[Declude.Virus] OT: Netsky pronunciation?

2004-03-02 Thread marc catuogno
I saw a woefully inadequate report on this virus on Fox 5 NY last night - don't even get me started, do these reporters even talk to people who deal with viruses? Love how they report it as new yesterday - but anyway, the reporter called it net-ski. I have been inclined to call it that as well.

RE: Re[2]: [Declude.Virus] clamav

2004-03-02 Thread Charles Frolick
I've heard from several consultants I know where Norton and McAfee will miss viruses they have definitions loaded for, one of them switched to Trend Micro and said he uses Trend to clean systems with Norton or McAfee when they miss one. I find it interesting that an open source *nix based AV can

Re: [Declude.Virus] Symantec AV Command line scanner

2004-03-02 Thread Troy Hickerson
John, I'm going to try it out as well on a test box. Troy From: John Tolmachoff (Lists) [EMAIL PROTECTED] Organization: eServices For You Reply-To: [EMAIL PROTECTED] Date: Tue, 2 Mar 2004 00:14:34 -0800 To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Symantec AV Command line scanner

RE: [Declude.Virus] [Encrypted .ZIP file]

2004-03-02 Thread Markus Gufler
I've seen that NAI's engine is now able to detect Bagle.h even if contained in passworded zip files. 03/02/2004 17:29:04 Qb64d05700068a0de Scanner 2: Virus=W32/Bagle.h!pwdzip virus !!! Attachment=Readme.zip [18] I 03/02/2004 17:29:04 Qb64d05700068a0de File(s) are INFECTED [[Encrypted .ZIP file]:

RE: [Declude.Virus] I've officially given up

2004-03-02 Thread John Tolmachoff (Lists)
Are you talking about the creators or the users who open them anyways? John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt Sent:

RE: [Declude.Virus] I've officially given up

2004-03-02 Thread Markus Gufler
Makes you wonder what sort of people have no life that they have to do this. People like http://www.heise.de/english/newsticker/news/44879 making 28,000.- USD per month by selling their zombies to spammers. Markus

Re[6]: [Declude.Virus] clamav

2004-03-02 Thread Terry Fritts
LibClamAV Error: cli_cvdload(): Can't create temporary directory /tmp/ccb31b8aace2b2fc ERROR: Unable to create temporary directory. Oh I'm sorry - I had this problem. Create a C:\tmp directory is easiest solution. --- [This E-mail was scanned for viruses by Declude Virus

RE: [Declude.Virus] I've officially given up

2004-03-02 Thread Sharyn Schmidt
Are you talking about the creators or the users who open them anyways? LOL! I was talking about the creators, however, if the shoe fits. Sharyn

RE: [Declude.Virus] [Encrypted .ZIP file]

2004-03-02 Thread Grant Griffith
Didn't Scott say yesterday that most virus scanners will catch the password protected zip files; however you HAD to update the ENGINE, not just the DEFINITIONS? I am still using F-Prot version b as I heard of too many problems with the C version, does anyone know if the C version is fixed yet?

Re: [Declude.Virus] Banext and bannotify.eml questions

2004-03-02 Thread bill.maillists
Scott, Can I configure the bannotify.eml to not send messages to the sender of the file, but to send them only to the recipient and to me. Not currently. Isn't it possible to modify the Bannotify.eml file and only include the recipient and postmaster? Would it still send a notice to the

RE: [Declude.Virus] Banext and bannotify.eml questions

2004-03-02 Thread Grant Griffith
I updated the bannotify.eml file to send to our tech support email, will this not work? I have not received any of them, but just set this up this morning... Sincerely, Grant Griffith, Vice President EI8HT LEGS Web Management Co., Inc. http://www.getafreewebsite.com 877-483-3393 -Original

RE: Re[4]: [Declude.Virus] clamav

2004-03-02 Thread Charles Frolick
As far as I can tell, there have been no issues with freshclam. Every manual test runs fine. I haven't had the time to dedicate to it that I really need to though. I am thinking about downloading and compiling the source on Cygwin myself so I can alter some of the settings, maybe even make it

Re: [Declude.Virus] Banext and bannotify.eml questions

2004-03-02 Thread R. Scott Perry
Can I configure the bannotify.eml to not send messages to the sender of the file, but to send them only to the recipient and to me. Not currently. Actually, I believe this can be done, by using a line To: %ALLRECIPS%,[EMAIL PROTECTED] in the \IMail\Declude\BANnotify.eml file.

