Re: [Declude.Virus] McAfee DailyDAT download location change.
Well, there's always the Declude.Releases mailing list. Not sure that I've ever received anything on that one. Maybe they need to make another one and call it Declude.News.

I'd refer people to Declude's User Forums, but they seem to be extremely underutilized by both Declude users and Declude support. By contrast, the SmarterMail user forums are extremely active, though that may be because SmarterMail doesn't have a mailing list equivalent to Declude.Junkmail.

Original Message
From: Matt [EMAIL PROTECTED]
Sent: Monday, September 12, 2005 4:27 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee DailyDAT download location change.

David,

Information such as this is best 'pushed' rather than 'pulled'. Declude should have a notification list that sends announcements of important things concerning all products such as new interims/betas/releases, new and important bugs, updates on known issues and things that can broadly affect customers such as issues like this one. I wouldn't expect more than a few messages per month.

There was an earlier list that was to be reserved for the absolute biggest issues that never got used, and the specificity of that list was its downfall. I would create a list and opt all customers into it but give them an opt-out message for the first mailing. Most Declude customers will never hear about things like this issue with McAfee otherwise. The site doesn't work at all for timely things such as this.

BTW, I believe there are probably scripts linked to or contained on the Declude site for McAfee updates. You will want to change those before anyone new adds it in to their system.

Thanks,

Matt

David Barker wrote:

I have been monitoring everything that has been said and I agree - there is a place I had set up on the front page for these kinds of alerts and am currently working on the best way to provide this information to our customer base using that area on the website.

David B
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, September 12, 2005 3:58 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee DailyDAT download location change.

I changed the subject so that people can be alerted to this. Announcements of things like this would be useful to the entire Declude customer base. I am afraid that we are a little over a month behind. Those with a single scanner would be screwed.

I adjusted my scripts to use the link that you provided and it does in fact work just great...so far :)

Thanks,

Matt

Scott Fisher wrote:

Great catch Matt. Mine's gone too since August 2. Thank you Declude for multiple virus scanner option.

Try: http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

From: http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=stq=dailydatrnum=1hl=en#61f1bcbcc4e71848

Original Message
From: Matt mailto:[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 2:26 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

This is a new Bagel variant: http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first...it was F-Prot.

I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DATs than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

Thanks,

Matt

John Tolmachoff (Lists) wrote:

OK, so it is a cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

John T
eServices For You

Original Message
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called 1.cpl (without the quotes). Some sort of malicious Control Panel applet?

Original Message
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

What is the payload inside the zip?

John T
eServices For
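The check discussed in the thread above (banning an extension such as .cpl even when the file arrives inside a zip), sketched as an added example; it is not part of the original thread and is not Declude's own code. The extension list, the size and depth limits, and the function names are assumptions made for illustration.

```python
import io
import zipfile
import zlib

# Assumed ban list for illustration; a real deployment maintains its own.
BANNED_EXTENSIONS = {".cpl", ".exe", ".scr", ".pif", ".hta"}
MAX_DEPTH = 5                         # archive-in-archive levels to open
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # do not inflate members larger than this


def extension_of(filename):
    """Lower-cased final extension of a member name.

    Windows drops trailing dots and spaces when it creates a file, so
    "1.cpl. " has to be judged as ".cpl".
    """
    base = filename.replace("\\", "/").rstrip(". ").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def find_banned(data, name, parent="", depth=0):
    """Return [(path, reason), ...] for one attachment and everything inside it."""
    label = parent + name
    findings = []
    ext = extension_of(name)
    if ext in BANNED_EXTENSIONS:
        findings.append((label, "banned extension " + ext))
    # Decide by content, not by name: a zip renamed to .jpg is still opened.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        findings.append((label, "archive nested deeper than limit, not opened"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                    # Member cannot (or will not) be inflated: judge it by
                    # name only and report that its content was skipped.
                    inner = label + "!" + info.filename
                    inner_ext = extension_of(info.filename)
                    if inner_ext in BANNED_EXTENSIONS:
                        findings.append((inner, "banned extension " + inner_ext))
                    findings.append(
                        (inner, "encrypted or oversized, content not inspected"))
                    continue
                findings.extend(
                    find_banned(zf.read(info), info.filename, label + "!", depth + 1))
    except (zipfile.BadZipFile, NotImplementedError, zlib.error):
        findings.append((label, "unreadable archive"))
    return findings


def make_zip(members):
    """Build a zip in memory from {filename: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a harmless placeholder named 1.cpl, one zip level down.
    inner = make_zip({"1.cpl": b"placeholder, not a real applet"})
    outer = make_zip({"readme.txt": b"hello", "photos.zip": inner})
    for path, reason in find_banned(outer, "message.zip"):
        print(path, "->", reason)
```
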
[Declude.Virus] Declude virus notification
I've been running with 3.x for over a month, but I just now realized that since I upgraded I am no longer receiving the Declude Virus caught a virus messages. Declude is catching viruses, I'm just not receiving email notification. I don't believe I changed anything in the virus.cfg file that would account for this. What other possible causes could there be?

Gary

---
[This E-mail scanned for viruses by Declude Virus]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Declude virus notification
So the implication is that Declude knows about this and it will be fixed in the next release, whenever that may be.

Original Message
From: Bill Landry [EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 5:36 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude virus notification

We had the same problem, at least with v3.0.5.20, which was not sending notification for all viruses caught. We are running a patched version of v3.0.5.20 now (v3.0.5.20.DF3) and that has resolved the issue. Don't know when Declude plans to make its next release, but you might request the pre-release if you need to have the notifications.

Bill

Original Message
From: Gary Steiner [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 22, 2005 2:14 PM
Subject: [Declude.Virus] Declude virus notification

I've been running with 3.x for over a month, but I just now realized that since I upgraded I am no longer receiving the Declude Virus caught a virus messages. Declude is catching viruses, I'm just not receiving email notification. I don't believe I changed anything in the virus.cfg file that would account for this. What other possible causes could there be?

Gary
re: [Declude.Virus] Declude 3.0.5.21 Posted
Does this mean that vulnerability notifications are not available for SmarterMail?

Gary Steiner

Original Message
From: David Barker [EMAIL PROTECTED]
Sent: Wednesday, November 30, 2005 11:13 AM
To: Declude.JunkMail@declude.com, Declude.Virus@declude.com
Subject: [Declude.Virus] Declude 3.0.5.21 Posted

JM - INVITEFIXON Located in Declude.cfg. Some customers had issues related to Outlook meeting requests appearing as text only. The default for this directive is OFF.
JM - Fixed skipping of certain DNSBL tests.
JM - STOPALLTESTS is now working correctly
EVA - Incorrect log entries regarding to licensing with EVA
EVA - Vulnerability Notifications available for Imail

David B
www.declude.com

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
re: [Declude.Virus] Notifications
I was told the 3.0.5.21 version fixes the problem in IMail but not in SmarterMail. Since I'm using SmarterMail, I'm waiting for version 3.0.5.22.

Gary Steiner

Original Message
From: John Carter [EMAIL PROTECTED]
Sent: Monday, December 05, 2005 3:22 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Notifications

Imail 8.21
Declude Pro 3.0.5.21

Is anyone else still having problems with not getting notices? Someone mentioned a patched version that fixed this, but was pre-.21. I would have assumed that those patches would have been in .21. I have all removed except the BANnotify.eml (see below). This one comes to me only, but stopped working before 3.0.5.20.

Thanks,
John C

= BANnotify.eml ===
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Email delivery blocked due to file attachment

In \spool\virus directory
From: %MAILFROM%
T0: %ALLRECIPS%
Subject: %SUBJECT%
Banned Extension: %BANEXT%
Queue Name: %QUEUENAME%
Headers follow:
%HEADERS%
RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.
Is this a Declude issue or an IMail issue? I'm using Declude 3.0.5.22 with the latest version of SmarterMail, and I haven't seen this behavior at all. Have any other SmarterMail users out there seen this behavior?

Gary

Original Message
From: marc [EMAIL PROTECTED]
Sent: Saturday, December 10, 2005 8:33 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

Mike,

thx for fix this problem with your suggestion adding the SKIPIFVIRUSNAMEHAS Sober in the recip.eml file, this really helps!

We had the same problem exactly 1 year before, posting here this problem and discuss on imailforum with no solution. Now after the new Sober flood two weeks ago, again all symptoms like your description, also new users was created like po, post, postma, postmaster, ... so I am sure this is a Declude issue.

Windows 2000 Server
Imail 8.15 HF2
Declude Virus Standard 1.82
F-Prot

Marc

At 18:49 09.12.2005, you wrote:

What I think it might be is a combination of several things and here are some of the common things that I have with information gathered on the different lists:

- Seems to have first started with IMail 8.x
- Running Declude Pro, Virus (f-prot), Hijack 1.82
- Sober virus seems to trigger this event along with the recip.eml file
- IMail Client (Imail1.exe) will pop up on the server with random address in the To and CC field of the client. It seems that the message that is trying to be sent out is the contents of the recip.eml that Declude uses.
- Will see the registry changes with the SMTPWIN entry under the Users. It seems that this entry is made if you use the IMail Client on the server. In our case the entries added are part of the email address used in the From field of the recip.eml.

The way we stopped this from happening was adding the SKIPIFVIRUSNAMEHAS Sober in the recip.eml file. I'm not sure why it happens on only certain servers, but that's what we have found. I haven't been convinced that the server was hacked. Rebuilding the servers may have corrected the problem, but still not sure the servers are being hacked.

Does anyone have the same common items having this problem?

Thanks,
Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Friday, December 09, 2005 9:33 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

Maybe, but you check the maillist history, quite a few servers have the same problem in the past 1.5 years. And the problem persists, if there is any virus or trojan, some antivirus program should can detect it now.

I suspect this is an issue of imail webmail, that's why it bypass the declude.

Original Message
From: John T (Lists) mailto:[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, December 09, 2005 4:15 PM
Subject: RE: [Declude.Virus] Stranger...

I do not think this is either an Imail or Declude issue, rather a server security issue, or rather a compromise of server security. Sounds like you have some type of virus or Trojan on that server.

John T
eServices For You

Original Message
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Thursday, December 08, 2005 9:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger...

Does any body find the answer of this problem? After 1.5 years, this problem still remain. And IPSWITCH never give me a clear answer about it.

Original Message
From: serge mailto:[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, June 08, 2004 7:46 AM
Subject: Re: [Declude.Virus] Stranger...

I know imail1 is a command line mailer but how do I find what is causing the imail 1 window to be open and filled with all these addresses? See attached gif.

Original Message
From: Darin Cox mailto:[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 10:21 PM
Subject: Re: [Declude.Virus] Stranger...

Does this shed any light? http://support.ipswitch.com/kb/IM-19980119-DD10.htm

Darin.

Original Message
From: Serge mailto:[EMAIL PROTECTED]
RE: [Declude.Virus] Sober.z
Just looking at my server stats for yesterday, there were only two Sobers caught by EVA as viruses. All the rest were caught by Junkmail as spam.

Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Saturday, January 07, 2006 12:11 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sober.z

Easy way to check if your Declude JunkMail is catching your viruses. Check for the subject lines and see if you held those messages (or whatever you do with your spam).

I just sorted out the subject lines for the sober.z only messages, and here are the ones I received:

Paris Hilton Nicole Richie
You visit illegal websites
You_visit_illegal_websites
Your IP was logged
Your_IP_was_logged

Andrew 8)

Original Message
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, January 06, 2006 8:53 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sober.z

I haven't checked today's results with fpcmd 3.16f, but here are yesterday's quick stats with fpcmd 3.16e

8 W32/[EMAIL PROTECTED]
3 W32/[EMAIL PROTECTED]
27 W32/[EMAIL PROTECTED]
1 W32/[EMAIL PROTECTED]
10 W32/[EMAIL PROTECTED]
9 W32/[EMAIL PROTECTED]
81 W32/[EMAIL PROTECTED]

So, yes, Sober is detected by at least 3.16f ... and going the extra mile, I've just looked up a few samples from yesterday's log and scanned those manually with fpcmd, and sure enough, 3.16f also detects them and produces the same output.

Perhaps you are not seeing Sober hits in Declude virus because you're using the AVAFTERJM setting and your Declude JunkMail is doing a fantastic job of catching them as spam before your Declude Virus would get called.

Andrew.

Original Message
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
Sent: Friday, January 06, 2006 7:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sober.z

Yep... I upgraded to FProt 3.16e and noticed the slowdown. I thought it was a problem with that version, so I upgraded to the 3.16f which was released today. Still no Sober viruses caught. I'm still wondering if I should go back to 3.16d.

Anyone seeing Sober caught with these last 2 updates of F-Prot??

~Joe

Original Message
From: Bruce Loughlin [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 06, 2006 10:03 AM
Subject: [Declude.Virus] Sober.z

Has any one else noticed that sober.z just stopped today? I was getting hundreds a day and now I have 0. Wasn't this the day it was to morph?

Bruce L.
AFM
[Declude.Virus] Outlook 'Space Gap' Vulnerability
One of my customers is receiving email from one of her customers that is getting flagged on my server by EVA with the Outlook 'Space Gap' Vulnerability. What exactly is this? Is this a problem with the Outlook client, and if so, can it be fixed by changing something in the sender's Outlook settings?

I see in the EVA manual that I can turn this off using ALLOWVULNERABILITY OLSPACEGAP but do I really want to do that?

Thanks,
Gary Steiner
[Declude.Virus] ClamAV for Windows
Is anyone using one of the various Windows ports for ClamAV under W2K3? If so, which one is best?

Thanks,
Gary Steiner
[Declude.Virus] language specific messages
Can the following be done in Declude EVA?

I have customers who are English speakers, and customers who are Spanish speakers. When a customer is sent a virus, they receive a message telling them about the virus (recip.eml). I want to be able to have a different message sent to each of my domains depending on the language of the customer (recip-en.eml and recip-es.eml). I believe this can be done in Junkmail, but can it be done in EVA?

Thanks,
Gary Steiner
Re: [Declude.Virus] F-Prot Switches
If you take a look at the DOS version of F-Prot ftp://ftp.f-prot.com/pub/dos/fp-316b.zip you will find that it contains a file called COMMAND.TXT that seems to explain everything. I've attached it below:

The command-line options

F-PROT.EXE is usually run without any parameters and will then enter interactive mode, but if the /HARD option is used, or a drive, file or directory is specified, it will enter command-line mode.

Syntax for command-line mode:

F-PROT [drive, file or directory] [options]

The available command-line options are

/APPEND Appends the report to an existing file (Only used with /REPORT).

/ARCHIVE=n Scans inside .ARJ, .CAB, .LZH and .ZIP archives. F-PROT currently supports only RAR archives created by RAR 2.5 and older - support for RAR 3.0 will be added soon. The parameter n specifies how many levels (archives inside archives) to scan.

/AUTO May be specified with /DISINF, /DELETE or /RENAME so F-PROT will not request permission before removing each virus.

/BEEP Produces an annoying beep when a virus is found. NOT recommended when scanning a virus collection.

/COLLECT Assumes what is being scanned is a virus collection, where viruses might be found in abnormal locations. In particular, selecting this option will enable detection of file images of boot sector viruses. This switch also provides the same features as the old /GURU option. Note that using /COLLECT will slow down the scan.

/DELETE Deletes infected files.

/DISINF Disinfects whenever possible. It is possible to specify the following combinations of switches:

    /DISINF /DELETE Disinfects when possible, otherwise deletes infected files.
    /DISINF /RENAME Disinfects when possible, otherwise attempts to rename infected COM/EXE files to VOM/VXE.
    /DISINF /RENAME /DELETE Disinfects when possible, otherwise attempts to rename infected COM/EXE files to VOM/VXE, but if that fails the files are deleted.

/DUMB Does a dumb scan of all files. This option is often not necessary, and /TYPE can be used instead. The only cases where it might be needed are the following:

    If you are scanning a virus collection, where infected files have non-standard extensions, such as .VOM instead of .COM, they will not be scanned for viruses, unless this switch is specified.
    If you are cleaning up a virus infection you should use this switch.

/EXT By default F-PROT will open every file and try to determine its type, so it will for example scan Word files, even if they do not use a DOC/DOT extension. By using /EXT the scanning can be speeded up slightly as F-PROT will then only scan files with default extensions.

/FREEZE Freezes the program if a virus is found anywhere.

/HARD Scans all files on all hard disks in the computer.

/HELP Displays the list of command-line options.

/INTER Forces the program to enter interactive mode, even when a path, directory or file name is given on the command line.

/LIST Lists all files that are scanned.

/LOADDEF Load the DEF files into memory.

/NOBOOT Does not scan boot sectors.

/NOBREAK Disables ESC and ^C during scanning.

/NOFILE Does not scan files. Only useful if you are cleaning up a boot sector infection and do not want to spend unnecessary time scanning files.

/NOFLOPPY For use on systems without floppy drives.

/NOHEUR Version 3 has a smaller, more reliable set of heuristics than version 2, but they are enabled by default, unlike version 2. This option allows you to turn the heuristics off.

/NOMEM Does not scan memory for viruses. Not recommended, unless you are absolutely certain that no viruses are present in memory.

/NOSUB Does not scan subdirectories.

/PACKED Scans inside various types of compressed executables (PKLITE for example), by emulating the execution of the decompressor. As this option can slow the scan down significantly, we only recommend using it when scanning new software before installation.

/PAGE Pauses after each page (command-line mode only).

/REMOVEALL Removes all macros from all documents. Useful if you encounter a new macro virus, and you know that the document did not contain any macros before it got infected.

/REMOVENEW If a new variant of a macro virus is found in a document, all macros are removed from that particular document.

/RENAME Renames infected COM/EXE files to VOM/VXE. If files with those extensions already exist, .VVV is used instead. Infected document files are not renamed, as that would be pointless - they would be equally infectious afterwards.

/REPORT=file Sends the output to a file, in addition to displaying it on the screen.

/SAFEREMOVE Removes all macros from documents, if a known virus is found.

/SERVER Enable mail-server heuristics. Will for example complain about encrypted executables inside archives.

/SILENT Does not generate any screen output (command-line mode only).

/TYPE Scan every file, but skip those which do not seem
RE: [Declude.Virus] F-Prot Switches
What is the value of the AI switch? I see it (and others related) explained on the F-Prot web site, but I don't understand why one would use it or not use it. Nor does it tell you what the default is.

/HEUR - Uses heuristic scanning of files.
/NOHEUR - Doesn't use heuristic scanning of files.
/AI - Uses Neural network heuristic scanning of files.
/NOAI - Doesn't use Neural network heuristic scanning of files.

Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Tuesday, March 28, 2006 11:53 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot Switches

#Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual. The noboot and nomem options
# are not listed when you ask fpcmd.exe for help, but they are definitely in the logs.
SCANFILE D:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt

Andrew 8)

Original Message
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Tuesday, March 28, 2006 8:46 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot Switches

After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
[Declude.Virus] banned file mentioned in header?
When Declude uses a virus scanner to detect a virus, you are able to place a message in the header of the held file such as:

X-Declude-Virus: Detected W32/[EMAIL PROTECTED] [from IP 200.52.83.152 (152.83.52.200.in-addr.arpa)].

However, when a banned file (such as a .exe in a .zip) is held, no message is appended to the header to indicate why the file was held. You have to go back to the log file to dig out this information.

Is there any way to make Declude add this information to the header of the held message?

Gary
re: [Declude.Virus] banned file mentioned in header?
Original Message
From: Gary Steiner [EMAIL PROTECTED]
Sent: Monday, April 24, 2006 8:46 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] banned file mentioned in header?

When Declude uses a virus scanner to detect a virus, you are able to place a message in the header of the held file such as:

X-Declude-Virus: Detected W32/[EMAIL PROTECTED] [from IP 200.52.83.152 (152.83.52.200.in-addr.arpa)].

However, when a banned file (such as a .exe in a .zip) is held, no message is appended to the header to indicate why the file was held. You have to go back to the log file to dig out this information.

Is there any way to make Declude add this information to the header of the held message?

Gary
[Declude.Virus] reque slips by Declude?
Back on May 9 my server was hit by the Feebs virus. I am using F-Prot, which did not detect it. But I am using BANEXT hta which caught it.

Two days ago I upgraded to SmarterMail 3.1 and Declude 4.2.3. Among other things, I've been looking at the addition of AVG to Declude. I noticed that F-Prot still doesn't detect that version of the Feebs virus, but AVG does. So I thought I would test it. I still have a copy of the virus I received on May 9, so I requeued it unchanged and unrenamed to let it go through the new Declude to see what would happen.

To my surprise it was delivered! No new Declude headers were added to the message. Though SmarterMail did modify it because it detected it as spam. I checked the virus logs (LOGLEVEL set to HIGH) and there was no listing at all for this message.

Naturally I am now quite nervous. Why did this happen? Have any other Feebs viruses slipped through? Unfortunately the eicar tests don't have an hta to use, so the only way I have to test this is with a live virus. The Feebs virus isn't one of the more common ones, but all it takes is one to get through to spoil the day of one of my customers.

Gary Steiner
RE: [Declude.Virus] reque slips by Declude?
So you are saying that the X is no longer needed? You just drop stuff in the spool directory and Declude will ignore it? That in order for Declude to rescan something it now has to be put in the proc directory?

Original Message
From: David Barker [EMAIL PROTECTED]
Sent: Thursday, May 18, 2006 8:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] reque slips by Declude?

I remove the x and place the files in the \proc directory.

David B
www.declude.com

Original Message
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Thursday, May 18, 2006 7:59 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] reque slips by Declude?

With older versions of Declude and Smartermail you used to have to do the X rename to skip Declude processing. If you left the X off it would be rescanned by Declude. However, now that Declude is integrated into Smartermail v3 what is the correct requeuing process?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Original Message
From: Dean Lawrence [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, May 18, 2006 7:48 AM
Subject: Re: [Declude.Virus] reque slips by Declude?

Gary,

I do believe that messages that have been re-queued do not get scanned a second time. If they did, you would never be able to re-queue anything since it would be continually caught.

Dean

On 5/18/06, Gary Steiner [EMAIL PROTECTED] wrote:

Back on May 9 my server was hit by the Feebs virus. I am using F-Prot, which did not detect it. But I am using BANEXT hta which caught it.

Two days ago I upgraded to SmarterMail 3.1 and Declude 4.2.3. Among other things, I've been looking at the addition of AVG to Declude. I noticed that F-Prot still doesn't detect that version of the Feebs virus, but AVG does. So I thought I would test it. I still have a copy of the virus I received on May 9, so I requeued it unchanged and unrenamed to let it go through the new Declude to see what would happen.

To my surprise it was delivered! No new Declude headers were added to the message. Though SmarterMail did modify it because it detected it as spam. I checked the virus logs (LOGLEVEL set to HIGH) and there was no listing at all for this message.

Naturally I am now quite nervous. Why did this happen? Have any other Feebs viruses slipped through? Unfortunately the eicar tests don't have an hta to use, so the only way I have to test this is with a live virus. The Feebs virus isn't one of the more common ones, but all it takes is one to get through to spoil the day of one of my customers.

Gary Steiner

--
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists
re: [Declude.Virus] New feature needed
I asked about the possibility of per domain replies several months ago. I would hope that it has already been placed on the wish list. It is especially useful when you have users speaking different languages and you want to have language specific messages linked to each domain.

Gary

Original Message
From: Goran Jovanovic [EMAIL PROTECTED]
Sent: Tuesday, June 20, 2006 2:30 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New feature needed

Hi,

I would like to suggest a new feature to be added to the virus notification capabilities.

Right now to notify a recipient that I stopped a virus I have a recip.eml file in my main Declude directory. There is another recip-vulnerability.eml file that is used if the virus is a vulnerability. These two files are all or nothing files. Meaning that all recipients for all the domains that I process are in the same file.

I need to be able to specify a per domain recip.eml file. This way I can tailor the notifications to each domain as appropriate. These files should be in the domain subdirectory along with the $default$.junkfile etc.

I am faced with the challenge right now for a single domain to send all virus notification to one person only or to stop all notifications to that domain. To the best of my knowledge I cannot redirect all the notifications to the one person for that domain and to the original recipients for all the other domains.

Another feature that should be added to the *.eml files is the ability to do a BCC to a monitoring address. This is a good way to monitor what is happening with banned files, viruses or whatever notification processes we have set up.

So can you please add this to the to do list.

Thank you

Goran Jovanovic
Omega Network Solutions
[Declude.Virus] another new virus
I just started receiving copies of a new virus that F-Prot flags, but with the descriptive label of "Unknown" (at least out of Declude). The messages are all around 86k in size, and contain a gif and an encrypted zip file. It pretends to be sending you a password for some unnamed account. Following is what VirusTotal says:

Antivirus           Version         Update      Result
AntiVir             6.35.0.13       06.20.2006  no virus found
Authentium          4.93.8          06.20.2006  Not scanned (encrypted)
Avast               4.7.844.0       06.20.2006  no virus found
AVG                 386             06.20.2006  no virus found
BitDefender         7.2             06.20.2006  no virus found
CAT-QuickHeal       8.00            06.20.2006  no virus found
ClamAV              devel-20060426  06.20.2006  no virus found
DrWeb               4.33            06.20.2006  no virus found
eTrust-InoculateIT  23.72.43        06.20.2006  no virus found
eTrust-Vet          12.6.2265       06.20.2006  no virus found
Ewido               3.5             06.20.2006  no virus found
Fortinet            2.77.0.0        06.20.2006  no virus found
F-Prot              3.16f           06.20.2006  suspicious
Ikarus              0.2.65.0        06.20.2006  no virus found
Kaspersky           4.0.2.24        06.20.2006  no virus found
McAfee              4788            06.20.2006  no virus found
Microsoft           1.1441          06.20.2006  password protected
NOD32v2             1.1611          06.20.2006  error - password-protected file
Norman              5.90.21         06.20.2006  Mitglied.gen
Panda               9.0.0.4         06.20.2006  no virus found
Sophos              4.06.0          06.20.2006  no virus found
Symantec            8.0             06.20.2006  no virus found
TheHacker           5.9.8.162       06.20.2006  no virus found
UNA                 1.83            06.20.2006  no virus found
VBA32               3.11.0          06.20.2006  no virus found
VirusBuster         4.3.7:9         06.20.2006  I-Worm.Bagle.ZIP.Gen
re: [Declude.Virus] stopping Detected Outlook 'CR' Vulnerability emails
In your virus.cfg, make sure you have this:

BANCRVIRUSESON

and do not have this:

ALLOWVULNERABILITY OLCR

That should do it.

Original Message
From: Rick O'Connor [EMAIL PROTECTED]
Sent: Saturday, July 01, 2006 1:19 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] stopping Detected Outlook 'CR' Vulnerability emails

How do you go about stopping emails that fail Outlook CR Vulnerability check from being delivered? Any help would be much appreciated.

Thanks,
Rick

--
Blu Sky Web Solutions
1200 Harris Ave, Suite 104
Bellingham, WA 98225
www.bswsolutions.com
[EMAIL PROTECTED]
Phone: 888.7.BLUSKY
Fax: 800.867.0473
[Declude.Virus] ClamAV error
I recently installed ClamAV as my third scanner after AVG and F-Prot. For some reason it indicates an error related to the attachment when it detects a virus (Attachment=[Unknown: Err]). Here is an example from the Declude virus log file:

07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter

It doesn't seem to matter what kind of virus is involved. Even when it detects a phishing attempt you still see the same error. Here is what I have in the virus.cfg:

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Is anyone else experiencing this, or have any ideas?

Thanks,
Gary
RE: [Declude.Virus] ClamAV error
AVG is my first one (it's everybody's first one, it's built in).

Original Message
From: Goran Jovanovic [EMAIL PROTECTED]
Sent: Friday, July 14, 2006 3:26 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV error

Gary,

You said CLAM was your third AV yet your config shows it is your second one

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Change the SCANFILE2, VIRUSCODE2, REPORT2 to 3. That might help

Goran Jovanovic
Omega Network Solutions
[Declude.Virus] Declude error, not ClamAV error
Upon further research, the statement Attachment=[Unknown: Err] is generated by Declude, not ClamAV. So does Declude have a problem with ClamAV?
RE: [Declude.Virus] Declude error, not ClamAV error
I get the error no matter what the virus, Netsky, Bagle, Feebs, even when ClamAV detects a phishing attempt the error is there.

Original Message
From: John T (Lists) [EMAIL PROTECTED]
Sent: Friday, July 14, 2006 9:46 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude error, not ClamAV error

In other log lines Declude states it is an invalid/bogus pif file. That might explain it.

John T
eServices For You
Seek, and ye shall find!
RE: [Declude.Virus] Declude error, not ClamAV error
Yes the command line works fine. Nowhere in the output from the command line does it say anything about an attachment, nor do I see the Attachment=[Unknown: Err] statement. That's why I believe it is something generated by Declude not by ClamAV.

Original Message
From: John T (Lists) [EMAIL PROTECTED]
Sent: Saturday, July 15, 2006 2:13 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude error, not ClamAV error

Have you tried running the command line by itself against a file in question to see what the return code is?

John T
eServices For You
Seek, and ye shall find!
RE: [Declude.Virus] New feature needed
I was wondering if there might be a work-around for this. Could a combination of multiple .eml files utilizing SKIPIFRECIP work? I guess the first question is what .eml files does Declude look for when it detects a virus? Does EVA specifically look for a file named recip.eml? Or does it look at all the .eml files in the main Declude directory? Could you have two files, one called recip-en.eml (English) and one called recip-es.eml (Spanish), and then list in those files using SKIPIFRECIP all the domains that want the other language?

Gary

Original Message
From: Goran Jovanovic [EMAIL PROTECTED]
Sent: Tuesday, June 20, 2006 3:57 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New feature needed

Gary,

I have not even thought of something like that (since all my customers are English speaking) but you are absolutely right. So David will we be seeing this new feature next week? :)

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] New feature needed
But what defines a vulnerability? Are you referring to the list of vulnerabilities associated with the ALLOWVULNERABILITY statement in the EVA manual?

I'm confused by the various .eml files Declude provides and how it decides to use them, whether EVA or Junkmail. None of the .eml files that come with Declude have the name of a vulnerability. Here is a list of the E-mail template files that came with the Declude 4.x installation and how I guess that they are used (since there doesn't seem to be some centralized description/list of what these files are and how they are used):

spamattach.eml - Used by Junkmail when ATTACH action is implemented.
postmaster.eml - Used by EVA to warn the postmaster of the local machine that a virus was detected.
BOUNCEnotify.eml - Used by EVA to warn the local sender that his (outgoing) E-mail attachment contained a banned extension.
BANnotify.eml - Used by EVA to warn the sender that his (incoming) E-mail attachment contained a banned extension.
otherpostmaster.eml - Used by EVA to warn the postmaster of a host that a virus came from his server (typically not used due to virus forging).
sender.eml - Used by EVA to warn the sender that an E-mail sent by him was detected as a virus (typically not used due to virus forging).
recip.eml - Used by EVA to warn the recipient that Declude detected a virus sent to him.
confirm.eml - Used by Declude Confirm (http://www.declude.com/Articles.asp?ID=127). Is this a discontinued product? If not, does it work with SmarterMail?

So it seems that most of the files are used by EVA, one by Junkmail and one by Confirm. Does that mean that Junkmail and Confirm only use their one specific .eml file and ignore all the others? If I create a randomly named .eml file, will it only be used by EVA?

Original Message
From: John T (Lists) [EMAIL PROTECTED]
Sent: Thursday, August 10, 2006 9:37 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New feature needed

When a vulnerability is detected, it looks for vulnerability.eml only. When a virus is detected, it uses any and all .eml files except for vulnerability.eml. So yes, you could do that.

John T
eServices For You
Seek, and ye shall find!
RE: [Declude.Virus] New feature needed
I'm just trying to narrow these files down. I don't want to stick something in the Declude directory and have it exhibit unexpected behavior. Also there are many other files in the Declude directory that are unexplained and may be left over from older versions, but I have no way to know if I can delete them or not.

BounceNotify.eml is there, it was installed by Declude. Though I just tested it by sending myself a banned file, and it did not work, so maybe Declude discontinued it at some point (David?). There is no file called Vulnerability.eml in the Declude directory, so I assume Declude does not install this by default.

Original Message
From: John T (Lists) [EMAIL PROTECTED]
Sent: Friday, August 11, 2006 3:56 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New feature needed

Sorry, forgot to make an all inclusive list:

To my knowledge, there is no BounceNotify.eml.

JunkMail uses the following eml files ONLY: SpamAttach.eml

Confirm uses the following eml file ONLY: Confirm.eml

When EVA finds a vulnerability (list in the EVA manual further down from the allow section) it uses the following file ONLY: Vulnerability.eml

When EVA finds a banned attachment and the associated email is not found to be virus laden or contain a vulnerability, EVA will use the following file ONLY: BanNotify.eml

ANY OTHER eml file contained in the \declude directory will be used by EVA when a virus is found according to parameters within each file. So, if you have 50 eml files aside from the above specifically mentioned 4, EVA will try to use all 50 when it finds a virus.

The reason for this along with the original 4 other eml files normally found (postmaster.eml, otherpostmaster.eml, sender.eml and recipient.eml) was so that an appropriately worded notice be sent to each respective party as desired. However, that also allows for plenty of customization. Example, I have a client that the manager wants a copy of each notice sent. So I have created 2 specific eml files for that client, one for if the infected email is incoming and one for if the infected email is outgoing.

John T
eServices For You
Seek, and ye shall find!
[Declude.Virus] Oversized.RAR FOUND in ClamAV
I have an email that was held as a virus after ClamAV was triggered with the result Oversized.RAR FOUND. I looked for an explanation but couldn't find anything detailed. Apparently this is due to some type of bug in ClamAV that shows up with certain RAR or ZIP files. I found one posting that suggested that the problem could be fixed by adjusting the max-ratio value. The default max-ratio value for ClamAV is 250. The suggested value for running it with Declude is 0. What would be the safest value to run with and why?

Gary

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
If you want to submit a virus, don't forget about ClamAV: http://www.clamav.net/sendvirus.html

The nice thing about them is when they've used your sample to update their definitions, they will actually send you an email telling you this.

Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 1:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

Sounds like a very popular eBay scam, not a virus. Was there actually a hostile application attached?

Submit the executable to: http://www.virustotal.com/en/indexf.html
Or: http://virusscan.jotti.org/

I believe that both services share unknown executables with the antivirus vendors.

Or you directly submit the executable to your preferred antivirus vendor, usually through a web submission form, e.g.: http://subwiz.trendmicro.com/SubWiz/Default.asp
Or: http://www.f-prot.com/virusinfo/submission_form.html

But the vendor websites are notorious for hoarding information to get a competitive advantage (at the expense of the customers of every other antivirus vendor!).

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Tuesday, October 10, 2006 10:21 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus?

Hey All

Has anyone seen the email saying that you purchased a Sony VAIO for $2,500? We received a bunch of these this morning in our mailboxes and am trying to figure out how they made it thru the scanners. What is the place to send them to see if it is being caught?

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications
http://www.etczone.com
812-932-1000
RE: [Declude.Virus] AUTOFORGE
Is the command FORGINGVIRUS still used? It doesn't seem to be mentioned in the new manuals on the Declude web site, or in the knowledgebase either.

My main question is how does FORGINGVIRUS work? Is it looking for any string within the virus name? For example, will the statement FORGINGVIRUS Stration pick up both Worm.Stration.YY and I-Worm.Stration as matches?

Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME? Do you need to have both statements in the virus.cfg or is that redundant?

Thanks,
Gary

Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Friday, October 27, 2006 3:56 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AUTOFORGE

I suggested adding STRATION a week or more ago. Likewise, the string WAREZOV should be added to the AUTOFORGE database (or your own virus.cfg e.g. FORGINGVIRUS WAREZOV). There have been many iterations of this virus, and according to F-Secure, the creators are still pumping out new versions.

Andrew.

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, October 27, 2006 6:03 AM
To: 'Declude Virus List'
Subject: [Declude.Virus] AUTOFORGE

Hi, is this still being actively maintained? If so, W32/Stration.dldr should be added as forging. Based on bounces that I'm seeing (from inbound-only mailboxes on our domain) it is forging the sender.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [Declude.Virus] AUTOFORGE
I think you meant to say SKIPIFFORGING not SKIPIFFORGINGVIRUS.

Original Message
From: John T (Lists) [EMAIL PROTECTED]
Sent: Friday, October 27, 2006 7:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AUTOFORGE

Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME? Do you need to have both statements in the virus.cfg or is that redundant?

FORGINGVIRUS is in the virus.cfg file and it is to list those viruses that forge the from address. Then, in your various eml files, you just need to put in SKIPIFFORGINGVIRUS instead of having to list each SKIPIFVIRUSNAMEHAS

John T
eServices For You
Life is a succession of lessons which must be lived to be understood. Ralph Waldo Emerson (1802-1882)
[Declude.Virus] runclamd and runclamscan
Looks like the web page for runclamd and runclamscan http://www.smartbusiness.com/imail/declude/ has been removed. Hopefully it will continue to be included in future releases of ClamAV for Windows.

Gary
Re: [Declude.Virus] Declude Security Suite 4.3.23 Released / AVG Vulnerability?
Good question. David?

Original Message
From: Stephan [EMAIL PROTECTED]
Sent: Friday, December 08, 2006 12:21 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Re: [Declude.Virus] Declude Security Suite 4.3.23 Released / AVG Vulnerability?

Is the built-in avg version included still vulnerable? Or has it been fixed already? Very glad to see the imail 2006 authowhite is now working. Thanks.

-Original Message-
From: David Barker [EMAIL PROTECTED]
Sent 11/24/2006 8:08:51 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG Vulnerability

From AVG the update has been released for beta testing, if there are no troubles, we publish it as an official build during the next week.

David B
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Friday, November 24, 2006 4:29 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] AVG Vulnerability

Hi, And...?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Tuesday, November 21, 2006 10:24 PM
Subject: RE: [Declude.Virus] AVG Vulnerability

We have a request in with Grisoft remember there is a time zone difference as they are in CZ

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Tuesday, November 21, 2006 4:01 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG Vulnerability

Any updates on this yet? Should we be turning off AVG scanning?

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, November 21, 2006 9:24 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG Vulnerability

Darrell, We are currently looking into this new report and are contacting AVG we will post here as soon as we have an answer.

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, November 21, 2006 8:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] AVG Vulnerability

David / Declude,

Is the integrated AVG scanner vulnerable? How do we determine what version of AVG is embedded inside of Declude?

Darrell

MODERATE: Grisoft AVG Anti-Virus Multiple Vulnerabilities
Affected: AVG Anti-Virus versions prior to 7.1.407
Description: AVG Anti-Virus, a popular anti-virus system, contains multiple vulnerabilities. By sending a specially-crafted file through the system, an attacker could exploit these vulnerabilities to execute arbitrary code with the privileges of the anti-virus process. No technical details for these vulnerabilities are currently available.
Status: Grisoft confirmed, updates available.
Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.
References:
Grisoft Release Notes http://www.grisoft.com/doc/36365/lng/us/tpl/tpl01
SecurityFocus BID http://www.securityfocus.com/bid/21029

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
re: [Declude.Virus] Sender.eml was sent even though forging virus?
I've seen similar behavior with viruses found by AVG.

Original Message
From: Andy Schmidt [EMAIL PROTECTED]
Sent: Wednesday, December 13, 2006 12:42 PM
To: 'Declude Virus List' declude.virus@declude.com
Subject: [Declude.Virus] Sender.eml was sent even though forging virus?

Hi,

My sender.eml has the line:

  SKIPIFFORGING

And my virus.CFG has:

  AUTOFORGE ON
  FORGINGVIRUS Anonymous Driver
  FORGINGVIRUS Antiman
  FORGINGVIRUS Avril
  FORGINGVIRUS Bagle

Yet, declude virus just sent the sender.eml for the following details:

  File:Unknown File
  Result: FoundI-Worm/Bagle
  Message ID:[EMAIL PROTECTED]
  Our Domain:Schmidt.AS for Schmidt.AS
  Queue ID: D324e0153b795.smd

Based on these headers:

-Original Message Headers-
  Received: from [62.93.44.11] [62.93.44.11] by hm-software.com with ESMTP (SMTPD-9.10) id A24E331D0; Wed, 13 Dec 2006 12:03:10 -0500
  Date: Wed, 13 Dec 2006 18:03:11 +0100
  To: Andy [EMAIL PROTECTED]
  From: Webmaster [EMAIL PROTECTED]
  Subject: price 13-Dec-2006
  Message-ID: [EMAIL PROTECTED]
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary=oibzhbgyvnajpcxfwpdt
re: [Declude.Virus] Any one heard about or seen this one yet?
I was receiving copies of it yesterday (Thursday), but nothing today. All messages contained a .exe attachment. Since I'm running AVAFTERJM, all the messages were caught as spam. I did not receive any that were not caught as spam.

Original Message
From: Heimir Eidskrem [EMAIL PROTECTED]
Sent: Friday, January 19, 2007 3:24 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Any one heard about or seen this one yet?

Storm Worm Hits Computers Around the World
By Reuters
January 19, 2007

HELSINKI (Reuters)-Computer virus writers started to use raging European storms on Friday to attack thousands of computers in an unusual real-time assault, head of research at Finnish data security firm F-Secure told Reuters.

The virus, which the company named Storm Worm, is sent to hundreds of thousands of e-mail addresses globally, with the e-mail's subject line saying 230 dead as storm batters Europe. The attached file contains the so-called malware that can infiltrate computer systems.

What makes this exceptional is the timely nature of the attack, Mikko Hypponen, head of research at F-Secure said. Hypponen said thousands of computers around the world, most in private use, had been affected. He said most users would not notice the malware, or trojan, which creates a back door to the computer that can be exploited later to steal data or to use the computer to post spam

Regards,
Dennis Curry
System Administrator
SNC-Lavalin GDS
Re: [Declude.Virus] pay-pal phishing
ClamAV catches a lot of them.

Original Message
From: Darin Cox [EMAIL PROTECTED]
Sent: Thursday, February 15, 2007 5:58 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] pay-pal phishing

Message Sniffer does a pretty good job. You can also use the spamdomains and SPF tests, though their SPF policy is only soft fail at the moment, which Declude does not check.

Darin.

- Original Message -
From: Bob McGregor [EMAIL PROTECTED]
To: Declude-List Declude.Virus@declude.com
Sent: Thursday, February 15, 2007 5:16 PM
Subject: [Declude.Virus] pay-pal phishing

Anyone configured a way to stop some of the pay-pal scam emails?

thanks,
bob
[Declude.Virus] Exploit-Dropper.1Table
Here's a strange one. Declude reports that it is detecting a virus in a file attachment that is a Word document. AVG Reports VIRUS: Exploit-Dropper.1Table

Yet when I send that same email to VirusTotal.com, AVG states no virus detected. And none of the other programs listed on VirusTotal.com detect anything either. I guess I need to send this one to Declude support.

Gary
RE: [Declude.Virus] Current Version of Clam AV
I see that SOSDG released a new version (0.90-1) of their Windows port of ClamAV on 02-22-2007. http://www.sosdg.org/clamav-win32/

Has anyone upgraded to it yet? Any problems?

Gary Steiner

Original Message
From: Mark Reimer [EMAIL PROTECTED]
Sent: Friday, February 16, 2007 2:04 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Current Version of Clam AV

Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90 release for windows?

Mark Reimer
IT System Admin
American CareSource
972-308-6887

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Friday, February 16, 2007 10:06 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Current Version of Clam AV

What is the current release of Clam AV for windows? I saw 0.90 stable is out now.

Mark Reimer
IT System Admin
American CareSource
972-308-6887
Re: [Declude.Virus] Current Version of Clam AV
Does anyone want to comment on what might be causing the error? Is this a ClamAV problem or a Declude problem? It seems that the normal mechanism for deleting those files is somehow interrupted. Is there a way in Declude to increase the time allocated to each antivirus process?

Though since I upgraded to SOSDG's version 0.90-1, I haven't seen any leftover .vir directories.

Original Message
From: Brian T. [EMAIL PROTECTED]
Sent: Thursday, March 01, 2007 11:53 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

Does anyone know of a way to fix this problem with the leftover .vir directories? I was thinking about switching to ClamAV from F-Prot but don't want to constantly be cleaning up leftover files.

Thanks,
Brian

- Original Message -
From: Darrell ([EMAIL PROTECTED])
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:44 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

In my normal maintenance window (once a week) all services are stopped and I clean out the work, error, proc, spool, and review folders. Since I stop CLAMAV as well I am able to delete those directories.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:22 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

Thanks for responding. I can't delete them until I restart the ClamAV service. Do you have a way of automatically deleting them, or do you schedule a task to restart ClamAV and then delete them? I tried using a schedule task but for some reason they still don't get deleted (but it's possible to do it manually.)

-Original Message-
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
Sent 2/27/2007 10:17:46 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

FWIW - I have always had left over directories from .84 on up.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 8:41 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

I am also running the 0.90-1, and it's working fine, except I still get leftover .vir directories inside the declude/proc dir. The error in the clamav log shows:

  d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary directory ERROR

I've tried checking permissions, and made sure I have the clamav tmpdir variable set to my clamav tmp dir (which fixed a similar error that stopped the clamav service from starting.) But I haven't been able to fix this one. Anyone know how to fix this error? Thanks.

-Original Message-
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
Sent 2/26/2007 1:30:43 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

Gary, I upgraded on Friday and have not run into any issues.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Gary Steiner [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Monday, February 26, 2007 1:01 PM
Subject: RE: [Declude.Virus] Current Version of Clam AV

I see that SOSDG released a new version (0.90-1) of their Windows port of ClamAV on 02-22-2007. http://www.sosdg.org/clamav-win32/

Has anyone upgraded to it yet? Any problems?

Gary Steiner

Original Message
From: Mark Reimer [EMAIL PROTECTED]
Sent: Friday, February 16, 2007 2:04 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Current Version of Clam AV

Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90 release for windows?

Mark Reimer
IT System Admin
American CareSource
972-308-6887

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Friday, February 16, 2007 10:06 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Current Version of Clam AV

What
[Declude.Virus] ClamAV 0.90.1-2 problems
Ever since I upgraded to ClamAV 0.90.1-2 (the SOSDG windows port), I've been unable to get it to work. The Declude log files show an error like this:

  03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
  03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 Checksum=38095]
  03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
  03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
  03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
  03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]

If I try to run it from the command line using the parameters from my virus.cfg file, I get the following:

  C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt 62376245.eml
  /cygdrive/c/clamav-devel/bin/clamdscan: unrecognized option `--mbox'
  ERROR: Unknown option passed.
  ERROR: Can't parse the command line

Anyone else seeing anything like this? Did something change in 0.90 to make these parameters invalid?

Thanks,
Gary Steiner
RE: [Declude.Virus] ClamAV 0.90.1-2 problems
I uninstalled 0.90.1-2 and reinstalled 0.90.1. It seems to be working okay.

I ran the program (0.90.1-2) but removed the --mbox parameter. It then gave me an error message about --max-ratio. I removed that one, and it then gave me an error about --max-space. I removed that one as well, and it was finally able to run. But there was an error in the report.txt file:

  62376245.eml: lstat() failed. ERROR

For now I am just going to keep running with 0.90.1 and see how it goes. The message I received on the clamav-announce mailing list about 0.90.1-2 stated, Basically, this version corrects some build problems and incorrect linkage to cygclamav1.dll by clamd.

Gary

Original Message
From: Mark Reimer [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 11:21 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems

Gary, I had the same problem after upgrading to 0.90.1-2. I had to go back to 0.90-1. I was getting the same error code. After this upgrade if I go back to 0.90.1-1 I get error code 40. I have not been able to figure out what is going on.

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Tuesday, March 13, 2007 8:01 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ClamAV 0.90.1-2 problems

Exit code of 2 means ClamAV had an error - Is clamd running? will clamdscan.exe file to be scanned work? eg no parameters?

-Nick

Gary Steiner wrote:

Ever since I upgraded to ClamAV 0.90.1-2 (the SOSDG windows port), I've been unable to get it to work. The Declude log files show an error like this:

  03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
  03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 Checksum=38095]
  03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
  03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
  03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
  03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
  03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]

If I try to run it from the command line using the parameters from my virus.cfg file, I get the following:

  C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt 62376245.eml
  /cygdrive/c/clamav-devel/bin/clamdscan: unrecognized option `--mbox'
  ERROR: Unknown option passed.
  ERROR: Can't parse the command line

Anyone else seeing anything like this? Did something change in 0.90 to make these parameters invalid?

Thanks,
Gary Steiner
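A monitoring check for the failure shown in this thread, as an added example that is not part of the original posts and is not Declude's own code: it parses the log lines quoted above and lists messages for which a configured scanner ended in an error, meaning they were scanned by fewer engines than configured. The line layout is inferred only from those quoted lines, the function names are hypothetical, and treating exit code 1 as "virus found" is an assumption (it matches ClamAV's return codes and the VIRUSCODE1 1 line quoted elsewhere on this page).

```python
import re

# Lines copied from the Declude log quoted in the post above, followed by two
# constructed lines (queue ID 62376300) for a message that both scanners handled.
SAMPLE_LOG = r"""
03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 Checksum=38095]
03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]
03/12/2007 19:18:02.100 62376300 Virus scanner 1 reports exit code of 1
03/12/2007 19:18:02.300 62376300 Virus scanner 2 reports exit code of 0
"""

# "<date> <time> <queue id> <text>", as seen in the quoted lines.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$")
EXIT_RE = re.compile(r"^Virus scanner (\d+) reports exit code of (\d+)$")
ERROR_RE = re.compile(r"^Error (\d+) in virus scanner (\d+)\.$")
REPORT_RE = re.compile(r"^Could not find report file (.+)\.$")
VERDICT_RE = re.compile(r"^Scanned: (.*)$")


def _scanner(msg, number):
    """Return (creating if needed) the record for one scanner of one message."""
    return msg["scanners"].setdefault(number, {"codes": [], "declared_error": False})


def summarize(log_text, virus_codes=None):
    """Group log lines by queue ID and record what each scanner did.

    virus_codes maps scanner number -> set of exit codes that mean "virus
    found" (the VIRUSCODEn values in virus.cfg). Assumption: {1} if not given.
    """
    virus_codes = virus_codes or {}
    messages = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        queue_id, text = m.group(2), m.group(3)
        msg = messages.setdefault(
            queue_id, {"scanners": {}, "missing_reports": [], "verdict": None})
        if (e := EXIT_RE.match(text)):
            _scanner(msg, int(e.group(1)))["codes"].append(int(e.group(2)))
        elif (e := ERROR_RE.match(text)):
            _scanner(msg, int(e.group(2)))["declared_error"] = True
        elif (e := REPORT_RE.match(text)):
            msg["missing_reports"].append(e.group(1))
        elif (e := VERDICT_RE.match(text)):
            msg["verdict"] = e.group(1)

    # A scanner failed if the log declared an error for it, or if its last
    # exit code is neither 0 (clean) nor one of its "virus found" codes.
    for msg in messages.values():
        for number, rec in msg["scanners"].items():
            accepted = {0} | set(virus_codes.get(number, {1}))
            last = rec["codes"][-1] if rec["codes"] else None
            rec["attempts"] = len(rec["codes"])
            rec["failed"] = rec["declared_error"] or last not in accepted
    return messages


def degraded(messages):
    """Return [(queue_id, [failed scanner numbers])] for messages where at
    least one scanner did not produce a usable result."""
    result = []
    for queue_id, msg in messages.items():
        failed = sorted(n for n, rec in msg["scanners"].items() if rec["failed"])
        if failed:
            result.append((queue_id, failed))
    return result


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for queue_id, failed in degraded(summary):
        msg = summary[queue_id]
        for number in failed:
            rec = msg["scanners"][number]
            print(f"{queue_id}: scanner {number} failed after "
                  f"{rec['attempts']} attempts, exit codes {rec['codes']}")
        print(f"{queue_id}: verdict line: {msg['verdict']}")
```

Run against a day's log, a non-empty result is worth an alert: the second scanner's exit code of 0 can hide the fact that the first one never ran.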
RE: [Declude.Virus] ClamAV 0.90.1-2 problems
The following was just posted to clamav-announce:

Original Message
From: Bri Bruns [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 2:43 PM
To: [EMAIL PROTECTED]
Subject: [clamav-announce] Problems with ClamAV/SOSDG For WIndows 0.90.1-1 and -2

Okay, been getting reports of people having problems with the 0.90.1 builds of ClamAV/SOSDG For Windows I've been releasing lately.

Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not quite sure how such an old version got into the build, but it is unreliable, and you probably are getting errors if you are using it.

0.90.1-2 is also having problems for some people, which I'm looking into now. I'm not sure of the cause, but there appears to have been a lot of underlying changes in ClamAV over the past few months.

For now, if you are having problems with -2, I suggest going back to 0.90-1, which you can grab from here: http://downloads.sosdg.org/clamav/clamav-0.90-1.exe And is known to work well for most people.

Please keep any bug reports for -2 coming in, as it's helping me narrow down the cause of the issues.

--
Brie Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org

___
ClamAV For Windows Announcement Mailing List
http://lists.sosdg.org/mailman/listinfo/clamav-announce
RE: [Declude.Virus] ClamAV 0.90.1-2 problems
A new version (0.90.1-3) was posted on the SOSDG web site. Bri Bruns told me that the --mbox parameter no longer works, so you should remove it from the line in your virus.cfg file before installing 0.90.1-3.

Gary

Original Message
From: Gary Steiner [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 3:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems

The following was just posted to clamav-announce:

Original Message
From: Bri Bruns [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 2:43 PM
To: [EMAIL PROTECTED]
Subject: [clamav-announce] Problems with ClamAV/SOSDG For WIndows 0.90.1-1 and -2

Okay, been getting reports of people having problems with the 0.90.1 builds of ClamAV/SOSDG For Windows I've been releasing lately.

Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not quite sure how such an old version got into the build, but it is unreliable, and you probably are getting errors if you are using it.

0.90.1-2 is also having problems for some people, which I'm looking into now. I'm not sure of the cause, but there appears to have been a lot of underlying changes in ClamAV over the past few months.

For now, if you are having problems with -2, I suggest going back to 0.90-1, which you can grab from here: http://downloads.sosdg.org/clamav/clamav-0.90-1.exe And is known to work well for most people.

Please keep any bug reports for -2 coming in, as it's helping me narrow down the cause of the issues.

--
Brie Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org

___
ClamAV For Windows Announcement Mailing List
http://lists.sosdg.org/mailman/listinfo/clamav-announce
re: [Declude.Virus] Virus notifications
What do you mean by virus notifications? Email from some mailing list? Updates to your anti-virus definitions?

Gary

Original Message
From: Dan Shadix [EMAIL PROTECTED]
Sent: Wednesday, March 28, 2007 6:55 PM
To: declude.virus@declude.com declude.virus@declude.com
Subject: [Declude.Virus] Virus notifications

Since switching to SmarterMail, I haven't been receiving virus notifications. Can someone give me a quick fix?

Thanks in advance,
Dan
RE: [Declude.Virus] Temp files ClamAV Windows not deleting
We've always used the SOSDG port of ClamAV with little problem. The current version is quite stable. We have it on a W2K3 server using runclamd and runclamscan.

http://www.sosdg.org/clamav-win32

This is also the same version that SmarterMail has incorporated into their 4.x release.

I don't know if this is relevant or not, but a problem I ran into a while back was while installing the ClamAV port, it was installed from an administrator account that wasn't THE Administrator account. It created some permissions problems that were solved by uninstalling then reinstalling using the main Administrator account.

Original Message
From: Jared Pickerell [EMAIL PROTECTED]
Sent: Tuesday, April 17, 2007 6:29 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Temp files ClamAV Windows not deleting

I'm running into the same problem. I ended up with a server out of hard drive space before I figured out what was going on. What can you do to let Declude/ClamWin delete them in the first place? As the administrator I can already delete the folders/files after the fact, but that doesn't solve the problem. Who needs to have ownership of the temp directory for Declude/ClamWin to delete these on its own?

Also ClamWin was using very high CPU. Is ClamWin known for high CPU usage? With the temp files not deleting and the high CPU utilization, I ended up just removing ClamWin as one of the scanners. When the AVG fix came out it wasn't really an issue, but I would like to use Clam as a secondary scanner if possible? Any thoughts?

Thanks
Jared

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, April 17, 2007 1:58 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Temp files ClamAV Windows not deleting

You need to take ownership of the files as the administrator and then you can delete them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, April 17, 2007 2:41 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Temp files ClamAV Windows not deleting

Hi;

I am having problem with viruses not being deleted from the temp directory when using the ClamWin - the following is the config entries:

# CLAM- 1st Scanner
#SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=C:\Progra~1\ClamWin\db --tempdir=c:\Temp --no-summary -l report.txt
#VIRUSCODE1 1

Any idea what I can do to have the virus files deleted from C:\temp?

Thanks
-Kami
[Declude.Virus] new virus with .rar attachment
I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of

Virus Activity Detected!
Spyware Alert!

It contains a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED].

http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be blocking these?
[Declude.Virus] re: new virus with .rar attachment
As a followup to this, in my virus.cfg I have BANEXT EZIP. Shouldn't this have caught the password-protected .rar file? Declude passed the message to SmarterMail without holding it. I'm running Declude 4.3.46.

Original Message
From: Gary Steiner [EMAIL PROTECTED]
Sent: Wednesday, April 25, 2007 1:31 PM
To: declude.virus@declude.com
Subject: new virus with .rar attachment

I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of

Virus Activity Detected!
Spyware Alert!

It contains a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED].

http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be blocking these?
re: [Declude.Virus] new virus with .rar attachment
ClamAV is now picking this up as Email.Phishing.RB-686

Original Message
From: Gary Steiner [EMAIL PROTECTED]
Sent: Wednesday, April 25, 2007 1:48 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus with .rar attachment

I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of

Virus Activity Detected!
Spyware Alert!

It contains a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED].

http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be blocking these?
[Declude.Virus] ClamAV lstat() failed. ERROR
In pursuing the problem of the new worm with a password-protected RAR file, I found a problem with ClamAV. I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with runclamd and runclamscan). Declude uses the following string:

C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

If I try to use it at a command prompt, I get the lstat() failed error. If I type in the full path for my command string, such as

C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

it works. The problem is that Declude scans a file in a different directory each time, so the path changes. So for Declude to work now, it would require a significant change in Declude. But ClamAV worked before. What changed? Can it be changed back? Is this a problem with ClamAV in general, or just with the SOSDG Windows port? Do the other ClamAV ports have this problem?

Any suggestions you might have are greatly appreciated.

Gary Steiner
RE: [Declude.Virus] ClamAV lstat() failed. ERROR
I'll try to be more specific. What I have in my virus.cfg file is essentially what has been posted here on the list by several different people as the accepted info to put in the file.

SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND

So I should be able to type the following at a command prompt and have it work:

C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt 123456789.eml

It used to work, but now it doesn't. It generates the lstat error. After some experimentation, I found that typing the following does work:

C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

and so does this:

C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt C:\temp\123456789.eml

In setting virus.cfg to DEBUG, it shows Declude creating the long pathname. But since it deletes the report.txt file, I can't see what is being generated.

When I reprocess the new RAR file worm, the Declude log lines show ClamAV giving a return code of zero. When I do it from the command prompt, ClamAV says Email.Phishing.RB-686 FOUND. When I test another message that is an image spam that is picked up by the Sanesecurity phishing files, Declude finds it with ClamAV, and ClamAV finds it using the command prompt. So maybe this problem and the lstat error are unrelated.

Original Message
From: Andy Schmidt [EMAIL PROTECTED]
Sent: Wednesday, April 25, 2007 8:33 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV lstat() failed. ERROR

Gary,

I'm not sure I understand your point. What you define in Virus.cfg, e.g.:

SCANFILE C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD D:\IMAIL\Declude\SCAN.CFG

is only the START of the command line, to which Declude appends the full path for the file it tries to scan.

So, if you defined:

SCANFILE C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

and the Declude is processing the file c:\temp\123456789.eml then it would issue the command

c:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt c:\temp\123456789.eml

I recommend you turn on the debug mode for Declude virus and then inspect the relevant lines of the log (or send them to the list so that we can take a look at it). Obviously, you'd also need to share your virus.cfg configuration so that we understand the context.

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Wednesday, April 25, 2007 6:39 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV lstat() failed. ERROR

In pursuing the problem of the new worm with a password-protected RAR file, I found a problem with ClamAV. I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with runclamd and runclamscan). Declude uses the following string:

C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

If I try to use it at a command prompt, I get the lstat() failed error. If I type in the full path for my command string, such as

C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

it works. The problem is that Declude scans a file in a different directory each time, so the path changes. So for Declude to work now, it would require a significant change in Declude. But ClamAV worked before. What changed? Can it be changed back? Is this a problem with ClamAV in general, or just with the SOSDG Windows port? Do the other ClamAV ports have this problem?

Any suggestions you might have are greatly appreciated.

Gary Steiner
RE: [Declude.Virus] new virus with .rar attachment
Basically that is what ClamAV is doing. It detects it as a phishing spam.

Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 6:11 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus with .rar attachment

Gary, you beat them by a day with your own assessment, but Symantec blogged about this virus twice today:

http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html

An interesting point is that they have blocked 1.2 million messages by tackling the text of the message as spam.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Wednesday, April 25, 2007 10:31 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus with .rar attachment

I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of

Virus Activity Detected!
Spyware Alert!

It contains a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED].

http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be blocking these?
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
It's not that difficult. The legitimate messages with rar attachments are big (usually 10MB and up) so it's not hard to separate them from the image spam and common viruses being held in the virus directory.

As mentioned by Craig in an earlier post, it would be nice if Declude added the capability to skip banning on files of large size.

Original Message
From: John T (lists) [EMAIL PROTECTED]
Sent: Friday, April 27, 2007 3:56 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar files. Unfortunately some of my customers regularly send rar attachments, so I've had to check the virus hold directory on a regular basis and manually resubmit any false positives there.

Gary

Instead of manually checking for legit files, use the BANEXT.eml file to send a postmaster message that you get and/or the recipient and/or sender get and that notice can be reviewed a lot easier than manually checking the hold directory.

John T
re: [Declude.Virus] Interesting notes on recent virus activity from Kaspersky
Or does this show that there are too many people out there who don't have anti-virus software on their computers?

Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Tuesday, May 01, 2007 1:11 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Interesting notes on recent virus activity from Kaspersky

http://www.viruslist.com/en/weblog?calendar=2007-04

For example, here is point 8 of 10:

* Most Common Malicious Program in Email Traffic - Email-Worm.Win32.NetSky.q http://www.viruslist.com/en/viruses/encyclopedia?virusid=22760, which has been around for years, but still managed to account for 14% of all malicious email traffic in March, which just goes to show that the older malware is still going strong.

Andrew.
RE: [Declude.Virus] re: new virus with .rar attachment
So, how's the investigation going?

Original Message
From: David Barker [EMAIL PROTECTED]
Sent: Wednesday, April 25, 2007 6:43 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] re: new virus with .rar attachment

Not sure if it is a bug just yet, I have submitted it for investigation.

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Wednesday, April 25, 2007 6:28 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] re: new virus with .rar attachment

Yes, junkmail is scanning before virus.

I was referring to http://manuals.declude.com/proconlinehelp/eva_4.0.8_automatically_banning_all_encrypted_archive_files.htm

According to the manual, BANEXT EZIP should also pick up password protected RAR files.

I've just been told by Declude support that the failure to pick up the password-protected RAR file is a bug, and that they are working on fixing it.

Original Message
From: John T [EMAIL PROTECTED]
Sent: Wednesday, April 25, 2007 5:41 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] re: new virus with .rar attachment

Only if you also have BANEXT rar. Do you have junkmail scanning before virus?

John T

-Original Message-
From: Gary Steiner [EMAIL PROTECTED]
Sent 4/25/2007 10:44:37 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] re: new virus with .rar attachment

As a followup to this, in my virus.cfg I have BANEXT EZIP. Shouldn't this have caught the password-protected .rar file? Declude passed the message to SmarterMail without holding it. I'm running Declude 4.3.46.

Original Message
From: Gary Steiner [EMAIL PROTECTED]
Sent: Wednesday, April 25, 2007 1:31 PM
To: declude.virus@declude.com
Subject: new virus with .rar attachment

I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of

Virus Activity Detected!
Spyware Alert!

It contains a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED].

http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be blocking these?
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
I am confused as to how this would work, as BANEXT RAR in EVA will hold those files regardless of the weight.

Has anyone worked out a way to ban small RAR files that would contain the virus, and pass large RAR files that most likely would not? I'm trying to find a work around until Declude figures out how to detect encrypted RAR files. Right now I'm banning all RAR files, then have to go in and manually re-submit the legitimate RAR files that my customers are sending.

Gary

Original Message
From: David Barker [EMAIL PROTECTED]
Sent: Friday, April 27, 2007 5:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

You may be able to do something with the MSGSIZE test in conjunction with AVAFTERJM ON eg.

SIZE-10MB msgsize 10240 x -50 0

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Friday, April 27, 2007 4:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

It's not that difficult. The legitimate messages with rar attachments are big (usually 10MB and up) so it's not hard to separate them from the image spam and common viruses being held in the virus directory.

As mentioned by Craig in an earlier post, it would be nice if Declude added the capability to skip banning on files of large size.

Original Message
From: John T (lists) [EMAIL PROTECTED]
Sent: Friday, April 27, 2007 3:56 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar files. Unfortunately some of my customers regularly send rar attachments, so I've had to check the virus hold directory on a regular basis and manually resubmit any false positives there.

Gary

Instead of manually checking for legit files, use the BANEXT.eml file to send a postmaster message that you get and/or the recipient and/or sender get and that notice can be reviewed a lot easier than manually checking the hold directory.

John T
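An added example, not part of the thread and not Declude's code: the workaround discussed above bans every .rar by extension, while the condition the posters actually care about is a password-protected archive. This Python sketch reads the RAR 4.x header flags of each attachment in an .eml file (recognised by magic bytes, not by filename) and holds anything encrypted or unparseable; the function names, sample archives and sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

RAR4_MARKER = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x signature
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"   # RAR 5 signature (different layout)
MAIN_HEAD, FILE_HEAD = 0x73, 0x74        # RAR4 block types
MHD_PASSWORD = 0x0080   # main-header flag: all following headers are encrypted
LHD_PASSWORD = 0x0004   # file-header flag: this file's data is encrypted
LONG_BLOCK = 0x8000     # a 4-byte data size follows the 7-byte base header


def rar_encryption(data):
    """Classify a RAR blob as 'headers', 'files', 'none' or 'unknown'.

    Header CRCs are not verified; 'unknown' covers RAR5, truncated or
    corrupt input, so the caller can fail closed.
    """
    if not data.startswith(RAR4_MARKER):
        return "unknown"
    pos = len(RAR4_MARKER)
    saw_file = False
    while pos + 7 <= len(data):
        _crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            return "unknown"            # corrupt header: do not guess
        if head_type == MAIN_HEAD and flags & MHD_PASSWORD:
            return "headers"            # even the file names are unreadable
        if head_type == FILE_HEAD:
            if flags & LHD_PASSWORD:
                return "files"
            saw_file = True
        add_size = 0
        if flags & LONG_BLOCK:          # skip the packed data after the header
            if pos + 11 > len(data):
                return "unknown"
            (add_size,) = struct.unpack_from("<I", data, pos + 7)
        pos += head_size + add_size
    return "none" if saw_file else "unknown"


def triage_message(raw_eml):
    """Return (filename, state, verdict) for every MIME part that is a RAR."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        blob = part.get_payload(decode=True) or b""
        if not blob.startswith(b"Rar!\x1a\x07"):    # magic, not extension
            continue
        state = rar_encryption(blob)
        verdict = "release" if state == "none" else "hold"
        results.append((part.get_filename(), state, verdict))
    return results


def sample_rar(encrypted, name=b"patch.exe", body=b"\x00" * 16):
    """Constructed RAR4 skeleton: real header layout, dummy CRCs and data."""
    main = struct.pack("<HBHHHI", 0, MAIN_HEAD, 0, 13, 0, 0)
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    file_head = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, flags,
                            32 + len(name), len(body), len(body),
                            2, 0, 0, 29, 0x30, len(name), 0x20)
    return RAR4_MARKER + main + file_head + name + body


def sample_rar_hidden_headers():
    """Constructed RAR4 whose main header says the block headers are encrypted."""
    main = struct.pack("<HBHHHI", 0, MAIN_HEAD, MHD_PASSWORD, 13, 0, 0)
    return RAR4_MARKER + main + b"\xaa" * 48


def sample_eml(attachment, filename):
    """Constructed message carrying one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Virus Activity Detected!"
    msg.set_content("constructed test message")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for eml in (sample_eml(sample_rar(True), "patch.gif"),       # renamed archive
                sample_eml(sample_rar(False), "drawings.rar"),
                sample_eml(sample_rar_hidden_headers(), "fix.rar")):
        print(triage_message(eml))
```

Because the check keys on the archive's own flags, a small unencrypted RAR that the scanners can open is released, while an encrypted one is held even when it has been renamed.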
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
I received a message over the weekend from Declude stating that my ticket on this issue has been closed. When I read it, I assumed this meant that Declude has fixed the bug and has released a version that is now able to detect encrypted RAR files. When will we be able to download this newly fixed version?

Gary Steiner

Original Message
From: David Barker [EMAIL PROTECTED]
Sent: Wednesday, May 02, 2007 4:19 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

Yes I apologize I only realized the next day (Saturday) that this would not work because the message will be scanned if it is under a HOLD or DELETE threshold.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Wednesday, May 02, 2007 4:03 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

I am confused as to how this would work, as BANEXT RAR in EVA will hold those files regardless of the weight.

Has anyone worked out a way to ban small RAR files that would contain the virus, and pass large RAR files that most likely would not? I'm trying to find a work around until Declude figures out how to detect encrypted RAR files. Right now I'm banning all RAR files, then have to go in and manually re-submit the legitimate RAR files that my customers are sending.

Gary

Original Message
From: David Barker [EMAIL PROTECTED]
Sent: Friday, April 27, 2007 5:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

You may be able to do something with the MSGSIZE test in conjunction with AVAFTERJM ON eg.

SIZE-10MB msgsize 10240 x -50 0

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Friday, April 27, 2007 4:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

It's not that difficult. The legitimate messages with rar attachments are big (usually 10MB and up) so it's not hard to separate them from the image spam and common viruses being held in the virus directory.

As mentioned by Craig in an earlier post, it would be nice if Declude added the capability to skip banning on files of large size.

Original Message
From: John T (lists) [EMAIL PROTECTED]
Sent: Friday, April 27, 2007 3:56 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar files. Unfortunately some of my customers regularly send rar attachments, so I've had to check the virus hold directory on a regular basis and manually resubmit any false positives there.

Gary

Instead of manually checking for legit files, use the BANEXT.eml file to send a postmaster message that you get and/or the recipient and/or sender get and that notice can be reviewed a lot easier than manually checking the hold directory.

John T
[Declude.Virus] OT: Prevx and malware detection
Does anyone have any experience with Prevx for malware detection? I've been looking at different products and after googling this one seems to be well recommended.

I was playing around with Windows Defender, but since it is a beta, I'm not sure how serious Microsoft is taking it at this point.

Gary Steiner
re: [Declude.Virus] ClamAV with a strong aroma
I'm using the SOSDG port which is currently at version 0.90.3-3c and have not encountered the problem you describe. Then again, I'm also using SmarterMail, so don't know if this may be an IMail compatibility problem.

Original Message
From: John Shacklett [EMAIL PROTECTED]
Sent: Tuesday, June 26, 2007 8:25 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ClamAV with a strong aroma

Is anyone using ClamWin 0.90.2.1 with Declude AV? I was, using the following line from the virus.cfg:

SCANFILE4 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=C:\Docume~1\AllUse~1\.clamwin\db --tempdir=C:\PROGRA~1\IPSWITCH\IMAIL\Declude\Scanners\ClamAV --no-summary -l report.txt

All of a sudden last week, it started filling my C:\PROGRA~1\IPSWITCH\IMAIL\Declude\Scanners\ClamAV folder with *.clamtmp folders that wouldn't clear [and chewed up 100GB of free space in a couple of days], and I also started getting did not finish in time messages in the vir.logs, and it threw my CPU usage to 100% constantly.

I commented clam back out and the performance went right back to normal. Has anyone else seen anything unusual with clamav performance recently?

John S.
re: [Declude.Virus] bit OT: RunClamD on 64 Bit Windows 2003?
Don't know if this relates to your situation, but hope it helps. I ran into a problem similar to this, but on a 32-bit machine. It was caused when the software was installed with an account that had administrator privileges, but not THE Administrator account. So possibly you are looking at some type of permissions problem.

Gary

Original Message
From: Hirthe, Alexander [EMAIL PROTECTED]
Sent: Thursday, March 20, 2008 3:42 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] bit OT: RunClamD on 64 Bit Windows 2003?

Hello,

has anyone tried runclamd on 64 Bit Windows 2003? I can't get it to work :-/

---
03-20-2008 11:15:39Status: 2
03-20-2008 11:15:39 SERVICE_START_PENDING
03-20-2008 11:15:39Status: 4
03-20-2008 11:15:39 startfailed 0
---

That's the only error I'm getting. Nothing in /log, nothing in the eventlog, just this startfailed. The Service RunClamD is running, but ClamD does not work (no log and clamdscan says can't connect to ClamD)

I tried the one I got from my IMail / Declude installation (on 32 Bit 2003 Server), I tried the one from ClamAV (\clamav-devel\thirdparty\runclamd\runclamd.exe)

Same error. It's running on the 32 Bit machines, so I think (hope :) it could be the 64 Bit OS and not me :))

If I start ClamD from the command line it works. Path is correct, Logfile could be written, Security is ok. I don't know, what else it should be.

Alex

Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Executive Board: Prof. H.-F. Siller (Chairman), Joern Buelow, Ralf Michi
Chairman of the Supervisory Board: Armin Sohler
Registration court: Stuttgart, HRB 107707, VAT ID No. DE145782955
re: [Declude.Virus] ClamAV
I've been using the SOSDG version of ClamAV (http://www.sosdg.org/clamav-win32) with no problem. This is the same version/port of ClamAV that SmarterMail ships with their product. The trick is setting it up to run as a service with runclamscan and runclamd. These are included with ClamAV in the thirdparty directory.

This is what I have in virus.cfg:

SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND

Original Message
From: Bonno Bloksma [EMAIL PROTECTED]
Sent: Thursday, June 05, 2008 1:45 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ClamAV

Hi,

Been using the old F-prot v3 as a second scanner but I disabled it today. As the new F-prot 6 scanner is not allowed with Declude, well sort of but I don't want to pay that much ;-) I wanted to use ClamAV as an extra scanner. In the past it was a bit difficult I seem to remember but

Is it really as easy as 1-2-3 today?

Go to http://w32.clamav.net/ and download
- The Windows msi file
- The initial virus signatures
- Pthreads (I seem to need it).

Install the msi

Copy the initial signature files to C:\Program Files\clamAV\data or something like it.

But then

Make sure the sig files are updated... but how?

Let Declude (according to http://www.declude.com/searchresults.asp?Cat=124) call ClamAV using:

SCANFILE [Drive:]\[Path]\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt

Which would probably translate to

SCANFILE C:\Program Files\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt

or would

SCANFILE C:\IMail\Declude\Scanners\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt

be a better solution. There is also a clamscam.txt file in the C:\IMail\declude\scanners\ClamAV directory that seems to suggest something else.

So where is a HOWTO to get it up and running with Declude? I'm sure I'm not the first to look at the combination, so how did YOU do it. :-)

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
RE: [Declude.Virus] ClamAv with Declude
There is an announcement on the SOSDG web site saying they will no longer support their version of ClamAV. http://www.sosdg.org/clamav-win32

Is anyone using a different port of ClamAV with Declude? Has anyone had success with http://www.clamwin.com/ ?

Original Message
From: Scott Fisher sfis...@farmprogress.com
Sent: Monday, December 29, 2008 7:39 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAv with Declude

I use the runclamscan program to call clamav. Here's my virus.cfg lines

SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Sunday, December 28, 2008 11:29 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAv with Declude

On Dec 28, 2008, at 8:36 AM, Hirthe, Alexander wrote:
http://www.mail-archive.com/declude.virus@declude.com/msg14082.html

Ok, thanks for the excellent beginning ...
I'm using the Clamav-win32 from sosdg.org
Freshclam installed all the latest files just fine
Got it all installed ... but something still not working:

(1) I got clamd installed as a service
(2) In my virus.cfg I have
scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
viruscode 1
report FOUND
(3) In my logs it reports
Could Not Parse String FOUND in report.txt
Error 2 in virus scanner 1
Scanned: Error in Virus scanner [MIME: 1 991]

- So I'm assuming I need another type code or way for freshclam to exit cleanly if it doesn't find a virus?

David
RE: [Declude.Virus] ClamAv with Declude
Here is a comment by the SOSDG ClamAV author on the SmarterMail forum: http://www.smartertools.com/forums/p/22257/59718.aspx#59718

Original Message
From: Gary Steiner decludei...@plusultraweb.com
Sent: Monday, December 29, 2008 3:20 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAv with Declude

There is an announcement on the SOSDG web site saying they will no longer support their version of ClamAV. http://www.sosdg.org/clamav-win32

Is anyone using a different port of ClamAV with Declude? Has anyone had success with http://www.clamwin.com/ ?

Original Message
From: Scott Fisher sfis...@farmprogress.com
Sent: Monday, December 29, 2008 7:39 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAv with Declude

I use the runclamscan program to call clamav. Here's my virus.cfg lines

SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Sunday, December 28, 2008 11:29 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAv with Declude

On Dec 28, 2008, at 8:36 AM, Hirthe, Alexander wrote:
http://www.mail-archive.com/declude.virus@declude.com/msg14082.html

Ok, thanks for the excellent beginning ...
I'm using the Clamav-win32 from sosdg.org
Freshclam installed all the latest files just fine
Got it all installed ... but something still not working:

(1) I got clamd installed as a service
(2) In my virus.cfg I have
scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
viruscode 1
report FOUND
(3) In my logs it reports
Could Not Parse String FOUND in report.txt
Error 2 in virus scanner 1
Scanned: Error in Virus scanner [MIME: 1 991]

- So I'm assuming I need another type code or way for freshclam to exit cleanly if it doesn't find a virus?

David
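Added example, not part of the thread and not Declude's or ClamAV's own code: clamscan and clamdscan document three exit codes (0 no virus, 1 virus found, 2 error), so anything wrapping the virus.cfg settings quoted above has to keep "error" distinct from "clean". The sketch below combines the exit code with the "FOUND" lines of the report and fails closed when they disagree; the function names, the spool path and the sample report text are constructed for illustration.

```python
import re

# Exit codes documented in the clamscan/clamdscan man pages
# (2 means the scan itself failed and is handled as an error below).
EXIT_CLEAN, EXIT_INFECTED = 0, 1

# A detection line in a ClamAV log reads "<path>: <signature> FOUND".
FOUND_LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")


def parse_report(report_text):
    """Return (path, signature) for every detection line in the report."""
    hits = []
    for line in report_text.splitlines():
        match = FOUND_LINE.match(line)
        if match:
            hits.append((match.group("path"), match.group("sig")))
    return hits


def classify(exit_code, report_text):
    """Return ('clean' | 'infected' | 'error', hits).

    Fails closed: an exit code and report that disagree, or any exit code
    other than 0 or 1, is an error rather than a clean result.
    """
    hits = parse_report(report_text)
    if exit_code == EXIT_INFECTED and hits:
        return "infected", hits
    if exit_code == EXIT_CLEAN and not hits:
        return "clean", hits
    return "error", hits


# Constructed sample inputs (not taken from the thread).
SAMPLE_INFECTED = "C:\\IMail\\spool\\D0001.SMD: Eicar-Test-Signature FOUND\n"
SAMPLE_EMPTY = ""  # a report with no detection lines

if __name__ == "__main__":
    for code, report in [(1, SAMPLE_INFECTED), (0, SAMPLE_EMPTY),
                         (2, SAMPLE_EMPTY), (0, SAMPLE_INFECTED)]:
        print(code, classify(code, report))
```

A message whose scan ends in "error" should be held or rescanned by another engine rather than delivered as clean.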
[Declude.Virus] ClamAv / ClamWin with Declude
What version or port of ClamAV are you using with Declude?

I've been reading on the SmarterTools forums about the problems with ClamWin, and was wondering if the majority are using this port or a different one?

SmarterTools has been referring people to this link:
http://www.h-online.com/open/news/item/Free-ClamWin-virus-scanner-moves-most-of-Windows-into-quarantine-1139430.html

Which port of ClamAV does Declude recommend?