Re: [Declude.Virus] Mysterious
R. Scott Perry wrote:

> > ... especially with all these new potential dangerous JPG's floating around (BTW, how common are these, has anyone been picking them up with declude?)
>
> I'm not aware of any being picked up with Declude Virus yet. But there was a report earlier today of a trojan horse spreading in Usenet newsgroups using this exploit.

To be honest, I expect the overwhelming majority of these to be on web sites, rather than embedded in e-mails. Still, it's good to know that Declude is on the job. :)

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.

---
[This E-mail scanned for viruses by Declude Virus / Sophos AV]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.

[Declude.Virus] Virus test tools
Is there going to be a test added to the Tools page to test to see if the GDIplus.dll exploit will be caught?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

RE: [Declude.Virus] Mysterious
> I used the label "mysterious" because people (like me) had been highly anticipating the JPEG detection feature - and today we learn purely by accident that there are new interim and "release" releases.

FYI, there was no new interim. Someone went to the URL to get an interim, saw that it wasn't what they expected (I have no idea what they expected), and posted about it. The only new release today is 1.80, which as expected, had the GDIPlus.dll Exploit detection.

> Mystery is an appropriate word, since I (the customer) know of no way to determine the changes in the interim releases - e.g., if it may contain the JPEG detection feature. I am monitoring this list and I don't believe it saw any prior discussion on -i20 that would have lifted the mystery.

IIRC, the 1.79i20 that someone posted about was released last week.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.

Re: [Declude.Virus] Mysterious
> Yes Scott, thank you for updating Declude as well. I would prefer to have notifications of new releases go out ASAP to the lists, so that we as customers can decide if they are a priority to get installed...

I agree. :) If I had been the one deciding, I would likely have notified the lists first, then the website, then individual customers.

> ... especially with all these new potential dangerous JPG's floating around (BTW, how common are these, has anyone been picking them up with declude?)

I'm not aware of any being picked up with Declude Virus yet. But there was a report earlier today of a trojan horse spreading in Usenet newsgroups using this exploit.

> Also it would have been nice to know about your change to how new versions were downloaded and installed on your website. If I was downloading a new version for an emergency use having to register to download the new version, even though we have been a customer for many years, then having to read documentation to figure out which version (automated, or manual), would be preferred to download (what about providing a 3rd old school exe only version.

The ideas of requiring people to register and the install program are new, so there may be some ways that they can be improved for future releases. We'll be listening to any issues people report.

-Scott

Re: [Declude.Virus] Mysterious
Yes Scott, thank you for updating Declude as well. I would prefer to have notifications of new releases go out ASAP to the lists, so that we as customers can decide if they are a priority to get installed, especially with all these new potential dangerous JPG's floating around (BTW, how common are these, has anyone been picking them up with declude?)

Also it would have been nice to know about your change to how new versions were downloaded and installed on your website. If I was downloading a new version for an emergency use having to register to download the new version, even though we have been a customer for many years, then having to read documentation to figure out which version (automated, or manual), would be preferred to download (what about providing a 3rd old school exe only version.

Jim Matuska Jr.
Computer Tech II CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

- Original Message -
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 27, 2004 3:32 PM
Subject: RE: [Declude.Virus] Mysterious

Sorry - new thread, as requested.

I used the label "mysterious" because people (like me) had been highly anticipating the JPEG detection feature - and today we learn purely by accident that there are new interim and "release" releases.

Mystery is an appropriate word, since I (the customer) know of no way to determine the changes in the interim releases - e.g., if it may contain the JPEG detection feature. I am monitoring this list and I don't believe it saw any prior discussion on -i20 that would have lifted the mystery.

Anyway - thank you for updating Declude with the new feature and thank you for updating the documentation (if I understand the other customers correctly.)

Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

RE: [Declude.Virus] Mysterious
Sorry - new thread, as requested.

I used the label "mysterious" because people (like me) had been highly anticipating the JPEG detection feature - and today we learn purely by accident that there are new interim and "release" releases.

Mystery is an appropriate word, since I (the customer) know of no way to determine the changes in the interim releases - e.g., if it may contain the JPEG detection feature. I am monitoring this list and I don't believe it saw any prior discussion on -i20 that would have lifted the mystery.

Anyway - thank you for updating Declude with the new feature and thank you for updating the documentation (if I understand the other customers correctly.)

Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

RE: [Declude.Virus] Fprot GDI Scanner lines.
> Which one is considered the "latest".

Unless otherwise specified, "latest" refers to a beta or release. In this case, it is specifically the v1.80 release.

> Is that the mysterious latest interim 20 that end-users have announced on this list?

There's nothing mysterious about interims. We do not announce interims, but have a URL where people can get them. Someone found that there was a new interim, posted about it, and asked questions about it. There was nothing mysterious about it -- we needed to come out with a new interim, did, and made it available for the person who needed it.

Yes, I know there are people who want interims that are more like betas (announced and/or documented somehow), but if people want to bring that up, they should do so in another thread. And yes, I know that you know how interims work, and that you know there is nothing mysterious about this one (in that it was handled exactly the same as interims have been handled for several years now).

> Or is that the Version 1.80 that end-users have announced on this list. (If I somehow got unsubscribed from the "announcement" list then I apologize for wasting bandwidth.)

It hasn't been announced on the lists yet. It was decided to have the release announced on the website before notifying customers via E-mail.

-Scott

RE: [Declude.Virus] Fprot GDI Scanner lines.
Which one is considered the "latest". Is that the mysterious latest interim 20 that end-users have announced on this list? Or is that the Version 1.80 that end-users have announced on this list. (If I somehow got unsubscribed from the "announcement" list then I apologize for wasting bandwidth.)

Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, September 27, 2004 05:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

>Same here. Is there a way to make f-prot w\Declude catch these?

The latest release of Declude Virus will automatically detect the GDIPlus.dll JPEG exploit.

-Scott

RE: [Declude.Virus] Fprot GDI Scanner lines.
> Same here. Is there a way to make f-prot w\Declude catch these?

The latest release of Declude Virus will automatically detect the GDIPlus.dll JPEG exploit.

-Scott

RE: [Declude.Virus] Fprot GDI Scanner lines.
Same here. Is there a way to make f-prot w\Declude catch these?

-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, September 27, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

Never mind, found a copy of it, just had trouble with the German. It seems my Inoc caught it correctly, however, the Fprot didn't, gave me error.

Q6f7408d2006085b0 Scanner 1 reported error code #8, which is listed as OK
09/27/2004 15:52:20 Q6f7408d2006085b0 Scanner 2: Virus= JPEG.MS04-028.Exploit.Trojan Attachment=jpegcompoc.zip.ZIP [1] I
09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [ JPEG.MS04-028.Exploit.Trojan: 101]

Keith

-Original Message-
From: Keith Johnson on behalf of Keith Johnson
Sent: Mon 9/27/2004 3:02 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

Mark,
What did you use to generate the GDI Exploit test file? Thanks

Keith

-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Smith
Sent: Mon 9/27/2004 1:55 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

Send a GDI Exploit test file through. You'll get the error "Can't Parse Virus type" in the Declude Virus log.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
> Sent: Saturday, September 25, 2004 11:22 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Fprot GDI Scanner lines.
>
> - Original Message -
> From: "Mark Smith" <[EMAIL PROTECTED]>
>
> > Actually this breaks Declude because Declude Virus can't look for multiple
> > REPORT lines.
> >
> > Scott,
> > How can we setup Declude Virus to look for multiple lines in the report.txt
> > file?
>
> I've been running F-Prot Version 3.15b since it was released yesterday and
> have not had to make any changes to my virus config to support the new
> version. It has been running exactly the way it always has.
>
> Bill

RE: [Declude.Virus] Fprot GDI Scanner lines.
Never mind, found a copy of it, just had trouble with the German. It seems my Inoc caught it correctly, however, the Fprot didn't, gave me error.

Q6f7408d2006085b0 Scanner 1 reported error code #8, which is listed as OK
09/27/2004 15:52:20 Q6f7408d2006085b0 Scanner 2: Virus= JPEG.MS04-028.Exploit.Trojan Attachment=jpegcompoc.zip.ZIP [1] I
09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [ JPEG.MS04-028.Exploit.Trojan: 101]

Keith

-Original Message-
From: Keith Johnson on behalf of Keith Johnson
Sent: Mon 9/27/2004 3:02 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

Mark,
What did you use to generate the GDI Exploit test file? Thanks

Keith

-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Smith
Sent: Mon 9/27/2004 1:55 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

Send a GDI Exploit test file through. You'll get the error "Can't Parse Virus type" in the Declude Virus log.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Saturday, September 25, 2004 11:22 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Fprot GDI Scanner lines.
>
> - Original Message -
> From: "Mark Smith" <[EMAIL PROTECTED]>
>
> > Actually this breaks Declude because Declude Virus can't look for multiple
> > REPORT lines.
> >
> > Scott,
> > How can we setup Declude Virus to look for multiple lines in the report.txt
> > file?
>
> I've been running F-Prot Version 3.15b since it was released yesterday and
> have not had to make any changes to my virus config to support the new
> version. It has been running exactly the way it always has.
>
> Bill

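
Added example (not part of the original thread and not Declude's own code): the log excerpt above shows Scanner 1 returning code 8, accepted as OK, for a file that Scanner 2 identified as JPEG.MS04-028.Exploit.Trojan. The sketch below audits a log for that pattern; the line format is inferred only from the three quoted log lines, and the last sample line with its queue ID is constructed.

```python
import re
from collections import defaultdict

# First three lines are copied from the log excerpt in the post above (the
# first one has no timestamp there); the last line and its queue ID are
# constructed for contrast.
SAMPLE_LOG = """\
Q6f7408d2006085b0 Scanner 1 reported error code #8, which is listed as OK
09/27/2004 15:52:20 Q6f7408d2006085b0 Scanner 2: Virus= JPEG.MS04-028.Exploit.Trojan Attachment=jpegcompoc.zip.ZIP [1] I
09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [ JPEG.MS04-028.Exploit.Trojan: 101]
09/27/2004 16:10:05 Qffffffff00000001 Scanner 1 reported error code #8, which is listed as OK
"""

# Assumed line shape: optional "MM/DD/YYYY HH:MM:SS", queue ID, free text.
LINE = re.compile(r"^(?:\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+)?(Q[0-9a-fA-F]+)\s+(.*)$")
OK_CODE = re.compile(r"Scanner (\d+) reported error code #(\d+), which is listed as OK")
VIRUS = re.compile(r"Scanner (\d+): Virus=\s*(\S+)")


def audit(log_text):
    """Return one finding per non-zero scanner code that was accepted as OK."""
    accepted = defaultdict(dict)  # queue ID -> {scanner number: return code}
    detected = defaultdict(dict)  # queue ID -> {scanner number: virus name}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-message log line
        qid, text = m.groups()
        ok = OK_CODE.search(text)
        if ok and int(ok.group(2)) != 0:
            accepted[qid][int(ok.group(1))] = int(ok.group(2))
        hit = VIRUS.search(text)
        if hit:
            detected[qid][int(hit.group(1))] = hit.group(2)

    findings = []
    for qid, codes in accepted.items():
        for scanner, code in sorted(codes.items()):
            # Detections made by any *other* scanner on the same message.
            others = {s: v for s, v in detected.get(qid, {}).items() if s != scanner}
            findings.append({
                "qid": qid, "scanner": scanner, "code": code,
                # "missed": another scanner named a virus in the same message.
                # "unverified": no other scanner reported a virus, so the
                # accepted code cannot be cross-checked from the log.
                "status": "missed" if others else "unverified",
                "caught_by": others,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["qid"], f"scanner {f['scanner']} code {f['code']}:", f["status"], f["caught_by"])
```
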
RE: [Declude.Virus] Fprot GDI Scanner lines.
Mark,
What did you use to generate the GDI Exploit test file? Thanks

Keith

-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Smith
Sent: Mon 9/27/2004 1:55 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

Send a GDI Exploit test file through. You'll get the error "Can't Parse Virus type" in the Declude Virus log.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Saturday, September 25, 2004 11:22 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Fprot GDI Scanner lines.
>
> - Original Message -
> From: "Mark Smith" <[EMAIL PROTECTED]>
>
> > Actually this breaks Declude because Declude Virus can't look for multiple
> > REPORT lines.
> >
> > Scott,
> > How can we setup Declude Virus to look for multiple lines in the report.txt
> > file?
>
> I've been running F-Prot Version 3.15b since it was released yesterday and
> have not had to make any changes to my virus config to support the new
> version. It has been running exactly the way it always has.
>
> Bill