RE: [Declude.Virus] F-Prot and Mydoom.O

[John Tolmachoff \(Lists\)]

Would be great. Send it to my other address if you still have it.   John Tolmachoff Engineer/Consultant/Owner eServices For You   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, July 28, 2004 2:36 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] F-Prot and Mydoom.O   Would you like for me to E-mail it to you? Matt John Tolmachoff (Lists) wrote: Well, that is the problem on that one server. Even running the manual update, which is using updater.exe, it is saying it is updated. I will probably do a restart on the server tonight and try again. If still does not update, I guess I will download the package from F-Prot’s web site.   John Tolmachoff Engineer/Consultant/Owner eServices For You   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Wednesday, July 28, 2004 2:06 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] F-Prot and Mydoom.O   Markus, Searching the archives, I came up with Version 3.14d being where they switched to using /ARCHIVE=n.  Please forgive my innaccurate clarification.     http://www.mail-archive.com/[EMAIL PROTECTED]/msg08682.html Here's a better clarification however...everyone should probably update to the latest version and use the /ARCHIVE=5 switch :)  I believe that when you manually run live update, it will prompt you to download the version which is then manually installed.  It's a snap to do. Matt Markus Gufler wrote: The "switch" must be between 3.14b and 3.14e.   We've running 3.14e with /ARCHIVE=5 and can't see missing detection for Scanner 1 (F-prot)   Markus     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Wednesday, July 28, 2004 9:59 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] F-Prot and Mydoom.O Let's try to be clear about this so that others don't mess it up accidentally. In 3.14 or earlier, you must use /ARCHIVE.  if you use /ARCHIVE=5 it will break the /ARCHIVE switch leading to zip files not being scanned. In 3.15 and later, you should change to /ARCHIVE=5.  Apparently just /ARCHIVE no longer works without =n being specified. I believe that /ARCHIVE=3 also works just fine, and Scott's warning this morning was related to those that upgraded from 3.14 to 3.15 and didn't add the =n part, and that his preference was =5 where as others were already using =3 which should work as well.  I don't expect to see too many viruses that are recursively zipped more than 3 times given that this wouldn't be a very efficient way to spread viruses. Matt Bonno Bloksma wrote: Hi,   Using F-Prot 3.14b I did change the ARCHIVE line and did not notice any errors in the Declude vir*.log file. HOWEVER... After carefull checking I did find that suddenly f-prot was no longer catching virusses which Sophos did catch. These were various Netsky viri (B, D, P and Z) that F-Prot *did* catch earlier today. So I have just changed the /ARCHIVE option back to plain /ARCHIVE. So far no viri, I can't therefore determine yet wheter this solved the problem. This server only proccesses 3-4K msgs a day, mostly during (european) business hours.   Later tonight I'll upgrade to F-prot 3.15, which I just downloaded and I'll probably add the new /ARCHIVE line later tomorrow I won't do it at the same time just to see if it makes a difference.   p.s. I do NOT have the warning lines you have in my log so it seems different versions of f-prot react differently to this /ARCHIVE=x directive. The lines I have been using today are: SCANFILE1 C:\Progra~1\FSI\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt #SCANFILE1 C:\Progra~1\FSI\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt     Groetjes,   Bonno Bloksma .... Back up my hard drive? How do I put it in reverse?   ----- Original Message ----- From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, July 28, 2004 8:40 PM Subject: RE: [Declude.Virus] F-Prot and Mydoom.O     PROBLEM!   Do not do this without checking your logs.   At 8:29 AM, I changed /ARCHIVE to /ARCHIVE=5.   Starting at 8:30 AM, in the virus log I see the following line for every infected message: 07/28/2004 11:31:41 Qf106025c017afb61 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the IMail directory or sub-directories.   Changing it back to /ARCHIVE only fixes this.   Some one please verify what this broke.   John Tolmachoff Engineer/Consultant/Owner eServices For You     -----Original Message-----From: [EMAIL PROTECTED]    [mailto:[EMAIL PROTECTED]]  On Behalf Of R. Scott PerrySent: Wednesday, July 28, 2004 6:02 AMTo: [EMAIL PROTECTED]Subject: [Declude.Virus] F-Prot and Mydoom.O It turns out that there is a flaw in recent versions of F-Prot thatprevents it from properly detecting Mydoom.O when it is double-zipped. Anyone using F-Prot should change the "/ARCHIVE " switch in the SCANFILEline in the \IMail\Declude\virus.cfg file to "/ARCHIVE=5 ".  This will    make  sure that F-Prot properly scans the .ZIP files.                                                     -Scott---Declude JunkMail: The advanced anti-spam solution for IMail mailserverssince 2000.Declude Virus: Ultra reliable virus detection and the leader in mailservervulnerability detection.Find out what you've been missing: Ask for a free 30-day evaluation. ---[This E-mail was scanned for viruses by Declude Virus    (http://www.declude.com)]  ---This E-mail came from the Declude.Virus mailing list.  Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".    The archives can be foundat http://www.mail-archive.com.     ---[This E-mail was scanned for viruses by Declude Virus(http://www.declude.com)] ---This E-mail came from the Declude.Virus mailing list.  Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".    The archives can be foundat http://www.mail-archive.com.---[E-mail scanned at tio.nl for viruses by Declude Virus]  ---[E-mail scanned at tio.nl for viruses by Declude Virus] ---[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] ---This E-mail came from the Declude.Virus mailing list.  Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".    The archives can be foundat http://www.mail-archive.com.      -- =====================================================MailPure custom filters for Declude JunkMail Pro.http://www.mailpure.com/software/=====================================================   -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ ===================================================== -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================