[Declude.Virus] ClamAV

2004-03-02 Thread Kami Razvan
Scott: Have you considered adding the ClamAV to the list of scanners on your site? If you can put the configuration entries it would be a great help. Just a thought.. Kami

NJABL:RE: [Declude.Virus] F-Prot updates

2004-03-02 Thread Panda Consulting S.A. Luis Alberto Arango
My server stopped updating since last Wednesday. I have updated manually. I don't know what is going on. It downloads signatures files, but it doesn't update them at all. You can notice it because signature files dates don't change. When you click 'update' again, it downloads the file again but

Re: [Declude.Virus] ClamAV

2004-03-02 Thread R. Scott Perry
Have you considered adding the ClamAV to the list of scanners on your site? We should have it there soon. :) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses

RE: [Declude.Virus] I've officially given up

2004-03-02 Thread Charles Frolick
Sad thing is $28,000 is probably the low end of what they make per subscriber. If there wasn't a ton of money involved, there wouldn't be a spam problem. Thanks, Chuck Frolick ArgoLink.net From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus

Re: [Declude.Virus] [Encrypted .ZIP file]

2004-03-02 Thread Darin Cox
Haven't heard anything back from F-Prot since I reported it a week ago. Darin. - Original Message - From: Grant Griffith [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 02, 2004 12:07 PM Subject: RE: [Declude.Virus] [Encrypted .ZIP file] Didn't Scott say yesterday that

RE: [Declude.Virus] Banext and bannotify.eml questions

2004-03-02 Thread R. Scott Perry
OK, I have it the other way around, does that matter? No. Any E-mail addresses that appear after To: and that are separated by commas will work. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.

RE: [Declude.Virus] Banext and bannotify.eml questions

2004-03-02 Thread Grant Griffith
OK, I have it the other way around, does that matter? [EMAIL PROTECTED],%MailFrom% or something like that? Sincerely, Grant Griffith, Vice President EI8HT LEGS Web Management Co., Inc. http://www.getafreewebsite.com 877-483-3393 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [Declude.Virus] new Spam report from Sophos

2004-03-02 Thread Rick Klinge
The top 10 is: uu.net chinanet-gd kornet.net above.net chinanet-cq level3.net exodus.net hinet.net cw.net interbusiness.it http://www.theregister.co.uk/content/55/35937.html ~Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus

Re: [Declude.Virus] [Encrypted .ZIP file]

2004-03-02 Thread Mailing Lists
Marcus, interesting because NAI is not catching for us... we're at defs version 4.0.4331 and scan engine 4.3.20 Weird thing for us is that if we use the command line to scan file that is infected with bagle.h, then mcafee catches it. But not when it runs with declude using same command line

[Declude.Virus] Interim release

2004-03-02 Thread Tyran Ormond
What was the url for the interim release that catches password protected zip files? I managed to delete it instead of saving the thing. Tyran Ormond Programmer/LAN Administrator Central Valley Water Reclamation Facility [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude

Re: [Declude.Virus] Interim release

2004-03-02 Thread R. Scott Perry
What was the url for the interim release that catches password protected zip files? I managed to delete it instead of saving the thing. http://www.declude.com/interim . You need to add a line BANEXT EZIP to the \IMail\Declude\virus.cfg file with the latest interim, and then password protected

