RE: [Declude.Virus] .vir directories in spool\proc

2005-09-26 Thread John Tolmachoff (Lists)

There has been information on this issue on the Declude Junkmail list, which is
where most of the beta stuff is talked about.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcel Sangers
Sent: Monday, September 26, 2005 10:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] .vir directories in spool\proc

Hi all,

I use Declude (beta) JM and AV with F-Prot and AVG. Daily I find
multiple .vir directories in my \spool\proc directory. Why is this?

Regards,

Marcel


RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-22 Thread John Tolmachoff (Lists)
Grant, contact me off list and we can test this.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Grant Griffith
 Sent: Thursday, September 22, 2005 10:58 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted
 
 Is anyone using Declude Confirm with success in this beta version?  Was just
 curious if it is working properly now in this newer version.  I am still
 running version 2.0.6.16 as I don't have a test box to play with.  But I
 really need to get Declude Confirm working so was thinking of going with the
 beta this weekend.
 
 Thanks,
 Grant Griffith
 EI8HTLEGS, A Division of ETC
 (812)932-1000
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Thursday, September 22, 2005 10:41 AM
 To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
 Subject: [Declude.Virus] Declude Beta 3.0.4.4 Posted
 
 2 new Directives
 
 WAITFORTHREADS  1500
 Located in the Declude.cfg - Defined in milliseconds eg. 1500 = 1.5 seconds
 this can be changed so that when the maximum threads are in use this time
 specifies the wait before checking to launch more threads.
 
 WAITBETWEENTHREADS 1
 Located in the Declude.cfg - Defined in milliseconds eg. 1 = 1 millisecond
 The time to wait between spawning one thread and starting to process another
 thread.
 
 David B
 www.declude.com
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 
 
 


RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-22 Thread John Tolmachoff (Lists)
There is an issue with both Hijack and Confirm with Beta 3.0.4.4. The issue
has to do with the handling of domain aliases. Declude is aware of the issue
and is working on it.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Grant Griffith
 Sent: Thursday, September 22, 2005 10:58 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted
 
 Is anyone using Declude Confirm with success in this beta version?  Was just
 curious if it is working properly now in this newer version.  I am still
 running version 2.0.6.16 as I don't have a test box to play with.  But I
 really need to get Declude Confirm working so was thinking of going with the
 beta this weekend.
 
 Thanks,
 Grant Griffith
 EI8HTLEGS, A Division of ETC
 (812)932-1000
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Thursday, September 22, 2005 10:41 AM
 To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
 Subject: [Declude.Virus] Declude Beta 3.0.4.4 Posted
 
 2 new Directives
 
 WAITFORTHREADS  1500
 Located in the Declude.cfg - Defined in milliseconds eg. 1500 = 1.5 seconds
 this can be changed so that when the maximum threads are in use this time
 specifies the wait before checking to launch more threads.
 
 WAITBETWEENTHREADS 1
 Located in the Declude.cfg - Defined in milliseconds eg. 1 = 1 millisecond
 The time to wait between spawning one thread and starting to process another
 thread.
 
 David B
 www.declude.com
 


[Declude.Virus] VBE attachments

2005-09-20 Thread John Tolmachoff (Lists)
Everyone is banning vbe attachments, correct?

http://www.sophos.com/virusinfo/analyses/w32pegasa.html

John T
eServices For You





[Declude.Virus] blocking eml and msg attachments

2005-09-14 Thread John Tolmachoff (Lists)
What are others' thoughts on blocking eml and msg attachments?

If there is an eml or msg attachment that has an executable or virus
attachment, will Declude properly decode it and will it be scanned for
viruses and banned attachments?

John T
eServices For You




RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread John Tolmachoff (Lists)
What is the payload inside the zip?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Matt
 Sent: Monday, September 12, 2005 7:52 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Seemingly bad virus this morning
 
 FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m.
 this morning, first coming from Eastern Europe.  McAfee seems to be
 detecting all of them now, but F-Prot as of this moment is not on our
 system.  Every attachment name seemingly contained the word price.
 Here's a quick filter that I had put together for it:
 
 HEADERS END NOTCONTAINS boundary=
 BODY END NOTCONTAINS attachment; filename=
 BODY END NOTCONTAINS .zip Content-Transfer-Encoding
 BODY 15 CONTAINS price
 
 Matt


RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread John Tolmachoff (Lists)
OK, so it is a cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Dan Geiser
 Sent: Monday, September 12, 2005 11:49 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Seemingly bad virus this morning
 
 I opened the zip file and it contained one file called 1.cpl (without the
 quotes).  Some sort of malicious Control Panel applet?
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Monday, September 12, 2005 11:55 AM
 Subject: RE: [Declude.Virus] Seemingly bad virus this morning
 
 
  What is the payload inside the zip?
 
  John T
  eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  On Behalf Of Matt
  Sent: Monday, September 12, 2005 7:52 AM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] Seemingly bad virus this morning
 
  FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m.
  this morning, first coming from Eastern Europe.  McAfee seems to be
  detecting all of them now, but F-Prot as of this moment is not on our
  system.  Every attachment name seemingly contained the word price.
  Here's a quick filter that I had put together for it:
 
  HEADERS END NOTCONTAINS boundary=
  BODY END NOTCONTAINS attachment; filename=
  BODY END NOTCONTAINS .zip Content-Transfer-Encoding
  BODY 15 CONTAINS price
 
  Matt
  ---
  E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
 
 
 
 

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
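
The questions in the posts above (banning .vbe, a .cpl inside a zip, executables inside eml or msg attachments) all come down to whether a filter descends into nested containers. The following Python is an added example, not code from the list or from Declude and not a description of how Declude behaves: it walks a message, follows attached .eml files (whether sent as message/rfc822 or as a plain octet-stream) and zip members, and reports banned extensions at any depth. The ban list, the limits and the sample message are constructed assumptions; .msg is reported as opaque because the Python standard library cannot decode Outlook's format.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy for the example: the thread names .vbe and .cpl, the rest are illustrative.
BANNED_EXTS = {".vbe", ".cpl", ".exe", ".scr", ".pif"}
OPAQUE_EXTS = {".msg"}               # Outlook OLE container, not decodable with the stdlib
MAX_DEPTH = 4                        # cap on eml-in-zip-in-eml nesting
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # never inflate very large zip members


def ext_of(name):
    # "1.CPL." and "1.cpl " still open as 1.cpl on Windows, so normalise first.
    return os.path.splitext(name.strip().rstrip(". ").lower())[1]


def scan_blob(name, data, path, depth, out):
    """Check one decoded attachment or zip member and descend into containers."""
    here = f"{path}/{name or '(unnamed part)'}"
    ext = ext_of(name)
    if ext in BANNED_EXTS:
        out.append((here, "banned extension"))
    elif ext in OPAQUE_EXTS:
        out.append((here, "opaque container, contents not scanned"))
    elif ext == ".eml" or zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            out.append((here, "nesting limit reached, contents not scanned"))
        elif ext == ".eml":   # .eml sent as application/octet-stream
            scan_part(message_from_bytes(data, policy=policy.default), here, depth + 1, out)
        else:
            scan_zip(data, here, depth + 1, out)


def scan_zip(data, path, depth, out):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        out.append((path, "corrupt zip, contents not scanned"))
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Member names are readable even when the data is encrypted.
            readable = not (info.flag_bits & 0x1) and info.file_size <= MAX_MEMBER_BYTES
            before = len(out)
            scan_blob(info.filename, zf.read(info) if readable else b"", path, depth, out)
            if not readable and len(out) == before:
                out.append((f"{path}/{info.filename}",
                            "encrypted or oversized, contents not scanned"))


def scan_part(part, path, depth, out):
    if part.is_multipart():   # multipart/* or an already parsed message/rfc822
        if part.get_content_type() == "message/rfc822":
            path = f"{path}/{part.get_filename() or 'attached-message'}"
            depth += 1
        if depth > MAX_DEPTH:
            out.append((path, "nesting limit reached, contents not scanned"))
            return
        for sub in part.get_payload():
            scan_part(sub, path, depth, out)
        return
    scan_blob(part.get_filename() or "", part.get_payload(decode=True) or b"",
              path, depth, out)


def scan_message(raw_bytes):
    """Return a list of (path, reason) findings for one raw RFC 822 message."""
    out = []
    scan_part(message_from_bytes(raw_bytes, policy=policy.default), "message", 0, out)
    return out


def build_sample():
    """Constructed test message: harmless placeholder bytes under suspicious names."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("1.cpl", b"constructed placeholder, not a real applet")
    inner = EmailMessage()
    inner["Subject"] = "price list"
    inner.set_content("see attached")
    inner.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                         filename="price.zip")
    outer = EmailMessage()
    outer["Subject"] = "Fwd: price list"
    outer.set_content("forwarded")
    outer.add_attachment(inner, filename="forwarded.eml")           # message/rfc822
    outer.add_attachment(inner.as_bytes(), maintype="application",  # eml as raw bytes
                         subtype="octet-stream", filename="copy.eml")
    outer.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="update.VBE")
    outer.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="note.msg")
    return outer.as_bytes()


if __name__ == "__main__":
    for where, why in scan_message(build_sample()):
        print(f"{why}: {where}")
```
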


RE: [Declude.Virus] Sudden Internet Slowdown

2005-09-09 Thread John Tolmachoff (Lists)
Since when is Maine no longer in the Atlantic time zone? How come I did not
get the notice?

I never get the notices!

Has anyone informed the president?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darin Cox
 Sent: Friday, September 09, 2005 10:55 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Sudden Internet Slowdown
 
 You mean 4AM ET... We do have some sickos over here that get up to go to
 work then perhaps we could just send them over to you to solve this
 whole problem.  If not, perhaps we could just insert an hour between 1am
 PT/4am ET and 1:00:01am PT/4:00:01am ET.  That would fix it.
 
 Darin.
 
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Friday, September 09, 2005 1:42 PM
 Subject: RE: [Declude.Virus] Sudden Internet Slowdown
 
 
 Nope, we here on the West coast protested loudly. We clearly stated it could
 not be done before 1 AM. However, 1 AM here is 5 AM in the Atlantic time
 zone, and those people stated it must be done before 5 AM. Therefore the
 normal reboot of the Internet has been on hold for a long time until this
 dispute can be resolved.
 
 John T
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Darin Cox
  Sent: Friday, September 09, 2005 10:33 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Sudden Internet Slowdown
 
  I thought it was rebooted every night around 3 am ET...
 
  Darin.
 
 
  - Original Message -
  From: Scott Fisher [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Friday, September 09, 2005 12:01 PM
  Subject: Re: [Declude.Virus] Sudden Internet Slowdown
 
 
  You can't do an internet reboot on a Friday. You need to wait until the
  weekend.
 
  - Original Message -
  From: Matt [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Friday, September 09, 2005 10:48 AM
  Subject: Re: [Declude.Virus] Sudden Internet Slowdown
 
 
   Maybe someone should reboot the Internet.
  
   Matt
  
  
  
   Keith Johnson wrote:
  
  I am seeing this as we attempting to get to certain websites and they
  can't be displayed.
  
  Keith
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
  Sent: Friday, September 09, 2005 11:30 AM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] Sudden Internet Slowdown
  
  Hello all!
  
  This may be off topic, but has anyone else experienced a sudden Internet
  slowdown this morning starting about 11:00 EST?   We have locations across
  the country and are experiencing problems in about half our locations, most
  using SBC DSL for Internet service.  Our primary Telnet app is DOA in these
  locations and e-mail and web surfing is slow everywhere.
  
  Thanks,
  
  Rodney Bertsch
  


RE: [Declude.Virus] Sudden Internet Slowdown

2005-09-09 Thread John Tolmachoff (Lists)
NO NO NO NO

Then all of our clients will be asking us how come we have not done the work
yesterday that they asked us to do tomorrow.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darin Cox
 Sent: Friday, September 09, 2005 11:39 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Sudden Internet Slowdown
 
 Hmmm... that gets me thinking... maybe all offices should be located
 straddling the international date line.  Then if someone wants something
 done on a particular day, and you missed it, you could just walk over to the
 other side of the building, finish it, and tell them it's done.
 
 Darin.
 
 
 - Original Message -
 From: Colbeck, Andrew [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Friday, September 09, 2005 2:07 PM
 Subject: RE: [Declude.Virus] Sudden Internet Slowdown
 
 
 No problem, Darin.
 
 We'll have Newfoundland reboot it.  They're half an hour off of
 everybody else.
 
 Andrew 8)
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Friday, September 09, 2005 10:55 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Sudden Internet Slowdown
 
  You mean 4AM ET... We do have some sickos over here that get
  up to go to work then perhaps we could just send them
  over to you to solve this whole problem.  If not, perhaps we
  could just insert an hour between 1am PT/4am ET and 1:00:01am
  PT/4:00:01am ET.  That would fix it.
 
  Darin.
 
 
  - Original Message -
  From: John Tolmachoff (Lists) [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Friday, September 09, 2005 1:42 PM
  Subject: RE: [Declude.Virus] Sudden Internet Slowdown
 
 
  Nope, we here on the West coast protested loudly. We clearly stated it could
  not be done before 1 AM. However, 1 AM here is 5 AM in the Atlantic time
  zone, and those people stated it must be done before 5 AM. Therefore the
  normal reboot of the Internet has been on hold for a long time until this
  dispute can be resolved.
 
  John T
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
   On Behalf Of Darin Cox
   Sent: Friday, September 09, 2005 10:33 AM
   To: Declude.Virus@declude.com
   Subject: Re: [Declude.Virus] Sudden Internet Slowdown
  
   I thought it was rebooted every night around 3 am ET...
  
   Darin.
  
  
   - Original Message -
   From: Scott Fisher [EMAIL PROTECTED]
   To: Declude.Virus@declude.com
   Sent: Friday, September 09, 2005 12:01 PM
   Subject: Re: [Declude.Virus] Sudden Internet Slowdown
  
  
   You can't do an internet reboot on a Friday. You need to wait until the
   weekend.
  
   - Original Message -
   From: Matt [EMAIL PROTECTED]
   To: Declude.Virus@declude.com
   Sent: Friday, September 09, 2005 10:48 AM
   Subject: Re: [Declude.Virus] Sudden Internet Slowdown
  
  
Maybe someone should reboot the Internet.
   
Matt
   
   
   
Keith Johnson wrote:
   
   I am seeing this as we attempting to get to certain websites and they
   can't be displayed.
   
   Keith
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
   Sent: Friday, September 09, 2005 11:30 AM
   To: Declude.Virus@declude.com
   Subject: [Declude.Virus] Sudden Internet Slowdown
   
   Hello all!
   
   This may be off topic, but has anyone else experienced a sudden Internet
   slowdown this morning starting about 11:00 EST?   We have locations across
   the country and are experiencing problems in about half our locations, most
   using SBC DSL for Internet service.  Our primary Telnet app is DOA in these
   locations and e-mail and web surfing is slow everywhere.
   
   Thanks,
   
   Rodney Bertsch
   

RE: [Declude.Virus] Sudden Internet Slowdown

2005-09-09 Thread John Tolmachoff (Lists)
Because that then admits you knew about it tomorrow.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of David Barker
 Sent: Friday, September 09, 2005 1:26 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Sudden Internet Slowdown
 
 Andrew,
 
 Why not just give it to them yesterday ?
 
 David B
 www.declude.com
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
 Sent: Friday, September 09, 2005 4:21 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Sudden Internet Slowdown
 
 Them: When can we have it?
 
 Me: Tomorrow.
 
 Them: No, if we wanted it tomorrow, we'd ask for it tomorrow!
 
 
 Andrew 8)
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
  (Lists)
  Sent: Friday, September 09, 2005 12:39 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Sudden Internet Slowdown
 
  NO NO NO NO
 
  Then all of our clients will be asking us how come we have not done
  the work yesterday that they asked us to do tomorrow.
 
  John T
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
   On Behalf Of Darin Cox
   Sent: Friday, September 09, 2005 11:39 AM
   To: Declude.Virus@declude.com
   Subject: Re: [Declude.Virus] Sudden Internet Slowdown
  
   Hmmm... that gets me thinking... maybe all offices should be located
   straddling the international date line.  Then if someone wants
   something done on a particular day, and you missed it, you could just
   walk over to the other side of the building, finish it, and tell them
   it's done.
  
   Darin.
  
  
   - Original Message -
   From: Colbeck, Andrew [EMAIL PROTECTED]
   To: Declude.Virus@declude.com
   Sent: Friday, September 09, 2005 2:07 PM
   Subject: RE: [Declude.Virus] Sudden Internet Slowdown
  
  
   No problem, Darin.
  
   We'll have Newfoundland reboot it.  They're half an hour off of
   everybody else.
  
   Andrew 8)
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, September 09, 2005 10:55 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sudden Internet Slowdown
   
You mean 4AM ET... We do have some sickos over here that get up to
go to work then perhaps we could just send them over to you to
solve this whole problem.  If not, perhaps we could just insert an
hour between 1am PT/4am ET and 1:00:01am PT/4:00:01am ET.  That
would fix it.
   
Darin.
   
   
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, September 09, 2005 1:42 PM
Subject: RE: [Declude.Virus] Sudden Internet Slowdown
   
   
Nope, we here on the West coast protested loudly. We clearly stated
it could not be done before 1 AM. However, 1 AM here is 5 AM in the
Atlantic time zone, and those people stated it must be done before 5
AM. Therefore the normal reboot of the Internet has been on hold for a
long time until this dispute can be resolved.
   
John T
eServices For You
   
   
 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darin Cox
 Sent: Friday, September 09, 2005 10:33 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Sudden Internet Slowdown

 I thought it was rebooted every night around 3 am ET...

 Darin.


 - Original Message -
 From: Scott Fisher [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Friday, September 09, 2005 12:01 PM
 Subject: Re: [Declude.Virus] Sudden Internet Slowdown


 You can't do an internet reboot on a Friday. You need to wait until the
 weekend.

 - Original Message -
 From: Matt [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Friday, September 09, 2005 10:48 AM
 Subject: Re: [Declude.Virus] Sudden Internet Slowdown


  Maybe someone should reboot the Internet.
 
  Matt
 
 
 
  Keith Johnson wrote:
 
 I am seeing this as we attempting to get to certain websites and they
 can't be displayed.
 
 Keith
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
 Sent: Friday, September 09, 2005 11:30 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Sudden Internet Slowdown
 
 Hello all!
 
 This may be off topic, but has anyone else experienced a sudden Internet
 slowdown this morning starting about 11:00 EST?   We have locations across
 the country and are experiencing problems in about half

RE: [Declude.Virus] OT: Online file check?

2005-07-25 Thread John Tolmachoff (Lists)

While the site you are looking for is called www.virustotal.com, here are steps
you will probably have to take:

Basically what you will end up doing is first finding what the registry key for
it is, what is the actual executable name, restart the computer in safe mode,
and delete or rename the registry key, delete the executable, and possibly put
restrictive permissions on the registry key and on the directory it creates and
uses.

I have also had to use Administrators Pak by Winternals to go in and modify the
registry and delete files before when even booting to safe mode did not work.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Monday, July 25, 2005 12:05 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] OT: Online file check?

At one time I saw a post about a site that you can upload and it will scan it
with the popular scanners and check it..

I have this evil little program that I can't remove from a user's computer, and
I have done everything.. It keeps Renaming itself on termination..

It spawns under explorer, rundll32, svchost and just totally takes over, and
once it's connected to an internet connection, downloads just about every piece
of malware/spyware it can..

Thanks-

RE: [Declude.Virus] Limit Size of message to be scanned?

2005-07-08 Thread John Tolmachoff (Lists)

50 MB e-mail attachments?

Youch!

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Thursday, July 07, 2005 8:36 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Limit Size of message to be scanned?

Hello All,

Is there a way to limit the size of the message that Declude/F-Prot can scan?
We have some customers that are sending 50+ meg files and it is causing our
servers to have major issues. Is there a setting to say skip anything over a
certain size? Either in F-Prot or Declude?

We fixed it currently by setting it to OFF for certain domains, but really want
to ban extensions and vulnerabilities for those domains.

Thanks,
Grant Griffith
EI8HTLEGS, A Division of ETC
(812)932-1000

RE: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up

2005-07-08 Thread John Tolmachoff (Lists)

So the virus writer got a slap on the wrist. Boy, that will sure send a message
to would be virus writers.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, July 08, 2005 11:40 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up

Well, the speculation on whether Microsoft would make good on their bounty to
Sven Jaschan's friends is over.

http://www.f-secure.com/weblog/

Andrew 8)

RE: [Declude.Virus] viruses getting through

2005-06-08 Thread John Tolmachoff (Lists)
Declude Virus has no definitions to update.

Are you using AFTERJM ON?

Logs, what do the logs say?

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Daniel Ivey
 Sent: Wednesday, June 08, 2005 12:54 PM
 To: 'Declude.Virus@declude.com'
 Subject: [Declude.Virus] viruses getting through
 
 Greetings,
 
   Over the past 2 days, I have had some viruses get through my Declude
 Virus, with updated definitions.  Has anyone else seen this?  Also, when I
 receive an email and look at the headers of the email, I am not seeing where
 Declude Virus scanned the message.  Does anyone have any suggestions?  I am
 running version 1.82.
 
 Thanks,
 Daniel
 
 ===
 Daniel Ivey
 GCR Company / GCR Online
 Voice:  434 - 570 - 1765
 Fax:434 - 572 - 1981
 [EMAIL PROTECTED]
 


RE: [Declude.Virus] System resources

2005-06-03 Thread John Tolmachoff (Lists)

Welcome Bill.

John T
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
Sent: Friday, June 03, 2005 1:25 PM
To: Declude.Jun[EMAIL PROTECTED]; Declude.Virus@declude.com
Subject: [Declude.Virus] System resources

Hello Everyone,

I would like to introduce myself and say hello to everyone. I'm new to Declude,
having just joined last week. I'm very excited about working for Declude and
looking forward to working with you all.

We have uncovered an intermittent issue with Declude and IMail 8.2. Basically,
system resources are consumed until the system will no longer run. I want you
to know that we are aware of the situation. We are working on a solution to
this problem now and hope to have it solved in the near future. When ready we
will conduct a limited beta program. If all goes well we will provide the
solution in an interim release. I apologize for any inconvenience this may have
caused and thank you for your patience.

This is my first post here but assure you that it will not be my last.

All the best,
Bill

Bill Billman
Director of Engineering
Declude - internet security software
978.499.2933 office
603.930.4886 mobile
978.477.8930 fax
[EMAIL PROTECTED]
www.declude.com

RE: [Declude.Virus] BitDefender updates

2005-06-02 Thread John Tolmachoff (Lists)
I have verified by watching the files on my server and contacting
BitDefender support that on the Free version you must be logged into the
computer for the updates to occur.

:(

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of John Tolmachoff (Lists)
 Sent: Wednesday, June 01, 2005 7:44 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] BitDefender updates
 
 So far, it appears that the updates only take place when someone is
 actually logged in. In the last 4 days, the only time I have seen the
 modified date on the updated files was when I was logged in. I saw no
 changes in modified date when I was not logged in.
 
 John T
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of John Tolmachoff (Lists)
  Sent: Friday, May 27, 2005 4:20 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] BitDefender updates
 
  There updater is there, but like Jerry questioned does it require a user to
  be logged in?
 
  John T
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
   On Behalf Of Jerry Murdock
   Sent: Friday, May 27, 2005 7:11 AM
   To: Declude.Virus@declude.com
   Subject: RE: [Declude.Virus] BitDefender updates
  
   Have to admit this has been on my list of things to investigate as well.
  
   The auto-update is there, but looks to require the console logged in -
   but have to admit I haven't looked hard.
  
   Any luck running the update as a service or via command line?
  
   Jerry
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
   Sent: Thursday, May 26, 2005 9:52 PM
   To: John Tolmachoff (Lists)
   Subject: Re: [Declude.Virus] BitDefender updates
  
    Since it appears that the free version of BitDefender works with
    Declude, how do you go about doing updates, as it appears there is no
    auto update for the free version.
  
   There's  a nice auto-updater in MY free version. :) Maybe you have the
   wrong download. . . .
  
   --Sandy
  
  
   
   Sanford Whiteman, Chief Technologist
   Broadleaf Systems, a division of
   Cypress Integrated Systems, Inc.
   e-mail: [EMAIL PROTECTED]
   
  
   ---
   This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
   just send an E-mail to [EMAIL PROTECTED], and
   type unsubscribe Declude.Virus.The archives can be found
   at http://www.mail-archive.com.


RE: [Declude.Virus] .EML file syntax

2005-06-01 Thread John Tolmachoff \(Lists\)

And the answer is no, you cannot use
BCC, or even CC. Someone has asked before and Scott answered with the
technical explanation, which I do not remember.





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
Sent: Wednesday, June 01, 2005 6:54 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] .EML file syntax



No one seems to actually be reading the
OP. He doesn't want to do anything with any BCC's in incoming mail.
All he wants to be able to do is BCC the virus notifications to himself.
Declude has a set of .eml files that it sends out when a virus is found
(postmaster, otherpostmaster, etc). In that file, you specify who gets the
email by putting in a TO: line at the top. He was simply asking if that
file could use a BCC: line as well.
































RE: [Declude.Virus] BitDefender updates

2005-06-01 Thread John Tolmachoff \(Lists\)
So far, it appears that the updates only take place when someone is
actually logged in. In the last 4 days, the only time I have seen the
modified date on the updated files was when I was logged in. I saw no
changes in modified date when I was not logged in.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of John Tolmachoff (Lists)
 Sent: Friday, May 27, 2005 4:20 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] BitDefender updates
 
 The updater is there, but like Jerry questioned, does it require a user to
 be logged in?
 
 John T
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Jerry Murdock
  Sent: Friday, May 27, 2005 7:11 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] BitDefender updates
 
  Have to admit this has been on my list of things to investigate as well.
 
  The auto-update is there, but looks to require the console logged in -
  but have to admit I haven't looked hard.
 
  Any luck running the update as a service or via command line?
 
  Jerry
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
  Sent: Thursday, May 26, 2005 9:52 PM
  To: John Tolmachoff (Lists)
  Subject: Re: [Declude.Virus] BitDefender updates
 
   Since it appears that the free version of BitDefender works with
   Declude, how do you go about doing updates, as it appears there is no
   auto update for the free version.
 
  There's  a nice auto-updater in MY free version. :) Maybe you have the
  wrong download. . . .
 
  --Sandy
 
 
  
  Sanford Whiteman, Chief Technologist
  Broadleaf Systems, a division of
  Cypress Integrated Systems, Inc.
  e-mail: [EMAIL PROTECTED]
  
 


RE: [Declude.Virus] EXITSCANONVIRUS

2005-06-01 Thread John Tolmachoff \(Lists\)









ANYWAYS, what would be the comment from
Declude on this issue?





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Sunday, May 29, 2005 4:43 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] EXITSCANONVIRUS





Sounds good to me. I tend to think of both virus
and spam detection in the same breath, since I think they're stronger together
than separate... but you certainly have a valid point about moving code to
Junkmail...and it would seem more useful there as well.











I haven't seen the false positives you've seen with
the Outlook Boundary Space Gap vulnerability, but it may be due to a variation
in customer base. I'll check the logs and let you know what we've seen
over a similar timeframe.











Happy Memorial Day weekend! Don't forget to
spend some time with the fam.






Darin.

















- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Sunday, May 29, 2005 5:35 PM
Subject: Re: [Declude.Virus] EXITSCANONVIRUS










Darin,

My list was really only in respect to my feelings on Declude Virus and not
JunkMail. In this perspective of both however, maybe a modification where
#2 includes the potential of adding it as a test to JunkMail if it would be
beneficial, and a clarification on #3 like so:

1) Active Vulnerabilities
- Default to ON, and patch known exceptions that could be triggered by standard
E-mail clients. I would expect that such things would stay in this
category for at least a year following a patch being released for the affected
E-mail clients.

2) Inactive Vulnerabilities -
Default to OFF, don't necessarily patch issues when found (judgment
call). Add code to Declude JunkMail if useful for blocking spam.
I would expect that this category would include things that were between 1 and
3 years following a patch being issued for the affected E-mail clients.

3) Removal - Remove the code from the Declude Virus part of the executable. Depending on the
conditions related to the vulnerability; i.e. commonality in exploit, potential
for false positives, seriousness of flaw, etc., it would be prudent to remove
the code that detects such things after 2 or more years. Note that some
of these vulnerabilities have never been actively exploited by viruses.
Being conservative about leaving the code in for long periods I think is fine
because they would give people peace of mind and choice, but there is always
going to be a legitimate extent to which being conservative about things reach.

I think this reflects what you have said, and in
essence this is what I was indicating in the paragraph that followed.

I would definitely like to see the Outlook CR Vulnerability added to Declude
JunkMail as a scoreable test since it does hit on a good deal of spam, but I
won't use it in Declude Virus since I can only choose to block or pass and it
has daily issues with false positives for my customer base.

Other present vulnerabilities might not justify keeping the code however.
The Outlook Boundary Space Gap vulnerability trapped a total of 8 messages that
weren't otherwise detected as viruses on my system in a two week period of
time, covering over 1 million scanned messages. Of these 8 messages, all
8 were legitimate personal E-mails generated by Microsoft's own E-mail
clients. I think we could agree that if this is the long-term trend, this
code would be best removed or fixed instead of being added to JunkMail.

Alternatively, if this is still a threat with this one vulnerability (I don't
know), then the detection should be fixed. The false positives were all
the result of an error in Declude where the following header was properly
'folded', but Declude seemingly experienced an error in de-folding the headers
which led it to believe that there were spaces within the boundary. The 4
spaces at the beginning of the second line in this case is part of proper
header folding

Content-Type: multipart/alternative; boundary=
 _=_NextPart_001_01C55D5F.F2B051DD

This vulnerability is designed to detect spaces or
tabs within message boundaries, and apparently could be exploited to package
attachments which Outlook clients would read. The above example is not an
example of exploitable code.

RFC 2912 - http://www.faqs.org/rfcs/rfc2912.html

3.1 Whitespace and folding long headers

In some circumstances, media feature expressions can be very long. According to A Syntax for Describing Media Feature Sets [1], whitespace is allowed between lexical elements of a media feature expression. Further, RFC822/MIME [4,5] allows folding of long headers at points where whitespace appears to avoid line length restrictions. Therefore, it is recommended that whitespace is included as permitted, especially in long media feature expressions, to facilitate the folding of headers by agents that do not otherwise understand the syntax of this field.

For this to 

[Declude.Virus] New virus out?

2005-05-31 Thread John Tolmachoff \(Lists\)
One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip.

They are coming from different IPs

John T
eServices For You




RE: [Declude.Virus] New virus out?

2005-05-31 Thread John Tolmachoff \(Lists\)
Various named zip files. The D*.smd file is 26KB in length. No subject line.
Varying IP addresses and apparent forged from address. Blank HTML body.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darrell ([EMAIL PROTECTED])
 Sent: Tuesday, May 31, 2005 8:22 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] New virus out?
 
 John,
 
 What do the filenames appear to be - any pattern either filename, subject,
 body content etc?
 
 Darrell
 
 John Tolmachoff (Lists) writes:
 
  One of the servers I manage is getting hit with lots of messages being
  caught with banned exe within zip.
 
  They are coming from different IPs
 
  John T
  eServices For You
 
 
 
 
 
  
 Check out http://www.invariantsystems.com for utilities for Declude And
 Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
MRTG
 Integration, and Log Parsers.
 
 


RE: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread John Tolmachoff \(Lists\)
Since I am pressed for time and am presently unable to completely digest
what the vulnerability is and how to stop it, how can we configure our
Declude installs to protect/find/stop these messages?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Andy Schmidt
 Sent: Tuesday, May 31, 2005 11:30 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] MS05-16 Exploit
 
 Hi,
 
 Enclosed a notice for the MS05-16 Exploit.
 
 For the record:
 I'm actually in favor of using STRICT interpretation of vulnerabilities - no
 matter how seldom one might actually occur.  Whether a violation of
 standards is due to an actual virus - or just a poor mass-mailer
 application, I gladly use the reason of vulnerability of a potential virus
 to reject these messages early.
 
 As far as some features suggested here:
 
 - I do agree that it might be helpful for some people not to scan for
 viruses, if a vulnerability is found (to conserve CPU).
 
 - I do agree that there is little reason (other than statistics) to run the
 second scanner after the first scanner already found a virus.
 
 - I do agree that it is desirable for some people, if there was an option
 that would delete vulnerabilities rather than isolate them in the Virus
 folder.
 
 - I do NOT agree that Declude should NOT detect certain vulnerabilities, just
 because they only occur very rarely.
 
 
 Best Regards
 Andy Schmidt
 
 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206
 
 
  -Original Message-
  From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
  Sent: Sunday, May 29, 2005 9:31 AM
  To: Bugtraq@securityfocus.com
  Subject: Spam exploiting MS05-016
 
 
 Yesterday at least two of my spam-traps received the following message
 (I've elided the MIME boundary values just in case...):
 
Subject: We make a business offer to you
MIME-Version: 1.0
Content-type: multipart/mixed;
boundary=[...]
 
[...]
Content-Type: text/plain;
charset=Windows-1252
Content-Transfer-Encoding: 8bit
 
Hello!  It is not spam, so don't delete this message.
We have a business offer to you.
Read our offer.
You can increase the business in 1,5 times.
We hope you do not miss this information.
 
 
Best regards, Keith
 
[...]
Content-type: application/octet-stream;
name=agreement.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=agreement.zip
 
encoded ZIP file data
 
 There are a few trivial differences between the messages to the
 different addresses I checked, so don't anyone try to turn the above
 into a totally literal filtering rule...
 
 Anyway, the agreement.zip attachment held only one file, apparently
 called agreement.txt, but on closer inspection it turned out the file
 was called agreement.txt  where the apparent trailing space was
 actually a 0xFF character.  This pseudo-TXT file was, in fact, an
 OLE2 format file (originally a Word document file) with the OLE2 Root
 Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA).
 This was all done as per the description in the iDEFENSE advisory
 announcing this vulnerability:
 
http://www.idefense.com/application/poi/display?id=231type=vulns
 
 This pseudo-TXT file is an example of what is produced by the PoC
 generator posted to Bugtraq.  Oddly, that message is not archived in
 SecurityFocus' own mailing list archives, but its PoC code is listed
 with the vulnerability's BID entry:
 
http://www.securityfocus.com/bid/13132/info/
 
 That PoC may be identified from the comment at the top of its code:
 
MS05-016 POC
Made By ZwelL
[EMAIL PROTECTED]
2005.4.13
 
 Anyway, the agreement.txt  file contained a script to write a text
 file with commands and responses for use with the Windows ftp client
 via its -s option and further commands to run ftp with those scripted
 commands and then to run the executable that ftp script would cause to
 be downloaded from a Russian web site.  At the time of writing, that
 site is still up and the executable that is downloaded (a backdoor) is
 the same one that was there when the spam was first seen.
 
 If you haven't installed the MS05-016 Windows Shell patch yet:
 
http://www.microsoft.com/technet/security/bulletin/ms05-016.mspx
 
 or at least taken reasonable precautions to defang possible
 exploitation of this vulnerability (particularly through MSHTA), it
 would be  advisable to do so now.  When initially discovered, only two
 of more than 20 tested virus scanning engines detected the exploit in
 agreement.txt .  Since alerting the antivirus developer community of
 the field discovery of this exploit, a couple more big name scanners
 have added a degree of detection for this exploit, and I expect that
 number to grow as the new week dawns and new updates are pushed to
 customers.
 
 
 --
 Nick FitzGerald
 Computer Virus 
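
An attachment check for the two traits the quoted Bugtraq report describes (a ZIP member whose `.txt` extension is followed by a 0xFF byte, and OLE2 content behind a text extension), as an added example that is not part of the thread and not Declude's code. The sample archive is constructed and inert, and the function names and the set of "text" extensions are assumptions.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature
TEXT_EXTENSIONS = {"txt", "log", "csv"}          # assumption: types treated as plain text
HIDDEN_CHAR = "extension carries a hidden or non-alphanumeric character"
TYPE_MISMATCH = "text extension but OLE2 content"


def build_sample_zip():
    """Constructed, inert sample: the member holds only the OLE2 signature and padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:   # default is ZIP_STORED (no compression)
        archive.writestr("readme.txt", "plain text\n")
        archive.writestr("agreement.txtX", OLE2_MAGIC + b"\x00" * 504)
    # Swap the placeholder X for a raw 0xFF byte in the local header and the
    # central directory, so the stored name has the shape the report describes.
    return buf.getvalue().replace(b"agreement.txtX", b"agreement.txt\xff")


def split_extension(name):
    """Return (extension as stored, extension as a user would read it)."""
    stored = name.rsplit(".", 1)[1] if "." in name else ""
    shown = "".join(ch for ch in stored if ch.isascii() and ch.isalnum())
    return stored, shown.lower()


def inspect_zip(data):
    """List (member name, reasons) for every member that looks disguised."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            # Python decodes legacy ZIP names as CP437, where byte 0xFF
            # becomes U+00A0, a no-break space that renders as a blank.
            stored, shown = split_extension(info.filename)
            reasons = []
            if stored.lower() != shown:
                reasons.append(HIDDEN_CHAR)
            with archive.open(info) as member:
                head = member.read(len(OLE2_MAGIC))
            if shown in TEXT_EXTENSIONS and head == OLE2_MAGIC:
                reasons.append(TYPE_MISMATCH)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print(repr(name), "->", "; ".join(reasons))
```

Either trait alone is worth quarantining on: the first catches the disguised name whatever the content is, the second catches the content whatever the name is.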

RE: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread John Tolmachoff \(Lists\)

Putting in 2 new drives was the easy
part.



Recreating 43 websites in IIS because
the backup drive on the backup server departed for parts unknown the week
before and proceeded with the tape drive (Onstream) finally giving out a month
ago leaving my backup solution in shambles is what has been fun. Fortunately,
both the actual website data drives and their separate backups on zip disks are
fine.



When it rains it pours. I must be in Southern California.



Needless to say, I am revamping my
backup and disaster recovery solutions.





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, May 31, 2005 2:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] MS05-16 Exploit









Ok, John, get back to fixing that mirrored
drive set.











Andrew 8)














RE: [Declude.Virus] .EML file syntax

2005-05-31 Thread John Tolmachoff \(Lists\)

Not unless it has been introduced as a
feature in 2.x.





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, May 31, 2005 6:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] .EML file syntax



Hi,



I know that in an .EML file you can have a
TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or
better yet a BCC? I have not found anything in the 2.0.6 manual.





Thanx








Goran Jovanovic


The LAN Shoppe












RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-30 Thread John Tolmachoff \(Lists\)









Off the topic, but it interrupted my
work on my mail server.



Anyone ever lose both mirrored OS
drives at the same time?



FUN FUN FUN



NOT!



At least Ghost is able to read the
master.





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Sunday, May 29, 2005 4:59 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] EXITSCANONVIRUS



Thanks! The grass is cut and the friends are
already on the way over with beer and stuff to burn :)

Matt


Darin Cox wrote: 



Sounds good to me. I tend to think of both
virus and spam detection in the same breath, since I think they're stronger
together than separate... but you certainly have a valid point about moving
code to Junkmail...and it would seem more useful there as well.











I haven't seen the false positives you've seen with
the Outlook Boundary Space Gap vulnerability, but it may be due to a variation
in customer base. I'll check the logs and let you know what we've seen
over a similar timeframe.











Happy Memorial Day weekend! Don't forget to
spend some time with the fam.






Darin.

















- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Sunday, May 29, 2005 5:35 PM
Subject: Re: [Declude.Virus] EXITSCANONVIRUS










Darin,

My list was really only in respect to my feelings on Declude Virus and not
JunkMail. In this perspective of both however, maybe a modification where
#2 includes the potential of adding it as a test to JunkMail if it would be
beneficial, and a clarification on #3 like so:

1) Active Vulnerabilities
- Default to ON, and patch known exceptions that could be triggered by standard
E-mail clients. I would expect that such things would stay in this
category for at least a year following a patch being released for the affected
E-mail clients.

2) Inactive Vulnerabilities -
Default to OFF, don't necessarily patch issues when found (judgment
call). Add code to Declude JunkMail if useful for blocking spam.
I would expect that this category would include things that were between 1 and
3 years following a patch being issued for the affected E-mail clients.

3) Removal - Remove the code from the Declude Virus part of the executable. Depending on the
conditions related to the vulnerability; i.e. commonality in exploit, potential
for false positives, seriousness of flaw, etc., it would be prudent to remove
the code that detects such things after 2 or more years. Note that some
of these vulnerabilities have never been actively exploited by viruses.
Being conservative about leaving the code in for long periods I think is fine
because they would give people peace of mind and choice, but there is always
going to be a legitimate extent to which being conservative about things reach.

I think this reflects what you have said, and in
essence this is what I was indicating in the paragraph that followed.

I would definitely like to see the Outlook CR Vulnerability added to Declude
JunkMail as a scoreable test since it does hit on a good deal of spam, but I
won't use it in Declude Virus since I can only choose to block or pass and it
has daily issues with false positives for my customer base.

Other present vulnerabilities might not justify keeping the code however.
The Outlook Boundary Space Gap vulnerability trapped a total of 8 messages that
weren't otherwise detected as viruses on my system in a two week period of
time, covering over 1 million scanned messages. Of these 8 messages, all
8 were legitimate personal E-mails generated by Microsoft's own E-mail
clients. I think we could agree that if this is the long-term trend, this
code would be best removed or fixed instead of being added to JunkMail.

Alternatively, if this is still a threat with this one vulnerability (I don't
know), then the detection should be fixed. The false positives were all
the result of an error in Declude where the following header was properly
'folded', but Declude seemingly experienced an error in de-folding the headers
which led it to believe that there were spaces within the boundary. The 4
spaces at the beginning of the second line in this case is part of proper header
folding

Content-Type: multipart/alternative; boundary=
 _=_NextPart_001_01C55D5F.F2B051DD

This vulnerability is designed to detect spaces or
tabs within message boundaries, and apparently could be exploited to package
attachments which Outlook clients would read. The above example is not an
example of exploitable code.

RFC 2912 - http://www.faqs.org/rfcs/rfc2912.html

3.1 Whitespace and folding long headers

In some circumstances, media feature expressions can be very long. According to A Syntax for Describing Media Feature Sets [1], whitespace is allowed between lexical elements of a media feature expression. Further, RFC822/MIME [4,5] allows folding of long headers at points where whitespace appears to avoid line 
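
The header-folding false positive Matt describes in the message quoted in both EXITSCANONVIRUS replies above, as an added example that is not part of the thread and not Declude's code. `naive_gap_check` is a hypothetical model of the failure (raw text after `boundary=` is tested), `strict_gap_check` unfolds and parses the parameter before testing the value for spaces or tabs, and the sample headers are constructed.

```python
import re


def unfold(raw_headers):
    """Join folded header lines (RFC 2822 section 2.2.3).

    Only the line break is removed; the whitespace that started the
    continuation line stays in the unfolded header.
    """
    headers = []
    for line in raw_headers.splitlines():
        if line == "":
            break                      # a blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1] += line
        else:
            headers.append(line)
    return headers


# ';' then the parameter name, optional whitespace around '=', and either a
# quoted-string (group 1) or a bare token (group 2) as the value.
_BOUNDARY = re.compile(
    r';\s*boundary\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s;"]+))', re.IGNORECASE)


def content_type(raw_headers):
    """Return the unfolded Content-Type field body, or None if absent."""
    for header in unfold(raw_headers):
        name, _, value = header.partition(":")
        if name.strip().lower() == "content-type":
            return value
    return None


def boundary_value(raw_headers):
    """Return the boundary parameter value with quoting removed, or None."""
    value = content_type(raw_headers)
    match = _BOUNDARY.search(value) if value else None
    if not match:
        return None
    if match.group(1) is not None:
        return re.sub(r"\\(.)", r"\1", match.group(1))   # undo quoted-pairs
    return match.group(2)


def strict_gap_check(raw_headers):
    """Flag only whitespace that is part of the boundary value itself."""
    boundary = boundary_value(raw_headers)
    return boundary is not None and (" " in boundary or "\t" in boundary)


def naive_gap_check(raw_headers):
    """Hypothetical failure model: test everything after 'boundary='."""
    value = content_type(raw_headers) or ""
    pos = value.lower().find("boundary=")
    if pos < 0:
        return False
    text = value[pos + len("boundary="):].split(";")[0]
    return " " in text or "\t" in text


# Constructed samples. The first is folded after 'boundary=' the way the
# thread describes; the second has a space inside the boundary value.
FOLDED_LEGIT = ('Content-Type: multipart/alternative; boundary=\r\n'
                '    "----_=_NextPart_001_EXAMPLE"\r\n'
                'Subject: constructed sample\r\n\r\nbody\r\n')
GAP_IN_VALUE = ('Content-Type: multipart/mixed; '
                'boundary="----_=_Next Part_001_EXAMPLE"\r\n\r\n')
TAB_FOLDED_TOKEN = 'Content-Type: multipart/mixed;\r\n\tboundary=EXAMPLE123\r\n\r\n'

if __name__ == "__main__":
    for label, sample in (("folded", FOLDED_LEGIT), ("gap", GAP_IN_VALUE),
                          ("tab-folded", TAB_FOLDED_TOKEN)):
        print(label, naive_gap_check(sample), strict_gap_check(sample))
```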

RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-30 Thread John Tolmachoff \(Lists\)









Windows. Power went out, for some reason
the UPS went into shutdown mode, it appears some thing on the server hung
preventing it from shutting down before the UPS shutdown timer expired, the rest
is history. Turns out the Ghost image is inconsistent, so I am rebuilding the
OS from the ground, will try to do a restore from a backup I made of the
extracted OS partition in Ghost, not sure how that is going to go, but if not
then will have to recreate in IIS 47 web sites. Data for the sites is fine, as
that was on a pair of separate SCSI drives.



So much for getting caught up on other
work.





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Monday, May 30, 2005 6:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] EXITSCANONVIRUS





Oh man...I feel your pain! Happened
to us mid-April. Fortunately it was just after midnight on a Friday, so we
had everything back up before morning and no one noticed the interruption in
service.











Was it Windows mirroring or hardware
level?






Darin.

















- Original Message -
From: John Tolmachoff (Lists)
To: Declude.Virus@declude.com
Sent: Monday, May 30, 2005 3:30 AM
Subject: RE: [Declude.Virus] EXITSCANONVIRUS











Off the topic, but it interrupted my
work on my mail server.



Anyone ever lose both mirrored OS
drives at the same time?



FUN FUN FUN



NOT!



At least Ghost is able to read the
master.





John T

eServices For You





==










RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-30 Thread John Tolmachoff \(Lists\)

Oh, don't get me started on the ProLiant
350 with the all-in-one SCSI Controller/NIC/VGA card.



Why would anyone even ever think to
sell a server with a monstrosity like that is beyond me.





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Monday, May 30, 2005 9:46 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS



Yep, that same happened with their
hardware raid-1 on an ML 530 (a pretty up-scale server). Had one bad drive
(apparently) and the controller managed to wipe out the complete string.
The other controller channel was unaffected.



I'm pretty certain, I've seen this happen
twice (the second time I got lucky.)



Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206 















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, May 30, 2005 12:39 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS



Ouch.











We've periodically had problems with
Compaq (now HP) Proliant servers that have been mostly about the pre-failure
being too sensitive; it's now part of our best practice to keep up with driver
and ROM updates. This used to be difficult, but now HP has a ROM update
bootable ISO image we download, it detects and updates the ROMs on the
motherboard, the array cards, and the microcode on the hard drives. It's
called the Firmware Maintenance CD.











Andrew 8)





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 30, 2005 9:07 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS

Windows. Power went out, for some reason
the UPS went into shutdown mode, it appears some thing on the server hung
preventing it from shutting down before the UPS shutdown timer expired, the
rest is history. Turns out the Ghost image is inconsistent, so I am rebuilding
the OS from the ground, will try to do a restore from a backup I made of the
extracted OS partition in Ghost, not sure how that is going to go, but if not
then will have to recreate in IIS 47 web sites. Data for the sites is fine, as
that was on a pair of separate SCSI drives.



So much for getting caught up on other
work.





John T

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Monday, May 30, 2005 6:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] EXITSCANONVIRUS





Oh man...I feel your pain!
Happened to us mid-April. Fortunately it was just after midnight on a Friday, so we
had everything back up before morning and no one noticed the interruption in
service.











Was it Windows mirroring or hardware
level?






Darin.

















- Original Message -
From: John Tolmachoff (Lists)
To: Declude.Virus@declude.com
Sent: Monday, May 30, 2005 3:30 AM
Subject: RE: [Declude.Virus] EXITSCANONVIRUS











Off the topic, but it interrupted my
work on my mail server.



Anyone ever lose both mirrored OS
drives at the same time?



FUN FUN FUN



NOT!



At least Ghost is able to read the
master.





John T

eServices For You





==














RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-28 Thread John Tolmachoff \(Lists\)
Well, here is an example of what I was hoping not to see.

05/27/2005 23:35:14 Q112105DF2AB2 Vulnerability flags = 0
05/27/2005 23:35:14 Q112105DF2AB2 Outlook 'CR' vulnerability [Subject: H] in line 15
05/27/2005 23:35:15 Q112105DF2AB2 Virus scanner 1 reports exit code of 0
05/27/2005 23:35:15 Q112105DF2AB2 File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 0]
05/27/2005 23:35:36 Q112105DF2AB2 Scanned: CONTAINS A VIRUS
05/27/2005 23:35:36 Q112105DF2AB2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
05/27/2005 23:35:36 Q112105DF2AB2 Subject: How is Rebecca doing?

In this case, the subject line is the last line for the message in the
Declude Virus log in HIGH and it apparently shows that scanners 2 & 3 were
not called. If it finds a vulnerability, it still should fire the scanners
to see if one of them finds an actual virus.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of David Franco-Rocha [ Declude ]
 Sent: Friday, May 27, 2005 7:21 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] EXITSCANONVIRUS
 
 John,
 
 There is a processing loop wherein all the scanners are called in
 succession. It is independent of vulnerability checking. This directive
 merely tells Declude to break out of the external virus scanner execution
 loop. If you use this directive to exit the scanning loop on virus detection
 and (1) you have 5 scanners listed in your cfg file and (2) a virus is
 detected by the first scanner listed, then the effect is exactly the same in
 processing as if you had a single scanner listed and a virus were detected
 by that single scanner.
 
 David Franco-Rocha
 Declude Technical Support
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Friday, May 27, 2005 2:50 AM
 Subject: [Declude.Virus] EXITSCANONVIRUS
 
 
 A question about this new feature.
 
 Am I correct in thinking that as soon as a scanner reports a virus, the next
 scanner(s) in line will not be called and the message will be processed
 accordingly, and that it will not be affected by Declude first finding a
 banned attachment before having it scanned by a scanner?
 
 John T
 eServices For You
 
 
 

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
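A way to check for the situation described in this message from the log itself, as an added example (not code from the thread or from Declude): it groups Declude Virus log lines by queue ID and flags messages marked infected on a vulnerability label alone while fewer scanners ran than are configured. The line patterns are inferred from the excerpts on this page, and `configured_scanners` and the virus name `HTML/Example.A` are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample built from the log excerpts quoted on this page.
# Two entries are folded across lines the way mail clients wrapped them, and
# "HTML/Example.A" is a placeholder for the virus name redacted on the page.
SAMPLE_LOG = """\
05/27/2005 23:35:14 Q112105DF2AB2 Vulnerability flags = 0
05/27/2005 23:35:14 Q112105DF2AB2 Outlook 'CR' vulnerability [Subject: H] in line 15
05/27/2005 23:35:15 Q112105DF2AB2 Virus scanner 1 reports exit code of 0
05/27/2005 23:35:15 Q112105DF2AB2 File(s) are INFECTED [[Outlook 'CR'
Vulnerability]: 0]
05/27/2005 23:35:36 Q112105DF2AB2 Scanned: CONTAINS A VIRUS
05/27/2005 23:35:36 Q112105DF2AB2 Subject: How is Rebecca doing?
05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64;
Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanner 1: Virus=HTML/Example.A Attachment=[HTML segment] [0] O
05/02/2005 13:44:22 Q66F5EF3A00E815E6 File(s) are INFECTED [HTML/Example.A: 0]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanned: CONTAINS A VIRUS [MIME: 4 21877]
"""

# Assumed entry layout: "MM/DD/YYYY HH:MM:SS Q<queue id> <message>".
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Za-z]+) (.*)$")
EXIT_RE = re.compile(r"^Virus scanner (\d+) reports exit code of (-?\d+)")
HIT_RE = re.compile(r"^Scanner (\d+): Virus=(\S+)")
INFECTED_RE = re.compile(r"^File\(s\) are INFECTED \[(.+): \d+\]$")
VERDICT_RE = re.compile(r"^Scanned: (CONTAINS A VIRUS|Virus Free)")


def parse_entries(text):
    """Return (timestamp, queue_id, message) tuples, re-joining folded lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries:
            # No timestamp: treat as the wrapped tail of the previous entry.
            entries[-1][2] += " " + line
    return [tuple(e) for e in entries]


def is_vulnerability_label(label):
    """Assumption: vulnerability labels look like "[Outlook 'CR' Vulnerability]"."""
    return label.startswith("[") and label.rstrip("]").lower().endswith("vulnerability")


def summarize(text, configured_scanners):
    """Per queue ID: which scanners reported, the verdict, and whether to review."""
    messages = OrderedDict()
    for _ts, qid, msg in parse_entries(text):
        rec = messages.setdefault(qid, {"scanners_run": [], "virus_names": [],
                                        "infected_label": None, "verdict": None})
        m = EXIT_RE.match(msg) or HIT_RE.match(msg)
        if m and int(m.group(1)) not in rec["scanners_run"]:
            rec["scanners_run"].append(int(m.group(1)))
        m = HIT_RE.match(msg)
        if m:
            rec["virus_names"].append(m.group(2))
        m = INFECTED_RE.match(msg)
        if m:
            rec["infected_label"] = m.group(1)
        m = VERDICT_RE.match(msg)
        if m:
            rec["verdict"] = m.group(1)

    for rec in messages.values():
        label = rec["infected_label"]
        if rec["verdict"] == "Virus Free":
            rec["classification"] = "clean"
        elif rec["virus_names"]:
            rec["classification"] = "virus"
        elif label and is_vulnerability_label(label):
            rec["classification"] = "vulnerability-only"
        else:
            rec["classification"] = "unknown"
        rec["not_run"] = [n for n in range(1, configured_scanners + 1)
                          if n not in rec["scanners_run"]]
        # The case raised in the thread: marked infected on a vulnerability
        # label while some configured scanners never reported.
        rec["review"] = rec["classification"] == "vulnerability-only" and bool(rec["not_run"])
    return messages


if __name__ == "__main__":
    for qid, rec in summarize(SAMPLE_LOG, configured_scanners=3).items():
        print(qid, rec["classification"], "ran:", rec["scanners_run"],
              "not run:", rec["not_run"], "review:", rec["review"])
```

Messages with `review` set are the ones worth re-scanning by hand or checking against the virus.cfg scanner list.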


RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-28 Thread John Tolmachoff \(Lists\)
I agree with Darrell. If it contains a virus, I want it to be marked as a
virus. If it does not contain a virus, then if it contains a vulnerability
or banned extension then mark as such.

An example is that some Sober viruses also contain vulnerability. Well, I
want it labeled as a virus not vulnerability.

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darrell ([EMAIL PROTECTED])
 Sent: Saturday, May 28, 2005 10:10 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] EXITSCANONVIRUS
 
 My thoughts are this - a virus is a virus and a vulnerability is a
 vulnerability.  My expectation is that if a virus is detected then the other
 scanners will not be called.  However, if a vulnerability is detected the
 scanners will execute until such time a virus is found.
 
 Maybe two switches - EXITSCANONVULNERABILITY...
 
 However, on the grander scale of things if nothing changed on this I would
 still use EXITSCANONVIRUS as long as it observes the various delivery
 options on vulnerabilities.
 
 Darrell
 
 ---
 invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the default
 configuration. Download a copy today - http://www.invariantsystems.com
 
 
 - Original Message -
 From: Colbeck, Andrew [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Saturday, May 28, 2005 12:49 PM
 Subject: RE: [Declude.Virus] EXITSCANONVIRUS
 
 
 John, can you expand on that?
 
 In my implementation, there is no difference in message treatment if a
 vulnerability or virus is detected.  Therefore, I am happy to stop the
 virus scanning if a vulnerability is detected.  That is, as long as
 ALLOWVULNERABILITIESFROM is still respected.
 
 Of course, I've already found that these two had too many false
 positives for the safety they afford, so I've turned them off:
 
 BANPARTIAL OFF
 BANCRVIRUSES OFF
 
 which leaves me with
 
 BANCLSID ON
 
 which has never been triggered.
 
 Andrew 8)
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
 (Lists)
 Sent: Saturday, May 28, 2005 12:34 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] EXITSCANONVIRUS
 
 
 Well, here is an example of what I was hoping not to see.
 
 05/27/2005 23:35:14 Q112105DF2AB2 Vulnerability flags = 0
 05/27/2005 23:35:14 Q112105DF2AB2 Outlook 'CR' vulnerability [Subject: H] in line 15
 05/27/2005 23:35:15 Q112105DF2AB2 Virus scanner 1 reports exit code of 0
 05/27/2005 23:35:15 Q112105DF2AB2 File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 0]
 05/27/2005 23:35:36 Q112105DF2AB2 Scanned: CONTAINS A VIRUS
 05/27/2005 23:35:36 Q112105DF2AB2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
 05/27/2005 23:35:36 Q112105DF2AB2 Subject: How is Rebecca doing?
 
 In this case, the subject line is the last line for the message in the
 Declude Virus log in HIGH and it apparently shows that scanners 2 & 3
 were not called. If it finds a vulnerability, it still should fire the
 scanners to see if one of them finds an actual virus.
 
 John T
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of David Franco-Rocha [ Declude ]
  Sent: Friday, May 27, 2005 7:21 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] EXITSCANONVIRUS
 
  John,
 
  There is a processing loop wherein all the scanners are called in
  succession. It is independent of vulnerability checking. This
  directive merely tells Declude to break out of the external virus
  scanner execution loop. If you use this directive to exit the scanning
 
  loop on virus
 detection
  and (1) you have 5 scanners listed in your cfg file and (2) a virus is
 
  detected by the first scanner listed, then the effect is exactly the
  same
 in
  processing as if you had a single scanner listed and a virus were
  detected by that single scanner.
 
  David Franco-Rocha
  Declude Technical Support
 
  - Original Message -
  From: John Tolmachoff (Lists) [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Friday, May 27, 2005 2:50 AM
  Subject: [Declude.Virus] EXITSCANONVIRUS
 
 
  A question about this new feature.
 
  Am I correct in thinking that as soon as a scanner reports a virus,
  the
 next
  scanner(s) in line will not be called and the message will be
  processed accordingly, and that it will not be affected by Declude
  first finding a banned attachment before having it scanned by a
  scanner?
 
  John T
  eServices For You
 
 
 

RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-28 Thread John Tolmachoff \(Lists\)
It appears to be stopping when it finds a vulnerability and does not get
scanned for virus.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Colbeck, Andrew
 Sent: Saturday, May 28, 2005 5:58 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] EXITSCANONVIRUS
 
 ... that's reasonable, John.
 
 How does it work up to now?  If a vulnerability and a virus are
 detected, which gets reported?
 
 Andrew 8)
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
 (Lists)
 Sent: Saturday, May 28, 2005 5:17 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] EXITSCANONVIRUS
 
 
 I agree with Darrell. If it contains a virus, I want it to be marked as
 a virus. If it does not contain a virus, then if it contains a
 vulnerability or banned extension then mark as such.
 
 An example is that some Sober viruses also contain vulnerability. Well,
 I want it labeled as a virus not vulnerability.
 
 John T
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Darrell ([EMAIL PROTECTED])
  Sent: Saturday, May 28, 2005 10:10 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] EXITSCANONVIRUS
 
  My thoughts are this - a virus is a virus and a vulnerability is a
  vulnerability.  My expectation is that if a virus is detected then the other
  scanners will not be called.  However, if a vulnerability is detected
  the scanners will execute until such time a virus is found.
 
  Maybe two switches - EXITSCANONVULNERABILITY...
 
  However, on the grander scale of things if nothing changed on this I
  would still use EXITSCANONVIRUS as long as it observes the various
  delivery options on vulnerabilities.
 
  Darrell
 
  ---
  invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the
  default configuration. Download a copy today -
  http://www.invariantsystems.com
 
 
  - Original Message -
  From: Colbeck, Andrew [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Saturday, May 28, 2005 12:49 PM
  Subject: RE: [Declude.Virus] EXITSCANONVIRUS
 
 
  John, can you expand on that?
 
  In my implementation, there is no difference in message treatment if a
 
  vulnerability or virus is detected.  Therefore, I am happy to stop the
 
  virus scanning if a vulnerability is detected.  That is, as long as
  ALLOWVULNERABILITIESFROM is still respected.
 
  Of course, I've already found that these two had too many false
  positives for the safety they afford, so I've turned them off:
 
  BANPARTIAL OFF
  BANCRVIRUSES OFF
 
  which leaves me with
 
  BANCLSID ON
 
  which has never been triggered.
 
  Andrew 8)
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
  (Lists)
  Sent: Saturday, May 28, 2005 12:34 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] EXITSCANONVIRUS
 
 
  Well, here is an example of what I was hoping not to see.
 
  05/27/2005 23:35:14 Q112105DF2AB2 Vulnerability flags = 0
  05/27/2005 23:35:14 Q112105DF2AB2 Outlook 'CR' vulnerability [Subject: H] in line 15
  05/27/2005 23:35:15 Q112105DF2AB2 Virus scanner 1 reports exit code of 0
  05/27/2005 23:35:15 Q112105DF2AB2 File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 0]
  05/27/2005 23:35:36 Q112105DF2AB2 Scanned: CONTAINS A VIRUS
  05/27/2005 23:35:36 Q112105DF2AB2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
  05/27/2005 23:35:36 Q112105DF2AB2 Subject: How is Rebecca doing?
 
  In this case, the subject line is the last line for the message in the
  Declude Virus log in HIGH and it apparently shows that scanners 2 & 3
  were not called. If it finds a vulnerability, it still should fire the
  scanners to see if one of them finds an actual virus.
 
  John T
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
   On Behalf Of David Franco-Rocha [ Declude ]
   Sent: Friday, May 27, 2005 7:21 AM
   To: Declude.Virus@declude.com
   Subject: Re: [Declude.Virus] EXITSCANONVIRUS
  
   John,
  
   There is a processing loop wherein all the scanners are called in
   succession. It is independent of vulnerability checking. This
   directive merely tells Declude to break out of the external virus
   scanner execution loop. If you use this directive to exit the
   scanning
 
   loop on virus
  detection
   and (1) you have 5 scanners listed in your cfg file and (2) a virus
   is
 
   detected by the first scanner listed, then the effect is exactly the
 
   same
  in
   processing as if you had a single scanner listed and a virus were
   detected by that single scanner.
  
   David Franco-Rocha
   Declude Technical Support
  
   - Original Message -
   From: John Tolmachoff (Lists) [EMAIL

[Declude.Virus] EXITSCANONVIRUS

2005-05-27 Thread John Tolmachoff \(Lists\)
A question about this new feature. 

Am I correct in thinking that as soon as a scanner reports a virus, the next
scanner(s) in line will not be called and the message will be processed
accordingly, and that it will not be affected by Declude first finding a
banned attachment before having it scanned by a scanner?

John T
eServices For You





RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-27 Thread John Tolmachoff \(Lists\)
Thanks. Is this a configurable meaning we have to have either ON or OFF?

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of David Franco-Rocha [ Declude ]
 Sent: Friday, May 27, 2005 7:21 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] EXITSCANONVIRUS
 
 John,
 
 There is a processing loop wherein all the scanners are called in
 succession. It is independent of vulnerability checking. This directive
 merely tells Declude to break out of the external virus scanner execution
 loop. If you use this directive to exit the scanning loop on virus
detection
 and (1) you have 5 scanners listed in your cfg file and (2) a virus is
 detected by the first scanner listed, then the effect is exactly the same
in
 processing as if you had a single scanner listed and a virus were detected
 by that single scanner.
 
 David Franco-Rocha
 Declude Technical Support
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Friday, May 27, 2005 2:50 AM
 Subject: [Declude.Virus] EXITSCANONVIRUS
 
 
 A question about this new feature.
 
 Am I correct in thinking that as soon as a scanner reports a virus, the
next
 scanner(s) in line will not be called and the message will be processed
 accordingly, and that it will not be affected by Declude first finding a
 banned attachment before having it scanned by a scanner?
 
 John T
 eServices For You
 
 
 


RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-27 Thread John Tolmachoff \(Lists\)
Thanks.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of David Franco-Rocha [ Declude ]
 Sent: Friday, May 27, 2005 8:33 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] EXITSCANONVIRUS
 
 John,
 
 This setting defaults to OFF, which is the way it has been historically.
The
 only setting it actually looks for is ON. If you omit the directive
 completely from your virus.cfg file, it will be OFF.
 
 Please note that the actual directive is EXITSCANONVIRUSDETECT ON
 
 David Franco-Rocha
 Declude Technical Support
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Friday, May 27, 2005 11:17 AM
 Subject: RE: [Declude.Virus] EXITSCANONVIRUS
 
 
 Thanks. Is this a configurable meaning we have to have either ON or OFF?
 
 John T
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of David Franco-Rocha [ Declude ]
  Sent: Friday, May 27, 2005 7:21 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] EXITSCANONVIRUS
 
  John,
 
  There is a processing loop wherein all the scanners are called in
  succession. It is independent of vulnerability checking. This directive
  merely tells Declude to break out of the external virus scanner
execution
  loop. If you use this directive to exit the scanning loop on virus
 detection
  and (1) you have 5 scanners listed in your cfg file and (2) a virus is
  detected by the first scanner listed, then the effect is exactly the
same
 in
  processing as if you had a single scanner listed and a virus were
detected
  by that single scanner.
 
  David Franco-Rocha
  Declude Technical Support
 
  - Original Message -
  From: John Tolmachoff (Lists) [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Friday, May 27, 2005 2:50 AM
  Subject: [Declude.Virus] EXITSCANONVIRUS
 
 
  A question about this new feature.
 
  Am I correct in thinking that as soon as a scanner reports a virus, the
 next
  scanner(s) in line will not be called and the message will be processed
  accordingly, and that it will not be affected by Declude first finding a
  banned attachment before having it scanned by a scanner?
 
  John T
  eServices For You
 
 
 


RE: [Declude.Virus] BitDefender updates

2005-05-27 Thread John Tolmachoff \(Lists\)
Their updater is there, but like Jerry questioned does it require a user to
be logged in?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Jerry Murdock
 Sent: Friday, May 27, 2005 7:11 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] BitDefender updates
 
 Have to admit this has been on my list of things to investigate as well.
 
 The auto-update is there, but looks to require the console logged in -
 but have to admit I haven't looked hard.
 
 Any luck running the update as a service or via command line?
 
 Jerry
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
 Sent: Thursday, May 26, 2005 9:52 PM
 To: John Tolmachoff (Lists)
 Subject: Re: [Declude.Virus] BitDefender updates
 
  Since it appears that the free version of BitDefender works with
  Declude, how do you go about doing updates, as it appears there is no
  auto update for the free version.
 
 There's  a nice auto-updater in MY free version. :) Maybe you have the
 wrong download. . . .
 
 --Sandy
 
 
 
 Sanford Whiteman, Chief Technologist
 Broadleaf Systems, a division of
 Cypress Integrated Systems, Inc.
 e-mail: [EMAIL PROTECTED]
 
 


RE: [Declude.Virus] BANZIPEXTS

2005-05-26 Thread John Tolmachoff \(Lists\)
It will only ban those listed with BANEXT, unless you are also using BANEXT ZIP.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Fisher
Sent: Thursday, May 26, 2005 1:02 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] BANZIPEXTS

If you are using BANZIPEXTS ON will it only stop zip files that match names in BANEXT or will it stop all zip files.

Kyle

[Declude.Virus] BitDefender updates

2005-05-26 Thread John Tolmachoff \(Lists\)
Since it appears that the free version of BitDefender works with Declude,
how do you go about doing updates, as it appears there is no auto update for
the free version.

Also, is any one using the standard version and if so is the command line
the same?

John T
eServices For You





[Declude.Virus] Sober.o and Yahoo

2005-05-04 Thread John Tolmachoff \(Lists\)
Yahoo is accepting e-mail to user infected with the Sober.o virus and then
sending a bounce to the forged address saying the message can not be
delivered for user over quota.

Now, how funny is that?

John T
eServices For You




[Declude.Virus] I hate Sober.o

2005-05-04 Thread John Tolmachoff \(Lists\)
One of the addresses it is using as the forged from address is the
postmaster address of one of my major clients.

I have received over 50 failure to deliver notices to that address from
all kinds of domains including AOL since noon today.

That means there are still way too many e-mail servers out there not using
Declude Virus.

Gr

John T
eServices For You





RE: [Declude.Virus] F-Prot and HTML object exploit

2005-05-03 Thread John Tolmachoff \(Lists\)
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
  
  
  Question: Are you all running the latest v3.16b?
  
  I can't see any appearance of HTML/ObjData in the entire current
  logfile, but I'm still running 3.16a
  
  Markus
  
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John
  Tolmachoff (Lists)
  Sent: Monday, May 02, 2005 7:47 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] F-Prot and HTML object exploit
  
  It appears that something has updated on F-Prot in the last hour.
  Now, a lot of outbound HTML e-mails are being flagged by F-Prot as
  having the HTML object exploit. Running the file on
  www.virustotal.com shows clean.
  
  Any one else seeing problems?
  
  For now, as I am at a client, I have turned off F-Prot scanning
  relying on AVG.
  
  John T
  eServices For You
  
  
  


[Declude.Virus] SKIPIFFILE

2005-05-03 Thread John Tolmachoff \(Lists\)
Is there a SKIPIFFILE similar to SKIPIFEXT for use in the BANNotify.eml
file?

John T
eServices For You





[Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread John Tolmachoff \(Lists\)
It appears that something has updated on F-Prot in the last hour. Now, a lot
of outbound HTML e-mails are being flagged  by F-Prot as having the HTML
object exploit. Running the file on www.virustotal.com shows clean.

Any one else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on
AVG.

John T
eServices For You





RE: [Declude.Virus] Viruses appearing to be getting through...

2005-05-02 Thread John Tolmachoff \(Lists\)
I saw a big bunch about 2 hours ago that were stopped by banned zip
extensions. 

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Chuck Schick
 Sent: Monday, May 02, 2005 10:58 AM
 To: Declude. Virus
 Subject: [Declude.Virus] Viruses appearing to be getting through...
 
 I am seeing several files getting through that appear to have viruses
 attached as zip files.  I am running Declude with F-Prot.  We ban
encrypted
 zips and I have error code 8 included.  Anyone else seeing this behavior?
 Here is part of the log.
 
 
 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 


RE: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread John Tolmachoff \(Lists\)
I saw it start at about 10:00 AM PDT.

Someone please contact F-Prot. I would but I am at a client trying to recover data from a failed hard drive. Fun.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Hickey
Sent: Monday, May 02, 2005 11:14 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

I am having the same problems here. It all started around 12:30 Central time...

Don

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 12:56 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

John,

Thanks a bunch for pointing this out. I have found two of these in the
last hour that are tagging what appears to be legitimate E-mail, both from
the same person. This is gatewayed E-mail:

05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: [text/html][quoted-printable; Length=6657 Checksum=558425]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 Found potentially dangerous stuff in F:\D66F5EF3A00E815E6.vir\0.!
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image001.jpg [base64; Length=11748 Checksum=1305364]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image002.gif [base64; Length=2184 Checksum=243507]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
05/02/2005 13:44:22 Q66F5EF3A00E815E6 File(s) are INFECTED [HTML/[EMAIL PROTECTED]: 0]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting file with virus
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting E-mail with virus!
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanned: CONTAINS A VIRUS [MIME: 4 21877]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Subject: RE: NCC Docket 2005 - 2

It looks like turning F-Prot off might be a good idea,
or at least configuring it to not delete viruses.

Matt

John Tolmachoff (Lists) wrote:

 It appears that something has updated on F-Prot in the last hour. Now, a lot
 of outbound HTML e-mails are being flagged by F-Prot as having the HTML
 object exploit. Running the file on www.virustotal.com shows clean.
 
 Any one else seeing problems?
 
 For now, as I am at a client, I have turned off F-Prot scanning relying on
 AVG.
 
 John T
 eServices For You

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/

RE: [Declude.Virus] Viruses appearing to be getting through...

2005-05-02 Thread John Tolmachoff \(Lists\)
Mine has the 01:32 PM time stamp and the last update time was at 10:00 AM
which is after when I saw the problem, so I would have to say the 01:32 time
stamp is the problem one.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Colbeck, Andrew
 Sent: Monday, May 02, 2005 11:38 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
 
 F-Prot may have already fixed their pattern file.  My current sign.def
 is timestamped:
 
 05/02/2005  03:53 AM
 
 and checking their website and downloading the current version manually
 shows that the current version is:
 
 05/02/2005  01:32 PM
 
 Can anybody with the issue confirm which pattern file they are using
 that has the problem?
 
 Andrew 8)
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Monday, May 02, 2005 11:20 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Viruses appearing to be getting through...
 
 
 Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV
 (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot
 (although I have F-Prot updates disabled for now, until they get their
 problem with HTML/[EMAIL PROTECTED] fixed).
 
 Bill
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Monday, May 02, 2005 11:11 AM
 Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
 
 
 I saw a big bunch about 2 hours ago that were stopped by banned zip
 extensions.
 
  John T
  eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  On Behalf Of Chuck Schick
  Sent: Monday, May 02, 2005 10:58 AM
  To: Declude. Virus
  Subject: [Declude.Virus] Viruses appearing to be getting through...
 
  I am seeing several files getting through that appear to have viruses
  attached as zip files.  I am running Declude with F-Prot.  We ban encrypted
  zips and I have error code 8 included.  Anyone else seeing this behavior?
  Here is part of the log.
 
  05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
  05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
 
  Chuck Schick
  Warp 8, Inc.
  (303)-421-5140
  www.warp8.com
 
  ---
  This E-mail came from the Declude.Virus mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.Virus.The archives can be found
  at http://www.mail-archive.com.
 


RE: [Declude.Virus] Adobe PDF embedded attachment

2005-04-26 Thread John Tolmachoff \(Lists\)
Is it possible in the first place for malicious or executable code to occur
in a PDF?

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Markus Gufler
 Sent: Tuesday, April 26, 2005 10:40 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Adobe PDF embedded attachemt
 
 
  Although Adobe recommends enabling scanning all file types in
  order to scan a PDF (and ass/u/me'ing its embedded contents
  as well), an AV scanner is not currently going to be able to
  scan this encrypted content until the content has been
  rendered/unencrypted at the desktop.
 
 Is there any info from Adobe or any AV-company about the ability/possibility
 to scan and detect such encrypted content.
 
 If there is any possibility to detect encrypted PDFs I think declude should
 be prepared to add BANEXT ePDF to the config file before there will appear
 the first worms...
 
 At this point maybe I can place also the feature request that we can block
 certain (archiving) file types if they have a small size and a suspicious
 file inside. For example all ZIP-files below 100 kB and any executable file
 inside. This should help to block new virus variants until there are
 available appropriate signatures from the AV-companies. I'm not 100% sure
 but I can't imagine why someone should send a legit zip-file having a small
 executable inside.
 
 Markus
 
 


RE: [Declude.Virus] How to check VIRUSCODEs

2005-04-21 Thread John Tolmachoff \(Lists\)
Encrypted zip containing an exe and zip extension was changed.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 21, 2005 9:21 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] How to check VIRUSCODEs

John,

If you don't mind sharing, what was the issue that you had last week with
F-Prot throwing a code 8 on legitimate E-mail? Or did I get that wrong?

Thanks,

Matt

John Tolmachoff (Lists) wrote:

From my understanding is that code 8 means the file is suspect but does not
exactly match a known pattern in the definition file. It is not automatically
flagged for encrypted zips.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, April 20, 2005 8:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] How to check VIRUSCODEs

What you have means that a matching virus code was found for each
scanner. If a scanner throws a code besides one that you specify, it will
be logged in much the same way that the virus is shown. The following is
exactly what F-Prot will show when it throws a code of 8 and when you aren't
configured to tag that as a virus:

 04/20/2005 00:28:37 Qda6b06e0014e9ee2 Error 8 in virus scanner 1.

We're going on 5 or 6 days now where F-Prot has been throwing a Virus Code 8
for some newer Bagle variants, and it is starting to look more and more like
this is purposeful, though if so it would also be short-sighted. Maybe
someone should contact F-Prot and ask for an explanation and indicate that it
would be helpful not to mix the codes like this for known viruses.
Apparently Virus Code 8 can hit non-viruses, and I think it will throw that
code when it detects an encrypted zip of any sort, but I'm not certain about
that either. I would certainly prefer to not have to rely on Virus Code 8
in F-Prot because I don't want to be deleting E-mail that doesn't contain a
virus and where Declude offers better granularity (such as only banning
encrypted zips with a banned extension within it).

Has anyone contacted F-Prot?

Matt



Goran Jovanovic wrote:

This was originally a thread from the Junkmail list but I am moving it over to
the virus list.

 Check your virus log and you may see some code 8
 errors in it. Adding viruscode 8 will at least stop them.

How do you see if there are any code 8s in the virus log file. I use F-Prot and
McAfee. My viruscodes for F-Prot are 3 and 6 and for McAfee is only 13

An example of a virus

04/20/2005 05:03:10 Q1AB803D9008C6B32 MIME file: demo.exe [base64; Length=40800 Checksum=4318001]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Banning file with exe extension [application/x-msdownload].
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: Virus= W32/Plexus.G Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 2: Virus= the MultiDropper-KR trojan !!! Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) are INFECTED [ W32/Plexus.G: 13]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanned: CONTAINS A VIRUS [MIME: 2 40959]
04/20/2005 05:03:10 Q1AB803D9008C6B32 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 213.59.118.9]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Subject: Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...

The only thing that I see that resembles my viruscodes is the line File(s) are
INFECTED [ W32/Plexus.G: 13] and the 13 in this line is from McAfee (scanner2).
I do not see any result from F-Prot (scanner1).

I am logging on high. Am I missing something here?

 Goran Jovanovic
 The LAN Shoppe

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Tyler Jensen
 Sent: Wednesday, April 20, 2005 8:22 PM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] New Spam or Virus!!
 
 I had something similar over the weekend. Standard zip file. If you are
 using F-Prot you may want to add VirusCode 8 to the config. This will stop
 them as Unknown Virus. Check your virus log and you may see some code 8
 errors in it. Adding viruscode 8 will at least stop them.
 
 Outside of email NAV was calling it Trojan.Tooso.H and F-Prot was calling
 it w32/mitglieder.c. I submitted my findings to Declude support earlier in
 the week and spoke with someone yesterday. Sent the file to him and he
 said the AVG called it a Bagle of some sort.
 
 What is strange is outside of email, f-prot was detecting it. But without
 viruscode 8, nothing.
 
 Tyler
 
 -- Original Message --
 From: Chuck Schick [EMAIL PROTECTED]
 Reply-To: Declude.JunkMail@declude.com
 Date: Wed, 20

RE: [Declude.Virus] How to check VIRUSCODEs

2005-04-20 Thread John Tolmachoff \(Lists\)
From my understanding is that code 8 means the file is suspect but does not
exactly match a known pattern in the definition file. It is not automatically
flagged for encrypted zips.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, April 20, 2005 8:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] How to check VIRUSCODEs



What you have means that a matching virus code was found for each
scanner. If a scanner throws a code besides one that you specify, it will
be logged in much the same way that the virus is shown. The following is
exactly what F-Prot will show when it throws a code of 8 and when you aren't
configured to tag that as a virus:

 04/20/2005 00:28:37 Qda6b06e0014e9ee2 Error 8 in virus scanner 1.

We're going on 5 or 6 days now where F-Prot has been throwing a Virus Code 8
for some newer Bagle variants, and it is starting to look more and more like
this is purposeful, though if so it would also be short-sighted. Maybe
someone should contact F-Prot and ask for an explanation and indicate that it
would be helpful not to mix the codes like this for known viruses.
Apparently Virus Code 8 can hit non-viruses, and I think it will throw that
code when it detects an encrypted zip of any sort, but I'm not certain about
that either. I would certainly prefer to not have to rely on Virus Code 8
in F-Prot because I don't want to be deleting E-mail that doesn't contain a
virus and where Declude offers better granularity (such as only banning encrypted
zips with a banned extension within it).

Has anyone contacted F-Prot?

Matt



Goran Jovanovic wrote:

This was originally a thread from the Junkmail list but I am moving it over to
the virus list.

 Check your virus log and you may see some code 8
 errors in it. Adding viruscode 8 will at least stop them.

How do you see if there are any code 8s in the virus log file. I use F-Prot and
McAfee. My viruscodes for F-Prot are 3 and 6 and for McAfee is only 13

An example of a virus

04/20/2005 05:03:10 Q1AB803D9008C6B32 MIME file: demo.exe [base64; Length=40800 Checksum=4318001]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Banning file with exe extension [application/x-msdownload].
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: Virus= W32/Plexus.G Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 2: Virus= the MultiDropper-KR trojan !!! Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) are INFECTED [ W32/Plexus.G: 13]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanned: CONTAINS A VIRUS [MIME: 2 40959]
04/20/2005 05:03:10 Q1AB803D9008C6B32 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 213.59.118.9]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Subject: Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...

The only thing that I see that resembles my viruscodes is the line File(s) are
INFECTED [ W32/Plexus.G: 13] and the 13 in this line is from McAfee (scanner2).
I do not see any result from F-Prot (scanner1).

I am logging on high. Am I missing something here?

 Goran Jovanovic
 The LAN Shoppe

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Tyler Jensen
 Sent: Wednesday, April 20, 2005 8:22 PM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] New Spam or Virus!!
 
 I had something similar over the weekend. Standard zip file. If you are
 using F-Prot you may want to add VirusCode 8 to the config. This will stop
 them as Unknown Virus. Check your virus log and you may see some code 8
 errors in it. Adding viruscode 8 will at least stop them.
 
 Outside of email NAV was calling it Trojan.Tooso.H and F-Prot was calling
 it w32/mitglieder.c. I submitted my findings to Declude support earlier in
 the week and spoke with someone yesterday. Sent the file to him and he
 said the AVG called it a Bagle of some sort.
 
 What is strange is outside of email, f-prot was detecting it. But without
 viruscode 8, nothing.
 
 Tyler
 
 -- Original Message --
 From: Chuck Schick [EMAIL PROTECTED]
 Reply-To: Declude.JunkMail@declude.com
 Date: Wed, 20 Apr 2005 18:05:08 -0600
 
 Starting to see messages that have a zip attachment with the format 5.zip
 or 7.zip - I do not know if it is spam or a virus. Anyone else seeing
 this? Virus scanner is not catching it so I do not know if it is a virus
 or not.
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 
 ---
 This E-mail came from the Declude.JunkMail mailing list. To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail. The archives can be

RE: [Declude.Virus] Another new virus

2005-04-18 Thread John Tolmachoff \(Lists\)
Looks like another outbreak in progress.

File appears to be your_text . zip without the spaces.

Appears to be another MyTob.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Colbeck, Andrew
 Sent: Friday, April 15, 2005 3:14 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Another new virus
 
 I've seen one sample in the last few minutes.  It arrives as jokes.zip, and
 www.virustotal.com describes the enclosed 123456.exe as:
 
 This is a report processed by VirusTotal on 04/16/2005 at 00:11:32 (CET) after
 scanning the file 123456.exe file.
 
 Antivirus    Version         Update      Result
 AntiVir      6.30.0.7        04.15.2005  no virus found
 AVG          718             04.15.2005  no virus found
 BitDefender  7.0             04.15.2005  BehavesLike:Win32.SiteHijack
 ClamAV       devel-20050307  04.15.2005  Worm.Bagle.BB
 DrWeb        4.32b           04.15.2005  Win32.HLLM.Beagle.37888
 eTrust-Iris  7.1.194.0       04.15.2005  Win32/Glieder.T!Trojan
 eTrust-Vet   11.7.0.0        04.15.2005  no virus found
 Fortinet     2.51            04.15.2005  no virus found
 F-Prot       3.16b           04.15.2005  no virus found
 Ikarus       2.32            04.15.2005  Email-Worm.Win32.Bagle.pac
 Kaspersky    4.0.2.24        04.16.2005  Email-Worm.Win32.Bagle.pac
 McAfee       4470            04.15.2005  W32/[EMAIL PROTECTED]
 NOD32v2      1.1064          04.15.2005  Win32/TrojanDownloader.Small.ZL
 Norman       5.70.10         04.14.2005  W32/Downloader
 Panda        8.02.00         04.15.2005  W32/Bagle.CA.worm
 Sybari       7.5.1314        04.15.2005  Troj/BagleDl-N
 Symantec     8.0             04.15.2005  Trojan.Tooso.F
 VBA32        3.10.3          04.15.2005  Email-Worm.Win32.Bagle.pac
 
 VirusTotal is a free service offered by Hispasec Sistemas. There are no
 guarantees about the availability and continuity of this service. Although the
 detection rate afforded by the use of multiple antivirus engines is far
 superior to that offered by just one product, these results DO NOT guarantee
 the harmlessness of a file. Currently, there is not any solution that offers a
 100% effectiveness rate for detecting viruses and malware.
 
 www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail [EMAIL PROTECTED]
 
 Andrew 8)
 
 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of John Tolmachoff (Lists)
 Sent: Friday, April 15, 2005 2:33 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Another new virus
 
 
 I am getting lots of banned attachment notices and lots of bounces in the
 last 90 minutes.
 
 THANKFULLY, I am blocking zip files which contain executables otherwise
 these would have all been delivered to users.
 
 Any one have an idea of what this one is, it is kind of acting like Bagle.
 
 John T
 eServices For You
 
 


[Declude.Virus] Another new virus

2005-04-15 Thread John Tolmachoff \(Lists\)
I am getting lots of banned attachment notices and lots of bounces in the
last 90 minutes.

THANKFULLY, I am blocking zip files which contain executables otherwise
these would have all been delivered to users.

Any one have an idea of what this one is, it is kind of acting like Bagle.

John T
eServices For You




[Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread John Tolmachoff \(Lists\)
I sent an encrypted zip file out, changing the .zip to ._ip. F-prot scanned
it and returned code 8, so Declude dutifully tagged it as infected.

Virus Code 8 means suspect, correct?

If this is what F-Prot is going to do, we need to rethink having
users/clients rename files.

04/14/2005 09:04:54.958 Q949B0A0BD0F1 [392] 0 - filename._ip
04/14/2005 09:04:54.958 Q949B0A0BD0F1 [392] Scanning files (2 scanners)
04/14/2005 09:04:54.973 Q949B0A0BD0F1 [392] Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt F:\SPOOL\D949B0~1.VIR\
04/14/2005 09:04:54.973 Q949B0A0BD0F1 [392] Waiting for free processes [20 fpcmd.exe]
04/14/2005 09:04:54.973 Q949B0A0BD0F1 [392] Done waiting for free processes [0].
04/14/2005 09:04:54.973 Q949B0A0BD0F1 [392] Virus Scanner Started: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt F:\SPOOL\D949B0~1.VIR\
04/14/2005 09:04:55.067 Q949B0A0BD0F1 [392] Scanning Time: 109ms [kernel=31 user=78]
04/14/2005 09:04:55.067 Q949B0A0BD0F1 [392] Virus scanner 1 reports exit code of 8

John T
eServices For You
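
One way to answer the "how do you see if there are any code 8s in the virus log" question from these threads, as an added Python example that is not Declude's or any poster's code: it reads the two exit-code line formats quoted in the posts and lists scanner codes that are not configured as VIRUSCODEs, together with the message's final verdict. The queue IDs and log lines are constructed, the function name is hypothetical, and treating exit code 0 as clean is an assumption.

```python
import re

# Line prefix: date, time (optional milliseconds), queue ID, optional [thread id].
PREFIX = re.compile(
    r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d(?:\.\d+)? (Q[0-9A-Za-z]+) (?:\[\d+\] )?(.*)$"
)
# The two exit-code line formats quoted in the threads.
ERROR_LINE = re.compile(r"Error (?P<code>\d+) in virus scanner (?P<scanner>\d+)")
EXIT_LINE = re.compile(
    r"Virus scanner (?P<scanner>\d+) reports exit code of (?P<code>\d+)"
)
VERDICT_LINE = re.compile(r"Scanned: (Virus Free|CONTAINS A VIRUS)")

# Constructed sample built from the line formats quoted in the posts.
SAMPLE_LOG = """\
04/20/2005 00:28:37 QAAAA0001 MIME file: 5.zip [base64; Length=53728 Checksum=1]
04/20/2005 00:28:37 QAAAA0001 Error 8 in virus scanner 1.
04/20/2005 00:28:38 QAAAA0001 Scanned: Virus Free [MIME: 2 53979]
04/20/2005 09:04:55.067 QAAAA0002 [392] Virus scanner 1 reports exit code of 3
04/20/2005 09:04:55.070 QAAAA0002 [392] Scanned: CONTAINS A VIRUS [MIME: 2 40959]
04/20/2005 09:10:00.001 QAAAA0003 [392] Virus scanner 2 reports exit code of 0
04/20/2005 09:10:00.002 QAAAA0003 [392] Virus scanner 1 reports exit code of 8
"""


def unflagged_codes(lines, viruscodes, clean_codes=frozenset({0})):
    """Return (queue_id, scanner, code, verdict) for every scanner exit code
    that is neither clean nor listed as a VIRUSCODE for that scanner.

    viruscodes maps scanner number -> set of configured codes.
    clean_codes is an assumption: exit code 0 means nothing was found.
    """
    messages = {}  # queue ID -> {"codes": [(scanner, code)], "verdict": str|None}
    for line in lines:
        match = PREFIX.match(line.strip())
        if not match:
            continue
        queue_id, rest = match.groups()
        entry = messages.setdefault(queue_id, {"codes": [], "verdict": None})
        hit = ERROR_LINE.search(rest) or EXIT_LINE.search(rest)
        if hit:
            entry["codes"].append((int(hit["scanner"]), int(hit["code"])))
            continue
        verdict = VERDICT_LINE.search(rest)
        if verdict:
            entry["verdict"] = verdict.group(1)

    findings = []
    for queue_id, entry in messages.items():
        for scanner, code in entry["codes"]:
            if code in clean_codes or code in viruscodes.get(scanner, set()):
                continue
            findings.append((queue_id, scanner, code, entry["verdict"]))
    return findings


if __name__ == "__main__":
    # Configuration described in the thread: F-Prot (scanner 1) codes 3 and 6,
    # McAfee (scanner 2) code 13.
    configured = {1: {3, 6}, 2: {13}}
    for finding in unflagged_codes(SAMPLE_LOG.splitlines(), configured):
        print("queue=%s scanner=%d code=%d verdict=%s" % finding)
```

A finding whose verdict is "Virus Free" is a message that was delivered even though a scanner returned a code outside the configured list, which is the case the posters were chasing.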




RE: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread John Tolmachoff \(Lists\)
 John,
 
 I know that you don't follow this logic, but banning regular zips is
 extreme and unnecessary IMO.  Declude will scan any attachment

Matt, my original post said encrypted zips. This was an encrypted zip and
contained an executable.

I do not ban regular zips unless they contain an executable.

This zip has to go out encrypted.

John T
eServices For You




RE: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread John Tolmachoff \(Lists\)
I guess my question is what has changed in F-Prot and is any one else seeing
this? F-Prot was not tagging these before?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 14, 2005 11:13 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot tagging zips as code 8

My fault for the misread, but I also addressed the issue regardless. Remove
VIRUS CODE 8 from your config if you don't want for this to happen.

Matt

John Tolmachoff (Lists) wrote:

 John,
 
 I know that you don't follow this logic, but banning regular zips is
 extreme and unnecessary IMO. Declude will scan any attachment

Matt, my original post said encrypted zips. This was an encrypted zip and
contained an executable.

I do not ban regular zips unless they contain an executable.

This zip has to go out encrypted.

John T
eServices For You

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/

[Declude.Virus] Possible new virus?

2005-04-14 Thread John Tolmachoff \(Lists\)
I have seen in the last hour 4 e-mails blocked for [RAR-EXE] and each one
had a blank subject line.

Each one also had the recipient's user part of the e-mail address as the
sender's user part of the e-mail address.

John T
eServices For You





RE: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread John Tolmachoff \(Lists\)
The thing is, it used to work as I have done that before. Renaming the file is
only to bypass the banned extension. The file is still scanned. However, F-Prot
never stopped it as code 8 before.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, April 14, 2005 11:57 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot tagging zips as code 8

John, I don't think you mention what kind of file was in your encrypted zip. I
just took a try at repeating the test as it may be applicable to my own
environment.

I block encrypted banned extensions with:

BANEZIPEXTS ON

and .doc file is not in my list of banned extensions, just the usual executable
extension. I also use return code 8 with my f-prot.

I sent a zip file with a single password protected MS Word .doc file (using the
standard zip password scheme) using a non-trivial password in case there is
password guessing involved. No problem, it came through Declude just fine.

I then renamed the zip file to blahblah._ip and sent the test message again. No
problem, it came through just fine.

If you're talking about sending executables, then I'm not worried about whether
F-Prot returns code 8 (suspicious file) or whether BANEZIPEXTS ON catches, as I
expect to catch these. This is acceptable in my corporate environment.

We have never advised people to rename files in order to work around our
antivirus software, but they've always tried! They've also always failed, as
our internal software (Trend Micro) does not trust extensions as file-type
identification.

I hope that helps,

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, April 14, 2005 11:33 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot tagging zips as code 8

I guess my question is what has changed in F-Prot and is any one else seeing
this? F-Prot was not tagging these before?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 14, 2005 11:13 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot tagging zips as code 8

My fault for the misread, but I also addressed the issue regardless. Remove
VIRUS CODE 8 from your config if you don't want for this to happen.

Matt

John Tolmachoff (Lists) wrote:

 John,
 
 I know that you don't follow this logic, but banning regular zips is
 extreme and unnecessary IMO. Declude will scan any attachment

Matt, my original post said encrypted zips. This was an encrypted zip and
contained an executable.

I do not ban regular zips unless they contain an executable.

This zip has to go out encrypted.

John T
eServices For You

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
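
The content-based checks discussed in this thread (recognising a zip by its header rather than its extension, spotting encrypted members, and looking for executable names inside), as an added Python example that is not Declude's or any poster's code. The extension list, verdict names and both helper functions are assumptions, and the archives are constructed in memory with only the encryption flag set.

```python
import io
import os
import zipfile

# Assumed policy values: the posts name only "executable" extensions and a
# 100 kB size threshold for small archives.
BANNED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
SMALL_ZIP_LIMIT = 100 * 1024
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive


def inspect_attachment(filename, data):
    """Classify one attachment by its content, not by its file name."""
    report = {"is_zip": False, "renamed": False, "encrypted": [],
              "banned": [], "verdict": "scan"}
    if not data.startswith(ZIP_MAGICS):
        return report
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Starts like a zip but cannot be listed, so nothing inside was checked.
        report["verdict"] = "unscannable"
        return report
    report["is_zip"] = True
    # A zip header under any other extension (for example ._ip) was renamed.
    report["renamed"] = not filename.lower().endswith(".zip")
    for info in archive.infolist():
        # Bit 0 of the general-purpose flags marks an encrypted member. With
        # standard zip password protection the member names in the central
        # directory stay readable, which is what lets a filter apply an
        # extension ban to an archive it cannot decrypt.
        if info.flag_bits & 0x1:
            report["encrypted"].append(info.filename)
        if os.path.splitext(info.filename)[1].lower() in BANNED_EXTS:
            report["banned"].append(info.filename)
    if report["banned"] and (report["encrypted"] or len(data) < SMALL_ZIP_LIMIT):
        report["verdict"] = "block"        # banned name in encrypted or small zip
    elif report["encrypted"]:
        report["verdict"] = "unscannable"  # scanner cannot see the content
    return report


def build_sample_zip(member_name, payload, encrypted=False):
    """Build a constructed test archive in memory (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted members, so only the flag bit is set:
        # offset 6 in the local header, offset 8 in the central directory entry.
        raw[6] |= 0x01
        central = raw.find(b"PK\x01\x02")
        raw[central + 8] |= 0x01
    return bytes(raw)


if __name__ == "__main__":
    samples = [
        ("filename._ip", build_sample_zip("setup.exe", b"constructed", True)),
        ("report.zip", build_sample_zip("report.doc", b"constructed", True)),
        ("jokes.zip", build_sample_zip("123456.exe", b"constructed")),
        ("note.txt", b"plain text"),
    ]
    for name, data in samples:
        print(name, inspect_attachment(name, data))
```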

RE: [Declude.Virus] Declude and Linux?

2005-03-30 Thread John Tolmachoff \(Lists\)
I bet Scott is smirking reading that and if Len saw it look out.

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Dan Horne
 Sent: Wednesday, March 30, 2005 2:06 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Declude and Linux?
 
 I'd definitely like to see Declude plug into postfix.  But then wouldn't
 that be kind of like Len and Scott holding hands?  ~Shudder~
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha
 Sent: Wednesday, March 30, 2005 4:52 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Declude and Linux?
 
 That is definitely in the stack of cards, Jeff. But we cannot yet
 project a release date. We will, however, keep you informed as we get
 closer to formulating that project. We would be interested in hearing
 any input you would care to provide, such as: your Linux platform, the
 mail server(s) you would like to see targeted, etc.
 
 David Franco-Rocha
 
 - Original Message -
 From: Jeff Kratka [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Wednesday, March 30, 2005 4:29 PM
 Subject: [Declude.Virus] Declude and Linux?
 
 
  Will there be a version of Declude for Linux?
 
  Jeff Kratka
  
  TymeWyse Internet
  P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
  tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
  
 


RE: [Declude.Virus] WinZip Companion for Outlook (OT)

2005-02-28 Thread John Tolmachoff \(Lists\)
Yep, I block them for good reason.

A virus scanner can not (and should not) scan what is inside an encrypted
Zip file.

My policy stays the same: If you have to send a potentially malicious file,
you will have to rename the extension.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Marc Catuogno
 Sent: Monday, February 28, 2005 12:47 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] WinZip Companion for Outlook (OT)
 
 This is going to be a problem for me if it catches on people will think it is
 cool to password their zip files, and since I block them
 Just thought I'd heads up the group in case any of you automatically block
 encrypted files as well.
 
 
 A choice of Zip 2.0 or 128- or 256-bit AES encryption
 
 AES encryption provides much greater cryptographic security than the
 traditional Zip 2.0 encryption method used in earlier versions of WinZip.
 Encryption applied to an attachment is done when the file is zipped. The
 recipient of the attachment must then use a password to extract the contents
 from the Zip file.
 
 The Companion's advanced encryption (FIPS-197 certified) uses the Rijndael
 cryptographic algorithm which, in 2001, was specified by the National
 Institute of Standards and Technology (NIST) in Federal Information
 Processing Standards (FIPS) Publication 197 as the Advanced Encryption
 Standard (AES).
 
 Note: Recipients to whom you send AES-encrypted Zip files must have a
 compatible Zip file utility, such as WinZip 9.0, in order to decrypt the
 files.
 
 Marc
 
 
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
 


RE: [Declude.Virus] Organization changes at Declude

2005-02-21 Thread John Tolmachoff \(Lists\)
Scott, may your new endeavors be as rewarding or more than the ones now
behind you.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of [EMAIL PROTECTED]
 Sent: Monday, February 21, 2005 10:10 AM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Organization changes at Declude
 
 After 4 years of hard work and little sleep Scott Perry has decided to move
 away from customer facing activities with Declude and will be spending more
 of his time working with the Red Cross.
 
 Scott continues his commitment to Declude in an advisory role.
 
 


RE: [Declude.Virus] New MyDoom virus

2005-02-16 Thread John Tolmachoff \(Lists\)

I have been wondering what is going on in the last half hour. Been getting a
larger than normal amount of banned extension blocks.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Don Hickey
 Sent: Wednesday, February 16, 2005 4:00 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] New MyDoom virus
 
 We are many of these since about 5pm central time. Mcafee has definition
 updates to catch this. We were catching it by the blocked extensions before
 the Mcafee update was installed.
 
 http://vil.nai.com/vil/content/v_131856.htm
 
 At this time F-prot is not catching these..
 
 Don
 
 
 
 --
 No virus found in this outgoing message.
 Checked by AVG Anti-Virus.
 Version: 7.0.300 / Virus Database: 265.8.8 - Release Date: 2/14/2005
 


RE: [Declude.Virus] Where is the 'CR' vulnerability

2005-02-10 Thread John Tolmachoff \(Lists\)
Markus, I received the post with the attachment and time stamped 12:17 AM
PST.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Wednesday, February 09, 2005 1:55 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] Where is the 'CR' vulnerability
 
 Beside the question: I've sent this message (with the message in the body)
 yesterday evening but it was not delivered to the list. So I've resent the
 message (with the message as attachment) this morning and it showed up
 immediately on the list.  ??
 
 Markus
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
  Sent: Tuesday, February 08, 2005 8:56 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] Where is the 'CR' vulnerability
 
 
  A customer's PHP script is sending out the following message:
 
 
 
 ~
 ~
  Received: from lx.domain.net [217.123.123.123] by
  mail.zcom.it with ESMTP
(SMTPD32-8.13) id AD887060072; Tue, 08 Feb 2005 17:49:12 +0100
  Received: by lx.domain.net (Postfix, from userid 33)
  id 93432A1C4; Tue,  8 Feb 2005 17:47:19 +0100 (CET)
  To: [EMAIL PROTECTED]
  Subject: Danke
  From: customer.it [EMAIL PROTECTED]
  X-Mailer: PITA-Server 1.5-Z8 1107902839 Message-Id:
  [EMAIL PROTECTED]
  Date: Tue,  8 Feb 2005 17:47:19 +0100 (CET)
  X-Declude-Sender: [EMAIL PROTECTED] [217.123.123.123]
  X-Spam-Tests-Failed: None [0]
  X-Country-Chain:
  X-Note: Sent from [EMAIL PROTECTED] -  ([217.123.123.123]) incoming.
  X-Declude-Virus: Detected [Outlook 'CR' Vulnerability].
 
 
  Danke dass Sie sich bei immobilien-prisma.it erkundigen.
 
  Besuchen Sie uns wieder!
 
  --
  Immobilien in Brixen und Umgebung
  http://www.immobilien-prisma.it/
  mailto:[EMAIL PROTECTED]
 
 ~
 ~
 
 
  Question: Where is the CR vulnerability?
 
  Markus
 

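Added example, not part of the thread and not Declude's code: a check for a carriage return that is not followed by a line feed inside the header block, assuming that is the condition the `Outlook 'CR' Vulnerability` test reports. The sample bytes, addresses and function names are constructed for illustration; the lenient parser models a client that treats a lone CR as a line end, so the result shows which header a strict scanner would never inspect.

```python
import re

# Constructed sample (not the message from the thread): a header block in
# which the sending script ended one header with a lone CR instead of CRLF.
SAMPLE_BARE_CR = (
    b"To: user@example.com\r\n"
    b"Subject: Danke\r\n"
    b"From: sender@example.com\r\n"
    b"X-Mailer: Example-Mailer 1.0\rMessage-Id: <1@example.com>\r\n"
    b"Date: Tue, 08 Feb 2005 17:47:19 +0100\r\n"
    b"\r\n"
    b"A lone CR \r in the body is not a header problem.\r\n"
)
SAMPLE_CLEAN = SAMPLE_BARE_CR.replace(b"1.0\rMessage", b"1.0\r\nMessage")


def header_block(raw: bytes) -> bytes:
    """Return everything before the first empty line (the header/body split)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return raw if m is None else raw[: m.start()]


def find_bare_cr(raw: bytes):
    """Return (line_no, column, field_name) for each header CR not followed by LF."""
    findings = []
    field = ""
    # Split on real line ends only, so a lone CR stays inside its line.
    for line_no, line in enumerate(re.split(rb"\r?\n", header_block(raw)), start=1):
        if line[:1] not in (b" ", b"\t"):
            # Not a folded continuation: this line starts a new field.
            field = line.split(b":", 1)[0].decode("ascii", "replace")
        for m in re.finditer(rb"\r", line):
            findings.append((line_no, m.start(), field))
    return findings


def field_names(raw: bytes, cr_ends_line: bool):
    """Header names seen by a parser that does or does not end a line at a lone CR."""
    sep = rb"\r\n|\r|\n" if cr_ends_line else rb"\r?\n"
    names = []
    for line in re.split(sep, header_block(raw)):
        if line[:1] in (b" ", b"\t") or b":" not in line:
            continue  # folded continuation line or empty fragment
        names.append(line.split(b":", 1)[0].decode("ascii", "replace"))
    return names


def hidden_fields(raw: bytes):
    """Fields only the lenient parser sees, i.e. what a strict scanner misses."""
    strict = field_names(raw, cr_ends_line=False)
    lenient = field_names(raw, cr_ends_line=True)
    return [name for name in lenient if name not in strict]


if __name__ == "__main__":
    for label, msg in (("bare CR", SAMPLE_BARE_CR), ("clean", SAMPLE_CLEAN)):
        print(label, find_bare_cr(msg), hidden_fields(msg))
```

In the headers Markus quotes, `Message-Id:` sits on the same line as `X-Mailer:`, so that boundary in the raw spool file is the first place to run a check like this.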

RE: [Declude.Virus] HiJack Question

2005-02-07 Thread John Tolmachoff \(Lists\)
First, you should be actively monitoring the HOLD2 directory. There are some
scripts on the Declude Tools site that can be used for this.

Second, you do not need to cycle the SMTP service. However, you will have to
rename the HOLD2 files if you want to release them and then manually move
them.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc
Sent: Sunday, February 06, 2005 11:12 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] HiJack Question

Scenario: Dialup ISP using dynamic IP allocation.

Customer #1 using IP address of 1.2.3.4 trips threshold #2. Logs off.

Customer #2 logs on and obtains the same IP that customer #1 had (1.2.3.4)

My understanding is that HiJack will block Customer #2's outbound email as
well. At least until the Declude Console (DECCON.EXE) is closed.

Question: If this is true, is it acceptable practice to cleanup HOLD2, stop
the SMTP service, kill the DECCON PID and restart the SMTP service? Thx.

-M

---
The toughest part of getting to the top of the ladder, is getting through
the crowd at the bottom. -- unknown

RE: [Declude.Virus] RAR Support - why not?

2005-01-28 Thread John Tolmachoff \(Lists\)
My log files go to a separate directory (partition if available) and are
zipped either weekly or monthly depending on size and when there are enough
they get burned to CD then deleted.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Friday, January 28, 2005 2:24 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] RAR Support - why not?
 
 Darin,
 
 What do you do with the old log files? Do you put them on another
 machine for processing/analysis/archiving?
 
 If you are archiving how long do you keep the data?
 
 Thanx
 
 
 
 
  Goran Jovanovic
  The LAN Shoppe
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.Virus-
  [EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Friday, January 28, 2005 5:15 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] RAR Support - why not?
 
  Notices only go out for banned files.  We include a statement that the email
  will be available to be requeued for x number of days...so automatic
  processes clean it up if it's unclaimed.
 
  Regarding the space problem, are you moving logs off to another partition on
  a nightly basis?  Between that, automatic cleanup, and zipping old logs ours
  stays pretty clean.
 
  Darin.
 
 
  - Original Message -
  From: Andy Schmidt [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Friday, January 28, 2005 5:05 PM
  Subject: RE: [Declude.Virus] RAR Support - why not?
 
 
  Hi Goran:
 
  Oh, I've been thinking about just that.  However does that mean you hold all
  virus files?
 
  I don't think I could afford the additional disk space (the spool file is
  already too big as it is.)
 
  Best Regards
  Andy
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
  Sent: Friday, January 28, 2005 12:48 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] RAR Support - why not?
 
 
  Andy,
 
  Someone posted on this list a while ago a small ASP page that I am using to
  requeue a banned file. I send out a bannotify.eml that has the link back to
  the server with the appropriate file name. The user says I really really
  want this file and clicks on the link. It gets requeued automatically into
  the spool directory and it is not scanned/banned again and the user gets it
  within 30 minutes.
 
  I remember that there was some discussion on the list a while ago about
  having the users authenticate and fill in a form etc. I decided not to
  bother with that.
 
  I can send you my bannotify.eml and the asp file if you wish. Let me know
 
 
 
 
   Goran Jovanovic
   The LAN Shoppe
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:Declude.Virus-
   [EMAIL PROTECTED] On Behalf Of Andy Schmidt
   Sent: Thursday, January 27, 2005 6:27 PM
   To: Declude.Virus@declude.com
   Subject: RE: [Declude.Virus] RAR Support - why not?
  
    1.82 will treat encrypted .RAR files the same as encrypted .ZIP files,
    and will block banned file extensions in .RAR files the same way as it
    blocks banned file extensions in .ZIP files.
  
   Beautiful!
  
   Now we just need McAfee to scan inside RAR files G
  
   (Globally banning zipped .EXE files is not an option for me - I gotta give
   those customers SOME practical way to send/receive restricted file
   types.)
  
   Best Regards
   Andy
  
  

RE: [Declude.Virus] FW: MS Windows/Critical Error

2005-01-26 Thread John Tolmachoff \(Lists\)
So, if I am banning ZIPEXT, this should be caught since rar is treated same
as zip in Declude, correct?

What is the file in the rar?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
 Sent: Wednesday, January 26, 2005 1:34 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] FW: MS Windows/Critical Error
 
 Just got that one - attached was a WindowsUpdate.rar, 43 KB.
 
 -Original Message-
 From: Microsoft INC [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 26, 2005 09:15 PM
 To: [EMAIL PROTECTED]
 Subject: MS Windows/Critical Error
 
 
 Dear Sir/Madam,
 We kindly ask you to install this update to your PC as soon as possible.
 In the libraries of OS WindowsR critical errors have been found. This errors
 lead to destruction of the system files from your computer without an
 opportunity on restoration. The given service-pack fixes libraries and does
 not allow various Trojan modules to penetrate into your computer.
 
 Yours Faithfully,
 Microsoft INC
 
 
 
 


[Declude.Virus] hlp attachments

2004-12-28 Thread John Tolmachoff \(Lists\)
I just had a client request blocking of hlp attachments. I have been
extremely busy with 2 major projects and have not seen anything about this.

Any one have information on a virus that uses that?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




[Declude.Virus] Declude Licensing codes

2004-12-22 Thread John Tolmachoff \(Lists\)
Here is some information for all who have concerns about the new licensing
and tie in to IPs and/or MACs:

I have spoken to Barry today, and while I will not reveal the little bit of
information I was given, I will state on my honor that I have no problem
with the new license code process what ever you want to call it.

Additionally, Declude has designed and taken steps to make sure there will
be no problems in the event you need to change IPs or hardware overnight, on
a weekend, on an extended weekend or even if disaster were to strike and the
Declude offices were not available for a week.

Hopefully, you can now rest assured that Declude will not stop working if
you have to fix your server.

FYI, there is also a process in place for a cold spare server to be prepared
and ready ahead of time. You will need to contact Declude to specifically
set that up.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





RE: [Declude.Virus] PB installing 2.0B

2004-12-21 Thread John Tolmachoff \(Lists\)
I also would like to continue to have the option of a manual install. 

The beauty of Declude is its adaptation and customization. An auto install
takes that away and can mess with customized files.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
 Sent: Tuesday, December 21, 2004 10:26 AM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] PB installing 2.0B
 
 Hey, Declude Support, I'm interested in a manual installation, too!
 
 ...
 
 Now, I don't want to sound like I'm shooting the messenger, but I hope
 you guys aren't doing this on your production server.
 
 Since I'm interested in the manual installation, I'll install it on the
 development server, note the changes, and then after testing, bring it
 over to the live server.
 
 Which is the same as I've done the last few times.  If you're going to
 implement beta software, it's worth the effort.
 
 Andrew 8)
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Tuesday, December 21, 2004 7:02 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] PB installing 2.0B
 
 
 - Original Message -
 From: Serge [EMAIL PROTECTED]
 
  you are probably right
  we used to have the same issue with manual install
  However, the full install notes specifically say that no service need to be
  stopped when upgrading
  So they need to get their act together, or give us back our old manual install
 
 I agree, the old manual download/install should at least be an option.
 I don't like downloading 6.66mb file, just to get a 500kb declude.exe
 file. Especially when that 6mb install file takes over 3.5 minutes to
 complete its installation process, and then changes my config files in
 the process without warning (as Kami noted, it changes the .eml files -
 did the same thing here), and then did not install properly.
 
 After running the install, which completed without error, I ended up
 with a 288kb declude.exe file that did not work - I had to revert back
 to version 1.81 to get Declude JunkMail & Virus to function again.  What
 size declude.exe file have others that successfully installed 2.0B ended
 up with?
 
 Bill
 


RE: [Declude.Virus] F-Prot 3.14 causing server freezes

2004-12-14 Thread John Tolmachoff \(Lists\)
Yes, this is a known problem. Resolution is to switch to the 32 bit windows
version.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Brandes
Sent: Tuesday, December 14, 2004 8:10 AM
To: '[EMAIL PROTECTED]'
Subject: [Declude.Virus] F-Prot 3.14 causing server freezes

I am using the DOS version of F-Prot 3.14 and am having problems with F-Prot
freezing the server which forces me to do a hard reset of the system.

The event log entry reads:

Application popup: 16 bit MS-DOS Subsystem :
D:\FProt\F-Prot.exe
X#=0D, CS=01CF IP=5703. The NTVDM CPU has encountered an unhandled
exception. Choose 'Close' to terminate the application.

I searched the archives and found some messages but they were too old to
view. Are other users of F-Prot experiencing this problem? Is there a better
alternative to F-Prot for virus checking that won't cause these problems?

Matthew Brandes, MCSE, CCA
IT Manager
Integra Realty Resources, Inc.
1901 W. 47th Place, #300
Westwood, KS 66205
T. 913-748-4720
F. 913-236-4307
http://www.irr.com

RE: [Declude.Virus] Parallel processing

2004-12-10 Thread John Tolmachoff \(Lists\)
Declude creates a separate directory for each message for scanning, so while
the report name is the same, the directory is unique.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
 Sent: Friday, December 10, 2004 3:31 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] Parallel processing
 
 I'm using the f-prot command line scanner, and the lines in the
 virus.cfg look like this:
 
 SCANFILE C:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb /noboot /nomem /packed /report=report.txt
 VIRUSCODE 3
 VIRUSCODE 6
 REPORT  Infection:
 
 That's working fine, but in my testing I'm only putting a few messages
 through at a time.  I note that the /report variable is setting one
 specific filename.  What happens when two or more declude processes are
 launched and both want to call the virus scanner at the same time?  I
 realize that scanning is relatively quick, but I can see that collisions
 would result.
 
 If Declude doesn't handle this internally to set a different report name
 per instance, then I think paranoia would push me to set MAXATONCE 1
 ... ?
 
 Andrew.
 
 

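Added example, not Declude's code: it contrasts several concurrent scans sharing one working directory with the per-message directory described in the reply above, using a stand-in scanner that, like the `/report=report.txt` setting in the quoted virus.cfg, always writes `report.txt`. The stand-in scanner, file names and message bodies are constructed, and the `Infection:` match mirrors the `REPORT  Infection:` line.

```python
import subprocess
import sys
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

# Stand-in for a command-line scanner run with a fixed report name: it writes
# its verdict to report.txt in the current working directory.
# (Hypothetical; the real scanner and its report format are not modelled.)
FAKE_SCANNER = (
    "import sys, pathlib;"
    "name = sys.argv[1];"
    "body = pathlib.Path(name).read_text();"
    "verdict = 'Infection: TEST-SIGNATURE' if 'TEST-MARKER' in body else 'clean';"
    "pathlib.Path('report.txt').write_text(name + ' ' + verdict + '\\n')"
)

# Constructed messages; only b.eml carries the marker the stand-in flags.
MESSAGES = {
    "a.eml": "hello",
    "b.eml": "attachment with TEST-MARKER inside",
    "c.eml": "quarterly numbers",
    "d.eml": "lunch?",
}


def scan(workdir: Path, filename: str) -> None:
    """Run the stand-in scanner with workdir as its current directory."""
    subprocess.run(
        [sys.executable, "-c", FAKE_SCANNER, filename], cwd=workdir, check=True
    )


def reports_after_shared_scan(messages) -> int:
    """All scans share one directory, so every run targets the same report.txt.

    Returns how many report files exist afterwards.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in messages.items():
            (root / name).write_text(body)
        with ThreadPoolExecutor(max_workers=len(messages)) as pool:
            list(pool.map(lambda n: scan(root, n), messages))
        return len(list(root.rglob("report.txt")))


def scan_isolated(messages) -> dict:
    """One private directory per message: same report name, unique path.

    Returns {message name: True if its own report contains 'Infection:'}.
    """
    with tempfile.TemporaryDirectory() as d:

        def one(name):
            work = Path(tempfile.mkdtemp(prefix=name + ".", dir=d))
            (work / name).write_text(messages[name])
            scan(work, name)
            return name, "Infection:" in (work / "report.txt").read_text()

        with ThreadPoolExecutor(max_workers=len(messages)) as pool:
            return dict(pool.map(one, messages))


if __name__ == "__main__":
    print("shared dir, reports left:", reports_after_shared_scan(MESSAGES))
    print("per-message dirs:", scan_isolated(MESSAGES))
```

With a shared directory four scans leave a single report, so at most one verdict can be read back and it cannot be tied to its message; with one directory per message each verdict is read from its own path.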

RE: [Declude.Virus] Parallel processing

2004-12-10 Thread John Tolmachoff \(Lists\)
;)

I only use filemon when other avenues come up empty. Too much data to look
at.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
 Sent: Friday, December 10, 2004 3:46 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Parallel processing
 
 Thanks, John.  Asking here was quicker than breaking out that free file
 monitor (FileMon) from SysInternals.com ...
 
 Andrew 8)
 
 -Original Message-
 From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
 Sent: Friday, December 10, 2004 3:39 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Parallel processing
 
 
 Declude creates a separate directory for each message for scanning, so
 while the report name is the same, the directory is unique.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
  Sent: Friday, December 10, 2004 3:31 PM
  To: [EMAIL PROTECTED]
  Subject: [Declude.Virus] Parallel processing
 
  I'm using the f-prot command line scanner, and the lines in the
  virus.cfg look like this:
 
  SCANFILE C:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb /noboot /nomem /packed /report=report.txt
  VIRUSCODE 3
  VIRUSCODE 6
  REPORT  Infection:
 
  That's working fine, but in my testing I'm only putting a few messages
  through at a time.  I note that the /report variable is setting one
  specific filename.  What happens when two or more declude processes
  are launched and both want to call the virus scanner at the same time?
  I realize that scanning is relatively quick, but I can see that
  collisions would result.
 
  If Declude doesn't handle this internally to set a different report
  name per instance, then I think paranoia would push me to set
  MAXATONCE 1 ... ?
 
  Andrew.
 
 


[Declude.Virus] New Favsin virus.

2004-11-22 Thread John Tolmachoff \(Lists\)
http://www.sophos.com/virusinfo/analyses/w32favsina.html

Any one have any more information on this new one?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





[Declude.Virus] Bagz

2004-11-11 Thread John Tolmachoff \(Lists\)
Neither F-Prot (3.15b) nor AVG (7.0.289) appear to be catching this.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





RE: [Declude.Virus] Bagz

2004-11-11 Thread John Tolmachoff \(Lists\)
Interesting, out of their list, only ClamWin caught it. I assume that is
ClamAV?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fritz Squib
 Sent: Thursday, November 11, 2004 9:17 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Bagz
 
 John,
  Try submitting it to http://www.virustotal.com and see what they return.
 
 Fritz
 
 Frederick P. Squib, Jr.
 Network Operations/Mail Administrator
 Citizens Telephone Company of Kecksburg
 http://www.wpa.net
 
 ()  ascii ribbon campaign - against html mail
 /\- against microsoft attachments
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Thursday, November 11, 2004 11:28 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Bagz
 
 
 I received a reply from AVG this morning saying the file I submitted to them
 was virus free, even though Scott confirmed it was infected with Bagz.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
  Sent: Thursday, November 11, 2004 12:27 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] Bagz
 
  Marcus, do not take this personally because I am tired and grouchy.
 
  That information does me no good. I already know that everyone else is
  catching these as some form of Bagz. However, no one lists any alias
  or variant name that AVG or F-Prot might be using, and neither F-Prot
  or AVG list Bagz as a known virus.
 
  I am using F-Prot and AVG with Declude Virus, and these are only being
  caught with banned extension, not an infected message as they should
  be.
 
  I have submitted to both F-Prot and AVG and am waiting back for their
  wonderful words of wisdom.
 
  And yes, my defs are updated. Programs also.
 
  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
   Sent: Thursday, November 11, 2004 12:07 AM
   To: [EMAIL PROTECTED]
   Subject: RE: [Declude.Virus] Bagz
  
  
    Neither F-Prot (3.15b) nor AVG (7.0.289) appear to be catching this.
  
   Hm searching on http://vil.nai.com/vil/default.asp for bagz returns a lot
   of variants. Seems not to be an absolutely new one...
  
   Markus
  
  
  


[Declude.Virus] W32/Bofra-A

2004-11-08 Thread John Tolmachoff \(Lists\)
Any one know what the link in the body is so we can add filters for it?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





RE: [Declude.Virus] Sample Configs

2004-11-04 Thread John Tolmachoff \(Lists\)
Declude JunkMail questions should be directed to the Declude.JunkMail list.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail_Forum
 Sent: Thursday, November 04, 2004 8:34 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] Sample Configs
 
 Hello,
 
 Just signed back up for this list again.  I was wondering if people could
 share some sample default junkmail files and cfg files?   I am using Declude
 for anti-spam only as of now and would be interested in seeing how other
 people are setting theirs up.  Our current config is working pretty good,
 but would love to make it better.
 
 Thanks,
 Mark Mitchell
 Inwave Internet Inc.
 
 


[Declude.Virus] BitDefender

2004-11-03 Thread John Tolmachoff \(Lists\)
Has anyone tried using BitDefender with Declude Virus, or ClamAV for that
matter?

Does it work?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.Virus] BitDefender

2004-11-03 Thread John Tolmachoff \(Lists\)
PP

For those responding about ClamAV, my PPSS.

I meant mxGuard. Is any one using BitDefender with either Declude or
mxGuard?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Wednesday, November 03, 2004 8:56 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] BitDefender
 
 Has anyone tried using BitDefender with Declude Virus, or ClamAV for that
 matter?
 
 Does it work?
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 


RE: [Declude.Virus] BitDefender

2004-11-03 Thread John Tolmachoff \(Lists\)
I wonder if ICS standard includes the same executable file for BitDefender
as the one you are using.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Bill Landry
 Sent: Wednesday, November 03, 2004 9:41 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] BitDefender
 
 BitDefender works fine with Declude Virus, don't know about mxGuard.
 
 Bill
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, November 03, 2004 9:27 AM
 Subject: RE: [Declude.Virus] BitDefender
 
 
  PP
 
  For those responding about ClamAV, my PPSS.
 
  I meant mxGuard. Is anyone using BitDefender with either Declude or
  mxGuard?
 
  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
   On Behalf Of John Tolmachoff (Lists)
   Sent: Wednesday, November 03, 2004 8:56 AM
   To: [EMAIL PROTECTED]
   Subject: [Declude.Virus] BitDefender
  
   Has anyone tried using BitDefender with Declude Virus, or ClamAV for that
   matter?
  
   Does it work?
  
   John Tolmachoff
   Engineer/Consultant/Owner
   eServices For You
  
  


RE: [Declude.Virus] BitDefender

2004-11-03 Thread John Tolmachoff \(Lists\)
What I am wondering is does ICS standard include the same executable for
BitDefender that you are using with your version for Declude?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Bill Landry
 Sent: Wednesday, November 03, 2004 1:58 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] BitDefender
 
 It's the free version: BitDefender Free Edition v7.  We don't have it
 running in production, just on a test server, but it seems to run just
 fine in testing - although it is the slowest of the virus scanners we have
 tested: McAfee, F-Prot, TrendMicro, and ClamAV.
 
 Bill
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, November 03, 2004 1:34 PM
 Subject: RE: [Declude.Virus] BitDefender
 
 
 Which BitDefender product are you using?
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Bill Landry
  Sent: Wednesday, November 03, 2004 9:41 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.Virus] BitDefender
 
  BitDefender works fine with Declude Virus, don't know about mxGuard.
 
  Bill
  - Original Message -
  From: John Tolmachoff (Lists) [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Wednesday, November 03, 2004 9:27 AM
  Subject: RE: [Declude.Virus] BitDefender
 
 
   PP
  
   For those responding about ClamAV, my PPSS.
  
   I meant mxGuard. Is anyone using BitDefender with either Declude or
   mxGuard?
  
   John Tolmachoff
   Engineer/Consultant/Owner
   eServices For You
  
  
-Original Message-
From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED]
On Behalf Of John Tolmachoff (Lists)
Sent: Wednesday, November 03, 2004 8:56 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] BitDefender
   
Has anyone tried using BitDefender with Declude Virus, or ClamAV for that
matter?
   
Does it work?
   
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
   
   


RE: [Declude.Virus] Viruses getting through...

2004-11-02 Thread John Tolmachoff \(Lists\)
Block executable files. That should be standard defense mode nowadays.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Chuck Schick
 Sent: Tuesday, November 02, 2004 8:07 AM
 To: Declude. Virus
 Subject: [Declude.Virus] Viruses getting through...
 
 We are running Declude Pro with Fprot and we see a lot of viruses getting
 through with the attachment of Joke.com, Joke.exe, Price.com - Anyone else
 seeing the same thing?  It appears to be the beagle variant.
 
 Any suggestions on how to fix.
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 


RE: Re[2]: [Declude.Virus] strange sending problem to the same domain

2004-10-28 Thread John Tolmachoff \(Lists\)
The Declude Junkmail log lines.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Declude
 Sent: Thursday, October 28, 2004 9:06 AM
 To: John Tolmachoff (Lists)
 Subject: Re[2]: [Declude.Virus] strange sending problem to the same domain
 
 Hi  John, thank you.
 Below you can find my answers.
 Is it of any help ?
 Uwe
 
 JTL 1. Is the sender authenticating during the SMTP send to the server?
 Yes he is, this was my first thought as well.
 JTL 2. Log lines for the messages sent please.
 The odd thing is, that Outlook doesn't let me see the Mail-Headers
 to the eMails sent. Or do you mean the log lines in IMail ?
 JTL 3. Is the sender using Outlook 2003?
 The answer is: Outlook 2002 / SP 2
 JTL 4. Headers of the message that came through after changing from DELETE at 20
 JTL to WARN.
 I have to ask the customers to send it to me tomorrow.
 
 JTL John Tolmachoff
 JTL Engineer/Consultant/Owner
 JTL eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 JTL [mailto:[EMAIL PROTECTED]
  On Behalf Of Declude
  Sent: Thursday, October 28, 2004 8:20 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.Virus] strange sending problem to the same domain
 
  Hi list,
  a customer of us complained
  today that he couldn't send any
  eMail from [EMAIL PROTECTED] to [EMAIL PROTECTED]
  But he receives eMails to both of the above
  postboxes from externally.
  Today I bypassed Declude. (I deleted eMails
  over weight 20 I guess, now I only do a WARN)
  Since then it is working fine for him
  again.
  I tested his domain remotely with no problems.
  Although he takes Outlook. It seems as if
  Outlook as a Mailer-SW is causing problems
  here.
  Any ideas ?
 
  Uwe
 
 
 
 
 
 --
 Best regards,
  Declude mailto:[EMAIL PROTECTED]
 


RE: re[2]: [Declude.Virus] Fw: Ipswitch Service Agreement Status

2004-10-26 Thread John Tolmachoff (Lists)
 Not sure if I missed a posting on this so,
 
 I recently attended an IPswitch seminar on ICS
 and ISPs can continue to purchase IMail as a
 standalone product.
 
 Sincerely,
 John David M. Miller

As of yesterday, incorrect. More to come later on my report to the Imail
list.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.Virus] What are these

2004-10-25 Thread John Tolmachoff \(Lists\)
Do you have an on-access scanner running?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Keith Johnson
 Sent: Monday, October 25, 2004 7:38 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] What are these
 
 Also,
 
 ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD
 [2]
 
 Please advise to what this is, thanks,
 
 Keith
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
 Sent: Monday, October 25, 2004 10:24 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] What are these
 
 Q06634053002e6803 Error 183 creating temp directory
 F:\IMail\spool\D06634053002e6803.vir\.
 10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner
 
 Thanks for the aid, running 1.81
 
 
 
 ---
 Keith Johnson
 Senior Network Engineer
 Network Advocates, Inc.
 9001 Shelbyville Road
 Burhans Hall, Suite 260
 Louisville, KY 40228
 TEL: 502.992.5928
 FAX: 502.412.1058


RE: [Declude.Virus] MyDoom.o's slipping through.

2004-10-22 Thread John Tolmachoff \(Lists\)
Well, if the virus is forging the from, a user receives the zipped file,
sees it is from [EMAIL PROTECTED], says to himself hey, I know Joe, he
must have sent me a joke, opens the zip and away we go.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Todd Holt
 Sent: Friday, October 22, 2004 9:07 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
 
 Is it not true that EXEs in zip files are inert until opened by the user?
 We don't ban EXEs in zips because our users sometimes need to receive EXE
 files, but we constantly remind them to not open anything that is not
 verified (content expected from the sender).
 
 What do most admins do about this problem?
 
 Todd
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
 (Lists)
 Sent: Thursday, October 21, 2004 1:12 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
 
 Why are you not banning executable files within zip files?
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Chris Patterson
  Sent: Thursday, October 21, 2004 12:42 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
 
  Thanks, I was not aware of the /ARCHIVE=5.  I have adjusted that, here
  is my current cfg line:
 
  C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5
  /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
 
  If there is something I am missing, please let me know.
 
  Thanks,
 
  Chris Patterson, CCNA
  Network Engineer
 
 
 
  -Original Message-
  From: R. Scott Perry [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 21, 2004 3:25 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.Virus] MyDoom.o's slipping through.
 
 
  I have had two reports in the last 2 days about a virus coming through.
  
  The customer forwarded these to me on an Exchange mailbox using McAfee
  which identified them as MyDoom.o.  Tracing the Logs, they were scanned
  and Deemed Virus Free using Prescan.
 
  Given that it is in a .ZIP file, and you are using F-Prot, do you have
  /ARCHIVE=5 in the SCANFILE line in the \IMail\Declude\virus.cfg
  file?  If it is just /ARCHIVE, you should change it to /ARCHIVE=5,
  due to a bug in the latest version of F-Prot.
 
  -Scott
  ---
  Declude JunkMail: The advanced anti-spam solution for IMail mailservers
  since 2000.
  Declude Virus: Ultra reliable virus detection and the leader in
  mailserver
  vulnerability detection.
  Find out what you've been missing: Ask for a free 30-day evaluation.
 
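The attachment policy debated in this thread (blocking executable attachments, including ones inside .zip files) can be sketched as follows. This is an added example, not part of any poster's message and not Declude's or F-Prot's code; the extension list, the depth and size limits and all function names are assumptions, and the sample message is constructed with placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy values for this sketch; tune them to local needs.
BANNED_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
MAX_DEPTH = 5                     # how many archive levels to open
MAX_MEMBER_BYTES = 10 * 1024**2   # skip nested archives declared larger than this


def ext_of(name):
    """Lower-cased final extension; trailing dots/spaces are dropped as Windows does."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    dot = base.rfind(".")
    return base[dot:] if dot != -1 else ""


def scan_zip(data, path, depth=1):
    """Return (member_path, reason) findings for ZIP bytes, opening nested ZIPs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "unreadable archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            member = f"{path}!{info.filename}"
            ext = ext_of(info.filename)
            if ext in BANNED_EXT:
                # Traditional ZIP encryption leaves member names readable,
                # so the name check also covers password-protected members.
                findings.append((member, "executable in archive"))
            elif ext == ".zip":
                if info.flag_bits & 0x1:
                    findings.append((member, "encrypted nested archive"))
                elif depth >= MAX_DEPTH:
                    findings.append((member, "archive nesting too deep"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "nested archive too large"))
                else:
                    findings.extend(scan_zip(zf.read(info), member, depth + 1))
    return findings


def scan_message(raw):
    """Scan every leaf MIME part of a raw message for banned attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = ext_of(name)
        if ext in BANNED_EXT:
            findings.append((name, "executable attachment"))
        elif ext == ".zip" or payload.startswith(b"PK\x03\x04"):
            # The magic-number check catches ZIPs sent under another name.
            findings.extend(scan_zip(payload, name))
    return findings


def make_zip(members):
    """Build ZIP bytes from (name, data) pairs; used only for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(zip_bytes):
    """Constructed message carrying one ZIP attachment named joke.zip."""
    msg = EmailMessage()
    msg["From"] = "joe@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(zip_bytes, maintype="application",
                       subtype="zip", filename="joke.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    inner = make_zip([("Price.com", b"placeholder")])
    outer = make_zip([("readme.txt", b"hello"),
                      ("Joke.exe", b"placeholder"),
                      ("inner.zip", inner)])
    for where, why in scan_message(build_sample(outer)):
        print(f"{why}: {where}")
```

Matching on member names rather than content means the check does not depend on a scanner signature existing yet, which is the trade-off the posters weigh against users who legitimately receive executables.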


RE: [Declude.Virus] MyDoom.o's slipping through.

2004-10-22 Thread John Tolmachoff \(Lists\)
Yes

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Chris Patterson
 Sent: Friday, October 22, 2004 12:52 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
 
 Does anyone else agree using the 32 bit command line scanner is better
 than the dos?
 
 Thanks,
 
 Chris Patterson, CCNA
 Network Engineer
 
 
 
 -Original Message-
 From: Douglas Cohn [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 22, 2004 2:39 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
 
 You should NOT use the dos scanner but instead use the Windows 32 bit
 command line scanner.  You would change the command to
 C:\Progra~1\FSI\F-Prot\fpcmd.exe.  Also there are some other changes
 needed to reflect the different program.  This is my current command line and I
 found that fpcmd was much better than using the dos scanner.
 
 C:\Progra~1\FSI\F-Prot\Fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT
 /DUMB /REPORT=report.txt
 
   C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5
  /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Chris Patterson
 Sent: Thursday, October 21, 2004 4:38 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
 
 I was up until one of my customers and then one of my Engineers could
 not receive firmware updates from Linksys.
 
 We are still reviewing that decision.  Do you think this MyDoom is a
 result of removing that block?
 
 Since adding the /ARCHIVE=5 this afternoon, I have seen it catch 2 of
 the rapidsys.com.zip attachments destined for the same customer that earlier
 reported the trouble.
 
 Thanks,
 
 Chris Patterson, CCNA
 Network Engineer
 
 
 
 -Original Message-
 From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
 Sent: Thursday, October 21, 2004 4:12 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
 
 Why are you not banning executable files within zip files?
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Chris Patterson
  Sent: Thursday, October 21, 2004 12:42 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
 
  Thanks, I was not aware of the /ARCHIVE=5.  I have adjusted that, here
  is my current cfg line:
 
  C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5
  /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
 
  If there is something I am missing, please let me know.
 
  Thanks,
 
  Chris Patterson, CCNA
  Network Engineer
 
 
 
  -Original Message-
  From: R. Scott Perry [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 21, 2004 3:25 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.Virus] MyDoom.o's slipping through.
 
 
  I have had two reports in the last 2 days about a virus coming through.
  
  The customer forwarded these to me on an Exchange mailbox using McAfee
  which identified them as MyDoom.o.  Tracing the Logs, they were scanned
  and Deemed Virus Free using Prescan.
 
  Given that it is in a .ZIP file, and you are using F-Prot, do you have
  /ARCHIVE=5 in the SCANFILE line in the \IMail\Declude\virus.cfg
  file?  If it is just /ARCHIVE, you should change it to /ARCHIVE=5,
  due to a bug in the latest version of F-Prot.
 
  -Scott

RE: [Declude.Virus] hijack install problems

2004-10-22 Thread John Tolmachoff \(Lists\)
1. Did you configure logging in the hijack.cfg file?
2. Where is it logging to?
3. Of course the SMTP service is running, otherwise no e-mail would come in
or out.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Greg Hedgepath
 Sent: Friday, October 22, 2004 1:34 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [Declude.Virus] hijack install problems
 
 trying to install declude hijack on spooler server.
 virus and spam not installed here just hijack
 
 IMHO
 Problem arises on first run of declude.exe via command prompt
 
 C:\IMaildeclude
 Declude 1.81 (C) Copyright 2000-2004 Computerized Horizons.
 
 argc2
 
 First time running... installing...
 
 C:\IMail
 C:\IMaildeclude -diag
 Declude 1.81 (C) Copyright 2000-2004 Computerized Horizons.
 
 Diagnostics ON (Declude v1.81).
 
 Declude JunkMail:  Not installed (no C:\IMail\Declude\global.CFG file).
 Declude Virus: Not installed (no C:\IMail\Declude\Virus.CFG file).
 Declude Hijack:Config file found (C:\IMail\Declude\Hijack.CFG).
 Declude Confirm:   Not installed (no C:\IMail\Declude\Confirm.CFG file).
 
 First time running... installing...
 
 C:\IMail
 
 And then nothing.
 I have stop started the smtp and the quemanager services but
 I just seem to think there is something else wrong since when I run the
 declude -diag command I get the first time running info and it then just
 stops again.
 
 The smtp is still running even though declude.exe is set in the SMTP
 settings.
 I also checked the sendname registry setting and it too is set to
 c:\imail\declude.exe
 
 No hijack log has yet been produced yet either.
 
 I am very familiar with declude from my other server  running virus and
 junkmail.
 But this server is only running hijack.
 
 Thanks for your help
 Greg Hedegpath
 


RE: [Declude.Virus] hijack install problems

2004-10-22 Thread John Tolmachoff \(Lists\)
 Is Deccon.exe in the \imail folder?
 
 
 yes it is in the base imail folder.
 Do I need the global.cfg file?
 I would not think so since this is not running the virus scan.

Now that is an interesting question.

It might need to be.

Imail hands the message to declude.exe.

Declude.exe checks to see if hijack.cfg is there and licensed.

You might want to call Declude and see if someone is there right now.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.Virus] MyDoom.o's slipping through.

2004-10-21 Thread John Tolmachoff \(Lists\)
Why are you not banning executable files within zip files?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Chris Patterson
 Sent: Thursday, October 21, 2004 12:42 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
 
 Thanks, I was not aware of the /ARCHIVE=5.  I have adjusted that, here
 is my current cfg line:
 
 C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5
 /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
 
 If there is something I am missing, please let me know.
 
 Thanks,
 
 Chris Patterson, CCNA
 Network Engineer
 
 
 
 -Original Message-
 From: R. Scott Perry [mailto:[EMAIL PROTECTED]
 Sent: Thursday, October 21, 2004 3:25 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] MyDoom.o's slipping through.
 
 
 I have had two reports in the last 2 days about a virus coming through.
 
 The customer forwarded these to me on an Exchange mailbox using McAfee
 which identified them as MyDoom.o.  Tracing the Logs, they were scanned
 and Deemed Virus Free using Prescan.
 
 Given that it is in a .ZIP file, and you are using F-Prot, do you have
 /ARCHIVE=5 in the SCANFILE line in the \IMail\Declude\virus.cfg
 file?  If it is just /ARCHIVE, you should change it to /ARCHIVE=5,
 due to a bug in the latest version of F-Prot.
 
 -Scott


RE: [Declude.Virus] Another easy one

2004-10-02 Thread John Tolmachoff \(Lists\)
Are you using Declude Hijack?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Kevin Rogers
 Sent: Friday, October 01, 2004 8:44 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Another easy one
 
 Just so you know.  There wasn't a CONSOLE anything in either the two
 files: global.cfg or virus.cfg.
 
 When I got the 1.81 upgrade, deccon.exe was put into my new Upgrade 1.81
 directory, so I decided to put it in the /Imail directory, and now
 everything is hunky-dorey.  But nonetheless, there was nothing about it
 in my default .cfg files.
 
 
 
 R. Scott Perry wrote:
 
 
  I didn't have anything after the LOGFILE and LOGLEVEL (no mention of
  CONSOLE at all).  So I've added a CONSOLE OFF line after that.  I
  don't have Hijack, so I assume this is the way to get around the error?
 
 
  Do you have a CONSOLE ON line in your global.cfg file?  It's
  possible that that could cause the error message, too.  If there is no
  CONSOLE ON line, it defaults to CONSOLE OFF, so I'm guessing the
  message will still appear.
 
  Note that the message doesn't affect how Declude functions (except
  that the console won't appear, but that isn't something you were
  expecting).
 
 -Scott


[Declude.Virus] Virus test tools

2004-09-27 Thread John Tolmachoff \(Lists\)
Is there going to be a test added to the Tools page to test to see if the
GDIplus.dll exploit will be caught?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability

2004-09-25 Thread John Tolmachoff \(Lists\)









Well, I still see Code Red connection
attempts occasionally in my firewall logs.





John Tolmachoff

Engineer/Consultant/Owner

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, September 24, 2004 6:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus]
Paypal and Outlook 'Blank Folding' Vulnerability



John Tolmachoff (Lists) wrote:



However, the post I was responding to was questioning whether or not there
was an actual vulnerability, not what to do with it.





What you define it as is subjective. There is no
exploit present in the messages that are being blocked, and the true
vulnerability exists not in the E-mail but in Outlook, and I believe that a
patch was issued quite a while ago for it. Declude doesn't detect an
actual exploit, just the precursors for the exploit, in this case a line in the
headers with a single space. Clearly this is not RFC compliant, but we
also don't live in a perfect world. I like the idea of being able to
detect this, but I would only turn it on after finding out that there was code
in the wild that was actively exploiting it. There would be no need to
turn off the vulnerability detection in Declude if the exploit code was
detected in association with the condition because that would seem to be a
perfect hit, but considering the time involved to create a suitable parsing
engine to do this, it seems like a better idea to just provide the
granularity. I believe that the exploit in this case simply
creates the ability to bypass virus scanners by putting the attachment in the
message headers, and Outlook will read the attachment despite it being
misplaced/malformed. That in itself won't infect a computer, but it does
make it easy to get past virus scanning software.

I also don't think it would be a bad idea to maybe retire some of these things
due to patching, but granularity would provide that capability for us to do
this on our own. Viruses will have a very hard time spreading when they
utilize an exploit that has been patched for a year or more and I would think
that with so many other forms of exploits available to them, they would choose
something more likely to be successful. For instance, any virus writer
would be properly targeting the JPG vulnerability in Microsoft products for
some time to come. As things stand, most every desktop scanner is set by
default to ignore JPG files, and intercepting such files for scanning prior to
display in Internet Explorer could drive many machines into the ground in terms
of performance. Shame on Microsoft.

Matt



--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/








RE: [Declude.Virus] PRot 3.15b just released - yeah!!

2004-09-24 Thread John Tolmachoff \(Lists\)

Goran, I take it you are volunteering as the guinea pig?

;)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Goran Jovanovic
 Sent: Friday, September 24, 2004 10:09 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] PRot 3.15b just released - yeah!!
 
 Greetings,
 
 We have just released a new version of the windows scanner (3.15b).
 
   - Fix:  FPAV Windows 3.15b scans JPEG images for exploit
 
 Please do not hesitate to contact us again if you need further
 information.
 
 Best regards,
 Anna Podolskaia
 F-Prot Antivirus Support Department
 
 
 
 
  Goran Jovanovic
  The LAN Shoppe
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.Virus-
  [EMAIL PROTECTED] On Behalf Of Dave Marchette
  Sent: Friday, September 24, 2004 12:13 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] F-Prot/GDI+ FYI
 
  That being the case, can you outline for us the simplest way to strip
  JPEGs out of a message yet still send the rest of the message through?
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
  Sent: Friday, September 24, 2004 8:52 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] F-Prot/GDI+ FYI
 
 
  Scott, is there anything recommend that we can do strictly from Declude
  Virus to protect against this until the virus scanners can pick it up?
 
  Without blocking all .JPG files, nothing.  The problem is that there is a
  lack of information on how to detect such .JPG's.
 
  -Scott


RE: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability

2004-09-24 Thread John Tolmachoff \(Lists\)
Yes there is and has been an option for vulnerability notification.

It is called adding lines like SKIPIFVIRUSNAMEHAS vulnerability and
SKIPIFVIRUSNAMEDOESNOTHAVE vulnerability.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darin Cox
 Sent: Friday, September 24, 2004 10:26 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability
 
 Scott,
 
 Would it be possible for these vulnerabilities to have a notification email
 associated with them, like banned files?  Correct me if I'm wrong, but I
 don't believe there are any notification possibilities with these currently.
 
 If this were added, then our users could be automatically notified of the
 email and, with a simple web script, be able to have the message requeued.
 
 There might be better ways to handle this, like a global or per-domain
 weighting/exemption system for vulnerabilities, banned files, etc., but this
 could work until a better solution is found.
 
 Darin.
 
 
 - Original Message -
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, September 24, 2004 1:12 PM
 Subject: Re: [Declude.Virus] Paypal and Outlook 'Blank Folding'
 Vulnerability
 
 
 
 That's a good question...Scott?
 
 We've tried unsuccessfully to contact PayPal in the past, when they were
 sending out vulnerabilities.
 
 However, if people send us samples, we can try to contact them again.
 
 -Scott


RE: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability

2004-09-24 Thread John Tolmachoff \(Lists\)
Issue is not the notifications. That is how I found out about the problem.
The issue is getting Paypal to fix it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darin Cox
 Sent: Friday, September 24, 2004 11:07 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Paypal and Outlook 'Blank Folding'
Vulnerability
 
 Suppose I should have taken the time to read the manual...grin
 
 John, does this help with your issue?
 
 Darin.
 
 
 - Original Message -
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, September 24, 2004 2:00 PM
 Subject: Re: [Declude.Virus] Paypal and Outlook 'Blank Folding'
 Vulnerability
 
 
 
 It would be nice to have more granular control over this, though...to
 perhaps only send for particular hosts, IPs, or email addresses in response
 to the existing criteria for virus name and vulnerability.
 
 There are many such options -- for example, ONLYSENDIFRECIP,
 ONLYSENDIFSENDER, ONLYSENDIFIP...
 
 -Scott


RE: [Declude.Virus] F-Prot/GDI+ FYI

2004-09-24 Thread John Tolmachoff \(Lists\)
Correct, you can not strip the attachment, the configured action is taken on
the whole message. So, if you have Declude Virus configured to automatically
delete (not recommended) then the whole message is deleted.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Dave Marchette
 Sent: Friday, September 24, 2004 11:36 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] F-Prot/GDI+ FYI
 
 Odd.  My experience with the BANEXT command is that it caused the entire
 email to be deleted, not just the banned extension.
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
 Sent: Friday, September 24, 2004 11:07 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] F-Prot/GDI+ FYI
 
 Dave,
 BANEXT JPG
 
 
 Scott,
 Here's the information about how to track the malformed header using
 SNORT.
 http://isc.sans.org/diary.php?date=2004-09-23
 
 Also some utilities on scanning your PC.
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Dave Marchette
  Sent: Friday, September 24, 2004 12:13 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] F-Prot/GDI+ FYI
 
  That being the case, can you outline for us the simplest way
  to strip JPEGs out of a message yet still send the rest of
  the message through?
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
  Sent: Friday, September 24, 2004 8:52 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] F-Prot/GDI+ FYI
 
 
  Scott, is there anything recommend that we can do strictly
  from Declude
  Virus to protect against this until the virus scanners can
  pick it up?
 
  Without blocking all .JPG files, nothing.  The problem is
  that there is a lack of information on how to detect such .JPG's.
 
  -Scott


RE: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability

2004-09-24 Thread John Tolmachoff \(Lists\)
Sleep, what is that?

I spent most of last night working, the rest trying to sleep with a bloody
nose, and then the phone rang at 6:30 AM.

And no, it was not my wife. I am genetically prone to bloody noses in dry
weather. This week, the average humidity in Southern California has been
around 15%.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Darin Cox
 Sent: Friday, September 24, 2004 11:51 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Paypal and Outlook 'Blank Folding'
Vulnerability
 
 I understand that.  I was trying to help you come up with a workaround in
 the meantime.
 
 Perhaps this would have been a good day to roll over and go back to
sleep...
 
 Darin.
 
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, September 24, 2004 2:23 PM
 Subject: RE: [Declude.Virus] Paypal and Outlook 'Blank Folding'
 Vulnerability
 
 
 Issue is not the notifications. That is how I found out about the problem.
 The issue is getting Paypal to fix it.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Darin Cox
  Sent: Friday, September 24, 2004 11:07 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.Virus] Paypal and Outlook 'Blank Folding'
 Vulnerability
 
  Suppose I should have taken the time to read the manual...grin
 
  John, does this help with your issue?
 
  Darin.
 
 
  - Original Message -
  From: R. Scott Perry [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, September 24, 2004 2:00 PM
  Subject: Re: [Declude.Virus] Paypal and Outlook 'Blank Folding'
  Vulnerability
 
 
 
  It would be nice to have more granular control over this, though...to
  perhaps only send for particular hosts, IPs, or email addresses in response
  to the existing criteria for virus name and vulnerability.
 
  There are many such options -- for example, ONLYSENDIFRECIP,
  ONLYSENDIFSENDER, ONLYSENDIFIP...
 
  -Scott


RE: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability

2004-09-24 Thread John Tolmachoff \(Lists\)
No thanks. I like to feel dry after using a towel when getting out of the
shower.

As a truck driver, I once made a team run to Marietta Georgia. Once was
quite enough thank you.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Sharyn Schmidt
 Sent: Friday, September 24, 2004 12:10 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Paypal and Outlook 'Blank Folding'
Vulnerability
 
 
 And no, it was not my wife. I am genetically prone to bloody noses in dry
 weather. This week, the average humidity in Southern California has been
 around 15%.
 
 
 Gee, come to Florida where we are about to be hit with our FOURTH hurricane
 in about 6 weeks, lots of rain and humidity here!
 
 Sharyn
 
 


RE: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability

2004-09-24 Thread John Tolmachoff \(Lists\)
This looks like a clear explanation to me:


18.3 Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when
there is a line in the headers with just a single space or a single tab
character. Outlook can treat this as the end of the headers, allowing it to
see a virus that is embedded in the headers. RFC822 3.2.3 says that it is
not valid to have such lines, nor is there any legitimate reason for an
E-mail to contain a blank line in the headers with a single space or tab
(note that it is OK to have a line with a single space or tab in the E-mail
body, just not the headers). 
 


John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of David Maynard
 Sent: Friday, September 24, 2004 5:17 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability
 
 While the PayPal messages apparently aren't properly formatted via the
 RFC's, they clearly aren't vulnerabilities.  I have always considered this
 one of Declude's most questionable features.  For marketing purposes, this
 is touted as something that Declude stops while other programs don't.  It
 isn't well explained and would lead people to believe that anything it traps
 is something nasty.  The truth is that most things it traps are legitimate
 emails that are the product of badly-coded email programs.  A more accurate
 method of detecting *real* exploits of the blank folding problem would
 certainly be very appreciated.
 
 -Original Message-
 From: R. Scott Perry [mailto:[EMAIL PROTECTED]
 Sent: Friday, September 24, 2004 12:12 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Paypal and Outlook 'Blank Folding'
 Vulnerability
 
 
 
 That's a good question...Scott?
 
 We've tried unsuccessfully to contact PayPal in the past, when they were
 sending out vulnerabilities.
 
 However, if people send us samples, we can try to contact them again.
 
 -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
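
An added example, not part of any list post and not Declude's own detection code: a small scanner for the condition the quoted manual section 18.3 describes, a header line holding only a space or tab, which shows where an RFC-style parser and a client that stops at that line would each place the end of the headers. The function names and both sample messages are constructed for illustration.

```python
"""Flag whitespace-only lines inside an e-mail header block (added example)."""

# Constructed sample: one header line holds a single space. An RFC-style
# parser keeps reading headers; a client that treats the line as blank
# starts the body there.
SAMPLE_BLANK_FOLDED = (
    b"From: sender@example.com\r\n"
    b"To: rcpt@example.com\r\n"
    b"Subject: constructed test message\r\n"
    b" \r\n"                                   # the precursor line
    b"X-After-Gap: still a header to an RFC parser\r\n"
    b"\r\n"
    b"Body text.\r\n"
    b" \r\n"                                   # allowed: this is the body
)

# Constructed sample: ordinary header folding (whitespace followed by text).
SAMPLE_CLEAN = (
    b"From: sender@example.com\r\n"
    b"Subject: folded header\r\n"
    b"\tcontinues here\r\n"
    b"\r\n"
    b"Body text.\r\n"
)


def split_lines(raw):
    """Return (byte_offset, line_without_eol) pairs; accepts CRLF or bare LF."""
    lines, pos = [], 0
    for chunk in raw.split(b"\n"):
        lines.append((pos, chunk.rstrip(b"\r")))
        pos += len(chunk) + 1                  # +1 for the LF removed by split
    return lines


def scan_headers(raw):
    """Walk the header block up to the first truly empty line and report
    every line in it that consists only of spaces or tabs."""
    findings = []
    strict_end = None
    for lineno, (offset, line) in enumerate(split_lines(raw), start=1):
        if line == b"":                        # real end of headers
            strict_end = offset
            break
        if line.strip(b" \t") == b"":          # non-empty, whitespace only
            findings.append({
                "line": lineno,
                "offset": offset,
                # True for exactly one space or one tab, the case in 18.3
                "single_char": line in (b" ", b"\t"),
            })
    # Where a client that stops at the whitespace-only line would end headers.
    lenient_end = findings[0]["offset"] if findings else strict_end
    return {
        "findings": findings,
        "strict_header_end": strict_end,
        "lenient_header_end": lenient_end,
        "parsers_disagree": bool(findings),
    }


if __name__ == "__main__":
    for name, msg in (("blank-folded", SAMPLE_BLANK_FOLDED),
                      ("clean", SAMPLE_CLEAN)):
        result = scan_headers(msg)
        print(name, "disagree:", result["parsers_disagree"],
              "strict end:", result["strict_header_end"],
              "lenient end:", result["lenient_header_end"])
        for f in result["findings"]:
            print("  whitespace-only header line", f["line"],
                  "at byte", f["offset"], "single char:", f["single_char"])
```

A hit means only that the two readings of the message differ, which is the precursor the thread discusses; it says nothing about whether the bytes after the gap are harmful, so the region between the two offsets is what a scanner would need to inspect as body content.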


RE: [Declude.Virus] Paypal and Outlook 'Blank Folding' Vulnerability

2004-09-24 Thread John Tolmachoff \(Lists\)









I would have turned the
vulnerability detection off by now except for the fact that more recently there
has been good progress on malformed file detection that has been useful in
blocking viruses (or at least stopping the banned extension bounce messages on
our system). I would prefer that when this is changed and control becomes
more granular, that we get the ability to filter on these hits in JunkMail
instead of just turning on and off each test. That would allow me to
review the messages under the same system as the spam, although segregated.



Matt, I am not going to argue that, as that is a valid
point, as I would also like to see flexibility in blocking vulnerabilities. 



However, the post I was responding to was questioning
whether or not there was an actual vulnerability, not what to do with it.





John Tolmachoff

Engineer/Consultant/Owner

eServices For You












RE: [Declude.Virus] IMail?

2004-09-21 Thread John Tolmachoff \(Lists\)









CDW





John Tolmachoff

Engineer/Consultant/Owner

eServices For You







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Hirthe, Alexander
Sent: Tuesday, September 21, 2004
12:27 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] IMail?



Hello,



where can I buy IMail? (not at
Ipswitch.com, cheaper :) 



Alex 










RE: [Declude.Virus] IMail?

2004-09-21 Thread John Tolmachoff \(Lists\)
Don't you ever sleep?

Good night.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Sanford Whiteman
 Sent: Tuesday, September 21, 2004 12:34 AM
 To: Hirthe, Alexander
 Subject: Re: [Declude.Virus] IMail?
 
  where can I buy IMail? (not at Ipswitch.com, cheaper :)
 
 Google and Froogle are your friends.
 
 --Sandy
 
 
 
 Sanford Whiteman, Chief Technologist
 Broadleaf Systems, a division of
 Cypress Integrated Systems, Inc.
 e-mail: [EMAIL PROTECTED]
 
 


RE: [Declude.Virus] Forging candidate - JS/IFrame@exp

2004-09-17 Thread John Tolmachoff \(Lists\)









I think this is the one where the html
body calls an object from a URL which will automatically download the virus
payload.





John Tolmachoff

Engineer/Consultant/Owner

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, September 17, 2004 2:13 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Forging
candidate - JS/[EMAIL PROTECTED]



In the last hour we have started to see F-Prot tag
something called JS/[EMAIL PROTECTED] There were 13 of them since 4 p.m. EST and they don't appear at all in yesterday's logs. This appears to be all
spam from forged addresses. Here are some Mail From addresses according
to the Virus log:

 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]

And some sample headers retrieved from a failed virus notification (slightly
munged by cut and paste).

Received: from mx2.mailpure.com [63.170.56.47] by
mx1.mailpure.com with ESMTP
(SMTPD32-8.05) id AE4C847000A2; Fri, 17 Sep 2004 16:51:24 -0400
Received: from DRAGON-01 ([4.26.147.117]) by mx2.mailpure.com with Microsoft
SMTPSVC(5.0.2195.6713);
 Fri, 17 Sep 2004 16:51:08 -0400
X-Message-Info: 6sXHvz904qYP/ykHtcnKNfQDbcfmM5Kz
Received: from chine ([35.244.222.136])
by hqv74-mail.chicano.winsome.compulsion.cable.rogers.com
(InterMail vM.5.01.05.12 288-855-644-873-410-51311973) with ESMTP
id
[EMAIL PROTECTED]
for [EMAIL PROTECTED];
 Tue, 17 Aug 2004 21:49:50 +0100
Message-ID: [EMAIL PROTECTED]
Reply-To: Elba Lackey [EMAIL PROTECTED]
From: Elba Lackey [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Bill Gates didnt get one either
Date: Wed, 18 Aug 2004 02:45:50 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=--05066188562662264
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 17 Sep 2004 20:51:11.0635 (UTC)
FILETIME=[10876E30:01C49CF8]

I can't find any descriptions for the exploit on the
F-Prot site nor on Google.

Thanks,

Matt



--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/







