Luis,

If you are seeing 100% CPU utilization and timeouts in your Declude Virus log, you would be best served by reducing the number of simultaneous processes instead of increasing them. If you increase them, you run the risk of causing more timeouts.

Your F-Prot config looks to be normal, but you need to add the following line in order to stop some recent viruses that F-Prot is returning a code 8 when detected:

    VIRUSCODE1 8

Considering that you attributed 80% to just one client, and it appears that they had a big infection, that would explain why you are seeing this sort of traffic but others like myself are not. Seems like you have a good handle on things now.

Good luck,

Matt

Panda Consulting S.A. Luis Alberto Arango wrote:

Matt and Dave:

First of all, thank you very much for answering my post. I am using fpcmd.exe. Here are my config lines, in case I am missing some important switch.

    SCANFILE1 D:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
    VIRUSCODE1 3
    VIRUSCODE1 6
    REPORT1 Infection:

Anyway, I already contacted one of my clients whose IP is sending lots and lots of emails with viruses to our mail server. I believe they are sending probably 80% of the viruses I am getting. He confirmed that they were infected and that they are running a clean-up task. They have over 600 computers, so it takes quite some time to make sure they are all clean. I am also narrowing down other IPs to contact the owners.

Besides, Declude is running 25 simultaneously -default-. If tomorrow I get overflow messages I will increase the number of processes in the declude.cfg file to see if that improves the delivery. I just have to make sure I don't crash the server.

I may also increase the number of Imail threads to 40 or 50.

By the way, I found interesting and useful support text regarding delayed delivery here:
http://www.declude.com/help_answer.asp?ID=122 -Imail's SMTP Sending Architecture-

Again, thanks for your help.

-Luis Arango

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, 03 May 2005 09:07 p.m.
To: [email protected]
Subject: Re: [Declude.Virus] w32/Sober.O virus

If you aren't running fpcmd.exe as Dave suggested, that would definitely be the first place to start. You need to purchase F-Prot instead of using the free DOS scanner to get fpcmd.exe.

This is not normal behavior for Sober, but I have seen some viruses get really bursty. For instance, one client that has a massive newsletter would get hammered by viruses because of harvesting of their addresses from the newsletter. Some viruses also can hammer you with huge volume from a single computer. You might want to look at the IPs that are sending the viruses and see if these can be narrowed down to just a few computers for the bulk of the messages.

Aside from that, Declude JunkMail is generally leaner than Declude Virus, and you might get a boost by having Declude JunkMail run first, where many of the viruses would be blocked and then wouldn't need to be virus scanned. You would need to be deleting the spams for them to not get scanned by Declude Virus however, maybe Hold also prevents it, but I'm pretty sure that the other actions will still result in them being virus scanned under this alternative configuration. This is also much more beneficial when you run multiple virus scanners since more CPU can be saved this way. F-Prot is generally very efficient.

Matt

Panda Consulting S.A. Luis Alberto Arango wrote:

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