RE: [Declude.Virus] new Spam report from Sophos

2004-03-02 Thread Markus Gufler
The top 10 is: uu.net chinanet-gd kornet.net above.net chinanet-cq level3.net exodus.net hinet.net cw.net interbusiness.it So position 10 for Interbusiness in the top10 network provider list and pos 1,4,6,7,9 for the USA. Can someone explain me why I can't find any source of

RE: [Declude.Virus] [Encrypted .ZIP file]

2004-03-02 Thread Markus Gufler
interesting because NAI is not catching for us... we're at defs version 4.0.4331 and scan engine 4.3.20 Same status here. Do you have anything special in your config? Nothing special. I'm running the latest declude interim and can see 3 banned EZIP attachments in the latest 20 hours. All

[Declude.Virus] Scan Password Protected Zip's

2004-03-02 Thread Keith Johnson
I know this has been touched on a few times, however, I just needed some clarification. I just got a note from CA that informed me that their engine was unable to scan inside a password protected file. Will F-prot do this with the latest defs? I know that Scott put EZIP in place, many thanks.

Re: [Declude.Virus] X-Declude-Status: Waiting for activation code

2004-03-02 Thread R. Scott Perry
Installed newest declude file and I'm still getting (X-Declude-Status: Waiting for activation code) within the email header Anyone know of a hack or hex editor I can use to fix this? If you upgrade to the latest interim it will remove that line.

RE: [Declude.Virus] X-Declude-Status: Waiting for activation code

2004-03-02 Thread Rick Klinge
Installed newest declude file and I'm still getting (X-Declude-Status: Waiting for activation code) within the email header Anyone know of a hack or hex editor I can use to fix this? If you upgrade to the latest interim it will remove that line. Scott.. I did download and installed

RE: [Declude.Virus] Scan Password Protected Zip's

2004-03-02 Thread Keith Johnson
When I upgraded to 1.78i6 and added the BANEXT EZIP line to my virus.cfg file, all of a sudden I am receiving the following when it encounters these zips: WARNING: Couldn't remove .vir directory F:\IMail\spool\Ddf56c4e7006acd96.vir\: EXTRA FILES THERE. 03/02/2004 14:24:32 Qdf56c4e7006acd96 Likely

RE: [Declude.Virus] X-Declude-Status: Waiting for activation code

2004-03-02 Thread R. Scott Perry
Installed newest declude file and I'm still getting (X-Declude-Status: Waiting for activation code) within the email header If you upgrade to the latest interim it will remove that line. Scott.. I did download and installed it.. Declude 1.78i6 (C) Copyright 2000-2004 Computerized

RE: [Declude.Virus] Scan Password Protected Zip's

2004-03-02 Thread R. Scott Perry
WARNING: Couldn't remove .vir directory F:\IMail\spool\Ddf56c4e7006acd96.vir\: EXTRA FILES THERE. 03/02/2004 14:24:32 Qdf56c4e7006acd96 Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory. What file(s) are left over in that

RE: [Declude.Virus] Scan Password Protected Zip's

2004-03-02 Thread R. Scott Perry
03/02/2004 15:52:16 Qf3fc18350038f46d Couldn't delete D:\IMail\spool\Df3fc18350038f46d.vir\1.zip: 32. This will be fixed in the next interim release. In my bounce email, is it supposed to show ZIP-pif rather than ZIP-theactualextension?? Yes, if it was a .PIF file that was supposed to be

Re: [Declude.Virus] Scan Password Protected Zip's

2004-03-02 Thread andyb
Yea, that what I was looking for, but I did find it (I was lookin for the earl..) thanky, backwoods Andy - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 02, 2004 4:19 PM Subject: Re: [Declude.Virus] Scan Password Protected Zip's

RE: [Declude.Virus] X-Declude-Status: Waiting for activation code

2004-03-02 Thread R. Scott Perry
I just swept the hard drives looking for the global.cfg file and there isn't any. So.. Maybe I should reboot the server? That won't do it. Could those headers be generated by a remote mailserver (you may see them on E-mails sent from this list, for example).

