[Declude.Virus] Banned file ext not caught

2007-09-19 Thread John T (lists)
I had a client receive an email with a PPS attachment this morning. PPS
files are banned. Looking at the Virus log for the message there are warning
lines about EOF encountered. I am assuming this means End Of File.

 

Is there a way to catch these?

 

09/19/2007 09:07:07.231 q492300cc5430.smd Vulnerability flags = 92

09/19/2007 09:07:07.246 q492300cc5430.smd MIME file:
[text/html][quoted-printable; Length=2041 Checksum=169730]

09/19/2007 09:07:07.278 q492300cc5430.smd Warning: EOF in middle of MIME
segment [] [--_b93bf649-659f-4133-bdea-60207fbe90ef_]

09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart
processing.

09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart
processing.

09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart
processing.

09/19/2007 09:07:07.309 q492300cc5430.smd WARNING: EOF in multipart
processing.

09/19/2007 09:07:08.918 q492300cc5430.smd Scanned: Virus Free [MIME: 4
345642]

 

John T

 



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
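
The log above shows the scanner reaching end-of-file inside a multipart body and then reporting the message as virus free. As an added illustration (not from the original post and not Declude's code), this Python example parses such a message tolerantly, records the missing closing boundary as a defect, and still applies an extension ban to the parts it found. The ban list, the sample message and the function names are assumptions made for the example.

```python
"""Flag mail whose MIME structure is cut short, and still apply the extension ban.

Constructed sample data; BANNED_EXTS and inspect_message are names assumed for
this example and are not Declude settings or APIs.
"""
import email
import os
from email import policy
from email.errors import CloseBoundaryNotFoundDefect, StartBoundaryNotFoundDefect

# Assumed ban list for the example.
BANNED_EXTS = {".pps", ".exe", ".bat"}

# Defects the standard-library parser records when a multipart body ends early
# or never starts: the condition the log calls "EOF in multipart processing".
STRUCTURE_DEFECTS = (CloseBoundaryNotFoundDefect, StartBoundaryNotFoundDefect)

BOUNDARY = "_constructed-boundary-0001_"

# Constructed message: two parts, then end of file with no closing
# "--boundary--" line after the attachment.
TRUNCATED = (
    "From: sender@example.com\r\n"
    "To: rcpt@example.com\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
    "\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "\r\n"
    "<html><body>constructed body</body></html>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Type: application/vnd.ms-powerpoint; name="slides.pps"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="slides.pps"\r\n'
    "\r\n"
    "Y29uc3RydWN0ZWQ=\r\n"
).encode("ascii")

# The same message with its terminating boundary present.
COMPLETE = TRUNCATED + f"--{BOUNDARY}--\r\n".encode("ascii")


def extension(filename):
    """Lower-cased extension, ignoring trailing dots and spaces."""
    cleaned = filename.strip().rstrip(". ")
    return os.path.splitext(cleaned)[1].lower()


def inspect_message(raw, banned=BANNED_EXTS):
    """Return a verdict dict for one raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    truncated = False
    banned_hits = []
    for part in msg.walk():
        # Defects are attached to the part where parsing went wrong.
        if any(isinstance(d, STRUCTURE_DEFECTS) for d in part.defects):
            truncated = True
        name = part.get_filename()
        if name and extension(name) in banned:
            banned_hits.append(name)
    return {
        "truncated": truncated,
        "banned": banned_hits,
        # A broken structure is its own reason to hold the message, rather
        # than reporting it clean because scanning stopped early.
        "hold": truncated or bool(banned_hits),
    }


if __name__ == "__main__":
    for label, raw in (("truncated", TRUNCATED), ("complete", COMPLETE)):
        print(label, inspect_message(raw))
```
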

RE: [Declude.Virus] exe in zip file why not blocked...

2007-07-30 Thread John T (lists)
David, the log snippet posted is of the Declude Virus log, meaning it passed
Junkmail and was scanned.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 30, 2007 9:24 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

 

AVAFTERJM  ON means if the email reaches the JM either HOLD or DELETE to not
call the AV in the Declude code. Try switching this OFF to see if it
resolves the issue.


David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Monday, July 30, 2007 10:27 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

 

Declude 4.3.57

 

AVAFTERJM ON YES.

 

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 30, 2007 7:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

 

Scott,

 

What version of Declude ?

 

Are you using the directive AVAFTERJM  ON?

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Friday, July 27, 2007 3:06 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] exe in zip file why not blocked...

 

I was looking at my spam folder and noticed an email with a zip that
contained an exe.

 

07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862

07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip
[base64; Length=19363 Checksum=2473579]

07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit
code of 8

07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit
code of 8

07/27/2007 11:10:23.015 q18d4010e464c.smd Virus scanner 2 reports exit
code of 8

07/27/2007 11:10:25.640 q18d4010e464c.smd Virus scanner 2 reports exit
code of 8

07/27/2007 11:10:28.374 q18d4010e464c.smd Virus scanner 2 reports exit
code of 8

07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string
Found in report.txt

07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.

07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus
scanner. [MIME: 2 19668]

 

virus.cfg lines:

BANEXT exe

BANZIPEXTS ON

 

I believe this should have been blocked (regardless of the problem with
scanner 2).

 

Scott Fisher

Dir of IT

Farm Progress Companies

191 S Gary Ave

Carol Stream, IL 60188

Tel: 630-462-2323

 


RE: [Declude.Virus] banning EZIP but....

2007-06-28 Thread John T (lists)
I do not ban EZIP outright, but instead I ban EZIPEXTS.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno
Bloksma
Sent: Thursday, June 28, 2007 5:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] banning EZIP but

 

Hi,

 

Just ran into a problem that *I* could resolve but still

I had a problem with my backup tool Yosemite Backup and they have a tool on
their site that they want you to run. It collects all kinds of relevant data
to help pinpoint the problem.

The output in the latest version is an encrypted ZIP file which gets
blocked when I try to send it via email. :-(

 

Of course I could just change the Declude config for a few seconds but
that's just me. What I would like Declude to do is:

- Block all inbound EZIP files

- Block outbound EZIP files UNLESS the user authenticates via SMTP AUTH.

Currently this is not possible I think, would be a nice option though.

 

How do others currently circumvent this problem?

 

Kind regards,
Bonno Bloksma
head of systems administration

 

tio hogeschool hotelmanagement en toerisme 

begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
  [EMAIL PROTECTED]  /  
www.tio.nl 



RE: [Declude.Virus] Feature request - Notification emails generated on vulnerabilities

2007-05-25 Thread John T (lists)
Why not use vulnerability.eml?

SKIPIFVIRUSNAMEDOESNOTHAVE  Vulnerability
ONLYSENDIFREMOTESENDER
From: [EMAIL PROTECTED]
To: %ALLRECIPS%
Subject: We blocked a suspected malicious email sent to you!

Delivery blocked: %LOCALRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses,
junk mail, (spam) and e-mail vulnerabilities. (Vulnerabilities
are those which can allow a virus or other malicious content to
hide from virus scanners and junk mail filters.)

We caught an e-mail addressed to you that is formatted with
%VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid email that
you want or should have received, please reply to this
notification, and we will review and requeue the message for
delivery. (Note, there may be a delay until the message is
delivered to you.) Otherwise, the e-mail will be deleted
automatically after 5 days.

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
Remote IP: %REMOTEIP%

DATE: %DATE% @ %TIME%

SPOOL FILE: %QUEUENAME%

Headers of the e-mail in question:

%HEADERS%

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Friday, May 25, 2007 6:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request - Notification emails generated on
vulnerabilities

 

It would be wonderful to be able to send out notifications on
vulnerabilities like the current notifications on virus found/banned files.

 

We still have to process the virus queue due to legit email that may be held
due to vulnerabilities that we do not want to turn off in the config.  For
legit email in virus/banned file scanning notifications are sent and the
requeue message link we include in our notifications allows the users to
receive the message without us touching it.  But since this notification
does not get sent for vulnerabilities, we still have to manually review this
queue.  Being able to send out notifications on vulnerabilities would keep
us from having to touch the virus hold queue at all, saving us time every
day.

 

Thoughts?


Darin.

 

 



RE: [Declude.Virus] OT: Prevx and malware detection

2007-05-08 Thread John T (lists)
Windows Defender Beta ended I believe in December 2006. The version out now
is a fully released supported version.

John T


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Gary Steiner
> Sent: Tuesday, May 08, 2007 10:57 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] OT: Prevx and malware detection
> 
> Does anyone have any experience with Prevx for malware detection?  I've
> been looking at different products and after googling this one seems to
> be well recommended.
> 
> I was playing around with Windows Defender, but since it is a beta, I'm
> not sure how serious Microsoft is taking it at this point.
> 
> Gary Steiner



RE: [Declude.Virus] BanNotify email not being sent

2007-05-03 Thread John T (lists)
I wonder if the name of the file you are testing with is on the forging list
at Declude.

 

Try creating a text file and renaming it to something like john.bat and then
see what happens.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Thursday, May 03, 2007 2:33 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

 





 




RE: [Declude.Virus] BanNotify email not being sent

2007-05-02 Thread John T (lists)
Sorry to bother, but please post the rest of the lines from the debug log
for that message.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Wednesday, May 02, 2007 2:36 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

 

John,

I should have known to go to DEBUG mode first

Here's what is showing there:

05/02/2007 17:27:31.265 q0225028073d8.smd Not sending .eml file since
AUTOFORGING detected a forging virus.

I sent a regular .exe program install file in the test.  The question now is
- why is this being picked up as a forging virus?

Randy A. 

  _  

From: "John T (lists)" <[EMAIL PROTECTED]>
Sent: Wednesday, May 02, 2007 12:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

Put your virus log into debug and then try sending a banned extension
attachment.

Post your bannotify.eml file as a text attachment 

  

John T 

  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Wednesday, May 02, 2007 5:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent 

 

I just upgraded to 4.3.46 and same thing - BANnotify is not being sent...

Randy A. 

  _____  

From: "John T (lists)" <[EMAIL PROTECTED]>
Sent: Monday, April 30, 2007 8:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent 

What version of Declude? I am using 4.3.47 and it is working. 

  

What does the Virus log say? 

  

John T 

  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent 

 

It was recently brought to my attention by a customer that the BanNotify
email is not being sent out from our server when necessary - I tried sending
myself a test email with an .exe file attached, and sure enough, the
message is trapped but the notice is not sent out.

Using declude v4.x  

Thanks!

Randy A. 

RE: [Declude.Virus] BanNotify email not being sent

2007-05-02 Thread John T (lists)
1)  Put your virus log into debug and then try sending a banned
extension attachment.

2)  Post your bannotify.eml file as a text attachment

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Wednesday, May 02, 2007 5:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent

 

I just upgraded to 4.3.46 and same thing - BANnotify is not being sent...

Randy A.

  _  

From: "John T (lists)" <[EMAIL PROTECTED]>
Sent: Monday, April 30, 2007 8:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] BanNotify email not being sent 

What version of Declude? I am using 4.3.47 and it is working. 

  

What does the Virus log say? 

  

John T 

  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent 

 

It was recently brought to my attention by a customer that the BanNotify
email is not being sent out from our server when necessary - I tried sending
myself a test email with an .exe file attached, and sure enough, the
message is trapped but the notice is not sent out.

Using declude v4.x  

Thanks!

Randy A. 

RE: [Declude.Virus] BanNotify email not being sent

2007-04-30 Thread John T (lists)
What version of Declude? I am using 4.3.47 and it is working.

 

What does the Virus log say?

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Monday, April 30, 2007 12:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] BanNotify email not being sent

 

It was recently brought to my attention by a customer that the BanNotify
email is not being sent out from our server when necessary - I tried sending
myself a test email with an .exe file attached, and sure enough, the
message is trapped but the notice is not sent out.

Using declude v4.x  

Thanks!

Randy A. 

RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread John T (lists)
Actually, that is the BANNotify.eml file that is used.

John T


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> John T (lists)
> Sent: Friday, April 27, 2007 12:39 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and
> Declude failures
> 
> > Until Declude resolves the issue with BANEXT EZIP, I've had to ban all
> > rar files.  Unfortunately some of my customers regularly send rar
> > attachments, so I've had to check the virus hold directory on a regular
> > basis and manually resubmit any false positives there.
> >
> > Gary
>
> Instead of manually checking for legit files, use the BANEXT.eml file to
> send a postmaster message that you get and/or the recipient and/or sender
> get and that notice can be reviewed a lot easier than manually checking the
> hold directory.
>
> John T



RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread John T (lists)
> Until Declude resolves the issue with BANEXT EZIP, I've had to ban all
> rar files.  Unfortunately some of my customers regularly send rar
> attachments, so I've had to check the virus hold directory on a regular
> basis and manually resubmit any false positives there.
> 
> Gary

Instead of manually checking for legit files, use the BANEXT.eml file to
send a postmaster message that you get and/or the recipient and/or sender
get and that notice can be reviewed a lot easier than manually checking the
hold directory.

John T







RE: [Declude.Virus] You should not use an on-access virus scanner that scans the ....

2007-04-17 Thread John T (lists)
Unfortunately, I am still up, at least for another 15 minutes or so. If you
want to zip and send me a log file I will have a look see.

 

John Tolmachoff

eServices For You

[EMAIL PROTECTED]

(626) 737-6003

Fax (626) 737-6004

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe,
Alexander
Sent: Tuesday, April 17, 2007 1:54 AM
To: declude.virus@declude.com
Subject: AW: [Declude.Virus] You should not use an on-access virus scanner
that scans the 

 

Hello John,

 

1)  86 the read receipt requests! 

Sorry. I'm trying, but sometimes I forget to disable it. 

 

2)  You should be running 4.3.46 at this point due to a problem with a
recent change in AVG. 

Typo, it *is* 4.3.46 

 

3)  Is this happening on every email, or random? 

This morning (after updating) it happened all times, now I can't see any
entries in the log. (and we are getting virusmails :)

I'll keep an eye on the logfiles.

 

4)  Since you are only running one virus scanner (aside from the built
in AVG,) I do not think you need to have the number 1 for each line, i.e.
SCANFILE1 and VIRUSCODE1. 

modified (and no entry before and after) 

 

Alex 

 

  _  

Siller AG, Wannenäckerstraße 43, 74078 Heilbronn
Executive Board: Prof. H.-F. Siller (Chairman), Jörn Bülow, Ralf Michi
Chairman of the Supervisory Board: Armin Sohler
Registration court: Stuttgart, HRB 107707, VAT ID no. DE145782955

  _  

 




RE: [Declude.Virus] You should not use an on-access virus scanner that scans the ....

2007-04-17 Thread John T (lists)
1)  86 the read receipt requests!

2)  You should be running 4.3.46 at this point due to a problem with a
recent change in AVG.

3)  Is this happening on every email, or random?

4)  Since you are only running one virus scanner (aside from the built
in AVG,) I do not think you need to have the number 1 for each line, i.e.
SCANFILE1 and VIRUSCODE1.

 

John T

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe,
Alexander
Sent: Tuesday, April 17, 2007 12:29 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] You should not use an on-access virus scanner that
scans the 

 

Hello, 

after updating to 4.0.46 I've got these entries in one of our Mailservers: 

04/17/2007 08:49:18.391 q6de201f80068.smd Virus scanner 1 reports exit
code of 0 
04/17/2007 08:49:18.391 q6de201f80068.smd 1 [1 of 2 not deleted] files
were deleted.  You should not use an on-access virus scanner that scans the
\IMail directory or sub-directories.

04/17/2007 08:49:18.391 q6de201f80068.smd Scanned: Virus Free [MIME: 1
2108] 

Yes, I know I should disable the on-access scanner :)

But: 
- there is a local AVG installed, *without* real-time scanner 
- and ClamAV 
- and nothing else (F-Prot is removed after changing the licensing :) 
so I can't find anything that could delete a virus. 

Could it be a "wrong" setting from ClamAV (not ClamWin)? 

SCANFILE1 C:\imail\declude\runclamscan.exe log=1
C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt 
VIRUSCODE1 1 
REPORT1 FOUND 
Clam is running with Sanesecurity and malware.com.br signatures. 

Alex 

  _  

Siller AG, Wannenäckerstraße 43, 74078 Heilbronn
Executive Board: Prof. H.-F. Siller (Chairman), Jörn Bülow, Ralf Michi
Chairman of the Supervisory Board: Armin Sohler
Registration court: Stuttgart, HRB 107707, VAT ID no. DE145782955

  _  

 




RE: [Declude.Virus] Declude 4.3.46 Release

2007-04-16 Thread John T (lists)
My bad, the file is not pcres.dll but pcre3.dll. 

Darn keyboard virus. I wish Declude could fix that.

;-)>

John T


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> John T (lists)
> Sent: Monday, April 16, 2007 12:38 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Declude 4.3.46 Release
> Importance: High
> 
> Just got off the phone with Tech Support.
>
> A file pcres.dll was not included in the original upgrade executable and if
> that file is not in the \Imail directory the decludeproc service will not
> start.
>
> She had to send me the file separately and they will now be changing the
> upgrade executable.
> 
> John T
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > David Barker
> > Sent: Monday, April 16, 2007 11:24 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] Declude 4.3.46 Release
> >
> > Addresses this AVG issue. If you currently only have AVG as your virus
> > scanner I would consider this a critical update.
> >
> > EVA ADD Improved AVG virus database format for optimization
> > EVA ADD Improved speed of AVG scanning by 15-20%
> > EVA ADD Updated AVG (avgsdk.dll 1.2.449)
> > DEC ADD Updated Commtouch ZEROHOUR (asapsdk.dll 5.03.0013)
> > JM  FIX Smartermail HELO was being picked up from the headers rather
> > than the envelope
> > JM  FIX Fixed log entry for PCRE when matching on location SUBJECT
> >
> > David Barker
> > VP Operations  |  Declude
> > Your Email Security is our business
> > O: 978.499.2933  x7007
> > F: 978.988.1311
> > E: [EMAIL PROTECTED]
> >
> >
> > 
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Hirthe, Alexander
> > Sent: Monday, April 16, 2007 10:09 AM
> > To: declude.virus@declude.com
> > Subject: AW: [Declude.Virus] AVG Virus updates - No updates from
> > declude since 4/7/7
> >
> >
> > Hello Darell,
> >
> > are you (or David :) sure with the return codes?
> >
> > I'm getting 0.0.0.1 and these files on both servers:
> >
> > Darell - Alex
> > incavi.avm - 4/15/2007 - 4/06/2007
> > microavi.avg - 4/5/2007 - 4/05/2007
> > miniavg.avg - 2/16/2007 - 2/16/2007
> > avi7.avg - 2/21/2007 - 21/02/2007
> >
> > I stopped decludeproc, renamed the AVG Files and started decludeproc
> > and I got the same files, all from today, but with the same size as
> > before.
> >
> > Alex
> >
> >
> >
> > 
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Darrell ([EMAIL PROTECTED])
> > Sent: Monday, April 16, 2007 14:37
> > To: declude.virus@declude.com
> > Subject: Re: [Declude.Virus] AVG Virus updates - No updates from
> > declude since 4/7/7
> >
> >
> > Honestly, I am not sure what all the individual files are, but here
> > are my dates
> >
> > incavi.avm - 4/15/2007
> > microavi.avg - 4/5/2007
> > miniavg.avg - 2/16/2007
> > avi7.avg - 2/21/2007
> >
> > Howard - you can try this post from David from the Archive-
> > http://www.mail-archive.com/declude.virus@declude.com/msg13473.html
> >
> > Darrell
> >
> > ---
> > Check out http://www.invariantsystems.com for utilities for Declude
> > And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
> > integration, MRTG Integration, and Log Parsers.
> >
> > - Original Message -
> > From: Howard Smith (N.O.R.A.D.) <mailto:[EMAIL PROTECTED]>
> > To: declude.virus@declude.com
> > Cc: [EMAIL PROTECTED] ; 'David Barker' <mailto:[EMAIL PROTECTED]>
> > Sent: Monday, April 16, 2007 6:28 AM
> > Subject: [Declude.Virus] AVG Virus updates - No updates from
> > declude since 4/7/7
> >
> >
> > I have not had a virus update from decludes AVG builtin
> > scanner since 4/6/7 , has any one received any later updates , or
> > suggestions  to fix problem
> >
> >
> >
> >
> >

RE: [Declude.Virus] Declude 4.3.46 Release

2007-04-16 Thread John T (lists)
Just got off the phone with Tech Support.

A file pcres.dll was not included in the original upgrade executable and if
that file is not in the \Imail directory the decludeproc service will not
start. 

She had to send me the file separately and they will now be changing the
upgrade executable.

John T

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> David Barker
> Sent: Monday, April 16, 2007 11:24 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Declude 4.3.46 Release
> 
> Addresses this AVG issue. If you currently only have AVG as your virus
> scanner I would consider this a critical update.
> 
> EVA   ADD Improved AVG virus database format for optimization
> EVA   ADD Improved speed of AVG scanning by 15-20%
> EVA   ADD Updated AVG (avgsdk.dll 1.2.449)
> DEC   ADD Updated Commtouch ZEROHOUR (asapsdk.dll 5.03.0013)
> JM    FIX Smartermail HELO was being picked up from the headers rather
> than the envelope
> JM    FIX Fixed log entry for PCRE when matching on location SUBJECT
> 
> David Barker
> VP Operations  |  Declude
> Your Email Security is our business
> O: 978.499.2933  x7007
> F: 978.988.1311
> E: [EMAIL PROTECTED]
> 
> 
> 
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Hirthe, Alexander
> Sent: Monday, April 16, 2007 10:09 AM
> To: declude.virus@declude.com
> Subject: AW: [Declude.Virus] AVG Virus updates - No updates from
> declude since 4/7/7
> 
> 
> Hello Darell,
> 
> are you (or David :) sure with the return codes?
> 
> I'm getting 0.0.0.1 and these files on both servers:
> 
> Darell - Alex
> incavi.avm - 4/15/2007 - 4/06/2007
> microavi.avg - 4/5/2007 - 4/05/2007
> miniavg.avg - 2/16/2007 - 2/16/2007
> avi7.avg - 2/21/2007 - 21/02/2007
>
> I stopped decludeproc, renamed the AVG Files and started decludeproc and I
> got the same files, all from today, but with the same size as before.
> 
> Alex
> 
> 
> 
> 
> 
>   Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag
> von
> Darrell ([EMAIL PROTECTED])
>   Gesendet: Montag, 16. April 2007 14:37
>   An: declude.virus@declude.com
>   Betreff: Re: [Declude.Virus] AVG Virus updates - No updates from
> declude since 4/7/7
> 
> 
>   Honestly, I am not sure what all the individual files are, but
> here
> are my dates
> 
>   incavi.avm - 4/15/2007
>   microavi.avg - 4/5/2007
>   miniavg.avg - 2/16/2007
>   avi7.avg - 2/21/2007
> 
>   Howard - you can try this post from David from the Archive-
>   http://www.mail-
> archive.com/declude.virus@declude.com/msg13473.html
> 
>   Darrell
> 
> ---
>   Check out http://www.invariantsystems.com for utilities for Declude
>   And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
>   MRTG Integration, and Log Parsers.
> 
>   - Original Message -
>   From: Howard Smith (N.O.R.A.D.) 
>   To: declude.virus@declude.com
>   Cc: [EMAIL PROTECTED] ; 'David Barker'
> 
>   Sent: Monday, April 16, 2007 6:28 AM
>   Subject: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7
> 
> 
>   I have not had a virus update from Declude's AVG built-in
>   scanner since 4/6/7; has anyone received any later updates, or
>   suggestions to fix the problem?
> 
> 
> 
> 
> 
>   Howard Smith
> 
>   N.O.R.A.D. Inc.
> 
>   P.O. Box 680116
> 
>   Miami, Florida 33168
> 
>   www.norad.com
> 
>   [EMAIL PROTECTED]
> 
> 
> 
> 

RE: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

2007-03-22 Thread John T \(lists\)
Bill, I will be back on in a couple of hours if you are still around and
need help.

John T
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Bill Green dfn Systems
> Sent: Thursday, March 22, 2007 6:15 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
> 
> Is there an actual set of instructions for a Declude Upgrade for IMail? The
> Declude site lists Installation Instructions, but they are for SmarterMail.
> The Knowledge Base is no help. Declude Support has gone Home. My Upgrade has
> gone horribly wrong and I now seem to have a hybrid monster.
> 
> Bill Green
> dfn Systems
> 
> - Original Message -
> From: "Bill Green dfn Systems" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, March 22, 2007 6:31 PM
> Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
> 
> 
> > I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key
> > message. According to the Archives, I need to put the Key in the
> > declude.cfg file, but what is the correct syntax?
> >
> > License Key (KEY#) ?
> > or
> > Product Key (Key#) ?
> > or just
> > Key # ?
> >
> > Bill Green
> > dfn Systems



RE: [Declude.Virus] F-Prot Version 6

2007-03-13 Thread John T \(lists\)
As Andrew pointed out, you did not read the fine print.

John T

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Douglas Cohn
> Sent: Tuesday, March 13, 2007 8:50 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] F-Prot Version 6
> 
> F-prot is $50 for 10 licenses per year.  $5 per machine per year.  Version 6
> 
> Why is that not still reasonable?
> 
> Please explain
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
> Bilbee
> Sent: Thursday, February 01, 2007 8:33 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] F-Prot Version 6
> 
> Changed when they released the new version. About 3 months back. Check the
> archives of this list. We were complaining about it. We dumped using their
> product and just use the AVG built into Declude.
> 
> 
> 
> Kevin Bilbee
> 
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, February 01, 2007 3:33 PM
> > To: declude.virus@declude.com
> > Subject: Re: [Declude.Virus] F-Prot Version 6
> >
> > When did their licensing change?  F-Prot used to be extremely
> > reasonable.
> >
> > Don
> >
> > - Original Message -
> > From: "Kevin Bilbee" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Wednesday, January 31, 2007 11:14 PM
> > Subject: RE: [Declude.Virus] F-Prot Version 6
> >
> >
> > > Read the license. It may be compatible but the licensing is expensive.
> > >
> > >
> > > Kevin Bilbee
> > >
> > >> -Original Message-
> > >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > >> David Dodell
> > >> Sent: Wednesday, January 31, 2007 7:26 PM
> > >> To: Declude.Virus@declude.com
> > >> Subject: [Declude.Virus] F-Prot Version 6
> > >>
> > >> Been using F-Prot version 3 for years ... and now getting notices to
> > >> upgrade to version 6.
> > >>
> > >> Anyone done this yet, and is it still compatible with Declude/Imail,
> > >> etc?
> > >>
> > >> David



[Declude.Virus] New virus - PiggiA

2007-01-03 Thread John T \(Lists\)
With the extensions listed, anyone know if the payload is only in the
executables?

W32/Piggi-A is a mass-mailing worm for the Windows platform. 
W32/Piggi-A spreads via email and may pretend: 
- to offer a free gift
- that your myspace, anti-virus, tax, financial or personal details have
been hacked or expired
- that an email sent, was failed to deliver
- to be showing you a picture, movie, game, sound or website
- to offer a gambling, casino or poker technique or strategy 
Attached files may contain any of the following extensions: 
- .wav
- .wma
- .mp3
- .rtf
- .html
- .txt
- .gif
- .jpeg
- .com
- .exe


John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)








RE: [Declude.Virus] How to block an IP

2006-12-25 Thread John T \(Lists\)
If you want to block IP addresses from any access, your best bet is to use
Imail Control Access list in the SMTP service, that way neither Imail nor
Declude ever have to touch it in the first place.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
> Sent: Monday, December 25, 2006 10:30 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] How to block an IP
> 
> I guess I've forgotten the order in which processes occur. I thought it was
> kill.lst, rules.ima, and then Declude.
> 
> I thought I was clear. I want to block certain IP addresses which get
> stopped by Declude AV for a vulnerability. Certain ones are prolific and
> tend to leave a couple of hundred in my virus hold file each day. I want to
> have them deleted so I don't have to deal with them.
> 
> They don't get caught by my Declude IP blacklist since they are stopped by
> AV first. It's only about 6 or 8 IP blocks which have never shown a valid
> email in over 2 years.
> 
> BTW.. I responded to you off-list on my last subject a few days ago. After
> thinking about it, I didn't think the subject had much place on the Declude
> list.
> 
> - Original Message -
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, December 25, 2006 11:38 PM
> Subject: RE: [Declude.Virus] How to block an IP
> 
> 
> Using Imail rules, no! Imail rules are the last to run of all other items.
> 
> Exactly what are you intending to do?
> 
> John T
> eServices For You
> 
> "Life is a succession of lessons which must be lived to be understood."
> Ralph Waldo Emerson (1802-1882)
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
> > Sent: Monday, December 25, 2006 8:07 PM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] How to block an IP
> >
> > Is there a way to block an IP address before analysis by Declude's AV (Ver
> > 1.82 - Imail 8.x)?
> >
> > I thought I should be able to do this with rules.ima by looking for a line
> > in the header. So I have a line that says
> > H~xxx\.yyy\.zz\.
> > but it doesn't work. (In case you can't see it, the lines read \. = slash
> > dot per Ipswitch docs) I don't think the H~ (header contains) command reads
> > everything in the header.
> >
> > ~Joe
> >
> >
> >



RE: [Declude.Virus] How to block an IP

2006-12-25 Thread John T \(Lists\)
Using Imail rules, no! Imail rules are the last to run of all other items.

Exactly what are you intending to do?

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
> Sent: Monday, December 25, 2006 8:07 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] How to block an IP
> 
> Is there a way to block an IP address before analysis by Declude's AV (Ver
> 1.82 - Imail 8.x)?
> 
> I thought I should be able to do this with rules.ima by looking for a line
> in the header. So I have a line that says
> H~xxx\.yyy\.zz\.
> but it doesn't work. (In case you can't see it, the lines read \. = slash
> dot per Ipswitch docs) I don't think the H~ (header contains) command reads
> everything in the header.
> 
> ~Joe
> 
> 
> 



[Declude.Virus] Posting etiquette

2006-12-22 Thread John T \(Lists\)
Do not use "Digital email Signatures" when posting to a list.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)









RE: [Declude.Virus] Couldn't rename SMD to SM$ [183]

2006-12-18 Thread John T \(Lists\)
Search for all log lines for that message in both the junkmail and virus
logs to see if there is another error message preceding that.

 

John T

eServices For You

 

"Life is a succession of lessons which must be lived to be understood."

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe,
Alexander
Sent: Monday, December 18, 2006 2:54 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Couldn't rename SMD to SM$ [183]

 

Hello,

 

what should this message tell me? :)

-

12/18/2006 23:51:47.687 q1a18019903bb.smd Couldn't rename SMD to SM$
[183].  Priority back to 32. Error String: [Cannot create a file when that
file already exists.] [C:\IMail\spool\proc\work\D1a18019903bb.smd]
[C:\IMail\spool\proc\work\D1a18019903bb.sm$]
-

and why does it happen?

 

I found it multiple times in the logfile, running declude v4.3.14 with AVG
Built-In and ClamAV.

 

Alex 


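John T's advice in the message above, pulling every log line for one message out of both the JunkMail and Virus logs to see what preceded the error, can be scripted. This is an added example, not part of the original thread or of Declude's own tooling; it assumes both logs use the `MM/DD/YYYY HH:MM:SS.mmm <spool file> <text>` layout of the quoted line and that the `q…`/`D…` spool file names share one message id, and every sample line except the "Couldn't rename" entry is constructed.

```python
import re
from datetime import datetime

# Layout of the line quoted in the thread: MM/DD/YYYY HH:MM:SS.mmm <spool file> <text>
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+\.smd) (.*)$",
    re.IGNORECASE,
)
# Words that mark an entry as worth reading first (an assumption, tune to taste).
PROBLEM_RE = re.compile(r"error|warning|couldn't|cannot|fail", re.IGNORECASE)

# Constructed sample logs; only the "Couldn't rename" entry comes from the thread.
VIRUS_LOG = r"""
12/18/2006 23:51:46.100 q1a18019903bb.smd sample scan start (constructed)
12/18/2006 23:51:46.900 q1a18019903bb.smd ERROR: sample scanner problem (constructed)
12/18/2006 23:51:47.687 q1a18019903bb.smd Couldn't rename SMD to SM$
[183].  Priority back to 32. Error String: [Cannot create a file when that
file already exists.] [C:\IMail\spool\proc\work\D1a18019903bb.smd]
[C:\IMail\spool\proc\work\D1a18019903bb.sm$]
12/18/2006 23:51:48.000 q2b00000000aa.smd line for another message (constructed)
"""
JUNK_LOG = r"""
12/18/2006 23:51:45.500 q1a18019903bb.smd sample test result (constructed)
12/18/2006 23:51:46.500 q1a18019903bb.smd Warning: sample junkmail condition (constructed)
"""


def message_key(spool_name):
    """Reduce q1a18019903bb.smd or D1a18019903bb.smd to the shared id 1a18019903bb.

    Pass the file name as it appears in the log, prefix letter included.
    """
    stem = spool_name.lower().rsplit(".", 1)[0]
    return stem[1:] if stem[:1] in ("q", "d") else stem


def parse_log(source, text):
    """Parse one log into entries; wrapped lines are folded into the entry above."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "when": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f"),
                "source": source,
                "key": message_key(m.group(2)),
                "text": m.group(3),
            })
        elif entries:
            # No timestamp: continuation of the previous entry.
            entries[-1]["text"] += " " + line.strip()
    return entries


def timeline(spool_name, *logs):
    """All entries for one message across the given logs, oldest first."""
    key = message_key(spool_name)
    merged = [e for log in logs for e in log if e["key"] == key]
    return sorted(merged, key=lambda e: e["when"])


def problems_before(spool_name, needle, *logs):
    """Problem-looking entries that precede the first entry containing needle."""
    events = timeline(spool_name, *logs)
    for i, event in enumerate(events):
        if needle in event["text"]:
            return [e for e in events[:i] if PROBLEM_RE.search(e["text"])]
    return []


if __name__ == "__main__":
    junk = parse_log("junkmail", JUNK_LOG)
    virus = parse_log("virus", VIRUS_LOG)
    for e in timeline("q1a18019903bb.smd", junk, virus):
        print(e["when"].strftime("%H:%M:%S.%f")[:-3], e["source"].ljust(8), e["text"])
    print("--- earlier problems ---")
    for e in problems_before("q1a18019903bb.smd", "Couldn't rename", junk, virus):
        print(e["source"], "|", e["text"])
```
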

RE: [Declude.Virus] Problem after upgrade to Declude 4.3.23

2006-12-17 Thread John T \(Lists\)
Did you put it into the Declude.cfg file?

 

John T

eServices For You

 

"Life is a succession of lessons which must be lived to be understood."

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf
Tombe
Sent: Sunday, December 17, 2006 10:53 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Problem after upgrade to Declude 4.3.23

 

I have finally made the move and upgraded Declude to version 4.3.23 (from
version 3.1) but I'm now having trouble getting it to run.  I've used my
"product Key" listed on my account area of the Declude website for version
4.x; but the Declude process will not start and continually responds with
the error "FATAL ERROR: Product license key not in configuration INVALID
KEY".

 

I've double checked the product key and it appears correct.  I've checked
the Declude Support and on-line help areas but nothing references this
error.  Has anyone else had this problem when upgrading?

 

Wolf



RE: [Declude.Virus] Re: notification stopped? .. now Why GSC

2006-12-07 Thread John T \(Lists\)
What happens if you restart the Queue Manager service?

 

John T

eServices For You

 

"Life is a succession of lessons which must be lived to be understood."

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Dodell
Sent: Thursday, December 07, 2006 10:47 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Re: notification stopped? .. now Why GSC

 

-Original Message-
I just realized I haven't been seeing any notifications for the past 
few weeks from my Declude software showing it had stopped a virus.
I checked the virus log on the server, and it shows it is stopping 
several viruses a day.
---

I just checked the spool directory ... there are thousands of GSC files, all
containing the virus notification that I'm looking for.   They are all
addressed to [EMAIL PROTECTED] which is working from tests from outside
email accounts.

Why are the virus notifications getting stuck thousands at a time as GSC
files in the spool directory instead of being delivered?

David



RE: [Declude.Virus] EXE in RAR file

2006-12-06 Thread John T \(Lists\)
RAR files should be treated the same as ZIP files, so unless something has
changed if you have BANZIPEXTS ON and have BANEXT EXE it should be banned.

 

John T

eServices For You

 

"Life is a succession of lessons which must be lived to be understood."

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Wednesday, December 06, 2006 7:40 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] EXE in RAR file

 

Does Declude check for banned extension in RAR files?

If not, please add this to the wish list. RAR files are becoming more
popular and it is difficult to ban RAR files.

 

I had an email come in with an .EXE file in a RAR file. So I believe it
doesn't.



RE: [Declude.Virus] AUTOFORGE

2006-10-27 Thread John T \(Lists\)
OOPS, brainfart.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> Steiner
> Sent: Friday, October 27, 2006 5:07 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AUTOFORGE
> 
> I think you meant to say SKIPIFFORGING not SKIPIFFORGINGVIRUS.
> 
> 
> ---- Original Message 
> > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > Sent: Friday, October 27, 2006 7:52 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] AUTOFORGE
> >
> > > Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME?  Do you need to have
> > > both statements in the virus.cfg or is that redundant?
> >
> > FORGINGVIRUS is in the virus.cfg file and it is to list those viruses that
> > forge the from address. Then, in your various eml files, you just need to
> > put in SKIPIFFORGINGVIRUS instead of having to list each
> > SKIPIFVIRUSNAMEHAS
> > John T
> > eServices For You
> >
> > "Life is a succession of lessons which must be lived to be understood."
> > Ralph Waldo Emerson (1802-1882)
> >
> >
> >
> >
> >



RE: [Declude.Virus] AUTOFORGE

2006-10-27 Thread John T \(Lists\)
> Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME?  Do you need to have
> both statements in the virus.cfg or is that redundant?

FORGINGVIRUS is in the virus.cfg file and it is to list those viruses that
forge the from address. Then, in your various eml files, you just need to
put in SKIPIFFORGINGVIRUS instead of having to list each
SKIPIFVIRUSNAMEHAS

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)








RE: [Declude.Virus] stration work

2006-10-02 Thread John T \(Lists\)









Andrew, wouldn't the second line include the first, meaning only the second line is needed?

 



John T

eServices For You

 

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, October 02, 2006 3:49 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] stration work

 

Those of us still running F-Prot* as a
primary virus scanner will want to add one or both of these to their virus.cfg
in order to block notifications for detection of the Stration malware:

 

FORGINGVIRUS W32/Tricky-Malware-based!Maximus

FORGINGVIRUS Tricky-Malware-based!

 

The first is the most explicit, and the
second is a fragment that will catch future detections that are based on
heuristics.

 

And in the unlikely event that someone is
using Trend Micro OfficeScan or SysClean:

 

FORGINGVIRUS Possible_Strat-2

FORGINGVIRUS Possible_

 

 

Andrew 8)

 

* The "new" price is
unjustifiably high for using fpcmd on a mailserver.  Plan to switch to a
different vendor before you renew this licence.

 



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, October 02, 2006 7:27 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] stration work

It looks like the Stration worm is causing backscatter today:





 





The W32/Stration.dr virus drops the mass mailing worm W32/[EMAIL PROTECTED]. that uses
its own SMTP engine to send itself to the email addresses that it harvests on
the infected computer. The W32/Stration.dr is written using Microsoft Visual
C++ and also contains functionality to connect to a remote web server to
download a file.



 





I've added it as a forging virus







FORGINGVIRUS Stration






-
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323





 





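John T's question in the message above, whether the shorter FORGINGVIRUS fragment already covers the longer entry, can be checked mechanically for a whole virus.cfg. This is an added example, not part of the original thread or of Declude's code; it assumes FORGINGVIRUS values are matched as case-insensitive substrings of the scanner-reported virus name (which is what Andrew's "fragment" remark implies) and that `#` starts a comment line, and the cfg excerpt and the reported names marked as such are constructed.

```python
# Constructed virus.cfg excerpt; the FORGINGVIRUS values are the ones posted in this thread.
SAMPLE_CFG = """\
# notification suppression for forging malware
FORGINGVIRUS W32/Tricky-Malware-based!Maximus
FORGINGVIRUS Tricky-Malware-based!
FORGINGVIRUS Possible_Strat-2
FORGINGVIRUS Possible_
FORGINGVIRUS Stration
BANEXT EXE
"""

REPORTED_NAMES = [
    "W32/Tricky-Malware-based!Maximus",  # name from the thread
    "Possible_Strat-2",                  # name from the thread
    "W32/Tricky-Malware-based!Sample",   # constructed
    "Possible_Sample-1",                 # constructed
    "W32/Sample.A",                      # constructed, should match nothing
]


def forging_fragments(cfg_text):
    """Return the FORGINGVIRUS values in file order; other directives are ignored."""
    frags = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "FORGINGVIRUS":
            frags.append(parts[1].strip())
    return frags


def covered_by(frags):
    """Map each entry to a shorter entry it contains.

    Under substring matching, anything the longer entry matches is already
    matched by the shorter one, so the longer entry is redundant.
    """
    result = {}
    for frag in frags:
        for other in frags:
            if len(other) < len(frag) and other.lower() in frag.lower():
                result[frag] = other
                break
    return result


def reach(names, frags):
    """For each entry, the reported names whose notifications it would suppress."""
    return {f: [n for n in names if f.lower() in n.lower()] for f in frags}


if __name__ == "__main__":
    frags = forging_fragments(SAMPLE_CFG)
    for longer, shorter in covered_by(frags).items():
        print(f"redundant: {longer!r} is already covered by {shorter!r}")
    for frag, names in reach(REPORTED_NAMES, frags).items():
        print(f"{frag!r} suppresses notifications for: {names}")
```

The `reach` output is the part to review before shortening an entry: a fragment such as `Possible_` also silences notifications for every other detection whose name contains it.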


RE: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

2006-10-02 Thread John T \(Lists\)









Matt, please keep us informed about this
bug. I thank you for your diligence.

 



John T

eServices For You

 

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, October 02, 2006 11:56 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

 

Here's an update about the attempted workaround. 
I added "SKIPIFEXT mismatched.exe" to my bannotify.eml and it didn't
prevent the bounce.  It would seem that while Declude is using the EXE
extension from mismatched.exe in determining the bannotify.eml action, it is
not using that file name in the variable that SKIPIFEXT is using.

It appears that there is no way to prevent the backscatter from this besides
maybe turning off bounces for EXE's (which may or may not work), turning off
all banned extension bouncing, or not blocking EXE's altogether.  This
definitely needs a solution since none of those options are acceptable nor is
the potential of bouncing so much E-mail.

I know that I can create something to delete these messages on my own system,
but I would still be vulnerable to other exploits by broken spamware, and of
course that's only me and this affects all Declude users that block EXE's and
use bannotify.eml to bounce.

Matt



Colbeck, Andrew wrote: 

.. I hope that Declude will agree with Matt's
point that backscatter must be avoided.  There is ample
precedent, for example in that the BOUNCE action was renamed to
BOUNCEONLYIFYOUMUST to prevent backscatter.

 

Andrew.

 



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, October 02, 2006 5:44 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam



Matt,





 





I agree with every one of your points - My intent was
to bring it up that I had reported this issue up a long time ago as I also
thought that what was happening was undesirable.  However, at the time
Scott did not feel this was a bug.  However, times change and back scatter
is a huge issue.  Maybe that's enough now to convince for an alteration of
behavior.  As my preference would be to handle mismatched exe's as its own
class of which I would not send bannotify messages for.





 





Darrell






Check out http://www.invariantsystems.com
for utilities for Declude And Imail.  IMail/Declude Overflow Queue
Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.







- Original Message -
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 8:24 PM
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam





 



Darrell,

I'm sure that it is desirable to block (when the detection isn't erroring),
however having this handled as if it was an EXE when it comes to the
bannotify.eml is problematic.  Backscatter can get you blacklisted, not to
mention it is annoying to get such things for forged E-mail.

I have Virus running after JunkMail and still I have bounced a dozen of these
today alone (which excludes messages that reached my DELETE weight).  For
those that run JunkMail before Virus (the default), that number could be in the
hundreds or thousands depending on volume since this comes from a major zombie
spammer.  I'm guessing that most are bouncing EXE's that aren't detected
as viruses.

To check this, just search your Virus log for "mismatched.exe".

The behavior needs to be changed so that this doesn't trigger bannotify.eml
bounces.  I am testing using "SKIPIFEXT mismatched.exe" in my
bannotify.eml to see if that helps, but this should not bounce such messages by
default as if they were EXE's.  It makes sense to give it a unique
extension for these conditions and let us determine what to do with them
instead of lumping it together with actions for EXE's.

Matt



Darrell ([EMAIL PROTECTED])
wrote: 



I brought this up to Scott several years ago - and he
said this is not a bug but a by design issue. He explained a scenario why
this was important and I understood based on the explanation but for the life of
me I can't remember the scenario.






Darrell





 






Check out http://www.invariantsystems.com
for utilities for Declude And Imail.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.







- Original Message -
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam





 



I just found this bug.  Essentially, if the MIME
headers for an attachment are mismatched, Declude "assumes" that it
is an EXE for virus scanning purpos

RE: [Declude.Virus] New feature needed

2006-08-11 Thread John T \(Lists\)
Sorry, forgot to make an all inclusive list:

To my knowledge, there is no BounceNotify.eml.

JunkMail uses the following eml files ONLY:
SpamAttach.eml

Confirm uses the following eml file ONLY:
Confirm.eml

When EVA finds a vulnerability (list in the EVA manual further down from the
allow section) it uses the following file ONLY:
Vulnerability.eml

When EVA finds a banned attachment and the associated email is not found to
be virus laden or contain a vulnerability, EVA will use the following file
ONLY:
BanNotify.eml

ANY OTHER eml file contained in the \declude directory will be used by EVA
when a virus is found according to parameters within each file. So, if you
have 50 eml files aside from the above specifically mentioned 4, EVA will
try to use all 50 when it finds a virus.

The reason for this along with the original 4 other eml files normally found
(postmaster.eml, otherpostmaster.eml, sender.eml and recipient.eml) was so
that an appropriately worded notice be sent to each respective party as
desired. However, that also allows for plenty of customization. Example, I
have a client that the manager wants a copy of each notice sent. So I have
created 2 specific eml files for that client, one for if the infected email
is incoming and one for if the infected email is outgoing.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> Sent: Thursday, August 10, 2006 9:05 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New feature needed
> 
> But what defines a "vulnerability"?  Are you referring to the list of vulnerabilities
> associated with the ALLOWVULNERABILITY statement in the EVA manual?  I'm
> confused by the various .eml files Declude provides and how it decides to use them,
> whether EVA or Junkmail.  None of the .eml files that come with Declude have the
> name of a vulnerability.
> 
> Here is a list of the E-mail template files that came with the Declude 4.x installation
> and how I guess that they are used (since there doesn't seem to be some centralized
> description/list of what these files are and how they are used):
> 
> spamattach.eml - Used by Junkmail when ATTACH action is implemented.
> 
> postmaster.eml - Used by EVA to warn the postmaster of the local machine that a
> virus was detected.
> 
> BOUNCEnotify.eml - Used by EVA to warn the local sender that his (outgoing) E-mail
> attachment contained a banned extension.
> 
> BANnotify.eml - Used by EVA to warn the sender that his (incoming) E-mail
> attachment contained a banned extension.
> 
> otherpostmaster.eml - Used by EVA to warn the postmaster of a host that a virus
> came from his server (typically not used due to virus forging).
> 
> sender.eml - Used by EVA to warn the sender that an E-mail sent by him was
> detected as a virus (typically not used due to virus forging).
> 
> recip.eml - Used by EVA to warn the recipient that Declude detected a virus sent to
> him.
> 
> confirm.eml - Used by Declude Confirm
> (http://www.declude.com/Articles.asp?ID=127).  Is this a discontinued product?  If
> not, does it work with SmarterMail?
> 
> 
> So it seems that most of the files are used by EVA, one by Junkmail and one by
> Confirm.  Does that mean that Junkmail and Confirm only use their one specific .eml
> file and ignore all the others?  If I create a randomly named .eml file, will it only be
> used by EVA?
> 
> 
> 
>  Original Message 
> > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > Sent: Thursday, August 10, 2006 9:37 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New feature needed
> >
> > When a vulnerability is detected, it looks for vulnerability.eml only. When
> > a virus is detected, it uses any and all .eml files except for
> > vulnerability.eml.
> >
> > So yes, you could do that.
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> > > Sent: Thursday, August 10, 2006 4:43 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] New feature needed
> > >
> > > I was wondering if there might be a work-around for this.  Could a combination of
> > > multiple .eml files utilizing SKIPIFRECIP work?
> > >
> > > I guess the first question is what .eml files does Declude look for when it detects a
> > > virus?  Does EVA specifically look for a file named "recip.eml"?  Or

RE: [Declude.Virus] New feature needed

2006-08-10 Thread John T \(Lists\)
When a vulnerability is detected, it looks for vulnerability.eml only. When
a virus is detected, it uses any and all .eml files except for
vulnerability.eml. 

So yes, you could do that.

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> Sent: Thursday, August 10, 2006 4:43 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New feature needed
>
> I was wondering if there might be a work-around for this.  Could a combination of
> multiple .eml files utilizing SKIPIFRECIP work?
>
> I guess the first question is what .eml files does Declude look for when it detects a
> virus?  Does EVA specifically look for a file named "recip.eml"?  Or does it look at all
> the .eml files in the main Declude directory?
>
> Could you have two files, one called recip-en.eml (English) and one called recip-es.eml
> (Spanish), and then list in those files using SKIPIFRECIP all the domains that
> want the other language?
>
> Gary
>
>
>  Original Message 
> > From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> > Sent: Tuesday, June 20, 2006 3:57 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New feature needed
> >
> > Gary,
> >
> > I have not even thought of something like that (since all my customers
> > are English speaking) but you are absolutely right.
> >
> > So David will we be seeing this new feature next week? :)
> >
> > Goran Jovanovic
> > Omega Network Solutions
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> > > Sent: Tuesday, June 20, 2006 3:24 PM
> > > To: declude.virus@declude.com
> > > Subject: re: [Declude.Virus] New feature needed
> > >
> > > I asked about the possibility of per domain replies several months ago.  I
> > > would hope that it has already been placed on the wish list.
> > >
> > > It is especially useful when you have users speaking different languages
> > > and you want to have language specific messages linked to each domain.
> > >
> > > Gary
> > >
> > >
> > >  Original Message 
> > > > From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, June 20, 2006 2:30 PM
> > > > To: declude.virus@declude.com
> > > > Subject: [Declude.Virus] New feature needed
> > > >
> > > > Hi,
> > > >
> > > > I would like to suggest a new feature to be added to the virus
> > > > notification capabilities.
> > > >
> > > > Right now to notify a recipient that I stopped a virus I have a
> > > > recip.eml file in my main Declude directory. There is another
> > > > recip-vulnerability.eml file that is used if the "virus" is a
> > > > vulnerability. These two files are all or nothing files. Meaning that
> > > > all recipients for all the domains that I process are in the same file.
> > > >
> > > > I need to be able to specify a per domain recip.eml file. This way I can
> > > > tailor the notifications to each domain as appropriate. These files
> > > > should be in the domain subdirectory along with the $default$.junkfile
> > > > etc.
> > > >
> > > > I am faced with the challenge right now for a single domain to send all
> > > > virus notification to one person only or to stop all notifications to
> > > > that domain. To the best of my knowledge I cannot redirect all the
> > > > notifications to the one person for that domain and to the original
> > > > recipients for all the other domains.
> > > >
> > > > Another feature that should be added to the *.eml files is the ability
> > > > to do a BCC to a monitoring address. This is a good way to monitor what
> > > > is happening with banned files, viruses or whatever notification
> > > > processes we have setup.
> > > >
> > > > So can you please add this to the "to do" list
> > > >
> > > > Thank you
> > > >
> > > > Goran Jovanovic
> > > > Omega Network Solutions

[Declude.Virus] Virus in at HTA inside of ZIP seen

2006-07-24 Thread John T \(Lists\)
FYI

By banning potentially malicious extensions, including within zip files, I
caught an email with the FEEBS virus. Per VirusTotal, ClamAV, McCrappy, AVG,
F-Prot is not catching these.

John T
eServices For You

"Seek, and ye shall find!"






RE: [Declude.Virus] Declude error, not ClamAV error

2006-07-15 Thread John T \(Lists\)
My recommendation if not done already is to put the Virus log into debug
mode, wait until the error occurs, then zip the log and the D file for a
message in question and send to Declude support.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> Sent: Saturday, July 15, 2006 11:29 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Declude error, not ClamAV error
>
> Yes the command line works fine.  Nowhere in the output from the command line does
> it say anything about an attachment, nor do I see the "Attachment=[Unknown: Err]"
> statement.  That's why I believe it is something generated by Declude not by ClamAV.
>
>
>  Original Message 
> > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > Sent: Saturday, July 15, 2006 2:13 AM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> >
> > Have you tried running the command line by itself against a file in question
> > to see what the return code is?
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> > > Sent: Friday, July 14, 2006 7:08 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> > >
> > > I get the error no matter what the virus, Netsky, Bagle, Feebs, even when ClamAV
> > > detects a phishing attempt the error is there.
> > >
> > >
> > >  Original Message 
> > > > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > > > Sent: Friday, July 14, 2006 9:46 PM
> > > > To: declude.virus@declude.com
> > > > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> > > >
> > > > In other log lines Declude states it is an invalid/bogus pif file. That
> > > > might explain it.
> > > >
> > > > John T
> > > > eServices For You
> > > >
> > > > "Seek, and ye shall find!"
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> > > > > Sent: Friday, July 14, 2006 2:43 PM
> > > > > To: declude.virus@declude.com
> > > > > Subject: [Declude.Virus] Declude error, not ClamAV error
> > > > >
> > > > > Upon further research, the statement "Attachment=[Unknown: Err]" is generated by
> > > > > Declude, not ClamAV.  So does Declude have a problem with ClamAV?
> > > > >
> > > > >
> > > > >  Original Message 
> > > > > > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > > > > > Sent: Friday, July 14, 2006 1:32 PM
> > > > > > To: declude.virus@declude.com
> > > > > > Subject: [Declude.Virus] ClamAV error
> > > > > >
> > > > > > I recently installed ClamAv as my third scanner after AVG and F-Prot.  For some
> > > > > > reason it indicates an error related to the attachment when it detects a virus
> > > > > > (Attachment=[Unknown: Err]).  Here is an example from the Declude virus log file:
> > > > > >
> > > > > > 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> > > > > > 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
> > > > > > 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
> > > > > > 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> > > > > > 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> > > > > > 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> > > > > > 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
> > 

RE: [Declude.Virus] Declude error, not ClamAV error

2006-07-14 Thread John T \(Lists\)
Have you tried running the command line by itself against a file in question
to see what the return code is?

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> Sent: Friday, July 14, 2006 7:08 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Declude error, not ClamAV error
>
> I get the error no matter what the virus, Netsky, Bagle, Feebs, even when ClamAV
> detects a phishing attempt the error is there.
>
>
> ---- Original Message 
> > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > Sent: Friday, July 14, 2006 9:46 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> >
> > In other log lines Declude states it is an invalid/bogus pif file. That
> > might explain it.
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> > > Sent: Friday, July 14, 2006 2:43 PM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] Declude error, not ClamAV error
> > >
> > > Upon further research, the statement "Attachment=[Unknown: Err]" is generated by
> > > Declude, not ClamAV.  So does Declude have a problem with ClamAV?
> > >
> > >
> > >  Original Message 
> > > > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > > > Sent: Friday, July 14, 2006 1:32 PM
> > > > To: declude.virus@declude.com
> > > > Subject: [Declude.Virus] ClamAV error
> > > >
> > > > I recently installed ClamAv as my third scanner after AVG and F-Prot.  For some
> > > > reason it indicates an error related to the attachment when it detects a virus
> > > > (Attachment=[Unknown: Err]).  Here is an example from the Declude virus log file:
> > > >
> > > > 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> > > > 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
> > > > 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
> > > > 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> > > > 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> > > > 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> > > > 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
> > > > 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
> > > > 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
> > > > 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
> > > > 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
> > > > 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
> > > > 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
> > > > 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
> > > > 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
> > > >
> > > > It doesn't seem to matter what kind of virus is involved.  Even when it detects a
> > > > phishing attempt you still see the same error.
> > > >
> > > > Here is what I have in the virus.cfg:
> > > >
> > > > SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
> > > > VIRUSCODE2 1
> > > > REPORT2 FOUND
> > > >
> > > > Is anyone else experiencing this, or have any ideas?
> > > >
> > > > Thanks,
> > > >
> > > > Gary

RE: [Declude.Virus] Declude error, not ClamAV error

2006-07-14 Thread John T \(Lists\)
In other log lines Declude states it is an invalid/bogus pif file. That
might explain it.

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> Sent: Friday, July 14, 2006 2:43 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Declude error, not ClamAV error
>
> Upon further research, the statement "Attachment=[Unknown: Err]" is generated by
> Declude, not ClamAV.  So does Declude have a problem with ClamAV?
>
>
>  Original Message 
> > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > Sent: Friday, July 14, 2006 1:32 PM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] ClamAV error
> >
> > I recently installed ClamAv as my third scanner after AVG and F-Prot.  For some
> > reason it indicates an error related to the attachment when it detects a virus
> > (Attachment=[Unknown: Err]).  Here is an example from the Declude virus log file:
> >
> > 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> > 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
> > 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
> > 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> > 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> > 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> > 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
> > 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
> > 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
> > 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
> > 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
> > 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
> > 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
> > 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
> > 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
> >
> > It doesn't seem to matter what kind of virus is involved.  Even when it detects a
> > phishing attempt you still see the same error.
> >
> > Here is what I have in the virus.cfg:
> >
> > SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
> > VIRUSCODE2 1
> > REPORT2 FOUND
> >
> > Is anyone else experiencing this, or have any ideas?
> >
> > Thanks,
> >
> > Gary


[Declude.Virus] Odd lines in Declude Virus log.

2006-07-11 Thread John T \(Lists\)
Declude 4.2.12 for Imail 9.10 preview2 on Windows Server 2003

This is my new server currently being fully configured and tested before
going into production. I have one domain live on it right now, my personal
domain. 

I have uu files blocked in the virus.cfg file, so the following log lines
strike me as odd, especially since there was no attachment on this message.
Can someone explain what this means about the uu file?

07/11/2006 10:16:50.727 qdcfa012a008d.smd Vulnerability flags = 64
07/11/2006 10:16:50.727 qdcfa012a008d.smd uu file:  the wrong question. What's the first step to reinventing [S:\Spool\proc\work\Ddcfa012a008d.vir\1_1.]
07/11/2006 10:16:51.274 qdcfa012a008d.smd Virus scanner 1 reports exit code of 0
07/11/2006 10:16:51.274 qdcfa012a008d.smd Scanned: Virus Free [UU: 1 0][MIME: 2 17360]

John T
eServices For You

"Seek, and ye shall find!"






RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T \(Lists\)
Sure it is not some form of the Pebcak virus Andrew? 

Sorry, couldn't resist. I needed the laugh.

;-)>

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Wednesday, June 28, 2006 2:26 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> Importance: Low
> 
> I don't know where that ">" character in front of my From sentence came
> from.  The first character on that line should have been an "F".
> 
> It must be some kind of weird auto-quoting software; that character is
> not in the email that I sent.
> 
> Andrew 8)
> 





RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T \(Lists\)
Back to the matter indicated in the subject line, how are others dealing
with this?

Is F-Prot and AVG and others catching this now?

Which AV scanners are indeed catching it?

Now for the bigger question: How do we combat this and future such versions
without outright blocking of the file extension? We all know that relying
on users to not open attachments is problematic.

John T
eServices For You

"Seek, and ye shall find!"
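
One way to approach the gap this thread discusses (a BANNAME entry matches an attachment's own name but not a file inside a zip archive), shown as an added example that is not Declude code and not from any poster: a Python check that walks a message's attachments, opens zip archives, and compares every member name with a ban list. The ban lists, limits, function names and sample messages are constructed for illustration.

```python
import io
import re
import zipfile
import zlib
from email import message_from_bytes
from email.message import EmailMessage

# Constructed policy: the names come from the BANNAME lines quoted in the
# thread; the extension list and both limits are assumptions.
BANNED_NAMES = {"my_notebook.doc", "prices.zip"}
BANNED_EXTS = {".hta", ".pif"}
MAX_DEPTH = 3                        # archive levels that will be opened
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # largest nested zip that will be inflated


def check_name(path, findings):
    """Compare the last component of path with the ban lists, ignoring case."""
    base = re.split(r"[!/\\]", path)[-1].lower()
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if base in BANNED_NAMES:
        findings.append(("banned-name", path))
    elif ext in BANNED_EXTS:
        findings.append(("banned-ext", path))


def scan_zip(data, container, findings, depth=1):
    """Check every member name in a zip and descend into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A truncated or malformed archive is reported, not silently passed.
        findings.append(("unreadable-zip", container))
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = container + "!" + info.filename
            # Names sit in the central directory, so they can be checked
            # even when standard zip encryption hides the member's data.
            check_name(path, findings)
            if not info.filename.lower().endswith(".zip"):
                continue
            if info.flag_bits & 0x1:
                findings.append(("encrypted-nested-zip", path))
            elif depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                findings.append(("nested-zip-not-opened", path))
            else:
                try:
                    inner = zf.read(info)
                except (zipfile.BadZipFile, zlib.error):
                    findings.append(("unreadable-zip", path))
                    continue
                scan_zip(inner, path, findings, depth + 1)


def scan_message(raw):
    """Return (reason, path) findings for every attachment of a raw message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        check_name(name, findings)
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            scan_zip(payload, name, findings)
    return findings


def make_zip(members):
    """Build a zip in memory from {name: bytes} (used for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_message(filename, data):
    """Build a constructed sample message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(data, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "name inside zip": make_message(
            "offer.zip", make_zip({"My_Notebook.doc": b"constructed"})),
        "hta in nested zip": make_message(
            "docs.zip", make_zip({"inner.zip": make_zip({"a.hta": b"x"})})),
        "truncated zip": make_message("cut.zip", b"PK\x03\x04 truncated"),
        "clean": make_message("notes.zip", make_zip({"notes.txt": b"ok"})),
    }
    for label, raw in samples.items():
        print(label, "->", scan_message(raw))
```

Archives that cannot be opened, are nested past the limit, or contain an encrypted inner zip are returned as findings of their own, so the caller decides whether to hold such mail instead of treating it as clean.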





RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
> Gufler
> Sent: Tuesday, June 27, 2006 3:10 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> 
> As I know yes but
> 
> BANNAME my_notebook.doc
> 
> wouldn't work for files within zip-archives.
> 
> Markus
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of John T (Lists)
> > Sent: Tuesday, June 27, 2006 11:48 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New Virus: zipped word doc with
> > Macro-Virus
> >
> > Is the word document only named that?
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Markus Gufler
> > > Sent: Tuesday, June 27, 2006 11:32 AM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> > >
> > > Some of us have noted in the past two hours that messages with a
> > > zip-file as attachment have passed our virus filters
> > >
> > > It's a zip-file containing a MS Word Document named "my_notebook.doc"
> > >
> > > Most Virus-Scanners can't catch it. Virustotal has returned only two
> > > scanners with positive results
> > >
> > > Sophos has found "WM97/Kukudro-A"
> > > UNA has found a "Macro Virus"
> > >
> > > No other AV-Engine has caught the suspicious file.
> > >
> > > We've added the following lines to our virus.cfg in order to block as
> > > much as we can at the moment.
> > >
> > > BANNAME prices.zip
> > > BANNAME apple_prices.zip
> > > BANNAME sony_prices.zip
> > > BANNAME hp_prices.zip
> > > BANNAME dell_prices.zip
> > > BANNAME My_Notebook.doc
> > >
> > > Regards
> > > Markus


RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
> Gufler
> Sent: Tuesday, June 27, 2006 11:32 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> 
> Some of us have noted in the past two hours that messages with a zip-file as
> attachment have passed our virus filters
> 
> It's a zip-file containing a MS Word Document named "my_notebook.doc"
> 
> Most Virus-Scanners can't catch it. Virustotal has returned only two
> scanners with positive results
> 
> Sophos has found "WM97/Kukudro-A"
> UNA has found a "Macro Virus"
> 
> No other AV-Engine has caught the suspicious file.
> 
> We've added the following lines to our virus.cfg in order to block as much
> as we can at the moment.
> 
> BANNAME prices.zip
> BANNAME apple_prices.zip
> BANNAME sony_prices.zip
> BANNAME hp_prices.zip
> BANNAME dell_prices.zip
> BANNAME My_Notebook.doc
> 
> Regards
> Markus


[Declude.Virus] Kidala-A Virus

2006-05-08 Thread John T \(Lists\)
Wow, a busy little bugger isn't it?

http://www.sophos.com/virusinfo/analyses/w32kidalaa.html

W32/Kidala-A is a mass-mailing worm and IRC backdoor Trojan for the Windows
platform. 
W32/Kidala-A runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over the
computer via IRC channels. 
W32/Kidala-A spreads to other network computers by: 
- via file sharing on P2P networks
- copying itself to network shares protected by weak passwords
- exploiting common buffer overflow vulnerabilities, including: LSASS
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), MSSQL
(MS02-039) (CAN-2002-0649) and Realcast
- sending itself to instant messenger contacts in MSN Messenger, Yahoo
instant Messenger and AOL Instant Messenger.
- to other network computers infected with: Troj/Kuang, Troj/Sub7,
W32/Sasser, Troj/NetDevil and Troj/Optix 
W32/Kidala-A includes functionality to:
- perform DDoS attacks
- setup a SOCKS4 server
- download code from the internet 


John T
eServices For You

"Seek, and ye shall find!"



RE: [Declude.Virus] Testing the Boards

2006-04-27 Thread John T \(Lists\)
PPPOONNGGG!

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
> Sent: Thursday, April 27, 2006 6:22 AM
> To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
> Subject: [Declude.Virus] Testing the Boards
> 
> PING

RE: [Declude.Virus] url file extensions

2006-04-11 Thread John T \(Lists\)
Yep, exactly what I meant. I ban them as
there is no way to scan them (Although Bill says ClamAV can do it) to know what
they are going to lead to.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 1:09 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] url file extensions

Hi John,

I was referring to file attachments that had a .url extension - I have that
extension banned in my virus.cfg and wondered why - 

-Nick

John T (Lists) wrote: 

> You nor I nor Declude nor any one knows where that leads too. You can not
> scan the destination for a url.
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
> > Sent: Tuesday, April 11, 2006 12:10 PM
> > To: Declude.Virus@declude.com
> > Subject: [Declude.Virus] url file extensions
> >
> > I been asked to remove the block I have on these - and since I have
> > forgotten why I am blocking them Is there a valid reason to block
> > these?
> >
> > Thanks in advance
> >
> > -Nick

RE: [Declude.Virus] url file extensions

2006-04-11 Thread John T \(Lists\)
You nor I nor Declude nor any one knows where that leads too. You can not
scan the destination for a url. 

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
> Sent: Tuesday, April 11, 2006 12:10 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] url file extensions
> 
> I been asked to remove the block I have on these - and since I have
> forgotten why I am blocking them Is there a valid reason to block
> these?
> 
> Thanks in advance
> 
> -Nick


RE: [Declude.Virus] Updates from Declude

2006-03-08 Thread John T \(Lists\)








Fine, make a guy feel guilty.

 

Ok, I am over it now. ;)

 

I’ll get to it tonight. 

 

I promise. 

 

I think. 

 

;-)>

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Wednesday, March 08, 2006 9:47 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

Is anyone else using confirm and can let me know if it is
working for you now or not?  I know John is busy and may not have had time
to try it yet and Declude is not responding.

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Monday, March 06, 2006 8:06 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

Sounds good John, was just curious if you were still seeing
the issue also.

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, March 03, 2006 5:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

No I have not tested lately. I have been
extremely busy this week. I will try on Saturday.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Friday, March 03, 2006 5:38 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

Barry,

Wasn’t the confirm issues supposed to be resolved in
this version?  I just tested it and it still does not subscribe the user
after they confirm by replying to the message?!?!

John, have you tried this yet with the same results?

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 02, 2006 5:04 PM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Updates from Declude

Product Naming

After considering all the choices we have decided to rename the new product
"Declude Security Suite". I will be notifying the winner(s) of the
competition shortly.

Declude Security Suite for IMail

We have now released additional versions of the software for different levels of
IMail and these can be found at http://www.declude.com//Purchase.asp?cat=13

As usual if anyone has questions please contact me and we will do our best to
answer.

Barry

[EMAIL PROTECTED]
Office: (978) 499-2933
Cell: (978) 853-9593





 














RE: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working

2006-03-08 Thread John T \(Lists\)
I will see if I can muster the time to test later tonight, probably late
tonight.

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of David Sullivan
> Sent: Wednesday, March 08, 2006 9:05 AM
> To: Declude.Virus@declude.com
> Subject: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working
> 
> I'm feeling lonely here...like I'm talking to myself...
> 
> Could someone PLEASE check the %RECIPHOST% and %REMOTEHOST% variables in
> your email notification on 3.0.6 just to make sure it's not me for some
> reason.
> 
> You don't have to mess with your active notifications. Just put
> another .eml file in the Declude folder with these two variables.
> 
> Thanks.
> 
> -David
> 
> 
> Thursday, March 2, 2006, 12:10:55 PM, you wrote:
> 
> DS> Ok, no one else has so I'll respond to my own post. 3.06 and still no
> DS> change. Can someone try a notification with the %RECIPHOST% and
> DS> %REMOTEHOST% variables and see if they work?
> 
> DS> Thanks
> 
> DS> -David
> 
> DS> Friday, February 24, 2006, 2:39:34 PM, you wrote:
> 
> DS>> Has anyone else had trouble with the RECIPIENT HOST and REMOTE HOST
> DS>> NAME variables in your virus notification email since going to 3.x? We
> DS>> send all data to a program alias for notification processing, but
> DS>> since December now we can't get the RECIPIENT HOST data.
> 
> DS>> Below is our notify email file and below that is a slightly munged
> DS>> example of the output. Notice lines 11 and 12 in the output. This
> DS>> behavior is persistent and used to work before upgrading.
> DS>> Anyone else experiencing this?
> 
> 
> DS>> From: [EMAIL PROTECTED]
> DS>> To: [EMAIL PROTECTED]
> DS>> Subject: Virus Notification
> 
> DS>> 1 ALLRECIPS: %ALLRECIPS%
> DS>> 2 BANNED EXTENSION: %BANEXT%
> DS>> 3 DATE (mm/dd/yyy): %DATE%
> DS>> 4 HEADERS: %HEADERS%
> DS>> 5 INOROUT: %INOROUT%
> DS>> 6 LOCALHOST: %LOCALHOST%
> DS>> 7 MAILFROM: %MAILFROM%
> DS>> 8 MESSAGE ID: %MSGID%
> DS>> 9 NUMBER OF RECIPIENTS: %NRECIPS%
> DS>> 10 QUEUE FILE NAME: %QUEUENAME%
> DS>> 11 RECIPIENT HOST: %RECIPHOST%
> DS>> 12 REMOTE HOST NAME: %REMOTEHOST%
> DS>> 13 REMOTE IP: %REMOTEIP%
> DS>> 14 SENDER HOST: %SENDERHOST%
> DS>> 15 SUBJECT: %SUBJECT%
> DS>> 16 CURRENT TIME (hh/mm/ss): %TIME%
> DS>> 17 VIRUS FILE: %VIRUSFILE%
> DS>> 18 VIRUS NAME: %VIRUSNAME%
> DS>> 19 SOFTWARE VERSION: %VERSION%
> 
> 
> 
> 
> DS>> 1 ALLRECIPS: [EMAIL PROTECTED]
> DS>> 2 BANNED EXTENSION:
> DS>> 3 DATE (mm/dd/yyy): 24 Feb 2006
> DS>> 4 HEADERS: Received: from mx1.ourpostfixserver.com [192.168.200.60] by
> DS>> mail5.ourimailserver.com with ESMTP
> DS>>   (SMTPD32-8.15) id A5ADFD770080; Fri, 24 Feb 2006 12:43:09 -0500
> DS>> Received: from localhost (adsl-146-64-253.mia.bellsouth.net [70.146.64.253])
> DS>> by mx1.ourpostfixserver.com (Postfix) with SMTP id 4150B1464ED
> DS>> for <[EMAIL PROTECTED]>; Fri, 24 Feb 2006 12:45:43 + (GMT)
> DS>> Message-ID: <[EMAIL PROTECTED]>
> DS>> From: "Jay Ross" <[EMAIL PROTECTED]>
> DS>> To: <[EMAIL PROTECTED]>
> DS>> Subject: Software At Low Pr1ce
> DS>> Date: Fri, 24 Feb 2006 12:42:58 -0500
> DS>> MIME-Version: 1.0
> DS>> Content-Type: multipart/alternative;
> DS>> boundary="=_NextPart_000_0001_01C63993.BFF33280"
> DS>> X-Priority: 3
> DS>> X-MSMail-Priority: Normal
> DS>> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
> DS>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> DS>> 5 INOROUT: outgoing
> DS>> 6 LOCALHOST: mail5.ourimailserver.com
> DS>> 7 MAILFROM: [EMAIL PROTECTED]
> DS>> 8 MESSAGE ID: <[EMAIL PROTECTED]>
> DS>> 9 NUMBER OF RECIPIENTS: 1
> DS>> 10 QUEUE FILE NAME: D45adfd7700801edf.smd
> DS>> 11 RECIPIENT HOST:
> DS>> 12 REMOTE HOST NAME:
> DS>> 13 REMOTE IP: 192.168.200.60
> DS>> 14 SENDER HOST: bellamorris.com
> DS>> 15 SUBJECT: Software At Low Pr1ce
> DS>> 16 CURRENT TIME (hh/mm/ss): 12:43:27
> DS>> 17 VIRUS FILE: [No attachment]
> DS>> 18 VIRUS NAME: [Outlook 'Blank Folding' Vulnerability]
> DS>> 19 SOFTWARE VERSION: 3.0.5.26
> 
> 
> 
> 


RE: [Declude.Virus] Updates from Declude

2006-03-03 Thread John T \(Lists\)








No I have not tested lately. I have been
extremely busy this week. I will try on Saturday.

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Friday, March 03, 2006 5:38 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Updates from Declude

Barry,

Wasn’t the confirm issues supposed to be resolved in
this version?  I just tested it and it still does not subscribe the user after
they confirm by replying to the message?!?!

John, have you tried this yet with the same results?

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 02, 2006 5:04 PM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Updates from Declude

Product Naming

After considering all the choices we have decided to rename the new product
"Declude Security Suite". I will be notifying the winner(s) of the
competition shortly.

Declude Security Suite for IMail

We have now released additional versions of the software for different levels of IMail
and these can be found at http://www.declude.com//Purchase.asp?cat=13

As usual if anyone has questions please contact me and we will do our best to
answer.

Barry

[EMAIL PROTECTED]
Office: (978) 499-2933
Cell: (978) 853-9593





 












RE: [Declude.Virus] New Virus?

2006-02-25 Thread John T \(Lists\)
Upon further investigation and uploading to VirusTotal, these are a group
that came in from one IP that had corrupted/incomplete file attachments and
were non-viable Kasper viruses.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of John T (Lists)
> Sent: Saturday, February 25, 2006 9:04 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] New Virus?
> 
> Seeing HQX, BHX and UUEs being blocked this morning.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
> 
> ---
> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
> 


[Declude.Virus] New Virus?

2006-02-25 Thread John T \(Lists\)
Seeing HQX, BHX and UUEs being blocked this morning.

John T
eServices For You

"Seek, and ye shall find!"





RE: [Declude.Virus] Encoded viruses...worried

2006-02-16 Thread John T \(Lists\)









I have been blocking them for about 2
weeks now and the only legit one caught was a file sent to a MAC user. They
followed the instructions in my policy and resent it without problem.

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Thursday, February 16, 2006 12:26 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

 



I'm curious. Are people banning BHX, HQX,
UUE, UU, and MIM since the Kapser/Blackmal.E/MyWife.d virus hit? If so have you
seen any negative effects from doing this. I'm thinking of blocking them as
well.





 



Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 7:37 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Matt, are you saying the attachment as
Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so,
what harm would be in blocking those for now?

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 31, 2006 4:50 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Encoded viruses...worried

 

Someone just reported to me that MyWife.d
(McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month
payload that will overwrite a bunch of files.  It's really nasty. 
More can be found at these links:

    http://isc.sans.org/diary.php?storyid=1067
    http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo!
Groups.  The problem is that it often sent encoded attachments in BinHex
(BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not
sure that Declude is decoding all of these to see what is inside.  For
instance, I found that some BHX files that clearly contained an executable
payload, showed up in my Virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

There was no mention about the payload inside of it,
and there almost definitely was.  The same attachment name with the same
length was repeatedly detected as a virus later on that day.  This likely
was a PIF file inside, though it could also have been a JPG according to the notes
on this virus.  I, like most of us here, don't allow PIF's to be sent
through our system, but when the PIF is encoded in at least BinHex format, it
gets past this type of protection.

Here's the conundrum.  This mechanism could be exploited just like the Zip
files were by the Sober writers and continually seeded, but instead of
requiring some of us to at least temporarily block Zips with executables
inside, an outbreak of continually seeded variants with executables within one
of these standard encoding mechanisms would cause us to have to block all such
encodings.  I therefore think it would be prudent for Declude to support
banned extensions within any of these encoding mechanisms if it doesn't
already.  I readily admit that this could be a lot of work, but it could
be very bad if this mechanism becomes more common.  This particular virus
is so destructive that a single copy could cause severe damage to one's
enterprise.  I cross my fingers hoping that none of this would be
necessary, but that's not enough to be safe.

Matt
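
Added example, not code from any poster in this thread or from Declude: one way to do the check Matt asks for, reading the inner file name out of a uuencode or BinHex 4.0 wrapper and testing it against a banned-extension list. The ban list, the function names and the sample messages are assumptions constructed for the example; the BinHex sample has empty forks and zeroed CRCs, which this name-only check does not verify.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

BANNED_EXTS = {".pif", ".exe", ".scr", ".com"}  # assumed ban list for the example
HQX_ALPHABET = "!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
HQX_BANNER = "(This file must be converted with BinHex"
UU_BEGIN = re.compile(r"^begin(?:-base64)? [0-7]{3,4} (.+)$", re.MULTILINE)


def binhex_inner_name(text):
    """Return the file name stored in a BinHex 4.0 header, or None."""
    banner = text.find(HQX_BANNER)
    start = text.find(":", banner) + 1 if banner != -1 else 0
    if start == 0:
        return None
    # Header is at most 1 + 63 name bytes; 128 symbols bound the work on hostile input.
    raw, bits, nbits = bytearray(), 0, 0
    for ch in text[start:start + 128]:
        if ch == ":":
            break
        if ch in "\r\n":
            continue
        val = HQX_ALPHABET.find(ch)
        if val < 0:
            return None
        bits, nbits = (bits << 6) | val, nbits + 6
        if nbits >= 8:
            nbits -= 8
            raw.append(bits >> nbits)
            bits &= (1 << nbits) - 1
    # Undo run-length coding: 0x90 n repeats the previous byte, 0x90 0x00 is a literal 0x90.
    out, it = bytearray(), iter(raw)
    for b in it:
        if b != 0x90:
            out.append(b)
            continue
        count = next(it, 0)
        if count == 0:
            out.append(0x90)
        elif out:
            out.extend(out[-1:] * (count - 1))
    if not out or not 1 <= out[0] <= 63 or len(out) <= out[0]:
        return None
    return out[1:1 + out[0]].decode("mac_roman", "replace")


def inner_names(payload):
    """File names announced inside a uuencode or BinHex wrapper."""
    text = payload.decode("latin-1")
    hqx_name = binhex_inner_name(text)
    return [n.strip() for n in UU_BEGIN.findall(text)] + ([hqx_name] if hqx_name else [])


def is_banned(name, banned=BANNED_EXTS):
    # Windows ignores trailing dots and spaces, so "x.pif." is still x.pif.
    return os.path.splitext(name.rstrip(" ."))[1].lower() in banned


def scan_message(raw_message):
    """Return (attachment name, inner name) pairs whose inner name is banned."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        outer = part.get_filename()
        if part.is_multipart() or not outer:
            continue
        payload = part.get_payload(decode=True) or b""
        hits += [(outer, n) for n in inner_names(payload) if is_banned(n)]
    return hits


def make_binhex(inner_name):
    """Constructed sample: BinHex 4.0 text, empty forks, zeroed CRCs."""
    stream = (bytes([len(inner_name)]) + inner_name.encode("ascii") + b"\0"
              + b"????????" + bytes(2 + 4 + 4 + 2) + bytes(4))
    bits = "".join(f"{b:08b}" for b in stream)
    bits += "0" * (-len(bits) % 6)
    body = "".join(HQX_ALPHABET[int(bits[i:i + 6], 2)]
                   for i in range(0, len(bits), 6))
    return (HQX_BANNER + " 4.0)\n:" + body + ":\n").encode("ascii")


def make_message(attachment_name, payload):
    """Constructed sample: a message carrying payload as a base64 attachment."""
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    wrapped = make_message("Attachments001.BHX", make_binhex("photo.pif"))
    for outer, inner in scan_message(wrapped):
        print(f"{outer}: banned inner file {inner}")
```

The outer name ends in .BHX, so an extension ban on PIF never sees it; only the name recovered from the wrapper header does.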














RE: [Declude.Virus] Encoded viruses...worried

2006-02-01 Thread John T \(Lists\)
l extant.

 

Blocking messages containing those
attachment formats may be reasonable for you if you're doing postmaster alerts
and can check whether you've found false positives.

 

Like Matt, I'm somewhat worried that this
technique will become as common a nuisance as encrypted zips.  Until
recently, I've put my faith in the combination of Declude unpacking the
attachments (I've assumed MIME encoding only) and F-Prot's packed and server
options to otherwise do message decoding before virus scanning.

 

I've been watching for copies of Blackworm
that might be caught on my system so that I check if Declude+F-Prot would catch
these other packing formats, but no luck so far (or rather, I've had the good
luck to receive so few copies in so few formats).

 

Andrew 8)

 



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:44 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Actually, I am already blocking hqz and
uue so I went and added the others and will see what happens.

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:37 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

 

Matt, are you saying the attachment as
Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so,
what harm would be in blocking those for now?

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Tuesday, January 31, 2006 4:50 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Encoded viruses...worried

 

Someone just reported to me that MyWife.d
(McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month
payload that will overwrite a bunch of files.  It's really nasty. 
More can be found at these links:

    http://isc.sans.org/diary.php?storyid=1067
    http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo!
Groups.  The problem is that it often sent encoded attachments in BinHex
(BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not
sure that Declude is decoding all of these to see what is inside.  For
instance, I found that some BHX files that clearly contained an executable
payload, showed up in my Virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

There was no mention about the payload inside of it,
and there almost definitely was.  The same attachment name with the same
length was repeatedly detected as a virus later on that day.  This likely
was a PIF file inside, though it could also have been a JPG according to the notes
on this virus.  I, like most of us here, don't allow PIF's to be sent
through our system, but when the PIF is encoded in at least BinHex format, it
gets past this type of protection.

Here's the conundrum.  This mechanism could be exploited just like the Zip
files were by the Sober writers and continually seeded, but instead of
requiring some of us to at least temporarily block Zips with executables
inside, an outbreak of continually seeded variants with executables within one
of these standard encoding mechanisms would cause us to have to block all such
encodings.  I therefore think it would be prudent for Declude to support
banned extensions within any of these encoding mechanisms if it doesn't
already.  I readily admit that this could be a lot of work, but it could
be very bad if this mechanism becomes more common.  This particular virus
is so destructive that a single copy could cause severe damage to one's
enterprise.  I cross my fingers hoping that none of this would be
necessary, but that's not enough to be safe.

Matt




















RE: [Declude.Virus] Encoded viruses...worried

2006-02-01 Thread John T \(Lists\)









Andrew, the output ended up being 255 characters
long and then wrapping.

 

How do I do this so each find is on a separate
line for reading?

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, January 31, 2006 6:35 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

 

On the plus side, there are mitigating
circumstances...

 

First, let me point out that although the
antivirus companies will lag behind the virus authors, the antivirus guys
aren't sleeping.

 

For many years, the bad guys have been
using encoding methods and 3rd party applications to obfuscate their software
as a cheaper alternative on their time than writing polymorphic code whose very
technique gave them away.

 

PKLite was probably the first 3rd party
tool used.  I've recently seen PAK, UPX and FSG... all three of which were
caught by F-Prot because the antivirus guys simply make signatures for the
binary itself, and don't bother including unpacking methods for all possible
compression/encryption methods.  This explains why we have relatively few
upgrades on the engines themselves.

 

The F-Prot documentation mentions (I
think) only zip decoding, but we know that it certainly does UPX and RAR
decoding based on issues that have been raised with each (for the former,
pathetic speed and the former, a buffer overflow).

 

If you want to see what your virMMDD.log
might reveal about this latest malware this month and what attachments you're
seeing anyway, try this:

 

egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log

 

(if you don't want the filename, stick a
-h parameter and a space before that first quotation mark)

 

By doing this, against my virMMDD.log I
just discovered that F-Prot decodes BHX and HQX attachments too.

 

By doing something similar against my
nightly virus-scan-the-spam-folder logs I also discovered that I have zero
non-viral messages using the unconventional attachment formats in the last two
months.  You can take that as an indication that it's okay to ban those
formats if you wish, but I'll warn that I have a pretty homogeneous Windows
user base.

 

 and that's a wrap for
tonight.

 

Andrew 8)

 

 



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, January 31, 2006 6:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

John, the other formats are common (or,
were common) on Macintosh and Unix based systems for binary attachments and for
attached messages.  Eudora for Windows used to expose several of these
formats for message construction.

 

They've fallen into disuse in favour of
MIME attachments, but they are still extant.

 

Blocking messages containing those
attachment formats may be reasonable for you if you're doing postmaster alerts
and can check whether you've found false positives.

 

Like Matt, I'm somewhat worried that this
technique will become as common a nuisance as encrypted zips.  Until
recently, I've put my faith in the combination of Declude unpacking the
attachments (I've assumed MIME encoding only) and F-Prot's packed and server
options to otherwise do message decoding before virus scanning.

 

I've been watching for copies of Blackworm
that might be caught on my system so that I check if Declude+F-Prot would catch
these other packing formats, but no luck so far (or rather, I've had the good
luck to receive so few copies in so few formats).

 

Andrew 8)

 



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:44 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Actually, I am already blocking hqz and
uue so I went and added the others and will see what happens.

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:37 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

 

Matt, are you saying the attachment as
Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so,
what harm would be in blocking those for now?

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 31, 2006 4:50 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Encoded viruses...worried

 

Someone just reported to me that MyWife.d (McAfee)/Kapser.A
(F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will
overwrite a bu
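
Added example, not from any poster in this thread: Andrew's egrep scan redone in Python so that each attachment entry is reported on one line even when the log line has been wrapped, and so that only the attachment's own extension is matched. The log layout follows the lines quoted in the thread; the function names are hypothetical and every sample entry after the first two is constructed.

```python
import re
from collections import Counter

WRAPPER_EXTS = (".bhx", ".hqx", ".b64", ".uu", ".uue", ".mim", ".mme")
EGREP_PATTERN = re.compile(r"\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME")  # as posted
STAMP = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
ENTRY = re.compile(
    r"(?P<when>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?) (?P<queue>\S+) "
    r"MIME file: (?:\[(?P<ctype>[^\]]+)\]|(?P<name>.+?) )"
    r"\[(?P<enc>[^;\]]+); Length=(?P<length>\d+) Checksum=(?P<checksum>\d+)\]$"
)

# The first two entries are the ones quoted in the thread, the second wrapped
# across two lines as happens when log lines are pasted into mail.
# Every later line is constructed for this example.
SAMPLE_LOG = """\
01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64;
Length=134042 Checksum=8624521]
01/16/2006 09:12:03 Q0000000000000001 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/16/2006 09:15:40 Q0000000000000002 MIME file: report.zip [base64; Length=20480 Checksum=1234567]
01/17/2006 11:02:10.125 q0000000000000003.smd MIME file: Photos.UUE [7bit; Length=9000 Checksum=7654321]
01/17/2006 11:05:00 Q0000000000000004 MIME file: NOTES.UUID.TXT [7bit; Length=100 Checksum=1]
01/17/2006 11:05:01 Q0000000000000004 Scanned: Virus Free [MIME: 2 500]
"""


def parse_entries(log_text):
    """Rejoin wrapped lines, then return one dict per 'MIME file:' entry."""
    logical = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not logical:
            logical.append(line)
        else:
            logical[-1] += " " + line  # continuation of a wrapped entry
    entries = []
    for line in logical:
        m = ENTRY.match(line)
        if m:
            entry = m.groupdict()
            entry["length"] = int(entry["length"])
            entries.append(entry)
    return entries


def wrapper_hits(entries):
    """Entries whose attachment name ends in one of the wrapper extensions."""
    return [e for e in entries
            if e["name"] and e["name"].lower().endswith(WRAPPER_EXTS)]


def repeats(hits):
    """Same name and same length seen more than once, as Matt observed."""
    counts = Counter((h["name"].lower(), h["length"]) for h in hits)
    return {key: n for key, n in counts.items() if n > 1}


def report(hits):
    """One line per hit, ready to print or write to a file."""
    return [f'{h["when"]}  {h["queue"]}  {h["name"]}  {h["enc"]}  {h["length"]}'
            for h in hits]


def egrep_lines(log_text):
    """What the posted egrep pattern matches, physical line by physical line."""
    return [line for line in log_text.splitlines() if EGREP_PATTERN.search(line)]


if __name__ == "__main__":
    found = wrapper_hits(parse_entries(SAMPLE_LOG))
    print("\n".join(report(found)))
    print("repeated:", repeats(found))
    print("egrep would have matched", len(egrep_lines(SAMPLE_LOG)), "lines")
```

On the sample, the unanchored pattern also matches NOTES.UUID.TXT and loses the length of the wrapped entry, while the parser reports three wrapper attachments with their lengths.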

RE: [Declude.Virus] Encoded viruses...worried

2006-01-31 Thread John T \(Lists\)









Actually, I am already blocking hqz and
uue so I went and added the others and will see what happens.

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:37 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

 

Matt, are you saying the attachment as
Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so,
what harm would be in blocking those for now?

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 31, 2006 4:50 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Encoded viruses...worried

 

Someone just reported to me that MyWife.d
(McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month
payload that will overwrite a bunch of files.  It's really nasty. 
More can be found at these links:

    http://isc.sans.org/diary.php?storyid=1067
    http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo!
Groups.  The problem is that it often sent encoded attachments in BinHex
(BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not
sure that Declude is decoding all of these to see what is inside.  For instance,
I found that some BHX files that clearly contained an executable payload,
showed up in my Virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

There was no mention about the payload inside of it,
and there almost definitely was.  The same attachment name with the same
length was repeatedly detected as a virus later on that day.  This likely was
a PIF file inside, though it could also have been a JPG according to the notes on
this virus.  I, like most of us here, don't allow PIF's to be sent through
our system, but when the PIF is encoded in at least BinHex format, it gets past
this type of protection.

Here's the conundrum.  This mechanism could be exploited just like the Zip
files were by the Sober writers and continually seeded, but instead of
requiring some of us to at least temporarily block Zips with executables
inside, an outbreak of continually seeded variants with executables within one
of these standard encoding mechanisms would cause us to have to block all such
encodings.  I therefore think it would be prudent for Declude to support
banned extensions within any of these encoding mechanisms if it doesn't
already.  I readily admit that this could be a lot of work, but it could
be very bad if this mechanism becomes more common.  This particular virus
is so destructive that a single copy could cause severe damage to one's enterprise. 
I cross my fingers hoping that none of this would be necessary, but that's not
enough to be safe.

Matt












RE: [Declude.Virus] Encoded viruses...worried

2006-01-31 Thread John T \(Lists\)









Matt, are you saying the attachment as
Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so,
what harm would be in blocking those for now?

 



John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 31, 2006 4:50 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Encoded viruses...worried

 

Someone just reported to me that MyWife.d
(McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month
payload that will overwrite a bunch of files.  It's really nasty. 
More can be found at these links:

    http://isc.sans.org/diary.php?storyid=1067
    http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo!
Groups.  The problem is that it often sent encoded attachments in BinHex
(BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not
sure that Declude is decoding all of these to see what is inside.  For
instance, I found that some BHX files that clearly contained an executable
payload, showed up in my Virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

There was no mention about the payload inside of it,
and there almost definitely was.  The same attachment name with the same
length was repeatedly detected as a virus later on that day.  This likely
was a PIF file inside, though it could also have been a JPG according to the notes
on this virus.  I, like most of us here, don't allow PIF's to be sent
through our system, but when the PIF is encoded in at least BinHex format, it
gets past this type of protection.

Here's the conundrum.  This mechanism could be exploited just like the Zip
files were by the Sober writers and continually seeded, but instead of
requiring some of us to at least temporarily block Zips with executables
inside, an outbreak of continually seeded variants with executables within one
of these standard encoding mechanisms would cause us to have to block all such
encodings.  I therefore think it would be prudent for Declude to support
banned extensions within any of these encoding mechanisms if it doesn't
already.  I readily admit that this could be a lot of work, but it could
be very bad if this mechanism becomes more common.  This particular virus
is so destructive that a single copy could cause severe damage to one's
enterprise.  I cross my fingers hoping that none of this would be
necessary, but that's not enough to be safe.

Matt










RE: [Declude.Virus] F-Prot exit code 8 and body content

2006-01-31 Thread John T \(Lists\)
Markus, even though I know others have said they can not do this; I am
blocking any zip, including ezips that have an executable within them.

All of my clients know this and I have a published policy on it which
includes instructions on what to do if you must get these through.

As such, IMHO, this issue is fine. Others mileage may vary.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Tuesday, January 31, 2006 10:39 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
> 
> Matt, John,
> 
> F-Prot is not catching simple e-zips. I supposed it was the "password"
> string in the mailbody. Now after an additional test it turned out that
> F-Prot is exiting with code 8 if there is an attached e-zip containing .exe
> files. The mail-body seems not to interfere with F-prot's result.
> 
> This is a problem for those who need to allow any extensions in zip-files.
> 
> Maybe we can ask F-Prot if they can change the signatures to catch only exe
> in ezip's if they are larger than ...
> Usually legit ezip's should be much larger than 100 kByte.
> 
> I wouldn't remove exit code 8 from my configuration because most of the
> outbreaks in the last year were caught by this exit code before any
> AV-scanner has had updated signatures.
> 
> Markus
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Tuesday, January 31, 2006 7:17 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
> >
> > I am using viruscode 8 and it is not blocking password
> > protected zips. I think like Markus said it is looking for a
> > combination of a password protected zip, an executable and
> > the phrase he listed.
> >
> > Markus, did that attachment have an executable within the zip file?
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of Matt
> > > Sent: Tuesday, January 31, 2006 10:02 AM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
> > >
> > > Markus,
> > >
> > > I believe that this is something that several of us railed against and
> > > tried to get F-Prot to change.  Formerly no known viruses would be
> > > tagged with an exit code of 8, but then they suddenly started tagging
> > > some known viruses this way, essentially requiring us to add that code
> > > in for detection.  The downside of this is that this exit code also
> > > blocks things like encrypted zips.  It was a real shame.
> > >
> > > It's worth checking to see if F-Prot is tagging more recent known
> > > viruses with exit code 8 because if they are no longer doing this, I
> > > would assume that turning it off would be wise so long as you had two
> > > virus scanners running.
> > >
> > > Note that I'm not dismissing your primary intention of pointing out
> > > the FP issue with virus scanning and a way to deal with it.
> > >
> > > Matt
> > >
> > >
> > >
> > > Markus Gufler wrote:
> > >
> > > >Today I've had a message hold as false positive ("unknown virus" exit code
> > > >8)
> > > >
> > > >F-Prot seems to end with this exit code if there is attached a
> > > >password protected zip file and in the body is something like
> > > >
> > > >"password: ."
> > > >
> > > >This message was definitively no false positive and so I requeued it.
> > > >
> > > >I've noted it due the low number of postmaster virus warnings I
> > > >receive because they are sent to me only if the detected virus is not
> > > >a forging one.
> > > >Fortunately this legit message wasn't deleted from the virus folder between
> > > >thousands of unwanted netsky's and sober's.
> > > >
> > > >Markus
> > > >

RE: [Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread John T \(Lists\)
I am using viruscode 8 and it is not blocking password protected zips. I
think like Markus said it is looking for a combination of a password
protected zip, an executable and the phrase he listed.

Markus, did that attachment have an executable within the zip file?

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Matt
> Sent: Tuesday, January 31, 2006 10:02 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
> 
> Markus,
> 
> I believe that this is something that several of us railed against and
> tried to get F-Prot to change.  Formerly no known viruses would be
> tagged with an exit code of 8, but then they suddenly started tagging
> some known viruses this way, essentially requiring us to add that code
> in for detection.  The downside of this is that this exit code also
> blocks things like encrypted zips.  It was a real shame.
> 
> It's worth checking to see if F-Prot is tagging more recent known
> viruses with exit code 8 because if they are no longer doing this, I
> would assume that turning it off would be wise so long as you had two
> virus scanners running.
> 
> Note that I'm not dismissing your primary intention of pointing out the
> FP issue with virus scanning and a way to deal with it.
> 
> Matt
> 
> 
> 
> Markus Gufler wrote:
> 
> >Today I've had a message hold as false positive ("unknown virus" exit code
> >8)
> >
> >F-Prot seems to end with this exit code if there is attached a password
> >protected zip file and in the body is something like
> >
> >"password: ."
> >
> >This message was definitively no false positive and so I requeued it.
> >
> >I've noted it due the low number of postmaster virus warnings I receive
> >because they are sent to me only if the detected virus is not a forging one.
> >Fortunately this legit message wasn't deleted from the virus folder between
> >thousands of unwanted netsky's and sober's.
> >
> >Markus
> >


RE: [Declude.Virus] Virus Feebs variant warning

2006-01-25 Thread John T \(Lists\)









Why not catch it with less resources via banning hta files and BANZIPEXTS and
BANEZIPEXTS?

 



John T

eServices For You



 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Wednesday, January 25, 2006 4:56 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Virus Feebs variant warning

 

I just got a message from a gmail account (forged)
with a data.zip attached. It has a hta file inside.

Subject: Secure Mail
The body says

ID: 46271
Password: zgbvndwdx

Message is attached.

Sincerely,
Protected Mail System,
Gmail.com

Using virustotal.com it is only caught by very few companies.

This is a report processed by VirusTotal on 01/26/2006 at 01:38:32 (CET) after
scanning the file "data.zip".


 
  
   
Antivirus           Version         Update      Result
AntiVir             6.33.0.77       01.25.2006  no virus found
Avast               4.6.695.0       01.25.2006  no virus found
AVG                 718             01.25.2006  Worm/Feebs
Avira               6.33.0.77       01.25.2006  no virus found
BitDefender         7.2             01.26.2006  no virus found
CAT-QuickHeal       8.00            01.25.2006  no virus found
ClamAV              devel-20051123  01.26.2006  no virus found
DrWeb               4.33            01.25.2006  Win32.HLLM.Graz
eTrust-InoculateIT  23.71.60        01.25.2006  no virus found
eTrust-Vet          12.4.2056       01.25.2006  Win32/Feeb!ZIP
Ewido               3.5             01.25.2006  no virus found
Fortinet            2.54.0.0        01.26.2006  JS/Feebs.fam-mm
F-Prot              3.16c           01.25.2006  no virus found
Ikarus              0.2.59.0        01.25.2006  no virus found
Kaspersky           4.0.2.24        01.25.2006  Worm.Win32.Feebs.gen
McAfee              4682            01.25.2006  no virus found
NOD32v2             1.1380          01.25.2006  JS/TrojanDownloader.Tivso.gen
Norman              5.70.10         01.25.2006  JS/[EMAIL PROTECTED]
Panda               9.0.0.4         01.25.2006  no virus found
Sophos              4.01.0          01.25.2006  no virus found
Symantec            8.0             01.26.2006  W32.Feebs
TheHacker           5.9.3.081       01.26.2006  no virus found
UNA                 1.83            01.25.2006  no virus found
VBA32               3.10.5          01.25.2006  no virus found
  
 


 

F-Prot, McAfee and ClamAV are not catching it.

Meanwhile I am banning it via the body of the email, catching
"Protected Mail System".

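The check this thread keeps returning to (BANZIPEXTS for plain zips, BANEZIPEXTS for encrypted ones) can be sketched in Python. This is an added example, not Declude's code and not part of any message here; the ban list, function names and sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Ban list for this example only: the three extensions named in the thread.
BANNED_EXTS = {".exe", ".hta", ".pps"}
ENCRYPTED = 0x0001  # general-purpose flag bit 0 in a ZIP header


def extension(name):
    """Lower-cased extension as Windows sees it (trailing dots/spaces dropped)."""
    return PureWindowsPath(name.rstrip(". ")).suffix.lower()


def scan_zip(data, ban_zip=True, ban_ezip=True):
    """Reasons to hold an archive, read from the central directory only.

    Classic ZIP encryption protects member contents, not member names, so the
    check also works when no password is available.
    """
    try:
        members = zipfile.ZipFile(io.BytesIO(data)).infolist()
    except zipfile.BadZipFile:
        # A truncated or damaged archive cannot be cleared, so hold it.
        return ["unreadable zip (held, fail closed)"]
    reasons = []
    for member in members:
        encrypted = bool(member.flag_bits & ENCRYPTED)
        ext = extension(member.filename)
        if ext in BANNED_EXTS and (ban_ezip if encrypted else ban_zip):
            kind = "encrypted zip" if encrypted else "zip"
            reasons.append(f"banned {ext} in {kind}: {member.filename!r}")
    return reasons


def scan_message(raw, ban_zip=True, ban_ezip=True):
    """Apply the ban list to every leaf MIME part of one raw message."""
    reasons = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if extension(name) in BANNED_EXTS:
            reasons.append(f"banned {extension(name)} attachment: {name!r}")
        elif payload.startswith(b"PK\x03\x04") or extension(name) == ".zip":
            # Sniff the magic bytes too: the declared name or type may lie.
            reasons += scan_zip(payload, ban_zip, ban_ezip)
    return reasons


def build_zip(names, encrypted=False):
    """Constructed sample archive. zipfile cannot write encrypted members, so
    the 'encrypted' variant only sets flag bit 0 in each header; the scanner
    reads names and flags, never contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=(2006, 1, 26, 0, 0, 0))
            zf.writestr(info, b"constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit 6 bytes into a local header, 8 bytes into a central one.
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + flag_offset] |= ENCRYPTED
                pos = data.find(signature, pos + 4)
    return bytes(data)


def build_message(zip_name, zip_bytes):
    """Constructed sample message carrying one zip attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "Secure Mail"
    msg.set_content("Password: (constructed)\n\nMessage is attached.")
    msg.add_attachment(zip_bytes, maintype="application",
                       subtype="x-zip-compressed", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "hta in plain zip": build_zip(["msg.hta"]),
        "exe in encrypted zip": build_zip(["docs/Setup.EXE "], encrypted=True),
        "text file only": build_zip(["notes.txt"]),
        "truncated archive": build_zip(["msg.hta"])[:40],
    }
    for label, archive in samples.items():
        verdict = scan_message(build_message("data.zip", archive))
        print(f"{label}: {verdict or 'deliver'}")
```

Member names are visible this way only with classic ZIP encryption; archives that also encrypt the file list need a separate policy.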
 










RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread John T \(Lists\)
As a workaround until and if Declude adds the requested feature, you could
write a script to search the files on a timed basis for a phrase (virus
name) and have it delete them.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Wednesday, January 25, 2006 3:27 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
> 
> 
> > But if we are cycling the held viruses on a x day basis, (my cycle is 5
> > days,) why would that be needed?
> 
> 5 days x 2 viruses x 2 (d & q-file) = 200k files
> Around 99% of these files contain the same 5 types of malware that are
> stored, moved and defragmented unnecessarily.
> 
> I asked only because as I understand it should be very easy and
> unproblematic to add such a feature.
> 
> Markus
> 


RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-25 Thread John T \(Lists\)
But if we are cycling the held viruses on a x day basis, (my cycle is 5
days,) why would that be needed?

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Wednesday, January 25, 2006 2:37 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME
> 
> Maybe someone has already requested it:
> 
> Why not allow commands like
> 
> DELETEVIRUSNAME Netsky
> DELETEVIRUSNAME Bagle
> ...
> 
> in the virus.cfg file?
> 
> I won't and can't delete all viruses on our server because there is always
> the possibility that a scanner is catching something as "suspicious" or
> "generic"
> 
> But commands to delete certain virusnames should be very easy to implement
> and allow us to eliminate > 95% of all held viruses on our servers.
> 
> Markus
> 


RE: [Declude.Virus] Another day, another Bagle

2006-01-25 Thread John T \(Lists\)
Just got this from Sophos:

http://www.sophos.com/virusinfo/analyses/trojbagledlbj.html

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Colbeck, Andrew
> Sent: Wednesday, January 25, 2006 10:14 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Another day, another Bagle
> 
> F-Secure reports in their blog that another round of Bagle is starting
> up.  No details yet.
> 
> 
> Andrew 8)
> 
> 
> 
> 
> 


RE: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?

2006-01-20 Thread John T \(Lists\)









Well, neither the HELO nor the IP received from looks to be anything from AOL.

 

I would say it is a virus.

 



John T

eServices For You



 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Thursday, January 19, 2006 11:51 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?

 

Hello,


I got a mail.zip from "AOL Encrypted Messaging Service", including a
.hta file with encrypted content. Doesn't look good to me :)

Has anyone else seen this mail?
Does anyone know DadaMail?

---

Received: from thbafiqcm.com [217.198.112.101] by siller.de with ESMTP
  (SMTPD-8.22) id A9DB33088; Thu, 19 Jan 2006 19:26:35 +0100
Date: Thu, 19 Jan 2006 19:28:38 +0100
From: [EMAIL PROTECTED]
X-Mailer: DadaMail 2.1
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Suspect Mail]Encrypted Message Service
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABCD6E90"
X-Antivirus: avast! (VPS 0603-3, 18.01.2006), Outbound message
X-Antivirus-Status: Clean
X-OriginalArrivalTime: 19 Jan 2006 18:36:26.0852 (UTC) FILETIME=[419F3240:01C61D27]

--ABCD6E90
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--ABCD6E90
Content-Type: application/x-zip-compressed; name="mail.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="mail.zip"

--ABCD6E90--

---


Alex











RE: [Declude.Virus] Sober.X Variant

2006-01-05 Thread John T \(Lists\)
Are you using the correct switches for F-Prot?

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of JT
> Sent: Thursday, January 05, 2006 12:49 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Sober.X Variant
> 
> Andrew,
> 
> I suspected that but we'll see my results. I did what John suggested and
> I also have ClamAV and F-Prot running simultaneously. Doing this has
> seemed to cut down the Sober.Xs completely but now I have a customer
> complaining that trojan.lodear and sober.l variant is getting through, I
> haven't investigated yet but I'll keep you posted.
> 
> JT
> 
> On Thu, 2006-01-05 at 11:31 -0800, Colbeck, Andrew wrote:
> > I just saw two today.  This may not be what you're seeing, JT, but here
> > goes:
> >
> > What I saw were two broken Sober.X messages that were bounced with the
> > original message (the viral message) truncated.  F-Prot didn't trigger
> > on the broken attachment and the bounce didn't trigger my custom filters
> > to weed out junk bounces.
> >
> > The messages made it into my internal mail system, where they were
> > caught by Trend Micro ScanMail for Exchange.  When I looked up the
> > details on the virus that was named, the alias matched the Symantec name
> > for the virus.
> >
> > Given that it was broken, I regard this as a spam issue, and not a case
> > of F-Prot failing to detect the damaged Sober virus.  If I can get the
> > original, I'll submit to F-Prot anyway in the hope that they will come
> > with a signature.
> >
> > Andrew 8)
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of JT
> > > Sent: Thursday, January 05, 2006 10:39 AM
> > > To: Declude.Virus@declude.com
> > > Subject: RE: [Declude.Virus] Sober.X Variant
> > >
> > > John,
> > >
> > > Thanks for the help!
> > >
> > > Regards,
> > > JT
> > >
> > > On Thu, 2006-01-05 at 09:31 -0800, John T (Lists) wrote:
> > > > Into the Virus.cfg file:
> > > >
> > > > BANEZIPEXTS ON
> > > > BANZIPEXTS  ON
> > > >
> > > > John T
> > > > eServices For You
> > > >
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > > On Behalf Of JT
> > > > > Sent: Thursday, January 05, 2006 9:20 AM
> > > > > To: Declude.Virus@declude.com
> > > > > Subject: RE: [Declude.Virus] Sober.X Variant
> > > > >
> > > > > John,
> > > > >
> > > > > What do I need to do to block banned extensions within zip files
> > > > >
> > > > > Thanks,
> > > > > JT
> > > > >
> > > > > On Thu, 2006-01-05 at 09:14 -0800, John T (Lists) wrote:
> > > > > > That means you are not blocking banned extensions within zip files?
> > > > > >
> > > > > > John T
> > > > > > eServices For You
> > > > > >
> > > > > >
> > > > > > > -Original Message-
> > > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > > > > On Behalf Of JT
> > > > > > > Sent: Thursday, January 05, 2006 8:45 AM
> > > > > > > To: Declude.Virus@declude.com
> > > > > > > Subject: RE: [Declude.Virus] Sober.X Variant
> > > > > > >
> > > > > > > What I am experiencing is that the server lets the virus go
> > > > > > > through the
> > > > > > > system. It scans and result is clean, the end user gets the
> > > > > > > email and their Symantec Enterprise snags it and tags it as
> > > > > > > [EMAIL PROTECTED]
> > > > > > >
> > > > > > > On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:
> > > > > > > > Is this what you are seeing?
> > > > > > > >
> > > > > > > > http://www.sophos.com/virusinfo/analyses/w32feebsa.html
> > > > > > > >
> > > > > > > > John T
> > > > > > > &g

RE: [Declude.Virus] Sober.X Variant

2006-01-05 Thread John T \(Lists\)
Into the Virus.cfg file:

BANEZIPEXTS ON
BANZIPEXTS  ON

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of JT
> Sent: Thursday, January 05, 2006 9:20 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Sober.X Variant
> 
> John,
> 
> What do I need to do to block banned extensions within zip files
> 
> Thanks,
> JT
> 
> On Thu, 2006-01-05 at 09:14 -0800, John T (Lists) wrote:
> > That means you are not blocking banned extensions within zip files?
> >
> > John T
> > eServices For You
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of JT
> > > Sent: Thursday, January 05, 2006 8:45 AM
> > > To: Declude.Virus@declude.com
> > > Subject: RE: [Declude.Virus] Sober.X Variant
> > >
> > > What I am experiencing is that the server lets the virus go through the
> > > system. It scans and result is clean, the end user gets the email and
> > > their Symantec Enterprise snags it and tags it as [EMAIL PROTECTED]
> > >
> > > On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:
> > > > Is this what you are seeing?
> > > >
> > > > http://www.sophos.com/virusinfo/analyses/w32feebsa.html
> > > >
> > > > John T
> > > > eServices For You
> > > >
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > > On Behalf Of JT
> > > > > Sent: Thursday, January 05, 2006 6:44 AM
> > > > > To: declude.virus@declude.com
> > > > > Subject: [Declude.Virus] Sober.X Variant
> > > > >
> > > > > Has anyone seen an influx of this virus come through? I've upgraded to
> > > > > the latest F-Prot and it seems like it still sneaking through. Although
> > > > > the Z variant is being stopped by F-prot. Any light that could be shed
> > > > > on this would be greatly appreciated.
> > > > >
> > > > > Also I've tried setting up ClamAV for Windows on our imail server as a
> > > > > scanner. I've got it to scan but it randomly generated an exit code of
> > > > > 50. Does anyone know what exit code 50 from ClamAV means?
> > > > >
> > > > > Thanks,
> > > > > JT
> > > > >


RE: [Declude.Virus] Sober.X Variant

2006-01-05 Thread John T \(Lists\)
That means you are not blocking banned extensions within zip files?

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of JT
> Sent: Thursday, January 05, 2006 8:45 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Sober.X Variant
> 
> What I am experiencing is that the server lets the virus go through the
> system. It scans and result is clean, the end user gets the email and
> their Symantec Enterprise snags it and tags it as [EMAIL PROTECTED]
> 
> On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:
> > Is this what you are seeing?
> >
> > http://www.sophos.com/virusinfo/analyses/w32feebsa.html
> >
> > John T
> > eServices For You
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of JT
> > > Sent: Thursday, January 05, 2006 6:44 AM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] Sober.X Variant
> > >
> > > Has anyone seen an influx of this virus come through? I've upgraded to
> > > the latest F-Prot and it seems like it still sneaking through. Although
> > > the Z variant is being stopped by F-prot. Any light that could be shed
> > > on this would be greatly appreciated.
> > >
> > > Also I've tried setting up ClamAV for Windows on our imail server as a
> > > scanner. I've got it to scan but it randomly generated an exit code of
> > > 50. Does anyone know what exit code 50 from ClamAV means?
> > >
> > > Thanks,
> > > JT
> > >


RE: [Declude.Virus] Sober.X Variant

2006-01-05 Thread John T \(Lists\)
Is this what you are seeing?

http://www.sophos.com/virusinfo/analyses/w32feebsa.html

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of JT
> Sent: Thursday, January 05, 2006 6:44 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Sober.X Variant
> 
> Has anyone seen an influx of this virus come through? I've upgraded to
> the latest F-Prot and it seems like it still sneaking through. Although
> the Z variant is being stopped by F-prot. Any light that could be shed
> on this would be greatly appreciated.
> 
> Also I've tried setting up ClamAV for Windows on our imail server as a
> scanner. I've got it to scan but it randomly generated an exit code of
> 50. Does anyone know what exit code 50 from ClamAV means?
> 
> Thanks,
> JT
> 


RE: [Declude.Virus] Declude with IMail 2006

2005-12-22 Thread John T \(Lists\)
What is sad is that the fix is very simple, as I have pointed out to Declude
exactly what the problem is. When the confirmation is received, Declude
Confirm is looking at the wrong location for the D or Q file. One of the
files gets properly renamed and moved, but the other does not.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Grant Griffith
> Sent: Thursday, December 22, 2005 9:38 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Declude with IMail 2006
> 
> That has been an issue with confirmation for some time.  I have been told
> multiple times that it would be fixed after Imail 2006 is released, but have
> never heard any more.  I am guessing they are just forgetting about it as it
> is a free product.  I hope it gets fixed soon though...
> 
> Thanks,
> Grant Griffith
> EI8HTLEGS, A Division of ETC
> (812)932-1000
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Donn Bly
> Sent: Thursday, December 22, 2005 10:22 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Declude with IMail 2006
> 
> Just in case anybody is interested, we upgraded to Imail 2006 last week, and
> we aren't having any problems using declude v3.0.5.22 with it EXCEPT that
> the confirm function for listserves doesn't seem to work right.  Declude
> intercepts the subscription and sends out the notification for the double
> opt-in, but doesn't seem to see replies when they come back.
> 
> Oh, and just in case you were thinking of upgrading to 2006 -- don't.
> Ipswitch released a patch for it today which they claim addresses some of
> the problems we're having, but our big webmail users have been screaming
> bloody murder ever since we upgraded.  I'll be putting in the upgrade on
> Monday and we'll see how much it fixes...


[Declude.Virus] Another round of Bagle?

2005-12-22 Thread John T \(Lists\)
Looks like another round of Bagle is starting?

John T
eServices For You





[Declude.Virus] Virus Feebsa

2005-12-19 Thread John T \(Lists\)
Great news, not. Anyone know if F-Prot or AVG or BitDefender is catching
this yet?

http://www.sophos.com/virusinfo/analyses/w32feebsa.html

John T
eServices For You





RE: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-15 Thread John T \(Lists\)
Uh, keyboard virus?

;)

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Thursday, December 15, 2005 7:53 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?
> 
> I tried www.totalvirus.com and it is an ad site.
> 
> Thank you
> 
> Goran Jovanovic
> Omega Network Solutions
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Markus Gufler
> > Sent: Thursday, December 15, 2005 10:45 AM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?
> >
> > www.virustotal.com (see my previous posting for results)
> >
> > At the moment I consider blocking at least temporarily exe in zips and
> > update the virus definitions
> >
> > Markus
> >
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> > > Sent: Thursday, December 15, 2005 4:26 PM
> > > To: Declude.Virus@declude.com
> > > Subject: [Declude.Virus] Where to send exe's to check if they
> > > are a virus?
> > >
> > > Hi,
> > >
> > > I am getting a bunch of exe in zip files being banned right
> > > now. I have grabbed one of them it is called marie.zip and
> > > has a single exe in it called s3700020.exe and when you put
> > > it on your desktop it has the standard jpeg icon associated with it.
> > >
> > > My F-Prot, McAfee and Symantec scanners are not finding a
> > > virus. Where is the place that you can send it to and have it
> > > checked out by a ton of virus scanners?
> > >
> > > Thanx
> > >
> > > Goran Jovanovic
> > > Omega Network Solutions


RE: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-15 Thread John T \(Lists\)
www.virustotal.com

This is a very small e-mail, the D file being only 11 kb.

Some of the small AV companies are reporting it as a Bagle variant and
F-Prot is reporting it as MitGlieder.GU although it is not catching it on
the server.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Thursday, December 15, 2005 7:26 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Where to send exe's to check if they are a virus?
> 
> Hi,
> 
> I am getting a bunch of exe in zip files being banned right now. I have
> grabbed one of them it is called marie.zip and has a single exe in it
> called s3700020.exe and when you put it on your desktop it has the
> standard jpeg icon associated with it.
> 
> My F-Prot, McAfee and Symantec scanners are not finding a virus. Where
> is the place that you can send it to and have it checked out by a ton of
> virus scanners?
> 
> Thanx
> 
> Goran Jovanovic
> Omega Network Solutions


RE: [Declude.Virus] Stranger...

2005-12-09 Thread John T \(Lists\)
I do not think this is either an Imail or Declude issue, rather a server
security issue, or rather a compromise of server security.

Sounds like you have some type of virus or Trojan on that server.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Thursday, December 08, 2005 9:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger...

Does anybody find the answer of this problem?
After 1.5 years, this problem still remains.
and IPSWITCH never gave me a clear answer about it.

----- Original Message -----
From: serge
To: Declude.Virus@declude.com
Sent: Tuesday, June 08, 2004 7:46 AM
Subject: Re: [Declude.Virus] Stranger...

i know imail1 is a command line mailer
but how do i find what is causing the imail 1 window to be open and filled
with all these addresses ?
see attached gif

----- Original Message -----
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 10:21 PM
Subject: Re: [Declude.Virus] Stranger...

Does this shed any light?

http://support.ipswitch.com/kb/IM-19980119-DD10.htm

Darin.

----- Original Message -----
From: Serge
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 3:55 PM
Subject: [Declude.Virus] Stranger...

hi all
urgent help needed
I have imail1 client window ("create mail message") pop up on my server
with all kind of real and strange addresses in the TO: and CC: Fields.
The windows remains open on the server desktop.
Is this a virus ? how can i identify the service/virus/application causing
this ?

TIA


RE: Re[2]: [Declude.Virus] how is Declude 3.x?

2005-11-25 Thread John T \(Lists\)
FYI, any server hardware that is not being used I disable. Removes items
from equations when trying to solve problems.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of sbsi lists
> Sent: Friday, November 25, 2005 11:25 AM
> To: Chris Ulrich
> Subject: Re[2]: [Declude.Virus] how is Declude 3.x?
> 
> Thank you Chris.
> 
> I just disabled it and will watch it.  It's been up now 4 hrs so if it
> follows any pattern, it should fail around now.
> 
> I  upgraded  the  drivers already as they were 2 yrs old so maybe that
> helps too.
> 
> much appreciated. -jason
> 
> - - - - - - - - - - - - - - - - - - >
> Friday, November 25, 2005, 1:15:47 PM, you wrote:
> 
> CU> It *shouldn't* be a problem, but having the 2nd NIC in the machine (we also
> CU> use Poweredge) and not having it plugged in can have an effect on things at
> CU> times.
> 
> CU> It isn't enough to leave it unplugged - go into Control Panel - Network,
> CU> select the second port, right click and DISABLE it.
> 
> CU> This actually addressed a few occasional funky network "lockups"
> 
> CU> - Chris
> 
> CU> At 09:26 AM 11/25/2005, you wrote:
> 
> >>I just moved colos and servers.
> >>
> >>On  the new(er) box, I installed Imail 8.21, Sniffer, Declude 3.0.5.20
> >>Pro-Virus/JM.
> >>
> >>Box   is  Dell  Poweredge  1750, Dual Proc Xeon 2.4 Ghz, 3x73Gb Raid5,
> >>Nics onboard (Broadcom Gigs, dual)
> >>
> >>So  far,  I like the newer Declude - we were using 1.82 on Imail 8.05.
> >>It was nice to get a clean start ...
> >>
> >>
> >>HOWEVER,  I am having problems after moving server into production and
> >>into  live performance.  The box seems to lose connectivity and I have
> >>to hard reboot it to get ability of the network to come back up.
> >>
> >>There's no messages in the EVENT VIEWER - nada.
> >>
> >>I  know  IMAIL  had  issues  a  long time ago with certain NICS - does
> >>anyone know the status of that?
> >>
> >>I  am thinking it has to be the NIC I am using - the onboard Broadcom.
> >>So, I updated the drivers to it and thinking that might help.
> >>
> >>If not, I'll try the 2nd onboard and hoping it will help.
> >>
> >>Next thing to try is IF I can get a nic in the box, I'll try that but
> >>unsure if I have room.
> >>
> >>Last will be putting new box in there and doing all this over again.
> >>
> >>
> >>I  don't  think  my  Declude  is causing it... anyone have thoughts on
> >>this.
> >>
> >>
> >>Thanks. -jason
> >>
> >>- - - - - - - - - - - - - - - - - - >
> >>Thursday, November 24, 2005, 12:24:22 PM, you wrote:
> >>
> >>IA> I just realized I hadn't seen any new versions of Declude in a while, and I
> >>IA> wonder if that means it's finally stable.  We wanted to upgrade to 3.x, but
> >>IA> it seems like there were so many errors being reported here, and new
> >>IA> iterations being released every few days.  We prefer to wait until the smoke
> >>IA> clears.  So what do people think now?  Is 3.x fully reliable now?
> >>
> >>IA> Thanks, and Happy Thanksgiving,
> >>


RE: [Declude.Virus] Another Sober out. (=> idea)

2005-11-25 Thread John T \(Lists\)
Well, I would say it is more like a restaurant but you can not get blow
fish, alcohol, cigarettes, 10 Lbs of greasy French fries, etc.

John T
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Friday, November 25, 2005 12:46 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Another Sober out. (=> idea)
> 
> 
> > I am scanning for viruses first. I block executables within
> > zips.
> 
> Yes I know you can do this.
> But on my systems banning exe in zips is like having a restaurant where
> people can eat but drinking is not allowed.
> 
> Markus
> 


RE: [Declude.Virus] Another Sober out. (=> idea)

2005-11-25 Thread John T \(Lists\)
Interesting thought.

However, on my system, that would not work. 

I am scanning for viruses first. I block executables within zips. So my
point of adding the BANNAME is so that the banned file notice that goes out
(until the AV scanners update their defs) does not just have the generic
banned file (ZIP-EXE).

John T
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Friday, November 25, 2005 12:21 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Another Sober out. (=> idea)
> 
> Thank you John but,
> 
> > BANNAME mailtext.zip
> 
> ...is this really the only name used by this variant?
> I'm feeling a little bit bad, while adding and adding BANNAMEs to the
> virus.cfg file.
> 
> First as said yesterday I feel there are many many BANNAME entries that are
> not more accurate or spreading in the wild and so unnecessary load in my
> and our config files.
> Second it's always the "two steps behind" if we have to adapt our config
> files manually after someone else has discovered a new variant.
> 
> Wouldn't it be possible to write a junkmail external test, or maybe also an
> "AV-Engine" that does nothing else than looking at a central database for
> filenames that are suspicious.
> 
> I'm not 100% familiar with the ip4r/rbl technique but why not set up a
> DNS-server containing TLD-zones like .zip .exe .com 
> Then some of us can act as operators and add additional zones like
> "mailtext"
> 
> Looking at the case two days ago that I reported with the new bagle variant
> it would also be possible to add something like
> 
> 1.exe.ester.zip
> 12.exe.ester.zip
> 1.exe.emanuel.zip
> ...
> 
> Or maybe also with wildcards like
> 
> *.exe.mailtext.zip
> 
> By having bitmasked result codes it would maybe also be possible to have
> entries like
> 
> *.exe*.zip
> 
> with a "suspicious" result code and other more concrete definitions with an
> "accurate" result code.
> 
> so admins can use it as they want.
> Our administrative work should decrease while new banname definitions will
> be available as soon as the first of the operators detects and adds it to
> the database.
> 
> +as having one (or more replicated) central points we should be able to
> notice a relatively high increase of requests for exe in zips and so know that
> something seems to be going on.
> 
> What do you think? My opinion is that last week av-companies showed that
> they are not able to provide accurate detection-quality.
> 
> Markus
> 

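A sketch of the lookup proposed in the quoted post, added here as an illustration; it is not code from the thread or from Declude. The bit values, the 127.0.0.x answer encoding and the "inner name, then zip name" query layout are assumptions. `dns_match` applies the standard DNS rule that a wildcard is only the whole leftmost label, which shows that `*.exe.mailtext.zip` can live in an ordinary zone while `*.exe*.zip` needs a responder that does its own pattern matching (`glob_match`).

```python
from fnmatch import fnmatchcase

# Result bits are assumptions; the post only names the two classes.
SUSPICIOUS = 0x01   # generic shape: some exe inside some zip
ACCURATE = 0x02     # a name reported for a specific outbreak

# Constructed zone built from the names quoted in the post.
ZONE = [
    ("*.exe*.zip", SUSPICIOUS),
    ("*.exe.mailtext.zip", ACCURATE),
    ("1.exe.ester.zip", ACCURATE),
    ("12.exe.ester.zip", ACCURATE),
    ("1.exe.emanuel.zip", ACCURATE),
]


def query_name(inner, outer):
    """Inner file name first, then the zip name, as in '1.exe.ester.zip'."""
    return f"{inner}.{outer}".lower()


def encodable(name):
    """DNS limits: every label 1..63 bytes, the whole name at most 253."""
    labels = name.split(".")
    return len(name.encode()) <= 253 and all(
        0 < len(label.encode()) <= 63 for label in labels
    )


def dns_match(qname, owner):
    """Simplified zone matching: '*' counts only as the whole leftmost label."""
    q, o = qname.lower().split("."), owner.lower().split(".")
    if o[0] != "*":
        return q == o
    suffix = o[1:]
    return len(q) > len(suffix) and q[len(q) - len(suffix):] == suffix


def glob_match(qname, owner):
    """What a custom responder could do: shell-style matching on the name."""
    return fnmatchcase(qname.lower(), owner.lower())


def lookup(inner, outer, matcher, zone=ZONE):
    """OR together the result bits of every zone entry that matches."""
    name = query_name(inner, outer)
    if not encodable(name):
        return 0  # such a name cannot be asked over DNS at all
    bits = 0
    for owner, flag in zone:
        if matcher(name, owner):
            bits |= flag
    return bits


def as_answer(bits):
    """ip4r-style reply: an address in 127.0.0.0/8 on a hit, None for no record."""
    return f"127.0.0.{bits}" if bits else None
```

An admin who only wants to act on outbreak-specific names would test the answer against `ACCURATE`; one who holds every exe-in-zip would test against `SUSPICIOUS`.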

[Declude.Virus] Another Sober out.

2005-11-24 Thread John T \(Lists\)
BANNAME mailtext.zip

The ones I saw were bounces, but they may be made to look like bounces.

Only Norman and Avast found it on VirusTotal as a Sober variant, and NOD32
suspects it is a variant.

John T
eServices For You





RE: [Declude.Virus] how is Declude 3.x?

2005-11-24 Thread John T \(Lists\)
P4 2 Ghz
1 GB memory
2 ATA 133 drives mirrored
3 SCSI 10K drives configured with 3 mirrored partitions

Windows 2000 Server fully patched
Imail 8.20 HF2
Declude 3.0.5.20
Declude JM Pro
Declude Virus Pro
Declude Hijack
F-Prot 32 bit
AVG
Kiwi Syslog

Volume of approx. 5K messages per day

Sniffer
SortMonster
AutoWhite for Declude
INV-URIBL
Approx. 35 filter tests
27 IP4R tests
12 RHSBL
17 Declude JM tests (REVDNS, HELO, PERCENT, ROUTING, SUBJECTCHARACHTERS,
SUBJECTSPACES, etc.)

No known issues with Declude 3.0.5.20

John T
eServices For You




RE: [Declude.Virus] blocking exe in zips

2005-11-24 Thread John T \(Lists\)
That would be nice. I wonder if it shows up in Debug mode.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of John Carter
> Sent: Thursday, November 24, 2005 8:34 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] blocking exe in zips
> 
> Maybe Declude could add a syntax checker (at least for their directives and keywords)
> in the diagnostics (decludeproc -v).  You get version info, tests run, and notes of
> possible syntax problems.??
> 
> John C
> 
> -- Original Message --
> From: "Bonno Bloksma" <[EMAIL PROTECTED]>
> Reply-To: Declude.Virus@declude.com
> Date:  Thu, 24 Nov 2005 17:01:55 +0100
> 
> >Hi John,
> >
> >
> >>> BANZIPEXT on
> >>> #BANEZIPEXT on
> >>
> >> Try "BANZIPEXTS ON" noting the s in there.
> >
> >Oops, thanks.
> >
> >Is there any syntax warning for stuff like this in Declude, in the logfiles
> >or using the Diag parameter? I could not find anything in my Declude vir
> >logfiles.
> >
> >Groetjes,
> >
> >
> >Bonno Bloksma
> >
> >


RE: [Declude.Virus] Blocking PIF Files

2005-11-24 Thread John T \(Lists\)
To add to Darin's list, I also block PPS files.

John T
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darin Cox
> Sent: Wednesday, November 23, 2005 7:00 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Blocking PIF Files
> 
> Here's a list compiled over the years of extensions we ban.  The top two you
> will want to consider your userbase before banning, the rest should be fine.
> Note that we couple this with a banned file notification to the intended
> recipient, which includes a link to requeue the file for delivery if it is
> legitimate.
> 
> 
> BANEXT  EZIP
> BANEXT  rar
> 
> BANEXT  bas
> BANEXT  bat
> BANEXT  ceo
> BANEXT  chm
> BANEXT  cmd
> BANEXT  com
> BANEXT  cpl
> BANEXT  exe
> BANEXT  hta
> BANEXT  inf
> BANEXT  ins
> BANEXT  isp
> BANEXT  js
> BANEXT  jse
> BANEXT  lnk
> BANEXT  msi
> BANEXT  msp
> BANEXT  mst
> BANEXT  pcd
> BANEXT  pif
> BANEXT  reg
> BANEXT  scr
> BANEXT  sct
> BANEXT  shb
> BANEXT  shs
> BANEXT  vb
> BANEXT  vbe
> BANEXT  vbs
> 
> BANEXT  ws
> BANEXT  wsc
> BANEXT  wsf
> BANEXT  wsh
> 
> 
> Darin.
> 
> 
> - Original Message -
> From: "Dan Geiser" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, November 23, 2005 9:26 AM
> Subject: [Declude.Virus] Blocking PIF Files
> 
> 
> Hello, All,
> I don't know whether this would be more appropriate for the virus list or
> the junkmail list so please point me towards junkmail if appropriate.
> 
> What is the proper technique for blocking messages that have an attachment
> that ends in a "pif" extension like "your_letter.pif"?
> 
> We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.
> 
> Thanks In Advance!
> Dan Geiser
> [EMAIL PROTECTED]
> 


RE: [Declude.Virus] blocking exe in zips

2005-11-24 Thread John T \(Lists\)
> #
> # BANZIPEXT will block files based on EXT within ZIP files. EXT as declared with BANEXT
> # BANEZIPEXT will do the same for encrypted ZIPs.
> #
> # BB 1-11-05
> # Added BANxZIPEXT directives, BANEZIPEXT not necessary as we block ALL EZIP files.
> BANZIPEXT on
> #BANEZIPEXT on

Try "BANZIPEXTS ON" noting the s in there.

John T
eServices For You



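A mistyped directive such as the one above leaves a blocking rule silently inactive, so a small pre-deployment check is worth having. The following is an added example, not a Declude feature or code from this thread: `KNOWN_DIRECTIVES` holds only the directive names mentioned in the thread (a real virus.cfg accepts more), and matching names case-insensitively is an assumption.

```python
import difflib
from typing import NamedTuple, Optional

# Only the directives named in this thread; extend the set before trusting
# an "unknown directive" finding on a full virus.cfg.
KNOWN_DIRECTIVES = ("BANEXT", "BANNAME", "BANZIPEXTS", "BANEZIPEXTS")

# Constructed fragment modelled on the config quoted above.
SAMPLE_CFG = """\
#
# BANZIPEXT will block files based on EXT within ZIP files.
# BB 1-11-05
BANZIPEXT on
#BANEZIPEXT on
BANEXT  exe
BANEXTbin
BANNAME mailtext.zip
"""


class Finding(NamedTuple):
    line: int
    severity: str              # "error" on live lines, "info" on commented-out ones
    token: str                 # directive as written
    suggestion: Optional[str]  # nearest known directive, if any
    message: str


def closest(token, known):
    """Nearest known directive by edit similarity, or None."""
    hits = difflib.get_close_matches(token.upper(), known, n=1, cutoff=0.8)
    return hits[0] if hits else None


def fused(token, known):
    """Known directive run together with its value, e.g. 'BANEXTbin'."""
    upper = token.upper()
    for name in sorted(known, key=len, reverse=True):
        if upper.startswith(name) and len(upper) > len(name):
            return name
    return None


def lint_virus_cfg(text, known=KNOWN_DIRECTIVES):
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        disabled = line.startswith("#")
        fields = line.lstrip("#").split()
        # Comment prose is skipped: only '#NAME value' shapes are treated
        # as a commented-out directive.
        if not fields or (disabled and len(fields) > 2):
            continue
        token = fields[0]
        severity = "info" if disabled else "error"
        if token.upper() in known:
            if len(fields) == 1 and not disabled:
                findings.append(Finding(line_no, severity, token, None,
                                        f"{token} has no value"))
            continue
        name = fused(token, known) if len(fields) == 1 else None
        if name:
            findings.append(Finding(line_no, severity, token, name,
                                    f"{token}: {name} is run together with its value"))
            continue
        name = closest(token, known)
        if name:
            findings.append(Finding(line_no, severity, token, name,
                                    f"unknown directive {token}; did you mean {name}?"))
        elif not disabled:
            findings.append(Finding(line_no, "error", token, None,
                                    f"unknown directive {token}"))
    return findings


if __name__ == "__main__":
    for f in lint_virus_cfg(SAMPLE_CFG):
        print(f"line {f.line}: {f.severity}: {f.message}")
```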

RE: [Declude.Virus] Blocking PIF Files

2005-11-23 Thread John T \(Lists\)
Well, those are files which of themselves are not executable, rather they
are files which require something else to be done to use them.

I am not sure of the value of blocking those.

John T
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Wednesday, November 23, 2005 7:15 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Blocking PIF Files
> 
> I also ban some more
> 
> BANEXT  bin
> BANEXT  class
> BANEXT  dll
> BANEXT  jsc
> BANEXT  ocx
> BANEXT  sys
> BANEXT  vxd
> 
> Goran Jovanovic
> Omega Network Solutions
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Wednesday, November 23, 2005 10:00 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Blocking PIF Files
> >
> > Here's a list compiled over the years of extensions we ban.  The top two
> > you will want to consider your userbase before banning, the rest should be
> > fine.
> > Note that we couple this with a banned file notification to the intended
> > recipient, which includes a link to requeue the file for delivery if it is
> > legitimate.
> >
> >
> > BANEXT  EZIP
> > BANEXT  rar
> >
> > BANEXT  bas
> > BANEXT  bat
> > BANEXT  ceo
> > BANEXT  chm
> > BANEXT  cmd
> > BANEXT  com
> > BANEXT  cpl
> > BANEXT  exe
> > BANEXT  hta
> > BANEXT  inf
> > BANEXT  ins
> > BANEXT  isp
> > BANEXT  js
> > BANEXT  jse
> > BANEXT  lnk
> > BANEXT  msi
> > BANEXT  msp
> > BANEXT  mst
> > BANEXT  pcd
> > BANEXT  pif
> > BANEXT  reg
> > BANEXT  scr
> > BANEXT  sct
> > BANEXT  shb
> > BANEXT  shs
> > BANEXT  vb
> > BANEXT  vbe
> > BANEXT  vbs
> >
> > BANEXT  ws
> > BANEXT  wsc
> > BANEXT  wsf
> > BANEXT  wsh
> >
> >
> > Darin.
> >
> >
> > - Original Message -
> > From: "Dan Geiser" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Wednesday, November 23, 2005 9:26 AM
> > Subject: [Declude.Virus] Blocking PIF Files
> >
> >
> > Hello, All,
> > I don't know whether this would be more appropriate for the virus list or
> > the junkmail list so please point me towards junkmail if appropriate.
> >
> > What is the proper technique for blocking messages that have an attachment
> > that ends in a "pif" extension like "your_letter.pif"?
> >
> > We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.
> >
> > Thanks In Advance!
> > Dan Geiser
> > [EMAIL PROTECTED]
> >


RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread John T \(Lists\)
Looks like F-Prot is now catching it as SoberZ

John T
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 12:12 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> 
> It is coming in with a lot of different zip file names and body names now, I
> blocked all zip files and submitted samples
> 
> I am really getting hit hard
> 
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
> ----- Original Message -----
> From: "Matt" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 21, 2005 2:51 PM
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> 
> 
> > McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
> > missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > McAfee seems to have had this one tagged prior to the outbreak starting
> > since none have slipped through yet.
> >
> > Matt
> >
> >
> >
> > Rick Davidson wrote:
> >
> >> heads up folks, I am stopping a new zip virus with the following junkmail
> >> rules, this is all I have seen so far. Contains an executable payload
> >> called File-packed_dataInfo.exe
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> 440-639-0607 - Office
> >> 951-233-6342 - Mobile
> >> [EMAIL PROTECTED]


RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread John T \(Lists\)
If you have Pro version you should be always blocking using "BANZIPEXTS ON"
and "BANEZIPEXTS ON".

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 12:12 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> 
> It is coming in with a lot of different zip file names and body names now, I
> blocked all zip files and submitted samples
> 
> I am really getting hit hard
> 
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
> ----- Original Message -----
> From: "Matt" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 21, 2005 2:51 PM
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> 
> 
> > McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
> > missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > McAfee seems to have had this one tagged prior to the outbreak starting
> > since none have slipped through yet.
> >
> > Matt
> >
> >
> >
> > Rick Davidson wrote:
> >
> >> heads up folks, I am stopping a new zip virus with the following junkmail
> >> rules, this is all I have seen so far. Contains an executable payload
> >> called File-packed_dataInfo.exe
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> 440-639-0607 - Office
> >> 951-233-6342 - Mobile
> >> [EMAIL PROTECTED]

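The kind of check the two directives stand for, as an added example; it is not Declude's implementation. It reads only the ZIP central directory, where member names stay readable under ordinary ZIP encryption, and reports banned extensions separately for plain and encrypted members. `BANNED_EXTS` is a subset of the BANEXT list quoted elsewhere in this archive, and the sample archives are constructed in memory with placeholder bytes.

```python
import io
import zipfile

# Subset of the BANEXT list quoted elsewhere in this archive.
BANNED_EXTS = frozenset({"bat", "cmd", "com", "exe", "js", "pif", "scr", "vbs"})
ENCRYPTED_BIT = 0x0001  # general-purpose flag bit 0 in a ZIP header


def extension(member_name):
    """Extension of a member name as Windows would treat it."""
    # Windows drops trailing dots and spaces from a file name, so strip
    # them before taking the extension.
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_zip(data, banned=BANNED_EXTS):
    """Classify a zip attachment by the extensions of its members."""
    result = {"verdict": "pass", "banned_plain": [], "banned_encrypted": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "unreadable"
        return result
    with archive:
        # infolist() comes from the central directory: nothing is
        # decompressed and no password is needed to see the names.
        for info in archive.infolist():
            if info.is_dir() or extension(info.filename) not in banned:
                continue
            encrypted = info.flag_bits & ENCRYPTED_BIT
            key = "banned_encrypted" if encrypted else "banned_plain"
            result[key].append(info.filename)
    if result["banned_plain"] or result["banned_encrypted"]:
        result["verdict"] = "block"
    return result


def build_sample_zip(names, mark_encrypted=False):
    """Constructed test input: a tiny zip whose members hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Set flag bit 0 in every central-directory header (flags sit at
        # offset 8 from the PK\x01\x02 signature). The payload is not really
        # encrypted; the listing code only looks at the flag.
        pos = data.find(b"PK\x01\x02")
        while pos != -1:
            data[pos + 8] |= ENCRYPTED_BIT
            pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


if __name__ == "__main__":
    print(inspect_zip(build_sample_zip(["s3700020.exe"])))
    print(inspect_zip(build_sample_zip(["File-packed_dataInfo.exe"], True)))
```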

RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread John T \(Lists\)
I have been seeing a bunch of blocked zip-exe but I have been on the phone
with clients for the last hour and have not had a chance to review it.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 11:34 AM
> To: Declude.virus@declude.com
> Subject: [Declude.Virus] New Virus Strain Pounding my systems
> 
> heads up folks, I am stopping a new zip virus with the following junkmail
> rules, this is all I have seen so far. Contains an executable payload called
> File-packed_dataInfo.exe
> 
> BODY  0 CONTAINS  mailtext.zip
> BODY  0 CONTAINS  downloadm.zip
> BODY  0 CONTAINS  "mail.zip"
> BODY  0 CONTAINS  reg_pass-data.zip
> BODY  0 CONTAINS  Account and Password Information are attached!
> 
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]


RE: [Declude.Virus] New Sober to be released, possible variation?

2005-11-15 Thread John T \(Lists\)
Yes. I also like to add known file names so that when the user receives a
message about a banned file, if they see the file name they are less likely
to send me a message saying that the banned file could be OK as it looks
like it is from someone they know.

John T
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Mark Reimer
> Sent: Tuesday, November 15, 2005 12:49 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
> 
> If we are banning extensions within zip files we should be ok right?
> 
> Mark Reimer
> IT Project Manager
> American CareSource
> 800-370-5994 ext. 267
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John T (Lists)
> Sent: Tuesday, November 15, 2005 2:30 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] New Sober to be released, possible
> variation?
> 
> 
> And another:
> 
> BANNAME   packed-password_text.zip
> 
> John T
> eServices For You
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 10:16 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> >
> > Another one to block...
> >
> > BANNAME Accept_e-Text.zip
> >
> > The list so far is
> >
> > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > BANNAME Accept_e-Text.zip
> > BANNAME email_photo.zip
> > BANNAME excel_table.zip
> > BANNAME foto.zip
> > BANNAME liste.zip
> > BANNAME reg_text.zip
> > BANNAME registration.zip
> > BANNAME tabelle.zip
> > BANNAME word-text.zip
> >
> > As mentioned before, we keep these in place even after the virus
> > definitions are catching them.  That way new variants that use the names
> > are caught before definitions are available.
> >
> > Darin.
> >
> >
> > - Original Message -
> > From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Tuesday, November 15, 2005 11:57 AM
> > Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
> >
> >
> > There are very interesting details in Trend Micro's writeup.
> >
> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T
> >
> > i.e. it uses its own SMTP server plus a hardcoded list of accounts and
> > IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
> > Software Removal Tool.
> >
> > It may be worth mentioning that the BANNAME list that Darin provided
> > will be useful for those of us using F-Prot only, as they are still not
> > detecting the variant I've been receiving since this thread started.
> >
> > Andrew 8)
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > Sent: Tuesday, November 15, 2005 6:05 AM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > > > Most of the new Sober variants are expected to be low volume, so
> > > > I'm not surprised that Netsky.P continues to outstrip them.
> > >
> > > Security vendors are varying as to what they are detecting
> > > with 6 new Sober variants yesterday and today.  Best bet is
> > > to ban the files at least until virus definition files have
> > > caught up.  We keep the bans in place for the usual overlap
> > > in new variants.
> > >
> > > Darin.
> > >
> > >
> > > - Original Message -
> > > From: "Markus Gufler" <[EMAIL PROTECTED]>
> > > To: 
> > > Sent: Tuesday, November 15, 2005 8:44 AM
> > > Subject: RE: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > >
> > > Thank you Darin.
> > >
> > > just curious after watching our virus logfiles today
> > > Anyone else can confirm that there are only a few of the
> > > today new virus and
> > > far more netsky (most .p variant) showing up in the logfiles?
> > >
> > > > Today I've had some reports that certain variants of the new
> > > > virus slipped
> > > > through while it was definitively catching some

RE: [Declude.Virus] New Sober to be released, possible variation?

2005-11-15 Thread John T \(Lists\)
And another:

BANNAME packed-password_text.zip

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darin Cox
> Sent: Tuesday, November 15, 2005 10:16 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> 
> Another one to block...
> 
> BANNAME Accept_e-Text.zip
> 
> The list so far is
> 
> # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> BANNAME Accept_e-Text.zip
> BANNAME email_photo.zip
> BANNAME excel_table.zip
> BANNAME foto.zip
> BANNAME liste.zip
> BANNAME reg_text.zip
> BANNAME registration.zip
> BANNAME tabelle.zip
> BANNAME word-text.zip
> 
> As mentioned before, we keep these in place even after the virus
> definitions are catching them.  That way new variants that use the names
> are caught before definitions are available.
> 
> Darin.
> 
> 
> - Original Message -
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, November 15, 2005 11:57 AM
> Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
> 
> 
> There are very interesting details in Trend Micro's writeup.
> 
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T
> 
> i.e. it uses its own SMTP server plus a hardcoded list of accounts and
> IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
> Software Removal Tool.
> 
> It may be worth mentioning that the BANNAME list that Darin provided
> will be useful for those of us using F-Prot only, as they are still not
> detecting the variant I've been receiving since this thread started.
> 
> Andrew 8)
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 6:05 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> > Most of the new Sober variants are expected to be low volume, so
> > I'm not surprised that Netsky.P continues to outstrip them.
> >
> > Security vendors are varying as to what they are detecting
> > with 6 new Sober variants yesterday and today.  Best bet is
> > to ban the files at least until virus definition files have
> > caught up.  We keep the bans in place for the usual overlap
> > in new variants.
> >
> > Darin.
> >
> >
> > - Original Message -
> > From: "Markus Gufler" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Tuesday, November 15, 2005 8:44 AM
> > Subject: RE: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> >
> > Thank you Darin.
> >
> > just curious after watching our virus logfiles today
> > Anyone else can confirm that there are only a few of the
> > today new virus and
> > far more netsky (most .p variant) showing up in the logfiles?
> >
> > Today I've had some reports that certain variants of the new
> > virus slipped
> > through while it was definitively catching some others.
> >
> > Markus
> >
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > Sent: Tuesday, November 15, 2005 2:33 PM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > > I just went through all of the reports.  Here's a list of new
> > > filenames to
> > > ban:
> > >
> > > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > > BANNAME email_photo.zip
> > > BANNAME excel_table.zip
> > > BANNAME liste.zip
> > > BANNAME reg_text.zip
> > > BANNAME registration.zip
> > > BANNAME tabelle.zip
> > >
> > >
> > > Darin.
> > >
> > >
> > > - Original Message -
> > > From: "Doug Anderson" <[EMAIL PROTECTED]>
> > > To: 
> > > Sent: Tuesday, November 15, 2005 8:24 AM
> > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > >
> > > > Looks like varying attachment names. I got one that's excel_table.zip
> > >
> > > - Original Message -
> > > From: "David Dodell" <[EMAIL PROTECTED]>
> > > To: "John T (Lists)&

RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?

2005-11-14 Thread John T \(Lists\)
Sophos is now calling it Sober-R.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darin Cox
> Sent: Monday, November 14, 2005 8:33 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Sober to be released Nov-15-2005 ?
> 
> Yep...seeing them here as well.
> 
> Darin.
> 
> 
> ----- Original Message -
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 14, 2005 7:57 PM
> Subject: RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?
> 
> 
> Well, I am not sure about tomorrow, but in the last hour I have started to
> see some messages being caught with banned ZIP-EXE with a subject line of
> Thanks for your registration and a file name of reg_text.zip and a D file
> size of 184 Kb that I have not seen before.
> 
> John T
> eServices For You
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of Colbeck, Andrew
> > Sent: Monday, November 14, 2005 3:36 PM
> > To: Declude.Virus@declude.com
> > Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?
> >
> > Hmmm, now that's interesting.
> >
> > http://www.f-secure.com/weblog/#0705
> >
> >
> > Andrew.
> >
> >
> >
> >
> >


RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?

2005-11-14 Thread John T \(Lists\)
Well, I am not sure about tomorrow, but in the last hour I have started to
see some messages being caught with banned ZIP-EXE with a subject line of
Thanks for your registration and a file name of reg_text.zip and a D file
size of 184 Kb that I have not seen before.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Colbeck, Andrew
> Sent: Monday, November 14, 2005 3:36 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?
> 
> Hmmm, now that's interesting.
> 
> http://www.f-secure.com/weblog/#0705
> 
> 
> Andrew.
> 
> 
> 
> 
> 


RE: [Declude.Virus] Second scanner

2005-11-03 Thread John T \(Lists\)
I use AVG as the second scanner and am happy with the results. I like
BitDefender as they publish updates on average a dozen or more times per
day, but it is more resource costly.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of David Dodell
> Sent: Thursday, November 03, 2005 9:25 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Second scanner
> 
> After many years of using Virus Standard, I upgraded to Virus Pro to
> take advantage of a second scanner.   I've scanned the previous
> threads on what others like for a second scanner to F-Prot, but can't
> seem to find any common thread ...
> 
> So I would appreciate what seems to be the next most popular virus
> scanner to run as a secondary scanner to F-Prot?
> 
> David
> 


RE: [Declude.Virus] Blast of zips coming in

2005-11-01 Thread John T \(Lists\)
Well ...

;-)>

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of System Administrator
> Sent: Tuesday, November 01, 2005 9:48 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Blast of zips coming in
> 
> on 11/1/05 11:38 AM, John T (Lists) wrote:
> 
> > What is the payload inside?
> 
> .exe files
> 
> John's post about what we all should do with .exe files in zip attachments
> will follow in 3 ... 2 ... 1 ... :)
> 
> Don't let me down John,
> Greg
> 


RE: [Declude.Virus] Blast of zips coming in

2005-11-01 Thread John T \(Lists\)
What is the payload inside?

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of John Carter
> Sent: Tuesday, November 01, 2005 7:51 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Blast of zips coming in
> 
> We are currently getting hit with a blast of emails with ZIP attachments.
> They are showing clean, at least with F-Prot and ClamAV under Declude, plus
> a manual scan by Trend Micro.  They fake our user as sender.
> 
> Attachments are among others: info_price.zip, text_sms.zip, max.zip,
> Health_and_knowledge.zip, and others.
> 
> John C
> 


RE: [Declude.Virus] Possible BANnotify.EML problem with Declude 1.82

2005-10-12 Thread John T \(Lists\)
SKIPIFFORGING is only for virus notifications, so it should not be in any
other .eml file.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, October 12, 2005 12:30 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Possible BANnotify.EML problem with Declude 1.82

Just ran across a possible problem with the BANnotify.EML in Declude Virus
1.82.  If a SKIPIFFORGING line is in it, it doesn't send the notification.

Is this an inappropriate setting?  i.e. If virus checking is done first then
SKIPIFFORGING would not apply.

Darin.


RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-11 Thread John T \(Lists\)
Well, the answer lies within how those features were introduced. When the
first wave of viruses came out using zip files, we blocked zip files
entirely. But then we asked for a way to pass EZIP files, so Scott added
that feature whereby BANEXT ZIP did not ban EZIPs, instead introducing
BANEXT EZIP. Then when waves of viruses started to come out using EZIP
files, the first thing we did was ban them and then asked Scott to come up
with a work around. He did this by introducing BANZIPEXTs and BANEZIPEXTS
which only banned a zip or EZIP if it had a file in it that was banned. But
that is only for Pro version.

So if you are using Pro version, you can just use BANZIPEXTS and BANEZIPEXTS
if desired, leaving "BANEXT ZIP" and "BANEXT EZIP" in the virus.cfg but
commented out. That way, if there is a sudden need to do so, it can be done
quickly.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Kevin Rogers
> Sent: Tuesday, October 11, 2005 3:36 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
> 
> Ok OK already.  lol
> 
> So some people block EZIPs and some don't.  If you don't block EZIPs but
> do block certain file extensions within EZIPs, is it the same security
> as if you blocked them outright?  Or are there ways to slip bad stuff
> through an EZIP even if you block most bad extensions?  Or can you
> really not scan EZIPs as well as other files.
> 
> Thanks
> 
> 
> Scott Fisher wrote:
> 
> > I block all encrypted zips based on the fact that I can't virus scan
> > them.
> >
> > But then again I'm slightly paranoid and should not be trusted with
> > sharp objects.
> >
> > - Original Message - From: "Kevin Rogers" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Tuesday, October 11, 2005 3:08 PM
> > Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email
> > Content
> >
> >
> >> So it's this forum's consensus that if I have PRO I should not block
> >> all EZIPs - I should just block the other extensions even if they are
> >> found within ZIP files?
> >>
> >> I do send out notices when a file gets blocked, but I don't have a
> >> requeue script in place.  I'll search for one and see what I can do.
> >> Thanks.
> >>
> >>
> >>
> >> Darin Cox wrote:
> >>
> >>> If you have Declude Virus/EVA Pro you can switch to banning extensions
> >>> within zips.  With Standard, you may want to continue to ban
> >>> encrypted zips.
> >>>
> >>> In either case, you will probably want to send out notices for
> >>> banned files,
> >>> notifying the intended recipient that a file sent to them was blocked.
> >>> Include a link in the notification for them to requeue the message
> >>> if it was
> >>> legit and they want to receive it.  Scripts to requeue messages have
> >>> been
> >>> posted to the list in the past, but they are very simple to create
> >>> by just
> >>> moving the Q and D files back to the spool directory... possibly
> >>> going as
> >>> far as launching the SMTP32 process to immediately send the message
> >>> if you
> >>> don't want your user to wait for the next queue run.
> >>>
> >>> Darin.
> >>>
> >>>
> >>> - Original Message - From: "Kevin Rogers"
> >>> <[EMAIL PROTECTED]>
> >>> To: 
> >>> Sent: Tuesday, October 11, 2005 1:26 AM
> >>> Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email
> >>> Content
> >>>
> >>>
> >>> We're looking for a simple way to opportunistically allow our users to
> >>> encrypt or password-protect certain emails and/or their attachments
> >>> that
> >>> contain sensitive data.  We're running Declude Pro and have banned EZIP
> >>> extensions (the highly recommended suggestion from several people on
> >>> this forum), so that kinda rules out PKZIP and any kind of ZIP program
> >>> (because as soon as you password-protect a ZIP file, it becomes an EZIP
> >>> file).  We looked at PGP, but it seems very complex and seems to
> >>> require
> >>> a hardware proxy in between our mail server and the Net.  Is there a
> >>> simple and effective way to encrypt or password protect documents for
> >>> email transmission that doesn't cause problems with Imail or Declude
> >>> and
> >>> doesn't require software to be installed on the recipient's end?
> >>>
> >>> Thanks.
> >>>
> >>> Kevin
> >> ---
> >> [This 
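
The policy discussed in this thread (ban a zip or an encrypted zip only when a member has a banned extension, with an outright ban on encrypted zips as the stricter option, plus banned file names), sketched in Python as an added example; it is not Declude's code and not from any poster. The function names, the extension list and the sample archives are assumptions constructed here; the "encrypted" samples only have the ZIP encryption flag set in the central directory, which is all this check reads.

```python
"""Attachment policy sketch: banned names, banned extensions inside zips,
and encrypted zips. Added example; not Declude code."""
import io
import struct
import zipfile
from pathlib import PurePosixPath

# Assumed policy values for the example (not read from a real virus.cfg).
BANNED_NAMES = {"reg_text.zip", "excel_table.zip", "pword_change.zip"}
BANNED_EXTS = {"exe", "scr", "pif", "pps"}


def extension(name):
    """Lower-cased final extension; trailing dots/spaces are ignored because
    Windows drops them, so 'run.exe. ' still opens as run.exe."""
    cleaned = name.replace("\\", "/").rstrip(". ").lower()
    return PurePosixPath(cleaned).suffix.lstrip(".")


def inspect_zip(data):
    """Return (encrypted, member_names) using only the central directory.
    Traditional ZIP encryption leaves member names readable there, which is
    why an encrypted zip can still be checked for banned extensions."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = any(info.flag_bits & 0x1 for info in infos)
    return encrypted, [info.filename for info in infos]


def evaluate(attachment_name, data, ban_all_encrypted=False):
    """Return (verdict, reason) for one attachment."""
    if attachment_name.lower() in BANNED_NAMES:
        return ("ban", "banned file name")
    is_archive = (extension(attachment_name) == "zip"
                  or zipfile.is_zipfile(io.BytesIO(data)))
    if not is_archive:
        if extension(attachment_name) in BANNED_EXTS:
            return ("ban", "banned extension")
        return ("pass", "not an archive")
    try:
        encrypted, members = inspect_zip(data)
    except zipfile.BadZipFile:
        # Fail closed: a zip that cannot be parsed cannot be checked.
        return ("ban", "unreadable archive")
    if encrypted and ban_all_encrypted:
        return ("ban", "encrypted zip")
    bad = [m for m in members if extension(m) in BANNED_EXTS]
    if bad:
        kind = "encrypted zip" if encrypted else "zip"
        return ("ban", f"{kind} contains {bad[0]}")
    if encrypted:
        return ("pass", "encrypted zip, contents not scannable")
    return ("pass", "zip members allowed")


def make_sample_zip(member_names, encrypted=False):
    """Build a constructed sample archive in memory. With encrypted=True the
    'encrypted' bit (bit 0) is set in every central directory header; the
    data itself is not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"constructed placeholder")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # End-of-central-directory record: entry count, size, offset.
        count, _size, pos = struct.unpack_from("<HII", raw, len(raw) - 12)
        for _ in range(count):
            (flags,) = struct.unpack_from("<H", raw, pos + 8)
            struct.pack_into("<H", raw, pos + 8, flags | 0x1)
            name_len, extra_len, comment_len = struct.unpack_from(
                "<HHH", raw, pos + 28)
            pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


if __name__ == "__main__":
    samples = [
        ("reg_text.zip", make_sample_zip(["notes.txt"])),
        ("docs.zip", make_sample_zip(["report.doc", "setup.EXE"])),
        ("secure.zip", make_sample_zip(["notes.txt"], encrypted=True)),
        ("secure.zip", make_sample_zip(["photo.jpg.exe"], encrypted=True)),
        ("broken.zip", b"PK\x03\x04" + b"\x00" * 64),
    ]
    for name, data in samples:
        print(name, evaluate(name, data))
```

Archive formats that also encrypt the file list hide the member names, so for those only the outright ban on encrypted archives applies.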

RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-11 Thread John T \(Lists\)
Yah, those doctors and their instruments. Ouch.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Tuesday, October 11, 2005 2:44 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
> 
> Please no talk about sharp objects - I just had a vasectomy a couple of
> hours ago - oh the pain...
> 
> Darrell
> 
> ---
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring,
> SURBL/URI integration, MRTG Integration, and Log Parsers.
> 
> - Original Message -
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, October 11, 2005 5:00 PM
> Subject: RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email
> Content
> 
> 
> What is wrong with sharp objects? They make nice clean cuts.
> 
> Now, it's the blunt ones that I worry about.
> 
> John T
> eServices For You
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of Scott Fisher
> > Sent: Tuesday, October 11, 2005 1:44 PM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
> >
> > I block all encrypted zips based on the fact that I can't virus scan them.
> >
> > But then again I'm slightly paranoid and should not be trusted with sharp
> > objects.
> >
> > - Original Message -
> > From: "Kevin Rogers" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Tuesday, October 11, 2005 3:08 PM
> > Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email
> > Content
> >
> >
> > > > So it's this forum's consensus that if I have PRO I should not block
> > > > all EZIPs - I should just block the other extensions even if they are
> > > > found within ZIP files?
> > > >
> > > > I do send out notices when a file gets blocked, but I don't have a
> > > > requeue script in place.  I'll search for one and see what I can do.
> > > > Thanks.
> > > >
> > > >
> > > >
> > > > Darin Cox wrote:
> > > >
> > > >>If you have Declude Virus/EVA Pro you can switch to banning extensions
> > > >>within zips.  With Standard, you may want to continue to ban encrypted
> > > >>zips.
> > > >>
> > > >>In either case, you will probably want to send out notices for banned
> > > >>files, notifying the intended recipient that a file sent to them was
> > > >>blocked.  Include a link in the notification for them to requeue the
> > > >>message if it was legit and they want to receive it.  Scripts to
> > > >>requeue messages have been posted to the list in the past, but they
> > > >>are very simple to create by just moving the Q and D files back to the
> > > >>spool directory... possibly going as far as launching the SMTP32
> > > >>process to immediately send the message if you don't want your user to
> > > >>wait for the next queue run.
> > > >>
> > > >>Darin.
> > > >>
> > > >>
> > > >>- Original Message -
> > > >>From: "Kevin Rogers" <[EMAIL PROTECTED]>
> > > >>To: 
> > > >>Sent: Tuesday, October 11, 2005 1:26 AM
> > > >>Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
> > > >>
> > > >>
> > > >>We're looking for a simple way to opportunistically allow our users to
> > > >>encrypt or password-protect certain emails and/or their attachments
> > > >>that contain sensitive data.  We're running Declude Pro and have
> > > >>banned EZIP extensions (the highly recommended suggestion from several
> > > >>people on this forum), so that kinda rules out PKZIP and any kind of
> > > >>ZIP program (because as soon as you password-protect a ZIP file, it
> > > >>becomes an EZIP file).  We looked at PGP, but it seems very complex
> > > >>and seems to require a hardware proxy in between our mail server and
> > > >>the Net.  Is there a simple and effective way to encrypt or password
> > > >>protect documents for email transmission that doesn't cause problems
> > > >>with Imail or Declude and doesn't require software to be installed on
> > > >>the recipient's end?
> > 

RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-11 Thread John T \(Lists\)
What is wrong with sharp objects? They make nice clean cuts.

Now, it's the blunt ones that I worry about.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Scott Fisher
> Sent: Tuesday, October 11, 2005 1:44 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
> 
> I block all encrypted zips based on the fact that I can't virus scan them.
> 
> But then again I'm slightly paranoid and should not be trusted with sharp
> objects.
> 
> - Original Message -
> From: "Kevin Rogers" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, October 11, 2005 3:08 PM
> Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email
> Content
> 
> 
> > So it's this forum's consensus that if I have PRO I should not block all
> > EZIPs - I should just block the other extensions even if they are found
> > within ZIP files?
> >
> > I do send out notices when a file gets blocked, but I don't have a
> > requeue script in place.  I'll search for one and see what I can do.
> > Thanks.
> >
> >
> >
> > Darin Cox wrote:
> >
> >>If you have Declude Virus/EVA Pro you can switch to banning extensions
> >>within zips.  With Standard, you may want to continue to ban encrypted
> >>zips.
> >>
> >>In either case, you will probably want to send out notices for banned
> >>files, notifying the intended recipient that a file sent to them was
> >>blocked.  Include a link in the notification for them to requeue the
> >>message if it was legit and they want to receive it.  Scripts to requeue
> >>messages have been posted to the list in the past, but they are very
> >>simple to create by just moving the Q and D files back to the spool
> >>directory... possibly going as far as launching the SMTP32 process to
> >>immediately send the message if you don't want your user to wait for the
> >>next queue run.
> >>
> >>Darin.
> >>
> >>
> >>- Original Message -
> >>From: "Kevin Rogers" <[EMAIL PROTECTED]>
> >>To: 
> >>Sent: Tuesday, October 11, 2005 1:26 AM
> >>Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
> >>
> >>
> >>We're looking for a simple way to opportunistically allow our users to
> >>encrypt or password-protect certain emails and/or their attachments that
> >>contain sensitive data.  We're running Declude Pro and have banned EZIP
> >>extensions (the highly recommended suggestion from several people on
> >>this forum), so that kinda rules out PKZIP and any kind of ZIP program
> >>(because as soon as you password-protect a ZIP file, it becomes an EZIP
> >>file).  We looked at PGP, but it seems very complex and seems to require
> >>a hardware proxy in between our mail server and the Net.  Is there a
> >>simple and effective way to encrypt or password protect documents for
> >>email transmission that doesn't cause problems with Imail or Declude and
> >>doesn't require software to be installed on the recipient's end?
> >>
> >>Thanks.
> >>
> >>Kevin


RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-10 Thread John T \(Lists\)
FYI, I do not ban EZIP outright. What I do is BANEZIPEXTs which will ban an
EZIP file containing a file that is banned.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Kevin Rogers
> Sent: Monday, October 10, 2005 10:26 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
> 
> We're looking for a simple way to opportunistically allow our users to
> encrypt or password-protect certain emails and/or their attachments that
> contain sensitive data.  We're running Declude Pro and have banned EZIP
> extensions (the highly recommended suggestion from several people on
> this forum), so that kinda rules out PKZIP and any kind of ZIP program
> (because as soon as you password-protect a ZIP file, it becomes an EZIP
> file).  We looked at PGP, but it seems very complex and seems to require
> a hardware proxy in between our mail server and the Net.  Is there a
> simple and effective way to encrypt or password protect documents for
> email transmission that doesn't cause problems with Imail or Declude and
> doesn't require software to be installed on the recipient's end?
> 
> Thanks.
> 
> Kevin


RE: [Declude.Virus] New variant as of 15 minutes ago

2005-10-06 Thread John T \(Lists\)
Matt, what is the payload inside the zip?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, October 06, 2005 9:32 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New variant as of 15 minutes ago

Same servers, but this time it has a Regis.info.zip attachment and the
subject is "Registration Confirmation".

Basically I converted to blocking any zips below 200 KB that come from these
providers with some filtering and it seems to be working.

Matt


RE: [Declude.Virus] Possible new virus

2005-10-06 Thread John T \(Lists\)

Sorry to say it, but that is why we must be blocking executables and zips
that contain executables. For the sake of our clients, we can no longer
afford to be reactive, we must be proactive.

I caught a couple hundred using banned BANZIPEXTS as it has an exe payload
inside the zip file, the first one being at about 20:25 ET.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, October 05, 2005 7:46 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Possible new virus

A lot got through today with that one, but it's being caught by F-Prot now.

10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=pword_change.zip [12] O

My first hit was at 20:02 EST tonight.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:33 PM
Subject: [Declude.Virus] Possible new virus

We're seeing a lot of emails with pword_change.zip attached.  May want to
block it in your virus.cfg.

Subject is "Your new Password".  All so far were routed through gmx.net or
web.de just before delivery, but are originating from a variety of dial-up
or broadband ISP accounts.

Darin.
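
The check discussed in this thread, flagging zip attachments that carry an executable inside, sketched as an added Python example; it is not Declude's BANZIPEXTS implementation and not code from any poster. The ban list, the depth and size limits and all function names are assumptions, and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BANNED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}  # assumed ban list
MAX_DEPTH = 3                # assumed limit on nested-archive recursion
MAX_NESTED_BYTES = 10 << 20  # assumed cap before unpacking a nested zip

def banned_members(zip_bytes, depth=0):
    """Return archive member names whose final extension is banned."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # fail closed: uninspectable means flagged
    hits = []
    for info in zf.infolist():  # names are listed even when member data is encrypted
        # Windows ignores trailing dots/spaces, so strip them before taking the extension.
        base = info.filename.lower().rstrip(". ").rsplit("/", 1)[-1]
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if ext in BANNED_EXTS:
            hits.append(info.filename)
        elif ext == ".zip":
            if info.flag_bits & 0x1 or depth + 1 >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                hits.append(info.filename + " <nested archive not inspected>")
            else:
                hits += banned_members(zf.read(info), depth + 1)
    return hits

def scan_message(raw):
    """Map each .zip attachment's file name to the banned members inside it."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            report[fname] = banned_members(part.get_payload(decode=True) or b"")
    return {name: hits for name, hits in report.items() if hits}

def build_sample():  # constructed message: zip with a text file and a double-extension .exe
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        zf.writestr("password.txt.exe", b"constructed placeholder bytes")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

On the constructed sample, `scan_message(build_sample())` reports `password.txt.exe` under `sample.zip`; only the final extension counts, so the `.txt` in the middle does not hide it.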

RE: [Declude.Virus] Virus directory

2005-10-04 Thread John T \(Lists\)
From the manual:

DELETEONVIRUS   YES or TRUE

However, once deleted it is gone for good.

Better is to rotate and delete via a scheduled batch file.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Harry Vanderzand
> Sent: Tuesday, October 04, 2005 10:33 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Virus directory
> 
> Declude puts all e-mails with viruses into a separate directory
> 
> I find I always have to go there and delete files.
> 
> Is there a way to set the system to just delete those e-mails rather than
> move them into a separate directory?
> 
> Thank you
> 
> Harry Vanderzand
> inTown Internet & Computer Services
> 11 Belmont Ave. W., Kitchener, ON,N2M 1L2
> 519-741-1222
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Info Wind
> > Sent: Friday, September 30, 2005 8:29 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Version 3.0.5.5
> >
> > same to me, there seems to be problems when not uninstalling.
> > I had the same issue.
> > Thanks John for the proper procedure, that helped me.
> >
> > Bye,
> > Uwe
> >
> > - Original Message -
> > From: Harry Vanderzand
> > To: Declude.Virus@declude.com
> > Sent: Friday, September 30, 2005 1:50 PM
> > Subject: RE: [Declude.Virus] Version 3.0.5.5
> >
> >
> > that is what I thought, but I had to go into add remove programs and
> > remove the service before I could use the install procedure.  If I had
> > the decludeproc.exe file then I could likely have "copied the new file"
> >
> > Harry Vanderzand
> > inTown Internet & Computer Services
> > 11 Belmont Ave. W., Kitchener, ON,N2M 1L2
> > 519-741-1222
> >
> >
> >
> >
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Thursday, September 29, 2005 6:09 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Version 3.0.5.5
> >
> >
> > The proper procedure is:
> > Stop Imail SMTP
> > Stop Imail Queue Manager
> > Make sure spool\proc and spool\proc\work are empty of files. If not,
> > wait until they are processed.
> > Stop Decludeproc
> > Copy in the new file
> > Start Decludeproc
> > Start Imail SMTP
> > Start Imail Queue Manager
> >
> > John T
> > eServices For You
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
> > Sent: Thursday, September 29, 2005 2:07 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Version 3.0.5.5
> >
> > You need to stop SMTP and queuemanager. It probably got started back up
> > by the stub program.
> >
> > Kevin Bilbee
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
> > Sent: Thursday, September 29, 2005 1:59 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Version 3.0.5.5
> > I downloaded this update
> >
> > stopped decludeproc
> >
> > ran the update
> >
> > got message:  Another version is already running, cannot update
> >
> > what's up with that?
> >
> > Harry Vanderzand
> > inTown Internet & Computer Services
> > 11 Belmont Ave. W., Kitchener, ON,N2M 1L2
> > 519-741-1222
> >
> >
> >
> >
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
> > Sent: Thursday, September 29, 2005 2:53 PM
> > To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
> > Subject: [Declude.Virus] Version 3.0.5.5
> > Declude Version 3.0.5.5 is available on the website for download.
> > There are two changes from version 3.0.5.3
> >
> > 1. Fix for special character scanning causing abnormal termination.
> >    Special thanks to John Tolmachoff for identifying and helping us fix
> >    this nasty.
> > 2. For SmarterMail only.  Correctly handle parsing the XML file for the
> >    email installation path.
> >
> > SY, Bill Billman
> > Declude
> >
> >
> > --
> > No virus found in this outgoing message.
> > Checked by AVG Anti-Virus.
> > Version: 7.0.344 / Virus Database: 267.11.7/112 - Release Date: 9/26/2005
> >


RE: [Declude.Virus] Version 3.0.5.5

2005-09-29 Thread John T \(Lists\)

The proper procedure is:

Stop Imail SMTP
Stop Imail Queue Manager
Make sure spool\proc and spool\proc\work are empty of files. If not, wait
until they are processed.
Stop Decludeproc
Copy in the new file
Start Decludeproc
Start Imail SMTP
Start Imail Queue Manager

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Thursday, September 29, 2005 2:07 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Version 3.0.5.5

You need to stop SMTP and queuemanager. It probably got started back up by
the stub program.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Thursday, September 29, 2005 1:59 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Version 3.0.5.5

I downloaded this update

stopped decludeproc

ran the update

got message:  Another version is already running, cannot update

what's up with that?

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
Sent: Thursday, September 29, 2005 2:53 PM
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Subject: [Declude.Virus] Version 3.0.5.5

Declude Version 3.0.5.5 is available on the website for download.

There are two changes from version 3.0.5.3

1. Fix for special character scanning causing abnormal termination.  Special
   thanks to John Tolmachoff for identifying and helping us fix this nasty.
2. For SmarterMail only.  Correctly handle parsing the XML file for the email
   installation path.

SY, Bill Billman
Declude
