Re: [Declude.Virus] Banning open.html
OK, found the problem with David. Banning file names is limited to 50. I put this ban at the top of the list and it is working now.

John T
eServices For You

-----Original Message-----
From: "John T"
Sent: 6/11/2010 10:57:26 AM
To: "declude.virus"
Subject: [Declude.Virus] Banning open.html

Fighting the latest virus, trying to ban open.html file attachments. Anyone able to do this successfully? I am working with Declude right now to figure out why it is not being stopped.

John T
eServices For You

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Banning open.html
Fighting the latest virus, trying to ban open.html file attachments. Anyone able to do this successfully? I am working with Declude right now to figure out why it is not being stopped.

John T
eServices For You
Re: [Declude.Virus] Per user setting
Any ideas?

John T
eServices For You

-----Original Message-----
From: "John T"
Sent: 12/11/2009 11:59:05 AM
To: "declude.virus"
Subject: [Declude.Virus] Per user setting

Is there a way possible to allow, on a per-user basis, outgoing banned extensions WITHOUT disabling outgoing virus scanning? If not, could this be something that could be added?

John T
eServices For You
[Declude.Virus] Per user setting
Is there a way possible to allow, on a per-user basis, outgoing banned extensions WITHOUT disabling outgoing virus scanning? If not, could this be something that could be added?

John T
eServices For You
Re: [Declude.Virus] BANNotify message
I'd have to dig it up in the archives, if I could find it. Unless it was one of those things that Scott tried to do.

John T
eServices For You

-----Original Message-----
From: "David Barker"
Sent: 10/16/2009 6:29:46 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BANNotify message

Not that I am aware of. Do you have information to show otherwise? Please send it to supp...@declude.com

David B

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of John T
Sent: Thursday, October 15, 2009 6:20 PM
To: declude.virus
Subject: [Declude.Virus] BANNotify message

Way back when this was introduced, we had the ability to list file names as well as extensions that we did not want the bannotify message to go out on. Example, you could have "SKIPIFEXT install.zip" and if the banned ext file name was install.zip, the bannotify message would not go out. Has this changed?

John T
eServices For You
[Declude.Virus] BANNotify message
Way back when this was introduced, we had the ability to list file names as well as extensions that we did not want the bannotify message to go out on. Example, you could have "SKIPIFEXT install.zip" and if the banned ext file name was install.zip, the bannotify message would not go out. Has this changed?

John T
eServices For You
Re: [Declude.Virus] Declude Virus inoperable for 13% of the year?
I really think these types of comments, while they may be perfectly valid, are better done off line as they are outside of the scope and purpose of this list.

John T
eServices For You

-----Original Message-----
From: "Patrick Childers"
Sent: 6/4/2009 10:36:30 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of the year?

I run a business and I work for a business. Thank you. Maybe you should work for one...

~P

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, June 04, 2009 1:17 PM
To: declude.vi...@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of the year?

>… but I can spend almost whatever I need to to protect my network.

There are those of us who run businesses and then there are those who work for them. Either way your feedback is appreciated ;)

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Patrick Childers
Sent: Thursday, June 04, 2009 12:50 PM
To: declude.vi...@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of the year?

Comments are in-line.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, June 04, 2009 10:03 AM
To: declude.vi...@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of the year?

Sorry, no marketing department to give you the warm and fuzzy spin, just me.

>Obviously.

Couple of suggestions. Declude has the ability to run up to 5 additional cmd line scanners of your choice. We provide AVG as a courtesy to our customers, as in the past Declude did not have any internal virus scanner; you would have to go out and purchase that separately.

>Well aware of that.

It would be good to run more than 1 virus scanner for several reasons, one of which is failure of an AV scanner (admittedly in this instance failure was on our part). But rest assured false positives, no virus signatures, lag time are problems ALL AV vendors are faced with. There are some that are free that work extremely well; ClamWin or ClamAV is an example of this. In addition we have ZEROHOUR as an option for Perpetual license customers, an additional virus scanner providing ZEROHOUR protection and additional spam definitions. For the amount of money that this is being offered for it is a wise investment. If you opted out of this because you didn't want to spend the extra few $ on security then you have different issues and it's not Declude.

>LOL. I may be one of the few, but I can spend almost whatever I need to to protect my network. I do run multiple scanners as well as virus scanning on the perimeter firewall.
>If you didn't want to spend the extra few $ on making sure your code is up-to-date then you have different issues and it's not your customers.

Lastly Patrick please contact supp...@declude.com; having looked at your host record it does not look like you are receiving any AV updates - it could be that your firewall is blocking the AV updates, our support can work with you to fix that.

>LOL again. Don't need to. I don't use AVG. I only chimed in because I felt that your responses to the issue were not helpful and somewhat offending.
[Declude.Virus] HEADS UP, Virus storm right now
I am catching a lot of ZIP-exe files to different addresses from different IPs starting about 25 minutes ago.

John T
eServices For You
Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
Any update or information on this?

John T
eServices For You

-----Original Message-----
From: "David Barker" <[EMAIL PROTECTED]>
Sent: 6/23/2008 11:36:40 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

I will see what we can do for a new directive for the HOLD to be excluded or included by the admin.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Monday, June 23, 2008 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

I have complained about this for a while now. This process of fixing the configuration then placing the message in the proc folder only works if you are constantly poring through your hold folders. We do not do that. We send an email to our users with the message they have in their hold. They then have the option to deliver the message to their inbox; when they click the recover link the message is placed in the spool folder and a copy of the raw email is sent to our admin to then look at the configuration. This process makes the hold folder completely hands off. How about an option to VIRUSSCANONHOLD. This would make everyone happy.

Kevin Bilbee

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, June 23, 2008 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

For what it's worth, I never move messages from HOLD to SPOOL. When I do move false positives out, I fix the problem in my configuration, so that the same circumstance doesn't happen again, and then I move the files from the HOLD to the PROC folder. By re-scanning them, they get virus scanned and I am sure that I have saved time by getting spam scanned as well; it would cost me more time to repeat the procedure next time than it takes me to override my text filters and re-queue the messages now.

Very few messages get pulled out of the HOLD folder, so not scanning those messages for viruses saves me a lot of processing power.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, June 23, 2008 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Correct, if you send held email directly to the spool there is a potential for a virus to bypass if running AVAFTERJM; this is why it is important to correct the issue that caused the false positive, then reprocess via Declude. OR alternately ensure you virus scan your HOLD folders. If you are asking to apply AVAFTERJM only to Deleted emails, this would reduce its effectiveness as not every Declude customer uses Delete.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, June 23, 2008 11:30 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Hi David,

Could you explain this:
"We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders"

By NOT scanning held junkmail the virus WILL end up in a user's mailbox if I have to requeue the mail because it was a FP. Of course you don't have to scan deleted mail.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35
[EMAIL PROTECTED] / www.tio.nl

----- Original Message -----
From: David Barker
To: [EMAIL PROTECTED]
Sent: Monday, June 23, 2008 4:28 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Dear Bonno,

It is not that we can't do this. We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders. AVAFTERJM will skip messages on DELETE and HOLD actions only.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, June 23, 2008 4:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Hi,

(Open mail request)
Dear Declude people. I have asked this before and with the current spam levels can we PLEASE have this feature now ASAP? We all want to use AVAFTERJM but could you PLEASE make it scan all mail which is not deleted? If that is too big a step at first because of all the possible copy, routeto, etc. statements, can we at least have it for the HOLD action ASAP?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35
[EMAIL PROTECTED] / www.tio.nl

----- Original Message -----
From: Kevin Bilbee
To: [EMAIL PROTECTED]
Sent: Friday, June 13, 2008 5:25 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Be careful with this setting. If a message gets held as spam it will not be virus scanned. Make sure you scan any message moved back into the delivery queue for viruses before placing it in the delivery queue folder.

Kevin
Re: [Declude.Virus] Invalid Zip Vulnerability
No name, just the extension?

John T
eServices For You

-----Original Message-----
From: "Andy Schmidt" <[EMAIL PROTECTED]>
Sent: 3/3/2008 9:30:59 AM
To: [EMAIL PROTECTED]
Cc: declude.virus@declude.com
Subject: [Declude.Virus] Invalid Zip Vulnerability

Hi,

I checked your KB – and it doesn't document that vulnerability:
http://support.declude.com/Customer/KBArticle.aspx?articleid=25&KBSearchID=11699

I checked your manual – and it doesn't document that vulnerability:
http://www.declude.com/searchresults.asp?Cat=124

However, I do have a message that fails the vulnerability:
File: "[.ZIP file]" Result: Found[Invalid ZIP Vulnerability]

So now I need to determine why this ZIP file is being rejected.

Thanks,
Andy
[Declude.Virus] Banned file ext not caught
I had a client receive an email with a PPS attachment this morning. PPS files are banned. Looking at the Virus log for the message there are warning lines about EOF encountered. I am assuming this means End Of File. Is there a way to catch these?

09/19/2007 09:07:07.231 q492300cc5430.smd Vulnerability flags = 92
09/19/2007 09:07:07.246 q492300cc5430.smd MIME file: [text/html][quoted-printable; Length=2041 Checksum=169730]
09/19/2007 09:07:07.278 q492300cc5430.smd Warning: EOF in middle of MIME segment [] [--_b93bf649-659f-4133-bdea-60207fbe90ef_]
09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart processing.
09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart processing.
09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart processing.
09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart processing.
09/19/2007 09:07:08.918 q492300cc5430.smd Scanned: Virus Free [MIME: 4 345642]

John T
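The log above shows the scanner hitting EOF inside a MIME segment, listing only the text/html part, and still reporting "Virus Free" although a banned .pps was attached. As an added example (not Declude's code), the Python below parses a constructed message whose closing boundary is missing, lists the attachment names the standard-library parser can still recover, and treats any parser defect as grounds to hold the message instead of passing it; the ban list, the verdict labels and the sample message are all constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Constructed sample ban list (Declude's real list lives in virus.cfg BANEXT lines).
BANNED_EXTS = {"pps", "exe", "bat", "scr"}

# Constructed sample message: a text/html part followed by a .pps attachment.
# The closing "--boundary--" line is deliberately missing, so the message ends
# inside the attachment's MIME segment, as the "EOF in multipart processing"
# log lines above describe.
BOUNDARY = "_b93bf649_constructed_"
TRUNCATED_MSG = "\r\n".join([
    "From: sender@example.test",
    "To: user@example.test",
    "Subject: slides",
    "MIME-Version: 1.0",
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"',
    "",
    f"--{BOUNDARY}",
    "Content-Type: text/html; charset=us-ascii",
    "Content-Transfer-Encoding: quoted-printable",
    "",
    "<html><body>see attached</body></html>",
    f"--{BOUNDARY}",
    "Content-Type: application/vnd.ms-powerpoint",
    'Content-Disposition: attachment; filename="deck.pps"',
    "Content-Transfer-Encoding: base64",
    "",
    "Q29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQ=",
])
CLOSE_LINE = f"\r\n--{BOUNDARY}--\r\n"  # append this to get a well-formed message


def attachment_names(msg: EmailMessage) -> List[str]:
    """Filenames of every leaf part that declares one."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def structural_defects(msg: EmailMessage) -> List[str]:
    """Parser defect names recorded on the container and on every sub-part."""
    return [type(d).__name__ for p in msg.walk() for d in p.defects]


def verdict(raw: str, banned=BANNED_EXTS) -> Tuple[str, List[str], List[str]]:
    """Return (decision, attachment names, defect names) for one raw message.

    Decisions are constructed labels: BANNED when a listed extension is present,
    HOLD when the parser hit structural damage and nothing banned was found,
    DELIVER only for a clean, well-formed message.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    names = attachment_names(msg)
    defects = structural_defects(msg)
    hits = [n for n in names if n.rsplit(".", 1)[-1].lower() in banned]
    if hits:
        return "BANNED", hits, defects
    if defects:
        # Fail closed: a parser that stopped at EOF cannot vouch for what the
        # recipient's mail client will reconstruct from the same bytes.
        return "HOLD", names, defects
    return "DELIVER", names, defects


if __name__ == "__main__":
    # Truncated, banned attachment -> BANNED plus CloseBoundaryNotFoundDefect
    print(verdict(TRUNCATED_MSG))
    # Truncated, harmless attachment -> HOLD on the structural defect alone
    print(verdict(TRUNCATED_MSG.replace("deck.pps", "notes.txt")))
    # Well-formed, harmless attachment -> DELIVER
    print(verdict(TRUNCATED_MSG.replace("deck.pps", "notes.txt") + CLOSE_LINE))
```

Unlike the scanner in the log, the stdlib parser still yields the trailing part, so the ban matches here; the HOLD branch is what protects the case where it does not.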
RE: [Declude.Virus] exe in zip file why not blocked...
David, the log snippet posted is of the Declude Virus log, meaning it passed Junkmail and was scanned.

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 30, 2007 9:24 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

AVAFTERJM ON means if the email reaches the JM either HOLD or DELETE to not call the AV in the Declude code. Try switching this OFF to see if it resolves the issue.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, July 30, 2007 10:27 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

Declude 4.3.57
AVAFTERJM ON: YES.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 30, 2007 7:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

Scott,

What version of Declude? Are you using the directive AVAFTERJM ON?

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Friday, July 27, 2007 3:06 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] exe in zip file why not blocked...

I was looking at my spam folder and noticed an email with a zip that contained an exe.

07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862
07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]
07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:23.015 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:25.640 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:28.374 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt
07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.
07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668]

virus.cfg lines:
BANEXT exe
BANZIPEXTS ON

I believe this should have been blocked (regardless of the problem with scanner 2).

Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
RE: [Declude.Virus] banning EZIP but....
I do not ban EZIP outright, but instead I ban EZIPEXTS.

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Thursday, June 28, 2007 5:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] banning EZIP but

Hi,

Just ran into a problem that *I* could resolve, but still. I had a problem with my backup tool Yosemite Backup and they have a tool on their site that they want you to run. It collects all kinds of relevant data to help pinpoint the problem. The output in the latest version is an encrypted ZIP file which gets blocked when I try to send it via email. :-(

Of course I could just change the Declude config for a few seconds but that's just me. What I would like Declude to do is:
- Block all inbound EZIP files
- Block outbound EZIP files UNLESS the user authenticates via SMTP AUTH.

Currently this is not possible I think, would be a nice option though. How do others currently circumvent this problem?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
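Three threads above turn on what a zip-attachment check can and cannot see: an exe inside fungame.zip that BANZIPEXTS should have caught, a file rejected as "Invalid ZIP Vulnerability", and encrypted zips (EZIP) that no scanner can read. As an added example (not Declude's code), the Python below walks only the central directory of a zip, so nothing is extracted or run: it matches member names against a ban list, flags encrypted members (whose names are still visible even though the content is opaque), follows nested zips to a fixed depth, and reports a corrupt archive as invalid rather than clean. The ban list, the constant and field names, and the hand-built sample archives are constructed for this example.

```python
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

BANNED_EXTS = {"exe", "scr", "pif", "bat", "com"}  # constructed ban list
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: member content is encrypted
MAX_NESTING = 3          # how deep to follow zip-inside-zip before giving up


@dataclass
class ZipVerdict:
    banned: List[str] = field(default_factory=list)     # members hitting the ban list
    encrypted: List[str] = field(default_factory=list)  # members no scanner can read
    invalid: bool = False                               # central directory unusable
    nested_too_deep: bool = False                       # nesting limit reached


def _ext(name: str) -> str:
    """Lower-case extension of the last path component, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_zip(data: bytes, banned=BANNED_EXTS, depth: int = 0, prefix: str = "") -> ZipVerdict:
    """Judge an attachment from its central directory alone; nothing is extracted."""
    v = ZipVerdict()
    if depth > MAX_NESTING:
        v.nested_too_deep = True
        return v
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Corrupt or deliberately malformed: the member list cannot be trusted,
        # so report invalid rather than clean (compare "Invalid ZIP Vulnerability").
        v.invalid = True
        return v
    with zf:
        for info in zf.infolist():
            full = prefix + info.filename
            if _ext(info.filename) in banned:
                v.banned.append(full)
            if info.flag_bits & ENCRYPTED_FLAG:
                # Names sit unencrypted in the central directory, so an extension
                # ban still applies; only the content is opaque to AV.
                v.encrypted.append(full)
            elif _ext(info.filename) == "zip":
                inner = inspect_zip(zf.read(info), banned, depth + 1, full + "!/")
                v.banned += inner.banned
                v.encrypted += inner.encrypted
                v.invalid |= inner.invalid
                v.nested_too_deep |= inner.nested_too_deep
    return v


def build_stored_zip(members: Sequence[Tuple[str, bytes]], flags: int = 0) -> bytes:
    """Hand-build a minimal uncompressed zip (constructed test data only).

    zipfile cannot write encrypted members, so the general-purpose flag word is
    written directly: flags=ENCRYPTED_FLAG marks members as encrypted without
    actually encrypting them, which is all the directory-level check looks at.
    """
    local, central, offset = [], [], 0
    for name, data in members:
        raw = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # local header: sig, version, reserved, flags, method, time, date(1980-01-01), crc, sizes, lengths
        hdr = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, 0, 0, 0x21,
                          crc, len(data), len(data), len(raw), 0)
        local.append(hdr + raw + data)
        # central directory entry pointing back at the local header
        central.append(struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0,
                                   flags, 0, 0, 0x21, crc, len(data), len(data),
                                   len(raw), 0, 0, 0, 0, 0, offset) + raw)
        offset += len(hdr) + len(raw) + len(data)
    cd = b"".join(central)
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(cd), offset, 0)
    return b"".join(local) + cd + eocd


# Constructed samples mirroring the threads above.
PLAIN = build_stored_zip([("readme.txt", b"constructed"), ("fungame.exe", b"MZ not a program")])
ENCRYPTED = build_stored_zip([("payload.exe", b"opaque")], flags=ENCRYPTED_FLAG)
NESTED = build_stored_zip([("outer.txt", b"x"), ("inner.zip", PLAIN)])
GARBAGE = b"this is not a zip archive"

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("encrypted", ENCRYPTED), ("nested", NESTED), ("garbage", GARBAGE)]:
        print(label, inspect_zip(blob))
```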
RE: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities
Why not use vulnerability.eml?

SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: We blocked a suspected malicious email sent to you!

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, junk mail (spam) and e-mail vulnerabilities. (Vulnerabilities are those which can allow a virus or other malicious content to hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that you want or should have received, please reply to this notification, and we will review and requeue the message for delivery. (Note, there may be a delay until the message is delivered to you.) Otherwise, the e-mail will be deleted automatically after 5 days.

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
Remote IP: %REMOTEIP%
DATE: %DATE% @ %TIME%
SPOOL FILE: %QUEUENAME%

Headers of the e-mail in question:
%HEADERS%

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, May 25, 2007 6:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities

It would be wonderful to be able to send out notifications on vulnerabilities like the current notifications on virus found/banned files. We still have to process the virus queue due to legit email that may be held due to vulnerabilities that we do not want to turn off in the config. For legit email in virus/banned file scanning, notifications are sent and the requeue message link we include in our notifications allows the users to receive the message without us touching it. But since this notification does not get sent for vulnerabilities, we still have to manually review this queue.

Being able to send out notifications on vulnerabilities would keep us from having to touch the virus hold queue at all, saving us time every day.

Thoughts?

Darin.
RE: [Declude.Virus] OT: Prevx and malware detection
Windows Defender Beta ended I believe in December 2006. The version out now is a fully released, supported version.

John T

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Gary Steiner
> Sent: Tuesday, May 08, 2007 10:57 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] OT: Prevx and malware detection
>
> Does anyone have any experience with Prevx for malware detection? I've
> been looking at different products and after googling this one seems to
> be well recommended.
>
> I was playing around with Windows Defender, but since it is a beta, I'm
> not sure how serious Microsoft is taking it at this point.
>
> Gary Steiner
RE: [Declude.Virus] BanNotify email not being sent
I wonder if the name of the file you are testing with is on the forging list at Declude. Try creating a text file and renaming it to something like john.bat and then see what happens.

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Thursday, May 03, 2007 2:33 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent
RE: [Declude.Virus] BanNotify email not being sent
Sorry to bother, but please post the rest of the lines from the debug log for that message.

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Wednesday, May 02, 2007 2:36 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

John,

I should have known to go to DEBUG mode first. Here's what is showing there:

05/02/2007 17:27:31.265 q0225028073d8.smd Not sending .eml file since AUTOFORGING detected a forging virus.

I sent a regular .exe program install file in the test. The question now is - why is this being picked up as a forging virus?

Randy A.

_____
From: "John T (lists)" <[EMAIL PROTECTED]>
Sent: Wednesday, May 02, 2007 12:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

Put your virus log into debug and then try sending a banned extension attachment. Post your bannotify.eml file as a text attachment.

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Wednesday, May 02, 2007 5:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

I just upgraded to 4.3.46 and same thing - BANnotify is not being sent...

Randy A.

_____
From: "John T (lists)" <[EMAIL PROTECTED]>
Sent: Monday, April 30, 2007 8:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

What version of Declude? I am using 4.3.47 and it is working. What does the Virus log say?

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent

It was recently brought to my attention by a customer that the BanNotify email is not being sent out from our server when necessary - I tried sending myself a test email with an .exe file attached, and sure enough, the message is trapped but the notice is not sent out.

Using declude v4.x

Thanks!
Randy A.
RE: [Declude.Virus] BanNotify email not being sent
1) Put your virus log into debug and then try sending a banned extension attachment.
2) Post your bannotify.eml file as a text attachment.

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Wednesday, May 02, 2007 5:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

I just upgraded to 4.3.46 and same thing - BANnotify is not being sent...

Randy A.

_____
From: "John T (lists)" <[EMAIL PROTECTED]>
Sent: Monday, April 30, 2007 8:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

What version of Declude? I am using 4.3.47 and it is working. What does the Virus log say?

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent

It was recently brought to my attention by a customer that the BanNotify email is not being sent out from our server when necessary - I tried sending myself a test email with an .exe file attached, and sure enough, the message is trapped but the notice is not sent out.

Using declude v4.x

Thanks!
Randy A.
RE: [Declude.Virus] BanNotify email not being sent
What version of Declude? I am using 4.3.47 and it is working. What does the Virus log say?

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent

It was recently brought to my attention by a customer that the BanNotify email is not being sent out from our server when necessary - I tried sending myself a test email with an .exe file attached, and sure enough, the message is trapped but the notice is not sent out.

Using declude v4.x

Thanks!
Randy A.
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
Actually, that is the BANNotify.eml file that is used.

John T

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists)
> Sent: Friday, April 27, 2007 12:39 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
>
> > Until Declude resolves the issue with BANEXT EZIP, I've had to ban all
> > rar files. Unfortunately some of my customers regularly send rar
> > attachments, so I've had to check the virus hold directory on a regular
> > basis and manually resubmit any false positives there.
> >
> > Gary
>
> Instead of manually checking for legit files, use the BANEXT.eml file to
> send a postmaster message that you get and/or the recipient and/or sender
> get and that notice can be reviewed a lot easier than manually checking the
> hold directory.
>
> John T
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
> Until Declude resolves the issue with BANEXT EZIP, I've had to ban all
> rar files. Unfortunately some of my customers regularly send rar
> attachments, so I've had to check the virus hold directory on a regular
> basis and manually resubmit any false positives there.
>
> Gary

Instead of manually checking for legit files, use the BANEXT.eml file to send a postmaster message that you get and/or the recipient and/or sender get and that notice can be reviewed a lot easier than manually checking the hold directory.

John T
Re: [Declude.Virus] re: new virus with .rar attachment
Only if you also have BANEXT rar. Do you have junkmail scanning before virus?

John T

-Original Message-
From: "Gary Steiner" <[EMAIL PROTECTED]>
Sent: 4/25/2007 10:44:37 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] re: new virus with .rar attachment

As a followup to this, in my virus.cfg I have BANEXT EZIP. Shouldn't this have caught the password-protected .rar file? Declude passed the message to SmarterMail without holding it. I'm running Declude 4.3.46.

Original Message
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 25, 2007 1:31 PM
> To: declude.virus@declude.com
> Subject: new virus with .rar attachment
>
> I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of
>
> Virus Activity Detected!
> Spyware Alert!
>
> It contains a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware.
>
> I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
>
> http://vil.nai.com/vil/content/v_142094.htm
>
> Since this is a password protected .rar file, should we now be blocking these?
RE: [Declude.Virus] You should not use an on-access virus scanner that scans the ....
Unfortunately, I am still up, at least for another 15 minutes or so. If you want to zip and send me a log file I will have a look see.

John Tolmachoff
eServices For You
[EMAIL PROTECTED]
(626) 737-6003
Fax (626) 737-6004

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Tuesday, April 17, 2007 1:54 AM
To: declude.virus@declude.com
Subject: AW: [Declude.Virus] You should not use an on-access virus scanner that scans the

Hello John,

1) 86 the read receipt requests!
Sorry. I'm trying, but sometimes I forget to disable it.

2) You should be running 4.3.46 at this point due to a problem with a recent change in AVG.
Typo, it *is* 4.3.46

3) Is this happening on every email, or random?
This morning (after updating) it happened all the time, now I can't see any entries in the log. (and we are getting virusmails :) I'll keep an eye on the logfiles.

4) Since you are only running one virus scanner (aside from the built in AVG,) I do not think you need to have the number 1 for each line, i.e. SCANFILE1 and VIRUSCODE1.
modified (and no entry before and after)

Alex

_
Siller AG, Wannenäckerstraße 43, 74078 Heilbronn
Management board: Prof. H.-F. Siller (Chairman), Jörn Bülow, Ralf Michi
Chairman of the supervisory board: Armin Sohler
Registration court Stuttgart, HRB 107707, VAT ID no. DE145782955
_
RE: [Declude.Virus] You should not use an on-access virus scanner that scans the ....
1) 86 the read receipt requests!
2) You should be running 4.3.46 at this point due to a problem with a recent change in AVG.
3) Is this happening on every email, or random?
4) Since you are only running one virus scanner (aside from the built in AVG,) I do not think you need to have the number 1 for each line, i.e. SCANFILE1 and VIRUSCODE1.

John T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Tuesday, April 17, 2007 12:29 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] You should not use an on-access virus scanner that scans the

Hello,

after updating to 4.0.46 I've got these entries in one of our Mailservers:

04/17/2007 08:49:18.391 q6de201f80068.smd Virus scanner 1 reports exit code of 0
04/17/2007 08:49:18.391 q6de201f80068.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
04/17/2007 08:49:18.391 q6de201f80068.smd Scanned: Virus Free [MIME: 1 2108]

Yes, I know I should disable the on-access Scanner :) But:
- there is a local AVG installed, *without* real-time scanner
- and ClamAV
- and nothing else (F-Prot is removed after changing the licensing :)
so I can't find anything that could delete a virus.

Could it be a "wrong" setting from ClamAV (not ClamWin)?

SCANFILE1 C:\imail\declude\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND

Clam is running with Sanesecurity and malware.com.br signatures.

Alex
RE: [Declude.Virus] Declude 4.3.46 Release
My bad, the file is not pcres.dll but pcre3.dll. Darn keyboard virus. I wish Declude could fix that. ;-)

John T

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists)
> Sent: Monday, April 16, 2007 12:38 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Declude 4.3.46 Release
> Importance: High
>
> Just got off the phone with Tech Support.
>
> A file pcres.dll was not included in the original upgrade executable and if
> that file is not in the \Imail directory the decludeproc service will not
> start.
>
> She had to send me the file separately and they will now be changing the
> upgrade executable.
>
> John T
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
> > Sent: Monday, April 16, 2007 11:24 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] Declude 4.3.46 Release
> >
> > Addresses this AVG issue. If you currently only have AVG as your virus
> > scanner I would consider this a critical update.
> >
> > EVA ADD Improved AVG virus database format for optimization
> > EVA ADD Improved speed of AVG scanning by 15-20%
> > EVA ADD Updated AVG (avgsdk.dll 1.2.449)
> > DEC ADD Updated Commtouch ZEROHOUR (asapsdk.dll 5.03.0013)
> > JM FIX Smartermail HELO was being picked up from the headers rather
> > than the envelope
> > JM FIX Fixed log entry for PCRE when matching on location SUBJECT
> >
> > David Barker
> > VP Operations | Declude
> > Your Email Security is our business
> > O: 978.499.2933 x7007
> > F: 978.988.1311
> > E: [EMAIL PROTECTED]
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
> > Sent: Monday, April 16, 2007 10:09 AM
> > To: declude.virus@declude.com
> > Subject: AW: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7
> >
> > Hello Darrell,
> >
> > are you (or David :) sure with the return codes?
> >
> > I'm getting 0.0.0.1 and these files on both servers:
> >
> >                Darrell       Alex
> > incavi.avm   - 4/15/2007  - 4/06/2007
> > microavi.avg - 4/5/2007   - 4/05/2007
> > miniavg.avg  - 2/16/2007  - 2/16/2007
> > avi7.avg     - 2/21/2007  - 21/02/2007
> >
> > I stopped decludeproc, renamed the AVG Files and started decludeproc and I
> > got the same files, all from today, but with the same size as before.
> >
> > Alex
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> > Sent: Monday, April 16, 2007 14:37
> > To: declude.virus@declude.com
> > Subject: Re: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7
> >
> > Honestly, I am not sure what all the individual files are, but here
> > are my dates
> >
> > incavi.avm - 4/15/2007
> > microavi.avg - 4/5/2007
> > miniavg.avg - 2/16/2007
> > avi7.avg - 2/21/2007
> >
> > Howard - you can try this post from David from the Archive-
> > http://www.mail-archive.com/declude.virus@declude.com/msg13473.html
> >
> > Darrell
> >
> > ----------
> > Check out http://www.invariantsystems.com for utilities for Declude
> > And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
> > MRTG Integration, and Log Parsers.
> >
> > - Original Message -
> > From: Howard Smith (N.O.R.A.D.) <mailto:[EMAIL PROTECTED]>
> > To: declude.virus@declude.com
> > Cc: [EMAIL PROTECTED] ; 'David Barker' <mailto:[EMAIL PROTECTED]>
> > Sent: Monday, April 16, 2007 6:28 AM
> > Subject: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7
> >
> > I have not had a virus update from decludes AVG builtin
> > scanner since 4/6/7 , has any one received any later updates , or
> > suggestions to fix problem
RE: [Declude.Virus] Declude 4.3.46 Release
Just got off the phone with Tech Support.

A file pcres.dll was not included in the original upgrade executable and if that file is not in the \Imail directory the decludeproc service will not start.

She had to send me the file separately and they will now be changing the upgrade executable.

John T

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
> Sent: Monday, April 16, 2007 11:24 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Declude 4.3.46 Release
>
> Addresses this AVG issue. If you currently only have AVG as your virus
> scanner I would consider this a critical update.
>
> EVA ADD Improved AVG virus database format for optimization
> EVA ADD Improved speed of AVG scanning by 15-20%
> EVA ADD Updated AVG (avgsdk.dll 1.2.449)
> DEC ADD Updated Commtouch ZEROHOUR (asapsdk.dll 5.03.0013)
> JM FIX Smartermail HELO was being picked up from the headers rather
> than the envelope
> JM FIX Fixed log entry for PCRE when matching on location SUBJECT
>
> David Barker
> VP Operations | Declude
> Your Email Security is our business
> O: 978.499.2933 x7007
> F: 978.988.1311
> E: [EMAIL PROTECTED]
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
> Sent: Monday, April 16, 2007 10:09 AM
> To: declude.virus@declude.com
> Subject: AW: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7
>
> Hello Darrell,
>
> are you (or David :) sure with the return codes?
>
> I'm getting 0.0.0.1 and these files on both servers:
>
>                Darrell       Alex
> incavi.avm   - 4/15/2007  - 4/06/2007
> microavi.avg - 4/5/2007   - 4/05/2007
> miniavg.avg  - 2/16/2007  - 2/16/2007
> avi7.avg     - 2/21/2007  - 21/02/2007
>
> I stopped decludeproc, renamed the AVG Files and started decludeproc and I
> got the same files, all from today, but with the same size as before.
>
> Alex
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Monday, April 16, 2007 14:37
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7
>
> Honestly, I am not sure what all the individual files are, but here
> are my dates
>
> incavi.avm - 4/15/2007
> microavi.avg - 4/5/2007
> miniavg.avg - 2/16/2007
> avi7.avg - 2/21/2007
>
> Howard - you can try this post from David from the Archive-
> http://www.mail-archive.com/declude.virus@declude.com/msg13473.html
>
> Darrell
>
> ----------
> Check out http://www.invariantsystems.com for utilities for Declude
> And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
> MRTG Integration, and Log Parsers.
>
> - Original Message -
> From: Howard Smith (N.O.R.A.D.) <mailto:[EMAIL PROTECTED]>
> To: declude.virus@declude.com
> Cc: [EMAIL PROTECTED] ; 'David Barker' <mailto:[EMAIL PROTECTED]>
> Sent: Monday, April 16, 2007 6:28 AM
> Subject: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7
>
> I have not had a virus update from decludes AVG builtin
> scanner since 4/6/7 , has any one received any later updates , or
> suggestions to fix problem
>
> Howard Smith
> N.O.R.A.D. Inc.
> P.O. Box 680116
> Miami, Florida 33168
> www.norad.com
> [EMAIL PROTECTED]
RE: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
Bill, I will be back on in a couple of hours if you are still around and need help.

John T

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Green dfn Systems
> Sent: Thursday, March 22, 2007 6:15 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
>
> Is there an actual set of instructions for a Declude Upgrade for IMail? The
> Declude site lists Installation Instructions, but they are for SmarterMail.
> The Knowledge Base is no help. Declude Support has gone Home. My Upgrade has
> gone horribly wrong and I now seem to have a hybrid monster.
>
> Bill Green
> dfn Systems
>
> - Original Message -
> From: "Bill Green dfn Systems" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, March 22, 2007 6:31 PM
> Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
>
> > I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key
> > message. According to the Archives, I need to put the Key in the
> > declude.cfg file, but what is the correct syntax?
> >
> > License Key (KEY#) ?
> > or
> > Product Key (Key#) ?
> > or just
> > Key # ?
> >
> > Bill Green
> > dfn Systems
RE: [Declude.Virus] F-Prot Version 6
As Andrew pointed out, you did not read the fine print.

John T

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
> Sent: Tuesday, March 13, 2007 8:50 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] F-Prot Version 6
>
> F-prot is $50 for 10 licenses per year. $5 per machine per year. Version 6
>
> Why is that not still reasonable?
>
> Please explain
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
> Sent: Thursday, February 01, 2007 8:33 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] F-Prot Version 6
>
> Changed when they released the new version. About 3 months back. Check the
> archives of this list. We were complaining about it. We dumped using their
> product and just use the AVG built into Declude.
>
> Kevin Bilbee
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Thursday, February 01, 2007 3:33 PM
> > To: declude.virus@declude.com
> > Subject: Re: [Declude.Virus] F-Prot Version 6
> >
> > When did their licensing change? F-Prot used to be extremely reasonable.
> >
> > Don
> >
> > - Original Message -
> > From: "Kevin Bilbee" <[EMAIL PROTECTED]>
> > To:
> > Sent: Wednesday, January 31, 2007 11:14 PM
> > Subject: RE: [Declude.Virus] F-Prot Version 6
> >
> > > Read the license. It may be compatible but the licensing is expensive.
> > >
> > > Kevin Bilbee
> > >
> > >> -Original Message-
> > >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
> > >> Sent: Wednesday, January 31, 2007 7:26 PM
> > >> To: Declude.Virus@declude.com
> > >> Subject: [Declude.Virus] F-Prot Version 6
> > >>
> > >> Been using F-Prot version 3 for years ... and now getting notices to
> > >> upgrade to version 6.
> > >>
> > >> Anyone done this yet, and is it still compatible with Declude/Imail, etc?
> > >>
> > >> David
[Declude.Virus] New virus - PiggiA
With the extensions listed, any one know if the payload is only in the executables?

W32/Piggi-A is a mass-mailing worm for the Windows platform. W32/Piggi-A spreads via email and may pretend:
- to offer a free gift
- that your myspace, anti-virus, tax, financial or personal details have been hacked or expired
- that an email that was sent failed to deliver
- to be showing you a picture, movie, game, sound or website
- to offer a gambling, casino or poker technique or strategy

Attached files may contain any of the following extensions:
- .wav
- .wma
- .mp3
- .rtf
- .html
- .txt
- .gif
- .jpeg
- .com
- .exe

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)
RE: [Declude.Virus] How to block an IP
If you want to block IP addresses from any access, your best bet is to use the Imail Control Access list in the SMTP service, that way neither Imail nor Declude ever have to touch it in the first place.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
> Sent: Monday, December 25, 2006 10:30 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] How to block an IP
>
> I guess I've forgotten the order in which processes occur. I thought it was
> kill.lst, rules.ima, and then Declude.
>
> I thought I was clear. I want to block certain IP addresses which get
> stopped by Declude AV for a vulnerability. Certain ones are prolific and
> tend to leave a couple of hundred in my virus hold file each day. I want to
> have them deleted so I don't have to deal with them.
>
> They don't get caught by my Declude IP blacklist since they are stopped by
> AV first. It's only about 6 or 8 IP blocks which have never shown a valid
> email in over 2 years.
>
> BTW.. I responded to you off-list on my last subject a few days ago. After
> thinking about it, I didn't think the subject had much place on the Declude
> list.
>
> - Original Message -
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, December 25, 2006 11:38 PM
> Subject: RE: [Declude.Virus] How to block an IP
>
> Using Imail rules, no! Imail rules are the last to run of all other items.
>
> Exactly what are you intending to do?
>
> John T
> eServices For You
>
> "Life is a succession of lessons which must be lived to be understood."
> Ralph Waldo Emerson (1802-1882)
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
> > Sent: Monday, December 25, 2006 8:07 PM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] How to block an IP
> >
> > Is there a way to block an IP address before analysis by Declude's AV (Ver
> > 1.82 - Imail 8.x)?
> >
> > I thought I should be able to do this with rules.ima by looking for a line
> > in the header. So I have a line that says
> > H~xxx\.yyy\.zz\.
> > but it doesn't work. (In case you can't see it, the lines read \. = slash
> > dot per Ipswitch docs) I don't think the H~ (header contains) command reads
> > everything in the header.
> >
> > ~Joe
RE: [Declude.Virus] How to block an IP
Using Imail rules, no! Imail rules are the last to run of all other items.

Exactly what are you intending to do?

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
> Sent: Monday, December 25, 2006 8:07 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] How to block an IP
>
> Is there a way to block an IP address before analysis by Declude's AV (Ver
> 1.82 - Imail 8.x)?
>
> I thought I should be able to do this with rules.ima by looking for a line
> in the header. So I have a line that says
> H~xxx\.yyy\.zz\.
> but it doesn't work. (In case you can't see it, the lines read \. = slash
> dot per Ipswitch docs) I don't think the H~ (header contains) command reads
> everything in the header.
>
> ~Joe
[Declude.Virus] Posting etiquette
Do not use "Digital email Signatures" when posting to a list.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)
RE: [Declude.Virus] Couldn't rename SMD to SM$ [183]
Search for all log lines for that message in both the junkmail and virus logs to see if there is another error message preceding that.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Monday, December 18, 2006 2:54 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Couldn't rename SMD to SM$ [183]

Hello,

what should this message tell me? :)

-
12/18/2006 23:51:47.687 q1a18019903bb.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [C:\IMail\spool\proc\work\D1a18019903bb.smd] [C:\IMail\spool\proc\work\D1a18019903bb.sm$]
-

and why does it happen? I found it multiple times in the logfile, running declude v4.3.14 with AVG Built-In and ClamAV.

Alex
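Both the on-access scanner warning quoted in the "You should not use an on-access virus scanner" thread above and the "Couldn't rename SMD to SM$ [183]" error here are per-message Declude log lines, and the advice in this reply is to pull every line for that queue ID from the virus and junkmail logs and read what came before the error. As an added example (not from the thread and not Declude's own code), the Python below parses lines in the layout shown, merges several logs by queue ID ordered by timestamp, and flags those two warnings together with the preceding entries; the junkmail sample lines are constructed, the virus-log lines are the ones quoted in the threads.

```python
"""Trace a Declude message through its virus and junkmail logs and flag known warnings.

Added example, not Declude's own code. The line layout
"MM/DD/YYYY HH:MM:SS.mmm <queue-id>.smd <text>" and the two warning texts
are taken from the mailing-list threads; the junkmail sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<msgid>\S+\.smd) (?P<text>.*)$"
)

# Warning texts quoted in the threads and a short label for each.
WARNING_PATTERNS = {
    # Something outside Declude removed a file from the work directory
    # (typically an on-access scanner reaching into \IMail).
    "ON_ACCESS_SCANNER": re.compile(r"You should not use an on-access virus scanner"),
    # Rename to .sm$ failed because the target already existed; whatever
    # touched the message just before is the first thing to review.
    "RENAME_FAILED": re.compile(r"Couldn't rename SMD to SM\$ \[183\]"),
}


def parse_line(line):
    """Return {'ts', 'msgid', 'text'} for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f")
    return {"ts": ts, "msgid": m["msgid"], "text": m["text"]}


def merge_logs(*logs):
    """Parse (name, lines) pairs from several logs and group records per queue ID.

    Records for one message are ordered by timestamp so the entries preceding
    an error read in sequence regardless of which log they came from.
    """
    by_msg = defaultdict(list)
    for source, lines in logs:
        for line in lines:
            rec = parse_line(line)
            if rec is not None:
                rec["source"] = source
                by_msg[rec["msgid"]].append(rec)
    for recs in by_msg.values():
        recs.sort(key=lambda r: r["ts"])  # stable: same-timestamp lines keep log order
    return dict(by_msg)


def classify(text):
    """Return the warning label matching this text, or None."""
    for label, pattern in WARNING_PATTERNS.items():
        if pattern.search(text):
            return label
    return None


def find_warnings(by_msg):
    """Return (msgid, label, preceding) for every flagged record.

    `preceding` lists "[source] text" for the records logged for that message
    before the flagged one, which is what to review first.
    """
    hits = []
    for msgid, recs in by_msg.items():
        for i, rec in enumerate(recs):
            label = classify(rec["text"])
            if label is not None:
                preceding = [f"[{r['source']}] {r['text']}" for r in recs[:i]]
                hits.append((msgid, label, preceding))
    return hits


# Virus-log lines as quoted in the threads.
VIRUS_LOG = [
    "04/17/2007 08:49:18.391 q6de201f80068.smd Virus scanner 1 reports exit code of 0",
    r"04/17/2007 08:49:18.391 q6de201f80068.smd 1 [1 of 2 not deleted] files were deleted. "
    r"You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.",
    "04/17/2007 08:49:18.391 q6de201f80068.smd Scanned: Virus Free [MIME: 1 2108]",
    r"12/18/2006 23:51:47.687 q1a18019903bb.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. "
    r"Error String: [Cannot create a file when that file already exists.] "
    r"[C:\IMail\spool\proc\work\D1a18019903bb.smd] [C:\IMail\spool\proc\work\D1a18019903bb.sm$]",
]

# Constructed junkmail-log lines for the same queue IDs (not real Declude output).
JUNKMAIL_LOG = [
    "12/18/2006 23:51:47.203 q1a18019903bb.smd Junkmail scan finished (constructed sample)",
    "04/17/2007 08:49:18.001 q6de201f80068.smd Junkmail scan finished (constructed sample)",
]

if __name__ == "__main__":
    merged = merge_logs(("virus", VIRUS_LOG), ("junkmail", JUNKMAIL_LOG))
    for msgid, label, preceding in find_warnings(merged):
        print(msgid, label)
        for entry in preceding:
            print("   before:", entry)
```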
RE: [Declude.Virus] Problem after upgrade to Declude 4.3.23
Did you put it into the Declude.cfg file?

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
Sent: Sunday, December 17, 2006 10:53 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Problem after upgrade to Declude 4.3.23

I have finally made the move and upgraded Declude to version 4.3.23 (from version 3.1) but I'm now having trouble getting it to run. I've used my "product Key" listed on my account area of the Declude website for version 4.x; but the Declude process will not start and continually responds with the error "FATAL ERROR: Product license key not in configuration INVALID KEY". I've double checked the product key and it appears correct. I've checked the Declude Support and on-line help areas but nothing references this error. Has anyone else had this problem when upgrading?

Wolf
RE: [Declude.Virus] Re: notification stopped? .. now Why GSC
What happens if you restart the Queue Manager service?

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
Sent: Thursday, December 07, 2006 10:47 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Re: notification stopped? .. now Why GSC

-Original Message-
I just realized I haven't been seeing any notifications for the past few weeks from my Declude software showing it had stopped a virus. I checked the virus log on the server, and it shows it is stopping several viruses a day.
---

I just checked the spool directory ... there are thousands of GSC files, all containing the virus notification that I'm looking for. They are all addressed to [EMAIL PROTECTED] which is working from tests from outside email accounts.

Why are the virus notifications getting stuck thousands at a time as GSC files in the spool directory instead of being delivered?

David
RE: [Declude.Virus] EXE in RAR file
RAR files should be treated the same as ZIP files, so unless something has changed, if you have BANZIPEXTS ON and BANEXT EXE it should be banned.

John T
eServices For You
"Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Wednesday, December 06, 2006 7:40 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] EXE in RAR file

Does Declude check for banned extensions in RAR files? If not, please add this to the wish list. RAR files are becoming more popular and it is difficult to ban RAR files. I had an email come in with an .EXE file in a RAR file, so I believe it doesn't.
RE: [Declude.Virus] AUTOFORGE
OOPS, brainfart.

John T
eServices For You
"Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> Sent: Friday, October 27, 2006 5:07 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AUTOFORGE
>
> I think you meant to say SKIPIFFORGING not SKIPIFFORGINGVIRUS.
>
> > ---- Original Message
> > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > Sent: Friday, October 27, 2006 7:52 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] AUTOFORGE
> >
> > > Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME? Do you need to have both statements in the virus.cfg or is that redundant?
> >
> > FORGINGVIRUS is in the virus.cfg file and it is to list those viruses that forge the from address. Then, in your various eml files, you just need to put in SKIPIFFORGINGVIRUS instead of having to list each SKIPIFVIRUSNAMEHAS.
> >
> > John T
> > eServices For You
> > "Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)
RE: [Declude.Virus] AUTOFORGE
> Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME? Do you need to have both statements in the virus.cfg or is that redundant?

FORGINGVIRUS is in the virus.cfg file and it is to list those viruses that forge the from address. Then, in your various eml files, you just need to put in SKIPIFFORGINGVIRUS instead of having to list each SKIPIFVIRUSNAMEHAS.

John T
eServices For You
"Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)
RE: [Declude.Virus] stration work
Andrew, wouldn't the second line include the first, meaning only the second line is needed?

John T
eServices For You
"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Monday, October 02, 2006 3:49 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] stration work

Those of us still running F-Prot* as a primary virus scanner will want to add one or both of these to their virus.cfg in order to block notifications for detection of the Stration malware:

FORGINGVIRUS W32/Tricky-Malware-based!Maximus
FORGINGVIRUS Tricky-Malware-based!

The first is the most explicit, and the second is a fragment that will catch future detections that are based on heuristics.

And in the unlikely event that someone is using Trend Micro OfficeScan or SysClean:

FORGINGVIRUS Possible_Strat-2
FORGINGVIRUS Possible_

Andrew 8)

* The "new" price is unjustifiably high for using fpcmd on a mailserver. Plan to switch to a different vendor before you renew this licence.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Monday, October 02, 2006 7:27 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] stration work

It looks like the Stration worm is causing backscatter today:

The W32/Stration.dr virus drops the mass mailing worm W32/[EMAIL PROTECTED] that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. The W32/Stration.dr is written using Microsoft Visual C++ and also contains functionality to connect to a remote web server to download a file.

I've added it as a forging virus:

FORGINGVIRUS Stration

Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
RE: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
Matt, please keep us informed about this bug. I thank you for your diligence.

John T
eServices For You
"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, October 02, 2006 11:56 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

Here's an update about the attempted workaround. I added "SKIPIFEXT mismatched.exe" to my bannotify.eml and it didn't prevent the bounce. It would seem that while Declude is using the EXE extension from mismatched.exe in determining the bannotify.eml action, it is not using that file name in the variable that SKIPIFEXT is using.

It appears that there is no way to prevent the backscatter from this besides maybe turning off bounces for EXE's (which may or may not work), turning off all banned extension bouncing, or not blocking EXE's altogether. This definitely needs a solution since none of those options are acceptable, nor is the potential of bouncing so much E-mail. I know that I can create something to delete these messages on my own system, but I would still be vulnerable to other exploits by broken spamware, and of course that's only me and this affects all Declude users that block EXE's and use bannotify.eml to bounce.

Matt

Colbeck, Andrew wrote:

> .. I hope that Declude will agree with Matt's point that backscatter must be avoided. There is ample precedent, for example in that the BOUNCE action was renamed to BOUNCEONLYIFYOUMUST to prevent backscatter.
>
> Andrew.
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Monday, October 02, 2006 5:44 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
>
> Matt, I agree with every one of your points. My intent was to bring it up that I had reported this issue a long time ago, as I also thought that what was happening was undesirable. However, at the time Scott did not feel this was a bug. However, times change and backscatter is a huge issue. Maybe that's enough now to convince for an alteration of behavior. My preference would be to handle mismatched exe's as its own class, for which I would not send bannotify messages.
>
> Darrell
> Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
>
> - Original Message -
> From: Matt
> To: declude.virus@declude.com
> Sent: Sunday, October 01, 2006 8:24 PM
> Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
>
> Darrell,
>
> I'm sure that it is desirable to block (when the detection isn't erroring), however having this handled as if it was an EXE when it comes to the bannotify.eml is problematic. Backscatter can get you blacklisted, not to mention it is annoying to get such things for forged E-mail. I have Virus running after JunkMail and still I have bounced a dozen of these today alone (which excludes messages that reached my DELETE weight). For those that run JunkMail before Virus (the default), that number could be in the hundreds or thousands depending on volume since this comes from a major zombie spammer. I'm guessing that most are bouncing EXE's that aren't detected as viruses. To check this, just search your Virus log for "mismatched.exe".
>
> The behavior needs to be changed so that this doesn't trigger bannotify.eml bounces. I am testing using "SKIPIFEXT mismatched.exe" in my bannotify.eml to see if that helps, but this should not bounce such messages by default as if they were EXE's. It makes sense to give it a unique extension for these conditions and let us determine what to do with them instead of lumping it together with actions for EXE's.
>
> Matt
>
> Darrell ([EMAIL PROTECTED]) wrote:
>
> > I brought this up to Scott several years ago, and he said this is not a bug but a by-design issue. He explained a scenario why this was important and I understood based on the explanation, but for the life of me I can't remember the scenario.
> >
> > Darrell
> >
> > - Original Message -
> > From: Matt
> > To: declude.virus@declude.com
> > Sent: Sunday, October 01, 2006 3:33 PM
> > Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
> >
> > I just found this bu
RE: [Declude.Virus] New feature needed
Sorry, forgot to make an all-inclusive list:

To my knowledge, there is no BounceNotify.eml.

JunkMail uses the following eml file ONLY: SpamAttach.eml

Confirm uses the following eml file ONLY: Confirm.eml

When EVA finds a vulnerability (listed in the EVA manual further down from the allow section) it uses the following file ONLY: Vulnerability.eml

When EVA finds a banned attachment and the associated email is not found to be virus laden or contain a vulnerability, EVA will use the following file ONLY: BanNotify.eml

ANY OTHER eml file contained in the \declude directory will be used by EVA when a virus is found, according to parameters within each file. So, if you have 50 eml files aside from the above specifically mentioned 4, EVA will try to use all 50 when it finds a virus. The reason for this, along with the original 4 other eml files normally found (postmaster.eml, otherpostmaster.eml, sender.eml and recipient.eml), was so that an appropriately worded notice be sent to each respective party as desired. However, that also allows for plenty of customization. Example: I have a client whose manager wants a copy of each notice sent. So I have created 2 specific eml files for that client, one for if the infected email is incoming and one for if the infected email is outgoing.

John T
eServices For You
"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> Sent: Thursday, August 10, 2006 9:05 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New feature needed
>
> But what defines a "vulnerability"? Are you referring to the list of vulnerabilities associated with the ALLOWVULNERABILITY statement in the EVA manual? I'm confused by the various .eml files Declude provides and how it decides to use them, whether EVA or Junkmail. None of the .eml files that come with Declude have the name of a vulnerability.
>
> Here is a list of the E-mail template files that came with the Declude 4.x installation and how I guess that they are used (since there doesn't seem to be some centralized description/list of what these files are and how they are used):
>
> spamattach.eml - Used by Junkmail when ATTACH action is implemented.
>
> postmaster.eml - Used by EVA to warn the postmaster of the local machine that a virus was detected.
>
> BOUNCEnotify.eml - Used by EVA to warn the local sender that his (outgoing) E-mail attachment contained a banned extension.
>
> BANnotify.eml - Used by EVA to warn the sender that his (incoming) E-mail attachment contained a banned extension.
>
> otherpostmaster.eml - Used by EVA to warn the postmaster of a host that a virus came from his server (typically not used due to virus forging).
>
> sender.eml - Used by EVA to warn the sender that an E-mail sent by him was detected as a virus (typically not used due to virus forging).
>
> recip.eml - Used by EVA to warn the recipient that Declude detected a virus sent to him.
>
> confirm.eml - Used by Declude Confirm (http://www.declude.com/Articles.asp?ID=127). Is this a discontinued product? If not, does it work with SmarterMail?
>
> So it seems that most of the files are used by EVA, one by Junkmail and one by Confirm. Does that mean that Junkmail and Confirm only use their one specific .eml file and ignore all the others? If I create a randomly named .eml file, will it only be used by EVA?
>
> > Original Message
> > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > Sent: Thursday, August 10, 2006 9:37 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New feature needed
> >
> > When a vulnerability is detected, it looks for vulnerability.eml only. When a virus is detected, it uses any and all .eml files except for vulnerability.eml.
> >
> > So yes, you could do that.
> >
> > John T
> > eServices For You
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> > > Sent: Thursday, August 10, 2006 4:43 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] New feature needed
> > >
> > > I was wondering if there might be a work-around for this. Could a combination of multiple .eml files utilizing SKIPIFRECIP work?
> > >
> > > I guess the first question is what .eml files does Declude look for when it detects a virus? Does EVA specifically look for a file named "recip.eml"? Or doe
RE: [Declude.Virus] New feature needed
When a vulnerability is detected, it looks for vulnerability.eml only. When a virus is detected, it uses any and all .eml files except for vulnerability.eml.

So yes, you could do that.

John T
eServices For You
"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> Sent: Thursday, August 10, 2006 4:43 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New feature needed
>
> I was wondering if there might be a work-around for this. Could a combination of multiple .eml files utilizing SKIPIFRECIP work?
>
> I guess the first question is what .eml files does Declude look for when it detects a virus? Does EVA specifically look for a file named "recip.eml"? Or does it look at all the .eml files in the main Declude directory?
>
> Could you have two files, one called recip-en.eml (English) and one called recip-es.eml (Spanish), and then list in those files using SKIPIFRECIP all the domains that want the other language?
>
> Gary
>
> > Original Message
> > From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> > Sent: Tuesday, June 20, 2006 3:57 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New feature needed
> >
> > Gary,
> >
> > I have not even thought of something like that (since all my customers are English speaking) but you are absolutely right.
> >
> > So David, will we be seeing this new feature next week? :)
> >
> > Goran Jovanovic
> > Omega Network Solutions
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> > > Sent: Tuesday, June 20, 2006 3:24 PM
> > > To: declude.virus@declude.com
> > > Subject: re: [Declude.Virus] New feature needed
> > >
> > > I asked about the possibility of per domain replies several months ago. I would hope that it has already been placed on the wish list.
> > >
> > > It is especially useful when you have users speaking different languages and you want to have language specific messages linked to each domain.
> > >
> > > Gary
> > >
> > > > Original Message
> > > > From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, June 20, 2006 2:30 PM
> > > > To: declude.virus@declude.com
> > > > Subject: [Declude.Virus] New feature needed
> > > >
> > > > Hi,
> > > >
> > > > I would like to suggest a new feature to be added to the virus notification capabilities.
> > > >
> > > > Right now, to notify a recipient that I stopped a virus I have a recip.eml file in my main Declude directory. There is another recip-vulnerability.eml file that is used if the "virus" is a vulnerability. These two files are all or nothing files, meaning that all recipients for all the domains that I process are in the same file.
> > > >
> > > > I need to be able to specify a per domain recip.eml file. This way I can tailor the notifications to each domain as appropriate. These files should be in the domain subdirectory along with the $default$.junkfile etc.
> > > >
> > > > I am faced with the challenge right now for a single domain to send all virus notifications to one person only or to stop all notifications to that domain. To the best of my knowledge I cannot redirect all the notifications to the one person for that domain and to the original recipients for all the other domains.
> > > >
> > > > Another feature that should be added to the *.eml files is the ability to do a BCC to a monitoring address. This is a good way to monitor what is happening with banned files, viruses or whatever notification processes we have set up.
> > > >
> > > > So can you please add this to the "to do" list
> > > >
> > > > Thank you
> > > >
> > > > Goran Jovanovic
> > > > Omega Network Solutions
> > > >
> > > > ---
> > > > This
[Declude.Virus] Virus in at HTA inside of ZIP seen
FYI: by banning potentially malicious extensions, including within zip files, I caught an email with the FEEBS virus. Per VirusTotal, ClamAV, McCrappy, AVG and F-Prot are not catching these.

John T
eServices For You
"Seek, and ye shall find!"
RE: [Declude.Virus] Declude error, not ClamAV error
My recommendation, if not done already, is to put the Virus log into debug mode, wait until the error occurs, then zip the log and the D file for a message in question and send them to Declude support.

John T
eServices For You
"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> Sent: Saturday, July 15, 2006 11:29 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Declude error, not ClamAV error
>
> Yes, the command line works fine. Nowhere in the output from the command line does it say anything about an attachment, nor do I see the "Attachment=[Unknown: Err]" statement. That's why I believe it is something generated by Declude, not by ClamAV.
>
> > Original Message
> > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > Sent: Saturday, July 15, 2006 2:13 AM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> >
> > Have you tried running the command line by itself against a file in question to see what the return code is?
> >
> > John T
> > eServices For You
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> > > Sent: Friday, July 14, 2006 7:08 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> > >
> > > I get the error no matter what the virus, Netsky, Bagle, Feebs; even when ClamAV detects a phishing attempt the error is there.
> > >
> > > > Original Message
> > > > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > > > Sent: Friday, July 14, 2006 9:46 PM
> > > > To: declude.virus@declude.com
> > > > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> > > >
> > > > In other log lines Declude states it is an invalid/bogus pif file. That might explain it.
> > > >
> > > > John T
> > > > eServices For You
> > > > "Seek, and ye shall find!"
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> > > > > Sent: Friday, July 14, 2006 2:43 PM
> > > > > To: declude.virus@declude.com
> > > > > Subject: [Declude.Virus] Declude error, not ClamAV error
> > > > >
> > > > > Upon further research, the statement "Attachment=[Unknown: Err]" is generated by Declude, not ClamAV. So does Declude have a problem with ClamAV?
> > > > >
> > > > > > Original Message
> > > > > > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > > > > > Sent: Friday, July 14, 2006 1:32 PM
> > > > > > To: declude.virus@declude.com
> > > > > > Subject: [Declude.Virus] ClamAV error
> > > > > >
> > > > > > I recently installed ClamAV as my third scanner after AVG and F-Prot. For some reason it indicates an error related to the attachment when it detects a virus (Attachment=[Unknown: Err]). Here is an example from the Declude virus log file:
> > > > > >
> > > > > > 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> > > > > > 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
> > > > > > 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
> > > > > > 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> > > > > > 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> > > > > > 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> > > > > > 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
RE: [Declude.Virus] Declude error, not ClamAV error
Have you tried running the command line by itself against a file in question to see what the return code is?

John T
eServices For You
"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> Sent: Friday, July 14, 2006 7:08 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Declude error, not ClamAV error
>
> I get the error no matter what the virus, Netsky, Bagle, Feebs; even when ClamAV detects a phishing attempt the error is there.
>
> > ---- Original Message
> > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > Sent: Friday, July 14, 2006 9:46 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> >
> > In other log lines Declude states it is an invalid/bogus pif file. That might explain it.
> >
> > John T
> > eServices For You
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> > > Sent: Friday, July 14, 2006 2:43 PM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] Declude error, not ClamAV error
> > >
> > > Upon further research, the statement "Attachment=[Unknown: Err]" is generated by Declude, not ClamAV. So does Declude have a problem with ClamAV?
> > >
> > > > Original Message
> > > > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > > > Sent: Friday, July 14, 2006 1:32 PM
> > > > To: declude.virus@declude.com
> > > > Subject: [Declude.Virus] ClamAV error
> > > >
> > > > I recently installed ClamAV as my third scanner after AVG and F-Prot. For some reason it indicates an error related to the attachment when it detects a virus (Attachment=[Unknown: Err]). Here is an example from the Declude virus log file:
> > > >
> > > > 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> > > > 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
> > > > 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
> > > > 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> > > > 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> > > > 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> > > > 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
> > > > 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
> > > > 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
> > > > 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
> > > > 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
> > > > 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
> > > > 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
> > > > 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
> > > > 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
> > > >
> > > > It doesn't seem to matter what kind of virus is involved. Even when it detects a phishing attempt you still see the same error.
> > > >
> > > > Here is what I have in the virus.cfg:
> > > >
> > > > SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
> > > > VIRUSCODE2 1
> > > > REPORT2 FOUND
> > > >
> > > > Is anyone else experiencing this, or have any ideas?
> > > >
> > > > Thanks,
> > > >
> > > > Gary
RE: [Declude.Virus] Declude error, not ClamAV error
In other log lines Declude states it is an invalid/bogus pif file. That might explain it.

John T
eServices For You
"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
> Sent: Friday, July 14, 2006 2:43 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Declude error, not ClamAV error
>
> Upon further research, the statement "Attachment=[Unknown: Err]" is generated by Declude, not ClamAV. So does Declude have a problem with ClamAV?
>
> > Original Message
> > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > Sent: Friday, July 14, 2006 1:32 PM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] ClamAV error
> >
> > I recently installed ClamAV as my third scanner after AVG and F-Prot. For some reason it indicates an error related to the attachment when it detects a virus (Attachment=[Unknown: Err]). Here is an example from the Declude virus log file:
> >
> > 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> > 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
> > 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
> > 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> > 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> > 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> > 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
> > 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
> > 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
> > 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
> > 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
> > 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
> > 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
> > 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
> > 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
> >
> > It doesn't seem to matter what kind of virus is involved. Even when it detects a phishing attempt you still see the same error.
> >
> > Here is what I have in the virus.cfg:
> >
> > SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
> > VIRUSCODE2 1
> > REPORT2 FOUND
> >
> > Is anyone else experiencing this, or have any ideas?
> >
> > Thanks,
> >
> > Gary
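The log lines Gary quoted above, John T's rules for which .eml file Declude uses (vulnerability.eml only for a vulnerability, BanNotify.eml only for a banned attachment with no virus, every other .eml for a virus), the FORGINGVIRUS fragments from the Stration thread, and the mismatched.exe backscatter problem Matt reported all come together in one triage script. This is an added example written for this archive, not Declude's own code and not something posted to the list. The log layout is copied from the quoted log; everything else is my assumption: that a FORGINGVIRUS entry matches as a case-insensitive substring of the reported virus name, that a log line ending in "Vulnerability" marks a vulnerability, that a banned file literally named "mismatched.exe" is Declude's mismatched-extension marker, and that a virus takes precedence over a vulnerability when choosing templates. The sample log lines are constructed (the archive masked scanner 1's virus name, so a stand-in is used) and the "Netsky" forging entry is a constructed example value.

```python
"""Triage Declude virus-log lines: which notification template would fire and
where backscatter risk comes from. Added example, not Declude's own code.
Assumed, not stated on the list: FORGINGVIRUS entries match as case-insensitive
substrings; a line ending in "Vulnerability" marks a vulnerability; a banned file
literally named "mismatched.exe" is the mismatched-extension marker."""
import re
from dataclasses import dataclass, field

LOG_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+) (.*)$")
VIRUS_RE = re.compile(r"^Scanner (\d+): Virus= (\S+) Attachment=(.+?) \[\d+\] [IO]$")
BAN_RE = re.compile(r"^Banning file with (\S+) extension")
MIME_RE = re.compile(r"^MIME file: (\S+) \[")

@dataclass
class MessageEvents:
    msgid: str
    files: list = field(default_factory=list)        # attachment names seen
    banned_exts: list = field(default_factory=list)  # extensions Declude banned
    viruses: list = field(default_factory=list)      # (scanner, name, attachment)
    attachment_errors: int = 0                       # "Attachment=[Unknown: Err]"
    vulnerability: bool = False

def parse_log(lines):
    """Group log lines by message id and pull out the events that drive notices."""
    events = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        msgid, text = m.groups()
        ev = events.setdefault(msgid, MessageEvents(msgid))
        if mm := MIME_RE.match(text):
            ev.files.append(mm.group(1))
        elif mb := BAN_RE.match(text):
            ev.banned_exts.append(mb.group(1).lower())
        elif mv := VIRUS_RE.match(text):
            scanner, name, attachment = mv.groups()
            ev.viruses.append((scanner, name, attachment))
            if attachment == "[Unknown: Err]":
                ev.attachment_errors += 1
        elif text.endswith("Vulnerability"):
            ev.vulnerability = True
    return events

def event_class(ev):
    """Virus first, then vulnerability, then banned attachment (assumed order)."""
    if ev.viruses:
        return "virus"
    if ev.vulnerability:
        return "vulnerability"
    return "banned" if ev.banned_exts else "clean"

def is_forging(virus_name, forging_list):
    """FORGINGVIRUS fragment match: 'Stration' also covers 'W32/Stration.dr'."""
    return any(frag.lower() in virus_name.lower() for frag in forging_list)

def templates_that_fire(ev, forging_list, templates):
    """templates: {filename: {"skipifforgingvirus": bool, "skipifext": {ext, ...}}}.
    Template selection follows John T's rules; SKIPIF* lines then veto templates."""
    kind = event_class(ev)
    if kind == "vulnerability":
        candidates = ["vulnerability.eml"]
    elif kind == "banned":
        candidates = ["bannotify.eml"]
    elif kind == "virus":
        candidates = [t for t in templates if t not in ("vulnerability.eml", "bannotify.eml")]
    else:
        return []
    forging = any(is_forging(n, forging_list) for _, n, _ in ev.viruses)
    fired = []
    for name in sorted(candidates):
        rules = templates.get(name, {})
        if rules.get("skipifforgingvirus") and forging:
            continue
        if rules.get("skipifext", set()) & set(ev.banned_exts):
            continue
        fired.append(name)
    return fired

def backscatter_risk(events, forging_list, templates):
    """Message ids where a sender-facing notice would leave although the sender is
    probably forged: a forging virus, or a mismatched-extension ban (Matt's case)."""
    risky = []
    for ev in events.values():
        fired = templates_that_fire(ev, forging_list, templates)
        if "bannotify.eml" in fired and "mismatched.exe" in ev.files:
            risky.append(ev.msgid)
        elif "sender.eml" in fired and any(is_forging(n, forging_list) for _, n, _ in ev.viruses):
            risky.append(ev.msgid)
    return risky

# Constructed sample modelled on the quoted log (scanner-1 name is a stand-in)
# plus one constructed mismatched-extension message of the kind Matt describes.
SAMPLE_LOG = """\
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= I-Worm/Netsky.D Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
10/02/2006 11:56:00.000 q0000001.smd MIME file: mismatched.exe [base64; Length=2048 Checksum=1]
10/02/2006 11:56:00.000 q0000001.smd Banning file with exe extension [application/octet-stream].
10/02/2006 11:56:00.500 q0000001.smd Scanned: Virus Free [MIME: 2 2048]
""".splitlines()
FORGING = ["Stration", "Tricky-Malware-based!", "Netsky"]  # Netsky entry is constructed
TEMPLATES = {"postmaster.eml": {}, "recip.eml": {}, "sender.eml": {"skipifforgingvirus": True},
             "bannotify.eml": {}, "vulnerability.eml": {}}  # bannotify has no SKIPIFEXT
```

Run `parse_log(SAMPLE_LOG)` and feed each message to `templates_that_fire`: the Netsky message fires postmaster.eml and recip.eml but not sender.eml, because SKIPIFFORGINGVIRUS vetoes it; the clean mismatched.exe message fires bannotify.eml and is the one `backscatter_risk` reports, which is exactly the bounce Matt wanted to stop.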
[Declude.Virus] Odd lines in Declude Virus log.
Declude 4.2.12 for Imail 9.10 preview2 on Windows Server 2003

This is my new server, currently being fully configured and tested before going into production. I have one domain live on it right now, my personal domain.

I have uu files blocked in the virus.cfg file, so the following log lines strike me as odd, especially since there was no attachment on this message. Can someone explain what this means about the uu file?

07/11/2006 10:16:50.727 qdcfa012a008d.smd Vulnerability flags = 64
07/11/2006 10:16:50.727 qdcfa012a008d.smd uu file: the wrong question. What's the first step to reinventing [S:\Spool\proc\work\Ddcfa012a008d.vir\1_1.]
07/11/2006 10:16:51.274 qdcfa012a008d.smd Virus scanner 1 reports exit code of 0
07/11/2006 10:16:51.274 qdcfa012a008d.smd Scanned: Virus Free [UU: 1 0][MIME: 2 17360]

John T
eServices For You
"Seek, and ye shall find!"
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Sure it is not some form of the Pebcak virus, Andrew? Sorry, couldn't resist. I needed the laugh. ;-)

John T
eServices For You
"Seek, and ye shall find!"

> From: Colbeck, Andrew
> Sent: Wednesday, June 28, 2006 2:26 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> Importance: Low
>
> I don't know where that ">" character in front of my From sentence came from. The first character on that line should have been an "F".
>
> It must be some kind of weird auto-quoting software; that character is not in the email that I sent.
>
> Andrew 8)
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Back to the matter indicated in the subject line, how are others dealing with this? Are F-Prot and AVG and others catching this now? Which AV scanners are indeed catching it?

Now for the bigger question: How do we combat this and future such versions without outright blocking of the file extension? We all know that relying on users to not open attachments is problematic.

John T
eServices For You
"Seek, and ye shall find!"
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
I know. :( Declude, this is a feature whose time has come.

John T
eServices For You
"Seek, and ye shall find!"

> From: Markus Gufler
> Sent: Tuesday, June 27, 2006 3:10 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
>
> As I know yes, but
>
> BANNAME my_notebook.doc
>
> wouldn't work for files within zip-archives.
>
> Markus
>
> > From: John T (Lists)
> > Sent: Tuesday, June 27, 2006 11:48 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> >
> > Is the word document only named that?
> >
> > John T
> > eServices For You
> > "Seek, and ye shall find!"
> >
> > > From: Markus Gufler
> > > Sent: Tuesday, June 27, 2006 11:32 AM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> > >
> > > Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters.
> > >
> > > It's a zip-file containing a MS Word Document named "my_notebook.doc"
> > >
> > > Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results:
> > >
> > > Sophos has found "WM97/Kukudro-A"
> > > UNA has found a "Macro Virus"
> > >
> > > No other AV-Engine has caught the suspicious file.
> > >
> > > We've added the following lines to our virus.cfg in order to block as much as we can at the moment.
> > >
> > > BANNAME prices.zip
> > > BANNAME apple_prices.zip
> > > BANNAME sony_prices.zip
> > > BANNAME hp_prices.zip
> > > BANNAME dell_prices.zip
> > > BANNAME My_Notebook.doc
> > >
> > > Regards
> > > Markus
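The thread above wants a BANNAME that also applies to files inside a zip attachment, which the plain BANNAME line does not do. The following Python script is an added illustration of that check, not Declude code and not anything the product ships: it walks a message's MIME parts, opens every zip attachment (by name or by PK magic, so a renamed archive does not escape), recurses into nested zips, and matches both the attachment name and each archive entry against a BANNAME/BANEXT list. The ban lists, the sample message and the archive contents are all constructed for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed ban lists, modelled on the BANNAME lines quoted above (example values only).
BANNAME = {"prices.zip", "apple_prices.zip", "sony_prices.zip", "hp_prices.zip",
           "dell_prices.zip", "my_notebook.doc"}
BANEXT = {".exe", ".pif", ".scr", ".vbs", ".js", ".bat", ".cmd"}


def banned_reason(name, banname=BANNAME, banext=BANEXT):
    """Match a file name (case-insensitively, any path stripped) against the ban lists."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    if base in banname:
        return f"BANNAME {base}"
    for ext in banext:
        if base.endswith(ext):
            return f"BANEXT {ext}"
    return None


def zip_entry_names(data, depth=0, max_depth=2):
    """Yield every file name inside a zip, descending into nested zips up to max_depth."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            yield info.filename
            if info.filename.lower().endswith(".zip") and depth < max_depth:
                try:
                    inner = zf.read(info)
                except RuntimeError:      # encrypted entry: cannot look inside
                    continue
                for name in zip_entry_names(inner, depth + 1, max_depth):
                    yield f"{info.filename}/{name}"


def scan_message(raw, banname=BANNAME, banext=BANEXT):
    """Return [(where, reason)] for every banned attachment name or archive entry."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        reason = banned_reason(fname, banname, banext)
        if reason:
            hits.append((fname, reason))
        payload = part.get_payload(decode=True) or b""
        # Check by content as well as by name, so a renamed zip is still opened.
        if fname.lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
            for entry in zip_entry_names(payload):
                reason = banned_reason(entry, banname, banext)
                if reason:
                    hits.append((f"{fname}:{entry}", reason))
    return hits


def make_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_message(attachment_name, attachment_bytes):
    """Build a sample message with one attachment (constructed, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "prices"
    msg.set_content("See attached.")
    msg.add_attachment(attachment_bytes, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = make_message("hp_prices.zip",
                          make_zip({"My_Notebook.doc": b"placeholder, not a real document"}))
    for where, why in scan_message(sample):
        print(f"{where}: {why}")
```

An encrypted zip entry cannot be inspected this way; the script skips it, so a production filter would want to treat an unreadable archive as its own ban condition rather than silently passing it.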
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Is the word document only named that?

John T
eServices For You
"Seek, and ye shall find!"

> From: Markus Gufler
> Sent: Tuesday, June 27, 2006 11:32 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
>
> Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters.
>
> It's a zip-file containing a MS Word Document named "my_notebook.doc"
>
> Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results:
>
> Sophos has found "WM97/Kukudro-A"
> UNA has found a "Macro Virus"
>
> No other AV-Engine has caught the suspicious file.
>
> We've added the following lines to our virus.cfg in order to block as much as we can at the moment.
>
> BANNAME prices.zip
> BANNAME apple_prices.zip
> BANNAME sony_prices.zip
> BANNAME hp_prices.zip
> BANNAME dell_prices.zip
> BANNAME My_Notebook.doc
>
> Regards
> Markus
[Declude.Virus] Kidala-A Virus
Wow, a busy little bugger isn't it?

http://www.sophos.com/virusinfo/analyses/w32kidalaa.html

W32/Kidala-A is a mass-mailing worm and IRC backdoor Trojan for the Windows platform. W32/Kidala-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Kidala-A spreads to other network computers by:
- file sharing on P2P networks
- copying itself to network shares protected by weak passwords
- exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), MSSQL (MS02-039) (CAN-2002-0649) and Realcast
- sending itself to instant messenger contacts in MSN Messenger, Yahoo instant Messenger and AOL Instant Messenger
- spreading to other network computers infected with: Troj/Kuang, Troj/Sub7, W32/Sasser, Troj/NetDevil and Troj/Optix

W32/Kidala-A includes functionality to:
- perform DDoS attacks
- setup a SOCKS4 server
- download code from the internet

John T
eServices For You
"Seek, and ye shall find!"
RE: [Declude.Virus] Testing the Boards
PPPOONNGGG!

John T
eServices For You
"Seek, and ye shall find!"

> From: David Barker
> Sent: Thursday, April 27, 2006 6:22 AM
> To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
> Subject: [Declude.Virus] Testing the Boards
>
> PING
RE: [Declude.Virus] url file extensions
Yep, exactly what I meant. I ban them as there is no way to scan them (although Bill says ClamAV can do it) to know what they are going to lead to.

John T
eServices For You
"Seek, and ye shall find!"

> From: Nick Hayer
> Sent: Tuesday, April 11, 2006 1:09 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] url file extensions
>
> Hi John,
>
> I was referring to file attachments that had a .url extension - I have that extension banned in my virus.cfg and wondered why -
>
> -Nick
>
> John T (Lists) wrote:
> > You nor I nor Declude nor anyone knows where that leads to. You cannot scan the destination for a url.
> >
> > John T
> > eServices For You
> > "Seek, and ye shall find!"
> >
> > > From: Nick Hayer
> > > Sent: Tuesday, April 11, 2006 12:10 PM
> > > To: Declude.Virus@declude.com
> > > Subject: [Declude.Virus] url file extensions
> > >
> > > I been asked to remove the block I have on these - and since I have forgotten why I am blocking them Is there a valid reason to block these?
> > >
> > > Thanks in advance
> > >
> > > -Nick
RE: [Declude.Virus] url file extensions
You nor I nor Declude nor anyone knows where that leads to. You cannot scan the destination for a url.

John T
eServices For You
"Seek, and ye shall find!"

> From: Nick Hayer
> Sent: Tuesday, April 11, 2006 12:10 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] url file extensions
>
> I been asked to remove the block I have on these - and since I have forgotten why I am blocking them Is there a valid reason to block these?
>
> Thanks in advance
>
> -Nick
RE: [Declude.Virus] Updates from Declude
Fine, make a guy feel guilty. Ok, I am over it now. ;) I'll get to it tonight. I promise. I think. ;-)

John T
eServices For You
"Seek, and ye shall find!"

> From: Grant Griffith
> Sent: Wednesday, March 08, 2006 9:47 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Updates from Declude
>
> Is anyone else using confirm and can let me know if it is working for you now or not? I know John is busy and may not have had time to try it yet and Declude is not responding.
>
> Thanks,
> Grant Griffith
> Web Application Developer
> Enhanced Telecommunications Corp.
> (812)932-1000
>
> > From: Grant Griffith
> > Sent: Monday, March 06, 2006 8:06 AM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Updates from Declude
> >
> > Sounds good John, was just curious if you were still seeing the issue also.
> >
> > Thanks,
> > Grant Griffith
> > Web Application Developer
> > Enhanced Telecommunications Corp.
> > (812)932-1000
> >
> > > From: John T (Lists)
> > > Sent: Friday, March 03, 2006 5:27 PM
> > > To: Declude.Virus@declude.com
> > > Subject: RE: [Declude.Virus] Updates from Declude
> > >
> > > No I have not tested lately. I have been extremely busy this week. I will try on Saturday.
> > >
> > > John T
> > > eServices For You
> > > "Seek, and ye shall find!"
> > >
> > > > From: Grant Griffith
> > > > Sent: Friday, March 03, 2006 5:38 AM
> > > > To: Declude.Virus@declude.com
> > > > Subject: RE: [Declude.Virus] Updates from Declude
> > > >
> > > > Barry,
> > > >
> > > > Wasn't the confirm issue supposed to be resolved in this version? I just tested it and it still does not subscribe the user after they confirm by replying to the message?!?! John, have you tried this yet with the same results?
> > > >
> > > > Thanks,
> > > > Grant Griffith
> > > > Web Application Developer
> > > > Enhanced Telecommunications Corp.
> > > > (812)932-1000
> > > >
> > > > > From: [EMAIL PROTECTED]
> > > > > Sent: Thursday, March 02, 2006 5:04 PM
> > > > > To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
> > > > > Subject: [Declude.Virus] Updates from Declude
> > > > >
> > > > > Product Naming
> > > > >
> > > > > After considering all the choices we have decided to rename the new product "Declude Security Suite". I will be notifying the winner(s) of the competition shortly.
> > > > >
> > > > > Declude Security Suite for IMail
> > > > >
> > > > > We have now released additional versions of the software for different levels of IMail and these can be found at http://www.declude.com//Purchase.asp?cat=13
> > > > >
> > > > > As usual if anyone has questions please contact me and we will do our best to answer.
> > > > >
> > > > > Barry
> > > > > [EMAIL PROTECTED]
> > > > > Office: (978) 499-2933
> > > > > Cell: (978) 853-9593
RE: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working
I will see if I can muster the time to test later tonight, probably late tonight.

John T
eServices For You
"Seek, and ye shall find!"

> From: David Sullivan
> Sent: Wednesday, March 08, 2006 9:05 AM
> To: Declude.Virus@declude.com
> Subject: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working
>
> I'm feeling lonely here...like I'm talking to myself...
>
> Could someone PLEASE check the %RECIPHOST% and %REMOTEHOST% variables in your email notification on 3.0.6 just to make sure it's not me for some reason.
>
> You don't have to mess with your active notifications. Just put another .eml file in the Declude folder with these two variables.
>
> Thanks.
>
> -David
>
> Thursday, March 2, 2006, 12:10:55 PM, you wrote:
>
> DS> Ok, no one else has so I'll respond to my own post. 3.06 and still no change. Can someone try a notification with the %RECIPHOST% and %REMOTEHOST% variables and see if they work?
> DS> Thanks
> DS> -David
>
> DS> Friday, February 24, 2006, 2:39:34 PM, you wrote:
>
> DS>> Has anyone else had trouble with the RECIPIENT HOST and REMOTE HOST NAME variables in your virus notification email since going to 3.x? We send all data to a program alias for notification processing, but since December now we can't get the RECIPIENT HOST data.
> DS>>
> DS>> Below is our notify email file and below that is a slightly munged example of the output. Notice lines 11 and 12 in the output. This behavior is persistent and used to work before upgrading. Anyone else experiencing this?
> DS>>
> DS>> From: [EMAIL PROTECTED]
> DS>> To: [EMAIL PROTECTED]
> DS>> Subject: Virus Notification
> DS>>
> DS>> 1 ALLRECIPS: %ALLRECIPS%
> DS>> 2 BANNED EXTENSION: %BANEXT%
> DS>> 3 DATE (mm/dd/yyy): %DATE%
> DS>> 4 HEADERS: %HEADERS%
> DS>> 5 INOROUT: %INOROUT%
> DS>> 6 LOCALHOST: %LOCALHOST%
> DS>> 7 MAILFROM: %MAILFROM%
> DS>> 8 MESSAGE ID: %MSGID%
> DS>> 9 NUMBER OF RECIPIENTS: %NRECIPS%
> DS>> 10 QUEUE FILE NAME: %QUEUENAME%
> DS>> 11 RECIPIENT HOST: %RECIPHOST%
> DS>> 12 REMOTE HOST NAME: %REMOTEHOST%
> DS>> 13 REMOTE IP: %REMOTEIP%
> DS>> 14 SENDER HOST: %SENDERHOST%
> DS>> 15 SUBJECT: %SUBJECT%
> DS>> 16 CURRENT TIME (hh/mm/ss): %TIME%
> DS>> 17 VIRUS FILE: %VIRUSFILE%
> DS>> 18 VIRUS NAME: %VIRUSNAME%
> DS>> 19 SOFTWARE VERSION: %VERSION%
> DS>>
> DS>> 1 ALLRECIPS: [EMAIL PROTECTED]
> DS>> 2 BANNED EXTENSION:
> DS>> 3 DATE (mm/dd/yyy): 24 Feb 2006
> DS>> 4 HEADERS: Received: from mx1.ourpostfixserver.com [192.168.200.60] by mail5.ourimailserver.com with ESMTP
> DS>> (SMTPD32-8.15) id A5ADFD770080; Fri, 24 Feb 2006 12:43:09 -0500
> DS>> Received: from localhost (adsl-146-64-253.mia.bellsouth.net [70.146.64.253])
> DS>> by mx1.ourpostfixserver.com (Postfix) with SMTP id 4150B1464ED
> DS>> for <[EMAIL PROTECTED]>; Fri, 24 Feb 2006 12:45:43 + (GMT)
> DS>> Message-ID: <[EMAIL PROTECTED]>
> DS>> From: "Jay Ross" <[EMAIL PROTECTED]>
> DS>> To: <[EMAIL PROTECTED]>
> DS>> Subject: Software At Low Pr1ce
> DS>> Date: Fri, 24 Feb 2006 12:42:58 -0500
> DS>> MIME-Version: 1.0
> DS>> Content-Type: multipart/alternative;
> DS>> boundary="=_NextPart_000_0001_01C63993.BFF33280"
> DS>> X-Priority: 3
> DS>> X-MSMail-Priority: Normal
> DS>> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
> DS>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> DS>> 5 INOROUT: outgoing
> DS>> 6 LOCALHOST: mail5.ourimailserver.com
> DS>> 7 MAILFROM: [EMAIL PROTECTED]
> DS>> 8 MESSAGE ID: <[EMAIL PROTECTED]>
> DS>> 9 NUMBER OF RECIPIENTS: 1
> DS>> 10 QUEUE FILE NAME: D45adfd7700801edf.smd
> DS>> 11 RECIPIENT HOST:
> DS>> 12 REMOTE HOST NAME:
> DS>> 13 REMOTE IP: 192.168.200.60
> DS>> 14 SENDER HOST: bellamorris.com
> DS>> 15 SUBJECT: Software At Low Pr1ce
> DS>> 16 CURRENT TIME (hh/mm/ss): 12:43:27
> DS>> 17 VIRUS FILE: [No attachment]
> DS>> 18 VIRUS NAME: [Outlook 'Blank Folding' Vulnerability]
> DS>> 19 SOFTWARE VERSION: 3.0.5.26
RE: [Declude.Virus] Updates from Declude
No I have not tested lately. I have been extremely busy this week. I will try on Saturday.

John T
eServices For You
"Seek, and ye shall find!"

> From: Grant Griffith
> Sent: Friday, March 03, 2006 5:38 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Updates from Declude
>
> Barry,
>
> Wasn't the confirm issue supposed to be resolved in this version? I just tested it and it still does not subscribe the user after they confirm by replying to the message?!?! John, have you tried this yet with the same results?
>
> Thanks,
> Grant Griffith
> Web Application Developer
> Enhanced Telecommunications Corp.
> (812)932-1000
>
> > From: [EMAIL PROTECTED]
> > Sent: Thursday, March 02, 2006 5:04 PM
> > To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
> > Subject: [Declude.Virus] Updates from Declude
> >
> > Product Naming
> >
> > After considering all the choices we have decided to rename the new product "Declude Security Suite". I will be notifying the winner(s) of the competition shortly.
> >
> > Declude Security Suite for IMail
> >
> > We have now released additional versions of the software for different levels of IMail and these can be found at http://www.declude.com//Purchase.asp?cat=13
> >
> > As usual if anyone has questions please contact me and we will do our best to answer.
> >
> > Barry
> > [EMAIL PROTECTED]
> > Office: (978) 499-2933
> > Cell: (978) 853-9593
RE: [Declude.Virus] New Virus?
Upon further investigation and uploading to VirusTotal, these are a group that came in from one IP that had corrupted/incomplete file attachments and were non-viable Kasper viruses.

John T
eServices For You
"Seek, and ye shall find!"

> From: John T (Lists)
> Sent: Saturday, February 25, 2006 9:04 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] New Virus?
>
> Seeing HQX, BHX and UUEs being blocked this morning.
>
> John T
> eServices For You
> "Seek, and ye shall find!"

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
[Declude.Virus] New Virus?
Seeing HQX, BHX and UUEs being blocked this morning.

John T
eServices For You
"Seek, and ye shall find!"
RE: [Declude.Virus] Encoded viruses...worried
I have been blocking them for about 2 weeks now and the only legit one caught was a file sent to a MAC user. They followed the instructions in my policy and resent it without problem.

John T
eServices For You
"Seek, and ye shall find!"

> From: Mark Reimer
> Sent: Thursday, February 16, 2006 12:26 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Encoded viruses...worried
>
> I'm curious. Are people banning BHX, HQX, UUE, UU, and MIM since the Kapser/Blackmal.E/MyWife.d virus hit? If so have you seen any negative effects from doing this. I'm thinking of blocking them as well.
>
> Mark Reimer
> IT Project Manager
> American CareSource
> 214-596-2464
>
> > From: John T (Lists)
> > Sent: Tuesday, January 31, 2006 7:37 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Encoded viruses...worried
> >
> > Matt, are you saying the attachment as Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for now?
> >
> > John T
> > eServices For You
> > "Seek, and ye shall find!"
> >
> > > From: Matt
> > > Sent: Tuesday, January 31, 2006 4:50 PM
> > > To: Declude.Virus@declude.com
> > > Subject: [Declude.Virus] Encoded viruses...worried
> > >
> > > Someone just reported to me that MyWife.d (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will overwrite a bunch of files. It's really nasty. More can be found at these links:
> > >
> > > http://isc.sans.org/diary.php?storyid=1067
> > > http://vil.nai.com/vil/content/v_138027.htm
> > >
> > > This started hitting my system on the 17th, possibly seeded through Yahoo! Groups. The problem is that it often sent encoded attachments in BinHex (BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not sure that Declude is decoding all of these to see what is inside.
> > >
> > > For instance, I found that some BHX files that clearly contained an executable payload showed up in my Virus logs like so:
> > >
> > > 01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
> > > 01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
> > >
> > > There was no mention about the payload inside of it, and there almost definitely was. The same attachment name with the same length was repeatedly detected as a virus later on that day. This likely was a PIF file inside, though it could also have been a JPG according to the notes on this virus. I, like most of us here, don't allow PIF's to be sent through our system, but when the PIF is encoded in at least BinHex format, it gets past this type of protection.
> > >
> > > Here's the conundrum. This mechanism could be exploited just like the Zip files were by the Sober writers and continually seeded, but instead of requiring some of us to at least temporarily block Zips with executables inside, an outbreak of continually seeded variants with executables within one of these standard encoding mechanisms would cause us to have to block all such encodings. I therefore think it would be prudent for Declude to support banned extensions within any of these encoding mechanisms if it doesn't already. I readily admit that this could be a lot of work, but it could be very bad if this mechanism becomes more common. This particular virus is so destructive that a single copy could cause severe damage to one's enterprise.
> > >
> > > I cross my fingers hoping that none of this would be necessary, but that's not enough to be safe.
> > >
> > > Matt
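Matt's worry is that a banned type such as .pif can ride inside a uuencoded, Base64 or nested-MIME wrapper that a plain extension check never looks through. The Python below is an added example, not Declude's decoder and not anything the project publishes: it strips one wrapper layer from a .uue/.uu, .b64 or .mim/.mme attachment, then compares the inner file's claimed extension with its leading bytes, reporting a mismatch in the spirit of the "assuming .exe" log lines quoted elsewhere in this thread. BinHex is deliberately left out, since decoding it (RLE plus its own 6-bit alphabet and CRC) is more than this example needs. The wrapper names, the magic-byte table, the executable extension set and the sample payloads are all assumptions made for the example.

```python
import base64
import binascii
from email import policy
from email.parser import BytesParser

# Assumed magic-byte table (example values, not Declude's internal list).
MAGIC = [(b"MZ", ".exe"), (b"PK\x03\x04", ".zip"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc")]
# Extensions treated as executable content for this example.
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}


def uu_decode(blob):
    """Decode a uuencoded blob ('begin <mode> <name>' ... '`' ... 'end').
    Returns (inner_name, inner_bytes). Empty lines are skipped because
    binascii.a2b_uu(b'') yields 32 NUL bytes rather than nothing."""
    name, out, started = None, bytearray(), False
    for line in blob.splitlines():
        if not started:
            if line.startswith(b"begin "):
                fields = line.split(b" ", 2)
                name = fields[2].decode("latin-1") if len(fields) == 3 else "unnamed"
                started = True
            continue
        if line.strip() == b"end":
            break
        if line:
            out += binascii.a2b_uu(line)
    if name is None:
        raise ValueError("no 'begin' line found")
    return name, bytes(out)


def uu_encode(name, data):
    """Build a uuencoded blob; used here only to construct sample input."""
    lines = [f"begin 644 {name}".encode()]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).rstrip(b"\n"))
    lines += [b"`", b"end"]
    return b"\n".join(lines) + b"\n"


def unwrap(name, data):
    """Strip one wrapper layer, returning (inner_name, inner_bytes)."""
    low = name.lower()
    if low.endswith((".uu", ".uue")):
        return uu_decode(data)
    if low.endswith(".b64"):
        return name[:-4], base64.b64decode(data)
    if low.endswith((".mim", ".mme")):          # a whole MIME message as an attachment
        inner = BytesParser(policy=policy.default).parsebytes(data)
        for part in inner.walk():
            if part.get_filename():
                return part.get_filename(), part.get_payload(decode=True) or b""
        return name, b""
    return name, data


def sniff_ext(data):
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None


def classify(name, data):
    """Return (verdict, inner_name): 'banned' for a declared executable extension,
    'mismatched' when the bytes say .exe but the name does not, else 'ok'."""
    inner_name, inner = unwrap(name, data)
    claimed = ("." + inner_name.rsplit(".", 1)[-1].lower()) if "." in inner_name else ""
    if claimed in EXEC_EXTS:
        return "banned", inner_name
    if sniff_ext(inner) == ".exe":
        return "mismatched", inner_name
    return "ok", inner_name


def build_samples():
    """Constructed inputs for the example (not real captures)."""
    return {
        "Attachments001.uue": uu_encode("your_letter.pif", b"MZ\x90\x00" + bytes(120)),
        "Removed Attachment.txt.b64": base64.b64encode(b"MZ\x90\x00" + bytes(40)),
        "notes.uue": uu_encode("notes.txt", b"hello, world"),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        verdict, inner = classify(name, blob)
        print(f"{name}: {verdict} [{inner}]")
```

The point of the magic-byte step is that renaming the payload to .txt inside the wrapper is free for the sender, so the inner name alone is not a safe thing to trust; the wrapper's own extension is what a BANEXT rule sees, and that is why the thread ends up banning the wrappers outright.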
RE: [Declude.Virus] Encoded viruses...worried
Did a search on all logs for January. Found 337 hits, all HQX files. All but 2 were viruses, and those 2 had suspicious looking from addresses and I am assuming were unviable corrupt versions of viruses.

John T
eServices For You
"Seek, and ye shall find!"

> From: Markus Gufler
> Sent: Wednesday, February 01, 2006 6:40 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Encoded viruses...worried
>
> I've grep'ed through the logfiles for the last 7 days on my servers.
>
> 2981 lines have sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" (ignoring double counts for the second av scanner)
>
> After filtering out all lines containing "Kapser" and "Mywife" there remain the following 4 lines:
>
> 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
> 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
> 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
> 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]
>
> This looks very promising that declude is already handling it in order to catch malicious code inside such attachments.
>
> Note: the 4th line is listed due to the "MIME"
>
> Markus
>
> > From: Matt
> > Sent: Wednesday, February 01, 2006 3:19 PM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Encoded viruses...worried
> >
> > You know, I was going to ask if you would do a search, but I figured you might do it anyway :)
> >
> > You did leave out the ".uue" extension, but I doubt that would have changed your results.
> >
> > I suppose that if these extensions are hardly ever used anymore, it might be prudent enough to just watch for the possibility of the tactic to become widespread and then take action. I do have a fair number of Mac users and probably more overseas traffic than you do, so I think that I am going to have to search a little on my own. Unfortunately I zip all of my logs nightly, so it isn't practical to search through all of them.
> >
> > Matt
> >
> > Colbeck, Andrew wrote:
> > > On the plus side, there are mitigating circumstances...
> > >
> > > First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfuscate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves.
> > >
> > > The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and the former, a buffer overflow).
> > >
> > > If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this:
> > >
> > > egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log
> > >
> > > (if you don't want the filename, stick a -h parameter and a space before that first quotation mark)
> > >
> > > By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too.
> > >
> > > By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base.
> > >
> > > and that's a wrap for tonight.
> > >
> > > Andrew 8)
> > >
> > > > From: Colbeck, Andrew
> > > > Sent: Tuesday, January 31, 2006 6:04 PM
> > > > To: Declude.Virus@declude.com
> > > > Subject: RE: [Declude.Virus] Encoded viruses...worried
> > > >
> > > > John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are stil
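Andrew's egrep one-liner answers which log lines mention one of these wrapper encodings; the follow-up question in the thread is how many of those messages were actually flagged and how many were clean traffic that a ban would have cost. The script below is an added example, not part of the thread and not a Declude tool: it parses virMMDD.log lines of the shape quoted in this thread, groups them by queue id, records which wrapper extensions each message carried, and reads the final "Scanned:" line for the verdict, emitting one line per message rather than one per log hit. The log excerpt is constructed for the example from the line formats quoted above; the queue ids and counts are not real.

```python
import re
from collections import defaultdict

# Wrapper encodings the thread is worried about (same list as the egrep above).
ENCODED = re.compile(r"\.(BHX|HQX|B64|UUE|UU|MIM|MME)\b", re.IGNORECASE)
# date time queue-id rest; accepts both the 19:32:19.328 and 05:36:49 timestamp styles.
LINE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}(?:\.\d+)?) (\S+) (.*)$")

# Constructed log excerpt following the line formats quoted in this thread; not a real capture.
SAMPLE_LOG = """\
01/25/2006 11:46:45.937 q570b9f4500e492b1.smd MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/25/2006 11:46:46.100 q570b9f4500e492b1.smd Scanner 1: Virus= W32/Kapser.A@mm Attachment=Attachments001.BHX [1] I
01/25/2006 11:46:46.100 q570b9f4500e492b1.smd Scanned: CONTAINS A VIRUS [MIME: 2 134042]
01/26/2006 08:07:23.078 q7525030700d4d05a.smd MIME file: report.UUE [7bit; Length=2048 Checksum=12345]
01/26/2006 08:07:23.500 q7525030700d4d05a.smd Scanned: Virus Free [UU: 1 0][MIME: 2 2048]
01/26/2006 09:00:00.000 q9999999999999999.smd MIME file: invoice.zip [base64; Length=500 Checksum=1]
01/26/2006 09:00:00.200 q9999999999999999.smd Scanned: Virus Free [MIME: 2 500]
"""


def summarize(log_text):
    """Map queue id -> {'date', 'encoded': set of wrapper extensions, 'verdict'} for
    every message that carried at least one wrapper-encoded attachment."""
    per_msg = defaultdict(lambda: {"date": None, "encoded": set(), "verdict": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        date, _time, qid, rest = m.groups()
        rec = per_msg[qid]
        rec["date"] = date
        if rest.startswith(("MIME file:", "uu file:")):
            rec["encoded"].update(ext.upper() for ext in ENCODED.findall(rest))
        elif rest.startswith("Scanned:"):
            rec["verdict"] = "virus" if "CONTAINS A VIRUS" in rest else "clean"
    return {qid: rec for qid, rec in per_msg.items() if rec["encoded"]}


def count_by_verdict(summary):
    """Tally how many wrapper-encoded messages were flagged, clean, or never scanned."""
    counts = {"virus": 0, "clean": 0, "unscanned": 0}
    for rec in summary.values():
        counts[rec["verdict"] or "unscanned"] += 1
    return counts


def report_lines(summary):
    """One line per message, so the output stays readable whatever the console width."""
    return [f"{rec['date']} {qid} {','.join(sorted(rec['encoded']))} -> {rec['verdict'] or 'unscanned'}"
            for qid, rec in sorted(summary.items())]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("\n".join(report_lines(s)))
    print(count_by_verdict(s))
```

Run it over a real day's log by reading the file into `summarize`; the "clean" count is the number of legitimate messages a BANEXT on these wrappers would have bounced, which is the figure John and Andrew were estimating by hand.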
RE: [Declude.Virus] Encoded viruses...worried
Andrew, the output ended up being 255 characters long and then wrapping. How do I do this so each find is on a separate line for reading?

John T
eServices For You
"Seek, and ye shall find!"

> From: Colbeck, Andrew
> Sent: Tuesday, January 31, 2006 6:35 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Encoded viruses...worried
>
> On the plus side, there are mitigating circumstances...
>
> First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfuscate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves.
>
> The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and the former, a buffer overflow).
>
> If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this:
>
> egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log
>
> (if you don't want the filename, stick a -h parameter and a space before that first quotation mark)
>
> By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too.
>
> By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base.
>
> and that's a wrap for tonight.
>
> Andrew 8)
>
> > From: Colbeck, Andrew
> > Sent: Tuesday, January 31, 2006 6:04 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Encoded viruses...worried
> >
> > John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant.
> >
> > Blocking messages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives.
> >
> > Like Matt, I'm somewhat worried that this technique will become as common a nuisance as encrypted zips. Until recently, I've put my faith in the combination of Declude unpacking the attachments (I've assumed MIME encoding only) and F-Prot's packed and server options to otherwise do message decoding before virus scanning.
> >
> > I've been watching for copies of Blackworm that might be caught on my system so that I check if Declude+F-Prot would catch these other packing formats, but no luck so far (or rather, I've had the good luck to receive so few copies in so few formats).
> >
> > Andrew 8)
> >
> > > From: John T (Lists)
> > > Sent: Tuesday, January 31, 2006 5:44 PM
> > > To: Declude.Virus@declude.com
> > > Subject: RE: [Declude.Virus] Encoded viruses...worried
> > >
> > > Actually, I am already blocking hqz and uue so I went and added the others and will see what happens.
> > >
> > > John T
> > > eServices For You
> > > "Seek, and ye shall find!"
> > >
> > > > From: John T (Lists)
> > > > Sent: Tuesday, January 31, 2006 5:37 PM
> > > > To: Declude.Virus@declude.com
> > > > Subject: RE: [Declude.Virus] Encoded viruses...worried
> > > >
> > > > Matt, are you saying the attachment as Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for now?
> > > >
> > > > John T
> > > > eServices For You
> > > > "Seek, and ye shall find!"
> > > >
> > > > > From: Matt
> > > > > Sent: Tuesday, January 31, 2006 4:50 PM
> > > > > To: Declude.Virus@declude.com
> > > > > Subject: [Declude.Virus] Encoded viruses...worried
> > > > >
> > > > > Someone just reported to me that MyWife.d (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will overwrite a bu
RE: [Declude.Virus] Encoded viruses...worried
Actually, I am already blocking hqz and uue so I went and added the others and will see what happens.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:37 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Matt, are you saying the attachment as Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for now?

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 31, 2006 4:50 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Encoded viruses...worried

Someone just reported to me that MyWife.d (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will overwrite a bunch of files. It's really nasty. More can be found at these links:

http://isc.sans.org/diary.php?storyid=1067
http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo! Groups. The problem is that it often sent encoded attachments in BinHex (BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not sure that Declude is decoding all of these to see what is inside. For instance, I found that some BHX files that clearly contained an executable payload, showed up in my Virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

There was no mention about the payload inside of it, and there almost definitely was. The same attachment name with the same length was repeatedly detected as a virus later on that day. This likely was a PIF file inside, though it could also have been a JPG according to the notes on this virus. I, like most of us here, don't allow PIF's to be sent through our system, but when the PIF is encoded in at least BinHex format, it gets past this type of protection.

Here's the conundrum. This mechanism could be exploited just like the Zip files were by the Sober writers and continually seeded, but instead of requiring some of us to at least temporarily block Zips with executables inside, an outbreak of continually seeded variants with executables within one of these standard encoding mechanisms would cause us to have to block all such encodings. I therefore think it would be prudent for Declude to support banned extensions within any of these encoding mechanisms if it doesn't already. I readily admit that this could be a lot of work, but it could be very bad if this mechanism becomes more common. This particular virus is so destructive that a single copy could cause severe damage to one's enterprise. I cross my fingers hoping that none of this would be necessary, but that's not enough to be safe.

Matt
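Andrew's egrep prints each whole log line, which is what wrapped at 255 characters on John T's console. The script below is an added example, not Declude's code and not from anyone in this thread: it parses Declude's "MIME file:" lines into queue id, attachment name, length and checksum, keeps only the encoded-container types Matt listed, and emits one short finding per line plus a per-extension tally. It assumes the line layout shown in the two lines Matt quoted; the remaining sample lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Container encodings that are not plain MIME, as listed in the thread
# (BinHex, Base64, Uuencode, MIME-in-a-file). Compared case-insensitively.
ENCODED_CONTAINER_EXTS = {"bhx", "hqx", "b64", "uu", "uue", "mim", "mme"}

# Layout of a Declude "MIME file:" line, taken from the two lines Matt quoted:
#   MM/DD/YYYY HH:MM:SS Q<id> MIME file: <name> [<encoding>; Length=<n> Checksum=<n>]
# A part without a filename is logged as "[text/html][7bit; ...]".
LINE_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<qid>Q[0-9A-F]+) MIME file: (?P<name>.*?) ?"
    r"\[(?P<encoding>[^;\]]+); Length=(?P<length>\d+) Checksum=(?P<checksum>\d+)\]$"
)


def parse_mime_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one 'MIME file:' line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["name"].startswith("["):   # "[text/html]": unnamed body part
        rec["name"] = ""
    return rec


def attachment_ext(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def find_encoded_attachments(lines: List[str]) -> List[Dict[str, str]]:
    """Every attachment whose extension is one of the encoded-container types."""
    hits = []
    for line in lines:
        rec = parse_mime_line(line)
        if rec and attachment_ext(rec["name"]) in ENCODED_CONTAINER_EXTS:
            hits.append(rec)
    return hits


def report_lines(lines: List[str]) -> List[str]:
    """One finding per line, short enough not to wrap on an 80-column console."""
    return [
        f'{r["stamp"]} {r["qid"]} {r["name"]} len={r["length"]} sum={r["checksum"]}'
        for r in find_encoded_attachments(lines)
    ]


def tally_by_extension(lines: List[str]) -> Counter:
    """How many of each container type turned up: the 'what am I seeing' view."""
    return Counter(attachment_ext(r["name"]) for r in find_encoded_attachments(lines))


# The first two lines are the ones Matt quoted; the rest are constructed.
SAMPLE_LOG = [
    "01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]",
    "01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]",
    "01/16/2006 06:02:11 Q0000000000000001 MIME file: report.pdf [base64; Length=88120 Checksum=3311207]",
    "01/16/2006 06:05:40 Q0000000000000002 MIME file: photo.uue [7bit; Length=20480 Checksum=99001]",
    "01/16/2006 06:05:41 Q0000000000000002 Scanning with F-Prot (constructed non-MIME line)",
]

if __name__ == "__main__":
    import glob
    import sys
    # Usage: python script.py vir01*.log   (no arguments: run on the sample above)
    files = [p for arg in sys.argv[1:] for p in glob.glob(arg)]
    lines = SAMPLE_LOG if not files else [
        ln for path in files for ln in open(path, encoding="latin-1", errors="replace")
    ]
    print("\n".join(report_lines(lines)))
    print(dict(tally_by_extension(lines)))
```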
RE: [Declude.Virus] Encoded viruses...worried
Matt, are you saying the attachment as Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for now?

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 31, 2006 4:50 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Encoded viruses...worried

Someone just reported to me that MyWife.d (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will overwrite a bunch of files. It's really nasty. More can be found at these links:

http://isc.sans.org/diary.php?storyid=1067
http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo! Groups. The problem is that it often sent encoded attachments in BinHex (BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not sure that Declude is decoding all of these to see what is inside. For instance, I found that some BHX files that clearly contained an executable payload, showed up in my Virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

There was no mention about the payload inside of it, and there almost definitely was. The same attachment name with the same length was repeatedly detected as a virus later on that day. This likely was a PIF file inside, though it could also have been a JPG according to the notes on this virus. I, like most of us here, don't allow PIF's to be sent through our system, but when the PIF is encoded in at least BinHex format, it gets past this type of protection.

Here's the conundrum. This mechanism could be exploited just like the Zip files were by the Sober writers and continually seeded, but instead of requiring some of us to at least temporarily block Zips with executables inside, an outbreak of continually seeded variants with executables within one of these standard encoding mechanisms would cause us to have to block all such encodings. I therefore think it would be prudent for Declude to support banned extensions within any of these encoding mechanisms if it doesn't already. I readily admit that this could be a lot of work, but it could be very bad if this mechanism becomes more common. This particular virus is so destructive that a single copy could cause severe damage to one's enterprise. I cross my fingers hoping that none of this would be necessary, but that's not enough to be safe.

Matt
RE: [Declude.Virus] F-Prot exit code 8 and body content
Markus, even though I know others have said they can not do this; I am blocking any zip, including ezips that have an executable within them. All of my clients know this and I have a published policy on it which includes instructions on what to do if you must get these through. As such, IMHO, this issue is fine. Others' mileage may vary.

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Tuesday, January 31, 2006 10:39 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
>
> Matt, John,
>
> F-Prot is not catching simple e-zips. I supposed it was the "password" string in the mailbody. Now after an additional test it turned out that F-Prot is exiting with code 8 if there is an attached e-zip containing .exe files. The mail-body seems not to interfere with F-prot's result.
>
> This is a problem for those who need to allow any extensions in zip-files.
>
> Maybe we can ask F-Prot if they can change the signatures to catch only exe in ezip's if they are larger than ...
> Usually legit ezip's should be much larger than 100 kByte.
>
> I wouldn't remove exit code 8 from my configuration because most of the outbreaks in the last year were caught by this exit code before any AV-scanner had updated signatures.
>
> Markus
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Tuesday, January 31, 2006 7:17 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
> >
> > I am using viruscode 8 and it is not blocking password protected zips. I think like Markus said it is looking for a combination of a password protected zip, and executable and the phrase he listed.
> >
> > Markus, did that attachment have an executable within the zip file?
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of Matt
> > > Sent: Tuesday, January 31, 2006 10:02 AM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
> > >
> > > Markus,
> > >
> > > I believe that this is something that several of us railed against and tried to get F-Prot to change. Formerly no known viruses would be tagged with an exit code of 8, but then they suddenly started tagging some known viruses this way, essentially requiring us to add that code in for detection. The downside of this is that this exit code also blocks things like encrypted zips. It was a real shame.
> > >
> > > It's worth checking to see if F-Prot is tagging more recent known viruses with exit code 8 because if they are no longer doing this, I would assume that turning it off would be wise so long as you had two virus scanners running.
> > >
> > > Note that I'm not dismissing your primary intention of pointing out the FP issue with virus scanning and a way to deal with it.
> > >
> > > Matt
> > >
> > > Markus Gufler wrote:
> > >
> > > >Today I've had a message held as false positive ("unknown virus" exit code 8)
> > > >
> > > >F-Prot seems to end with this exit code if there is attached a password protected zip file and in the body is something like
> > > >
> > > >"password: ."
> > > >
> > > >This message was definitively no false positive and so I requeued it.
> > > >
> > > >I've noted it due to the low number of postmaster virus warnings I receive because they are sent to me only if the detected virus is not a forging one.
> > > >Fortunately this legit message wasn't deleted from the virus folder between thousands of unwanted netsky's and sober's.
> > > >
> > > >Markus
> > > >
> > > >---
> > > >[This E-mail was scanned for viruses by Declude EVA www.declude.com
RE: [Declude.Virus] F-prot exit code 8 and body content
I am using viruscode 8 and it is not blocking password protected zips. I think like Markus said it is looking for a combination of a password protected zip, and executable and the phrase he listed.

Markus, did that attachment have an executable within the zip file?

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Matt
> Sent: Tuesday, January 31, 2006 10:02 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
>
> Markus,
>
> I believe that this is something that several of us railed against and tried to get F-Prot to change. Formerly no known viruses would be tagged with an exit code of 8, but then they suddenly started tagging some known viruses this way, essentially requiring us to add that code in for detection. The downside of this is that this exit code also blocks things like encrypted zips. It was a real shame.
>
> It's worth checking to see if F-Prot is tagging more recent known viruses with exit code 8 because if they are no longer doing this, I would assume that turning it off would be wise so long as you had two virus scanners running.
>
> Note that I'm not dismissing your primary intention of pointing out the FP issue with virus scanning and a way to deal with it.
>
> Matt
>
> Markus Gufler wrote:
>
> >Today I've had a message held as false positive ("unknown virus" exit code 8)
> >
> >F-Prot seems to end with this exit code if there is attached a password protected zip file and in the body is something like
> >
> >"password: ."
> >
> >This message was definitively no false positive and so I requeued it.
> >
> >I've noted it due to the low number of postmaster virus warnings I receive because they are sent to me only if the detected virus is not a forging one.
> >Fortunately this legit message wasn't deleted from the virus folder between thousands of unwanted netsky's and sober's.
> >
> >Markus
RE: [Declude.Virus] Virus Feebs variant warning
Why not catch it with less resources via banning hta files and BANZIPEXTS and BANEZIPEXTS?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Wednesday, January 25, 2006 4:56 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Virus Feebs variant warning

I just got a message from a gmail account (forged) with a data.zip attached. It has a hta file inside.

subject: Secure Mail

The body says

ID: 46271
Password: zgbvndwdx
Message is attached.
Sincerely,
Protected Mail System, Gmail.com

Using virustotal.com it is only caught by very few companies.

This is a report processed by VirusTotal on 01/26/2006 at 01:38:32 (CET) after scanning the file "data.zip" file.

Antivirus           Version         Update      Result
AntiVir             6.33.0.77       01.25.2006  no virus found
Avast               4.6.695.0       01.25.2006  no virus found
AVG                 718             01.25.2006  Worm/Feebs
Avira               6.33.0.77       01.25.2006  no virus found
BitDefender         7.2             01.26.2006  no virus found
CAT-QuickHeal       8.00            01.25.2006  no virus found
ClamAV              devel-20051123  01.26.2006  no virus found
DrWeb               4.33            01.25.2006  Win32.HLLM.Graz
eTrust-InoculateIT  23.71.60        01.25.2006  no virus found
eTrust-Vet          12.4.2056       01.25.2006  Win32/Feeb!ZIP
Ewido               3.5             01.25.2006  no virus found
Fortinet            2.54.0.0        01.26.2006  JS/Feebs.fam-mm
F-Prot              3.16c           01.25.2006  no virus found
Ikarus              0.2.59.0        01.25.2006  no virus found
Kaspersky           4.0.2.24        01.25.2006  Worm.Win32.Feebs.gen
McAfee              4682            01.25.2006  no virus found
NOD32v2             1.1380          01.25.2006  JS/TrojanDownloader.Tivso.gen
Norman              5.70.10         01.25.2006  JS/[EMAIL PROTECTED]
Panda               9.0.0.4         01.25.2006  no virus found
Sophos              4.01.0          01.25.2006  no virus found
Symantec            8.0             01.26.2006  W32.Feebs
TheHacker           5.9.3.081       01.26.2006  no virus found
UNA                 1.83            01.25.2006  no virus found
VBA32               3.10.5          01.25.2006  no virus found

F-prot, McAfee, ClamAV are not catching it.

meanwhile I am banning it via the body of the email. Catching "Protected Mail System"
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
As a work around until and if Declude adds the requested feature, you could write a script to search the files on a timed basis for a phrase (virus name) and have it delete them.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Wednesday, January 25, 2006 3:27 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
>
> > But if we are cycling the held viruses on a x day basis, (my cycle is 5 days,) why would that be needed?
>
> 5 days x 2 viruses x 2 (d & q-file) = 200k files
> Around 99% of these files contain the same 5 types of malware that are stored, moved and defragmented unnecessarily.
>
> I asked only because as I understand it should be very easy and unproblematic to add such a feature.
>
> Markus
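A timed script of the kind John T describes, written here as an added example (not from the thread and not Declude's code): it reads the head of each file in the held-virus folder, matches the names Markus wants purged as whole words so "Netsky" also hits "W32/Netsky.P@mm" but not "Netskyish", and removes both halves of a D/Q pair when either half matches. The D<id>.SMD / Q<id>.SMD naming, the folder path and the sample file contents are assumptions; it only reports until run with dry_run=False.

```python
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Virus names to purge, per Markus's DELETEVIRUSNAME request. Anything a
# scanner tags only as "suspicious" or "generic" is deliberately not listed.
PURGE_NAMES = ("Netsky", "Bagle")

# Assumption: the held folder holds IMail-style pairs D<id>.SMD / Q<id>.SMD.
HELD_FOLDER = r"C:\IMail\spool\virus"  # placeholder path, adjust to your install


def matches_virus_name(text: str, names: Iterable[str] = PURGE_NAMES) -> Optional[str]:
    """Return the first listed name found as a whole word, or None."""
    for name in names:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(name) + r"(?![A-Za-z0-9])"
        if re.search(pattern, text, re.IGNORECASE):
            return name
    return None


def pair_key(path: str) -> str:
    """D0001.SMD and Q0001.SMD belong together; both are keyed as '0001'."""
    stem = os.path.splitext(os.path.basename(path))[0]
    return stem[1:].upper() if stem[:1].upper() in ("D", "Q") else stem.upper()


def plan_purge(contents_by_path: Dict[str, str],
               names: Iterable[str] = PURGE_NAMES) -> List[Tuple[str, str]]:
    """Decide which files go: a hit in either half of a pair removes both halves."""
    hits: Dict[str, str] = {}
    for path, text in contents_by_path.items():
        found = matches_virus_name(text, names)
        if found:
            hits[pair_key(path)] = found
    return [(path, hits[pair_key(path)])
            for path in sorted(contents_by_path) if pair_key(path) in hits]


def scan_folder(folder: str, names: Iterable[str] = PURGE_NAMES,
                head_bytes: int = 64 * 1024) -> List[Tuple[str, str]]:
    """Read only the head of each file; the scanner's verdict sits near the top."""
    contents: Dict[str, str] = {}
    for entry in os.scandir(folder):
        if entry.is_file():
            with open(entry.path, "r", encoding="latin-1", errors="replace") as fh:
                contents[entry.path] = fh.read(head_bytes)
    return plan_purge(contents, names)


def purge(plan: List[Tuple[str, str]], dry_run: bool = True) -> List[str]:
    """Delete the planned files; with dry_run=True only report what would go."""
    log = []
    for path, name in plan:
        if not dry_run:
            os.remove(path)
        log.append(f"{'would delete' if dry_run else 'deleted'} {path} [{name}]")
    return log


# Constructed sample: three held pairs, two of which carry a listed virus name.
SAMPLE_HELD = {
    "/held/D0001.SMD": "Subject: hello\n\n(message body, nothing to see)",
    "/held/Q0001.SMD": "virus found: W32/Netsky.P@mm by F-Prot\n",
    "/held/D0002.SMD": "Subject: price list\n\n",
    "/held/Q0002.SMD": "virus found: Bagle.DL by ClamAV\n",
    "/held/D0003.SMD": "Subject: invoice\n\n",
    "/held/Q0003.SMD": "virus found: suspicious (generic)\n",
}

if __name__ == "__main__":
    # Review the dry-run listing before scheduling a run with dry_run=False.
    for line in purge(plan_purge(SAMPLE_HELD)):
        print(line)
    if os.path.isdir(HELD_FOLDER):
        for line in purge(scan_folder(HELD_FOLDER), dry_run=True):
            print(line)
```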
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
But if we are cycling the held viruses on a x day basis, (my cycle is 5 days,) why would that be needed?

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Wednesday, January 25, 2006 2:37 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME
>
> Maybe someone has already requested it:
>
> Why not allow commands like
>
> DELETEVIRUSNAME Netsky
> DELETEVIRUSNAME Bagle
> ...
>
> in the virus.cfg file?
>
> I won't and can't delete all viruses on our server because there is always the possibility that a scanner is catching something as "suspicious" or "generic"
>
> But commands to delete certain virusnames should be very easy to implement and allow us to eliminate > 95% of all held viruses on our servers.
>
> Markus
RE: [Declude.Virus] Another day, another Bagle
Just got this from Sophos:

http://www.sophos.com/virusinfo/analyses/trojbagledlbj.html

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Colbeck, Andrew
> Sent: Wednesday, January 25, 2006 10:14 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Another day, another Bagle
>
> F-Secure reports in their blog that another round of Bagle is starting up. No details yet.
>
> Andrew 8)
RE: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?
Well, neither the HELO nor the IP received from looks to be anything from AOL. I would say it is a virus.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Thursday, January 19, 2006 11:51 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?

Hello,

I got a mail.zip from "AOL Encrypted Messaging Service", including a .hta file with encrypted content. Doesn't look good to me :)

Has anyone else seen this mail? Does anyone know DadaMail?

---
Received: from thbafiqcm.com [217.198.112.101] by siller.de with ESMTP (SMTPD-8.22) id A9DB33088; Thu, 19 Jan 2006 19:26:35 +0100
Date: Thu, 19 Jan 2006 19:28:38 +0100
From: [EMAIL PROTECTED]
X-Mailer: DadaMail 2.1
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Suspect Mail]Encrypted Message Service
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABCD6E90"
X-Antivirus: avast! (VPS 0603-3, 18.01.2006), Outbound message
X-Antivirus-Status: Clean
X-OriginalArrivalTime: 19 Jan 2006 18:36:26.0852 (UTC) FILETIME=[419F3240:01C61D27]

--ABCD6E90
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--ABCD6E90
Content-Type: application/x-zip-compressed; name="mail.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="mail.zip"

--ABCD6E90--
---

Alex
RE: [Declude.Virus] Sober.X Variant
Are you using the correct switches for F-Prot?

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of JT
> Sent: Thursday, January 05, 2006 12:49 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Sober.X Variant
>
> Andrew,
>
> I suspected that but we'll see my results. I did what John suggested and I also have ClamAV and F-Prot running simultaneously. Doing this has seemed to cut down the Sober.Xs completely but now I have a customer complaining that trojan.lodear and sober.l variant is getting through, I haven't investigated yet but I'll keep you posted.
>
> JT
>
> On Thu, 2006-01-05 at 11:31 -0800, Colbeck, Andrew wrote:
> > I just saw two today. This may not be what you're seeing, JT, but here goes:
> >
> > What I saw were two broken Sober.X messages that were bounced with the original message (the viral message) truncated. F-Prot didn't trigger on the broken attachment and the bounce didn't trigger my custom filters to weed out junk bounces.
> >
> > The messages made it into my internal mail system, where they were caught by Trend Micro ScanMail for Exchange. When I looked up the details on the virus that was named, the alias matched the Symantec name for the virus.
> >
> > Given that it was broken, I regard this as a spam issue, and not a case of F-Prot failing to detect the damaged Sober virus. If I can get the original, I'll submit to F-Prot anyway in the hope that they will come with a signature.
> >
> > Andrew 8)
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JT
> > > Sent: Thursday, January 05, 2006 10:39 AM
> > > To: Declude.Virus@declude.com
> > > Subject: RE: [Declude.Virus] Sober.X Variant
> > >
> > > John,
> > >
> > > Thanks for the help!
> > >
> > > Regards,
> > > JT
> > >
> > > On Thu, 2006-01-05 at 09:31 -0800, John T (Lists) wrote:
> > > > Into the Virus.cfg file:
> > > >
> > > > BANEZIPEXTS ON
> > > > BANZIPEXTS ON
> > > >
> > > > John T
> > > > eServices For You
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > > On Behalf Of JT
> > > > > Sent: Thursday, January 05, 2006 9:20 AM
> > > > > To: Declude.Virus@declude.com
> > > > > Subject: RE: [Declude.Virus] Sober.X Variant
> > > > >
> > > > > John,
> > > > >
> > > > > What do I need to do to block banned extensions within zip files
> > > > >
> > > > > Thanks,
> > > > > JT
> > > > >
> > > > > On Thu, 2006-01-05 at 09:14 -0800, John T (Lists) wrote:
> > > > > > That means you are not blocking banned extensions within zip files?
> > > > > >
> > > > > > John T
> > > > > > eServices For You
> > > > > >
> > > > > > > -Original Message-
> > > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > > > > On Behalf Of JT
> > > > > > > Sent: Thursday, January 05, 2006 8:45 AM
> > > > > > > To: Declude.Virus@declude.com
> > > > > > > Subject: RE: [Declude.Virus] Sober.X Variant
> > > > > > >
> > > > > > > What I am experiencing is that the server lets the virus go through the system. It scans and result is clean, the end user gets the email and their Symantec Enterprise snags it and tags it as [EMAIL PROTECTED]
> > > > > > >
> > > > > > > On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:
> > > > > > > > Is this what you are seeing?
> > > > > > > >
> > > > > > > > http://www.sophos.com/virusinfo/analyses/w32feebsa.html
> > > > > > > >
> > > > > > > > John T
> > > > > > > >
RE: [Declude.Virus] Sober.X Variant
Into the Virus.cfg file:

BANEZIPEXTS ON
BANZIPEXTS ON

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of JT
> Sent: Thursday, January 05, 2006 9:20 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Sober.X Variant
>
> John,
>
> What do I need to do to block banned extensions within zip files
>
> Thanks,
> JT
>
> On Thu, 2006-01-05 at 09:14 -0800, John T (Lists) wrote:
> > That means you are not blocking banned extensions within zip files?
> >
> > John T
> > eServices For You
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of JT
> > > Sent: Thursday, January 05, 2006 8:45 AM
> > > To: Declude.Virus@declude.com
> > > Subject: RE: [Declude.Virus] Sober.X Variant
> > >
> > > What I am experiencing is that the server lets the virus go through the system. It scans and result is clean, the end user gets the email and their Symantec Enterprise snags it and tags it as [EMAIL PROTECTED]
> > >
> > > On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:
> > > > Is this what you are seeing?
> > > >
> > > > http://www.sophos.com/virusinfo/analyses/w32feebsa.html
> > > >
> > > > John T
> > > > eServices For You
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > > On Behalf Of JT
> > > > > Sent: Thursday, January 05, 2006 6:44 AM
> > > > > To: declude.virus@declude.com
> > > > > Subject: [Declude.Virus] Sober.X Variant
> > > > >
> > > > > Has anyone seen an influx of this virus come through? I've upgraded to the latest F-Prot and it seems like it is still sneaking through. Although the Z variant is being stopped by F-prot. Any light that could be shed on this would be greatly appreciated.
> > > > >
> > > > > Also I've tried setting up ClamAV for Windows on our imail server as a scanner. I've got it to scan but it randomly generated an exit code of 50. Does anyone know what exit code 50 from ClamAV means?
> > > > >
> > > > > Thanks,
> > > > > JT
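What BANZIPEXTS and BANEZIPEXTS have to do for the data.zip-with-an-.hta case Luis reported and for the Sober.X zips in this thread, shown as an added example that is not Declude's code: it walks a zip's member names, recurses into nested zips with a depth and size cap, flags banned extensions, and reports encrypted members by name, because zip encryption hides member contents but leaves the file names readable in the central directory. The banned-extension list and the sample archive are constructed.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Constructed ban list in the spirit of the thread (PIF, HTA, EXE ...);
# Declude's own list lives in virus.cfg and is not reproduced here.
BANNED_EXTS = {"exe", "pif", "scr", "hta", "bat", "cmd", "com", "vbs"}
MAX_DEPTH = 3                       # stop recursing into zip-in-zip-in-zip
MAX_NESTED_BYTES = 5 * 1024 * 1024  # never inflate an oversized inner archive


def ext_of(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def classify_member(name: str, flag_bits: int) -> Optional[str]:
    """Verdict for one member from its name and header flags, or None if fine.

    Bit 0 of the general-purpose flags marks an encrypted member. The name is
    still in the clear, so a banned extension can be reported even though the
    content cannot be inspected; that is what a ban on e-zip members rests on.
    """
    ext = ext_of(name)
    encrypted = bool(flag_bits & 0x1)
    if encrypted and ext in BANNED_EXTS:
        return f"encrypted+banned:{ext}"
    if encrypted:
        return "encrypted"
    if ext in BANNED_EXTS:
        return f"banned:{ext}"
    return None


def scan_zip_bytes(data: bytes, depth: int = 0, prefix: str = "") -> List[Tuple[str, str]]:
    """Return (member path, reason) for every member that should block the mail."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<root>", "not-a-zip")]
    findings: List[Tuple[str, str]] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            verdict = classify_member(info.filename, info.flag_bits)
            if verdict:
                findings.append((path, verdict))
            elif ext_of(info.filename) == "zip":
                # Nested archive: look inside, but only within sane limits.
                if depth + 1 >= MAX_DEPTH:
                    findings.append((path, "nested-too-deep"))
                elif info.file_size > MAX_NESTED_BYTES:
                    findings.append((path, "nested-too-large"))
                else:
                    findings.extend(scan_zip_bytes(zf.read(info), depth + 1, path + "/"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed data.zip: an .hta at top level plus a nested zip holding a .pif."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.pif", b"MZ placeholder, not a real program")
        z.writestr("readme.txt", b"plain text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("message.hta", b"<html><!-- placeholder --></html>")
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("photo.jpg", b"\xff\xd8\xff")
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip_bytes(build_sample_zip()):
        print(f"{reason:<14} {path}")
```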
RE: [Declude.Virus] Sober.X Variant
That means you are not blocking banned extensions within zip files?

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of JT
> Sent: Thursday, January 05, 2006 8:45 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Sober.X Variant
>
> What I am experiencing is that the server lets the virus go through the system. It scans and result is clean, the end user gets the email and their Symantec Enterprise snags it and tags it as [EMAIL PROTECTED]
>
> On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:
> > Is this what you are seeing?
> >
> > http://www.sophos.com/virusinfo/analyses/w32feebsa.html
> >
> > John T
> > eServices For You
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of JT
> > > Sent: Thursday, January 05, 2006 6:44 AM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] Sober.X Variant
> > >
> > > Has anyone seen an influx of this virus come through? I've upgraded to the latest F-Prot and it seems like it is still sneaking through. Although the Z variant is being stopped by F-prot. Any light that could be shed on this would be greatly appreciated.
> > >
> > > Also I've tried setting up ClamAV for Windows on our imail server as a scanner. I've got it to scan but it randomly generated an exit code of 50. Does anyone know what exit code 50 from ClamAV means?
> > >
> > > Thanks,
> > > JT
RE: [Declude.Virus] Sober.X Variant
Is this what you are seeing?

http://www.sophos.com/virusinfo/analyses/w32feebsa.html

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of JT
> Sent: Thursday, January 05, 2006 6:44 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Sober.X Variant
>
> Has anyone seen an influx of this virus come through? I've upgraded to
> the latest F-Prot and it seems like it is still sneaking through. Although
> the Z variant is being stopped by F-prot. Any light that could be shed
> on this would be greatly appreciated.
>
> Also I've tried setting up ClamAV for Windows on our imail server as a
> scanner. I've got it to scan but it randomly generated an exit code of
> 50. Does anyone know what exit code 50 from ClamAV means?
>
> Thanks,
> JT
RE: [Declude.Virus] Declude with IMail 2006
What is sad is that the fix is very simple, as I have pointed out to Declude exactly what the problem is. When the confirmation is received, Declude Confirm is looking at the wrong location for the D or Q file. One of the files gets properly renamed and moved, but the other does not.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Grant Griffith
> Sent: Thursday, December 22, 2005 9:38 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Declude with IMail 2006
>
> That has been an issue with confirmation for some time. I have been told
> multiple times that it would be fixed after Imail 2006 is released, but have
> never heard any more. I am guessing they are just forgetting about it as it
> is a free product. I hope it gets fixed soon though...
>
> Thanks,
> Grant Griffith
> EI8HTLEGS, A Division of ETC
> (812)932-1000
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Donn Bly
> Sent: Thursday, December 22, 2005 10:22 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Declude with IMail 2006
>
> Just in case anybody is interested, we upgraded to Imail 2006 last week, and
> we aren't having any problems using declude v3.0.5.22 with it EXCEPT that
> the confirm function for listserves doesn't seem to work right. Declude
> intercepts the subscription and sends out the notification for the double
> opt-in, but doesn't seem to see replies when they come back.
>
> Oh, and just in case you were thinking of upgrading to 2006 -- don't.
> Ipswitch released a patch for it today which they claim addresses some of
> the problems we're having, but our big webmail users have been screaming
> bloody murder ever since we upgraded. I'll be putting in the upgrade on
> Monday and we'll see how much it fixes...
[Declude.Virus] Another round of Bagle?
Looks like another round of Bagle is starting?

John T
eServices For You
[Declude.Virus] Virus Feebsa
Great news, not. Anyone know if F-Prot or AVG or BitDefender is catching this yet?

http://www.sophos.com/virusinfo/analyses/w32feebsa.html

John T
eServices For You
RE: [Declude.Virus] Where to send exe's to check if they are a virus?
Uh, keyboard virus? ;)

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Thursday, December 15, 2005 7:53 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?
>
> I tried www.totalvirus.com and it is an ad site.
>
> Thank you
>
> Goran Jovanovic
> Omega Network Solutions
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> > [EMAIL PROTECTED] On Behalf Of Markus Gufler
> > Sent: Thursday, December 15, 2005 10:45 AM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Where to send exe's to check if they are a
> > virus?
> >
> > www.virustotal.com (see my previous posting for results)
> >
> > At the moment I consider blocking, at least temporarily, exe in zips and
> > updating the virus definitions
> >
> > Markus
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> > > Sent: Thursday, December 15, 2005 4:26 PM
> > > To: Declude.Virus@declude.com
> > > Subject: [Declude.Virus] Where to send exe's to check if they
> > > are a virus?
> > >
> > > Hi,
> > >
> > > I am getting a bunch of exe in zip files being banned right
> > > now. I have grabbed one of them; it is called marie.zip and
> > > has a single exe in it called s3700020.exe and when you put
> > > it on your desktop it has the standard jpeg icon associated with it.
> > >
> > > My F-Prot, McAfee and Symantec scanners are not finding a
> > > virus. Where is the place that you can send it to and have it
> > > checked out by a ton of virus scanners?
> > >
> > > Thanx
> > >
> > > Goran Jovanovic
> > > Omega Network Solutions
RE: [Declude.Virus] Where to send exe's to check if they are a virus?
www.virustotal.com

This is a very small e-mail, the D file being only 11 kb. Some of the small AV companies are reporting it as a Bagle variant and F-Prot is reporting it as MitGlieder.GU although it is not catching it on the server.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Thursday, December 15, 2005 7:26 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Where to send exe's to check if they are a virus?
>
> Hi,
>
> I am getting a bunch of exe in zip files being banned right now. I have
> grabbed one of them; it is called marie.zip and has a single exe in it
> called s3700020.exe and when you put it on your desktop it has the
> standard jpeg icon associated with it.
>
> My F-Prot, McAfee and Symantec scanners are not finding a virus. Where
> is the place that you can send it to and have it checked out by a ton of
> virus scanners?
>
> Thanx
>
> Goran Jovanovic
> Omega Network Solutions
RE: [Declude.Virus] Stranger...
I do not think this is either an Imail or Declude issue, rather a server security issue, or rather a compromise of server security. Sounds like you have some type of virus or Trojan on that server.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Thursday, December 08, 2005 9:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger...

Does anybody have the answer to this problem? After 1.5 years, this problem still remains, and IPSWITCH never gave me a clear answer about it.

- Original Message -
From: serge
To: Declude.Virus@declude.com
Sent: Tuesday, June 08, 2004 7:46 AM
Subject: Re: [Declude.Virus] Stranger...

I know imail1 is a command line mailer, but how do I find what is causing the imail1 window to be open and filled with all these addresses? See attached gif.

- Original Message -
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 10:21 PM
Subject: Re: [Declude.Virus] Stranger...

Does this shed any light?

http://support.ipswitch.com/kb/IM-19980119-DD10.htm

Darin.

- Original Message -
From: Serge
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 3:55 PM
Subject: [Declude.Virus] Stranger...

Hi all, urgent help needed.

I have an imail1 client window ("create mail message") pop up on my server with all kinds of real and strange addresses in the TO: and CC: fields. The window remains open on the server desktop. Is this a virus? How can I identify the service/virus/application causing this?

TIA
RE: Re[2]: [Declude.Virus] how is Declude 3.x?
FYI, any server hardware that is not being used I disable. Removes items from the equation when trying to solve problems.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of sbsi lists
> Sent: Friday, November 25, 2005 11:25 AM
> To: Chris Ulrich
> Subject: Re[2]: [Declude.Virus] how is Declude 3.x?
>
> Thank you Chris.
>
> I just disabled it and will watch it. It's been up now 4 hrs so if it
> follows any pattern, it should fail around now.
>
> I upgraded the drivers already as they were 2 yrs old so maybe that
> helps too.
>
> much appreciated. -jason
>
> - - - - - - - - - - - - - - - - - -
>
> Friday, November 25, 2005, 1:15:47 PM, you wrote:
>
> CU> It *shouldn't* be a problem, but having the 2nd NIC in the machine (we also
> CU> use Poweredge) and not having it plugged in can have an effect on things at
> CU> times.
>
> CU> It isn't enough to leave it unplugged - go into Control Panel - Network,
> CU> select the second port, right click and DISABLE it.
>
> CU> This actually addressed a few occasional funky network "lockups"
>
> CU> - Chris
>
> CU> At 09:26 AM 11/25/2005, you wrote:
>
> >>I just moved colos and servers.
> >>
> >>On the new(er) box, I installed Imail 8.21, Sniffer, Declude 3.0.5.20
> >>Pro-Virus/JM.
> >>
> >>Box is Dell Poweredge 1750, Dual Proc Xeon 2.4 Ghz, 3x73Gb Raid5,
> >>Nics onboard (Broadcom Gigs, dual)
> >>
> >>So far, I like the newer Declude - we were using 1.82 on Imail 8.05.
> >>It was nice to get a clean start ...
> >>
> >>HOWEVER, I am having problems after moving the server into production and
> >>into live performance. The box seems to lose connectivity and I have
> >>to hard reboot it to get the network to come back up.
> >>
> >>There are no messages in the EVENT VIEWER - nada.
> >>
> >>I know IMAIL had issues a long time ago with certain NICS - does
> >>anyone know the status of that?
> >>
> >>I am thinking it has to be the NIC I am using - the onboard Broadcom.
> >>So, I updated the drivers to it and am thinking that might help.
> >>
> >>If not, I'll try the 2nd onboard and hope it will help.
> >>
> >>Next thing to try is IF I can get a nic in the box, I'll try that but
> >>unsure if I have room.
> >>
> >>Last will be putting a new box in there and doing all this over again.
> >>
> >>I don't think my Declude is causing it... anyone have thoughts on
> >>this.
> >>
> >>Thanks. -jason
> >>
> >>- - - - - - - - - - - - - - - - - -
> >>
> >>Thursday, November 24, 2005, 12:24:22 PM, you wrote:
> >>
> >>IA> I just realized I hadn't seen any new versions of Declude in a while, and I
> >>IA> wonder if that means it's finally stable. We wanted to upgrade to 3.x, but
> >>IA> it seems like there were so many errors being reported here, and new
> >>IA> iterations being released every few days. We prefer to wait until the smoke
> >>IA> clears. So what do people think now? Is 3.x fully reliable now?
> >>
> >>IA> Thanks, and Happy Thanksgiving,
RE: [Declude.Virus] Another Sober out. (=> idea)
Well, I would say it is more like a restaurant but you can not get blow fish, alcohol, cigarettes, 10 Lbs of greasy French fries, etc.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Friday, November 25, 2005 12:46 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Another Sober out. (=> idea)
>
> > I am scanning for viruses first. I block executables within
> > zips.
>
> Yes I know you can do this.
> But on my systems banning exe in zips is like having a restaurant where
> people can eat but drinking is not allowed.
>
> Markus
RE: [Declude.Virus] Another Sober out. (=> idea)
Interesting thought. However, on my system, that would not work. I am scanning for viruses first. I block executables within zips. So my point of adding the BANNAME is so that the banned file notice that goes out (until the AV scanners update their defs) does not just have the generic banned file (ZIP-EXE).

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Friday, November 25, 2005 12:21 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Another Sober out. (=> idea)
>
> Thank you John but,
>
> > BANNAME mailtext.zip
>
> ...is this really the only name used by this variant?
> I'm feeling a little bit bad, while adding and adding BANNAMEs to the
> virus.cfg file.
>
> First, as said yesterday, I feel there are many many BANNAME entries that are
> no longer accurate or spreading in the wild and so are unnecessary load in my
> and our config files.
> Second it's always the "two steps behind" if we have to adapt our config
> files manually after someone else has discovered a new variant.
>
> Wouldn't it be possible to write a junkmail external test, or maybe also an
> "AV-Engine" that does nothing else than look at a central database for
> filenames that are suspicious.
>
> I'm not 100% familiar with the ip4r/rbl technique but why not set up a
> DNS-server containing TLD-zones like .zip .exe .com
> Then some of us can act as operators and add additional zones like
> "mailtext"
>
> Looking at the case two days ago that I reported with the new bagle variant
> it would also be possible to add something like
>
> 1.exe.ester.zip
> 12.exe.ester.zip
> 1.exe.emanuel.zip
> ...
>
> Or maybe also with wildcards like
>
> *.exe.mailtext.zip
>
> By having bitmasked result codes it would maybe also be possible to have entries
> like
>
> *.exe*.zip
>
> with a "suspicious" result code and other more concrete definitions with an
> "accurate" result code.
>
> so admins can use it as they want.
> Our administrative work should decrease while new banname definitions will
> be available as soon as the first of the operators detects and adds it to
> the database.
>
> + as having one (or more replicated) central points we should be able to
> notice a relatively high increase of requests for exe in zips and so know that
> something seems to be going on.
>
> What do you think? My opinion is that last week av-companies showed that
> they are not able to provide accurate detection-quality.
>
> Markus
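A sketch of the central filename database Markus proposes above, written as an added example (it is not Declude's code and not Markus's). The zone name filenames.example, the SUSPICIOUS/ACCURATE bit values, glob-style wildcard matching and the per-pattern hit counter are all assumptions chosen to show how the pieces (query name built innermost-file-first, bitmasked answers, a central point that can see request spikes) fit together.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Assumed bitmask result codes, in the spirit of ip4r/RBL return values.
# A real zone would answer with A records such as 127.0.0.x; here the
# "zone" is an in-memory dict keyed by pattern.
SUSPICIOUS = 0x01   # broad pattern, e.g. any exe inside any zip
ACCURATE = 0x02     # a name a known variant is actually using


def query_name(member, container, zone="filenames.example"):
    """Encode the file inside the zip and the zip itself as a DNS-style
    name, innermost first, as in Markus's '1.exe.ester.zip'."""
    return ".".join(label.lower() for label in (member, container, zone))


class FilenameZone:
    """Operator-maintained pattern list with bitmasked result codes."""

    def __init__(self, zone="filenames.example"):
        self.zone = zone
        self.entries = {}         # full pattern -> OR of codes
        self.queries = Counter()  # hits per pattern, for trend spotting

    def _key(self, pattern):
        return pattern.lower() + "." + self.zone

    def add(self, pattern, code):
        """Operators add '1.exe.ester.zip' or '*.exe*.zip' style entries."""
        key = self._key(pattern)
        self.entries[key] = self.entries.get(key, 0) | code

    def lookup(self, member, container):
        """OR together the codes of every matching entry (0 = not listed).

        Glob matching is an assumption: a real DNS wildcard only stands
        for whole leading labels, so '*.exe*.zip' would need resolver-side
        logic rather than a plain wildcard record."""
        qname = query_name(member, container, self.zone)
        result = 0
        for pattern, code in self.entries.items():
            if fnmatchcase(qname, pattern):
                result |= code
                self.queries[pattern] += 1
        return result

    def spike(self, pattern, baseline):
        """True once a pattern has been hit more than 'baseline' times:
        the 'relatively high increase of requests' Markus wants noticed."""
        return self.queries[self._key(pattern)] > baseline


def verdict(code):
    """How an admin might act on the bitmask; thresholds are their choice."""
    if code & ACCURATE:
        return "ban"
    if code & SUSPICIOUS:
        return "quarantine or weight as junkmail"
    return "pass"


if __name__ == "__main__":
    zone = FilenameZone()
    zone.add("*.exe*.zip", SUSPICIOUS)          # every exe-in-zip
    zone.add("*.exe.mailtext.zip", ACCURATE)    # the Sober name from the thread
    zone.add("1.exe.ester.zip", ACCURATE)       # the Bagle names Markus cites
    for member, container in [("1.exe", "ester.zip"), ("12.exe", "ester.zip"),
                              ("report.doc", "ester.zip")]:
        code = zone.lookup(member, container)
        print(query_name(member, container), hex(code), verdict(code))
```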
[Declude.Virus] Another Sober out.
BANNAME mailtext.zip

The ones I saw were bounces, but they may be made to look like bounces. Only Norman and Avast found it on VirusTotal as a Sober variant, and NOD32 suspects it is a variant.

John T
eServices For You
RE: [Declude.Virus] how is Declude 3.x?
P4 2 Ghz
1 GB memory
2 ATA 133 drives mirrored
3 SCSI 10K drives configured with 3 mirrored partitions
Windows 2000 Server fully patched
Imail 8.20 HF2
Declude 3.0.5.20
Declude JM Pro
Declude Virus Pro
Declude Hijack
F-Prot 32 bit
AVG
Kiwi Syslog
Volume of approx 5K messages per day
Sniffer
SortMonster
AutoWhite for Declude
INV-URIBL
Approx 35 filter tests
27 IP4R tests
12 RHSBL
17 Declude JM tests (REVDNS, HELO, PERCENT, ROUTING, SUBJECTCHARACHTERS, SUBJECTSPACES, etc.)

No known issues with Declude 3.0.5.20

John T
eServices For You
RE: [Declude.Virus] blocking exe in zips
That would be nice. I wonder if it shows up in Debug mode.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of John Carter
> Sent: Thursday, November 24, 2005 8:34 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] blocking exe in zips
>
> Maybe Declude could add a syntax checker (at least for their directives and keywords)
> in the diagnostics (decludeproc -v). You get version info, tests run, and notes of
> possible syntax problems.??
>
> John C
>
> -- Original Message --
> From: "Bonno Bloksma" <[EMAIL PROTECTED]>
> Reply-To: Declude.Virus@declude.com
> Date: Thu, 24 Nov 2005 17:01:55 +0100
>
> >Hi John,
> >
> >>> BANZIPEXT on
> >>> #BANEZIPEXT on
> >>
> >> Try "BANZIPEXTS ON" noting the s in there.
> >
> >Oops, thanks.
> >
> >Is there any syntax warning for stuff like this in Declude, in the logfiles
> >or using the Diag parameter? I could not find anything in my Declude vir
> >logfiles.
> >
> >Groetjes,
> >
> >Bonno Bloksma
RE: [Declude.Virus] Blocking PIF Files
To add to Darin's list, I also block PPS files.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darin Cox
> Sent: Wednesday, November 23, 2005 7:00 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Blocking PIF Files
>
> Here's a list compiled over the years of extensions we ban. The top two you
> will want to consider your userbase before banning, the rest should be fine.
> Note that we couple this with a banned file notification to the intended
> recipient, which includes a link to requeue the file for delivery if it is
> legitimate.
>
> BANEXT EZIP
> BANEXT rar
>
> BANEXT bas
> BANEXT bat
> BANEXT ceo
> BANEXT chm
> BANEXT cmd
> BANEXT com
> BANEXT cpl
> BANEXT exe
> BANEXT hta
> BANEXT inf
> BANEXT ins
> BANEXT isp
> BANEXT js
> BANEXT jse
> BANEXT lnk
> BANEXT msi
> BANEXT msp
> BANEXT mst
> BANEXT pcd
> BANEXT pif
> BANEXT reg
> BANEXT scr
> BANEXT sct
> BANEXT shb
> BANEXT shs
> BANEXT vb
> BANEXT vbe
> BANEXT vbs
>
> BANEXT ws
> BANEXT wsc
> BANEXT wsf
> BANEXT wsh
>
> Darin.
>
> - Original Message -
> From: "Dan Geiser" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, November 23, 2005 9:26 AM
> Subject: [Declude.Virus] Blocking PIF Files
>
> Hello, All,
> I don't know whether this would be more appropriate for the virus list or
> the junkmail list so please point me towards junkmail if appropriate.
>
> What is the proper technique for blocking messages that have an attachment
> that ends in a "pif" extension like "your_letter.pif"?
>
> We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.
>
> Thanks In Advance!
> Dan Geiser
> [EMAIL PROTECTED]
RE: [Declude.Virus] blocking exe in zips
> #
> # BANZIPEXT will block files based on EXT within ZIP files. EXT as declared with BANEXT
> # BANEZIPEXT will do the same for encrypted ZIPs.
> #
> # BB 1-11-05
> # Added BANxZIPEXT directives, BANEZIPEXT not necessary as we block ALL EZIP files.
> BANZIPEXT on
> #BANEZIPEXT on

Try "BANZIPEXTS ON" noting the s in there.

John T
eServices For You
RE: [Declude.Virus] Blocking PIF Files
Well, those are files which of themselves are not executable, rather they are files which require something else be done to use them. I am not sure of the value of blocking those.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Wednesday, November 23, 2005 7:15 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Blocking PIF Files
>
> I also ban some more
>
> BANEXT bin
> BANEXT class
> BANEXT dll
> BANEXT jsc
> BANEXT ocx
> BANEXT sys
> BANEXT vxd
>
> Goran Jovanovic
> Omega Network Solutions
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> > [EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Wednesday, November 23, 2005 10:00 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Blocking PIF Files
> >
> > Here's a list compiled over the years of extensions we ban. The top two
> > you will want to consider your userbase before banning, the rest should be
> > fine.
> > Note that we couple this with a banned file notification to the intended
> > recipient, which includes a link to requeue the file for delivery if it is
> > legitimate.
> >
> > BANEXT EZIP
> > BANEXT rar
> >
> > BANEXT bas
> > BANEXT bat
> > BANEXT ceo
> > BANEXT chm
> > BANEXT cmd
> > BANEXT com
> > BANEXT cpl
> > BANEXT exe
> > BANEXT hta
> > BANEXT inf
> > BANEXT ins
> > BANEXT isp
> > BANEXT js
> > BANEXT jse
> > BANEXT lnk
> > BANEXT msi
> > BANEXT msp
> > BANEXT mst
> > BANEXT pcd
> > BANEXT pif
> > BANEXT reg
> > BANEXT scr
> > BANEXT sct
> > BANEXT shb
> > BANEXT shs
> > BANEXT vb
> > BANEXT vbe
> > BANEXT vbs
> >
> > BANEXT ws
> > BANEXT wsc
> > BANEXT wsf
> > BANEXT wsh
> >
> > Darin.
> >
> > - Original Message -
> > From: "Dan Geiser" <[EMAIL PROTECTED]>
> > To:
> > Sent: Wednesday, November 23, 2005 9:26 AM
> > Subject: [Declude.Virus] Blocking PIF Files
> >
> > Hello, All,
> > I don't know whether this would be more appropriate for the virus list or
> > the junkmail list so please point me towards junkmail if appropriate.
> >
> > What is the proper technique for blocking messages that have an attachment
> > that ends in a "pif" extension like "your_letter.pif"?
> >
> > We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.
> >
> > Thanks In Advance!
> > Dan Geiser
> > [EMAIL PROTECTED]
RE: [Declude.Virus] New Virus Strain Pounding my systems
Looks like F-Prot is now catching it as SoberZ

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 12:12 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
> It is coming in with a lot of different zip file names and body names now, I
> blocked all zip files and submitted samples
>
> I am really getting hit hard
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
>
> - Original Message -
> From: "Matt" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, November 21, 2005 2:51 PM
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
> > McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still
> > missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > McAfee seems to have had this one tagged prior to the outbreak starting
> > since none have slipped through yet.
> >
> > Matt
> >
> > Rick Davidson wrote:
> >
> >> heads up folks, I am stopping a new zip virus with the following junkmail
> >> rules, this is all I have seen so far. Contains an executable payload
> >> called File-packed_dataInfo.exe
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> 440-639-0607 - Office
> >> 951-233-6342 - Mobile
> >> [EMAIL PROTECTED]
RE: [Declude.Virus] New Virus Strain Pounding my systems
If you have the Pro version you should always be blocking using "BANZIPEXTS ON" and "BANEZIPEXTS ON".

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 12:12 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
> It is coming in with a lot of different zip file names and body names now, I
> blocked all zip files and submitted samples
>
> I am really getting hit hard
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
>
> - Original Message -
> From: "Matt" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, November 21, 2005 2:51 PM
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
> > McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still
> > missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > McAfee seems to have had this one tagged prior to the outbreak starting
> > since none have slipped through yet.
> >
> > Matt
> >
> > Rick Davidson wrote:
> >
> >> heads up folks, I am stopping a new zip virus with the following junkmail
> >> rules, this is all I have seen so far. Contains an executable payload
> >> called File-packed_dataInfo.exe
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> 440-639-0607 - Office
> >> 951-233-6342 - Mobile
> >> [EMAIL PROTECTED]
RE: [Declude.Virus] New Virus Strain Pounding my systems
I have been seeing a bunch of blocked zip-exe but I have been on the phone with clients for the last hour and have not had a chance to review it.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 11:34 AM
> To: Declude.virus@declude.com
> Subject: [Declude.Virus] New Virus Strain Pounding my systems
>
> heads up folks, I am stopping a new zip virus with the following junkmail
> rules, this is all I have seen so far. Contains an executable payload called
> File-packed_dataInfo.exe
>
> BODY 0 CONTAINS mailtext.zip
> BODY 0 CONTAINS downloadm.zip
> BODY 0 CONTAINS "mail.zip"
> BODY 0 CONTAINS reg_pass-data.zip
> BODY 0 CONTAINS Account and Password Information are attached!
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
> -
RE: [Declude.Virus] New Sober to be released, possible variation?
Yes. I also like to add known file names so that when the user receives a message about a banned file, if they see the file name they are less likely to send me a message saying that the banned file could be OK as it looks like it is from someone they know.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Mark Reimer
> Sent: Tuesday, November 15, 2005 12:49 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
>
> If we are banning extensions within zip files we should be ok right?
>
> Mark Reimer
> IT Project Manager
> American CareSource
> 800-370-5994 ext. 267
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John T (Lists)
> Sent: Tuesday, November 15, 2005 2:30 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] New Sober to be released, possible
> variation?
>
>
> And another:
>
> BANNAME packed-password_text.zip
>
> John T
> eServices For You
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 10:16 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> >
> > Another one to block...
> >
> > BANNAME Accept_e-Text.zip
> >
> > The list so far is
> >
> > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > BANNAME Accept_e-Text.zip
> > BANNAME email_photo.zip
> > BANNAME excel_table.zip
> > BANNAME foto.zip
> > BANNAME liste.zip
> > BANNAME reg_text.zip
> > BANNAME registration.zip
> > BANNAME tabelle.zip
> > BANNAME word-text.zip
> >
> > As mentioned before, we keep these in place even after the virus
> > definitions
> > are catching them. That way new variants that use the names are caught
> > before definitions are available.
> >
> > Darin.
> >
> >
> > - Original Message -
> > From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> > To:
> > Sent: Tuesday, November 15, 2005 11:57 AM
> > Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
> >
> >
> > There are very interesting details in Trend Micro's writeup.
> >
> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T
> >
> > i.e. it uses its own SMTP server plus a hardcoded list of accounts and
> > IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
> > Software Removal Tool.
> >
> > It may be worth mentioning that the BANNAME list that Darin provided
> > will be useful for those of us using F-Prot only, as they are still not
> > detecting the variant I've been receiving since this thread started.
> >
> > Andrew 8)
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > Sent: Tuesday, November 15, 2005 6:05 AM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > > Most of the new Sober variants are expected to be low volume, so
> > > I'm not surprised that Netsky.P continues to outstrip them.
> > >
> > > Security vendors are varying as to what they are detecting
> > > with 6 new Sober variants yesterday and today. Best bet is
> > > to ban the files at least until virus definition files have
> > > caught up. We keep the bans in place for the usual overlap
> > > in new variants.
> > >
> > > Darin.
> > >
> > >
> > > - Original Message -
> > > From: "Markus Gufler" <[EMAIL PROTECTED]>
> > > To:
> > > Sent: Tuesday, November 15, 2005 8:44 AM
> > > Subject: RE: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > >
> > > Thank you Darin.
> > >
> > > just curious after watching our virus logfiles today
> > > Can anyone else confirm that there are only a few of
> > > today's new virus and
> > > far more Netsky (mostly the .p variant) showing up in the logfiles?
> > >
> > > Today I've had some reports that certain variants of the new
> > > virus slipped
> > > through while it was definitively catching some
RE: [Declude.Virus] New Sober to be released, possible variation?
And another:

BANNAME packed-password_text.zip

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darin Cox
> Sent: Tuesday, November 15, 2005 10:16 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
>
> Another one to block...
>
> BANNAME Accept_e-Text.zip
>
> The list so far is
>
> # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> BANNAME Accept_e-Text.zip
> BANNAME email_photo.zip
> BANNAME excel_table.zip
> BANNAME foto.zip
> BANNAME liste.zip
> BANNAME reg_text.zip
> BANNAME registration.zip
> BANNAME tabelle.zip
> BANNAME word-text.zip
>
> As mentioned before, we keep these in place even after the virus definitions
> are catching them. That way new variants that use the names are caught
> before definitions are available.
>
> Darin.
>
>
> - Original Message -
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, November 15, 2005 11:57 AM
> Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
>
>
> There are very interesting details in Trend Micro's writeup.
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T
>
> i.e. it uses its own SMTP server plus a hardcoded list of accounts and
> IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
> Software Removal Tool.
>
> It may be worth mentioning that the BANNAME list that Darin provided
> will be useful for those of us using F-Prot only, as they are still not
> detecting the variant I've been receiving since this thread started.
>
> Andrew 8)
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 6:05 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> > Most of the new Sober variants are expected to be low volume, so
> > I'm not surprised that Netsky.P continues to outstrip them.
> >
> > Security vendors are varying as to what they are detecting
> > with 6 new Sober variants yesterday and today. Best bet is
> > to ban the files at least until virus definition files have
> > caught up. We keep the bans in place for the usual overlap
> > in new variants.
> >
> > Darin.
> >
> >
> > - Original Message -
> > From: "Markus Gufler" <[EMAIL PROTECTED]>
> > To:
> > Sent: Tuesday, November 15, 2005 8:44 AM
> > Subject: RE: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> >
> > Thank you Darin.
> >
> > just curious after watching our virus logfiles today
> > Can anyone else confirm that there are only a few of
> > today's new virus and
> > far more Netsky (mostly the .p variant) showing up in the logfiles?
> >
> > Today I've had some reports that certain variants of the new
> > virus slipped
> > through while it was definitively catching some others.
> >
> > Markus
> >
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > Sent: Tuesday, November 15, 2005 2:33 PM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > > I just went through all of the reports. Here's a list of new
> > > filenames to
> > > ban:
> > >
> > > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > > BANNAME email_photo.zip
> > > BANNAME excel_table.zip
> > > BANNAME liste.zip
> > > BANNAME reg_text.zip
> > > BANNAME registration.zip
> > > BANNAME tabelle.zip
> > >
> > >
> > > Darin.
> > >
> > >
> > > - Original Message -
> > > From: "Doug Anderson" <[EMAIL PROTECTED]>
> > > To:
> > > Sent: Tuesday, November 15, 2005 8:24 AM
> > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > >
> > > Looks like varying attachment names. I got one that's excel_table.zip
> > >
> > > - Original Message -
> > > From: "David Dodell" <[EMAIL PROTECTED]>
> > > To: "John T (Lists)&
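The two controls the Sober and "New Virus Strain" threads lean on, banning attachments by exact file name (the BANNAME lists above) and refusing executables inside zip attachments (the ZIP-EXE blocks and "BANZIPEXTS ON"), are easy to prototype outside the mail server so that a new name or a new variant can be tested before it goes into the live configuration. The script below is an added example written for this page; it is not Declude code and it does not read a Declude configuration file. It uses Python's standard `email` and `zipfile` modules, reuses the file names posted in the thread as its ban list, and treats the executable-extension set, the `MAX_NESTING` limit and the helper names (`scan_message`, `check_zip`, `build_sample`, `make_zip`) as assumptions of the example. All messages it scans are constructed inline, not real captures. It also covers two cases the thread does not spell out: zips nested inside zips, and an archive that cannot be opened, which is reported as a hit rather than passed as clean.

```python
"""Attachment-name and zip-content ban check, modelled on the ideas in the
thread (Declude's BANNAME and BANZIPEXTS directives).  Added example for
this page; not Declude code and not its configuration format."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# File names taken from the BANNAME lines posted in the thread; compared
# case-insensitively against the attachment's declared name.
BANNAME = {
    "accept_e-text.zip", "email_photo.zip", "excel_table.zip", "foto.zip",
    "liste.zip", "reg_text.zip", "registration.zip", "tabelle.zip",
    "word-text.zip", "packed-password_text.zip",
}

# Extensions refused inside an archive (the "ZIP-EXE" idea).  This set is an
# assumption for the example, not Declude's built-in BANZIPEXTS list.
BANNED_ZIP_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

MAX_NESTING = 2  # assumed limit on zips-within-zips we are willing to open


def _ext(name: str) -> str:
    """Lower-cased final extension of a path-like name ('' if there is none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def check_zip(data: bytes, outer: str, depth: int = 0) -> List[str]:
    """Return ban reasons for the members of a zip payload, recursing into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        members = zf.namelist()
    except zipfile.BadZipFile:
        # An archive the filter cannot open cannot be cleared either: report it.
        return [f"ZIP-UNREADABLE:{outer}"]
    reasons: List[str] = []
    for member in members:
        ext = _ext(member)
        if ext in BANNED_ZIP_EXTS:
            reasons.append(f"ZIP-EXE:{outer}->{member}")
        elif ext == ".zip" and depth < MAX_NESTING:
            reasons.extend(check_zip(zf.read(member), f"{outer}->{member}", depth + 1))
        elif ext == ".zip":
            reasons.append(f"ZIP-NESTED-TOO-DEEP:{outer}->{member}")
    return reasons


def scan_message(raw: bytes) -> List[str]:
    """Scan every attachment of an RFC 822 message; an empty list means no ban hit."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in BANNAME:
            reasons.append(f"BANNAME:{name}")
        payload = part.get_payload(decode=True) or b""
        # Look inside anything named .zip, and anything that merely *is* a zip
        # (PK\x03\x04 local-file-header signature) whatever it is called.
        if _ext(name) == ".zip" or payload.startswith(b"PK\x03\x04"):
            reasons.extend(check_zip(payload, name))
    return reasons


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


def build_sample(filename: str, members: Optional[Dict[str, bytes]] = None,
                 body: bytes = b"") -> bytes:
    """Constructed sample message with one attachment (not a real capture).
    Pass `members` to attach a zip built from them, or `body` for raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "Thanks for your registration"
    msg.set_content("Account and Password Information are attached!")
    payload = make_zip(members) if members is not None else body
    msg.add_attachment(payload, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "banned name + exe inside": build_sample("reg_text.zip", {"reg_text.exe": b"MZ"}),
        "new name, exe inside": build_sample("mailtext.zip", {"File-packed_dataInfo.exe": b"MZ"}),
        "nested archive": build_sample("outer.zip", {"inner.zip": make_zip({"payload.exe": b"MZ"})}),
        "harmless": build_sample("report.zip", {"report.txt": b"quarterly numbers"}),
        "corrupt archive": build_sample("broken.zip", body=b"not really a zip"),
    }
    for label, raw in samples.items():
        print(f"{label:26} -> {scan_message(raw) or 'clean'}")
```

Two design points worth noting. The name check matches the declared attachment name exactly, which is why the list has to be maintained per variant, as Darin's "keep the bans in place" remark describes; the content check is what catches a renamed sample, because it keys on what is inside the archive (and on the zip signature, not the file name) rather than on the name. Keeping the name list and the extension list separate mirrors the two Declude directives and keeps the per-variant churn confined to the name list.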
RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?
Sophos is now calling it Sober-R.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darin Cox
> Sent: Monday, November 14, 2005 8:33 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Sober to be released Nov-15-2005 ?
>
> Yep...seeing them here as well.
>
> Darin.
>
>
> - Original Message -
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, November 14, 2005 7:57 PM
> Subject: RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?
>
>
> Well, I am not sure about tomorrow, but in the last hour I have started to
> see some messages being caught with banned ZIP-EXE with a subject line of
> Thanks for your registration and a file name of reg_text.zip and a D file
> size of 184 Kb that I have not seen before.
>
> John T
> eServices For You
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > On Behalf Of Colbeck, Andrew
> > Sent: Monday, November 14, 2005 3:36 PM
> > To: Declude.Virus@declude.com
> > Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?
> >
> > Hmmm, now that's interesting.
> >
> > http://www.f-secure.com/weblog/#0705
> >
> >
> > Andrew.
RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?
Well, I am not sure about tomorrow, but in the last hour I have started to see some messages being caught with banned ZIP-EXE with a subject line of "Thanks for your registration" and a file name of reg_text.zip and a D file size of 184 Kb that I have not seen before.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Colbeck, Andrew
> Sent: Monday, November 14, 2005 3:36 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?
>
> Hmmm, now that's interesting.
>
> http://www.f-secure.com/weblog/#0705
>
>
> Andrew.
RE: [Declude.Virus] Second scanner
I use AVG as the second scanner and am happy with the results. I like BitDefender as they publish updates on average a dozen or more times per day, but it is more resource costly.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of David Dodell
> Sent: Thursday, November 03, 2005 9:25 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Second scanner
>
> After many years of using Virus Standard, I upgraded to Virus Pro to
> take advantage of a second scanner. I've scanned the previous
> threads on what others like for a second scanner to F-Prot, but can't
> seem to find any common thread ...
>
> So I would appreciate what seems to be the next most popular virus
> scanner to run as a secondary scanner to F-Prot?
>
> David
RE: [Declude.Virus] Blast of zips coming in
Well ... ;-)>

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of System Administrator
> Sent: Tuesday, November 01, 2005 9:48 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Blast of zips coming in
>
> on 11/1/05 11:38 AM, John T (Lists) wrote:
>
> > What is the payload inside?
>
> .exe files
>
> John's post about what we all should do with .exe files in zip attachments
> will follow in 3 ... 2 ... 1 ... :)
>
> Don't let me down John,
> Greg