[Declude.Virus] MIME segment in MIME Preamble - WHERE?

2011-06-22 Thread Andy Schmidt
Hi,



Supposedly it's in line 22, layer1:

Outlook 'MIME segment in MIME Preamble' vulnerability in line 22 layer 1
[Content-Type: multipart/altern]



Attached is the original SMD file from the /Virus folder.



I'd like to educate the other side as to what's wrong with their email - but
I fail to see it myself (other than possibly the  in the message ID - but
that's way earlier than line 22 and not in the MIME preamble.)



Best Regards,

Andy






---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.


D8592de5b45a5.smd
Description: Binary data


RE: [Declude.Virus] mc afee 8.7 not scanning

2010-12-20 Thread Andy Schmidt
The new virus scanner command line version now uses compressed virus
signature and clean files etc. 

It's intended for the occasional one-time use for a situation where the
command line is the only option and where you wouldn't mind to wait a minute
or two for the uncompressing to be complete.

There IS a way how you can uncompress a new virus signature file every time
you download an updated one. Then, the command line tool won't have to do it
each and every time.

If you're lucky, that might just be fast enough for Declude to cope.

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
bernd.goebb...@it.nrw.de
Sent: Monday, December 20, 2010 3:23 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] mc afee 8.7 not scanning

hello,

we just updated our mcafee virus-scanner from 7.? to 8.7. 

after installing the virus scan commandline 6.00.1 we are catching NO
viruses!

we did not change the virus.cfg except for the path - now it looks like
this:

SCANFILE c:\mcafee\scan.exe /ALL /NOMEM /NOBREAK /UNZIP /NODDA /NOBEEP /SILENT /REPORT report.txt
VIRUSCODE 13
REPORT Found

here's a snap out of our virus.log:

12/19/2010 23:56:29.176 q893d01763439.smd  Vulnerability flags = 28
12/19/2010 23:59:20.908 q893d01763439.smd  Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:31.239 q893f01763449.smd  Vulnerability flags = 28
12/19/2010 23:59:19.283 q893f01763449.smd  Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:35.207 q894000d9345c.smd  Vulnerability flags = 28
12/19/2010 23:59:20.689 q894000d9345c.smd  ERROR: Virus scanner 1 didn't finish after 120 seconds; terminating.
12/19/2010 23:59:20.689 q894000d9345c.smd  Couldn't delete E:\IMail\spool\proc\work\D894000d9345c.vir\report.txt: 32. Error String: [Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.]
12/19/2010 23:59:50.705 q894000d9345c.smd  Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:35.488 q894001763459.smd  Vulnerability flags = 28
12/19/2010 23:59:21.252 q894001763459.smd  ERROR: Virus scanner 1 didn't finish after 120 seconds; terminating.
12/19/2010 23:59:21.252 q894001763459.smd  Couldn't delete E:\IMail\spool\proc\work\D894001763459.vir\report.txt: 32. Error String: [Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.]
12/19/2010 23:59:51.298 q894001763459.smd  Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:55.848 q894300dc3481.smd  Vulnerability flags = 28
12/19/2010 23:59:21.424 q894300dc3481.smd  Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:55.754 q89430176347c.smd  Vulnerability flags = 28
12/19/2010 23:59:17.580 q89430176347c.smd  Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:57:44.222 q894301c9347d.smd  Vulnerability flags = 28
12/20/2010 00:00:07.408 q894301c9347d.smd  Scanned: Virus Free [MIME: 2 40736]

the error string says that the file can't be accessed because it's used by
something else.

our on-access scanner is deactivated for e:\ and its subdirectories.

does anyone know if we did something wrong?

greetings

bernd goebbels
it.nrw.de

---
[This E-mail was scanned by Declude]





[Declude.Virus] Need Help - How to Rescan Messages

2010-09-15 Thread Andy Schmidt
Hi,

 

I had an issue overnight that caused many hundreds of messages to be moved
to the /Spool/Virus folder (Q* and D* pairs) and to the /Spool/Proc/Review
folder (Q* files only).

 

Question - how do I cause these files to be rescanned (as some may be REAL
Trojans).

 

Where do I move Q/D pairs from the /Spool/Virus folder? Do I move the D
file to the /Spool folder and the Q file to the /Spool/Proc folder? Or do
I move BOTH the Q & D file to the /Spool/Proc folder?

 

What about the Q files in the /Spool/Proc/Review folder - do I just move
them to /Spool/Proc, or to /Spool/Proc/Work?

I checked one file and it seems the matching D file was in the
/Spool/Proc/Work folder!

 

Best Regards,

Andy





[Declude.Virus] AVG reports SPAM as VIRUS!

2010-05-12 Thread Andy Schmidt
Hi,

 

For the past few days, I'm seeing AVG suddenly reporting a virus SPAM:

 

 


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 19,499
Virus Infected Messages: 232
Percentage Infected: 1.19%

VIRUS    # INFECTED    PERCENTAGE
SPAM     232           1.19%



 

resulting in these SMTP headers:

 

X-Declude-Virus: Detected Spam [from IP 41.218.0.202 ([No Reverse DNS])].

 

and these reports:

 

q061a000274936c02.smd AVG Reports VIRUS: Spam

q061a000274936c02.smd File(s) are INFECTED [Spam: 7]

q061a000274936c02.smd Scanned: CONTAINS A VIRUS [MIME: 1 424]

q061a000274936c02.smd From: bloodiest...@rcbassociats.com To:
elopre...@??? [incoming from 41.218.0.202]

q061a000274936c02.smd Subject: Please attention!

 

This causes a whole bunch of problems, e.g.

 

a)  I am unable to 'weigh' this Spam with other factors BEFORE it gets
blocked. 

b)  It bypasses the WhiteList feature (from the user's Webmail
Contacts)

c)   It's treated like a Virus, hundreds of the configured virus
notices are being emailed, etc.

 

While I'm certainly in favor of any additional SPAM detection - but then it
needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just
dumped into the regular virus handling!

 

If AVG reports to Declude the virus name Spam, then Declude MUST recognize
that and NOT treat it like a virus (or at least give us a config option NOT
to.)

 

Best Regards,

Andy

 

 

 




RE: [Declude.Virus] AVG reports SPAM as VIRUS!

2010-05-12 Thread Andy Schmidt
Dave,

 

I'm aware it's integrated in Declude Virus - that's why I chose the CORRECT
list to discuss this.

I referenced Declude Junkmail, because IF AVG is now reporting SPAM, then
THAT part SHOULD be handled as part of Declude Junkmail NOT as Declude
Virus.

 

I choose to use the list, whenever I have expended some time to track down a
situation and realize that this will affect all users and thus will save
everyone time from working on the same issue. That's the whole point of the
list!

 

Consequently, whenever AVG stops working altogether (which was doubted both
times when I discovered it - until eventually it was determined to have been
a problem after all), I will continue to report this on the list, because
everyone needs to be aware that their internal scanner may be
non-functioning for extended periods of time. The alternative would be for
Declude to post an alert!

 

When I notice that the Sniffer implementation has objectively incorrect or
incomplete sample files, or have sample files that don't make it obvious
that some IP based results will be triple-counted, then I feel justified in
discussing this on the list as this will benefit OTHER users who don't have
to re-learn what took me days to figure out.

 

I will post on the list whenever I'm hoping to solicit feedback from a
broader audience, to see if a situation I encountered was isolated or
turns out to be more widespread.

 

I will contact support@ whenever I suspect that I may have an isolated
problem that needs to be analyzed first.

 

In my opinion, I usually use the appropriate venue. But I accept that you
may disagree and prefer that the list is quiet.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, May 12, 2010 10:59 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG reports SPAM as VIRUS!

 

Andy,

 

AVG is not integrated with Declude JM, this is AVG reporting the name of the
virus as spam. 

 

Now, something may have changed that AVG is now detecting spam in their
signatures however we were not made aware of this by AVG I will look further
into this.

 

As much as we do appreciate your feedback which helps identify such
problems, in some things it may be more helpful to first approach
supp...@declude.com or myself dbar...@declude.com before engaging everyone
in the list, your assumptions of  PROPERLY IMPLEMENTED as part of Declude
JunkMail not just dumped into the regular virus handling! and  Declude MUST
recognize that and NOT treat it like a virus are rather harsh to be posting
to without having all the facts to begin with.

 

Thanks

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 12, 2010 10:39 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] AVG reports SPAM as VIRUS!
Importance: High

 

Hi,

 

For the past few days, I'm seeing AVG suddenly reporting a virus SPAM:

 

 


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 19,499
Virus Infected Messages: 232
Percentage Infected: 1.19%

VIRUS    # INFECTED    PERCENTAGE
SPAM     232           1.19%



 

resulting in these SMTP headers:

 

X-Declude-Virus: Detected Spam [from IP 41.218.0.202 ([No Reverse DNS])].

 

and these reports:

 

q061a000274936c02.smd AVG Reports VIRUS: Spam

q061a000274936c02.smd File(s) are INFECTED [Spam: 7]

q061a000274936c02.smd Scanned: CONTAINS A VIRUS [MIME: 1 424]

q061a000274936c02.smd From: bloodiest...@rcbassociats.com To:
elopre...@??? [incoming from 41.218.0.202]

q061a000274936c02.smd Subject: Please attention!

 

This causes a whole bunch of problems, e.g.

 

a)  I am unable to 'weigh' this Spam with other factors BEFORE it gets
blocked. 

b)  It bypasses the WhiteList feature (from the user's Webmail
Contacts)

c)   It's treated like a Virus, hundreds of the configured virus
notices are being emailed, etc.

 

While I'm certainly in favor of any additional SPAM detection - but then it
needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just
dumped into the regular virus handling!

 

If AVG reports to Declude the virus name Spam, then Declude MUST recognize
that and NOT treat it like a virus (or at least give us a config option NOT
to.)

 

Best Regards,

Andy

 

 

 



RE: [Declude.Virus] AVG reports SPAM as VIRUS!

2010-05-12 Thread Andy Schmidt
Dave - you are right! This appears to be a matter of poor labeling by AVG -
and has nothing to do with Declude.

 

I have since looked through a large sample of held emails and they either
are well crafted short Notices about a supposed change in SMTP, POP
settings - which even lists the person's email address, and a warning to
carefully read the enclosed instructions before making changes. Then
there is a link to a ZIP file (which likely will be a virus).

 

The other group of emails deals with a supposed non-deliverable DHL package
that one needs to pick up at the post office after printing the attached
label (with the link to a zip file).

 

All appears to be emails with links to malicious pages. In that respect, one
can't argue that Declude Virus is the appropriate place to catch that (but
then it's inconsistent for AVG to detect it with a label Spam).

 

You are further correct, that AVG has done a good job catching this one. I
ran it past ClamD and the latest McAfee hourly signature - and neither
flagged those emails.

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, May 12, 2010 12:20 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG reports SPAM as VIRUS!

 

Looks like it is part of their virus signatures, and the only line in the
email was: http://glunis.g**glegroups.com/web/setup.zip

 

We could request that they change the name. If not, we will have to make a
translation in our code to accommodate this.

 

File 45710617.eml received on 2010.05.12 16:16:29 (UTC)

Result: 1/41 (2.44%)




RE: [Declude.Virus] embedded AVG issue

2010-05-10 Thread Andy Schmidt
Hi Don,

 

Here's what I have in C:\Imail\

 

11/06/2008  12:49 PM        61,440 AvApiBit.dll
11/06/2008  12:49 PM        61,440 AvApiSym.dll
04/29/2010  04:13 PM       834,328 avgcerta.dll
04/29/2010  04:13 PM       623,384 avgcertx.dll
04/29/2010  04:13 PM     4,250,392 avgcorex.dll
04/29/2010  04:13 PM       312,320 avgsdk.dll
10/21/2005  10:43 AM        32,768 Declude.exe
04/29/2010  04:12 PM     2,318,428 decludeproc.exe

 

(You can disregard the dates/times, they just represent the time when I
copied those files).

 

Maybe do a

 

DIR C:\av*.dll  /s

 

to make sure you don't have any duplicates elsewhere.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
decl...@mail.net1media.com
Sent: Monday, May 10, 2010 7:28 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

 

David,

 

I was having this issue so I followed your directions below.  After
overwriting the current dlls, I could not get decludeproc to start.  I
determined that it was the avgsdk.dll that was in the newly downloaded zip
file that was the culprit.  I had to restore a previous version to get
everything working again.  I did notice that the new avgsdk.dll is
substantially smaller than the old version.

 

So  I am still having the issue originally described in the post.

 

Don

 

- Original Message - 

From: David Barker mailto:dbar...@declude.com  

To: declude.virus@declude.com 

Sent: Friday, May 07, 2010 1:25 PM

Subject: RE: [Declude.Virus] embedded AVG issue

 

We have seen this mostly with manual installs. Error: Could not start AVG
Instance (17) has to do with the DLL. Please contact supp...@declude.com if
you need assistance.

 

1.   Stop decludeproc
2.   Download http://interim.declude.com/41048/AVG-DLL.zip
3.   Extract and replace the dll files overwriting your current dlls.
4.   Start decludeproc
5.   If the error persists or you get error 2 or error 4
6.   Stop decludeproc
7.   Delete all files in \declude\scanners\avg\db\
8.   Start decludeproc this will initiate a new download of the AVG signatures

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

 

I thought I would check my virus logs which I have not done for a while.

 

It is not working.

 

See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

 

What could be the issue here?

 

Thank you

 

Please note our new Address

 

Harry Vanderzand

Intown Internet

740 Erbsville Road

Waterloo, On, N2J 3Z4

519-741-1222

 

DISCLAIMER: The information in this message is confidential and may be
legally privileged. It is intended solely for the addressee. Access to this
message by anyone else is unauthorised. If you are not the intended
recipient, any disclosure, copying,or distribution of the message, or any
action or omission taken by you in reliance on it, is prohibited and may be
unlawful. Please immediately contact the sender if you have received this
message in error. Thank you. 
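
The log excerpt in this thread and the one in the McAfee 8.7 thread earlier on this page show the same pattern: a scanner error for a message, followed by "Scanned: Virus Free" for that same message. The script below is an added example, not part of any post and not Declude code; it audits a virus.log for that pattern and for slow scans. The line layout is inferred from the excerpts, and `audit`, `Finding` and the 60-second threshold are assumptions.

```python
"""Audit a Declude-style virus.log for clean verdicts that follow scanner errors."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Lines copied from the two log excerpts on this page, with mail line wraps undone.
SAMPLE_LOG = """\
12/19/2010 23:56:29.176 q893d01763439.smd  Vulnerability flags = 28
12/19/2010 23:59:20.908 q893d01763439.smd  Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:35.207 q894000d9345c.smd  Vulnerability flags = 28
12/19/2010 23:59:20.689 q894000d9345c.smd  ERROR: Virus scanner 1 didn't finish after 120 seconds; terminating.
12/19/2010 23:59:50.705 q894000d9345c.smd  Scanned: Virus Free [MIME: 2 40736]
05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]
04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]
"""

# Assumed layout, inferred from the excerpts: timestamp, queue file name, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<qid>\S+\.smd)\s+(?P<msg>.*)$"
)
# Matches both "ERROR: Virus scanner 1 didn't finish ..." and "Error: Could not start ...".
ERROR_RE = re.compile(r"^error:", re.IGNORECASE)

# kind is "fail_open" or "slow_scan"; elapsed is seconds from first to last log line.
Finding = namedtuple("Finding", "qid kind elapsed errors")


def parse_log(text):
    """Group log events by queue file; returns {qid: [[timestamp, qid, message], ...]}."""
    events = defaultdict(list)
    last = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
            last = [ts, m["qid"], m["msg"].strip()]
            events[m["qid"]].append(last)
        elif raw.strip() and last is not None:
            # Continuation of a wrapped line (as in logs pasted into e-mail).
            last[2] += " " + raw.strip()
    return events


def audit(text, slow_seconds=60.0):
    """Return findings for messages whose final verdict is 'Virus Free' but which
    either logged a scanner error (fail_open) or took longer than slow_seconds."""
    findings = []
    for qid, evs in parse_log(text).items():
        evs.sort(key=lambda e: e[0])  # stable: equal timestamps keep file order
        verdicts = [e[2] for e in evs if e[2].startswith("Scanned:")]
        if not verdicts or not verdicts[-1].startswith("Scanned: Virus Free"):
            continue  # no verdict yet, or the message was caught
        errors = [e[2] for e in evs if ERROR_RE.match(e[2])]
        elapsed = (evs[-1][0] - evs[0][0]).total_seconds()
        if errors:
            findings.append(Finding(qid, "fail_open", elapsed, errors))
        elif elapsed > slow_seconds:
            findings.append(Finding(qid, "slow_scan", elapsed, []))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        detail = "; ".join(f.errors) if f.errors else "no error logged"
        print(f"{f.kind:9} {f.qid}  {f.elapsed:7.1f}s  {detail}")
```

Running it over a full day's log gives a list of messages that were logged as clean without a completed scan, which are the ones to pull back for rescanning.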

 

 



[Declude.Virus] RE: Internal (AVG Scanner) does NOT report file name

2010-05-03 Thread Andy Schmidt
Hi Dave (just in case this was overlooked in all the activity last week):

 

Considering that AVG is integrated INTO Declude, it should interface at
LEAST as good as any external scanner.

 

However, the virus bounce message filename variable is NOT set when a
virus is caught by AVG. Only the Virus Name variable is populated.
Obviously, Declude is AWARE of the file name, because when Declude passes
control to an external scanner next, then the infected file is reported
correctly. So there should be no good reason, why a virus caught by the
internal scanner would not report the filename!?

 

This is also evident in the LOG file. Here's the EICAR virus caught by AVG
in the .48 build. It only reports the virus name EICAR_Test.

 

04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
04/29/2010 22:22:20.277 qeae800cc0002.smd File(s) are INFECTED [EICAR_Test: 7]
04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]

 

If the SAME file is detected by an external scanner (in this case ClamAV) it
reports the virus name AND the file name:

 

04/28/2010 12:49:29.722 q6748c63e0425.smd Virus scanner 1 reports exit code of 1
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanner 1: Virus= Eicar-Test-Signature Attachment=eicar.zip [61] I
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 875]

 

The AVG integration should be improved to match the quality of integration
of external scanners.

 

Best Regards,

Andy




RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

2010-04-30 Thread Andy Schmidt
Hi Dave,

 

I guess the key question is - WHEN did AVG make the change. They released
Version AVG 9 last October. Is THAT when AVG made the database structure
change which disabled the internal Virus Scanner in Declude until 4.10.46
was made available as an interim? If so - I must have missed the big
announcement that 4.10.46 was critical to install (since there is no way of
knowing how many Declude customers are using secondary scanner and thus are
not fully exposed.).

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 4:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to
Reenable Virus Protection!

 

Mike,

 

I understand what the point of Andy's email is. I was commenting on
CommTouch/Zerohour does a good job, but does not catch all known viruses 

 

Yes AVG made a change to their database structure - Declude 4.10.46+ makes
use of their new data structure, this is integrated into the new release. In
order for Declude to work with the latest AVG updates one needs to be
running Declude version 4.10.46 or greater. If you have additional virus
scanners other than AVG or are running Commtouch then the move to the latest
version is not as imperative.


David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Biddle (via mobile device)
Sent: Friday, April 30, 2010 4:40 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to
Reenable Virus Protection!

 

Uhhh.. I am pretty sure that was not the point he was trying to make. While
no AV is 100 percent effective, there is no reason for it not to work for
days or weeks. It would appear that when core files with AVG are exploited,
AVG obviously pushed out a software update to their software and I assume it
needs manually implemented in Declude.

Some clarification on this matter would be great. 

Mike


From: David Barker dbar...@declude.com
Sent: Friday, April 30, 2010 10:21 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to
Reenable Virus Protection!

Andy is correct, it should be remembered that no AV is 100% accurate. This
is why besides AVG and Commtouch which are integrated into Declude users can
run up to 5 additional external virus scanners using Declude, and as seen
from the lists ClamAV is a good choice for a free scanner.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, April 29, 2010 11:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to
Reenable Virus Protection!

 

Declude Users - take note!

 

CommTouch/Zerohour does a good job, but does not catch all known viruses
(some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to
multiple users each!), it's absolutely imperative that AVG works if you
don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks
or possibly months it has not worked). I have confirmed that AVG is now
working again after I upgraded from 4.10.42-A to 4.10.48. So - I recommend
all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for
extended periods of time - and it's never discovered until I finally
insist. Naturally, I have zero confidence in the built-in scanner. It's
unreliable and there is no notification whenever it stops working.)

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com;
declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

 

The following release contains the following changes since 4.7.35 to the
current 4.10.48:

 

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44

RE: [Declude.Virus] ClamAV

2010-04-29 Thread Andy Schmidt
There really is no need for ClamAid, because the recent builds (including
oss.netfarm.it) already are able to install themselves as services, and the
additional ClamAid DLLs will be obsolete once you install the official
version.

So unless you need help adding the 3 lines to the Virus.cfg, ClamAid
probably makes things unnecessarily complicated...

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Thursday, April 29, 2010 2:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

 

In case this is helpful for someone else that isn't so great at rolling
their own Clams from the source code:

 

First, I installed ClamAID using the default options.  (SmarterMail /
Declude install for me)

 

http://www.armresearch.com/tools/arm/clamAID.jsp

 

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a
service and gets everything pointed and configured for Declude to use.  It
includes pthreadVC2.dll, but I don't know if it uses it once we replace the
files here in a bit, because...

...when FreshClam goes to update the DB, it mangles the DB dies, because
version 0.92 isn't supported anymore.

 

Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam
services and I commented out the lines it added in virus.cfg so I could get
it all running properly again.

 

I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and
extracted the files to a folder.  I grabbed all the .exe and .dll files and
replaced the old ones in \Program Files\Clam AV.  I edited \conf\clamd.conf
and commented out the deprecated MailFollowURLs on line 226.  I deleted the
files in \data\ and created a \db\.  I set the log levels in clamd.conf and
freshclam.conf to high so I could see things chugging along until I was
comfortable.  I hard set the database to \db\ in the conf files, and set
verbose logging.

 

I cranked up the services, and watched FreshClam download new profiles to
\db\.

 

Once the db was downloaded, I tested Clam from the command prompt as
described on the armresearch page, and everything looked like it was working
fine.

 

I uncommented the lines in Declude, restarted Declude, and watched it all
start humming.

 

Now I am just keeping an eye on things, and waiting for Clam to catch a
virus.

 

-- Michael Cummins

 

 

 



RE: [Declude.Virus] ClamAV

2010-04-29 Thread Andy Schmidt
Nothing really changed with the current version - other than making sure
that you have the proper version of the VC runtime installed. It absolutely
HAS to match - so it's worth mentioning as an installation step.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Thursday, April 29, 2010 6:05 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ClamAV

 

Michael,

I created a step-by-step guide a little over a year ago for the proper
installation.  It's pretty simple to do.  I can't say however if the steps
have changed in the latest release, and obviously the version that I linked
to is old now and should be updated.

So here are my abridged directions for a standard install.

1) You need 7zip installed (http://www.7-zip.org/), and to open files in
7zip, you open the file manager and double click the 7z or ZIP files.

2) Download the Current Stable code from http://oss.netfarm.it/clamav/
For Windows 32bit, it would be clamav-win32-0.94.2.7z

3) Create a directory structure with C:\ClamAV and also create a
sub-directory of C:\ClamAV\DB  Put the files from the above 7z file into
C:\ClamAV

4) Run C:\ClamAV\clamav.reg to put some directory entries into the registry.
These are by default pointing to the directory structure that I am using.

5) From a command prompt run C:\ClamAV\freshclam.exe
--datadir=C:\ClamAV\DB --daemon-notify  This will download the latest
definitions and let the service know to reload them if new ones are found.
You want to schedule a task to run this every 15 minutes (there is virtually
no load if no updates are available).  There is no need to install freshclam
as a service.

6) From a command prompt run C:\ClamAV\clamd --install  This will install
the ClamWin Free Antivirus Scanner Service  You then want to edit the
service properties to start automatically, and set your recovery options to
restart the service.

7) Download the ClamAV GUI Wrapper from http://oss.netfarm.it/clamav/  You
only need one file from this zip, ClamAV-GUI.exe, and you want to place that
in C:\ClamAV  This is a simple GUI for scanning files and directories and
can be useful.  You can create a short-cut for it if you want.

8) Configure Declude for ClamAV with the following (it is probably best to
have this as the first scanner since it is the fastest):

SCANFILE1  C:\ClamAV\ClamDScan.exe --quiet --no-summary -l report.txt
VIRUSCODE1 1
REPORT1.

9) Check your virus logs for Virus scanner 1 reports in order to verify
that it is running.


Note, if you want to use a non-default location, you will need to change the
location in the following three things (don't quote me on this)

1) clamav.reg
2) clamd.conf
3) The freshclam.exe --datadir argument

Matt




On 4/29/2010 4:14 PM, Michael Cummins wrote: 

The official download from Clam wouldn't install on my Windows 2003 box.  It
said it only supports Windows 7, Vista, told me to go pound sand, yada yada.

 

The stuff at oss.netfarm.it didn't come with very much in the way of
instructions, but the ClamAID stuff did and it was also familiar with
Declude so it gave me a warm and fuzzy feeling.  It also didn't look like
clamav-win32-0.96.7z was going to set up FreshClam as a service, or at least
didn't mention it, and I hate installing random product just to see what it
does.

 

Not dissing anything, just explaining why I chose it.   You're completely
right.  I'm completely clam-n00b.  I've never worked with ClamAV, don't know
its parts and pieces from a racoon skin hat, and was grateful to have a nice
page of instructions (thanks, ARM!), especially on how to test it before
configuring Declude. Also, the ClamAID example used the .conf file in
their Declude config, while the Declude example didn't.  I thought that was
handy, too.

 

It at least gave me a place I could kludge from, and now I know a lot more
about how the product works.

 

Just splaining where my head was and leaving a trail here in the archives in
case it helps someone else.  :)

 

 - Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, April 29, 2010 3:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

 

There really is no need for ClamAid, because the recent builds (including
oss.netfarm.it) already are able to install themselves as services, and the
additional ClamAid DLLs will be obsolete once you install the official
version.

So unless you need help adding the 3 lines to the Virus.cfg, ClamAid
probably makes things unnecessarily complicated...

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Thursday, April 29, 2010 2:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

 

In case this is helpful for someone else that isn't so great at rolling
their own Clams from the source code:

 

First, I installed ClamAID using the default options.  (SmarterMail /
Declude install for me

RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

2010-04-29 Thread Andy Schmidt
Declude Users - take note!

 

CommTouch/Zerohour does a good job, but does not catch all known viruses
(some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to
multiple users each!), it's absolutely imperative that AVG works if you
don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks
or possibly months it has not worked). I have confirmed that AVG is now
working again after I upgraded from 4.10.42-A to 4.10.48. So - I recommend
all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for
extended periods of time - and it's never discovered until I finally
insist. Naturally, I have zero confidence in the built-in scanner. It's
unreliable and there is no notification whenever it stops working.)

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com;
declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

 

The following release contains the following changes since 4.7.35 to the
current 4.10.48:

 

RELEASE   4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.

4.10.47 Fix memory leak in AVG SDK Release Instance

4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll

4.10.45 Optimize code for moving files to the spool directory for IMail

4.10.44 Optimize code for moving files to the spool directory for
Smartermail

4.10.43 Fixed variable names in the MoveToError function which were
declared globally

4.10.42-A Fix for SNF Authentication to turn off without having to restart
Decludeproc

4.10.42 Message Sniffer integrated into Declude

4.10.41 Added variable %AUTH% to show the authenticated sender of the email

4.10.40 XWHITELIST  ON in the global.cfg will give the reason for why the
email was WHITELISTED in the header of the email

4.9.39 Added a function to send a notify e-mail when hijack is triggered and
e-mails are being held in the Hold2 folder

To turn the Hijack e-mail notify on add the following directive to the
hijack.cfg.

HIJNOTIFY   ON

Add the include HijackNotify.eml into the \Declude directory. The recipient
of the email can be modified.

4.8.39 IPBYPASS can be configured with CIDR

4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt
file.

The format blklst.txt file is

Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

Example:

Multiple Recipients:

10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,testi...@yahoo,beg...@yahoo.com,donotl...@gmail,|owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETENRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|

One Recipient:

10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|

4.8.37 PostiniFix,  Add a new directive POSTINIFIX ON/OFF goes in the
declude.cfg file

 

Configuration:

 

In 
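
A parser for the blklst.txt record layout given in the 4.8.38 release note above, as an added example that is not part of the original post and is not Declude's own code. The sample records are constructed and the LastAction value HOLD is hypothetical; because both sample lines in the release note go from TotalWeight straight to the recipient list, the parser accepts records with or without a LastAction field.

```python
from dataclasses import dataclass


@dataclass
class BlockedMessage:
    date: str
    time: str
    spool: str
    ip: str
    total_weight: int
    last_action: str     # "" when the record has no LastAction field
    recipients: list
    mail_from: str
    subject: str
    tests: dict          # test name -> weight


def parse_blklst_line(line):
    """Parse one blklst.txt record; raise ValueError if it cannot be one."""
    fields = line.rstrip("\r\n").split("|")
    # Records end with "|", which leaves one empty trailing field.
    if fields and fields[-1] == "":
        fields.pop()
    if len(fields) < 9:
        raise ValueError("too few fields: %d" % len(fields))
    date, time, spool, ip, weight = fields[:5]
    rest = fields[5:]
    # Documented layout: LastAction, then RecpList. Recipients are addresses,
    # so an "@" in the next field is taken to mean LastAction is absent
    # (a heuristic chosen for this example).
    last_action = "" if "@" in rest[0] else rest.pop(0)
    if len(rest) < 4:
        raise ValueError("missing recipient, sender, subject or tests field")
    recipients, mail_from, tests_raw = rest[0], rest[1], rest[-1]
    # The subject is sender-controlled and may contain "|" itself. The page
    # does not say whether it is escaped, so everything between mailfrom and
    # the final tests field is treated as subject text.
    subject = "|".join(rest[2:-1])
    tests = {}
    for item in tests_raw.split(","):
        if not item:
            continue                     # trailing comma in the tests list
        name, sep, value = item.partition("=")
        if not sep or not value.lstrip("-").isdigit():
            raise ValueError("bad test entry: %r" % item)
        tests[name] = int(value)
    return BlockedMessage(date, time, spool, ip, int(weight), last_action,
                          [r for r in recipients.split(",") if r],
                          mail_from, subject, tests)


def load_blklst(lines):
    """Return (records, rejected line numbers) so bad lines stay visible."""
    records, rejected = [], []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            records.append(parse_blklst_line(line))
        except ValueError:
            rejected.append(number)
    return records, rejected


# Constructed sample records (documentation addresses, not data from the page).
SAMPLE = [
    "10/14/2009|11:40:06.109|53|192.0.2.76|18|a@example.com,b@example.com,"
    "|bounce@example.net|[59]Guaranteed payment|SORBS-DUL=5,ZEN=7,WEIGHT10=10,|",
    "10/14/2009|11:40:06.296|15|198.51.100.185|37|HOLD|a@example.com,"
    "|claims@example.org|CONTACT AGENT | FOR CONFIRMATION|REVDNS=10,SPFFAIL=10,|",
    "not a record",
]

if __name__ == "__main__":
    parsed, bad = load_blklst(SAMPLE)
    for rec in parsed:
        print(rec.ip, rec.total_weight, rec.subject, sorted(rec.tests))
    print("rejected lines:", bad)
```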

[Declude.Virus] Internal (AVG Scanner) does NOT report file name

2010-04-29 Thread Andy Schmidt
Hi,

 

Considering that AVG is integrated INTO Declude, it should interface at
LEAST as good as any external scanner.

 

However, the virus bounce message filename variable is NOT set when a
virus is caught by AVG. Only the Virus Name variable is populated. 

 

But when a virus is caught by the external scanners, then the infected file
is reported correctly.

 

This is also evident in the LOG file. Here's the EICAR virus caught by AVG
in the .48 build. It only reports the virus name EICAR_Test.

 

04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
04/29/2010 22:22:20.277 qeae800cc0002.smd File(s) are INFECTED [EICAR_Test: 7]
04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]

 

If the SAME file is detected by an external scanner (in this case ClamAV) it
reports the virus name AND the file name:

 

04/28/2010 12:49:29.722 q6748c63e0425.smd Virus scanner 1 reports exit code of 1
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanner 1: Virus= Eicar-Test-Signature Attachment=eicar.zip [61] I
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 875]

 

The AVG integration should be improved to match the quality of external
scanner.

 

Best Regards,

Andy




[Declude.Virus] Testing Internal Scanner

2010-04-28 Thread Andy Schmidt
Hi,

 

I've been watching this now for a few months. The internal scanner NEVER
ever catches a virus - while my two other scanners catch them daily.

 

However, since CommTouch doesn't allow the Eicar file to pass, there is no
way to easily test the internal scanner.  I think this is something that
should eventually be addressed - either by a parameter that allows a user to
disable CommTouch for a few minutes at night while testing OR by CommTouch
recognizing the EICAR file as a good file and letting it pass!

 


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                               # INFECTED   PERCENTAGE
No Records Matched Your Criteria


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%

VIRUS                               # INFECTED   PERCENTAGE
PDF.DROPPER-3                       3            0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9    1            0.01%


Virus Scanner Summary Report (McAfee VirusScan)

Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%

VIRUS                               # INFECTED   PERCENTAGE
GENERIC.DX!SED TROJAN !!!           1            0.01%



 

Best Regards,

Andy
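
One way to notice a scanner that has silently stopped detecting, built on the log record shapes quoted in the "does NOT report file name" post and the per-scanner comparison in the post above (added example, not part of the thread and not Declude's code). The log lines, spool names and the Constructed.* virus names are constructed, exit code 13 for scanner 2 is an assumption taken from the McAfee VIRUSCODE setting elsewhere on the page, and the labels "AVG" and "scanner N" are this example's own.

```python
import re
from collections import defaultdict

# Record shapes copied from the log excerpts quoted in this thread.
RECORD = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+\.smd) (.*)$")
STARTS_RECORD = re.compile(r"^\d{2}/\d{2}/\d{4} ")
AVG_HIT = re.compile(r"^AVG Reports VIRUS: (\S+)")
EXT_HIT = re.compile(r"^Scanner (\d+): Virus=\s*(\S+)")
EXT_RAN = re.compile(r"^Virus scanner (\d+) reports exit code of (\d+)")


def unwrap(raw_lines):
    """Re-join records wrapped in transit: a record starts with a date."""
    records = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        if STARTS_RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def scanner_health(raw_lines, expected, min_peer_hits=3):
    """Compare what each scanner caught against what its peers caught."""
    hits = defaultdict(dict)   # scanner -> {spool file: virus name}
    ran = defaultdict(set)     # external scanner -> spool files with an exit code
    messages = set()
    for record in unwrap(raw_lines):
        match = RECORD.match(record)
        if not match:
            continue
        spool, text = match.groups()
        messages.add(spool)
        avg, ext, code = AVG_HIT.match(text), EXT_HIT.match(text), EXT_RAN.match(text)
        if avg:
            hits["AVG"][spool] = avg.group(1)
        elif ext:
            hits["scanner " + ext.group(1)][spool] = ext.group(2)
        elif code:
            ran["scanner " + code.group(1)].add(spool)
    flagged = set()
    for per_scanner in hits.values():
        flagged.update(per_scanner)
    report = {}
    for name in expected:
        mine = set(hits.get(name, {}))
        missed = sorted(flagged - mine)
        # The excerpts show no AVG line for clean mail, so "did it run" can
        # only be checked for external scanners, which log an exit code.
        if name != "AVG" and not ran.get(name):
            status = "no-exit-codes"
        elif not mine and len(missed) >= min_peer_hits:
            status = "silent"      # peers catch malware, this scanner never does
        else:
            status = "ok"
        report[name] = {"detections": len(mine), "missed": missed, "status": status}
    return {"messages": len(messages), "flagged": len(flagged), "scanners": report}


# Constructed log: five messages, the first two records wrapped as in the post.
SAMPLE_LOG = """\
04/28/2010 12:49:29.722 q00000001.smd Virus scanner 1 reports exit
code of 1
04/28/2010 12:49:29.722 q00000001.smd Scanner 1: Virus=
Eicar-Test-Signature Attachment=eicar.zip [61] I
04/28/2010 12:49:29.800 q00000001.smd Virus scanner 2 reports exit code of 0
04/28/2010 12:49:29.900 q00000001.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 875]
04/28/2010 13:02:11.101 q00000002.smd Virus scanner 1 reports exit code of 0
04/28/2010 13:02:11.300 q00000002.smd Virus scanner 2 reports exit code of 0
04/28/2010 13:15:40.010 q00000003.smd Virus scanner 1 reports exit code of 1
04/28/2010 13:15:40.010 q00000003.smd Scanner 1: Virus= Constructed.Sample-A Attachment=a.pdf [61] I
04/28/2010 13:15:40.200 q00000003.smd Virus scanner 2 reports exit code of 0
04/28/2010 13:31:05.500 q00000004.smd Virus scanner 1 reports exit code of 0
04/28/2010 13:31:05.700 q00000004.smd Virus scanner 2 reports exit code of 13
04/28/2010 13:31:05.700 q00000004.smd Scanner 2: Virus= Constructed.Sample-B Attachment=b.zip [61] I
04/28/2010 13:44:19.020 q00000005.smd Virus scanner 1 reports exit code of 1
04/28/2010 13:44:19.020 q00000005.smd Scanner 1: Virus= Constructed.Sample-C Attachment=c.exe [61] I
04/28/2010 13:44:19.300 q00000005.smd Virus scanner 2 reports exit code of 13
04/28/2010 13:44:19.300 q00000005.smd Scanner 2: Virus= Constructed.Sample-C Attachment=c.exe [61] I
""".splitlines()

if __name__ == "__main__":
    result = scanner_health(SAMPLE_LOG, ("AVG", "scanner 1", "scanner 2"))
    for name, info in result["scanners"].items():
        print(name, info["status"], info["detections"], info["missed"])
```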




RE: [Declude.Virus] Testing Internal Scanner

2010-04-28 Thread Andy Schmidt
4.10.42-A

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, April 28, 2010 9:12 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Testing Internal Scanner

 

Andy what version of Declude are you running ?

 


RE: [Declude.Virus] ClamAV

2010-04-28 Thread Andy Schmidt
Generally, ClamD catches most viruses that AVG misses (during those times
when it actually runs), and McAfee catches the occasional virus that ClamD
misses. ClamD downloads updates automatically (using the FreshClam).

 

I found the http://oss.netfarm.it/clamav build very useful. I don't recall
any installation difficulty. It did have a successful installer and is able
to install itself as a service. 

There is a .REG file that sets up a registry entry where the path is stored.

 

In their registry, I use the following:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]

ConfigDir=C:\\Progra~1\\ClamAV\\conf

DataDir=C:\\Progra~1\\ClamAV\\db

 

For FreshClam.conf, I changed these parameters:

 

DatabaseDirectory C:\Program Files\clamAV\db

UpdateLogFile C:\Program Files\clamAV\log\freshclam.log

LogTime yes

 

For ClamD.conf, I changed these:

 

LogFile C:\Program Files\clamAV\log\clamd.log

LogTime yes

TemporaryDirectory C:\Temp

DatabaseDirectory C:\Program Files\clamAV\db

 

For the service, I removed the spaces from the path (not sure if this was
needed):

 

C:\Progra~1\ClamAV\clamd.exe --daemon

 

In Declude, you'd use:

 

#ClamAV

SCANFILE1   C:\Progra~1\ClamAV\ClamDScan.exe

VIRUSCODE1  1

 

Of course, that still leaves the problem of the virus report file. I had
contacted Declude and they said they would check if they can natively parse
the report file. For now I still use a simple script to reformat the Report
file to suit Declude.

 

ClamAV now has an official Windows build AND compiles under Visual Studio.
So, ideally, Declude would just integrate ClamAV as an internal scanner
instead of having to deal with all this command-line jazz.

 

Best Regards,

Andy

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, April 28, 2010 1:30 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Internal Scanner - Nonfunctional?

 

What's the best way to look into using Clam as a second scanner?

 

I found this at ARM, does anyone else use this install aid?

 

http://www.armresearch.com/tools/arm/clamAID.jsp

 

What's your general opinion of Clam when compared to McAfee, or another
favorite scanner?

 

How do you update your Clam database files?

 

Thanks for the discussion and feedback!

 

-- Michael Cummins

 




RE: [Declude.Virus] ClamAV

2010-04-28 Thread Andy Schmidt
Thanks John,

Yes, that'll work too.

Of course, rather than you having to modify the source code of 2 or 3
modules for every build - or me having to write a report file parser, the
REAL solution is for Declude to provide at least a minimum amount of
flexibility in parsing report files (or - to integrate the ClamLib and
eliminate any command line needs).

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Cert
Sent: Wednesday, April 28, 2010 7:26 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ClamAV

Hello!

The sherpya Clam port at oss.netfarm.it is very easy to build and use, 
and there are only about 10 lines of code in 2 or 3 modules where you 
need to add a VirusName- prefix before the actual name of the virus 
so Declude can pick it up in the report file. I just mod the code and 
recompile instead of trying to manipulate the report file.

I do not use any sort of installer. I just setup the conf files, spawn a 
clamd process on startup, schedule a freshclam run periodically, and 
point Declude to the clamdscan scanner. I also grab the MSRBL Images 
spam database for use with Clam. The clamd/clamdscan combo are very 
light and fast.

Take care!

John




[Declude.Virus] ClamAV 0.96 Released - Now a native Windows Port!

2010-04-02 Thread Andy Schmidt
Native Windows Support: ClamAV will now build natively under Visual Studio.
This will allow 3rd Party application developers on Windows to easily
integrate LibClamAV into their applications.
http://www.clamav.net/lang/en/2010/04/02/announcing-clamav-0-96/

 

Also:

ClamAV for Windows Released

http://www.clamav.net/lang/en/about/win32/

 

Haven't checked yet, whether this official ClamAV for Windows will also
work with normal signature files and has ClamD - or if it's an entirely
different animal.

 

 

 




RE: [Declude.Virus] Commtouch/Temp files going back to last year?

2010-03-19 Thread Andy Schmidt
Thanks, I'll make it part of my monthly job that deletes files older than 30
days - that's tight enough for me.

 

Of course, Declude or Commtouch should be cleaning up after itself (e.g.,
whenever new files/signatures are downloaded) - but that's a different
story.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno
Bloksma
Sent: Friday, March 19, 2010 2:27 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year?

 

Hi David,

 

A while ago I was told these can be deleted almost immediately but the
running DecludeProc service has them locked so it will be needed to stop
DecludeProc, remove the temp files and then start DecludeProc.

 

As part of my nightly routine I have now:

--quote---

rem Nightly cleanup; progress is appended to the log file
Set LogFile=C:\Beheer\Logs\CleanTemp.log
echo %Date% %Time% Starting CleanTemp >> %LogFile%
Del /Q C:\IMail\declude\invuribl\Exception\*.*
Del /Q C:\IMail\WebDir\WebClient\temp\*.*
del /Q C:\IMail\Spool\tmp*.tmp
rem DecludeProc keeps these files locked, so stop it around the deletes
net stop Decludeproc
Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.*
Del /Q C:\IMail\spool\proc\work\*.smd.tmp
net start Decludeproc
echo %Date% %Time% End CleanTemp >> %LogFile%
exit
--quote---

 

Kind regards,
Bonno Bloksma
senior systems administrator

tio

hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  /  http://www.tio.nl/


- Original Message - 

From: David Barker mailto:dbar...@declude.com  

To: declude.virus@declude.com 

Sent: Thursday, March 18, 2010 4:44 PM

Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

 

These are cached CT files. I will find out when they can be deleted and get
back to you.

 

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, March 18, 2010 11:35 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] Commtouch/Temp files going back to last year?

 

Hi,

 

That folder has over 1,000 files, some several MB large, CTM*.tmp,
CTENG*.tmp and CTENG*.dat.

 

How old do these files have to be, before I can safely delete them?

 

Best Regards,

Andy



RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

2010-03-19 Thread Andy Schmidt
Thanks - downloaded and installed.

I'll have to take a look at the integrated Sniffer. I got pulled away and
never got back to it.

I'll have to take a good look at the rulebase update - on first glance it
seems as if your script is leaving out the crucial SNF2CHECK to make sure
that the downloaded rulebase is valid BEFORE replacing it. So I'll have to
look at it very carefully.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Thursday, March 18, 2010 4:05 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Release notes for Declude Security Suite 4.10.42  [28 December 2009]

EVA FIX Fix for Virus test not catching the eicar test due to e-mail
formatting

This was done in interim 4.8.36 which is still on the Interim site if you
just want to try switching out the decludeproc.exe and testing to see if the
issue is resolved.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, March 18, 2010 12:22 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Declude 4.6.35 Diagnostics
Compilation Platform: IMail
Copyright (c) 2000-2009 Declude, Inc.

Host Name    MAYWOOD-IS-0012.WEBHOST.HM-SOFTWARE.COM
Daisy Chain  smtp32.exe
DNS Server   127.0.0.1

Product Details

 JunkMail   ON
 EVA        ON
 Hijack     OFF

 AVG        ON
 CommTouch  ON

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Thursday, March 18, 2010 12:07 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

What version of Declude are you running ?







RE: [Declude.Virus] Integrated Sniffer

2010-03-19 Thread Andy Schmidt
Hi Pete:

Thanks for jumping in.

1.  The SNF engine performs the SNF2CHECK task before it accepts a new
rulebase 

I'm a little confused - the script replaces the rulebase - without checking.
So what happens if the rulebase is bad? By the time the engine checks, the
good one is already renamed and the bad one is already called .snf

if exist %LICENSE_ID%.old del %LICENSE_ID%.old
if exist %LICENSE_ID%.snf rename %LICENSE_ID%.snf %LICENSE_ID%.old
rename %LICENSE_ID%.new %LICENSE_ID%.snf

2. I assume I can still just update the XML file to move the logfiles,
rulebase and workspace to its own subfolders to keep things tidy and for
improved maintainability?

<log path='[PATH]\declude\scanners\SNF\logs\'/>
<rulebase path='[PATH]\declude\scanners\SNF\rulebase\'/>
<workspace path='[PATH]\declude\scanners\SNF\work\'/>

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, March 19, 2010 1:22 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

On 3/19/2010 11:26 AM, Andy Schmidt wrote:
 Thanks - downloaded and installed.

 I'll have to take a look at the integrated Sniffer. I got pulled away and
 never got back to it.

 I'll have to take a good look at the rulebase update - on first glance it
 seems as if your script is leaving out the crucial SNF2CHECK to make sure
 that the downloaded rulebase is valid BEFORE replacing it. So I'll have to
 look at it very carefully.


Andy,

The script cannot call snf2check for the embedded SNF because that would 
expose the OEM rulebase.

The SNF engine performs the SNF2CHECK task before it accepts a new 
rulebase so it's ok to leave that out of the update script in OEM 
integrations of the SNF engine.

In fact, the getRulebase.cmd script need not be used at all by an OEM -- 
they can use their own facility. However in this case I recommended 
strongly that Declude use a modified getRulebase script so that Declude 
customers could modify it to perform additional tasks in the way they 
are used to.

Hope this helps,

Best,

_M






RE: [Declude.Virus] Integrated Sniffer

2010-03-19 Thread Andy Schmidt
Thanks

 If the rulebase does not properly authenticate in the SNF engine then the
reload is rejected.
Once the guard time expires the update script will be run again (by default
after 3 minutes). 

Which also means, if the corrupt rulebase persists and the server or
services happen to be restarted during those times, we have a potential
problem because upon restart it won't have a good rulebase to fall back on.

So there's definitely a (calculated) risk in NOT checking the rulebase
BEFORE renaming it.
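
The ordering problem discussed in the two Integrated Sniffer posts above, as an added example that is not part of the thread and not the getRulebase script: the unchecked rotation follows the three quoted script lines, the checked one validates the download before it can displace the live file. The validity check here is a constructed stand-in (a made-up marker, not the real rulebase format); on a real system it would be whatever check the installation allows.

```python
import os
import shutil
import tempfile

MAGIC = b"SNF-DEMO"   # constructed marker, not the real rulebase format


def _paths(folder, license_id):
    """Return the .new, .snf and .old paths used by the quoted script lines."""
    return tuple(os.path.join(folder, license_id + ext)
                 for ext in (".new", ".snf", ".old"))


def looks_valid(path):
    """Stand-in validity check for the demo files built below."""
    with open(path, "rb") as handle:
        return handle.read(len(MAGIC)) == MAGIC


def rotate_unchecked(folder, license_id):
    """Same order as the quoted script: rename first, nothing is validated."""
    new, live, old = _paths(folder, license_id)
    if os.path.exists(old):
        os.remove(old)
    if os.path.exists(live):
        os.rename(live, old)
    os.rename(new, live)


def rotate_checked(folder, license_id, is_valid):
    """Swap only a download that passes is_valid; return True if swapped."""
    new, live, old = _paths(folder, license_id)
    if not os.path.exists(new):
        return False
    if not is_valid(new):
        os.replace(new, new + ".rejected")   # keep the evidence, live file untouched
        return False
    if os.path.exists(live):
        shutil.copy2(live, old)              # back up while the live file stays in place
    os.replace(new, live)                    # one rename, so .snf is never missing
    return True


def restore_last_good(folder, license_id, is_valid):
    """Recovery after an unchecked swap: put .old back if the live file is bad."""
    _new, live, old = _paths(folder, license_id)
    if os.path.exists(live) and is_valid(live):
        return "live-ok"
    if os.path.exists(old) and is_valid(old):
        os.replace(old, live)
        return "restored"
    return "no-good-rulebase"


def simulate(rotate):
    """Good live rulebase plus a corrupt download; what would a restart load?"""
    with tempfile.TemporaryDirectory() as folder:
        new, live, _old = _paths(folder, "demo")
        with open(live, "wb") as handle:
            handle.write(MAGIC + b" rules v1")
        with open(new, "wb") as handle:
            handle.write(b"\x00\x00 truncated download")
        rotate(folder, "demo")
        live_is_good = looks_valid(live)
        recovery = restore_last_good(folder, "demo", looks_valid)
        return live_is_good, recovery


if __name__ == "__main__":
    print("unchecked:", simulate(rotate_unchecked))
    print("checked:  ", simulate(lambda f, i: rotate_checked(f, i, looks_valid)))
```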






RE: [Declude.Virus] Commtouch/Temp files going back to last year?

2010-03-19 Thread Andy Schmidt
Thanks!

 

DecludeProc should probably just delete that folder content when the service
is restarted the first time before the first email is processed. Then
CommTouch can reinitialize itself subsequently.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, March 19, 2010 3:23 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

 

This is the answer directly from Commtouch:

 

You can safely stop commtouch [declude] and delete all of these files.  If
any are needed, the application will download them again, but any handled in
this matter should be a few days old.  Usually Commtouch will clean up these
files on its own, but at times problems do develop due to the index.dat
file.  If you see any .tmp files older than a month, it is a good sign that
a delete should be done to clean up these temp files.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

 

 


RE: [Declude.Virus] Commtouch/Temp files going back to last year?

2010-03-19 Thread Andy Schmidt
Hi,

 

No, I have a little cscript I wrote that iterates through subdirectories and
takes parameters like /lastweek  /lastmonth etc.

 

I'll be happy to share, if you need it.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno
Bloksma
Sent: Friday, March 19, 2010 5:33 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year?

 

Hi Andy,

 

What tool are you using to specify x days old when deleting? Or are you
already using Powershell?

 

Met vriendelijke groet,
Bonno Bloksma
senior systeembeheerder

tio 

hogeschool hospitality en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

 mailto:b.blok...@tio.nl b.blok...@tio.nl  /  http://www.tio.nl/
www.tio.nl 


- Original Message - 

From: Andy Schmidt mailto:andy_schm...@hm-software.com  

To: declude.virus@declude.com 

Sent: Friday, March 19, 2010 3:15 PM

Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

 

Thanks, I'll make it part of my monthly job that deletes files older than 30
days - that's tight enough for me.

 

Of course, Declude or Commtouch should be cleaning up after itself (e.g.,
whenever new files/signatures are downloaded) - but that's a different
story.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno
Bloksma
Sent: Friday, March 19, 2010 2:27 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year?

 

Hi David,

 

A while ago I was told these can be deleted almost immediately but the
running DecludeProc service has them locked so it will be needed to stop
DecludeProc, remove the temp files and then start DecludeProc.

 

As part of my nightly routine I have now:

--quote---

rem Nightly cleanup of IMail/Declude temp files; progress is appended to LogFile
Set LogFile=C:\Beheer\Logs\CleanTemp.log
echo %Date% %Time% Starting CleanTemp >> %LogFile%
Del /Q C:\IMail\declude\invuribl\Exception\*.*
Del /Q C:\IMail\WebDir\WebClient\temp\*.*
del /Q C:\IMail\Spool\tmp*.tmp
rem DecludeProc keeps the CommTouch temp files locked, so stop it first
net stop Decludeproc
Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.*
Del /Q C:\IMail\spool\proc\work\*.smd.tmp
net start Decludeproc
echo %Date% %Time% End CleanTemp >> %LogFile%
exit
--quote---

 

Met vriendelijke groet,
Bonno Bloksma
senior systeembeheerder

tio 

hogeschool hospitality en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

 mailto:b.blok...@tio.nl b.blok...@tio.nl  /  http://www.tio.nl/
www.tio.nl 


- Original Message - 

From: David Barker mailto:dbar...@declude.com  

To: declude.virus@declude.com 

Sent: Thursday, March 18, 2010 4:44 PM

Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

 

These are cached CT files. I will find out when they can be deleted and get
back to you.

 

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, March 18, 2010 11:35 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] Commtouch/Temp files going back to last year?

 

Hi,

 

That folder has over 1,000 files, some several MB large, CTM*.tmp,
CTENG*.tmp and CTENG*.dat.

 

How old do these files have to be, before I can safely delete them?

 

Best Regards,

Andy



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
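
The age-based cleanup discussed in this thread (purge the CommTouch cache files once they are older than 30 days, and expect some to be held open by DecludeProc) can be written as below. This is an added Python example, not the cscript or batch file of any poster; the function name `purge_old_cache` and the demo file names are assumptions, and only the three file patterns come from the thread.

```python
import os
import time
from fnmatch import fnmatchcase
from pathlib import Path

# File name patterns the thread names for the CommTouch temp folder.
CACHE_PATTERNS = ("CTM*.tmp", "CTENG*.tmp", "CTENG*.dat")


def purge_old_cache(folder, max_age_days=30, patterns=CACHE_PATTERNS,
                    now=None, dry_run=False):
    """Delete matching files older than max_age_days; return what happened.

    Only regular files directly inside `folder` are considered. Symlinks and
    subdirectories are skipped so a stray link cannot redirect the deletion.
    Files that cannot be removed (on Windows, ones still held open by the
    scanning service) are reported under "locked" instead of aborting the run.
    With dry_run=True nothing is removed and "deleted" lists the candidates.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    lowered = [p.lower() for p in patterns]
    result = {"deleted": [], "kept": [], "locked": []}

    for entry in sorted(Path(folder).iterdir(), key=lambda p: p.name):
        if entry.is_symlink() or not entry.is_file():
            continue
        name = entry.name.lower()  # Windows file names are case-insensitive
        if not any(fnmatchcase(name, pat) for pat in lowered):
            continue  # never touch files outside the known cache patterns
        if entry.stat().st_mtime >= cutoff:
            result["kept"].append(entry.name)
            continue
        try:
            if not dry_run:
                entry.unlink()
            result["deleted"].append(entry.name)
        except PermissionError:
            result["locked"].append(entry.name)
    return result


def demo():
    """Build a throwaway folder with constructed file names and purge it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        ages_in_days = {
            "CTM0001.tmp": 200,    # old cache file -> deleted
            "cteng0002.DAT": 45,   # old, mixed case -> deleted
            "CTENG0003.tmp": 2,    # recent -> kept
            "notes.txt": 400,      # old, but not a cache pattern -> untouched
        }
        for name, age in ages_in_days.items():
            path = Path(tmp, name)
            path.write_bytes(b"x")
            stamp = now - age * 86400
            os.utime(path, (stamp, stamp))
        outcome = purge_old_cache(tmp, max_age_days=30, now=now)
        outcome["remaining"] = sorted(p.name for p in Path(tmp).iterdir())
        return outcome


if __name__ == "__main__":
    print(demo())
```

Unlike `Del /Q ...\*.*`, this leaves recent files and anything outside the three patterns in place, and a non-empty "locked" list shows which files still need the service stopped.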

[Declude.Virus] How to disable CommTouch Zerohour (for testing)

2010-03-18 Thread Andy Schmidt
Hi,

 

I want to test the virus scanners using EICAR. However, CommTouch gets in
the way and blocks it.

 

How do I temporarily disable CommTouch in Declude Virus, so that the EICAR
file is handled by the internal/external scanners?

 

Best Regards,

Andy



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Commtouch/Temp files going back to last year?

2010-03-18 Thread Andy Schmidt
Hi,

 

That folder has over 1,000 files, some several MB large, CTM*.tmp,
CTENG*.tmp and CTENG*.dat.

 

How old do these files have to be, before I can safely delete them?

 

Best Regards,

Andy



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

2010-03-18 Thread Andy Schmidt
Hi Dave,

 

Thanks. So the answer is, there is no local override where we can disable
CommTouch ourselves. Such a directive may be something for the to-do list.

 

To be frank - I was trying to test AVG. I've noticed in recent weeks that my
external scanners (ClamAV and my trusted McAfee) have been catching infected
emails - but AVG never catches any. The files in the AVG folder are all from
today. So when I had 2 minutes, I just wanted to quickly check if AVG had
somehow disabled itself again by passing an EICAR file through - but I
don't have time to make a big project out of it.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Thursday, March 18, 2010 11:43 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

 

Andy, work with our support so we can disable it for you for testing.  Let us
know when you want to do it.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, March 18, 2010 11:29 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

 

Hi,

 

I want to test the virus scanners using EICAR. However, CommTouch gets in
the way and blocks it.

 

How do I temporarily disable CommTouch in Declude Virus, so that the EICAR
file is handled by the internal/external scanners?

 

Best Regards,

Andy



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

2010-03-18 Thread Andy Schmidt
Declude 4.6.35 Diagnostics
Compilation Platform: IMail
Copyright (c) 2000-2009 Declude, Inc.

Host Name   MAYWOOD-IS-0012.WEBHOST.HM-SOFTWARE.COM
Daisy Chain smtp32.exe
DNS Server  127.0.0.1

Product Details

 JunkMail   ON
 EVA        ON
 Hijack     OFF

 AVG        ON
 CommTouch  ON

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Thursday, March 18, 2010 12:07 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

What version of Declude are you running ?




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.



[Declude.JunkMail] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?

2009-07-08 Thread Andy Schmidt
Hi,

 

I noticed that ZeroHour stopped catching any viruses after 6/28 - and, after
investigating, I now realize it no longer traps any Spam. There were NO
changes to any .CFG (or other Declude files). I'm enclosing the most recent
Diags.txt (from 6/18, where CommTouch was ON) and then one from today after
I made a point of manually restarting DecludeProc.  Suddenly, it reports
CommTouch as OFF?

 

My customer screen shows:

 


 

Host Information

Declude Imail Perpetual Lic.   [omitted]    28 Jun 2010
AVG                            Activated    Current
CommTouch                      Activated



 

It can't be a coincidence that CommTouch stopped working 3 weeks ago,  on
the exact anniversary date of my (renewed) agreement?

 

Since I only purchased CommTouch a few weeks ago, I'm new to this. So, what
do Declude customers have to do after purchasing CommTouch or after renewing
their service agreements to make sure that the software will continue to
work with a complete function set? This way, I can add yet another reminder
to my calendar (besides monitoring the AVG licensing renewal date).

 

 


Overall Server Virus Summary Report

Total Messages Processed: 21,868
Virus Infected Messages: 60
Percentage Infected: 0.27%

VIRUS                                                  # INFECTED  PERCENTAGE
OUTLOOK 'BLANK FOLDING' VULNERABILITY                  33          0.15%
OUTLOOK 'CR' VULNERABILITY                             11          0.05%
OUTLOOK 'MIME SEGMENT IN MIME PREAMBLE' VULNERABILITY  8           0.04%
I-WORM/MYDOOM.O                                        3           0.01%
I-WORM/MYDOOM.BE                                       1           0.00%
I-WORM/MYDOOM.N                                        1           0.00%
NON STANDARD HEADER VULNERABILITY                      1           0.00%
TROJAN.IFRAME-3                                        1           0.00%
WORM.BAGLE-ZIPPWD-35                                   1           0.00%


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 21,868
Virus Infected Messages: 5
Percentage Infected: 0.02%

VIRUS                                                  # INFECTED  PERCENTAGE
I-WORM/MYDOOM.O                                        3           0.01%
I-WORM/MYDOOM.BE                                       1           0.00%
I-WORM/MYDOOM.N                                        1           0.00%


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 21,868
Virus Infected Messages: 2
Percentage Infected: 0.01%

VIRUS                                                  # INFECTED  PERCENTAGE
TROJAN.IFRAME-3                                        1           0.00%
WORM.BAGLE-ZIPPWD-35                                   1           0.00%



 

Best Regards,

Andy

 

 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Declude 4.6.35 Diagnostics
Compilation Platform: IMail
Copyright (c) 2000-2009 Declude, Inc.

Host Name   MAYWOOD-IS-0012.WEBHOST.HM-SOFTWARE.COM
Daisy Chain smtp32.exe
DNS Server  127.0.0.1

Product Details

 JunkMail   ON
 EVA        ON
 Hijack     OFF

 AVG        ON
 CommTouch  OFF

Tests Defined   106

 CONSOLE        OFF
 BYPASS19       BYPASSWHITELIST
 BYPASS14       BYPASSWHITELIST
 BYPASS12       BYPASSWHITELIST
 KUNDENSERVER   IP4R
 SPAMCOP        IP4R
 BARRACUDA      IP4R
 NJABL          IP4R
 NJABLRELAYS    IP4R
 NJABLDUL       IP4R
 NJABLDYNA      IP4R
 NJABLSOURCES   IP4R
 NJABLMULTI     IP4R
 NJABLFORMMAIL  IP4R
 NJABLPROXIES   IP4R
 AHBL           IP4R
 AHBLRELAYS     IP4R
 AHBLPROXIES    IP4R
 AHBLSOURCES    IP4R
 AHBLPSSL       IP4R
 AHBLFORMMAIL   IP4R
 AHBLDYNA       IP4R
 AHBLZDDOS      IP4R
 AHBLZRELAY     IP4R
 AHBLZSCAN      IP4R
 AHBLZWORM      IP4R
 AHBLZVIRUS     IP4R
 AHBLPROXIES2   IP4R
 AHBLTOR        IP4R
 SORBS          IP4R
 SORBS-HTTP     IP4R
 SORBS-SOCKS    IP4R
 SORBS-MISC     IP4R
 SORBS-SMTP     IP4R
 SORBS-WEB      IP4R
 SORBS-BLOCK    IP4R
 SORBS-ZOMBIE   IP4R
 SORBS-DUHL     IP4R
 SENDERDB       IP4R
 

[Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?

2009-07-08 Thread Andy Schmidt
Hi,

 

I noticed that ZeroHour stopped catching any viruses after 6/28 - and, after
investigating, I now realize it no longer traps any Spam. There were NO
changes to any .CFG (or other Declude files). I'm enclosing the most recent
Diags.txt (from 6/18, where CommTouch was ON) and then one from today after
I made a point of manually restarting DecludeProc.  Suddenly, it reports
CommTouch as OFF?

 

My customer screen shows:

 


 

Host Information

Declude Imail Perpetual Lic.   [omitted]    28 Jun 2010
AVG                            Activated    Current
CommTouch                      Activated



 

It can't be a coincidence that CommTouch stopped working 3 weeks ago,  on
the exact anniversary date of my (renewed) agreement?

 

Since I only purchased CommTouch a few weeks ago, I'm new to this. So, what
do Declude customers have to do after purchasing CommTouch or after renewing
their service agreements to make sure that the software will continue to
work with a complete function set? This way, I can add yet another reminder
to my calendar (besides monitoring the AVG licensing renewal date).

 

 


Overall Server Virus Summary Report

Total Messages Processed: 21,868
Virus Infected Messages: 60
Percentage Infected: 0.27%

VIRUS                                                  # INFECTED  PERCENTAGE
OUTLOOK 'BLANK FOLDING' VULNERABILITY                  33          0.15%
OUTLOOK 'CR' VULNERABILITY                             11          0.05%
OUTLOOK 'MIME SEGMENT IN MIME PREAMBLE' VULNERABILITY  8           0.04%
I-WORM/MYDOOM.O                                        3           0.01%
I-WORM/MYDOOM.BE                                       1           0.00%
I-WORM/MYDOOM.N                                        1           0.00%
NON STANDARD HEADER VULNERABILITY                      1           0.00%
TROJAN.IFRAME-3                                        1           0.00%
WORM.BAGLE-ZIPPWD-35                                   1           0.00%


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 21,868
Virus Infected Messages: 5
Percentage Infected: 0.02%

VIRUS                                                  # INFECTED  PERCENTAGE
I-WORM/MYDOOM.O                                        3           0.01%
I-WORM/MYDOOM.BE                                       1           0.00%
I-WORM/MYDOOM.N                                        1           0.00%


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 21,868
Virus Infected Messages: 2
Percentage Infected: 0.01%

VIRUS                                                  # INFECTED  PERCENTAGE
TROJAN.IFRAME-3                                        1           0.00%
WORM.BAGLE-ZIPPWD-35                                   1           0.00%



 

Best Regards,

Andy

 

 



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

Declude 4.6.35 Diagnostics
Compilation Platform: IMail
Copyright (c) 2000-2009 Declude, Inc.

Host Name   MAYWOOD-IS-0012.WEBHOST.HM-SOFTWARE.COM
Daisy Chain smtp32.exe
DNS Server  127.0.0.1

Product Details

 JunkMail   ON
 EVA        ON
 Hijack     OFF

 AVG        ON
 CommTouch  OFF

Tests Defined   106

 CONSOLE        OFF
 BYPASS19       BYPASSWHITELIST
 BYPASS14       BYPASSWHITELIST
 BYPASS12       BYPASSWHITELIST
 KUNDENSERVER   IP4R
 SPAMCOP        IP4R
 BARRACUDA      IP4R
 NJABL          IP4R
 NJABLRELAYS    IP4R
 NJABLDUL       IP4R
 NJABLDYNA      IP4R
 NJABLSOURCES   IP4R
 NJABLMULTI     IP4R
 NJABLFORMMAIL  IP4R
 NJABLPROXIES   IP4R
 AHBL           IP4R
 AHBLRELAYS     IP4R
 AHBLPROXIES    IP4R
 AHBLSOURCES    IP4R
 AHBLPSSL       IP4R
 AHBLFORMMAIL   IP4R
 AHBLDYNA       IP4R
 AHBLZDDOS      IP4R
 AHBLZRELAY     IP4R
 AHBLZSCAN      IP4R
 AHBLZWORM      IP4R
 AHBLZVIRUS     IP4R
 AHBLPROXIES2   IP4R
 AHBLTOR        IP4R
 SORBS          IP4R
 SORBS-HTTP     IP4R
 SORBS-SOCKS    IP4R
 SORBS-MISC     IP4R
 SORBS-SMTP     IP4R
 SORBS-WEB      IP4R
 SORBS-BLOCK    IP4R
 SORBS-ZOMBIE   IP4R
 SORBS-DUHL     IP4R
 SENDERDB       IP4R
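
The failure described in this message and its cross-post to the other list (CommTouch silently flipping from ON to OFF between two Diags.txt snapshots) can be caught by comparing the "Product Details" section of successive diagnostics. This is an added example, not Declude code; the function names are assumptions, and both snapshots are constructed excerpts in the layout of the Diags.txt output quoted above.

```python
import re

# CONSTRUCTED excerpts in the layout of the Diags.txt output quoted in the
# thread. DIAG_TODAY deliberately keeps fused forms such as "EVAON", as seen
# when column whitespace is lost, to show the parser tolerates them.
DIAG_EARLIER = """\
Declude 4.6.35 Diagnostics
Compilation Platform: IMail

Product Details

 JunkMail   ON
 EVA        ON
 Hijack     OFF

 AVG        ON
 CommTouch  ON

Tests Defined   106

 CONSOLE    OFF
"""

DIAG_TODAY = """\
Declude 4.6.35 Diagnostics
Compilation Platform: IMail

Product Details

 JunkMail   ON
 EVAON
 Hijack OFF

 AVGON
 CommTouch  OFF

Tests Defined   106

 CONSOLEOFF
"""

# Component name, optional whitespace, then the state at end of line.
_STATE_LINE = re.compile(r"^\s*(\S+?)\s*(ON|OFF)\s*$")


def parse_product_states(diag_text):
    """Return {component: 'ON' | 'OFF'} from the 'Product Details' section only."""
    states = {}
    in_section = False
    for line in diag_text.splitlines():
        stripped = line.strip()
        if stripped == "Product Details":
            in_section = True
            continue
        if in_section and stripped.startswith("Tests Defined"):
            break  # the test list that follows is not product state
        if not in_section or not stripped:
            continue
        match = _STATE_LINE.match(line)
        if match:
            states[match.group(1)] = match.group(2)
    return states


def find_regressions(earlier_text, current_text):
    """List (component, before, now) for anything that was ON and no longer is."""
    earlier = parse_product_states(earlier_text)
    current = parse_product_states(current_text)
    problems = []
    for name, state in sorted(earlier.items()):
        if state != "ON":
            continue
        now = current.get(name, "MISSING")
        if now != "ON":
            problems.append((name, state, now))
    return problems


def main():
    problems = find_regressions(DIAG_EARLIER, DIAG_TODAY)
    for name, before, now in problems:
        print(f"ALERT: {name} was {before}, now {now}")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run after each service restart or on a schedule, the non-zero exit status gives a monitoring hook for the case in the message, where detection stopped on the renewal date while the customer screen still showed "Activated".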
 

[Declude.Virus] ZEROHOUR, scanner order

2009-06-08 Thread Andy Schmidt
Hi Dave:

 

I see.

 

Based on your email I checked the “Virus” side of things – and I do see
Zerohour log entries.

 

06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1
06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]
06/07/2009 23:44:36.984 q29d5b0d20821.smd From: ignitionhf8...@sicis.com To: imail...@wateroperations.com [incoming from 84.63.45.89]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Subject: =?koi8-r?B?WW91knZlIHJlY2VpdmVkIGEgZ3JlZXRpbmcgZWNhcmQ=?=

 

Unfortunately, Zerohour doesn’t identify the virus (which in some cases, may
be obvious if it’s a yet unnamed outbreak). But, the problem is that “known”
viruses are not handled as configured.

 

What are my configuration options for Declude Virus with regards to
ZeroHour?

 

Can I at least control the order of scanning – e.g., I’d rather have the
regular virus scanners try to “identify” and report “known/named” viruses –
and make Zerohour the option of last defense?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 08, 2009 9:36 AM
To: declude.junkm...@declude.com
Subject: RE: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED

 

Hi Andy,

 

The ZEROHOUR was integrated into Declude as part of the virus code as it
provides ZEROHOUR anti-virus. Because of this it does not function the same
as the other tests. It either scores the email for x points as defined in
the global.cfg or it does not which is shown as zero. Changing the way
ZEROHOUR was implemented is on our development list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Sunday, June 07, 2009 6:07 PM
To: declude.junkm...@declude.com
Subject: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED
Importance: High

 

Hi,

 

Seems as if ZEROHOUR is not at all handled correctly vis-à-vis the
TESTSFAILED variable?

 

1.   Example: I have defined

 

XINHEADER X-Declude: Triggered [%WEIGHT%] %TESTSFAILED%

 

However, since activating ZEROHOUR I now see SMTP headers like this:

X-Declude: Triggered [-2] None, ZEROHOUR [0]

 

There are two things wrong with this:

 

a)  If “Testsfailed” returns “None”, why is the string “ZEROHOUR”
appended?  If it’s “None” then it should be “None” – and nothing else.

b)  If “ZEROHOUR” didn’t fail and thus has a weight of “0”, then it
shouldn’t appear in the TESTSFAILED list at all.

 

2.   In one of my filters, I have the line
TESTSFAILED  5  CONTAINS  ZEROHOUR
However, it fails to add “5” to the weight – as if it doesn’t detect
“ZEROHOUR” in the TestsFailed string – which would be consistent with items
“a)” and “b)” – because apparently there is a bug where ZEROHOUR is not
correctly included in the “TESTSFAILED” variable, but instead it is somehow
“appended” behind it!

 

The power of Declude is to be able to tightly configure (through various
options) how weights are assigned and (with the help of “TESTSFAILED”
filters) which groupings of tests might be testing/triggering on the same
“aspect” of a message. Currently ZEROHOUR appears to negate all the other
advantages of Declude!

 

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
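
The log excerpt in the message above can be grouped per spool file to list which detections carry no virus name, which is the case the message says is not handled as configured. This is an added example, not Declude code; the function names are assumptions, and the last two sample lines are constructed on the assumption that a signature scanner is logged in the same `[<source> <name>]` form.

```python
import re
from collections import OrderedDict

# First six lines: the log excerpt quoted in the message.
# Last two lines: CONSTRUCTED; the spool id, the "SCANNER1" tag, the virus
# name and the addresses are made up, and the bracketed form is an assumption.
SAMPLE_LOG = """\
06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1
06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]
06/07/2009 23:44:36.984 q29d5b0d20821.smd From: ignitionhf8...@sicis.com To: imail...@wateroperations.com [incoming from 84.63.45.89]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Subject: =?koi8-r?B?WW91knZlIHJlY2VpdmVkIGEgZ3JlZXRpbmcgZWNhcmQ=?=
06/07/2009 23:51:02.125 q0000example01.smd File(s) are INFECTED [SCANNER1 Example.Test.Name]
06/07/2009 23:51:02.125 q0000example01.smd From: sender@example.com To: user@example.org [incoming from 192.0.2.10]
"""

# timestamp, spool file name, free-text message
LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<spool>\S+\.smd) (?P<msg>.*)$"
)
INFECTED = re.compile(r"^File\(s\) are INFECTED \[(?P<source>\S+) (?P<name>.+)\]$")
SOURCE_IP = re.compile(r"\[incoming from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$")


def parse_log(text):
    """Group log lines by spool file and pull out detections and sender IP."""
    records = OrderedDict()
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # wrapped continuation or unrelated line
        record = records.setdefault(match["spool"], {
            "first_seen": match["ts"],
            "detections": [],   # list of (source, virus name)
            "source_ip": None,
            "subject": None,    # kept raw (still RFC 2047 encoded)
        })
        msg = match["msg"]
        hit = INFECTED.match(msg)
        if hit:
            record["detections"].append((hit["source"], hit["name"]))
        elif msg.startswith("From: "):
            ip = SOURCE_IP.search(msg)
            if ip:
                record["source_ip"] = ip["ip"]
        elif msg.startswith("Subject: "):
            record["subject"] = msg[len("Subject: "):]
    return records


def unnamed_only(records):
    """Spool ids whose every detection carries the placeholder name 'Unknown'."""
    return [
        spool for spool, record in records.items()
        if record["detections"]
        and all(name.lower() == "unknown" for _, name in record["detections"])
    ]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for spool in unnamed_only(parsed):
        rec = parsed[spool]
        print(spool, rec["detections"], "from", rec["source_ip"])
```

The spool ids returned by `unnamed_only` are the held messages worth re-scanning with a signature scanner if a name is needed for per-virus actions.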


RE: [Declude.Virus] ClamAV

2009-06-08 Thread Andy Schmidt
Hi David:

The best is http://oss.netfarm.it/clamav - because it's the same one ClamWin
is using and it's kept up-to-date. I don't recall any installation
difficulty. It did have a successful installer and is able to install itself
as a service. 
There is a .REG file that sets up a registry entry where the path is stored.

In their registry, I chose to change the following (because I wanted to keep
the CONF files and the DB files out of the program code):

[HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
ConfigDir=C:\\Progra~1\\ClamAV\\conf
DataDir=C:\\Progra~1\\ClamAV\\db

For FreshClam.conf, I changed these parameters to match my preference:

DatabaseDirectory C:\Program Files\clamAV\db
UpdateLogFile C:\Program Files\clamAV\log\freshclam.log
LogTime yes

For ClamD.conf, I changed these:

LogFile C:\Program Files\clamAV\log\clamd.log
LogTime yes
TemporaryDirectory C:\Temp
DatabaseDirectory C:\Program Files\clamAV\db

For the service, I removed the spaces from the path (not sure if this was
needed):

C:\Progra~1\ClamAV\clamd.exe --daemon

In Declude, I used:

#ClamAV
SCANFILE1   C:\Progra~1\ClamAV\ClamDScan.exe
VIRUSCODE1  1

Of course, that still leaves the problem of Declude having no decent virus
report file parser (if you care about seeing the proper virus name in the
proper location of the log files). For now, I still use a middleware to
reformat the Report file before feeding it to Declude.  If you don't care
about names, then this isn't necessary.

Best Regards,
Andy


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Dodell
Sent: Monday, June 08, 2009 12:26 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV

I'm using an older version of ClamAV that needs to be updated as a
backup scanner. Unfortunately, it is no longer being developed.

Has anyone tried the ClamID from ArmResearch or any other version of  
ClamAV that is current that works with Declude?

David



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.



RE: [Declude.Virus] ZEROHOUR, scanner order

2009-06-08 Thread Andy Schmidt
Hi David:

 

Thanks. The Global.cfg configures the Declude.Junkmail - but you said it was
implemented as Declude.Virus. So any configuration would go into the
Virus.cfg file. It seems to me as if it's implemented in some fashion in
both ends.

 

 In the Declude EVA the ZEROHOUR is part of the internal scanner process
and I will need to look at the code to determine the order of scanning but I
will get back to you on this. 

Based on log entries/detection it appears as if it first checks ZEROHOUR,
then AVG, then launches the external scanners.

 

Sorry for all the questions - just trying to wrap my arms around the new
way that everything is behaving now - as it's inconsistent with what I have
had in place all these years (both in Junkmail, which relies on TESTSFAILED
to control actions) and in Virus (which relies on virus name detection to
control what actions to take).

 

(Seems as if ZEROHOUR was added by a developer who wasn't yet
familiar/briefed with what was already in place elsewhere in the product,
and just came up with his/her own way of doing things instead of integration
with the existing features.)

 

Thanks,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 08, 2009 10:34 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

 

Commtouch Zerohour identifies viruses based on traffic patterns rather than
signatures; this is why it is not associated with a name. There is only one
option currently for Commtouch - in the global.cfg

 

ZEROHOUR   x

 

Where x is the weight assigned if ZEROHOUR is triggered. 

 

In the Declude EVA the ZEROHOUR is part of the internal scanner process and
I will need to look at the code to determine the order of scanning but I
will get back to you on this. 

David



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] ZEROHOUR, scanner order

2009-06-08 Thread Andy Schmidt
Fair enough!

 

Looks like a good service in general - hopefully, the implementation can be
cleaned up at some point.

 

Thanks,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 08, 2009 11:10 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

 

Andy,

 

It is implemented in the Declude virus but because the spam function
overlaps into junkmail and the spam weighting system is in junkmail the
weight is specified in the global.cfg - as you can see it is more as a
directive than a test. Secondly you are correct about the developer who
integrated Commtouch. This was before I took over the management of Declude
and it is suffice to say he is no longer with Declude either.

 

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, June 08, 2009 11:02 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

 

Hi David:

 

Thanks. The Global.cfg configures the Declude.Junkmail - but you said it was
implemented as Declude.Virus. So any configuration would go into the
Virus.cfg file. It seems to me as if it's implemented in some fashion in
both ends.

 

 In the Declude EVA the ZEROHOUR is part of the internal scanner process
and I will need to look at the code to determine the order of scanning but I
will get back to you on this. 

Based on log entries/detection it appears as if it first checks ZEROHOUR,
then AVG, then launches the external scanners.

 

Sorry for all the questions - just trying to wrap my arms around the new
way that everything is behaving now - as it's inconsistent with what I have
had in place all these years (both in Junkmail, which relies on TESTSFAILED
to control actions) and in Virus (which relies on virus name detection to
control what actions to take).

 

(Seems as if ZEROHOUR was added by a developer who wasn't yet
familiar/briefed with what was already in place elsewhere in the product,
and just came up with his/her own way of doing things instead of integration
with the existing features.)

 

Thanks,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 08, 2009 10:34 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

 

Commtouch Zerohour identifies viruses based on traffic patterns rather than
signatures; this is why it is not associated with a name. There is only one
option currently for Commtouch - in the global.cfg

 

ZEROHOUR   x

 

Where x is the weight assigned if ZEROHOUR is triggered. 

 

In the Declude EVA the ZEROHOUR is part of the internal scanner process and
I will need to look at the code to determine the order of scanning but I
will get back to you on this. 

David



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Internal Scanner missing most viruses

2009-06-04 Thread Andy Schmidt
Hi Serge:

 

http://www.invariantsystems.com/dlanalyzer/

 

EXTREMELY helpful in assessing the performance of certain spam tests, seeing
which users are being targeted by viruses, which IP addresses are the top
spammers and which ones are virus sources.

 

And, you can generate per person or per domain reports to show a company how
effective you protect them.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Serge
Sent: Wednesday, June 03, 2009 6:42 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Internal Scanner missing most viruses

 

Hello Andy

how are these reports generated ?

is this something built in into declude ? or some add on sw ?


TIA

 

- Original Message - 

From: Andy mailto:andy_schm...@hm-software.com  Schmidt 

To: declude.virus@declude.com 

Sent: Wednesday, June 03, 2009 12:58 PM

Subject: RE: [Declude.Virus] Internal Scanner missing most viruses

 

Hi,

 

With the new build, AVG is finally working again and catching most of the
viruses:

 


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 21,119
Virus Infected Messages: 159
Percentage Infected: 0.75%

VIRUS                                 # INFECTED  PERCENTAGE
DOWNLOADER.GENERIC8.AQNV              132         0.63%
PAKES.DRC                             12          0.06%
WIN32/CRYPTOR                         9           0.04%
I-WORM/NETSKY.X                       4           0.02%
WIN32/VIRUT.A                         2           0.01%


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 21,119
Virus Infected Messages: 3
Percentage Infected: 0.01%

VIRUS                                 # INFECTED  PERCENTAGE
TROJAN.ZBOT-3428                      3           0.01%


Virus Scanner Summary Report (McAfee VirusScan)

Total Messages Processed: 21,119
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                                 # INFECTED  PERCENTAGE
No Records Matched Your Criteria



 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 13, 2009 11:45 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Internal Scanner missing most viruses
Sensitivity: Personal

 

Hi,

 

For a while, AVG was doing an adequate job - but recently it again has been
missing virtually all infected emails that ClamAV and the trusted McAfee are
identifying.

 

I inspected several of the held files - and each one clearly was a live
virus (e.g., inside a ZIP attachment etc.)

 



 


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 21,157
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                                 # INFECTED  PERCENTAGE
No Records Matched Your Criteria


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 21,157
Virus Infected Messages: 3
Percentage Infected: 0.01%

VIRUS                                 # INFECTED  PERCENTAGE
SUSPECT.DOUBLEEXTENSION-ZIPPWD-2      2           0.01%
WORM.BAGLE-1                          1           0.00%


Virus Scanner Summary Report (McAfee VirusScan)

Total Messages Processed: 21,157
Virus Infected Messages: 29
Percentage Infected: 0.14%

VIRUS                                 # INFECTED  PERCENTAGE
TROJAN OR VARIANT NEW MALWARE.JJ !!!  22          0.10%
PWS-ZBOT TROJAN !!!                   7           0.03%



 

Best Regards,

Andy



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.image001.png

RE: [Declude.Virus] CommTouch, External Scanners, Marketplace

2009-06-04 Thread Andy Schmidt
Hi Dave,

 

Could you please elaborate on that:

 

 In addition we have ZEROHOUR as an option for Perpetual license customers
as an additional virus scanner providing ZEROHOUR protection and
additional spam definitions. For the amount of money that this is being
offered for it is a wise investment. 

 

Yesterday, in your breakdown of annual fees, you indicated
that my annual fees were 50% higher than 5 years ago (which I have been
paying without complaint), because my fees now PAID for this feature. I wasn't
aware of that. Is there something special that I have to do to turn this on?
(I'm assuming: If I'm paying for it every year, I should be entitled to use
it?)

 

 It would be good to run more than 1 virus scanner for several reasons 

 

As far as external scanners - one desirable feature for your current
full-time developer would be to implement ClamLib and the Sniffer API so
that they do NOT require launching yet another command line program, which
chips away from the system heap - and causes severe overhead. 

 

 Mr/s Customer how much more are you willing to pay so that we can
invest in more resources in order to develop a better product?  

 

As far as the market place and how much to pay - I tend to compare Declude
to ORF (http://www.vamsoft.com/orfee_order.asp), both of which I pay for. One
for Imail, the other for IIS SMTP. Both have interfaces to external tools
(Sniffer, ClamAV, McAfee), both check SPF, DNS blacklists, URI Blacklists,
both have the ability to define RegEx custom filters.

 

The difference: for the lesser annual fees, ORF has been growing its
business by delivering versions with new features for as many years as I
have been a user. They even have a voting system where their paying
customers can express preferences which features are most important to them:
http://www.vamsoft.com/features/default.asp.  

 

Or, let's look at Sniffer: for $495.00/year you have a company that has
people actively improving their signatures several times EACH day PLUS
they still manage to put out significant new versions.

 

So don't falsely accuse us that we're unwilling to pay sufficient fees to
support one full time developer. I pay that many times over for spam/virus
filtering to various vendors - I even pay for DLAnalyzer and invURIBL, money
that Declude could and should have earned if they had added reporting and
URIBL scanning into the product. Then YOU would be getting the annual fees
I'm paying them!

I say it again: The budget is clearly there. The difference is, other
vendors invest that money into the product I pay for! Declude is the only
product that's been taking these fees for years and has NOT progressed the
product, forcing me to pay extra for add-ons - and now is expecting that we
should trust yet another incarnation of a new business model to pay us
first, then we deliver. There's only so much up front investing that your
investors (=customers) are willing to do before they want to see results.

 

Best Regards,

Andy Schmidt

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Thursday, June 04, 2009 10:03 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

 

Sorry no marketing department to give you the warm and fuzzy spin, just me.

 

Couple of suggestions. Declude has the ability to run up to 5 additional cmd
line scanners of your choice. We provide AVG as a courtesy to our customers,
as in the past Declude did not have any internal virus scanner; you would
have to go out and purchase that separately.

 

It would be good to run more than 1 virus scanner for several reasons, one
of which is failure of an AV scanner (admittedly in this instance failure
was on our part). But rest assured false positives, no virus signatures, lag
time are problems ALL AV vendors are faced with. There are some that are
free that work extremely well; ClamWin or ClamAV is an example of this.

 

In addition we have ZEROHOUR as an option for Perpetual license customers as
an additional virus scanner providing ZEROHOUR protection and additional
spam definitions. For the amount of money that this is being offered for it
is a wise investment. If you opted out of this because you didn't want to
spend the extra few $ on security then you have different issues and it's
not Declude.

 

Lastly Patrick please contact supp...@declude.com having looked at your host
record it does not look like you are receiving any AV updates - it could be
that your firewall is blocking the AV updates, our support can work with you
to fix that.


Thanks
David 

 




[Declude.Virus] Declude Virus inoperable for 13% of th year?

2009-06-03 Thread Andy Schmidt
Hi,

 

Dave - so now that we have a working Declude Virus again, what can be done
to prevent this from recurring.

 

a)   Apparently Declude Virus has no error tracking in place at all -
otherwise it would have REPORTED to us (or your own Declude to your own mail
server) that the AVG API was no longer performing scans?

 

b)   Do the customers need to set a follow-up reminder for December
2010, which is when your new renewed AVG license will expire?

 

The old DecludeProc had THIS AVG License String:

 

LicBeg, Ver=1.0, Name=Declude, Exp=2009-04-10

 

So this implies, that the product was inoperable since April 10th for every
customer because Declude didn't obtain a new annual AVG license and had to
wait a few days for this transaction to complete? That means the product
was unusable for 13% of the year?

 

This can't just be brushed aside quietly. 

 

Best Regards,

Andy 




RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

2009-06-03 Thread Andy Schmidt
Hi,

 

Oh, now you really got me going.

 

 Declude Virus does not have a built in system to report this error as
with this specific example 

 

The problem is not the hard-coded expiration itself. Clearly, when this API
(including the hardcoded expiry) was originally implemented, the fact that
there was an expiry was a known fact to that developer - cause (s)he added
it. Whoever wrote this API implementation simply was too lazy to properly
handle and report on the condition that absolutely was going to occur with
100% certainty on 4/10. That's a programming 101 and this flaw must be
fixed, not discussed. It's when an Anti-Virus product doesn't report that
it has decided to stop detecting viruses.

 

 how much more are you prepared to pay for your service agreement 

 

Nice try, but to me, money is secondary to function. I rather would pay
appropriate maintenance for a product that is enhanced with features (as it
was in the first few years when I had purchased it) than to pay a lesser
annual maintenance for a dormant product! However, I'm NOT willing to pay a
company just so that they can pursue OTHER technical, legal and marketing
ventures INSTEAD of enhancing the product.

 

The problem with Declude is that they lost focus - this instance makes this
painfully obvious!

 

 increase our prices dramatically so we can hire more developers 

 

Let's get real. I remember looking at your web site a while ago and seeing a
huge roster of management. I also remember web site project and other
products being launched and initiating legal actions. Here's what you need:

Start laying off managers and other supervisory staff, cut the retainers for
your attorneys, etc.  and don't stop until you have enough money to finally
pay ONE full time developer that actually works on continually enhancing the
product we are all paying for and gets as much done as the original author
of the product did for YEARS. (Once caught up with 3 years of backlog, then
sell me the upgrade!)

You don't need additional personnel - you need to replace
overhead-personnel with production personnel.

 

I suspect the problem is not lack of funds but diversion of it.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, June 03, 2009 11:07 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Sensitivity: Personal

 

Andy,

 

a.   Declude Virus does not have a built in system to report this error
as with this specific example. What happened here is not the norm but an
exception.  It was not our choice to hard code the expiration date but a
requirement from AVG. In this instance the specific persons who we had been
working with at AVG are no longer with the company and the process of having
this renewed took longer than usual. 

 

b.  I am not sure if you are being facetious, but if it makes you feel
better, sure you can schedule a reminder for me; please email me at least 3
months prior to the new expiration date 2010-12-31 

 

c.   Yes AVG was not working as it should have been since 2009-04-10 I
agree with you -  this is totally unacceptable, intolerable, painful and
should not be brushed aside lightly. You are correct in your observations,
we should increase our prices dramatically so we can hire more developers to
ensure unfortunate incidents like this don't happen again.  Considering the
market and what other vendors charge how much more are you prepared to pay
for your service agreement so that we can meet this type of requirement ?

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, June 03, 2009 9:08 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Importance: High
Sensitivity: Personal

 

Hi,

 

Dave - so now that we have a working Declude Virus again, what can be done
to prevent this from recurring.

 

a)   Apparently Declude Virus has no error tracking in place at all -
otherwise it would have REPORTED to us (or your own Declude to your own mail
server) that the AVG API was no longer performing scans?

 

b)   Do the customers need to set a follow-up reminder for December
2010, which is when your new renewed AVG license will expire?

 

The old DecludeProc had THIS AVG License String:

 

LicBeg, Ver=1.0, Name=Declude, Exp=2009-04-10

 

So this implies, that the product was inoperable since April 10th for every
customer because Declude didn't obtain a new annual AVG license and had to
wait a few days for this transaction to complete? That means the product
was unusable for 13% of the year?

 

This can't just be brushed aside quietly. 

 

Best Regards,

Andy 



RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

2009-06-03 Thread Andy Schmidt
That's the point of the discussion. Declude added a hard-coded end-time but
didn't add a handling mechanism that deals with the event when (not IF) the
end-time was absolutely going to occur on the predescribed date.

 

Consequently there were/are only indirect ways to find out:

 

-  Infected emails reached your desktops, and/or

 

-  You had secondary scanners plus a reporting tool,
http://www.invariantsystems.com/dlanalyzer/, which made it obvious that ALL
your viruses were ONLY being caught by the secondary scanners (which is what
I have been pointing out for weeks), and/or

 

-  You check your VIRmmdd.LOG file and a scan of AVG Reports
VIRUS: finds no matches.

 

According to Declude, properly dealing with a known, hard-coded, expiry date
is not included in the annual maintenance fees but is considered  an
enhancement for which they should charge extra.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, June 03, 2009 12:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Sensitivity: Personal

 

 Darin Cox said:

 that the AVG API was no longer performing scans?

 

 David Barker said:

 Declude Virus does not have a built in system to report this error as with
this specific example.

 

Is this true?  Has my Declude virus scanner been inoperable?  

 

My Declude logs look OK, but I guess that's what you're talking about?
What's the deal?  How can I detect this misbehavior, if indeed it did occur?

 

-- Michael Cummins

 

 



RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

2009-06-03 Thread Andy Schmidt
I think taking a software company to task on their lack of control DOES
benefit all users technically! 

 

I didn't introduce pricing and staffing into this discussion - YOU did! Now
you take me to task for responding to your pricing/staffing issues that YOU
raised?

 

 Let's not forget you are paying less for the product maintenance today
than you were 5 years ago 

 

1/6/2002: $295
1/14/2003: $295
1/23/2004: $295 (after having upgraded to Pro in March 2003)
1/5/2005: $264
12/30/2005: $264
8/18/2006: $309
1/19/2007: $309
3/13/2008: $395
6/2009: $395

 

Would you like to revise your statement? I'm not paying less, I'm paying 50%
more. No complaints - just insisting on the truth.

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, June 03, 2009 12:40 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Sensitivity: Personal

 

Breathing and counting to 10 .  ;)

 

 Whoever wrote this API implementation simply was too lazy to properly
handle and report on the condition that absolutely was going to occur with
100% certainty on 4/10. That's a programming 101 and this flaw must be
fixed, not discussed. It's when an Anti-Virus product doesn't report that
it has decided to stop detecting viruses.

 

In coding Utopia yes that is true. I was unaware of this situation till now.
I would fire the person who implemented this but we had already let them go
over 2 years ago. I get what you are saying, I just don't think you
understand when I say I have heard you Andy, you can stop posting to the
lists about this

 

 Nice try, but to me, money is secondary to function. 

 

Nice dodge!

 

I rather would pay appropriate maintenance for a product that is enhanced
with features (as it was in the first few years when I had purchased it)
than to pay a lesser annual maintenance for a dormant product! 

 

Ah the good old days of Scott Perry.  Let's not forget you are paying less
for the product maintenance today than you were 5 years ago. Dormant ? or
not the fixes and features you want? 

 

However, I'm NOT willing to pay a company just so that they can pursue
OTHER technical, legal and marketing ventures INSTEAD of enhancing the
product. The problem with Declude is that they lost focus - this instance
makes this painfully obvious!

 

What are you talking about ?

 

Let's get real. I remember looking at your web site a while ago and seeing
a huge roster of management. I also remember web site project and other
products being launched and initiating legal actions. Here's what you need:
Start laying off managers and other supervisory staff, cut the retainers for
your attorneys, etc.  and don't stop until you have enough money to finally
pay ONE full time developer that actually works on continually enhancing
the product we are all paying for and gets as much done as the original
author of the product did for YEARS. (Once caught up with 3 years of backlog,
then sell me the upgrade!) 

You don't need additional personnel - you need to replace
overhead-personnel with production personnel.

 

Wrong. Declude is a separate company from DNSStuff. Our (Declude) revenues
are solely committed to maintaining and growing this company. 

 

I suspect the problem is not lack of funds but diversion of it.

 

Oh wait.  that's a good one. I think the best way to answer this just is to
say your suspicion is incorrect.  

 

Finally the purpose for these lists is mostly for tech questions and
assisting other users. Your initial posts about AVG were fine, but if you
want to get into what you think Declude should be doing as a company
either email me or call me directly. 

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 




RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

2009-06-03 Thread Andy Schmidt
Fair enough.

 

For this particular case: If AVG requires a fixed license date, then add an
alert mechanism so that customers (especially those who might not upgrade
until 12/2010) will receive an explicit notice that their Declude Virus is
inactive!  The log file would be the minimum - but ideally a postmaster
email to an admin email address in one of the Declude config files.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, June 03, 2009 12:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

 

Maybe I am misunderstanding you but the AVG issue that occurred has been
resolved, and should have never happened, now let's move on to the real
issue at hand ... I am challenged with, how do I prevent such issues
occurring in the future? As my resources are currently maxed what are my
options ..? Suggestions ?

 

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, June 03, 2009 12:42 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

 

Let's turn this around:

 

 however if customers expect more than what is currently being delivered
then I have to ask the question, in clear, open and honest communication..
Mr/s Customer how much more are you willing to pay so that we can invest
in more resources in order to develop a better product?

 

How much more than 100% of the annual fee are customers expected to pay
before Declude considers them entitled to expect to use the product (close
to) 100% of the time - instead of 87%?

 

The point is, this was a major mess up and the problem was absolutely poor
programming practice (hard-coding a time limit without adding code to deal
with the reaching of that limit). And your response is: Pay us more if you
want us to use remotely reasonably normal programming practice?

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, June 03, 2009 12:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

 

Darin,

 

I accept your constructive criticism. With regard to the situation;

 

1.   We recognize that this was a serious failure

2.   The issue was highlighted and resolved in the quickest possible
time

3.   Procedural steps have been put in place to ensure that this does
not happen again.

4.   This was an unfortunate circumstance and I understand the
frustration on the part of Declude customers

5.   We make every effort to meet the needs of our customers

 

My statement regarding increased prices has less to do with this current
problem as it has to do with moving forward and preventing issues like this
in the future. More $ means more resources which means more can be done
which equates to less risk in all areas.  Declude has given good service,
value for money and a product that works for minimum $. I understand that
the expectation is always more for less, however if customers expect more
than what is currently being delivered then I have to ask the question, in
clear, open and honest communication..

 

Mr/s Customer how much more are you willing to pay so that we can invest
in more resources in order to develop a better product?

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Darin
Cox
Sent: Wednesday, June 03, 2009 11:50 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Declude Virus inoperable for 13% of th year?

 

Wow, what a way to respond to a long-time, loyal paying customer!  Instead
of apologizing for the serious problem and relaying what steps are being
taken to avoid it happening again (a simple reminder in the calendar system
of your choice would suffice), it's being thrown back in the customer's
face.

 

Regarding the question of increasing prices for service agreements, that has
no bearing on a current customer who has already paid the fees.  Such
customers should expect the service they paid for to be rendered.  Failure
to do so is a breach of agreement on Declude's part.  While we are all human
and problems can occur, this is a serious failure, and the tone of the
response being punitive instead of apologetic makes customers less
forgiving, not more.

 

To be frank, many customers are asking what they are paying for, when fix
and feature requests take months to be released, or not at all.

 

I understand the situation may be frustrating, but it's often best to step
back for a moment, vent elsewhere if needed, then respond professionally to
customers.  Clear, open, and honest communication also helps.

 

Please don't take this email as incendiary.  It is meant to be constructive.

 

Darin

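The two checks asked for in this thread (spotting a scanner that has silently stopped detecting by comparing it with the other scanners, and alerting on the hard-coded license expiry instead of failing quietly) can be sketched as one health check. This is an added example, not Declude's or DLAnalyzer's code: the function names, thresholds, report dates and the reading of `Exp=` as the last valid day are assumptions, while the report layout, figures and license string are the ones quoted in the thread.

```python
import re
from datetime import date

# Report text in the layout quoted in this thread; the figures are the ones
# posted for the 21,157- and 22,303-message reports. Report dates are assumed.
REPORTS = {
    date(2009, 5, 13): """\
Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 21,157
Virus Infected Messages: 0
Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 21,157
Virus Infected Messages: 3
Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 21,157
Virus Infected Messages: 29
""",
    date(2009, 5, 14): """\
Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 22,303
Virus Infected Messages: 0
Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 22,303
Virus Infected Messages: 154
""",
}
LICENSE = "LicBeg, Ver=1.0, Name=Declude, Exp=2009-04-10"  # as quoted in the thread

HEADER = re.compile(r"Virus Scanner Summary Report \((.+)\)")
FIELD = re.compile(r"(Total Messages Processed|Virus Infected Messages):\s*([\d,]+)")


def parse_report(text):
    """Return {scanner: {"processed": n, "infected": n}} for one report."""
    stats, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.fullmatch(line)
        if m:
            current = stats.setdefault(m.group(1), {})
            continue
        m = FIELD.fullmatch(line)
        if m and current is not None:
            key = "processed" if m.group(1).startswith("Total") else "infected"
            current[key] = int(m.group(2).replace(",", ""))
    # Drop sections that lack either counter rather than guessing a value.
    return {n: s for n, s in stats.items() if {"processed", "infected"} <= s.keys()}


def silent_scanners(reports, min_peer_hits=3, min_days=2):
    """Scanners with zero detections on the last `min_days` reports in which
    they appear, while some other scanner caught >= `min_peer_hits` each day.
    A scanner with no peer in the report cannot be judged and is never flagged."""
    streak = {}
    for day in sorted(reports):
        stats = parse_report(reports[day])
        for name, s in stats.items():
            peer_best = max((p["infected"] for n, p in stats.items() if n != name),
                            default=0)
            quiet = s["processed"] > 0 and s["infected"] == 0
            streak[name] = streak.get(name, 0) + 1 if quiet and peer_best >= min_peer_hits else 0
    return sorted(n for n, k in streak.items() if k >= min_days)


def license_status(license_string, today, warn_days=90):
    """Return (state, days_left); Exp= is assumed to be the last valid day."""
    m = re.search(r"\bExp=(\d{4})-(\d{2})-(\d{2})\b", license_string)
    try:
        expiry = date(*map(int, m.groups())) if m else None
    except ValueError:          # e.g. month 13: treat like a missing field
        expiry = None
    if expiry is None:
        return ("UNKNOWN", None)    # unreadable must alert, never pass silently
    days_left = (expiry - today).days
    if days_left < 0:
        return ("EXPIRED", days_left)
    return ("EXPIRING" if days_left <= warn_days else "OK", days_left)


def health_alerts(license_string, reports, today):
    """Lines to write to the log and mail to the postmaster address."""
    alerts = []
    state, days = license_status(license_string, today)
    if state == "EXPIRED":
        alerts.append(f"engine license expired {-days} days ago; scans may not be running")
    elif state == "EXPIRING":
        alerts.append(f"engine license expires in {days} days")
    elif state == "UNKNOWN":
        alerts.append("engine license expiry could not be read")
    for name in silent_scanners(reports):
        alerts.append(f"{name}: zero detections while other scanners report infections")
    return alerts


if __name__ == "__main__":
    for line in health_alerts(LICENSE, REPORTS, date(2009, 6, 3)):
        print("ALERT:", line)
```

The 90-day warning window mirrors the three-month reminder mentioned in the thread; a site running only one scanner gets no cross-check from `silent_scanners` and has to rely on the license check alone.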
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

2009-06-03 Thread Andy Schmidt
Didn't realize I was paying for CommTouch ZEROHOUR and for Hijack?

 

How do I turn on CommTouch, since apparently I've been paying for its
maintenance since at least 2008?

 

No, I am NOT complaining about the amounts. I've many times forced money on
various developers because I want them to be well funded so that they will
be motivated to proceed.  I'm complaining about the lack of delivering added
features. I say it again: Money is secondary to me to function.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, June 03, 2009 1:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Sensitivity: Personal

 

Here is the full breakdown.

 

The Good ol' Days

EVA - Service Agreement        $195.00
JunkMail - Service Agreement   $195.00
HiJack - Service Agreement     $75.00

Total: $465

Today

EVA - Service Agreement
JunkMail - Service Agreement
HiJack - Service Agreement
AVG virus scanner
Commtouch ZEROHOUR Antivirus + Spam definitions

Total: $395

 

So you have a whole lot more for less money, and yes you are complaining.


David

 

 

 


RE: [Declude.Virus] Internal Scanner missing most viruses

2009-05-15 Thread Andy Schmidt
Hi Andrew:

 

 scanner being the main line of defense is dead . . . it's just that most
people don't know it yet

 

Well - today there were 80 or so infected emails that would have gone
through. While AV scanning may not be the main line, it certainly is still
a crucial element. Just ONE email raises the chance that some uninformed end
user and one of our customers could get their entire network taken over and
could cost man-days to rebuild systems that were infected by root-kits.

 

Look at last night's statistics - the bad guys certainly knew how to
beat AVG. But my other two scanners are NOT beaten - and that's my daily
experience. So there is a pattern here that just can't be ignored!

 

My thinking is - ClamAV and McAfee are being updated many times daily
(because I control the updating process) - so any new virus variants are
caught quickly.  I have no control over how often AVG is being updated?  If
they are only updated daily, then (in today's times) that renders AVG
worthless. What's even more disconcerting is the fact that some of these
missed virus names appear for days at a time - so even AFTER a daily update,
AVG is missing those.

 

I'm not impressed by whatever comparisons were taken a year or more ago.
Version numbers mean very little. The key is the date/timestamp of the
signature file.  You can get any comparison result you want, if you don't
use the most current hourly signature files for each product.

 

I have no hidden agenda - but I can tell you that in all the years that I've
been watching this, AVG has easily been outperformed by the other two
scanners I use, at least for the mix of viruses that MY many hundreds of end
users are targeted with.

 

 


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 22,303
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                                   # INFECTED   PERCENTAGE
No Records Matched Your Criteria


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 22,303
Virus Infected Messages: 154
Percentage Infected: 0.69%

VIRUS                                   # INFECTED   PERCENTAGE
EMAIL.TROJAN-99                         88           0.39%
HTML.PHISHING.BANK-218                  28           0.13%
EMAIL.TROJAN-98                         12           0.05%
EMAIL.PHISHING.BANK-101                 8            0.04%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-2        8            0.04%
WORM.BAGLE-1                            7            0.03%
WORM.BAGLE-ZIPPWD-24                    2            0.01%
HTML.PHISHING.BANK-1127                 1            0.00%



 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck,
Andrew
Sent: Thursday, May 14, 2009 7:19 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Internal Scanner missing most viruses
Sensitivity: Personal

 

http://www.processor.com/editorial/article.asp?article=articles/P3110/25p10/25p10.asp

 

The day of the [AV] scanner being the main line of defense is dead . . .
it's just that most people don't know it yet, says AVG's Thompson. Last
year alone, AVG added more than 650,000 signatures to its antivirus engine.
There are 20,000 to 30,000 unique binary samples every day. The bad guys
know how to beat a scanner.

 

Interesting and timely commentary.

 

For what it's worth, I find the blocking options in Declude Virus to be as
useful as the actual scanner, but I don't have the hard numbers to back up
that statement.

 

I do have to depend on the scanners when the bad guys use malware PDFs or
other documents. In general, the bad guys have taught email users to be
surprised if they can send a program or even a script via email.

 

 

Andrew.

 

 

 

 


From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, May 13, 2009 11:44 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Internal Scanner missing most viruses
Sensitivity: Personal

Andy,

 

The process of virus signatures being made available is an automated process;
this issue was already resolved in January as I said it would be. As soon as
virus definitions are available from AVG they become available to Declude
users. As you can see with the data that we have provided regarding AVG the
signature file date matches yours which is 5/13/2009. The bottom line is
AVG did not detect this specific virus.

 

Here is some data from tests done last year with regard to different AV
scanners and their accuracy, again this data is about 1 year old but it can
give you a good idea. Another option is to consider using our offering of
Commtouch which has the ZEROHOUR
http://www.commtouch.com/zero-hour-virus-outbreak-protection-sdk  protection
against new viruses. 

 

Rank 

1. G DATA 2008 version 18.2.7310.844 - 99.05% 

2. F-Secure 2008 version 8.00.103 - 98.75% 

3. TrustPort version 2.8.0.1835 - 98.06% 

4. Kaspersky version 8.0.0.357 - 97.95% 

5. eScan version 9.0.742.1 - 97.44% 

6. The Shield 2008 - 97.43% 

7. AntiVir version 8.1.00.331 Premium - 97.13% 

8. Ashampoo version 1.61 - 97.09% 

9. Ikarus version 1.0.82 - 96.05% 

10. AntiVir version 8.1.00.295 Classic - 95.54% 

11. AVG version 8.0.100 Free - 94.85% 

12. 

[Declude.Virus] Internal Scanner missing most viruses

2009-05-13 Thread Andy Schmidt
Hi,

 

For a while, AVG was doing an adequate job - but recently it again has been
missing virtually all infected emails that ClamAV and the trusted McAfee are
identifying.

 

I inspected several of the held files - and each one clearly was a live
virus (e.g., inside a ZIP attachment etc.)

 



 


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 21,157
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                                   # INFECTED   PERCENTAGE
No Records Matched Your Criteria


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 21,157
Virus Infected Messages: 3
Percentage Infected: 0.01%

VIRUS                                   # INFECTED   PERCENTAGE
SUSPECT.DOUBLEEXTENSION-ZIPPWD-2        2            0.01%
WORM.BAGLE-1                            1            0.00%


Virus Scanner Summary Report (McAfee VirusScan)

Total Messages Processed: 21,157
Virus Infected Messages: 29
Percentage Infected: 0.14%

VIRUS                                   # INFECTED   PERCENTAGE
TROJAN OR VARIANT NEW MALWARE.JJ !!!    22           0.10%
PWS-ZBOT TROJAN !!!                     7            0.03%



 

Best Regards,

Andy



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Internal Scanner missing most viruses

2009-05-13 Thread Andy Schmidt
Hi Dave,

 

No problem. 5 viruses have been sent to your Support email address - each of
which was detected by either ClamAV, the secondary scanner, or if ClamAV
missed it, then at least McAfee the last resort scanner.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, May 13, 2009 12:27 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Internal Scanner missing most viruses
Sensitivity: Personal

 

Hi Andy,

 

If you are having issues please submit a support ticket supp...@declude.com
with any appropriate information so we can look into this for you. 

 

Thanks

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 13, 2009 11:45 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Internal Scanner missing most viruses
Sensitivity: Personal

 

Hi,

 

For a while, AVG was doing an adequate job - but recently it again has been
missing virtually all infected emails that ClamAV and the trusted McAfee are
identifying.

 

I inspected several of the held files - and each one clearly was a live
virus (e.g., inside a ZIP attachment etc.)

 



 


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 21,157
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                                   # INFECTED   PERCENTAGE
No Records Matched Your Criteria


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 21,157
Virus Infected Messages: 3
Percentage Infected: 0.01%

VIRUS                                   # INFECTED   PERCENTAGE
SUSPECT.DOUBLEEXTENSION-ZIPPWD-2        2            0.01%
WORM.BAGLE-1                            1            0.00%


Virus Scanner Summary Report (McAfee VirusScan)

Total Messages Processed: 21,157
Virus Infected Messages: 29
Percentage Infected: 0.14%

VIRUS                                   # INFECTED   PERCENTAGE
TROJAN OR VARIANT NEW MALWARE.JJ !!!    22           0.10%
PWS-ZBOT TROJAN !!!                     7            0.03%



 

Best Regards,

Andy


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com. 



RE: [Declude.Virus] OT - looking for a command line email tool - with attachments

2009-05-12 Thread Andy Schmidt
Hi Alex,

 

I can't imagine that any email tool that is able to send an attachment would
go inside your PDF file and certainly wouldn't delete anything (such as
the embedded font) out of the single attachment. I rather would expect that
there is a difference in the environment on the server and the environment
on the workstations (such as different operating systems, different Acrobat
Reader versions, etc. that account for the different viewing experience).

 

What if you copy the PDF file from the server to the workstation that has
the problem. If the email worked correctly, the copy you emailed to the
workstation should be binary identical to the file you copied from the
server. If you now open the copy from the server, I would expect that you'll
have the same problem.

 

Best Regards,

Andy

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Hirthe,
Alexander
Sent: Tuesday, May 12, 2009 10:57 AM
To: 'declude.virus@declude.com'
Subject: [Declude.Virus] OT - looking for a command line email tool - with
attachments

 

Hello,

 

can anyone help me? 

 

I'm looking for a command line tool to send mail (within our company)
including an attachment. 

(I want to forward the incoming fax to the inbox of the user :)  

 

I can create the pdf, put it in a directory and now I only need a command
line mailer *with* attachment.

 

I tried different tools now, the best sent me the mail and the embedded pdf
font was missing :-/ 

if I open the pdf on the server it's all working. 

 

?

 

Alex

 

 



Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Dr. Peter Baumeister
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com. 




[Declude.Virus] Ouch AVG is missing new Viruses again, big time!

2009-04-15 Thread Andy Schmidt
ClamAV and my trusted last defense McAfee catches them (both updated at
least hourly):

 

 


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 21,402
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                                   # INFECTED   PERCENTAGE
No Records Matched Your Criteria


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 21,402
Virus Infected Messages: 11
Percentage Infected: 0.05%

VIRUS                                   # INFECTED   PERCENTAGE
TROJAN.ZBOT-3279                        7            0.03%
WORM.BAGLE-1                            2            0.01%
WORM.BAGLE.GV                           1            0.00%
WORM.MYDOOM.I                           1            0.00%


Virus Scanner Summary Report (McAfee VirusScan)

Total Messages Processed: 21,402
Virus Infected Messages: 35
Percentage Infected: 0.16%

VIRUS                                   # INFECTED   PERCENTAGE
PWS-ZBOT TROJAN !!!                     31           0.14%
GENERIC PWS.Y TROJAN !!!                4            0.02%



 

 

 

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 




RE: [Declude.Virus] AVG update

2008-12-29 Thread Andy Schmidt
Thank you - that is helpful for our understanding.

Would it be practical to take the human element out of the loop and just
have a scheduled script use WGET or similar batch application check for an
updated file on their HTTP server every hour? If the returncode indicates a
new file, download it and make it available without needing manual
intervention?

That's how many of us retrieve signature updates for third party scanners
several times daily.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, December 29, 2008 3:11 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] AVG update

An FYI on the AV process.

Declude receives from AVG an email (example below) this is typically once
per day. On occasion we may get several per day or one in two days. As soon
as this email is received we download the latest definitions to our AVG
server and the definitions are available for your Decludeproc to retrieve.
Now depending on when this last check was done by your Declude - will
determine when you will get the AV sigs or what the time difference is
between release and update.



The following virus database update has been prepared for you to download. 

--- SDK VDB Update Description ---
New Viruses: 
New Trojans: 
New Virus Variants: 
New Trojan Variants: Agent.ARGZ, Downloader.Zlob.AIFA, Generic12.AGYE,
BackDoor.Hupigon4.AXIM, Agent.ARLN, BackDoor.Generic10.AFRU

--- SDK VDB Update Files ---
avgsdk_ivdb2422.zip
avgsdk_vdb2422.zip

--- SDK VDB version.nfo ---
VDB_RELEASE_VERSION: 2422
PREVIOUS_VDB_RELEASE_VERSION: 2421
SEVERITY: critical
VDB_RELEASE_DATE: 2008-12-28 14:23
MODIFIED: microavi.avg
MODIFIED: incavi.avm
VDB_FILES_VERSION: 270.10.1/1867
REQUIRED_BIN_RELEASE_VERSION: 1.3.510

--- SDK VDB Update Notification End ---



David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com






---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
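
The hourly check proposed in this post needs a way to tell, from the published metadata, whether a newer database exists and how old it is. The following is an added example, not Declude's or AVG's code: it parses the version.nfo fields quoted in the notification above. The function names, the 24-hour staleness threshold, and the assumption that VDB_RELEASE_DATE is on the same clock as the checking host are assumptions of this example.

```python
"""Added example: assess a signature release from version.nfo metadata."""
from datetime import datetime, timedelta

# Constructed sample: the "SDK VDB version.nfo" fields quoted in the post.
SAMPLE_NFO = """\
--- SDK VDB version.nfo ---
VDB_RELEASE_VERSION: 2422
PREVIOUS_VDB_RELEASE_VERSION: 2421
SEVERITY: critical
VDB_RELEASE_DATE: 2008-12-28 14:23
MODIFIED: microavi.avg
MODIFIED: incavi.avm
VDB_FILES_VERSION: 270.10.1/1867
REQUIRED_BIN_RELEASE_VERSION: 1.3.510
"""

REPEATABLE = {"MODIFIED"}  # keys that appear once per changed file
REQUIRED = ("VDB_RELEASE_VERSION", "VDB_RELEASE_DATE")


def parse_version_nfo(text):
    """Parse 'KEY: value' lines; repeatable keys are collected into lists."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):  # blank lines, section rulers
            continue
        key, sep, value = line.partition(":")   # split at the FIRST colon only
        if not sep:
            raise ValueError(f"not a 'KEY: value' line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key in REPEATABLE:
            fields.setdefault(key, []).append(value)
        elif key in fields:
            raise ValueError(f"duplicate key: {key}")
        else:
            fields[key] = value
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return fields


def assess(fields, installed_version, now, max_age=timedelta(hours=24)):
    """Compare published metadata with the locally installed version.

    installed_version: integer VDB version currently in use (hypothetical
    input; how a given install reports it is outside this example).
    max_age: assumed threshold after which the release counts as stale.
    """
    published = int(fields["VDB_RELEASE_VERSION"])
    previous = int(fields.get("PREVIOUS_VDB_RELEASE_VERSION", published - 1))
    released = datetime.strptime(fields["VDB_RELEASE_DATE"], "%Y-%m-%d %H:%M")
    age = now - released
    update_available = published > installed_version
    # Releases between the installed one and this one that were never fetched.
    missed = max(0, previous - installed_version) if update_available else 0
    return {
        "update_available": update_available,
        "missed_releases": missed,
        "age_hours": round(age.total_seconds() / 3600, 1),
        "stale": age > max_age,
    }


if __name__ == "__main__":
    nfo = parse_version_nfo(SAMPLE_NFO)
    # Evaluate as of the time the notification was forwarded to the list.
    print(assess(nfo, installed_version=2419, now=datetime(2008, 12, 29, 15, 11)))
```

Alerting on `stale` as well as `update_available` catches the case discussed in this thread, where polling more often only confirms that the published database itself is old.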







RE: [Declude.Virus] Force AVG update

2008-12-27 Thread Andy Schmidt
Hi,

The general experience has been (as reported by several individuals in two
different lists over the past 3 months), that the Declude AVG updates are
frequently 48 hours behind - which means they are only effective for old
viruses. I even posted the stats for several days where it showed that every
few days new viruses were being caught by my secondary scanner (McAfee),
which truly does have hourly updates - and would have been passed through to
my desktops if I had relied on Declude's AVG scanner.

I have the feeling that changing your poll time from 4 hours to 2 will only
mean that you'll be finding out twice as often that they have a 2-day old
update.

I'm curious what the answer is - but somewhere in the back of my head I
think I had previously read that Declude will occasionally get updates from
AVG which in turn you get from them. If my recollection/understanding is
accurate, then the real frequency is controlled by Declude's server, not
yours.

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Dodell
Sent: Saturday, December 27, 2008 10:00 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Force AVG update

Anyway to force declude to update the AVG files ... my dates run from  
12/17 to 12/23 ... are these really current dates?

David

(I have my update frequency set at every 2 hrs)


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.







RE: [Declude.Virus] Force AVG update

2008-12-27 Thread Andy Schmidt
Well, most scanners will require much more expensive licenses, e.g., a
license per mailbox, etc.

The Declude anti-virus license is a good deal - if they would just get the
technology working right!

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Dodell
Sent: Saturday, December 27, 2008 2:15 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Force AVG update


On Dec 27, 2008, at 9:59 AM, Andy Schmidt wrote:

 Hi,

 The general experience has been (as reported by several individuals  
 in two
 different lists over the past 3 months), that the Declude AVG  
 updates are
 frequently 48 hours behind - which means they are only effective for  
 old
 viruses. I even posted the stats for several days where it showed  
 that every
 few days new viruses were being caught by my secondary scanner  
 (McAfee),
 which truly does have hourly updates - and would have been passed  
 through to
 my desktops if I had relied on Decludes AVG scanner.

Then I guess, is it worth for me to renew my Declude support ...  
things run pretty much very smoothly now, the spam tests are all  
external engines, and was only keeping Declude update to get the AVG  
updates ... with budget cuts, maybe I should be investing into a  
secondary scanner versus a Declude contract?

What can I get for the same pricing $395 or less since this is all we  
have budgeted.

David


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.







RE: [Declude.Virus] Invalid Zip Vulnerability

2008-03-06 Thread Andy Schmidt
I have since determined that this email simply did have corrupted zip files.

 

My problem was NOT that those emails were held – but rather that it referred to 
an undocumented vulnerability that we weren’t able to intelligently discuss with 
the client (it’s not on our “list” of vulnerability explanations).

 

I also heard back from Declude that they will research that vulnerability check 
in the source code to learn more about it, and hopefully they will then add 
whatever information they’ll learn into the documentation.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
Sent: Thursday, March 06, 2008 10:54 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Invalid Zip Vulnerability

 

No name, just the extension?

John T
eServices For You



-Original Message-
From: Andy Schmidt [EMAIL PROTECTED]
Sent 3/3/2008 9:30:59 AM
To: [EMAIL PROTECTED]
Cc: declude.virus@declude.com
Subject: [Declude.Virus] Invalid Zip Vulnerability

Hi,

 

I checked your KB – and it doesn’t document that vulnerability:

http://support.declude.com/Customer/KBArticle.aspx?articleid=25&KBSearchID=11699

 

I checked your manual – and it doesn’t document that vulnerability:

http://www.declude.com/searchresults.asp?Cat=124

 

However, I do have a message that fails the vulnerability:

 

   File:   [.ZIP file]

   Result: Found[Invalid ZIP Vulnerability]

 

So now I need to determine, why this ZIP file is being rejected.

 

Thanks,

Andy


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com. 


[Declude.Virus] Invalid Zip Vulnerability

2008-03-03 Thread Andy Schmidt
Hi,

 

I checked your KB - and it doesn't document that vulnerability:

http://support.declude.com/Customer/KBArticle.aspx?articleid=25&KBSearchID=11699

 

I checked your manual - and it doesn't document that vulnerability:

http://www.declude.com/searchresults.asp?Cat=124

 

However, I do have a message that fails the vulnerability:

 

   File:   [.ZIP file]

   Result: Found[Invalid ZIP Vulnerability]

 

So now I need to determine, why this ZIP file is being rejected.

 

Thanks,

Andy




[Declude.Virus] Message without Body Held as Header Vulnerability?

2007-12-21 Thread Andy Schmidt
Hi,

Test1 (attached SMD file) is a message with a subject but without a body.
It is held by Declude Virus with the Non Standard Header vulnerability.

However, the SAME message Test2 WITH a body is let through (see bottom of
this posting).

The header appears the same - so if the header truly was non standard,
BOTH messages should have been held.

The only difference is the lack of a message BODY.

1) Imail Log of Test 1

12:21 19:31 SMTPD(5ad901aa99dd) [71.162.228.88] EHLO sony.home
12:21 19:31 SMTPD(5ad901aa99dd) Authenticated [EMAIL PROTECTED],
session treated as local.
12:21 19:31 SMTPD(5ad901aa99dd) [71.162.228.88] MAIL
FROM:[EMAIL PROTECTED]
12:21 19:31 SMTPD(5ad901aa99dd) [71.162.228.88] RCPT
TO:[EMAIL PROTECTED]
12:21 19:31 SMTPD(5ad901aa99dd) [71.162.228.88]
D:\IMail\spool\D5ad901aa99dd.SMD 563

2) Declude Log of Test 1

12/21/2007 19:31:25.987 q5ad901aa99dd.smd Vulnerability flags = 1
12/21/2007 19:31:36.612 q5ad901aa99dd.smd Non Standard Header
Vulnerability
12/21/2007 19:31:36.612 q5ad901aa99dd.smd Scanned: CONTAINS A VIRUS
[MIME: 1 4]
12/21/2007 19:31:36.612 q5ad901aa99dd.smd From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [incoming from 71.162.228.88]
12/21/2007 19:31:36.612 q5ad901aa99dd.smd Subject: TEST 1
12/21/2007 19:31:43.893 q5ad901aa99dd.smd LAST ACTION: Moving file to
virus hold directory: D:\IMAIL\spool\virus

3) Test 2 message (with a body) passes Declude

12/21/2007 19:31:43.721 q5ada01aa99df.smd Skipping E-mail from
authenticated user [EMAIL PROTECTED]; whitelisted.

Received: from sony.home [71.162.228.88] by Mail.Webhost.HM-Software.com  
with ESMTP (SMTPD-9.23) id AADA081C; Fri, 21 Dec 2007 19:31:22 -0500
To: RBL [EMAIL PROTECTED]
Subject: TEST 2
Reply-To: [EMAIL PROTECTED]
From: RBL [EMAIL PROTECTED]
Organization: RBLevin.net, 484-321-1133, 484-997-1300
Content-Type: text/plain; format=flowed; delsp=yes; charset=iso-8859-15
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Date: Fri, 21 Dec 2007 19:31:07 -0500
Message-ID: [EMAIL PROTECTED]
User-Agent: Opera Mail/9.25 (Win32)
X-Declude: Version 4.3.64; Code 0x0 from  
pool-71-162-228-88.phlapa.fios.verizon.net [71.162.228.88]
X-Declude: Triggered [0] Whitelisted
Return-path: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 478726316
X-IMail-ThreadID: 5ada01aa99df




D5ad901aa99dd.smd
Description: Binary data


[Declude.JunkMail] RE: IMmail 2006.23 release notes

2007-12-10 Thread Andy Schmidt
Darrell,

I think they are using SOME Imail mailer to send the Virus, Bounce and
Postmaster notifications.

However, I DO believe there is some confusion between the .EXE that is the
mailer vs. the old .EXE that is a mailbox CLIENT software. (There used to be
an Imail client where you could read/reply messages, etc.)

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Monday, December 10, 2007 10:33 AM
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Re: [Declude.Virus] IMmail 2006.23 release notes

Bonno,

After Declude finishes scanning the message it passes it off to 
smtp32.exe for delivery.  I can't think of any instance where declude 
will use the imail.exe utility.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.


Bonno Bloksma wrote:
 Hi,
  
 In the IMail 2006.23 release notes it states:
 --Quote--
 The IMail.exe Client provided in the IMail Server contained a 
 vulnerability due to a boundary error when processing emails with 
 multipart MIME data, which could potentially compromise a user's system.
  
 IMail.exe will no longer be delivered during installation.
  
 Caution: It is recommended that existing installations remove IMail.exe 
 from the IMail directory. It has been determined that utilizing this 
 feature could potentially corrupt mailboxes.
 --Quote--
  
 I seem to remember Declude used this (IMail.exe) as part of its mail 
 delivery. Is that still true with the 4.x versions
  
 I use it to send myself mails when something happens like a sniffer 
 update. But that is just one script which I can change.
 Is there something similar that we can use?
  
 p.s. I assume they mean IMail1 as there is no IMail.exe in the IMail 
 directory.
  
  
 
 Met vriendelijke groet,
 Bonno Bloksma
 hoofd systeembeheer
 
 tio hogeschool hotelmanagement en toerisme
 begijnenhof 8-12 / 5611 el eindhoven
 t 040 296 28 28 / f 040 237 35 20
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  / www.tio.nl 
 http://www.tio.nl/
 - Original Message -
 *From:* Tom Lewis mailto:[EMAIL PROTECTED]
 *To:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 *Sent:* Monday, December 10, 2007 2:28 PM
 *Subject:* RE: [IMail Forum] apimmdd.txt files
 
 The api/mmdd/.txt files are new in 9.23. There is informational logging 
 taking place that is creating these logs. They can be used by tech 
 support for diagnosing problems in the web client if they were to occur.
  
 You can get to the release notes here: 
 http://docs.ipswitch.com/IMail2006.23/ImailRelNotes/index.htm
  
 Tom Lewis
 *Ipswitch, Inc.*
 Development Manager - Messaging Products
 706-312-3573
  
 
 
 *From:* [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Bonno Bloksma
 *Sent:* Monday, December 10, 2007 7:27 AM
 *To:* [EMAIL PROTECTED]
 *Subject:* [IMail Forum] apimmdd.txt files
 
 Hi,
  
 As of IMail 2006.23 I have apimmdd.txt logfiles. However I cannot find 
 what these are for. Is this the new extra debugging for the webmail?
 There seem to be no release notes for 2006.23, at least I cannot find
them.
  
 Apart from that, everything seems to be working ok.
 
 Met vriendelijke groet,
 Bonno Bloksma
 hoofd systeembeheer
 
 tio hogeschool hotelmanagement en toerisme
 begijnenhof 8-12 / 5611 el eindhoven
 t 040 296 28 28 / f 040 237 35 20
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  / www.tio.nl 
 http://www.tio.nl
 
 ---
 This E-mail came from the Declude.Virus mailing list. To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus. The archives can be found
 at http://www.mail-archive.com.

-- 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.







[Declude.Virus] RE: IMmail 2006.23 release notes

2007-12-10 Thread Andy Schmidt
Darrell,

I think they are using SOME Imail mailer to send the Virus, Bounce and
Postmaster notifications.

However, I DO believe there is some confusion between the .EXE that is the
mailer vs. the old .EXE that is a mailbox CLIENT software. (There used to be
an Imail client where you could read/reply messages, etc.)

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Monday, December 10, 2007 10:33 AM
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Re: [Declude.Virus] IMmail 2006.23 release notes

Bonno,

After Declude finishes scanning the message it passes it off to 
smtp32.exe for delivery.  I can't think of any instance where declude 
will use the imail.exe utility.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.


Bonno Bloksma wrote:
 Hi,
  
 In the IMail 2006.23 release notes it states:
 --Quote--
 The IMail.exe Client provided in the IMail Server contained a 
 vulnerability due to a boundary error when processing emails with 
 multipart MIME data, which could potentially compromise a user's system.
  
 IMail.exe will no longer be delivered during installation.
  
 Caution: It is recommended that existing installations remove IMail.exe 
 from the IMail directory. It has been determined that utilizing this 
 feature could potentially corrupt mailboxes.
 --Quote--
  
 I seem to remember Declude used this (IMail.exe) as part of its mail 
 delivery. Is that still true with the 4.x versions
  
 I use it to send myself mails when something happens like a sniffer 
 update. But that is just one script which I can change.
 Is there something similar that we can use?
  
 p.s. I assume they mean IMail1 as there is no IMail.exe in the IMail 
 directory.
  
  
 
 Met vriendelijke groet,
 Bonno Bloksma
 hoofd systeembeheer
 
 tio hogeschool hotelmanagement en toerisme
 begijnenhof 8-12 / 5611 el eindhoven
 t 040 296 28 28 / f 040 237 35 20
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  / www.tio.nl 
 http://www.tio.nl/
 - Original Message -
 *From:* Tom Lewis mailto:[EMAIL PROTECTED]
 *To:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 *Sent:* Monday, December 10, 2007 2:28 PM
 *Subject:* RE: [IMail Forum] apimmdd.txt files
 
 The api/mmdd/.txt files are new in 9.23. There is informational logging 
 taking place that is creating these logs. They can be used by tech 
 support for diagnosing problems in the web client if they were to occur.
  
 You can get to the release notes here: 
 http://docs.ipswitch.com/IMail2006.23/ImailRelNotes/index.htm
  
 Tom Lewis
 *Ipswitch, Inc.*
 Development Manager - Messaging Products
 706-312-3573
  
 
 
 *From:* [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Bonno Bloksma
 *Sent:* Monday, December 10, 2007 7:27 AM
 *To:* [EMAIL PROTECTED]
 *Subject:* [IMail Forum] apimmdd.txt files
 
 Hi,
  
 As of IMail 2006.23 I have apimmdd.txt logfiles. However I cannot find 
 what these are for. Is this the new extra debugging for the webmail?
 There seem to be no release notes for 2006.23, at least I cannot find
them.
  
 Apart from that, everything seems to be working ok.
 
 Met vriendelijke groet,
 Bonno Bloksma
 hoofd systeembeheer
 
 tio hogeschool hotelmanagement en toerisme
 begijnenhof 8-12 / 5611 el eindhoven
 t 040 296 28 28 / f 040 237 35 20
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  / www.tio.nl 
 http://www.tio.nl
 



RE: [Declude.Virus] RE: IMmail 2006.23 release notes

2007-12-10 Thread Andy Schmidt
 it could generate bounces with a null sender, and that's long overdue. 

 

Agreed!

 

There is no excuse for Declude NOT to have its own mailer - after all, there
is an Imail listening on SOME local port - it's ridiculous that the matter
of NULL senders hasn't been addressed. At LEAST make it a configuration
option to use a standard tool, such as BLAT.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, December 10, 2007 2:06 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] RE: IMmail 2006.23 release notes

 

Some of us believe that it is the IMail1.exe executable that Declude uses
and not the IMail.exe executable that is being discontinued.

Regardless, if Declude stopped using IMail1.exe, it could generate bounces
with a null sender, and that's long overdue.

Matt



Andy Schmidt wrote: 

Darrell,
 
I think they are using SOME Imail mailer to send the Virus, Bounce and
Postmaster notifications.
 
However, I DO believe there is some confusion between the .EXE that is the
mailer vs. the old .EXE that is a mailbox CLIENT software. (There used to be
an Imail client where you could read/reply messages, etc.)
 
Best Regards,
Andy
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Monday, December 10, 2007 10:33 AM
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Re: [Declude.Virus] IMmail 2006.23 release notes
 
Bonno,
 
After Declude finishes scanning the message it passes it off to 
smtp32.exe for delivery.  I can't think of any instance where declude 
will use the imail.exe utility.
 
Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.
 
 
Bonno Bloksma wrote:
  

Hi,
 
In the IMail 2006.23 release notes it states:
--Quote--
The IMail.exe Client provided in the IMail Server contained a 
vulnerability due to a boundary error when processing emails with 
multipart MIME data, which could potentially compromise a user's system.
 
IMail.exe will no longer be delivered during installation.
 
Caution: It is recommended that existing installations remove IMail.exe 
from the IMail directory. It has been determined that utilizing this 
feature could potentially corrupt mailboxes.
--Quote--
 
I seem to remember Declude used this (IMail.exe) as part of its mail 
delivery. Is that still true with the 4.x versions?
 
I use it to send myself mails when something happens like a sniffer 
update. But that is just one script which I can change.
Is there something similar that we can use?
 
p.s. I assume they mean IMail1 as there is no IMail.exe in the IMail 
directory.
 
 
 
Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer
 
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  /
www.tio.nl 
 http://www.tio.nl/ http://www.tio.nl/
- Original Message -
*From:* Tom Lewis  mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
*To:* [EMAIL PROTECTED]  mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
*Sent:* Monday, December 10, 2007 2:28 PM
*Subject:* RE: [IMail Forum] apimmdd.txt files
 
The api/mmdd/.txt files are new in 9.23. There is informational logging 
taking place that is creating these logs. They can be used by tech 
support for diagnosing problems in the web client if they were to occur.
 
You can get to the release notes here: 
http://docs.ipswitch.com/IMail2006.23/ImailRelNotes/index.htm
 
Tom Lewis
*Ipswitch, Inc.*
Development Manager - Messaging Products
706-312-3573
 
 

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Bonno Bloksma
*Sent:* Monday, December 10, 2007 7:27 AM
*To:* [EMAIL PROTECTED]
*Subject:* [IMail Forum] apimmdd.txt files
 
Hi,
 
As of IMail 2006.23 I have apimmdd.txt logfiles. However I cannot find 
what these are for. Is this the new extra debugging for the webmail?
There seem to be no release notes for 2006.23, at least I cannot find them.
 
Apart from that, everything seems to be working ok.
 
Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer
 
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  /
www.tio.nl 
 http://www.tio.nl http://www.tio.nl
 

[Declude.Virus] RE: [Declude.JunkMail] 4.3.46

2007-10-18 Thread Andy Schmidt
Dave,

Lots of confusion here:

a) the subject refers to 4.3.46 - which shows up on my customer screen as
the latest RELEASE

b) however, that's less than the interim 4.3.57 that is shown on my
customer screen?

c) the body of your email refers to 4.3.64 - which would make more sense.
Except, THAT number is not visible ANYWHERE on my customer screen, neither
as a release NOR as an interim version number?

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, October 16, 2007 2:32 PM
To: [EMAIL PROTECTED]; declude.virus@declude.com
Subject: [Declude.JunkMail] 4.3.46

4.3.64 available, we have made some changes to address the vulnerability if
you would like to test this - it can be downloaded from the interim
location.


David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]










RE: [Declude.Virus] Partial Vulnerability test failures on legitmate email

2007-10-11 Thread Andy Schmidt
Hi,

 

Actually, the Partial/Fragmented Vulnerability is one that ideally should
be left in place. I'm not certain that this test can be circumvented
individually - at least it's not on this list:
http://www.declude.com/Version/Manuals/EVA/EVA_4.0.8.asp.

 

Before HTML messages and picture attachments - and consequently support for
messages that are many megabytes in size, there was a frequently used option
(especially for NNTP newsgroups, if I recall correctly), where an email
software would split a message into smaller fragments and then send each
fragment as one email.  The receiving software would look for the fragments
and re-assemble them into a single message.

 

Since it prevents virus detection at the server level, fragmented messages
should no longer be accepted (and, with today's technology and size
allowances, there really is no use for it).  I have seen some devices (such
as a Ricoh Scanner/Fax/Printer combination) still have the setting to create
fragments after xx KB. And even Outlook Express can still generate fragments
(see screenshot).

 

However, I've never had trouble explaining to clients (and senders), why
this option should remain off:

 



 

 

Best Regards,

Andy

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Thursday, October 11, 2007 3:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Partial Vulnerability test failures on legitmate
email

 

Does anyone know which Outlook Vulnerability test to REM out in the
virus.cfg to keep the [Partial Vulnerability] test from failing?


We are on 4.3.59 and this test is catching a number of legitimate emails
recently and I need to turn this test off until the vulnerability test fix is
done so I can try it again.

 

Has MS made updates to Outlook to affect this? This has just started on us
about 5 days ago.

 

Randy A.

Global Web Solutions Inc
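
Why fragments defeat server-side scanning, and the gateway check that follows from it, as an added example (not part of the posts above and not Declude's code). It uses Python's standard email package on a constructed message; the marker string, addresses, fragment id and function names are made up for the illustration, and reassembly omits the RFC 2046 header-merging rules.

```python
"""Gateway handling of message/partial (RFC 2046 section 5.2.2) fragments."""
from email import message_from_string
from email.message import EmailMessage
from email.parser import HeaderParser

# Constructed stand-in for a scanner signature; not a real detection pattern.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def build_whole_message():
    """Constructed sample: an ordinary message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"A" * 300 + MARKER + b"B" * 300,
                       maintype="application", subtype="octet-stream",
                       filename="sample.bin")
    return msg.as_string()


def fragment(raw, size, frag_id):
    """Build sample input: split a message as a client's fragment-after-N-KB setting does."""
    chunks = [raw[i:i + size] for i in range(0, len(raw), size)]
    return [
        f'Content-Type: message/partial; id="{frag_id}"; number={n}; total={len(chunks)}\n'
        "MIME-Version: 1.0\n\n" + chunk
        for n, chunk in enumerate(chunks, 1)
    ]


def partial_info(raw):
    """Return the fragment parameters if raw is a message/partial fragment, else None."""
    hdrs = HeaderParser().parsestr(raw)  # headers only; the body stays an opaque string
    if hdrs.get_content_type() != "message/partial":
        return None

    def number(name):
        value = hdrs.get_param(name)
        return int(value) if isinstance(value, str) and value.isdigit() else None

    return {"id": hdrs.get_param("id"), "number": number("number"),
            "total": number("total"), "body": hdrs.get_payload()}


def scan(raw):
    """Toy content scanner: decode every MIME part and look for MARKER."""
    info = partial_info(raw)
    if info is not None:
        # A fragment is an arbitrary slice of another message: there is no
        # MIME structure to walk, so only its undecoded text can be searched.
        return MARKER in info["body"].encode("ascii", "replace")
    msg = message_from_string(raw)
    return any(MARKER in (part.get_payload(decode=True) or b"")
               for part in msg.walk())


def reassemble(fragments):
    """Rebuild the inner message from a complete fragment set (header merging omitted)."""
    infos = [partial_info(f) for f in fragments]
    if any(i is None or i["number"] is None for i in infos):
        raise ValueError("not a set of well-formed message/partial fragments")
    infos.sort(key=lambda i: i["number"])
    if (len({i["id"] for i in infos}) != 1
            or [i["number"] for i in infos] != list(range(1, len(infos) + 1))
            or infos[-1]["total"] != len(infos)):
        raise ValueError("incomplete or mixed fragment set")
    return "".join(i["body"] for i in infos)


def gateway_verdict(raw):
    """Policy from the post: refuse fragments instead of scanning them blind."""
    info = partial_info(raw)
    if info is not None:
        return f"hold: message/partial fragment {info['number']} of {info['total']}"
    return "reject: marker found" if scan(raw) else "deliver"


if __name__ == "__main__":
    whole = build_whole_message()
    pieces = fragment(whole, 400, "constructed-id@example.com")
    print("whole message:", gateway_verdict(whole))
    for piece in pieces:
        print("scan finds marker:", scan(piece), "|", gateway_verdict(piece))
    print("after reassembly:", gateway_verdict(reassemble(pieces)))
```

The attachment is only decodable once every fragment has arrived and been joined, which happens in the recipient's mail client, after the gateway has already passed each piece.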



RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

2007-10-05 Thread Andy Schmidt
Hi Kevin, thanks.

 

To save me and my customers frustration - is it limited to that one
vulnerability - or are others involved that I should disable proactively
(or reverse to the previous build)?

 

Best Regards,

Andy

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Bilbee
Sent: Friday, October 05, 2007 3:15 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for
vulnerabilties

 

I reported this to declude. They are working on it.

 

 

 

Kevin Bilbee

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
Sent: Thursday, October 04, 2007 6:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

 

Hi,

 

I put in 4.3.62 this afternoon (was running a different interim from a
few months ago). Since then I had numerous different clients reporting
clients with Outlook 'MIME segment in MIME postamble' Vulnerability.

 

Valid emails from Lotus Notes 6 with attachments were rejected (reproducible
at will), messages from Yahoo Webmail, etc.

 

If a change was made that triggers this test for major mailers, then it's
worthless because no one can keep it on!

 

 -Original Message Headers-
 Received: from web54307.mail.re2.yahoo.com [206.190.49.117] by
 Mail.Webhost.HM-Software.com
   (SMTPD-9.21) id A7D90348; Thu, 04 Oct 2007 18:23:21 -0400
 Received: (qmail 16141 invoked by uid 60001); 4 Oct 2007 22:23:21
 -
 X-YMail-OSG:
 gMjlzJ8VM1kitP0O1BmKwo27pVtlLBqWelr5JqstaE0yZq5YNhiYJacdUZWYkR9IjJ6G5P
 haJ4H_VqsBIIjZqitJIsJEP6cL7GEoJN4Oqb_aWbnemUc3IZbdqDlDjg--
 Received: from [69.147.97.215] by web54307.mail.re2.yahoo.com via
 HTTP; Thu, 04 Oct 2007 15:23:21 PDT
 X-Mailer: YahooMailRC/651.50 YahooMailWebService/0.7.134
 Date: Thu, 4 Oct 2007 15:23:21 -0700 (PDT)
 From: Dorene D Robinson [EMAIL PROTECTED]
 Subject: Fw: Our Virus Firewall has Rejected Your Email!
 To: Michael Page [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
 boundary=0-1745477977-1191536601=:15605
 Message-ID: [EMAIL PROTECTED]

 

 

 

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

2007-10-05 Thread Andy Schmidt
Hi Dave,

 

Well, I dropped in 4.3.62 in the afternoon and throughout the afternoon was
getting reports from people using VARIOUS email systems (not limited to
Yahoo's mail service), that just happened to be the one that I had at my
fingertips.

 

I can also say that it happened to people sending mail from Lotus Notes 6. I
worked with the Tech Guy at the client's client and he tried to send me
simple emails with a zip or PDF attachment and nothing got past 4.3.62.

 

File:   [No attachment]
Result: Found[Outlook 'MIME segment in MIME Postamble' Vulnerability]

-Original Message Headers-
Received: from DOMSVR1.L***.COM [***.26.122.219] by
Mail.Webhost.HM-Software.com with ESMTP
(SMTPD-9.21) id A46A0358; Thu, 04 Oct 2007 14:43:54 -0400
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Riverside Quote P/N: 147329
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.5 November 30, 2005
Message-ID:
[EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: Thu, 4 Oct 2007 13:43:36 -0500
X-MIMETrack: Serialize by Router on DOMSVR1/domino(Release 6.5.6|March 06,
2007) at 10/04/2007
13:43:38
Content-Type: multipart/mixed; boundary==_mixed 0066DE538625736A_= 




RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

2007-10-05 Thread Andy Schmidt
I did not have this problem with .57.  So we can rule out .46.

 

Sorry, jumped right from .57 to .62 - so can't say if it was introduced with
.59 already.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, October 05, 2007 10:49 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for
vulnerabilties

 

Ok, we are working on the issue, can you replicate it with an earlier
version of Declude like .46 or .59 ?




RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

2007-10-05 Thread Andy Schmidt
I have not reverted to .57, I have disabled this vulnerability in the
Virus.cfg for now to see what other issues I might uncover. (There was a
false positive reported last night for a different vulnerability for mail
sent by Netscape's mail applet, but I haven't firmed that one up yet).

 

If you like me to, I have an archive of held Postamble MIME files that are
LEGITIMATE (some of them are automatically created emails that our clients
used to get all the time) and zip them up to you? If so, which email do you
want me to use?

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, October 05, 2007 11:27 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for
vulnerabilties

 

Ok so if you revert to .57 the issue goes away correct.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
Sent: Friday, October 05, 2007 11:18 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for
vulnerabilties

 

I did not have this problem with .57.  So we can rule out .46.

 

Sorry, jumped right from .57 to .62 - so can't say if it was introduced with
.59 already.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, October 05, 2007 10:49 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for
vulnerabilties

 

Ok, we are working on the issue, can you replicate it with an earlier
version of Declude like .46 or .59 ?



RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

2007-10-05 Thread Andy Schmidt
Dave,

 

The Blank Folding Vulnerability is ALSO causing false positives (but not as
many as the Postamble one).

 

I'll send you ANOTHER email with Blank Folding false positives in about 5
minutes.

 

I have to back this release out - something majorly wrong with it.

 

Best Regards,

Andy

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
Sent: Thursday, October 04, 2007 9:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

 

Hi,

 

I put in 4.3.62 this afternoon (was running a different interim from a
few months ago). Since then I had numerous different clients reporting
clients with Outlook 'MIME segment in MIME postamble' Vulnerability.

 

Valid emails from Lotus Notes 6 with attachments were rejected (reproducible
at will), messages from Yahoo Webmail, etc.

 

If a change was made that triggers this test for major mailers, then it's
worthless because no one can keep it on!

 

 -Original Message Headers-
 Received: from web54307.mail.re2.yahoo.com [206.190.49.117] by
 Mail.Webhost.HM-Software.com
   (SMTPD-9.21) id A7D90348; Thu, 04 Oct 2007 18:23:21 -0400
 Received: (qmail 16141 invoked by uid 60001); 4 Oct 2007 22:23:21
 -
 X-YMail-OSG:
 gMjlzJ8VM1kitP0O1BmKwo27pVtlLBqWelr5JqstaE0yZq5YNhiYJacdUZWYkR9IjJ6G5P
 haJ4H_VqsBIIjZqitJIsJEP6cL7GEoJN4Oqb_aWbnemUc3IZbdqDlDjg--
 Received: from [69.147.97.215] by web54307.mail.re2.yahoo.com via
 HTTP; Thu, 04 Oct 2007 15:23:21 PDT
 X-Mailer: YahooMailRC/651.50 YahooMailWebService/0.7.134
 Date: Thu, 4 Oct 2007 15:23:21 -0700 (PDT)
 From: Dorene D Robinson [EMAIL PROTECTED]
 Subject: Fw: Our Virus Firewall has Rejected Your Email!
 To: Michael Page [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
 boundary=0-1745477977-1191536601=:15605
 Message-ID: [EMAIL PROTECTED]

 

 

 

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

2007-10-05 Thread Andy Schmidt
I reverted to .57 and had someone resend an email with Attachment from Lotus
Notes and this time it went through.

 

So - the answer is yes, the problem goes away with .57.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, October 05, 2007 11:27 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for
vulnerabilties

 

Ok so if you revert to .57 the issue goes away correct.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
Sent: Friday, October 05, 2007 11:18 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for
vulnerabilties

 

I did not have this problem with .57.  So we can rule out .46.

 

Sorry, jumped right from .57 to .62 - so can't say if it was introduced with
.59 already.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, October 05, 2007 10:49 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for
vulnerabilties

 

Ok, we are working on the issue, can you replicate it with an earlier
version of Declude like .46 or .59 ?



[Declude.Virus] Interim .62 triggered Blank Folding on this one and other emails

2007-10-05 Thread Andy Schmidt
Other emails from this same Thunderbird 2.0.0.6 user, using the same smtp
relays, were also blocked. 

 File:   [No attachment]
  Result: Found[Outlook 'Blank Folding' Vulnerability]


-Original Message Headers-
Received: from smtp.webhost.hm-software.com [63.107.174.32] by
hm-software.com with ESMTP
  (SMTPD-9.21) id ACE40380; Thu, 04 Oct 2007 22:09:40 -0400
Received: from s-utl02-dcpop.stsn.net ([72.255.0.202]) by
smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713);
 Thu, 4 Oct 2007 22:09:37 -0400
Received: from s-utl02-dcpop.stsn.net ([127.0.0.1])
 by s-utl02-dcpop.stsn.net (SMSSMTP 4.1.2.20) with SMTP id
M2007100422091506156
 ; Thu, 04 Oct 2007 22:09:15 -0400
X-Spam-Status: No, hits=0.0 required=9.9
tests=ALL_TRUSTED: -2.867,AWL: 0.172,BAYES_00: -1.665,
SARE_FREE_WEBM_Usa: 0.077
X-Spam-Level: 
Received: from [127.0.0.1] ([10.26.87.211])
by s-utl02-dcpop.stsn.net;
Thu, 4 Oct 2007 22:09:14 -0400
Message-ID: [EMAIL PROTECTED]
Date: Thu, 04 Oct 2007 22:08:59 -0400
From: David Moskowitz [EMAIL PROTECTED]
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To:  [EMAIL PROTECTED]
CC: Rich Levin [EMAIL PROTECTED]
Subject: firewall rejection of RBL mail
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 05 Oct 2007 02:09:37.0529 (UTC)
FILETIME=[C7E17E90:01C806F4]










[Declude.Virus] 4.3.62 countless false positives for vulnerabilties

2007-10-04 Thread Andy Schmidt
Hi,

 

I put in 4.3.62 this afternoon (was running a different interim from a
few months ago). Since then I had numerous different clients reporting
clients with Outlook 'MIME segment in MIME postamble' Vulnerability.

 

Valid emails from Lotus Notes 6 with attachments were rejected (reproducible
at will), messages from Yahoo Webmail, etc.

 

If a change was made that triggers this test for major mailers, then it's
worthless because no one can keep it on!

 

 -Original Message Headers-
 Received: from web54307.mail.re2.yahoo.com [206.190.49.117] by
 Mail.Webhost.HM-Software.com
   (SMTPD-9.21) id A7D90348; Thu, 04 Oct 2007 18:23:21 -0400
 Received: (qmail 16141 invoked by uid 60001); 4 Oct 2007 22:23:21
 -
 X-YMail-OSG:
 gMjlzJ8VM1kitP0O1BmKwo27pVtlLBqWelr5JqstaE0yZq5YNhiYJacdUZWYkR9IjJ6G5P
 haJ4H_VqsBIIjZqitJIsJEP6cL7GEoJN4Oqb_aWbnemUc3IZbdqDlDjg--
 Received: from [69.147.97.215] by web54307.mail.re2.yahoo.com via
 HTTP; Thu, 04 Oct 2007 15:23:21 PDT
 X-Mailer: YahooMailRC/651.50 YahooMailWebService/0.7.134
 Date: Thu, 4 Oct 2007 15:23:21 -0700 (PDT)
 From: Dorene D Robinson [EMAIL PROTECTED]
 Subject: Fw: Our Virus Firewall has Rejected Your Email!
 To: Michael Page [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
 boundary=0-1745477977-1191536601=:15605
 Message-ID: [EMAIL PROTECTED]

 

 

 

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 
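
An added example, not part of the thread and not Declude's implementation: a small checker that reports what sits in the preamble and epilogue (postamble) of each multipart layer, the two areas RFC 2046 tells receivers to ignore. What Declude's test actually matches is not stated in the thread; treating a declared boundary delimiter or a Content-* header line in those areas as a "MIME segment" is an assumption, the layer numbering is this example's own, and the sample messages are constructed.

```python
"""Report MIME-looking content in the preamble/epilogue of multipart entities."""
import re
from email import message_from_string

# Assumption: a Content-* header line in an ignored area counts as a "segment".
HEADER_RE = re.compile(r"^Content-(Type|Disposition|Transfer-Encoding)\s*:", re.I)

# Constructed sample: well-formed, with the usual harmless preamble text.
CLEAN = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="outer"\n'
    "\n"
    "This is a multi-part message in MIME format.\n"
    "--outer\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--outer--\n"
)

# Constructed sample: another part follows the closing delimiter. A strict
# parser files it under the epilogue; a lenient client may still process it.
EPILOGUE_SAMPLE = CLEAN + (
    "--outer\n"
    "Content-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "QUJD\n"
    "--outer--\n"
)

# Constructed sample: header-like lines in the preamble of a nested multipart.
NESTED_SAMPLE = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="outer"\n'
    "\n"
    "--outer\n"
    'Content-Type: multipart/alternative; boundary="inner"\n'
    "\n"
    "Content-Type: text/html\n"
    "\n"
    "<b>constructed</b>\n"
    "--inner\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--inner--\n"
    "--outer--\n"
)


def first_suspicious_line(text, boundaries):
    """Return the first line that looks like a delimiter or MIME header, else None."""
    for line in text.splitlines():
        if HEADER_RE.match(line):
            return line
        if any(line.startswith("--" + b) for b in boundaries):
            return line
    return None


def find_hidden_segments(raw):
    """Return (layer, area, offending line) for every flagged preamble/epilogue."""
    msg = message_from_string(raw)
    boundaries = {p.get_boundary() for p in msg.walk()
                  if p.is_multipart() and p.get_boundary()}
    findings = []

    def visit(part, layer):
        if not part.is_multipart():
            return
        for area in ("preamble", "epilogue"):
            text = getattr(part, area) or ""  # None when the area is absent
            line = first_suspicious_line(text, boundaries)
            if line is not None:
                findings.append((layer, area, line))
        for child in part.get_payload():
            visit(child, layer + 1)

    visit(msg, 1)  # layer 1 = the top-level message
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("epilogue", EPILOGUE_SAMPLE),
                         ("nested", NESTED_SAMPLE)):
        print(name, find_hidden_segments(sample))
```

Run against a held message file, the output names the layer and the exact line to show a sender; an empty list for a message the gateway rejected points at the gateway's test rather than the sender's mailer.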




RE: [Declude.Virus] Clam AV vs. AVG vs. McAfee

2007-03-06 Thread Andy Schmidt
That's my experience too. I update McAfee hourly - which helps with new
outbreaks. It's the last scanner in sequence and always manages to catch
viruses that the internal didn't. (Of course, I don't know if there are
viruses that the internal caught that McAfee might have missed.)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, March 06, 2007 10:45 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Clam AV vs. AVG vs. McAfee

 

Wolf,

 

I use McAfee, CLAM, Internal AVG, and at one time (before licensing changes)
F-Prot all at the same time.  If you have extra CPU there is no reason not
to use multiple scanners.  One thing though when I switched to processing AV
last I saw a dramatic drop in viruses due to them being caught as spam.
50-60K a month down to less than 2K.  FWIW - I have McAfee as my last
scanner and every now and then I see it grab a few viruses that the others
miss.


Darrell

 


Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
Integration, and Log Parsers.

- Original Message - 

From: Wolf Tombe mailto:[EMAIL PROTECTED]  

To: declude.virus@declude.com 

Sent: Tuesday, March 06, 2007 10:16 AM

Subject: [Declude.Virus] Clam AV vs. AVG vs. McAfee

 

The discussion on the current version of Clam AV and Clam being able to
detect some image spam got me thinking.  Prior to Declude version 4.0, I
always used McAfee AV to scan all incoming messages.  When I upgraded to
Declude 4 I decided to try its built-in AV which seems to work fine.  I'm
curious though as to the opinions of others on this list as to the merits of
using Clam or other anti-virus scanners either in place of the Declude built
in AV or in addition to it.

 

Any opinions people would like to share will be appreciated.

 

Thanks!

 

Wolf

 

 



RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

2007-01-04 Thread Andy Schmidt
So - shall we all call that emergency number and ask that he turn off his
vacation notice, or shall we just fake the return address and unsubscribe him
since the Declude staff is not taking action?

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Thursday, January 04, 2007 04:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] I'm currently on a business trip down south and
will be returning January 5th, 2007. If t

75 over 45 minutes.  Dumb...

Darin.


- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, January 04, 2007 4:12 PM
Subject: RE: [Declude.Virus] I'm currently on a business trip down south and
will be returning January 5th, 2007. If t


I think I received 36 of them.

Andrew.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of Craig Edmonds
 Sent: Thursday, January 04, 2007 12:55 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] I'm currently on a business trip
 down south and will be returning January 5th, 2007. If t
 Importance: High


 Is it me or did everyone get this autoresponder about 300 times?

 Kindest Regards
 Craig Edmonds
 123 Marbella Internet
 W: www.123marbella.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of roconnor
 Sent: Thursday, January 04, 2007 9:45 PM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] I'm currently on a business trip
 down south and will be returning January 5th, 2007. If t

 I'm currently on a business trip down south and will be
 returning January 5th, 2007. If this is an emergency please
 call our office at 360.527.9111

 Thanks,
 Rick





[Declude.Virus] Sender.eml was sent even though forging virus?

2006-12-13 Thread Andy Schmidt
Hi,

My sender.eml has the line:
SKIPIFFORGING

And my virus.CFG has:

AUTOFORGE   ON

FORGINGVIRUS Anonymous Driver
FORGINGVIRUS Antiman
FORGINGVIRUS Avril
FORGINGVIRUS Bagle

Yet, declude virus just sent the sender.eml for the following details:
 
  File:  Unknown File
  Result:FoundI-Worm/Bagle
  Message ID:[EMAIL PROTECTED]
  Our Domain:Schmidt.AS for Schmidt.AS
  Queue ID:  D324e0153b795.smd

Based on these headers:

-Original Message Headers-
Received: from [62.93.44.11] [62.93.44.11] by hm-software.com with ESMTP
  (SMTPD-9.10) id A24E331D0; Wed, 13 Dec 2006 12:03:10 -0500
Date: Wed, 13 Dec 2006 18:03:11 +0100
To: Andy [EMAIL PROTECTED]
From: Webmaster [EMAIL PROTECTED]
Subject: price 13-Dec-2006
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=oibzhbgyvnajpcxfwpdt








RE: [Declude.Virus] Sender.eml was sent even though forging virus?

2006-12-13 Thread Andy Schmidt
Oh?

I've never had the problem with my external McAfee scanner.

Could this be a problem with Declude's internal AVG scanner?

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Wednesday, December 13, 2006 01:11 PM
To: declude.virus@declude.com
Subject: re: [Declude.Virus] Sender.eml was sent even though forging virus?

I've seen similar behavior with viruses found by AVG.


 Original Message 
 From: Andy Schmidt [EMAIL PROTECTED]
 Sent: Wednesday, December 13, 2006 12:42 PM
 To: 'Declude Virus List' declude.virus@declude.com
 Subject: [Declude.Virus] Sender.eml was sent even though forging virus?
 
 Hi,
 
 My sender.eml has the line:
 SKIPIFFORGING
 
 And my virus.CFG has:
 
 AUTOFORGE ON
 
 FORGINGVIRUS Anonymous Driver
 FORGINGVIRUS Antiman
 FORGINGVIRUS  Avril
 FORGINGVIRUS  Bagle
 
 Yet, declude virus just sent the sender.eml for the following details:
  
   File:Unknown File
   Result:  FoundI-Worm/Bagle
   Message ID:[EMAIL PROTECTED]
   Our Domain:Schmidt.AS for Schmidt.AS
   Queue ID:  D324e0153b795.smd
 
 Based on these headers:
 
 -Original Message Headers-
 Received: from [62.93.44.11] [62.93.44.11] by hm-software.com with ESMTP
   (SMTPD-9.10) id A24E331D0; Wed, 13 Dec 2006 12:03:10 -0500
 Date: Wed, 13 Dec 2006 18:03:11 +0100
 To: Andy [EMAIL PROTECTED]
 From: Webmaster [EMAIL PROTECTED]
 Subject: price 13-Dec-2006
 Message-ID: [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
 boundary=oibzhbgyvnajpcxfwpdt
 
 
 
 
 



[Declude.Virus] AUTOFORGE

2006-10-27 Thread Andy Schmidt



Hi,

is this still being actively maintained?

If so, W32/Stration.dldr should be added as forging. Based on bounces that
I'm seeing (from inbound-only mailboxes on our domain) it is forging the
sender.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206




RE: [Declude.Virus] 4.2.20 Error in Log

2006-07-13 Thread Andy Schmidt
There is a parameter in the Virus.cfg to disable the internal scanner.  I
don't have it in front of me, but it was in the comments just below the
external virus sample.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Thursday, July 13, 2006 08:34 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] 4.2.20 Error in Log


Andy, 

Besides AVG I have 3 scanners: listed in order (F-Prot, Clam AV, McAfee). 

I do think it's an AVG issue like you suggested.  I am trying to find a way 
to disable the built-in AVG virus scanner to see if this message goes away. 

Darrell 

Andy Schmidt writes: 

 Do you have a second/external scanner defined?
 
 Maybe the internal scanner (AVG) deletes an attachment and then 
 Declude complains that it's gone when it tries to launch the secondary?
 
 Best Regards
 Andy Schmidt
 
 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206  
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darrell
 ([EMAIL PROTECTED])
 Sent: Wednesday, July 12, 2006 05:46 PM
 To: declude.virus@declude.com
 Cc: [EMAIL PROTECTED]
 Subject: [Declude.Virus] 4.2.20 Error in Log 
 
 
 Since upgrading to 4.2.20 I started seeing the following error:
 
 07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files
 were deleted.  You should not use an on-access virus scanner that scans the
 \IMail directory or sub-directories.07/12/2006 00:34:41.328
 
 This only happens when AVG catches a virus.  It did not get logged under 3.x
 version.  Nor do I have an On Access Virus Scanner.  Anyone else seeing
 this?
 
 Darrell
 
 See the log snippet below.
 
 07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
 07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
 07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
 07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
 07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
 07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
 07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
 07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
 07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
 07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
 07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
 07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
 
 Darrell
 
  ---
 Check out http://www.invariantsystems.com for utilities for Declude, 
 Imail,
 mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
 integration, MRTG Integration, and Log Parsers. 
 
 
 
 


 ---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.





[Declude.Virus] Ambiguous Virus Scanner ID in log

2006-07-12 Thread Andy Schmidt
Hi Dave,

My log indicates:

07/12/2006 17:34:20.625 q6ad4014a0137.smd Vulnerability flags = 0
07/12/2006 17:34:21.593 q6ad4014a0137.smd Virus scanner 1 reports exit code of 0

Which one is considered Virus scanner 1 - the INTERNAL (AVG) scanner that
comes with Declude 4.2.20 - or my EXTERNAL McAfee Scanner?

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 






[Declude.Virus] RE: Trying to install Declude 4.2.20

2006-07-12 Thread Andy Schmidt
 
Hi Dave,

Okay, then Declude's error message is misleading. Here is what I had done:

- I had defined McAfee as scanner 2, assuming that the internal was going
to be scanner 1.

- Based on your explanation, the internal scanner is scanner 0. So, in
effect, I had defined a scanner 2 without having any scanner 1 defined.

- The result of skipping a scanner number is this ambiguous error message:

Your virus scanner DOES NOT EXIST (at
C:\IMail\spool\proc\work\D65900~1.VIR\); 
NOT SCANNING ATTACHMENTS! [2] 
Error String: [The system cannot find the file specified.]

I fixed the problem by defining McAfee as Scanner 1 (by removing any
number behind the 3 parameters).


So - it seems as if this is a usability issue. Declude should not try to
start Scanner 1 if none has been defined - even if a higher scanner number
IS defined.  At least, it should indicate a meaningful configuration error,
such as "Scanner nnn not defined - this and all subsequent scanners are
skipped".


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, July 12, 2006 05:31 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Trying to install Declude 4.2.20

The built in scanner works as scanner 0 so that your scanner 1 and 2 would
be as it has always been.

If you are just running McAfee as you show try using:

SCANFILE    C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE
VIRUSCODE   13
REPORT      Found
 
I'm not sure what the  /LOAD D:\IMAIL\Declude\SCAN.CFG is used for ?

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
Sent: Wednesday, July 12, 2006 5:21 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Trying to install Declude 4.2.20

 
Hi Dave,

Okay - another try...

A) Is the built-in scanner considered the scanner #1 and any additional
scanners have to be set up as the #2 scanner, etc.?  Or are the external
scanners counting from 1?

B) I defined McAfee as the external scanner

SCANFILE2   C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD
D:\IMAIL\Declude\SCAN.CFG
VIRUSCODE2  13
REPORT2 Found

I copied and pasted the executable to the command line window to confirm that
it is being found:

D:\IMail>C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE
McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832  EVALUATION COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4804 created Jul 11 2006
Scanning for 200919 viruses, trojans and variants.

However, Declude reports:

07/12/2006 17:11:51.000 q6590017100aa.smd Vulnerability flags = 0
07/12/2006 17:11:51.484 q6590017100aa.smd Your virus scanner DOES NOT EXIST (at  C:\IMail\spool\proc\work\D65900~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.]
07/12/2006 17:11:51.500 q6590017100aa.smd Scanned: Error starting scanner


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.
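
The numbering problem worked out in this thread (external scanners count from 1, no suffix means scanner 1, and a skipped number ends in the "DOES NOT EXIST" error) can be caught before a restart with a small check. This is an added example, not Declude's own code or anything posted to the list; the function names, the `#` comment handling and the sample configurations are assumptions made for illustration.

```python
import re

# SCANFILE / VIRUSCODE / REPORT are the three per-scanner settings named in the
# thread. An optional numeric suffix selects the external scanner; no suffix
# means scanner 1. Scanner 0 is the built-in scanner and is not configured here.
DIRECTIVE = re.compile(r"^(SCANFILE|VIRUSCODE|REPORT)(\d*)\s+(.+)$", re.IGNORECASE)


def parse_scanners(cfg_text):
    """Group the per-scanner settings of a virus.cfg by scanner number."""
    scanners = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue  # unrelated settings such as AUTOFORGE or FORGINGVIRUS
        name, suffix, value = match.group(1).upper(), match.group(2), match.group(3)
        number = int(suffix) if suffix else 1
        entry = scanners.setdefault(number, {"SCANFILE": [], "VIRUSCODE": [], "REPORT": []})
        entry[name].append(value)
    return scanners


def scanner_executable(scanfile_value):
    """Return the program path from a SCANFILE value, without its switches."""
    value = scanfile_value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split()[0]


def lint_scanners(cfg_text, exists=None):
    """Return a list of findings; an empty list means nothing was flagged.

    exists: optional callable(path) -> bool (for example os.path.isfile) used
    to confirm that each scanner executable is present on this machine.
    """
    scanners = parse_scanners(cfg_text)
    findings = []
    if not scanners:
        return findings
    for number in range(1, max(scanners) + 1):
        if number not in scanners:
            later = ", ".join(str(n) for n in sorted(scanners) if n > number)
            findings.append(
                f"scanner {number} is not defined, but scanner(s) {later} are; "
                "number external scanners from 1 without gaps"
            )
            continue
        entry = scanners[number]
        if not entry["SCANFILE"]:
            findings.append(f"scanner {number} has settings but no SCANFILE line")
            continue
        if len(entry["SCANFILE"]) > 1:
            findings.append(f"scanner {number} has more than one SCANFILE line")
        program = scanner_executable(entry["SCANFILE"][0])
        if exists is not None and not exists(program):
            findings.append(f"scanner {number}: executable not found: {program}")
    return findings


# Constructed samples modelled on the settings quoted in the thread.
SKIPPED_SLOT_CFG = r"""
AUTOFORGE   ON
SCANFILE2   C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD D:\IMAIL\Declude\SCAN.CFG
VIRUSCODE2  13
REPORT2     Found
"""

CONTIGUOUS_CFG = r"""
SCANFILE    C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE
VIRUSCODE   13
REPORT      Found
"""

if __name__ == "__main__":
    for label, cfg in (("skipped slot", SKIPPED_SLOT_CFG), ("contiguous", CONTIGUOUS_CFG)):
        print(label, "->", lint_scanners(cfg) or "no findings")
```

Passing `exists=os.path.isfile` on the mail server itself adds the same check Andy did by hand when he pasted the executable path into a command window.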






RE: [Declude.Virus] 4.2.20 Error in Log

2006-07-12 Thread Andy Schmidt
Do you have a second/external scanner defined?

Maybe the internal scanner (AVG) deletes an attachment and then Declude
complains that it's gone when it tries to launch the secondary?

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Wednesday, July 12, 2006 05:46 PM
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.Virus] 4.2.20 Error in Log


Since upgrading to 4.2.20 I started seeing the following error: 

07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files 
were deleted.  You should not use an on-access virus scanner that scans the 
\IMail directory or sub-directories.07/12/2006 00:34:41.328 

This only happens when AVG catches a virus.  It did not get logged under 3.x
version.  Nor do I have an On Access Virus Scanner.  Anyone else seeing 
this? 

Darrell 

See the log snippet below. 

07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the \IMail directory or sub-directories. 

Darrell 

 ---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.





RE: [Declude.Virus] language specific messages

2006-02-23 Thread Andy Schmidt
Example attached (sorry, German/English in this case).

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 02:12 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

You could always put the English and Spanish messages into the same
recip.eml file. I see a lot of that type of thing up here in Canada except
it is English and French.

Goran Jovanovic
Omega Network Solutions

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
 [EMAIL PROTECTED] On Behalf Of Gary Steiner
 Sent: Thursday, February 23, 2006 2:04 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] language specific messages
 
 Can the following be done in Declude EVA?
 
 I have customers who are English speakers, and customers who are Spanish
 speakers.  When a customer is sent a virus, they receive a message
 telling them about the virus (recip.eml).  I want to be able to have a
 different message sent to each of my domains depending on the language of
 the customer (recip-en.eml and recip-es.eml).  I believe this can be done
 in Junkmail, but can it be done in EVA?
 
 Thanks,
 
 Gary Steiner
 
 
 
 ---
 [This E-mail was scanned for viruses by Declude EVA www.declude.com]
 
From: [EMAIL PROTECTED]
To: %MAILFROM%
Subject: Mail Delivery Alert

ENGLISH - See Below!
DEUTSCH - Siehe unten!

ENGLISH:


Argos Networks' Firewall has tripped an alert while inspecting a message sent 
by %MAILFROM% to:
 
  %ALLRECIPS%.

Your message originated at a mail server, which does not have a proper reverse 
lookup DNS entry. Anonymous mail servers are a common source of unsolicited 
email (SPAM), viruses and other cyber-attacks.  In case your message was 
legitimate, we are including technical information that will assist your ISP 
with addressing their problem.

  Sender's Domain:  %REMOTEHOST%
  More Info:        http://www.dnsstuff.com/tools/ptr.ch?ip=%REMOTEIP%
                    http://www.samspade.org/t/dns?a=%REMOTEIP%

  Message ID:       %MSGID%
  Queue ID:         %QUEUENAME% on %RECIPHOST%

This time, your message was still forwarded to the recipient.  However, it is 
important that you contact your Internet provider or mail administrator and ask 
them to correct the mail server setup.

We apologize for your inconvenience, but resources and productivity lost to 
unsolicited email messages, viruses and other cyber-attacks require us to check 
for messages from suspect sources.

For security reasons, you cannot respond to this email directly.  If you need 
to contact us, please compose a new message addressed to [EMAIL PROTECTED]

Sincerely,
Argos Networks
http://www.Argos.net/


DEUTSCH:


Die Firewall von Argos Networks hat eine Warnung ausgeloest. Das betroffene 
Email kam von %MAILFROM% und war addressiert an:
 
  %ALLRECIPS%.

Ihr Email kam von einem Mail Server, der keinen gueltigen Reverse Lookup DNS 
Eintrag hat. Solche anonymem Mail Server sind haeufig der Ursprung von 
unerwuneschten Massen-Emails (SPAM), Viren und anderen Cyber-Attacken. Fuer 
den Fall, dass Ihre Meldung legitim war, koennen Sie die folgenden technischen 
Informationen and Ihren Internet-Anbieter mit der Bitte um Korrektur 
weitergeben.

  Sendende Domaine:  %REMOTEHOST%
  Details:   http://www.dnsstuff.com/tools/ptr.ch?ip=%REMOTEIP%
 http://www.samspade.org/t/dns?a=%REMOTEIP%

  Message ID:%MSGID%
  Queue ID:  %QUEUENAME% auf %RECIPHOST%

Ihr Email wurde dieses mal noch an den Empfaenger weitergeleitet. Es ist jedoch 
wichtig, dass Sie Ihren Internetanbieter oder Email Administrator kontaktieren, 
damit das Problem in Ihrem Mail Server abgestellt wird.

Wir bedauern diese Unannehmlichkeit, aber der Verlust von Ressourcen und 
Produktivitaet durch unerwuenschte Massen-Emails, Viren und andere 
Cyber-Attacken machen es notwendig, dass wir alle Emails auf legitime Herkunft 
pruefen.

Aus Sicherheitsgruenden koennen Sie nicht direkt auf diese Benachrichtigung 
antworten. Um uns zu erreichen, erstellen Sie bitte ein neues Email an [EMAIL 
PROTECTED]

Mit fruendlchem Gruss
Argos Networks
http://www.Argos.net/


-Original Message-
%FULLMSG%


RE: [Declude.Virus] language specific messages

2006-02-23 Thread Andy Schmidt
Hi,

I kill most of the incoming mail (with help of Sniffer).

I've never seen a complaint by an innocent user, but occasionally educate a
corporate end user or manager about the incompetence of his/her I/S
department.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 02:43 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Andrew,

Do you do anything to decrease the chance of the alert message going out to
real spammers or forged addresses? 

This would get sent out to e-mail that failed REVDNS and were not deleted as
SPAM?

Goran Jovanovic
Omega Network Solutions

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
 [EMAIL PROTECTED] On Behalf Of Andy Schmidt
 Sent: Thursday, February 23, 2006 2:35 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] language specific messages
 
 Example attached (sorry, German/English in this case).
 
 Best Regards
 Andy Schmidt
 
 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Thursday, February 23, 2006 02:12 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] language specific messages
 
 You could always put the English and Spanish messages into the same 
 recip.eml file. I see a lot of that type of thing up here in Canada
except
 it is English and French.
 
 Goran Jovanovic
 Omega Network Solutions
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
  [EMAIL PROTECTED] On Behalf Of Gary Steiner
  Sent: Thursday, February 23, 2006 2:04 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] language specific messages
 
  Can the following be done in Declude EVA?
 
  I have customers who are English speakers, and customers who are Spanish
  speakers.  When a customer is sent a virus, they receive a message
  telling them about the virus (recip.eml).  I want to be able to have a
  different message sent to each of my domains depending on the language of
  the customer (recip-en.eml and recip-es.eml).  I believe this can be done
  in Junkmail, but can it be done in EVA?
 
  Thanks,
 
  Gary Steiner
 
 
 


RE: [Declude.Virus] Changes @ Declude

2006-02-12 Thread Andy Schmidt
Clear enough for me.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Barry Simpson
Sent: Sunday, February 12, 2006 03:26 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Changes @ Declude


All existing customers who choose to move to Version 4 will continue to pay
Service Agreements. If they opt not to pay for the Service Agreement the
software will continue to operate.

Barry

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Sunday, February 12, 2006 3:01 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Changes @ Declude

I noticed looking at my account that my version 4 license states Declude
Imail Perpetual License

Since v4 is the Subscription model. If we are customers running on the
Maintenance model and we decide to not renew maintenance and have upgraded
to version 4 will version 4 ever stop functioning for us?


Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Barry Simpson
 Sent: Sunday, February 12, 2006 7:22 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Changes @ Declude
 
 
 Darin,
 
 You are asking a question that I don't have an answer to at
 this moment. When the time arrives we will make a business 
 decision that will be in the best interests of both our 
 customers and ourselves. This is not a decision that will be 
 made lightly or in the near future.
 
 We will not just announce one week that the next week we will
 be discontinuing support for V3. We will ensure that all 
 customers have an upgrade path of one form or another.
 
 No customer needs to be concerned at this time that we are
 going to abandon them, that is not the way we do business.
 
 Barry
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
 Sent: Sunday, February 12, 2006 10:04 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Changes @ Declude
 
 So what will happen to customers on SAs at that time?  See
 why we're asking the questions?
 
 Darin.
 
 
 - Original Message -
 From: Barry Simpson [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Sunday, February 12, 2006 9:58 AM
 Subject: RE: [Declude.Virus] Changes @ Declude
 
 
 Don,
 
 You are correct, it would be better to have only one product
 and that is why we are making the offer to customers to move 
 to the highest level of the software at special pricing.
 
 We also recognize that some customers don't want to do that
 so for the foreseeable future we are maintaining the two code bases.
 
 We are not going to force customers to move. At some point in
 the future V3 will go onto maintenance but that date has not 
 yet been decided.
 
 Barry
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
 Sent: Sunday, February 12, 2006 9:47 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Changes @ Declude
 
 Friday, February 10, 2006, 3:20:03 PM, Kevin Bilbee
 [EMAIL PROTECTED] wrote:
 KB [Snip]
 KB
 KB On the buying issue what do you get, the two products will be kept
 KB in parity feature wise.
 KB
 KB Kevin Bilbee
 KB
 KB [Snip]
 
 If that is truly the case, then it makes sense to have only
 one version, 4.0.  Then, the only difference will be that 
 some customers are on an annual maint agreement and others 
 pay an annual subscription.
 
 
 
 Don Brown - Dallas, Texas USA Internet Concepts, Inc.
 [EMAIL PROTECTED]   http://www.inetconcepts.net
 (972) 788-2364Fax: (972) 788-5049
 
 

RE: [Declude.Virus] Changes @ Declude

2006-02-10 Thread Andy Schmidt



Has anyone figured out yet WHAT exactly Declude 4.0 IS?

I'm looking around on the web site (figured, it's been days since I received
the notice that it's available), but I still haven't seen anything on the web
site that tells me what my extra money would be buying - or, what it is I'd
be missing out on if I don't buy?

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, February 10, 2006 01:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Changes @ Declude

In the last 10 days we have received a number of inquiries to the email sent
to every customer explaining the changes that are happening here at Declude.
To summarize the answers to those questions:

* No existing customer is required to move to the new annual pricing.
* Our current customers can continue to pay the annual Service Agreements.
* No customer is required to move to 4.0

Over and above that we are continuing to enhance and support both 3.0 and 4.0
and we have provided great deals for customers wishing to move to the 4.0
version and also committed to keeping them on Service Agreements.

I have responded to each and every customer who has contacted me since the
email was sent out and if any one has any further questions they can contact
me either by email or telephone (978) 499-2933.

Barry


RE: [Declude.Virus] Changes @ Declude

2006-02-10 Thread Andy Schmidt



Hi Kevin,

I understand what you're saying - you believe Declude 4.0 is really just a
"Declude 3.x Suite" vs. the Declude 3.x "legacy products". New customers can
only purchase the Suite, while old customers will continue to upgrade their
individual products. The code base is the same.

In that case, the confusion stems from using a "version numbering" scheme,
instead of using a proper "packaging" scheme.

This would be comparable to what IpSwitch did eventually. New customers have
to buy the bloated Imail suite, while existing customers can continue to buy
service agreements for the Imail mail server product.

Let's see if Declude can confirm your understanding.

Then we'll just have to find out what the "subscription" is. Is it a "service
agreement subscription" (where you can continue to use the existing product
version, even if the subscription is not renewed), or if it is a "license
subscription" (where your license terminates if you fail to renew at some
point).

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Friday, February 10, 2006 04:20 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Changes @ Declude

Declude 4.x is all the products in one with a common license key and are
not separable.

On the buying issue what do you get, the two products will be kept in parity
feature wise.


Kevin Bilbee

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
  Sent: Friday, February 10, 2006 11:02 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Changes @ Declude
  Importance: High

  Has anyone figured out yet WHAT exactly Declude 4.0 IS?

  I'm looking around on the web site (figured, it's been days since I received
  the notice that it's available), but I still haven't seen anything on the
  web site that tells me what my extra money would be buying - or, what it is
  I'd be missing out on if I don't buy?

  Best Regards
  Andy Schmidt

  Phone: +1 201 934-3414 x20 (Business)
  Fax: +1 201 934-9206
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, February 10, 2006 01:47 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] Changes @ Declude


  In the last 10 days we have received a number of inquiries to the email sent
  to every customer explaining the changes that are happening here at Declude.
  To summarize the answers to those questions:

  * No existing customer is required to move to the new annual pricing.
  * Our current customers can continue to pay the annual Service Agreements.
  * No customer is required to move to 4.0

  Over and above that we are continuing to enhance and support both 3.0 and
  4.0 and we have provided great deals for customers wishing to move to the
  4.0 version and also committed to keeping them on Service Agreements.

  I have responded to each and every customer who has contacted me since the
  email was sent out and if anyone has any further questions they can contact
  me either by email or telephone (978) 499-2933.
  
  Barry


[Declude.Virus] Hardware Issue -- NOT!

2005-12-26 Thread Andy Schmidt



Hi David:

Thanks for acknowledging the hardware problem.

However, I don't think anyone here really would be too upset about hardware
problems on your end - if it didn't uncover what appears to be a HUGE software
problem? It's the Declude SOFTWARE that deactivates/downgrades itself, if we
are to trust the reports of those who suffered the outcome!?

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha
Sent: Monday, December 26, 2005 12:29 PM
To: Declude.JunkMail@declude.com
Cc: Declude.Virus@declude.com
Subject: [Declude.Virus] Hardware Issue

Due to the long holiday weekend, we have been away from the office for a few
days. Unfortunately it has come to our attention that there could be a problem
with key validation on the server there. After some testing, we have
determined that there is in fact a hardware issue that we expect to have
resolved today.

We appreciate that you have taken the time to bring this matter to our
attention and appreciate your patience while we rectify the situation. We will
once again post to this list when the issue has been corrected.

Declude Technical / Engineering



[Declude.Virus] FW: AVERT Medium Threat Advisory: W32/[EMAIL PROTECTED]

2005-10-05 Thread Andy Schmidt
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Subject: AVERT Medium Threat Advisory: W32/[EMAIL PROTECTED]

Advisory
This is a Medium Threat Advisory for W32/[EMAIL PROTECTED]

Justification
W32/[EMAIL PROTECTED] has been deemed Medium due to prevalence.

Read About It
Information about W32/[EMAIL PROTECTED] is located on VIL at:
http://vil.nai.com/vil/content/v_136390.htm

Detection
W32/[EMAIL PROTECTED] was first discovered on October 5, 2005 and detection
will be added to the 4598 dat files (Release Date: October 5, 2005).  The
EXTRA.DAT IS AVAILABLE.

If you suspect you have W32/[EMAIL PROTECTED], please submit a sample to
http://www.webimmune.net.

Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended Actions
please see: 
http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm

Best Regards, 

McAfee AVERT - Anti Virus and Vulnerability Research, Analysis, and
Solutions visit us at www.avertlabs.com

You are currently subscribed to avertalert as: [EMAIL PROTECTED]
To unsubscribe send a blank email to
[EMAIL PROTECTED]



RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-23 Thread Andy Schmidt
Hi Nick:

I'm only repeating what I'm told - I don't have factual information on my
own.

There have been several reports on this list that describe the following
problem with dual-processor systems:

Declude is supposed to check the /proc folder and ONLY go to sleep (for 30
seconds), if the folder contains no messages. On systems that have that
problem, Declude goes to sleep even though there ARE messages to process.

The result is, that messages are queuing up and never get processed.

There is a parameter to set the sleep time low (e.g. 1 second), this way,
the effect of the problem is less - but now Declude doesn't go to sleep when
it actually could - with a possible impact on resource consumption.


(Of course, the question is why this appears to be related to dual-processor
systems.  Maybe one process still has an access lock against the first file
in the proc folder and another process doesn't handle that error condition
right - who knows.)




Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Friday, September 23, 2005 08:15 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted


Hi Andy,

Andy Schmidt wrote:

Thanks Bill.  I had gotten the impression as if everyone with 
dual-processor system was reporting this and that people were still 
seeing it with the latest version.
  

If you will, would you let me know more about this issue? I haven't been 
following exactly so I do not know what I should be looking for  :) I have
3.0.4.4 running on my quad processor [with hyper threading] box 
without any problems - at least as far as I can tell. If I'm missing 
something I will revert back to 2.0.6.16 in a heartbeat!

-Nick

  



RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-22 Thread Andy Schmidt
Hi David,

I can't help but ask...

You are proposing options that will help with the dual processor issue.
But, are you REPRODUCING the issue and fixing it? I understand that the
problem is that the service goes to sleep for 30 seconds, even though there
are messages in the PROC folder. Clearly that should not happen.  Changing
the timings will only create a trade-off by consuming extra
machine-resources.

Even on a dual-processor system should the service be able to determine
reliably if a folder has content or not?  

I'm just worried that the beta is declared successful when an entire class
of machines is only working with a bandage.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 12:28 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

Yes, these are to help adjust for timing with Dual-proc

Different systems / configuration respond differently to these settings.  

In particular they are to fine tune through-put with CPU utilization.

1. SLOW server that is heavily loaded 

You may want to try to increase WAITBETWEENTHREADS and lower THREADS.

2. FAST server
Use the THREADS and WAITFORTHREADS to adjust the CPU utilization.

When decludeproc first starts up it will use a lot of the CPU but after that
the %CPU used by decludeproc should come way down. 

The %CPU of all processes running may be high depending on external tests,
other processes, etc.  If the system is spiking but coming down quickly
that's good.

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Thursday, September 22, 2005 12:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

David,
Are these to be used to correct issues with Dual-proc, or is that
still an ongoing issue still being looked at?  Thanks for the time.

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 11:41 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Declude Beta 3.0.4.4 Posted


2 new Directives

WAITFORTHREADS  1500
Located in the Declude.cfg - Defined in milliseconds e.g. 1500 = 1.5 seconds
this can be changed so that when the maximum threads are in use this time
specifies the wait before checking to launch more threads.  

WAITBETWEENTHREADS 1
Located in the Declude.cfg - Defined in milliseconds e.g. 1 = 1 millisecond
The time to wait between spawning one thread and starting to process another
thread.

David B
www.declude.com



RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-22 Thread Andy Schmidt
Thanks Bill.  I had gotten the impression as if everyone with dual-processor
system was reporting this and that people were still seeing it with the
latest version.

I have so far not installed the beta, because of those issues - I just don't
have a single-processor system to use and was waiting for a beta that
addressed this problem.  (My feeling was, nothing is gained by briefly
installing a system if it's already known not to function on my
environment).

If you're saying that the dual-processor problem only appears for selected
systems and rather the exception than the rule, then I might give it a try to
see if I get lucky.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
Sent: Thursday, September 22, 2005 08:44 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted


Hi Andy,

The directives are for tuning both single and multiprocessor systems.  They
are not meant as a tradeoff.  Some multiprocessor systems do not exhibit the
reported sleep for 30 seconds behavior.  We have not been able to reproduce
it ourselves.  This doesn't mean that we do not take it seriously nor does
it mean that we have given up.  I picked up another dual processor machine
tonight and tomorrow we will attempt to reproduce the reported behavior on
it.  It's hard to fix something that we can't reproduce but we will keep
trying.  It's not even clear to me that this problem still exists in the
latest version.  But until the issue is resolved I can assure you we will
not give up.  If you are having this or any other problems please send us
your configuration files along with system specs and log files, debug level
is best.

The beta is a success thanks to our customers and we do appreciate your
efforts.  We set out to fix the 8.2 issues.  We have accomplished that and
fixed some other stuff along the way.  The product will not ship bug free.
But I do assure you that we will prioritize and address every issue that we
know of.

Once we have this baseline release, along with fixing bugs we plan on
implementing some cool new stuff that you guys have asked for. 

It's precisely because this is a wonderfully active and sharing community
that Declude is the premier email vulnerability software solution.  Let's
keep the dialog, observations, and ideas flowing and I promise that Declude
will become even better.

All the best,
Bill

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, September 22, 2005 7:56 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

Hi David,

I can't help but ask...

You are proposing options that will help with the dual processor issue.
But, are you REPRODUCING the issue and fixing it? I understand that the
problem is that the service goes to sleep for 30 seconds, even though there
are messages in the PROC folder. Clearly that should not happen.  Changing
the timings will only create a trade-off by consuming extra
machine-resources.

Even on a dual-processor system should the service be able to determine
reliably if a folder has content or not?  

I'm just worried that the beta is declared successful when an entire class
of machines is only working with a bandage.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 12:28 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

Yes, these are to help adjust for timing with Dual-proc

Different systems / configuration respond differently to these settings.  

In particular they are to fine tune through-put with CPU utilization.

1. SLOW server that is heavily loaded 

You may want to try to increase WAITBETWEENTHREADS and lower THREADS.

2. FAST server
Use the THREADS and WAITFORTHREADS to adjust the CPU utilization.

When decludeproc first starts up it will use a lot of the CPU but after that
the %CPU used by decludeproc should come way down. 

The %CPU of all processes running may be high depending on external tests,
other processes, etc.  If the system is spiking but coming down quickly
that's good.

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Thursday, September 22, 2005 12:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

David,
Are these to be used to correct issues with Dual-proc, or is that
still an ongoing issue still being looked at?  Thanks for the time.

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 11:41 AM
To: Declude.JunkMail

RE: [Declude.Virus] Sudden Internet Slowdown

2005-09-09 Thread Andy Schmidt
Can you wait 7 minutes?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Friday, September 09, 2005 02:09 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sudden Internet Slowdown

Since when is Maine no longer in the Atlantic time zone? How come I did not
get the notice?

I never get the notices!

Has any one informed the president?

John T
eServices For You

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Limit Size of message to be scanned?

2005-07-08 Thread Andy Schmidt



How do you prevent DoS attacks by someone sending a 405 MB attachment 100
times to a list of 10 cc's over a weekend, when it's likely not to be read?

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, July 08, 2005 03:19 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Limit Size of message to be scanned?

have had one with 405 MB last week.
The entire Declude system has scanned and checked it (it was held due to
several suspicious files in the archive).
Only the vbscript that should move the hold message file has created some
problems +800 MB of memory usage and some read-errors in the declude logfile.
Some further messages were not scanned.

Markus


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
  Sent: Friday, July 08, 2005 9:05 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Limit Size of message to be scanned?

  50 MB e-mail attachments?

  Youch!

  John T
  eServices For You

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
  Sent: Thursday, July 07, 2005 8:36 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] Limit Size of message to be scanned?

  Hello All,

  Is there a way to limit the size of the message that Declude/F-Prot can
  scan? We have some customers that are sending 50+ meg files and it is
  causing our servers to have major issues. Is there a setting to say skip
  anything over a certain size? Either in F-Prot or Declude?

  We fixed it currently by setting it to OFF for certain domains, but really
  want to ban extensions and vulnerabilities for those domains.

  Thanks,
  Grant Griffith
  EI8HTLEGS, A Division of ETC
  (812)932-1000
  


RE: [Declude.Virus] .EML file syntax

2005-06-01 Thread Andy Schmidt



Uh - thanks - got it. Now that I read how you phrased the question I see how
the original poster meant it.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
Sent: Wednesday, June 01, 2005 09:54 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] .EML file syntax

No one seems to actually be reading the OP. He doesn't want to do anything
with any BCC's in incoming mail. All he wants to be able to do is BCC the
virus notifications to himself. Declude has a set of .eml files that it sends
out when a virus is found (postmaster, otherpostmaster, etc). In that file,
you specify who gets the email by putting in a TO: line at the top. He was
simply asking if that file could use a BCC: line as well.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
  Sent: Wednesday, June 01, 2005 12:22 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] .EML file syntax

  Hi Goran:

  The "cc:" information is part of the (spoofable) SMTP header - the "bcc:" is
  not ANYWHERE.

  The only entity that knows about the "bcc"s is the sending mail server, it
  will simply distribute the message to anyone in the bcc and cc header. To
  each BCC or CC recipient's server it will look like a message that was
  addressed from one third party to another third party - they will not see
  the BCC information.

  While the "cc:" (but not bcc) information can be found in the SMTP header in
  the receiving server (and thus Declude) there is no way to say whether that
  header is "true" or spoofed (although there is little motivation to spoof
  that header, that I can think of).

  There simply is no way on earth for anything beyond the sending mail server
  to do anything with BCCs since the information simply is omitted and thus
  not available. Therefore, there is no reason to believe that it will (or
  could) ever be added to a future Declude version.

  Best Regards
  Andy Schmidt

  Phone: +1 201 934-3414 x20 (Business)
  Fax: +1 201 934-9206
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, May 31, 2005 09:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you
want) but can you also put in a CC or better yet a BCC? I have not found
anything in the 2.0.6 manual.


Thanx


Goran Jovanovic
The LAN Shoppe


[Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Andy Schmidt
Hi,

Enclosed a notice for the MS05-16 Exploit.

For the record:
I'm actually in favor of using STRICT interpretation of vulnerabilities - no
matter how seldom one might actually occur.  Whether a violation of
standards is due to an actual virus - or just a poor mass-mailer
application, I gladly use the reason of vulnerability of a potential virus
to reject these messages early.

As far as some features suggested here:

- I do agree that it might be helpful for some people not to scan for
viruses, if a vulnerability is found (to conserve CPU).

- I do agree that there is little reason (other than statistics) to run the
second scanner after the first scanner already found a virus. 

- I do agree that it is desirable for some people, if there was an option
that would delete vulnerabilities rather than isolate them in the Virus
folder.

- I do NOT agree that Declude should NOT detect certain vulnerabilities, just
because they only occur very rarely.


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


 -Original Message-
 From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
 Sent: Sunday, May 29, 2005 9:31 AM
 To: Bugtraq@securityfocus.com
 Subject: Spam exploiting MS05-016
 

Yesterday at least two of my spam-traps received the following message 
(I've elided the MIME boundary values just in case...):

   Subject: We make a business offer to you
   MIME-Version: 1.0
   Content-type: multipart/mixed;
   boundary=[...]

   [...]
   Content-Type: text/plain;
   charset=Windows-1252
   Content-Transfer-Encoding: 8bit

   Hello!  It is not spam, so don't delete this message.
   We have a business offer to you.
   Read our offer.
   You can increase the business in 1,5 times.
   We hope you do not miss this information.


   Best regards, Keith

   [...]
   Content-type: application/octet-stream;
   name=agreement.zip
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment;
   filename=agreement.zip

   encoded ZIP file data

There are a few trivial differences between the messages to the 
different addresses I checked, so don't anyone try to turn the above 
into a totally literal filtering rule...

Anyway, the agreement.zip attachment held only one file, apparently 
called agreement.txt, but on closer inspection it turned out the file 
was called agreement.txt  where the apparent trailing space was 
actually a 0xFF character.  This pseudo-TXT file was, in fact, an 
OLE2 format file (originally a Word document file) with the OLE2 Root 
Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA). 
This was all done as per the description in the iDEFENSE advisory 
announcing this vulnerability:

   http://www.idefense.com/application/poi/display?id=231type=vulns

This pseudo-TXT file is an example of what is produced by the PoC 
generator posted to Bugtraq.  Oddly, that message is not archived in 
SecurityFocus' own mailing list archives, but its PoC code is listed 
with the vulnerability's BID entry:

   http://www.securityfocus.com/bid/13132/info/

That PoC may be identified from the comment at the top of its code:

   MS05-016 POC
   Made By ZwelL
   [EMAIL PROTECTED]
   2005.4.13

Anyway, the agreement.txt  file contained a script to write a text 
file with commands and responses for use with the Windows ftp client 
via its -s option and further commands to run ftp with those scripted 
commands and then to run the executable that ftp script would cause to 
be downloaded from a Russian web site.  At the time of writing, that 
site is still up and the executable that is downloaded (a backdoor) is 
the same one that was there when the spam was first seen.

If you haven't installed the MS05-016 Windows Shell patch yet:

   http://www.microsoft.com/technet/security/bulletin/ms05-016.mspx

or at least taken reasonable precautions to defang possible 
exploitation of this vulnerability (particularly through MSHTA), it 
would be advisable to do so now.  When initially discovered, only two 
of more than 20 tested virus scanning engines detected the exploit in 
agreement.txt .  Since alerting the antivirus developer community of 
the field discovery of this exploit, a couple more big name scanners 
have added a degree of detection for this exploit, and I expect that 
number to grow as the new week dawns and new updates are pushed to 
customers.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
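
The two properties described in the forwarded post (a member name that ends in a character displayed as a space, and OLE2 content behind a .txt name) can be checked on the archive before it is delivered. The following Python is an added example, not code from the original post or from Declude; the function names, the extension list and both sample archives are constructed here, and the "document" is only the OLE2 signature followed by zero bytes.

```python
import io
import os
import unicodedata
import zipfile

# First eight bytes of every OLE2 compound file (legacy Word/Excel documents).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Assumption: extensions under which OLE2 content is expected at this site.
OLE2_EXTENSIONS = {".doc", ".xls", ".ppt", ".msi", ".msg"}


def split_hidden_tail(name):
    """Split a member name into (visible part, trailing invisible characters).

    Unicode categories Z* (separators) and C* (control/format) cover spaces,
    NBSP, NUL and similar characters that a file listing shows as blank.
    """
    end = len(name)
    while end and unicodedata.category(name[end - 1])[0] in "ZC":
        end -= 1
    return name[:end], name[end:]


def inspect_zip(zip_bytes):
    """Return one finding per archive member that looks disguised."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            visible, tail = split_hidden_tail(info.filename)
            reasons = []
            if tail:
                reasons.append("hidden-trailing-characters")
            # Only the signature is read, so member size does not matter here.
            with archive.open(info) as member:
                head = member.read(len(OLE2_MAGIC))
            extension = os.path.splitext(visible)[1].lower()
            if head == OLE2_MAGIC and extension not in OLE2_EXTENSIONS:
                reasons.append("ole2-content-under-other-extension")
            if reasons:
                findings.append({
                    "visible": visible,
                    "tail": [f"U+{ord(ch):04X}" for ch in tail],
                    "reasons": reasons,
                })
    return findings


def build_zip(members, rename=None):
    """Build a constructed test archive; `rename` patches raw name bytes."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_STORED) as archive:
        for name, data in members:
            archive.writestr(name, data)
    raw = buffer.getvalue()
    if rename:
        # zipfile only writes ASCII or UTF-8 names, so the raw 0xFF byte is
        # patched into the local header and central directory afterwards.
        raw = raw.replace(rename[0], rename[1])
    return raw


INERT_OLE2 = OLE2_MAGIC + b"\x00" * 504   # constructed: signature plus padding

# Constructed sample shaped like the attachment in the post: "agreement.txt"
# followed by a single 0xFF byte, with OLE2 content. zipfile decodes legacy
# names as CP437, where 0xFF is U+00A0 (no-break space).
SUSPECT_ZIP = build_zip([("agreement.txt~", INERT_OLE2)],
                        rename=(b"agreement.txt~", b"agreement.txt\xff"))
# Constructed benign archive: real text, and OLE2 under an expected extension.
CLEAN_ZIP = build_zip([("notes.txt", b"plain text\n"),
                       ("report.doc", INERT_OLE2)])

if __name__ == "__main__":
    for finding in inspect_zip(SUSPECT_ZIP):
        print(finding)
    print("clean archive findings:", inspect_zip(CLEAN_ZIP))
```

Either reason alone is worth holding a message for; the name check does not depend on the payload, so it also catches variants that carry something other than an OLE2 file.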




RE: [Declude.Virus] .EML file syntax

2005-05-31 Thread Andy Schmidt



Hi Goran:

The "cc:" information is part of the (spoofable) SMTP header - the "bcc:" is
not ANYWHERE.

The only entity that knows about the "bcc"s is the sending mail server, it
will simply distribute the message to anyone in the bcc and cc header. To each
BCC or CC recipient's server it will look like a message that was addressed
from one third party to another third party - they will not see the BCC
information.

While the "cc:" (but not bcc) information can be found in the SMTP header in
the receiving server (and thus Declude) there is no way to say whether that
header is "true" or spoofed (although there is little motivation to spoof that
header, that I can think of).

There simply is no way on earth for anything beyond the sending mail server to
do anything with BCCs since the information simply is omitted and thus not
available. Therefore, there is no reason to believe that it will (or could)
ever be added to a future Declude version.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
  Sent: Tuesday, May 31, 2005 09:27 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] .EML file syntax

  Hi,

  I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you
  want) but can you also put in a CC or better yet a BCC? I have not found
  anything in the 2.0.6 manual.


  Thanx


  Goran Jovanovic
  The LAN Shoppe
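
The point made in this thread, that Bcc recipients are known only on the sending side, shown as an added Python example (not part of the original thread and not Declude code). It assumes the usual behaviour of a submitting mail server, which turns To/Cc/Bcc into envelope recipients and removes the Bcc header before transmission; all addresses and function names are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses


def addresses(msg, *fields):
    """Collect the bare addresses from the named header fields."""
    values = []
    for field in fields:
        values.extend(str(value) for value in msg.get_all(field, []))
    return [addr.lower() for _, addr in getaddresses(values)]


def submit(msg):
    """Sending side: derive the envelope recipients, then drop the Bcc header.

    Returns (envelope_recipients, bytes_sent_to_every_receiving_server).
    """
    envelope = addresses(msg, "To", "Cc", "Bcc")
    del msg["Bcc"]
    return envelope, msg.as_bytes()


def receiver_view(wire_bytes, rcpt_to):
    """Receiving side: all a filter has is the headers and its own RCPT TO."""
    msg = message_from_bytes(wire_bytes, policy=policy.default)
    listed = addresses(msg, "To", "Cc")
    return {
        "bcc_header_present": msg["Bcc"] is not None,
        "listed_recipients": listed,
        # False means this recipient was reached through the envelope only
        # (a Bcc or a list expansion); other such recipients stay unknown.
        "rcpt_listed_in_headers": rcpt_to.lower() in listed,
    }


def build_message():
    """Constructed sample message; all addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Cc"] = "carol@example.net"
    msg["Bcc"] = "dave@example.com, erin@example.com"
    msg["Subject"] = "Quarterly numbers"
    msg.set_content("See attached.\n")
    return msg


if __name__ == "__main__":
    envelope, wire = submit(build_message())
    print("envelope recipients:", envelope)
    print("view at dave's server:", receiver_view(wire, "dave@example.com"))
```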


RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-30 Thread Andy Schmidt



Yep, that same happened with their hardware raid-1 on an ML 530 (a pretty
up-scale server). Had one bad drive (apparently) and the controller managed to
wipe out the complete string. The other controller channel was unaffected.

I'm pretty certain, I've seen this happen twice (the second time I got lucky.)

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, May 30, 2005 12:39 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS

Ouch.

We've periodically had problems with Compaq (now HP) Proliant servers that
have been mostly about the pre-failure being too sensitive; it's now part of
our best practice to keep up with driver and ROM updates. This used to be
difficult, but now HP has a ROM update bootable ISO image we download, it
detects and updates the ROMs on the motherboard, the array cards, and the
microcode on the hard drives. It's called the Firmware Maintenance CD.

Andrew 8)

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
  Sent: Monday, May 30, 2005 9:07 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] EXITSCANONVIRUS

  Windows. Power went out, for some reason the UPS went into shutdown mode, it
  appears something on the server hung preventing it from shutting down
  before the UPS shutdown timer expired, the rest is history. Turns out the
  Ghost image is inconsistent, so I am rebuilding the OS from the ground, will
  try to do a restore from a backup I made of the extracted OS partition in
  Ghost, not sure how that is going to go, but if not then will have to
  recreate in IIS 47 web sites. Data for the sites is fine, as that was on a
  pair of separate SCSI drives.

  So much for getting caught up on other work.

  John T
  eServices For You

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Monday, May 30, 2005 6:43 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] EXITSCANONVIRUS

  Oh man...I feel your pain! Happened to us mid-April. Fortunately it was just
  after midnight on a Friday, so we had everything back up before morning and
  no one noticed the interruption in service.

  Was it Windows mirroring or hardware level?

  Darin.

  - Original Message -
  From: John Tolmachoff (Lists)
  To: Declude.Virus@declude.com
  Sent: Monday, May 30, 2005 3:30 AM
  Subject: RE: [Declude.Virus] EXITSCANONVIRUS

  Off the topic, but it interrupted my work on my mail server.

  Anyone ever lose both mirrored OS drives at the same time?

  FUN FUN FUN

  NOT!

  At least Ghost is able to read the master.

  John T
  eServices For You
  
  ==


[Declude.Virus] AVERT Medium Threat Advisory for Home Users Only: W32/Sober.p@MM

2005-05-02 Thread Andy Schmidt
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 02, 2005 04:36 PM
Subject: AVERT Medium Threat Advisory for Home Users Only: W32/[EMAIL PROTECTED]

Advisory
This is a Medium Threat Advisory for W32/[EMAIL PROTECTED] for Home Users Only.

Justification
W32/[EMAIL PROTECTED] has been deemed Medium due to prevalence. 

Read About It
Information about W32/[EMAIL PROTECTED] is located on VIL at:
http://vil.mcafeesecurity.com/vil/content/v_133409.htm

Detection
W32/[EMAIL PROTECTED] was first discovered on 05/02/2005 and has been
proactively detected since at least DAT version 4443.  Specific detection and
improved repair will be added to the 4482 dat files (Release Date:
05/02/2005).  EXTRA.DATs are not necessary to be protected from this threat.

If you suspect you have W32/[EMAIL PROTECTED], please submit a sample to
http://www.webimmune.net.

Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended Actions
please see: 
http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm




[Declude.Virus] Attachment=[Unknown: Err] ?

2005-04-15 Thread Andy Schmidt
Hi,

Any particular subject/attachment name that we can recognize it by?

Also, for half a day I've seen lots of no subject and the attachment of
Unknown Err.  Seems as if Declude is choking on something here:

04/15/2005 16:43:42 Q275DA0790152A6BF Warning: file#=123456 (123456.EXE ... )
04/15/2005 16:43:42 Q275DA0790152A6BF Scanner 1: Virus= the W32/[EMAIL PROTECTED] Attachment=[Unknown: Err] [17] I
04/15/2005 16:43:42 Q275DA0790152A6BF File(s) are INFECTED [ the W32/[EMAIL PROTECTED]: 13]
04/15/2005 16:43:42 Q275DA0790152A6BF Deleting file with virus
04/15/2005 16:43:42 Q275DA0790152A6BF Deleting E-mail with virus!
04/15/2005 16:43:42 Q275DA0790152A6BF Scanned: CONTAINS A VIRUS [MIME: 2 19430]
04/15/2005 16:43:42 Q275DA0790152A6BF From: [Forged] To: [EMAIL PROTECTED] [incoming from 207.30.155.52]
04/15/2005 16:43:42 Q275DA0790152A6BF Subject:


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Friday, April 15, 2005 05:33 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Another new virus


I am getting lots of banned attachment notices and lots of bounces in the
last 90 minutes.

THANKFULLY, I am blocking zip files which contain executables otherwise
these would have all be delivered to users.

Any one have an idea of what this one is, it is kind of acting like Bagle.

John T
eServices For You




RE: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Andy Schmidt
Hi:

 I am sure they will end up doing what ATT does and just blackhole
queries to certain RBL's. 

And rightfully so - ISPs are offering domain name resolution service to
their customers.  However, RBLs don't really qualify as domain name
resolution, even though they use the public DNS to store and propagate the
information.

As you say - it's absolutely necessary (and proper) to run your own DNS to
avoid trouble with upstream providers.


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Thursday, March 31, 2005 05:19 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Covad has a problem with our RBL


Yes, its very possible. 

10 RBLS x 1200 emails in an hour is easily 12K hits. 

The 10 RBLS is also conservative.  I am sure they will end up doing what 
ATT does and just blackhole queries to certain RBL's.  I would look at 
setting up a local DNS server. 

Darrell 



RE: [Declude.Virus] Spam .com files being blocked.

2005-03-16 Thread Andy Schmidt



Uh, I reproduced that and will report it.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

http://www.HM-Software.com/

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Wednesday, March 16, 2005 01:16 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Spam .com files being blocked.

  1.82 is what I am running.

  I get an IP address with vulnerabilities and with viruses but not with Banned file extensions.

- Original Message -
From: Andy Schmidt
To: Declude.Virus@declude.com
Sent: Wednesday, March 16, 2005 11:38 AM
Subject: RE: [Declude.Virus] Spam .com files being blocked.

Hm,

What version of Declude Virus are you using?

mine reads:

03/16/2005 11:49:53 Q63864DC00020B8C3 Deleting file with virus
03/16/2005 11:49:53 Q63864DC00020B8C3 Deleting E-mail with virus!
03/16/2005 11:49:53 Q63864DC00020B8C3 Scanned: CONTAINS A VIRUS [MIME: 2 17610]
03/16/2005 11:49:53 Q63864DC00020B8C3 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 217.247.3.127]
03/16/2005 11:49:53 Q63864DC00020B8C3 Subject: Re: Hi

and I'm pretty certain that I've been able to get Virus statistics (using DLAnalyzer) with the originating IP long BEFORE Declude 2.0?
IP Summary Virus Report

Total Incoming Messages from External Networks: 2,792
Virus Infected Messages: 593
Percentage Infected: 21.24%

IP ADDRESS    # INFECTED    PERCENTAGE

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

http://www.HM-Software.com/

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Wednesday, March 16, 2005 12:02 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Spam .com files being blocked.

  Unfortunately Declude doesn't list the IP: (Maybe this could be corrected?)

  03/15/2005 19:09:58 Q876023ed02a22c68 Banning file with com extension [image/gif].
  03/15/2005 19:10:00 Q876023ed02a22c68 Found a bogus .com file
  03/15/2005 19:10:00 Q876023ed02a22c68 Scanned: Banned file extension. [MIME: 3 10049]
  03/15/2005 19:10:00 Q876023ed02a22c68 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
attachment: HMSoftSmall.jpg
attachment: HMSoftSmall.jpg
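
The per-IP tally discussed in the message above, as an added example (not part of the original thread and not DLAnalyzer's code). It assumes the log layout quoted in these posts (timestamp, queue ID, text), rejoins lines wrapped by a mail client, and lists messages whose verdict has no `[incoming from ...]` source, which is the gap Scott describes for banned extensions. The sample log, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout quoted in this thread (example.* addresses, TEST-NET IPs).
SAMPLE_LOG = """\
03/16/2005 11:49:53 Q63864DC00020B8C3 Deleting E-mail with virus!
03/16/2005 11:49:53 Q63864DC00020B8C3 Scanned: CONTAINS A VIRUS [MIME: 2 17610]
03/16/2005 11:49:53 Q63864DC00020B8C3 From: a@example.com To: b@example.net [incoming from 192.0.2.10]
03/16/2005 11:49:53 Q63864DC00020B8C3 Subject: Re: Hi
03/15/2005 19:10:00 Q876023ed02a22c68 Found a bogus .com file
03/15/2005 19:10:00 Q876023ed02a22c68 Scanned: Banned file extension. [MIME: 3 10049]
03/15/2005 19:10:00 Q876023ed02a22c68 From: c@example.com To: d@example.net
03/16/2005 12:01:07 Q11112222333344AA Scanned: CONTAINS A VIRUS [MIME: 2
19430]
03/16/2005 12:01:07 Q11112222333344AA From: [Forged] To: b@example.net
[incoming from 192.0.2.10]
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
VERDICT = re.compile(r"^Scanned: (.+?)\.? \[MIME:")
SOURCE = re.compile(r"\[incoming from (\d{1,3}(?:\.\d{1,3}){3})\]")
BLOCKED = {"CONTAINS A VIRUS", "Banned file extension"}  # the two verdicts quoted in the thread

def unwrap(text):
    """Rejoin wrapped records: a line without a leading timestamp continues the previous one."""
    records = []
    for raw in text.splitlines():
        if LINE.match(raw) or not records:
            records.append(raw.strip())
        else:
            records[-1] += " " + raw.strip()
    return records

def summarize(text):
    """Return (blocked-message count per source IP, queue IDs blocked without a logged IP)."""
    msgs = defaultdict(dict)
    for rec in unwrap(text):
        m = LINE.match(rec)
        if not m:
            continue
        qid, body = m.group(2), m.group(3)
        v, s = VERDICT.match(body), SOURCE.search(body)
        if v:
            msgs[qid]["verdict"] = v.group(1)
        if s:
            msgs[qid]["ip"] = s.group(1)
    hits = {q: d for q, d in msgs.items() if d.get("verdict") in BLOCKED}
    by_ip = Counter(d["ip"] for d in hits.values() if "ip" in d)
    no_ip = sorted(q for q, d in hits.items() if "ip" not in d)
    return by_ip, no_ip
```
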


[Declude.Virus] Foto.rar

2005-01-28 Thread Andy Schmidt
Another variation - came with a foto.rar attachment.

Received: from host46.ipowerweb.com [66.235.216.140] by hm-software.com
  (SMTPD32-8.14) id A70B620D0124; Fri, 28 Jan 2005 14:48:27 -0500
Received: from riqotscr (168.113.230.53)
by host46.ipowerweb.com; Fri, 28 Jan 2005 11:48:22 -0800
Message-ID: [EMAIL PROTECTED]
Reply-To:  [EMAIL PROTECTED]
From:  [EMAIL PROTECTED]
To:  [EMAIL PROTECTED]
Subject: photo
Date: Fri, 28 Jan 2005 11:48:22 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0091_01C4F282.E483B826
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Declude: Version 1.82; D970a620d01240fca.SMD from host46.ipowerweb.com
[66.235.216.140]
X-Declude: Triggered [0] WEIGHTSNIFFER
X-Countries: UNITED STATES-[ARIN Unlisted]-destination
Return-Path: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 406759401

Hi Pete!
My porn photo, only for you ;)
With love, Alice.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



RE: [Declude.Virus] RAR Support - why not?

2005-01-28 Thread Andy Schmidt
Hi Goran:

Oh, I've been thinking about just that.  However does that mean you hold all
virus files?  

I don't think I could afford the additional disk space (the spool file is
already too big as it is.)

Best Regards
Andy 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, January 28, 2005 12:48 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?


Andy,

Someone posted on this list a while ago a small ASP page that I am using to
requeue a banned file. I send out a bannotify.eml that has the link back to
the server with the appropriate file name. The user says I really really
want this file and clicks on the link. It gets requeued automatically into
the spool directory and it is not scanned/banned again and the user gets it
within 30 minutes.

I remember that there was some discussion on the list a while ago about
having the users authenticate and fill in a form etc. I decided not to
bother with that. 

I can send you my bannotify.eml and the asp file if you wish. Let me know

 
 
 
 Goran Jovanovic
 The LAN Shoppe

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
 [EMAIL PROTECTED] On Behalf Of Andy Schmidt
 Sent: Thursday, January 27, 2005 6:27 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] RAR Support - why not?
 
  1.82 will treat encrypted .RAR files the same as encrypted .ZIP
files,
 and will block banned file extensions in .RAR files the same way as it 
 blocks banned file extensions in .ZIP files. 
 
 Beautiful!
 
 Now we just need McAfee to scan inside RAR files G
 
 (Globally banning zipped .EXE files is not an option for me - I gotta
give
 those customers SOME practical way to send/receive restricted file
 types.)
 
 Best Regards
 Andy
 
 


RE: [Declude.Virus] RAR Support - why not?

2005-01-28 Thread Andy Schmidt
I may have to start doing that.  I used to be able to keep 30 days of logs -
but volume, dictionary attacks and SPAM volume are making it increasingly
difficult.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, January 28, 2005 05:15 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] RAR Support - why not?


Notices only go out for banned files.  We include a statement that the email
will be available to be requeued for x number of days...so automatic
processes clean it up if it's unclaimed.

Regarding the space problem, are you moving logs off to another partition on
a nightly basis?  Between that, automatic cleanup, and zipping old logs ours
stays pretty clean.

Darin.


- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 28, 2005 5:05 PM
Subject: RE: [Declude.Virus] RAR Support - why not?


Hi Goran:

Oh, I've been thinking about just that.  However does that mean you hold all
virus files?

I don't think I could afford the additional disk space (the spool file is
already too big as it is.)

Best Regards
Andy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, January 28, 2005 12:48 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] RAR Support - why not?


Andy,

Someone posted on this list a while ago a small ASP page that I am using to
requeue a banned file. I send out a bannotify.eml that has the link back to
the server with the appropriate file name. The user says I really really
want this file and clicks on the link. It gets requeued automatically into
the spool directory and it is not scanned/banned again and the user gets it
within 30 minutes.

I remember that there was some discussion on the list a while ago about
having the users authenticate and fill in a form etc. I decided not to
bother with that.

I can send you my bannotify.eml and the asp file if you wish. Let me know




 Goran Jovanovic
 The LAN Shoppe



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
 [EMAIL PROTECTED] On Behalf Of Andy Schmidt
 Sent: Thursday, January 27, 2005 6:27 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] RAR Support - why not?

  1.82 will treat encrypted .RAR files the same as encrypted .ZIP
files,
 and will block banned file extensions in .RAR files the same way as it 
 blocks banned file extensions in .ZIP files. 

 Beautiful!

 Now we just need McAfee to scan inside RAR files G

 (Globally banning zipped .EXE files is not an option for me - I gotta
give
 those customers SOME practical way to send/receive restricted file
 types.)

 Best Regards
 Andy