RE: [Declude.Virus] Clam?

2004-03-02 Thread Markus Gufler
I've had the same error. Installing it on the preconfigured directory (c:\clamav-devel) solved this problem. After this there was another error, that I've solved after Terry's tip to create the c:\tmp folder. At the moment I've a problem with freshclam (MD5 error) So I downloaded all the

Re[2]: [Declude.Virus] Clam?

2004-03-02 Thread Terry Fritts
After this there was another error, that I've solved after Terry's tip to create the c:\tmp folder. At the moment I've a problem with freshclam (MD5 error) So I downloaded all the updates manually from a mirror. I fear after the next available update I will have this error again. But

Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread bill.maillists
Scott, Thank You! Bill -- Original Message -- From: R. Scott Perry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 02 Mar 2004 14:58:40 -0500 FYI, we now have a new interim release 1.78i7 (at http://www.declude.com/interim ) that will allow

Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread Bill Landry
I am trying to understand this, but the reality doesn't work like I think you are saying it should. If I have the following in my virus.cfg file: BANEXT EZIP with or without: BANZIPEXTS ON BANEZIPEXTS ON I catch the encrypted/password protected virus files. However, if I use just:

[Declude.Virus] CSonline Virus Log analyser

2004-03-02 Thread John Tolmachoff (Lists)
Feature request: List number by extension messages held for banned extension. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To

Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread R. Scott Perry
I am trying to understand this, but the reality doesn't work like I think you are saying it should. If I have the following in my virus.cfg file: BANEXT EZIP Note that BANEXT EZIP is the original quickly-implemented format that may have problems. with or without: BANZIPEXTS ON BANEZIPEXTS

Re: [Declude.Virus] Directories Not Being Removed With BANEZIPEXTS ON

2004-03-02 Thread R. Scott Perry
I am also seeing the issue below. The files that are being left in the directories are named like this 0.zip (or) 1.zip There is a new interim release 1.78i8 at http://www.declude.com/interim that should take care of this issue. -Scott ---

Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread Bill Landry
- Original Message - From: R. Scott Perry [EMAIL PROTECTED] The new format will ban the same extensions that you are already banning, but will do so in .ZIP files. The BANZIPEXTS ON option will ban the files if they are un-encrypted, the BANEZIPEXTS ON will ban the files if they

[Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread R. Scott Perry
We now have a new interim release 1.78i8 of Declude Virus Pro at http://www.declude.com/interim that will look for invalid .bat, .com, .pif, and .scr files, and will treat them as vulnerabilities. It is expected that this will cut down significantly on the impact of future viruses in the time

Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread R. Scott Perry
Okay, so if I want to continue to ban any zip file that is encrypted, whether I have defined the extension to be banned or not, I should continue to use BANEXT EZIP, correct? That is correct. -Scott --- Declude JunkMail: The advanced anti-spam

Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread Matt
Scott, Can I have a million dollars??? :) R. Scott Perry wrote: We now have a new interim release 1.78i8 of Declude Virus Pro at http://www.declude.com/interim that will look for invalid .bat, .com, .pif, and .scr files, and will treat them as vulnerabilities. It is expected that this

RE: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread John Tolmachoff (Lists)
Does BANEXT ZIP cover BANEXT EZIP? John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread Donn Bly
If we are already blocking those extensions, how would that help? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent:

RE: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread R. Scott Perry
Does BANEXT ZIP cover BANEXT EZIP? BANEXT ZIP will ban all .ZIP files, regardless of what files or encryption may be used. BANEXT EZIP is a temporary measure that blocks .ZIP files where the first file is encrypted. -Scott --- Declude

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread R. Scott Perry
If we are already blocking those extensions, how would that help? If you are already blocking .bat, .com, .pif, and .scr files, the new interim release won't help. However, if you are not blocking all those files (most of our customers are not), it will help. It can also be used if you want