Hello David,
Ok, back to my original problem ;-)
Is test 22 getting caught for anyone else? It was the only one that
slipped through my Declude setup.
I'm running 1.81 with F-prot and prescan off.
--
Best regards,
David mailto:[EMAIL PROTECTED]
---
[This E-mail
#22 was caught here, #17 not caught
- Original Message -
From: David Sullivan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 20, 2004 9:12 AM
Subject: Re[4]: [Declude.Virus] testvirus.org #22
Hello David,
Ok, back to my original problem ;-)
Is test 22 getting caught for
Greetings:
We are new customers with Declude and with any luck mail for
faculty and staff should be routing thru declude in the next few hours.
Would people like to share their virus.cfg files? How
extensively are admins changing the configs in the virus.cfg?
I am trying to figure out
These seem to be the changes I have made:
Looking at my config:
Change the BANEXT to ban what extensions you want to ban.
Decide what to do with Zip files:
BANEXT EZIP to ban encrypted zip files if you can get away with it
BANZIPEXTSON to apply Banned Extensions to contents of Zip files
I've been working with Darrell from Invariant systems using their log utility.
We've been running AVAFTERJM based on the following logic:
We delete about 50% of email as spam via Junkmail (gateway system only).
If we delete 50% of the email then we can reduce the load on Declude/FProt AV
Hi;
Just an FYI- it seems like installation of Beta 2.0 will replace your postmaster and receipt.eml files. After updating to Beta 2.0 we started getting alerts from forging viruses and I had to copy the old files back from our backup copies.
If you update you may want to make backup
I think I ran into this too; for my part, it was a thinko.
The correct usage is:
AVAFTERJM ON
but with all the talk on this forum about "AVAFTERJM", that's all I used (that is, I left out the "ON" part).
Andrew
8)
-Original Message-
From: [EMAIL
Hello William,
Monday, December 20, 2004, 9:34:55 AM, you wrote:
WS #22 was caught here, #17 not caught
I caught 17 with no problem. But 22 is STILL getting through. What
version of Declude are you running? What virus scanner?
--
Best regards,
David mailto:[EMAIL
Ah ha!
Note to Declude staff -- update the documentation.
:)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, December 20, 2004 12:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] AVAFTERJM not working
Is there a way to remove the footer:
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
from emails to just one domain? We have one account forwarding alerts to a
cell phone, and with the length of the footer, all messages split into 2.
Thanks
Chris
Is there a way to remove the footer:
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
from emails to just one domain? We have one account forwarding alerts to
a cell phone, and with the length of the footer, all messages split into 2.
No -- the FOOTER option in
v1.81
mcafee,
However, mcafee detects the virus, but declude doesn't see it from the
report.txt
- Original Message -
From: David Sullivan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 20, 2004 12:37 PM
Subject: Re[6]: [Declude.Virus] testvirus.org #22
Hello William,
Test #17: Eicar virus hidden using the CR Vulnerability (attachment can be
opened by all versions of Microsoft Outlook and Outlook Express)
It is not a virus so I think the Vulnerability test of Declude should catch it.
Oh well it comes through our system as well.
Regards,
Kami
I plucked the
I turned it off and it still got through.
This test message contains:
Test #17: Eicar virus hidden using the CR Vulnerability (attachment can be
opened by all versions of Microsoft Outlook and Outlook Express)
...
I just checked this one, and it got
But McAfee DOES detect the virus string in the SMD file, but
Declude reports no virus.
(This is for test #17)
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, December 20, 2004 3:08 PM
Subject: RE: Re[6]: [Declude.Virus]
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
This is exactly why Scott and I had that whole e-mail exchange a few weeks
ago. I have found a few viruses now that are not caught when decoded by
Declude but when the D*.SMD file is scanned manually at the command line by
For TEST 17, Whatever the technical vulnerability is called - there is a
copy of eicar encoded in the headers that Outlook (at least) can see -
haven't tested OE or others.
Symantec and Trend gateways catch it, as do the command line scanners
previously noted.
Jerry
-Original Message-
[1] Phishing E-mails were sometimes not getting caught. This is beyond the
scope of Declude Virus, as those are spam, not viruses. However, if your
AV program can detect phishing E-mails, you can easily get it to work with
Declude Virus by making sure not to use the PRESCAN ON option in
But McAfee DOES detect the virus string in the SMD file, but
Declude reports no virus.
(This is for test #17)
Declude Virus doesn't detect a virus, because there are no vulnerabilities
in the E-mail (despite what the test description says).
McAfee does not detect it when called by Declude
I turned it off and it still got through.
Test #17: Eicar virus hidden using the CR Vulnerability (attachment can be
opened by all versions of Microsoft Outlook and Outlook Express)
RSP I just checked this one, and it got through here, too. I examined the raw
RSP source of the E-mail, and there
Ahhh..
So Declude doesn't actually send the SMD file to the scanner.
It takes the message body, writes it to a tmp file, and then scans it?
Why not just scan the SMD file, headers and all?
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent:
Ditto. I thought Declude called the scanner(s) on the d*.smd, plus
extracted all the segments out and scanned those too. Is that
incorrect?
Also, does Declude recursively unpack MIME segments, if one of the
attachments is itself a .eml file or .smd file, would any attachments
inside it be
Also, does Declude recursively unpack MIME segments, if one of the
attachments is itself a .eml file or .smd file, would any attachments
inside it be unpacked and the scanner(s) called on those?
Yes.
-Scott
---
Declude JunkMail: The advanced
So Declude doesn't actually send the SMD file to the scanner.
Correct.
It takes the message body, writes it to a tmp file, and then scans it?
Why not just scan the SMD file, headers and all?
Because very few AV programs can read a .SMD file. They make their big
bucks by selling mailserver
Hello everyone,
It appears one of my IIS servers has been compromised :(
All valid pages return a black page with the following red text:
This site is defaced!!!
NeverEverNoSanity WebWorm generation 10.
- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, December 20, 2004 1:57 PM
Subject: RE: Re[8]: [Declude.Virus] testvirus.org #22
Ditto. I thought Declude called the scanner(s) on the d*.smd,
plus extracted all the segments out
Scott, what do you get for test #22. Some have reported it caught
while others haven't. My F-Prot config is:
It's caught here.
Unfortunately, I can't find any information on that vulnerability, so I
can't explain why it might or might not get caught.
have both fprot and mcafee
Prescan off
#22 getting caught without a problem
#17 going thru
Andrew is catching #17, can it have anything to do with AVAFTERJM ON?
- Original Message -
From: David Sullivan [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, December 20, 2004 9:47
Thanks, Scott. I constructed 2 tests anyway, one with an executable in
an attached .eml file and one where that executable is a virus.
It *looks* like this is a special case, i.e. where all unpacked
attachments, including .smd are unpacked, and then the folder scanned:
So with a single message,
I am trying to upgrade to 2.0B
Getting an error of:
Error copying file to taret directory
With status at removing backup files
Need Help,
TIA
---
This E-mail came from the Declude.Virus mailing list. To
I am trying to upgrade to 2.0B
Getting an error of:
Error copying file to taret directory
With status at removing backup files
The best thing to do here would be to E-mail [EMAIL PROTECTED] -- the
person responsible for the install program should be able to figure out
what the problem is.
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
So Declude doesn't actually send the SMD file to the scanner.
Correct.
It takes the message body, writes it to a tmp file, and then scans it?
Why not just scan the SMD file, headers and all?
Because very few AV