RE: [Declude.Virus] embedded AVG issue

2010-05-10 Thread David Barker
Don,

 

The ZIP contains the correct DLLs. The full Declude list of DLLs is as
follows (avgcertx.dll is not used and was only around during the interim
releases):

COMMTOUCH
asapsdk.dll

PCRE
pcre3.dll

AVG
Avgsdk.dll
Avgcorex.dll
Avgcerta.dll

SNF
Mingwm10.dll
Snfmulti.dll

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
decl...@mail.net1media.com
Sent: Monday, May 10, 2010 5:02 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

 

Thanks Andy,

 

I found that I do not have avgcertx.dll.  Should this file have been
included in the zip download David made?

 

Don

 

- Original Message - 

From: Andy Schmidt   

To: declude.virus@declude.com 

Sent: Monday, May 10, 2010 9:05 AM

Subject: RE: [Declude.Virus] embedded AVG issue

 

Hi Don,

 

Here's what I have in C:\Imail\

 

11/06/2008  12:49 PM            61,440 AvApiBit.dll
11/06/2008  12:49 PM            61,440 AvApiSym.dll
04/29/2010  04:13 PM           834,328 avgcerta.dll
04/29/2010  04:13 PM           623,384 avgcertx.dll
04/29/2010  04:13 PM         4,250,392 avgcorex.dll
04/29/2010  04:13 PM           312,320 avgsdk.dll
10/21/2005  10:43 AM            32,768 Declude.exe
04/29/2010  04:12 PM         2,318,428 decludeproc.exe

 

(You can disregard the dates/times, they just represent the time when I
copied those files).

 

Maybe do a

 

DIR C:\av*.dll  /s

 

to make sure you don't have any duplicates elsewhere.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
decl...@mail.net1media.com
Sent: Monday, May 10, 2010 7:28 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

 

David,

 

I was having this issue so I followed your directions below.  After
overwriting the current dlls, I could not get decludeproc to start.  I
determined that it was the avgsdk.dll that was in the newly downloaded zip
file that was the culprit.  I had to restore a previous version to get
everything working again.  I did notice that the new avgsdk.dll is
substantially smaller than the old version.

 

So  I am still having the issue originally described in the post.

 

Don

 

- Original Message - 

From: David Barker   

To: declude.virus@declude.com 

Sent: Friday, May 07, 2010 1:25 PM

Subject: RE: [Declude.Virus] embedded AVG issue

 

We have seen this mostly with manual installs. Error: Could not start AVG
Instance (17) has to do with the DLL. Please contact supp...@declude.com if
you need assistance.

 

1.   Stop decludeproc
2.   Download http://interim.declude.com/41048/AVG-DLL.zip
3.   Extract and replace the dll files, overwriting your current dlls.
4.   Start decludeproc
5.   If the error persists or you get error 2 or error 4
6.   Stop decludeproc
7.   Delete all files in \declude\scanners\avg\db\
8.   Start decludeproc; this will initiate a new download of the AVG
signatures

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

 

I thought I would check my virus logs, which I have not done for a while.

 

It is not working.

 

See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

 

What could be the issue here?

 

Thank you

 

Please note our new Address

 

Harry Vanderzand

Intown Internet

740 Erbsville Road

Waterloo, On, N2J 3Z4

519-741-1222

 

DISCLAIMER: The information in this message is confidential and may be
legally privileged. It is intended solely for the addressee. Access to this
message by anyone else is unauthorised. If you are not the intended
recipient, any disclosure, copying,or distribution of the message, or any
action or omission taken by you in reliance on it, is prohibited and may be
unlawful. Please immediately contact the sender if you have received this
message in error. Thank you. 

 

 


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com. 
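
Added example, not part of the original thread and not Declude's own tooling: the log excerpt quoted above shows a message logged as "Scanned: Virus Free" immediately after "Error: Could not start AVG Instance (17)". The Python below flags every message whose clean verdict follows an AVG start error. The line layout (timestamp, spool file, text) is an assumption inferred from the four quoted lines, and the sample log is constructed from them, with one line left wrapped the way the archive shows it.

```python
import re

# Constructed sample: the four log lines quoted in the thread. The third entry
# is left wrapped across two lines, as it appears in the archived message.
SAMPLE_LOG = """\
05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG
Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]
"""

# Assumed layout: "MM/DD/YYYY HH:MM:SS.mmm <spool file> <text>".
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$")
ENGINE_ERR_RE = re.compile(r"Error: Could not start AVG Instance \((\d+)\)")


def parse_log(text):
    """Return (timestamp, spool_id, message) tuples, re-joining wrapped lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match:
            records.append([match.group(1), match.group(2), match.group(3)])
        elif records:
            # No leading timestamp: treat as the continuation of the previous entry.
            records[-1][2] += " " + line
    return [tuple(r) for r in records]


def find_unscanned_clean(text):
    """List (spool_id, error_code) for messages logged clean after an AVG start error."""
    pending_errors = {}  # spool_id -> AVG error code seen for that message
    hits = []
    for _timestamp, spool_id, message in parse_log(text):
        err = ENGINE_ERR_RE.search(message)
        if err:
            pending_errors[spool_id] = int(err.group(1))
        elif message.startswith("Scanned: Virus Free") and spool_id in pending_errors:
            hits.append((spool_id, pending_errors.pop(spool_id)))
    return hits


if __name__ == "__main__":
    for spool_id, code in find_unscanned_clean(SAMPLE_LOG):
        print(f"{spool_id}: logged Virus Free after AVG start error {code}")
```
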



Re: [Declude.Virus] embedded AVG issue

2010-05-10 Thread declude
Thanks Andy,

I found that I do not have avgcertx.dll.  Should this file have been included 
in the zip download David made?

Don

  - Original Message - 
  From: Andy Schmidt 
  To: declude.virus@declude.com 
  Sent: Monday, May 10, 2010 9:05 AM
  Subject: RE: [Declude.Virus] embedded AVG issue


  Hi Don,

   

  Here's what I have in C:\Imail\

   

  11/06/2008  12:49 PM            61,440 AvApiBit.dll
  11/06/2008  12:49 PM            61,440 AvApiSym.dll
  04/29/2010  04:13 PM           834,328 avgcerta.dll
  04/29/2010  04:13 PM           623,384 avgcertx.dll
  04/29/2010  04:13 PM         4,250,392 avgcorex.dll
  04/29/2010  04:13 PM           312,320 avgsdk.dll
  10/21/2005  10:43 AM            32,768 Declude.exe
  04/29/2010  04:12 PM         2,318,428 decludeproc.exe

   

  (You can disregard the dates/times, they just represent the time when I 
copied those files).

   

  Maybe do a

   

  DIR C:\av*.dll  /s

   

  to make sure you don't have any duplicates elsewhere.

   

  Best Regards,

  Andy

   

  From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of 
decl...@mail.net1media.com
  Sent: Monday, May 10, 2010 7:28 AM
  To: declude.virus@declude.com
  Subject: Re: [Declude.Virus] embedded AVG issue

   

  David,

   

  I was having this issue so I followed your directions below.  After 
overwriting the current dlls, I could not get decludeproc to start.  I 
determined that it was the avgsdk.dll that was in the newly downloaded zip file 
that was the culprit.  I had to restore a previous version to get everything 
working again.  I did notice that the new avgsdk.dll is substantially smaller 
than the old version.

   

  So  I am still having the issue originally described in the post.

   

  Don

   

- Original Message - 

From: David Barker 

To: declude.virus@declude.com 

Sent: Friday, May 07, 2010 1:25 PM

Subject: RE: [Declude.Virus] embedded AVG issue

 

We have seen this mostly with manual installs. Error: Could not start AVG 
Instance (17) has to do with the DLL. Please contact supp...@declude.com if you 
need assistance.

 

1.   Stop decludeproc
2.   Download http://interim.declude.com/41048/AVG-DLL.zip
3.   Extract and replace the dll files, overwriting your current dlls.
4.   Start decludeproc
5.   If the error persists or you get error 2 or error 4
6.   Stop decludeproc
7.   Delete all files in \declude\scanners\avg\db\
8.   Start decludeproc; this will initiate a new download of the AVG
signatures

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry 
Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

 

I thought I would check my virus logs, which I have not done for a while.

 

It is not working.

 

See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

 

What could be the issue here?

 

Thank you

 

Please note our new Address

 

Harry Vanderzand

Intown Internet

740 Erbsville Road

Waterloo, On, N2J 3Z4

519-741-1222

 


Re: [Declude.Virus] False Positives

2010-05-10 Thread Linda Pagillo
Kevin, could you please send me one of the actual emails that was caught by 
the 'uuencoding bad end' Vulnerability as an attachment? Also, could you put 
your virus.cfg file in debug mode and send me the entire log snip from the 
next message that is caught by this vulnerability? You can send it directly 
to me if you like. My email address is lpagi...@declude.com. Thanks.


--
From: "Linda Pagillo" 
Sent: Sunday, May 09, 2010 7:07 PM
To: 
Subject: Re: [Declude.Virus] False Positives

You're welcome, Kevin and thanks for the log snip. I sent it over to 
development to obtain more detailed information about it. I will let you 
know as soon as I receive a response.


--
From: "Kevin Rogers" 
Sent: Friday, May 07, 2010 6:02 PM
To: 
Cc: "Linda Pagillo" 
Subject: Re: [Declude.Virus] False Positives


Thanks for your help Linda.

Here are a couple log snippets of the 'uuencoding bad end' Vulnerability


05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]

05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65
05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543
05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408]




On 5/7/2010 7:31 AM, Linda Pagillo wrote:
Hi Kevin. Thanks for your post. I first would like to explain that what 
you are seeing is not a false-positive. The address that the emails are 
coming from is not a factor in the case of vulnerabilities. Our 
vulnerability checking looks for exploits in an email. If it finds one, 
it will mark it no matter who it is coming from. This is correct 
behavior for the tests and therefore, not a false-positive.


As for allowing these for everyone who sends to your server, I would 
advise against it, but of course, it is your choice. Instead I would 
allow vulnerabilities on a per-sender basis in order to be safe. For 
example, you said that you received 10 emails from a legit address that 
were caught as a vulnerability. In that case, I would allow 
vulnerabilities for that particular user. You can do that by adding a 
line to your virus.cfg file...


ALLOWVULNERABILITIESFROM u...@domain.com

If you wanted to allow vulnerabilities from the entire domain, you would 
add the following line instead...


ALLOWVULNERABILITIESFROM domain.com (without the @ symbol)

You mentioned that the vulnerability you are seeing from the user in 
question is the 'uuencoding bad end' Vulnerability. Where are you seeing 
this? Is it in the email or the virus.cfg log? Could you copy and paste 
it from the log or email so I can send it over to development for 
review? Thanks again.


--
From: "Kevin Rogers" 
Sent: Thursday, May 06, 2010 8:39 PM
To: 
Subject: [Declude.Virus] False Positives


I'm getting several false positives a day for the following tests:

[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble

Today I received 10 false positives (from the same legit email address) 
of ['uuencoding bad end' Vulnerability]


I can't even find the 'uuencoding bad end' vulnerability in virus.cfg 
to allow it.  This is the first I've seen of this test.




I was getting too many of the OLMIMESEGMIMEPRE test before I had to 
allow them.


I am running the latest v4.10.48 on Imail.

Are other people using these tests without many/any false positives?







RE: [Declude.Virus] embedded AVG issue

2010-05-10 Thread Andy Schmidt
Hi Don,

 

Here's what I have in C:\Imail\

 

11/06/2008  12:49 PM            61,440 AvApiBit.dll
11/06/2008  12:49 PM            61,440 AvApiSym.dll
04/29/2010  04:13 PM           834,328 avgcerta.dll
04/29/2010  04:13 PM           623,384 avgcertx.dll
04/29/2010  04:13 PM         4,250,392 avgcorex.dll
04/29/2010  04:13 PM           312,320 avgsdk.dll
10/21/2005  10:43 AM            32,768 Declude.exe
04/29/2010  04:12 PM         2,318,428 decludeproc.exe

 

(You can disregard the dates/times, they just represent the time when I
copied those files).

 

Maybe do a

 

DIR C:\av*.dll  /s

 

to make sure you don't have any duplicates elsewhere.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
decl...@mail.net1media.com
Sent: Monday, May 10, 2010 7:28 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

 

David,

 

I was having this issue so I followed your directions below.  After
overwriting the current dlls, I could not get decludeproc to start.  I
determined that it was the avgsdk.dll that was in the newly downloaded zip
file that was the culprit.  I had to restore a previous version to get
everything working again.  I did notice that the new avgsdk.dll is
substantially smaller than the old version.

 

So  I am still having the issue originally described in the post.

 

Don

 

- Original Message - 

From: David Barker   

To: declude.virus@declude.com 

Sent: Friday, May 07, 2010 1:25 PM

Subject: RE: [Declude.Virus] embedded AVG issue

 

We have seen this mostly with manual installs. Error: Could not start AVG
Instance (17) has to do with the DLL. Please contact supp...@declude.com if
you need assistance.

 

1.   Stop decludeproc
2.   Download http://interim.declude.com/41048/AVG-DLL.zip
3.   Extract and replace the dll files, overwriting your current dlls.
4.   Start decludeproc
5.   If the error persists or you get error 2 or error 4
6.   Stop decludeproc
7.   Delete all files in \declude\scanners\avg\db\
8.   Start decludeproc; this will initiate a new download of the AVG
signatures

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

 

I thought I would check my virus logs, which I have not done for a while.

 

It is not working.

 

See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

 

What could be the issue here?

 

Thank you

 

Please note our new Address

 

Harry Vanderzand

Intown Internet

740 Erbsville Road

Waterloo, On, N2J 3Z4

519-741-1222

 


Re: [Declude.Virus] embedded AVG issue

2010-05-10 Thread declude
David,

I was having this issue so I followed your directions below.  After overwriting 
the current dlls, I could not get decludeproc to start.  I determined that it 
was the avgsdk.dll that was in the newly downloaded zip file that was the 
culprit.  I had to restore a previous version to get everything working again.  
I did notice that the new avgsdk.dll is substantially smaller than the old 
version.

So  I am still having the issue originally described in the post.

Don

  - Original Message - 
  From: David Barker 
  To: declude.virus@declude.com 
  Sent: Friday, May 07, 2010 1:25 PM
  Subject: RE: [Declude.Virus] embedded AVG issue


  We have seen this mostly with manual installs. Error: Could not start AVG 
Instance (17) has to do with the DLL. Please contact supp...@declude.com if you 
need assistance.

   

  1.   Stop decludeproc
  2.   Download http://interim.declude.com/41048/AVG-DLL.zip
  3.   Extract and replace the dll files, overwriting your current dlls.
  4.   Start decludeproc
  5.   If the error persists or you get error 2 or error 4
  6.   Stop decludeproc
  7.   Delete all files in \declude\scanners\avg\db\
  8.   Start decludeproc; this will initiate a new download of the AVG 
signatures

   

  David Barker
  VP Operations Declude
  Your Email security is our business
  978.499.2933 office
  978.988.1311 fax
  dbar...@declude.com

   

   

   

  From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry 
Vanderzand
  Sent: Friday, May 07, 2010 2:09 PM
  To: declude.virus@declude.com
  Subject: [Declude.Virus] embedded AVG issue

   

  I thought I would check my virus logs, which I have not done for a while.

   

  It is not working.

   

  See log entry:

  05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
  05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
  05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
  05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

   

  What could be the issue here?

   

  Thank you

   

  Please note our new Address

   

  Harry Vanderzand

  Intown Internet

  740 Erbsville Road

  Waterloo, On, N2J 3Z4

  519-741-1222

   
