Checksum=8624521]

There was no mention about the payload inside of it,
and there almost definitely was. The same attachment name with the same
length was repeatedly detected as a virus later on that day. This likely was
a PIF file inside, though it could also have been a JPG according to the notes on
this virus. I, like most of us here, don't allow PIF's to be sent through
our system, but when the PIF is encoded in at least BinHex format, it gets past
this type of protection.

Here's the conundrum. This mechanism could be exploited just like the Zip
files were by the Sober writers and continually seeded, but instead of
requiring some of us to at least temporarily block Zips with executables
inside, an outbreak of continually seeded variants with executables within one
of these standard encoding mechanisms would cause us to have to block all such
encodings. I therefore think it would be prudent for Declude to support
banned extensions within any of these encoding mechanisms if it doesn't
already. I readily admit that this could be a lot of work, but it could
be very bad if this mechanism becomes more common. This particular virus
is so destructive that a single copy could cause severe damage to one's enterprise.
I cross my fingers hoping that none of this would be necessary, but that's not
enough to be safe.

Matt
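As an added illustration of the point Matt makes above (example code written for this archive page; not something Matt posted and not Declude's own code), here is a Python check that looks inside a uuencoded (.uu/.uue) or base64 (.b64) wrapper attachment before deciding whether it is banned. A .uue wrapper carries the real filename in its "begin" line, while a raw .b64 file carries no name at all, so that payload is sniffed by its leading bytes. The banned-extension list, the sample "PIF" (four header bytes plus zeros, not a program) and the attachment names are constructed for the demo; BinHex (.bhx/.hqx) and the MIM/MME wrappers Matt also lists are not decoded here.

```python
import base64
import binascii
import re

# Constructed policy for the demo: extensions to ban, and wrapper extensions
# that merely encode some other file (the real name or type is inside).
BANNED_EXTS = {"pif", "exe", "scr", "com", "bat", "hta"}
UU_WRAPPERS = {"uu", "uue"}
B64_WRAPPERS = {"b64"}

# Content sniffing for payloads whose wrapper carries no filename (.b64).
MAGIC = [(b"MZ", "exe"), (b"PK\x03\x04", "zip"), (b"\xff\xd8\xff", "jpg")]


def ext_of(name):
    """Lower-cased extension of a filename, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def sniff_ext(payload):
    """Guess a file type from its leading bytes, ignoring any claimed name."""
    for magic, ext in MAGIC:
        if payload.startswith(magic):
            return ext
    return ""


def decode_uuencode(text):
    """Return (inner_filename, payload) from a uuencoded body, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^begin\s+[0-7]{3,4}\s+(\S.*)$", line)
        if not m:
            continue
        payload = bytearray()
        for body in lines[i + 1:]:
            if body.startswith("end"):
                break
            if body.strip() in ("", "`"):   # blank or zero-length data line
                continue
            try:
                payload += binascii.a2b_uu(body.encode("ascii", "replace"))
            except binascii.Error:
                return None                 # corrupt line: undecodable
        return m.group(1).strip(), bytes(payload)
    return None


def effective_extensions(name, data):
    """All extensions a banned-extension rule should consider for one
    attachment: the outer one plus whatever a uuencode/base64 wrapper hides.
    'undecodable' marks a wrapper that could not be opened."""
    outer = ext_of(name)
    exts = {outer}
    if outer in UU_WRAPPERS:
        inner = decode_uuencode(data.decode("ascii", "replace"))
        if inner is None:
            exts.add("undecodable")
        else:
            inner_name, payload = inner
            exts.add(ext_of(inner_name))    # the name in the 'begin' line
            exts.add(sniff_ext(payload))    # and what the bytes say it is
    elif outer in B64_WRAPPERS:
        try:
            exts.add(sniff_ext(base64.b64decode(data)))
        except (binascii.Error, ValueError):
            exts.add("undecodable")
    exts.discard("")
    return exts


def is_banned(name, data, hold_undecodable=True):
    """Policy: ban on any effective extension; hold undecodable wrappers."""
    exts = effective_extensions(name, data)
    if "undecodable" in exts:
        return hold_undecodable
    return bool(exts & BANNED_EXTS)


# --- constructed samples: stubs only, the "PIF" is a header plus zeros ---
FAKE_PIF = b"MZ\x90\x00" + b"\x00" * 60
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def uuencode(name, payload):
    """Build a uuencoded wrapper of the kind a mail client saves as .uue."""
    out = [f"begin 644 {name}\n".encode()]
    for i in range(0, len(payload), 45):
        out.append(binascii.b2a_uu(payload[i:i + 45]))
    out.append(b"`\nend\n")
    return b"".join(out)


SAMPLE_UUE = uuencode("readme.pif", FAKE_PIF)
SAMPLE_B64 = base64.encodebytes(FAKE_PIF)       # line-wrapped, like a .b64 file
SAMPLE_JPG_UUE = uuencode("photo.jpg", FAKE_JPG)

if __name__ == "__main__":
    for fname, blob in [("Attachments001.uue", SAMPLE_UUE),
                        ("Attachments001.b64", SAMPLE_B64),
                        ("holiday.uue", SAMPLE_JPG_UUE)]:
        print(fname, sorted(effective_extensions(fname, blob)),
              "BANNED" if is_banned(fname, blob) else "ok")
```

The outer-name check alone sees only "uue" or "b64" and passes both samples; the decoded view sees "pif"/"exe" and bans them, while the wrapped JPEG still passes.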


RE: [Declude.Virus] Another day, another Bagle

2006-01-25 Thread John T (Lists)
Just got this from Sophos:

http://www.sophos.com/virusinfo/analyses/trojbagledlbj.html

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Colbeck, Andrew
 Sent: Wednesday, January 25, 2006 10:14 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Another day, another Bagle
 
 F-Secure reports in their blog that another round of Bagle is starting
 up.  No details yet.
 
 
 Andrew 8)
 
 
 
 
 
 ---
 [This E-mail was scanned for viruses by Declude EVA www.declude.com]
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.



RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread John T (Lists)
But if we are cycling the held viruses on an x-day basis (my cycle is 5
days), why would that be needed?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Markus Gufler
 Sent: Wednesday, January 25, 2006 2:37 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 Maybe someone has already requested it:
 
 Why not allow commands like
 
 DELETEVIRUSNAME Netsky
 DELETEVIRUSNAME Bagle
 ...
 
 in the virus.cfg file?
 
 I won't and can't delete all viruses on our server because there is always
 the possibility that a scanner is catching something as suspicious or
 generic.
 
 But commands to delete certain virus names should be very easy to implement
 and allow us to eliminate 95% of all held viruses on our servers.
 
 Markus
 


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread John T (Lists)
As a workaround until and if Declude adds the requested feature, you could
write a script to search the files on a timed basis for a phrase (virus
name) and have it delete them.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Markus Gufler
 Sent: Wednesday, January 25, 2006 3:27 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 
  But if we are cycling the held viruses on a x day basis, (my
  cycle is 5
  days,) why would that be needed?
 
 5 days x 2 viruses x 2 (d & q-file) = 200k files
 Around 99% of these files contain the same 5 types of malware that are
 stored, moved and defragmented unnecessarily.
 
 I asked only because as I understand it should be very easy and
 unproblematic to add such a feature.
 
 Markus
 
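The script John T suggests, written out as an added example for this archive page (not code from John T, Markus or Declude): it scans the hold directory for files whose head contains one of the configured names and deletes the matching message together with its partner file. It assumes IMail-style spool pairs named Dxxxx.SMD / Qxxxx.SMD, assumes the detecting scanner's name appears somewhere in the held file (the X-Virus-Name header in the fixture is invented for the demo), refuses to delete anything that resolves outside the hold directory, and does a dry run unless told otherwise.

```python
import tempfile
from pathlib import Path

# Names Markus wanted a DELETEVIRUSNAME for; matched case-insensitively as a
# substring of the first HEAD_BYTES of each held file.
DELETE_NAMES = ("Netsky", "Bagle")
HEAD_BYTES = 64 * 1024


def matching_name(path, names=DELETE_NAMES):
    """Return the first configured name found in the head of the file, or None."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES).lower()
    for name in names:
        if name.lower().encode() in head:
            return name
    return None


def spool_pair(path):
    """Assumed IMail spool naming: Dxxxx.SMD (message) pairs with Qxxxx.SMD (queue).
    Returns the files to remove together; unknown names are returned alone."""
    stem = path.name[1:]
    if path.name[:1].upper() == "D":
        return (path, path.with_name("Q" + stem))
    if path.name[:1].upper() == "Q":
        return (path.with_name("D" + stem), path)
    return (path,)


def purge_by_name(hold_dir, names=DELETE_NAMES, dry_run=True):
    """Delete every D/Q pair in hold_dir whose content names one of `names`.
    Returns the file names that were (or, with dry_run, would be) removed."""
    hold_dir = Path(hold_dir).resolve()
    removed = []
    for path in sorted(hold_dir.iterdir()):
        if (not path.is_file() or path.suffix.upper() != ".SMD"
                or path.name in removed):
            continue
        if matching_name(path, names) is None:
            continue
        for victim in spool_pair(path):
            # never follow a symlink or a crafted name out of the hold directory
            if victim.resolve().parent != hold_dir or not victim.is_file():
                continue
            if not dry_run:
                victim.unlink()
            removed.append(victim.name)
    return sorted(removed)


def build_fixture(folder):
    """Constructed hold directory: one Netsky pair, one generic-detection pair.
    The X-Virus-Name header is invented for the demo, not a Declude header."""
    folder = Path(folder)
    (folder / "D1A2B3.SMD").write_bytes(b"X-Virus-Name: W32/Netsky.P@mm\r\n\r\nbody")
    (folder / "Q1A2B3.SMD").write_bytes(b"H bounce@example.invalid\r\n")
    (folder / "D4C5D6.SMD").write_bytes(b"X-Virus-Name: Suspicious.Generic\r\n\r\nbody")
    (folder / "Q4C5D6.SMD").write_bytes(b"H someone@example.invalid\r\n")


def demo():
    """Dry run, then the real purge, on a throwaway copy of the fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        planned = purge_by_name(tmp)                 # dry run: nothing touched
        untouched = sorted(p.name for p in Path(tmp).iterdir())
        deleted = purge_by_name(tmp, dry_run=False)
        left = sorted(p.name for p in Path(tmp).iterdir())
    return planned, untouched, deleted, left


if __name__ == "__main__":
    planned, untouched, deleted, left = demo()
    print("would delete:", planned)
    print("after dry run:", untouched)
    print("deleted:", deleted)
    print("left:", left)
```

The generic detection survives on purpose, which is the case Markus says he cannot delete blindly; only files naming a listed family go, and both halves of the pair go together so no orphaned Q file is left for the server to re-read.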


RE: [Declude.Virus] Virus Feebs variant warning

2006-01-25 Thread John T (Lists)

Why not catch it with less resources via banning hta files and BANZIPEXTS and BANEZIPEXTS?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Wednesday, January 25, 2006 4:56 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Virus Feebs variant warning

I just got a message from a gmail account (forged) with a data.zip attached. It has a hta file inside.

subject: Secure Mail
The body says:

ID: 46271
Password: zgbvndwdx

Message is attached.

Sincerely,
Protected Mail System,
Gmail.com

Using virustotal.com it is only caught by very few companies.

This is a report processed by VirusTotal on 01/26/2006 at 01:38:32 (CET) after scanning the file data.zip.

Antivirus           Version         Update      Result
AntiVir             6.33.0.77       01.25.2006  no virus found
Avast               4.6.695.0       01.25.2006  no virus found
AVG                 718             01.25.2006  Worm/Feebs
Avira               6.33.0.77       01.25.2006  no virus found
BitDefender         7.2             01.26.2006  no virus found
CAT-QuickHeal       8.00            01.25.2006  no virus found
ClamAV              devel-20051123  01.26.2006  no virus found
DrWeb               4.33            01.25.2006  Win32.HLLM.Graz
eTrust-InoculateIT  23.71.60        01.25.2006  no virus found
eTrust-Vet          12.4.2056       01.25.2006  Win32/Feeb!ZIP
Ewido               3.5             01.25.2006  no virus found
Fortinet            2.54.0.0        01.26.2006  JS/Feebs.fam-mm
F-Prot              3.16c           01.25.2006  no virus found
Ikarus              0.2.59.0        01.25.2006  no virus found
Kaspersky           4.0.2.24        01.25.2006  Worm.Win32.Feebs.gen
McAfee              4682            01.25.2006  no virus found
NOD32v2             1.1380          01.25.2006  JS/TrojanDownloader.Tivso.gen
Norman              5.70.10         01.25.2006  JS/[EMAIL PROTECTED]
Panda               9.0.0.4         01.25.2006  no virus found
Sophos              4.01.0          01.25.2006  no virus found
Symantec            8.0             01.26.2006  W32.Feebs
TheHacker           5.9.3.081       01.26.2006  no virus found
UNA                 1.83            01.25.2006  no virus found
VBA32               3.10.5          01.25.2006  no virus found

F-Prot, McAfee, ClamAV are not catching it.

meanwhile I am banning it via the body of the email, catching
Protected Mail System
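One way to do what John T's BANZIPEXTS/BANEZIPEXTS suggestion above aims at for Luis's data.zip (and what the Sober.X exchange further down this page switches on with BANEZIPEXTS ON / BANZIPEXTS ON in Virus.cfg): a walk over a zip attachment that names every member, recurses into nested zips, and treats what it cannot inspect (an encrypted member, nesting that is too deep, a member too large to inflate, something that is not a zip at all) as grounds to hold. This is example code added to this archive page, not Declude's code, and it makes no claim about how those directives are implemented; the extension list, the depth and size limits, and the data.zip / mail.zip fixtures (the .hta is an inert stub) are constructed for the demo, and the "encrypted" fixture only flips the header flag bit.

```python
import io
import zipfile

# Constructed policy for the demo.
BANNED_EXTS = {"exe", "pif", "scr", "com", "bat", "hta", "vbs"}
MAX_DEPTH = 3                        # how many zips-in-zips to follow
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything bigger (zip bombs)
HOLD_UNSCANNABLE = True              # encrypted / corrupt / too deep => hold


def ext_of(name):
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def walk_zip(data, path="", depth=0):
    """Yield (member_path, verdict) for every file in the archive, descending
    into nested zips. Verdicts: ok, banned:<ext>, encrypted, too-large,
    too-deep, not-a-zip."""
    if depth > MAX_DEPTH:
        yield path, "too-deep"
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        yield path, "not-a-zip"
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            ext = ext_of(info.filename)
            if info.flag_bits & 0x1:           # general-purpose bit 0: encrypted
                yield member, "encrypted"      # nothing to inspect without the password
            elif info.file_size > MAX_MEMBER_BYTES:
                yield member, "too-large"
            elif ext in BANNED_EXTS:
                yield member, f"banned:{ext}"
            elif ext == "zip":
                yield from walk_zip(zf.read(info), member, depth + 1)
            else:
                yield member, "ok"


def zip_verdict(data):
    """('hold'|'pass', findings) for one attachment that claims to be a zip."""
    findings = list(walk_zip(data))
    problems = [v for _, v in findings if v != "ok"]
    if not HOLD_UNSCANNABLE:
        problems = [v for v in problems if v.startswith("banned:")]
    return ("hold" if problems else "pass"), findings


# --- constructed fixtures -------------------------------------------------
def make_zip(members):
    """In-memory zip (stored, not deflated) with the given name -> bytes members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Fixture helper only: set the 'encrypted' flag bit in every local and
    central header so the unscannable path can be exercised without a real
    password-protected archive. The data itself is not encrypted."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 1)
    return bytes(buf)


def make_nested(levels, inner_name="deep.exe"):
    """A zip holding `inner_name`, wrapped in `levels` further zips."""
    blob = make_zip({inner_name: b"MZ"})
    for i in range(levels):
        blob = make_zip({f"l{i}.zip": blob})
    return blob


HTA_STUB = b"<html><script>/* constructed stub, no payload */</script></html>"
DATA_ZIP = make_zip({"message.hta": HTA_STUB})                    # like the Feebs data.zip
MAIL_ZIP = make_zip({"data.zip": DATA_ZIP, "readme.txt": b"hi"})  # zip inside zip
CLEAN_ZIP = make_zip({"report.txt": b"quarterly numbers"})
LOCKED_ZIP = mark_encrypted(make_zip({"invoice.doc": b"x" * 40}))

if __name__ == "__main__":
    for label, blob in [("data.zip", DATA_ZIP), ("mail.zip", MAIL_ZIP),
                        ("clean.zip", CLEAN_ZIP), ("locked.zip", LOCKED_ZIP),
                        ("deep.zip", make_nested(5))]:
        print(label, *zip_verdict(blob))
```

An outer extension check sees only "zip" for every one of these; the walk is what turns data.zip into "message.hta, banned:hta", and the hold-on-unscannable policy is what keeps a password-protected Bagle-style archive from sailing through as clean.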


RE: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?

2006-01-20 Thread John T (Lists)

Well, neither the HELO nor the IP received from looks to be anything from AOL.

I would say it is a virus.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Thursday, January 19, 2006 11:51 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?

Hello,

I got a mail.zip from AOL Encrypted Messaging Service, including a .hta file with encrypted content. Doesn't look good to me :)

Has anyone else seen this mail?
Does anyone know DadaMail?

---

Received: from thbafiqcm.com [217.198.112.101] by siller.de with ESMTP
  (SMTPD-8.22) id A9DB33088; Thu, 19 Jan 2006 19:26:35 +0100
Date: Thu, 19 Jan 2006 19:28:38 +0100
From: [EMAIL PROTECTED]
X-Mailer: DadaMail 2.1
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Suspect Mail]Encrypted Message Service
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=ABCD6E90
X-Antivirus: avast! (VPS 0603-3, 18.01.2006), Outbound message
X-Antivirus-Status: Clean
X-OriginalArrivalTime: 19 Jan 2006 18:36:26.0852 (UTC) FILETIME=[419F3240:01C61D27]

--ABCD6E90
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--ABCD6E90
Content-Type: application/x-zip-compressed; name=mail.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=mail.zip

--ABCD6E90--

---

Alex


RE: [Declude.Virus] Sober.X Variant

2006-01-05 Thread John T (Lists)
Is this what you are seeing?

http://www.sophos.com/virusinfo/analyses/w32feebsa.html

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of JT
 Sent: Thursday, January 05, 2006 6:44 AM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] Sober.X Variant
 
 Has anyone seen an influx of this virus come through? I've upgraded to
 the latest F-Prot and it seems like it still sneaking through. Although
 the Z variant is being stopped by F-prot. Any light that could be shed
 on this would be greatly appreciated.
 
 Also I've tried setting up ClamAV for Windows on our imail server as a
 scanner. I've got it to scan but it randomly generated an exit code of
 50. Does anyone know what exit code 50 from ClamAV means?
 
 Thanks,
 JT
 


RE: [Declude.Virus] Sober.X Variant

2006-01-05 Thread John T (Lists)
That means you are not blocking banned extensions within zip files?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of JT
 Sent: Thursday, January 05, 2006 8:45 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Sober.X Variant
 
 What I am experiencing is that the server lets the virus go through the
 system. It scans and result is clean, the end user gets the email and
 their Symantec Enterprise snags it and tags it as [EMAIL PROTECTED]
 
 On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:
  Is this what you are seeing?
 
  http://www.sophos.com/virusinfo/analyses/w32feebsa.html
 
  John T
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
   On Behalf Of JT
   Sent: Thursday, January 05, 2006 6:44 AM
   To: declude.virus@declude.com
   Subject: [Declude.Virus] Sober.X Variant
  
   Has anyone seen an influx of this virus come through? I've upgraded to
   the latest F-Prot and it seems like it still sneaking through.
Although
   the Z variant is being stopped by F-prot. Any light that could be shed
   on this would be greatly appreciated.
  
   Also I've tried setting up ClamAV for Windows on our imail server as a
   scanner. I've got it to scan but it randomly generated an exit code of
   50. Does anyone know what exit code 50 from ClamAV means?
  
   Thanks,
   JT
  


RE: [Declude.Virus] Sober.X Variant

2006-01-05 Thread John T (Lists)
Are you using the correct switches for F-Prot?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of JT
 Sent: Thursday, January 05, 2006 12:49 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Sober.X Variant
 
 Andrew,
 
 I suspected that but we'll see my results. I did what John suggested and
 I also have ClamAV and F-Prot running simultaneously. Doing this has
 seemed to cut down the Sober.Xs completely but now I have a customer
 complaining that trojan.lodear and sober.l variant is getting through, I
 haven't investigated yet but I'll keep you posted.
 
 JT
 
 On Thu, 2006-01-05 at 11:31 -0800, Colbeck, Andrew wrote:
  I just saw two today.  This may not be what you're seeing, JT, but here
  goes:
 
  What I saw were two broken Sober.X messages that were bounced with the
  original message (the viral message) truncated.  F-Prot didn't trigger
  on the broken attachment and the bounce didn't trigger my custom filters
  to weed out junk bounces.
 
  The messages made it into my internal mail system, where they were
  caught by Trend Micro ScanMail for Exchange.  When I looked up the
  details on the virus that was named, the alias matched the Symantec name
  for the virus.
 
  Given that it was broken, I regard this as a spam issue, and not a case
  of F-Prot failing to detect the damaged Sober virus.  If I can get the
  original, I'll submit to F-Prot anyway in the hope that they will come
  with a signature.
 
  Andrew 8)
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of JT
   Sent: Thursday, January 05, 2006 10:39 AM
   To: Declude.Virus@declude.com
   Subject: RE: [Declude.Virus] Sober.X Variant
  
   John,
  
   Thanks for the help!
  
   Regards,
   JT
  
   On Thu, 2006-01-05 at 09:31 -0800, John T (Lists) wrote:
Into the Virus.cfg file:
   
BANEZIPEXTS ON
BANZIPEXTS  ON
   
John T
eServices For You
   
   
 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of JT
 Sent: Thursday, January 05, 2006 9:20 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Sober.X Variant

 John,

 What do I need to do to block banned extensions within zip files

 Thanks,
 JT

 On Thu, 2006-01-05 at 09:14 -0800, John T (Lists) wrote:
  That means you are not blocking banned extensions
   within zip files?
 
  John T
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
   On Behalf Of JT
   Sent: Thursday, January 05, 2006 8:45 AM
   To: Declude.Virus@declude.com
   Subject: RE: [Declude.Virus] Sober.X Variant
  
    What I am experiencing is that the server lets the virus go through the
    system. It scans and result is clean, the end user gets the email and
    their Symantec Enterprise snags it and tags it as [EMAIL PROTECTED]
  
   On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:
Is this what you are seeing?
   
http://www.sophos.com/virusinfo/analyses/w32feebsa.html
   
John T
eServices For You
   
   
 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of JT
 Sent: Thursday, January 05, 2006 6:44 AM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] Sober.X Variant

  Has anyone seen an influx of this virus come through? I've upgraded to
  the latest F-Prot and it seems like it still sneaking through. Although
  the Z variant is being stopped by F-prot. Any light that could be shed
  on this would be greatly appreciated.

  Also I've tried setting up ClamAV for Windows on our imail server as a
  scanner. I've got it to scan but it randomly generated an exit code of
  50. Does anyone know what exit code 50 from ClamAV means?

 Thanks,
 JT


[Declude.Virus] Another round of Bagle?

2005-12-22 Thread John T (Lists)
Looks like another round of Bagle is starting?

John T
eServices For You





[Declude.Virus] Virus Feebsa

2005-12-19 Thread John T (Lists)
Great news, not. Any one know if F-Prot or AVG or BitDefender is catching
this yet?

http://www.sophos.com/virusinfo/analyses/w32feebsa.html

John T
eServices For You





RE: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-15 Thread John T (Lists)
www.virustotal.com

This is a very small e-mail, the D file being only 11 kb.

Some of the small AV companies are reporting it as a Bagle variant and
F-Prot is reporting it as MitGlieder.GU although it is not catching it on
the server.

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Goran Jovanovic
 Sent: Thursday, December 15, 2005 7:26 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Where to send exe's to check if they are a virus?
 
 Hi,
 
 I am getting a bunch of exe in zip files being banned right now. I have
 grabbed one of them it is called marie.zip and has a single exe in it
 called s3700020.exe and when you put it on your desktop is has the
 standard jpeg icon associated with it.
 
 My F-Prot, McAfee and Symantec scanners are not finding a virus. Where
 is the place that you can send it to and have it checked out by a ton of
 virus scanners?
 
 Thanx
 
 Goran Jovanovic
 Omega Network Solutions


RE: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-15 Thread John T (Lists)
Uh, keyboard virus?

;)

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Goran Jovanovic
 Sent: Thursday, December 15, 2005 7:53 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Where to send exe's to check if they are a
virus?
 
 I tried www.totalvirus.com and it is an ad site.
 
 Thank you
 
 Goran Jovanovic
 Omega Network Solutions
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.Virus-
  [EMAIL PROTECTED] On Behalf Of Markus Gufler
  Sent: Thursday, December 15, 2005 10:45 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Where to send exe's to check if they are
 a
  virus?
 
   www.virustotal.com (see my previous posting for results)
  
   At the moment I consider blocking, at least temporarily, exe in zips and
   updating the virus definitions
 
  Markus
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Goran
 Jovanovic
   Sent: Thursday, December 15, 2005 4:26 PM
   To: Declude.Virus@declude.com
   Subject: [Declude.Virus] Where to send exe's to check if they
   are a virus?
  
   Hi,
  
   I am getting a bunch of exe in zip files being banned right
   now. I have grabbed one of them it is called marie.zip and
   has a single exe in it called s3700020.exe and when you put
   it on your desktop is has the standard jpeg icon associated with it.
  
   My F-Prot, McAfee and Symantec scanners are not finding a
   virus. Where is the place that you can send it to and have it
   checked out by a ton of virus scanners?
  
   Thanx
  
   Goran Jovanovic
   Omega Network Solutions


RE: [Declude.Virus] Stranger...

2005-12-09 Thread John T (Lists)

I do not think this is either an Imail or Declude issue, rather a server security issue, or rather a compromise of server security.

Sounds like you have some type of virus or Trojan on that server.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Thursday, December 08, 2005 9:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger...

Does anybody find the answer to this problem?

After 1.5 years, this problem still remains.

and IPSWITCH never gave me a clear answer about it.

- Original Message -
From: serge
To: Declude.Virus@declude.com
Sent: Tuesday, June 08, 2004 7:46 AM
Subject: Re: [Declude.Virus] Stranger...

i know imail1 is a command line mailer

but how do i find what is causing the imail 1 window to be open and filled with all these addresses?

see attached gif

- Original Message -
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 10:21 PM
Subject: Re: [Declude.Virus] Stranger...

Does this shed any light?

http://support.ipswitch.com/kb/IM-19980119-DD10.htm

Darin.

- Original Message -
From: Serge
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 3:55 PM
Subject: [Declude.Virus] Stranger...

hi all

urgent help needed

I have imail1 client window (create mail message) pop up on my server with all kind of real and strange addresses in the TO: and CC: fields.

The window remains open on the server desktop.

Is this a virus? how can i identify the service/virus/application causing this?

TIA


RE: [Declude.Virus] Another Sober out. (= idea)

2005-11-25 Thread John T (Lists)
Interesting thought.

However, on my system, that would not work. 

I am scanning for viruses first. I block executables within zips. So my
point of adding the BANNAME is so that the banned file notice that goes out
(until the AV scanners update their defs) does not just have the generic
banned file (ZIP-EXE).

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Markus Gufler
 Sent: Friday, November 25, 2005 12:21 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Another Sober out. (= idea)
 
 Thank you John but,
 
  BANNAME mailtext.zip
 
 ...is this really the only name used by this variant?
 I'm feeling a little bit bad, while adding and adding BANNAMEs to the
 virus.cfg file.
 
 First as said yesterday I feel there are many many BANNAME entries that
 are not more accurate or spreading in the wild and so unnecessary load in my
 and our config files.
 Second it's always the two steps behind if we have to adapt our config
 files manually after someone else has discovered a new variant.
 
 Wouldn't it be possible to write a junkmail external test, or maybe also an
 AV-Engine that does nothing else than looking at a central database for
 filenames that are suspicious.
 
 I'm not 100% familiar with the ip4r/rbl technique but why not set up a
 DNS-server containing TLD-zones like .zip .exe .com 
 Then some of us can act as operators and add additional zones like
 mailtext
 
 Looking at the case two days ago that I reported with the new bagle
variant
 it would also be possible to add something like
 
 1.exe.ester.zip
 12.exe.ester.zip
 1.exe.emanuel.zip
 ...
 
 Are maybe also with wildcards like
 
 *.exe.mailtext.zip
 
 By having bitmasked result codes it would maybe also possible to entries
 like
 
 *.exe*.zip
 
 with a suspicious result code and other more concrete definitions with
an
 accurate result code.
 
 so admins can use it at they want.
 Our administrative work should decrease while new banname definitions will
 be available as soon the first of the operators will detect and add it to
 the database.
 
 +as having one (or more replicated) central points we should be able to
 notice a relatively high increase of requests for exe in zips and so know that
 something seems going on.
 
 What do you think? My opinion is that last week av-companies showed that
 they are not able to provide accurate detection-quality.
 
 Markus
 
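Markus's ip4r-style idea, worked through as an added example for this archive page (not his code and not Declude's; the zone name and every record in it are constructed): the inner filename and the archive name become labels under a zone, the answer is a 127.0.0.x address whose last octet is a bit mask, and a generic pattern and an exact name can both contribute bits, so one query can come back "suspicious" and "known bad" at once. One caveat the sketch skips over: a stock DNS server only expands a wildcard in the leftmost label, so patterns like *.exe.*.zip need a resolver that does its own matching, which is what lookup() does in-process below.

```python
# Bit-masked answers in the 127.0.0.x convention of DNS blocklists: the last
# octet is a flag set, so one zone can answer "suspicious" and "known bad" at once.
SUSPICIOUS = 0x1      # pattern-level hit, e.g. any exe inside any zip
KNOWN_BAD = 0x2       # a name seen in a live outbreak

ZONE = "banname.example"                     # assumed zone name
ZONE_DATA = {                                # constructed records: owner -> A
    "*.exe.*.zip": "127.0.0.1",              # generic: executable in a zip
    "*.exe.mailtext.zip": "127.0.0.3",       # Sober's mailtext.zip carrying an exe
    "1.exe.ester.zip": "127.0.0.3",          # the Bagle names Markus listed
    "12.exe.ester.zip": "127.0.0.3",
    "1.exe.emanuel.zip": "127.0.0.3",
    "mailtext.zip": "127.0.0.2",             # the bare attachment name itself
}


def query_name(member, archive=None, zone=ZONE):
    """'1.exe' inside 'ester.zip' -> '1.exe.ester.zip.banname.example'.
    Labels are lower-cased because DNS names are case-insensitive."""
    parts = [member.lower()]
    if archive:
        parts.append(archive.lower())
    parts.append(zone)
    return ".".join(parts)


def _labels_match(pattern, labels):
    """Glob match label by label; '*' stands for one or more whole labels.
    Real DNS only honours a leftmost '*', so a pattern like *.exe.*.zip
    needs a resolver that evaluates it itself, as this function does."""
    if not pattern:
        return not labels
    if pattern[0] == "*":
        return any(_labels_match(pattern[1:], labels[i:])
                   for i in range(1, len(labels) + 1))
    return (bool(labels) and pattern[0] == labels[0]
            and _labels_match(pattern[1:], labels[1:]))


def lookup(qname, zone=ZONE, records=ZONE_DATA):
    """OR together the flags of every record the query name matches; 0 = no hit."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return 0
    labels = qname[:-len(suffix)].split(".")
    flags = 0
    for owner, addr in records.items():
        if _labels_match(owner.split("."), labels):
            flags |= int(addr.rsplit(".", 1)[1])   # last octet is the bit mask
    return flags


def verdict(flags):
    """Turn the bit mask into the action an admin would configure."""
    if flags & KNOWN_BAD:
        return "hold"
    if flags & SUSPICIOUS:
        return "suspicious"
    return "pass"


if __name__ == "__main__":
    for member, archive in [("1.exe", "ester.zip"), ("setup.exe", "photos.zip"),
                            ("report.pdf", "docs.zip"), ("mailtext.zip", None)]:
        q = query_name(member, archive)
        f = lookup(q)
        print(f"{q:45} 127.0.0.{f}  {verdict(f)}")
```

The generic *.exe.*.zip record is what lets a site that does not want to ban every exe-in-zip still score it, while the exact names carry the bit that actually holds the message; operators add records, admins decide which bits they act on.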


RE: [Declude.Virus] Another Sober out. (= idea)

2005-11-25 Thread John T (Lists)
Well, I would say it is more like a restaurant but you can not get blow
fish, alcohol, cigarettes, 10 Lbs of greasy French fries, etc.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Markus Gufler
 Sent: Friday, November 25, 2005 12:46 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Another Sober out. (= idea)
 
 
  I am scanning for viruses first. I block executables within
  zips.
 
 Yes I know you can do this.
 But on my systems banning exe in zips is like having a restaurant where
 people can eat but drinking is not allowed.
 
 Markus
 


RE: Re[2]: [Declude.Virus] how is Declude 3.x?

2005-11-25 Thread John T \(Lists\)
FYI, any server hardware that is not being used I disable. Removes items
from equations when trying to solve problems.

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of sbsi lists
 Sent: Friday, November 25, 2005 11:25 AM
 To: Chris Ulrich
 Subject: Re[2]: [Declude.Virus] how is Declude 3.x?
 
 Thank you Chris.
 
 I just disabled it and will watch it.  It's been up now 4 hrs so if it
 follows any pattern, it should fail around now.
 
 I upgraded the drivers already as they were 2 yrs old so maybe that
 helps too.
 
 much appreciated. -jason
 
 - - - - - - - - - - - - - - - - - - 
 Friday, November 25, 2005, 1:15:47 PM, you wrote:
 
 CU It *shouldn't* be a problem, but having the 2nd NIC in the machine (we also
 CU use Poweredge) and not having it plugged in can have an effect on things at
 CU times.
 
 CU It isn't enough to leave it unplugged - go into Control Panel - Network,
 CU select the second port, right click and DISABLE it.
 
 CU This actually addressed a few occasional funky network lockups
 
 CU - Chris
 
 CU At 09:26 AM 11/25/2005, you wrote:
 
 I just moved colos and servers.
 
 On the new(er) box, I installed Imail 8.21, Sniffer, Declude 3.0.5.20
 Pro-Virus/JM.
 
 Box is Dell Poweredge 1750, Dual Proc Xeon 2.4 Ghz, 3x73Gb Raid5,
 Nics onboard (Broadcom Gigs, dual)
 
 So far, I like the newer Declude - we were using 1.82 on Imail 8.05.
 It was nice to get a clean start ...
 
 
 HOWEVER, I am having problems after moving server into production and
 into live performance. The box seems to lose connectivity and I have
 to hard reboot it to get ability of the network to come back up.
 
 There are no messages in the EVENT VIEWER - nada.
 
 I know IMAIL had issues a long time ago with certain NICS - does
 anyone know the status of that?
 
 I am thinking it has to be the NIC I am using - the onboard Broadcom.
 So, I updated the drivers to it and thinking that might help.
 
 If not, I'll try the 2nd onboard and hoping it will help.
 
 Next thing to try is IF I can get a nic in the box, I'll try that but
 unsure if I have room.
 
 Last will be putting new box in there and doing all this over again.
 
 
 I don't think my Declude is causing it... anyone have thoughts on
 this.
 
 
 Thanks. -jason
 
 - - - - - - - - - - - - - - - - - - 
 Thursday, November 24, 2005, 12:24:22 PM, you wrote:
 
 IA I just realized I hadn't seen any new versions of Declude in a while, and I
 IA wonder if that means it's finally stable.  We wanted to upgrade to 3.x, but
 IA it seems like there were so many errors being reported here, and new
 IA iterations being released every few days.  We prefer to wait until the smoke
 IA clears.  So what do people think now?  Is 3.x fully reliable now?
 
 IA Thanks, and Happy Thanksgiving,
 


RE: [Declude.Virus] blocking exe in zips

2005-11-24 Thread John T \(Lists\)
  #
  # BANZIPEXT will block files based on EXT within ZIP files. EXT as declared with BANEXT
  # BANEZIPEXT will do the same for encrypted ZIPs.
  #
  # BB 1-11-05
  # Added BANxZIPEXT directives, BANEZIPEXT not necessary as we block ALL EZIP files.
  BANZIPEXT on
  #BANEZIPEXT on

Try BANZIPEXTS ON, noting the s in there.

John T
eServices For You


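A misspelled directive in a text config fails silently: the line is ignored rather than rejected, so the ban the admin believes is on is actually off. The following is an added example, not Declude's code, that reads a snippet in the same format as the one quoted above and flags any directive name it does not recognise. KNOWN_DIRECTIVES is an assumption built only from names that appear in this thread, not the product's real directive list, so extend it from the actual documentation before running it against a production config.

```python
"""Lint a Declude-style config snippet for misspelled directives.

Added example, not Declude's own code. KNOWN_DIRECTIVES is only the set of
names seen in this mailing-list thread (an assumption, not the full list
shipped with the product); the '#' comment syntax matches the quoted snippet.
"""
import difflib

KNOWN_DIRECTIVES = {"BANEXT", "BANZIPEXTS", "BANEZIPEXTS", "BANNAME", "SKIPIFFORGING"}

# Constructed sample: the snippet quoted in the post above, typo included,
# plus one correctly spelled BANNAME line for contrast.
SAMPLE_CFG = """\
#
# BANZIPEXT will block files based on EXT within ZIP files. EXT as declared with BANEXT
# BANEZIPEXT will do the same for encrypted ZIPs.
#
# BB 1-11-05
# Added BANxZIPEXT directives, BANEZIPEXT not necessary as we block ALL EZIP files.
BANZIPEXT on
#BANEZIPEXT on
BANNAME reg_text.zip
"""


def parse_directives(text):
    """Return [(line_no, DIRECTIVE, value)] for non-comment, non-blank lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)           # directive, then the rest of the line
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((n, parts[0].upper(), value))
    return entries


def lint(text, known=KNOWN_DIRECTIVES):
    """Return [(line_no, bad_name, suggestion_or_None)] for unknown directives.

    A silently ignored directive is the dangerous case: the admin believes
    the ban is active when it is not, so an unknown name is always reported.
    """
    problems = []
    for n, name, _ in parse_directives(text):
        if name in known:
            continue
        close = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.8)
        problems.append((n, name, close[0] if close else None))
    return problems


if __name__ == "__main__":
    for n, name, hint in lint(SAMPLE_CFG):
        suffix = f" (did you mean {hint}?)" if hint else ""
        print(f"line {n}: unknown directive {name}{suffix}")
```

Run as a script it reports line 7 of the sample, the `BANZIPEXT on` line, and suggests BANZIPEXTS; the commented-out `#BANEZIPEXT` line is skipped because it is a comment, which is also why a lint like this cannot tell you that a directive you meant to enable is still commented out.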


RE: [Declude.Virus] how is Declude 3.x?

2005-11-24 Thread John T \(Lists\)
P4 2 Ghz
1 GB memory
2 ATA 133 drives mirrored
3 SCSI 10K drives configured with 3 mirrored partitions

Windows 2000 Server fully patched
Imail 8.20 HF2
Declude 3.0.5.20
Declude JM Pro
Declude Virus Pro
Declude Hijack
F-Prot 32 bit
AVG
Kiwi Syslog

Volume of aprox 5K messages per day

Sniffer
SortMonster
AutoWhite for Declude
INV-URIBL
Aprox 35 filter tests
27 IP4R tests
12 RHSBL
17 Declude JM tests (REVDNS, HELO, PERCENT, ROUTING, SUBJECTCHARACHTERS,
SUBJECTSPACES, etc.)

No known issues with Declude 3.0.5.20

John T
eServices For You




[Declude.Virus] Another Sober out.

2005-11-24 Thread John T \(Lists\)
BANNAME mailtext.zip

The ones I saw were bounces, but they may be made to look like bounces.

Only Norman and Avast found it on VirusTotal as a Sober variant, and NOD32
suspects it is a variant.

John T
eServices For You





RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread John T \(Lists\)
If you have Pro version you should be always blocking using BANZIPEXTS ON
and BANEZIPEXTS ON.

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Rick Davidson
 Sent: Monday, November 21, 2005 12:12 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
 
 It is coming in with a lot of different zip file names and body names now. I
 blocked all zip files and submitted samples.
 
 I am really getting hit hard
 
 Rick Davidson
 National Systems Manager
 North American Title Group
 440-639-0607 - Office
 951-233-6342 - Mobile
 [EMAIL PROTECTED]
 -
 - Original Message -
 From: Matt [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Monday, November 21, 2005 2:51 PM
 Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
 
 
  McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
  missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
  McAfee seems to have had this one tagged prior to the outbreak starting
  since none have slipped through yet.
 
  Matt
 
 
 
  Rick Davidson wrote:
 
  heads up folks, I am stopping a new zip virus with the following junkmail
  rules, this is all I have seen so far. Contains an executable payload
  called File-packed_dataInfo.exe
 
  Rick Davidson
  National Systems Manager
  North American Title Group
  440-639-0607 - Office
  951-233-6342 - Mobile
  [EMAIL PROTECTED]
  -


RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread John T \(Lists\)
Looks like F-Prot is now catching it as SoberZ

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Rick Davidson
 Sent: Monday, November 21, 2005 12:12 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
 
 It is coming in with a lot of different zip file names and body names now. I
 blocked all zip files and submitted samples.
 
 I am really getting hit hard
 
 Rick Davidson
 National Systems Manager
 North American Title Group
 440-639-0607 - Office
 951-233-6342 - Mobile
 [EMAIL PROTECTED]
 -
 - Original Message -
 From: Matt [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Monday, November 21, 2005 2:51 PM
 Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
 
 
  McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
  missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
  McAfee seems to have had this one tagged prior to the outbreak starting
  since none have slipped through yet.
 
  Matt
 
 
 
  Rick Davidson wrote:
 
  heads up folks, I am stopping a new zip virus with the following junkmail
  rules, this is all I have seen so far. Contains an executable payload
  called File-packed_dataInfo.exe
 
  Rick Davidson
  National Systems Manager
  North American Title Group
  440-639-0607 - Office
  951-233-6342 - Mobile
  [EMAIL PROTECTED]
  -


RE: [Declude.Virus] New Sober to be released, possible variation?

2005-11-15 Thread John T \(Lists\)
And another:

BANNAME packed-password_text.zip

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darin Cox
 Sent: Tuesday, November 15, 2005 10:16 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
 
 Another one to block...
 
 BANNAME Accept_e-Text.zip
 
 The list so far is
 
 # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
 BANNAME Accept_e-Text.zip
 BANNAME email_photo.zip
 BANNAME excel_table.zip
 BANNAME foto.zip
 BANNAME liste.zip
 BANNAME reg_text.zip
 BANNAME registration.zip
 BANNAME tabelle.zip
 BANNAME word-text.zip
 
 As mentioned before, we keep these in place even after the virus definitions
 are catching them.  That way new variants that use the names are caught
 before definitions are available.
 
 Darin.
 
 
 - Original Message -
 From: Colbeck, Andrew [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Tuesday, November 15, 2005 11:57 AM
 Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
 
 
 There are very interesting details in Trend Micro's writeup.
 
 http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EADVSect=T
 
 i.e. it uses its own SMTP server plus a hardcoded list of accounts and
 IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
 Software Removal Tool.
 
 It may be worth mentioning that the BANNAME list that Darin provided
 will be useful for those of us using F-Prot only, as they are still not
 detecting the variant I've been receiving since this thread started.
 
 Andrew 8)
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Tuesday, November 15, 2005 6:05 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] New Sober to be released,
  possible variation?
 
  Most of the new Sober variants are expected to be low volume, so
  I'm not surprised that Netsky.P continues to outstrip them.
 
  Security vendors are varying as to what they are detecting
  with 6 new Sober variants yesterday and today.  Best bet is
  to ban the files at least until virus definition files have
  caught up.  We keep the bans in place for the usual overlap
  in new variants.
 
  Darin.
 
 
  - Original Message -
  From: Markus Gufler [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Tuesday, November 15, 2005 8:44 AM
  Subject: RE: [Declude.Virus] New Sober to be released,
  possible variation?
 
 
  Thank you Darin.
 
  just curious after watching our virus logfiles today
  Anyone else can confirm that there are only a few of today's new virus and
  far more netsky (most .p variant) showing up in the logfiles?
  
  Today I've had some reports that certain variants of the new virus slipped
  through while it was definitively catching some others.
 
  Markus
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
   Sent: Tuesday, November 15, 2005 2:33 PM
   To: Declude.Virus@declude.com
   Subject: Re: [Declude.Virus] New Sober to be released,
   possible variation?
  
   I just went through all of the reports.  Here's a list of new
   filenames to
   ban:
  
   # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
   BANNAME email_photo.zip
   BANNAME excel_table.zip
   BANNAME liste.zip
   BANNAME reg_text.zip
   BANNAME registration.zip
   BANNAME tabelle.zip
  
  
   Darin.
  
  
   - Original Message -
   From: Doug Anderson [EMAIL PROTECTED]
   To: Declude.Virus@declude.com
   Sent: Tuesday, November 15, 2005 8:24 AM
   Subject: Re: [Declude.Virus] New Sober to be released,
   possible variation?
  
  
   Looks like varying attachment names. I got one thats excel_table.zip
  
   - Original Message -
   From: David Dodell [EMAIL PROTECTED]
   To: John T (Lists) Declude.Virus@declude.com
   Sent: Tuesday, November 15, 2005 6:50 AM
   Subject: Re: [Declude.Virus] New Sober to be released,
   possible variation?
  
  
Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
   
Sophos is now calling it Sober-R.
   
Possible variation received this morning ... the text discussed
receiving a problem email, and the attachment was email_photo.zip
   

RE: [Declude.Virus] New Sober to be released, possible variation?

2005-11-15 Thread John T \(Lists\)
Yes. I also like to add known file names so that when the user receives a
message about a banned file, if they see the file name they are less likely
to send me a message saying that the banned file could be OK as it looks
like from some one they know.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Mark Reimer
 Sent: Tuesday, November 15, 2005 12:49 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
 
 If we are banning extensions within zip files we should be ok right?
 
 Mark Reimer
 IT Project Manager
 American CareSource
 800-370-5994 ext. 267
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of John T (Lists)
 Sent: Tuesday, November 15, 2005 2:30 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] New Sober to be released, possible
 variation?
 
 
 And another:
 
 BANNAME   packed-password_text.zip
 
 John T
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Darin Cox
  Sent: Tuesday, November 15, 2005 10:16 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
 
  Another one to block...
 
  BANNAME Accept_e-Text.zip
 
  The list so far is
 
  # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
  BANNAME Accept_e-Text.zip
  BANNAME email_photo.zip
  BANNAME excel_table.zip
  BANNAME foto.zip
  BANNAME liste.zip
  BANNAME reg_text.zip
  BANNAME registration.zip
  BANNAME tabelle.zip
  BANNAME word-text.zip
 
  As mentioned before, we keep these in place even after the virus definitions
  are catching them.  That way new variants that use the names are caught
  before definitions are available.
 
  Darin.
 
 
  - Original Message -
  From: Colbeck, Andrew [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Tuesday, November 15, 2005 11:57 AM
  Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
 
 
  There are very interesting details in Trend Micro's writeup.
 
  http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EADVSect=T
 
  i.e. it uses its own SMTP server plus a hardcoded list of accounts and
  IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
  Software Removal Tool.
 
  It may be worth mentioning that the BANNAME list that Darin provided
  will be useful for those of us using F-Prot only, as they are still not
  detecting the variant I've been receiving since this thread started.
 
  Andrew 8)
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
   Sent: Tuesday, November 15, 2005 6:05 AM
   To: Declude.Virus@declude.com
   Subject: Re: [Declude.Virus] New Sober to be released,
   possible variation?
  
   Most of the new Sober variants are expected to be low volume, so
   I'm not surprised that Netsky.P continues to outstrip them.
  
   Security vendors are varying as to what they are detecting
   with 6 new Sober variants yesterday and today.  Best bet is
   to ban the files at least until virus definition files have
   caught up.  We keep the bans in place for the usual overlap
   in new variants.
  
   Darin.
  
  
   - Original Message -
   From: Markus Gufler [EMAIL PROTECTED]
   To: Declude.Virus@declude.com
   Sent: Tuesday, November 15, 2005 8:44 AM
   Subject: RE: [Declude.Virus] New Sober to be released,
   possible variation?
  
  
   Thank you Darin.
  
   just curious after watching our virus logfiles today
   Anyone else can confirm that there are only a few of today's new virus and
   far more netsky (most .p variant) showing up in the logfiles?
   
   Today I've had some reports that certain variants of the new virus slipped
   through while it was definitively catching some others.
  
   Markus
  
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 15, 2005 2:33 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Sober to be released,
possible variation?
   
I just went through all of the reports.  Here's a list of new
filenames to
ban:
   
# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
   
   
Darin.
   
   
- Original Message -
From: Doug Anderson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 8:24 AM
Subject: Re: [Declude.Virus] New Sober to be released,
possible variation?
   
   
Looks like varying attachment names. I got one thats excel_table.zip
   
- Original Message -
From: David Dodell [EMAIL

RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?

2005-11-14 Thread John T \(Lists\)
Sophos is now calling it Sober-R.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darin Cox
 Sent: Monday, November 14, 2005 8:33 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] New Sober to be released Nov-15-2005 ?
 
 Yep...seeing them here as well.
 
 Darin.
 
 
 - Original Message -
 From: John T (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Monday, November 14, 2005 7:57 PM
 Subject: RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?
 
 
 Well, I am not sure about tomorrow, but in the last hour I have started to
 see some messages being caught with banned ZIP-EXE with a subject line of
 Thanks for your registration and a file name of reg_text.zip and a D file
 size of 184 Kb that I have not seen before.
 
 John T
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Colbeck, Andrew
  Sent: Monday, November 14, 2005 3:36 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?
 
  Hmmm, now that's interesting.
 
  http://www.f-secure.com/weblog/#0705
 
 
  Andrew.
 
 
 
 
 


RE: [Declude.Virus] Second scanner

2005-11-03 Thread John T \(Lists\)
I use AVG as the second scanner and am happy with the results. I like
BitDefender as they publish updates on average a dozen or more times per
day, but it is more resource costly.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of David Dodell
 Sent: Thursday, November 03, 2005 9:25 PM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] Second scanner
 
 After many years of using Virus Standard, I upgraded to Virus Pro to
 take advantage of a second scanner.   I've scanned the previous
 threads on what others like for a second scanner to F-Prot, but can't
 seem to find any common thread ...
 
 So I would appreciate what seems to be the next most popular virus
 scanner to run as a secondary scanner to F-Prot?
 
 David
 


RE: [Declude.Virus] Blast of zips coming in

2005-11-01 Thread John T \(Lists\)
What is the payload inside?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of John Carter
 Sent: Tuesday, November 01, 2005 7:51 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Blast of zips coming in
 
 We are currently getting hit with a blast of emails with ZIP attachments.
 They are showing clean, at least with F-Prot and ClamAV under Declude, plus
 a manual scan by Trend Micro.  They fake our user as sender.
 
 Attachments are among others: info_price.zip, text_sms.zip, max.zip,
 Health_and_knowledge.zip, and others.
 
 John C
 


RE: [Declude.Virus] Blast of zips coming in

2005-11-01 Thread John T \(Lists\)
Well ...

;-)

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of System Administrator
 Sent: Tuesday, November 01, 2005 9:48 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Blast of zips coming in
 
 on 11/1/05 11:38 AM, John T (Lists) wrote:
 
  What is the payload inside?
 
 .exe files
 
 John's post about what we all should do with .exe files in zip attachments
 will follow in 3 ... 2 ... 1 ... :)
 
 Don't let me down John,
 Greg
 


RE: [Declude.Virus] Possible BANnotify.EML problem with Declude 1.82

2005-10-12 Thread John T \(Lists\)
SKIPIFFORGING is only for virus notifications, so it should not be in any
other .eml file.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, October 12, 2005 12:30 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Possible BANnotify.EML problem with Declude 1.82

Just ran across a possible problem with the BANnotify.EML in Declude Virus
1.82. If a SKIPIFFORGING line is in it, it doesn't send the notification.

Is this an inappropriate setting? i.e. If virus checking is done first then
SKIPIFFORGING would not apply.

Darin.

RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-11 Thread John T \(Lists\)
What is wrong with sharp objects? They make nice clean cuts.

Now, it's the blunt ones that I worry about.

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Scott Fisher
 Sent: Tuesday, October 11, 2005 1:44 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
 
 I block all encrypted zips based on the fact that I can't virus scan them.
 
 But then again I'm slightly paranoid and should not be trusted with sharp
 objects.
 
 - Original Message -
 From: Kevin Rogers [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Tuesday, October 11, 2005 3:08 PM
 Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
 
 
  So it's this forum's consensus that if I have PRO I should not block all
  EZIPs - I should just block the other extensions even if they are found
  within ZIP files?
 
  I do send out notices when a file gets blocked, but I don't have a requeue
  script in place.  I'll search for one and see what I can do.  Thanks.
 
 
 
  Darin Cox wrote:
 
 If you have Declude Virus/EVA Pro you can switch to banning extensions
 within zips.  With Standard, you may want to continue to ban encrypted
 zips.
 
 In either case, you will probably want to send out notices for banned files,
 notifying the intended recipient that a file sent to them was blocked.
 Include a link in the notification for them to requeue the message if it was
 legit and they want to receive it.  Scripts to requeue messages have been
 posted to the list in the past, but they are very simple to create by just
 moving the Q and D files back to the spool directory... possibly going as
 far as launching the SMTP32 process to immediately send the message if you
 don't want your user to wait for the next queue run.
 
 Darin.
 
 
 - Original Message -
 From: Kevin Rogers [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Tuesday, October 11, 2005 1:26 AM
 Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
 
 
 We're looking for a simple way to opportunistically allow our users to
 encrypt or password-protect certain emails and/or their attachments that
 contain sensitive data.  We're running Declude Pro and have banned EZIP
 extensions (the highly recommended suggestion from several people on
 this forum), so that kinda rules out PKZIP and any kind of ZIP program
 (because as soon as you password-protect a ZIP file, it becomes an EZIP
 file).  We looked at PGP, but it seems very complex and seems to require
 a hardware proxy in between our mail server and the Net.  Is there a
 simple and effective way to encrypt or password protect documents for
 email transmission that doesn't cause problems with Imail or Declude and
 doesn't require software to be installed on the recipient's end?
 
 Thanks.
 
 Kevin
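The checks argued over in this thread (BANNAME for the Sober file names listed in the "New Sober" posts above, banning executable extensions inside ZIPs as Darin and John recommend for Pro, and Scott's point that an encrypted ZIP cannot be scanned) are compact enough to show in working code. The following is an added example and not Declude's code; it uses only the Python standard library. The extension list, the placeholder addresses and the sample messages are constructed for the example; the file names in BANNED_NAMES are the ones posted in the Sober thread above.

```python
"""Attachment checks discussed in this thread, as an added example.

Not Declude's code. Reproduces three decisions the posts describe:
BANNAME (ban by attachment name), banning executable extensions inside
ZIPs including nested ZIPs (BANZIPEXTS), and treating encrypted ZIPs
(EZIP) as unscannable. BANNED_EXTS, the addresses and the sample
messages are constructed assumptions; BANNED_NAMES comes from the thread.
"""
import email
import io
import os
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed list of extensions to ban inside ZIPs (the thread only says "exe").
BANNED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# BANNAME entries posted in the thread for the Sober variants.
BANNED_NAMES = {
    "accept_e-text.zip", "email_photo.zip", "excel_table.zip", "foto.zip",
    "liste.zip", "reg_text.zip", "registration.zip", "tabelle.zip",
    "word-text.zip", "packed-password_text.zip", "mailtext.zip",
}
ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 in the ZIP headers


def inspect_zip(data, depth=0, max_depth=2):
    """Return [(kind, member)] findings: EZIP, ZIP-EXE or BADZIP.

    Encrypted members are reported and never opened (a scanner cannot open
    them either); nested ZIPs are descended up to max_depth.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("BADZIP", "")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append(("EZIP", info.filename))
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in BANNED_EXTS:
                findings.append(("ZIP-EXE", info.filename))
            elif ext == ".zip" and depth < max_depth:
                findings.extend(inspect_zip(zf.read(info), depth + 1, max_depth))
    return findings


def check_message(raw):
    """Return the list of ban reasons for a raw message (empty list = pass)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower() in BANNED_NAMES:
            reasons.append(f"BANNAME {fname}")
        payload = part.get_payload(decode=True) or b""
        # Look at content too: a renamed ZIP still starts with the PK signature.
        if fname.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            for kind, member in inspect_zip(payload):
                reasons.append(f"{kind} {fname}:{member}")
    return reasons


# --- constructed fixtures (not real samples) ------------------------------

def mark_encrypted(data):
    """Set the encryption flag in each local header (offset 6) and central
    directory entry (offset 8). Bytes stay unencrypted; this only exercises
    the metadata check offline."""
    out = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", out, pos + off)
            struct.pack_into("<H", out, pos + off, flags | ENCRYPTED_FLAG)
            pos = out.find(sig, pos + 4)
    return bytes(out)


def make_zip(members, encrypted=False):
    """Build a ZIP in memory; optionally mark every member as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members:
            zf.writestr(name, content)
    return mark_encrypted(buf.getvalue()) if encrypted else buf.getvalue()


def build_message(attachment_name, attachment_bytes):
    """Constructed message with one ZIP attachment (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "forged-user@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Thanks for your registration"
    msg.set_content("see attached")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


SAMPLES = {
    "sober_like": build_message("reg_text.zip", make_zip([("reg_text.exe", b"MZ\x90\x00")])),
    "nested": build_message("docs.zip", make_zip([("inner.zip", make_zip([("setup.scr", b"MZ")]))])),
    "ezip": build_message("invoice.zip", make_zip([("invoice.doc", b"\xd0\xcf")], encrypted=True)),
    "clean": build_message("report.zip", make_zip([("report.pdf", b"%PDF-1.4")])),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw) or "pass")
```

Run directly it prints one verdict per constructed sample. Note the order of decisions: an encrypted member is reported and never opened, so a password-protected ZIP is banned even when the name inside looks harmless, which is exactly what Kevin ran into when his users password-protected legitimate attachments; the nested case shows why a check that only looks at the outer ZIP's member list is not enough.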


RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-11 Thread John T \(Lists\)
Yah, those doctors and their instruments. Ouch.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darrell ([EMAIL PROTECTED])
 Sent: Tuesday, October 11, 2005 2:44 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
 
 Please no talk about sharp objects - I just had a vasectomy a couple of
 hours ago - oh the pain...
 
 Darrell
 
 ---
 Check out http://www.invariantsystems.com for utilities for Declude And
 Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI
 integration, MRTG Integration, and Log Parsers.
 
 - Original Message -
 From: John T (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Tuesday, October 11, 2005 5:00 PM
 Subject: RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email
 Content
 
 
 What is wrong with sharp objects? They make nice clean cuts.
 
 Now, it's the blunt ones that I worry about.
 
 John T
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Scott Fisher
  Sent: Tuesday, October 11, 2005 1:44 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email
 Content
 
  I block all encrypted zips based on the fact that I can't virus scan
them.
 
  But then again I'm slightly paranoid and should not be trusted with
sharp
  objects.
 
  - Original Message -
  From: Kevin Rogers [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Tuesday, October 11, 2005 3:08 PM
  Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email
  Content
 
 
   So it's this forum's consensus that if I have PRO I should not block
all
   EZIPs - I should just block the other extensions even if they are
found
   within ZIP files?
  
   I do send out notices when a file gets blocked, but I don't have a
 requeue
   script in place.  I'll search for one and see what I can do.  Thanks.
  
  
  
   Darin Cox wrote:
  
  If you have Declude Virus/EVA Pro you can switch to banning extensions
  within zips.  With Standard, you may want to continue to ban encrypted
  zips.
  
  In either case, you will probably want to send out notices for banned
  files,
  notifying the intended recipient that a file sent to them was blocked.
  Include a link in the notification for them to requeue the message if
it
  was
  legit and they want to receive it.  Scripts to requeue messages have
 been
  posted to the list in the past, but they are very simple to create by
 just
  moving the Q and D files back to the spool directory... possibly going
 as
  far as launching the SMTP32 process to immediately send the message if
 you
  don't want your user to wait for the next queue run.
  
  Darin.
  
  
  - Original Message -
  From: Kevin Rogers [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Tuesday, October 11, 2005 1:26 AM
  Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email
 Content
  
  
  We're looking for a simple way to opportunistically allow our users to
  encrypt or password-protect certain emails and/or their attachments
that
  contain sensitive data.  We're running Declude Pro and have banned
EZIP
  extensions (the highly recommended suggestion from several people on
  this forum), so that kinda rules out PKZIP and any kind of ZIP program
  (because as soon as you password-protect a ZIP file, it becomes an
EZIP
  file).  We looked at PGP, but it seems very complex and seems to
require
  a hardware proxy in between our mail server and the Net.  Is there a
  simple and effective way to encrypt or password protect documents for
  email transmission that doesn't cause problems with Imail or Declude
and
  doesn't require software to be installed on the recipient's end?
  
  Thanks.
  
  Kevin

RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-11 Thread John T \(Lists\)
Well, the answer lies within how those features were introduced. When the
first wave of viruses came out using zip files, we blocked zip files
entirely. But then we asked for a way to pass EZIP files, so Scott added
that feature whereby BANEXT ZIP did not ban EZIPs, instead introducing
BANEXT EZIP. Then when waves of viruses started to come out using EZIP
files, the first thing we did was ban them and then asked Scott to come up
with a workaround. He did this by introducing BANZIPEXTS and BANEZIPEXTS
which only banned a zip or EZIP if it had a file in it that was banned. But
that is only for Pro version.

So if you are using Pro version, you can just use BANZIPEXTS and BANEZIPEXTS
if desired, leaving BANEXT ZIP and BANEXT EZIP in the virus.cfg but
commented out. That way, if there is a sudden need to do so, it can be done
quickly.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Kevin Rogers
 Sent: Tuesday, October 11, 2005 3:36 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email
Content
 
 Ok OK already.  lol
 
 So some people block EZIPs and some don't.  If you don't block EZIPs but
 do block certain file extensions within EZIPs, is it the same security
 as if you blocked them outright?  Or are there ways to slip bad stuff
 through an EZIP even if you block most bad extensions?  Or can you
 really not scan EZIPs as well as other files?
 
 Thanks
 
 
 Scott Fisher wrote:
 
  I block all encrypted zips based on the fact that I can't virus scan
  them.
 
  But then again I'm slightly paranoid and should not be trusted with
  sharp objects.
 
  - Original Message - From: Kevin Rogers [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Tuesday, October 11, 2005 3:08 PM
  Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email
  Content
 
 
  So it's this forum's consensus that if I have PRO I should not block
  all EZIPs - I should just block the other extensions even if they are
  found within ZIP files?
 
  I do send out notices when a file gets blocked, but I don't have a
  requeue script in place.  I'll search for one and see what I can do.
  Thanks.
 
 
 
  Darin Cox wrote:
 
  If you have Declude Virus/EVA Pro you can switch to banning extensions
  within zips.  With Standard, you may want to continue to ban
  encrypted zips.
 
  In either case, you will probably want to send out notices for
  banned files,
  notifying the intended recipient that a file sent to them was blocked.
  Include a link in the notification for them to requeue the message
  if it was
  legit and they want to receive it.  Scripts to requeue messages have
  been
  posted to the list in the past, but they are very simple to create
  by just
  moving the Q and D files back to the spool directory... possibly
  going as
  far as launching the SMTP32 process to immediately send the message
  if you
  don't want your user to wait for the next queue run.
 
  Darin.
 
 
  - Original Message - From: Kevin Rogers
  [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Tuesday, October 11, 2005 1:26 AM
  Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email
  Content
 
 
  We're looking for a simple way to opportunistically allow our users to
  encrypt or password-protect certain emails and/or their attachments
  that
  contain sensitive data.  We're running Declude Pro and have banned
EZIP
  extensions (the highly recommended suggestion from several people on
  this forum), so that kinda rules out PKZIP and any kind of ZIP program
  (because as soon as you password-protect a ZIP file, it becomes an
EZIP
  file).  We looked at PGP, but it seems very complex and seems to
  require
  a hardware proxy in between our mail server and the Net.  Is there a
  simple and effective way to encrypt or password protect documents for
  email transmission that doesn't cause problems with Imail or Declude
  and
  doesn't require software to be installed on the recipient's end?
 
  Thanks.
 
  Kevin

RE: [Declude.Virus] New variant as of 15 minutes ago

2005-10-06 Thread John T \(Lists\)
Matt, what is the payload inside the zip?

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
 Sent: Thursday, October 06, 2005 9:32 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] New variant as of 15 minutes ago

 Same servers, but this time it has a Regis.info.zip attachment and the
 subject is Registration Confirmation.

 Basically I converted to blocking any zips below 200 KB that come from these
 providers with some filtering and it seems to be working.

 Matt


RE: [Declude.Virus] Virus directory

2005-10-04 Thread John T \(Lists\)
From the manual:

DELETEONVIRUS   YES or TRUE

However, once deleted it is gone for good.

Better is to rotate and delete via a scheduled batch file.

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Harry Vanderzand
 Sent: Tuesday, October 04, 2005 10:33 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Virus directory
 
 Declude puts all e-mails with viruses into a separate directory
 
 I find I always have to go there and delete files.
 
 Is there a way to set the system to just delete those e-mails rather than
 move them into a separate directory?
 
 Thank you
 
 Harry Vanderzand
 inTown Internet & Computer Services
 11 Belmont Ave. W., Kitchener, ON, N2M 1L2
 519-741-1222
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Info Wind
  Sent: Friday, September 30, 2005 8:29 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Version 3.0.5.5
 
  Same for me, there seem to be problems when not uninstalling.
  I had the same issue.
  Thanks John for the proper procedure, that helped me.
 
  Bye,
  Uwe
 
  - Original Message -
  From: Harry Vanderzand
  To: Declude.Virus@declude.com
  Sent: Friday, September 30, 2005 1:50 PM
  Subject: RE: [Declude.Virus] Version 3.0.5.5
 
 
  that is what I thought, but I had to go into add remove
  programs and remove
  the service before I could use the install procedure.  If I had the
  decludeproc.exe file then I could likely have copied the new file
 
  Harry Vanderzand
  inTown Internet & Computer Services
  11 Belmont Ave. W., Kitchener, ON, N2M 1L2
  519-741-1222
 
 
 
 
 
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Thursday, September 29, 2005 6:09 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Version 3.0.5.5
 
 
  The proper procedure is:
  Stop Imail SMTP
  Stop Imail Queue Manager
  Make sure spool\proc and spool\proc\work are empty of files.
  If not, wait
  until they are processed.
  Stop Decludeproc
  Copy in the new file
  Start Decludeproc
  Start Imail SMTP
  Start Imail Queue Manager
 
  John T
  eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
  Sent: Thursday, September 29, 2005 2:07 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Version 3.0.5.5
 
  You need to stop SMTP and queuemanager. It probably got started back up by
  the stub program.
 
  Kevin Bilbee
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Harry Vanderzand
  Sent: Thursday, September 29, 2005 1:59 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Version 3.0.5.5
  I downloaded this update
 
  stopped decludeproc
 
  ran the update
 
  got message:  Another version is already running, cannot update
 
  what's up with that?
 
  Harry Vanderzand
  inTown Internet & Computer Services
  11 Belmont Ave. W., Kitchener, ON, N2M 1L2
  519-741-1222
 
 
 
 
 
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
  Sent: Thursday, September 29, 2005 2:53 PM
  To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
  Subject: [Declude.Virus] Version 3.0.5.5
  Declude Version 3.0.5.5 is available on the website for download.
  There are two changes from version 3.0.5.3
 
  Fix for special character scanning causing abnormal
  termination.  Special
  thanks to John Tolmachoff for identifying and helping us fix
  this nasty.
  For SmarterMail only.  Correctly handle parsing the XML file
  for the email
  installation path.
 
  SY, Bill Billman
  Declude
 
 
  --
  No virus found in this outgoing message.
  Checked by AVG Anti-Virus.
  Version: 7.0.344 / Virus Database: 267.11.7/112 - Release
  Date: 9/26/2005
 

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
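A scheduled rotation for the virus directory, along the lines John T suggests instead of DELETEONVIRUS: an added PowerShell example, not a script from the list or from Declude. The virus directory path and the retention period are assumptions; set them to match your install.

```powershell
# Added example (not from the list posts): keep the Declude virus directory
# rather than deleting on detection, but rotate it so it does not grow forever.
# Each run moves the current quarantined files into a dated subfolder and
# removes subfolders older than the retention window. Run it from Task Scheduler.
# ASSUMPTIONS (not on the page): the virus directory path and the retention period.
param(
    [string]$VirusDir = 'C:\IMail\Declude\virus',   # assumed; use the path from your Declude config
    [int]$RetainDays  = 14                           # assumed retention window
)
$ErrorActionPreference = 'Stop'

function Invoke-VirusDirRotation {
    param([string]$Dir, [int]$Days)

    # 1. Move today's catch into a yyyy-MM-dd subfolder (created if missing).
    #    Only top-level files are moved; earlier rotations already live in subfolders.
    $today  = Get-Date -Format 'yyyy-MM-dd'
    $bucket = Join-Path $Dir $today
    if (-not (Test-Path $bucket)) { New-Item -ItemType Directory -Path $bucket | Out-Null }
    $moved = 0
    foreach ($f in Get-ChildItem -Path $Dir -File) {
        Move-Item -Path $f.FullName -Destination $bucket -Force
        $moved++
    }

    # 2. Drop rotation folders older than the retention window. The folder name
    #    is the rotation date, so it is parsed instead of relying on file
    #    timestamps, which a copy or restore can reset. Folders that do not
    #    carry a date name are left alone.
    $inv     = [System.Globalization.CultureInfo]::InvariantCulture
    $cutoff  = (Get-Date).Date.AddDays(-$Days)
    $removed = 0
    foreach ($d in Get-ChildItem -Path $Dir -Directory) {
        $stamp   = [datetime]::MinValue
        $isDated = [datetime]::TryParseExact($d.Name, 'yyyy-MM-dd', $inv, 'None', [ref]$stamp)
        if ($isDated -and $stamp -lt $cutoff) {
            Remove-Item -Path $d.FullName -Recurse -Force
            $removed++
        }
    }
    return [pscustomobject]@{ Moved = $moved; RemovedFolders = $removed }
}

$result = Invoke-VirusDirRotation -Dir $VirusDir -Days $RetainDays
Write-Host ("Rotated {0} file(s) into today's folder; removed {1} expired folder(s)." -f `
    $result.Moved, $result.RemovedFolders)
```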


RE: [Declude.Virus] Version 3.0.5.5

2005-09-29 Thread John T \(Lists\)
The proper procedure is:
Stop Imail SMTP
Stop Imail Queue Manager
Make sure spool\proc and spool\proc\work are empty of files. If not, wait until
they are processed.
Stop Decludeproc
Copy in the new file
Start Decludeproc
Start Imail SMTP
Start Imail Queue Manager

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
 Sent: Thursday, September 29, 2005 2:07 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Version 3.0.5.5

 You need to stop SMTP and queuemanager. It probably got started back up by
 the stub program.

 Kevin Bilbee

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
  Sent: Thursday, September 29, 2005 1:59 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Version 3.0.5.5

  I downloaded this update
  stopped decludeproc
  ran the update
  got message: Another version is already running, cannot update
  what's up with that?

  Harry Vanderzand
  inTown Internet & Computer Services
  11 Belmont Ave. W., Kitchener, ON, N2M 1L2
  519-741-1222

   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
   Sent: Thursday, September 29, 2005 2:53 PM
   To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
   Subject: [Declude.Virus] Version 3.0.5.5

   Declude Version 3.0.5.5 is available on the website for download.
   There are two changes from version 3.0.5.3

   Fix for special character scanning causing abnormal termination. Special
   thanks to John Tolmachoff for identifying and helping us fix this nasty.
   For SmarterMail only. Correctly handle parsing the XML file for the email
   installation path.

   SY, Bill Billman
   Declude

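Scripting the update procedure John T lists above (stop SMTP and the Queue Manager, wait for spool\proc and spool\proc\work to drain, stop Decludeproc, swap the file, restart in reverse order), so the drain check cannot be skipped and the update aborts if the spool never empties. This is an added PowerShell example, not a script from the list or from Declude; the service names and paths are assumptions and must be checked against your own install with Get-Service.

```powershell
# Added example (not from the list posts): the decludeproc.exe update procedure
# from John T's message, scripted so the spool drain check is not skipped.
# ASSUMPTIONS (not on the page): the Windows service names and the IMail/Declude
# paths below. Verify them with Get-Service before use.
param(
    [string]$NewBinary    = 'C:\Temp\decludeproc.exe',   # assumed download location
    [string]$DecludeDir   = 'C:\IMail\Declude',          # assumed Declude install path
    [string]$SpoolDir     = 'C:\IMail\spool',            # assumed IMail spool root
    [string]$SmtpSvc      = 'SMTPD32',                   # assumed IMail SMTP service name
    [string]$QueueSvc     = 'IMailQueueMgr',             # assumed IMail Queue Manager service name
    [string]$DecludeSvc   = 'Decludeproc',               # assumed Declude service name
    [int]$DrainTimeoutSec = 600                          # how long to wait for the spool to empty
)
$ErrorActionPreference = 'Stop'

# Step 1 and 2: stop inbound mail first, so nothing new lands in spool\proc
# while it drains. Decludeproc keeps running and finishes what is queued.
Stop-Service -Name $SmtpSvc  -Force
Stop-Service -Name $QueueSvc -Force

# Step 3: wait until spool\proc and spool\proc\work hold no files.
$procDirs = @("$SpoolDir\proc", "$SpoolDir\proc\work")
$deadline = (Get-Date).AddSeconds($DrainTimeoutSec)
while ($true) {
    $pending = @(Get-ChildItem -Path $procDirs -File -ErrorAction SilentlyContinue)
    if ($pending.Count -eq 0) { break }
    if ((Get-Date) -gt $deadline) {
        # Never replace the binary while messages are mid-scan: bring mail flow
        # back and leave the old scanner in place for the operator to investigate.
        Start-Service -Name $SmtpSvc
        Start-Service -Name $QueueSvc
        throw "spool\proc still holds $($pending.Count) file(s) after $DrainTimeoutSec s; update aborted"
    }
    Start-Sleep -Seconds 5
}

# Step 4 and 5: stop Decludeproc and copy in the new file. The previous copy is
# kept beside it (an addition to the posted procedure) so a rollback is one copy.
Stop-Service -Name $DecludeSvc -Force
$target = Join-Path $DecludeDir 'decludeproc.exe'
Copy-Item -Path $target    -Destination "$target.bak" -Force
Copy-Item -Path $NewBinary -Destination $target       -Force

# Steps 6 to 8: restart in reverse order, scanner first, then mail flow.
Start-Service -Name $DecludeSvc
Start-Service -Name $SmtpSvc
Start-Service -Name $QueueSvc
Write-Host "decludeproc.exe updated; previous copy saved as $target.bak"
```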