RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
Darrell,

What happens in this scenario. Virus file comes in, AVAFTERJM is turned on, thus Declude scans it for spam content, let's say it is spam, thus ROUTETO sends it to a specific mailbox for customer to review for certain amount of days. Does Declude Virus still run against it prior to ROUTETO? My fear is that the virus file will land in their spam box untouched and the user will fire the virus off by looking at file.

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

> How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.

The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources. It has been a MAJOR help for me.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
Darrell,

I guess my question then is what advantage is it to have it run prior to Virus if the Virus Scanner still scans it, won't it still use the same CPU cycles?

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

Keith,

It still gets virus scanned. I have tons of viruses in my virus drop point for ROUTETO accounts.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Keith Johnson writes:

Darrell,

What happens in this scenario. Virus file comes in, AVAFTERJM is turned on, thus Declude scans it for spam content, let's say it is spam, thus ROUTETO sends it to a specific mailbox for customer to review for certain amount of days. Does Declude Virus still run against it prior to ROUTETO? My fear is that the virus file will land in their spam box untouched and the user will fire the virus off by looking at file.

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

> How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.

The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources. It has been a MAJOR help for me.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
Markus,

However, Darrell mentioned that the AV scanner still runs once action is taken against the SPAM message (i.e. routeto, subject, etc.). Is this not true?

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

> So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers:

As we know usually 50% of all incoming messages are spam. We know too that resource usage of one or two scan-engines is way above the entire spam filtering even if you use 5-6 external applications like sniffer, inv-uribl, spamchk, ...

So if your spam filters are set up properly they will filter out at least 50% of all incoming messages before they will reach the av-engines.

Markus
RE: [Declude.Virus] Declude and IMail 2006
David,

If you don't mind, what is the latest revision of Declude? I know there have been several 'hot fixes', just want to make sure I have the latest. Thanks again,

Keith

From: [EMAIL PROTECTED] on behalf of David Barker
Sent: Wed 11/30/2005 9:33 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Declude and IMail 2006

We have had access to the Beta and have run all our standard tests successfully. The caveat that I will offer is that there is no way in which we can replicate every combination of tests and events in our simulated environments. But to the best of our knowledge Declude and IMail 2006 seem to be OK

David B
www.declude.com
RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted
David,

Are these to be used to correct issues with Dual-proc, or is that an ongoing issue still being looked at? Thanks for the time.

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 11:41 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2 new Directives

WAITFORTHREADS 1500
Located in the Declude.cfg - Defined in milliseconds eg. 1500 = 1.5 seconds this can be changed so that when the maximum threads are in use this time specifies the wait before checking to launch more threads.

WAITBETWEENTHREADS 1
Located in the Declude.cfg - Defined in milliseconds eg. 1 = 1 millisecond The time to wait between spawning one thread and starting to process another thread.

David B
www.declude.com
RE: [Declude.Virus] Sudden Internet Slowdown
I am seeing this as we are attempting to get to certain websites and they can't be displayed.

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
Sent: Friday, September 09, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Sudden Internet Slowdown

Hello all!

This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere.

Thanks,
Rodney Bertsch
RE: [Declude.Virus] f-prot update script
Daniel,

Give this a try: http://www.f-prot.com/support/windows/fpwin_faq/88.html

-Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 11:06 AM
To: 'Declude.Virus@declude.com'
Subject: RE: [Declude.Virus] f-prot update script

I have tried using this script. I keep getting an error referring to wget.exe and it doesn't update F-Prot.

Daniel
===
Daniel Ivey
GCR Company / GCR Online
Voice: 434 - 570 - 1765
Fax: 434 - 572 - 1981
[EMAIL PROTECTED]

-----Original Message-----
From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script

Take a look at: http://www.declude.com/Articles.asp?ID=100

F-Prot for DOS updater - A batch file that automatically updates F-Prot and its virus definitions (old version here), and a Cygwin version, and a complete .ZIPed version. Finally, a Simple version!

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 9:52 AM
To: 'Declude.Virus@declude.com'
Subject: [Declude.Virus] f-prot update script

Does anyone have an f-prot update script that they wouldn't mind sharing? I have tried one that I found, but never could get it to work. Any help is appreciated.

Thanks,
Daniel
===
Daniel Ivey
GCR Company / GCR Online
Voice: 434 - 570 - 1765
Fax: 434 - 572 - 1981
[EMAIL PROTECTED]
RE: [Declude.Virus] OT: Installing Sophos/Anti Virus
Aaron,

I have tried F-prot (www.f-prot.com)? It is very fast and not very expensive, and the reliability is outstanding.

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Moreau-Cook
Sent: Wednesday, April 20, 2005 1:37 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] OT: Installing Sophos/Anti Virus

All,

I have an Imail Server on a Windows 2003 server with Declude Virus 1.82. We have been running with three virus scanners, McAfee VirusScan 7.1, F-Prot 3.16b, and Nod32. After having nothing but trouble with Nod32 crashing on our system we decided to replace Nod32 with another scanner.

We tried to install PC-cillin, but it won't install on a Windows 2003 Server. We tried to install Sophos, but it won't install because other Anti-Virus applications are installed.

So my question is, how do I get another third party scanner installed? How has everyone else got Sophos installed on their systems? We'd like to use Sophos, but at this point I don't really care either way as long as it is reliable and doesn't crash.

Thanks,
Aaron
[Declude.Virus] Issues
The past few days I am occurring a lot of these type errors in the virus log:

02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile
02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2! Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD f:\imail\spool\virus\Qcb35092800dc91ac.SMD
02/18/2005 06:03:21 Qcb35092800dc91ac Error opening mime file F:\IMail\spool\Dcb35092800dc91ac.SMD
02/18/2005 06:03:21 Qcb35092800dc91ac Scanned: Error starting scanner
02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory F:\IMail\spool\Dcb3e09ed005291c3.vir\.
02/18/2005 06:03:25 Qcb3e09ed005291c3 Scanned: Error starting scanner
02/18/2005 06:03:52 Qcb460a83007a91db Couldn't rename SMD to SM$ [32]. Priority back to 32.

This is a Win2K SP4 machine with Dual Xeon 2.4 GHz w/1GB RAM. Running F-prot (1st) and then Computer Assoc (2nd). A few days ago, I uninstalled F-prot and reinstalled it. Copied in a fresh Declude.exe file (ver. 1.82). When this occurs above, it is a domino effect, it causes mail to backup in the overflow queue and thus email is not delivered. Is there anything else I can do to fix this issue. Thanks for the aid.

-Keith
RE: [Declude.Virus] Issues
Scott,

We are not running on access scanners (very careful about that), we are running Imail 8.15. I didn't even install the Realtime Scanner in f-prot and have CA Realtime disabled as a service. Anything else that I can look at?

Keith

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of R. Scott Perry
Sent: Fri 2/18/2005 7:12 AM
To: Declude.Virus@declude.com
Cc:
Subject: Re: [Declude.Virus] Issues

> The past few days I am occurring a lot of these type errors in the virus log:
> 02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile

This indicates that something happened to the D*.SMD file, which contains the E-mail body. If you are running an on-access virus scanner, for example, the on-access virus scanner may have deleted the E-mail.

> 02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2! Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD f:\imail\spool\virus\Qcb35092800dc91ac.SMD

And this one means that the Q*.SMD file isn't there, either. This would seem unusual, except we then get:

> 02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory F:\IMail\spool\Dcb3e09ed005291c3.vir\.

This one means that the F:\IMail\spool\Dcb3e09ed005291c3.vir\ directory already exists. That is a major clue, as Declude Virus is the only program that will create a directory with that name. This means that IMail is calling Declude multiple times. We've seen this happen a few times before -- you may want to make sure that you are running the latest version of IMail.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
RE: [Declude.Virus] Issues
Scott,

Continue to see a lot of these type things, at times, the only way to aid the situation is stop/restart the Queue Mgr/SMTP

02/18/2005 11:44:11 Q1b3d04d2006a5060 ERROR: Could not open recip file F:\IMail\spool\_1b3d04d2006a5060.~MD [2]
02/18/2005 11:44:11 Q1a58046e00fc4c6c ERROR: Could not open recip file F:\IMail\spool\_1a58046e00fc4c6c.~MD [2]
02/18/2005 11:44:11 Q1b4902b000745089 ERROR: Could not open recip file F:\IMail\spool\_1b4902b000745089.~MD [2]
02/18/2005 11:44:11 Q1a58046e00fc4c6c ERROR: Could not open recip file F:\IMail\spool\_1a58046e00fc4c6c.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b4a020101285097 ERROR: Could not open recip file F:\IMail\spool\_1b4a020101285097.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b4a020101285097 ERROR: Could not open recip file F:\IMail\spool\_1b4a020101285097.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b4a020101285097 ERROR: Could not open recip file F:\IMail\spool\_1b4a020101285097.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b32017700ee5028 ERROR: Could not open recip file F:\IMail\spool\_1b32017700ee5028.~MD [2]
02/18/2005 11:44:12 Q1b4a03a500a05092 ERROR: Could not open recip file F:\IMail\spool\_1b4a03a500a05092.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:13 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:13 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]

Any ideas or suggestions?

Keith

From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Friday, February 18, 2005 7:57 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Issues

Scott,

We are not running on access scanners (very careful about that), we are running Imail 8.15. I didn't even install the Realtime Scanner in f-prot and have CA Realtime disabled as a service. Anything else that I can look at?

Keith

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of R. Scott Perry
Sent: Fri 2/18/2005 7:12 AM
To: Declude.Virus@declude.com
Cc:
Subject: Re: [Declude.Virus] Issues

> The past few days I am occurring a lot of these type errors in the virus log:
> 02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile

This indicates that something happened to the D*.SMD file, which contains the E-mail body. If you are running an on-access virus scanner, for example, the on-access virus scanner may have deleted the E-mail.

> 02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2! Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD f:\imail\spool\virus\Qcb35092800dc91ac.SMD
[Declude.Virus] Error on Scanners
What would the following indicate:

01/21/2005 15:04:06 Q5df1239b014af8b3 Error 183 creating temp directory F:\IMail\spool\D5df1239b014af8b3.vir\.
01/21/2005 15:04:06 Q5df1239b014af8b3 Scanned: Error starting scanner

Thanks for the aid.

Keith
RE: [Declude.Virus] Declude Licensing codes
Andy,

Upon your phone call with Barry, should we as Declude Users (4 lic. in my case), contact Barry directly before upgrading or should we await for a post on this forum for new procedures? I too have a cold spare, however, Declude is not loaded there until necessary and upon written procedures that we have in place to shutdown the current server (whether down by failure or otherwise), rename it and re-ip it and the like. Thanks for the info.

Keith

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Andy Schmidt
Sent: Thu 12/23/2004 9:05 AM
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Cc:
Subject: RE: [Declude.Virus] Declude Licensing codes

Hi,

At the end, there are two components to this:

A) the technique used to validate licenses (e.g., an activation code, hardware detection, etc.)
B) the procedures on how a questionable situation is handled.

I really don't have a problem with ANY technique as long as I can be comfortable with the procedures. If the procedures could even remotely result in an accidental automatic disabling, I'd no longer be able to justify use of the product.

Per example, if the procedures involve a long grace period, or, if the procedures simply allow a License Validation Staff to REVIEW a questionable license with a customer at a mutually convenient time, or similar safeguards - then I'm absolutely okay with it.

When Barry called yesterday, I listened and agreed wholeheartedly, that Declude owes it to its PAYING customers to identify and go after non-compliant customers. After all - it's money stolen from the paying customer (by either having to raise prices or by not being able to invest into future development as much).

But, I repeated my expectations that NOT details of the techniques need to be disclosed - but there should be sufficient disclosure of the procedures. And that should be disclosed BEFORE the software is offered for download - not AFTER people are starting to get suspicious.

With the information that I was given, I'm perfectly satisfied that I can continue to use Declude - and I fully support their efforts (in general) of license enforcement. However, I still hope that Barry recognizes the need that ALL customers need to know enough about the procedures to regain (!) MY level of comfort and confidence in the company and the product.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, December 23, 2004 02:01 AM
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Subject: [Declude.Virus] Declude Licensing codes

Here is some information for all who have concerns about the new licensing and tie in to IPs and/or MACs:

I have spoken to Barry today, and while I will not reveal the little bit of information I was given, I will state on my honor that I have no problem with the new license code process what ever you want to call it.

Additionally, Declude has designed and taken steps to make sure there will be no problems in the event you need to change IPs or hardware overnight, on a weekend, on an extended weekend or even if disaster were to strike and the Declude offices were not available for a week.

Hopefully, you can now rest assured that Declude will not stop working if you have to fix your server.

FYI, there is also a process in place for a cold spare server to be prepared and ready ahead of time. You will need to contact Declude to specifically set that up.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
[Declude.Virus] What are these
Q06634053002e6803 Error 183 creating temp directory F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner

Thanks for the aid, running 1.81

---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058
RE: [Declude.Virus] What are these
Also,

ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD [2]

Please advise to what this is, thanks,

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] What are these

Q06634053002e6803 Error 183 creating temp directory F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner

Thanks for the aid, running 1.81

---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058
RE: [Declude.Virus] What are these
Also getting:

Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] What are these

Q06634053002e6803 Error 183 creating temp directory F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner

Thanks for the aid, running 1.81

---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058
RE: [Declude.Virus] What are these
John,

Both are turned off, use F-prot (Realtime not install), Inoc turned off and Disabled.

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, October 25, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] What are these

Do you have an on-access scanner running?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 7:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] What are these

Also,

ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD [2]

Please advise to what this is, thanks,

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] What are these

Q06634053002e6803 Error 183 creating temp directory F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner

Thanks for the aid, running 1.81

---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058
RE: [Declude.Virus] What are these
Scott, We are backing up in our Queue of about 8000 emails and we started seeing the below messages as well: Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32. ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD [2] Are these related? Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Monday, October 25, 2004 10:55 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] What are these Q06634053002e6803 Error 183 creating temp directory F:\IMail\spool\D06634053002e6803.vir\. 10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner That error means that the .vir directory already exists -- this will happen if IMail accidentally calls Declude multiple times. Although you will see the warnings in the log file, Declude will still function properly. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] Fprot GDI Scanner lines.
I too am seeing this same behavior. I am running HIGH logging and 1.80 version. All I see is my scanners detecting it, no extra lines from Declude that it stopped it, same behavior under 1.79. I also wanted to see if there would be any additional aid with F-prot not being able to report the virus correctly due to it yielding an Error #8. Seems there was discussion that the Report line changed in the latest 3.15b, where it also reports: REPORTInfection: REPORTContains the exploit named As I understand it, we can only have 1 report line per scanner, is this true? Thanks for the aid, Keith -Original Message- From: [EMAIL PROTECTED] on behalf of Nick Sent: Tue 9/28/2004 9:40 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus] Fprot GDI Scanner lines. On 27 Sep 2004 at 17:31, R. Scott Perry wrote: The latest release of Declude Virus will automatically detect the GDIPlus.dll JPEG exploit. How can I confirm this? When I send myself the exploit I do not receive the email - good- but in my virus logs all I see is 'error in scannerx' and nothing in the declude log file. This is with v180 -Nick Hayer
RE: [Declude.Virus] Fprot GDI Scanner lines.
Mark, What did you use to generate the GDI Exploit test file? Thanks Keith -Original Message- From: [EMAIL PROTECTED] on behalf of Mark Smith Sent: Mon 9/27/2004 1:55 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus] Fprot GDI Scanner lines. Send a GDI Exploit test file through. You'll get the error Can't Parse Virus type in the Declude Virus log. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Saturday, September 25, 2004 11:22 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Fprot GDI Scanner lines. - Original Message - From: Mark Smith [EMAIL PROTECTED] Actually this breaks Declude because Declude Virus can't look for multiple REPORT lines. Scott, How can we setup Declude Virus to look for multiple lines in the report.txt file? I've been running F-Prot Version 3.15b since it was released yesterday and have not had to make any changes to my virus config to support the new version. It has been running exactly the way it always has. Bill
RE: [Declude.Virus] Fprot GDI Scanner lines.
Nevermind, found a copy of it, just had trouble with the German. It seems my Inoc caught it correctly, however, the Fprot didn't, gave me error. Q6f7408d2006085b0 Scanner 1 reported error code #8, which is listed as OK 09/27/2004 15:52:20 Q6f7408d2006085b0 Scanner 2: Virus= JPEG.MS04-028.Exploit.Trojan Attachment=jpegcompoc.zip.ZIP [1] I 09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [ JPEG.MS04-028.Exploit.Trojan: 101] Keith -Original Message- From: Keith Johnson on behalf of Keith Johnson Sent: Mon 9/27/2004 3:02 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus] Fprot GDI Scanner lines. Mark, What did you use to generate the GDI Exploit test file? Thanks Keith -Original Message- From: [EMAIL PROTECTED] on behalf of Mark Smith Sent: Mon 9/27/2004 1:55 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus] Fprot GDI Scanner lines. Send a GDI Exploit test file through. You'll get the error Can't Parse Virus type in the Declude Virus log. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Saturday, September 25, 2004 11:22 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Fprot GDI Scanner lines. - Original Message - From: Mark Smith [EMAIL PROTECTED] Actually this breaks Declude because Declude Virus can't look for multiple REPORT lines. Scott, How can we setup Declude Virus to look for multiple lines in the report.txt file? I've been running F-Prot Version 3.15b since it was released yesterday and have not had to make any changes to my virus config to support the new version. It has been running exactly the way it always has. Bill
[Declude.Virus] Future Question
Scott, It seems that social engineering will play a huge part in future viruses (already seen it with passwords listed in body of encrypted zips), what are your thoughts on the following: I have recently seen a bounce message that contained the recent Bagle.aq virus that contained the following words in the body. Due to the nature of the current virii, we are stripping Microsoft .zip attachments. To send these, please rename the extension to .piz by right-clicking and using rename file. Let the recipient know to change it back to .zip and it should get past. Is it possible to build in some parameter that allows for banning all extensions, except some listing that is provided within the config file? However, keeping the functionality of blocking file extensions within compression files. I know this is most likely a huge undertaking, however, if I look back over my conversations with some of my users and them wanting to send some much needed exe (or the like) file through inside a zip, and my response is rename the extension to something other than .zip and send it and let the end user know to alter it back. I can't help but imagine the virus writers will social engineer something soon to do the same. Thanks for the time. Keith
[Declude.Virus] Extension Modify
We modify extensions at our Firewall that changes an executable listing and removes the last character and adds an underscore (no harm to file). For example, an exe would be modified to ex_ Works great, however, it seems that Declude will not see it in our Banned Extension listing even though we have it listed as BANEXT ex_ Does Declude Pro Virus (1.79+) allow for this? I have tested it with varying sizes of files and none get banned. Thanks for the aid. Keith
RE: [Declude.Virus] Extension Modify
Scott, Thanks for the email and quick follow-up. Below is the log snippet and it shows: 07/19/2004 20:21:30 Q658a1246012405b6 MIME file: happy.pi_ [base64; Length=80 Checksum=8732] 07/19/2004 20:21:30.546 Q658a1246012405b6 Comparing |pi| to SKIPEXTs and BANEXTs 07/19/2004 20:21:31.171 Q658a1246012405b6 Starting EXT check . 07/19/2004 20:21:31.171 Q658a1246012405b6 1: happy.pi_ adfa 07/19/2004 20:21:31.171 Q658a1246012405b6 Starting EXT check pi. It seems Declude drops the _ in pi_ and checks pi Is this by design? Thanks again. Keith -Original Message- From: [EMAIL PROTECTED] on behalf of R. Scott Perry Sent: Mon 7/19/2004 8:19 PM To: [EMAIL PROTECTED] Cc: Subject: Re: [Declude.Virus] Extension Modify We modify extensions at our Firewall that changes an executable listing and removes the last character and adds an underscore (no harm to file). For example, an exe would be modified to ex_ Works great, however, it seems that Declude will not see it in our Banned Extension listing even though we have it listed as BANEXT ex_ Does Declude Pro Virus (1.79+) allow for this? I believe the problem here is that the underscore is not a valid character for file extensions. If you change it to BANEXT ex, it should take care of the problem. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] Extension Modify
Scott, Is there a limit on the BANEXT? I thought I read somewhere it was 100? Thanks again for your time. Just need a few more entries to cover the _ character. Keith -Original Message- From: [EMAIL PROTECTED] on behalf of R. Scott Perry Sent: Mon 7/19/2004 8:19 PM To: [EMAIL PROTECTED] Cc: Subject: Re: [Declude.Virus] Extension Modify We modify extensions at our Firewall that changes an executable listing and removes the last character and adds an underscore (no harm to file). For example, an exe would be modified to ex_ Works great, however, it seems that Declude will not see it in our Banned Extension listing even though we have it listed as BANEXT ex_ Does Declude Pro Virus (1.79+) allow for this? I believe the problem here is that the underscore is not a valid character for file extensions. If you change it to BANEXT ex, it should take care of the problem. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Scott, I believe it is only with the new encrypted (password) zip files. I saw in my log (when running i8) that my Scanners were picking up and detecting normal zip's, normal pifs, normal scr. etc. of all virus flavors (if there is such thing as normal). I believe I wouldn't see (as long as we have a sig file) any banning of normal zips (un-passworded) since the AV scanner would pick it and process it first before banning. For whatever reason, any password laid virus zip files containing com, pif, scr, exe, or others are not getting picked up on our system with i8, however, they are with i7. I hope this helps. I just used to test this was the Eicar.com virus zipped up with WinZip with an applied password. Ran it through both to an address on the system and also to another Declude protected Imail system, both came straight through. Keith I'm not clear on exactly what is happening. Is the problem *only* with .ZIP files, or is it also occurring with other types of files? -Scott
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Scott, I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it in place of the new commands: BANEZIPEXTS and BANZIPEXTS ON I used that encoded file to test it under i8 first and it went straight through, that is what tipped me off that something was not right. I then turned around and made my own test from eicar.com and it went through. I just tested it under i7 and it got caught. I am unsure where to turn as our .vir directories are off the charts. Keith -Original Message- From: [EMAIL PROTECTED] on behalf of R. Scott Perry Sent: Wed 3/3/2004 9:01 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files For whatever reason, any password laid virus zip files containing com, pif, scr, exe, or others are not getting picked up on our system with i8, however, they are with i7. I hope this helps. I assume you are using BANEXT EZIP with i7. Are you using it with i8 as well? Do you have BANEXT com, BANEXT pif, etc. in your virus.cfg file? I just used to test this was the Eicar.com virus zipped up with WinZip with an applied password. Ran it through both to an address on the system and also to another Declude protected Imail system, both came straight through. Do the eicarencodedzip E-mail from the Test Virus Sender at http://www.declude.com/tools/ get caught? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Scott, This is my top portion of my virus.cfg file under i7 and i8. Keith -Original Message- From: Keith Johnson on behalf of Keith Johnson Sent: Wed 3/3/2004 8:10 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files Scott, This is a 'top' sample of what I have listed in my Virus.CFG file: BANEZIPEXTS ON BANZIPEXTS ON BANEXT exe BANEXT ex_ BANEXT pif BANEXT pi_ BANEXT scr BANEXT sc_ BANEXT bat BANEXT ba_ BANEXT com BANEXT co_ Since we modify extensions at our Firewall, you see the different alternate extensions above. I made no modifications to the above moving to i8. I noticed in my log (tried MID and HIGH) after moving to i8 that I no longer saw any Banning extension with (EXT) lines. Thus, I got concerned. On average, we get a virus every few seconds, and moving back to i7, within a minute, I was catching the banned extension inside of zip's again. When I was on i8, I did a simple test of zipping an Eicar .com virus and password protecting it. I ran it through and it went straight to my inbox. I then dropped back to i7 and ran the same file through and it was picked up and logged, however, the directory couldn't be removed. Thus, this morning I had well over 200 plus .vir directories to delete. Any thoughts? Thanks for the aid. Keith -Original Message- From: [EMAIL PROTECTED] on behalf of R. Scott Perry Sent: Wed 3/3/2004 7:57 AM To: [EMAIL PROTECTED] Cc: Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files I'll second that. Running 1.78i8, with BANZIPEXTS and BANEZIPEXTS ON, the encoded zip eicar test passes through. The regular zip version of the eicar test is caught. Just to clarify, this IS the expected behavior with 1.78i18. BANZIPEXTS ON and BANEZIPEXTS ON will *only* block .ZIP files *if* they contain files that have a banned file extension. 
So unless you also have a line BANEXT com in the virus.cfg file, an encrypted eicar.com file won't get caught. For others having issues with these new features, please be very clear what is happening. There are a lot of possibilities here. You'll need to specify [1] Whether you are using BANZIPEXTS ON or BANEZIPEXTS ON (or the not-recommended-but-still-useful BANEXT EZIP), [2] Whether you have a BANEXT line to block the appropriate file (BANEXT com, for example), [3] What type of file you are sending through (.com? .com within a .zip?), [4] If it is a .ZIP file, is the file inside it encrypted? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
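The rule described in the message above (a .ZIP is blocked only when a member's extension has its own BANEXT line, with separate switches for plain and encrypted archives) can be reproduced outside Declude to test a configuration. The following is an added example, not Declude's code and not from the list: the function names and the "hold" verdict are hypothetical, and the sample archives are constructed with the encryption flag set rather than really encrypted, which is enough because classic ZIP encryption leaves member names readable.

```python
import io
import struct
import zipfile


def parse_virus_cfg(text):
    """Read the directives named in the thread, splitting on any run of spaces or tabs."""
    cfg = {"banext": set(), "banzipexts": False, "banezipexts": False}
    for raw in text.splitlines():
        parts = raw.split()  # tolerant of tabs, repeated and trailing whitespace
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].upper(), parts[1]
        if key == "BANEXT":
            cfg["banext"].add(value.lower().lstrip("."))
        elif key in ("BANZIPEXTS", "BANEZIPEXTS"):
            cfg[key.lower()] = value.upper() == "ON"
    return cfg


def extension(name):
    """Lower-cased text after the last dot of the file name, or '' if there is none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def check_attachment(name, data, cfg):
    """Return (verdict, reason) for one attachment under the parsed configuration."""
    ext = extension(name)
    if ext in cfg["banext"]:
        return ("ban", "outer extension ." + ext)
    if ext != "zip":
        # A renamed archive (.zi_, .piz) is never opened, as noted in the thread.
        return ("pass", "not a .zip and extension not banned")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ("hold", "unreadable zip")  # fail-closed choice made by this example
    for info in archive.infolist():  # names come from the central directory, no password needed
        encrypted = bool(info.flag_bits & 0x1)
        if encrypted and "ezip" in cfg["banext"]:
            return ("ban", "encrypted zip (BANEXT EZIP)")
        enabled = cfg["banezipexts"] if encrypted else cfg["banzipexts"]
        if enabled and extension(info.filename) in cfg["banext"]:
            kind = "encrypted" if encrypted else "plain"
            return ("ban", kind + " zip member " + info.filename)
    return ("pass", "no banned member extension")


def make_zip(member, payload=b"constructed sample bytes", encrypted=False):
    """Build a constructed test archive; 'encrypted' only sets flag bit 0 in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit at offset 6 of the local header and offset 8 of the central entry.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            (flags,) = struct.unpack_from("<H", data, pos + offset)
            struct.pack_into("<H", data, pos + offset, flags | 0x1)
    return bytes(data)


if __name__ == "__main__":
    # Constructed configuration, mixing tabs and spaces on purpose.
    cfg = parse_virus_cfg("BANEZIPEXTS\tON\nBANZIPEXTS  ON \nBANEXT exe\nBANEXT\tcom\n")
    sample = make_zip("eicar.com", encrypted=True)
    for label in ("test.zip", "test.zi_"):
        print(label, check_attachment(label, sample, cfg))
```

Running the four questions from the message through `check_attachment` (which switch is ON, whether the BANEXT line exists, what the outer file is, whether the member is encrypted) shows which combination lets a given test file through.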
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Scott, I don't know that our firewall is the issue due to it working under i7 and all prior Declude versions. The Firewall only modifies the extension, it does not in any way alter the file. When you wrote that i7 will not block encrypted zips without the BANEXT EZIP line, it was my understanding if you have the following: BANEZIPEXTS ON BANEXT com then it will block encrypted zip files containing .com files? Am I wrong? Do I need to have all the following lines in there? BANEZIPEXTS ON BANEXT EZIP BANEXT com I thought you mentioned that BANEXT EZIP was 'undesirable' and using the first example above was ideal? Version i7 is causing the .vir directories and the lines in the log that indicate Declude could not remove the .vir directory. Inside those directories are files called 0.zi and 1.zi It was my understanding that i8 fixed this issue with the .vir directory and also added new features for attacking .bat, .scr. Etc. I am currently on i7, due to i8 not catching encrypted .zip files with extensions in my BANEXT listing. This was tested from the encoded zip file as well as an eicar.com file zipped and password protected. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, March 03, 2004 10:16 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it in place of the new commands: In that case, i7 will *not* block any encrypted .ZIP files. BANEZIPEXTS and BANZIPEXTS ON I used that encoded file to test it under i8 first and it went straight through, that is what tipped me off that something was not right. What extension does the attachment in your mail client show? I'm thinking that the firewall is mucking things up (if it renames the .ZIP to .ZI or .ZI_, for example, Declude Virus won't look at it).
I am unsure where to turn as our .vir directories are off the charts. Unfortunately, this isn't useful information without knowing which version(s) caused them, and preferably the log file entries for them as well. There was an old interim that could cause this, but the latest should not. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Matt, I had a space in mine, not a tab. For what it is worth. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, March 03, 2004 11:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files Here's a thought. Since this is working in some cases and not in others, maybe there is a syntax bug. I have the following: BANEZIPEXTStabON BANEXTtabEXE BANEXTtabCOM etc. What if someone had spaces, multiple spaces or multiple tabs? How about a space or tab following one of the lines? Maybe Declude isn't parsing this correctly from the config file??? I think it's worth a quick look. Matt R. Scott Perry wrote: I apologize for the flood of emails to you as I know your time is precious. However, I pulled the following that BANZIPEXTS and BANEZIPEXTS was added in i7: Sorry, my mistake. I am unsure on the .zip to .zi_ as I have no issues with Declude with versions 1.78i7 and prior. It was only with i8 that Declude was not seeing the zip with hiding file extensions any longer. Unfortunately, I'm not sure what you are referring to regarding the hiding file extensions. Again, it is vital that people be very clear in their posts. I'm very close to turning this into a moderated list until this all blows over. What we are looking for is to get as much information about bugs in the new interim as quickly as possible on this list, while at the same time minimizing the amount of posts to this list. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. -- MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Matt, Is yours working with the TAB, I'll try anything? Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, March 03, 2004 11:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files Here's a thought. Since this is working in some cases and not in others, maybe there is a syntax bug. I have the following: BANEZIPEXTStabON BANEXTtabEXE BANEXTtabCOM etc. What if someone had spaces, multiple spaces or multiple tabs? How about a space or tab following one of the lines? Maybe Declude isn't parsing this correctly from the config file??? I think it's worth a quick look. Matt R. Scott Perry wrote: I apologize for the flood of emails to you as I know your time is precious. However, I pulled the following that BANZIPEXTS and BANEZIPEXTS was added in i7: Sorry, my mistake. I am unsure on the .zip to .zi_ as I have no issues with Declude with versions 1.78i7 and prior. It was only with i8 that Declude was not seeing the zip with hiding file extensions any longer. Unfortunately, I'm not sure what you are referring to regarding the hiding file extensions. Again, it is vital that people be very clear in their posts. I'm very close to turning this into a moderated list until this all blows over. What we are looking for is to get as much information about bugs in the new interim as quickly as possible on this list, while at the same time minimizing the amount of posts to this list. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. -- MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/
[Declude.Virus]
Scott, Thanks for creating the following tool on your website, is a lot easier than creating Eicar zip encrypted test files. eicardynamicencodedzip I will be attempting to move to i9 from i7 tonight. Due to the volume of viruses today, I just couldn't chance it in full live production. I am also going to refresh my virus.cfg file, maybe there is something in it that is causing i8 and i9 problems. Thanks again, Keith
[Declude.Virus] Scan Password Protected Zip's
I know this has been touched on a few times, however, I just needed some clarification. I just got a note from CA that informed me that their engine was unable to scan inside a password protected file. Will F-prot do this with the latest defs? I know that Scott put EZIP in place, many thanks. Thanks for the aid. Keith
RE: [Declude.Virus] Scan Password Protected Zip's
When I upgraded to 1.78i6 and added the BANEXT EZIP line to my virus.cfg file, all of a sudden I am receiving the following when it encounters these zips: WARNING: Couldn't remove .vir directory F:\IMail\spool\Ddf56c4e7006acd96.vir\: EXTRA FILES THERE. 03/02/2004 14:24:32 Qdf56c4e7006acd96 Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory. Any thoughts... Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Tuesday, March 02, 2004 2:03 PM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Scan Password Protected Zip's I know this has been touched on a few times, however, I just needed some clarification. I just got a note from CA that informed me that their engine was unable to scan inside a password protected file. Will F-prot do this with the latest defs? I know that Scott put EZIP in place, many thanks. Thanks for the aid. Keith
RE: [Declude.Virus] Backdoor.Coreflood Virus new variant?
Paul, I think this was out awhile back... http://securityresponse.symantec.com/avcenter/venc/data/backdoor.coreflood.html Keith -Original Message- From: paul [mailto:[EMAIL PROTECTED] Sent: Friday, October 24, 2003 3:16 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Backdoor.Coreflood Virus new variant? I've not seen any info about this virus yet, but have an XP system infected with it. What a mess! It brings the system to a crawl.. Paul Does anyone know whether the new variant of the Backdoor.Coreflood is detected with F-Prot? We have the latest version of virus definitions for F-Prot, but one of our users received this virus and it looks like it may have come through email. Has anyone ran into the new variant of this virus? It looks like it was only started to be detected by Symantec's Virus definitions in yesterdays update and that is the only reason our user initially picked it up. Does anyone know if this virus even spreads via email? Jim Matuska Jr. Computer Tech II CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED]
RE: [Declude.Virus] Multi-scanner Question
Scott, I have had at times, with both scanners (up to date sig files, both catching mydoom) taking a pounding (we are getting mydoom.a in 1 every second), when Scanner1 (f-prot) would pick up the virus and Scanner2 (InoculateIT) would not show anything, and at other times Scanner1 would not pick it up, but Scanner2 would, as well as both Scanners picking it up. I figured it was due to the volume we are receiving on this and the Scanners could not keep up. Keith -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Friday, January 30, 2004 1:02 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Multi-scanner Question If they are run in series, then wouldn't it be best to run the next scanner only if the previous scanner passed? In other words why scan the email again if it already failed one of the scanners? The logic behind that is that only a small fraction of E-mail contains a virus. Since the majority of E-mail has to go through both scanners, having the viruses go through both doesn't take much extra resources. The benefit is that you can tell from the log files if both scanners are detecting viruses, and if one is not able to report the virus/file name, the information from the other can be used. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.Virus] Offtopic question
It seems that this file maybe related to Microsoft's InstallShield erroring out. Did you install any 'major' products lately? Keith -Original Message- From: Djerr C. de Meijer [mailto:[EMAIL PROTECTED] Sent: Monday, December 15, 2003 11:01 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Offtopic question You all are the only admins I know so lemme ask you. :) Does anyone have a idea what a iserror.log file is? I have no clue. these files be in folders with pictures. Go to any search engine, type iserror.log and hit search. All hits are examples of these files. (big yay :S) The only place I saw ppl asking what it was, was at a german forum. (note that my german is near 0) Yet if I read it correct, noone knew. So you got any ideas? I know I don't. D.C.
[Declude.Virus] f-prot question
Does anyone know what the command line string is for scanning your sig file to see if it is catching a certain named virus file? I saw it posted over 6 months ago, however, I guess my search isn't picking it up. Thanks, Keith
RE: [Declude.Virus] Scanning Question
In this case, you can use the per-user settings to turn off virus scanning completely for the recipient. Scott, Is it possible (using per user settings) to simply suspend the vulnerability scanning, yet still keep the main virus scanning on? Thanks again for your time, Keith
FW: [Declude.Virus] Suppressing Notif. to Single Domain
Just wanted to confirm, if I want to suspend virus notifications to all users on a single domain that we host, I would do the following: In the appropriate .eml files, add a line: SKIPIFRECIP @domaintoskip.com Thanks, Keith
[Declude.Virus] Suppressing Notif. to Single Domain
Is it possible to not send out virus notifications to a specific domain that we host within Imail? For example, if we host 100 domains, and only 1 of the domains says they do not care to receive the virus notifies (i.e. recep.eml). Thanks, Keith
[Declude.Virus] Log File Errors
Scott, Today we had a 'horrible' thing happened with our scanner (have two in place F-Prot and InoculateIT), not sure which one had issues:

06/04/2003 14:51:29 Q3ef6000501666762 ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 14:51:29 Q3ef6000501666762 WARNING: Couldn't remove .vir directory C:\IMail\spool\D3ef6000501666762.vir\: SHARING VIOLATION.
06/04/2003 14:51:29 Q3ef6000501666762 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:52:45 Q3ef60005015e65fb Error 183 creating temp directory C:\IMail\spool\D3ef60005015e65fb.vir\.
06/04/2003 14:52:45 Q3ef60005015e65fb Scanned: Error starting scanner
06/04/2003 14:52:58 Q3ef60005015e65fb Couldn't rename SMD to SM$ [32]. Priority back to 32.
06/04/2003 14:54:12 Q3efb000101a07b86 ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 14:54:12 Q3efb000101a07b86 WARNING: Couldn't remove .vir directory C:\IMail\spool\D3efb000101a07b86.vir\: SHARING VIOLATION.
06/04/2003 14:54:12 Q3efb000101a07b86 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:54:35 Q3efc0004018a7d8a ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 14:54:35 Q3efc000101a67e74 ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 14:54:35 Q3efc0004018a7d8a WARNING: Couldn't remove .vir directory C:\IMail\spool\D3efc0004018a7d8a.vir\: SHARING VIOLATION.
06/04/2003 14:54:35 Q3efc000101a67e74 WARNING: Couldn't remove .vir directory C:\IMail\spool\D3efc000101a67e74.vir\: SHARING VIOLATION.
06/04/2003 14:54:35 Q3efc0004018a7d8a Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:54:35 Q3efc000101a67e74 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:55:33 Q3efc000101aa80c6 Error 183 creating temp directory C:\IMail\spool\D3efc000101aa80c6.vir\.
06/04/2003 14:55:33 Q3efc000101aa80c6 Scanned: Error starting scanner
06/04/2003 14:56:14 Q3efe0002019285e6 Error 183 creating temp directory C:\IMail\spool\D3efe0002019285e6.vir\.
06/04/2003 14:56:14 Q3efe0002019285e6 Scanned: Error starting scanner
06/04/2003 14:56:49 Q3f07000101d8abdd ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 14:56:49 Q3f07000101d8abdd WARNING: Couldn't remove .vir directory C:\IMail\spool\D3f07000101d8abdd.vir\: SHARING VIOLATION.
06/04/2003 14:56:49 Q3f07000101d8abdd Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:57:02 Q3efe0002019285e6 Couldn't rename SMD to SM$ [32]. Priority back to 32.
06/04/2003 14:57:04 Q3ef60006016a67b0 Error 183 creating temp directory C:\IMail\spool\D3ef60006016a67b0.vir\.
06/04/2003 14:57:04 Q3ef60006016a67b0 Scanned: Error starting scanner
06/04/2003 14:57:28 Q3ef60006016a67b0 Couldn't rename SMD to SM$ [32]. Priority back to 32.

This took our server to a crawl as it couldn't scan emails, there was 30 min. of living he.. there. When I checked the spool folder we were in overflow due to the backup of the virus scanning. We are also still continuing to receive a ton of these in my logs:

06/04/2003 08:45:39 Qe9ec092201523842 No filename in disp Content-Disposition: attachment.
06/04/2003 08:45:39 Qe9ec092201523842 No filename in disp Content-Disposition: attachment.
06/04/2003 08:53:52 Qebde168600f8d098 No filename in disp Content-Disposition: attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: attachment.

We are running 1.69beta. Should I have logging turned up higher than LOW? Also, if I have issues with the scanners, what should be the sequence to aid in the problem above. We simply had to reboot the machine (I removed the .vir directories) so that viruses would not be allowed to pass. Within 10 min. of the reboot all returned to a normal operation. During the 30 min. the scanners were reporting errors, we had lots of Declude.exe processes running and smtp32.exe processes running. Any aid would be helpful, thanks. Keith
RE: [Declude.Virus] Log File Errors
Does the new beta 1.70 with interims address the issues of the No filename in disp Content-Disposition: attachment? Should I be running it (i.e. more stable) than the 1.69beta? Is the 60sec delay on timeout for scanning pretty normal, or should I be setting that to less. My only concern is large attachment scanning. Thanks again for being a sounding board. Keith Johnson -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Wed 6/4/2003 6:31 PM To: [EMAIL PROTECTED] Cc: Subject: Re: [Declude.Virus] Log File Errors Today we had a 'horrible' thing happened with our scanner (have two in place F-Prot and InoculateIT), not sure which one had issues: 06/04/2003 14:51:29 Q3ef6000501666762 ERROR: Virus scanner didn't finish after 60 seconds; terminating. This is the problem -- one of the virus scanners was getting stuck, and not finishing its scanning (which also indirectly caused further problems, such as the sharing violation). This took our server to a crawl as it couldn't scan emails, there was 30 min. of living he.. there. When I checked the spool folder we were in overflow due to the backup of the virus scanning. We are also still continuing to receive a ton of these in my logs: 06/04/2003 08:45:39 Qe9ec092201523842 No filename in disp Content-Disposition: attachment. Searching through viruses we've received, we found a W32/[EMAIL PROTECTED] that could cause this unusual warning. It should not normally appear for legitimate E-mails, however. Also, if I have issues with the scanners, what should be the sequence to aid in the problem above. The key here would be to find out which of the two scanners wasn't finishing, and fix it. However, that may be difficult to do. The next release of Declude Virus will log which scanner didn't finish. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation.
[Declude.Virus] Log File
We have started to get numerous of these in our log file, do you know what these may be.

06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition: attachment.
06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition: attachment.
06/02/2003 09:07:09 Q4b9f09b40106db1d No filename in disp Content-Disposition: attachment.
06/02/2003 09:07:09 Q4b9f09b40106db1d No filename in disp Content-Disposition: attachment.
06/02/2003 09:07:09 Q4b9f09b40106db1d No filename in disp Content-Disposition: attachment.
06/02/2003 09:07:18 Q4bfe09b401064e73 No filename in disp Content-Disposition: attachment.
06/02/2003 09:07:18 Q4bfe09b401064e73 No filename in disp Content-Disposition: attachment.
06/02/2003 09:09:57 Q4ca209d80106cea6 No filename in disp Content-Disposition: attachment.
06/02/2003 09:09:57 Q4ca209d80106cea6 No filename in disp Content-Disposition: attachment.
06/02/2003 09:09:57 Q4ca209d80106cea6 No filename in disp Content-Disposition: attachment.
06/02/2003 09:09:57 Q4ca209d80106cea6 No filename in disp Content-Disposition: attachment.

Thanks for any aid.
RE: [Declude.Virus] Log File
Scott, We have had a lot of viruses get through today (new Backdoor AVF), seems McAfee is the only one that has it available (sig file). Luckily we already alter .exe files so that can't be executed. Should I be concerned with these Content-Disposition, I just started to see a lot (100's a day) of these the last few days. I am running 1.69beta. Thanks again for the aid. Keith -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 03, 2003 4:25 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Log File We have started to get numerous of these in our log file, do you know what these may be. 06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition: attachment. That's quite unusual -- it indicates that the E-mail has an attachment, but no name was given to it. Technically, the filename isn't required -- but I have no idea how a mail client would handle the attachment if it had no name. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation.
RE: [Declude.Virus] Error in Virus Scanner
Are there any other entries for the E-mail? Here is a list of two in a row: 05/29/2003 06:26:39 Qe05301090146bcae Could not find parse string Infection: in report.txt 05/29/2003 06:26:42 Qe05301090146bcae Error 0 in virus scanner. 05/29/2003 06:26:42 Qe05301090146bcae Scanned: Error in virus scanner. [Prescan OK][MIME: 2 27178] 05/29/2003 06:26:54 Qe06201100146f552 Could not find parse string Infection: in report.txt 05/29/2003 06:26:57 Qe06201100146f552 Error 0 in virus scanner. 05/29/2003 06:26:57 Qe06201100146f552 Scanned: Error in virus scanner. [Prescan OK][MIME: 2 26947] Do you know what version you were running before? That Error 0 in virus scanner should only occur along with other log file entries. I was running 1.67beta. I upgraded on May 26th and since then I am receiving about 100 or so a day with the above error, prior to that all logs are clean of error 0. Thanks for the aid. Keith
RE: [Declude.Virus] Error in Virus Scanner
Are you using two or more virus scanners? Yes, I am using F-prot 3.13a as my 1st scanner and InoculateIT 6.0 SP2 as my 2nd scanner There does appear to be an issue with 1.70 where this message will appear in the log file if one or more scanners report an error, but the last one does not. This will be fixed in the next release (an interim release can be made available immediately if necessary). Does this affect the 1.69beta as well? I am afraid since I am getting a 100 or so a day that viruses/vuln are slipping thru due to this error 0. Is there anything I can do to fix this issue? Thanks for your help. Keith
[Declude.Virus] Error in Virus Scanner
Does anyone know what this means (use Declude Virus Pro / F-prot 3.13a / Win2K SP3) 05/28/2003 22:29:57 Q709502a6010c3baf Error 0 in virus scanner. 05/28/2003 22:29:57 Q709502a6010c3baf Scanned: Error in virus scanner. [Prescan OK][MIME: 2 27056] I have started to see several of these since upgrading to 1.69beta, thanks for the aid. Keith Johnson
[Declude.Virus] Log Question
Scott, What level logging will show the emails being sent out for virus notifications. We are still experiencing an issue with two or more people needing to be notified, in our case, only one is receiving the email (postmaster.eml). Thanks for the aid. ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets
[Declude.Virus] Efficiency
Scott, During the initial setup of Declude Virus we copied down the virus_domain.txt and the virus_users.txt file and placed them in the Declude directory. Since then, by default, we are scanning all incoming/outgoing email for all domains. Is it more efficient (hence faster scans) for Declude to have those files there or not have them there or does it really make no difference, since we are scanning all domains and all users. Thanks for the aid.
[Declude.Virus] Monitoring of Declude Virus
I have downloaded and installed/tested the Virus Log Analyzer to take a look at what is being caught in the way of viruses. However, I wanted to see what others are using to 'real' time monitor the virus logs. Outside of using WinTail to watch the log files, I didn't know if others are using some program to query activity within the logs, i.e. scanner failures, and other such events. Since we virtual host email for our customers, I needed to ensure that it is always running properly. Thanks for any suggestions. -Keith
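One way to query the virus log for the scanner-failure events asked about above, as an added example that is not part of the original post and is not Declude's own tooling. The sample log lines are constructed in the layout of the entries quoted elsewhere in this archive; the event labels, function names, five-minute window and threshold of three are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Line layout seen in the log excerpts quoted in this archive:
#   MM/DD/YYYY HH:MM:SS Q<hex queue id> <message>
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")

# (label, substring) pairs. The substrings are copied from those excerpts;
# the labels are this example's own names.
EVENTS = [
    ("scanner_timeout", "Virus scanner didn't finish after"),
    ("vir_dir_left_behind", "Couldn't remove .vir directory"),
    ("temp_dir_error", "creating temp directory"),
    ("scan_start_error", "Scanned: Error starting scanner"),
    ("scan_error", "Scanned: Error in virus scanner"),
    ("unnamed_attachment", "No filename in disp"),
]
# Events that say the scanning pipeline itself is unhealthy.
HEALTH = {label for label, _ in EVENTS} - {"unnamed_attachment"}
# Events where the scan ended in an error instead of a verdict.
NO_VERDICT = {"scan_start_error", "scan_error"}

# Constructed sample input (queue ids are made up).
SAMPLE_LOG = r"""
06/04/2003 14:51:29 Qaaaa000000000001 ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 14:51:29 Qaaaa000000000001 WARNING: Couldn't remove .vir directory C:\IMail\spool\Daaaa000000000001.vir\: SHARING VIOLATION.
06/04/2003 14:52:45 Qaaaa000000000002 Error 183 creating temp directory C:\IMail\spool\Daaaa000000000002.vir\.
06/04/2003 14:52:45 Qaaaa000000000002 Scanned: Error starting scanner
06/04/2003 14:54:12 Qaaaa000000000003 ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 15:40:00 Qaaaa000000000004 No filename in disp Content-Disposition: attachment.
06/04/2003 15:40:00 Qaaaa000000000004 No filename in disp Content-Disposition: attachment.
not a log line
"""


def parse_line(line):
    """Return (timestamp, queue_id, message), or None if the line does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    except ValueError:  # e.g. month 13
        return None
    return ts, m.group(2), m.group(3)


def classify(message):
    """Map a log message to an event label, or None for routine entries."""
    for label, needle in EVENTS:
        if needle in message:
            return label
    return None


def find_bursts(times, window, threshold):
    """Merge runs where >= threshold health events fall inside `window`."""
    times = sorted(times)
    bursts, start = [], 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            if bursts and times[start] <= bursts[-1][1]:
                bursts[-1] = (bursts[-1][0], t)      # extend the open burst
            else:
                bursts.append((times[start], t))     # open a new burst
    return bursts


def triage(lines, window=timedelta(minutes=5), threshold=3):
    counts, health_times, no_verdict, skipped = Counter(), [], set(), 0
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        ts, qid, message = parsed
        label = classify(message)
        if label is None:
            continue
        counts[label] += 1
        if label in HEALTH:
            health_times.append(ts)
        if label in NO_VERDICT:
            no_verdict.add(qid)
    return {
        "counts": counts,
        "no_verdict": sorted(no_verdict),   # queue ids to re-check by hand
        "bursts": find_bursts(health_times, window, threshold),
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for label, n in report["counts"].most_common():
        print(f"{label:22s} {n}")
    print("scan ended without a verdict:", ", ".join(report["no_verdict"]))
    for first, last in report["bursts"]:
        print(f"scanner failure burst {first} .. {last}")
```

Run on a schedule against the current day's log, the burst list is the signal to alert on, and the queue ids without a verdict are the messages to review.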
[Declude.Virus] Issues running the fpcmd.exe scanner
Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing the f-prot.exe works great, reports in the log just fine, and sends out the notifications emails. If I use the fpcmd file, the file gets seen, however nothing is done with it and the original email gets sent on its way. I set the log to DEBUG for this test and below is my trace, any aid would be greatly appreciated. This test used the eicar2.zip test file from www.eicar.com and sent locally using Outlook Express. 12/20/2002 12:59:44 Q5a90002f0078444b Declude Virus Pro Registered 12/20/2002 12:59:44 Q5a90002f0078444b Starting locality check 12/20/2002 12:59:44 Q5a90002f0078444b CL Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains 12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] [0] is local domain1 12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] [0] is local main domain 12/20/2002 12:59:44 Q5a90002f0078444b Local host = ntad.com 12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] Offset=9 Flags=1 12/20/2002 12:59:44 Q5a90002f0078444b Msgid: 000901c2a851$93ec27e0$[EMAIL PROTECTED] 12/20/2002 12:59:44 Q5a90002f0078444b Subject: testing virus10 12/20/2002 12:59:44 Q5a90002f0078444b C:\IMail\spool\Q5a90002f0078444b.SMD 12/20/2002 12:59:44 Q5a90002f0078444b Starting virus scanning section... 
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER=0 12/20/2002 12:59:44 Q5a90002f0078444b Exclude Default=1 12/20/2002 12:59:44 Q5a90002f0078444b Exclude Domain=0 12/20/2002 12:59:44 Q5a90002f0078444b Exclude peruser=-1 12/20/2002 12:59:44 Q5a90002f0078444b DoAv( C:\IMail\spool\D5a90002f0078444b.SMD ); 12/20/2002 12:59:44 Q5a90002f0078444b avtempdir=C:\IMail\spool 12/20/2002 12:59:44 Q5a90002f0078444b Temp dir set to: C:\IMail\spool\D5a90002f0078444b.vir\ 12/20/2002 12:59:44 Q5a90002f0078444b fp=444d40 12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++ 12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START 12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: multipart/mixed;boundary==_NextPart_000_0 12/20/2002 12:59:44 Q5a90002f0078444b Got boundary; =--=_NextPart_000_0005_01C2A827.AB057E10. 12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers 12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=multipart/mixed NameEnd= 0 0 12/20/2002 12:59:44 Q5a90002f0078444b ISMULTI 12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 0 (3-0-). 12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++ 12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START 12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: multipart/alternative;boundary==_NextPart 12/20/2002 12:59:44 Q5a90002f0078444b Got boundary; =--=_NextPart_001_0006_01C2A827.AB057E10. 12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers 12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=multipart/alternative NameEnd= 0 0 12/20/2002 12:59:44 Q5a90002f0078444b ISMULTI 12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 0 (3-0-). 12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++ 12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START 12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: text/plain;charset=iso-8859-1 12/20/2002 12:59:44 Q5a90002f0078444b Got Encoding quoted-printable. 
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers 12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=text/plain NameEnd= 0 0 12/20/2002 12:59:44 Q5a90002f0078444b !ISMULTI 12/20/2002 12:59:44 Q5a90002f0078444b Handling a MIME segment [Boundary=--=_NextPart_001_0006_01C2A827.AB057E10]. 12/20/2002 12:59:44 Q5a90002f0078444b Encoding type: quoted-printable [1/] 12/20/2002 12:59:44 Q5a90002f0078444b Starting BASE64 12/20/2002 12:59:44 Q5a90002f0078444b Hit new boundary (fseek) 12/20/2002 12:59:44 Q5a90002f0078444b curpos=920 12/20/2002 12:59:44 Q5a90002f0078444b Deleting (1) plaintext segment C:\IMail\spool\D5a90002f0078444b.vir\0.. 12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER-- 12/20/2002 12:59:44 Q5a90002f0078444b Done Recursing... 12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 1 (3-0-). 12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++ 12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START 12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: text/html;charset=iso-8859-1 12/20/2002 12:59:44 Q5a90002f0078444b Got Encoding quoted-printable. 12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers 12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=text/html NameEnd= 0 0 12/20/2002 12:59:44 Q5a90002f0078444b !ISMULTI 12/20/2002 12:59:44 Q5a90002f0078444b Handling a MIME segment [Boundary=--=_NextPart_001_0006_01C2A827.AB057E10]. 12/20/2002 12:59:44 Q5a90002f0078444b Encoding type: quoted-printable [1/htm] 12/20/2002 12:59:44 Q5a90002f0078444b Starting BASE64 12/20/2002 12:59:44
RE: [Declude.Virus] Issues running the fpcmd.exe scanner
Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe 12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt C:\IMail\spool\D5A900~1.VIR\ The problem is that you need to remove the /NOFLOPPY from the SCANFILE line in your \IMail\Declude\virus.cfg file. F-Prot.exe requires this, but fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is there. -Scott
RE: [Declude.Virus] Issues running the fpcmd.exe scanner
Scott, Thank you for your wisdom, you are awesome. -Keith -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED]] Sent: Friday, December 20, 2002 2:03 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Issues running the fpcmd.exe scanner Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe 12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt C:\IMail\spool\D5A900~1.VIR\ The problem is that you need to remove the /NOFLOPPY from the SCANFILE line in your \IMail\Declude\virus.cfg file. F-Prot.exe requires this, but fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is there. -Scott
[Declude.Virus] Treatment of double layered extension files
Scott, I saw a few weeks ago about a thread discussion that talked about the 'catching' of double layered extension files (i.e. file.shs.txt), however I couldn't find it in the archive. I wanted to see if these indeed get caught as banext (i.e. shs) , as I think this maybe a dull point if they contain a virus as the scanner should catch it and thus tip Declude to quarantine it, however my thoughts were if it was not a virus file. Thanks for the info. ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets
[Declude.Virus] Customized Footer for domain
Scott, Thanks for the aid on other question. We currently have the virus footer disabled, but I have one client who would like a footer added to his email that it was scanned for viruses. Is there a way to do this except globally in the virus.cfg file? Again, thank you. ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets
RE: [Declude.Virus] bogus files.....
I got this same bogus file showing up in the log (MID) when I sent the eicar virus (zipped format) off the eicar.com website to our server. Keith -Original Message- From: John Tolmachoff [mailto:[EMAIL PROTECTED]] Sent: Thu 12/19/2002 7:14 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus] bogus files. That log file entry is part of an experimental system in Declude Virus designed to find files that aren't what they claim to be (for example, if someone renamed an .exe file to a .jpg extension). However, I believe there was a recent beta that would falsely detect these bogus files. In any case, the only damage is the extra log file entries. Ok, that's what I figured it had to be, as it appeared no actions are taken. Is that planned for a later release? If the attachment is bogus to hold/warn/delete? That's planned for a future release. We haven't decided yet how the E-mails would be handled (HOLD/WARN/DELETE sound like they would be good options). Hold with postmaster and possible recipient notification sounds good. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com
[Declude.Virus] Scanning Process
We are testing two virus scanners with Declude Pro and wanted to confirm our thoughts. Is it true that the scanners scan the file first, whether you have one, two, or five and then once done, the action on the virus is taken (i.e. quarantined)? ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets
[Declude.Virus] Problems with catching Virus
Scott, We are in the testing phase of deploying the antivirus across our Imail server, thus we are using the virus domains file to limit testing to a few domains. We are using the Computer Associates InoculateIT 6.0 engine to scan for viruses. Our scanner reads: C:\Progra~1\CA\Common\ScanEn~1\inocmd32.exe /ARC /LIS:report.txt To test this, we simply copied down the EICAR test virus into a directory on the local machine (Imail Server w/Declude). I ran the command line above to test the virus to ensure it would detect it and it did (no on-access scanning is running, has been disabled). I opened up the Imail Client on the default domain and emailed my username on my domain (which is included in the virus domains file as ON). I received the email and the virus attached to the email. Once I popped it off the Imail Server, my onboard Antivirus caught it. I checked the virxx.log file and it showed it was scanned as OK. Is there anything else I can check to see what is going on. I could increase the logging to DEBUG from MID. Thanks for the aid. ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets
[Declude.Virus] Spoofing Connecting IP Address
Just wanted to gain some additional knowledge from the forum on the following. With the Klez virus (among others), it is widely known that the from address will most likely be spoofed. However, if you look at the full header, does Klez and the like, also attempt to spoof the IP address in which the request originated from to your (my) server. For example, some headers list Received from 'server name' (IP address) by domain.name with SMTP ID for email.address on Date Does Klez spoof the server name and IP address from the originator. Thank you for your aid and knowledge!! ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets
[Declude.Virus] Virus Scanning Question
According to the Virus Manual (Declude), it lists the following: (for outgoing web messaging E-mails, you can have an on-access scanner scanning only the \IMail\spool\ directory). I was wondering how others were handling your users' outgoing email sent out of your server (scanning-wise). Thanks for the aid... ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets
[Declude.Virus] Is this safely ignored...
In the virxxx.log, I found this error. Can this be safely ignored? Warning: EOF in middle of MIME segment [] [--- ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets
RE: [Declude.Virus] Opinion on Virus Scanner
John, Thank you for the info. With the DOS version, how are you getting your auto sig updates, and on what interval can you obtain these? -Original Message- From: John Tolmachoff [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 03, 2002 11:12 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Opinion on Virus Scanner F-Prot seems to be the flavor. Do you guys run (under Windows 2000 Server) the DOS version, Windows version or the F-Secure version? Windows 2000 Server using F-Prot DOS version. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.