From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Wednesday,
July 28, 2004
9:59 PM
To: [EMAIL PROTECTED]
Subject: Re:
[Declude.Virus]
F-Prot and Mydoom.O
Let's try to be
clear about this so that others don't
mess it up accidentally.
In 3.14 or earlier, you must use /ARCHIVE. if you use /ARCHIVE=5 it
will
break the /ARCHIVE switch leading to zip files not being scanned.
In 3.15 and later, you should change to /ARCHIVE=5. Apparently just
/ARCHIVE no longer works without =n being specified.
I believe that /ARCHIVE=3 also works just fine, and Scott's warning
this
morning was related to those that upgraded from 3.14 to 3.15 and didn't
add the
=n part, and that his preference was =5 where as others were already
using =3
which should work as well. I don't expect to see too many viruses that
are recursively zipped more than 3 times given that this wouldn't be a
very
efficient way to spread viruses.
Matt
Bonno Bloksma wrote:
Hi,
Using F-Prot 3.14b I did change the ARCHIVE line and did not notice any
errors in the Declude vir*.log file. HOWEVER... After carefull checking I
did find that suddenly f-prot was no longer catching virusses which Sophos
did catch. These were various Netsky viri (B, D, P and Z) that F-Prot *did*
catch earlier today. So I have just changed the /ARCHIVE option back to
plain /ARCHIVE. So far no viri, I can't therefore determine yet wheter this
solved the problem. This server only proccesses 3-4K msgs a day, mostly
during (european) business hours.
Later tonight I'll upgrade to F-prot 3.15, which I just downloaded and I'll
probably add the new /ARCHIVE line later tomorrow I won't do it at the same
time just to see if it makes a difference.
p.s. I do NOT have the warning lines you have in my log so it seems
different versions of f-prot react differently to this /ARCHIVE=x directive.
The lines I have been using today are:
SCANFILE1 C:\Progra~1\FSI\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE
/NOBOOT /DUMB /REPORT=report.txt
#SCANFILE1 C:\Progra~1\FSI\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5
/NOBOOT /DUMB /REPORT=report.txt
Groetjes,
Bonno Bloksma
.... Back up my hard drive? How do I put it in reverse?
----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 28, 2004 8:40 PM
Subject: RE: [Declude.Virus] F-Prot and Mydoom.O
PROBLEM!
Do not do this without checking your logs.
At 8:29 AM, I changed /ARCHIVE to /ARCHIVE=5.
Starting at 8:30 AM, in the virus log I see the following line for every
infected message:
07/28/2004 11:31:41 Qf106025c017afb61 1 [1 of 2 not deleted] files were
deleted. You should not use an on-access virus scanner that scans the IMail
directory or sub-directories.
Changing it back to /ARCHIVE only fixes this.
Some one please verify what this broke.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of R. Scott Perry
Sent: Wednesday, July 28, 2004 6:02 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-Prot and Mydoom.O
It turns out that there is a flaw in recent versions of F-Prot that
prevents it from properly detecting Mydoom.O when it is double-zipped.
Anyone using F-Prot should change the "/ARCHIVE " switch in the SCANFILE
line in the \IMail\Declude\virus.cfg file to "/ARCHIVE=5 ". This will
make
sure that F-Prot properly scans the .ZIP files.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
[E-mail scanned at tio.nl for viruses by Declude Virus]
---
[E-mail scanned at tio.nl for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
