RE: [Declude.Virus] [Invalid ZIP Vulnerability]
Darin,

Thanks for your help. Guess I was hoping there was something along the lines of an INCLUDEIFVIRUSNAMEHAS to only include the message for specific vulnerabilities and to not have to list all of the ones I didn't want to send for. Is there a list of all of the vulnerabilities, or is this specific to which scanner(s) I am using?

Thanks
Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 6:40 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

Yep. You can use SKIPIFVIRUSNAMEHAS at the top of the vulnerability.eml file to specify the vulnerability you don't want to notify on.

Darin.

- Original Message -
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 6:49 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]

Thanks. That's great! I've not blocked these before because of a large number of legitimate emails needing to get through that would have been blocked. This lets me block them if I want, but still let the legits get through.

I'm a newbie when it comes to Declude configs. I've pretty much left a lot of defaults, but can this (the customized vulnerability.eml) be limited to only be sent for certain vulnerabilities? I don't want this sent for all blocked vulnerabilities and have the users get notifications for things they don't need to.

Thanks!
Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 5:34 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We use this vulnerability.eml

-- Begin vulnerability.eml
SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: Suspected malicious email blocked

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities are those which can allow a virus or other malicious content to hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that you want or should have received, please click on the link below to have the message released for delivery. Otherwise, the e-mail will be deleted automatically after seven days.

http://www.example.com/requeue.asp?msgid=%QUEUENAME%

Please note that the email could contain dangerous content. Use at your own risk.

Original message information follows

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
DATE: %DATE% @ %TIME%

%HEADERS%
-- End vulnerability.eml

You'll want to replace the link in the email with one appropriate for you.

and the following requeue.asp script.

-- Begin REQUEUE.ASP
<[EMAIL PROTECTED]>
<%
// ---
// requires IUSR permissions to the following directories
// ---
var virusdir="c:\\imail\\spool\\virus\\";
var spooldir="c:\\imail\\spool\\";

// msgid carries %QUEUENAME%; drop its first character to get the name
// shared by the D and Q files
var file=""+Request.QueryString("msgid");
file=file.substr(1);

var fso = new ActiveXObject("Scripting.FileSystemObject");

// move the pair only when both files are still in the virus directory,
// so a missing Q file cannot leave the message half moved
if (fso.FileExists(virusdir+"D"+file) && fso.FileExists(virusdir+"Q"+file)) {
    fso.MoveFile(virusdir+"D"+file, spooldir+"D"+file);
    fso.MoveFile(virusdir+"Q"+file, spooldir+"Q"+file);
    Response.Write("Please check your e-mail in a few minutes for the message you requested.");
} else {
    Response.Write("Message does not exist, or has already been released for normal delivery.");
}
%>
-- End REQUEUE.ASP

You'll need to change the path to the path for your IMail spool directory. This inserts the message back into the queue for the next queue run. Others have gone a step further to call SMTP32.exe with the queue file name to deliver it immediately.

Hope this helps,
Darin.

- Original Message -
From: "Jared Pickerell" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 6:02 PM
Subject: RE: [Declude.Virus] [Invalid ZIP Vulnerability]

How would you go about setting up the ability to "include a link to a script to re-queue the message for delivery"? I'd be interested in that.

Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:
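
The requeue.asp script quoted above builds file paths directly from the msgid query parameter. The following is an added example, not code from the thread or from Declude: plain JavaScript that constrains msgid to a queue-name shape before any path is built and plans the move only when both files are present. The queue-name pattern is an assumption taken from names such as q2a03033d58e6.smd in the log excerpts on this page, and `planRelease` and its `exists` callback are hypothetical names.

```javascript
// Added example: validate msgid before it reaches any file-system call.

// Assumption: queue names look like "q2a03033d58e6.smd" (the letter Q, hex
// digits, ".smd"), as in the Declude log excerpts quoted on this page.
const QUEUE_NAME = /^q([0-9a-f]{6,32}\.smd)$/i;

// Directory values copied from the requeue.asp script in the thread.
const VIRUS_DIR = "c:\\imail\\spool\\virus\\";
const SPOOL_DIR = "c:\\imail\\spool\\";

// Returns the queue name without its leading letter, or null when the value
// is not a well-formed queue name (wrong type, path separators, extra text).
function parseQueueName(msgid) {
  if (typeof msgid !== "string") return null;
  const m = QUEUE_NAME.exec(msgid);
  return m ? m[1] : null;
}

// Decides what to move. `exists` is a hypothetical callback standing in for
// fso.FileExists, so the decision can be exercised without a real spool.
function planRelease(msgid, exists) {
  const id = parseQueueName(msgid);
  if (id === null) return { ok: false, reason: "invalid-id", moves: [] };

  const moves = ["D", "Q"].map((prefix) => ({
    from: VIRUS_DIR + prefix + id,
    to: SPOOL_DIR + prefix + id,
  }));

  // Require the whole D/Q pair so a release never moves half a message.
  if (!moves.every((m) => exists(m.from))) {
    return { ok: false, reason: "not-found", moves: [] };
  }
  // Never overwrite something that is already sitting in the live spool.
  if (moves.some((m) => exists(m.to))) {
    return { ok: false, reason: "already-queued", moves: [] };
  }
  return { ok: true, reason: "", moves };
}

// Constructed sample data: one quarantined message with both files present.
const SAMPLE_QUARANTINE = new Set([
  VIRUS_DIR + "D2a03033d58e6.smd",
  VIRUS_DIR + "Q2a03033d58e6.smd",
]);
const sampleExists = (p) => SAMPLE_QUARANTINE.has(p);

console.log(planRelease("q2a03033d58e6.smd", sampleExists));
console.log(planRelease("q2a03033d58e6.smd\\..\\x", sampleExists));
```

In the ASP page the same check would run before the MoveFile calls, with every failure reason mapped to the single "Message does not exist" response the script already uses.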
RE: [Declude.Virus] [Invalid ZIP Vulnerability]
How would you go about setting up the ability to "include a link to a script to re-queue the message for delivery"? I'd be interested in that.

Jared

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, July 31, 2007 4:23 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] [Invalid ZIP Vulnerability]

We got slammed with them today as well. It caught a bunch that made it past spam filtering (we run AVAFTERJM ON). So I'd second that recommendation to NOT turn it off.

If you're concerned about delivery, set up an email notification to let the intended recipient know the message was held, and include a link to a script to requeue the message for delivery.

Darin.

- Original Message -
From: "Shayne Embry" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 31, 2007 5:09 PM
Subject: re: [Declude.Virus] [Invalid ZIP Vulnerability]

Not too sure you'd want to turn that off. We've been getting hit by a wave of messages the last two days, all with the same vulnerability. I've been too busy to spend any time looking at the payload...but if they're not viruses they are definitely spam. I'm catching about 40 per hour, widely distributed among about 550 accounts across 100 domains.

Shayne Embry

Original Message
> From: Heimir Eidskrem <[EMAIL PROTECTED]>
> Sent: Tuesday, July 31, 2007 2:53 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] [Invalid ZIP Vulnerability]
>
> How do I turn this off.
> I am having emails held as virus but they are not.
> They do contain pdfs and doc files.
>
> Could not find it in the manual.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] ClamAV and Declude problem
I had this same problem and had to stop using clam. I believe someone said that it was a problem with that version of clam. I don't remember what the fix for it was, but would be interested to know as well.

Jared
(from my phone)

-Original Message-
From: "Imail Admin" <[EMAIL PROTECTED]>
To: "declude.virus@declude.com"
Sent: 7/14/07 3:42 AM
Subject: [Declude.Virus] ClamAV and Declude problem

Hi All,

We've been testing ClamAV with Declude AVA on our new mail server (running 2006.2). We only have a few mailboxes on this server because we're still testing it. Today, I ran into a problem where the D: drive ran out of space (100GB). It turns out the d:\temp folder was very large (90GB) and that was due to a large number of folders named .clamtmp or some such. Each of those folders was full of very files, some quite large. My take is that these are temp folders created by ClamAV, but I can't figure out why they're being left behind.

The lines for ClamAV in virus.cfg are:

CLAMAV
SCANFILE2 D:\Progra~1\clamwin\bin\clamscan.exe --verbose --database="C:\docume~1\alluse~1.win\clamwi~1\db" --tempdir="D:\Temp" --no-summary -l report.txt
VIRUSCODE2 1
REPORT2FOUND

I also noticed some strange lines in the virus log files:

07/13/2007 00:31:17.439 q2a03033d58e6.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
07/13/2007 00:31:17.439 q2a03033d58e6.smd Virus scanner 2 reports exit code of 0
07/13/2007 00:31:17.439 q2a03033d58e6.smd Couldn't delete D:\IMail\spool\proc\work\D2a03033d58e6.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]
07/13/2007 00:31:47.440 q2a03033d58e6.smd Scanned: Virus Free [MIME: 1 26]
07/13/2007 00:32:31.597 q2a8a035958eb.smd Vulnerability flags = 0
07/13/2007 00:33:32.551 q2a8a035958eb.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
07/13/2007 00:33:32.551 q2a8a035958eb.smd Virus scanner 2 reports exit code of 0
07/13/2007 00:33:32.551 q2a8a035958eb.smd Couldn't delete D:\IMail\spool\proc\work\D2a8a035958eb.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]
07/13/2007 00:36:57.961 q2b58038758f4.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
07/13/2007 00:36:58.008 q2b58038758f4.smd Virus scanner 2 reports exit code of 0
07/13/2007 00:36:58.008 q2b58038758f4.smd Couldn't delete D:\IMail\spool\proc\work\D2b58038758f4.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]
07/13/2007 00:37:03.149 q2b5e036258f7.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
07/13/2007 00:37:03.149 q2b5e036258f7.smd Virus scanner 2 reports exit code of 0
07/13/2007 00:37:03.149 q2b5e036258f7.smd Couldn't delete D:\IMail\spool\proc\work\D2b5e036258f7.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]

Any suggestions? I'm also concerned about the lines where it says "the process cannot access the file because it is being used...".

Thanks,
Ben
BC Web

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
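
In the log excerpt above, scanner 2 is terminated at the 60-second limit for q2a03033d58e6.smd and the same queue file is logged as "Scanned: Virus Free" 30 seconds later. The following added example (not from the thread, and not part of Declude) groups such lines by queue file and reports every message whose scan was cut short, noting which of them were then passed as clean. The regular expressions are assumptions based only on the lines quoted in this message, and `summarizeTimeouts` is a hypothetical name.

```javascript
// Added example: find messages whose virus scan was terminated at the timeout.

// Line layout assumed from the excerpt: "MM/DD/YYYY HH:MM:SS.mmm <queue> <text>".
const LINE = /^(\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$/;
const TIMEOUT = /^ERROR: Virus scanner (\d+) didn't finish after (\d+) seconds; terminating\./;
const LOCKED = /^Couldn't delete (.+?): 32\./; // 32 = file in use by another process
const CLEAN = /^Scanned: Virus Free/;

function summarizeTimeouts(logText) {
  const byQueue = new Map();
  for (const raw of logText.split(/\r?\n/)) {
    const m = LINE.exec(raw.trim());
    if (!m) continue; // blank or unrecognised line
    const queue = m[2];
    const text = m[3];
    let rec = byQueue.get(queue);
    if (!rec) {
      rec = { queue, timedOutScanners: [], lockedFiles: [], passedAfterTimeout: false };
      byQueue.set(queue, rec);
    }
    let hit;
    if ((hit = TIMEOUT.exec(text))) {
      rec.timedOutScanners.push(Number(hit[1]));
    } else if ((hit = LOCKED.exec(text))) {
      // The killed scanner still holds its report file, so cleanup fails.
      rec.lockedFiles.push(hit[1]);
    } else if (CLEAN.test(text) && rec.timedOutScanners.length > 0) {
      // A clean verdict recorded after an incomplete scan deserves review.
      rec.passedAfterTimeout = true;
    }
  }
  // Report only messages where at least one scanner was cut short.
  return [...byQueue.values()].filter((r) => r.timedOutScanners.length > 0);
}

// Sample input: the first eight log lines copied from the excerpt above.
const SAMPLE_LOG = String.raw`
07/13/2007 00:31:17.439 q2a03033d58e6.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
07/13/2007 00:31:17.439 q2a03033d58e6.smd Virus scanner 2 reports exit code of 0
07/13/2007 00:31:17.439 q2a03033d58e6.smd Couldn't delete D:\IMail\spool\proc\work\D2a03033d58e6.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]
07/13/2007 00:31:47.440 q2a03033d58e6.smd Scanned: Virus Free [MIME: 1 26]
07/13/2007 00:32:31.597 q2a8a035958eb.smd Vulnerability flags = 0
07/13/2007 00:33:32.551 q2a8a035958eb.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
07/13/2007 00:33:32.551 q2a8a035958eb.smd Virus scanner 2 reports exit code of 0
07/13/2007 00:33:32.551 q2a8a035958eb.smd Couldn't delete D:\IMail\spool\proc\work\D2a8a035958eb.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]
`;

for (const r of summarizeTimeouts(SAMPLE_LOG)) {
  console.log(r.queue, "scanners:", r.timedOutScanners.join(","),
    "locked:", r.lockedFiles.length, "passed as clean:", r.passedAfterTimeout);
}
```

The exit code of 0 logged for a terminated scanner is the same value a completed scan with no detection would report, so the timeout line is the only reliable marker to key on.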
RE: [Declude.Virus] Temp files ClamAV Windows not deleting
I'm running into the same problem. I ended up with a server out of hard drive space before I figured out what was going on. What can you do to let Declude/ClamWin delete them in the first place? As the administrator I can already delete the folders/files after the fact, but that doesn't solve the problem. Who needs to have ownership of the temp directory for Declude/ClamWin to delete these on its own?

Also ClamWin was using very high CPU. Is ClamWin known for high CPU usage? With the temp files not deleting and the high CPU utilization, I ended up just removing ClamWin as one of the scanners. When the AVG fix came out it wasn't really an issue, but I would like to use Clam as a secondary scanner if possible? Any thoughts?

Thanks
Jared

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, April 17, 2007 1:58 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Temp files ClamAV Windows not deleting

You need to take ownership of the files as the administrator and then you can delete them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, April 17, 2007 2:41 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Temp files ClamAV Windows not deleting

Hi;

I am having a problem with viruses not being deleted from the temp directory when using the ClamWin - the following is the config entries:

# CLAM- 1st Scanner
#SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database="C:\Progra~1\ClamWin\db" --tempdir="c:\Temp" --no-summary -l report.txt
#VIRUSCODE1 1

Any idea what I can do to have the virus files deleted from C:\temp?

Thanks
-Kami

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] [OT} Anti-Virus - Client Side Suggestion
We use Symantec Antivirus Corporate Edition. It has worked great for us. The corporate edition has no activation. I believe it is much better suited for the business world than NAV 2004. You set up a SAV server that controls the SAV client settings (very nice central configuration and management). Also, only the server has to download the updates, which automatically pushes out the defs to the clients. I have scheduled the server to update defs every couple of hours every day. You get updates this way that you do not get by doing a LiveUpdate. I have been very happy with it.

Jared Pickerell
Co-Director/Network Admin
Highland Community College
606 W Main, Highland, KS 66035

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster
Sent: Monday, April 26, 2004 10:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] [OT} Anti-Virus - Client Side Suggestion

Does NAV 2k4 have the product activation as well? The reason I ask is that I did have Norton Internet Security (NIS) 2k4 installed on my work laptop. Well, since it's a work laptop, I install, de-install programs most of the time and as a result, every month or two, I backup and re-ghost the HDD from an image. Just this weekend when I tried to activate the NIS I installed, I got the "Activated too many times" error. UGH!

I'm awaiting a response from Symantec and was just asking about other alternatives for the anti-virus side of things. Looking at Zonelabs Zonealarm for the software Firewall replacement..

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry Fritts
Sent: Monday, April 26, 2004 10:59 AM
To: Jeff Maze - Hostmaster
Subject: Re: [Declude.Virus] [OT} Anti-Virus - Client Side Suggestion

> McAfee, Norton, or others? Which do you think provides the quickest
> update

I used Norton for a long time on Windows 2k but when I moved to XP I also upgraded to Norton 2004. It seemed much more complex to me with a bunch more services (maybe my imagination). Regardless, I had constant problems with it and no help from Symantec. Main problem was that after a reboot the AV could not start. Usually a 2nd reboot would fix but sometimes not. Also, my XP machine would sometimes just reboot itself for no apparent reason and I always "felt" it had something to do with Norton. Don't know that - could just be XP.

Finally removed it and switched to McAfee on one workstation. So far I think I like it better and no problems on it starting and no reboots. Only thing I do complain about it with McAfee is the download process forces use of Internet Explorer and the scanning configuration program needs more granularity.

On my XP notebook I'm using Kaspersky - it's kind of fun actually - screams if it finds something - a little too aggressive on non-virus vulnerabilities but probably something I can adjust out.

All seem to me about equally effective over time. Also using Fprot and ClamAV and have extremely good results with both. Really with cost consideration Fprot has to be one of my favorites.

Terry Fritts

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.

[AUTOMATED NOTE: Your mail server [198.248.79.209] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]