[Declude.Virus] Testing Internal Scanner
Hi,

I've been watching this now for a few months. The internal scanner NEVER ever catches a virus - while my two other scanners catch them daily.

However, since CommTouch doesn't allow the Eicar file to pass, there is no way to easily test the internal scanner. I think this is something that should eventually be addressed - either by a parameter that allows a user to disable CommTouch for a few minutes at night while testing OR by CommTouch recognizing the EICAR file as a good file and letting it pass!

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                             # INFECTED  PERCENTAGE
No Records Matched Your Criteria

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%

VIRUS                             # INFECTED  PERCENTAGE
PDF.DROPPER-3                     3           0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9  1           0.01%

Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%

VIRUS                             # INFECTED  PERCENTAGE
GENERIC.DX!SED TROJAN !!!         1           0.01%

Best Regards,
Andy

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Testing Internal Scanner
Andy, what version of Declude are you running?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, April 28, 2010 8:16 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Testing Internal Scanner
RE: [Declude.Virus] Testing Internal Scanner
Speaking of versions. I'm running 4.10.42. I noticed there is a 4.10.48 available but no email notice or release notes.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 8:12 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Testing Internal Scanner

Andy, what version of Declude are you running?
RE: [Declude.Virus] Testing Internal Scanner
The release was yesterday. I am putting together the release notes today and I will post to the list.

From: Scott Fisher sfis...@farmprogress.com
Sent: Wednesday, April 28, 2010 9:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Testing Internal Scanner

Speaking of versions. I'm running 4.10.42. I noticed there is a 4.10.48 available but no email notice or release notes.
RE: [Declude.Virus] Testing Internal Scanner
4.10.42-A

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 9:12 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Testing Internal Scanner

Andy, what version of Declude are you running?
[Declude.JunkMail] New Release Declude 4.10.48
The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44 Optimize code for moving files to the spool directory for Smartermail
4.10.43 Fixed variable names in the MoveToError function which were declared globally
4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc
4.10.42 Message Sniffer integrated into Declude
4.10.41 Added variable %AUTH% to show the authenticated sender of the email
4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email
4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder.
  To turn the Hijack e-mail notify on, add the following directive to the hijack.cfg:
    HIJNOTIFY ON
  Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.
4.8.39 IPBYPASS can be configured with CIDR
4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file.
  The format of the blklst.txt file is:
    Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
  Example, multiple recipients:
    10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,testi...@yahoo,beg...@yahoo.com,donotl...@gmail,|owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETENRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|
  Example, one recipient:
    10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|
4.8.37 PostiniFix: add a new directive, POSTINIFIX ON/OFF, which goes in the declude.cfg file.
  Configuration, in the declude.cfg file:
    POSTINIFIX ON
  in order for the Postini Fix to work.
4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting
4.7.35 Added support for IMail SQL Database for AUTOWHITELIST.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
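A parsing sketch for the blklst.txt layout described under 4.8.38, added here as an example and not Declude's own code. The two sample lines in the release note carry nine values where the format names ten; the code assumes the missing one is LastAction, and the log lines it embeds are constructed.

```python
"""Parse blklst.txt lines in the 4.8.38 layout (added example, not Declude code)."""
from collections import Counter

# Constructed lines shaped like the two examples in the release note.
SAMPLE = [
    "10/14/2009|11:40:06.109|53|192.0.2.76|18|a@example.net,b@example.net,"
    "|bulk@example.org|Guaranteed payment|SORBS-DUL=5,ZEN=7,DYNHELO=5,WEIGHT10=10,|",
    "10/14/2009|11:40:06.296|15|198.51.100.185|37|a@example.net,"
    "|agent@example.com|CONTACT AGENT | CONFIRM|ZEN=7,SPFFAIL=10,WEIGHT10=10,|",
]


def split_list(field):
    """Split a comma-terminated list field, dropping the empty tail."""
    return [item.strip() for item in field.split(",") if item.strip()]


def parse_line(line):
    """Return one blklst.txt record as a dict; raise ValueError if malformed."""
    body = line.rstrip("\r\n")
    # Lines end with '|': strip it, or split('|') yields a tenth, empty element
    # that makes the nine sample values look like the ten named fields.
    if body.endswith("|"):
        body = body[:-1]
    # ASSUMPTION: the samples omit LastAction, giving
    # Date|time|spool#|IP|TotalWeight|RecpList|mailfrom|subject|testsfailed.
    head = body.split("|", 6)
    if len(head) != 7:
        raise ValueError("too few fields: %r" % line)
    date, time_, spool, ip, weight, recips, rest = head
    # mailfrom and subject come from the sender. Nothing on the page says '|'
    # is escaped, so take the test list from the right and let the subject
    # keep any '|' it contains.
    rest, sep, tests = rest.rpartition("|")
    mailfrom, sep2, subject = rest.partition("|")
    if not sep or not sep2:
        raise ValueError("missing mailfrom/subject/tests: %r" % line)
    scores = {}
    for item in split_list(tests):
        name, eq, value = item.rpartition("=")
        if not eq or not value.lstrip("-").isdigit():
            raise ValueError("bad test entry %r" % item)
        scores[name] = int(value)
    return {"date": date, "time": time_, "spool": spool, "ip": ip,
            "total_weight": int(weight), "recipients": split_list(recips),
            "mailfrom": mailfrom, "subject": subject, "tests": scores}


def count_tests(lines):
    """Count how often each test fired; skip lines that do not parse."""
    counts = Counter()
    for line in lines:
        try:
            counts.update(parse_line(line)["tests"].keys())
        except ValueError:
            continue
    return counts
```
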
RE: [Declude.Virus] ClamAV
Generally, ClamD catches most viruses that AVG misses (during those times when it actually runs), and McAfee catches the occasional virus that ClamD misses.

ClamD downloads updates automatically (using the FreshClam).

I found the http://oss.netfarm.it/clamav build very useful. I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service.

There is a .REG file that sets up a registry entry where the path is stored. In their registry, I use the following:

  [HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
  ConfigDir=C:\\Progra~1\\ClamAV\\conf
  DataDir=C:\\Progra~1\\ClamAV\\db

For FreshClam.conf, I changed these parameters:

  DatabaseDirectory C:\Program Files\clamAV\db
  UpdateLogFile C:\Program Files\clamAV\log\freshclam.log
  LogTime yes

For ClamD.conf, I changed these:

  LogFile C:\Program Files\clamAV\log\clamd.log
  LogTime yes
  TemporaryDirectory C:\Temp
  DatabaseDirectory C:\Program Files\clamAV\db

For the service, I removed the spaces from the path (not sure if this was needed):

  C:\Progra~1\ClamAV\clamd.exe --daemon

In Declude, you'd use:

  #ClamAV
  SCANFILE1 C:\Progra~1\ClamAV\ClamDScan.exe
  VIRUSCODE1 1

Of course, that still leaves the problem of the virus report file. I had contacted Declude and they said they would check if they can natively parse the report file. For now I still use a simple script to reformat the Report file to suit Declude.

ClamAV now has an official Windows build AND compiles under Visual Studio. So, ideally, Declude would just integrate ClamAV as an internal scanner instead of having to deal with all this command-line jazz.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
Sent: Wednesday, April 28, 2010 1:30 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Internal Scanner - Nonfunctional?

What's the best way to look into using Clam as a second scanner?

I found this at ARM, does anyone else use this install aid?
http://www.armresearch.com/tools/arm/clamAID.jsp

What's your general opinion of Clam when compared to McAfee, or another favorite scanner?

How do you update your Clam database files?

Thanks for the discussion and feedback!

-- Michael Cummins
RE: [Declude.Virus] ClamAV
Thanks John,

Yes, that'll work too. Of course, rather than you having to modify the source code of 2 or 3 modules for every build - or me having to write a report file parser, the REAL solution is for Declude to provide at least a minimum amount of flexibility in parsing report files (or - to integrate the ClamLib and eliminate any command line needs).

Best Regards,
Andy

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Cert
Sent: Wednesday, April 28, 2010 7:26 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ClamAV

Hello!

The sherpya Clam port at oss.netfarm.it is very easy to build and use, and there are only about 10 lines of code in 2 or 3 modules where you need to add a VirusName- prefix before the actual name of the virus so Declude can pick it up in the report file. I just mod the code and recompile instead of trying to manipulate the report file.

I do not use any sort of installer. I just setup the conf files, spawn a clamd process on startup, schedule a freshclam run periodically, and point Declude to the clamdscan scanner.

I also grab the MSRBL Images spam database for use with Clam. The clamd/clamdscan combo are very light and fast.

Take care!
John
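The two routes discussed in this thread, a script that reformats the report file and a source patch that adds a VirusName- prefix, both put a marker in front of the signature name in the clamdscan report. A sketch of the script route, added here as an example and not either poster's code: the report text is constructed, and the exact string Declude looks for is an assumption taken from the "VirusName-" description above.

```python
"""Prefix detection names in a clamdscan report (added example)."""
import re

# Marker from John's description; the exact text Declude searches the report
# for is an ASSUMPTION, so set this to match your own configuration.
PREFIX = "VirusName-"

# clamdscan writes "<path>: <signature> FOUND" for each detection. Windows
# paths hold a ':' after the drive letter, so the pattern lets the path run
# greedily and takes the signature from the end of the line.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

# Constructed report text in clamdscan's output layout.
SAMPLE_REPORT = (
    "C:\\Temp\\scan\\D0a1b\\invoice.zip: Eicar-Test-Signature FOUND\n"
    "C:\\Temp\\scan\\D0a1b\\body.txt: OK\n"
    "\n"
    "----------- SCAN SUMMARY -----------\n"
    "Infected files: 1\n"
)


def reformat_report(text):
    """Return (rewritten_text, names); safe to run on an already-prefixed report."""
    out, names = [], []
    for line in text.splitlines():
        match = FOUND_RE.match(line)
        if not match:
            out.append(line)
            continue
        sig = match.group("sig")
        bare = sig[len(PREFIX):] if sig.startswith(PREFIX) else sig
        names.append(bare)
        out.append("%s: %s%s FOUND" % (match.group("path"), PREFIX, bare))
    return "\n".join(out) + "\n", names


def verdict(exit_code, names):
    """Cross-check clamdscan's exit code (0 clean, 1 virus, 2 error) with the report."""
    if exit_code == 0 and not names:
        return "clean"
    if exit_code == 1:
        # Exit code 1 is what VIRUSCODE1 1 keys on; a report with no
        # name means the rewrite, not the scan, needs attention.
        return "infected" if names else "infected-unnamed"
    # Exit code 2, or a clean code with detections listed: the message was not
    # reliably scanned, which zero-detection statistics would hide.
    return "scanner-error"
```
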