[Declude.Virus] Viruses Getting Through
I am rather new to using Declude, but so far have been rather happy with it. For the first week it worked perfectly, but now various viruses seem to be getting through. So far, in the last 2 days, 3 have gotten through, all variants of Netsky. I received them, so I am sure my clients have as well. I am not concerned about these myself, as I use a Mac as my desktop computer, so I just download them to my desktop to examine.

message.htm.com [EMAIL PROTECTED]
notice.zip [EMAIL PROTECTED]
secrets.zip [EMAIL PROTECTED]

I am running Declude 1.79 with NetShield. NetShield is set to update every day, so I know I have the most recent virus defs. I also have BANEXT EZIP in my virus.cfg file.

Does anyone know why these might be getting through, or is anyone else having some of the same problem?

Thanks
Christian

---
[This E-mail scanned for viruses by CySpace Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Unusual Entry in Declude Log
Scott,

I just sent the two files out to the address you provided. Let me know if you have any suggestion.

Regards,
Julio Ochoa
Webjogger Internet Services
845-757-4000 ext. 124

----- Original Message -----
From: R. Scott Perry
To: [EMAIL PROTECTED]
Sent: Friday, May 07, 2004 9:47 AM
Subject: Re: [Declude.Virus] Unusual Entry in Declude Log

> I'm new to this list and to the Declude system.
>
> Yesterday I found an unusual entry in the Declude log and was wondering if someone could help me out deciphering what it is.
>
> Below is an excerpt from the log
>
> 05/06/2004 03:23:17 Qe7b006a701001294 (Error 5 at 40ee76 v1.79)
> 05/06/2004 03:23:17 Qe7b006a701001294 (log part 2 saved as C:\declude.gp2)
> 05/06/2004 03:23:17 Qe7b006a701001294 (log part 1 saved as C:\declude.gp1)
> 05/06/2004 03:23:17.697 Qe7b006a701001294 Unlocked d:\IMAIL\spool\Qe7b006a701001294.SMD.
>
> I'm concerned about the entries where it says that the program saved two files, declude.gp1 and declude.gp2. The program did indeed create both files in the C:\ drive. Does anyone know what this is about or where I can find information that will help me understand why these entries were posted in the log?

If you send those two files to [EMAIL PROTECTED], we can take a look at them to see what may have happened.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
RE: [Declude.Virus] Unknown Viruses?
> Here are some examples from the log file. Seems I do not have a virus name in any of the log messages.
>
> 05/06/2004 00:14:48 Qbba90921010cfa85 Invalid PIF Vulnerability

These are being detected by Declude Virus (ones that F-Prot is not picking up for some reason). I believe the latest interim (1.79i6) takes care of this (if not, the next interim will), so that they will appear as "Invalid PIF Vulnerability" instead of "Unknown Virus".

-Scott
Re: [Declude.Virus] Unusual Entry in Declude Log
> I'm new to this list and to the Declude system.
>
> Yesterday I found an unusual entry in the Declude log and was wondering if someone could help me out deciphering what it is.
>
> Below is an excerpt from the log
>
> 05/06/2004 03:23:17 Qe7b006a701001294 (Error 5 at 40ee76 v1.79)
> 05/06/2004 03:23:17 Qe7b006a701001294 (log part 2 saved as C:\declude.gp2)
> 05/06/2004 03:23:17 Qe7b006a701001294 (log part 1 saved as C:\declude.gp1)
> 05/06/2004 03:23:17.697 Qe7b006a701001294 Unlocked d:\IMAIL\spool\Qe7b006a701001294.SMD.
>
> I'm concerned about the entries where it says that the program saved two files, declude.gp1 and declude.gp2. The program did indeed create both files in the C:\ drive. Does anyone know what this is about or where I can find information that will help me understand why these entries were posted in the log?

If you send those two files to [EMAIL PROTECTED], we can take a look at them to see what may have happened.

-Scott
RE: [Declude.Virus] Unknown Viruses?
Scott,

From the virus.cfg file

SCANFILE D:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6

Here are some examples from the log file. Seems I do not have a virus name in any of the log messages.

05/06/2004 00:14:48 Qbba90921010cfa85 Invalid PIF Vulnerability
05/06/2004 00:14:48 Qbba90921010cfa85 File(s) are INFECTED [: 3]
05/06/2004 00:14:48 Qbba90921010cfa85 Scanned: CONTAINS A VIRUS [MIME: 2 17600]
05/06/2004 10:38:34 Q4de7012901160c06 File(s) are INFECTED [: 3]
05/06/2004 10:38:34 Q4de7012901160c06 Scanned: CONTAINS A VIRUS [MIME: 2 22573]
05/06/2004 10:39:02 Q4df9058801180c08 Scanned: Virus Free [MIME: 1 4836]

I have lots of these types but these are from Declude checking the Outlook vulnerabilities.

05/06/2004 12:13:25 Q6421067d01180f35 Invalid SCR Vulnerability
05/06/2004 12:13:25 Q6421067d01180f35 File(s) are INFECTED [[Outlook 'MIME Header' Vulnerability]: 3]
05/06/2004 12:13:26 Q6421067d01180f35 Scanned: CONTAINS A VIRUS [MIME: 3 30458]

Goran Jovanovic
The LAN Shoppe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Friday, May 07, 2004 7:10 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Unknown Viruses?
>
> >I am using F-Prot and it is working but I keep getting these
> >unidentified viruses.
> >
> >Unknown Virus virus in the Unknown File attachment
> >
> >Can anyone shed any light on this?
>
> Do you ever get the correct virus name (without "Vulnerability" in the name)? If not, then the F-Prot settings aren't correct (either it is not saving the report.txt file, or there is no REPORT line or an invalid REPORT line in the \IMail\Declude\virus.cfg file).
>
> If the virus name is shown sometimes, the log file entries should help determine what happened. If you are blocking suspicious files (with "VIRUSCODE 8" in the virus.cfg file), then the "Unknown Virus" will appear if F-Prot detects a suspicious file (since it can't know the name of a virus that it cannot detect).
>
> -Scott
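A small diagnostic for the situation Scott describes and Goran's samples show, added here as an example (it is not Declude's or F-Prot's code): it checks a virus.cfg for a REPORT line that matches the /REPORT= switch in SCANFILE, notes whether VIRUSCODE 8 makes "Unknown Virus" expected, and counts INFECTED log entries by the virus name Declude read back. The REPORT directive is assumed to take the report filename as its single argument; the config and log lines are constructed after the ones in this thread.

```python
import re
from collections import Counter

# Constructed virus.cfg in the shape Goran quoted; the REPORT line is deliberately absent.
SAMPLE_CFG = r"""
SCANFILE D:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
"""

# Constructed log lines modelled on the ones in the thread (the Netsky name is made up).
SAMPLE_LOG = """\
05/06/2004 00:14:48 Qbba90921010cfa85 File(s) are INFECTED [: 3]
05/06/2004 10:38:34 Q4de7012901160c06 File(s) are INFECTED [: 3]
05/06/2004 10:39:02 Q4df9058801180c08 Scanned: Virus Free [MIME: 1 4836]
05/06/2004 12:13:25 Q6421067d01180f35 File(s) are INFECTED [[Outlook 'MIME Header' Vulnerability]: 3]
05/06/2004 12:20:00 Q6421067d01180f40 File(s) are INFECTED [W32/Netsky.P@mm: 3]
"""

# date time queue-id "File(s) are INFECTED [<name>: <code>]"; <name> is empty when none was read
INFECTED_RE = re.compile(r"^\S+ \S+ (Q\w+) File\(s\) are INFECTED \[(.*): (\d+)\]$")

def check_cfg(cfg_text):
    """Return a list of findings explaining why virus names could come back empty."""
    findings = []
    scanfile = report = None
    viruscodes = set()
    for line in cfg_text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        key = parts[0].upper()
        val = parts[1] if len(parts) > 1 else ""
        if key == "SCANFILE":
            scanfile = val
        elif key == "REPORT":      # assumed syntax: REPORT <filename>
            report = val.strip()
        elif key == "VIRUSCODE" and val.isdigit():
            viruscodes.add(int(val))
    m = re.search(r"/REPORT=(\S+)", scanfile or "", re.I)
    scanner_report = m.group(1) if m else None
    if scanner_report is None:
        findings.append("SCANFILE does not tell F-Prot to write a report file")
    if report is None:
        findings.append("no REPORT line: Declude cannot read virus names")
    elif scanner_report and report.lower() != scanner_report.lower():
        findings.append("REPORT line names a different file than /REPORT=")
    if 8 in viruscodes:
        findings.append("VIRUSCODE 8 set: 'Unknown Virus' is expected for suspicious files")
    return findings

def classify_log(log_text):
    """Count INFECTED entries per virus name; the key '' means no name was read."""
    names = Counter()
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            names[m.group(2)] += 1
    return names
```

Run check_cfg on the live virus.cfg and classify_log on a day's log together: many entries under '' with a missing REPORT finding points at the configuration, while '' entries with a clean configuration point at VIRUSCODE 8 or at a scanner that did not write its report.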
[Declude.Virus] Unusual Entry in Declude Log
Hi,

I'm new to this list and to the Declude system.

Yesterday I found an unusual entry in the Declude log and was wondering if someone could help me out deciphering what it is.

Below is an excerpt from the log

05/06/2004 03:23:17 Qe7b006a701001294 (Error 5 at 40ee76 v1.79)
05/06/2004 03:23:17 Qe7b006a701001294 (log part 2 saved as C:\declude.gp2)
05/06/2004 03:23:17 Qe7b006a701001294 (log part 1 saved as C:\declude.gp1)
05/06/2004 03:23:17.697 Qe7b006a701001294 Unlocked d:\IMAIL\spool\Qe7b006a701001294.SMD.

I'm concerned about the entries where it says that the program saved two files, declude.gp1 and declude.gp2. The program did indeed create both files in the C:\ drive. Does anyone know what this is about or where I can find information that will help me understand why these entries were posted in the log?

Thank you in advance.

Regards,
Julio Ochoa
Webjogger Internet Services
845-757-4000 ext. 124
RE: [Declude.Virus] Feature Request: Deletion of banned files
Thanx, I am going to shamelessly plagiarize. :>

Goran Jovanovic
The LAN Shoppe
2345 Yonge Street, Suite 302
Toronto, Ontario M4P 2E5
Phone: (416) 440-1167 x-2113
Cell: (416) 931-0688
E-Mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, May 07, 2004 3:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

What it does is move everything in the virus folder to a folder called day1, move everything in day1 to day2 and so forth, and delete what is in day5. Attached is the script. Runs daily at 12:05 AM. I am sure someone can come up with a cleaner one, but it works. It also sends a report.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 06, 2004 8:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

John,

Does this script delete just the files with the banned attachments or anything over 5 days old? Are you willing to share the script?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, April 30, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

I have a script that runs just after midnight each day that in effect deletes those held after 5 days.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, April 30, 2004 6:21 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Feature Request: Deletion of banned files

Hi Scott,

We seem to be spending more and more time deleting from the virus hold queue files that have .PIF and .SCR extensions. We'd like to request a little more granular control over banning of extensions...specifically, a setting to go ahead and delete some of them. For example, instead of

BANEXT PIF

perhaps we could use

DELEXT PIF

Obviously there are a number of other extensions we would continue to ban, and check for legitimacy, but this would be helpful.

Thoughts?

Darin.
RE: [Declude.Virus] Unknown Viruses?
I can see also a lot of these "unknown virus" reports. (See attached admin-notify message.) All are coming from <>, [EMAIL PROTECTED] or are NDRs. F-Prot reports an unknown virus. I don't know why, but from the message headers I can see that practically all of these NDRs are "useless" because they are generated from worm messages with forged mailfrom addresses.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Friday, May 07, 2004 1:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Unknown Viruses?
>
> >I am using F-Prot and it is working but I keep getting these
> >unidentified viruses.
> >
> >Unknown Virus virus in the Unknown File attachment
> >
> >Can anyone shed any light on this?
>
> Do you ever get the correct virus name (without "Vulnerability" in the name)? If not, then the F-Prot settings aren't correct (either it is not saving the report.txt file, or there is no REPORT line or an invalid REPORT line in the \IMail\Declude\virus.cfg file).
>
> If the virus name is shown sometimes, the log file entries should help determine what happened. If you are blocking suspicious files (with "VIRUSCODE 8" in the virus.cfg file), then the "Unknown Virus" will appear if F-Prot detects a suspicious file (since it can't know the name of a virus that it cannot detect).
>
> -Scott

--- Begin Message ---
Title: Virus Report

Virus in einer Email gefunden.

Virus: Unknown Virus
Datei: Unknown File
von: <>
an: [EMAIL PROTECTED]
Betreff: Mail delivery failed: returning message to sender
Empfänger: 1
Queuename: D609901dc0098aeb0.SMD
Datum: 05/03/2004
Zeit: 17:09:15
Remotehost: Unknown (194.123.123.82)
Localhost: local-domain.it
D.Version: 1.79i6

Header:
Received: from mailout05.sul.t-online.com [194.25.134.82] by mail.zcom.it with ESMTP (SMTPD32-7.15) id A0991DC0098; Mon, 03 May 2004 17:09:13 +0200
Received: from mailin05.aul.t-online.de by mailout05.sul.t-online.com with smtp id 1BKf4C-00072N-00; Mon, 03 May 2004 17:09:12 +0200
X-Failed-Recipients: [EMAIL PROTECTED]
From: Mail Delivery System <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Mail delivery failed: returning message to sender
Message-Id: <[EMAIL PROTECTED]>
Date: Mon, 3 May 2004 17:08:41 +0200
--- End Message ---
Re: [Declude.Virus] Unknown Viruses?
> I am using F-Prot and it is working but I keep getting these unidentified viruses.
>
> Unknown Virus virus in the Unknown File attachment
>
> Can anyone shed any light on this?

Do you ever get the correct virus name (without "Vulnerability" in the name)? If not, then the F-Prot settings aren't correct (either it is not saving the report.txt file, or there is no REPORT line or an invalid REPORT line in the \IMail\Declude\virus.cfg file).

If the virus name is shown sometimes, the log file entries should help determine what happened. If you are blocking suspicious files (with "VIRUSCODE 8" in the virus.cfg file), then the "Unknown Virus" will appear if F-Prot detects a suspicious file (since it can't know the name of a virus that it cannot detect).

-Scott
RE: [Declude.Virus] Feature Request: Deletion of banned files
What it does is move everything in the virus folder to a folder called day1, move everything in day1 to day2 and so forth, and delete what is in day5. Attached is the script. Runs daily at 12:05 AM. I am sure someone can come up with a cleaner one, but it works. It also sends a report.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 06, 2004 8:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

John,

Does this script delete just the files with the banned attachments or anything over 5 days old? Are you willing to share the script?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, April 30, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Feature Request: Deletion of banned files

I have a script that runs just after midnight each day that in effect deletes those held after 5 days.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, April 30, 2004 6:21 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Feature Request: Deletion of banned files

Hi Scott,

We seem to be spending more and more time deleting from the virus hold queue files that have .PIF and .SCR extensions. We'd like to request a little more granular control over banning of extensions...specifically, a setting to go ahead and delete some of them. For example, instead of

BANEXT PIF

perhaps we could use

DELEXT PIF

Obviously there are a number of other extensions we would continue to ban, and check for legitimacy, but this would be helpful.

Thoughts?

Darin.

Attached script:

rem Rotate the Declude virus hold queue one stage per daily run:
rem today -> day1 -> day2 -> day3 -> day4 -> day5 -> deleted -> purged.
rem "deleted" is emptied first, so a held message is removed only after it
rem has passed through every stage.
cd F:\spool\virus
F:
del F:\spool\virus\deleted\*.* /F /Q
move /Y F:\spool\virus\day5\*.* F:\spool\virus\deleted\
move /Y F:\spool\virus\day4\*.* F:\spool\virus\day5\
move /Y F:\spool\virus\day3\*.* F:\spool\virus\day4\
move /Y F:\spool\virus\day2\*.* F:\spool\virus\day3\
move /Y F:\spool\virus\day1\*.* F:\spool\virus\day2\
rem Build the reports from today's held messages. "find" over several files
rem prints a "---------- filename" banner before each file, so a second find
rem over the first output keeps only the matching header lines.
find "X-Note: This e-mail was received from IP:" D*.SMD > file1a.txt
find "X-Note: This e-mail was received from IP:" file1a.txt > file1b.txt
sort < file1b.txt > file1.txt
find "Received:" D*.SMD > file2a.txt
find "Received:" file2a.txt > file2b.txt
sort < file2b.txt > file2.txt
rem Move today's .SMD and .GSC files into day1.
xcopy *.smd f:\spool\virus\day1
xcopy *.GSC f:\spool\virus\day1
del *.smd
del *.GSC
rem Mail both sorted reports with IMail's command-line sender.
c:\imail\imail1.exe -f c:\batchfiles\virusfrombody.txt -s "Virus report eServices For You by IP" -t [EMAIL PROTECTED] -u [EMAIL PROTECTED] -a f:\spool\virus\file1.txt
c:\imail\imail1.exe -f c:\batchfiles\virusfrombody.txt -s "Virus report eServices For You by Received" -t [EMAIL PROTECTED] -u [EMAIL PROTECTED] -a f:\spool\virus\file2.txt
rem Clean up the temporary report files.
del file1a.txt
del file1b.txt
del file1.txt
del file2a.txt
del file2b.txt
del file2.txt
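Darin's DELEXT idea and John's rotation script both want age-based cleanup of the hold queue, but John's script deletes everything after five days regardless of why it was held. The following is an added example (not Declude's code and not John's script) of the more selective variant: it deletes a held .SMD file only when it is older than the cutoff and every attachment in it carries an extension from the DELEXT set, and keeps everything else for a human to check. The .SMD files are assumed to be plain RFC 822 messages; the sample queue it builds is constructed, not captured mail.

```python
import os
import tempfile
import time
from email import message_from_bytes
from email.message import EmailMessage

def attachment_exts(path):
    """Upper-case extensions (no dot) of every attachment in one spool file."""
    with open(path, "rb") as fh:
        msg = message_from_bytes(fh.read())
    exts = set()
    for part in msg.walk():
        name = part.get_filename()
        if name:
            exts.add(os.path.splitext(name)[1].lstrip(".").upper())
    return exts

def prune_hold_queue(hold_dir, delete_exts, max_age_days, now=None):
    """Delete .SMD files older than max_age_days whose attachments all carry a
    DELEXT extension; anything else (other banned types, mixed content, too
    recent) stays held. Returns (deleted, kept) lists of basenames."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    deleted, kept = [], []
    for name in sorted(os.listdir(hold_dir)):
        if not name.upper().endswith(".SMD"):
            continue
        path = os.path.join(hold_dir, name)
        exts = attachment_exts(path)
        old = os.path.getmtime(path) < cutoff
        if old and exts and exts <= delete_exts:
            os.remove(path)
            deleted.append(name)
        else:
            kept.append(name)
    return deleted, kept

def build_demo_queue(hold_dir, now):
    """Write constructed sample spool files with chosen attachment names and ages."""
    samples = [("Q1.SMD", "message.htm.com", 6), ("Q2.SMD", "notice.pif", 6),
               ("Q3.SMD", "report.scr", 2), ("Q4.SMD", "secrets.zip", 6)]
    for fname, attach, age_days in samples:
        msg = EmailMessage()
        msg["Subject"] = "sample"
        msg.set_content("constructed body")
        msg.add_attachment(b"\x00", maintype="application", subtype="octet-stream", filename=attach)
        path = os.path.join(hold_dir, fname)
        with open(path, "wb") as fh:
            fh.write(bytes(msg))
        mtime = now - age_days * 86400          # backdate the file to simulate age
        os.utime(path, (mtime, mtime))

def demo():
    """Prune a constructed queue: only the 6-day-old .PIF message qualifies."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        build_demo_queue(d, now)
        return prune_hold_queue(d, {"PIF", "SCR"}, 5, now=now)
```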