[Declude.Virus] Per-Domain Per-User settings for EZIP
We usually don't post about every interim release, however we thought this would be useful as it has been requested often.

(Please note: you need to be on 4.11.00 to upgrade just the decludeproc; if you are earlier than 4.11.00, use the setup upgrade from your host record on www.declude.com.)

Interim access can be found on your My Account home page.

// 4.11.04 == ADD: Allowing EZIP (Encrypted ZIP files) for Domains and Users

File: Virus.cfg file

    ALLOWEZIPTO = used for incoming email
    ALLOWEZIPFROM = used for outgoing email

    User configuration = u...@example.com
    Domain configuration = example.com

Example:

    ALLOWEZIPTO u...@example.com
    ALLOWEZIPTO example.com
    ALLOWEZIPFROM senderaddr...@example.com
    ALLOWEZIPFROM example.com

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Declude 4.11.00 Interceptor 3.4.11.500 Available
Please contact supp...@declude.com if you need assistance with your upgrade.

// 4.11.00 == New Complete Release with setup
// 4.10.89 == Updated Dll's
// 4.10.88 == Fix: Email attachment being stripped due to vulnerability in the boundary string.
// 4.10.87 == Fix: AVG issue, Error number 8, Not enough storage is available to process this command. ERROR_NOT_ENOUGH_MEMORY
// 4.10.86 == Debug: In the ScanFiles function, AVG test, comment out two log messages so that we get the correct window error message.
// 4.10.85 == Updated copyright from 2011 to 2012
// 4.10.84 == IMail: Fix Declude notification looping issue due to Alert action
// 4.10.83 == Add more debug information for AVG Load error
// 4.10.82 == Hijack ALLOWADDR allows authenticated user as well as the FROM address
// 4.10.80 == Commtouch recommended not to block the VOD medium classification

David Barker
VP Operations
Declude
[Declude.Virus] Declude 4.10.78 Interceptor 3.4.10.508 Available
Please contact supp...@declude.com if you need assistance with your upgrade.

Version  Part  Type  Change
4.10.78  AVG   FIX   Update AVG Key license key Exp=2012-04-10
4.10.77  AV    ADD   Fixed virus emails being deleted instead of being held in the virus directory, problem was introduced with 4.10.72. (IMail only)
4.10.76  JM    FIX   Fixed crash due to buffer overflow (too many recipients) when the last action is DELETE
4.10.75  DEC   FIX   Fixed ALLOWVULNERABILITIESFROM which was not working with certain vulnerabilities, such as OBJECT DATA, Partial vulnerability and Outlook 'Blank Folding' vulnerability.
4.10.74  JM    FIX   Fixed emails being tagged by Declude as Outbound when they should be Inbound. Declude will exit from loading the domain names (host) to memory when the Aliases entry in the registry is missing from one of the domains. (IMail only)
4.10.73  DEC   ADD   Added the Declude Key in the diags.txt file

David Barker
VP Operations
Declude
[Declude.Virus] Declude 4.10.72 Interceptor 3.4.10.500
Please contact supp...@declude.com if you need assistance with your upgrade.

Version  Part  Type  Change
4.10.72  DEC   ADD   Declude no longer uses imail1.exe to send notifications as IMail no longer supports imail1.exe.
4.10.71  DEC   ADD   Create the diags.txt file when the decludeproc service is started, which includes Declude Version, Platform Type, Copyright and Host name
4.10.70  SNF   FIX   Declude crashed due to SNF header exceeding the buffer size. Improved altering of headers and footers.
4.10.69  VIR   FIX   File attachments stripped when the following vulnerabilities were allowed: OLMIMESEGMIMEPRE, MIMESEGMIMEPOST, OLBOUNDARYSPACEGAP
4.10.68  HI    FIX   When Hijack is turned off no Hijack log is created.
4.10.67  VIR   FIX   When the Outlook Boundary Space Gap Vulnerability occurs (triggered) the attachment files are stripped. This was due to a mismatched boundary string.
4.10.66  DEC   FIX   Declude accepts SM default alias as incoming. (Makes Declude compatible with SM default alias mail.*) For example, for domain.com its default alias is mail.domain.com
4.10.65  JM    FIX   Filter triggered information now displays in medium log level instead of debug.
4.10.64  DEC   ADD   blklst.txt, which is located in the \spool directory, is being created every day like the other logs if BLKLST ON in the declude.cfg
4.10.63  JM    ADD   Split Commtouch test results so each has its own score: Spam, Bulk, Suspect. Also included the match value of nonzero for single line configuration, which will be triggered for spam or bulk.
               Example of configuration:
                   CT-SPAM COMMTOUCH 0 4 20 0
                   CT-BULK COMMTOUCH 0 3 8 0
                   CT-SUSPECT COMMTOUCH 0 2 4 0
               Example of nonzero configuration:
                   CT-SPAM COMMTOUCH 0 nonzero 15 0
4.10.61  JM    FIX   Fix ROUTTO issue with SM Routing when incoming gateway is configured. Accommodate their change by deleting the smarthost: line from hdr file as SM suggested
4.10.61  DEC   FIX   Copyright update from 2010 to 2011
4.10.60  JM    FIX   Compliance with SM 6+ to accommodate changes to their Trusted Sender list.
4.10.59  AV    FIX   When virus scanning is turned off (OUTGOING OFF, INCOMING OFF, or virus.cfg.off), for any plain/text email Declude failed to copy the body of the email from eml to em$, which resulted in an empty email.

David Barker
VP Operations
Declude
RE: [Declude.Virus] AVG antivirus did not work
The error means that the AVG database failed to initialize. Did you do a manual upgrade? One way to try to resolve this is to delete all the files in C:\SmarterMail\declude\scanners\avg\db, then restart decludeproc and wait for the new AVG signature to come down. Once the new signature file is down, does the error go away? If not, email supp...@declude.com and we can help you resolve the problem.

David Barker
VP Operations
Declude

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon Mariola - Rubén
Sent: Wednesday, February 02, 2011 3:08 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] AVG antivirus did not work

Today I have noticed that my AVG antivirus did not work. I really think a long time that does not work. My version of Declude was 4.10.48. When looking at the file vir0202.log:

    02/02/2011 00:02:07.505 453300649.eml Log Level set to MID
    02/02/2011 00:02:07.520 453300649 Vulnerability flags = 343
    02/02/2011 00:02:07.567 453300649 Error: AVG Initialize Fail (5)
    02/02/2011 00:02:07.567 453300649 Scanned: Virus Free [MIME: 2 25857]
    02/02/2011 00:02:22.677 453300650 Vulnerability flags = 343
    02/02/2011 00:02:22.708 453300650 Error: AVG Initialize Fail (5)
    02/02/2011 00:02:22.723 453300650 Scanned: Virus Free [MIME: 2 26260]

I upgraded Declude to version 4.10.58. Still does not run the AVG antivirus. And the logs are showing the same error.

    02/02/2011 20:20:32.574 453317098 Vulnerability flags = 351
    02/02/2011 20:20:32.605 453317098 Error: AVG Initialize Fail (5)
    02/02/2011 20:20:32.605 453317098 Scanned: Virus Free [MIME: 1 18517]
    02/02/2011 20:20:56.043 453317101 Vulnerability flags = 351
    02/02/2011 20:20:56.277 453317101 Error: AVG Initialize Fail (5)
    02/02/2011 20:20:56.418 453317101 Scanned: Virus Free [Prescan OK][MIME: 2 959768]

I looked at the folder declude\scanners\avg\db and see this:

    Directorio de C:\SmarterMail\declude\scanners\avg\db
    02/02/2011 20:26 DIR .
    02/02/2011 20:26 DIR ..
    02/02/2011 20:23 0 avi7.avg
    02/02/2011 20:26 70.627.222 incavi.avm
    02/02/2011 20:23 0 microavi.avg
    02/02/2011 20:23 0 miniavi.avg
    4 archivos 70.627.222 bytes

If I stop Declude, I delete these files and I start Declude, after a few minutes they are recreated with the same sizes. What is the problem?

Rubén Martí.
Món Mariola, S.L.
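The logs in this thread show the scanner failing open: the message is logged as "Virus Free" immediately after AVG failed to start. The following is an added example, not code from Declude or from the original posts, that flags such verdicts in a virus log; the sample lines are copied from log excerpts quoted on this page, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Log lines copied from the vir*.log excerpts quoted in the posts on this page.
SAMPLE_LOG = """\
02/02/2011 00:02:07.505 453300649.eml Log Level set to MID
02/02/2011 00:02:07.520 453300649 Vulnerability flags = 343
02/02/2011 00:02:07.567 453300649 Error: AVG Initialize Fail (5)
02/02/2011 00:02:07.567 453300649 Scanned: Virus Free [MIME: 2 25857]
02/02/2011 20:20:56.043 453317101 Vulnerability flags = 351
02/02/2011 20:20:56.277 453317101 Error: AVG Initialize Fail (5)
02/02/2011 20:20:56.418 453317101 Scanned: Virus Free [Prescan OK][MIME: 2 959768]
05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]
04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]
"""

# "<MM/DD/YYYY> <HH:MM:SS.mmm> <spool file or id> <message text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<spool>\S+) (?P<text>.*)$"
)
# Matches "Error: AVG Initialize Fail (5)" and
# "Error: Could not start AVG Instance (17)".
AVG_ERROR_RE = re.compile(r"^Error: (?P<what>.*AVG.*?) \((?P<code>\d+)\)$")


def spool_id(token):
    """Normalise '453300649.eml' or 'q99...smd' to a bare, lowercase id."""
    return token.rsplit(".", 1)[0].lower()


def find_unscanned_verdicts(log_text):
    """Return 'Virus Free' verdicts that follow an AVG error for the same message."""
    pending = {}   # spool id -> (error text, error code) seen before the verdict
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # not a log line in the expected layout
        sid = spool_id(m["spool"])
        err = AVG_ERROR_RE.match(m["text"])
        if err:
            pending[sid] = (err["what"], int(err["code"]))
        elif m["text"].startswith("Scanned:"):
            failure = pending.pop(sid, None)
            # Only a clean verdict is suspicious; a detection by another
            # scanner after the AVG error is a real result.
            if failure and m["text"].startswith("Scanned: Virus Free"):
                findings.append({
                    "spool_id": sid,
                    "when": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
                    "error": failure[0],
                    "code": failure[1],
                })
    return findings


def outage_summary(findings):
    """Count findings per error code and report the first and last time seen."""
    if not findings:
        return {"count": 0, "by_code": {}, "first": None, "last": None}
    by_code = {}
    for item in findings:
        by_code[item["code"]] = by_code.get(item["code"], 0) + 1
    times = [item["when"] for item in findings]
    return {"count": len(findings), "by_code": by_code,
            "first": min(times), "last": max(times)}


if __name__ == "__main__":
    results = find_unscanned_verdicts(SAMPLE_LOG)
    for item in results:
        print(item["when"], item["spool_id"], item["error"], item["code"])
    print(outage_summary(results))
```

Run daily over the current vir*.log, a non-zero count is the alert that the thread's posters say they never received.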
RE: [Declude.Virus] Need Help - How to Rescan Messages
Hi Andy,

To reprocess files through Declude, place the matching pairs of Q*.smd and D*.smd into the \proc folder. You can move them together, however if it is a lot of files you may want to move the D files first, then the Q files. The best way to do it for IMail is to use Invariant Systems' free application http://www.invariantsystems.com/download/movefiles20.zip

The \Review folder holds messages that were busy being processed when Decludeproc was stopped. Move old files from the \work to the \review, then move all the matching pairs to \proc. There is no circumstance to move messages to the \work.

David Barker
VP Operations
Declude

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, September 15, 2010 11:22 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Need Help - How to Rescan Messages
Importance: High

Hi,

I had an issue overnight that caused many hundreds of messages to be moved to the /Spool/Virus folder (Q* and D* pairs) and to the /Spool/Proc/Review folder (Q* files only).

Question - how do I cause these files to be rescanned (as some may be REAL Trojans)?

Where do I move Q/D pairs from the /Spool/Virus folder? Do I move the D file to the /Spool folder and the Q file to the /Spool/Proc folder? Or do I move BOTH the Q and D files to the /Spool/Proc folder?

What about the Q files in the /Spool/Proc/Review folder - do I just move them to /Spool/Proc, or to /Spool/Proc/Work? I checked one file and it seems the matching D file was in the /Spool/Proc/Work folder!

Best Regards,
Andy
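The requeue rule from the reply above (matched Q/D pairs only, D files before Q files) as an added example, not code from Declude or from the original posts. It assumes the two files of a pair share everything after the leading Q or D in the file name; the folder and file names in demo() are constructed.

```python
import shutil
import tempfile
from pathlib import Path


def _index(folder):
    """Map pair id -> path for the Q*.smd and D*.smd files in one folder."""
    q_files, d_files = {}, {}
    for path in Path(folder).iterdir():
        if not path.is_file() or path.suffix.lower() != ".smd":
            continue
        # Assumption: pair id is the file name without its first letter.
        prefix, key = path.name[0].lower(), path.stem[1:].lower()
        if prefix == "q":
            q_files[key] = path
        elif prefix == "d":
            d_files[key] = path
    return q_files, d_files


def requeue_pairs(source, proc):
    """Move complete Q/D pairs from source into proc, all D files first.

    Files without a partner stay where they are and are reported as
    orphans; a pair is skipped rather than overwriting a file in proc.
    """
    proc = Path(proc)
    q_files, d_files = _index(source)
    moved, skipped = [], []
    for key in sorted(q_files.keys() & d_files.keys()):
        collides = ((proc / q_files[key].name).exists()
                    or (proc / d_files[key].name).exists())
        (skipped if collides else moved).append(key)
    # D files go first so that every Q file finds its data file
    # already present when it appears in proc.
    for key in moved:
        shutil.move(str(d_files[key]), str(proc / d_files[key].name))
    for key in moved:
        shutil.move(str(q_files[key]), str(proc / q_files[key].name))
    orphans = sorted(
        [q_files[k].name for k in q_files.keys() - d_files.keys()]
        + [d_files[k].name for k in d_files.keys() - q_files.keys()]
    )
    return {"moved": moved, "skipped": skipped, "orphans": orphans}


def demo():
    """Run requeue_pairs on constructed placeholder files in a temp folder."""
    with tempfile.TemporaryDirectory() as tmp:
        review, proc = Path(tmp, "review"), Path(tmp, "proc")
        review.mkdir()
        proc.mkdir()
        names = ["Q0001.smd", "D0001.smd", "q0002.smd", "D0002.smd",
                 "Q0003.smd", "D0004.smd", "Q0005.smd", "D0005.smd",
                 "notes.txt"]
        for name in names:
            (review / name).write_text("constructed placeholder")
        # A file with the same name is already queued in proc.
        (proc / "Q0005.smd").write_text("constructed placeholder")
        result = requeue_pairs(review, proc)
        result["proc"] = sorted(p.name for p in proc.iterdir())
        result["left"] = sorted(p.name for p in review.iterdir())
        return result


if __name__ == "__main__":
    for field, value in demo().items():
        print(field, value)
```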
[Declude.Virus] Declude Compass
Just an FYI. 15 September 2010 we will be increasing the price of Declude Compass from $299 to $349 and including AVG as standard. If you purchase or renew your Compass prior to this date you will receive Compass at the $299 price including AVG. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com
[Declude.JunkMail] Declude Compass
Just an FYI. 15 September 2010 we will be increasing the price of Declude Compass from $299 to $349 and including AVG as standard. If you purchase or renew your Compass prior to this date you will receive Compass at the $299 price including AVG. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com
RE: [Declude.Virus] AVG reports SPAM as VIRUS!
Andy,

AVG is not integrated with Declude JM, this is AVG reporting the name of the virus as spam. Now, something may have changed that AVG is now detecting spam in their signatures, however we were not made aware of this by AVG. I will look further into this.

As much as we do appreciate your feedback which helps identify such problems, in some things it may be more helpful to first approach supp...@declude.com or myself dbar...@declude.com before engaging everyone in the list. Your assumptions of "PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling!" and "Declude MUST recognize that and NOT treat it like a virus" are rather harsh to be posting to without having all the facts to begin with.

Thanks

David Barker
VP Operations
Declude

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, May 12, 2010 10:39 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] AVG reports SPAM as VIRUS!
Importance: High

Hi,

For the past few days, I'm seeing AVG suddenly reporting a virus SPAM:

    Virus Scanner Summary Report (Integrated AVG Scanner)
    Total Messages Processed: 19,499
    Virus Infected Messages: 232
    Percentage Infected: 1.19%

    VIRUS   # INFECTED   PERCENTAGE
    SPAM    232          1.19%

resulting in these SMTP headers:

    X-Declude-Virus: Detected Spam [from IP 41.218.0.202 ([No Reverse DNS])].

and these reports:

    q061a000274936c02.smd AVG Reports VIRUS: Spam
    q061a000274936c02.smd File(s) are INFECTED [Spam: 7]
    q061a000274936c02.smd Scanned: CONTAINS A VIRUS [MIME: 1 424]
    q061a000274936c02.smd From: bloodiest...@rcbassociats.com To: elopre...@??? [incoming from 41.218.0.202]
    q061a000274936c02.smd Subject: Please attention!

This causes a whole bunch of problems, e.g.

a) I am unable to 'weigh' this Spam with other factors BEFORE it gets blocked.
b) It bypasses the WhiteList feature (from the user's Webmail Contacts)
c) It's treated like a Virus, hundreds of the configured virus notices are being emailed, etc.

While I'm certainly in favor of any additional SPAM detection - but then it needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling! If AVG reports to Declude the virus name Spam, then Declude MUST recognize that and NOT treat it like a virus (or at least give us a config option NOT to.)

Best Regards,
Andy
RE: [Declude.Virus] AVG reports SPAM as VIRUS!
Andy,

My point was not that one shouldn't post to the list. We appreciate user input no matter how we feel about it; an open forum is very important for both Declude and users. All I am saying is if you had emailed us first then we could strike the assumption that we dumped a new spam test into virus handling as you suggested:

"While I'm certainly in favor of any additional SPAM detection - but then it needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling!"

And then we could focus on the real issue of why is AVG reporting SPAM. Working together to solve a problem is the goal, so let's rule out the things we know it is not.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, May 12, 2010 11:35 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG reports SPAM as VIRUS!

Dave,

I'm aware it's integrated in Declude Virus - that's why I chose the CORRECT list to discuss this. I referenced Declude Junkmail, because IF AVG is now reporting SPAM, then THAT part SHOULD be handled as part of Declude Junkmail NOT as Declude Virus.

I choose to use the list whenever I have expended some time to track down a situation and realize that this will affect all users and thus will save everyone time from working on the same issue. That's the whole point of the list!

Consequently, whenever AVG stops working altogether (which was doubted both times when I discovered it - until eventually it was determined to have been a problem after all), I will continue to report this on the list, because everyone needs to be aware that their internal scanner may be non-functioning for extended periods of time. The alternative would be for Declude to post an alert!

When I notice that the Sniffer implementation has objectively incorrect or incomplete sample files, or has sample files that don't make it obvious that some IP based results will be triple-counted, then I feel justified in discussing this on the list as this will benefit OTHER users who don't have to re-learn what took me days to figure out.

I will post on the list whenever I'm hoping to solicit feedback from a broader audience, to see if a situation I encountered was isolated or turns out to be more widespread.

I will contact support@ whenever I suspect that I may have an isolated problem that needs to be analyzed first.

In my opinion, I usually use the appropriate venue. But I accept that you may disagree and prefer that the list is quiet.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, May 12, 2010 10:59 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG reports SPAM as VIRUS!

Andy,

AVG is not integrated with Declude JM, this is AVG reporting the name of the virus as spam. Now, something may have changed that AVG is now detecting spam in their signatures, however we were not made aware of this by AVG. I will look further into this.

As much as we do appreciate your feedback which helps identify such problems, in some things it may be more helpful to first approach supp...@declude.com or myself dbar...@declude.com before engaging everyone in the list. Your assumptions of "PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling!" and "Declude MUST recognize that and NOT treat it like a virus" are rather harsh to be posting to without having all the facts to begin with.
RE: [Declude.Virus] embedded AVG issue
Don,

The ZIP contains the correct dll's. The full Declude list of dll's is as follows (avgcertx.dll is not used and was only around during the interim releases):

    COMMTOUCH
        asapsdk.dll
    PCRE
        pcre3.dll
    AVG
        Avgsdk.dll
        Avgcorex.dll
        Avgcerta.dll
    SNF
        Mingwm10.dll
        Snfmulti.dll

David Barker
VP Operations
Declude

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: Monday, May 10, 2010 5:02 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

Thanks Andy,

I found that I do not have avgcertx.dll. Should this file have been included in the zip download David made?

Don

- Original Message -
From: Andy Schmidt mailto:andy_schm...@hm-software.com
To: declude.virus@declude.com
Sent: Monday, May 10, 2010 9:05 AM
Subject: RE: [Declude.Virus] embedded AVG issue

Hi Don,

Here's what I have in C:\Imail\

    11/06/2008 12:49 PM 61,440 AvApiBit.dll
    11/06/2008 12:49 PM 61,440 AvApiSym.dll
    04/29/2010 04:13 PM 834,328 avgcerta.dll
    04/29/2010 04:13 PM 623,384 avgcertx.dll
    04/29/2010 04:13 PM 4,250,392 avgcorex.dll
    04/29/2010 04:13 PM 312,320 avgsdk.dll
    10/21/2005 10:43 AM 32,768 Declude.exe
    04/29/2010 04:12 PM 2,318,428 decludeproc.exe

(You can disregard the dates/times, they just represent the time when I copied those files).

Maybe do a

    DIR C:\av*.dll /s

to make sure you don't have any duplicates elsewhere.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: Monday, May 10, 2010 7:28 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

David,

I was having this issue so I followed your directions below. After overwriting the current dlls, I could not get decludeproc to start. I determined that it was the avgsdk.dll that was in the newly downloaded zip file that was the culprit. I had to restore a previous version to get everything working again. I did notice that the new avgsdk.dll is substantially smaller than the old version.

So I am still having the issue originally described in the post.

Don

- Original Message -
From: David Barker mailto:dbar...@declude.com
To: declude.virus@declude.com
Sent: Friday, May 07, 2010 1:25 PM
Subject: RE: [Declude.Virus] embedded AVG issue

We have seen this mostly with manual installs. Error: Could not start AVG Instance (17) has to do with the DLL. Please contact supp...@declude.com if you need assistance.

1. Stop decludeproc
2. Download http://interim.declude.com/41048/AVG-DLL.zip
3. Extract and replace the dll files overwriting your current dlls.
4. Start decludeproc
5. If the error persists or you get error 2 or error 4
6. Stop decludeproc
7. Delete all files in \declude\scanners\avg\db\
8. Start decludeproc this will initiate a new download of the AVG signatures

David Barker
VP Operations
Declude

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

I thought I would check my virus logs which I have not done for a while. It is not working. See log entry:

    05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
    05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
    05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
    05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

What could be the issue here?

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222

DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Thank you.
RE: [Declude.Virus] embedded AVG issue
We have seen this mostly with manual installs. Error: Could not start AVG Instance (17) has to do with the DLL. Please contact supp...@declude.com if you need assistance.

1. Stop decludeproc
2. Download http://interim.declude.com/41048/AVG-DLL.zip
3. Extract and replace the dll files overwriting your current dlls.
4. Start decludeproc
5. If the error persists or you get error 2 or error 4
6. Stop decludeproc
7. Delete all files in \declude\scanners\avg\db\
8. Start decludeproc this will initiate a new download of the AVG signatures

David Barker
VP Operations
Declude

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

I thought I would check my virus logs which I have not done for a while. It is not working. See log entry:

    05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
    05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
    05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
    05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

What could be the issue here?

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222
RE: [Declude.Virus] RE: Internal (AVG Scanner) does NOT report file name
We agreed that adding the file name would be useful and it is on the dev list. I thought I posted this to the list but it may have got overlooked with all the activity from last week ;)

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, May 03, 2010 1:41 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] RE: Internal (AVG Scanner) does NOT report file name

Hi Dave (just in case this was overlooked in all the activity last week):

Considering that AVG is integrated INTO Declude, it should interface at LEAST as good as any external scanner. However, the virus bounce message filename variable is NOT set when a virus is caught by AVG. Only the Virus Name variable is populated.

Obviously, Declude is AWARE of the file name, because when Declude passes control to an external scanner next, then the infected file is reported correctly. So there should be no good reason why a virus caught by the internal scanner would not report the filename!?

This is also evident in the LOG file. Here's the EICAR virus caught by AVG in the .48 build. It only reports the virus name EICAR_Test.

    04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
    04/29/2010 22:22:20.277 qeae800cc0002.smd File(s) are INFECTED [EICAR_Test: 7]
    04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]

If the SAME file is detected by an external scanner (in this case ClamAV) it reports the virus name AND the file name:

    04/28/2010 12:49:29.722 q6748c63e0425.smd Virus scanner 1 reports exit code of 1
    04/28/2010 12:49:29.722 q6748c63e0425.smd Scanner 1: Virus= Eicar-Test-Signature Attachment=eicar.zip [61] I
    04/28/2010 12:49:29.722 q6748c63e0425.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 875]

The AVG integration should be improved to match the quality of integration of external scanners.

Best Regards,
Andy
RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!
Andy is correct, it should be remembered that no AV is 100% accurate. This is why besides AVG and Commtouch, which are integrated into Declude, users can run up to 5 additional external virus scanners using Declude, and as seen from the lists ClamAV is a good choice for a free scanner.

David Barker
VP Operations
Declude

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, April 29, 2010 11:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Declude Users - take note!

CommTouch/Zerohour does a good job, but does not catch all known viruses (some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to multiple users each!), it's absolutely imperative that AVG works if you don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks or possibly months it has not worked). I have confirmed that AVG is now working again after I upgraded from 4.10.42-A to 4.10.48.

So - I recommend all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for extended periods of time - and it's never discovered until I finally insist. Naturally, I have zero confidence in the built-in scanner. It's unreliable and there is no notification whenever it stops working.)

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com; declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44 Optimize code for moving files to the spool directory for Smartermail
4.10.43 Fixed variable names in the MoveToError function which were declared globally
4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc
4.10.42 Message Sniffer integrated into Declude
4.10.41 Added variable %AUTH% to show the authenticated sender of the email
4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email
4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder. To turn the Hijack e-mail notify on, add the following directive to the hijack.cfg:
    HIJNOTIFY ON
  Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.
4.8.39 IPBYPASS can be configured with CIDR
4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. The format of the blklst.txt file is
    Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
  Example: Multiple Recipients:
    10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment
RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!
Mike, I understand what the point of Andy's email is. I was commenting on "CommTouch/Zerohour does a good job, but does not catch all known viruses". Yes, AVG made a change to their database structure - Declude 4.10.46+ makes use of their new data structure, this is integrated into the new release. In order for Declude to work with the latest AVG updates one needs to be running Declude version 4.10.46 or greater. If you have additional virus scanners other than AVG or are running Commtouch then the move to the latest version is not as imperative. David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Biddle (via mobile device) Sent: Friday, April 30, 2010 4:40 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection! Uhhh.. I am pretty sure that was not the point he was trying to make. While no AV is 100 percent effective, there is no reason for it not to work for days or weeks. It would appear that when core files with AVG are exploited, AVG obviously pushed out a software update to their software and I assume it needs manually implemented in Declude. Some clarification on this matter would be great. Mike _ From: David Barker dbar...@declude.com Sent: Friday, April 30, 2010 10:21 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection! Andy is correct, it should be remembered that no AV is 100% accurate. This is why, besides AVG and Commtouch, which are integrated into Declude, users can run up to 5 additional external virus scanners using Declude, and as seen from the lists ClamAV is a good choice for a free scanner.
David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, April 29, 2010 11:13 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection! Declude Users - take note! CommTouch/Zerohour does a good job, but does not catch all known viruses (some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to multiple users each!), it's absolutely imperative that AVG works if you don't have additional scanners set up. Unfortunately, AVG had stopped working (no one has said for how many weeks or possibly months it has not worked). I have confirmed that AVG is now working again after I upgraded from 4.10.42-A to 4.10.48. So - I recommend all Declude users get on top of this quickly! (PS: This is the second time AVG has gone AWOL inside of Declude for extended periods of time - and it's never discovered until I finally insist. Naturally, I have zero confidence in the built-in scanner. It's unreliable and there is no notification whenever it stops working.) From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, April 28, 2010 12:56 PM To: declude.junkm...@declude.com; declude.virus@declude.com; declude.relea...@declude.com Subject: [Declude.Virus] New Release Declude 4.10.48 The following release contains the following changes since 4.7.35 to the current 4.10.48: RELEASE 4.10.48 4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance 4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll 4.10.45 Optimize code for moving files to the spool directory for IMail 4.10.44 Optimize code for moving files to the spool directory for Smartermail 4.10.43 Fixed variable names in the MoveToError function which were declared globally 4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc 4.10.42 Message Sniffer integrated into Declude 4.10.41 Added variable %AUTH
RE: [Declude.Virus] Testing Internal Scanner
Andy what version of Declude are you running ? From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, April 28, 2010 8:16 AM To: declude.virus@declude.com Subject: [Declude.Virus] Testing Internal Scanner Hi, I've been watching this now for a few months. The internal scanner NEVER ever catches a virus - while my two other scanners catch them daily. However, since CommTouch doesn't allow the Eicar file to pass, there is no way to easily test the internal scanner. I think this is something that should eventually be addressed - either by a parameter that allows a user to disable CommTouch for a few minutes at night while testing OR by CommTouch recognizing the EICAR file as a good file and letting it pass!

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%
VIRUS                               # INFECTED   PERCENTAGE
No Records Matched Your Criteria

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%
VIRUS                               # INFECTED   PERCENTAGE
PDF.DROPPER-3                       3            0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9    1            0.01%

Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%
VIRUS                               # INFECTED   PERCENTAGE
GENERIC.DX!SED TROJAN !!!           1            0.01%

Best Regards, Andy --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
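The comparison Andy makes by eye in the report above can be automated. The following Python sketch is an added example, not part of the original post and not Declude code: it parses the three summary reports quoted in the message and flags a scanner that reports zero detections while the other scanners, fed the same mail, keep catching viruses. The function names, the 1,000-message floor and the three-report streak are assumptions.

```python
"""Flag a scanner that reports no detections while its peers, fed the same
mail, keep catching viruses. Added example; names and thresholds are assumed."""
import re
from dataclasses import dataclass, field

# Report text quoted in the message above, re-broken into lines.
PAGE_REPORT = """\
Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%
VIRUS # INFECTED PERCENTAGE
No Records Matched Your Criteria
Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%
VIRUS # INFECTED PERCENTAGE
PDF.DROPPER-3 3 0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9 1 0.01%
Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%
VIRUS # INFECTED PERCENTAGE
GENERIC.DX!SED TROJAN !!! 1 0.01%
"""

REPORT_RE = re.compile(
    r"Virus Scanner Summary Report \((?P<name>[^)]+)\)\s+"
    r"Total Messages Processed:\s*(?P<total>[\d,]+)\s+"
    r"Virus Infected Messages:\s*(?P<infected>[\d,]+)"
)
# A table row is "<virus name, may contain spaces> <count> <percent>%".
ROW_RE = re.compile(
    r"(?P<virus>\S.*?)\s+(?P<count>\d[\d,]*)\s+(?P<pct>\d+(?:\.\d+)?)%"
)
TABLE_HEADER = "VIRUS # INFECTED PERCENTAGE"


@dataclass
class ScannerReport:
    name: str
    total: int
    infected: int
    detections: dict = field(default_factory=dict)


def _to_int(text):
    return int(text.replace(",", ""))


def parse_reports(text):
    """Parse every scanner section; works on line-broken or flattened text."""
    flat = " ".join(text.split())
    matches = list(REPORT_RE.finditer(flat))
    reports = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(flat)
        # Rows live between the table header and the next scanner section.
        _, _, rows = flat[m.end():end].partition(TABLE_HEADER)
        detections = {r["virus"]: _to_int(r["count"]) for r in ROW_RE.finditer(rows)}
        reports.append(
            ScannerReport(m["name"], _to_int(m["total"]), _to_int(m["infected"]), detections)
        )
    return reports


def silent_scanners(reports, min_messages=1000):
    """Scanners with zero detections on traffic where a peer caught something.

    Zero detections is not proof of failure; it is the cue to run an
    explicit test (for example the EICAR file) against that scanner.
    """
    if sum(r.infected for r in reports) == 0:
        return []  # nobody caught anything, so there is nothing to compare
    return [r.name for r in reports if r.infected == 0 and r.total >= min_messages]


def silent_streaks(report_texts, min_reports=3, min_messages=1000):
    """Names of scanners silent in each of the last `min_reports` reports."""
    streak = {}
    for text in report_texts:  # oldest first
        reports = parse_reports(text)
        silent = set(silent_scanners(reports, min_messages))
        for r in reports:
            streak[r.name] = streak.get(r.name, 0) + 1 if r.name in silent else 0
    return sorted(name for name, n in streak.items() if n >= min_reports)


if __name__ == "__main__":
    for rep in parse_reports(PAGE_REPORT):
        print(f"{rep.name}: {rep.infected} of {rep.total} -> {rep.detections}")
    print("silent in this report:", silent_scanners(parse_reports(PAGE_REPORT)))
    # The same report repeated stands in for three consecutive periods (constructed).
    print("alert:", silent_streaks([PAGE_REPORT] * 3))
```

Run on a schedule against each period's report, this gives the notification the thread says is missing when a scanner stops catching anything.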
RE: [Declude.Virus] Testing Internal Scanner
The release was yesterday. I am putting together the release notes today and I will post to the list. From: Scott Fisher sfis...@farmprogress.com Sent: Wednesday, April 28, 2010 9:48 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Testing Internal Scanner Speaking of versions. I'm running 4.10.42 I noticed there is a 4.10.48 available but no email notice or release notes. -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, April 28, 2010 8:12 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Testing Internal Scanner Andy what version of Declude are you running ? From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, April 28, 2010 8:16 AM To: declude.virus@declude.com Subject: [Declude.Virus] Testing Internal Scanner Hi, I've been watching this now for a few months. The internal scanner NEVER ever catches a virus - while my two other scanner catch them daily. However, since CommTouch doesn't allow the Eicar file to pass, there is no way to easily test the internal scanner. I think this is something that should eventually be addressed - either by a parameter that allows a user to disable CommTouch for a few minutes at night while testing OR by CommTouch recognizing the EICAR file as a good file and letting it pass! Virus Scanner Summary Report (Integrated AVG Scanner) Total Messages Processed: 17,402 Virus Infected Messages: 0 Percentage Infected: 0.00% VIRUS # INFECTED PERCENTAGE No Records Matched Your Criteria Virus Scanner Summary Report (ClamAV) Total Messages Processed: 17,402 Virus Infected Messages: 4 Percentage Infected: 0.02% VIRUS # INFECTED PERCENTAGE PDF.DROPPER-3 3 0.02% SUSPECT.DOUBLEEXTENSION-ZIPPWD-9 1 0.01% Virus Scanner Summary Report (McAfee VirusScan) Total Messages Processed: 17,402 Virus Infected Messages: 1 Percentage Infected: 0.01% VIRUS # INFECTED PERCENTAGE GENERIC.DX!SED TROJAN !!! 
1 0.01% Best Regards, Andy --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] New Release Declude 4.10.48
The following release contains the following changes since 4.7.35 to the current 4.10.48: RELEASE 4.10.48 4.10.48 Fix closing files when PCRE dll encounters an error. 4.10.47 Fix memory leak in AVG SDK Release Instance 4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll 4.10.45 Optimize code for moving files to the spool directory for IMail 4.10.44 Optimize code for moving files to the spool directory for Smartermail 4.10.43 Fixed variable names in the MoveToError function which were declared globally 4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc 4.10.42 Message Sniffer integrated into Declude 4.10.41 Added variable %AUTH% to show the authenticated sender of the email 4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email 4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. HIJNOTIFY ON Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified. 4.8.39 IPBYPASS can be configured with CIDR 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. 
The format blklst.txt file is Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfa iled Example: Multiple Recipients: 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-D UL=5,FIVETENRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14= 14,| One Recipient: 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file Configuration: In declude.cfg file: POSTINIFIXON in order for the Postini Fix to work 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] New Release Declude 4.10.48
The following release contains the following changes since 4.7.35 to the current 4.10.48: RELEASE 4.10.48 4.10.48 Fix closing files when PCRE dll encounters an error. 4.10.47 Fix memory leak in AVG SDK Release Instance 4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll 4.10.45 Optimize code for moving files to the spool directory for IMail 4.10.44 Optimize code for moving files to the spool directory for Smartermail 4.10.43 Fixed variable names in the MoveToError function which were declared globally 4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc 4.10.42 Message Sniffer integrated into Declude 4.10.41 Added variable %AUTH% to show the authenticated sender of the email 4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email 4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. HIJNOTIFY ON Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified. 4.8.39 IPBYPASS can be configured with CIDR 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. 
The format blklst.txt file is Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfa iled Example: Multiple Recipients: 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-D UL=5,FIVETENRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14= 14,| One Recipient: 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file Configuration: In declude.cfg file: POSTINIFIXON in order for the Postini Fix to work 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] RE: Outlook
Hi Rob, By False Positive you mean the message was good yet did not have a virus but the email does contain the vulnerability, which can be exploited which puts your server or recipient at risk. The best thing to do if it comes from a specific address is to contact the sender and make them aware of the issue so they can upgrade or patch their side. If this is not possible, you do have the option of disabling this vulnerability check either for the sender specifically or turn it off completely on your server (which we do not advise) so in short we suggest to continue to check for this vulnerability. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Robert Grosshandler Sent: Monday, April 12, 2010 6:07 PM To: declude.junkm...@declude.com Subject: [Declude.JunkMail] Outlook Hi Occasionally, we're getting false positives on the email to us containing: [Outlook 'MIME segment in MIME Postamble' Vulnerability] I'm sure they do contain that problem, but false in that they're not malicious (I don't think.) People still blocking on this? Thanks, Rob --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] RE: Outlook
Hi Rob, By False Positive you mean the message was good yet did not have a virus but the email does contain the vulnerability, which can be exploited which puts your server or recipient at risk. The best thing to do if it comes from a specific address is to contact the sender and make them aware of the issue so they can upgrade or patch their side. If this is not possible, you do have the option of disabling this vulnerability check either for the sender specifically or turn it off completely on your server (which we do not advise) so in short we suggest to continue to check for this vulnerability. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Robert Grosshandler Sent: Monday, April 12, 2010 6:07 PM To: declude.junkm...@declude.com Subject: [Declude.JunkMail] Outlook Hi Occasionally, we're getting false positives on the email to us containing: [Outlook 'MIME segment in MIME Postamble' Vulnerability] I'm sure they do contain that problem, but false in that they're not malicious (I don't think.) People still blocking on this? Thanks, Rob --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Commtouch/Temp files going back to last year?
This is the answer directly from Commtouch: You can safely stop commtouch [declude] and delete all of these files. If any are needed, the application will download them again, but any handled in this matter should be a few days old. Usually Commtouch will clean up these files on its own, but at times problems do develop due to the index.dat file. If you see any .tmp files older than a month, it is a good sign that a delete should be done to clean up these temp files. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Friday, March 19, 2010 10:16 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year? Thanks, I'll make it part of my monthly job that deletes files older than 30 days - that's tight enough for me. Of course, Declude or Commtouch should be cleaning up after itself (e.g., whenever new files/signatures are downloaded) - but that's a different story. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma Sent: Friday, March 19, 2010 2:27 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year? Hi David, A while ago I was told these can be deleted almost immediately but the running DecludeProc service has them locked so it will be needed to stop DecludeProc, remove the temp files and then start Declude proc.
As part of my nightly routine I have now:
--quote---
Set LogFile=C:\Beheer\Logs\CleanTemp.log
echo %Date% %Time% Starting CleanTemp >> %LogFile%
rem Temp folders that can be emptied while Declude is running
Del /Q C:\IMail\declude\invuribl\Exception\*.*
Del /Q C:\IMail\WebDir\WebClient\temp\*.*
del /Q C:\IMail\Spool\tmp*.tmp
rem DecludeProc keeps the CommTouch temp files locked, so stop it first
net stop Decludeproc
Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.*
Del /Q C:\IMail\spool\proc\work\*.smd.tmp
net start Decludeproc
echo %Date% %Time% End CleanTemp >> %LogFile%
exit
--quote---
Kind regards, Bonno Bloksma senior system administrator tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 mailto:b.blok...@tio.nl b.blok...@tio.nl / http://www.tio.nl/ www.tio.nl - Original Message - From: David Barker mailto:dbar...@declude.com To: declude.virus@declude.com Sent: Thursday, March 18, 2010 4:44 PM Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year? These are cached CT files. I will find out when they can be deleted and get back to you. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, March 18, 2010 11:35 AM To: Declude.virus@declude.com Subject: [Declude.Virus] Commtouch/Temp files going back to last year? Hi, That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be, before I can safely delete them? Best Regards, Andy --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
Andy work with our support so we can disable it for you for testing. Let us know when you want to do it. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, March 18, 2010 11:29 AM To: Declude.virus@declude.com Subject: [Declude.Virus] How to disable CommTouch Zerohour (for testing) Hi, I want to test the virus scanners using EICAR. However, CommTouch gets in the way and blocks it. How do I temporarily disable CommTouch in Declude Virus, so that the EICAR file is handled by the internal/external scanners? Best Regards, Andy --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Commtouch/Temp files going back to last year?
These are cached CT files. I will find out when they can be deleted and get back to you. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, March 18, 2010 11:35 AM To: Declude.virus@declude.com Subject: [Declude.Virus] Commtouch/Temp files going back to last year? Hi, That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be, before I can safely delete them? Best Regards, Andy --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
What version of Declude are you running ? From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, March 18, 2010 12:02 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing) Hi Dave, Thanks. So the answer is, there is no local override where we can disable CommTouch ourselves. Such a directive maybe something for the to-do list. To be frank - I was trying to test AVG. I've noticed in recent weeks that my external scanners (ClamAV and my trusted McAfee) have been catching infected emails - but AVG never catches any. The files in the AVG folder are all from today. So when I had 2 minutes, I just wanted to quickly check if AVG had somehow disabled itself again by passing an EICAR file through - but I don't have time to make a big project out of it. Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Thursday, March 18, 2010 11:43 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing) Andy work with our support so we can disable it for you for testing. Let us know when you want to do it. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, March 18, 2010 11:29 AM To: Declude.virus@declude.com Subject: [Declude.Virus] How to disable CommTouch Zerohour (for testing) Hi, I want to test the virus scanners using EICAR. However, CommTouch gets in the way and blocks it. How do I temporarily disable CommTouch in Declude Virus, so that the EICAR file is handled by the internal/external scanners? Best Regards, Andy --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
Release notes for Declude Security Suite 4.10.42 [28 December 2009] EVA FIX Fix for Virus test not catching the eicar test due to e-mail formatting This was done in interim 4.8.36 which is still on the Interim site if you just want to try switching out the decludeproc.exe and testing to see if the issue is resolved. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, March 18, 2010 12:22 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing) Declude 4.6.35 Diagnostics Compilation Platform: IMail Copyright (c) 2000-2009 Declude, Inc. Host Name MAYWOOD-IS-0012.WEBHOST.HM-SOFTWARE.COM Daisy Chain smtp32.exe DNS Server 127.0.0.1 Product Details JunkMail ON EVAON Hijack OFF AVGON CommTouch ON From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Thursday, March 18, 2010 12:07 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing) What version of Declude are you running ? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Which scanner?
Hi Dave, Not at the moment but we can look at adding this request to our dev list. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell Sent: Saturday, February 06, 2010 9:43 PM To: declude.virus@declude.com Subject: [Declude.Virus] Which scanner? In my email reports, is there a way to also signify which scanner caught the virus; ie internal vs one of the external scanners? so my reports now look like; Declude Virus v4.6.35 caught the following: Virus Name: Sanesecurity.Junk.26145.UNOFFICIAL Virus File: Unknown File From: lyris-nore...@listhost.stat.com To : junkm...@stat.com Date: 06 Feb 2010 17:10:56 Subject:Re: You have spam Spool File: D050a00d3693b.smd RemoteIP: 65.163.175.26 SenderHost: listhost.stat.com --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Per user setting
Hi John, There is no per user settings for virus other than on or off or allow vulnerabilities. We can look at adding the new functionality to our development wish list. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of John T Sent: Monday, December 21, 2009 11:22 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Per user setting Any ideas? John T eServices For You -Original Message- From: John T johnl...@eservicesforyou.com Sent 12/11/2009 11:59:05 AM To: declude.virus declude.virus@declude.com Subject: [Declude.Virus] Per user setting Is there a way possible to allow on a per user basis outgoing banned extensions WITHOUT disabling outgoing virus scanning? If not, could this be something that could be added? John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Please note these releases are interim and still considered beta. Any test feedback would be appreciated.

4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder.

To turn the Hijack e-mail notify on, add the following directive to the hijack.cfg:

HIJNOTIFY ON

Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.

4.8.39 IPBYPASS can be configured with CIDR

4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. The format of the blklst.txt file is:

Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

Example:

Multiple Recipients:
10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,testi...@yahoo,beg...@yahoo.com,donotl...@gmail,|owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|

One Recipient:
10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|

4.8.37 PostiniFix: a new directive, POSTINIFIX ON/OFF, goes in the declude.cfg file.
Configuration: In declude.cfg file: POSTINIFIX ON in order for the Posting Fix to work

4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting

4.7.35 Added support for IMail SQL Database for AUTOWHITELIST.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] BANNotify message
Not that I am aware of. If you have information to show otherwise, please send it to supp...@declude.com

David B

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of John T
Sent: Thursday, October 15, 2009 6:20 PM
To: declude.virus
Subject: [Declude.Virus] BANNotify message

Way back when this was introduced, we had the ability to list file names as well as extensions that we did not want the bannotify message to go out on. Example, you could have SKIPIFEXT install.zip and if the banned ext file name was install.zip, the bannotify message would not go out. Has this changed?

John T
eServices For You
[Declude.JunkMail] Upgrade 4.6.35
A reminder that we request all Declude installations to be upgraded to Declude 4.6.35. Changes to the AVG license key on installations prior to Declude 4.6.35 mean that earlier versions of Declude will no longer be receiving AVG updates.

To find the current version of your Declude, open the diags.txt file found in your \Declude directory. If the version is prior to 4.6.35 follow these steps:

1. Logon to Declude http://www.declude.com/myaccount.asp
2. View your HOST record and download the upgrade

The release notes for 4.6.35 can be found here. http://www.declude.com/searchresults.asp?Cat=89

If you have any questions or concerns please email supp...@declude.com

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?
We just migrated servers this week. It is possible your DNS is using cached information. Remember a diags.txt is only created on startup so you may have old information. Can you flush your DNS cache and restart Declude to see if it resolves the problem.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, July 08, 2009 10:20 AM
To: declude.virus@declude.com; declude.junkm...@declude.com
Subject: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?
Sensitivity: Personal

Hi,

I noticed that ZeroHour stopped catching any viruses after 6/28 - and, after investigating, I now realize it no longer traps any Spam.

There were NO changes to any .CFG (or other Declude files). I'm enclosing the most recent Diags.txt (from 6/18, where CommTouch was ON) and then one from today after I made a point of manually restarting DecludeProc. Suddenly, it reports CommTouch as OFF?

My customer screen shows:

Host Information Declude Imail Perpetual Lic. [omitted] 28 Jun 2010 AVG Activated Current CommTouch Activated

It can't be a coincidence that CommTouch stopped working 3 weeks ago, on the exact anniversary date of my (renewed) agreement?

Since I only purchased CommTouch a few weeks ago, I'm new to this. So, what do Declude customers have to do after purchasing CommTouch or after renewing their service agreements to make sure that the software will continue to work with a complete function set? This way, I can add yet another reminder to my calendar (besides monitoring the AVG licensing renewal date).

Overall Server Virus Summary Report
Total Messages Processed: 21,868
Virus Infected Messages: 60
Percentage Infected: 0.27%

VIRUS                                                     # INFECTED   PERCENTAGE
OUTLOOK 'BLANK FOLDING' VULNERABILITY                     33           0.15%
OUTLOOK 'CR' VULNERABILITY                                11           0.05%
OUTLOOK 'MIME SEGMENT IN MIME PREAMBLE' VULNERABILITY     8            0.04%
I-WORM/MYDOOM.O                                           3            0.01%
I-WORM/MYDOOM.BE                                          1            0.00%
I-WORM/MYDOOM.N                                           1            0.00%
NON STANDARD HEADER VULNERABILITY                         1            0.00%
TROJAN.IFRAME-3                                           1            0.00%
WORM.BAGLE-ZIPPWD-35                                      1            0.00%

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 21,868
Virus Infected Messages: 5
Percentage Infected: 0.02%

VIRUS                # INFECTED   PERCENTAGE
I-WORM/MYDOOM.O      3            0.01%
I-WORM/MYDOOM.BE     1            0.00%
I-WORM/MYDOOM.N      1            0.00%

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 21,868
Virus Infected Messages: 2
Percentage Infected: 0.01%

VIRUS                  # INFECTED   PERCENTAGE
TROJAN.IFRAME-3        1            0.00%
WORM.BAGLE-ZIPPWD-35   1            0.00%

Best Regards,
Andy
RE: [Declude.JunkMail] RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?
Andy,

When I checked your record on our server CT was set to ON; I did not reactivate it.

1. The switch over to the new system was on 6/28 8:00-10:00 pm EST time. I chose Sunday to do this as web traffic to Declude would be low and it was after the weekend.

2. Thanks for pointing out that we should update our own DNS a week prior. This was done 1 week prior and we set the TTL to 5 min. Which I think is still the case and once everything has settled we will move it up again.

I have not pinpointed the exact problem as of yet however the issue you experienced occurred on some servers and is resolved within minutes of notifying us, as it was with you.

Thanks
David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, July 08, 2009 11:50 AM
To: declude.junkm...@declude.com
Subject: [Declude.JunkMail] RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?
Sensitivity: Personal

Hi Dave,

The Diags.txt I had sent was created from THIS MORNING (I had made a point of restarting DecludeProc to get a current status). So CommTouch was definitely reported as OFF at that time. It had been reported as ON in June, the previous time that the server had been started (for security fixes).

I cleared the DNS cache and restarted DecludeProc and now Diags.txt reports ON for CommTouch. So thanks for re-activating it.

So - that leaves a whole bunch of new concerns:

- If you ONLY migrated servers THIS week, then THIS was NOT the reason. CommTouch had stopped after 6/27, which is 11 days ago. (That's the last date your log files showed any CommTouch hits!) However, it's the exact date of my new renewal term! So what precisely happened on 6/28 at midnight?

- Irregardless, if you switched IP addresses for some of your servers, then you obviously would have to FIRST update your OWN DNS a week prior (or whatever the old TTL was) to change the TTL for that DNS record to something extremely short (e.g., hours). A week later, after the old TTL had expired, you could THEN change the DNS record to the NEW IP address and update the TTL to the longer period again. If you simply switched IP addresses without prior TTL adjustments, then your customers would NOT see the new IP until the old TTL had run out. Although this was not the problem in my case - which host name are we talking about and how was this migration executed if you feel that your customers have to flush their DNS cache to obtain the new server address?

Best Regards,
Andy
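The TTL staging discussed in the two messages above, worked through as an added example that is not part of the original thread: it computes how long after a cut-over a caching resolver can still return the old address. The 7-day original TTL, the two addresses and the function names are assumptions; the cut-over time and the 5-minute TTL come from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecordVersion:
    published: datetime  # moment this version replaced the previous one
    ttl: timedelta       # TTL handed to resolvers together with this version
    address: str


def stale_window(history, new_address):
    """Worst-case time after cut-over that a cache may still serve an old address.

    A version replaced at time R can have been cached an instant before R and
    is then kept for its own TTL, so it may survive until R + ttl.
    """
    versions = sorted(history, key=lambda v: v.published)
    cutover = next((v.published for v in versions if v.address == new_address), None)
    if cutover is None:
        raise ValueError("history never publishes the new address")
    last_stale = cutover
    for current, successor in zip(versions, versions[1:]):
        if current.address != new_address:
            last_stale = max(last_stale, successor.published + current.ttl)
    return last_stale - cutover


OLD, NEW = "192.0.2.1", "198.51.100.1"   # documentation addresses (constructed)
CUTOVER = datetime(2009, 6, 28, 20, 0)   # 6/28, 8:00 pm, as stated in the thread
LONG_TTL = timedelta(days=7)             # assumption: the thread does not give the old TTL
SHORT_TTL = timedelta(minutes=5)         # the 5 min TTL stated in the thread


def build_history(ttl_lowered_at):
    """Record history for one migration; pass None to skip the TTL-lowering step."""
    history = [RecordVersion(datetime(2009, 6, 1), LONG_TTL, OLD)]
    if ttl_lowered_at is not None:
        history.append(RecordVersion(ttl_lowered_at, SHORT_TTL, OLD))
        history.append(RecordVersion(CUTOVER, SHORT_TTL, NEW))
    else:
        history.append(RecordVersion(CUTOVER, LONG_TTL, NEW))
    return history


if __name__ == "__main__":
    cases = {
        "TTL lowered one old-TTL ahead": CUTOVER - LONG_TTL,
        "TTL lowered one day ahead": CUTOVER - timedelta(days=1),
        "no TTL change before switch": None,
    }
    for label, lowered_at in cases.items():
        print(f"{label}: stale for up to {stale_window(build_history(lowered_at), NEW)}")
```

Lowering the TTL too late helps little: caches filled just before the change keep the long TTL, so the old address can outlive the cut-over by almost the full original TTL.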
RE: [Declude.Virus] Hundreds
Declude does not process T*.smd files, these are temporary files created by Imail. See what happens if you remove Declude as the delivery agent, does it still occur? If yes it is 100% an IMail issue. If you need to get us on a conference call with Imail support, set up a time with us and we would be happy to do it.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Kevin Rogers
Sent: Friday, July 03, 2009 2:49 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Hundreds

All throughout the day, hundreds of D and T files (each of them 0KB) show up in my spool directory. I spoke with Ipswitch about this and they said they had heard of it only with other Declude users and that it most likely is caused by Declude. Very quickly (way quicker than if they were all being delivered), they all disappear (e.g., 500 files are gone in an instant).

Anyone else experiencing this, or know what could be causing it? I'm running Declude 4.6.35 and Imail 11
RE: [Declude.Virus] Database error after upgrading
Hi Kevin.

1. If you are using the IMail MS SQL database this is different to their previous version MS Access database, we are in the process of coding and testing for Declude using MS SQL to use AUTOWHITELIST. I am not sure if you have the option to use the old MS Access database in Imail or if it is just MS SQL, if you can use MS Access then Declude AUTOWHITELIST will work or you have to wait for our release.

2. We are currently also looking into this issue to determine what exactly is causing this and if it is legitimate or a problem with IMail new format.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Kevin Rogers
Sent: Thursday, June 25, 2009 2:35 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Database error after upgrading

So I emailed David about this issue and he had me turn off AUTOWHITELIST and that seemed to get rid of the error. It seems that Imail 11 changed the database it uses for contacts and this is why Declude was generating that error. But I'd really like to turn AUTOWHITELIST back on.

And, since the upgrade all emails are failing the DYNHELO and HELOBOGUS tests so I've had to reduce their weights for the time being. Has anyone seen this or have any ideas how to correct?

Thanks.

Kevin Rogers wrote:

I upgraded to 4.6.35 because of the AVG scanner issue, but now in my declude logs I am seeing error messages like this:

06/23/2009 00:38:48.986 q8f0c00670096.smd DataBase Error = ['(unknown)' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides. Driver's SQLSetConnectAttr failed ]

I didn't have these errors before my upgrade. Any ideas?
RE: [Declude.Virus] Database error after upgrading
Declude has never had support for reading the SQL database in Imail. I don't know your setup, but many times based on the registry, Declude would be using the old system either the txt file or the later MS Access DB. We are now adding the addition SQL, which should be available pretty soon.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Kevin Rogers
Sent: Thursday, June 25, 2009 3:19 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Database error after upgrading

1. We've been using MS SQL Server for years for our user/mailbox list (using the External Database option in Imail). Which database are you referencing? The user list database, or the contact database? There weren't any changes to the user SQL Server database tables in Imail 11 as far as I know. And if you're referencing the contact database, why would that affect AUTOWHITELIST?

2. Great. I hope a fix comes out soon. The lack of the AUTOWHITELIST combined with two tests that add up to close-to-threshold weights caused a lot of legit email to be put into our bulk folders.

Kevin
RE: [Declude.Virus] ZEROHOUR, scanner order
Commtouch Zerohour identifies viruses based on traffic patterns rather than signatures; this is why it is not associated with a name. There is only one option currently for Commtouch, in the global.cfg:

ZEROHOUR x

Where x is the weight assigned if ZEROHOUR is triggered. In the Declude EVA the ZEROHOUR is part of the internal scanner process and I will need to look at the code to determine the order of scanning but I will get back to you on this.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, June 08, 2009 10:26 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ZEROHOUR, scanner order

Hi Dave:

I see. Based on your email I checked the Virus side of things and I do see Zerohour log entries.

06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1
06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]
06/07/2009 23:44:36.984 q29d5b0d20821.smd From: ignitionhf8...@sicis.com To: imail...@wateroperations.com [incoming from 84.63.45.89]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Subject: =?koi8-r?B?WW91knZlIHJlY2VpdmVkIGEgZ3JlZXRpbmcgZWNhcmQ=?=

Unfortunately, Zerohour doesn't identify the virus (which in some cases, may be obvious if it's a yet unnamed outbreak). But, the problem is that known viruses are not handled as configured.

What are my configuration options for Declude Virus with regards to ZeroHour? Can I at least control the order of scanning, e.g., I'd rather have the regular virus scanners try to identify and report known/named viruses and make Zerohour the option of last defense?

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 08, 2009 9:36 AM
To: declude.junkm...@declude.com
Subject: RE: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED

Hi Andy,

The ZEROHOUR was integrated into Declude as part of the virus code as it provides ZEROHOUR anti-virus. Because of this it does not function the same as the other tests. It either scores the email for x points as defined in the global.cfg or it does not, which is shown as zero. Changing the way ZEROHOUR was implemented is on our development list.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Sunday, June 07, 2009 6:07 PM
To: declude.junkm...@declude.com
Subject: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED
Importance: High

Hi,

Seems as if ZEROHOUR is not at all handled correctly vis-à-vis the TESTSFAILED variable?

1. Example: I have defined

XINHEADER X-Declude: Triggered [%WEIGHT%] %TESTSFAILED%

However, since activating ZEROHOUR I now see SMTP headers like this:

X-Declude: Triggered [-2] None, ZEROHOUR [0]

There are two things wrong with this:

a) If Testsfailed returns None, why is the string ZEROHOUR appended? If it's None then it should be None and nothing else.
b) If ZEROHOUR didn't fail and thus has a weight of 0, then it shouldn't appear in the TESTSFAILED list at all.

2. In one of my filters, I have the line

TESTSFAILED 5 CONTAINS ZEROHOUR

However, it fails to add 5 to the weight, as if it doesn't detect ZEROHOUR in the TestsFailed string, which would be consistent with items a) and b) because apparently there is a bug where ZEROHOUR is not correctly included in the TESTSFAILED variable, but instead it is somehow appended behind it!

The power of Declude is to be able to tightly configure (through various options) how weights are assigned and (with the help of TESTSFAILED filters) which groupings of tests might be testing/triggering on the same aspect of a message. Currently ZEROHOUR appears to negate all the other advantages of Declude!

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
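Added example, not part of the original messages and not Declude's own code: a small Python parser for the Declude.Virus log lines quoted in the thread above. It groups entries by queue file and lists detections that carry no virus name, which is the case Andy describes, where actions keyed on a virus name have nothing to match. The last three sample lines (queue ID, the SCANNER2 label, the virus name, addresses and IP) are constructed and assume a named detection is logged in the same shape.

```python
import re
from collections import OrderedDict
from email.header import decode_header

# The first six lines are the log entries quoted in the thread above. The last
# three are CONSTRUCTED for contrast: the queue ID, the "SCANNER2" label, the
# virus name, the addresses and the IP (a documentation range) are hypothetical,
# and they assume a named detection is logged in the same line shape.
SAMPLE_LOG = """\
06/07/2009 23:44:36.968 q29d5b0d20821.smd Vulnerability flags = 1
06/07/2009 23:44:36.984 q29d5b0d20821.smd ZEROHOUR Reports VIRUS: Unknown
06/07/2009 23:44:36.984 q29d5b0d20821.smd File(s) are INFECTED [ZEROHOUR Unknown]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Scanned: CONTAINS A VIRUS [MIME: 2 24588]
06/07/2009 23:44:36.984 q29d5b0d20821.smd From: ignitionhf8...@sicis.com To: imail...@wateroperations.com [incoming from 84.63.45.89]
06/07/2009 23:44:36.984 q29d5b0d20821.smd Subject: =?koi8-r?B?WW91knZlIHJlY2VpdmVkIGEgZ3JlZXRpbmcgZWNhcmQ=?=
06/07/2009 23:50:01.100 q0000constructed.smd SCANNER2 Reports VIRUS: Example.Worm.A
06/07/2009 23:50:01.100 q0000constructed.smd Scanned: CONTAINS A VIRUS [MIME: 1 1024]
06/07/2009 23:50:01.100 q0000constructed.smd From: sender@example.com To: user@example.org [incoming from 192.0.2.10]
"""

# timestamp, queue file, then the free-form remainder of the entry
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (\S+\.smd) (.*)$")
REPORT_RE = re.compile(r"^(\S+) Reports VIRUS: (.+)$")
ROUTE_RE = re.compile(r"^From: (\S+) To: (\S+) \[incoming from ([0-9.]+)\]$")
FLAGS_RE = re.compile(r"^Vulnerability flags = (\d+)$")


def decode_subject(raw):
    """Decode an RFC 2047 subject for display; undecodable bytes are replaced."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                parts.append(chunk.decode(charset or "ascii", errors="replace"))
            except LookupError:  # charset name Python does not know
                parts.append(chunk.decode("latin-1"))
        else:
            parts.append(chunk)
    return "".join(parts)


def parse_virus_log(text):
    """Return one record per queue file, in order of first appearance."""
    messages = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a per-message entry
        stamp, qid, rest = m.groups()
        msg = messages.setdefault(qid, {
            "queue_id": qid, "first_seen": stamp, "reports": [],
            "infected": False, "vuln_flags": None,
            "sender": None, "recipient": None, "source_ip": None,
            "subject": None,
        })
        report, route, flags = (REPORT_RE.match(rest), ROUTE_RE.match(rest),
                                FLAGS_RE.match(rest))
        if report:
            msg["reports"].append((report.group(1), report.group(2)))
        elif route:
            msg["sender"], msg["recipient"], msg["source_ip"] = route.groups()
        elif flags:
            msg["vuln_flags"] = int(flags.group(1))
        elif rest.startswith("Scanned: CONTAINS A VIRUS"):
            msg["infected"] = True
        elif rest.startswith("Subject: "):
            msg["subject"] = decode_subject(rest[len("Subject: "):])
    return list(messages.values())


def unnamed_detections(messages):
    """Infected messages where every scanner report has the name 'Unknown'."""
    return [m for m in messages
            if m["infected"] and m["reports"]
            and all(name == "Unknown" for _, name in m["reports"])]


if __name__ == "__main__":
    for m in unnamed_detections(parse_virus_log(SAMPLE_LOG)):
        scanners = ", ".join(s for s, _ in m["reports"])
        print(f'{m["first_seen"]} {m["queue_id"]} unnamed detection by '
              f'{scanners} from {m["source_ip"]} subject={m["subject"]!r}')
```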
RE: [Declude.Virus] ZEROHOUR, scanner order
Andy,

It is implemented in the Declude virus but because the spam function overlaps into junkmail and the spam weighting system is in junkmail the weight is specified in the global.cfg - as you can see it is more a directive than a test.

Secondly, you are correct about the developer who integrated Commtouch. This was before I took over the management of Declude and suffice it to say he is no longer with Declude either.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, June 08, 2009 11:02 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

Hi David:

Thanks. The Global.cfg configures the Declude.Junkmail - but you said it was implemented as Declude.Virus. So any configuration would go into the Virus.cfg file. It seems to me as if it's implemented in some fashion in both ends.

> In the Declude EVA the ZEROHOUR is part of the internal scanner process and I will need to look at the code to determine the order of scanning but I will get back to you on this.

Based on log entries/detection it appears as if it first checks ZEROHOUR, then AVG, then launches the external scanners.

Sorry for all the questions - just trying to wrap my arms around the new way that everything is behaving now - as it's inconsistent with what I have had in place all these years (both in Junkmail, which relies on TESTSFAILED to control actions) and in Virus (which relies on virus name detection to control what actions to take).

(Seems as if ZEROHOUR was added by a developer who wasn't yet familiar/briefed with what was already in place elsewhere in the product, and just came up with his/her own way of doing things instead of integration with the existing features.)

Thanks,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 08, 2009 10:34 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

Commtouch Zerohour identifies viruses based on traffic patterns rather than signatures; this is why it is not associated with a name. There is only one option currently for Commtouch - in the global.cfg:

ZEROHOUR x

Where x is the weight assigned if ZEROHOUR is triggered. In the Declude EVA the ZEROHOUR is part of the internal scanner process and I will need to look at the code to determine the order of scanning but I will get back to you on this.

David
RE: [Declude.Virus] ZEROHOUR, scanner order
I confirmed that Commtouch runs before AVG as the internal virus scanner and currently there is no way to change this without changing the code. I will add this as a dev request to switch the order of AVG and Commtouch.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, June 08, 2009 11:28 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

Fair enough! Looks like a good service in general - hopefully, the implementation can be cleaned up at some point.

Thanks,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 08, 2009 11:10 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

Andy,

It is implemented in the Declude virus but because the spam function overlaps into junkmail and the spam weighting system is in junkmail the weight is specified in the global.cfg - as you can see it is more a directive than a test.

Secondly, you are correct about the developer who integrated Commtouch. This was before I took over the management of Declude and suffice it to say he is no longer with Declude either.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, June 08, 2009 11:02 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

Hi David:

Thanks. The Global.cfg configures the Declude.Junkmail - but you said it was implemented as Declude.Virus. So any configuration would go into the Virus.cfg file. It seems to me as if it's implemented in some fashion in both ends.

> In the Declude EVA the ZEROHOUR is part of the internal scanner process and I will need to look at the code to determine the order of scanning but I will get back to you on this.

Based on log entries/detection it appears as if it first checks ZEROHOUR, then AVG, then launches the external scanners.

Sorry for all the questions - just trying to wrap my arms around the new way that everything is behaving now - as it's inconsistent with what I have had in place all these years (both in Junkmail, which relies on TESTSFAILED to control actions) and in Virus (which relies on virus name detection to control what actions to take).

(Seems as if ZEROHOUR was added by a developer who wasn't yet familiar/briefed with what was already in place elsewhere in the product, and just came up with his/her own way of doing things instead of integration with the existing features.)

Thanks,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 08, 2009 10:34 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR, scanner order

Commtouch Zerohour identifies viruses based on traffic patterns rather than signatures; this is why it is not associated with a name. There is only one option currently for Commtouch - in the global.cfg:

ZEROHOUR x

Where x is the weight assigned if ZEROHOUR is triggered. In the Declude EVA the ZEROHOUR is part of the internal scanner process and I will need to look at the code to determine the order of scanning but I will get back to you on this.

David
RE: [Declude.JunkMail] CommTouch ZeroHour
You are welcome Dean.

Members of the list, just a reminder that these lists go to many subscribers. The last thing any of us need is more email. Please, if you have questions relating to your account specifically, please email us directly at supp...@declude.com. Again, just use discretion when posting and ask yourself if what you are about to post will benefit the Declude community.

Thanks

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dean Lawrence
Sent: Friday, June 05, 2009 12:06 PM
To: declude.junkm...@declude.com
Subject: Re: [Declude.JunkMail] CommTouch ZeroHour

Excellent. Thanks David

On Fri, Jun 5, 2009 at 11:54 AM, David Barker <dbar...@declude.com> wrote:

> I simply host mailboxes for some of my development clients' domains.

This is classified as a non-ISP and you can use Commtouch.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dean Lawrence
Sent: Friday, June 05, 2009 11:50 AM
To: declude.junkm...@declude.com
Subject: Re: [Declude.JunkMail] CommTouch ZeroHour

Thanks David. I'm still a little confused though. I do not provide Internet access for my clients, nor do I offer a clean and forward option. I simply host mailboxes for some of my development clients' domains. With this description, would CommTouch classify me as an ISP?

Thanks,
Dean

On Fri, Jun 5, 2009 at 11:35 AM, David Barker <dbar...@declude.com> wrote:

Yes, Internet access provider is a better description of ISP and how it is understood by Commtouch.

David

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, June 05, 2009 11:30 AM
To: declude.junkm...@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Uh - okay, that was the reason why I wasn't able to purchase CommTouch back when. As a hosting provider (which includes providing mailboxes for the clients' domains), that would fall under the umbrella "primary function is to provide Internet service".

If they would define ISP as Internet ACCESS provider - then this would be a different story. Because we don't provide Internet access and our primary function is not clean-and-forward MX services.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, June 05, 2009 10:49 AM
To: declude.junkm...@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Commtouch does have a restriction. The condition is:

a. ISP shall mean an internet service provider or managed solution provider.

What this means - if you are an ISP as defined by Commtouch, your primary function is to provide Internet service to your customers (like Comcast) or your business provides managed services (like MXlogic) clean-and-forward of emails.

Secondly, if your business is part of the ISP category you can use Commtouch with the added cost of $3.60 per user per year.

And finally, the yearly cost and payments to Commtouch for NON-ISP perpetual license Declude customers is being absorbed by Declude.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

--
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Ok, final comments on this.

1. For those who took my example of the decision-making process and criticized it citing pre-release time of IMail 11 etc etc. If you think I only have a choice between 2 options - where to dedicate my resources - you missed the point.

2. I fully agree with being proactive, see point 1. The reality is choosing between what has to be done and what we would like to do.

3. Sandy's options:
[a] dissolve the company as is - How does that benefit everyone?
[b] sell the product to a developer - Show me the money!
[c] (re)package it as an owner-maintained, purpose-built software tool - Not enough demand.
[d] build up from there as needed - This is what I have opted for.

4. For customers who have a perpetual license but no service agreement the expiration date of AVG is irrelevant, as with no service agreement there are no updates or virus signatures.

5. I agree there can always be improvements in the decision-making process, allocation of resources and creativity. The REAL issue is resources. How do I know?? Because I run this business and have all the information.

So, I appreciate everyone's comments, whether you agree or disagree is fine, but what I have seen throughout this thread is that talk is cheap: not one critic revealed how much they are willing to pay to help address the problem going forward. The bottom line ... you are not willing - and it's a good thing I understand that, so I will continue to offer great service, a product that works and at prices that would make the Salvation Army proud, so please forgive me when sometimes things do go amiss.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Serge
Sent: Wednesday, June 03, 2009 7:55 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Declude Virus inoperable for 13% of th year?

Hello David,

1- What will happen to those who have a perpetual licence but no SA on 2010-12-31?

2- The prices and number of developers is Declude business, we cannot force you one way or another, but once you make your choice, we, the customers, make our decisions based on factors, including price, quality. So even if you want to blame low prices and lack of staff, it is still Declude management's fault, not the customers'.

That is not to say that I'm not satisfied with Declude product and support, just don't agree with your logic.

BR
Serge

----- Original Message -----
From: David Barker
To: declude.virus@declude.com
Sent: Wednesday, June 03, 2009 3:07 PM
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

Andy,

a. Declude Virus does not have a built-in system to report this error, as with this specific example. What happened here is not the norm but an exception. It was not our choice to hard code the expiration date but a requirement from AVG. In this instance the specific persons who we had been working with at AVG are no longer with the company and the process of having this renewed took longer than usual.

b. I am not sure if you are being facetious, but if it makes you feel better, sure you can schedule a reminder for me. Please email me at least 3 months prior to the new expiration date, 2010-12-31.

c. Yes, AVG was not working as it should have been since 2009-04-10.

I agree with you - this is totally unacceptable, intolerable, painful and should not be brushed aside lightly. You are correct in your observations, we should increase our prices dramatically so we can hire more developers to ensure unfortunate incidents like this don't happen again. Considering the market and what other vendors charge, how much more are you prepared to pay for your service agreement so that we can meet this type of requirement?

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, June 03, 2009 9:08 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Importance: High
Sensitivity: Personal

Hi, Dave

So now that we have a working Declude Virus again, what can be done to prevent this from recurring?

a) Apparently Declude Virus has no error tracking in place at all, otherwise it would have REPORTED to us (or your own Declude to your own mail server) that the AVG API was no longer performing scans?

b) Do the customers need to set a follow-up reminder for December 2010, which is when your new renewed AVG license will expire?

The old DecludeProc had THIS AVG License String:

LicBeg, Ver=1.0, Name=Declude, Exp=2009-04-10

So this implies that the product was inoperable since April 10th for every customer because Declude didn't obtain a new
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Sorry, no marketing department to give you the warm and fuzzy spin, just me.

Couple of suggestions. Declude has the ability to run up to 5 additional cmd line scanners of your choice. We provide AVG as a courtesy to our customers, as in the past Declude did not have any internal virus scanner; you would have to go out and purchase that separately.

It would be good to run more than 1 virus scanner for several reasons, one of which is failure of an AV scanner (admittedly in this instance failure was on our part). But rest assured false positives, no virus signatures, lag time are problems ALL AV vendors are faced with. There are some that are free that work extremely well; ClamWin or ClamAV is an example of this.

In addition we have ZEROHOUR as an option for Perpetual license customers as an additional virus scanner providing ZEROHOUR protection and additional spam definitions. For the amount of money that this is being offered for it is a wise investment. If you opted out of this because you didn't want to spend the extra few $ on security then you have different issues and it's not Declude.

Lastly, Patrick, please contact supp...@declude.com. Having looked at your host record it does not look like you are receiving any AV updates - it could be that your firewall is blocking the AV updates, our support can work with you to fix that.

Thanks
David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Patrick Childers
Sent: Thursday, June 04, 2009 9:13 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

How much are we willing to pay? It doesn't matter if it costs $5 or $5000 if the product doesn't work. Especially when you, the developer, don't notice the problem for a month and a half - especially when the problem has been reported by end users. Do you not run your own product?

Maybe you don't realize this, but your whining customers put a level of trust in your company whether you want it or not. This trust is automatic when you are dealing with A/V products that protect mail systems and their networks. If you lose that trust, the cost won't matter. You won't have enough customers to stay in business anyway.

Price your product at whatever you think you need to. The mail admins will either buy it or they won't.

Maybe it's time for you to find another person to communicate with the list. You certainly aren't giving your end users that warm and fuzzy feeling. (IMO)

Regards,
~Patrick

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, June 03, 2009 12:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

Darin,

I accept your constructive criticism. With regard to the situation:

1. We recognize that this was a serious failure.
2. The issue was highlighted and resolved in the quickest possible time.
3. Procedural steps have been put in place to ensure that this does not happen again.
4. This was an unfortunate circumstance and I understand the frustration on the part of Declude customers.
5. We make every effort to meet the needs of our customers.

My statement regarding increased prices has less to do with this current problem as it has to do with moving forward and preventing issues like this in the future. More $ means more resources, which means more can be done, which equates to less risk in all areas.

Declude has given good service, value for money and a product that works for minimum $. I understand that the expectation is always more for less, however if customers expect more than what is currently being delivered then I have to ask the question, in clear, open and honest communication ... Mr/s Customer, how much more are you willing to pay so that we can invest in more resources in order to develop a better product?

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Darin Cox
Sent: Wednesday, June 03, 2009 11:50 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Declude Virus inoperable for 13% of th year?

Wow, what a way to respond to a long-time, loyal paying customer! Instead of apologizing for the serious problem and relaying what steps are being taken to avoid it happening again (a simple reminder in the calendar system of your choice would suffice), it's being thrown back in the customer's face.

Regarding the question of increasing prices for service agreements, that has no bearing on a current customer who has already paid the fees. Such customers should expect the service they paid for to be rendered. Failure to do so is a breach of agreement on Declude's part.

While we are all human and problems can occur
RE: [Declude.Virus] CommTouch, External Scanners, Marketplace
> In addition we have ZEROHOUR as an option for Perpetual license customers as an additional virus scanner providing ZEROHOUR protection and additional spam definitions. For the amount of money that this is being offered for it is a wise investment.

No Andy, WE are paying for it, not YOU. Here were my choices:

1. Add ZEROHOUR and increase the service agreement price - Which we did not do.
2. Add ZEROHOUR and charge a yearly renewal on ZEROHOUR - Which we did not do.

Instead this is what we did do - I opted to give all perpetual license customers ZEROHOUR at COST and then Declude absorbs the yearly renewal. I did not ask for any more money; every year I pay a % of the Service Agreement to Commtouch, we did this without asking you for a penny extra. And what do I get from you ... entitlement blah blah ... no, you are not entitled to it, it is a 3rd party add-on of which we carry the cost. If you would like to participate, please purchase the ZEROHOUR at COST (meaning we make no money on it) and benefit from what we are offering.

> for your current full-time developer would be to implement ClamLib and the Sniffer API

GREAT idea, why didn't I think of that? Wait, I know - let me stop everything else we are doing and focus on the Sniffer API.

> There's only so much up front investing that your investors (=customers) are willing to do before they want to see results.

There is spin and there is reality. I have laid down the issues and you know my concern and dedication for Declude customers; every decision is made with Declude customers' best interests in mind, balanced with keeping the business running (maybe I am too soft for running a business). Ultimately it is a free market and if we are doing it wrong we won't survive - if Declude does not meet your needs and money is not an issue for you, please feel free to use a different solution, I won't be offended.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, June 04, 2009 11:03 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] CommTouch, External Scanners, Marketplace

Hi Dave,

Could you please elaborate on that:

> In addition we have ZEROHOUR as an option for Perpetual license customers as an additional virus scanner providing ZEROHOUR protection and additional spam definitions. For the amount of money that this is being offered for it is a wise investment.

Yesterday you indicated, in your breakdown of annual fees, you indicated that my annual fees were 50% higher than 5 years ago (which I have been paying without complaint), because my fees now PAID for feature. I wasn't aware of that. Is there something special that I have to do to turn this on? (I'm assuming: If I'm paying for it every year, I should be entitled to use it?)

> It would be good to run more than 1 virus scanner for several reasons

As far as external scanners - one desirable feature for your current full-time developer would be to implement ClamLib and the Sniffer API so that they do NOT require launching yet another command line program, which chips away from the system heap - and causes severe overhead.

> Mr/s Customer how much more are you willing to pay so that we can invest in more resources in order to develop a better product?

As far as the market place and how much to pay - I tend to compare Declude to ORF (http://www.vamsoft.com/orfee_order.asp), which I both pay for. One for Imail, the other for IIS SMTP. Both have interfaces to external tools (Sniffer, ClamAV, McAfee), both check SPF, DNS blacklists, URI Blacklists, both have the ability to define RegEx custom filters.

The difference: for the lesser annual fees, ORF has been growing its business by delivering versions with new features for as many years as I have been a user. They even have a voting system where their paying customers can express preferences which features are most important to them: http://www.vamsoft.com/features/default.asp.

Or, let's look at Sniffer: for $495.00/year you have a company that has people actively improving their signatures several times EACH day PLUS they still manage to put out significant new versions.

So don't falsely accuse us that we're unwilling to pay sufficient fees to support one full time developer. I pay that many times over for spam/virus filtering to various vendors - I even pay for DLAnalyzer and invURIBL, money that Declude could and should have earned if they had added reporting and URIBL scanning into the product. Then YOU would be getting the annual fees I'm paying them!

I say it again: The budget is clearly there. The difference is, other vendors invest that money into the product I pay for! Declude is the only product that's been taking these fees for years and has NOT progressed the product
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
. but I can spend almost whatever I need to to protect my network. There are those of us who run businesses and then there are those who work for them. Either way your feedback is appreciated ;) David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Patrick Childers Sent: Thursday, June 04, 2009 12:50 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Comments are in-line. _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Thursday, June 04, 2009 10:03 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Sorry no marketing department to give you the warm and fuzzy spin, just me. Obviously. Couple of suggestions. Declude has the ability to run upto 5 additional cmd line scanners of your choice, we provide AVG as a courtesy to our customers as in the past Declude did not have any internal virus scanner, you would have to go out and purchase that separately Well aware of that. It would be good to run more than 1 virus scanner for several reasons, one of which is failure of an AV scanner, (admittedly in this instance failure was on our part) But rest assured false positives, no virus signatures, lag time are problems ALL AV vendors are faced with. There are some that are free that work extremely well ClamWin or ClamAV is an example of this. In addition we have ZEROHOUR as a option for Perpetual license customers as an additional virus scanners providing ZEROHOUR protection and additional spam definitions. For the amount of money that this is being offered for it is a wise investment. If you opted out of this because you didn't want to spend the extra few $ on security then you have different issues and it's not Declude. LOL. I maybe one of the few, but I can spend almost whatever I need to to protect my network. I do run multiple scanners as well as virus scanning on the perimeter firewall. 
If you didn't want to spend the extra few $ on making sure your code is up-to-date then you have different issues and it's not your customers. Lastly Patrick please contact supp...@declude.com having looked at your host record it does not look like you are receiving any AV updates - it could be that your firewall is blocking the AV updates, our support can work with you to fix that. LOL again. Don't need to. I don't use AVG. I only chimed in because I felt that your responses to the issue was not helpful and somewhat offending the users of your product. Again, if you can't get the job done at current income levels, I suggest you come up with the necessary figure after reviewing your operating costs. You're the one selling a product. As for you wanting to know what I will pay for your product, I will leave you with this answer: As much as I think it is worth. If the product is rock solid and I feel (or believe) that the company is trying to stay up with current technologies and cares about me as a customer, I will pay much more than I would to a company that doesn't project those qualities. Oh, and by the way, I know how to setup a firewall. So, why don't you guys concentrate on your code instead. Thanks, Patrick Thanks David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Patrick Childers Sent: Thursday, June 04, 2009 9:13 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? How much are we willing to pay? It doesn't matter if it costs $5 or $5000 if the product doesn't work. Especially when you, the developer, doesn't notice the problem for a month and a half - especially when the problem has been reported by end users. Do you not run your own product? Maybe you don't realize this, but your whining customers put a level of trust in your company whether you want it or not. This trust is automatic when you are dealing with A/V products that protect mail systems and their networks. 
If you lose that trust, the cost won't matter. You won't have enough customers to stay in business anyway. Price your product at whatever you think you need to. The mail admins will either buy it or they won't. Maybe it's time for you to find another person to communicate with the list. You certainly aren't giving your end users that warm and fuzzy feeling. (IMO) Regards, ~Patrick _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, June 03, 2009 12:14 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Darin, I accept your constructive criticism. With regard to the situation; 1. We recognize that this was a serious failure 2. The issue was highlighted and resolved in the quickest possible time 3. Procedural steps have been put
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Andy, a. Declude Virus does not have a built in system to report this error as with this specific example. What happened here is not the norm but an exception. It was not our choice to hard code the expiration date but a requirement from AVG. In this instance the specific persons who we had been working with at AVG are no longer with the company and the process of having this renewed took longer than usual. b. I am not sure if you are being facetious, but if it makes you feel better, sure you can schedule a reminder for me, please email me at least 3 month prior of the new expiration date 2010-12-31 c. Yes AVG was not working as it should have been since 2009-04-10 I agree with you - this is totally unacceptable, intolerable, painful and should not be brushed aside lightly. You are correct in your observations, we should increase our prices dramatically so we can hire more developers to ensure unfortunate incidents like this don't happen again. Considering the market and what other vendors charge how much more are you prepared to pay for your service agreement so that we can meet this type of requirement ? David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, June 03, 2009 9:08 AM To: declude.virus@declude.com Subject: [Declude.Virus] Declude Virus inoperable for 13% of th year? Importance: High Sensitivity: Personal Hi, Dave - so now that we have a working Declude Virus again, what can be done to prevent this from recurring. a) Apparently Declude Virus has no error tracking in place at all - otherwise it would have REPORTED to us (or your own Declude to your own mail server) that the AVG API was no longer performing scans? b) Do the customers need to set a follow-up reminder for December 2010, which is when your new renewed AVG license will expire? 
The old DecludeProc had THIS AVG License String: LicBeg, Ver=1.0, Name=Declude, Exp=2009-04-10 So this implies, that the product was inoperable since April 10th for every customer because Declude didn't obtain a new annual AVG license and had to wait a few days for this transaction to complete? That means the product was unusable for 13% of the year? This can't just be brushed aside quietly. Best Regards, Andy
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Darin, I accept your constructive criticism. With regard to the situation; 1. We recognize that this was a serious failure 2. The issue was highlighted and resolved in the quickest possible time 3. Procedural steps have been put in place to ensure that this does not happen again. 4. This was an unfortunate circumstance and I understand the frustration on the part of Declude customers 5. We make every effort to meet the needs of our customers My statement regarding increased prices has less to do with this current problem as it has to do with moving forward and preventing issues like this in the future. More $ means more resources which means more can be done which equates to less risk in all areas. Declude has given good service, value for money and a product that works for minimum $. I understand that the expectation is always more for less, however if customers expect more than what is currently being delivered then I have to ask the question, in clear, open and honest communication.. Mr/s Customer how much more are you willing to pay so that we can invest in more resources in order to develop a better product? David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Darin Cox Sent: Wednesday, June 03, 2009 11:50 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Declude Virus inoperable for 13% of th year? Wow, what a way to respond to a long-time, loyal paying customer! Instead of apologizing for the serious problem and relaying what steps are being taken to avoid it happening again (a simple reminder in the calendar system of your choice would suffice), it's being thrown back in the customer's face. Regarding the question of increasing prices for service agreements, that has no bearing on a current customer who has already paid the fees. 
Such customers should expect the service they paid for to be rendered. Failure to do so is a breach of agreement on Declude's part. While we are all human and problems can occur, this is a serious failure, and the tone of the response being putative instead of apologetic makes customers less forgiving, not more. To be frank, many customers are asking what they are paying for, when fix and feature requests take months to be released, or not at all. I understand the situation may be frustrating, but it's often best to step back for a moment, vent elsewhere if needed, then respond professionally to customers. Clear, open, and honest communication also helps. Please don't take this email as incendiary. It is meant to be constructive. Darin. - Original Message - From: David Barker mailto:dbar...@declude.com To: declude.virus@declude.com Sent: Wednesday, June 03, 2009 11:07 AM Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Andy, a. Declude Virus does not have a built in system to report this error as with this specific example. What happened here is not the norm but an exception. It was not our choice to hard code the expiration date but a requirement from AVG. In this instance the specific persons who we had been working with at AVG are no longer with the company and the process of having this renewed took longer than usual. b. I am not sure if you are being facetious, but if it makes you feel better, sure you can schedule a reminder for me, please email me at least 3 month prior of the new expiration date 2010-12-31 c. Yes AVG was not working as it should have been since 2009-04-10 I agree with you - this is totally unacceptable, intolerable, painful and should not be brushed aside lightly. You are correct in your observations, we should increase our prices dramatically so we can hire more developers to ensure unfortunate incidents like this don't happen again. 
Considering the market and what other vendors charge how much more are you prepared to pay for your service agreement so that we can meet this type of requirement ? David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, June 03, 2009 9:08 AM To: declude.virus@declude.com Subject: [Declude.Virus] Declude Virus inoperable for 13% of th year? Importance: High Sensitivity: Personal Hi, Dave - so now that we have a working Declude Virus again, what can be done to prevent this from recurring. a) Apparently Declude Virus has no error tracking in place at all - otherwise it would have REPORTED to us (or your own Declude to your own mail server) that the AVG API was no longer performing scans? b) Do the customers need to set
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Breathing and counting to 10 . ;) Whoever wrote this API implementation simply was too lazy to properly handle and report on the condition that absolutely was going to occur with 100% certainty on 4/10. That's a programming 101 and this flaw must be fixed, not discussed. It's when an Anti-Virus product doesn't report that it has decided to stop detecting viruses. In coding Utopia yes that is true. I was unaware of this situation till now. I would fire the person who implemented this but we had already let them go over 2 years ago. I get what you are saying, I just don't think you understand when I say I have heard you Andy, you can stop posting to the lists about this Nice try, but to me, money is secondary to function. Nice dodge! I rather would pay appropriate maintenance for a product that is enhanced with features (as it was in the first few years when I had purchased it) than to pay a lesser annual maintenance for a dormant product! Ah the good old days of Scott Perry. Let's not forget you are paying less for the product maintenance today than you were 5 years ago. Dormant ? or not the fixes and features you want? However, I'm NOT willing to pay a company just so that they can pursue OTHER technical, legal and marketing ventures INSTEAD of enhancing the product. The problem with Declude is that they lost focus - this instance makes this painfully obvious! What are you talking about ? Let's get real. I remember looking at your web site a while ago and seeing a huge roster of management. I also remember web site project and other products being launched and initating legal actions. Here's what you need Start laying off managers and other supervisory staff, cut the retainers for your attorneys, etc. and don't stop until you have enough money to finally pay ONE full time developer that actually works on continually enhancing the product we are all paying for and gets as much done as the original author of the product did for YEARS. 
Once caught up with 3 years of backlog, then sell me the upgrade!) You don't need additional personnel - you to need replace overhead-personnel with production personnel. Wrong. Declude is a separate company from DNSStuff. Our (Declude) revenues are solely committed to maintaining and growing this company. I suspect the problem is not lack of funds but diversion of it. Oh wait. that's a good one. I think the best way to answer this just is to say your suspicion is incorrect. Finaly the purpose for these lists is mostly for tech questions and assisting other users. Your initial posts about AVG were fine, but if you want to get into what you think Declude should be doing as a company either email me or call me directly. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, June 03, 2009 12:12 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Sensitivity: Personal Hi, Oh, now you really got me going. Declude Virus does not have a built in system to report this error as with this specific example The problem is not the hard-coded expiration itself. Clearly, when this API (including the hardcoded expiry) was originally implemented, the fact that there was an expiry was a known fact to that developer - cause (s)he added it. Whoever wrote this API implementation simply was too lazy to properly handle and report on the condition that absolutely was going to occur with 100% certainty on 4/10. That's a programming 101 and this flaw must be fixed, not discussed. It's when an Anti-Virus product doesn't report that it has decided to stop detecting viruses. how much more are you prepared to pay for your service agreement Nice try, but to me, money is secondary to function. 
I rather would pay appropriate maintenance for a product that is enhanced with features (as it was in the first few years when I had purchased it) than to pay a lesser annual maintenance for a dormant product! However, I'm NOT willing to pay a company just so that they can pursue OTHER technical, legal and marketing ventures INSTEAD of enhancing the product. The problem with Declude is that they lost focus - this instance makes this painfully obvious! increase our prices dramatically so we can hire more developers Let's get real. I remember looking at your web site a while ago and seeing a huge roster of management. I also remember web site project and other products being launched and initating legal actions. Here's what you need: Start laying off managers and other supervisory staff, cut the retainers for your attorneys, etc. and don't stop until you have enough money to finally pay ONE full time developer that actually works on continually
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Hi Michael, Yes this is true, however Declude EVA does not totally rely on virus signatures of AVG to stop viruses. In your case you were not vulnerable as Commtouch ZEROHOUR virus was still operational as well as the built in virus detection by Declude EVA. We would still suggest you upgrade to the latest release asap. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins Sent: Wednesday, June 03, 2009 12:25 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Sensitivity: Personal Darin Cox said: that the AVG API was no longer performing scans? David Barker said: Declude Virus does not have a built in system to report this error as with this specific example. Is this true? Has my Declude virus scanner been inoperable? My Declude logs look OK, but I guess that's what you're talking about? What's the deal? How can I detect this misbehavior, if indeed it did occur? -- Michael Cummins
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Maybe I am misunderstanding you but the AVG issue that occurred has been resolved, and should have never happened, now let's move on to the real issue at hand ... I am challenged with, how do I prevent such issues occurring in the future? As my resources are currently maxed what are my options ..? Suggestions ? David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, June 03, 2009 12:42 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Let's turn this around: however if customers expect more than what is currently being delivered then I have to ask the question, in clear, open and honest communication.. Mr/s Customer how much more are you willing to pay so that we can invest in more resources in order to develop a better product? How much more than 100% of the annual fee are customers expected to pay before Declude considers them entitled to expect to use the product (close to) 100% of the time - instead of 87%? The point is, this was a major mess up and the problem was absolutely poor programming practice (hard-coding a time limit without adding code to deal with the reaching of that limit). And your response is: Pay us more if you want us to use remotely reasonably normal programming practice? From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, June 03, 2009 12:14 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Darin, I accept your constructive criticism. With regard to the situation; 1. We recognize that this was a serious failure 2. The issue was highlighted and resolved in the quickest possible time 3. Procedural steps have been put in place to ensure that this does not happen again. 4. This was an unfortunate circumstance and I understand the frustration on the part of Declude customers 5. 
We make every effort to meet the needs of our customers My statement regarding increased prices has less to do with this current problem as it has to do with moving forward and preventing issues like this in the future. More $ means more resources which means more can be done which equates to less risk in all areas. Declude has given good service, value for money and a product that works for minimum $. I understand that the expectation is always more for less, however if customers expect more than what is currently being delivered then I have to ask the question, in clear, open and honest communication.. Mr/s Customer how much more are you willing to pay so that we can invest in more resources in order to develop a better product? David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Darin Cox Sent: Wednesday, June 03, 2009 11:50 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Declude Virus inoperable for 13% of th year? Wow, what a way to respond to a long-time, loyal paying customer! Instead of apologizing for the serious problem and relaying what steps are being taken to avoid it happening again (a simple reminder in the calendar system of your choice would suffice), it's being thrown back in the customer's face. Regarding the question of increasing prices for service agreements, that has no bearing on a current customer who has already paid the fees. Such customers should expect the service they paid for to be rendered. Failure to do so is a breach of agreement on Declude's part. While we are all human and problems can occur, this is a serious failure, and the tone of the response being putative instead of apologetic makes customers less forgiving, not more. 
To be frank, many customers are asking what they are paying for, when fix and feature requests take months to be released, or not at all. I understand the situation may be frustrating, but it's often best to step back for a moment, vent elsewhere if needed, then respond professionally to customers. Clear, open, and honest communication also helps. Please don't take this email as incendiary. It is meant to be constructive. Darin. - Original Message - From: David Barker mailto:dbar...@declude.com To: declude.virus@declude.com Sent: Wednesday, June 03, 2009 11:07 AM Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Andy, a. Declude Virus does not have a built in system to report this error as with this specific example. What happened here is not the norm but an exception. It was not our choice to hard code the expiration date but a requirement from AVG. In this instance the specific persons who we had been working with at AVG are no longer with the company and the process of having
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Here is the full breakdown. The Good ol' Days EVA - Service Agreement $195.00 JunkMail - Service Agreement $195.00 HiJack - Service Agreement $75.00 Total: $465 Today EVA - Service Agreement JunkMail - Service Agreement HiJack - Service Agreement AVG virus scanner Commtouch ZEROHOUR Antivirus + Spam definitions Total: $395 So you have a whole lot more for less money, and yes you are complaining. David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, June 03, 2009 1:12 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Sensitivity: Personal I think taking a software company to task on their lack of control DOES benefit all users technically! I didn't introduce pricing and staffing into this discussion - YOU did! Now you take me to task for responding to your pricing/staffing issues that YOU raised? Let's not forget you are paying less for the product maintenance today than you were 5 years ago 1/6/2002: $295 1/14/2003: $295 1/23/2004: $295 (after having upgrading to Pro in March 2003) 1/5/2005: $264 12/30/2005: $264 8/18/2006: $309 1/19/2007: $309 3/13/2008: $395 6/2009: $395 Would you like to revise your statement? I'm not paying less, I'm paying 50% more. No complaints - just insisting on the truth. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, June 03, 2009 12:40 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? Sensitivity: Personal Breathing and counting to 10 . ;) Whoever wrote this API implementation simply was too lazy to properly handle and report on the condition that absolutely was going to occur with 100% certainty on 4/10. That's a programming 101 and this flaw must be fixed, not discussed. It's when an Anti-Virus product doesn't report that it has decided to stop detecting viruses. In coding Utopia yes that is true. 
I was unaware of this situation till now. I would fire the person who implemented this but we had already let them go over 2 years ago. I get what you are saying, I just don't think you understand when I say I have heard you Andy, you can stop posting to the lists about this Nice try, but to me, money is secondary to function. Nice dodge! I rather would pay appropriate maintenance for a product that is enhanced with features (as it was in the first few years when I had purchased it) than to pay a lesser annual maintenance for a dormant product! Ah the good old days of Scott Perry. Let's not forget you are paying less for the product maintenance today than you were 5 years ago. Dormant ? or not the fixes and features you want? However, I'm NOT willing to pay a company just so that they can pursue OTHER technical, legal and marketing ventures INSTEAD of enhancing the product. The problem with Declude is that they lost focus - this instance makes this painfully obvious! What are you talking about ? Let's get real. I remember looking at your web site a while ago and seeing a huge roster of management. I also remember web site project and other products being launched and initating legal actions. Here's what you need Start laying off managers and other supervisory staff, cut the retainers for your attorneys, etc. and don't stop until you have enough money to finally pay ONE full time developer that actually works on continually enhancing the product we are all paying for and gets as much done as the original author of the product did for YEARS. Once caught up with 3 years of backlog, then sell me the upgrade!) You don't need additional personnel - you to need replace overhead-personnel with production personnel. Wrong. Declude is a separate company from DNSStuff. Our (Declude) revenues are solely committed to maintaining and growing this company. I suspect the problem is not lack of funds but diversion of it. Oh wait. that's a good one. 
I think the best way to answer this just is to say your suspicion is incorrect. Finally the purpose for these lists is mostly for tech questions and assisting other users. Your initial posts about AVG were fine, but if you want to get into what you think Declude should be doing as a company either email me or call me directly. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com
RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Nick, I think I would rather be a piñata with 20 screaming kids at the moment - at least that way once the candy has dropped they would leave me alone ;)

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Wednesday, June 03, 2009 4:23 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

David - At times like this it's OK to sign these emails: David your pinata Barker :)

-Nick

From: David Barker dbar...@declude.com
Sent: Wednesday, June 03, 2009 4:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

Nice. Thank you for your feedback Markus.

MANY if not most of all Declude users have initially chosen the Swiss army knife as their tool which they can customize, enhance and integrate in their FULLY email filter system.

This is true from the past and for many older Declude customers, but the market has changed over the years - there are not enough people looking for the Swiss army knife approach anymore. With managed services, hardware appliances etc. anti-spam and AV is a cost center for most ISPs and they would rather not have to deal with it at all. IMail themselves started losing market share for the same reasons which had a direct impact on the Declude business. So what was is no more.

evolution and new functionality in order to be able to stay ahead or at least near on top of the market leaders.

Agreed, but also take into account the changing Mail systems, we support both IMail and Smartermail, specifically supporting Smartermail as they were growing while IMail was shrinking. Every time a new release of IMail or Smartermail comes out something inevitably changes, meaning we have to deal with the MUST do's rather than innovation. Again to combat this we just need additional developer/s so that we can dedicate one to maintenance and the other/s to innovation. To do this we need $ and that cost will always be carried over to you the customer, which I have done my utmost best to avoid.

noted the active community who has definitively helped to let Declude become what it is/was isn't there anymore.

Yes that community was (and what is left) is extremely helpful and useful.

All this isn't there anymore. Why? Because people who were ready to contribute haven't received back what they want and need: If such people have asked for a new feature even if it was a little piece of thing the maximum to hear was that it will be placed on a long list of planned to-do's.

Depending on when this was and who was making the Declude decisions at the time. But if I should speak for myself. I realize I can't make everyone happy, it's part of my job. Here is a case in point, let's use this scenario.

AVG fails
IMail release version 11 which is incompatible with Declude

If I choose to fix AVG first - IMail users scream
If I choose to fix IMail first - All users scream

So in this instance the best decision is to let IMail users complain. Either way Declude in one group of people is going to be the company that is not doing enough for its customers. This is not really true but rather the perception.

In the case you haven't discovered it yet, from the beginning of April on there was a big increase of spam activity

This information is very useful and this is why the lists exist, if we can share information we have a community that benefits.

If there would be really someone taking technical care of this product he should have put more than one eye in the past 2 months in order to keep this product at least near to other spam filtering products. The cow was milked and milked and milked and does urgently need now some fresh grass, water and maybe also a new clean stable.

The only thing that would change this current situation is revenues which means price increase. (Maybe it is time?)

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gufler Markus | Limitis
Sent: Wednesday, June 03, 2009 3:26 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Sensitivity: Personal

Hi David,

I'm observing not only this AVG issue but many different things in the past 4 years (while paying SA fees).

Your price is not that much that other Spamfilter vendors ask for but keep in mind that MANY if not most of all Declude users have initially chosen the Swiss army knife as their tool which they can customize, enhance and integrate in their FULLY email filter system.

Maybe we could start a long and never ending thread if Declude should be a flexible tool or a complete suite for customers, but in any case both types of customers would need definitively one thing, and this is evolution and new functionality in order to be able to stay ahead or at least near on top of the market leaders.

At the moment Declude stand-alone without additional
[Declude.JunkMail] Declude Interceptor 2.2.35 Released
For customers running Declude Interceptor the new release is available from the Declude My Account page.

Declude Interceptor Changes 2.2.35
Alligate - Version 3

Decludeproc
---
1.2.35 == AVG fix
1.2.34 == Console.txt scrolling fix
1.2.33 == Declude crash fix due to formatting string in the Log function that is contained as part of the text.
1.2.32 == Removed outdated log message Pro version required for outgoing mail.
1.2.30 == Changed log level from LOW to DEBUG for START and END doprewhitelist debug information

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX
If your AVG is not scanning emails, please upgrade immediately to 4.6.35 which is available from the Declude website. If you are unsure whether this means you, we suggest you upgrade, if you need any assistance in this matter please contact supp...@declude.com David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX
Not for everyone, but certainly for your server that would be true if that is what your logs indicate.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck, Andrew
Sent: Monday, June 01, 2009 4:03 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX

David, this log excerpt seems to indicate that my AVG hasn't been working since May 1st 2009. Is this correct?

C:\IMail\Spool>grep -c smd Scanned: Error in virus scanner vir.log
vir0401.log:0 vir0402.log:0 vir0403.log:0 vir0404.log:0 vir0405.log:0 vir0406.log:0
vir0407.log:0 vir0408.log:0 vir0409.log:0 vir0410.log:0 vir0411.log:0 vir0412.log:0
vir0413.log:0 vir0414.log:0 vir0415.log:0 vir0416.log:0 vir0417.log:0 vir0418.log:0
vir0419.log:0 vir0420.log:0 vir0421.log:0 vir0422.log:0 vir0423.log:0 vir0424.log:0
vir0425.log:0 vir0426.log:0 vir0427.log:0 vir0428.log:0 vir0429.log:0 vir0430.log:0
vir0501.log:2722 vir0502.log:640 vir0503.log:623 vir0504.log:3143 vir0505.log:2885 vir0506.log:2568
vir0507.log:2761 vir0508.log:2554 vir0509.log:386 vir0510.log:415 vir0511.log:3110 vir0512.log:2920
vir0513.log:2761 vir0514.log:2771 vir0515.log:2429 vir0516.log:300 vir0517.log:376 vir0518.log:857
vir0519.log:2605 vir0520.log:2793 vir0521.log:2574 vir0522.log:2598 vir0523.log:279 vir0524.log:430
vir0525.log:2630 vir0526.log:2751 vir0527.log:3217 vir0528.log:3026 vir0529.log:2532 vir0530.log:336
vir0531.log:608 vir0601.log:1894

Andrew.
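The check Andrew ran by hand, as an added example that is not part of the original thread: it counts scanner-error lines per daily log and reports the unbroken run of error days that ends at the newest log. The function names are hypothetical, and the constructed log lines borrow only the "Error in virus scanner" substring from the post; the rest of each line is a placeholder, not the real Declude log layout.

```javascript
// Added example, not part of the original thread.
// Substring taken from the grep pattern quoted in the post.
const ERROR_MARKER = "Error in virus scanner";

// Count the lines of one log's text that contain the marker (what `grep -c` prints).
function countScannerErrors(logText) {
  return logText.split(/\r?\n/).filter((line) => line.includes(ERROR_MARKER)).length;
}

// Parse `grep -c` output such as "vir0501.log:2722" into {day, count} records,
// sorted by MMDD. Tokens that do not have the virMMDD.log:N shape are skipped.
function parseGrepCounts(text) {
  const records = [];
  for (const token of text.split(/\s+/)) {
    const m = /^vir(\d{4})\.log:(\d+)$/.exec(token);
    if (m) records.push({ day: m[1], count: Number(m[2]) });
  }
  // MMDD strings sort chronologically only within one calendar year.
  return records.sort((a, b) => (a.day < b.day ? -1 : a.day > b.day ? 1 : 0));
}

// Return the unbroken run of error days that ends at the newest log, or null
// when the newest log is clean. An ongoing run means mail is still being
// delivered without a working scanner.
function findOngoingOutage(records) {
  let start = records.length;
  while (start > 0 && records[start - 1].count > 0) start--;
  if (start === records.length) return null;
  const run = records.slice(start);
  return {
    firstDay: run[0].day,
    lastDay: run[run.length - 1].day,
    days: run.length,
    errors: run.reduce((sum, r) => sum + r.count, 0),
  };
}

// Excerpt of the counts posted in the thread (end of April, start of May).
const POSTED_EXCERPT =
  "vir0428.log:0 vir0429.log:0 vir0430.log:0 " +
  "vir0501.log:2722 vir0502.log:640 vir0503.log:623 vir0504.log:3143";

// Constructed log text: only the marker substring comes from the thread.
const CONSTRUCTED_LOG = [
  "msg-0001 Scanned: Error in virus scanner",
  "msg-0002 Scanned: clean (placeholder)",
  "msg-0003 Scanned: Error in virus scanner",
].join("\r\n");

const outage = findOngoingOutage(parseGrepCounts(POSTED_EXCERPT));
if (outage) {
  console.log(
    `Scanner errors on ${outage.days} consecutive days since ${outage.firstDay}: ` +
      `${outage.errors} error lines`
  );
}
console.log(`Constructed log: ${countScannerErrors(CONSTRUCTED_LOG)} error lines`);
```

Run daily against the current log directory, a non-null result is the signal to alert on, since a failed scanner otherwise produces no visible symptom for mail users.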
RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX
You can just replace the decludeproc if you were previously running anything later than 4.4.24

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Monday, June 01, 2009 4:35 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX

Can I replace the decludeproc.exe or is an upgrade install needed?
RE: [Declude.Virus] Internal Scanner missing most viruses
Hi Andy,

If you are having issues please submit a support ticket supp...@declude.com with any appropriate information so we can look into this for you.

Thanks

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, May 13, 2009 11:45 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Internal Scanner missing most viruses
Sensitivity: Personal

Hi,

For a while, AVG was doing an adequate job - but recently it again has been missing virtually all infected emails that ClamAV and the trusted McAfee are identifying. I inspected several of the held files - and each one clearly was a live virus (e.g., inside a ZIP attachment etc.)

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 21,157
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                                  # INFECTED   PERCENTAGE
No Records Matched Your Criteria

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 21,157
Virus Infected Messages: 3
Percentage Infected: 0.01%

VIRUS                                  # INFECTED   PERCENTAGE
SUSPECT.DOUBLEEXTENSION-ZIPPWD-2       2            0.01%
WORM.BAGLE-1                           1            0.00%

Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 21,157
Virus Infected Messages: 29
Percentage Infected: 0.14%

VIRUS                                  # INFECTED   PERCENTAGE
TROJAN OR VARIANT NEW MALWARE.JJ !!!   22           0.10%
PWS-ZBOT TROJAN !!!                    7            0.03%

Best Regards,
Andy
[Declude.JunkMail] Declude 4.5.29 Released
4.5.29 Hijack logging error fixed
4.5.28 Fix memory leak in SPF test
4.5.27 Diags.txt, shows if AVG and CommTouch are ON or OFF
4.5.26 Change Request Skip AUTOWHITELIST when the sender matches the recipient. Updated Diags.txt, shows the copyright 2009 and the products, Junkmail, Hijack and EVA as either ON or OFF
4.4.25 Fixed IPBYPASS 0 triggered inconsistencies with the IPFILE test
4.4.24 Increased number of Tests run in global.cfg
4.4.23 Bug fix when virus.cfg is not found. EVA code is still executed and vulnerabilities are placed in the root of C:\ directory. With this fix Virus code will not execute if no virus.cfg is found. E-mail will not be scanned for any virus or vulnerabilities. A virus log will be created in declude\logs and will inform the user that virus test is OFF.
4.4.22 Removed all reference to versions PRO/STD/LITE.
4.4.21 Removed all reference to EVA versions PRO/STD/LITE.
4.4.20 Fixed Declude leaving an open socket during avg update. Also fixed for possibility of an early terminating thread in the transfer file function.
4.4.19 Temporary fix for CATCHALLMAIL not holding the e-mail when the e-mail is whitelisted and when COPYFILEACTIONWITHHEADER = ON
4.4.18 WHITELIST TO Removed the restriction of abuse@, noc@, postmaster@ and updated ROUTING the foreign IP address list
4.4.17 In fullmsg the header part of the message was being stored and printed twice.
4.4.16 Changed critical section to when accessing the Address book for autowhitelisting to resolve a thread hanging issue with Imail.
4.4.14 Added critical section before opening the Imail MS Access DataBase to prevent crashes
4.4.13 Changed the CommTouch Temp Directory from the default (the machine default tempdir) to ...\Declude\scanners\commTouch\Temp
4.4.12 Updated GP1 files to be amended rather than overwritten. Information will be appended with the system Date and time. Fixed a crash issue, due to decoding of the subject line. Fixed issue of TXT files being left in the work directory. Requires replacement of the avgsdk.dll.
4.4.11 Update Declude encoding of winmail.data (TNEF) and storing the attachment file and its corresponding file name. Improved detection of the Invalid zip vulnerability.
4.4.10 Added error message in logs for additional information as to why txt file could not be moved back to virus directory
4.4.8 Invalid zip vulnerability; updated Declude to be compatible with '7z' file archived compressor
4.4.7 Updated Declude to report on ODBC access issues in IMail.
4.4.6 Updated PCRE to better handle PCRE .dll exceptions
4.4.5 If ZEROHOUR weight value cannot be converted to an integer it will be ignored. This is a fix for a bug reported when ZEROHOUR test action was set, ZEROHOUR was scoring a value of zero.
4.4.4 Updated FROMNOMATCH test failing when e-mail is sent as an NDR
4.4.3 Updated FROMNOMATCH test failing. According to RFC-822 the angle bracket is not a requirement for FROM: in the header part of the email. Changed to handle the angle bracket and without.
4.4.2 Fixed CATCHALLMAIL to be triggered on whitelisted e-mail
4.4.1 Removed references to previous Versions (PRO/STD/LITE).
4.4.0 Release

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.Virus] exclude a certain address from a vulnerability test
You can turn off vulnerability checking for a specific vulnerability for all addresses, or you can turn off all vulnerability checking to a specific address. But you cannot turn off a specific vulnerability for a specific address.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma
Sent: Wednesday, February 11, 2009 4:40 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] exclude a certain address from a vulnerability test

Hi,

Using Declude 4.4.16 I want to exclude one e-mail address from the Outlook 'MIME segment in MIME Postamble' Vulnerability test. Is that possible or do I have to disable it then for all addresses? It seems one of our contacts is using a version of Groupwise that produces mail with this vulnerability.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
RE: [Declude.Virus] Parsing of Report.txt
Hi Andy we will certainly look at this, although to be clear, it is very presumptuous to say that adding this will only be 2 min work. Please be careful when making statements like this because it raises a false expectation for others. You have no idea about the complexity of the code, other items being worked on, priorities, resource allocation, support, issues, costs or time available.

Thanks

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, February 05, 2009 12:44 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Parsing of Report.txt
Sensitivity: Personal

Hi,

With the ability of ClamD to run at lightning speed as a native Windows service (e.g., http://oss.netfarm.it/clamav, without CygWin), offering frequent updates during the day (quite contrary to the internal scanner that often lags days behind) and has acceptable licensing terms - it certainly is a highly attractive external scanner that should be fully supported by Declude after ClamAV has been around for all these years.

Sadly, since Declude hasn't seen any feature updates in ages, the virus.cfg parameter REPORT still can't parse the virus reports generated by ClamDScan. Consequently, the Declude virus log files and virus notification emails are missing file and virus name info.

I took 2 minutes and created a small .JS script that parses the ClamDScan report file and then outputs a McAfee lookalike just to make Declude happy. But that means that yet another batch process is now chewing up Windows' limited resources.

To justify THIS year's maintenance renewal money, can PLEASE have someone spend the same 2 minutes in the Declude source code to correctly parse the ClamDScan output:

c:\maintenance\eicar.com: Eicar-Test-Signature FOUND

Thanks in advance.

Best Regards,
Andy Schmidt
www.Anamera.com

// RunClam.js
// Launches ClamD and reformats output to compensate
// for Declude's inability to correctly parse the report
// (Declude is no longer actively maintained.)
// Note: the archive copy lost the quote characters, so the whitespace
// inside the string literals below is assumed.

// Application Constants
var strClamAV = "C:\\Program Files\\ClamAV\\ClamDScan.exe";

// Get Command Line Parameter
if ( WScript.Arguments.Count() == 0 )   // nothing to scan
    WScript.Quit( 2 );
var strPath = WScript.Arguments(0);

// Run ClamAV. Both paths are quoted because the scanner path contains a
// space; unquoted, Windows may resolve it to another executable.
var objShell = new ActiveXObject("WScript.Shell");
var objExec = objShell.Exec( '"' + strClamAV + '" "' + strPath + '"' );

var strLine;
var nSeperator, nFound;
var bHaveFound = false;
while ( !objExec.StdOut.AtEndOfStream )
{
    // Process ClamAV Output
    strLine = objExec.StdOut.ReadLine();
    if ( bHaveFound )
        continue;   // keep draining output after the first hit

    nFound = strLine.indexOf( " FOUND" );
    if ( nFound > 0 )
    {
        // ": " (colon plus space) skips the colon after the drive letter
        nSeperator = strLine.indexOf( ": " );
        if ( nSeperator < 1 )
            continue;

        // Appears to be a possible virus report
        bHaveFound = true;
        var objFS = new ActiveXObject("Scripting.FileSystemObject");
        var objTS = objFS.CreateTextFile( "Report.txt" );

        // Create Declude Report File: <file> FOUND <virus name>
        objTS.WriteLine( strLine.substring( 0, nSeperator ) + " FOUND " + strLine.substring( nSeperator + 2, nFound ) );
        objTS.Close();
    }
}

// Wait for completion to be able to obtain exit code
while ( objExec.Status != 1 )
    WScript.Sleep(100);
WScript.Quit( objExec.ExitCode );
RE: [Declude.Virus] Parsing of Report.txt
Scott I got that point. There have been interims throughout the year we are now on 4.4.25 which is available to all with service agreements. I can roll this up into an official release.

David B

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Thursday, February 05, 2009 1:24 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Parsing of Report.txt
Sensitivity: Personal

I think you missed the real point of Andy's email.

The last official Declude release was 4.4.0 on 3/17/2008. It's already February 2009, so it's about a year with no official releases. That doesn't make me feel like I'm getting much out of my maintenance renewal money.

Scott Fisher
Director of IT
Farm Progress Companies
255 38th Avenue, Suite P
St. Charles IL 60174-5410
630/462-2323
fax 630/462-2957
sfis...@farmprogress.com
www.farmprogress.com
RE: [Declude.Virus] Parsing of Report.txt
Gary, I apologize the latest is 4.4.24. Yes you are correct the readme.txt does have the following note. Interim releases are stable and tested but as they are not official I guess you have a point... if I could give you an analogy - it is for the same reason Google has not taken GMAIL out of Beta yet. I can have the current interim release be official, what I am communicating to you is that it would be exactly the same as what you have now 4.4.24 this is not being disingenuous, but rather the exact opposite, perhaps you could accuse me of being too honest. But for argument's sake I will officially make 4.4.24 official and have it released in the next week or 2.

David B

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gary Steiner
Sent: Thursday, February 05, 2009 3:33 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Parsing of Report.txt

David,

If 4.4.25 is available to all with service agreements, where is it? Declude's main download page shows 4.4.0, and the interim page shows versions 4.4.23 and 4.4.24. And, as your readme.txt file in your interim directory says,

Interim releases are versions of Declude that are released between betas (some software companies refer to these as alphas). They have one major advantage to betas and released versions: they allow our customers to get fixes and new features very, very quickly. We can often have a fix in less than an hour. However, there are a number of drawbacks...

Interim releases are not production releases. You cannot substitute a production release with an interim release. And trying to equate an interim release with an official production release is disingenuous.

If there is a stable release with significant bug fixes (such as deleting the .txt files being left in the work directory by AVG), then why has it taken this long for Declude to release it officially? Declude's answer for a problem should not be to tell me to install an alpha or beta version of their product on my production server.

Gary Steiner
RE: [Declude.Virus] Force AVG update
So here is how it works. AVG releases a virus signature update on average once per day. By default Declude will check with the AVG definitions server once per 24 hour period or at every start of the Decludeproc service. As the time of this check is different for everyone we give Declude the ability to do checks on a more regular basis which is defined in the Declude.cfg #Ability to configure the built-in AVG update interval which checks for updates. Minimum is 1 hour. AVGUPDATEFREQHRS12 Then, at the end of the day we parse the logs and associate the information with our website. So the information on the website from your HOST record as to whether your virus signatures are updated can in fact be at the most 48 hours difference. The best way to check the virus signature date is to get the time/date on the files in the \declude\scanners\avg\db directory at least one of the files should be today or yesterday's date. As the way the virus signature files are incremental, they are distributed to the other files so as to provide the most efficient file size for download. Secondly, if you are running Commtouch. This is a ZEROHOUR virus scanner that is able to detect viruses without definitions and is real-time, you can read more about it here: http://commtouch.com/Site/products/zero_hour.asp To get stats on AV accuracy compared to other scanners you can visit here: http://commtouch.com/Site/ResearchLab/VirusLab/virusLab_docs.asp Declude supports up to 5 additional external scanners. Declude has the key functionality to enable the use of an external scanner as an email server scanner. You are mistaken if you think you can use a regular network virus scanner as your email scanner there is a reason your AV vendors have a separate product for mail servers and average $3-5$ per user. So if you have 1000 users the cost $3000 Here are some thoughts on why using Declude is better than your traditional virus scanners when it comes to email: 1. 
There are a number of mailserver anti-virus solutions available today. However, many of them involve an unnecessary SMTP server chain. This means that E-mail comes in to one SMTP server, is scanned for viruses, and then goes to another SMTP server which processes the mail in the usual fashion. Most mail server virus scanners have no way of authenticating users. If you have an SMTP-based virus scanner, you can have users authenticate against the real mail server. However, by doing this, the E-mail bypasses the virus scanner. If you allow that, you are allowing viruses through your server. With Declude, we scan every message. 2. The Decoder the piece that Declude handles requires (among other things) handling numerous encoding schemes, recursive MIME segments, and even viewable non-text MIME segments (such as HTML, that needs to be scanned, even though it isn't an attachment). MIME is very complex, and even leading mail server manufacturers often have troubles handling MIME segments properly. We know MIME and encoding schemes inside and out, Declude can handle the most sophisticated MIME segments. 3. A vulnerability is a security flaw in a program. You may have heard about some of the more common mail client vulnerabilities, such as the Outlook MIME Headers vulnerability (where a virus can be run automatically with certain versions of Outlook). While these are bad, a standard mailserver virus scanner will catch viruses that exploit these vulnerabilities. However, there is another serious type of vulnerability that has recently been discovered: mail server vulnerabilities that allow viruses to bypass mailserver virus scanners! For example, the Outlook 'MIME segment in MIME preamble' vulnerability causes Outlook to see viruses that don't actually exist in an E-mail. In this case, a mail client (or mailserver virus scanner) that properly decodes the E-mail will not see an attachment. However, Outlook will incorrectly see an attachment. 
When a virus uses this type of vulnerability, it will bypass a standard mailserver virus scanner, and get delivered to the recipient! That's why you should use Declude Virus: it detects these vulnerabilities. Since it detects them, Declude Virus will be able to catch new viruses that use the vulnerabilities, where standard mailserver virus scanners won't be able to catch them. You can read more about vulnerabilities here: http://www.declude.com/articles.asp?id=219 At the end of the day it is about value and $$ I am still confident that with Declude we still offer the best value for the least $$. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Saturday, December 27, 2008 3:08 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Force AVG update Well, most scanners will require much more expensive licenses, e.g., a license per
[Declude.Virus] AVG update
An FYI on the AV process. Declude receives from AVG an email (example below) this is typically once per day. On occasion we may get several per day or one in two days. As soon as this email is received we download the latest definitions to our AVG server and the definitions are available for your Decludeproc to retrieve. Now depending on when this last check was done by your Declude - will determine when you will get the AV sigs or what the time difference is between release and update. The following virus database update has been prepared for you to download. --- SDK VDB Update Description --- New Viruses: New Trojans: New Virus Variants: New Trojan Variants: Agent.ARGZ, Downloader.Zlob.AIFA, Generic12.AGYE, BackDoor.Hupigon4.AXIM, Agent.ARLN, BackDoor.Generic10.AFRU --- SDK VDB Update Files --- avgsdk_ivdb2422.zip avgsdk_vdb2422.zip --- SDK VDB version.nfo --- VDB_RELEASE_VERSION: 2422 PREVIOUS_VDB_RELEASE_VERSION: 2421 SEVERITY: critical VDB_RELEASE_DATE: 2008-12-28 14:23 MODIFIED: microavi.avg MODIFIED: incavi.avm VDB_FILES_VERSION: 270.10.1/1867 REQUIRED_BIN_RELEASE_VERSION: 1.3.510 --- SDK VDB Update Notification End --- David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
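The gap between an AVG release and the local update, described in this post and in the "Force AVG update" post (at least one file in \declude\scanners\avg\db should carry today's or yesterday's date), can be checked with a short script. This is an added example, not Declude or AVG code: the function names, the temporary directory standing in for the db directory, and the file timestamps are assumptions, and the notification text is the one quoted in the post.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List, Optional

# Notification text as quoted in the post (the archive flattened it onto one line).
SAMPLE_NOTIFICATION = (
    "--- SDK VDB Update Files --- avgsdk_ivdb2422.zip avgsdk_vdb2422.zip "
    "--- SDK VDB version.nfo --- VDB_RELEASE_VERSION: 2422 "
    "PREVIOUS_VDB_RELEASE_VERSION: 2421 SEVERITY: critical "
    "VDB_RELEASE_DATE: 2008-12-28 14:23 MODIFIED: microavi.avg "
    "MODIFIED: incavi.avm VDB_FILES_VERSION: 270.10.1/1867 "
    "REQUIRED_BIN_RELEASE_VERSION: 1.3.510 "
    "--- SDK VDB Update Notification End ---"
)

# The version.nfo section runs from its marker to the next '---' marker.
NFO_SECTION = re.compile(r"--- SDK VDB version\.nfo ---(.*?)(?:---|\Z)", re.S)
# Field names are upper-case words with underscores followed by a colon.
NFO_KEY = re.compile(r"\b([A-Z][A-Z_]+):")


def parse_version_nfo(notification: str) -> Dict[str, List[str]]:
    """Return the version.nfo fields; repeated keys (MODIFIED) keep every value."""
    section = NFO_SECTION.search(notification)
    if section is None:
        raise ValueError("no 'SDK VDB version.nfo' section found")
    body = section.group(1)
    keys = list(NFO_KEY.finditer(body))
    fields: Dict[str, List[str]] = {}
    for i, key in enumerate(keys):
        # A value runs up to the next field name, so this works whether the
        # mail kept its line breaks or was flattened onto one line.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        fields.setdefault(key.group(1), []).append(body[key.end():end].strip())
    return fields


def newest_definition_mtime(db_dir: Path) -> Optional[datetime]:
    """Newest modification time among the files in the definitions directory."""
    mtimes = [p.stat().st_mtime for p in db_dir.iterdir() if p.is_file()]
    return datetime.fromtimestamp(max(mtimes)) if mtimes else None


def check_freshness(notification: str, db_dir: Path, now: datetime) -> dict:
    """Compare the announced release with the local definition files."""
    fields = parse_version_nfo(notification)
    released = datetime.strptime(fields["VDB_RELEASE_DATE"][0], "%Y-%m-%d %H:%M")
    newest = newest_definition_mtime(db_dir)
    yesterday = now.date() - timedelta(days=1)
    return {
        "vdb_version": int(fields["VDB_RELEASE_VERSION"][0]),
        "released": released,
        "newest_local": newest,
        # Rule from the post: at least one file dated today or yesterday.
        "date_rule_ok": newest is not None and newest.date() >= yesterday,
        # No local file newer than the release time means this release cannot
        # have been fetched yet (assumes both clocks use the same time zone).
        "release_pending": newest is None or newest < released,
    }


def run_constructed_demo() -> dict:
    """Constructed scenario: the last local update ran about 12 hours before release 2422."""
    with tempfile.TemporaryDirectory() as tmp:
        db_dir = Path(tmp)  # stands in for \declude\scanners\avg\db
        for name, stamp in (("microavi.avg", datetime(2008, 12, 27, 3, 10)),
                            ("incavi.avm", datetime(2008, 12, 28, 2, 0))):
            path = db_dir / name
            path.write_bytes(b"constructed placeholder, not a real definition file")
            os.utime(path, (stamp.timestamp(), stamp.timestamp()))
        return check_freshness(SAMPLE_NOTIFICATION, db_dir,
                               now=datetime(2008, 12, 29, 9, 0))


if __name__ == "__main__":
    for key, value in run_constructed_demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the date rule passes while release 2422 is still pending, which is the window a shorter update interval in Declude.cfg narrows.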
[Declude.JunkMail] Declude/Alligate Gateway
We recognize that Declude needs to move beyond IMail and Smartermail, to this end we are working with Brian Milburn to bundle Declude with Alligate to offer a Declude Gateway solution. For now, we are naming the product Declude Interceptor so we can take full advantage of any previous marketing in this area. I believe this partnership is a step in the right direction not only for Declude as a company, but ultimately to the benefit of Declude customers. Also a special thanks to Nick Hayer for encouraging this relationship and for creating the link between the Alligate and Declude. If you have any questions feel free to email me directly. Regards, David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] PS. If anyone has the comment it's about time please give me some grace while flaming me. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Declude/Alligate Gateway
We recognize that Declude needs to move beyond IMail and Smartermail, to this end we are working with Brian Milburn to bundle Declude with Alligate to offer a Declude Gateway solution. For now, we are naming the product Declude Interceptor so we can take full advantage of any previous marketing in this area. I believe this partnership is a step in the right direction not only for Declude as a company, but ultimately to the benefit of Declude customers. Also a special thanks to Nick Hayer for encouraging this relationship and for creating the link between the Alligate and Declude. If you have any questions feel free to email me directly. Regards, David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] PS. If anyone has the comment it's about time please give me some grace while flaming me. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] header vulnerability
Which warning are you referring to I do not see any of the X-Declude headers. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Tuesday, October 21, 2008 10:11 AM To: declude.virus@declude.com Subject: [Declude.Virus] header vulnerability Hi We're seeing the HEADER warning being triggered where it was never triggered before. Here's one sample: Headers: Received: from QMTA01.westchester.pa.mail.comcast.net [76.96.62.16] by smtp.igive.com with ESMTP (SMTPD-9.23) id A12C03D8; Tue, 21 Oct 2008 05:38:36 -0500 Received: from OMTA02.westchester.pa.mail.comcast.net ([76.96.62.19]) by QMTA01.westchester.pa.mail.comcast.net with comcast id VM361a00K0QuhwU51NecVF; Tue, 21 Oct 2008 10:38:36 + Received: from sz0128.wc.mail.comcast.net ([76.96.58.192]) by OMTA02.westchester.pa.mail.comcast.net with comcast id VNeb1a00H48qnZY3NNebzd; Tue, 21 Oct 2008 10:38:36 + X-Authority-Analysis: v=1.0 c=1 a=k_JVt2Eeq2AA:10 a=uSyEGTH4XvkA:10 Date: Tue, 21 Oct 2008 10:38:35 + (UTC) From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] ast.net In-Reply-To: [EMAIL PROTECTED] Subject: Re: Help FUMCH - Habitat for Humanity with Every Search MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Auto-Submitted: auto-replied (zimbra; vacation) Precedence: bulk It looks to me like Comcast is using zimbra, and something about the way it constructs its auto-replies doesn't sit well with Declude. We do want to receive these notices. Any insight appreciated. Rob --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
On the devlist but not to be expected soon David B From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T Sent: Friday, July 04, 2008 7:43 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Any update or information on this? John T eServices For You -Original Message- From: David Barker [EMAIL PROTECTED] Sent 6/23/2008 11:36:40 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I will see what we can do for a new directive for the HOLD to be excluded or included by the admin. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Monday, June 23, 2008 2:17 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I have complained about this for a while now. This process of fix the configuration the place in the proc folder only works if you are constantly pouring through your hold folders. We do not do that. We send an email to our users with the message they have in their hold. They then have the option to deliver the message to their inbox, when they click the recover link the message is placed in the spool folder and a copy of the raw email is sent to our admin to then look at the configuration. This process makes the hold folder completely hands off. How about an option to VIRUSSCANONHOLD. This would make everyone happy. Kevin Bilbee From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Monday, June 23, 2008 9:57 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG For what it's worth, I never move messages from HOLD to SPOOL. When I do move false positives out, I fix the problem in my configuration, so that the same circumstance doesn't happen again, and then I move the files from the HOLD to the PROC folder. 
By re-scanning them, they get virus scanned and I am sure that I have saved time by getting spam scanned as well; it would cost me more time to repeat the procedure next time than it takes me to override my text filters and re-queue the messages now. Very few messages get pulled out of the HOLD folder, so not scanning those messages for viruses saves me a lot of processing power. Andrew. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 23, 2008 9:00 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Correct if you send held email directly to the spool there is a potential for a virus to bypass if running AVAFTERJM this is why it is important to correct the issue that caused the false positive then reprocess via Declude. OR alternately ensure you virus scan your HOLD folders. If you are asking to only to apply AVAFTERJM only to Deleted emails this would reduce its effectiveness as not every Declude customer uses Delete. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma Sent: Monday, June 23, 2008 11:30 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Hi David, Could you explain this: We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders By NOT scanning held junkmail the virus WILL end up in a user's mailbox if I have to requeue the mail because it was a FP. Of course you don't have to scan deleted mail. Met vriendelijke groet, Bonno Bloksma hoofd systeembeheer tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] / http://www.tio.nl/ www.tio.nl - Original Message - From: David Barker mailto:[EMAIL PROTECTED] To: declude.virus@declude.com Sent: Monday, June 23, 2008 4:28 PM Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Dear Bonno, It is not that we can’t do this. 
We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders. AVAFTERJM will skip messages on DELETE and HOLD actions only. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma Sent: Monday, June 23, 2008 4:20 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Hi, (Open mail request) Dear Declude people. I have asked this before and with the current spam levels can we PLEASE have this feature now ASAP? We all want to use AVAFTERJM but could you PLEASE make it scan all mail which is not deleted? If that is a too big step at first because of all the possible copy, routeto, etc statements can we at least have it for the HOLD action asap? Met vriendelijke groet, Bonno Bloksma hoofd systeembeheer tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20
RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
/SILENT switch /TYPE is assumed now /ARCHIVE has changed to /ARCHIVE=5 /NOMEM, /NOBOOT, /DUMB, /AI, and /SERVER are defunct /SCANLEVEL and /HEURLEVEL are new switches. The values above are recommended See the FProt 6 manual for more info on conversion of switches, and desired settings Also, while the old VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 is most likely sufficient, we added VIRUSCODE 3 VIRUSCODE 5 VIRUSCODE 6 VIRUSCODE 7 VIRUSCODE 8 VIRUSCODE 9 VIRUSCODE 10 VIRUSCODE 11 VIRUSCODE 13 VIRUSCODE 14 VIRUSCODE 15 VIRUSCODE 17 VIRUSCODE 18 VIRUSCODE 19 VIRUSCODE 21 VIRUSCODE 22 VIRUSCODE 23 VIRUSCODE 25 VIRUSCODE 26 VIRUSCODE 27 VIRUSCODE 29 VIRUSCODE 30 VIRUSCODE 31 VIRUSCODE 33 VIRUSCODE 34 VIRUSCODE 35 VIRUSCODE 37 VIRUSCODE 38 VIRUSCODE 39 VIRUSCODE 41 VIRUSCODE 42 VIRUSCODE 43 VIRUSCODE 45 VIRUSCODE 46 VIRUSCODE 47 VIRUSCODE 49 VIRUSCODE 50 VIRUSCODE 51 VIRUSCODE 53 VIRUSCODE 54 VIRUSCODE 55 VIRUSCODE 57 VIRUSCODE 58 VIRUSCODE 59 VIRUSCODE 61 VIRUSCODE 62 VIRUSCODE 63 for completeness. Hope this helps, Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Tuesday, June 03, 2008 11:46 AM Subject: [Declude.Virus] F-PROT 6 Can anyone provide a SCANFILE line that they know works with F-PROT 6 ? Thanks David B --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Correct if you send held email directly to the spool there is a potential for a virus to bypass if running AVAFTERJM this is why it is important to correct the issue that caused the false positive then reprocess via Declude. OR alternately ensure you virus scan your HOLD folders. If you are asking to only to apply AVAFTERJM only to Deleted emails this would reduce its effectiveness as not every Declude customer uses Delete. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma Sent: Monday, June 23, 2008 11:30 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Hi David, Could you explain this: We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders By NOT scanning held junkmail the virus WILL end up in a user's mailbox if I have to requeue the mail because it was a FP. Of course you don't have to scan deleted mail. Met vriendelijke groet, Bonno Bloksma hoofd systeembeheer tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] / http://www.tio.nl/ www.tio.nl - Original Message - From: David Barker mailto:[EMAIL PROTECTED] To: declude.virus@declude.com Sent: Monday, June 23, 2008 4:28 PM Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Dear Bonno, It is not that we can't do this. We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders. AVAFTERJM will skip messages on DELETE and HOLD actions only. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma Sent: Monday, June 23, 2008 4:20 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Hi, (Open mail request) Dear Declude people. I have asked this before and with the current spam levels can we PLEASE have this feature now ASAP? 
We all want to use AVAFTERJM but could you PLEASE make it scan all mail which is not deleted? If that is a too big step at first because of all the possible copy, routeto, etc statements can we at least have it for the HOLD action asap? Met vriendelijke groet, Bonno Bloksma hoofd systeembeheer tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] / http://www.tio.nl www.tio.nl - Original Message - From: Kevin Bilbee mailto:[EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 5:25 PM Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Be careful with this setting. If a message gets held as spam it will not be virus scanned. Make sure you scan any message moved back into the delivery queue for viruses before placing it in the delivery queue folder. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, June 13, 2008 6:10 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG AVAFTERJM has been around a long time. I don't remember what version, but it was a 1.x version. Are you familiar with the setting? It tells Declude to run Anti-Virus after Junkmail. It then only runs AV after checking to see if the message is spam. With the spam load these days, I would expect that to be the desired config, resulting in AV scanning on only about 10% of incoming mail instead of 100%. However, it is not the default setting, which runs AV first, then Junkmail. That could easily account for yours and Kathy's 70-100% CPU. Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 8:55 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG No, I am still using antique version declude and imail. 
- Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 8:07 PM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where we are not. Are you running AVAFTERJM? Darin. - Original Message - From: Brian Lin [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 5:23 AM Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I just terminate my F-Prot 6, and installed ClamAV SOSDG Before that, my CPU usage is always run to skyhigh, at around 70%-100%, now using ClamAV, reduce to 5%-20%, still catching all the testing virus. F-prot 6 do not provide option like noboot, nomem, I guess these become the default setting, and cause very high CPU and harddisk usage. Alex instruction dated at 6 June 2008 for ClamAV installation is very helpful, thanks! The main
RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
I will see what we can do for a new directive for the HOLD to be excluded or included by the admin. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Monday, June 23, 2008 2:17 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG I have complained about this for a while now. This process of fix the configuration the place in the proc folder only works if you are constantly pouring through your hold folders. We do not do that. We send an email to our users with the message they have in their hold. They then have the option to deliver the message to their inbox, when they click the recover link the message is placed in the spool folder and a copy of the raw email is sent to our admin to then look at the configuration. This process makes the hold folder completely hands off. How about an option to VIRUSSCANONHOLD. This would make everyone happy. Kevin Bilbee From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Monday, June 23, 2008 9:57 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG For what it's worth, I never move messages from HOLD to SPOOL. When I do move false positives out, I fix the problem in my configuration, so that the same circumstance doesn't happen again, and then I move the files from the HOLD to the PROC folder. By re-scanning them, they get virus scanned and I am sure that I have saved time by getting spam scanned as well; it would cost me more time to repeat the procedure next time than it takes me to override my text filters and re-queue the messages now. Very few messages get pulled out of the HOLD folder, so not scanning those messages for viruses saves me a lot of processing power. Andrew. 
_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 23, 2008 9:00 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Correct if you send held email directly to the spool there is a potential for a virus to bypass if running AVAFTERJM this is why it is important to correct the issue that caused the false positive then reprocess via Declude. OR alternately ensure you virus scan your HOLD folders. If you are asking to only to apply AVAFTERJM only to Deleted emails this would reduce its effectiveness as not every Declude customer uses Delete. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma Sent: Monday, June 23, 2008 11:30 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Hi David, Could you explain this: We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders By NOT scanning held junkmail the virus WILL end up in a user's mailbox if I have to requeue the mail because it was a FP. Of course you don't have to scan deleted mail. Met vriendelijke groet, Bonno Bloksma hoofd systeembeheer tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] / http://www.tio.nl/ www.tio.nl - Original Message - From: David Barker mailto:[EMAIL PROTECTED] To: declude.virus@declude.com Sent: Monday, June 23, 2008 4:28 PM Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Dear Bonno, It is not that we can’t do this. We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders. AVAFTERJM will skip messages on DELETE and HOLD actions only. 
David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma Sent: Monday, June 23, 2008 4:20 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Hi, (Open mail request) Dear Declude people. I have asked this before and with the current spam levels can we PLEASE have this feature now ASAP? We all want to use AVAFTERJM but could you PLEASE make it scan all mail which is not deleted? If that is a too big step at first because of all the possible copy, routeto, etc statements can we at least have it for the HOLD action asap? Met vriendelijke groet, Bonno Bloksma hoofd systeembeheer tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] / http://www.tio.nl www.tio.nl - Original Message - From: Kevin Bilbee mailto:[EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 13, 2008 5:25 PM Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG Be careful with this setting. If a message gets held as spam it will not be virus scanned. Make sure you scan any message moved back into the delivery queue for viruses before placing it in the delivery queue
[Declude.JunkMail] Interim Release 4.4.12
4.4.12 Updated GP1 files to be amended rather than overwritten. Information will be appended with the system Date and time Fixed a crash issue, due to decoding of the subject line. Fixed issue of TXT files being left in the work directory. Requires replacement of the avgsdk.dll. 4.4.11 Update Declude encoding of winmail.data (TNEF) and storing the attachment file and its corresponding file name. Improved detection of the Invalid zip vulnerability. 4.4.10 Added error message in logs for additional information as to why txt file could not be moved back to virus directory 4.4.8 Invalid zip vulnerability; updated Declude to be compatible with '7z' file archived compressor 4.4.7 Updated Declude to report on ODBC access issues in IMail. 4.4.6 Updated PCRE to better handle pcre3.dll exceptions 4.4.5 If ZEROHOUR weight value cannot be converted to an integer it will be ignored. This is a fix for a bug reported when ZEROHOUR test action was set, ZEROHOUR was scoring a value of zero. 4.4.4 Updated FROMNOMATCH test failing when e-mail is sent as an NDR 4.4.3 Updated FROMNOMATCH test failing. According RFC-822 the angle bracket is not a requirement for FROM: in the header part of the email. Changed to handle the angle bracket and without. 4.4.2 Fixed CATCHALLMAIL to be triggered on whitelisted e-mail 4.4.1 Removed references to previous Versions (PRO/STD/LITE). David Barker VP Operations Declude Your Email security is our business 978.499.2933 x 7007 office 978.988.1311 fax [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] F-PROT 6
Can anyone provide a SCANFILE line that they know works with F-PROT 6 ? Thanks David B --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-PROT 6
Excellent response thanks Darin. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Tuesday, June 03, 2008 2:39 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] F-PROT 6 Yes. It's expensive, but is still a good and efficient scanner. Kaspersky and AVG combined may be a good way to go for lower cost if you can afford the CPU of two scanners, or perhaps just Kaspersky. Not sure if anyone has good stats on the performance, completeness of rulebases, and time from initial reports to detection of a virus for the various scanners, but from what information I was able to find, Kaspersky looked good and wasn't too expensive, and AVG is inexpensive though may be lacking as a single scanner. Darin. - Original Message - From: SJ Stanaitis [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Tuesday, June 03, 2008 1:09 PM Subject: RE: [Declude.Virus] F-PROT 6 You've got to buy the server product now. I don't think the cheap version works anymore with Declude. --SJ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, June 03, 2008 11:47 AM To: declude.virus@declude.com Subject: [Declude.Virus] F-PROT 6 Can anyone provide a SCANFILE line that they know works with F-PROT 6 ? Thanks David B --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] ZEROHOUR caught a virus
Zerohour does not catch viruses based on signatures. It is a virus signature that defines its name.

Signature-less protection is an essential complement to traditional AV technologies. By proactively scanning the Internet and identifying massive virus outbreaks as soon as they emerge, Commtouch's Zero-Hour provides proactive virus blocking that is effective and signature-independent.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Wednesday, May 07, 2008 2:42 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ZEROHOUR caught a virus

Hi,

Well, it is happening a lot more now and

C:\Temp>grep -i zerohour vir0506.log
05/06/2008 00:57:58.462 q90f204c285d1.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:57:58.462 q90f204c285d1.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 00:58:23.994 q910c05dc85ee.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:58:23.994 q910c05dc85ee.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 11:20:00.552 q22b604dcdf98.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 11:20:00.552 q22b604dcdf98.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 11:40:16.701 q27610537e398.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 11:40:16.701 q27610537e398.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 19:52:39.166 q9ad505b654de.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 19:52:39.166 q9ad505b654de.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 20:06:40.255 q9e0c04c25a91.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 20:06:40.255 q9e0c04c25a91.smd File(s) are INFECTED [ZEROHOUR Unknown]

But:

05/06/2008 00:57:58.744 q90f204c285d1.smd Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=document.zip [50] I
05/06/2008 00:58:24.213 q910c05dc85ee.smd Scanner 1: Virus=: HTML/IFrame Attachment=[HTML segment] [50] I
05/06/2008 11:20:00.755 q22b604dcdf98.smd Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=data.zip [50] I
05/06/2008 11:40:16.904 q27610537e398.smd Scanner 1: Virus=: HTML/IFrame Attachment=[HTML segment] [50] I
05/06/2008 19:52:39.416 q9ad505b654de.smd Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=message.zip [50] I
05/06/2008 20:06:40.474 q9e0c04c25a91.smd Scanner 1: Virus=: HTML/IFrame Attachment=[HTML segment] [50] I

In each instance ZEROHOUR reported a virus but did not know what it was, one of my other scanners DID know what it was and reported it so. I sure hope Declude will change this behaviour and report the known virus name when one of the scanners DOES report a name. I'm right now using Declude 4.3.64, I'll start using 4.4.0 later this week.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / http://www.tio.nl/

- Original Message -
From: David Barker mailto:[EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Monday, May 05, 2008 9:53 PM
Subject: RE: [Declude.Virus] ZEROHOUR caught a virus

It could be ZEROHOUR as it identifies viruses based on attributes other than virus signatures thereby providing zerohour protection, in many cases the virus has no name as it has not been identified yet.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Monday, May 05, 2008 2:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR caught a virus

If I remember correctly, it is not the ZEROHOUR spam test catching a virus. It is the internal AVG virus scanner saying it has caught an unknown virus, or what it thinks is a virus.

Kevin Bilbee

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Sunday, May 04, 2008 11:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ZEROHOUR caught a virus

Hi,

Suddenly ZEROHOUR starts catching viruses but it does not know WHAT it caught.

--quote---
Declude Virus v4.3.64 caught the ZEROHOUR Unknown virus in readme.zip from [Forged] to: [EMAIL PROTECTED]
Date: 04 May 2008 12:36:21
Subject:Returned mail: see transcript for details
Spool File: D7b90047bbde0.smd
Remote IP: 77.42.92.137
--quote---

From the virlog:

--quote---
C:\Temp>GREP -i BDE0 vir0504.log
05/04/2008 12:36:21.061 q7b90047bbde0.smd Vulnerability flags = 0
05/04/2008 12:36:21.076 q7b90047bbde0.smd MIME file: readme.zip [base64; Length=29054 Checksum=3149200]
05/04/2008 12:36:21.139 q7b90047bbde0.smd ZEROHOUR Reports VIRUS: Unknown
05/04/2008 12:36:21.139 q7b90047bbde0.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Virus
RE: [Declude.Virus] ZEROHOUR caught a virus
It could be ZEROHOUR as it identifies viruses based on attributes other than virus signatures thereby providing zerohour protection, in many cases the virus has no name as it has not been identified yet.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Monday, May 05, 2008 2:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR caught a virus

If I remember correctly, it is not the ZEROHOUR spam test catching a virus. It is the internal AVG virus scanner saying it has caught an unknown virus, or what it thinks is a virus.

Kevin Bilbee

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Sunday, May 04, 2008 11:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ZEROHOUR caught a virus

Hi,

Suddenly ZEROHOUR starts catching viruses but it does not know WHAT it caught.

--quote---
Declude Virus v4.3.64 caught the ZEROHOUR Unknown virus in readme.zip from [Forged] to: [EMAIL PROTECTED]
Date: 04 May 2008 12:36:21
Subject:Returned mail: see transcript for details
Spool File: D7b90047bbde0.smd
Remote IP: 77.42.92.137
--quote---

From the virlog:

--quote---
C:\Temp>GREP -i BDE0 vir0504.log
05/04/2008 12:36:21.061 q7b90047bbde0.smd Vulnerability flags = 0
05/04/2008 12:36:21.076 q7b90047bbde0.smd MIME file: readme.zip [base64; Length=29054 Checksum=3149200]
05/04/2008 12:36:21.139 q7b90047bbde0.smd ZEROHOUR Reports VIRUS: Unknown
05/04/2008 12:36:21.139 q7b90047bbde0.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Virus scanner 1 reports exit code of 3
05/04/2008 12:36:21.342 q7b90047bbde0.smd Forging virus found: Likely forged sender was [EMAIL PROTECTED]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=readme.zip [50] I
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanned: CONTAINS A VIRUS [MIME: 2 29533]
05/04/2008 12:36:21.342 q7b90047bbde0.smd From: [Forged] To: [EMAIL PROTECTED] [incoming from 77.42.92.137]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Subject: Returned mail: see transcript for details
--quote---

It seems one of my other scanners thinks it's a virus as well, and... it reports a name.

1) I've seen a ZEROHOUR virus just once before, is this a new feature?
2) Does ZEROHOUR ever know the name of the virus?
3) Could we have a new feature where Declude uses the real name of a virus when multiple scanners report a virus and some don't know the name?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / http://www.tio.nl
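The name resolution requested in this thread (use a scanner's virus name when ZEROHOUR only reports "Unknown") can be done after the fact on the virlog. The following is an added example, not part of the thread and not Declude's code; it assumes the log layout quoted above, and the sample log, spool IDs and virus names in it are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample in the virlog layout quoted in the thread; the spool IDs
# and virus names are made up for this example.
SAMPLE_LOG = """\
05/06/2008 00:57:58.462 qaaaa0001.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:57:58.462 qaaaa0001.smd File(s) are INFECTED [ZEROHOUR Unknown]
05/06/2008 00:57:58.744 qaaaa0001.smd Scanner 1: Virus=: W32/Example.A Attachment=document.zip [50] I
05/06/2008 00:58:23.994 qaaaa0002.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:58:24.213 qaaaa0002.smd Scanner 1: Virus=: HTML/IFrame Attachment=[HTML segment] [50] I
05/06/2008 11:20:00.552 qaaaa0003.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 11:20:01.000 qaaaa0003.smd Virus scanner 1 reports exit code of 0
"""

# "<date> <time> <spool id> <message text>"
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+) (.*)$")
ZEROHOUR_RE = re.compile(r"^ZEROHOUR Reports VIRUS: (.+)$")
# The attachment field may itself contain brackets and spaces ("[HTML segment]"),
# so it is matched lazily up to the trailing "[nn] X" fields.
SCANNER_RE = re.compile(r"^Scanner (\d+): Virus=: (.+?) Attachment=(.*?) \[\d+\] \w$")


def _is_named(name):
    """True when an engine reported something more specific than 'Unknown'."""
    return bool(name) and name.strip().lower() != "unknown"


def correlate(log_text):
    """Group detections by spool file and pick the best available virus name.

    Returns {spool_id: {"zerohour": str|None,
                        "scanners": [(scanner_no, name, attachment)],
                        "resolved": str}} in order of first appearance.
    """
    messages = OrderedDict()
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # wrapped or foreign line
        spool, text = line.groups()
        zh = ZEROHOUR_RE.match(text)
        sc = SCANNER_RE.match(text)
        if not (zh or sc):
            continue
        entry = messages.setdefault(spool, {"zerohour": None, "scanners": []})
        if zh:
            entry["zerohour"] = zh.group(1).strip()
        else:
            entry["scanners"].append((int(sc.group(1)), sc.group(2), sc.group(3)))

    for entry in messages.values():
        names = [n for _, n, _ in entry["scanners"] if _is_named(n)]
        if _is_named(entry["zerohour"]):
            names.insert(0, entry["zerohour"])
        entry["resolved"] = names[0] if names else "Unknown"
    return messages


def zerohour_only(report):
    """Spool IDs flagged by ZEROHOUR that no signature scanner could name."""
    return [spool for spool, e in report.items()
            if e["zerohour"] is not None and e["resolved"] == "Unknown"]


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for spool, entry in result.items():
        print(spool, "->", entry["resolved"])
    print("ZEROHOUR-only detections:", zerohour_only(result))
```

The ZEROHOUR-only list is the part worth reviewing by hand, since those messages were blocked without any signature scanner confirming them.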
RE: [Declude.Virus] RE: [Declude.JunkMail] 4.3.46
Put the LOGLEVEL on DEBUG and capture a crash, send it to [EMAIL PROTECTED] looks like it could be a buffer overflow issue. Also if there is a declude.gp1 file in the c:\ send that as well.

Thanks
David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Friday, October 19, 2007 1:09 PM
To: declude.virus@declude.com
Subject: AW: [Declude.Virus] RE: [Declude.JunkMail] 4.3.46

Hello,

our declude is crashing, no matter if I try 4.3.46 or 4.3.64. It looks like a special offer with about 1400 To Addresses. The Header looks not very strange:

Received: from moutng.kundenserver.de [212.227.126.186] by xx-GmbH.de with ESMTP (SMTPD-8.22) id A2ED0348; Fri, 19 Oct 2007 19:01:33 +0200
Received: from ics-id.de (p578b6f85.dip0.t-ipconnect.de [87.139.111.133]) by mrelayeu.kundenserver.de (node=mrelayeu2) with ESMTP (Nemesis) id 0MKwtQ-1Iitka1tTt-00035s; Fri, 19 Oct 2007 17:41:54 +0200
Received: from mail pickup service by ics-id.de with Microsoft SMTPSVC; Fri, 19 Oct 2007 16:45:57 +0200
Return-Path: [EMAIL PROTECTED]
Delivery-Date: Fri, 19 Oct 2007 16:36:56 +0200
Received-SPF: pass (mxeu24: domain of srs.kundenserver.de designates 212.227.126.187 as permitted sender) client-ip=212.227.126.187; [EMAIL PROTECTED]; helo=moutng.kundenserver.de;
Return-Path: [EMAIL PROTECTED]
Delivery-Date: Fri, 19 Oct 2007 10:39:31 +0200
Received-SPF: none (mxeu18: 12.107.122.224 is neither permitted nor denied by domain of europastar.com) client-ip=12.107.122.224; [EMAIL PROTECTED]; helo=vnu001glbmxh01.enterprisenet.org;
Message-ID: [EMAIL PROTECTED]
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Content-class: urn:content-classes:message
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Content-Type: multipart/related; type=multipart/alternative; boundary=_=_NextPart_001_01C8122B.6A62C395
Subject: =?utf-8?Q?TR:_EUROTEC_NR_355_=286/07=29_-_=C3=A4ussert_attraktives_Sonder?= =?utf-8?Q?angebot!?=
Date: Fri, 19 Oct 2007 16:45:57 +0200
X-Mailer: Microsoft CDO for Exchange 2000
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: =?utf-8?Q?EUROTEC_NR_355_=286/07=29_-_=C3=A4ussert_attraktives_Sonderange?= =?utf-8?Q?bot!?=
Thread-Index: AcgRkreGKI2IQ6TCQ3W3v9rY5iSFDAAAc3swACTqwAA=
From: Bailly-Henguely, Jocelyne [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],

And this repeated till line 1459. It's 164 KB in size, with mid nothing in the logfile. Eventlog says stopped unexpectedly :) ?

Alex

Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Executive Board: Prof. H.-F. Siller (Chairman), Joern Buelow, Ralf Michi
Chairman of the Supervisory Board: Armin Sohler
Registry court Stuttgart, HRB 107707, VAT ID No. DE145782955
RE: [Declude.Virus] RE: [Declude.JunkMail] 4.3.46
My apologies I was lysdexic

Latest Full Release 4.3.46
Latest Interim 4.3.64

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, October 18, 2007 3:56 PM
To: [EMAIL PROTECTED]; declude.virus@declude.com
Subject: [Declude.Virus] RE: [Declude.JunkMail] 4.3.46

Dave,

Lots of confusion here:

a) the subject refers to 4.3.46 - which shows up on my customer screen as the latest RELEASE
b) however, that's less than the interim 4.3.57 that is shown on my customer screen?
c) the body of your email refers to 4.3.64 - which would make more sense. Except, THAT number is not visible ANYWHERE on my customer screen, neither as a release NOR as an interim version number?

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, October 16, 2007 2:32 PM
To: [EMAIL PROTECTED]; declude.virus@declude.com
Subject: [Declude.JunkMail] 4.3.46

4.3.64 available, we have made some changes to address the vulnerability if you would like to test this - it can be downloaded from the interim location.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]
[Declude.JunkMail] 4.3.46
4.3.64 available, we have made some changes to address the vulnerability if you would like to test this - it can be downloaded from the interim location.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, October 08, 2007 4:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] noticed problem after upgrade to beta

Herb,

There were a lot of posts on this late last week on the forum. Declude is working on the fix.

--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Herb Guenther wrote:

Hi All;

We have been experiencing the same declude shutdown errors when running declude for smartermail that some of you have been seeing. On Friday I upgraded to the beta version as had been suggested. We had some customers who were not seeing some incoming messages. Declude was tripping on a couple vulnerabilities (see below). I turned off those tests, and have since gone back to the production version. Did anyone else see this? There were no attachments in the message.

10/08/2007 07:06:40.687 20122895 Vulnerability flags = 4
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 21
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 24
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 25
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 29
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 30
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 36
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 37
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 39
10/08/2007 07:06:40.687 20122895 Deleting file with vulnerability
10/08/2007 07:06:40.687 20122895 Deleting E-mail with vulnerability!

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties
We are looking into this code, are you sure it is 4.3.62 and not a change with YahooMailWebService?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, October 04, 2007 9:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

Hi,

I put in 4.3.62 in this afternoon (was running a different interim from a few months ago). Since then I had numerous different clients reporting clients with Outlook 'MIME segment in MIME postamble' Vulnerability. Valid emails from Lotus Notes 6 with attachments were rejected (reproducible at will), messages from Yahoo Webmail, etc. If a change was made that triggers this test for major mailers, then it's worthless because no one can keep it on!

-Original Message Headers-
Received: from web54307.mail.re2.yahoo.com [206.190.49.117] by Mail.Webhost.HM-Software.com (SMTPD-9.21) id A7D90348; Thu, 04 Oct 2007 18:23:21 -0400
Received: (qmail 16141 invoked by uid 60001); 4 Oct 2007 22:23:21 -
X-YMail-OSG: gMjlzJ8VM1kitP0O1BmKwo27pVtlLBqWelr5JqstaE0yZq5YNhiYJacdUZWYkR9IjJ6G5P haJ4H_VqsBIIjZqitJIsJEP6cL7GEoJN4Oqb_aWbnemUc3IZbdqDlDjg--
Received: from [69.147.97.215] by web54307.mail.re2.yahoo.com via HTTP; Thu, 04 Oct 2007 15:23:21 PDT
X-Mailer: YahooMailRC/651.50 YahooMailWebService/0.7.134
Date: Thu, 4 Oct 2007 15:23:21 -0700 (PDT)
From: Dorene D Robinson [EMAIL PROTECTED]
Subject: Fw: Our Virus Firewall has Rejected Your Email!
To: Michael Page [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=0-1745477977-1191536601=:15605
Message-ID: [EMAIL PROTECTED]

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [Declude.Virus] Question regarding Whitelist
No, whitelisted is only for JM.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Lucas
Sent: Friday, October 05, 2007 10:46 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Question regarding Whitelist

If a domain is whitelisted, does Declude bypass the virus filtering and allow the email to pass through?

Jon Lucas
Poly-Cast, Inc.

--- [This E-mail scanned for viruses by Declude Virus]
RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties
Ok so if you revert to .57 the issue goes away correct.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, October 05, 2007 11:18 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

I did not have this problem with .57. So we can rule out .46. Sorry, jumped right from .57 to .62 - so can't say if it was introduced with .59 already.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Friday, October 05, 2007 10:49 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

Ok, we are working on the issue, can you replicate it with an earlier version of Declude like .46 or .59 ?
RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties
Send them directly to me.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, October 05, 2007 12:15 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

I have not reverted to .57, I have disabled this vulnerability in the Virus.cfg for now to see what other issues I might uncover. (There was a false positive reported last night for a different vulnerability for mail sent by Netscapes mail applet, but I haven't firmed that one up yet).

If you like me to, I have an archive of held Postamble MIME files that are LEGITIMATE (some of them are automatically created emails that our clients used to get all the time) and zip them up to you? If so, which email do you want me to use?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Friday, October 05, 2007 11:27 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

Ok so if you revert to .57 the issue goes away correct.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, October 05, 2007 11:18 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

I did not have this problem with .57. So we can rule out .46. Sorry, jumped right from .57 to .62 - so can't say if it was introduced with .59 already.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Friday, October 05, 2007 10:49 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

Ok, we are working on the issue, can you replicate it with an earlier version of Declude like .46 or .59 ?
RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties
Thanks for the feedback we are looking at it as #1 priority at the moment.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, October 05, 2007 2:09 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

Dave,

The Blank Folding Vulnerability is ALSO causing false positives (but not as many as the Postamble one). I'll send you ANOTHER email with Blank Folding false positives in about 5 minutes. I have to back this release out - something majorly wrong with it.

Best Regards,
Andy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, October 04, 2007 9:53 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] 4.3.62 countless false positives for vulnerabilties

Hi,

I put in 4.3.62 in this afternoon (was running a different interim from a few months ago). Since then I had numerous different clients reporting clients with Outlook 'MIME segment in MIME postamble' Vulnerability. Valid emails from Lotus Notes 6 with attachments were rejected (reproducible at will), messages from Yahoo Webmail, etc. If a change was made that triggers this test for major mailers, then it's worthless because no one can keep it on!

-Original Message Headers-
Received: from web54307.mail.re2.yahoo.com [206.190.49.117] by Mail.Webhost.HM-Software.com (SMTPD-9.21) id A7D90348; Thu, 04 Oct 2007 18:23:21 -0400
Received: (qmail 16141 invoked by uid 60001); 4 Oct 2007 22:23:21 -
X-YMail-OSG: gMjlzJ8VM1kitP0O1BmKwo27pVtlLBqWelr5JqstaE0yZq5YNhiYJacdUZWYkR9IjJ6G5P haJ4H_VqsBIIjZqitJIsJEP6cL7GEoJN4Oqb_aWbnemUc3IZbdqDlDjg--
Received: from [69.147.97.215] by web54307.mail.re2.yahoo.com via HTTP; Thu, 04 Oct 2007 15:23:21 PDT
X-Mailer: YahooMailRC/651.50 YahooMailWebService/0.7.134
Date: Thu, 4 Oct 2007 15:23:21 -0700 (PDT)
From: Dorene D Robinson [EMAIL PROTECTED]
Subject: Fw: Our Virus Firewall has Rejected Your Email!
To: Michael Page [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=0-1745477977-1191536601=:15605
Message-ID: [EMAIL PROTECTED]

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [Declude.Virus] exe in zip file why not blocked...
Scott, What version of Declude ? Are you using the directive AVAFTERJM ON? David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, July 27, 2007 3:06 PM To: declude.virus@declude.com Subject: [Declude.Virus] exe in zip file why not blocked... I was looking at my spam folder and noticed an email with a zip that contained an exe. 07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862 07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579] 07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8 07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8 07/27/2007 11:10:23.015 q18d4010e464c.smd Virus scanner 2 reports exit code of 8 07/27/2007 11:10:25.640 q18d4010e464c.smd Virus scanner 2 reports exit code of 8 07/27/2007 11:10:28.374 q18d4010e464c.smd Virus scanner 2 reports exit code of 8 07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt 07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2. 07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668] virus.cfg lines: BANEXTexe BANZIPEXTS ON I believe this should have been blocked (regardless of the problem with scanner 2). Scott Fisher Dir of IT Farm Progress Companies 191 S Gary Ave Carol Stream, IL 60188 Tel: 630-462-2323 This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. 
Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
RE: [Declude.Virus] exe in zip file why not blocked...
AVAFTERJM ON means if the email reaches the JM either HOLD or DELETE to not call the AV in the Declude code. Try switching this OFF to see if it resolves the issue. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, July 30, 2007 10:27 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] exe in zip file why not blocked... Declude 4.3.57 AVAFTERJM ON YES.
RE: [Declude.Virus] exe in zip file why not blocked...
John I saw that, but I am not sure how much of the virus code is executed once the JM threshold is met. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists) Sent: Monday, July 30, 2007 12:55 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] exe in zip file why not blocked... David, the log snippet posted is of the Declude Virus log, meaning it passed Junkmail and was scanned. John T
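The log excerpt in this thread ends in "Scanned: Error in virus scanner" for a message carrying fungame.zip. As an added example (not Declude's code and not posted by anyone in the thread), this script groups Declude Virus log entries by spool file and lists messages where an archive attachment was logged but the scan ended in a scanner error, so they can be reviewed by hand. The first ten entries are copied from the thread; the last two are constructed, and the archive extension list is an assumption.

```python
import re
from collections import defaultdict

# First ten entries: copied from the log excerpt posted in this thread.
PAGE_LINES = [
    "07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862",
    "07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]",
    "07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8",
    "07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8",
    "07/27/2007 11:10:23.015 q18d4010e464c.smd Virus scanner 2 reports exit code of 8",
    "07/27/2007 11:10:25.640 q18d4010e464c.smd Virus scanner 2 reports exit code of 8",
    "07/27/2007 11:10:28.374 q18d4010e464c.smd Virus scanner 2 reports exit code of 8",
    "07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt",
    "07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.",
    "07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668]",
]
# Constructed control: same scanner error, but no archive attachment.
CONSTRUCTED_LINES = [
    "07/27/2007 11:12:01.000 qconstructed0001.smd MIME file: notes.txt [base64; Length=100 Checksum=1]",
    "07/27/2007 11:12:03.000 qconstructed0001.smd Scanned: Error in virus scanner. [MIME: 1 120]",
]
SAMPLE_LOG = "\n".join(PAGE_LINES + CONSTRUCTED_LINES)

ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+) (.*)$")
MIME_FILE = re.compile(r"^MIME file: (.+?) \[")
EXIT_CODE = re.compile(r"^Virus scanner (\d+) reports exit code of (\d+)$")
ARCHIVE_EXTS = (".zip", ".rar")  # assumption: archive types worth a manual look

def archives_with_failed_scan(log_text):
    """Return one finding per spool file that had an archive and a scanner error."""
    msgs = defaultdict(lambda: {"files": [], "exits": [], "scan_error": False})
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # skip anything that is not a timestamped log entry
        spool, text = entry.groups()
        rec = msgs[spool]
        mime, code = MIME_FILE.match(text), EXIT_CODE.match(text)
        if mime:
            rec["files"].append(mime.group(1))
        elif code:
            rec["exits"].append((int(code.group(1)), int(code.group(2))))
        elif text.startswith("Scanned: Error in virus scanner"):
            rec["scan_error"] = True
    findings = []
    for spool, rec in msgs.items():
        archives = [f for f in rec["files"] if f.lower().endswith(ARCHIVE_EXTS)]
        if rec["scan_error"] and archives:
            findings.append({"spool": spool, "archives": archives,
                             "failed_runs": len(rec["exits"]),
                             "exit_codes": sorted(set(rec["exits"]))})
    return findings

if __name__ == "__main__":
    print(archives_with_failed_scan(SAMPLE_LOG))
```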
RE: [Declude.Virus] removing js/psyme
Just FYI the emails themselves do not contain a virus. Use the attached filter to detect these emails, using Declude JunkMail. You must be using at least Declude 4.3.46 to use the regular expression filtering. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McGregor Sent: Tuesday, July 24, 2007 12:26 PM To: Declude-List Subject: [Declude.Virus] removing js/psyme We have had quite a few people open the ecard messages and are now infected with this virus. Anyone know of a freebie that will remove this one? Currently, the only way we're able to remove it is safe mode and avg. thanks, bob
BODY END NOTCONTAINS SEEING YOUR CARD
BODY 20 PCRE (http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/)
BODY 5 PCRE (?i:ecard)
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
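To see what the attached filter would score on a given message, here is an added example (not Declude's code and not part of the post) that parses the three filter lines and evaluates them against message bodies. The filter lines are copied from the post, written with whitespace between the fields. It assumes that an END line stops the filter when its condition matches, that numeric weights add up, and that NOTCONTAINS is case-insensitive; the sample bodies are constructed and use documentation addresses.

```python
import re

# Filter lines from the post: TEST, WEIGHT (or END), COMPARISON, PATTERN.
FILTER_TEXT = r"""
BODY END NOTCONTAINS SEEING YOUR CARD
BODY 20 PCRE (http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/)
BODY 5 PCRE (?i:ecard)
"""

def parse_filter(text):
    """Split each non-empty line into (test, weight, comparison, pattern)."""
    rules = []
    for line in text.strip().splitlines():
        test, weight, comparison, pattern = line.split(None, 3)
        rules.append((test, weight, comparison, pattern))
    return rules

def score_body(body, rules):
    """Return (total_weight, hits) under the semantics assumed in the lead-in."""
    total, hits = 0, []
    for test, weight, comparison, pattern in rules:
        if test != "BODY":
            raise ValueError("only BODY tests are handled in this sketch")
        if comparison == "PCRE":
            matched = re.search(pattern, body) is not None
        elif comparison == "NOTCONTAINS":
            matched = pattern.lower() not in body.lower()
        else:
            raise ValueError("unhandled comparison: " + comparison)
        if not matched:
            continue
        if weight == "END":
            hits.append("END " + comparison)
            return total, hits  # assumed: stop processing this filter
        total += int(weight)
        hits.append(weight + " " + comparison)
    return total, hits

# Constructed sample bodies (192.0.2.0/24 is a documentation range).
ECARD_IP_URL = ("Your friend has sent you an ecard. If you have trouble "
                "seeing your card, open http://192.0.2.15/ in your browser.")
ECARD_HOSTNAME = ("Your Ecard is ready. Trouble seeing your card? "
                  "Visit http://cards.example.com/view")
UNRELATED = "Server status page moved to http://192.0.2.15/ (no ecard here)"

if __name__ == "__main__":
    rules = parse_filter(FILTER_TEXT)
    for body in (ECARD_IP_URL, ECARD_HOSTNAME, UNRELATED):
        print(score_body(body, rules))
```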
RE: [Declude.Virus] removing js/psyme
Looks like the list added a footer to the attached filter. Be sure to remove the additional text.
[Declude.JunkMail] Interim 4.3.57 available
4.3.57 JM Fixed crash bug. Declude crash when reading the envelope file (SM and IM), where the HELO line exceeded 512 Characters RFC-821. Truncated HELO after 512 characters.
4.3.54 DEC Added spool # and the list of Tests failed with the weight in the BLKLST log
4.3.53 DEC Fixed SmarterMail CMDSPACE test. SM made changes to test in cmdspc instead of cmdspace
4.3.52 DEC Added date and time for the BLKLST log
4.3.51 DEC LOG change outgoing and incoming message was incorrect
4.3.50 EVA Fixed BANEZIPEXT ON to block any encrypted file name.
4.3.49 EVA Fixed BANEXT EZIP for encrypted files, .RAR can encrypt file names only using a password.
4.3.47 JM Fixed HELO information was reported incorrectly when IPBYPASS is set
David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Interim 4.3.57 available
4.3.57 JM Fixed crash bug. Declude crash when reading the envelope file (SM and IM), where the HELO line exceeded 512 Characters RFC-821. Truncated HELO after 512 characters.
4.3.54 DEC Added spool # and the list of Tests failed with the weight in the BLKLST log
4.3.53 DEC Fixed SmarterMail CMDSPACE test. SM made changes to test in cmdspc instead of cmdspace
4.3.52 DEC Added date and time for the BLKLST log
4.3.51 DEC LOG change outgoing and incoming message was incorrect
4.3.50 EVA Fixed BANEZIPEXT ON to block any encrypted file name.
4.3.49 EVA Fixed BANEXT EZIP for encrypted files, .RAR can encrypt file names only using a password.
4.3.47 JM Fixed HELO information was reported incorrectly when IPBYPASS is set
David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED]
RE: [Declude.Virus] AVG Antivirus AVG7CORE.SYS IOCTL Handler Privilege Escalation
Mark, As we use the AVG SDK which integrates with Declude we do not use the AVG7CORE.SYS device driver. So this should not be an issue. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Thursday, July 12, 2007 10:11 AM To: declude.virus@declude.com Subject: [Declude.Virus] AVG Antivirus AVG7CORE.SYS IOCTL Handler Privilege Escalation David, Is the built-in AVG affected by this? http://secunia.com/advisories/25998/ Mark Reimer IT System Admin American CareSource 972-308-6887