RE: [Declude.Virus] ClamAV

2010-04-29 Thread Nick Hayer
Thanks Michael for the effort to 'splain! I appreciated it.  Make sure you are 
using the sanesecurity sigs as well as the MSRBL's

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm







From: Michael Cummins mich...@i-magery.com
Sent: Thursday, April 29, 2010 3:02 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV



In case this is helpful for someone else that isn't so great
at rolling their own Clams from the source code:
 
First, I installed ClamAID using the default options.  (SmarterMail
/ Declude install for me)
 
http://www.armresearch.com/tools/arm/clamAID.jsp
 
This installs Clam 0.92, wraps it up as a service, wraps up
FreshClam as a service and gets everything pointed and configured for Declude
to use.  It includes pthreadVC2.dll , but I don't know if it uses it once we
replace the files here in a bit, because...
 
...when FreshClam goes to update the DB, it mangles the DB and dies,
because version 0.92 isn't supported anymore.
 
Immediately after installing ClamAID I stopped the ClamAVSvc
and FreshClam services and I commented out the lines it added in virus.cfg so I
could get it all running properly again.
 
I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and
extracted the files to a folder.  I grabbed all the .exe and .dll files and
replaced the old ones in \Program Files\Clam AV.  I edited \conf\clamd.conf and
commented out the deprecated MailFollowURLs on line 226.  I deleted the files
in \data\ and created a \db\.  I set the log levels in clamd.conf and
freshclam.conf to high so I could see things chugging along until I was
comfortable.  I hard set the database to \db\ in the conf files, and set
verbose logging.
 
I cranked up the services, and watched FreshClam download
new profiles to \db\.
 
Once the db was downloaded, I tested Clam from the command
prompt as described on the armresearch page, and everything looked like it was
working fine.
 
I uncommented the lines in Declude, restarted Declude, and
watched it all start humming.
 
Now I am just keeping an eye on things, and waiting for Clam
to catch a virus.
 
-- Michael Cummins
 
 
 


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?

2009-06-03 Thread Nick Hayer
David -

At times like this it's OK to sign these emails: David your pinata Barker :)

-Nick


From: David Barker dbar...@declude.com
Sent: Wednesday, June 03, 2009 4:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year? 









Nice. Thank you for your feedback Markus.

MANY if not most of all Declude users has initially chosen the Swiss army
knife as their tool who they can customize, enhance and integrate in
their FULLY email filter system.

This is true from the past and for many older Declude customers, but the
market has changed over the years - there are not enough people looking for
the Swiss army knife approach anymore. With managed services, hardware
appliances etc. anti-spam and AV is a cost center for most ISP's and they
would rather not have to deal with it at all. IMail themselves started losing
market share for the same reasons which had a direct impact on the Declude
business. So what was is no more.

evolution and new functionality in order to be able to stay ahead or at least
near on top of the market leaders.

Agreed, but also take into account the changing Mail systems, we support both
IMail and Smartermail, specifically supporting Smartermail as they were
growing while IMail was shrinking. Every time a new release of IMail or
Smartermail comes out something inevitably changes meaning we have to deal
with the MUST do's rather than innovation. Again to combat this we just need
additional developer/s so that we can dedicate one to maintenance and the
other/s to innovation. To do this we need $ and that cost will always be
carried over to you the customer, which I have done my utmost best to avoid.

noted the active community who has definitively helped to let Declude become
what it is/was isn't there anymore.

Yes that community was (and what is left) is extremely helpful and useful.

All this isn't there anymore. Why? Because people who was ready to contribute
hasn't received back what they want and need: If such people has asked for a
new feature even if it was a little piece of thing the maximum to hear was
that it will be placed on a long list of planned to-do's.

Depending on when this was and who was making the Declude decisions at the
time. But if I should speak for myself. I realize I can't make everyone
happy it's part of my job. Here is a case in point, let's use this scenario.

1. AVG fails
2. IMail release version 11 which is incompatible with Declude

If I choose to fix AVG first - IMail users scream
If I choose to fix IMail first - All users scream

So in this instance best decision is to let IMail users complain. Either way
Declude in one group of people is going to be the company that is not doing
enough for its customers. This is not really true but rather the perception.

In the case you hasn't discovered it yet, from the begin of April on there
was a big increase of spam activity

This information is very useful and this is why the lists exist if we can
share information we have a community that benefits.

If there would be really someone taking technical care of this product he has
should put more than one eye in the past 2 months in order to keep this
product at least near to other spam filtering products. The cow was milked
and milked and milked and does urgently need now some fresh grass, water and
maybe also a new clean stable.

The only thing that would change this current situation is revenues which
means price increase. (Maybe it is time?)

David

 





From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gufler Markus | Limitis
Sent: Wednesday, June 03, 2009 3:26 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Declude Virus inoperable for 13% of th year?
Sensitivity: Personal

Hi David,

I'm observing not only this AVG issue but many different things in the past
4 years (while paying SA fee's). Your price is not that much that other
Spamfilter vendors ask for but keep in mind that MANY if not most of all
Declude users has initially chosen the Swiss army knife as their tool who
they can customize, enhance and integrate in their FULLY email filter system.

Maybe we could start a long and never ending thread if Declude should be a
flexible tool or a complete suite for customers, but in any case both type of
customers would need definitively one thing, and this is evolution and new
functionality in order to be able to stay ahead or at least near on top of
the market leaders. At the moment Declude stand-alone without additional
external tests, additional external AV-engines and additional pre-filtering
gateways like Alligate, IMHO is not a full, secure and reliable solution.
It's still an important piece but as you maybe has also noted the active
community who has definitively helped to let Declude become what it is/was
isn't there anymore. There

[Declude.Virus] [Fwd: [clamav-announce] ClamAV/SOSDG 0.90.2-1 has been released! (Security Fix)]

2007-04-13 Thread Nick Hayer

fyi -

 Original Message 
Subject: 	[clamav-announce] ClamAV/SOSDG 0.90.2-1 has been released! 
(Security Fix)

Date:   Fri, 13 Apr 2007 17:05:54 -0400
From:   Brie Bruns [EMAIL PROTECTED]
Organization:   The Summit Open Source Development Group
To: [EMAIL PROTECTED]



Hello all,


I've released ClamAV/SOSDG 0.90.2-1 today, in response to notification
of a security issue with the older 0.90.1-4 version.  You can find more
info about the security issue here:

http://secunia.com/advisories/24891/

In the meantime, you can download 0.90.2-1 from our website, or directly at:

http://code.google.com/p/clamav-sosdg/

Please let me know of any issues!

--
Brie Bruns
The Summit Open Source Development Group
http://www.sosdg.org






[Declude.Virus] [Fwd: [clamav-announce] ClamAV/SOSDG For Windows 0.90.1-3 Is Now Available]

2007-03-15 Thread Nick Hayer

fyi -

 Original Message 
Subject: 	[clamav-announce] ClamAV/SOSDG For Windows 0.90.1-3 Is Now 
Available

Date:   Wed, 14 Mar 2007 16:02:48 -0400
From:   Bri Bruns [EMAIL PROTECTED]
To: [EMAIL PROTECTED]



Hello all,

With help from various people, I've got a new build of ClamAV/SOSDG For 
Windows 0.90.1 available - release 3 fixes bugs in -1 and -2 that people 
reported.  I believe the problem was relating to fixes once needed in 
pre-0.90.1 versions of ClamAV.


http://www.sosdg.org/clamav-win32/

Direct download:
http://www.sosdg.org/clamav-win32/clamav-devel.exe

Once again, thanks to everyone who provided feedback.

--
Bri Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org 



___
ClamAV For Windows Announcement Mailing List
http://lists.sosdg.org/mailman/listinfo/clamav-announce






Re: [Declude.Virus] ClamAV 0.90.1-2 problems

2007-03-13 Thread Nick Hayer
Exit code of 2 means ClamAV had an error - Is clamd running? will 
clamdscan.exe file to be scanned work? eg no parameters?


-Nick

Gary Steiner wrote:

Ever since I upgraded to ClamAV 0.90.1-2 (the SOSDG windows port), I've been 
unable to get it to work.  The Declude log files show an error like this:

03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 Checksum=38095]
03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]


If I try to run it from the command line using the parameters from my virus.cfg 
file, I get the following:

C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt 62376245.eml

/cygdrive/c/clamav-devel/bin/clamdscan: unrecognized option `--mbox'
ERROR: Unknown option passed.
ERROR: Can't parse the command line


Anyone else seeing anything like this?  Did something change in 0.90 to make 
these parameters invalid?

Thanks,

Gary Steiner









[Declude.Virus] [Fwd: [clamav-announce] Problems with ClamAV/SOSDG For WIndows 0.90.1-1 and -2]

2007-03-13 Thread Nick Hayer

fyi -

 Original Message 
Subject: 	[clamav-announce] Problems with ClamAV/SOSDG For WIndows 
0.90.1-1 and -2

Date:   Tue, 13 Mar 2007 14:20:20 -0400
From:   Bri Bruns [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


Okay, been getting reports of people having problems with the 0.90.1 
builds of ClamAV/SOSDG For Windows I've been releasing lately.


Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not 
quite sure how such an old version got into the build, but it is 
unreliable, and you probably are getting errors if you are using it.


0.90.1-2 is also having problems for some people, which I'm looking into 
now.  I'm not sure of the cause, but there appears to have been a lot of 
underlying changes in ClamAV over the past few months.


For now, if you are having problems with -2, I suggest going back to 
0.90-1, which you can grab from here:


http://downloads.sosdg.org/clamav/clamav-0.90-1.exe

And is known to work well for most people.

Please keep any bug reports for -2 coming in, as it's helping me narrow 
down the cause of the issues.


--
Brie Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org 



___
ClamAV For Windows Announcement Mailing List
http://lists.sosdg.org/mailman/listinfo/clamav-announce






Re: [Declude.Virus] Declude 4.3.40 Released

2007-03-12 Thread Nick Hayer

Thanks David

-Nick

David Barker wrote:

FIX ZEROHOUR passing weight to SM when email WHITELISTED
FIX Ignore Case checking in Imail Address book 2006
FIX Improved performance when OUTBOUNDSPAMSCANNING OFF
FIX Updated CommTouch ZEROHOUR Dll
FIX EXITSCANONVIRUSDETECT   ON works between AVG and Commtouch
ADD SM allows both email addresses and domains in their trusted sender
list, declude will match on either
ADD Support for Regular Expressions
http://support.declude.com/Customer/KBArticle.aspx?articleid=97 in the
Filters using PCRE library

We will also be sending an email to notify customers of important changes.

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]






Re: [Declude.Virus] Release Update

2007-02-01 Thread Nick Hayer

Hi David,

What will this release contain?

-Nick



David Barker wrote:

We had scheduled a release for 31 January 2007, which we are delaying for
some changes next date is Monday 5 February 2007

Thanks
David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]






Re: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.

2006-10-26 Thread Nick Hayer

Darrell ([EMAIL PROTECTED]) wrote:

Also, for me to get the virus name I had to use the wrapper.
  

fyi - The names are otherwise recorded in the clamd.log

-Nick






Re: [Declude.Virus] Fw: A secret e-card has been sent fot you!!

2006-09-29 Thread Nick Hayer






Darrell ([EMAIL PROTECTED]) wrote:

  
  
  
  Pretty nice piece of social
engineering below - how many of your users will click on this tomorrow
:) Who can resist the temptation of a "secret" greeting card.

I get quite a few of these - here is my postcard-phish.txt
SKIPIFWEIGHT 26
REVDNS  END ENDSWITH 1001.com
BODY  END NOTCONTAINS postcards.org
HEADERS  5 CONTAINS @postcards1001.com
BODY  5 CONTAINS .exe

-Nick


  
  The link actually takes you to 
  http://www.lkkm.cz/help/postcard.gif.exe
  
  Darrell
  
Check out http://www.invariantsystems.com
for utilities for Declude And Imail. IMail/Declude Overflow Queue
Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
  
  -
Original Message -
  From:
  e-greetings.com
  
  To: [EMAIL PROTECTED] 
  Sent: Thursday, September 28, 2006 10:20 PM
  Subject: A secret e-card has been sent fot you!!
  
  
  
  Hello friend !
A friend has sent you an ecard from e-greetings.com
  
Send free ecards from e-greetings.com with your choice of colors, words
and music.
  
Your ecard will be available with us for the next 10 days. If you wish
to keep the greeting longer, you may save it on your computer or take a
print.
  
To view your ecard, click on the following Internet address.
  
  http://www.e-greetings.com/view.php?sid=1246
  
  
  
Hope you will visit us,
e-greetings.com 
  

Re: [Declude.Virus] ClamAV Exit codes

2006-09-29 Thread Nick Hayer

Failure I do believe, probably ClamD is not running?

-Nick

Markus Gufler wrote:

Does anyone know what exit codes ClamAV has and what they mean?

From 2006-09-27 06:50PM on I can see a huge number of

Virus scanner 2 reports exit code of 2

...in the virus-logfile.

Markus
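
A log-triage sketch for the exit-code question above and for the repeated "exit code of 2" lines in the ClamAV 0.90.1-2 thread. It is an added example, not code from Declude, ClamAV or anyone on the list; the function names, the 5% threshold and the sample log are assumptions constructed for illustration, and the exit-code map is ClamAV's convention (0 clean, 1 virus found, 2 error).

```python
import re
from collections import Counter, defaultdict

# ClamAV convention (clamscan/clamdscan): 0 = clean, 1 = virus found, 2 = error.
# Other scanners use other codes, so the map is a parameter of the check.
CLAM_EXIT = {0: "clean", 1: "virus", 2: "error"}

# Line layout as seen in the log excerpts quoted in these threads:
#   MM/DD/YYYY HH:MM:SS.mmm <message-id> <text>
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+) (.*)$")
EXIT_RE = re.compile(r"^Virus scanner (\d+) reports exit code of (\d+)$")

# Constructed sample, modelled on the excerpts quoted in the threads.
SAMPLE_LOG = r"""
03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]
03/12/2007 19:18:02.101 62376246 Virus scanner 1 reports exit code of 0
03/12/2007 19:18:02.304 62376246 Virus scanner 2 reports exit code of 0
03/12/2007 19:18:10.500 62376247 Virus scanner 1 reports exit code of 2
03/12/2007 19:18:12.546 62376247 Virus scanner 1 reports exit code of 0
03/12/2007 19:18:12.750 62376247 Virus scanner 2 reports exit code of 0
03/12/2007 19:18:20.015 62376248 Virus scanner 1 reports exit code of 1
03/12/2007 19:18:31.640 62376249 Virus scanner 1 reports exit code of 3
"""


def parse(lines):
    """Group log lines by message id: exit codes per scanner slot, in order."""
    msgs = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a wrapped continuation
        msg_id, text = m.groups()
        rec = msgs.setdefault(
            msg_id, {"exits": defaultdict(list), "no_report": False}
        )
        e = EXIT_RE.match(text)
        if e:
            rec["exits"][int(e.group(1))].append(int(e.group(2)))
        elif text.startswith("Could not find report file"):
            rec["no_report"] = True
    return msgs


def scanner_health(msgs, scanner, exit_map=CLAM_EXIT):
    """Classify each message by the scanner's final exit code.

    The log shows the same scanner being run several times for one message,
    so only the last attempt decides the outcome. A code missing from
    exit_map counts as 'unknown' and is treated as not scanned.
    """
    counts = Counter({"clean": 0, "virus": 0, "error": 0, "unknown": 0})
    unscanned = []
    for msg_id, rec in msgs.items():
        codes = rec["exits"].get(scanner)
        if not codes:
            continue  # this scanner slot never ran for the message
        outcome = exit_map.get(codes[-1], "unknown")
        counts[outcome] += 1
        if outcome in ("error", "unknown"):
            unscanned.append(msg_id)
    total = sum(counts.values())
    ratio = (counts["error"] + counts["unknown"]) / total if total else 0.0
    return {"counts": dict(counts), "unscanned": unscanned, "error_ratio": ratio}


def is_degraded(health, max_error_ratio=0.05):
    """True when the scanner fails often enough that mail is effectively
    passing with one engine fewer (threshold is an assumed value)."""
    return health["error_ratio"] > max_error_ratio


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG.splitlines())
    for slot in (1, 2):
        h = scanner_health(parsed, slot)
        print(slot, h, "DEGRADED" if is_degraded(h) else "ok")
```

A scanner slot that keeps returning 2 is not cleaning mail; messages in `unscanned` were delivered on the verdict of the remaining scanners only.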







Re: [Declude.Virus] AVG Updates

2006-09-12 Thread Nick Hayer




Mine is 9/8. 

-Nick

Mark Reimer wrote:

  
  
  
  
  What are the latest AVG
updates that everyone has? Im
worried that my AVG stopped updating for some reason. Or is it from
Declude
moving all their stuff around?
  
  Mark Reimer
  IT Project Manager
  American CareSource
  214-596-2464
  
  
  

[Declude.Virus] ClamAV

2006-07-17 Thread Nick Hayer

I have noticed now with 4x that if ClamAv is the first scanner it fails
- it cannot find the file to scan. However if it is moved to the 2 
'hole' or 3 'hole' - identical config otherwise - it works like a charm. 
Does anyone else see this anomaly?


-Nick






Re: [Declude.Virus] 4.2.3 Built-in scanner slight off topic reply

2006-07-12 Thread Nick Hayer




I just switched to 4x and noticed in the logs that scan times are
recorded - 
here are some sample scan times against the same email - 
2062ms Clamscan
468ms Mcafee scan.exe
171ms fprot

These relative scan time proportional differences appear to remain the
same against other emails.

Switching from clamscan.exe to clamdscan.exe ClamAV averages 15ms
against all emails it sees. That is like a factor of 10 faster than
fprot its closest performance competitor. Since its free and
w/Sanesecurity phish sigs I give it an editors choice :)

It would be nice to see [feature request?] the ms response time for AVG
-

-Nick



John Shacklett wrote:

  Sorry for the tardy response, I've been traveling.

I used mcafee on my old system in combination with f-prot, and never had any
problems there either. On my new box [new since May], I started out with a
different program from eTrust because we're moving away from McAfee across
the board, but I had issues with the new program and switched to scan.exe. I
don't remember exactly when I made that last switch, but I have NEVER gotten
scan to return anything on anything it has scanned. I send myself a report
daily on activity for the previous day, and it always says in the virus
detections that "0 mcafee detected for 07-10-2006", a day when clamav found
82 and f-prot and AVG each found four more. 

I'm away from my office until next week, and I'm going to do some more
experimenting then to figure out why mcafee fails.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Thursday, 06 July 2006 4:51 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] 4.2.3 Built-in scanner

John, 

What problems are you having with scan.exe?  A lot of us use McAfee and have
no issues. 

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude, Imail,
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers. 


John Shacklett writes: 

  
  
After loading 4.2.20 this afternoon, my AVG scanner is now finally 
detecting viruses. Oh happy day. Now if I can just get scan.exe to 
work, I'll have a full house.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Thursday, 11 May 2006 11:44 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

"Declude 4.2.3 Diagnostics" right on the top line.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Carter
Sent: Thursday, 11 May 2006 9:30 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Just curious, what does your diags.txt?  Did 4.2.3 in fact get fully 
installed and running?

John C

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Thursday, May 11, 2006 6:56 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

I guess I should have been more dramatic. What I intended this to mean 
was that I still don't see any evidence that AVG is working at all.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 3:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Just for fun, I completely commented out the three scanners in my 
virus.cfg and resent the eicar plain test file, and it made it to my
Inbox.
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 9:58 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Forget my last post, I have different problems. Sorry. 

I followed John C's suggestion and sent myself a standard base64 MIME 
encoded eicar.com file [which should have occurred to me earlier], and 
I ended up with the following lines in the debug output:

05/09/2006 09:50:57.007 q9e3d01cb331c.smd AVG Reports No Virus
05/09/2006 09:50:57.178 q9e3d01cb331c.smd Virus scanner 1 reports exit code of 3
05/09/2006 09:50:58.444 q9e3d01cb331c.smd Virus scanner 2 reports exit code of 0
05/09/2006 09:50:58.616 q9e3d01cb331c.smd Virus scanner 3 reports exit code of 0

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Carter
Sent: Tuesday, 09 May 2006 9:41 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Temporarily go to LOGLEVEL DEBUG and use the test virus sender.  It 
should show AVG working. MID and HIGH levels didn't show which scanner 
caught EICAR, but DEBUG did.

John C


05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Virus detected. Not 
continuing with any remaining scanners.
05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG 

[Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer
I been asked to remove the block I have on these - and since I have 
forgotten why I am blocking them Is there a valid reason to block 
these?


Thanks in advance

-Nick


Re: [Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer




Hi John,

I was referring to file attachments that had a .url extension - I have
that extension banned in my virus.cfg and wondered why - 

-Nick



John T (Lists) wrote:

  You nor I nor Declude nor any one knows where that leads too. You can not
scan the destination for a url. 

John T
eServices For You

"Seek, and ye shall find!"

  
  
-Original Message-
From: [EMAIL PROTECTED]

  
  [mailto:[EMAIL PROTECTED]]
  
  
On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I been asked to remove the block I have on these - and since I have
forgotten why I am blocking them Is there a valid reason to block
these?

Thanks in advance

-Nick


  





Re: [Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer

Bill,

Will you kindly elaborate?  :)
I see in clamd.conf the MailFollowURLs but the advice is not to use it -
-Nick


Bill Landry wrote:


ClamAV can be configured to scan URLs, if so desired.

Bill
- Original Message - From: John T (Lists) 
[EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 12:40 PM
Subject: RE: [Declude.Virus] url file extensions


You nor I nor Declude nor any one knows where that leads too. You can 
not

scan the destination for a url.
John T
eServices For You

Seek, and ye shall find!


-Original Message-
From: [EMAIL PROTECTED]


[mailto:[EMAIL PROTECTED]


On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I been asked to remove the block I have on these - and since I have
forgotten why I am blocking them Is there a valid reason to block
these?

Thanks in advance

-Nick


Re: [Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer




Thanks!

-Nick

John T (Lists) wrote:

  
  
  
  
  Yep, exactly what I meant. I ban them as there is no way to scan them
  (Although Bill says ClamAV can do it) to know what they are going to
  lead to.

  John T
  eServices For You

  "Seek, and ye shall find!"

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
  Sent: Tuesday, April 11, 2006 1:09 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] url file extensions

  Hi John,

  I was referring to file attachments that had a .url extension - I have
  that extension banned in my virus.cfg and wondered why -
  
-Nick
  
  
  
John T (Lists) wrote: 
  You nor I nor Declude nor any one knows where that leads too. You can not
  scan the destination for a url. 
  
  John T
  eServices For You
  
  "Seek, and ye shall find!"
  
   
  
-Original Message-
From: [EMAIL PROTECTED]
 
  
  [mailto:[EMAIL PROTECTED]]
   
  
    On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I been asked to remove the block I have on these - and since I have
forgotten why I am blocking them Is there a valid reason to block
these?

Thanks in advance

-Nick
  
  
   
  
  





Re: [Declude.Virus] url file extensions

2006-04-11 Thread Nick Hayer
I enabled it on one of the windows clamav boxes. I'll see what happens. 
Thanks

-Nick

Bill Landry wrote:

Nick, it's advised not to use it because it takes additional time to 
process e-mails with embedded or attached URLs, since it has to 
simulate a user and access the URL in order to scan it.  If you 
already have a heavily utilized system, then you would be wise not to 
enable this feature.  However, if you have available resources, you 
should be fine.


Also, at least on Linux, you need to have curl installed and compile 
with libcurl support:


Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --with-libcurl          support URLs downloading with libcurl (default=no)


However, I don't know if this is the case with the Windows version of 
ClamAV, since I have never actually run it on Windows.


We have been running with this feature enabled on our two Linux 
gateways for about a year now and thus far have had no problems with it.


Bill
- Original Message - From: Nick Hayer [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 1:30 PM
Subject: Re: [Declude.Virus] url file extensions



Bill,

Will you kindly elaborate?  :)
I see in clamd.conf the MailFollowURLs but the advice is not to use it -

-Nick


Bill Landry wrote:


ClamAV can be configured to scan URLs, if so desired.

Bill
- Original Message - From: John T (Lists) 
[EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 12:40 PM
Subject: RE: [Declude.Virus] url file extensions


Neither you nor I nor Declude nor anyone knows where that leads to. You
cannot scan the destination for a URL.
John T
eServices For You

Seek, and ye shall find!


-Original Message-
From: [EMAIL PROTECTED]



[mailto:[EMAIL PROTECTED]


On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I have been asked to remove the block I have on these - and since I have
forgotten why I am blocking them, is there a valid reason to block
these?

Thanks in advance

-Nick


Re: [Declude.Virus] F-Prot Switches

2006-03-28 Thread Nick Hayer

Hi Mark,

Mark Reimer wrote:


After seeing Matt's response I'm curious what other users are using for
their F-prot switches.


here are mine:
SCANFILE1    e:\Progra~1\FSI\F-Prot\fpcmd.exe /ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /SILENT /TYPE /REPORT=report.txt
VIRUSCODE1   3
VIRUSCODE1   6
VIRUSCODE1   8
VIRUSCODE1   9
VIRUSCODE1   10
REPORT1      Infection:
#2
SCANFILE2    e:\mcafee\scan.exe /ALL /ANALYZE /MAILBOX /MIME /NOBEEP /NOBOOT /NOBREAK /NODDA /NOMEM /PROGRAM /SILENT /UNZIP /REPORT report.txt
VIRUSCODE2   13
REPORT2      Found
#3
SCANFILE3    c:\clamav-devel\bin\clamdscan.exe --quiet --log-verbose --no-summary --max-ratio 0  -l report.txt
VIRUSCODE3   1

-Nick

 




Re: [Declude.Virus] Updates from Declude

2006-03-08 Thread Nick Hayer





David Barker wrote:

  
  

  
  The next release of Declude
which is currently being tested and soon to be released

ahh David - wanna share? What will the new ver have to offer? :)

-Nick

  
  David B
  www.declude.com
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grant Griffith
  Sent: Wednesday, March 08, 2006 12:47 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Updates from Declude

  Is anyone else using confirm and can let me know if it is working for you
  now or not? I know John is busy and may not have had time to try it yet and
  Declude is not responding.
  
  
  Thanks,
  Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grant Griffith
  Sent: Monday, March 06, 2006 8:06 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Updates from Declude

  Sounds good John, was just curious if you were still seeing the issue also.
  
  
  Thanks,
  Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
  Sent: Friday, March 03, 2006 5:27 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Updates from Declude

  No I have not tested lately. I have been extremely busy this week. I will
  try on Saturday.

  John T
  eServices For You

  "Seek, and ye shall find!"
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grant Griffith
  Sent: Friday, March 03, 2006 5:38 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Updates from Declude

  Barry,

  Wasn't the confirm issues supposed to be resolved in this version? I just
  tested it and it still does not subscribe the user after they confirm by
  replying to the message?!?!

  John, have you tried this yet with the same results?
  
  
  Thanks,
  Grant Griffith
Web Application Developer
Enhanced Telecommunications Corp.
(812)932-1000
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Thursday, March 02, 2006 5:04 PM
  To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
  Subject: [Declude.Virus] Updates from Declude

  Product Naming

  After considering all the choices we have decided to rename the new product
  "Declude Security Suite". I will be notifying the winner(s) of the
  competition shortly.

  Declude Security Suite for IMail

  We have now released additional versions of the software for different
  levels of IMail and these can be found at http://www.declude.com//Purchase.asp?cat=13

  As usual if anyone has questions please contact me and we will do our best
  to answer.

  Barry

  [EMAIL PROTECTED]
  Office: (978) 499-2933
  Cell: (978) 853-9593
  





Re: [Declude.Virus] Encoded viruses...worried topic change - to Bill Landry

2006-02-01 Thread Nick Hayer






  With these, you don't need to run CygWin ports or the Microsoft Windows Services for Unix. Bill Landry put the Declude and Message Sniffer mailing list users on to these a long time ago, and I'm still grateful to him.
  

Well I am grateful and frustrated at times- because it can do so much
and I have such a hard time getting the results I want!

Bill,

As I recall you were putting together a group of neat scripts to run
against our logs - did that ever happen and I missed it? It sure would
be helpful... !

Thanks

-Nick

  
I did some speed tests a long time ago, and found that the grep tool mentioned above was an order of magnitude faster than the find.exe that comes with Windows.

John T:

Sorry, you were probably viewing the output with NotePad.  I use a different editor that accommodates CR or CR/LF as the end-of-line sequence.  Good old edit and WordPad will do the trick.  So will using "less.exe" instead of piping to "more".

Markus:

Great tip, I just might make that part of my standard commands anyway.


Matt:

No problem, the .UU part of the search will also find all the lines that mention the .UUE format.


Andrew 8)




  
  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Wednesday, February 01, 2006 7:24 AM
To: Markus Gufler
Subject: Re: [Declude.Virus] Encoded viruses...worried

Off list - what grep do you use or which is the best for a W32 box?


Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler 
[EMAIL PROTECTED] wrote:
MG I've grep'ed through the logfiles for the last 7 days on my servers
MG
MG 2981 lines has sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME"
MG (ignoring double counts for the second av scanner)
MG
MG After filtering out all lines containing "Kapser" and "Mywife"
MG there remains the following 4 lines
MG
MG 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
MG 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]
MG
MG This looks very promising that declude is already handling it in
MG order to catch malicious code inside such attachments.
MG
MG Note: the 4.th line is listed due to the "MIME"
MG
MG Markus

MG From: [EMAIL PROTECTED]
MG [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
MG Sent: Wednesday, February 01, 2006 3:19 PM
MG To: Declude.Virus@declude.com
MG Subject: Re: [Declude.Virus] Encoded viruses...worried

MG You know, I was going to ask if you would do a search, but I
MG figured you might do it anyway :) You did leave out the ".uue"
MG extension, but I doubt that would have changed your results.

MG I suppose that if these extensions aren't hardly ever used
MG anymore, it might be prudent enough to just watch for the
MG possibility of the tactic to become widespread and
MG then take action.

MG I do have a fair number of Mac users and probably more
MG overseas traffic than you do, so I think that I am going to have
MG to search a little on my own. Unfortunately I zip all of my
MG logs nightly, so it isn't practical to search through
MG all of them.

MG Matt

MG Colbeck, Andrew wrote:

MG On the plus side, there are mitigating circumstances...
MG
MG First, let me point out that although the antivirus
MG companies will lag behind the virus authors, the
MG antivirus guys aren't sleeping.
MG
MG For many years, the bad guys have been using encoding
MG methods and 3rd party applications to obfuscate their software
MG as a cheaper alternative on their time than writing
MG polymorphic code whose very technique gave them away.
MG
MG PKLite was probably the first 3rd party tool used. I've
MG recently seen PAK, UPX and FSG... all three of which were
MG caught by F-Prot because the antivirus guys simply make signatures
MG for the binary itself, and don't bother including unpacking
MG methods for all possible compression/encryption methods.
MG This explains why we have relatively few upgrades on
MG the engines themselves.
MG
MG The F-Prot documentation mentions (I think) only zip
MG decoding, but we know that it certainly does UPX and RAR decoding
MG based on issues that have been raised with each (for the
MG former, pathetic speed and the former, a buffer overflow).
MG
MG If you want to see what your virMMDD.log might reveal
MG about this latest

Re: [Declude.Virus] Encoded viruses...worried topic change - to Bill Landry

2006-02-01 Thread Nick Hayer




Excellent.
Thanks Bill - 

-Nick

Bill Landry wrote:

  
  
  
  
  Nick, I put this together quite some
time ago and have sent it to people upon request. Hopefully posting it
here will make it more widely accessible. At least it can point you to
some tutorials and give you a sampling of how the tools can be used and
maybe will inspire others to create some cool scripts that they would
be willing to share with others on the list.
  
  Bill
  
  
- Original Message -
From: Nick Hayer

Well I am grateful and frustrated at times- because it can do
so much and I have such a hard time getting the results I want!

Bill,

As I recall you were putting together a group of neat scripts to run
against our logs - did that ever happen and I missed it? It sure would
be helpful... !

Thanks

-Nick
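
An added example, not part of any post in this thread: the log search Markus describes earlier in the thread (his extension pattern, the two excluded names, double counts dropped), run over the four log lines he quotes plus three lines constructed here. The anchored pattern and the de-duplication key (spool file name plus message text) are assumptions of this example.

```python
import re

# Extension pattern exactly as quoted in the thread (case-sensitive, unanchored).
# Note that \.UU also matches names ending in .UUE.
THREAD_PATTERN = re.compile(r"\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME")

# Assumption of this example: require the extension to end at a non-alphanumeric
# character, so ".B64" inside a MIME boundary like "...8B.B6472520" is not a hit,
# and match case-insensitively so lowercase attachment names are found too.
ANCHORED_PATTERN = re.compile(
    r"\.(?:BHX|HQX|B64|UUE?|MIM|MME)(?![A-Za-z0-9])", re.IGNORECASE
)

# Names filtered out in the thread, spelled as they appear there.
EXCLUDE = ("Kapser", "Mywife")

# Layout of the quoted lines: date, time, spool file, message text.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}\.\d{3}) (\S+\.smd) (.*)$"
)

SAMPLE_LOG = [
    # The four lines quoted in the thread (wrapped lines joined).
    "01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched "
    "extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe",
    "01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched "
    "extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe",
    "01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched "
    "extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe",
    "01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of "
    "MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]",
    # Constructed: the first message logged again by a second scanner pass.
    "01/25/2006 11:46:46.120 q570b9f4500e492b1.smd Found file with mismatched "
    "extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe",
    # Constructed: a line naming one of the excluded viruses.
    "01/26/2006 09:15:02.500 qconstructed0001.smd constructed line: Mywife "
    "in [Sample.UUE]",
    # Constructed: lowercase extension, missed by the case-sensitive pattern.
    "01/28/2006 10:02:11.250 qconstructed0002.smd Found file with mismatched "
    "extensions [notes.uue-Removed Attachment.txt]; assuming .exe",
]


def search_log(lines, pattern, exclude=EXCLUDE):
    """Return parsed hits for `pattern`, minus excluded names and repeats."""
    seen = set()
    hits = []
    for raw in lines:
        line = raw.strip()
        parsed = LINE_RE.match(line)
        if parsed is None:
            continue  # not a log line in the quoted layout
        if any(term in line for term in exclude):
            continue
        if not pattern.search(line):
            continue
        date, time, spool, text = parsed.groups()
        key = (spool, text)  # same message reported twice counts once
        if key in seen:
            continue
        seen.add(key)
        hits.append({"date": date, "time": time, "spool": spool, "text": text})
    return hits


if __name__ == "__main__":
    for label, pattern in (("thread", THREAD_PATTERN), ("anchored", ANCHORED_PATTERN)):
        hits = search_log(SAMPLE_LOG, pattern)
        print(f"{label} pattern: {len(hits)} hit(s)")
        for hit in hits:
            print("  ", hit["date"], hit["spool"], hit["text"])
```

On the sample, the thread's pattern returns the four quoted lines (the fourth because its boundary string contains ".B64"), while the anchored pattern drops that line and picks up the lowercase .uue name.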
  





Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Nick Hayer




Don Brown wrote:

  
#1 "The main benefit is that it cuts down on the amount of messages
virus scanned thus saving resources."
  

correct.

  
#2 "It still gets virus scanned."
  

only those emails that get past the junkmail scanning. If you do not
delete any junkmail then there is no benefit

-Nick



  
So, with or without AVAFTERJM, it looks like each message is scanned by the virus
scanner (which makes sense to me).  If that is so, then how does it
cut down on machine resources?



Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:
Dsic Keith, 

Dsic It still gets virus scanned.  I have tons of viruses in my virus drop point
Dsic for ROUTETO accounts. 

Dsic Darrell
Dsic  ---
Dsic Check out http://www.invariantsystems.com for utilities for Declude, Imail,
Dsic mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
Dsic integration, MRTG Integration, and Log Parsers. 


Dsic Keith Johnson writes: 

  
  

  Darrell,
  What happens in this scenario.  Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, lets say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days.  Does Declude Virus still run against it
prior to ROUTETO?  My fear is that the virus file will land in their
spam box untouched and the user will fire the virus off by looking at
file.   

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME 


  
  
How does AVAFTERJM cut down on work?  I thought it only affected the 
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.

  
  The main benefit is that it cuts down on the amount of messages virus 
scanned thus saving resources.  It has been a MAJOR help for me.  

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.  

  

  




Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364    Fax: (972) 788-5049




  





Re: [Declude.Virus] [Declude.JunkMail] Declude Hardware Issue

2005-12-27 Thread Nick Hayer




David,

David Franco-Rocha wrote:

  
  
  
  
  B) Your software is NEVER downgraded
for any reason, either automatically or otherwise

hmm - would you kindly shut down your key server for awhile and monitor
the list in the meantime?

-Nick

  
  We have had a few reports from
customers who have licensed versions of Pro, saying that they are
receiving messages in their log files that they do not have the Pro
version.




   We will identify the source of that
issue tomorrow when the office reopens and will resolve it. It does not
have any relation to the key authentication mechanism with the server,
since the actual authentication with IMail versions of Declude
continues to be via the old codes entered into the configuration files.
  
  David Franco-Rocha
  Declude Technical / Engineering
  





Re: [Declude.Virus] Hardware Issue

2005-12-26 Thread Nick Hayer




Hi David,

Would you kindly elaborate on the ramifications of such a failure? I am
interested in when its fixed but more importantly its ramifications.
Are you saying that a hardware/network/software issue on your end can
in anyway disarm/defuse/alter/change the way Declude functions on its
installed user base? 

Thanks!

-Nick


David Franco-Rocha wrote:

  Due to the long holiday weekend, we
have been away from the office for a few days. Unfortunately it has
come to our attention that there could be a problem with key validation
on the server there. After some testing, we have determined that there
is in fact a hardware issue that we expect to have resolved today.
  
  We appreciate that you have taken
the time to bring this matter to our attention and appreciate your
patience while we rectify the situation. We will once again post to
this list when the issue has been corrected.
  
  Declude Technical / Engineering
  



  





Re: [Declude.Virus] Declude 3.0.5.18 Posted

2005-11-05 Thread Nick Hayer

Thanks for the info David!

-Nick

David Barker wrote:


Declude 3.0.5.18

ALL - Fixed un-defined variables causing intermittent stop/start with the
decludeproc service. 
JM -  Fixed SmarterMail incoming email recipient domain aliases.
AV -  Fixed un-defined variables, causing incorrect Virus Names. 


David B
www.declude.com



Re: [Declude.Virus] Second scanner

2005-11-04 Thread Nick Hayer

Hi David,

Mcafee is one - the command line scanner is only $11 - if you can find a 
vendor to sell it to you.


ClamAV is another choice and its free. I use it w/clamd.
http://www.sosdg.org/clamav-win32/index.php

I use all three..

-Nick

David Dodell wrote:


After many years of using Virus Standard, I upgraded to Virus Pro to
take advantage of a second scanner.   I've scanned the previous
threads on what others like for a second scanner to F-Prot, but can't
seem to find any common thread ...

So I would appreciate what seems to be the next most popular virus
scanner to run as a secondary scanner to F-Prot?

David



Re: [Declude.Virus] 3.0.5.10

2005-10-24 Thread Nick Hayer

Thanks David!

-Nick

David Barker wrote:



3.0.5.10 - Change was made to reset the winsock when the \proc directory
reached 0 messages
3.0.5.11 - Change was made to reset the winsock when the \proc directory
reached 0 messages and threads in the \work had completed processing

I will update documentation etc. and post changes for releases, as soon as I
have the relevant information.

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Saturday, October 22, 2005 12:27 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] 3.0.5.10

This one is just for the record since .10 is not on the website anymore --
thank goodness.

Put 3.0.5.10 in place this afternoon (before I knew .11 was available).
MISTAKE! Things looked ok at first, but didn't realize mail was stacking up
in \proc\. When I was not getting anything at the house, came back in
(around 11pm) and found 6,500 msgs in \proc.  Put in .11 and restarted.  It
is flowing now.

Wonder if that is the reason .10 disappeared from the web site so fast.
This raises (at least for me) an old discussion.  I know new documentation
for each little update is not possible or even reasonable to expect. But
maybe a quick and dirty page on what the update fixed.??  


John



[Declude.Virus] error line in log file

2005-09-26 Thread Nick Hayer

Hi -

would anyone know what "Couldn't create map1" would mean in the Declude 
virus log file?


Thanks!

-Nick



Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-23 Thread Nick Hayer

Hi Andy,

Andy Schmidt wrote:


Thanks Bill.  I had gotten the impression as if everyone with dual-processor
system was reporting this and that people were still seeing it with the
latest version.
 

If you will would you let me know more about this issue. I haven't been 
following exactly so I do not know what I should be looking for  :)
I have 3.0.4.4  running on my quad processor [with hyper threading] box 
without any problems - at least as far as I can tell. If I'm missing 
something I will revert back to 2.0.6.16 in a heartbeat!


-Nick

 




Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-23 Thread Nick Hayer



Andy Schmidt wrote:


Hi Nick:

I'm only repeating what I'm told - I don't have factual information on my
own.
 


chuckle chuckle chuckle. you are very funny at times!



Declude is supposed to check the /proc folder and ONLY go to sleep (for 30
seconds), if the folder contains no messages. On systems that have that
problem, Declude goes to sleep even though there ARE messages to process.
 

Gotcha. No biggie for me to monitor at least.  Haven't seen that symptom 
yet but now the other emails regarding this make sense.


Thanks -

-Nick

 




Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Nick Hayer




Hi Matt - 

Matt wrote:

  
  
I was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DAT's than
  http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works -
ftp.nai.com
/pub/antivirus/datfiles/4.x

-Nick


Thanks,
  
Matt
  
  
  
John Tolmachoff (Lists) wrote:
  
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  

  -Original Message-
From: [EMAIL PROTECTED]


[mailto:[EMAIL PROTECTED]]
  

  On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



  
What is the payload inside the zip?

John T
eServices For You


  

  -Original Message-
From: [EMAIL PROTECTED]


[mailto:[EMAIL PROTECTED]]
  

  On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m.
this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERS    END    NOTCONTAINS    boundary="
BODY       END    NOTCONTAINS    attachment; filename="
BODY       END    NOTCONTAINS    .zip" Content-Transfer-Encoding
BODY       15     CONTAINS       price

Matt


  
  





Re: [Declude.Virus] Patch Tuesday and graphic images

2005-07-12 Thread Nick Hayer

Thanks Andrew!

-Nick

Colbeck, Andrew wrote:


Today is Microsoft Patch Tuesday for July 2005.

One of the bulletins is:

http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx

Which fails to indicate which graphics formats are affected by this
vulnerability.  It does mention that abuse thereof is indeed in the
wild.  Presumably on websites, but if you want to make sure that it is
not happening in email, you will want to remove these optimizations from
your Declude virus.cfg file:

SKIPEXT JPG
SKIPEXT JPEG
SKIPEXT PNG
SKIPEXT TIF
SKIPEXT TIFF

This contradicts my posting in May 2005 that Scott Perry said that JPG
skipping was ok vis a vis MS04-028 Q833987 because Declude Virus checks
for corrupt JPG regardless of the SKIPEXT behaviour.  That is, unless
the Declude code is so good that it checks all three of these formats
for rigorous adherence to their standards such that it protects the
Microsoft libraries!


Andrew 8)




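
An added example, not from the post or from Declude: a check that finds the SKIPEXT entries Andrew lists in a virus.cfg and comments them out so those image types are scanned again. The sample configuration is constructed; treating keywords case-insensitively and `#` lines as comments are assumptions of this example.

```python
import re

# Extensions named in the post as optimizations to remove.
IMAGE_EXTS = frozenset({"JPG", "JPEG", "PNG", "TIF", "TIFF"})

# One directive per line, as in the post: SKIPEXT <extension>
DIRECTIVE_RE = re.compile(r"^\s*SKIPEXT\s+\.?([A-Za-z0-9]+)\s*$", re.IGNORECASE)

# Constructed virus.cfg excerpt (not taken from a real server).
SAMPLE_CFG = "\n".join([
    "# constructed virus.cfg excerpt",
    "SKIPEXT JPG",
    "skipext jpeg",
    "SKIPEXT GIF",      # hypothetical entry outside the post's list: left alone
    "# SKIPEXT PNG",    # already commented out: not reported
    "SKIPEXT TIF",
]) + "\n"


def audit_skipext(cfg_text, risky=IMAGE_EXTS):
    """Return (findings, patched_text).

    findings is a list of (line_number, EXTENSION) for active SKIPEXT lines
    whose extension is in `risky`; patched_text is the same configuration
    with exactly those lines commented out.
    """
    findings = []
    patched = []
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        stripped = line.strip()
        match = None if stripped.startswith("#") else DIRECTIVE_RE.match(line)
        if match and match.group(1).upper() in risky:
            findings.append((lineno, match.group(1).upper()))
            patched.append("# " + stripped)
        else:
            patched.append(line)
    return findings, "\n".join(patched) + "\n"


if __name__ == "__main__":
    found, new_cfg = audit_skipext(SAMPLE_CFG)
    for lineno, ext in found:
        print(f"line {lineno}: SKIPEXT {ext} skips scanning of .{ext.lower()} files")
    print(new_cfg, end="")
```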


Re: [Declude.Virus] what does this mean in the virus log file?

2005-06-07 Thread NIck Hayer

Thanks David!


David Franco-Rocha [ Declude ] wrote:


Nick,

With the enhancement of turning off checking for individual 
vulnerabilities, this information indicates for Declude which 
vulnerabilities are being checked and which ones are not.


David Franco-Rocha
Declude Technical Support

- Original Message - From: NIck Hayer [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, June 06, 2005 5:51 PM
Subject: Re: [Declude.Virus] what does this mean in the virus log file?



Vulnerability flags = 76

Thanks!

-Nick



Re: [Declude.Virus] Second Scanner

2005-06-06 Thread NIck Hayer




I am not real clear on this thread - but if it has to do with clamd -
it w/Declude no question has a problem in Windows. I have stopped using
it - it may take a week or even a month but it will crash...

-Nick


Terry Fritts wrote:

  
I can't find anything in the event or application logs that looks bad
around this time either.

  
  
  I can't either.

  I've switched my clamd.conf file settings to run on TCP/IP rather
  than local socket. In the clamd.log file there were accept() errors
  recorded when this occurs which is a socket command error.

  I don't know that running in TCP/IP will help but the conf file says
  it can help some stability issues on windows servers.

  I also see that once this starts the other scanners never get a
  return either - not sure why that would be.
  

---
Terry



  





Re: [Declude.Virus] what does this mean in the virus log file?

2005-06-06 Thread NIck Hayer

Vulnerability flags = 76

Thanks!

-Nick



Re: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread NIck Hayer




Hi Andy,


Colbeck, Andrew wrote:

  
  
  
  Declude Virus will *not* detect abuse of MS05-16
with the Declude CLSID vulnerability detector.
  
  They are entirely different animals, which
happen to have CLSID at their heart.
  

You are sure up to date with this stuff!


  
  The only way to attack MS05-16 abuse with
Declude Virus is with a) keep your virus scanner up to date, 

This is good news. That can be easily accomplished - 


  and/or b) to watch for virus news and ban
extensions that are deliberately crafted as bogus, e.g. .d0c or .doc_
instead of .doc

Well this won't be effective because folks now rename extensions as a
matter of course to get clean files through eg - .exe  .e_x_e :)


   Leave it up to your antivirus scanner.
  

Perfect and thanks for the insight.

-Nick