RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Keith Johnson
Darrell,
  What happens in this scenario?  Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, let's say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days.  Does Declude Virus still run against it
prior to ROUTETO?  My fear is that the virus file will land in their
spam box untouched and the user will fire the virus off by looking at
file.

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME


 How does AVAFTERJM cut down on work?  I thought it only affected the
 order in which JM and AV ran, and that AV ran each time, regardless of
 this setting.

The main benefit is that it cuts down on the amount of messages virus 
scanned thus saving resources.  It has been a MAJOR help for me. 

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Keith Johnson
Darrell,
 I guess my question then is what advantage is it to have it run
prior to Virus if the Virus Scanner still scans it, won't it still use
the same CPU cycles?  

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME


Keith, 

It still gets virus scanned.  I have tons of viruses in my virus drop
point for ROUTETO accounts.

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 


Keith Johnson writes: 

 Darrell,
   What happens in this scenario?  Virus file comes in,
 AVAFTERJM is turned on, thus Declude scans it for spam content, let's
 say it is spam, thus ROUTETO sends it to a specific mailbox for
 customer to review for certain amount of days.  Does Declude Virus
 still run against it prior to ROUTETO?  My fear is that the virus file
 will land in their spam box untouched and the user will fire the virus
 off by looking at file.
 
 Keith
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
 ([EMAIL PROTECTED])
 Sent: Friday, January 27, 2006 10:02 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
 
 
 How does AVAFTERJM cut down on work?  I thought it only affected the
 order in which JM and AV ran, and that AV ran each time, regardless of
 this setting.
 
 The main benefit is that it cuts down on the amount of messages virus
 scanned thus saving resources.  It has been a MAJOR help for me.  
 
 Darrell
  ---
 Check out http://www.invariantsystems.com for utilities for Declude, 
 Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
 SURBL/URI integration, MRTG Integration, and Log Parsers.
 


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Keith Johnson
Markus,
However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).
Is this not true?

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME


 So, with or without AVAFTERJM, it looks like each message is scanned 
 by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers:

As we know usually 50% of all incoming messages are spam.
We know too that resource usage of one or two scan-engines is way above
the entire spam filtering even if you use 5-6 external applications like
sniffer, inv-uribl, spamchk, ...

So if your spam filters are set up properly they will filter out at
least 50% of all incoming messages before they will reach the
av-engines.

Markus



RE: [Declude.Virus] Declude and IMail 2006

2005-11-30 Thread Keith Johnson
David,
  If you don't mind, what is the latest revision of Declude?  I know there
have been several 'hot fixes', just want to make sure I have the latest.
Thanks again,
 
Keith



From: [EMAIL PROTECTED] on behalf of David Barker
Sent: Wed 11/30/2005 9:33 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Declude and IMail 2006



We have had access to the Beta and have run all our standard tests
successfully.

The caveat that I will offer is that there is no way in which we can
replicate every combination of tests and events in our simulated
environments. But to the best of our knowledge Declude and IMail 2006
seem to be OK.

David B
www.declude.com


RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-22 Thread Keith Johnson
David,
Are these to be used to correct issues with Dual-proc, or is
that still an ongoing issue being looked at?  Thanks for the time.

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 11:41 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Declude Beta 3.0.4.4 Posted


2 new Directives

WAITFORTHREADS  1500
Located in the Declude.cfg - Defined in milliseconds, e.g. 1500 = 1.5
seconds. This can be changed so that when the maximum threads are in use,
this time specifies the wait before checking to launch more threads.

WAITBETWEENTHREADS 1
Located in the Declude.cfg - Defined in milliseconds, e.g. 1 = 1
millisecond. The time to wait between spawning one thread and starting to
process another thread.

David B
www.declude.com



RE: [Declude.Virus] Sudden Internet Slowdown

2005-09-09 Thread Keith Johnson
I am seeing this as we are attempting to get to certain websites and they
can't be displayed.

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
Sent: Friday, September 09, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Sudden Internet Slowdown

Hello all!

This may be off topic, but has anyone else experienced a sudden Internet
slowdown this morning starting about 11:00 EST?  We have locations across
the country and are experiencing problems in about half our locations,
most using SBC DSL for Internet service.  Our primary Telnet app is DOA in
these locations and e-mail and web surfing is slow everywhere.

Thanks,

Rodney Bertsch



RE: [Declude.Virus] f-prot update script

2005-05-02 Thread Keith Johnson
Daniel,
Give this a try:

http://www.f-prot.com/support/windows/fpwin_faq/88.html

-Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 11:06 AM
To: 'Declude.Virus@declude.com'
Subject: RE: [Declude.Virus] f-prot update script

I have tried using this script.  I keep getting an error referring to
wget.exe and it doesn't update F-Prot.

Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice:  434 - 570 - 1765
Fax:434 - 572 - 1981
[EMAIL PROTECTED]

-Original Message-
From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script

Take a look at:

http://www.declude.com/Articles.asp?ID=100

F-Prot for DOS updater - A batch file that automatically updates F-Prot
and its virus definitions (old version here), and a Cygwin version, and
a complete .ZIPed version. Finally, a Simple version!




 Goran Jovanovic
 The LAN Shoppe



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
 [EMAIL PROTECTED] On Behalf Of Daniel Ivey
 Sent: Monday, May 02, 2005 9:52 AM
 To: 'Declude.Virus@declude.com'
 Subject: [Declude.Virus] f-prot update script

 Does anyone have an f-prot update script that they wouldn't mind sharing?
 I have tried one that I found, but never could get it to work.  Any help
 is appreciated.

 Thanks,
 Daniel

 ===
 Daniel Ivey
 GCR Company / GCR Online
 Voice:  434 - 570 - 1765
 Fax:434 - 572 - 1981
 [EMAIL PROTECTED]



RE: [Declude.Virus] OT: Installing Sophos/Anti Virus

2005-04-20 Thread Keith Johnson
Aaron,
I have tried F-prot (www.f-prot.com)?  It is very fast and not
very expensive, and the reliability is outstanding.

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Moreau-Cook
Sent: Wednesday, April 20, 2005 1:37 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] OT: Installing Sophos/Anti Virus

All,

I have an IMail Server on a Windows 2003 server with Declude Virus 1.82.

We have been running with three virus scanners, McAfee VirusScan 7.1,
F-Prot 3.16b, and Nod32. After having nothing but trouble with Nod32
crashing on our system we decided to replace Nod32 with another scanner.

We tried to install PC-cillin, but it won't install on a Windows 2003
Server.
We tried to install Sophos, but it won't install because other
Anti-Virus applications are installed.

So my question is, how do I get another third party scanner installed?
How has everyone else got Sophos installed on their systems?

We'd like to use Sophos, but at this point I don't really care either
way as long as it is reliable and doesn't crash.

Thanks,

Aaron



[Declude.Virus] Issues

2005-02-18 Thread Keith Johnson
The past few days I am occurring a lot of these type errors in the virus log:

02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile
02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2!  Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD f:\imail\spool\virus\Qcb35092800dc91ac.SMD
02/18/2005 06:03:21 Qcb35092800dc91ac Error opening mime file F:\IMail\spool\Dcb35092800dc91ac.SMD
02/18/2005 06:03:21 Qcb35092800dc91ac Scanned: Error starting scanner

02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory F:\IMail\spool\Dcb3e09ed005291c3.vir\.
02/18/2005 06:03:25 Qcb3e09ed005291c3 Scanned: Error starting scanner

02/18/2005 06:03:52 Qcb460a83007a91db Couldn't rename SMD to SM$ [32].  Priority back to 32.
 
This is a Win2K SP4 machine with Dual Xeon 2.4 GHz w/1GB RAM.  Running F-prot
(1st) and then Computer Assoc (2nd).  A few days ago, I uninstalled F-prot and
reinstalled it.  Copied in a fresh Declude.exe file (ver. 1.82).  When this
occurs above, it is a domino effect, it causes mail to back up in the overflow
queue and thus email is not delivered.  Is there anything else I can do to fix
this issue?  Thanks for the aid.
 
-Keith

RE: [Declude.Virus] Issues

2005-02-18 Thread Keith Johnson
Scott,
   We are not running on-access scanners (very careful about that), we are
running Imail 8.15.  I didn't even install the Realtime Scanner in f-prot and
have CA Realtime disabled as a service.  Anything else that I can look at?
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Fri 2/18/2005 7:12 AM 
To: Declude.Virus@declude.com 
Cc: 
Subject: Re: [Declude.Virus] Issues




The past few days I am occurring a lot of these type errors in the
virus log:

02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile

This indicates that something happened to the D*.SMD file, which contains
the E-mail body.  If you are running an on-access virus scanner, for
example, the on-access virus scanner may have deleted the E-mail.

02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2!  Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD f:\imail\spool\virus\Qcb35092800dc91ac.SMD

And this one means that the Q*.SMD file isn't there, either.  This would
seem unusual, except we then get:

02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory F:\IMail\spool\Dcb3e09ed005291c3.vir\.

This one means that the F:\IMail\spool\Dcb3e09ed005291c3.vir\ directory
already exists.  That is a major clue, as Declude Virus is the only program
that will create a directory with that name.

This means that IMail is calling Declude multiple times.  We've seen this
happen a few times before -- you may want to make sure that you are running
the latest version of IMail.

-Scott 
--- 
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000. 
Declude Virus: Ultra reliable virus detection and the leader in 
mailserver 
vulnerability detection. 
Find out what you've been missing: Ask for a free 30-day evaluation. 
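
A triage sketch for the log lines discussed in this message, added here as an example and not code from Declude, IMail or any poster. It groups virus-log entries by queue ID and applies the readings given in the reply quoted above; the function names, category labels and the line regex are assumptions based only on the lines quoted in this thread.

```python
import re
from collections import defaultdict

# Shape of the virus-log lines quoted in this thread:
#   MM/DD/YYYY HH:MM:SS Q<hex queue id> <message text>
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$"
)

# Category labels are this example's own. The reading of each message
# follows the explanation quoted above:
#   Error 183            -> the D*.vir directory already existed
#   headers datafile     -> something happened to the D*.SMD body file
#   could not move       -> the Q*.SMD file was not there
PATTERNS = [
    ("temp_dir_exists", re.compile(r"Error 183 creating temp directory")),
    ("body_file_missing", re.compile(r"Couldn't open headers datafile")),
    ("queue_file_missing", re.compile(r"ERROR: Could not move virus-infected")),
    ("scanner_not_started", re.compile(r"Scanned: Error starting scanner")),
]

# Log lines copied from the post in this thread, with the mail client's
# line wrapping kept so the unwrapping step has something to do.
SAMPLE_LOG = r"""
02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile
02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected
E-mail2!  Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD
f:\imail\spool\virus\Qcb35092800dc91ac.SMD
02/18/2005 06:03:21 Qcb35092800dc91ac Error opening mime file
F:\IMail\spool\Dcb35092800dc91ac.SMD
02/18/2005 06:03:21 Qcb35092800dc91ac Scanned: Error starting scanner
02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory
F:\IMail\spool\Dcb3e09ed005291c3.vir\.
02/18/2005 06:03:25 Qcb3e09ed005291c3 Scanned: Error starting scanner
02/18/2005 06:03:52 Qcb460a83007a91db Couldn't rename SMD to SM$ [32].
Priority back to 32.
"""


def join_wrapped(log_text):
    """Rebuild one string per log entry from text that was wrapped in mail."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LINE_RE.match(line):
            entries.append(line)          # a new timestamped entry starts
        elif entries:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries


def classify(text):
    """Map the message part of an entry to a category label."""
    for label, pattern in PATTERNS:
        if pattern.match(text):
            return label
    return "other"


def triage(log_text):
    """Return queue IDs grouped by what their log entries indicate."""
    per_id = defaultdict(set)
    for entry in join_wrapped(log_text):
        _timestamp, queue_id, text = LINE_RE.match(entry).groups()
        per_id[queue_id].add(classify(text))

    report = {"double_invocation": [], "files_vanished": [], "unscanned": []}
    for queue_id, categories in per_id.items():
        if "temp_dir_exists" in categories:
            report["double_invocation"].append(queue_id)
        if categories & {"body_file_missing", "queue_file_missing"}:
            report["files_vanished"].append(queue_id)
        if "scanner_not_started" in categories:
            # No scanner ran, so this message has no scan verdict in the log.
            report["unscanned"].append(queue_id)
    return report


if __name__ == "__main__":
    for heading, ids in triage(SAMPLE_LOG).items():
        print(heading, ids)
```

The `unscanned` list is the one to reconcile against the spool: those queue IDs have no scanner result recorded for them.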


RE: [Declude.Virus] Issues

2005-02-18 Thread Keith Johnson



Scott,
 Continue to see a lot of these type things, at times, the only way to
aid the situation is to stop/restart the Queue Mgr/SMTP

02/18/2005 11:44:11 Q1b3d04d2006a5060 ERROR: Could not open recip file F:\IMail\spool\_1b3d04d2006a5060.~MD [2]
02/18/2005 11:44:11 Q1a58046e00fc4c6c ERROR: Could not open recip file F:\IMail\spool\_1a58046e00fc4c6c.~MD [2]
02/18/2005 11:44:11 Q1b4902b000745089 ERROR: Could not open recip file F:\IMail\spool\_1b4902b000745089.~MD [2]
02/18/2005 11:44:11 Q1a58046e00fc4c6c ERROR: Could not open recip file F:\IMail\spool\_1a58046e00fc4c6c.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b4a020101285097 ERROR: Could not open recip file F:\IMail\spool\_1b4a020101285097.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b4a020101285097 ERROR: Could not open recip file F:\IMail\spool\_1b4a020101285097.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b4a020101285097 ERROR: Could not open recip file F:\IMail\spool\_1b4a020101285097.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b32017700ee5028 ERROR: Could not open recip file F:\IMail\spool\_1b32017700ee5028.~MD [2]
02/18/2005 11:44:12 Q1b4a03a500a05092 ERROR: Could not open recip file F:\IMail\spool\_1b4a03a500a05092.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:13 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:13 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]

Any ideas or suggestions?

Keith


From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Friday, February 18, 2005 7:57 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Issues

Scott,
 We are not running on-access scanners (very careful about that), we are
running Imail 8.15.  I didn't even install the Realtime Scanner in f-prot
and have CA Realtime disabled as a service.  Anything else that I can look at?

Keith

  -Original Message-
  From: [EMAIL PROTECTED] on behalf of R. Scott Perry
  Sent: Fri 2/18/2005 7:12 AM
  To: Declude.Virus@declude.com
  Cc:
  Subject: Re: [Declude.Virus] Issues

  The past few days I am occurring a lot of these type errors in the virus log:

  02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile

  This indicates that something happened to the D*.SMD file, which contains
  the E-mail body. If you are running an on-access virus scanner, for
  example, the on-access virus scanner may have deleted the E-mail.

  02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2! Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD f:\imail\spool\virus\Qcb35092800dc91ac.SMD

[Declude.Virus] Error on Scanners

2005-01-21 Thread Keith Johnson
What would the following indicate:

01/21/2005 15:04:06 Q5df1239b014af8b3 Error 183 creating temp directory
F:\IMail\spool\D5df1239b014af8b3.vir\.
01/21/2005 15:04:06 Q5df1239b014af8b3 Scanned: Error starting scanner

Thanks for the aid.

Keith


RE: [Declude.Virus] Declude Licensing codes

2004-12-23 Thread Keith Johnson
Andy,
   Upon your phone call with Barry, should we as Declude Users (4 lic. in
my case), contact Barry directly before upgrading or should we wait for a post
on this forum for new procedures?  I too have a cold spare, however, Declude is
not loaded there until necessary and upon written procedures that we have in
place to shutdown the current server (whether down by failure or otherwise),
rename it and re-ip it and the like.  Thanks for the info.
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Andy Schmidt 
Sent: Thu 12/23/2004 9:05 AM 
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com 
Cc: 
Subject: RE: [Declude.Virus] Declude Licensing  codes



Hi,

At the end, there are two components to this:

A) the technique used to validate licenses (e.g., an activation code,
hardware detection, etc.)

B) the procedures on how a questionable situation is handled.

I really don't have a problem with ANY technique as long as I can be
comfortable with the procedures.  If the procedures could even remotely
result in an accidental automatic disabling, I'd no longer be able to
justify use of the product.  Per example, if the procedures involve a long
grace period, or, if the procedures simply allow a License Validation
Staff to REVIEW a questionable license with a customer at a mutually
convenient time, or similar safeguards - then I'm absolutely okay with it.

When Barry called yesterday, I listened and agreed wholeheartedly, that
Declude owes it to its PAYING customers to identify and go after
non-compliant customers.  After all - it's money stolen from the paying
customer (by either having to raise prices or by not being able to invest
into future development as much).

But, I repeated my expectations that NOT details of the techniques need to
be disclosed - but there should be sufficient disclosure of the
procedures.  And that should be disclosed BEFORE the software is offered
for download - not AFTER people are starting to get suspicious.

With the information that I was given, I'm perfectly satisfied that I can
continue to use Declude - and I fully support their efforts (in general) of
license enforcement.

However, I still hope that Barry recognizes the need that ALL customers need
to know enough about the procedures to regain (!) MY level of comfort and
confidence in the company and the product.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, December 23, 2004 02:01 AM
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Subject: [Declude.Virus] Declude Licensing  codes


Here is some information for all who have concerns about the new licensing
and tie in to IPs and/or MACs:

I have spoken to Barry today, and while I will not reveal the little bit of
information I was given, I will state on my honor that I have no problem
with the new license code process whatever you want to call it.

Additionally, Declude has designed and taken steps to make sure there will
be no problems in the event you need to change IPs or hardware overnight, on
a weekend, on an extended weekend or even if disaster were to strike and the
Declude offices were not available for a week.

Hopefully, you can now rest assured that Declude will not stop working if
you have to fix your server.

FYI, there is also a process in place for a cold spare server to be prepared
and ready ahead of time. You will need to contact Declude to specifically
set that up.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




[Declude.Virus] What are these

2004-10-25 Thread Keith Johnson
Q06634053002e6803 Error 183 creating temp directory
F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner

Thanks for the aid, running 1.81 



---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058


RE: [Declude.Virus] What are these

2004-10-25 Thread Keith Johnson
Also,

ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD [2]

Please advise to what this is, thanks,

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] What are these

Q06634053002e6803 Error 183 creating temp directory
F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner

Thanks for the aid, running 1.81 



---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058


RE: [Declude.Virus] What are these

2004-10-25 Thread Keith Johnson
Also getting:

Q08b8153d00e2843a Couldn't rename SMD to SM$ [32].  Priority back to 32.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] What are these

Q06634053002e6803 Error 183 creating temp directory
F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner

Thanks for the aid, running 1.81 



---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058


RE: [Declude.Virus] What are these

2004-10-25 Thread Keith Johnson
John,
Both are turned off, use F-prot (Realtime not installed), Inoc
turned off and Disabled.

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Monday, October 25, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] What are these

Do you have an on-access scanner running?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Keith Johnson
 Sent: Monday, October 25, 2004 7:38 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] What are these
 
 Also,
 
 ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD
 [2]
 
 Please advise to what this is, thanks,
 
 Keith
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
 Sent: Monday, October 25, 2004 10:24 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] What are these
 
 Q06634053002e6803 Error 183 creating temp directory 
 F:\IMail\spool\D06634053002e6803.vir\.
 10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner
 
 Thanks for the aid, running 1.81
 
 
 
 ---
 Keith Johnson
 Senior Network Engineer
 Network Advocates, Inc.
 9001 Shelbyville Road
 Burhans Hall, Suite 260
 Louisville, KY 40228
 TEL: 502.992.5928
 FAX: 502.412.1058
 ---


RE: [Declude.Virus] What are these

2004-10-25 Thread Keith Johnson
Scott,
We are backing up in our Queue of about 8000 emails and we
started seeing the below messages as well:


Q08b8153d00e2843a Couldn't rename SMD to SM$ [32].  Priority back to 32.

ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD
[2]

Are these related?

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, October 25, 2004 10:55 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] What are these


Q06634053002e6803 Error 183 creating temp directory 
F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner

That error means that the .vir directory already exists -- this will
happen if IMail accidentally calls Declude multiple times.  Although you
will see the warnings in the log file, Declude will still function
properly.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in
mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Keith Johnson
I too am seeing this same behavior.  I am running HIGH logging and 1.80 version.  All 
I see is my scanners detecting it, no extra lines from Declude that it stopped it, 
same behavior under 1.79.  I also wanted to see if there would be any additional aid 
with F-prot not being able to report the virus correctly due to it yielding an Error 
#8.  Seems there was discussion that the Report line changed in the latest 3.15b, 
where it also reports:
 
REPORT Infection:
REPORT Contains the exploit named

As I understand it, we can only have 1 report line per scanner, is this true?  

Thanks for the aid,

Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Nick 
Sent: Tue 9/28/2004 9:40 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.



On 27 Sep 2004 at 17:31, R. Scott Perry wrote:

 The latest release of Declude Virus will automatically detect the
 GDIPlus.dll JPEG exploit.

How can I confirm this? When I send myself the exploit I do not
receive the email - good-  but in my virus logs all I see is 'error
in scannerx' and nothing in the declude log file.

This is with v180

-Nick Hayer


RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Keith Johnson
Mark,
 What did you use to generate the GDI Exploit test file?  Thanks
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Mark Smith 
Sent: Mon 9/27/2004 1:55 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.



Send a GDI Exploit test file through.
You'll get the error Can't Parse Virus type in the Declude Virus log.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Saturday, September 25, 2004 11:22 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Fprot GDI Scanner lines.

 - Original Message -
 From: Mark Smith [EMAIL PROTECTED]


  Actually this breaks Declude because Declude Virus can't
 look for multiple
  REPORT lines.
 
  Scott,
  How can we setup Declude Virus to look for multiple lines in the
 report.txt
  file?

 I've been running F-Prot Version 3.15b since it was released
 yesterday and
 have not had to make any changes to my virus config to support the new
 version.  It has been running exactly the way it always has.

 Bill


RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Keith Johnson
Nevermind, found a copy of it, just had trouble with the German.  It seems my Inoc 
caught it correctly, however, the Fprot didn't, gave me error.  
 
Q6f7408d2006085b0 Scanner 1 reported error code #8, which is listed as OK
09/27/2004 15:52:20 Q6f7408d2006085b0 Scanner 2: Virus= JPEG.MS04-028.Exploit.Trojan 
Attachment=jpegcompoc.zip.ZIP [1] I
09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [ 
JPEG.MS04-028.Exploit.Trojan: 101]
 
Keith

-Original Message- 
From: Keith Johnson on behalf of Keith Johnson 
Sent: Mon 9/27/2004 3:02 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.


Mark,
 What did you use to generate the GDI Exploit test file?  Thanks
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Mark Smith 
Sent: Mon 9/27/2004 1:55 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.



Send a GDI Exploit test file through.
You'll get the error Can't Parse Virus type in the Declude Virus log.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Saturday, September 25, 2004 11:22 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Fprot GDI Scanner lines.

 - Original Message -
 From: Mark Smith [EMAIL PROTECTED]


  Actually this breaks Declude because Declude Virus can't
 look for multiple
  REPORT lines.
 
  Scott,
  How can we setup Declude Virus to look for multiple lines in the
 report.txt
  file?

 I've been running F-Prot Version 3.15b since it was released
 yesterday and
 have not had to make any changes to my virus config to support the 
new
 version.  It has been running exactly the way it always has.

 Bill


[Declude.Virus] Future Question

2004-08-11 Thread Keith Johnson
Scott,
It seems that social engineering will play a huge part in
future viruses (already seen it with passwords listed in body of
encrypted zips), what are your thoughts on the following:

  I recently saw a bounce message that contained the recent
Bagle.aq virus that contained the following words in the body.

Due to the nature of the current virii, we are stripping Microsoft
.zip attachments. To send these, please rename the extension to .piz by
right-clicking and using rename file. Let the recipient know to change it
back to .zip and it should get past.

  Is it possible to build in some parameter that allows for banning
all extensions, except some listing that is provided within the config
file?   However, keeping the functionality of blocking file extensions
within compression files. 

  I know this is most likely a huge undertaking, however, if I look
back over my conversations with some of my users and them wanting to
send some much needed exe (or the like) file through inside a zip, and
my response is rename the extension to something other than .zip and
send it and let the end user know to alter it back.  I can't help but
imagine the virus writers will social engineer something soon to do the
same.  

  Thanks for the time.

Keith



[Declude.Virus] Extension Modify

2004-07-19 Thread Keith Johnson
We modify extensions at our Firewall that changes an executable listing and removes 
the last character and adds an underscore (no harm to file).  For example, an exe 
would be modified to ex_   Works great, however, it seems that Declude will not see it 
in our Banned Extension listing even though we have it listed as BANEXT ex_   Does 
Declude Pro Virus (1.79+) allow for this?
 
I have tested it with varying sizes of files and none get banned. 
 
Thanks for the aid.
 
Keith

RE: [Declude.Virus] Extension Modify

2004-07-19 Thread Keith Johnson
Scott,
 Thanks for the email and quick follow-up. Below is the log snippet and it 
shows:
 
07/19/2004 20:21:30 Q658a1246012405b6 MIME file: happy.pi_ [base64; Length=80 
Checksum=8732]
07/19/2004 20:21:30.546 Q658a1246012405b6 Comparing |pi| to SKIPEXTs and BANEXTs
07/19/2004 20:21:31.171 Q658a1246012405b6 Starting EXT check .
07/19/2004 20:21:31.171 Q658a1246012405b6 1: happy.pi_ adfa
07/19/2004 20:21:31.171 Q658a1246012405b6 Starting EXT check pi.


  It seems Declude drops the _ in pi_ and checks pi   Is this by design?  
Thanks again.
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Mon 7/19/2004 8:19 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Declude.Virus] Extension Modify




We modify extensions at our Firewall that changes an executable listing
and removes the last character and adds an underscore (no harm to
file).  For example, an exe would be modified to ex_   Works great,
however, it seems that Declude will not see it in our Banned Extension
listing even though we have it listed as BANEXT ex_   Does Declude Pro
Virus (1.79+) allow for this?

I believe the problem here is that the underscore is not a valid character
for file extensions.  If you change it to BANEXT ex, it should take care
of the problem.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


RE: [Declude.Virus] Extension Modify

2004-07-19 Thread Keith Johnson
Scott,
  Is there a limit on the BANEXT?  I thought I read somewhere it was 100?  
Thanks again for your time.  Just need a few more entries to cover the _ character.
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Mon 7/19/2004 8:19 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Declude.Virus] Extension Modify




We modify extensions at our Firewall that changes an executable listing
and removes the last character and adds an underscore (no harm to
file).  For example, an exe would be modified to ex_   Works great,
however, it seems that Declude will not see it in our Banned Extension
listing even though we have it listed as BANEXT ex_   Does Declude Pro
Virus (1.79+) allow for this?

I believe the problem here is that the underscore is not a valid character
for file extensions.  If you change it to BANEXT ex, it should take care
of the problem.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
 I believe it is only with the new encrypted (password) zip files.  I saw in 
my log (when running i8) that my Scanners were picking up and detecting normal zip's, 
normal pifs, normal scr. etc. of all virus flavors (if there is such thing as normal). 
 I believe I wouldn't see (as long as we have a sig file) any banning of normal zips 
(un-passworded) since the AV scanner would pick it and process it first before 
banning.   
 
 For whatever reason, any password laid virus zip files containing com, pif, 
scr, exe, or others are not getting picked up on our system with i8, however, they are 
with i7.   I hope this helps.  
 
 I just used to test this was the Eicar.com virus zipped up with WinZip with 
an applied password.  Ran it through both to an address on the system and also to 
another Declude protected Imail system, both came straight through.
 
Keith


I'm not clear on exactly what is happening.  Is the problem *only* with
.ZIP files, or is it also occurring with other types of files?

-Scott



RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it 
in place of the new commands:
 
BANEZIPEXTS and BANZIPEXTS ON
 
   I used that encoded file to test it under i8 first and it went straight 
through, that is what tipped me off that something was not right.  I then turned 
around and made my own test from eicar.com and it went through.  I just tested it 
under i7 and it got caught.  I am unsure where to turn as our .vir directories are off 
the charts.  
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Wed 3/3/2004 9:01 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus 
.bat, .com, .pif, and .scr files




  For whatever reason, any password laid virus zip files
 containing com, pif, scr, exe, or others are not getting picked up on our
 system with i8, however, they are with i7.   I hope this helps.

I assume you are using BANEXT EZIP with i7.  Are you using it with i8 as
well?  Do you have BANEXT com, BANEXT pif, etc. in your virus.cfg file?

  I just used to test this was the Eicar.com virus zipped up with
 WinZip with an applied password.  Ran it through both to an address on
 the system and also to another Declude protected Imail system, both came
 straight through.

Do the eicarencodedzip E-mail from the Test Virus Sender at
http://www.declude.com/tools/ get caught?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
 This is my top portion of my virus.cfg file under i7 and i8.  
 
Keith

-Original Message- 
From: Keith Johnson on behalf of Keith Johnson 
Sent: Wed 3/3/2004 8:10 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus 
.bat, .com, .pif, and .scr files


Scott, 
 This is a 'top' sample of what I have listed in my Virus.CFG file:
 
BANEZIPEXTS ON
BANZIPEXTS ON
BANEXT exe
BANEXT ex_
BANEXT pif
BANEXT pi_
BANEXT scr
BANEXT sc_
BANEXT bat
BANEXT ba_
BANEXT com
BANEXT co_
 
 Since we modify extensions at our Firewall, you see the different 
alternate extensions above.  I made no modifications to the above moving to i8.  I 
noticed in my log (tried MID and HIGH) after moving to i8 that I no longer saw any 
Banning extension with (EXT) lines.  Thus, I got concerned.  On average, we get a 
virus every few seconds, and moving back to i7, within a minute, I was catching the 
banned extension inside of zip's again.  When I was on i8, I did a simple test of 
zipping an Eicar .com virus and password protecting it.  I ran it through and it went 
straight to my inbox.  I then dropped back to i7 and ran the same file through and it 
was picked up and logged, however, the directory couldn't be removed.  Thus, this 
morning I had well over 200 plus .vir directories to delete.  Any thoughts?  Thanks 
for the aid.
 
Keith
 
-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Wed 3/3/2004 7:57 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus 
.bat, .com, .pif, and .scr files




I'll second that. Running 1.78i8, with BANZIPEXTS and BANEZIPEXTS ON, 
the
encoded zip eicar test passes through. The regular zip version of the 
eicar
test is caught.

Just to clarify, this IS the expected behavior with 1.78i18.

BANZIPEXTS ON and BANEZIPEXTS ON will *only* block .ZIP files *if* they
contain files that have a banned file extension.  So unless you also 
have a
line BANEXT com in the virus.cfg file, an encrypted eicar.com file 
won't
get caught.

For others having issues with these new features, please be very clear 
what
is happening.  There are a lot of possibilities here.  You'll need to
specify [1] Whether you are using BANZIPEXTS ON or BANEZIPEXTS ON (or 
the
not-recommended-but-still-useful BANEXT EZIP), [2] Whether you have a
BANEXT line to block the appropriate file (BANEXT com, for example), 
[3]
What type of file you are sending through (.com? .com within a .zip?), 
[4]
If it is a .ZIP file, is the file inside it encrypted?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
I don't know that our firewall is the issue due to it working
under i7 and all prior Declude versions.  The Firewall only modifies the
extension, it does not in any way alter the file.  When you wrote that i7
will not block encrypted zips without the BANEXT EZIP line, it was my
understanding if you have the following:

BANEZIPEXTS ON
BANEXT com

then it will block encrypted zip files containing .com files?  Am
I wrong?  Do I need to have all the following lines in there?

BANEZIPEXTS ON
BANEXT EZIP
BANEXT com

I thought you mentioned that BANEXT EZIP was 'undesirable' and
using the first example above was ideal? 

Version i7 is causing the .vir directories and the lines in the
log that indicate Declude could not remove the .vir directory.  Inside
those directories are files called 0.zi and 1.zi   It was my
understanding that i8 fixed this issue with the .vir directory and also
added new features for attacking .bat, .scr, etc.  

I am currently on i7, due to i8 not catching encrypted .zip
files with extensions in my BANEXT listing.  This was tested from the
encoded zip file as well as an eicar.com file zipped and password
protected.  



Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files


 I am not using BANEXT EZIP with i7 nor i8 per your 
 instructions to remove it in place of the new commands:

In that case, i7 will *not* block any encrypted .ZIP files.

BANEZIPEXTS and BANZIPEXTS ON

I used that encoded file to test it under i8 first and it went 
 straight through, that is what tipped me off that something was not
right.

What extension does the attachment in your mail client show?  I'm
thinking that the firewall is mucking things up (if it renames the .ZIP
to .ZI or .ZI_, for example, Declude Virus won't look at it).

I am unsure where to turn as our .vir directories are off the charts.

Unfortunately, this isn't useful information without knowing which
version(s) caused them, and preferably the log file entries for them as
well.  There was an old interim that could cause this, but the latest
should not.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Matt,
I had a space in mine, not a tab.  For what it is worth.

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files

Here's a thought.

Since this is working in some cases and not in others, maybe there is a
syntax bug.

I have the following:

BANEZIPEXTS<tab>ON
BANEXT<tab>EXE
BANEXT<tab>COM
etc.

What if someone had spaces, multiple spaces or multiple tabs?  How about
a space or tab following one of the lines?  Maybe Declude isn't parsing
this correctly from the config file???

I think it's worth a quick look.

Matt






R. Scott Perry wrote:


 I apologize for the flood of emails to you as I know your 
 time is precious.  However, I pulled the following that BANZIPEXTS 
 and BANEZIPEXTS was added in i7:


 Sorry, my mistake.

 I am unsure on the .zip to .zi_ as I have no issues with 
 Declude with versions 1.78i7 and prior.  It was only with i8 that 
 Declude was not seeing the zip with hiding file extensions any
longer.


 Unfortunately, I'm not sure what you are referring to regarding the 
 hiding file extensions.

 Again, it is vital that people be very clear in their posts.  I'm very

 close to turning this into a moderated list until this all blows over.

 What we are looking for is to get as much information about bugs in 
 the new interim as quickly as possible on this list, while at the same

 time minimizing the amount of posts to this list.


-Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail 
 mailservers since 2000.
 Declude Virus: Catches known viruses and is the leader in mailserver 
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.




--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


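The check Scott describes earlier in this thread (BANZIPEXTS/BANEZIPEXTS block a .ZIP only when a member carries a banned extension), combined with Matt's question about spaces versus tabs, as an added Python example that is not Declude's code and not from any poster. The parser, the extension normalisation (modelled on the `Comparing |pi|` log line elsewhere on this page) and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Constructed virus.cfg fragment. Directive names are the ones quoted in the
# thread; the mix of tabs, runs of spaces and trailing blanks is deliberate.
SAMPLE_CFG = (
    "BANEZIPEXTS ON\n"
    "BANZIPEXTS\tON  \n"
    "BANEXT   com\n"
    "BANEXT\tEXE\t\n"
    "BANEXT pi_\n"
)


def normalize_ext(ext):
    """Assumption: compare on letters and digits only, so 'pi_' becomes 'pi'."""
    return re.sub(r"[^0-9a-z]", "", ext.lower())


def parse_cfg(text):
    """Parse directive lines, splitting on any whitespace (tabs or spaces)."""
    settings = {"BANZIPEXTS": False, "BANEZIPEXTS": False}
    banned = set()
    for raw in text.splitlines():
        parts = raw.split()  # ignores leading, trailing and repeated whitespace
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1]
        if key in settings:
            settings[key] = value.upper() == "ON"
        elif key == "BANEXT":
            banned.add(normalize_ext(value))
    return settings, banned


def member_ext(name):
    """Extension of an archive member, normalised the same way as BANEXT values."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return normalize_ext(base.rsplit(".", 1)[1]) if "." in base else ""


def check_zip(data, settings, banned):
    """Return (member, ext, encrypted) for every member that violates policy.

    Only the central directory is read, so no password is needed: member
    names are listed even when the member data is encrypted.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general purpose bit 0
            enabled = settings["BANEZIPEXTS"] if encrypted else settings["BANZIPEXTS"]
            ext = member_ext(info.filename)
            if enabled and ext in banned:
                hits.append((info.filename, ext, encrypted))
    return hits


def build_zip(names, mark_encrypted=False):
    """Constructed sample archive with harmless placeholder members.

    mark_encrypted sets the 'encrypted' flag bit in each header so the archive
    looks password-protected to a directory listing; the data is not encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=(2004, 3, 3, 0, 0, 0))
            zf.writestr(info, b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flag word offset: 6 in a local header, 8 in a central directory header.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    cfg_settings, cfg_banned = parse_cfg(SAMPLE_CFG)
    print(cfg_settings, sorted(cfg_banned))
    print(check_zip(build_zip(["readme.txt", "eicar.com"]), cfg_settings, cfg_banned))
    print(check_zip(build_zip(["happy.pi_"], mark_encrypted=True), cfg_settings, cfg_banned))
```

Traditional ZIP password protection encrypts member data but leaves the file names in the central directory readable, which is why an extension policy can still be applied to archives a scanner cannot open.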


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Matt,
Is yours working with the TAB, I'll try anything?

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files

Here's a thought.

Since this is working in some cases and not in others, maybe there is a
syntax bug.

I have the following:

BANEZIPEXTS<tab>ON
BANEXT<tab>EXE
BANEXT<tab>COM
etc.

What if someone had spaces, multiple spaces or multiple tabs?  How about
a space or tab following one of the lines?  Maybe Declude isn't parsing
this correctly from the config file???

I think it's worth a quick look.

Matt






R. Scott Perry wrote:


 I apologize for the flood of emails to you as I know your 
 time is precious.  However, I pulled the following that BANZIPEXTS 
 and BANEZIPEXTS was added in i7:


 Sorry, my mistake.

 I am unsure on the .zip to .zi_ as I have no issues with 
 Declude with versions 1.78i7 and prior.  It was only with i8 that 
 Declude was not seeing the zip with hiding file extensions any
longer.


 Unfortunately, I'm not sure what you are referring to regarding the 
 hiding file extensions.

 Again, it is vital that people be very clear in their posts.  I'm very

 close to turning this into a moderated list until this all blows over.

 What we are looking for is to get as much information about bugs in 
 the new interim as quickly as possible on this list, while at the same

 time minimizing the amount of posts to this list.


-Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail 
 mailservers since 2000.
 Declude Virus: Catches known viruses and is the leader in mailserver 
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.




--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




[Declude.Virus]

2004-03-03 Thread Keith Johnson

Scott,
Thanks for creating the following tool on your website, is a lot
easier than creating Eicar zip encrypted test files.  

eicardynamicencodedzip

I will be attempting to move to i9 from i7 tonight.  Due to the
volume of viruses today, I just couldn't chance it in full live
production.  I am also going to refresh my virus.cfg file, maybe there
is something in it that is causing i8 and i9 problems.  Thanks again,

Keith


[Declude.Virus] Scan Password Protected Zip's

2004-03-02 Thread Keith Johnson
I know this has been touched on a few times, however, I just needed some
clarification.  I just got a note from CA that informed me that their
engine was unable to scan inside a password protected file.  Will F-prot
do this with the latest defs?  I know that Scott put EZIP in place, many
thanks.  Thanks for the aid.

Keith


RE: [Declude.Virus] Scan Password Protected Zip's

2004-03-02 Thread Keith Johnson
When I upgraded to 1.78i6 and added the BANEXT EZIP line to my virus.cfg
file, all of a sudden I am receiving the following when it encounters
these zips:

WARNING: Couldn't remove .vir directory
F:\IMail\spool\Ddf56c4e7006acd96.vir\: EXTRA FILES THERE.
03/02/2004 14:24:32 Qdf56c4e7006acd96 Likely problem: Your virus scanner
is leaving extra files/directories behind, so Declude can't delete the
directory. 

Any thoughts...

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Tuesday, March 02, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Scan Password Protected Zip's

I know this has been touched on a few times, however, I just needed some
clarification.  I just got a note from CA that informed me that their
engine was unable to scan inside a password protected file.  Will F-prot
do this with the latest defs?  I know that Scott put EZIP in place, many
thanks.  Thanks for the aid.

Keith


RE: [Declude.Virus] Backdoor.Coreflood Virus new variant?

2004-02-02 Thread Keith Johnson
Paul,
I think this was out awhile back...

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.coreflood.html

Keith 

-Original Message-
From: paul [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 24, 2003 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Backdoor.Coreflood Virus new variant?

I've not seen any info about this virus yet, but have an XP system
infected with it. What a mess! It brings the system to a crawl..

Paul


 Does anyone know whether the new variant of the Backdoor.Coreflood is 
 detected with F-Prot?  We have the latest version of virus definitions
 for F-Prot, but one of our users received this virus and it looks like
 it may have come through email.  Has anyone run into the new variant 
 of this virus?
 It looks like it was only started to be detected by Symantec's Virus 
 definitions in yesterday's update and that is the only reason our user 
 initially picked it up.  Does anyone know if this virus even spreads 
 via email?

 Jim Matuska Jr.
 Computer Tech II
 CCNA
 Nez Perce Tribe
 Information Systems
 [EMAIL PROTECTED]




RE: [Declude.Virus] Multi-scanner Question

2004-01-30 Thread Keith Johnson
Scott,
I have had at times, with both scanners (up to date sig files,
both catching mydoom) taking a pounding (we are getting mydoom.a in 1
every second), when Scanner1 (f-prot) would pick up the virus and
Scanner2 (InoculateIT) would not show anything, and at other times
Scanner1 would not pick it up, but Scanner2 would, as well as both
Scanners picking it up.  I figured it was due to the volume we are
receiving on this and the Scanners could not keep up.  

Keith

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 30, 2004 1:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Multi-scanner Question


If they are run in series, then wouldn't it be best to run the next 
scanner only if the previous scanner passed? In other words why scan 
the email again if it already failed one of the scanners?

The logic behind that is that only a small fraction of E-mail contains a
virus.  Since the majority of E-mail has to go through both scanners,
having the viruses go through both doesn't take much extra resources.
The benefit is that you can tell from the log files if both scanners are
detecting viruses, and if one is not able to report the virus/file name,
the information from the other can be used.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.Virus] Offtopic question

2003-12-15 Thread Keith Johnson
It seems that this file may be related to Microsoft's InstallShield
erroring out.  Did you install any 'major' products lately?  

Keith 

-Original Message-
From: Djerr C. de Meijer [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 15, 2003 11:01 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Offtopic question

You all are the only admins I know so lemme ask you. :)

Does anyone have an idea what an iserror.log file is? I have no clue.
These files be in folders with pictures. Go to any search engine, type
iserror.log and hit search. All hits are examples of these files. (big
yay :S)

The only place I saw ppl asking what it was, was at a German forum.
(note that my German is near 0) Yet if I read it correct, no one knew.

So you got any ideas? I know I don't.

D.C.



[Declude.Virus] f-prot question

2003-11-26 Thread Keith Johnson
Does anyone know what the command line string is for scanning your sig file to see if 
it is catching a certain named virus file?  I saw it posted over 6 months ago, 
however, I guess my search isn't picking it up.  Thanks,
 
Keith

RE: [Declude.Virus] Scanning Question

2003-11-12 Thread Keith Johnson

In this case, you can use the per-user settings to turn off virus
scanning completely for the recipient.

Scott,
Is it possible (using per user settings) to simply suspend the
vulnerability scanning, yet still keep the main virus scanning on?  

Thanks again for your time,

Keith

 


FW: [Declude.Virus] Suppressing Notif. to Single Domain

2003-10-29 Thread Keith Johnson
Just wanted to confirm, if I want to suspend virus notifications to all users on a 
single domain that we host, I would do the following:
 
In the appropriate .eml files, add a line:

SKIPIFRECIP @domaintoskip.com

Thanks,
 
Keith

[Declude.Virus] Suppressing Notif. to Single Domain

2003-09-23 Thread Keith Johnson
Is it possible to not send out virus notifications to a specific domain that we host 
within Imail?  For example, if we host 100 domains, and only 1 of the domains says 
they do not care to receive the virus notifies (i.e. recep.eml).  Thanks,
 
Keith

[Declude.Virus] Log File Errors

2003-06-05 Thread Keith Johnson
Scott,
 Today we had a 'horrible' thing happen with our scanner (have two in place 
F-Prot and InoculateIT),  not sure which one had issues: 
 
06/04/2003 14:51:29 Q3ef6000501666762 ERROR: Virus scanner didn't finish after 60 
seconds; terminating.
06/04/2003 14:51:29 Q3ef6000501666762 WARNING: Couldn't remove .vir directory 
C:\IMail\spool\D3ef6000501666762.vir\: SHARING VIOLATION.
06/04/2003 14:51:29 Q3ef6000501666762 Likely problem: An on-access scanner is 
interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:52:45 Q3ef60005015e65fb Error 183 creating temp directory 
C:\IMail\spool\D3ef60005015e65fb.vir\.
06/04/2003 14:52:45 Q3ef60005015e65fb Scanned: Error starting scanner
06/04/2003 14:52:58 Q3ef60005015e65fb Couldn't rename SMD to SM$ [32].  Priority back 
to 32.
06/04/2003 14:54:12 Q3efb000101a07b86 ERROR: Virus scanner didn't finish after 60 
seconds; terminating.
06/04/2003 14:54:12 Q3efb000101a07b86 WARNING: Couldn't remove .vir directory 
C:\IMail\spool\D3efb000101a07b86.vir\: SHARING VIOLATION.
06/04/2003 14:54:12 Q3efb000101a07b86 Likely problem: An on-access scanner is 
interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:54:35 Q3efc0004018a7d8a ERROR: Virus scanner didn't finish after 60 
seconds; terminating.
06/04/2003 14:54:35 Q3efc000101a67e74 ERROR: Virus scanner didn't finish after 60 
seconds; terminating.
06/04/2003 14:54:35 Q3efc0004018a7d8a WARNING: Couldn't remove .vir directory 
C:\IMail\spool\D3efc0004018a7d8a.vir\: SHARING VIOLATION.
06/04/2003 14:54:35 Q3efc000101a67e74 WARNING: Couldn't remove .vir directory 
C:\IMail\spool\D3efc000101a67e74.vir\: SHARING VIOLATION.
06/04/2003 14:54:35 Q3efc0004018a7d8a Likely problem: An on-access scanner is 
interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:54:35 Q3efc000101a67e74 Likely problem: An on-access scanner is 
interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:55:33 Q3efc000101aa80c6 Error 183 creating temp directory 
C:\IMail\spool\D3efc000101aa80c6.vir\.
06/04/2003 14:55:33 Q3efc000101aa80c6 Scanned: Error starting scanner
06/04/2003 14:56:14 Q3efe0002019285e6 Error 183 creating temp directory 
C:\IMail\spool\D3efe0002019285e6.vir\.
06/04/2003 14:56:14 Q3efe0002019285e6 Scanned: Error starting scanner
06/04/2003 14:56:49 Q3f07000101d8abdd ERROR: Virus scanner didn't finish after 60 
seconds; terminating.
06/04/2003 14:56:49 Q3f07000101d8abdd WARNING: Couldn't remove .vir directory 
C:\IMail\spool\D3f07000101d8abdd.vir\: SHARING VIOLATION.
06/04/2003 14:56:49 Q3f07000101d8abdd Likely problem: An on-access scanner is 
interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2003 14:57:02 Q3efe0002019285e6 Couldn't rename SMD to SM$ [32].  Priority back 
to 32.
06/04/2003 14:57:04 Q3ef60006016a67b0 Error 183 creating temp directory 
C:\IMail\spool\D3ef60006016a67b0.vir\.
06/04/2003 14:57:04 Q3ef60006016a67b0 Scanned: Error starting scanner
06/04/2003 14:57:28 Q3ef60006016a67b0 Couldn't rename SMD to SM$ [32].  Priority back 
to 32.
 
This took our server to a crawl as it couldn't scan emails, there was 30 min. of 
living he.. there.  When I checked the spool folder we were in overflow due to the 
backup of the virus scanning.  We are also still continuing to receive a ton of these 
in my logs:
 
06/04/2003 08:45:39 Qe9ec092201523842 No filename in disp Content-Disposition: 
attachment.
06/04/2003 08:45:39 Qe9ec092201523842 No filename in disp Content-Disposition: 
attachment.
06/04/2003 08:53:52 Qebde168600f8d098 No filename in disp Content-Disposition: 
attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: 
attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: 
attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: 
attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: 
attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: 
attachment.
06/04/2003 08:55:12 Qec2d09cf0056085d No filename in disp Content-Disposition: 
attachment.
 
We are running 1.69beta.  Should I have logging turned up higher than LOW?  Also, if I 
have issues with the scanners, what should be the sequence to aid in the problem 
above.  We simply had to reboot the machine (I removed the .vir directories) so that 
viruses would not be allowed to pass.  Within 10 min. of the reboot all returned to a 
normal operation.  During the 30 min. the scanners were reporting errors, we had lots 
of Declude.exe processes running and smtp32.exe processes running.  Any aid would be 
helpful, thanks.
 
Keith 

RE: [Declude.Virus] Log File Errors

2003-06-05 Thread Keith Johnson
Does the new beta 1.70 with interims address the issues of the No filename in disp
Content-Disposition: attachment? 

Should I be running it (i.e. more stable) than the 1.69beta?  Is the 60sec delay on 
timeout for scanning pretty normal, or should I be setting that to less.  My only 
concern is large attachment scanning.  

Thanks again for being a sounding board.

Keith Johnson


-Original Message- 
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Wed 6/4/2003 6:31 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Declude.Virus] Log File Errors




  Today we had a 'horrible' thing happen with our scanner (have two
 in place F-Prot and InoculateIT),  not sure which one had issues:

06/04/2003 14:51:29 Q3ef6000501666762 ERROR: Virus scanner didn't finish
after 60 seconds; terminating.

This is the problem -- one of the virus scanners was getting stuck, and
not finishing its scanning (which also indirectly caused further problems,
such as the sharing violation).

This took our server to a crawl as it couldn't scan emails, there was 30
min. of living he.. there.  When I checked the spool folder we were in
overflow due to the backup of the virus scanning.  We are also still
continuing to receive a ton of these in my logs:

06/04/2003 08:45:39 Qe9ec092201523842 No filename in disp
Content-Disposition: attachment.

Searching through viruses we've received, we found a W32/[EMAIL PROTECTED] that
could cause this unusual warning.  It should not normally appear for
legitimate E-mails, however.

Also, if I have issues with the scanners, what should be the sequence to
aid in the problem above.

The key here would be to find out which of the two scanners wasn't
finishing, and fix it.  However, that may be difficult to do.  The next
release of Declude Virus will log which scanner didn't finish.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
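
The failure signatures quoted in this thread can be watched for automatically. The following is an added example, not part of the original messages and not Declude's own code: it classifies log lines by the message fragments shown above, lists the queue IDs whose scan did not complete, and flags a burst of scanner timeouts. The category names, the 5-minute window, the threshold of 3 and the reading of these entries as "scan incomplete" are assumptions of the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Layout seen in the thread: date, time, queue ID ("Q" + hex digits), message text.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-fA-F]+) (.*)$")

# Message fragments quoted in the thread; the category names are this example's own.
RULES = [
    ("scanner_timeout", re.compile(r"ERROR: Virus scanner didn't finish after \d+ seconds")),
    ("scanner_not_started", re.compile(r"Scanned: Error starting scanner")),
    ("scanner_error", re.compile(r"Scanned: Error in virus scanner")),
    ("tempdir_collision", re.compile(r"Error 183 creating temp directory")),
    ("cleanup_failed", re.compile(r"WARNING: Couldn't remove \.vir directory")),
    ("nameless_attachment", re.compile(r"No filename in disp")),
]

# Assumption of this example: these categories mean the message was not fully scanned.
SCAN_INCOMPLETE = {"scanner_timeout", "scanner_not_started", "scanner_error"}

# Lines copied from the excerpts in the thread, unwrapped to one line each.
SAMPLE_LOG = r"""
06/04/2003 14:51:29 Q3ef6000501666762 ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 14:51:29 Q3ef6000501666762 WARNING: Couldn't remove .vir directory C:\IMail\spool\D3ef6000501666762.vir\: SHARING VIOLATION.
06/04/2003 14:52:45 Q3ef60005015e65fb Error 183 creating temp directory C:\IMail\spool\D3ef60005015e65fb.vir\.
06/04/2003 14:52:45 Q3ef60005015e65fb Scanned: Error starting scanner
06/04/2003 14:54:12 Q3efb000101a07b86 ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 14:54:35 Q3efc0004018a7d8a ERROR: Virus scanner didn't finish after 60 seconds; terminating.
06/04/2003 08:45:39 Qe9ec092201523842 No filename in disp Content-Disposition: attachment.
05/29/2003 06:26:42 Qe05301090146bcae Scanned: Error in virus scanner. [Prescan OK][MIME: 2 27178]
"""


def parse(lines):
    """Yield (timestamp, queue_id, category) for each line that matches a rule."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, wrapped continuations, anything without a queue ID
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        for category, pattern in RULES:
            if pattern.search(m.group(3)):
                yield ts, m.group(2), category
                break


def triage(lines, window=timedelta(minutes=5), threshold=3):
    """Summarise scanner failures and report the first burst of timeouts, if any."""
    counts = Counter()
    incomplete = defaultdict(set)  # queue ID -> failure categories seen for it
    timeouts = []
    for ts, qid, category in parse(lines):
        counts[category] += 1
        if category in SCAN_INCOMPLETE:
            incomplete[qid].add(category)
        if category == "scanner_timeout":
            timeouts.append(ts)

    # Sliding window over sorted timeout timestamps.
    timeouts.sort()
    burst_at, start = None, 0
    for end, ts in enumerate(timeouts):
        while ts - timeouts[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            burst_at = ts
            break

    return {
        "counts": dict(counts),
        "scan_incomplete": {q: sorted(c) for q, c in incomplete.items()},
        "timeout_burst_at": burst_at,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print(report["counts"])
    for qid, reasons in report["scan_incomplete"].items():
        print(qid, ",".join(reasons))
    print("timeout burst at:", report["timeout_burst_at"])
```

Queue IDs in `scan_incomplete` are the messages to re-check or hold, and a non-empty `timeout_burst_at` is the point at which the spool backlog described above would start to build.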


[Declude.Virus] Log File

2003-06-04 Thread Keith Johnson
We have started to get numerous of these in our log file, do you know what these may 
be.
 
06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:07:09 Q4b9f09b40106db1d No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:07:09 Q4b9f09b40106db1d No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:07:09 Q4b9f09b40106db1d No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:07:18 Q4bfe09b401064e73 No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:07:18 Q4bfe09b401064e73 No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:09:57 Q4ca209d80106cea6 No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:09:57 Q4ca209d80106cea6 No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:09:57 Q4ca209d80106cea6 No filename in disp Content-Disposition: 
attachment.
06/02/2003 09:09:57 Q4ca209d80106cea6 No filename in disp Content-Disposition: 
attachment.
 
Thanks for any aid.

RE: [Declude.Virus] Log File

2003-06-04 Thread Keith Johnson
Scott,
We have had a lot of viruses get through today (new Backdoor
AVF), seems McAfee is the only one that has it available (sig file).
Luckily we already alter .exe files so that they can't be executed.  Should I
be concerned with these Content-Disposition, I just started to see a lot
(100's a day) of these the last few days.  I am running 1.69beta.
Thanks again for the aid.

Keith

 -Original Message-
 From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, June 03, 2003 4:25 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Log File
 
 
 
 We have started to get numerous of these in our log file, do 
 you know 
 what
 these may be.
 
 06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp
 Content-Disposition: attachment.
 
 That's quite unusual -- it indicates that the E-mail has an 
 attachment, but 
 no name was given to it.
 
 Technically, the filename isn't required -- but I have no 
 idea how a mail 
 client would handle the attachment if it had no name.
 
 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail 
 mailservers. Declude Virus: Catches known viruses and is the 
 leader in mailserver 
 vulnerability detection.
 Find out what you have been missing: Ask for a free 30-day evaluation.
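
The condition behind the "No filename in disp Content-Disposition: attachment" log entry can be reproduced and detected with a MIME parser. The following is an added example, not part of the original messages and not Declude's code: it builds a constructed message with one named and one unnamed attachment, then reports every part marked as an attachment that carries no filename. Because an extension-based rule has no name to match on such a part, the example also reports the payload's leading bytes; that check and the addresses used are assumptions of the example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Leading bytes of two well-known file formats; a short table for this example only.
MAGIC = {b"MZ": "Windows executable", b"PK\x03\x04": "ZIP archive"}

# Constructed payload: a ZIP signature followed by filler, not a real archive.
SAMPLE_BYTES = b"PK\x03\x04" + b"constructed sample bytes"


def build_sample():
    """Return a constructed multipart message with a named and an unnamed attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("Body text.")
    msg.add_attachment(b"plain notes", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    # No filename argument: the part gets a bare "Content-Disposition: attachment".
    msg.add_attachment(SAMPLE_BYTES, maintype="application", subtype="octet-stream")
    return msg.as_string()


def sniff(payload):
    """Classify a payload by its leading bytes, independent of any declared name."""
    for magic, label in MAGIC.items():
        if payload.startswith(magic):
            return label
    return "unknown"


def nameless_attachments(raw_message):
    """List attachment parts that have neither a filename= nor a name= parameter."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        if part.get_content_disposition() != "attachment":
            continue
        # get_filename() checks Content-Disposition filename=, then Content-Type name=.
        if part.get_filename():
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "part": index,
            "content_type": part.get_content_type(),
            "size": len(payload),
            "looks_like": sniff(payload),
        })
    return findings


if __name__ == "__main__":
    for finding in nameless_attachments(build_sample()):
        print(finding)
```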
 


RE: [Declude.Virus] Error in Virus Scanner

2003-05-30 Thread Keith Johnson
Are there any other entries for the E-mail?  
 
Here is a list of two in a row:
 
05/29/2003 06:26:39 Qe05301090146bcae Could not find parse string Infection: in 
report.txt
05/29/2003 06:26:42 Qe05301090146bcae Error 0 in virus scanner.
05/29/2003 06:26:42 Qe05301090146bcae Scanned: Error in virus scanner. [Prescan 
OK][MIME: 2 27178]
05/29/2003 06:26:54 Qe06201100146f552 Could not find parse string Infection: in 
report.txt
05/29/2003 06:26:57 Qe06201100146f552 Error 0 in virus scanner.
05/29/2003 06:26:57 Qe06201100146f552 Scanned: Error in virus scanner. [Prescan 
OK][MIME: 2 26947]
 
 
Do you know what version you
were running before?  That Error 0 in virus scanner should only occur
along with other log file entries.

I was running 1.67beta.  I upgraded on May 26th and since then I am receiving about 
100 or so a day with the above error, prior to that all logs are clean of error 0.  
Thanks for the aid.

Keith

RE: [Declude.Virus] Error in Virus Scanner

2003-05-30 Thread Keith Johnson

Are you using two or more virus scanners?  
 
Yes, I am using F-prot 3.13a as my 1st scanner and InoculateIT 6.0 SP2 as my 2nd 
scanner
 
There does appear to be an issue
with 1.70 where this message will appear in the log file if one or more
scanners report an error, but the last one does not.  This will be fixed in
the next release (an interim release can be made available immediately if
necessary).
 
Does this affect the 1.69beta as well?  I am afraid since I am getting a 100 or so a 
day that viruses/vuln are slipping thru due to this error 0.  Is there anything I can 
do to fix this issue?  Thanks for your help.

Keith


[Declude.Virus] Error in Virus Scanner

2003-05-29 Thread Keith Johnson
Does anyone know what this means (use Declude Virus Pro / F-prot 3.13a / Win2K SP3)
 
05/28/2003 22:29:57 Q709502a6010c3baf Error 0 in virus scanner.
05/28/2003 22:29:57 Q709502a6010c3baf Scanned: Error in virus scanner. [Prescan 
OK][MIME: 2 27056]
 
I have started to see several of these since upgrading to 1.69beta, thanks for the aid.
 
Keith Johnson
 

[Declude.Virus] Log Question

2003-02-19 Thread Keith Johnson

Scott,

 What level logging will show the emails being sent out for virus notifications. We are still experiencing an issue with two or more people needing to be notified, in our case, only one is receiving the email (postmaster.eml). Thanks for the aid.

___


Keith Johnson, MCP

Network Engineer

Network Advocates, Inc.

Tel: 502.412.1050

Fax: 502.412.1058

Email: [EMAIL PROTECTED]


Good pings come in small packets






[Declude.Virus] Efficiency

2002-12-22 Thread Keith Johnson
Scott,
  During the initial setup of Declude Virus we copied down the virus_domain.txt 
and the virus_users.txt file and placed them in the Declude directory.  Since then, by 
default, we are scanning all incoming/outgoing email for all domains.  Is it more 
efficient (hence faster scans) for Declude to have those files there or not have them 
there or does it really make no difference, since we are scanning all domains and all 
users.  Thanks for the aid.


[Declude.Virus] Monitoring of Declude Virus

2002-12-20 Thread Keith Johnson

I have downloaded and installed/tested the Virus Log Analyzer to take a look at what is being caught in the way of viruses. However, I wanted to see what others are using to 'real' time monitor the virus logs. Outside of using WinTail to watch the log files, I didn't know if others are using some program to query activity within the logs, i.e. scanner failures, and other such events. Since we virtual host email for our customers, I needed to ensure that it is always running properly. Thanks for any suggestions.

-Keith





[Declude.Virus] Issues running the fpcmd.exe scanner

2002-12-20 Thread Keith Johnson

Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing the f-prot.exe works great, reports in the log just fine, and sends out the notifications emails. If I use the fpcmd file, the file gets seen, however nothing is done with it and the original email gets sent on its way. I set the log to DEBUG for this test and below is my trace, any aid would be greatly appreciated. This test used the eicar2.zip test file from www.eicar.com and sent locally using Outlook Express. 

12/20/2002 12:59:44 Q5a90002f0078444b Declude Virus Pro Registered
12/20/2002 12:59:44 Q5a90002f0078444b Starting locality check
12/20/2002 12:59:44 Q5a90002f0078444b CL Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains
12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] [0] is local domain1
12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] [0] is local main domain
12/20/2002 12:59:44 Q5a90002f0078444b Local host = ntad.com
12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] Offset=9 Flags=1
12/20/2002 12:59:44 Q5a90002f0078444b Msgid: 000901c2a851$93ec27e0$[EMAIL PROTECTED]
12/20/2002 12:59:44 Q5a90002f0078444b Subject: testing virus10
12/20/2002 12:59:44 Q5a90002f0078444b C:\IMail\spool\Q5a90002f0078444b.SMD
12/20/2002 12:59:44 Q5a90002f0078444b Starting virus scanning section...
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER=0
12/20/2002 12:59:44 Q5a90002f0078444b Exclude Default=1
12/20/2002 12:59:44 Q5a90002f0078444b Exclude Domain=0
12/20/2002 12:59:44 Q5a90002f0078444b Exclude peruser=-1
12/20/2002 12:59:44 Q5a90002f0078444b DoAv( C:\IMail\spool\D5a90002f0078444b.SMD );
12/20/2002 12:59:44 Q5a90002f0078444b avtempdir=C:\IMail\spool
12/20/2002 12:59:44 Q5a90002f0078444b Temp dir set to: C:\IMail\spool\D5a90002f0078444b.vir\
12/20/2002 12:59:44 Q5a90002f0078444b fp=444d40
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: multipart/mixed;boundary==_NextPart_000_0
12/20/2002 12:59:44 Q5a90002f0078444b Got boundary; =--=_NextPart_000_0005_01C2A827.AB057E10.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=multipart/mixed NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 0 (3-0-).
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: multipart/alternative;boundary==_NextPart
12/20/2002 12:59:44 Q5a90002f0078444b Got boundary; =--=_NextPart_001_0006_01C2A827.AB057E10.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=multipart/alternative NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 0 (3-0-).
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: text/plain;charset=iso-8859-1
12/20/2002 12:59:44 Q5a90002f0078444b Got Encoding quoted-printable.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=text/plain NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b !ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Handling a MIME segment [Boundary=--=_NextPart_001_0006_01C2A827.AB057E10].
12/20/2002 12:59:44 Q5a90002f0078444b Encoding type: quoted-printable [1/]
12/20/2002 12:59:44 Q5a90002f0078444b Starting BASE64
12/20/2002 12:59:44 Q5a90002f0078444b Hit new boundary (fseek)
12/20/2002 12:59:44 Q5a90002f0078444b curpos=920
12/20/2002 12:59:44 Q5a90002f0078444b Deleting (1) plaintext segment C:\IMail\spool\D5a90002f0078444b.vir\0..
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER--
12/20/2002 12:59:44 Q5a90002f0078444b Done Recursing...
12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 1 (3-0-).
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: text/html;charset=iso-8859-1
12/20/2002 12:59:44 Q5a90002f0078444b Got Encoding quoted-printable.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=text/html NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b !ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Handling a MIME segment [Boundary=--=_NextPart_001_0006_01C2A827.AB057E10].
12/20/2002 12:59:44 Q5a90002f0078444b Encoding type: quoted-printable [1/htm]
12/20/2002 12:59:44 Q5a90002f0078444b Starting BASE64
12/20/2002 12:59:44 

RE: [Declude.Virus] Issues running the fpcmd.exe scanner

2002-12-20 Thread Keith Johnson
Reading some of the archives suggested that if using F-Prot it was best to
use the fpcmd.exe over the f-prot.exe due to some errors encountered with
using f-prot.exe


  12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt C:\IMail\spool\D5A900~1.VIR\

The problem is that you need to remove the /NOFLOPPY from the SCANFILE
line in your \IMail\Declude\virus.cfg file.  F-Prot.exe requires this, but
fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is
there.
 -Scott



RE: [Declude.Virus] Issues running the fpcmd.exe scanner

2002-12-20 Thread Keith Johnson
Scott,
Thank you for your wisdom, you are awesome.

-Keith

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 20, 2002 2:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Issues running the fpcmd.exe scanner



Reading some of the archives suggested that if using F-Prot it was best to
use the fpcmd.exe over the f-prot.exe due to some errors encountered with
using f-prot.exe


  12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt C:\IMail\spool\D5A900~1.VIR\

The problem is that you need to remove the /NOFLOPPY from the SCANFILE
line in your \IMail\Declude\virus.cfg file.  F-Prot.exe requires this, but
fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is
there.
 -Scott




[Declude.Virus] Treatment of double layered extension files

2002-12-19 Thread Keith Johnson
Scott,

 I saw a thread discussion a few weeks ago that talked about the 'catching' of double layered extension files (i.e. file.shs.txt); however, I couldn't find it in the archive. I wanted to see if these indeed get caught as banext (i.e. shs), as I think this may be a dull point if they contain a virus as the scanner should catch it and thus tip Declude to quarantine it; however, my thoughts were if it was not a virus file. Thanks for the info.

___

Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]

Good pings come in small packets


[Declude.Virus] Customized Footer for domain

2002-12-19 Thread Keith Johnson
Scott,

 Thanks for the aid on the other question. We currently have the virus footer disabled, but I have one client who would like a footer added to his email that it was scanned for viruses. Is there a way to do this except globally in the virus.cfg file? Again, thank you.

___

Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]

Good pings come in small packets


RE: [Declude.Virus] bogus files.....

2002-12-19 Thread Keith Johnson
I got this same bogus file showing up in the log (MID) when I sent the eicar virus (zipped format) off the eicar.com website to our server.

Keith

-Original Message- 
From: John Tolmachoff [mailto:[EMAIL PROTECTED]] 
Sent: Thu 12/19/2002 7:14 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] bogus files.



   That log file entry is part of an experimental system in Declude Virus
   designed to find files that aren't what they claim to be (for example, if
   someone renamed an .exe file to a .jpg extension).  However, I believe
   there was a recent beta that would falsely detect these bogus files.  In
   any case, the only damage is the extra log file entries.

 Ok, that's what I figured it had to be, as it appeared no actions are taken.
 Is that planned for a later release? If the attachment is bogus to
 hold/warn/delete?

 That's planned for a future release.  We haven't decided yet how the
 E-mails would be handled (HOLD/WARN/DELETE sound like they would be good
 options).

Hold with postmaster and possible recipient notification sounds good.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com
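
The kind of check the quoted reply describes (a file whose content is not what its extension claims, such as an .exe renamed to .jpg), as an added example that is not part of the thread and not Declude's code. The signature table, function names and sample bytes are assumptions made for illustration; inputs outside the tables return "unknown" so the check stays quiet rather than raising the false detections mentioned above.

```python
import ntpath

# Leading "magic" bytes for a few common formats (general file-format facts).
MAGIC = [
    (b"MZ", "exe"),                 # DOS/Windows executable
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]

# Content type each claimed extension should carry.
EXPECTED = {
    "exe": "exe", "dll": "exe", "scr": "exe",
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
    "zip": "zip", "pdf": "pdf",
}


def sniff(data):
    """Return the content type implied by the leading bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def check_attachment(filename, data):
    """Return (verdict, claimed, detected); verdict is 'ok', 'bogus' or 'unknown'."""
    ext = ntpath.splitext(filename)[1].lstrip(".").lower()
    claimed = EXPECTED.get(ext)
    detected = sniff(data)
    if detected == "exe" and claimed != "exe":
        # Executable content under any non-executable name is always flagged.
        return ("bogus", claimed, detected)
    if claimed is None or detected is None:
        # Extension or content not in the tables: no opinion, no false alarm.
        return ("unknown", claimed, detected)
    return ("ok" if claimed == detected else "bogus", claimed, detected)


if __name__ == "__main__":
    # Constructed sample attachments (name, leading bytes).
    samples = [
        ("holiday.jpg", b"MZ\x90\x00" + b"\x00" * 60),
        ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("notes.txt", b"plain text"),
    ]
    for name, blob in samples:
        print(name, check_attachment(name, blob))
```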




[Declude.Virus] Scanning Process

2002-12-16 Thread Keith Johnson
We are testing two virus scanners with Declude Pro and wanted to confirm our thoughts. Is it true that the scanners scan the file first, whether you have one, two, or five and then once done, the action on the virus is taken (i.e. quarantined)?

___

Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]

Good pings come in small packets


[Declude.Virus] Problems with catching Virus

2002-12-10 Thread Keith Johnson
Scott,

 We are in the testing phase of deploying the antivirus across our Imail server, thus we are using the virus domains file to limit testing to a few domains. We are using the Computer Associates InoculateIT 6.0 engine to scan for viruses. Our scanner reads:

C:\Progra~1\CA\Common\ScanEn~1\inocmd32.exe /ARC /LIS:report.txt


 To test this, we simply copied down the EICAR test virus into a directory on the local machine (Imail Server w/Declude). I ran the command line above to test the virus to ensure it would detect it and it did (no on-access scanning is running, has been disabled). I opened up the Imail Client on the default domain and emailed my username on my domain (which is included in the virus domains file as ON). I received the email and the virus attached to the email. Once I popped it off the Imail Server, my onboard Antivirus caught it. I checked the virxx.log file and it showed it was scanned as OK. Is there anything else I can check to see what is going on? I could increase the logging to DEBUG from MID. Thanks for the aid.

___

Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]

Good pings come in small packets


[Declude.Virus] Spoofing Connecting IP Address

2002-12-09 Thread Keith Johnson
Just wanted to gain some additional knowledge from the forum on the following. With the Klez virus (among others), it is widely known that the from address will most likely be spoofed. However, if you look at the full header, do Klez and the like also attempt to spoof the IP address from which the request originated to your (my) server? For example, some headers list Received from 'server name' (IP address) by domain.name with SMTP ID  for email.address on Date. Does Klez spoof the server name and IP address from the originator? Thank you for your aid and knowledge!!

___

Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]

Good pings come in small packets


[Declude.Virus] Virus Scanning Question

2002-12-06 Thread Keith Johnson
According to the Virus Manual (Declude) it lists the following:

(for outgoing web messaging E-mails, you can have an on-access scanner scanning only the \IMail\spool\ directory).

I was wondering how others were handling your users' outgoing email sent out your server (scanning wise). Thanks for the aid...


___

Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]

Good pings come in small packets


[Declude.Virus] Is this safely ignored...

2002-12-06 Thread Keith Johnson
In the virxxx.log, I found this error. Can this be safely ignored? 

Warning: EOF in middle of MIME segment [] [---



___

Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]

Good pings come in small packets


RE: [Declude.Virus] Opinion on Virus Scanner

2002-12-03 Thread Keith Johnson
John,
Thank you for the info.  With the DOS version, how are you getting
your auto sig updates and on what interval can you obtain these?


-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 03, 2002 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Opinion on Virus Scanner


F-Prot seems to be the flavor.  Do you guys run (under Windows 2000
Server) the DOS version, Windows version or the F-Secure version.

Windows 2000 Server using F-Prot DOS version.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com

