RE: [Declude.Virus] ClamAV

2010-04-29 Thread Nick Hayer
Thanks Michael for the effort to 'splain! I appreciated it.  Make sure you are 
using the sanesecurity sigs as well as the MSRBL's

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm







From: Michael Cummins mich...@i-magery.com
Sent: Thursday, April 29, 2010 3:02 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV



In case this is helpful for someone else that isn't so great
at rolling their own Clams from the source code:
 
First, I installed ClamAID using the default options.  (SmarterMail
/ Declude install for me)
 
http://www.armresearch.com/tools/arm/clamAID.jsp
 
This installs Clam 0.92, wraps it up as a service, wraps up
FreshClam as a service and gets everything pointed and configured for Declude
to use.  It includes pthreadVC2.dll, but I don't know if it uses it once we
replace the files here in a bit, because...
 
...when FreshClam goes to update the DB, it mangles the DB and dies,
because version 0.92 isn't supported anymore.
 
Immediately after installing ClamAID I stopped the ClamAVSvc
and FreshClam services and I commented out the lines it added in virus.cfg so I
could get it all running properly again.
 
I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and
extracted the files to a folder.  I grabbed all the .exe and .dll files and
replaced the old ones in \Program Files\Clam AV.  I edited \conf\clamd.conf and
commented out the deprecated MailFollowURLs on line 226.  I deleted the files
in \data\ and created a \db\.  I set the log levels in clamd.conf and
freshclam.conf to high so I could see things chugging along until I was
comfortable.  I hard set the database to \db\ in the conf files, and set
verbose logging.
 
I cranked up the services, and watched FreshClam download
new profiles to \db\.
 
Once the db was downloaded, I tested Clam from the command
prompt as described on the armresearch page, and everything looked like it was
working fine.
 
I uncommented the lines in Declude, restarted Declude, and
watched it all start humming.
 
Now I am just keeping an eye on things, and waiting for Clam
to catch a virus.
 
-- Michael Cummins
 
 
 


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

2009-06-03 Thread Nick Hayer
David -

At times like this it's OK to sign these emails: David your pinata Barker :)

-Nick


From: David Barker dbar...@declude.com
Sent: Wednesday, June 03, 2009 4:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? 









Nice. Thank you for your feedback Markus.

> MANY if not most of all Declude users has initially chosen the Swiss army
> knife as their tool who they can customize, enhance and integrate in
> their FULLY email filter system.

This is true from the past and for many older Declude customers, but the
market has changed over the years - there are not enough people looking for
the Swiss army knife approach anymore. With managed services, hardware
appliances etc. anti-spam and AV is a cost center for most ISP's and they
would rather not have to deal with it at all. IMail themselves started losing
market share for the same reasons which had a direct impact on the Declude
business. So what was is no more.

> evolution and new functionality in order to be able to stay ahead or at
> least near on top of the market leaders.

Agreed, but also take into account the changing Mail systems, we support both
IMail and Smartermail, specifically supporting Smartermail as they were
growing while IMail was shrinking. Every time a new release of IMail or
Smartermail comes out something inevitably changes meaning we have to deal
with the MUST do's rather than innovation. Again to combat this we just need
additional developer/s so that we can dedicate one to maintenance and the
other/s to innovation. To do this we need $ and that cost will always be
carried over to you the customer, which I have done my utmost best to avoid.

> noted the active community who has definitively helped to let Declude
> become what it is/was isn't there anymore.

Yes that community was (and what is left) is extremely helpful and useful.

> All this isn't there anymore. Why? Because people who was ready to
> contribute hasn't received back what they want and need: If such people has
> asked for a new feature even if it was a little piece of thing the maximum
> to hear was that it will be placed on a long list of planned to-do's.

Depending on when this was and who was making the Declude decisions at the
time. But if I should speak for myself. I realize I can't make everyone
happy it's part of my job. Here is a case in point, let's use this
scenario.

1. AVG fails
2. IMail release version 11 which is incompatible with Declude

If I choose to fix AVG first - IMail users scream
If I choose to fix IMail first - All users scream

So in this instance best decision is to let IMail users complain. Either way
Declude in one group of people is going to be the company that is not doing
enough for its customers. This is not really true but rather the perception.

> In the case you hasn't discovered it yet, from the begin of April on there
> was a big increase of spam activity

This information is very useful and this is why the lists exist if we can
share information we have a community that benefits.

> If there would be really someone taking technical care of this product he
> has should put more than one eye in the past 2 months in order to keep this
> product at least near to other spam filtering products. The cow was milked
> and milked and milked and does urgently need now some fresh grass, water
> and maybe also a new clean stable.

The only thing that would change this current situation is revenues which
means price increase. (Maybe it is time?)

David

 





From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gufler Markus | Limitis
Sent: Wednesday, June 03, 2009 3:26 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Sensitivity: Personal

Hi David,

I'm observing not only this AVG issue but many different things in the past
4 years (while paying SA fee's). Your price is not that much that other
Spamfilter vendors ask for but keep in mind that MANY if not most of all
Declude users has initially chosen the Swiss army knife as their tool who
they can customize, enhance and integrate in their FULLY email filter system.

Maybe we could start a long and never ending thread if Declude should be a
flexible tool or a complete suite for customers, but in any case both type of
customers would need definitively one thing, and this is evolution and new
functionality in order to be able to stay ahead or at least near on top of
the market leaders. At the moment Declude stand-alone without additional
external tests, additional external AV-engines and additional pre-filtering
gateways like Alligate, IMHO is not a full, secure and reliable solution. Its
still an important piece but as you maybe has also noted the active community
who has definitively helped to let Declude become what it is/was isn't
there anymore

[Declude.Virus] [Fwd: [clamav-announce] ClamAV/SOSDG 0.90.2-1 has been released! (Security Fix)]

2007-04-13 Thread Nick Hayer

fyi -

 Original Message 
Subject: 	[clamav-announce] ClamAV/SOSDG 0.90.2-1 has been released! 
(Security Fix)

Date:   Fri, 13 Apr 2007 17:05:54 -0400
From:   Brie Bruns [EMAIL PROTECTED]
Organization:   The Summit Open Source Development Group
To: [EMAIL PROTECTED]



Hello all,


I've released ClamAV/SOSDG 0.90.2-1 today, in response to notification
of a security issue with the older 0.90.1-4 version.  You can find more
info about the security issue here:

http://secunia.com/advisories/24891/

In the meantime, you can download 0.90.2-1 from our website, or directly at:

http://code.google.com/p/clamav-sosdg/

Please let me know of any issues!

--
Brie Bruns
The Summit Open Source Development Group
http://www.sosdg.org






[Declude.Virus] [Fwd: [clamav-announce] ClamAV/SOSDG For Windows 0.90.1-3 Is Now Available]

2007-03-15 Thread Nick Hayer

fyi -

 Original Message 
Subject: 	[clamav-announce] ClamAV/SOSDG For Windows 0.90.1-3 Is Now 
Available

Date:   Wed, 14 Mar 2007 16:02:48 -0400
From:   Bri Bruns [EMAIL PROTECTED]
To: [EMAIL PROTECTED]



Hello all,

With help from various people, I've got a new build of ClamAV/SOSDG For 
Windows 0.90.1 available - release 3 fixes bugs in -1 and -2 that people 
reported.  I believe the problem was relating to fixes once needed in 
pre-0.90.1 versions of ClamAV.


http://www.sosdg.org/clamav-win32/

Direct download:
http://www.sosdg.org/clamav-win32/clamav-devel.exe

Once again, thanks to everyone who provided feedback.

--
Bri Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org 



___
ClamAV For Windows Announcement Mailing List
http://lists.sosdg.org/mailman/listinfo/clamav-announce






Re: [Declude.Virus] ClamAV 0.90.1-2 problems

2007-03-13 Thread Nick Hayer
Exit code of 2 means ClamAV had an error - Is clamd running? will 
clamdscan.exe file to be scanned work? eg no parameters?


-Nick

Gary Steiner wrote:

Ever since I upgraded to ClamAV 0.90.1-2 (the SOSDG windows port), I've been 
unable to get it to work.  The Declude log files show an error like this:

03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 Checksum=38095]
03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]


If I try to run it from the command line using the parameters from my virus.cfg 
file, I get the following:

C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt 62376245.eml

/cygdrive/c/clamav-devel/bin/clamdscan: unrecognized option `--mbox'
ERROR: Unknown option passed.
ERROR: Can't parse the command line


Anyone else seeing anything like this?  Did something change in 0.90 to make 
these parameters invalid?

Thanks,

Gary Steiner
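
The exit-code pattern in the log above, as an added example that is not part of the original thread: a Python script that reads Declude virus-log lines in the format Gary posted and lists the messages for which the ClamAV scanner slot ended in exit code 2 (an error, per Nick's reply), so ClamAV produced no verdict for that mail. The scanner slot number, the function names and the second sample message are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Return codes documented for clamscan/clamdscan.
CLAMAV_EXIT = {0: "clean", 1: "virus found", 2: "scanner error"}

# Declude log line: "MM/DD/YYYY HH:MM:SS.mmm <message id> <text>"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$")
EXIT_RE = re.compile(r"^Virus scanner (\d+) reports exit code of (\d+)$")

# Message 62376245: lines from the post above, wrapped lines rejoined.
# Message 62376299: constructed for contrast (ClamAV reports a detection).
SAMPLE_LOG = r"""
03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 Checksum=38095]
03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]
03/12/2007 19:18:02.101 62376299 Virus scanner 1 reports exit code of 1
"""


def parse(log_text):
    """Yield (timestamp, message_id, text) for each well-formed log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()


def summarize(log_text):
    """Group scanner exit codes and missing-report events by message id."""
    msgs = {}
    for _ts, msgid, text in parse(log_text):
        rec = msgs.setdefault(
            msgid, {"codes": defaultdict(list), "report_missing": False}
        )
        m = EXIT_RE.match(text)
        if m:
            rec["codes"][int(m.group(1))].append(int(m.group(2)))
        elif text.startswith("Could not find report file"):
            rec["report_missing"] = True
    return msgs


def clamav_verdict(codes):
    """Collapse one scanner slot's attempts into a verdict (last attempt decides)."""
    if not codes:
        return "not run"
    last = codes[-1]
    return CLAMAV_EXIT.get(last, f"unknown exit code {last}")


def unscanned_by_clamav(log_text, clamav_scanner=1):
    """List messages where the ClamAV slot ended in an error.

    clamav_scanner is the slot number ClamAV occupies in virus.cfg
    (assumed to be 1 here, as in the posted log).
    """
    findings = []
    for msgid, rec in summarize(log_text).items():
        codes = rec["codes"].get(clamav_scanner, [])
        if clamav_verdict(codes) != CLAMAV_EXIT[2]:
            continue
        findings.append({
            "msgid": msgid,
            "attempts": len(codes),  # the log above shows repeated attempts
            "report_missing": rec["report_missing"],
            "other_scanners": {
                n: list(c) for n, c in rec["codes"].items() if n != clamav_scanner
            },
        })
    return findings


if __name__ == "__main__":
    for f in unscanned_by_clamav(SAMPLE_LOG):
        print(f)
```

Run over a day's log, a non-empty result means mail passed through without a ClamAV verdict, which is worth alerting on rather than discovering later from a user report.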









[Declude.Virus] [Fwd: [clamav-announce] Problems with ClamAV/SOSDG For WIndows 0.90.1-1 and -2]

2007-03-13 Thread Nick Hayer

fyi -

 Original Message 
Subject: 	[clamav-announce] Problems with ClamAV/SOSDG For WIndows 
0.90.1-1 and -2

Date:   Tue, 13 Mar 2007 14:20:20 -0400
From:   Bri Bruns [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


Okay, been getting reports of people having problems with the 0.90.1 
builds of ClamAV/SOSDG For Windows I've been releasing lately.


Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not 
quite sure how such an old version got into the build, but it is 
unreliable, and you probably are getting errors if you are using it.


0.90.1-2 is also having problems for some people, which I'm looking into 
now.  I'm not sure of the cause, but there appears to have been a lot of 
underlying changes in ClamAV over the past few months.


For now, if you are having problems with -2, I suggest going back to 
0.90-1, which you can grab from here:


http://downloads.sosdg.org/clamav/clamav-0.90-1.exe

And is known to work well for most people.

Please keep any bug reports for -2 coming in, as it's helping me narrow 
down the cause of the issues.


--
Brie Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org 



___
ClamAV For Windows Announcement Mailing List
http://lists.sosdg.org/mailman/listinfo/clamav-announce






Re: [Declude.Virus] Declude 4.3.40 Released

2007-03-12 Thread Nick Hayer

Thanks David

-Nick

David Barker wrote:

FIX ZEROHOUR passing weight to SM when email WHITELISTED
FIX Ignore Case checking in Imail Address book 2006
FIX Improved performance when OUTBOUNDSPAMSCANNING OFF
FIX Updated CommTouch ZEROHOUR Dll
FIX EXITSCANONVIRUSDETECT   ON works between AVG and Commtouch
ADD SM allows both email addresses and domains in their trusted sender list, declude will match on either
ADD Support for Regular Expressions http://support.declude.com/Customer/KBArticle.aspx?articleid=97 in the Filters using PCRE library

We will also be sending an email to notify customers of important changes.

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]






Re: [Declude.Virus] Release Update

2007-02-01 Thread Nick Hayer

Hi David,

What will this release contain?

-Nick



David Barker wrote:

We had scheduled a release for 31 January 2007, which we are delaying for
some changes next date is Monday 5 February 2007

Thanks
David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]






Re: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.

2006-10-26 Thread Nick Hayer

Darrell ([EMAIL PROTECTED]) wrote:

Also, for me to get the virus name I had to use the wrapper.
  

fyi - The names are otherwise recorded in the clamd.log

-Nick






Re: [Declude.Virus] Fw: A secret e-card has been sent fot you!!

2006-09-29 Thread Nick Hayer






Darrell ([EMAIL PROTECTED]) wrote:

  
  
  
  Pretty nice piece of social
engineering below - how many of your users will click on this tomorrow
:) Who can resist the temptation of a "secret" greeting card.

I get quite a few of these - here is my postcard-phish.txt
SKIPIFWEIGHT 26
REVDNS  END ENDSWITH 1001.com
BODY  END NOTCONTAINS postcards.org
HEADERS  5 CONTAINS @postcards1001.com
BODY  5 CONTAINS .exe

-Nick


  
  The link actually takes you to 
  http://www.lkkm.cz/help/postcard.gif.exe
  
  Darrell
  
Check out http://www.invariantsystems.com
for utilities for Declude And Imail. IMail/Declude Overflow Queue
Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
  
  -
Original Message -
  From:
  e-greetings.com
  
  To: [EMAIL PROTECTED] 
  Sent: Thursday, September 28, 2006 10:20 PM
  Subject: A secret e-card has been sent fot you!!
  
  
  
  Hello friend !
A friend has sent you an ecard from e-greetings.com
  
Send free ecards from e-greetings.com with your choice of colors, words
and music.
  
Your ecard will be available with us for the next 10 days. If you wish
to keep the greeting longer, you may save it on your computer or take a
print.
  
To view your ecard, click on the following Internet address.
  
  http://www.e-greetings.com/view.php?sid=1246
  
  
  
Hope you will visit us,
e-greetings.com 
  

Re: [Declude.Virus] ClamAV Exit codes

2006-09-29 Thread Nick Hayer

Failure I do believe, probably ClamD is not running?

-Nick

Markus Gufler wrote:

Does anyone know what exit codes ClamAV has and what they mean?

From 2006-09-27 06:50PM on I can see a huge number of

Virus scanner 2 reports exit code of 2

...in the virus-logfile.

Markus







Re: [Declude.Virus] AVG Updates

2006-09-12 Thread Nick Hayer




Mine is 9/8. 

-Nick

Mark Reimer wrote:

  
  
  
  
  What are the latest AVG updates that everyone has? I'm worried that my AVG
stopped updating for some reason. Or is it from Declude moving all their
stuff around?
  
  Mark Reimer
  IT Project Manager
  American CareSource
  214-596-2464
  
  
  

[Declude.Virus] ClamAV

2006-07-17 Thread Nick Hayer

I have noticed now with 4x that if ClamAV is the first scanner it fails
- it cannot find the file to scan. However if it is moved to the 2 
'hole' or 3 'hole' - identical config otherwise - it works like a charm. 
Does any one else see this anomaly?


-Nick






Re: [Declude.Virus] 4.2.3 Built-in scanner slight off topic reply

2006-07-12 Thread Nick Hayer




I just switched to 4x and noticed in the logs that scan times are
recorded - 
here are some sample scan times against the same email - 
2062ms Clamscan
468ms Mcafee scan.exe
171ms fprot

These relative scan time proportional differences appear to remain the
same against other emails.

Switching from clamscan.exe to clamdscan.exe ClamAV averages 15ms
against all emails it sees. That is like a factor of 10 faster than
fprot its closest performance competitor. Since it's free and
w/Sanesecurity phish sigs I give it an editors choice :)

It would be nice to see [feature request?] the ms response time for AVG
-

-Nick



John Shacklett wrote:

  Sorry for the tardy response, I've been traveling.

I used mcafee on my old system in combination with f-prot, and never had any
problems there either. On my new box [new since May], I started out with a
different program from eTrust because we're moving away from McAfee across
the board, but I had issues with the new program and switched to scan.exe. I
don't remember exactly when I made that last switch, but I have NEVER gotten
scan to return anything on anything it has scanned. I send myself a report
daily on activity for the previous day, and it always says in the virus
detections that "0 mcafee detected for 07-10-2006", a day when clamav found
82 and f-prot and AVG each found four more. 

I'm away from my office until next week, and I'm going to do some more
experimenting then to figure out why mcafee fails.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Thursday, 06 July 2006 4:51 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] 4.2.3 Built-in scanner

John, 

What problems are you having with scan.exe?  A lot of us use McAfee and have
no issues. 

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude, Imail,
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers. 


John Shacklett writes: 

  
  
After loading 4.2.20 this afternoon, my AVG scanner is now finally 
detecting viruses. Oh happy day. Now if I can just get scan.exe to 
work, I'll have a full house.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Thursday, 11 May 2006 11:44 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

"Declude 4.2.3 Diagnostics" right on the top line.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Carter
Sent: Thursday, 11 May 2006 9:30 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Just curious, what does your diags.txt?  Did 4.2.3 in fact get fully 
installed and running?

John C

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Thursday, May 11, 2006 6:56 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

I guess I should have been more dramatic. What I intended this to mean 
was that I still don't see any evidence that AVG is working at all.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 3:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Just for fun, I completely commented out the three scanners in my 
virus.cfg and resent the eicar plain test file, and it made it to my
Inbox.
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 9:58 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Forget my last post, I have different problems. Sorry. 

I followed John C's suggestion and sent myself a standard base64 MIME 
encoded eicar.com file [which should have occurred to me earlier], and 
I ended up with the following lines in the debug output:

05/09/2006 09:50:57.007 q9e3d01cb331c.smd AVG Reports No Virus
05/09/2006 09:50:57.178 q9e3d01cb331c.smd Virus scanner 1 reports exit code of 3
05/09/2006 09:50:58.444 q9e3d01cb331c.smd Virus scanner 2 reports exit code of 0
05/09/2006 09:50:58.616 q9e3d01cb331c.smd Virus scanner 3 reports exit code of 0

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Carter
Sent: Tuesday, 09 May 2006 9:41 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Temporarily go to LOGLEVEL DEBUG and use the test virus sender.  It 
should show AVG working. MID and HIGH levels didn't show which scanner 
caught EICAR, but DEBUG did.

John C


05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Virus detected. Not 
continuing with any remaining scanners.
05/09/2006 08:34:55.687 q9a7b

[Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer
I been asked to remove the block I have on these - and since I have 
forgotten why I am blocking them Is there a valid reason to block 
these?


Thanks in advance

-Nick


Re: [Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer




Hi John,

I was referring to file attachments that had a .url extension - I have
that extension banned in my virus.cfg and wondered why - 

-Nick



John T (Lists) wrote:

You nor I nor Declude nor any one knows where that leads to. You can not
scan the destination for a url.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I been asked to remove the block I have on these - and since I have
forgotten why I am blocking them Is there a valid reason to block
these?

Thanks in advance

-Nick


  





Re: [Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer

Bill,

Will you kindly elaborate?  :)
I see in clamd.conf the MailFollowURLs but the advice is not to use it -
-Nick


Bill Landry wrote:


ClamAV can be configured to scan URLs, if so desired.

Bill
- Original Message - From: John T (Lists) 
[EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 12:40 PM
Subject: RE: [Declude.Virus] url file extensions


You nor I nor Declude nor any one knows where that leads to. You can not
scan the destination for a url.
John T
eServices For You

Seek, and ye shall find!


-Original Message-
From: [EMAIL PROTECTED]


[mailto:[EMAIL PROTECTED]


On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I been asked to remove the block I have on these - and since I have
forgotten why I am blocking them Is there a valid reason to block
these?

Thanks in advance

-Nick


Re: [Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer




Thanks!

-Nick

John T (Lists) wrote:

  
  
  
  
Yep, exactly what I meant. I ban them as there is no way to scan them
(Although Bill says ClamAV can do it) to know what they are going to lead to.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 1:09 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] url file extensions

Hi John,

I was referring to file attachments that had a .url extension - I have
that extension banned in my virus.cfg and wondered why -

-Nick

John T (Lists) wrote:
You nor I nor Declude nor any one knows where that leads to. You can not
scan the destination for a url.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I been asked to remove the block I have on these - and since I have
forgotten why I am blocking them Is there a valid reason to block
these?

Thanks in advance

-Nick
  
  
   
  
  





Re: [Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer
I enabled it on one of the windows clamav boxes. I'll see what happens. 
Thanks

-Nick

Bill Landry wrote:

Nick, it's advised not to use it because it takes additional time to 
process e-mails with embedded or attached URLs, since it has to 
simulate a user and access the URL in order to scan it.  If you 
already have a heavily utilized system, then you would be wise not to 
enable this feature.  However, if you have available resources, you 
should be fine.


Also, at least on Linux, you need to have curl installed and compile 
with libcurl support:


Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --with-libcurl          support URLs downloading with libcurl (default=no)


However, I don't know if this is the case with the Windows version of 
ClamAV, since I have never actually run it on Windows.


We have been running with this feature enabled on our two Linux 
gateways for about a year now and thus far have had no problems with it.


Bill
- Original Message - From: Nick Hayer [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 1:30 PM
Subject: Re: [Declude.Virus] url file extensions



Bill,

Will you kindly elaborate?  :)
I see in clamd.conf the MailFollowURLs but the advice is not to use 
it -

-Nick


Bill Landry wrote:


ClamAV can be configured to scan URLs, if so desired.

Bill
- Original Message - From: John T (Lists) 
[EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 12:40 PM
Subject: RE: [Declude.Virus] url file extensions


You nor I nor Declude nor anyone knows where that leads to. You cannot
scan the destination for a url.
John T
eServices For You

Seek, and ye shall find!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I have been asked to remove the block I have on these - and since I have
forgotten why I am blocking them, is there a valid reason to block
these?

Thanks in advance

-Nick


Re: [Declude.Virus] F-Prot Switches

2006-03-28 Thread Nick Hayer

Hi Mark,

Mark Reimer wrote:


After seeing Matt's response I'm curious what other users are using for
their F-prot switches.


here are mine:
SCANFILE1 e:\Progra~1\FSI\F-Prot\fpcmd.exe /ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /SILENT /TYPE /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
VIRUSCODE1 9
VIRUSCODE1 10
REPORT1 Infection:
#2
SCANFILE2 e:\mcafee\scan.exe /ALL /ANALYZE /MAILBOX /MIME /NOBEEP /NOBOOT /NOBREAK /NODDA /NOMEM /PROGRAM /SILENT /UNZIP /REPORT report.txt
VIRUSCODE2 13
REPORT2 Found
#3
SCANFILE3 c:\clamav-devel\bin\clamdscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE3 1

-Nick

 




Re: [Declude.Virus] Updates from Declude

2006-03-08 Thread Nick Hayer





David Barker wrote:

The next release of Declude which is currently being tested and soon to be released

ahh David - wanna share? What will the new ver have to offer? :)

-Nick

David B
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grant Griffith
Sent: Wednesday, March 08, 2006 12:47 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

Is anyone else using confirm and can let me know if it is working for you now or not? I know John is
busy and may not have had time to try it yet and Declude is not responding.

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grant Griffith
Sent: Monday, March 06, 2006 8:06 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

Sounds good John, was just curious if you were still seeing the issue also.

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Friday, March 03, 2006 5:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

No I have not tested lately. I have been extremely busy this week. I will try on Saturday.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grant Griffith
Sent: Friday, March 03, 2006 5:38 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

Barry,

Wasn't the confirm issues supposed to be resolved in this version? I just tested it and it still
does not subscribe the user after they confirm by replying to the message?!?!

John, have you tried this yet with the same results?

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 02, 2006 5:04 PM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Updates from Declude

Product Naming

After considering all the choices we have decided to rename the new product "Declude Security Suite". I will be
notifying the winner(s) of the competition shortly.

Declude Security Suite for IMail

We have now released additional versions of the software for different levels of IMail and these can be found at http://www.declude.com//Purchase.asp?cat=13

As usual if anyone has questions please contact me and we will do our best to answer.

Barry

[EMAIL PROTECTED]
Office: (978) 499-2933
Cell: (978) 853-9593





Re: [Declude.Virus] Encoded viruses...worried topic change - to Bill Landry

2006-02-01 Thread Nick Hayer






  With these, you don't need to run CygWin ports or the Microsoft Windows Services for Unix. Bill Landry put the Declude and Message Sniffer mailing list users on to these a long time ago, and I'm still grateful to him.
  

Well I am grateful and frustrated at times- because it can do so much
and I have such a hard time getting the results I want!

Bill,

As I recall you were putting together a group of neat scripts to run
against our logs - did that ever happen and I missed it? It sure would
be helpful... !

Thanks

-Nick

  
I did some speed tests a long time ago, and found that the grep tool mentioned above was an order of magnitude faster than the find.exe that comes with Windows.

John T:

Sorry, you were probably viewing the output with NotePad.  I use a different editor that accommodates CR or CR/LF as the end-of-line sequence.  Good old edit and WordPad will do the trick.  So will using "less.exe" instead of piping to "more".

Markus:

Great tip, I just might make that part of my standard commands anyway.


Matt:

No problem, the .UU part of the search will also find all the lines that mention the .UUE format.


Andrew 8)




  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Wednesday, February 01, 2006 7:24 AM
To: Markus Gufler
Subject: Re: [Declude.Virus] Encoded viruses...worried

Off list - what grep do you use or which is the best for a W32 box?

Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler [EMAIL PROTECTED] wrote:
MG I've grep'ed through the logfiles for the last 7 days on my servers
MG
MG 2981 lines have sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME"
MG (ignoring double counts for the second av scanner)
MG
MG After filtering out all lines containing "Kapser" and "Mywife"
MG there remain the following 4 lines
MG
MG 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
MG 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]
MG
MG This looks very promising that declude is already handling it in
MG order to catch malicious code inside such attachments.
MG
MG Note: the 4th line is listed due to the "MIME"
MG
MG Markus

MG From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
MG Sent: Wednesday, February 01, 2006 3:19 PM
MG To: Declude.Virus@declude.com
MG Subject: Re: [Declude.Virus] Encoded viruses...worried
MG
MG You know, I was going to ask if you would do a search, but I
MG figured you might do it anyway :) You did leave out the ".uue"
MG extension, but I doubt that would have changed your results.
MG
MG I suppose that if these extensions aren't hardly ever used
MG anymore, it might be prudent enough to just watch for the
MG possibility of the tactic to become widespread and then take action.
MG
MG I do have a fair number of Mac users and probably more
MG overseas traffic than you do, so I think that I am going to have
MG to search a little on my own. Unfortunately I zip all of my
MG logs nightly, so it isn't practical to search through all of them.
MG
MG Matt
MG
MG Colbeck, Andrew wrote:
MG
MG On the plus side, there are mitigating circumstances...
MG
MG First, let me point out that although the antivirus
MG companies will lag behind the virus authors, the antivirus guys aren't sleeping.
MG
MG For many years, the bad guys have been using encoding
MG methods and 3rd party applications to obfuscate their software
MG as a cheaper alternative on their time than writing
MG polymorphic code whose very technique gave them away.
MG
MG PKLite was probably the first 3rd party tool used. I've
MG recently seen PAK, UPX and FSG... all three of which were
MG caught by F-Prot because the antivirus guys simply make signatures
MG for the binary itself, and don't bother including unpacking
MG methods for all possible compression/encryption methods.
MG This explains why we have relatively few upgrades on the engines themselves.
MG
MG The F-Prot documentation mentions (I think) only zip
MG decoding, but we know that it certainly does UPX and RAR decoding
MG based on issues that have been raised with each (for the
MG former, pathetic speed and the former, a buffer overflow).
MG   
MG   If you wa
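
The log search described in the message above, written out as an added example (not code from the thread or from Declude). It looks for the encoded-attachment extensions from the posted pattern, with `.UUE` listed explicitly and a boundary check after the extension, drops lines containing excluded words, and counts a repeated message for the same spool file once. The log lines are constructed samples modelled on the ones quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Extensions from the posted pattern; UUE is listed explicitly because the
# lookahead below stops ".UU" from matching ".UUE" as a prefix.
ENCODED_EXT = re.compile(r"\.(BHX|HQX|B64|UUE?|MIM|MME)(?![A-Za-z0-9])", re.IGNORECASE)

# Shape of the log lines quoted in the thread: date, time, spool file, message.
LOG_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) (?P<spool>\S+\.smd) (?P<text>.*)$"
)

# Constructed sample input (spool names and the Mywife line are made up).
SAMPLE_LOG = """\
01/25/2006 11:46:45.937 q0000000000000001.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/25/2006 11:46:46.102 q0000000000000001.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/26/2006 08:07:23.078 q0000000000000002.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
01/26/2006 09:15:02.500 q0000000000000003.smd Constructed scanner line: Mywife found in [photos.B64]
01/27/2006 21:51:19.375 q0000000000000004.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001]
01/28/2006 10:00:00.000 q0000000000000005.smd Found file with mismatched extensions [report.uue-Removed Attachment.txt]; assuming .exe
"""


def find_encoded_attachments(lines, exclude=()):
    """Return one record per (spool file, message) that names an encoded attachment.

    exclude: words (case-insensitive) whose presence drops a line, the way the
    thread filtered out lines for viruses that were already being caught.
    """
    hits = []
    seen = set()
    lowered = [word.lower() for word in exclude]
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # not a log line in the expected shape
        text = m.group("text")
        ext = ENCODED_EXT.search(text)
        if not ext:
            continue  # e.g. "MIME segment" has no ".MIM" extension in it
        if any(word in text.lower() for word in lowered):
            continue
        key = (m.group("spool"), text)
        if key in seen:
            continue  # same message logged again for the same spool file
        seen.add(key)
        hits.append({
            "date": m.group("date"),
            "spool": m.group("spool"),
            "ext": ext.group(1).upper(),
            "text": text,
        })
    return hits


def count_by_extension(hits):
    """Summarise hits per extension so a sudden rise in one format stands out."""
    return dict(Counter(hit["ext"] for hit in hits))


if __name__ == "__main__":
    found = find_encoded_attachments(SAMPLE_LOG.splitlines(), exclude=("Kapser", "Mywife"))
    for hit in found:
        print(hit["date"], hit["spool"], hit["ext"])
    print(count_by_extension(found))
```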

Re: [Declude.Virus] Encoded viruses...worried topic change - to Bill Landry

2006-02-01 Thread Nick Hayer




Excellent.
Thanks Bill - 

-Nick

Bill Landry wrote:

  
  
  
  
  Nick, I put this together quite some
time ago and have sent it to people upon request. Hopefully posting it
here will make it more widely accessible. At least it can point you to
some tutorials and give you a sampling of how the tools can be used and
maybe will inspire others to create some cool scripts that they would
be willing to share with others on the list.
  
  Bill
  
  
- Original Message -
From: Nick Hayer

Well I am grateful and frustrated at times- because it can do
so much and I have such a hard time getting the results I want!

Bill,

As I recall you were putting together a group of neat scripts to run
against our logs - did that ever happen and I missed it? It sure would
be helpful... !

Thanks

-Nick
  





Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Nick Hayer




Don Brown wrote:

  
#1 "The main benefit is that it cuts down on the amount of messages
virus scanned thus saving resources."
  

correct.

  
#2 "It still gets virus scanned."
  

only those emails that get past the junkmail scanning. If you do not
delete any junkmail then there is no benefit

-Nick



  
So, with or without AVAFTERJM, it looks like each message is scanned by the virus
scanner (which makes sense to me).  If that is so, then how does it
cut down on machine resources?



Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:
Dsic Keith, 

Dsic It still gets virus scanned.  I have tons of viruses in my virus drop point
Dsic for ROUTETO accounts. 

Dsic Darrell
Dsic  ---
Dsic Check out http://www.invariantsystems.com for utilities for Declude, Imail,
Dsic mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
Dsic integration, MRTG Integration, and Log Parsers. 


Dsic Keith Johnson writes: 

  
  

  Darrell,
  What happens in this scenario.  Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, lets say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days.  Does Declude Virus still run against it
prior to ROUTETO?  My fear is that the virus file will land in their
spam box untouched and the user will fire the virus off by looking at
file.   

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME 


  
  
How does AVAFTERJM cut down on work?  I thought it only affected the
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.

The main benefit is that it cuts down on the amount of messages virus
scanned thus saving resources.  It has been a MAJOR help for me.

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.  

  

  




Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049




  





Re: [Declude.Virus] [Declude.JunkMail] Declude Hardware Issue

2005-12-27 Thread Nick Hayer




David,

David Franco-Rocha wrote:

  
  
  
  
  B) Your software is NEVER downgraded
for any reason, either automatically or otherwise

hmm - would you kindly shut down your key server for awhile and monitor
the list in the meantime?

-Nick

  
  We have had a few reports from
customers who have licensed versions of Pro, saying that they are
receiving messages in their log files that they do not have the Pro
version.




   We will identify the source of that
issue tomorrow when the office reopens and will resolve it. It does not
have any relation to the key authentication mechanism with the server,
since the actual authentication with IMail versions of Declude
continues to be via the old codes entered into the configuration files.
  
  David Franco-Rocha
  Declude Technical / Engineering
  





Re: [Declude.Virus] Hardware Issue

2005-12-26 Thread Nick Hayer




Hi David,

Would you kindly elaborate on the ramifications of such a failure? I am
interested in when its fixed but more importantly its ramifications.
Are you saying that a hardware/network/software issue on your end can
in anyway disarm/defuse/alter/change the way Declude functions on its
installed user base? 

Thanks!

-Nick


David Franco-Rocha wrote:

  Due to the long holiday weekend, we
have been away from the office for a few days. Unfortunately it has
come to our attention that there could be a problem with key validation
on the server there. After some testing, we have determined that there
is in fact a hardware issue that we expect to have resolved today.
  
  We appreciate that you have taken
the time to bring this matter to our attention and appreciate your
patience while we rectify the situation. We will once again post to
this list when the issue has been corrected.
  
  Declude Technical / Engineering
  








Re: [Declude.Virus] Declude 3.0.5.18 Posted

2005-11-05 Thread Nick Hayer

Thanks for the info David!

-Nick

David Barker wrote:


Declude 3.0.5.18

ALL - Fixed un-defined variables causing intermittent stop/start with the
decludeproc service. 
JM -  Fixed SmarterMail incoming email recipient domain aliases.
AV -  Fixed un-defined variables, causing incorrect Virus Names. 


David B
www.declude.com



Re: [Declude.Virus] Second scanner

2005-11-04 Thread Nick Hayer

Hi David,

Mcafee is one - the command line scanner is only $11 - if you can find a 
vendor to sell it to you.


ClamAV is another choice and its free. I use it w/clamd.
http://www.sosdg.org/clamav-win32/index.php

I use all three..

-Nick

David Dodell wrote:


After many years of using Virus Standard, I upgraded to Virus Pro to
take advantage of a second scanner.   I've scanned the previous
threads on what others like for a second scanner to F-Prot, but can't
seem to find any common thread ...

So I would appreciate what seems to be the next most popular virus
scanner to run as a secondary scanner to F-Prot?

David



Re: [Declude.Virus] 3.0.5.10

2005-10-24 Thread Nick Hayer

Thanks David!

-Nick

David Barker wrote:



3.0.5.10 - Change was made to reset the winsock when the \proc directory
reached 0 messages
3.0.5.11 - Change was made to reset the winsock when the \proc directory
reached 0 messages and threads in the \work had completed processing

I will update documentation etc. and post changes for releases, as soon as I
have the relevant information.

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Saturday, October 22, 2005 12:27 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] 3.0.5.10

This one is just for the record since .10 is not on the website anymore --
thank goodness.

Put 3.0.5.10 in place this afternoon (before I knew .11 was available).
MISTAKE! Things looked ok at first, but didn't realize mail was stacking up
in \proc\. When I was not getting anything at the house, came back in
(around 11pm) and found 6,500 msgs in \proc.  Put in .11 and restarted.  It
is flowing now.

Wonder if that is the reason .10 disappeared from the web site so fast.
This raises (at least for me) an old discussion.  I know new documentation
for each little update is not possible or even reasonable to expect. But
maybe a quick and dirty page on what the update fixed.??  


John



[Declude.Virus] error line in log file

2005-09-26 Thread Nick Hayer

Hi -

would anyone know what "Couldn't create map1" would mean in the Declude 
virus log file?


Thanks!

-Nick



Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-23 Thread Nick Hayer

Hi Andy,

Andy Schmidt wrote:


Thanks Bill.  I had gotten the impression as if everyone with dual-processor
system was reporting this and that people were still seeing it with the
latest version.
 

If you will, would you let me know more about this issue? I haven't been 
following exactly so I do not know what I should be looking for  :)
I have 3.0.4.4  running on my quad processor [with hyper threading] box 
without any problems - at least as far as I can tell. If I'm missing 
something I will revert back to 2.0.6.16 in a heartbeat!


-Nick

 




Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-23 Thread Nick Hayer



Andy Schmidt wrote:


Hi Nick:

I'm only repeating what I'm told - I don't have factual information on my
own.
 


chuckle chuckle chuckle. you are very funny at times!



Declude is supposed to check the /proc folder and ONLY go to sleep (for 30
seconds), if the folder contains no messages. On systems that have that
problem, Declude goes to sleep even though there ARE messages to process.
 

Gotcha. No biggie for me to monitor at least.  Haven't seen that symptom 
yet but now the other emails regarding this make sense.


Thanks -

-Nick

 




Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Nick Hayer




Hi Matt - 

Matt wrote:

  
  
I was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DAT's than
  http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works -
ftp.nai.com
/pub/antivirus/datfiles/4.x

-Nick


Thanks,
  
Matt
  
  
  
John Tolmachoff (Lists) wrote:
  
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

What is the payload inside the zip?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m.
this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERS END NOTCONTAINS boundary="
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price
Matt


  
  





Re: [Declude.Virus] Patch Tuesday and graphic images

2005-07-12 Thread Nick Hayer

Thanks Andrew!

-Nick

Colbeck, Andrew wrote:


Today is Microsoft Patch Tuesday for July 2005.

One of the bulletins is:

http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx

Which fails to indicate which graphics formats are affected by this
vulnerability.  It does mention that abuse thereof is indeed in the
wild.  Presumably on websites, but if you want to make sure that it is
not happening in email, you will want to remove these optimizations from
your Declude virus.cfg file:

SKIPEXT JPG
SKIPEXT JPEG
SKIPEXT PNG
SKIPEXT TIF
SKIPEXT TIFF

This contradicts my posting in May 2005 that Scott Perry said that JPG
skipping was ok vis a vis MS04-028 Q833987 because Declude Virus checks
for corrupt JPG regardless of the SKIPEXT behaviour.  That is, unless
the Declude code is so good that it checks all three of these formats
for rigorous adherence to their standards such that it protects the
Microsoft libraries!


Andrew 8)
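
A way to carry out the virus.cfg change described above, as an added example that is not part of the original post or of Declude: it finds active `SKIPEXT` lines for the five image extensions listed and returns a copy of the file with those lines commented out. It assumes `#` starts a comment in virus.cfg, as in the `#2` and `#3` lines of the configuration posted earlier on this page; the function name and the sample file content are constructed.

```python
# The five extensions named in the post.
IMAGE_EXTS = frozenset({"JPG", "JPEG", "PNG", "TIF", "TIFF"})

# Constructed virus.cfg fragment used as sample input.
SAMPLE_CFG = """\
# constructed virus.cfg fragment
VIRUSCODE1 3
SKIPEXT JPG
SKIPEXT TXT
#SKIPEXT PNG
skipext tiff
"""


def audit_skipext(cfg_text, risky=IMAGE_EXTS):
    """Find active SKIPEXT lines that exempt image attachments from scanning.

    Returns (findings, patched_text):
      findings     -- list of (line number, extension) for each risky SKIPEXT
      patched_text -- the config with those lines commented out, everything
                      else left byte-for-byte as it was
    """
    findings = []
    patched = []
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        parts = line.split()
        is_skipext = len(parts) >= 2 and parts[0].upper() == "SKIPEXT"
        ext = parts[1].lstrip(".").upper() if is_skipext else ""
        if is_skipext and ext in risky:
            findings.append((lineno, ext))
            # Comment the line out instead of deleting it, so the change is
            # visible and easy to revert once the systems are patched.
            patched.append("# " + line.strip() + "   (disabled: scan image attachments)")
        else:
            # Lines already commented out start with '#', so they never
            # parse as SKIPEXT and are passed through untouched.
            patched.append(line)
    return findings, "\n".join(patched) + "\n"


if __name__ == "__main__":
    found, new_cfg = audit_skipext(SAMPLE_CFG)
    for lineno, ext in found:
        print("line %d: SKIPEXT %s exempts image attachments from scanning" % (lineno, ext))
    print(new_cfg, end="")
```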






Re: [Declude.Virus] what does this mean in the virus log file?

2005-06-07 Thread NIck Hayer

Thanks David!


David Franco-Rocha [ Declude ] wrote:


Nick,

With the enhancement of turning off checking for individual 
vulnerabilities, this information indicates for Declude which 
vulnerabilities are being checked and which ones are not.


David Franco-Rocha
Declude Technical Support

- Original Message - From: NIck Hayer [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, June 06, 2005 5:51 PM
Subject: Re: [Declude.Virus] what does this mean in the virus log file?



Vulnerability flags = 76

Thanks!

-Nick



Re: [Declude.Virus] Second Scanner

2005-06-06 Thread NIck Hayer




I am not real clear on this thread - but if it has to do with clamd -
it w/Declude no question has a problem in Windows. I have stopped using
it - it may take a week or even a month but it will crash...

-Nick


Terry Fritts wrote:

  
I can't find anything in the event or application logs that looks bad
around this time either.

  
  
  I can't either.

  I've switched my clamd.conf file settings to run on TCP/IP rather
  than local socket. In the clamd.log file there were accept() errors
  recorded when this occurs which is a socket command error.

  I don't know that running in TCP/IP will help but the conf file says
  it can help some stability issues on windows servers.

  I also see that once this starts the other scanners never get a
  return either - not sure why that would be.
  

---
Terry



  





Re: [Declude.Virus] what does this mean in the virus log file?

2005-06-06 Thread NIck Hayer

Vulnerability flags = 76

Thanks!

-Nick



Re: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread NIck Hayer




Hi Andy,


Colbeck, Andrew wrote:

  
  
  
  Declude Virus will *not* detect abuse of MS05-16
with the Declude CLSID vulnerability detector.
  
  They are entirely different animals, which
happen to have CLSID at their heart.
  

You are sure up to date with this stuff!


  
  The only way to attack MS05-16 abuse with
Declude Virus is with a) keep your virus scanner up to date, 

This is good news. That can be easily accomplished - 


  and/or b) to watch for virus news and ban
extensions that are deliberately crafted as bogus, e.g. .d0c or .doc_
instead of .doc

Well this won't be effective because folks now rename extensions as a
matter of course to get clean files through eg - .exe  .e_x_e :)


   Leave it up to your antivirus scanner.
  

Perfect and thanks for the insight.

-Nick




Re: [Declude.Virus] not catching W32.Sober.O@mm!enc

2005-05-09 Thread Nick
On 9 May 2005 at 9:27, Susan Duncan wrote:
Hi Susan -

2 things -

What do your logs show - eg Is Declude scanning the suspect email?

2- If it is I bet Symantec is giving a false positive - non virulent
positive.

-Nick

 Not sure if I should be posting this here or sending something to
 f-prot. We're running Declude Virus with F-Prot and some of the email
 messages getting through to the client are coming up with
 [EMAIL PROTECTED] getting caught by Symantec.

 I've been getting these since late last week and I've updated f-prot.
 Am I just not configured properly or is f-prot just that far behind in
 updates?


 Susan Duncan
 Web/Communications Officer / Agent des Communications/web
 Union of Taxation Employees / Syndicat des employées de l'Impôt
 Tel: 613-235-6704 ext 240
 Fax: 613-234-7290
 e-mail: [EMAIL PROTECTED]
 http://www.ute-sei.org/



 ---
 [This E-mail scanned for viruses by Declude Virus]






Re: [Declude.Virus] Declude virus bug?

2005-05-05 Thread Nick
On 5 May 2005 at 11:39, Doug Anderson wrote:

 Below is the information. It shows that it's coming from a local
 host, yet it's not. Mail server has been scanned for viruses/trojans
 and found none. Anyone got an idea what's going, what I'm not seeing,
 virus or if it's a program bug?
Well I just scanned my virus logs for the past week.
Today only I have 2 emails that are spam, claim to be virii that 
originated from 127.0.0.1

So I cannot explain this - it may be normal but rare?

-Nick


05/05/2005 08:48:51 Q16324B9301BCB06D Outlook 'CR' vulnerability [From: Tro] in line 7
05/05/2005 08:48:51 Q16324B9301BCB06D Scanned: CONTAINS A VIRUS [MIME: 0 0]
05/05/2005 08:48:51 Q16324B9301BCB06D From: info-[EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 127.0.0.1]
05/05/2005 08:48:51 Q16324B9301BCB06D Subject: Inks  Toners for Much Less
##
05/05/2005 08:26:13 Q10E53DBC01C2AF0B Outlook 'CR' vulnerability [From: Tro] in line 7
05/05/2005 08:26:13 Q10E53DBC01C2AF0B Scanned: CONTAINS A VIRUS [MIME: 0 0]
05/05/2005 08:26:13 Q10E53DBC01C2AF0B From: info-[EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 127.0.0.1]
05/05/2005 08:26:13 Q10E53DBC01C2AF0B Subject: Inks  Toners for Much Less



Re: [Declude.Virus] Incremental Release

2005-05-05 Thread Nick
On 5 May 2005 at 14:15, [EMAIL PROTECTED] wrote:

 For the foreseeable future Declude will be following a different
 release strategy.

WOW!

Barry - you the man!

-Nick

 
 Beginning today we will be issuing Incremental Releases on a regular
 basis. These releases should be regarded as Beta Code although they
 will be fully documented and supported.
 
 After a number of releases have been issued and tested a new version
 will be made available consisting of the rolled up Incremental
 Releases.
 
 The release is available as usual for those customers with valid
 service agreements from the 'My Account' page.
 
 If you have any questions please feel free to contact me.
 
 
 Barry Simpson
 www.declude.com
 Office (866) 332-5833
 
 
 




Re: [Declude.Virus] vunerabilities

2005-05-05 Thread Nick
Does anyone know or have a list of the vulnerabilities that are a 
real problem and should be blocked or conversely the vulnerabilities 
that are not a virus/worm threat?

Thanks!

-Nick




Re: [Declude.Virus] ALLOWVULNERABILITIES Directive

2005-05-04 Thread Nick
On 4 May 2005 at 9:11, Ralph Krausse wrote:

Ralph - 

Excellent!

Excellent for Declude list participation - I really appreciate it!

Thanks

-Nick

  
 We are currently looking into a possible issue with this directive. We
 will be shortly releasing a incremental version with some enhancements
 and fixes. If ALLOWVULNERABILITIES does have an issue, it will be
 dealt with and documented.
 
 Thank you
 Declude Development 
 




RE: [Declude.Virus] Who is minding the store

2005-05-02 Thread Nick
On 2 May 2005 at 9:51, Douglas Cohn wrote:

Douglas - 

I agree with what you are saying. And I miss Scott for his slant on 
techsupport and philosophy [ Remember Len & Scott dialogs? :)   ]

That said we need to give the new Declude a chance. [That is coming 
from a guy that has been posting some negativity lately]. They are 
learning the new turf. And they have some good email admins 
supporting them (for now)

If Declude misses the point competition will put them out of 
business.

-Nick

  Plus, if they actually integrate our feedback, we'll buy the support
 agreement in order to download the latest fruits of our labor. :)
 
 Yes that is a key point and the reason I always rushed out to renew in
 the past.
 
 I sent this email because now I am not so sure.  And I know others
 that have the same feelings.  Renew or not renew.  I was told the
 company would be run in the same high quality manner as before. 
 Clearly that is not the case. Without knowing the coders know their
 stuff relating to spam it is quite risky to take the chance with such
 a small company.  We knew Scott was the best, who are the people that
 took over the reins and what credentials do they have.  I mean
 Symantec cannot do it right and I should trust someone who won't
 participate in their own forums?
 
 If Scott would chime in here and say  DON'T worry Doug these people
 know their stuff, you are in good hands.  I would order a renewal. 
 But he left.
 
 Doug 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan
 Sent: Sunday, May 01, 2005 5:59 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Who is minding the store
 
 Douglas Cohn wrote:
 
 Using this forum for support is certainly less expensive to the
 company
 
 ... unless you're charging for support, then it could be viewed as a
 losing proposition to assist in free support. I fear this may be the
 mindset. This view, is, of course, entirely wrong; as you mentioned,
 our R&D feedback is very valuable-worth more than a support contract.
 Plus, if they actually integrate our feedback, we'll buy the support
 agreement in order to download the latest fruits of our labor. :)
 
 
 
 




Re: [Declude.Virus] F-Prot Alternative

2005-05-02 Thread Nick
On 2 May 2005 at 15:02, Chuck Schick wrote:

 We have been running F-prot as the virus scanner with Declude for over
 a year but lately it seems to have more and more bugs in it.  What do
 others recommend as low-cost scanners to work with declude?
Hi Chuck - 

Well Mcafee  is hard to beat for their command line scanner 
[scan.exe] @ $11 but the real trick is finding a source to purchase 
it from. I got mine through my day job via government purchasing.

-Nick
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 
 




Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Nick
On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
  Could not find parse string Infection: in report.txt
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
 04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
 04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
 04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
 --- 6 second gap where F-Prot scans message ---
 04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
 04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
 04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
 04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
 04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
 04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
 04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
 04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
 
 04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
 --- 4 second gap where F-Prot scans message ---
 04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
 04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
 04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
 04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
 04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
 04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello
 
 04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
 04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
 04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
 --- 9 second gap where F-Prot scans message ---
 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
 04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
 04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
 
 I'm virtually certain that this is what was happening yesterday, but
 under heavier load, F-Prot was taking longer to scan the messages than
 the 30 seconds that I allow it to. There are no other long delays like
 this that I can find. F-Prot based on past testing should detect a
 typical virus in 100 ms on my system, but it is not only taking much
 more time to scan a very small file, it is also missing the virus.
 
 I suspect that this is happening on other systems, but the timeout
 issue probably wasn't seen as often because I have my timeout set to
 30 seconds instead of 60 seconds, and I had very heavy load for much
 of the day yesterday. If others are running two virus scanners
 including F-Prot, it would help to confirm my findings by searching
 for a hit on the second virus scanner hitting, but F-Prot missing and
 also taking several seconds or more to return a result.
 
 If you search your logs for Could not find parse string Infection: in
 report.txt, it might help to narrow down the results. I even tested
 with McAfee run first and then F-Prot and these messages would still
 appear when F-Prot didn't detect anything and McAfee did. Here's an
 example with McAfee run first, detected a virus, and then F-Prot took
 its time, generated a report.txt file but didn't return a virus
 result code:
 04/28/2005 01:37:50 Q76AE2D3600E0E263 MIME file: text.zip [base64; Length=56434 Checksum=6987682]
 04/28/2005 01:37:51 Q76AE2D3600E0E263 Scanner 1: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
 --- 7 second gap while F-Prot scans ---
 04

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Nick
On 28 Apr 2005 at 13:50, Matt wrote:
Sorry about being wrong on both counts.. but I was trying to help!

-Nick



 
 Nick,
 
 Thanks for the reply, but I think you missed part of the 
 discussion. This is an F-Prot issue. Also, regardless of not finding a
 parse string in report.txt, F-Prot isn't throwing one of the three
 codes that people around here consider to be a virus, i.e. 3, 6 or 8.
 If it threw that code, Declude would pick it up as a virus tagged by
 F-Prot regardless of what the report.txt showed. The Report.txt is
 only used for identifying the virus, but in this case it is a clue
 that tells us that F-Prot is probably throwing an error of some sort
 since this file is being generated and shouldn't otherwise be.
 
 Matt
 
 
 
 
 Nick wrote: 
 On 28 Apr 2005 at 12:57, Matt wrote:
 
 Matt - 
 
 If this becomes a real problem that you see and can monitor I
 would revert back to an older scan.exe to eliminate the issue of
 versions.
 
 This is a possible clue:
 
  Could not find parse string Infection: in report.txt
 
 What does this mean?
 
 Your virus.cfg needs a different setup parameter or report.txt
 cannot be found?
 
 -Nick
 
 04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
 04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
 04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
 --- 6 second gap where F-Prot scans message ---
 04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
 04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
 04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
 04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
 04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
 04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
 04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
 04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED
 
 04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
 --- 4 second gap where F-Prot scans message ---
 04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
 04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
 04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
 04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
 04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
 04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
 04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello
 
 04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
 04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
 04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
 --- 9 second gap where F-Prot scans message ---
 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
 04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
 04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
 04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day
 
 I'm virtually certain that this is what was happening yesterday,
 but under heavier load, F-Prot was taking longer to scan the
 messages than the 30 seconds that I allow it to. There are no
 other long delays like this that I can find. F-Prot based on past
 testing should detect a typical virus in 100 ms on my system, but
 it is not only taking much more time to scan a very small file, it
 is also missing the virus.
 
 I suspect that this is happening on other systems, but the timeout
 issue probably wasn't seen as often

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Nick
On 28 Apr 2005 at 16:44, Matt wrote:

Hi Matt,

 I assume that this is probably resulting in an exit code of 9 or 10
 then because I'm not using either at the moment, and you are the first
 that I definitively know has them configured.
I do not use these codes either - I had 4 Could not find parse 
string Infection in my logs today. The average delay was 4 seconds.

Is the answer to add the additl exit codes or is there a downside to 
that?

-Nick


 9 - At least one object was not scanned (encrypted file, 
 unsupported/unknown compression method, unsupported/unknown file
 format, corrupted or invalid file).
 
 10 - At lest one archive object was not scanned (contains more
 then N levels of nested archives, as specified with -archive
 switch).
 Since some of these are not zip files on my system, I am going to
 assume that it is an exit code of 9 that is being spit out. A file
 corruption might also explain the issues with F-Prot taking longer on
 my system.
 
 Anyway, I just started to not delete viruses so I should catch one of
 these soon and then I can work at processing it manually to see what I
 find.
 
 Thanks for sharing. This was helpful.
 
 Matt
 
 
 
 Bill Landry wrote: 
 Matt, I searched 2 weeks of logs on both of my servers (both of
 which run F-Prot and TrendMicro) and could only find 4 instances
 of Could not find parse string Infection, and they were found on
 the server that is very heavily loaded. I use the following F-Prot
 strings in my virus.cfg:
 
 # F-Prot
 SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
 VIRUSCODE1 3
 VIRUSCODE1 6
 VIRUSCODE1 8
 VIRUSCODE1 9
 VIRUSCODE1 10
 REPORT1 Infection:
 
 Here is a sample of what I find if I parse for 5 lines before and
 after the target Q-ID:
 
 04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
 04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
 04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
 04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
 04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
 04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
 04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
 04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
 04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
 04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
 04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
 04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
 04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
 04/20/2005 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
 04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1 752]
 04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
 04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]
 
 I didn't find a time gap in any of the Could not find parse string
 Infection log entries I found.
 
 Bill
 - Original Message - 
 From: Matt 
 To: Declude.Virus@declude.com 
 Sent: Thursday, April 28, 2005 10:58 AM
 Subject: Re: [Declude.Virus] High CPU F-Prot
 
 Andrew,
 
 If you are only using F-Prot, you should be able to find evidence of
 at least the delays by searching for Could not find parse string
 Infection and then checking for a gap above that point to where the
 message began to be scanned.
 
 If I'm correct about this, and it seems that I am, F-Prot has been
 missing a fair number of viruses every day at least going back to
 April 11th. Their new scan engine, 3.16b was released back on March
 7th and this may be related, but I don't have logs going back past
 April to confirm.
 
 F-Prot users should all probably pay very close attention to this. I
 haven't yet contacted F-Prot because I'm busy at this moment and this
 was only just confirmed by someone else. I would have to say that
 Scott would be quite useful in a situation like this because it
 appeared that he had a line of contact with them (Scott, are you out
 there?).
 
 Matt
 
 
 
 Colbeck, Andrew wrote: 
 The could not parse string occurs whenever F-Prot returns a
 result that *isn't* equal to 3.  Only return code 3 provides a
 string in the result file that says Infection:  followed by the
 virus name.
 
 I'd like to help you out with this Matt, but with only one
 antivirus scanner, I don't see the evidence of a space gap.
 
 Andrew 8)
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED
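
The log check discussed in this thread (find the "Could not find parse string" entries, measure the gap before each one, and see whether another scanner flagged the same message), as an added Python example that is not part of the original posts. The log lines are constructed in the layout quoted above; `watched_scanner` and `slow_seconds` are assumed parameter names, and the gap is measured against the previous entry for the same queue ID.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the log lines quoted in the thread:
# "MM/DD/YYYY HH:MM:SS <queue id> <message>". Queue IDs and virus names are made up.
SAMPLE_LOG = """\
04/28/2005 05:49:04 Q00000000000000A1 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 Q00000000000000A1 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:07 Q00000000000000D4 Scanned: Virus Free [MIME: 1 672]
04/28/2005 05:49:10 Q00000000000000A1 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 Q00000000000000A1 Scanner 2: Virus=the W32/Sample.worm Attachment=document.scr [0] O
04/28/2005 05:49:11 Q00000000000000A1 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:50:00 Q00000000000000B2 MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/28/2005 05:50:00 Q00000000000000B2 Could not find parse string Infection: in report.txt
04/28/2005 05:50:01 Q00000000000000B2 File(s) are INFECTED [: 0]
04/28/2005 05:50:01 Q00000000000000B2 Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/28/2005 05:50:05 Q00000000000000C3 MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 05:50:05 Q00000000000000C3 Scanner 1: Virus=W32/Sample.worm Attachment=data.scr [0] O
04/28/2005 05:50:06 Q00000000000000C3 Scanner 2: Virus=the W32/Sample.worm Attachment=data.scr [0] O
04/28/2005 05:50:06 Q00000000000000C3 Scanned: CONTAINS A VIRUS [MIME: 2 56551]
a wrapped or garbled line like this one is skipped
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q[0-9A-Fa-f]+) (.*)$")
SCANNER_HIT_RE = re.compile(r"^Scanner (\d+): Virus=")
PARSE_FAIL = "Could not find parse string"


def parse_log(text):
    """Group entries by queue ID so interleaved messages do not distort the gaps."""
    by_qid = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation of a wrapped line, or not a log entry
        when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        by_qid[m.group(2)].append((when, m.group(3)))
    return by_qid


def find_parse_failures(text, watched_scanner=1, slow_seconds=2):
    """Report every message that logged a report.txt parse failure.

    watched_scanner is the scanner number (as in SCANFILE<n>) whose misses
    are of interest; slow_seconds is the gap treated as a slow scan.
    """
    findings = []
    for qid, entries in parse_log(text).items():
        hits = set()   # scanner numbers that logged "Scanner N: Virus=..."
        gap = None     # seconds between the failure and the prior entry
        for i, (when, msg) in enumerate(entries):
            hit = SCANNER_HIT_RE.match(msg)
            if hit:
                hits.add(int(hit.group(1)))
            elif msg.startswith(PARSE_FAIL) and gap is None:
                previous = entries[i - 1][0] if i > 0 else when
                gap = int((when - previous).total_seconds())
        if gap is None:
            continue  # no parse failure logged for this message
        findings.append({
            "qid": qid,
            "gap_seconds": gap,
            "scanners_hit": sorted(hits),
            # Another scanner named a virus but the watched one did not.
            "missed_by_watched": bool(hits) and watched_scanner not in hits,
            "slow": gap >= slow_seconds,
        })
    return findings


if __name__ == "__main__":
    for f in find_parse_failures(SAMPLE_LOG):
        print(f)
```
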

Re: [Declude.Virus] Revisiting the McAfee command line arguments

2005-04-27 Thread Nick
On 27 Apr 2005 at 8:55, Scott Fisher wrote:

Thanks Scott - you have some switches I haven't seen !

Also - 

Declude tech support - 

Declude Scott  used to make excellent recommendations regarding 
command line switches - can anyone with Declude tech support continue 
with same? This list used to be a support forum from Declude but is 
support now only on a per incident basis?

Thanks!

-Nick



 
 I'm using:
 SCANFILE3 D:\VIRUSSCAN\scan.exe /ALL /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /MANALYZE /MIME /PANALYZE /PROGRAM /REPORT report.txt
 
 Haven't seen any FPs with /MANALYZE or /PANALYZE
 I run PRESCAN OFF and the /MAILBOX isn't needed to find Phish/Links
 
 
 I sense a frustration with virus protection from you. I think this CPU
 intensive process could be improved. If a virus is found with scanner
 1, I'd like an option to avoid calling later scanners. While it's good
 for comparison sakes, if a virus is found, I don't need 2 other
 programs to confirm that. I'd also like to have the PRESCAN ON/OFF
 setting moved within the virus scanner definitions. I could then have
 one of the scanners scan all of the e-mail, and the less effective
 scanner would run a Prescan ON. Example:
 
 SCANFILE1 ...
 VIRUSCODE1 3
 REPORT1 Infection:
 PRESCAN1 OFF
 
 SCANFILE2 ...
 VIRUSCODE2 13
 REPORT2 Found
 PRESCAN2 ON
 
 
 - Original Message - 
 From: Matt 
 To: Declude.Virus@declude.com 
 Sent: Tuesday, April 26, 2005 10:53 PM
 Subject: [Declude.Virus] Revisiting the McAfee command line arguments
 
 I've searched the archives and came up with nothing specific 
 regarding this, but that's not to say that there wasn't a 
 discussion. I seem to remember Bill Landry having some of his own
 tweaks to the McAfee command line, but I really can't recall.
 
 Anyway, I found that using the published config for McAfee, it was
 scanning the boot records, in fact I believe it scans all of them.
 Checking the /? I found that there is a switch to turn this off in the
 4.4.00 scan engine, /NOBOOT. From the command line I verified that
 this does in fact not scan the MBR's and my Declude log shows that it
 is still detecting viruses. This could be a big improvement for McAfee
 if this switch was used, however I wouldn't recommend doing it without
 further discussion or testing.
 
 I also found what appears to be a new switch called /PROGRAM. 
 McAfee's notes describes this as, Scan for potentially unwanted
 applications. I turned it on and noted a change in the way that
 McAfee was detecting some things. It appears that Declude reports the
 first virus found in the report.txt file and before the change on some
 Netsky viruses, F-Prot would detect an HTML/[EMAIL PROTECTED] in the HTML
 segment and McAfee would detect W32/[EMAIL PROTECTED] in the executable
 attachment. After using the /PROGRAM switch, McAfee is now detecting
 the exploit in the HTML segment as potentially unwanted program
 Exploit-MIME.gen.c. Here are a before and after using the switch from
 my logs of what I assume to be the same virus in different messages:
 Before
 04/26/2005 23:02:48 Q00D885AA00904BD6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
 04/26/2005 23:02:49 Q00D885AA00904BD6 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=message.scr [0] O
 
 After
 04/26/2005 23:09:27 Q0264DA3401104E3C Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
 04/26/2005 23:09:28 Q0264DA3401104E3C Scanner 2: Virus=potentially unwanted program Exploit-MIME.gen.c. Attachment=[HTML segment] [0] O
 
 I am assuming that McAfee would/is still detecting the virus in the
 attachment, but Declude is just simply logging the first matching
 string that is found in the Report.txt, and therefore this would
 appear to be a good switch to use.
 
 Based on the above, and assuming that no problems arise as a result of
 either switch, it would then be a good idea to modify McAfee's command
 line options using the 4.4.00 scan engine (released late last year) to
 the following:
 C:\[McAfee Path]\scan.exe /ALL /NOBOOT /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /PROGRAM /REPORT report.txt
 
 There are some other switches that I also came across and don't 
 recall seeing before, but may be beneficial. They are as follows along
 with some comments on why I think they might be useful, but note that
 I have no experience with any of these and am only speculating:
 
 /TIMEOUT seconds - Set the maximum time to spend scanning any
 one file. I'm thinking that this might be a good way to help
 protect a Declude system from overloaded conditions. While Declude
 will timeout on a scan, if you are using two virus scanners and
 where the first (F-Prot) is more efficient than McAfee, this
 might be a good way to disable the second scanner under high load
 conditions after a reasonable amount of time so as to not
 overwhelm the server as much as without

Re: [Declude.Virus] Declude Update

2005-04-12 Thread Nick
On 11 Apr 2005 at 20:45, Barry Simpson wrote:

 
 Declude Version 2.0.6 was posted to www.declude.com earlier today.
 Updated Release Notes and Documentation are also available.
Hi -
Where is the virus manual? I wasn't able to find it. Reason I was 
looking was BANEZIPEXTS is not listed in the sample virus.cfg file - 
I want to verify this option still exists [or not]

Thanks

-Nick

 Barry
 
 




RE: [Declude.Virus] wuaurlt.exe

2004-12-14 Thread Nick
Has anyone seen or heard of a virus/worm that uses this file? It 
seems to be attacking several pc's at my day job..

Thanks!

-Nick Hayer


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



RE: [Declude.Virus] wuaurlt.exe

2004-12-14 Thread Nick
On 14 Dec 2004 at 12:31, Nick wrote:

 Has anyone seen or heard of a virus/worm that uses this file? It seems
 to be attacking several pc's at my day job..
As a follow up - I just found this - 
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.ADGVSect=T

Nothing on mcafee or fprot though. Is there an alias that exists?

Thanks again - 

-Nick



RE: [Declude.Virus] wuaurlt.exe

2004-12-14 Thread Nick
On 14 Dec 2004 at 11:19, Colbeck, Andrew wrote:
Thanks Andrew!
You are sharp. I spent quite a bit of time on google and on the AV 
sites without any results. 

-Nick


Subject:RE: [Declude.Virus] wuaurlt.exe
Date sent:  Tue, 14 Dec 2004 11:19:50 -0800
Priority:   normal
From:   Colbeck, Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Send reply to:  [EMAIL PROTECTED]

 I've seen a variant of RBOT that was similar; the naming format is try
 to confuse you that it is part of windows update, which is
 wuauserv.exe
 
 There is a gray area between the antivirus scanners and the spyware
 scanners in picking this stuff up.  You'll want to get that machine
 patched, the registry cleaned for the HKLM, HKDU and the HKCU for
 whomever was logged in when it ran.
 
 If the affected OS has one, you'll also need to empty the
 %windir%\prefetch folder, as some antivirus scanners won't find it
 because the extension is renamed (or they have a blind spot for that
 folder).
 
 Since this worm has a dropper and an active component, you'll need to
 clean out both.
 
 If your antivirus scanner isn't picking it up, you can use:
 
 http://housecall.trendmicro.com
 
 which downloads an ActiveX control version of their scanner, which
 will do a full sweep of the local hard drive.
 
 And yes, this TrendMicro name does have aliases.  Depending on which
 vendor you talk to, you'll also see it as GAOBOT or SDBOT.  This
 specific name has no alias, according to this site, which is the only
 one I know of that tracks the virus lingo across vendors:
 http://www.virusbtn.com/resources/vgrep/index.xml
 
 There is also this site, to which you can upload a virus to have it
 checked by multiple vendors' scan engines and email you a report. 
 Some engines have been removed due to legal pressures:
 http://www.virustotal.com/flash/index_en.html
 
 Andrew 8)
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Nick
 Sent: Tuesday, December 14, 2004 9:40 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] wuaurlt.exe
 
 
 On 14 Dec 2004 at 12:31, Nick wrote:
 
  Has anyone seen or heard of a virus/worm that uses this file? It
  seems
 
  to be attacking several pc's at my day job..
 As a follow up - I just found this - 
 http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.ADGVSect=T
 
 Nothing on mcafee or fprot though. Is there an alias that exists?
 
 Thanks again - 
 
 -Nick
 
 




Re: [Declude.Virus] log file grepping

2004-12-06 Thread Nick
On 6 Dec 2004 at 10:25, Johan Driesmans wrote:

Hi Johan,

 I'm interested in your mrtg configuration, can you send me this as an
 example?

Below is the cfg file - it will give you total virus vs total 
scanned. Bill did unxtools extract which I munged slightly to make 
mrtg like it better. I am running this in Windows w/Active State perl 
and the latest mrtg program. If you need to know more let me know. 
Note: The Target[index]:. is _one_ line.

[Also I believe Darrell ([EMAIL PROTECTED]) is working on 
a  mrtg ver of a virus analyzer  which does this and more... No idea 
of a release date - ]
-Nick

###
WorkDir: E:\mrtg-graphs\Imail\grep_virus
Title[index]: Connections MRTG
PageTop[index]: <hr><br><h3>Server: MX1.MADRIVERACCESS.COM<br>Viruses Detected / Total Email Scanned</h3>
MaxBytes[index]: 100
AbsMax[index]: 100
Options[index]: gauge,unknaszero,nopercent,growright
Target[index]: `egrep "File\(|Scanned: (Virus|Error)|Skipping" e:\imail\spool\vir1206.log | gawk "{print $1,$4,$5,$6}" | sed "s/\/2004 / TOTAL\n/g" | egrep "File|TOTAL" | gawk "{print $(NF)}" | usort | uniq -c | cut -b -8 | sed "$!N;s/\n//"`
YLegend[index]: Scanned
ShortLegend[index]: Scanned
Legend1[index]: Viruses
Legend2[index]: Scanned
LegendI[index]: &nbsp;Scanned
LegendO[index]: &nbsp;Viruses
###



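An added example (not from any poster in this thread): a POSIX sh/awk version of the count that the one-liner and the Target[index] command above produce, emitting the four lines an MRTG external target reads. It always prints infected first and total second, so a day with no "File(s)" line does not leave the total as the only, and therefore first, value, which is what sort | uniq -c alone gives. The sample log lines are constructed; the "Scanned:" and "Skipping" wording, the forward-slash path in log_path and the target name are assumptions.

```shell
#!/bin/sh
# Added example: Declude Virus log counts for an MRTG external target.

# Constructed sample log. Line shapes follow the two log lines quoted in this
# thread; the "Scanned:" / "Skipping" wording is an assumption based on the
# egrep pattern used above.
write_sample_log() {
    cat > "$1" <<'EOF'
12/06/2004 00:00:11 Qaa00000000000001 Scanned: Virus Free
12/06/2004 00:01:42 Qaa00000000000002 File(s) are INFECTED [[Microsoft GDIPlus.DLL JPEG Vulnerability]: 0]
12/06/2004 00:02:05 Qaa00000000000003 Scanned: Error in virus scanner
12/06/2004 00:02:30 Qaa00000000000004 Error 128 in virus scanner 1.
12/06/2004 00:03:17 Qaa00000000000005 Skipping scan
12/06/2004 00:04:51 Qaa00000000000006 File(s) are INFECTED [[Microsoft GDIPlus.DLL JPEG Vulnerability]: 0]
12/06/2004 00:05:02 Qaa00000000000007 Scanned: Virus Free
EOF
}

# Daily log path: vir<MMDD>.log, as in vir1201.log / vir1206.log above.
# $1 = spool directory, $2 = MMDD (defaults to today).
log_path() {
    printf '%s/vir%s.log\n' "$1" "${2:-$(date +%m%d)}"
}

# Print "<infected> <total>" for one log file.
# total    = lines matching the same pattern as the egrep above
# infected = of those, lines whose 4th and 6th fields are "File(s)" / "INFECTED"
virus_counts() {
    awk '
        /File\(|Scanned: (Virus|Error)|Skipping/ {
            total++
            if ($4 == "File(s)" && $6 == "INFECTED") infected++
        }
        END { printf "%d %d\n", infected, total }
    ' "$1"
}

# Emit the four lines MRTG reads from an external target:
# value 1, value 2, uptime string, target name.
# $1 = log file, $2 = target name. Fails without output if the log is unreadable.
mrtg_target() {
    if [ ! -r "$1" ]; then
        echo "mrtg_target: cannot read $1" >&2
        return 1
    fi
    counts=$(virus_counts "$1")
    printf '%s\n%s\n%s\n%s\n' "${counts% *}" "${counts#* }" "n/a" "$2"
}

# Stand-alone demo: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    write_sample_log "$demo"
    mrtg_target "$demo" "mx1-virus"
    rm -f "$demo"
fi
```
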


Re: [Declude.Virus] clamAV - OT ClamAV For Windows 0.80-10

2004-12-06 Thread Nick
I just received the following from the Clam list - there appears to be 
an issue with UDP ports and cygwin

-Nick
 

On 6 Dec 2004 at 9:24, Brian Bruns wrote:

From:   Brian Bruns [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date sent:  Mon, 6 Dec 2004 09:24:37 -0500
Subject:[clamav-announce] ClamAV For Windows 0.80-10

 Hello all,
 
 It's been a while since I sent out a notice of a new version, so here
 it is - v0.80-10 of ClamAV.  It's fresh off the compiler and should be
 working well.
 
 However, I've been notified of a serious issue surrounding ClamAV and
 Cygwin.  Apparently, clamd.exe causes UDP ports to be opened for no
 reason, and they hang in the open state.  The only way to really fix
 this is to kill off clamd.exe and restart it.  I use a program from
 http://www.beyondlogic.org/consulting/processutil/processutil.htm
 which makes it rather easy to kill off clamd.exe cleanly.
 
 Using the regular clamscan.exe is the only way to completely avoid
 this issue - but you end up taking a major performance hit.  We
 believe this problem is with Cygwin and not ClamAV, so there's limited
 I can do on my end until I can hash out the issue with a Cygwin
 developer.
 
 Anyways, latest version is up at:
 
 http://www.sosdg.org/clamav-win32
 
 Enjoy!
 
 
 
 -- 
 Brian Bruns
 The Summit Open Source Development Group
 Open Solutions For A Closed World / The AHBL
 http://www.sosdg.org  /  http://www.ahbl.org
 
 
 ___
 ClamAV For Windows Announcement Mailing List
 http://lists.sosdg.org/mailman/listinfo/clamav-announce
 





Re: [Declude.Virus] ClamAV fyi

2004-12-04 Thread Nick
For those that use ClamAV the latest ver appears to be Nov20 - I had 
the Oct24 ver which would randomly crash - in this latest ver in the 
release notes there is reference to fixing this

-Nick Hayer


Re: [Declude.Virus] log file grepping

2004-12-02 Thread Nick
On 1 Dec 2004 at 15:26, Bill Landry wrote:

Hi Bill -
 Total messages scanned for the day and the total number of viruses
 found for that day (not count of individual virus)?
Correct. I have no interest in this case of an indv virus count. Just 
totals. That is what I want to feed to mrtg to get realtime graphs. 
As you probably are aware mrtg likes 2 values to graph so in this 
case I'm looking for total scanned vs virus found. [For total virus's 
I think it would have to be by individual scanner so could see how 
each AV program compares. An overall total would be helpful as well 
if possible.]

-Nick
 


 Bill
 
 




Re: [Declude.Virus] log file grepping

2004-12-02 Thread Nick
On 2 Dec 2004 at 14:57, Bill Landry wrote:
Very kool. I really tried to do this and figured there was no way!
Thanks!
-Nick

 Well, here is a bit a trickery to make it a single liner:
 
 egrep "File\(|Scanned: (Virus|Error)|Skipping" l:\virus\vir1201.log | gawk "{print $1,$4,$5,$6}" | sed "s/\/2004 / TOTAL\n/g" | egrep "File|TOTAL" | gawk "{print $(NF-0)}" | usort | uniq -c
 
 Which will give you an output like: 
 
     735 INFECTED
   37023 TOTAL
 
 You will need to adjust the path info to your log files, and can
 manipulate the output to your liking, but this should give you a
 starting point to work with...
 
 Bill
 
 




RE: [Declude.Virus] log file grepping

2004-12-01 Thread Nick
Bill?.. or anyone  :)

Is there a way in a single line to use grep or a similar tool on a 
virus log file and have it return 2 values: total_scanned and viruses 
found?

I have been able to do this in multiple lines with temp files but am 
stuck trying to do it on a single command line.

The purpose here is to use mrtg to graph virus traffic - I can do it 
with one value but when I try to combine both I am lost.

Thanks in advance - 

-Nick



Re: [Declude.Virus] log file grepping

2004-12-01 Thread Nick
On 1 Dec 2004 at 17:58, DLAnalyzer Support wrote:

 What is your time table on this?  If you can wait a couple days I will
 add virus graphing to the mrtg stuff I already make available.
No rush. And thanks for doing this. I've wanted this for awhile - 
today I just caved in in a weak moment and had to ask for help!

-Nick




Re: [Declude.Virus] MRTG

2004-11-19 Thread Nick
Is anyone aware of a port of declude virus logs to mrtg? 

Thanks!

-Nick Hayer


Re: [Declude.Virus] ClamAV scan time

2004-11-15 Thread Nick
On 15 Nov 2004 at 16:44, John Carter wrote:

I have had some issues as well. I edited clamd.conf with so far non-
detrimental results..

I changed 
ReadTimeout  40 [120]
MaxConnectionQueueLength  50 [30]
MaxThreads 30 [10]

I wanted to change this setting but was unclear if it referred to 
time or size. So I left it to see if other changes helped - 
# Close the connection if this limit is exceeded.
StreamMaxLength 3M

-Nick


From:   John Carter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:[Declude.Virus] ClamAV scan time
Date sent:  Mon, 15 Nov 2004 16:44:35 -0600
Send reply to:  [EMAIL PROTECTED]

 Has anyone using ClamAV had problems with it taking longer than 60
 seconds to run?  After installing it last week and working out a few
 problems, it has done well.  Today I noticed a number of *.vir folders
 left on the drive. The VIR*.log showed that ClamAV was not completing
 in 60 seconds. This has happened about three different times when we
 were hit with a lot of mail at once. 
 
 John 
 
 




Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Nick
On 10 Nov 2004 at 16:33, Matt wrote:
Matt - 

Would you elaborate on the Passler app? Where from how much?

-Nick

 
 Bill Landry wrote:
 Matt, thanks for the analysis.  I would very much like to know
 what the additional load is on your server by setting PRESCAN to
 OFF.  Please do post your results if you test this.  I have had
 PRESCAN OFF for a few weeks now, and have not noticed much of an
 increase on my servers, but I was not near capacity anyway.
 
 Bill,
 
 I've got a handy app from Passler that provides me with nice graphs
 including processor utilization that I am sampling every minute
 (minute averages). I just turned PRESCAN OFF a short while ago and
 it's actually a bit worse than a 25% relative increase on my system.
 My hourly average went directly from 33% to 46% with PRESCAN OFF,
 which is a 39% increase. I've attached an image of the minute averages
 with a green line marking the point when I turned PRESCAN OFF. Take
 note that I run both F-Prot and McAfee on my system, so systems with
 only one virus scanner won't see the same degree of a jump, though it
 should be rather large. On systems with plenty of capacity, this is
 not a concern and the increase would be not very noticeable despite
 being relatively high, but I would like to fill this box to capacity
 and add more, but not before I have to.
 
 Matt
 -- 
 =
 MailPure custom filters for Declude JunkMail Pro.
 http://www.mailpure.com/software/
 =




Re: [Declude.Virus] BitDefender

2004-11-03 Thread Nick
On 3 Nov 2004 at 8:55, John Tolmachoff (Lists) wrote:
Hi John,

I use ClamAV without any issues at all.. Excellent product from what 
I can tell -

-Nick


 Has any tried using BitDefender with Declude Virus, or ClamAV for that
 matter?
 
 Does it work?
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 
 




[Declude.Virus] Re:Alternative to Imail

2004-10-25 Thread Nick
Scott,

What other MTA's do you support or intend to support in the near 
future with Declude like functionality?

Can you suggest one other than Imail?

-Nick



Re: [Declude.Virus] DELETEVIRUSES Not working.

2004-10-20 Thread Nick
On 19 Oct 2004 at 19:29, R. Scott Perry wrote:

Can 'by design' mean a switch be added to allow deletion?  I would 
like to be able to make that decision - not declude.
Thanks

-Nick


It seems that DELETEVIRUSES ON isn't working in Declude Virus
1.81

I have it set to:

DELETEVIRUSES   ON

In my virus.cfg but they're staying in my E:\IMail\spool\virus
folder.

That is by design. Viruses are getting deleted, other E-mails 
(vulnerabilities and banned file extensions) are not, as they usually
do not contain viruses or other dangerous code.


   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail
mailservers since 2000. Declude Virus: Ultra reliable virus detection
and the leader in mailserver vulnerability detection. Find out what
you've been missing: Ask for a free 30-day evaluation.




Re: [Declude.Virus] BankFraud (phishing) e-mails

2004-10-07 Thread Nick
On 7 Oct 2004 at 6:54, System Administrator wrote:

 on 10/6/04 6:55 PM, Darrell ([EMAIL PROTECTED]) wrote:
 
  Not to switch the subject, but what would be nice is the option not
  scan with the other scanners once a virus is found...  Than you can
  have scanners that in general require less CPU like F-Prot versus
  Mcafee.
 
 Yes, I'd like that option!
I think we all would 'cept Scott  :)

-Nick
 



RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Nick
On 27 Sep 2004 at 17:31, R. Scott Perry wrote:

 The latest release of Declude Virus will automatically detect the
 GDIPlus.dll JPEG exploit.

How can I confirm this? When I send myself the exploit I do not 
receive the email - good-  but in my virus logs all I see is 'error 
in scannerx' and nothing in the declude log file.

This is with v180

-Nick Hayer



Re: [Declude.Virus] Fprot GDI Scanner lines. - slight change of topic multiple scanners

2004-09-28 Thread Nick
On 28 Sep 2004 at 10:43, Greg Little wrote:

Greg,

 As I recall, IF a virus scanner calls it bad, there is no further
 checking.
Is this for an individual scanner or multiple scanners? 

All the scanners run (sic) even if the one before discovers a virus 
on my system. 

-Nick



Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Nick
On 28 Sep 2004 at 13:18, Terry Fritts wrote:

Terry - Scott clarified it for me - I was scanning a zip - when the 
regular jpeg comes through I do get a log entry like you do below. 
Now I understand the thread about multiple report lines for a 
scanner...

Regards,

-Nick

Date sent:  Tue, 28 Sep 2004 13:18:15 -0500
From:   Terry Fritts [EMAIL PROTECTED]
Organization:   Smart Business Solutions, Inc.
To: Nick [EMAIL PROTECTED]
Subject:Re: [Declude.Virus] Fprot GDI Scanner lines.
Send reply to:  [EMAIL PROTECTED]

  How can I confirm this? When I send myself the exploit I do not
  receive the email - good-  but in my virus logs all I see is 'error
  in scannerx' and nothing in the declude log file.  
 
 Here's what I'm seeing (also 1.80):
 
09/28/2004 10:07:56 Q7e4a0ec70222a6ae File(s) are INFECTED
[[Microsoft GDIPlus.DLL JPEG Vulnerability]: 0]
 
 This was a jpg.
 
 
 Terry Fritts
 
 
 




RE: [Declude.Virus] virus increment

2004-06-23 Thread Nick
On 23 Jun 2004 at 15:50, Goran Jovanovic wrote:

 What reporting tool do you use to figure out how many viruses you are
 stopping per day?
Goran,

I use grep  Bill Landry is the tutor - awhile back I posted the 
whole script that counts connections, viruses, et al. and mails it to 
me nightly. 
http://www.mail-archive.com/[EMAIL PROTECTED]/msg08938.html

-Nick 

 
 I do not have anything setup at this point and am wondering what others
 do.
 
  
  Goran Jovanovic
  The LAN Shoppe
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.Virus-
  [EMAIL PROTECTED] On Behalf Of Nick
  Sent: Wednesday, June 23, 2004 10:50 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.Virus] virus increment
  
  On 23 Jun 2004 at 15:49, Markus Gufler wrote:
   Someone else has noted a drastic increment of virus/worm messages?
  Hi Markus -
  
  Yupper. We normally do 4-500 a day. However last week we were doing
  4000 a day. Now it's dropped to 150 a day. Dunno. We just keep killing
  them as they arrive  :)
  
  -Nick Hayer
  
  
  
   In the last 2 days our server has blocked more then 3 times more
  infected
   messages as before. )No new viruses, no internal user sending out
  viruses.)
  
   Markus
  
  
  
  
  
  
  
 
 
 




Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Nick
Scott, 

I too am recording an error:

Could not find parse string Infection: in report.txt

Circumstances are occurring only with fprot, and only on banned extensions or on 
[banned] encrypted zips. I only looked at today's logs so I really do not know if it 
started with the latest interim release.

I am running fprot 3.14e latest defs

-Nick Hayer





 
 03/18/2004 11:20:01 Qcc24005d0536a2e6 Error 128 in virus scanner 1.
 03/18/2004 11:21:09 Qcc661aa8032aa581 Error 128 in virus scanner 1.
 
 F-Prot doesn't define an exit code of 128 -- I would recommend reinstalling 
 F-Prot and/or moving to the latest version of F-Prot.
 
 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
 since 2000.
 Declude Virus: Ultra reliable virus detection and the leader in mailserver 
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.
 
 




Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Nick
 Could not find parse string Infection: in report.txt
 
 That is normal, if the virus scanner does not detect a virus (but instead 
 reports a vulnerability).
Gotcha. So it's just that different virus scanners classify threats differently? [The other 
scanners are flagging these as viruses.]

Is there a way to display different strings from report.txt?

Thanks!


-Nick Hayer




Re: [Declude.Virus] NAV 2003 catches passworded virus??

2004-03-16 Thread Nick
On 16 Mar 2004 at 17:20, marc catuogno wrote:

Marc,

I do not have Norton so I cannot test it - have you sent to your desktop the
EicarDynamicEncodedZip from Scott's site? Results?
http://www.declude.com/tools/mailsend.html
From what I understand static zips are easy; it's the dynamic zip/rars that are the
challenge

-Nick Hayer



 Sorry, I know I've brought this up before but I'm befuddled as to how plain old
 Norton Antivirus 2003 on my XP desktop using outlook 2002 can pick up this virus
 within a passworded file without the password.

 This was held in the virus directory by Declude and I released it to see if it
 would be caught, and it was - before it was opened.
 Again, this isn't really important, but I'd like to know how it is happening. Any
 theories???

 Marc

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, March 16, 2004 2:54 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Document

 Your file is attached.


 Password -
 This was the replacement attachment:
 Norton AntiVirus removed the attachment: Info.zip.
 The attachment was infected with the [EMAIL PROTECTED] virus.


