05/02/2007 17:27:20.468 q02250280000073d8.smd Setting AVAFTERJM to ON.
05/02/2007 17:27:20.468 q02250280000073d8.smd Setting virus directory to:
e:\spool\virus
05/02/2007 17:27:20.468 q02250280000073d8.smd Allowing OLBOUNDARYSPACEGAP
vulnerability
05/02/2007 17:27:20.468 q02250280000073d8.smd Setting MAXATONCE to 0.
05/02/2007 17:27:20.468 q02250280000073d8.smd Incoming E-mail scanning turned ON
05/02/2007 17:27:20.468 q02250280000073d8.smd Outgoing E-mail scanning turned ON
05/02/2007 17:27:20.468 q02250280000073d8.smd Setting scanner timeout to 60
seconds
05/02/2007 17:27:20.468 q02250280000073d8.smd Skip Extensions: BMP MOV MPG PDF
PNG QXD PSD TIF TIFF TXT WMV
05/02/2007 17:27:20.468 q02250280000073d8.smd 12 Ban Extensions: scr pif com
bat vbe vbs exe shs cpl hta vb EZIP
05/02/2007 17:27:20.468 q02250280000073d8.smd Starting locality check
(sender=globalweb.net; nr=1 ca=off). nHas=528.
05/02/2007 17:27:20.468 q02250280000073d8.smd [EMAIL PROTECTED] [0-193] is
local domain1 viaFM
05/02/2007 17:27:20.468 q02250280000073d8.smd Ending locality check (cached),
sender=local.
05/02/2007 17:27:20.468 q02250280000073d8.smd Local host = globalweb.net
05/02/2007 17:27:20.468 q02250280000073d8.smd [EMAIL PROTECTED] Offset=17
Flags=1
05/02/2007 17:27:20.484 q02250280000073d8.smd Msgid: <[EMAIL PROTECTED]>
05/02/2007 17:27:20.484 q02250280000073d8.smd Subject: Test exe
05/02/2007 17:27:28.937 q02250280000073d8.smd Starting virus scanning section...
05/02/2007 17:27:28.937 q02250280000073d8.smd MIMELAYER=0
05/02/2007 17:27:28.937 q02250280000073d8.smd Exclude Default=-1
05/02/2007 17:27:28.937 q02250280000073d8.smd Exclude Domain=-1
05/02/2007 17:27:28.937 q02250280000073d8.smd Exclude peruser=-1
05/02/2007 17:27:28.937 q02250280000073d8.smd DoAv(
e:\spool\proc\work\D02250280000073d8.smd );
05/02/2007 17:27:28.937 q02250280000073d8.smd avtempdir=e:\spool\proc\work
05/02/2007 17:27:28.937 q02250280000073d8.smd Temp dir set to:
e:\spool\proc\work\D02250280000073d8.vir\
05/02/2007 17:27:28.937 q02250280000073d8.smd fp=485800
05/02/2007 17:27:28.937 q02250280000073d8.smd Vulnerability flags = 256
05/02/2007 17:27:28.937 q02250280000073d8.smd MIMELAYER++
05/02/2007 17:27:28.937 q02250280000073d8.smd DOMIME START
05/02/2007 17:27:28.937 q02250280000073d8.smd CT: Content-Type:
multipart/mixed;boundary="----=_NextPart_000_0
05/02/2007 17:27:28.937 q02250280000073d8.smd Got boundary;
=------=_NextPart_000_0116_01C78CDE.FF008140.
05/02/2007 17:27:28.937 q02250280000073d8.smd DOMIME end-of-headers
05/02/2007 17:27:28.937 q02250280000073d8.smd ISMULTI
05/02/2007 17:27:28.937 q02250280000073d8.smd Hit boundary... Recursing... 0
(b-0-).
05/02/2007 17:27:28.937 q02250280000073d8.smd MIMELAYER++
05/02/2007 17:27:28.937 q02250280000073d8.smd DOMIME START
05/02/2007 17:27:28.937 q02250280000073d8.smd CT: Content-Type:
text/plain;charset="us-ascii"
05/02/2007 17:27:28.937 q02250280000073d8.smd Got Encoding 7bit.
05/02/2007 17:27:28.937 q02250280000073d8.smd DOMIME end-of-headers
05/02/2007 17:27:28.937 q02250280000073d8.smd !ISMULTI
05/02/2007 17:27:28.937 q02250280000073d8.smd Handling a MIME segment
[Boundary=------=_NextPart_000_0116_01C78CDE.FF008140].
05/02/2007 17:27:28.937 q02250280000073d8.smd Encoding type: 7bit [1/]
05/02/2007 17:27:28.937 q02250280000073d8.smd Starting BASE64
05/02/2007 17:27:28.937 q02250280000073d8.smd Hit new boundary (fseek)
05/02/2007 17:27:28.937 q02250280000073d8.smd curpos=1271
05/02/2007 17:27:28.937 q02250280000073d8.smd Deleting (1) plaintext segment
e:\spool\proc\work\D02250280000073d8.vir\0..
05/02/2007 17:27:28.937 q02250280000073d8.smd MIMELAYER--
05/02/2007 17:27:28.937 q02250280000073d8.smd Done Recursing...
05/02/2007 17:27:28.937 q02250280000073d8.smd Hit boundary... Recursing... 1
(b-0-).
05/02/2007 17:27:28.937 q02250280000073d8.smd MIMELAYER++
05/02/2007 17:27:28.937 q02250280000073d8.smd DOMIME START
05/02/2007 17:27:28.937 q02250280000073d8.smd CT: Content-Type:
application/x-msdownload;name="aspupload.exe"
05/02/2007 17:27:28.937 q02250280000073d8.smd Setting MimeName to aspupload.exe
[13].
05/02/2007 17:27:28.937 q02250280000073d8.smd Got Encoding base64.
05/02/2007 17:27:28.937 q02250280000073d8.smd Got disp name=aspupload.exe
[MimeName=aspupload.exe].
05/02/2007 17:27:28.937 q02250280000073d8.smd DOMIME end-of-headers
05/02/2007 17:27:28.937 q02250280000073d8.smd !ISMULTI
05/02/2007 17:27:28.937 q02250280000073d8.smd Handling a MIME segment
[Boundary=------=_NextPart_000_0116_01C78CDE.FF008140].
05/02/2007 17:27:28.937 q02250280000073d8.smd Encoding type: base64 [1/exe]
05/02/2007 17:27:28.937 q02250280000073d8.smd Starting BASE64
05/02/2007 17:27:29.000 q02250280000073d8.smd Hit new boundary (fseek)
05/02/2007 17:27:29.000 q02250280000073d8.smd curpos=1081834
05/02/2007 17:27:29.000 q02250280000073d8.smd Ending BASE64
05/02/2007 17:27:29.000 q02250280000073d8.smd MIME file: aspupload.exe [base64;
Length=789488 Checksum=98101739]
05/02/2007 17:27:29.000 q02250280000073d8.smd Comparing |exe| to SKIPEXTs and
BANEXTs
05/02/2007 17:27:29.000 q02250280000073d8.smd Banning file with exe extension
[application/x-msdownload].
05/02/2007 17:27:29.000 q02250280000073d8.smd NOT PLAINTEXT:
application/x-msdownload.
05/02/2007 17:27:29.000 q02250280000073d8.smd MIMELAYER--
05/02/2007 17:27:29.000 q02250280000073d8.smd Done Recursing...
05/02/2007 17:27:29.000 q02250280000073d8.smd Hit end of layer
05/02/2007 17:27:29.000 q02250280000073d8.smd MIMELAYER layer--
05/02/2007 17:27:29.000 q02250280000073d8.smd 0 - aspupload.exe
05/02/2007 17:27:29.000 q02250280000073d8.smd Scanning files (0 scanners)
05/02/2007 17:27:31.187 q02250280000073d8.smd AVG Reports No Virus
05/02/2007 17:27:31.203 q02250280000073d8.smd 0:
05/02/2007 17:27:31.203 q02250280000073d8.smd Starting EXT check .
05/02/2007 17:27:31.203 q02250280000073d8.smd 1: aspupload.exe MZP
05/02/2007 17:27:31.203 q02250280000073d8.smd Found an EXE file
05/02/2007 17:27:31.203 q02250280000073d8.smd Starting EXT check exe.
05/02/2007 17:27:31.203 q02250280000073d8.smd
e:\spool\proc\work\D02250280000073d8.vir\*.*
05/02/2007 17:27:31.203 q02250280000073d8.smd 0.exe
05/02/2007 17:27:31.265 q02250280000073d8.smd Deleted
e:\spool\proc\work\D02250280000073d8.vir\0.exe.
05/02/2007 17:27:31.265 q02250280000073d8.smd han=13da30 b=False
05/02/2007 17:27:31.265 q02250280000073d8.smd High code=20.
05/02/2007 17:27:31.265 q02250280000073d8.smd AV returned 20
05/02/2007 17:27:31.265 q02250280000073d8.smd Scanned: Banned file extension.
[MIME: 2 790128]
05/02/2007 17:27:31.265 q02250280000073d8.smd C:\IMail\Declude\BANnotify.eml
05/02/2007 17:27:31.265 q02250280000073d8.smd Starting E-mail file
C:\IMail\Declude\BANnotify.eml
05/02/2007 17:27:31.265 q02250280000073d8.smd Not sending .eml file since
AUTOFORGING detected a forging virus.
05/02/2007 17:27:31.265 q02250280000073d8.smd From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [incoming from 208.74.87.254]
05/02/2007 17:27:31.265 q02250280000073d8.smd Subject: Test exe
05/02/2007 17:27:31.359 q02250280000073d8.smd feof=16, ferr=0
05/02/2007 17:27:31.500 q02250280000073d8.smd Moving file to virus hold
directory: e:\spool\virus
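An added example, not part of the original post and not Declude's own code: a small triage script that rejoins the mail-wrapped lines of a debug log like the one above and pulls out the ban decision, the scanner return code and the reason the notification was skipped. The entry layout is inferred from the lines shown here, and the field names (`banned_ext`, `av_code`, `verdict`, `notify_skipped`) are hypothetical.

```python
import re

# Constructed sample: entries in the same wrapped form as the debug log above.
SAMPLE = """\
05/02/2007 17:27:29.000 q02250280000073d8.smd Banning file with exe extension
[application/x-msdownload].
05/02/2007 17:27:31.187 q02250280000073d8.smd AVG Reports No Virus
05/02/2007 17:27:31.265 q02250280000073d8.smd AV returned 20
05/02/2007 17:27:31.265 q02250280000073d8.smd Scanned: Banned file extension.
[MIME: 2 790128]
05/02/2007 17:27:31.265 q02250280000073d8.smd Not sending .eml file since
AUTOFORGING detected a forging virus.
"""

# Assumed entry shape (inferred from the log): timestamp, spool file, message.
ENTRY = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (\S+\.smd) ?(.*)$")

def unwrap(text):
    """Rejoin continuation lines (no timestamp prefix) onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries and line.strip():
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def triage(text):
    """Per spool file: banned extension, AV return code, verdict, skip reason."""
    out = {}
    for _ts, spool, msg in unwrap(text):
        rec = out.setdefault(spool, {"banned_ext": None, "av_code": None,
                                     "verdict": None, "notify_skipped": None})
        if m := re.match(r"Banning file with (\S+) extension", msg):
            rec["banned_ext"] = m.group(1)
        elif m := re.match(r"AV returned (\d+)", msg):
            rec["av_code"] = int(m.group(1))
        elif m := re.match(r"Scanned: (.*?)\.\s*\[", msg):
            rec["verdict"] = m.group(1)
        elif m := re.match(r"Not sending \.eml file since (.+)", msg):
            rec["notify_skipped"] = m.group(1).rstrip(".")
    return out

if __name__ == "__main__":
    for spool, rec in triage(SAMPLE).items():
        print(spool, rec)
```
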
----------------------------------------
From: "John T \(lists\)" <[EMAIL PROTECTED]>
Sent: Wednesday, May 02, 2007 7:07 PM
To: [email protected]
Subject: RE: [Declude.Virus] BanNotify email not being sent
Sorry to bother, but please post the rest of the lines from the
debug log for that message.
John T
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Wednesday, May 02, 2007 2:36 PM
To: [email protected]
Subject: RE: [Declude.Virus] BanNotify email not being sent
John,
I should have known to go to DEBUG mode first....
Here's what is showing there:
05/02/2007 17:27:31.265 q02250280000073d8.smd Not sending .eml file since
AUTOFORGING detected a forging virus.
I sent a regular .exe program install file in the test. The question now
is - why is this being picked up as a forging virus?
Randy A.
----------------------------------------
From: "John T \(lists\)" <[EMAIL PROTECTED]>
Sent: Wednesday, May 02, 2007 12:25 PM
To: [email protected]
Subject: RE: [Declude.Virus] BanNotify email not being sent
Put your virus log into debug and then try sending a banned extension attachment.
Post your bannotify.eml file as a text attachment
John T
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Wednesday, May 02, 2007 5:48 AM
To: [email protected]
Subject: RE: [Declude.Virus] BanNotify email not being sent
I just upgraded to 4.3.46 and same thing -
BANnotify is not being sent...
Randy A.
----------------------------------------
From: "John T \(lists\)" <[EMAIL PROTECTED]>
Sent: Monday, April 30, 2007 8:21 PM
To: [email protected]
Subject: RE: [Declude.Virus] BanNotify email not being sent
What version of Declude? I am using 4.3.47 and it is working.
What does the Virus log say?
John T
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: [email protected]
Subject: [Declude.Virus] BanNotify email not being sent
It was recently brought to my attention by a customer that the BanNotify email is not
being sent out from our server when necessary - I tried sending myself a test
email with an .exe file attached, and sure enough, the message is
trapped but the notice is not sent out.
Using declude v4.x
Thanks!
Randy A.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.