RE: [Declude.Virus] ClamAv / ClamWin with Declude
http://oss.netfarm.it/clamav/

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gary Steiner
Sent: Wednesday, November 24, 2010 12:32 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAv / ClamWin with Declude

What version or port of ClamAV are you using with Declude? I've been reading on the SmarterTools forums about the problems with ClamWin, and was wondering if the majority are using this port or a different one? SmarterTools has been referring people to this link:

http://www.h-online.com/open/news/item/Free-ClamWin-virus-scanner-moves-most-of-Windows-into-quarantine-1139430.html

Which port of ClamAV does Declude recommend?

--- [This E-mail was scanned by Declude]
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] EZIP files
I'm pretty small (125 employees), so encrypted zip files are rare and they get blocked. I'll manually reprocess them after getting an alert email.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd Richards
Sent: Tuesday, November 16, 2010 9:25 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] EZIP files

How many of you ban EZIP files via Declude? I have one that is stuck in the virus hold folder, and I am (by default) banning EZIP files. Just out of curiosity, I created one and sent it to Yahoo via my Hotmail account. It arrived with no problem. I have also had legitimate messages get stuck from other vulnerabilities, which I finally disabled. I'd like to balance security without paranoia, if that's possible.

Thanks!
Todd
RE: [Declude.Virus] EZIP files
An email will get generated when they are blocked. I just give them the eyeball test. Generally they are mail that I'd expect from a vendor or partner. If they look to be legit, I move them to the imail\spool folder. If that doesn't take care of it, I'll change the virus.cfg and then reprocess and then change the virus.cfg.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd Richards
Sent: Tuesday, November 16, 2010 2:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] EZIP files

Thanks Scott. We aren't that big either. How do you manually process them? Do you go in and disable the block, reprocess the email, then put the block back?

Todd

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Tuesday, November 16, 2010 10:28 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] EZIP files

I'm pretty small (125 employees), so encrypted zip files are rare and they get blocked. I'll manually reprocess them after getting an alert email.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd Richards
Sent: Tuesday, November 16, 2010 9:25 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] EZIP files

How many of you ban EZIP files via Declude? I have one that is stuck in the virus hold folder, and I am (by default) banning EZIP files. Just out of curiosity, I created one and sent it to Yahoo via my Hotmail account. It arrived with no problem. I have also had legitimate messages get stuck from other vulnerabilities, which I finally disabled. I'd like to balance security without paranoia, if that's possible.

Thanks!
Todd
RE: [Declude.Virus] Testing Internal Scanner
Speaking of versions. I'm running 4.10.42. I noticed there is a 4.10.48 available but no email notice or release notes.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 8:12 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Testing Internal Scanner

Andy, what version of Declude are you running?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, April 28, 2010 8:16 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Testing Internal Scanner

Hi,

I've been watching this now for a few months. The internal scanner NEVER ever catches a virus - while my two other scanners catch them daily. However, since CommTouch doesn't allow the Eicar file to pass, there is no way to easily test the internal scanner.

I think this is something that should eventually be addressed - either by a parameter that allows a user to disable CommTouch for a few minutes at night while testing OR by CommTouch recognizing the EICAR file as a good file and letting it pass!

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                                # INFECTED   PERCENTAGE
No Records Matched Your Criteria

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%

VIRUS                                # INFECTED   PERCENTAGE
PDF.DROPPER-3                        3            0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9     1            0.01%

Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%

VIRUS                                # INFECTED   PERCENTAGE
GENERIC.DX!SED TROJAN !!!            1            0.01%

Best Regards,
Andy
RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX
Can I replace the decludeproc.exe or is an upgrade install needed?

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 01, 2009 2:38 PM
To: declude.junkm...@declude.com; declude.virus@declude.com
Subject: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX

If your AVG is not scanning emails, please upgrade immediately to 4.6.35, which is available from the Declude website. If you are unsure whether this means you, we suggest you upgrade. If you need any assistance in this matter, please contact supp...@declude.com

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
mailto:dbar...@declude.com dbar...@declude.com
RE: [Declude.Virus] Parsing of Report.txt
I think you missed the real point of Andy's email. The last official Declude release was 4.4.0 on 3/17/2008. It's already February 2009, so it's about a year with no official releases. That doesn't make me feel like I'm getting much out of my maintenance renewal money.

Scott Fisher
Director of IT
Farm Progress Companies
255 38th Avenue, Suite P
St. Charles IL 60174-5410
630/462-2323
fax 630/462-2957
sfis...@farmprogress.com
www.farmprogress.com http://www.farmprogress.com/

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, February 05, 2009 12:02 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Parsing of Report.txt
Sensitivity: Personal

Hi Andy, we will certainly look at this, although to be clear, it is very presumptuous to say that adding this will only be 2 min work. Please be careful when making statements like this because it raises a false expectation for others. You have no idea about the complexity of the code, other items being worked on, priorities, resource allocation, support, issues, costs or time available.
Thanks

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
mailto:dbar...@declude.com dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, February 05, 2009 12:44 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Parsing of Report.txt
Sensitivity: Personal

Hi,

With the ability of ClamD to run at lightning speed as a native Windows service (e.g., http://oss.netfarm.it/clamav, without CygWin), offering frequent updates during the day (quite contrary to the internal scanner that often lags days behind) and has acceptable licensing terms - it certainly is a highly attractive external scanner that should be fully supported by Declude after ClamAV has been around for all these years.

Sadly, since Declude hasn't seen any feature updates in ages, the virus.cfg parameter REPORT still can't parse the virus reports generated by ClamDScan. Consequently, the Declude virus log files and virus notification emails are missing file and virus name info.

I took 2 minutes and created a small .JS script that parses the ClamDScan report file and then outputs a McAfee lookalike just to make Declude happy. But that means that yet another batch process is now chewing up Windows' limited resources.

To justify THIS year's maintenance renewal money, can PLEASE have someone spend the same 2 minutes in the Declude source code to correctly parse the ClamDScan output:

c:\maintenance\eicar.com: Eicar-Test-Signature FOUND

Thanks in advance.

Best Regards,
Andy Schmidt
www.Anamera.com

// RunClam.js
// Launches ClamD and reformats output to compensate
// for Declude's inability to correctly parse the report
// (Declude is no longer actively maintained.)
// NOTE: the archived copy lost the quotes and comparison operators;
// the spacing inside the string literals below is assumed.

// Application Constants
var strClamAV = "C:\\Program Files\\ClamAV\\ClamDScan.exe";

// Get Command Line Parameter
if ( WScript.Arguments.Count() == 0 )    // nothing to scan
    WScript.Quit( 2 );
var strPath = WScript.Arguments(0);

// Run ClamAV
var objShell = new ActiveXObject("WScript.Shell");
var objExec = objShell.Exec( strClamAV + " " + strPath );

var strLine;
var nSeperator, nFound;
var bHaveFound = false;

while ( !objExec.StdOut.AtEndOfStream )
{
    // Process ClamAV Output
    strLine = objExec.StdOut.ReadLine();
    if ( bHaveFound )
        continue;    // keep draining output after the first hit

    nFound = strLine.indexOf( " FOUND" );
    if ( nFound > 0 )
    {
        // ": " (colon + space) skips the drive-letter colon in the path
        nSeperator = strLine.indexOf( ": " );
        if ( nSeperator < 1 )
            continue;

        // Appears to be a possible virus report
        bHaveFound = true;

        // Create Declude Report File
        var objFS = new ActiveXObject("Scripting.FileSystemObject");
        var objTS = objFS.CreateTextFile( "Report.txt" );
        objTS.WriteLine( strLine.substring( 0, nSeperator ) + " FOUND " + strLine.substring( nSeperator + 2, nFound ) );
        objTS.Close();
    }
}

// Wait
RE: [Declude.Virus] ClamAv with Declude
I use the runclamscan program to call clamav. Here's my virus.cfg lines

SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Sunday, December 28, 2008 11:29 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAv with Declude

On Dec 28, 2008, at 8:36 AM, Hirthe, Alexander wrote:

http://www.mail-archive.com/declude.virus@declude.com/msg14082.html

Ok, thanks for the excellent beginning ...

I'm using the Clamav-win32 from sosdg.org

Freshclam installed all the latest files just fine

Got it all installed ... but something still not working:

(1) I got clamd installed as a service

(2) In my virus.cfg I have

scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
viruscode 1
report FOUND

(3) In my logs it reports

Could Not Parse String FOUND in report.txt
Error 2 in virus scanner 1
Scanned: Error in Virus scanner [MIME: 1 991]

So I'm assuming I need another type code or way for freshclam to exit cleanly if it doesn't find a virus?

David
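Added example, not part of any message in this archive: the threads above turn on two things a wrapper around clamdscan has to get right, the report line format ("path: signature FOUND", with a drive-letter colon in the path) and the exit code (per the clamdscan man page: 0 = no virus found, 1 = virus found, 2 = an error occurred). The sketch below parses the report and holds the message whenever the scan did not end in a confirmed clean result; the function names, the action labels and the clean sample line are hypothetical, and the other two sample lines are the ones quoted on this page.

```javascript
// Added example: classify one clamdscan run the way a mail gateway should.
// clamdscan exit codes: 0 = no virus found, 1 = virus(es) found, 2 = error.

// Report lines look like "<path>: <detail> <STATUS>". Windows paths carry a
// drive-letter colon, so the separator is the LAST ": " before the status,
// not the first ":" on the line (the greedy first group takes care of that).
const REPORT_LINE = /^(.*): (.*?)\s*\b(FOUND|OK|ERROR)\s*$/;

function parseReportLine(line) {
  const m = REPORT_LINE.exec(line);
  if (!m) return null; // summary lines, blank lines, banners
  return { path: m[1], detail: m[2], status: m[3] };
}

function parseReport(text) {
  return text.split(/\r?\n/).map(parseReportLine).filter(Boolean);
}

// Combine exit code and report into one decision. Anything that is not a
// confirmed clean scan is held, so a broken scanner never waves mail through.
function verdict(exitCode, reportText) {
  const entries = parseReport(reportText);
  const signatures = entries
    .filter((e) => e.status === 'FOUND')
    .map((e) => e.detail);
  const errors = entries
    .filter((e) => e.status === 'ERROR')
    .map((e) => e.detail);

  if (exitCode === 1 || signatures.length > 0) {
    // Exit code 1 with nothing parseable (for example an empty report file)
    // is still a detection; only the signature name is unknown.
    return { action: 'block', signatures, errors };
  }
  if (exitCode !== 0 || errors.length > 0) {
    // Exit code 2, an unknown code, or an ERROR line: scanner failure.
    return { action: 'hold', signatures, errors };
  }
  return { action: 'deliver', signatures, errors };
}

// Sample reports. The FOUND and ERROR lines are quoted in the threads on this
// page; the summary lines and the OK line are constructed for the example.
const INFECTED_REPORT = [
  'c:\\maintenance\\eicar.com: Eicar-Test-Signature FOUND',
  '',
  '----------- SCAN SUMMARY -----------',
  'Infected files: 1',
].join('\r\n');

const ERROR_REPORT =
  'd:\\imail\\spool\\proc\\work\\d716a0~1.vir\\/0: ' +
  'Unable to create temporary directory ERROR';

const CLEAN_REPORT = 'c:\\maintenance\\note.txt: OK';

console.log(verdict(1, INFECTED_REPORT)); // block, with the signature name
console.log(verdict(2, ERROR_REPORT));    // hold, with the error text
console.log(verdict(0, CLEAN_REPORT));    // deliver
console.log(verdict(1, ''));              // block, signature unknown
```

The third case in the usage lines is the only one that delivers; an exit code of 0 next to an ERROR line, or any exit code other than 0 and 1, ends in a hold.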
RE: [Declude.Virus] exe in zip file why not blocked...
Declude 4.3.57
AVAFTERJM ON YES.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 30, 2007 7:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

Scott,

What version of Declude? Are you using the directive AVAFTERJM ON?

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Friday, July 27, 2007 3:06 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] exe in zip file why not blocked...

I was looking at my spam folder and noticed an email with a zip that contained an exe.

07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862
07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]
07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:23.015 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:25.640 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:28.374 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt
07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.
07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668]

virus.cfg lines:

BANEXT exe
BANZIPEXTS ON

I believe this should have been blocked (regardless of the problem with scanner 2).

Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323
RE: [Declude.Virus] exe in zip file why not blocked...
I'm not sure my server can take the performance hit of putting AVAFTERJM to OFF. I reforwarded the message through and it was caught. So I'm working on the assumption my Virusscan problems were messing things up. I've disabled Viruscan.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 30, 2007 11:24 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

AVAFTERJM ON means if the email reaches the JM either HOLD or DELETE to not call the AV in the Declude code. Try switching this OFF to see if it resolves the issue.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, July 30, 2007 10:27 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

Declude 4.3.57
AVAFTERJM ON YES.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 30, 2007 7:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...

Scott,

What version of Declude? Are you using the directive AVAFTERJM ON?

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Friday, July 27, 2007 3:06 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] exe in zip file why not blocked...

I was looking at my spam folder and noticed an email with a zip that contained an exe.
07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862
07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]
07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:23.015 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:25.640 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:28.374 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt
07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.
07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668]

virus.cfg lines:

BANEXT exe
BANZIPEXTS ON

I believe this should have been blocked (regardless of the problem with scanner 2).

Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323
[Declude.Virus] exe in zip file why not blocked...
I was looking at my spam folder and noticed an email with a zip that contained an exe.

07/27/2007 11:10:14.234 q18d4010e464c.smd Vulnerability flags = 862
07/27/2007 11:10:14.234 q18d4010e464c.smd MIME file: fungame.zip [base64; Length=19363 Checksum=2473579]
07/27/2007 11:10:17.749 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:20.390 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:23.015 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:25.640 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:28.374 q18d4010e464c.smd Virus scanner 2 reports exit code of 8
07/27/2007 11:10:30.374 q18d4010e464c.smd Could not find parse string Found in report.txt
07/27/2007 11:10:30.374 q18d4010e464c.smd Error 8 in virus scanner 2.
07/27/2007 11:10:30.374 q18d4010e464c.smd Scanned: Error in virus scanner. [MIME: 2 19668]

virus.cfg lines:

BANEXT exe
BANZIPEXTS ON

I believe this should have been blocked (regardless of the problem with scanner 2).

Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323
Re: [Declude.Virus] Clam AV Upgrade to 0.90.2-1
The -mbox parameter died in .90.1 series. I'm still using the other two:

SCANFILE1 d:\imail\declude\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --max-ratio 0 --max-space 1M -l report.txt

----- Original Message -----
From: Mark Reimer
To: declude.virus@declude.com
Sent: Monday, April 16, 2007 2:45 PM
Subject: [Declude.Virus] Clam AV Upgrade to 0.90.2-1

I just upgraded to Clam av 0.90.2-1. It appears that three parameters that I used per Scott's recommendation no longer work. Anyone else seeing this?

--mbox
--max-ratio
--max-space

Mark Reimer
IT System Admin
American CareSource
972-308-6887
Re: [Declude.Virus] Clam Av virus: MSRBL change malware.com.br
2 thoughts. I had to have cygwin1.dll in the same folder as my rsync (rsync246.exe for me). I also had to open up Port 873 TCP on my firewall.

----- Original Message -----
From: Ernesto [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, March 27, 2007 11:09 AM
Subject: RE: [Declude.Virus] Clam Av virus: MSRBL change malware.com.br

I'm trying everything I can find on rsync working on a windows machine, and I haven't been able to get rsync to work. I'm not sure if it's because of the arguments that I'm using, or what, but I keep getting errors about the connection being refused (111).

rsync error: error in socket IO (code 10) at clientserver.c(104) [receiver=2.6.9]

any idea what I should do?

thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, March 26, 2007 9:19 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Clam Av virus: MSRBL change malware.com.br

1. I noticed my clamav's MSRBL Signatures hadn't been updated for a week or so. It looks like they have moved from ftp access to rsync. Here's what I use to download them now:

rsync246 rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb .
rsync246 rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb .
erase c:\clamav-devel\share\clamav\MSRBL-SPAM.ndb
copy MSRBL-SPAM.ndb c:\clamav-devel\share\clamav\MSRBL-SPAM.ndb
erase c:\clamav-devel\share\clamav\MSRBL-Images.hdb
copy MSRBL-Images.hdb c:\clamav-devel\share\clamav\MSRBL-Images.hdb

Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
[Declude.Virus] Clam Av virus: MSRBL change malware.com.br
1. I noticed my clamav's MSRBL Signatures hadn't been updated for a week or so. It looks like they have moved from ftp access to rsync. Here's what I use to download them now:

rsync246 rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb .
rsync246 rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb .
erase c:\clamav-devel\share\clamav\MSRBL-SPAM.ndb
copy MSRBL-SPAM.ndb c:\clamav-devel\share\clamav\MSRBL-SPAM.ndb
erase c:\clamav-devel\share\clamav\MSRBL-Images.hdb
copy MSRBL-Images.hdb c:\clamav-devel\share\clamav\MSRBL-Images.hdb

2. I've found another potential Malware block list with clam-av addons: http://www.malware.com.br/ Here's what I use to download them:

wget -O - http://www.malware.com.br/cgi/submit?action=list_clamav > mbl.db
wget -O - http://www.malware.com.br/cgi/submit?action=list_clamav_ext > mble.db
erase c:\clamav-devel\share\clamav\mbl.db
copy mbl.db c:\clamav-devel\share\clamav\mbl.db
erase c:\clamav-devel\share\clamav\mble.db
copy mble.db c:\clamav-devel\share\clamav\mble.db

3. I get postmaster notifications of virus activity.
I've added these skips for the various clamav addon dbs to postmaster.eml

SKIPIFVIRUSNAMEHAS MSRBL-SPAM
SKIPIFVIRUSNAMEHAS MSRBL-Images
SKIPIFVIRUSNAMEHAS MBL_
SKIPIFVIRUSNAMEHAS Email.Spam
SKIPIFVIRUSNAMEHAS Html.Spam
SKIPIFVIRUSNAMEHAS Email.Scam
SKIPIFVIRUSNAMEHAS Html.Scam
SKIPIFVIRUSNAMEHAS Email.Job
SKIPIFVIRUSNAMEHAS Html.Job
SKIPIFVIRUSNAMEHAS Email.Stk
SKIPIFVIRUSNAMEHAS Html.Stk
SKIPIFVIRUSNAMEHAS Email.Loan
SKIPIFVIRUSNAMEHAS Html.Loan
SKIPIFVIRUSNAMEHAS Email.Hdr
SKIPIFVIRUSNAMEHAS Email.Dipl
SKIPIFVIRUSNAMEHAS Html.Dipl
SKIPIFVIRUSNAMEHAS Email.Img
SKIPIFVIRUSNAMEHAS Html.Img
SKIPIFVIRUSNAMEHAS Email.Bou
SKIPIFVIRUSNAMEHAS Html.Bou
SKIPIFVIRUSNAMEHAS Html.Phishing
SKIPIFVIRUSNAMEHAS Email.Phishing
SKIPIFVIRUSNAMEHAS Email.Malware
SKIPIFVIRUSNAMEHAS Html.Malware

Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
Re: [Declude.Virus] Current Version of Clam AV
I'm definitely still getting them with Clam .90. They only happen here when I run clamav as a service. When I run it as a non-service (which is CPU foolish), I don't get these. I also use the clamscan wrapper (runclamscan.exe), so that might be in the mix.

----- Original Message -----
From: Gary Steiner [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, March 01, 2007 11:57 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

Does anyone want to comment on what might be causing the error? Is this a ClamAV problem or a Declude problem? It seems that the normal mechanism for deleting those files is somehow interrupted. Is there a way in Declude to increase the time allocated to each antivirus process? Though since I upgraded to SOSDG's version 0.90-1, I haven't seen any leftover .vir directories.

----- Original Message -----
From: Brian T. [EMAIL PROTECTED]
Sent: Thursday, March 01, 2007 11:53 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

Does anyone know of a way to fix this problem with the leftover .vir directories? I was thinking about switching to ClamAV from F-Prot but don't want to constantly be cleaning up leftover files.

Thanks,
Brian

----- Original Message -----
From: Darrell ([EMAIL PROTECTED])
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:44 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

In my normal maintenance window (once a week) all services are stopped and I clean out the work, error, proc, spool, and review folders. Since I stop CLAMAV as well I am able to delete those directories.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:22 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

Thanks for responding.
I can't delete them until I restart the ClamAV service. Do you have a way of automatically deleting them, or do you schedule a task to restart ClamAV and then delete them? I tried using a schedule task but for some reason they still don't get deleted (but it's possible to do it manually.) -Original Message- From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] Sent 2/27/2007 10:17:46 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Current Version of Clam AV ? FWIW - I have always had left over directories from .84 on up. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Stephan To: declude.virus@declude.com Sent: Tuesday, February 27, 2007 8:41 AM Subject: Re: [Declude.Virus] Current Version of Clam AV I am also running the 0.90-1, and it's working fine, except I still get leftover .vir directories inside the declude/proc dir. The error in the clamav log shows: - d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary directory ERROR I've tried checking permissions, and made sure I have the clamav tmpdir variable set to my clamav tmp dir (which fixed a similar error that stopped the clamav service from starting.) But I haven't been able to fix this one. Anyone know how to fix this error? Thanks. -Original Message- From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] Sent 2/26/2007 1:30:43 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Current Version of Clam AV Gary, I upgraded on Friday and have not ran into any issues. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. 
- Original Message - From: Gary Steiner [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Monday, February 26, 2007 1:01 PM Subject: RE: [Declude.Virus] Current Version of Clam AV I see that SOSDG released a new version (0.90-1) of their Windows port of ClamAV on 02-22-2007. http://www.sosdg.org/clamav-win32/ Has anyone upgraded to it yet? Any problems? Gary Steiner Original Message From: Mark Reimer [EMAIL PROTECTED] Sent: Friday, February 16, 2007 2:04 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Current Version of Clam AV Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90
Re: [Declude.Virus] Current Version of Clam AV
How about native Declude support for Clam AV like AVG? That would be nice. - Original Message - From: Gary Steiner [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Thursday, March 01, 2007 11:57 AM Subject: Re: [Declude.Virus] Current Version of Clam AV Does anyone want to comment on what might be causing the error? Is this a ClamAV problem or a Declude problem? It seems that the normal mechanism for deleting those files is somehow interrupted. Is there a way in Declude to increase the time allocated to each antivirus process? Though since I upgraded to SOSDG's version 0.90-1, I haven't seen any leftover .vir directories. Original Message From: Brian T. [EMAIL PROTECTED] Sent: Thursday, March 01, 2007 11:53 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Current Version of Clam AV Does anyone know of a way to fix this problem with the leftover .vir directories? I was thinking about switching to ClamAV from F-Prot but don't want to constantly be cleaning up leftover files. Thanks, Brian - Original Message - From: Darrell ([EMAIL PROTECTED]) To: declude.virus@declude.com Sent: Tuesday, February 27, 2007 11:44 AM Subject: Re: [Declude.Virus] Current Version of Clam AV In my normal maintenance window (once a week) all services are stopped and I clean out the work, error, proc, spool, and review folders. Since I stop CLAMAV as well I am able to delete those directories. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Stephan To: declude.virus@declude.com Sent: Tuesday, February 27, 2007 11:22 AM Subject: Re: [Declude.Virus] Current Version of Clam AV Thanks for responding. I can't delete them until I restart the ClamAV service. Do you have a way of automatically deleting them, or do you schedule a task to restart ClamAV and then delete them? 
I tried using a schedule task but for some reason they still don't get deleted (but it's possible to do it manually.) -Original Message- From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] Sent 2/27/2007 10:17:46 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Current Version of Clam AV ? FWIW - I have always had left over directories from .84 on up. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Stephan To: declude.virus@declude.com Sent: Tuesday, February 27, 2007 8:41 AM Subject: Re: [Declude.Virus] Current Version of Clam AV I am also running the 0.90-1, and it's working fine, except I still get leftover .vir directories inside the declude/proc dir. The error in the clamav log shows: - d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary directory ERROR I've tried checking permissions, and made sure I have the clamav tmpdir variable set to my clamav tmp dir (which fixed a similar error that stopped the clamav service from starting.) But I haven't been able to fix this one. Anyone know how to fix this error? Thanks. -Original Message- From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] Sent 2/26/2007 1:30:43 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Current Version of Clam AV Gary, I upgraded on Friday and have not ran into any issues. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Gary Steiner [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Monday, February 26, 2007 1:01 PM Subject: RE: [Declude.Virus] Current Version of Clam AV I see that SOSDG released a new version (0.90-1) of their Windows port of ClamAV on 02-22-2007. 
http://www.sosdg.org/clamav-win32/ Has anyone upgraded to it yet? Any problems? Gary Steiner Original Message From: Mark Reimer [EMAIL PROTECTED] Sent: Friday, February 16, 2007 2:04 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Current Version of Clam AV Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90 release for windows? Mark Reimer IT System Admin American CareSource 972-308-6887 _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Re: [Declude.Virus] pay-pal phishing
One drawback of spamdomains: I believe the spamdomains compares the smtp sender with the revdns. Many phish will come from a SMTP sender of [EMAIL PROTECTED] and thus won't fail a spamdomains test. I second the CLAMAV with sanesecurity phish addons. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, February 16, 2007 5:06 AM Subject: Re: [Declude.Virus] pay-pal phishing Isn't that basically what the spamdomains test does? Specifies what domains a mail server can be in that sends for a particular domain... Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Thursday, February 15, 2007 7:22 PM Subject: RE: [Declude.Virus] pay-pal phishing One way you could do this is to use the following lines in a filter #PAYPAL REVDNS END ENDSWITH .paypal.com MAILFROM 20 ENDSWITH @paypal.com Also as far as I know the genuine paypal IP's are listed with BONDEDSENDER David Barker Director of Product Management Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McGregor Sent: Thursday, February 15, 2007 5:17 PM To: Declude-List Subject: [Declude.Virus] pay-pal phishing Anyone configured a way to stop some of the pay-pal scam emails? thanks, bob
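The two filter lines posted in the thread above, and the drawback raised in the top reply, can be traced with a small rule evaluator. This is an added example, not Declude code and not part of any message in the thread; it assumes rules run top to bottom, that END stops the filter when its condition matches, that a number is added to the message weight, that MAILFROM is the SMTP envelope sender, and that matching is case-insensitive. The sample messages and the `header_from` key are constructed.

```python
# Filter text as posted in the thread, one rule per line.
FILTER_TEXT = """\
#PAYPAL
REVDNS END ENDSWITH .paypal.com
MAILFROM 20 ENDSWITH @paypal.com
"""


def parse_filter(text):
    """Parse 'FIELD ACTION ENDSWITH VALUE' lines into (field, action, value)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        field, action, comparison, value = line.split(None, 3)
        if comparison != "ENDSWITH":
            # Only the comparison used in the thread is modelled here.
            raise ValueError("unsupported comparison: " + comparison)
        rules.append((field, action, value.lower()))
    return rules


def score(rules, msg):
    """Return (weight, state) for one message under the assumed semantics."""
    weight = 0
    for field, action, value in rules:
        if not msg.get(field, "").lower().endswith(value):
            continue
        if action == "END":
            return weight, "ended"  # trusted host: stop before later rules
        weight += int(action)
    return weight, "completed"


# Constructed messages. 'header_from' is what the recipient sees in the
# mail client; the filter never looks at it.
SAMPLES = {
    # Sent from a host whose reverse DNS is under paypal.com.
    "genuine": {
        "REVDNS": "mx1.paypal.com",
        "MAILFROM": "service@paypal.com",
        "header_from": "PayPal <service@paypal.com>",
    },
    # Envelope sender claims paypal.com, sending host does not.
    "forged_envelope": {
        "REVDNS": "dsl-203-0-113-7.example.net",
        "MAILFROM": "service@paypal.com",
        "header_from": "PayPal <service@paypal.com>",
    },
    # Envelope sender is unrelated; only the visible From: claims PayPal.
    "display_only": {
        "REVDNS": "host.example.org",
        "MAILFROM": "bounce@example.org",
        "header_from": "PayPal <service@paypal.com>",
    },
}


if __name__ == "__main__":
    rules = parse_filter(FILTER_TEXT)
    for name, msg in SAMPLES.items():
        print(name, score(rules, msg))
```

The third sample is the case the top reply describes: an envelope sender outside paypal.com never reaches the weight of 20, which is why the poster pairs the filter with content-based phish signatures.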
Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Maybe you love to hate them? - Original Message - From: Matt To: declude.virus@declude.com Sent: Thursday, January 04, 2007 3:23 PM Subject: Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t I hate autoresponders...but people sometimes tell me that I am too critical, so I guess I actually love them. Matt Colbeck, Andrew wrote: I think I received 36 of them. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds Sent: Thursday, January 04, 2007 12:55 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t Importance: High Is it me or did everyone get this autoresponder about 300 times? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roconnor Sent: Thursday, January 04, 2007 9:45 PM To: declude.virus@declude.com Subject: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t I'm currently on a business trip down south and will be returning January 5th, 2007. If this is an emergency please call our office at 360.527.9111 Thanks, Rick
[Declude.Virus] EXE in RAR file
Does Declude check for banned extension in RAR files? If not, please add this to the wish list. RAR files are becoming more popular and it is difficult to ban RAR files. I had an email come in with an .EXE file in a RAR file. So I believe it doesn't.
Re: [Declude.Virus] EXE in RAR file
The possible catch is the email was in Chinese. Time to forward it to Declude. - Original Message - From: John T (Lists) To: declude.virus@declude.com Sent: Wednesday, December 06, 2006 10:25 AM Subject: RE: [Declude.Virus] EXE in RAR file RAR files should be treated the same as ZIP files, so unless something has changed if you have BANZIPEXTS ON and have BANEXT EXE it should be banned. John T eServices For You Life is a succession of lessons which must be lived to be understood. Ralph Waldo Emerson (1802-1882) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Wednesday, December 06, 2006 7:40 AM To: declude.virus@declude.com Subject: [Declude.Virus] EXE in RAR file Does Declude check for banned extension in RAR files? If not, please add this to the wish list. RAR files are becoming more popular and it is difficult to ban RAR files. I had an email come in with an .EXE file in a RAR file. So I believe it doesn't.
Re: [Declude.Virus] Hijack Question
-David Since it is out there, I also have seen rare D* messages without Q* file stranded in the work folder also. For me about 2 a month. They tend to be spam (of course so does 80% of all mail). If it is a legit message, I'll just forge up a corresponding Q* message and reprocess them. I'm running Declude 4.3.14 I'm quite confident that it isn't a real-time scanning problem here. I think the virus program would probably quarantine a D* file and leave the q* file. Instead the Q* file is gone, leaving the D* file. The next time I get one, I'll check the logs for that message for anything unusual. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Tuesday, October 31, 2006 1:52 PM Subject: RE: [Declude.Virus] Hijack Question 1. Make sure that the Real-Time scanner of F-prot is disabled 2. At a minimum you should be running Declude 3.11 David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mario Antonio Sent: Tuesday, October 31, 2006 2:38 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Hijack Question David, I am running f-prot 3.16f Take a look at my configs SCANFILE C:\f-prot_windows\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 REPORT Infection: Any suggestions? Regards Mario Antonio - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Tuesday, October 31, 2006 1:58 PM Subject: RE: [Declude.Virus] Hijack Question There should not be orphan files I would think you are running some type of virus scanner that is removing the D*.smd files from the \work directory. 
David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mario Antonio Sent: Tuesday, October 31, 2006 11:50 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Hijack Question David, One more question, I am seeing that some Q files remain in the spool\proc\work folder, is this normal? why? Should I clean them manually? Where are the corresponding D files? Regards Mario Antonio - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Tuesday, October 31, 2006 10:18 AM Subject: RE: [Declude.Virus] Hijack Question Stop/Start the decludeproc will reset the hijack counter. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mario Antonio Sent: Tuesday, October 31, 2006 9:42 AM To: declude.virus@declude.com Subject: [Declude.Virus] Hijack Question Does anyone know if you have to restart the declude process after you have moved back files from the HOLD2 folder into the spool ---Declude 3.0.5/Imail 8.22? In the Declude 2.X you had to close the foreground screen/console (which restarts Hijack) in order to clean all the IP addresses that have been banned. Regards Mario Antonio
[Declude.Virus] stration work
It looks like the Stration worm is causing backscatter today: The W32/Stration.dr virus drops the mass mailing worm W32/[EMAIL PROTECTED]. that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. The W32/Stration.dr is written using Microsoft Visual C++ and also contains functionality to connect to a remote web server to download a file. I've added it as a forging virus FORGINGVIRUS Stration -Scott Fisher Director of IT Farm Progress Companies 191 S Gary Ave Carol Stream, IL 60188 630-462-2323
Re: [Declude.Virus] AVG Updates
Here are mine: declude\scanners\AVG\db\avi7.avg 2/21/2006 1:27 PM declude\scanners\AVG\db\miniavi.avg 9/6/2006 9:40 AM declude\scanners\AVG\db\microavi.avg 9/7/2006 3:42 PM declude\scanners\AVG\db\incavi.avm 9/8/2006 10:43 AM - Original Message - From: Mark Reimer To: Declude. [EMAIL PROTECTED] com Sent: Tuesday, September 12, 2006 4:32 PM Subject: [Declude.Virus] AVG Updates What are the latest AVG updates that everyone has? I'm worried that my AVG stopped updating for some reason. Or is it from Declude moving all their stuff around? Mark Reimer IT Project Manager American CareSource 214-596-2464
Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV
I used (and probably posted) the --max-ratio 0. The max-ratio defines the maximum compression ratio for scanned files. I kept getting legit text files that were zipped that were over ratio, so that's why I went to the max-ratio 0. - Original Message - From: Gary Steiner [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Wednesday, September 06, 2006 9:31 PM Subject: [Declude.Virus] Oversized.RAR FOUND in ClamAV I have an email that was held as a virus after ClamAV was triggered with the result Oversized.RAR FOUND. I looked for an explanation but couldn't find anything detailed. Apparently this is due to some type of bug in ClamAV that shows up with certain RAR or ZIP files. I found one posting that suggested that the problem could be fixed by adjusting the max-ratio value. The default max-ratio value for ClamAV is 250. The suggested value for running it with Declude is 0. What would be the safest value to run with and why? Gary
Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV
I think it is in there to defend against an archive bomb. Archive bomb: This is a seemingly small archive file that is actually highly compressed and expands into a huge file or several identical files. Such archives typically take quite a long time to scan, thus potentially forming a DDoS attack on an anti-virus program that tries to scan them. Good anti-virus programs include a smart algorithm to avoid extracting such files. - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Thursday, September 07, 2006 1:26 PM Subject: RE: [Declude.Virus] Oversized.RAR FOUND in ClamAV Disclaimer: I haven't implemented ClamAV with Declude, so I'm guessing here... It sounds like the max-ratio solution is a red herring. It sounds like ClamAV returned an error because it couldn't scan the overlarge file (compressed or not). It sounds like Gary's configuration is quarantining emails based on any non-zero return code from ClamAV and that this is not the behaviour he really wants. Comments? Flames? Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, September 07, 2006 7:02 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV I used (and probably posted) the --max-ratio 0. The max-ratio defines the maximum compression ratio for scanned files. I kept getting legit text files that were zipped that were over ratio, so that's why I went to the max-ratio 0. - Original Message - From: Gary Steiner [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Wednesday, September 06, 2006 9:31 PM Subject: [Declude.Virus] Oversized.RAR FOUND in ClamAV I have an email that was held as a virus after ClamAV was triggered with the result Oversized.RAR FOUND. I looked for an explanation but couldn't find anything detailed. Apparently this is due to some type of bug in ClamAV that shows up with certain RAR or ZIP files. 
I found one posting that suggested that the problem could be fixed by adjusting the max-ratio value. The default max-ratio value for ClamAV is 250. The suggested value for running it with Declude is 0. What would be the safest value to run with and why? Gary
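The trade-off discussed in this thread (a ratio limit of 250 holding legitimate zipped text, a ratio of 0 leaving nothing between the scanner and an archive bomb) can be reproduced with a small pre-scan check. This is an added example, not ClamAV or Declude code; `max_ratio` and `max_bytes` are this example's own limits, a value of 0 is assumed to switch a check off, and both sample archives are constructed in memory.

```python
import io
import zipfile

MAX_RATIO = 250            # the default ratio quoted in the thread
MAX_BYTES = 1024 * 1024    # absolute per-member size limit used in this example


def sample_report():
    """Constructed 'legit' text: a repetitive fixed-width status log (800,000 bytes)."""
    return b"status=ok rc=0\r\n" * 50000


def sample_bomb():
    """Constructed worst case: 8 MiB of zero bytes, a few KiB once deflated."""
    return b"\x00" * (8 * 1024 * 1024)


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip(blob, max_ratio=MAX_RATIO, max_bytes=MAX_BYTES):
    """Check every member against both limits using only the declared sizes.

    Nothing is decompressed here, so the check is cheap, but the sizes come
    from the archive itself and must not be the only control.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            if max_ratio and ratio > max_ratio:
                findings.append((info.filename, "ratio"))
            if max_bytes and info.file_size > max_bytes:
                findings.append((info.filename, "size"))
    return ("blocked" if findings else "clean"), findings


def bounded_read(blob, name, limit, chunk=64 * 1024):
    """Decompress one member in chunks and stop once more than `limit` bytes
    have been produced. Returns (bytes_produced, finished_within_limit)."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf, zf.open(name) as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                return produced, True
            produced += len(data)
            if produced > limit:
                return produced, False


if __name__ == "__main__":
    report = build_zip({"report.txt": sample_report()})
    bomb = build_zip({"bomb.bin": sample_bomb()})
    print("report, ratio 250:", inspect_zip(report, 250, MAX_BYTES))
    print("report, ratio off:", inspect_zip(report, 0, MAX_BYTES))
    print("bomb,   ratio off:", inspect_zip(bomb, 0, MAX_BYTES))
    print("bomb,   all off  :", inspect_zip(bomb, 0, 0))
    print("bomb, bounded read:", bounded_read(bomb, "bomb.bin", MAX_BYTES))
```

With the ratio check off, the absolute size limit and the bounded read are what still stop the oversized member, so a ratio of 0 is only reasonable when one of those remains in force.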
Re: [Declude.Virus] Fw: New ClamAV scam database
Just kind of curious which scam this is targeting? Pump and Dump stock? Work at home? 419/Lottery scams? - Original Message - From: Bill Landry [EMAIL PROTECTED] To: declude.junkmail@declude.com; declude.virus@declude.com Sent: Monday, August 07, 2006 3:39 PM Subject: [Declude.Virus] Fw: New ClamAV scam database For anyone that is possibly running ClamAV for virus scanning, and is already taking advantage of the added phish detection provided by Steve Basford's phish.ndb, he has put together another database geared to tagging scam e-mails, including those pesky image spams. The new scam database is working great here, lots of catches so far and no FPs yet. If you want to give it a run, please do heed Steve's request at the end of this message about scripting the downloads for the new scam.ndb, at least for now... Thanks, Bill - Original Message - From: Steve Basford [EMAIL PROTECTED] To: Bill Landry [EMAIL PROTECTED] Sent: Monday, August 07, 2006 12:51 PM Subject: Re: scam database Hi Bill, Just to let you know I've done a big update to the scam database, which isn't publicly known about yet but it's working a treat this end, with a lot of those image spams :) If you want to give a manual trial run: http://www.sanesecurity.com/clamav/scam.ndb.gz Cheers, Steve Bill Landry wrote: Wow, Steve, this is working very well! Nice work. Do you mind if I let others know about the availability of this new scam database? That's great! It's working too, for me at work... and two other brave test sites :) Yep, you can let people know but... 
Please could you ask people to only *manually* download the file for the time being, no scripts, it'll only get updated once a day at the moment, when I see a big new image spam run: Main Site: http://www.sanesecurity.com/clamav/ Scam Database: http://www.sanesecurity.com/clamav/scam.ndb.gz Phishing Database: http://www.sanesecurity.com/clamav/phish.ndb.gz Glad it's helping :) Cheers, Steve
Re: [Declude.Virus] Declude error, not ClamAV error
Your command lines exactly match my Clamav lines which are working. I'm using Declude 3.x - Original Message - From: Gary Steiner [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, July 14, 2006 4:43 PM Subject: [Declude.Virus] Declude error, not ClamAV error Upon further research, the statement Attachment=[Unknown: Err] is generated by Declude, not ClamAV. So does Declude have a problem with ClamAV? Original Message From: Gary Steiner [EMAIL PROTECTED] Sent: Friday, July 14, 2006 1:32 PM To: declude.virus@declude.com Subject: [Declude.Virus] ClamAV error I recently installed ClamAv as my third scanner after AVG and F-Prot. For some reason it indicates an error related to the attachment when it detects a virus (Attachment=[Unknown: Err]). Here is an example from the Declude virus log file: 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090] 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream]. 
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7] 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626) 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604] 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22] 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter It doesn't seem to matter what kind of virus is involved. Even when it detects a phishing attempt you still see the same error. Here is what I have in the virus.cfg: SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt VIRUSCODE2 1 REPORT2 FOUND Is anyone else experiencing this, or have any ideas? Thanks, Gary
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
as every instance we have seen of this has been invalid email. I certainly regularly receive incorrectly formatted email. I'm pretty small volume, but looking over my logs (I have an external test for this condition), it is 111 non-spam messages this month. My email volume is pretty low. But I'm not looking forward to hand correcting 120 of these a month. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Wednesday, June 28, 2006 2:07 PM Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Matt, The CRLF problem has more to do with the email server and not Declude, emails that are so badly broken should be either rejected by the email server or these headers should be standardized by the email server. Either way this is a much more complex issue than you make it out to be, by just fixing it with a simple regexp, if it was as easy as that, do you not think we would have done this already? Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around. This is not how we are dealing with this issue, it is not an additional Spam test as I clearly stated we are dealing with this as a vulnerability because this should be addressed at the email server level and not Declude, therefore the message will be quarantined - as every instance we have seen of this has been invalid email. The Long base 64 encoding is a similar issue whereby the mail server should deal with these before they get to Declude as such emails are clearly in violation of the RFC's and should be treated as suspect from the very beginning. To conclude, we are making every effort to address these issues because it is not being done at the server level, have you contacted Imail and asked for their response and/or fix? 
David B
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

David,

The CRLF thing doesn't affect me since I have my own solution, however for those that use Subject tagging, adding another test won't help unless they decide to just simply delete such messages. The header boundary could be programmatically determined with a great deal of ease (a simple regexp), and Declude could insert its headers into the correct place if this was done. Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around.

Regarding the other things, I'm very alarmed that the official position is still not even recognizing that these bugs surely exist, much less fixed at this point. This concerns me greatly since I rely on this product for my business, and if it takes months to just confirm a bug, especially one that is widely reported, I can't responsibly rely on that product. It is pretty much the same thing as having a virus scanner that takes months to catch a particular virus, or having a Web browser that is never patched for a critical flaw.

I consider both the Mail From issue and the base 64 encoding issues to be critical flaws that warrant immediate fixes. I am not alone in this. If you don't have a lot of people still griping about this stuff, it is because they are either not aware of the flaws, or they have already given up on trying to get you guys to fix them, or given up on relying on Declude altogether. These things should be fixed in hours or days and not weeks or months when they occur.
I assume that you are not the person making these development decisions, so this isn't directed at you, but those that make the calls need to fully understand the critical nature of these flaws, and their role in making sure that Declude can respond rapidly to such things not just now, but as they occur in the future.

Thanks,
Matt

David Barker wrote:

Matt,

Headers not using proper CRLF line breaks is currently being tested using the new vulnerability NONSTANDARDCRLF test. As for these items they are on the list for engineers to confirm and test and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed? I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS, and
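As an added illustration of the two positions in this thread (not code from Declude or from either poster): the sketch below locates the header/body boundary by tokenising line endings, counts the bare LF/CR endings a non-standard-CRLF check would look for, and inserts a header just before the blank line. The function names, the `X-Example-Scanned` header and the sample messages are constructed for this example; how Declude's NONSTANDARDCRLF test works internally is not stated in the thread.

```python
import re

# CRLF is listed first so a standard line ending is never read as CR + LF.
EOL_RE = re.compile(rb"\r\n|\r|\n")
EOL_NAMES = {b"\r\n": "CRLF", b"\n": "LF", b"\r": "CR"}
EOL_BYTES = {name: raw for raw, name in EOL_NAMES.items()}

# Constructed sample messages (not taken from the thread).
STANDARD = b"From: a@example.test\r\nSubject: hi\r\n\r\nbody\r\n"
MIXED = b"Received: by mx.example.test\nFrom: a@example.test\r\nSubject: hi\n\r\nbody"


def analyze_headers(raw: bytes) -> dict:
    """Find the header/body boundary and report the line endings used before it."""
    counts = {"CRLF": 0, "LF": 0, "CR": 0}
    whitespace_only = 0
    line_start = 0
    header_end = body_start = None
    for m in EOL_RE.finditer(raw):
        counts[EOL_NAMES[m.group()]] += 1
        line = raw[line_start:m.start()]
        if not line:
            # A truly empty line ends the header block.
            header_end, body_start = line_start, m.end()
            break
        if not line.strip(b" \t"):
            # Spaces/tabs only: not an empty line, but parsers can disagree
            # on whether it ends the headers, so it is counted separately.
            whitespace_only += 1
        line_start = m.end()
    return {
        "header_end": header_end,      # offset where the blank line starts
        "body_start": body_start,      # offset of the first body byte
        "eol_counts": counts,          # includes the blank line's own ending
        "nonstandard_eol": counts["LF"] + counts["CR"] > 0,
        "whitespace_only_lines": whitespace_only,
    }


def insert_header(raw: bytes, header_line: bytes) -> bytes:
    """Insert one header before the blank line, reusing the dominant EOL style."""
    info = analyze_headers(raw)
    if info["header_end"] is None:
        raise ValueError("no header/body boundary found")
    counts = info["eol_counts"]
    style = max(counts, key=counts.get)   # ties resolve to CRLF (dict order)
    cut = info["header_end"]
    return raw[:cut] + header_line + EOL_BYTES[style] + raw[cut:]


if __name__ == "__main__":
    for name, msg in (("standard", STANDARD), ("mixed", MIXED)):
        print(name, analyze_headers(msg))
    print(insert_header(MIXED, b"X-Example-Scanned: yes"))
```

A message that reports `nonstandard_eol` or a non-zero `whitespace_only_lines` is one where two parsers may place the boundary differently, which is the case for treating it as suspect rather than silently repairing it.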
[Declude.Virus] ALLOWVULNERABILITY recommendations
I'm curious if there is a consensus out there on which ALLOWVULNERABILITY are appropriate to use?

ALLOWVULNERABILITY OBJECTDATA  HTML Object Data Vulnerability
ALLOWVULNERABILITY OLCR  Outlook CR Vulnerability
ALLOWVULNERABILITY OLSPACEGAP  Outlook Space Gap Vulnerability
ALLOWVULNERABILITY OLBLANKFOLDING  Outlook Blank Folding Vulnerability
ALLOWVULNERABILITY OLMIMEHEADER  Outlook MIME Header Vulnerability
ALLOWVULNERABILITY OLMIMESEGMIMEPRE  Outlook MIME Segment in MIME Preamble Vulnerability
ALLOWVULNERABILITY MIMESEGMIMEPOST  Outlook MIME Segment in MIME Postamble Vulnerability
ALLOWVULNERABILITY OLLONGBOUNDARY  Outlook Long Boundary Vulnerability
ALLOWVULNERABILITY OLBOUNDARYSPACEGAP  Outlook Boundary Space Gap Vulnerability
ALLOWVULNERABILITY OLLONGFILENAME  Outlook Long File Name Vulnerability
Re: [Declude.Virus] skip if file size more than.....
I don't think Declude can do this. This might be possible with your individual virus scan engines: Viruscan has a command line parameter /MAXFILESIZE so /MAXFILESIZE 5 would not scan files over 5 MB. ClamAV has a limit of how much to check from archives (I believe they mean zip files). While this isn't an exact match it is something.

--max-space 1M
Extract first #n kilobytes from each archive. You may give the number in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 10 MB)

- Original Message -
From: Craig Edmonds
To: Declude.Virus@declude.com
Sent: Thursday, May 11, 2006 11:01 AM
Subject: [Declude.Virus] skip if file size more than.

Is it possible to have the virus scanner skip files over a certain size? Is this recommended and what size should the threshold be? If possible, where and how is this implemented?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E: [EMAIL PROTECTED]
Marbella Guide Web Portal
W: www.marbellaguide.com
E: [EMAIL PROTECTED]
Re: [Declude.Virus] url file extensions
I originally had them banned, but then I got tired of reprocessing the legit email that had the attachments, so they are allowed in here.

- Original Message -
From: Nick Hayer [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 2:09 PM
Subject: [Declude.Virus] url file extensions

I've been asked to remove the block I have on these - and since I have forgotten why I am blocking them - is there a valid reason to block these?

Thanks in advance
-Nick
Re: [Declude.Virus] which virus is it then? word doc being stopped.
Craig, you can use runclamscan which is a wrapper program that returns the virus name to Declude. http://www.smartbusiness.net/imail/declude/

- Original Message -
From: Craig Edmonds
To: Declude.Virus@declude.com
Sent: Wednesday, March 08, 2006 3:27 AM
Subject: [Declude.Virus] which virus is it then? word doc being stopped.

Hi,

I am using declude/imail/clam av

I have had someone complain that [EMAIL PROTECTED]i14.com tried to send an email to [EMAIL PROTECTED]i14.com and it did not go through. [EMAIL PROTECTED]14.com sent an email with a Word Doc attached.

I quickly checked the vir0307.log and found the following lines. The line in red below says a virus was found, how can I find out exactly which virus this is and explain to [EMAIL PROTECTED]14.com that she needs to run a virus scan?

03/07/2006 12:17:36.427 q6bc7040e00f8c308.smd Vulnerability flags = 0
03/07/2006 12:17:36.437 q6bc7040e00f8c308.smd MIME file: Proyecto OFmálaga1 [base64; Length=376 Checksum=3348]
03/07/2006 12:17:36.637 q6bc7040e00f8c308.smd MIME file: Proyecto OFmálaga1 [base64; Length=57344 Checksum=3154948]
03/07/2006 12:17:44.584 q6bc7040e00f8c308.smd Virus scanner 1 reports exit code of 1
03/07/2006 12:17:44.645 q6bc7040e00f8c308.smd Scanner 1: Virus= Attachment= [48] I
03/07/2006 12:17:44.735 q6bc7040e00f8c308.smd File(s) are INFECTED [: 1]
03/07/2006 12:17:44.735 q6bc7040e00f8c308.smd Scanned: CONTAINS A VIRUS [MIME: 2 57809]
03/07/2006 12:17:44.735 q6bc7040e00f8c308.smd From: [EMAIL PROTECTED]14.com To: [EMAIL PROTECTED]14.com [incoming from 217.126.31.88]
03/07/2006 12:17:44.735 q6bc7040e00f8c308.smd Subject:
03/07/2006 12:17:44.825 q6bc7040e00f8c308.smd ERROR: No recipients in C:\IMAIL\Declude\recip.eml (is there a To: line before the first blank line?)
Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E: [EMAIL PROTECTED]
Re: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working
Remotehost Yes. Reciphost no. Declude 3.06

.eml:
REMOTE HOST NAME: %REMOTEHOST%
RECIPIENT HOST: %RECIPHOST%

result:
REMOTE HOST NAME: farmprogress.com
RECIPIENT HOST:

- Original Message -
From: David Sullivan [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, March 08, 2006 11:04 AM
Subject: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working

I'm feeling lonely here...like I'm talking to myself...

Could someone PLEASE check the %RECIPHOST% and %REMOTEHOST% variables in your email notification on 3.0.6 just to make sure it's not me for some reason. You don't have to mess with your active notifications. Just put another .eml file in the Declude folder with these two variables.

Thanks.
-David

Thursday, March 2, 2006, 12:10:55 PM, you wrote:

DS Ok, no one else has so I'll respond to my own post. 3.06 and still no
DS change. Can someone try a notification with the %RECIPHOST% and
DS %REMOTEHOST% variables and see if they work?
DS Thanks
DS -David
DS Friday, February 24, 2006, 2:39:34 PM, you wrote:
DS Has anyone else had trouble with the RECIPIENT HOST and REMOTE HOST
DS NAME variables in your virus notification email since going to 3.x? We
DS send all data to a program alias for notification processing, but
DS since December now we can't get the RECIPIENT HOST data.
DS Below is our notify email file and below that is a slightly munged
DS example of the output. Notice lines 11 and 12 in the output. This
DS behavior is persistent and used to work before upgrading.
DS Anyone else experiencing this?
DS From: [EMAIL PROTECTED]
DS To: [EMAIL PROTECTED]
DS Subject: Virus Notification
DS 1 ALLRECIPS: %ALLRECIPS%
DS 2 BANNED EXTENSION: %BANEXT%
DS 3 DATE (mm/dd/yyy): %DATE%
DS 4 HEADERS: %HEADERS%
DS 5 INOROUT: %INOROUT%
DS 6 LOCALHOST: %LOCALHOST%
DS 7 MAILFROM: %MAILFROM%
DS 8 MESSAGE ID: %MSGID%
DS 9 NUMBER OF RECIPIENTS: %NRECIPS%
DS 10 QUEUE FILE NAME: %QUEUENAME%
DS 11 RECIPIENT HOST: %RECIPHOST%
DS 12 REMOTE HOST NAME: %REMOTEHOST%
DS 13 REMOTE IP: %REMOTEIP%
DS 14 SENDER HOST: %SENDERHOST%
DS 15 SUBJECT: %SUBJECT%
DS 16 CURRENT TIME (hh/mm/ss): %TIME%
DS 17 VIRUS FILE: %VIRUSFILE%
DS 18 VIRUS NAME: %VIRUSNAME%
DS 19 SOFTWARE VERSION: %VERSION%

DS 1 ALLRECIPS: [EMAIL PROTECTED]
DS 2 BANNED EXTENSION:
DS 3 DATE (mm/dd/yyy): 24 Feb 2006
DS 4 HEADERS: Received: from mx1.ourpostfixserver.com [192.168.200.60] by
DS mail5.ourimailserver.com with ESMTP
DS (SMTPD32-8.15) id A5ADFD770080; Fri, 24 Feb 2006 12:43:09 -0500
DS Received: from localhost (adsl-146-64-253.mia.bellsouth.net [70.146.64.253])
DS by mx1.ourpostfixserver.com (Postfix) with SMTP id 4150B1464ED
DS for [EMAIL PROTECTED]; Fri, 24 Feb 2006 12:45:43 + (GMT)
DS Message-ID: [EMAIL PROTECTED]
DS From: Jay Ross [EMAIL PROTECTED]
DS To: [EMAIL PROTECTED]
DS Subject: Software At Low Pr1ce
DS Date: Fri, 24 Feb 2006 12:42:58 -0500
DS MIME-Version: 1.0
DS Content-Type: multipart/alternative;
DS boundary==_NextPart_000_0001_01C63993.BFF33280
DS X-Priority: 3
DS X-MSMail-Priority: Normal
DS X-Mailer: Microsoft Outlook Express 6.00.2900.2180
DS X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
DS 5 INOROUT: outgoing
DS 6 LOCALHOST: mail5.ourimailserver.com
DS 7 MAILFROM: [EMAIL PROTECTED]
DS 8 MESSAGE ID: [EMAIL PROTECTED]
DS 9 NUMBER OF RECIPIENTS: 1
DS 10 QUEUE FILE NAME: D45adfd7700801edf.smd
DS 11 RECIPIENT HOST:
DS 12 REMOTE HOST NAME:
DS 13 REMOTE IP: 192.168.200.60
DS 14 SENDER HOST: bellamorris.com
DS 15 SUBJECT: Software At Low Pr1ce
DS 16 CURRENT TIME (hh/mm/ss): 12:43:27
DS 17 VIRUS FILE: [No attachment]
DS 18 VIRUS NAME: [Outlook 'Blank Folding' Vulnerability]
DS 19 SOFTWARE VERSION: 3.0.5.26
Re: [Declude.Virus] ClamAV leaving locked files?
Very similar problem here. I have a vir folder left over with a filename of 0. Imail 8.22, clamav 0.88-2 (SOSDB Cygwin version), Declude 3.06. Using runclamd and runclamscan wrapper

- Original Message -
From: Ken Weise [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, March 08, 2006 12:26 PM
Subject: [Declude.Virus] ClamAV leaving locked files?

I have a problem with ClamAV apparently leaving locked pdf files behind. I get these messages in the virus log:

03/08/2006 11:50:34.721 262309704382 WARNING: Couldn't remove .vir directory e:\SmarterMail\Spool\proc\work\262309704382.vir\: EXTRA FILES THERE. [145] Error String: [The directory is not empty.]
03/08/2006 11:50:34.721 262309704382 Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.

The files that are remaining are named 0.pdf or 1.pdf. Any ideas where these are coming from? Why are they staying behind after clam finishes? What's locking them?

Using the newest versions of all, SmarterMail, clamav, and Declude Virus/Junkmail.

Ken Weise
Econocaribe Consolidators, Inc.
2401 NW 69th ST * Miami, FL 33147
(p) 305.693.5133 * (f) 305.894.3666
Re: [Declude.Virus] clam-av as a service
Here's my clam command line:

SCANFILE2 d:\imail\declude\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt

I call clamdscan.exe not clamscan.exe

I use the runclamscan wrapper. This program is just a wrapper calling clamscan or clamdscan to return the correct virus name to declude.

- Original Message -
From: Harry Vanderzand
To: Declude.Virus@declude.com
Sent: Tuesday, March 07, 2006 11:15 AM
Subject: [Declude.Virus] clam-av as a service

I am trying to run clamav as a service. I have switched to the clamav port and now have the following config in my virus.cfg:

SCANFILE2 c:\clamav~1\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE2 1

I also started clamd as per documentation

However I see the clamd process running and also multiple instances of clamscan.exe. Up to 50 or more of them. Is that normal?

I also see that virus scanner2 is not finishing after 60 seconds in some instances, see below

Did I miss something?

I am running all this on dual xeon 3.4 with 2GB ram, imail 8.22, declude 4.09, sniffer and invurbl

Should I adjust any settings?
Thank you

03/07/2006 12:11:43.774 qbe91081414fe.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
03/07/2006 12:11:43.805 qbe91081414fe.smd Virus scanner 2 reports exit code of 0
03/07/2006 12:11:44.945 qbe91081414fe.smd Scanned: Virus Free [MIME: 1 3864]
03/07/2006 12:11:48.336 qbecf08e61570.smd Vulnerability flags = 862
03/07/2006 12:11:48.414 qbecf08e61570.smd MIME file: [text/html][quoted-printable; Length=619 Checksum=47952]
03/07/2006 12:11:48.758 qbecf08e61570.smd Virus scanner 1 reports exit code of 0
03/07/2006 12:11:49.570 qbed308ff1575.smd Vulnerability flags = 862
03/07/2006 12:11:50.305 qbebe08de154c.smd Vulnerability flags = 862
03/07/2006 12:11:50.539 qbed308ff1575.smd Virus scanner 1 reports exit code of 0
03/07/2006 12:11:50.758 qbebe08de154c.smd MIME file: [text/html][quoted-printable; Length=2124 Checksum=177522]
03/07/2006 12:11:51.024 qbebe08de154c.smd MIME file: abandonment.gif [base64; Length=43248 Checksum=5360168]
03/07/2006 12:11:51.445 qbebe08de154c.smd Virus scanner 1 reports exit code of 0
03/07/2006 12:11:51.492 qbe9908a4150a.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
03/07/2006 12:11:51.492 qbe9908a4150a.smd Virus scanner 2 reports exit code of 0
03/07/2006 12:11:52.008 qbed508ec1578.smd Vulnerability flags = 862
03/07/2006 12:11:52.305 qbed508ec1578.smd MIME file: [text/html][quoted-printable; Length=1045 Checksum=72663]
03/07/2006 12:11:52.664 qbe9908a4150a.smd Scanned: Virus Free [MIME: 10 77594]
03/07/2006 12:11:52.695 qbed508ec1578.smd Virus scanner 1 reports exit code of 0
03/07/2006 12:11:52.789 qbebe08bb154b.smd Virus scanner 2 reports exit code of 0
03/07/2006 12:11:52.883 qbebe08bb154b.smd Scanned: Virus Free [MIME: 1 363]

Thank you

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222
Re: [Declude.Virus] clamwin second scanner error
Here's a couple of parameters I personally use for Clam-AV:

--max-ratio 0 --max-space 1M

max ratio sets a maximum ratio for compressed files. I've had zip files that contained txt files get false positives. Setting it to 0 disables this test.

max space sets the maximum amount of megabytes to extract for a compressed file. I figured no need to over scan compressed files especially with more than one scanner.

- Original Message -
From: Harry Vanderzand
To: Declude.Virus@declude.com
Sent: Friday, March 03, 2006 4:15 PM
Subject: [Declude.Virus] clamwin second scanner error

I added clamav as a second scanner to my virus.cfg file as follows:

SCANFILE C:\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE=5 -DUMB -NOBOOT -REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
REPORT Infection:

SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE 1

Now I get the following error in the virus log:

03/03/2006 17:11:59.307 qbf26019990d6.smd Vulnerability flags = 862
03/03/2006 17:12:09.448 qbf26019990d6.smd Could not find parse string Infection: in report.txt
03/03/2006 17:12:09.448 qbf26019990d6.smd Error 50 in virus scanner 1.
03/03/2006 17:12:09.448 qbf26019990d6.smd Your virus scanner DOES NOT EXIST (at D:\IMail\spool\proc\work\DBF260~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.]
03/03/2006 17:12:09.448 qbf26019990d6.smd Scanned: Error starting scanner

Any idea what I did wrong?

thank you

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222
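The virus-log excerpts quoted in the threads above show three conditions worth alerting on: a scanner terminated after the timeout whose message is still logged as Virus Free, a scanner that could not be started or whose report could not be parsed, and a detection logged with an empty virus name. The following is an added example, not part of the original posts and not Declude code, that triages a log for those conditions; the finding labels and function names are this example's own, and the sample lines are copied from the excerpts in these threads.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpts quoted in the threads above.
SAMPLE_LOG = r"""
03/07/2006 12:11:51.492 qbe9908a4150a.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
03/07/2006 12:11:51.492 qbe9908a4150a.smd Virus scanner 2 reports exit code of 0
03/07/2006 12:11:52.664 qbe9908a4150a.smd Scanned: Virus Free [MIME: 10 77594]
03/07/2006 12:11:52.789 qbebe08bb154b.smd Virus scanner 2 reports exit code of 0
03/07/2006 12:11:52.883 qbebe08bb154b.smd Scanned: Virus Free [MIME: 1 363]
03/03/2006 17:12:09.448 qbf26019990d6.smd Could not find parse string Infection: in report.txt
03/03/2006 17:12:09.448 qbf26019990d6.smd Error 50 in virus scanner 1.
03/03/2006 17:12:09.448 qbf26019990d6.smd Your virus scanner DOES NOT EXIST (at D:\IMail\spool\proc\work\DBF260~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.]
03/03/2006 17:12:09.448 qbf26019990d6.smd Scanned: Error starting scanner
03/07/2006 12:17:44.645 q6bc7040e00f8c308.smd Scanner 1: Virus= Attachment= [48] I
03/07/2006 12:17:44.735 q6bc7040e00f8c308.smd Scanned: CONTAINS A VIRUS [MIME: 2 57809]
"""

# Line layout seen in the excerpts: "MM/DD/YYYY HH:MM:SS.mmm <queue id> <message>"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$")

# Finding labels are this example's own names, not Declude terminology.
RULES = [
    ("SCANNER_TIMEOUT", re.compile(r"Virus scanner \d+ didn't finish after \d+ seconds")),
    ("SCANNER_MISSING", re.compile(r"virus scanner DOES NOT EXIST")),
    ("REPORT_PARSE_FAILED", re.compile(r"Could not find parse string")),
    ("SCANNER_START_ERROR", re.compile(r"^Scanned: Error starting scanner")),
    ("DETECTION_WITHOUT_NAME", re.compile(r"^Scanner \d+: Virus=\s*Attachment=")),
]
VERDICT_RE = re.compile(r"^Scanned: (.+?)(?: \[MIME: [^\]]*\])?$")


def triage(log_text):
    """Return {queue_id: {"verdict": str or None, "findings": [labels]}}."""
    messages = defaultdict(lambda: {"verdict": None, "findings": []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, continuation line or unrelated text
        _, queue_id, text = m.groups()
        entry = messages[queue_id]
        for label, rule in RULES:
            if rule.search(text) and label not in entry["findings"]:
                entry["findings"].append(label)
        verdict = VERDICT_RE.match(text)
        if verdict:
            entry["verdict"] = verdict.group(1)
    # Fail-open case: a scanner was killed on timeout, yet the message passed.
    for entry in messages.values():
        if entry["verdict"] == "Virus Free" and "SCANNER_TIMEOUT" in entry["findings"]:
            entry["findings"].append("PASSED_AFTER_TIMEOUT")
    return dict(messages)


def needs_review(log_text):
    """Queue ids with at least one finding, sorted for stable output."""
    return sorted(q for q, e in triage(log_text).items() if e["findings"])


if __name__ == "__main__":
    for queue_id, entry in triage(SAMPLE_LOG).items():
        print(queue_id, entry["verdict"], entry["findings"])
```

Messages flagged PASSED_AFTER_TIMEOUT were delivered without a completed scan by that engine, so they are the ones to rescan or hold for review.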
Re: [Declude.Virus] CLAMSCAN Scanner Command Line
My guess is they refer to different builds of clamav.

- Original Message -
From: Goran Jovanovic
To: Declude.Virus@declude.com
Sent: Monday, March 06, 2006 9:44 AM
Subject: [Declude.Virus] CLAMSCAN Scanner Command Line

Hi,

I have just added the CLAM scanner to my config and was wondering about the command lines described in the Declude manual. I am using the first option

SCANFILE [Drive:]\[Path]\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE 1

or

SCANFILE [Drive:]\[Path]\clamwin\bin\clamscan.exe --verbose --database="[Drive:]\[Path]\db" --tempdir="c:\Temp" --no-summary -l report.txt
VIRUSCODE 1

What is the database the second version is pointing to? I have no DB directory in C:\clamav-devel nor are there any files called DB in that directory. From what I understand the virus and phishing signatures are in C:\clamav-devel\share\clamav and clamscan.exe figures it out automatically.

Am I missing something here?

Goran Jovanovic
Omega Network Solutions
Re: [Declude.Virus] CLAMSCAN Scanner Command Line
I use runclamd and run it as a service. clamscan is pretty CPU intensive. Using clamdscan with the clamd service really cuts down on the CPU time.

- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, March 06, 2006 3:38 PM
Subject: RE: [Declude.Virus] CLAMSCAN Scanner Command Line

I see. Do most people run CLAM as a daemon or just call it for every message?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of george kulman
Sent: Monday, March 06, 2006 2:26 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] CLAMSCAN Scanner Command Line

The first is for the Windows port of Clam-AV. The second is for ClamWin. Different setups.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Monday, March 06, 2006 10:45 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] CLAMSCAN Scanner Command Line

Hi,

I have just added the CLAM scanner to my config and was wondering about the command lines described in the Declude manual. I am using the first option

SCANFILE [Drive:]\[Path]\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE 1

or

SCANFILE [Drive:]\[Path]\clamwin\bin\clamscan.exe --verbose --database=[Drive:]\[Path]\db --tempdir=c:\Temp --no-summary -l report.txt
VIRUSCODE 1

What is the database the second version is pointing to? I have no DB directory in C:\clamav-devel nor are there any files called DB in that directory. From what I understand the virus and phishing signatures are in C:\clamav-devel\share\clamav and clamscan.exe figures it out automatically.

Am I missing something here?

Goran Jovanovic
Omega Network Solutions
[Declude.Virus] ClamAV sanesecurity definitions
As a follow-up on last week's discussions on the SaneSecurity phish definitions for ClamAv.

ClamAv (without SaneSecurity) caught 273 phish for me in February (all 28 days). SaneSecurity definitions caught 178 phish for me in the last 8 days of February. McAfee caught 118 and none after I installed the SaneSecurity definitions.

SaneSecurity has done a wonderful job here. Thanks again Bill!

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
Re: [Declude.Virus] ClamAV sanesecurity definitions
I'm running clamav as one of my scanners. The SaneSecurity is an additional definition database named phish.ndb. I put the phish.ndb into my c:\clamav-devel\share\clamav folder and it does all of the rest.

- Original Message -
From: Colbeck, Andrew
To: Declude.Virus@declude.com
Sent: Wednesday, March 01, 2006 2:15 PM
Subject: RE: [Declude.Virus] ClamAV sanesecurity definitions

Scott,

Are you running ClamAV with the SaneSecurity antiphishing signatures as an external spam test in Declude Pro, or as an antivirus engine in Declude Virus Pro?

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:06 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ClamAV sanesecurity definitions

As a follow-up on last week's discussions on the SaneSecurity phish definitions for ClamAv.

ClamAv (without SaneSecurity) caught 273 phish for me in February (all 28 days). SaneSecurity definitions caught 178 phish for me in the last 8 days of February. McAfee caught 118 and none after I installed the SaneSecurity definitions.

SaneSecurity has done a wonderful job here. Thanks again Bill!

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
Re: [Declude.Virus] ClamAV sanesecurity definitions
Personally I haven't seen any false positives. I spot checked a few messages, and they were phish. All of the subject lines are definitely phishy. I whitelisted the Declude support lists, so I don't have any concerns about blocking the support lists.

What I also liked was that it only took about 15 minutes to get it working with a scheduled task to update itself.

- Original Message -
From: Colbeck, Andrew
To: Declude.Virus@declude.com
Sent: Wednesday, March 01, 2006 2:46 PM
Subject: RE: [Declude.Virus] ClamAV sanesecurity definitions

Thanks, Scott. I appreciate your posts on this topic. I have been following the hows and whys of using the phish.ndb and getting updates for it.

I was thinking that for my own usage, I'd rather worry about false positives and run it as a Declude JunkMail antispam external test. It is certainly working for you to catch scams, but have you checked for false positives? I was thinking that in particular, I might miss posts to the support lists regarding Declude text filters to fight 419 scams, and more generally, my users might be affected.

I am looking forward to implementing this when I have more time to spare in the office. (At my current rate, probably in April. Seriously.)

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:29 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] ClamAV sanesecurity definitions

I'm running clamav as one of my scanners. The SaneSecurity is an additional definition database named phish.ndb. I put the phish.ndb into my c:\clamav-devel\share\clamav folder and it does all of the rest.

- Original Message -
From: Colbeck, Andrew
To: Declude.Virus@declude.com
Sent: Wednesday, March 01, 2006 2:15 PM
Subject: RE: [Declude.Virus] ClamAV sanesecurity definitions

Scott,

Are you running ClamAV with the SaneSecurity antiphishing signatures as an external spam test in Declude Pro, or as an antivirus engine in Declude Virus Pro?

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:06 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ClamAV sanesecurity definitions

As a follow-up on last week's discussions on the SaneSecurity phish definitions for ClamAv.

ClamAv (without SaneSecurity) caught 273 phish for me in February (all 28 days). SaneSecurity definitions caught 178 phish for me in the last 8 days of February. McAfee caught 118 and none after I installed the SaneSecurity definitions.

SaneSecurity has done a wonderful job here. Thanks again Bill!

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
Re: [Declude.Virus] Running declude 4.x
If you're on Imail, I'd go to 3.0.5.23... That had a licensing fix.

This release fixes a bug in the IMail version of Declude whereby the wrong service level (Pro, Standard, Lite) was being reported. This issue affected IMail users only.

- Original Message -
From: John Pearson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, February 19, 2006 12:12 PM
Subject: Re: [Declude.Virus] Running declude 4.x

I get this problem too. Declude denies it is their problem. It is happening with one of my lists. I rolled back to 3.0.5.20 and it works again, but 3.0.5.26 triggers the problem for me. The same problem happened with 4.x

Regards,
John

- Original Message -
From: Kaj Søndergaard Laursen [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, February 19, 2006 3:52 AM
Subject: RE: [Declude.Virus] Running declude 4.x

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: 19. februar 2006 08:33
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Running declude 4.x

I am wondering if the headers showing in the body of this message was intentional. If not then there is a bug in declude 4.x.

I'm also seeing this with Declude 3.0.5.26. Some mails, like the Oxygen mail-list from Panda consistently shows up with some headers shown in the mail. I'm using Outlook 2003.

Regards,
Kaj
Re: [Declude.Virus] Changes @ Declude
Barry,

I did not receive the email sent to every customer (and I have Declude whitelisted). That irks me even more. Not having received the email, this all comes straight out of left field for me. If I had received the email, perhaps it wouldn't be such an unpleasant shock. It certainly is ruining my day off, I'll tell you that.

As for continuing with two different version levels, I'll tell you my comfort level for running the lower version definitely isn't high. Today you are committed to the version 3 customers, but just with the version numbers, I'm feeling I have a lesser product. Declude version 3 is a dead end on the Declude product tree. It is just a matter of when.

Will all future enhancements be going into version 3? What are the planned enhancements? Tell us how Declude is planning to improve the product.

- Original Message -
From: [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, February 10, 2006 12:47 PM
Subject: [Declude.Virus] Changes @ Declude

In the last 10 days we have received a number of inquiries to the email sent to every customer explaining the changes that are happening here at Declude. To summarize the answers to those questions:

* No existing customer is required to move to the new annual pricing.
* Our current customers can continue to pay the annual Service Agreements.
* No customer is required to move to 4.0

Over and above that we are continuing to enhance and support both 3.0 and 4.0 and we have provided great deals for customers wishing to move to the 4.0 version and also committed to keeping them on Service Agreements.

I have responded to each and every customer who has contacted me since the email was sent out and if any one has any further questions they can contact me either by email or telephone (978) 499-2933.

Barry
[Declude.Virus] declude and clamav 0.88-1/0.88-2
I upgraded to clamav 0.88-1 yesterday (and 0.88-2 today) and since the upgrades, I'm seeing sporadic .vir folders left behind. These all have a file named 0 in them.

02/03/2006 10:04:08.258 q7eb10620bac6.smd WARNING: Couldn't remove .vir directory D:\IMail\spool\proc\work\D7eb10620bac6.vir\: EXTRA FILES THERE. [145] Error String: [The directory is not empty.]
02/03/2006 10:04:08.258 q7eb10620bac6.smd Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.

Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
COPYFILE does not add any Declude headers.

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Friday, January 27, 2006 1:28 PM
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

Dan,

You might try COPYFILE which is essentially HOLD, but it adds the Declude headers to the messages. COPYFILE won't block the E-mail however, so you might want to either ROUTETO null, or HOLD and just delete what is in that folder since you have another copy. I am unclear about whether or not the COPYFILE action happens before or after virus scanning with AVAFTERJM ON, so that would need to be verified, but it might be a good workaround if this is a problem.

Matt

Dan Horne wrote:

IIRC, the HOLD action was where the risk came in. Messages that are held by Declude using AVAFTERJM and then manually re-queued (via, say, the old SpamReview app) would NOT be scanned for viruses at all, since re-queued messages bypass Declude altogether. HOLD is the only 'semi-final' action. All other actions either deliver the email to an mbox (in which case it is scanned by EVA), or remove the message completely (which is where the saved cycles come in).

IMO, AVAFTERJM should be changed so that only deleted emails, not held ones, bypass the AV scan. In other words, all messages should be first scanned for spam, then the ones that are not DELETED should all be scanned for viruses. This would close the security risk from re-queued messages. The AVAFTERJM option would then only be useful for those that use the DELETE action, but with the huge security risk involved in requeueing unscanned messages I think that it is ALREADY only useful for those that use the DELETE action. Unfortunately the manual isn't clear on this point. At the very least, Declude should add a warning to the manual around AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the same configuration.

--DH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned.

Think of it this way anything that ends up being delivered somewhere (i.e. mailbox etc) gets scanned.

Darrell

Matt writes:

This is the crux of the issue that I would like to figure out. I am however under the impression that if you DELETE a message, Declude Virus never gets it. I suspect that HOLD and MAILBOX are also that way. I am unsure about ROUTETO, and that is what really matters to me.

As far as savings of resources, it is apparently huge, especially for those running multiple virus scanners. Virus scanning takes more CPU than all but the biggest JunkMail configs (things like custom filters with thousands of lines of BODY or ANYWHERE searches). I know that on my system I Delete about 70% of all messages, ROUTETO about 10%, and deliver about 20%. I would like to save on scanning what I would otherwise be deleting with JunkMail.

Matt

Keith Johnson wrote:

Markus, However, Darrell mentioned that the AV scanner still runs once action is taken against the SPAM message (i.e. routeto, subject, etc.). Is this not true?

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers: As we know usually 50% of all incoming messages are spam. We know too that resource usage of one or two scan-engines is way above the entire spam filtering even if you use 5-6 external applications like sniffer, inv-uribl, spamchk, ... So if your spam filters are set up properly they will filter out at least 50% of all incoming messages before they will reach the av-engines.

Markus
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Thanks, Matt that'll be helpful.

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Friday, January 27, 2006 2:32 PM
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

Sorry. If you add the following directive to your Global.cfg it will:

COPYFILEACTIONWITHHEADERS ON

This was introduced somewhere in the 2.x series. It's a very useful tweak for me.

Matt

Scott Fisher wrote:

COPYFILE does not add any Declude headers.

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Friday, January 27, 2006 1:28 PM
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

Dan,

You might try COPYFILE which is essentially HOLD, but it adds the Declude headers to the messages. COPYFILE won't block the E-mail however, so you might want to either ROUTETO null, or HOLD and just delete what is in that folder since you have another copy. I am unclear about whether or not the COPYFILE action happens before or after virus scanning with AVAFTERJM ON, so that would need to be verified, but it might be a good workaround if this is a problem.

Matt

Dan Horne wrote:

IIRC, the HOLD action was where the risk came in. Messages that are held by Declude using AVAFTERJM and then manually re-queued (via, say, the old SpamReview app) would NOT be scanned for viruses at all, since re-queued messages bypass Declude altogether. HOLD is the only 'semi-final' action. All other actions either deliver the email to an mbox (in which case it is scanned by EVA), or remove the message completely (which is where the saved cycles come in).

IMO, AVAFTERJM should be changed so that only deleted emails, not held ones, bypass the AV scan. In other words, all messages should be first scanned for spam, then the ones that are not DELETED should all be scanned for viruses. This would close the security risk from re-queued messages. The AVAFTERJM option would then only be useful for those that use the DELETE action, but with the huge security risk involved in requeueing unscanned messages I think that it is ALREADY only useful for those that use the DELETE action. Unfortunately the manual isn't clear on this point. At the very least, Declude should add a warning to the manual around AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the same configuration.

--DH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned.

Think of it this way anything that ends up being delivered somewhere (i.e. mailbox etc) gets scanned.

Darrell

Matt writes:

This is the crux of the issue that I would like to figure out. I am however under the impression that if you DELETE a message, Declude Virus never gets it. I suspect that HOLD and MAILBOX are also that way. I am unsure about ROUTETO, and that is what really matters to me.

As far as savings of resources, it is apparently huge, especially for those running multiple virus scanners. Virus scanning takes more CPU than all but the biggest JunkMail configs (things like custom filters with thousands of lines of BODY or ANYWHERE searches). I know that on my system I Delete about 70% of all messages, ROUTETO about 10%, and deliver about 20%. I would like to save on scanning what I would otherwise be deleting with JunkMail.

Matt

Keith Johnson wrote:

Markus, However, Darrell mentioned that the AV scanner still runs once action is taken against the SPAM message (i.e. routeto, subject, etc.). Is this not true?

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers: As we know usually 50% of all incoming messages are spam. We know too that resource usage of one or two scan-engines is way above the entire spam filtering even if you use 5-6 external applications like sniffer, inv-uribl, spamchk, ... So if your spam filters are set up properly they will filter out at least 50% of all incoming messages before they will reach the av-engines.

Markus
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Excellent idea!

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, January 25, 2006 4:37 PM
Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME

Maybe someone has already requested it: Why not allow commands like

DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
...

in the virus.cfg file?

I won't and can't delete all viruses on our server because there is always the possibility that a scanner is catching something as suspicious or generic. But commands to delete certain virusnames should be very easy to implement and allow us to eliminate 95% of all hold viruses on our servers.

Markus
Re: [Declude.Virus] AVG
When I used AVG it was consistently in the back of the pack for virus detections. It lagged so badly at the beginning of the encrypted zip days, that I had to swap it out with Clam. It had pretty good scanning times.

I use FProt, Clam AV as a service and Mcafee VirusScan. From a cost perspective ClamAV is free, and if you can find someone to sell you the command line VirusScan, it should be under $30 a year.

I use a real-time Virus scanner of Symantec. I'd really recommend a different vendor as a real-time a/v to provide another level of security.

----- Original Message -----
From: Dean Lawrence
To: declude.virus@declude.com
Sent: Tuesday, December 20, 2005 7:29 AM
Subject: [Declude.Virus] AVG

I am looking for a new virus scanner for my Windows 2003 server and was wondering what all of you thought about AVG. This is both a web server and my mail server (imail) and I would be looking at it to be both my full-time file scanner and act as a secondary Declude scanner (I already am running F-Prot). If you like it and would recommend it, which version do you use? Would it be the file server edition?

Thanks,
Dean

--
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists
Re: [Declude.Virus] OT: Virus Backscatter
I use a customized version of Mailpure's antiav filter. I then combo this with a mailfrom-postmaster filter to add points when the bounce comes from a postmaster.

----- Original Message -----
From: Marc Catuogno [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, November 23, 2005 8:12 AM
Subject: [Declude.Virus] OT: Virus Backscatter

The latest outbreak has caused me a great deal of backscatter. You sent a banned file, virus in an attachment sent by you, undeliverables and so. I am very hesitant to try to create rules in JM to stop all notices like this because some of them are necessary. I've pretty much told the users to ignore them unless it looks like something they may have sent, but some people are getting really flooded. What is everyone else doing?
Re: [Declude.Virus] Second scanner
I use F-Prot 1, McAfee 2, Clam 3

I use the Cygwin version of clam with runclamd and runclamscan. You'll find those at http://www.smartbusiness.net/imail/declude/
runclamd runs clam as a service. Much faster.
runclamscan returns a virus name to Declude

Don't forget this is allowable:

#
# (2.0.6.16) This new directive, when added to the virus.cfg file, will cause Declude to stop calling
# the remaining scanners after a virus has been detected. This directive has meaning only when there
# is more than one scanner listed in the configuration file. The default behavior is for Declude to
# call all scanners.
#
# EXITSCANONVIRUSDETECT ON

As mentioned Prescan OFF will catch a majority of phishing attempts though you will pay a performance penalty.

#
# Declude Virus Pro can pre-scan HTML files. If no dangerous code is detected, the
# virus scanner will not get called. This can significantly cut down on CPU usage.
#
PRESCAN OFF

----- Original Message -----
From: David Dodell [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, November 03, 2005 11:24 PM
Subject: [Declude.Virus] Second scanner

After many years of using Virus Standard, I upgraded to Virus Pro to take advantage of a second scanner. I've scanned the previous threads on what others like for a second scanner to F-Prot, but can't seem to find any common thread ... So I would appreciate what seems to be the next most popular virus scanner to run as a secondary scanner to F-Prot?

David
Re: [Declude.Virus] 3.0.5.10
I would consider 3.0.5.10/11 interim releases... Scott would never have documented them. I too would like to see the release notes updated with each and every version... but it's a long long standing issue.

----- Original Message -----
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Saturday, October 22, 2005 7:36 AM
Subject: Re: [Declude.Virus] 3.0.5.10

On that note, I would also like to reraise the need for documentation on reported/known issues with a particular release. A simple page with a quick note about each reported issue would be very beneficial. Also, I would think each release would be reported on the Declude Releases list like Scott used to do. Now we have to go check the website for new releases. Very inefficient.

Darin.

----- Original Message -----
From: John Carter [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Sent: Saturday, October 22, 2005 12:27 AM
Subject: [Declude.Virus] 3.0.5.10

This one is just for the record since .10 is not on the website anymore -- thank goodness. Put 3.0.5.10 in place this afternoon (before I knew .11 was available). MISTAKE! Things looked ok at first, but didn't realize mail was stacking up in \proc\. When I was not getting anything at the house, came back in (around 11pm) and found 6,500 msgs in \proc. Put in .11 and restarted. It is flowing now. Wonder if that is the reason .10 disappeared from the web site so fast.

This raises (at least for me) an old discussion. I know new documentation for each little update is not possible or even reasonable to expect. But maybe a quick and dirty page on what the update fixed.??

John
[Declude.Virus] Clamd help needed
So I thought with Declude 3 running ok, I'm going to try the clam av service again. I'm running into a problem with runclamd: when I issue a runclamd -start, these log messages are produced:

10-20-2005 11:42:39 SERVICE_START_PENDING
10-20-2005 11:42:39 Status: 4
10-20-2005 11:42:41 startfailed 0

Now the services mmc shows that Run Clamd is started. Any ideas anyone?
Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
I block all encrypted zips based on the fact that I can't virus scan them. But then again I'm slightly paranoid and should not be trusted with sharp objects.

----- Original Message -----
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 3:08 PM
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

So it's this forum's consensus that if I have PRO I should not block all EZIPs - I should just block the other extensions even if they are found within ZIP files? I do send out notices when a file gets blocked, but I don't have a requeue script in place. I'll search for one and see what I can do. Thanks.

Darin Cox wrote:

If you have Declude Virus/EVA Pro you can switch to banning extensions within zips. With Standard, you may want to continue to ban encrypted zips. In either case, you will probably want to send out notices for banned files, notifying the intended recipient that a file sent to them was blocked. Include a link in the notification for them to requeue the message if it was legit and they want to receive it. Scripts to requeue messages have been posted to the list in the past, but they are very simple to create by just moving the Q and D files back to the spool directory... possibly going as far as launching the SMTP32 process to immediately send the message if you don't want your user to wait for the next queue run.

Darin.

----- Original Message -----
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 1:26 AM
Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

We're looking for a simple way to opportunistically allow our users to encrypt or password-protect certain emails and/or their attachments that contain sensitive data. We're running Declude Pro and have banned EZIP extensions (the highly recommended suggestion from several people on this forum), so that kinda rules out PKZIP and any kind of ZIP program (because as soon as you password-protect a ZIP file, it becomes an EZIP file). We looked at PGP, but it seems very complex and seems to require a hardware proxy in between our mail server and the Net.

Is there a simple and effective way to encrypt or password protect documents for email transmission that doesn't cause problems with Imail or Declude and doesn't require software to be installed on the recipient's end?

Thanks.
Kevin
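Darin's requeue step (moving the Q and D files back to the spool) is where Dan Horne's point earlier on this page about held mail skipping the virus scan under AVAFTERJM applies. The following is an added example, not code from any poster or from Declude, that scans each held message before it is requeued. The folder layout, the Q<id>.smd / D<id>.smd pairing and the use of ClamAV's clamscan exit codes are assumptions.

```python
"""Scan held messages before requeueing them (added example, not Declude code).

Assumptions, none of them from the thread: held mail sits in one folder as
paired files Q<id>.smd (envelope) and D<id>.smd (message data), and the
scanner is ClamAV's clamscan (exit code 0 = clean, 1 = virus found,
anything else = error).
"""
import re
import shutil
import subprocess
from pathlib import Path

DATA_FILE = re.compile(r"d([0-9a-z]+)\.smd")  # matched against lower-cased names


def clamscan(path, exe="clamscan"):
    """Scan one file and map clamscan's exit code to a verdict string."""
    try:
        rc = subprocess.run([exe, "--no-summary", str(path)],
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
    except OSError:
        return "error"  # scanner missing or not runnable: treat as not clean
    return {0: "clean", 1: "infected"}.get(rc, "error")


def _move_pair(data_file, envelope, dest):
    """Move the data file first and the envelope last (assumption: the queue
    run is driven by Q files, so a Q file should never arrive without its D)."""
    dest.mkdir(parents=True, exist_ok=True)
    shutil.move(str(data_file), str(dest / data_file.name))
    shutil.move(str(envelope), str(dest / envelope.name))


def requeue_held(hold_dir, spool_dir, quarantine_dir, scan=clamscan):
    """Requeue only messages the scanner positively reports as clean.

    Returns {message_id: outcome}. Infected pairs go to quarantine; on a
    scanner error the pair stays in the hold folder, so a broken scanner
    can never release unscanned mail.
    """
    hold = Path(hold_dir)
    # Windows file names are case-insensitive and the log lines on this page
    # show mixed case, so index the folder by lower-cased name.
    files = {p.name.lower(): p for p in hold.iterdir() if p.is_file()}
    results = {}
    for name in sorted(files):
        match = DATA_FILE.fullmatch(name)
        if not match:
            continue
        msg_id = match.group(1)
        envelope = files.get(f"q{msg_id}.smd")
        if envelope is None:
            results[msg_id] = "skipped: no envelope"
            continue
        verdict = scan(files[name])
        if verdict == "clean":
            _move_pair(files[name], envelope, Path(spool_dir))
            results[msg_id] = "requeued"
        elif verdict == "infected":
            _move_pair(files[name], envelope, Path(quarantine_dir))
            results[msg_id] = "quarantined"
        else:
            results[msg_id] = "left in hold: scan error"
    return results
```

Call `requeue_held(hold, spool, quarantine)` with your own folder paths; the `scan` parameter accepts any callable returning "clean", "infected" or "error", so another command-line scanner can be wrapped the same way.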
[Declude.Virus] Conflicting Decoding oddity
I've caught 76 conflicting encoding messages with EVA this month all 3 days. All spam messages. What's odd is I had 53 conflicting encoding messages the whole last month. Is this a change in Declude 3.05 or a shift in my spammers?
Re: [Declude.Virus] Seemingly bad virus this morning
Arrrggg. Mr. Obvious says if you rename the win_netware_betadat.zip, wget will never find a file to compare it to and will always download the update.

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 5:34 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Scott and Andrew,

It does in fact work on my system. I'm using Wget 1.8.1+cvs. The beta definitions do change very frequently, so this might throw you off. Try executing a derivative of the following command twice and see what happens (remove the line break and adjust the paths):

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

Matt

Scott Fisher wrote:

Matt, Does the wget -N command work for you with Mcafee. I also use the -N and get the full download every time.

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 4:13 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Nice script, but the executables don't change regularly, and many of us are using the command line version of McAfee that requires an unvalidated download. This also doesn't get the beta DAT's.

I use a script that calls both wget and WinZip's free command line add-on (requires a registered WinZip). It is easy enough to replace that with any other command line unzipping tool. Personally I find WinZip to be perfectly reliable so I'm sticking with it.

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
IF ERRORLEVEL 1 GOTO END
C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\
:END
ENDLOCAL

Matt

Markus Gufler wrote:

attached you can find a script (I'm not the creator of this script but can't remember who's the genius) that will download the superdats and also the dailydat-files, extract all necessary virus definitions and also engine updates, write any action to a logfile and keep the downloaded superdats so that you can't revert manually if it would be necessary. You need some command line tools like unzip and wget and adapt the path information in the script for your needs. This script works on my server now for years and I hope it will do so also if now a lot of people will run it on their servers.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Monday, September 12, 2005 10:49 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

Hmm, yes. Something along the lines of:

wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini

and then parsing out the line:

FileName=dat-4579.zip

or

DATVersion=4579

in order to construct the filename... but it seems like re-inventing the wheel. The readme.txt talks about a SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI downloader.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt -

Matt wrote:

I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works - ftp.nai.com/pub/antivirus/datfiles/4.x

-Nick

Thanks,
Matt

John Tolmachoff (Lists) wrote:

OK, so it is cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL
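Andrew's suggestion of reading update.ini to construct the DAT file name, as an added example (not the script Markus attached and not any poster's code). It validates the remote values before building a URL and skips the download when the installed version is current. The sample file is constructed: only the FileName and DATVersion keys appear in the thread, and the [ZIP] section name and the installed-version bookkeeping are assumptions.

```python
"""Decide from update.ini whether a newer DAT should be fetched (added example)."""
import configparser
import re

# Directory quoted in the thread.
BASE_URL = "ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/"

# The file name must have exactly this shape; anything else (a path, another
# extension, a different host) is rejected rather than passed to a downloader.
DAT_NAME = re.compile(r"dat-([0-9]{1,8})\.zip")

# Constructed sample. Only FileName and DATVersion are quoted in the thread;
# the [ZIP] section name is an assumption.
SAMPLE_INI = """\
[ZIP]
DATVersion=4579
FileName=dat-4579.zip
"""


class UpdateIniError(ValueError):
    """update.ini is missing fields or carries values we refuse to use."""


def parse_update_ini(text):
    """Return (version, filename) from update.ini text after validating both."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        raise UpdateIniError(f"unparseable update.ini: {exc}") from exc

    for section in parser.sections():
        values = parser[section]
        if "DATVersion" in values and "FileName" in values:
            version = values["DATVersion"].strip()
            filename = values["FileName"].strip()
            break
    else:
        raise UpdateIniError("no section carries both DATVersion and FileName")

    if not re.fullmatch(r"[0-9]{1,8}", version):
        raise UpdateIniError(f"DATVersion is not a plain number: {version!r}")
    match = DAT_NAME.fullmatch(filename)
    if not match:
        raise UpdateIniError(f"unexpected FileName: {filename!r}")
    if int(match.group(1)) != int(version):
        raise UpdateIniError("FileName and DATVersion disagree")
    return int(version), filename


def plan_update(ini_text, installed_version):
    """Return the URL to download, or None when the installed DAT is current."""
    version, filename = parse_update_ini(ini_text)
    if version <= installed_version:
        return None
    return BASE_URL + filename
```

Comparing `DATVersion` against a locally recorded version avoids depending on wget's `-N` timestamp check, which Scott reports as re-downloading the full file every time.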
Re: [Declude.Virus] Seemingly bad virus this morning
Great catch Matt. Mine's gone too since August 2

Thank you Declude for multiple virus scanner option.

Try: http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip
From: http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=st&q=dailydat&rnum=1&hl=en#61f1bcbcc4e71848

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 2:26 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

This is a new Bagel variant: http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

Thanks,
Matt

John Tolmachoff (Lists) wrote:

OK, so it is cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet?

----- Original Message -----
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

What is the payload inside the zip?

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

HEADERS END NOTCONTAINS boundary="
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price

Matt
Re: [Declude.Virus] Seemingly bad virus this morning
Here's the Mcafee page: http://vil.mcafeesecurity.com/vil/virus-4d.asp - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Monday, September 12, 2005 2:26 PM Subject: Re: [Declude.Virus] Seemingly bad virus this morning This is a new Bagel variant: http://vil.nai.com/vil/content/v_129588.htmI was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.Thanks,MattJohn Tolmachoff (Lists) wrote: OK, so it is cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct? John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser Sent: Monday, September 12, 2005 11:49 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Seemingly bad virus this morning I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet? - Original Message - From: "John Tolmachoff (Lists)" [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, September 12, 2005 11:55 AM Subject: RE: [Declude.Virus] Seemingly bad virus this morning What is the payload inside the zip? John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, September 12, 2005 7:52 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Seemingly bad virus this morning FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". 
Here's a quick filter that I had put together for it:
HEADERS END NOTCONTAINS boundary="
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price
Matt
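The rule raised in this thread, that a banned extension such as .cpl must also be caught when the file sits inside a zip, can be checked as below. This is an added example, not code from the posters or from Declude; the extensions other than .cpl, the depth and size limits, and all function names are assumptions, and the sample archives are constructed.

```python
import io
import zipfile

# .cpl is the extension named in the thread; the others are assumed additions.
BANNED_EXTS = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat"}
MAX_DEPTH = 2                         # assumed limit on zip-inside-zip nesting
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed cap on a nested archive's declared size


def effective_ext(name):
    """Extension as Windows sees it: last path component, trailing dots/spaces dropped."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def scan_nested(archive, info, path, depth, encrypted):
    """Open a zip stored inside a zip, or say why it was left unscanned."""
    if encrypted or depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
        return [("unscanned-nested-zip", path)]
    try:
        inner = archive.read(info)
    except Exception:
        # CRC mismatch, corrupt stream, unsupported method: fail closed.
        return [("unreadable-member", path)]
    return inspect_zip(inner, depth + 1, path + "/")


def inspect_zip(data, depth=0, prefix=""):
    """Return a list of (reason, member_path) findings for one zip attachment."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # No usable central directory: report it instead of guessing at contents.
        return [("malformed-zip", prefix.rstrip("/"))]
    findings = []
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            ext = effective_ext(info.filename)
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag, bit 0
            if encrypted:
                # Member names stay readable, so the extension rule still applies.
                findings.append(("encrypted", path))
            if ext in BANNED_EXTS:
                findings.append(("banned-extension", path))
            elif ext == ".zip":
                findings.extend(scan_nested(archive, info, path, depth, encrypted))
    return findings


def make_zip(members):
    """Build a small in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "price.zip": make_zip({"1.cpl": b"MZ constructed, not a real binary"}),
        "wrapped.zip": make_zip({"docs/inner.zip": make_zip({"price.CPL.": b"MZ"})}),
        "truncated.zip": make_zip({"report.txt": b"hello"})[:20],
        "clean.zip": make_zip({"report.txt": b"hello"}),
    }
    for name, blob in samples.items():
        print(name, inspect_zip(blob) or "ok")
```

The nested case matters because an extension rule that only reads the outer member list reports `inner.zip` and nothing else.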
Re: [Declude.Virus] Seemingly bad virus this morning
-Matt, Does the wget -N command work for you with McAfee? I also use the -N and get the full download every time. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Monday, September 12, 2005 4:13 PM Subject: Re: [Declude.Virus] Seemingly bad virus this morning Nice script, but the executables don't change regularly, and many of us are using the command line version of McAfee that requires an unvalidated download. This also doesn't get the beta DAT's. I use a script that calls both wget and WinZip's free command line add-on (requires a registered WinZip). It is easy enough to replace that with any other command line unzipping tool. Personally I find WinZip to be perfectly reliable so I'm sticking with it.
REM wget writes its progress to stderr, so merge it into stdout for find
C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
REM find sets ERRORLEVEL 1 when no completed download was reported; skip the unzip then
IF ERRORLEVEL 1 GOTO END
C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\
:END
ENDLOCAL
Matt Markus Gufler wrote: attached you can find a script (I'm not the creator of this script but can't remember who's the genius) that will download the superdats and also the dailydat-files, extract all necessary virus definitions and also engine updates, write any action to a logfile and keep the downloaded superdats so that you can't revert manually if it would be necessary. You need some command line tools like unzip and wget and adapt the path information in the script for your needs. This script works on my server now for years and I hope it will do so also if now a lot of people will run it on their servers. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Monday, September 12, 2005 10:49 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Seemingly bad virus this morning Hmm, yes.
Something along the lines of: wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini and then parsing out the line: FileName=dat-4579.zip or DATVersion=4579 in order to construct the filename... but it seems like re-inventing the wheel. The readme.txt talks about a SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI downloader. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Monday, September 12, 2005 1:35 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Seemingly bad virus this morning Hi Matt - Matt wrote: I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip. This link works - ftp.nai.com/pub/antivirus/datfiles/4.x -Nick Thanks, Matt John Tolmachoff (Lists) wrote: OK, so it is cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct? John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser Sent: Monday, September 12, 2005 11:49 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Seemingly bad virus this morning I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet? - Original Message - From: "John Tolmachoff (Lists)" [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, September 12, 2005 11:55 AM Subject: RE: [Declude.Virus] Seemingly bad virus this morning What is the payload inside the zip?
John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, September 12, 2005 7:52 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Seemingly bad virus this morning FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it: HEADERS
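The update.ini approach sketched in this thread (read FileName= or DATVersion=, then construct the archive name) could look like the following. It is an added example, not any poster's script: the section names in the sample, the function names and the installed-version comparison are assumptions, and because the file arrives over plain FTP its values are validated before they are turned into a download URL.

```python
import configparser
import re

# Directory quoted in the thread; assumed to hold both update.ini and the DAT archive.
BASE_URL = "ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/"
# Only a bare dat-NNNN.zip name is accepted, so a value cannot point elsewhere.
DAT_NAME = re.compile(r"dat-(\d{4,6})\.zip")

# Constructed sample: the two key=value lines come from the thread, the section
# names and the second section are assumptions about the file's layout.
SAMPLE_INI = """\
[ZIP]
DATVersion=4579
FileName=dat-4579.zip

[Other]
FileName=sdat4579.exe
"""


def parse_dat_entry(ini_text):
    """Return (version, filename) for the DAT archive described by update.ini."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        # A dummy first section lets keys that precede any [section] parse too.
        parser.read_string("[_preamble]\n" + ini_text)
    except configparser.Error as exc:
        raise ValueError("update.ini is not parseable: %s" % exc)
    for section in parser.sections():
        filename = parser.get(section, "FileName", fallback="").strip()
        match = DAT_NAME.fullmatch(filename)
        if not match:
            continue  # other packages, or a name we refuse to build a URL from
        declared = parser.get(section, "DATVersion", fallback="").strip()
        if declared and declared != match.group(1):
            raise ValueError("DATVersion %r does not match %r" % (declared, filename))
        return int(match.group(1)), filename
    raise ValueError("no dat-NNNN.zip entry found in update.ini")


def plan_download(ini_text, installed_version):
    """URL of the DAT archive to fetch, or None when the installed set is current."""
    version, filename = parse_dat_entry(ini_text)
    if version <= installed_version:
        return None
    return BASE_URL + filename


if __name__ == "__main__":
    print(plan_download(SAMPLE_INI, 4578))  # newer set available
    print(plan_download(SAMPLE_INI, 4579))  # already current
```

Comparing the parsed version with the installed one also avoids pulling the full archive on every run, the behaviour asked about with `wget -N` earlier in the thread.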
Re: [Declude.Virus] Sudden Internet Slowdown
You can't do an internet reboot on a Friday. You need to wait until the weekend. - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, September 09, 2005 10:48 AM Subject: Re: [Declude.Virus] Sudden Internet Slowdown Maybe someone should reboot the Internet. Matt Keith Johnson wrote: I am seeing this as we are attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. Thanks, Rodney Bertsch
Re: [Declude.Virus] Zip Vulnerability?
http://www.mail-archive.com/declude.virus@declude.com/msg12070.html This vulnerability is triggered if the file format diverges from the official ZIP format specification. - Original Message - From: Grant Griffith [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, August 09, 2005 1:42 PM Subject: [Declude.Virus] Zip Vulnerability? Have a customer trying to send a message and it is being caught saying Invalid ZIP Vulnerability. Anyone know what this is? Nothing in the Declude manual on this one. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000
Re: [Declude.Virus] Zip Vulnerability?
As a publishing company, long ago I had some trouble with some Mac zip's being caught incorrectly with the Invalid ZIP. I'd submit the .zip to Declude and see what they have to say. As for stopping it... the best I can think of to try would be: ALLOWVULNERABILITIESFROM option that instructs Declude Virus to allow vulnerabilities from a specific E-mail address or domain. - Original Message - From: Grant Griffith [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, August 09, 2005 2:13 PM Subject: RE: [Declude.Virus] Zip Vulnerability? Thanks Scott, Sounds like the same problem the other person was talking about. I can not find anything in the archives or manual, but I thought you could tell Declude to skip certain vulnerability tests, is this true? If so, how can I do that? This is a printing company and I am sure they are using Mac's which might not put things in the correct format. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Tuesday, August 09, 2005 2:09 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Zip Vulnerability? http://www.mail-archive.com/declude.virus@declude.com/msg12070.html This vulnerability is triggered if the file format diverges from the official ZIP format specification. - Original Message - From: Grant Griffith [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, August 09, 2005 1:42 PM Subject: [Declude.Virus] Zip Vulnerability? Have a customer trying to send a message and it is being caught saying Invalid ZIP Vulnerability. Anyone know what this is? Nothing in the Declude manual on this one. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000
Re: [Declude.Virus] Patch Tuesday and graphic images
...and hope that Declude or the AV-Engine will catch this vulnerability as soon as possible. I completely agree. As a publishing company we receive lots of large jpeg files and the thought of having to virus scan all those, makes my mail server want to run and hide. I'd like to see a comment from Declude. But they seem to be in their information cloak cycle again. - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, July 12, 2005 3:52 PM Subject: RE: [Declude.Virus] Patch Tuesday and graphic images Andrew thanks for the info ...you will want to remove these optimizations from your Declude virus.cfg file: SKIPEXT JPG SKIPEXT JPEG SKIPEXT PNG SKIPEXT TIF SKIPEXT TIFF ... and hope that Declude or the AV-Engine will catch this vulnerability as soon as possible. As much as I can understand from reading the KB-Article it's something similar to the GDI-Exploit but not the same. Markus
Re: [Declude.Virus] Limit Size of message to be scanned?
I use skipext to bypass some of my larger file types: SKIPEXT EPS SKIPEXT GIF SKIPEXT indd SKIPEXT JPG SKIPEXT JPEG SKIPEXT MPG SKIPEXT MPEG SKIPEXT MOV SKIPEXT P65 SKIPEXT PMD SKIPEXT PDF SKIPEXT PSD SKIPEXT QXD SKIPEXT TIF SKIPEXT TIFF Of course by skipping these extensions (especially the jpeg and PDF) I do run a possible future risk, but it's a risk my CPU must take. A skip by message size would be interesting. Say skip all zips over 1 MB? It might also get a SIZE parameter into the Junkmail side which would be nice. - Original Message - From: Grant Griffith To: Declude.Virus@declude.com Sent: Friday, July 08, 2005 8:50 AM Subject: RE: [Declude.Virus] Limit Size of message to be scanned? Yep, we had one client send a 50+ and 45+ at the same time. That is about the same time the system locked up. It is a Dual Pentium 3.6 processors with at least 2 gig of memory. I would have hoped it could keep up, but seems to be a pattern this week whenever huge emails get sent thru the server, it locks up and needs rebooted to fix it. How does anyone else handle this? I would guess there would be a way to not scan messages over a certain size. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, July 08, 2005 2:05 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Limit Size of message to be scanned? 50 MB e-mail attachments? Youch! John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith Sent: Thursday, July 07, 2005 8:36 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] Limit Size of message to be scanned? Hello All, Is there a way to limit the size of the message that Declude/F-Prot can scan? We have some customers that are sending 50+ meg files and it is causing our servers to have major issues. Is there a setting to say skip anything over a certain size? Either in F-Prot or Declude?
We fixed it currently by setting it to OFF for certain domains, but really want to ban extensions and vulnerabilities for those domains... Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000
Re: [Declude.Virus] [sniffer] New Spam/Virus?
Yes I have seen them too: email starts with: Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons. - Original Message - From: Jim Matuska To: sniffer@SortMonster.com Sent: Monday, June 06, 2005 4:13 PM Subject: [sniffer] New Spam/Virus? Is anyone else seeing a huge rash of spam/virus messages in the last hour or so? I have multiple users that are getting messages that are forging our own addresses and have a link that appears to go to our website but instead goes elsewhere with an IP address link. These do not appear to be infecting as file attachments but from the web link itself. Pete, I have forwarded a few to your spam@ address, let me know what you think. Jim Matuska Jr. Computer Tech2, CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED]
Re: Re[2]: [Declude.Virus] Second Scanner
I also use Terry's runclamscan with no issues. I have had rare email melt downs when I was running runclamd. I could never pin it firmly on anything. So I stopped the runclamd to see how it handles. - Original Message - From: David Sullivan [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Saturday, June 04, 2005 1:18 PM Subject: Re[2]: [Declude.Virus] Second Scanner Hello Scott, Friday, June 3, 2005, 10:48:47 PM, you wrote: SF One last ClamAV comment... SF I've added the command line switch --max-ratio 0 SF I've had some false positives on some .zip files that forced me to add the SF switch. Thanks for the info. I've been running clam now with Terry's runclamscan since last night on 2 machines. At one point on each machine started getting these errors in the Declude Virus file:
06/04/2005 14:06:54 Qed820cb43917 ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
06/04/2005 14:06:54 Qed820cb43917 WARNING: Couldn't remove .vir directory o:\spool\Ded820cb43917.vir\: SHARING VIOLATION.
06/04/2005 14:06:54 Qed820cb43917 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
Then, they balloon to ones like this:
06/04/2005 14:07:25 Qed87026a0076c30a ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded87026a0076c30a.SMD L:\virustrap\Ded87026a0076c30a.SMD. Re-trying.
06/04/2005 14:07:26 Qed82035200bac2f1 ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded82035200bac2f1.SMD L:\virustrap\Ded82035200bac2f1.SMD. Re-trying.
06/04/2005 14:07:26 Qed8402890066c2fa ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded8402890066c2fa.SMD L:\virustrap\Ded8402890066c2fa.SMD. Re-trying.
It took a reboot of both machines to fix the problem. On one I had 288 process running which fouls everything else up. Clam is SCANNER2 Any ideas? -- Best regards, David mailto:[EMAIL PROTECTED]
Re: Re[2]: [Declude.Virus] Second Scanner
P.S. You can schedule freshclam often because it makes a DNS call to determine if there is a new version of the database, it will only download if that DNS result tells it to. Very efficient. I schedule freshclam every 15 minutes. - Original Message - From: David Sullivan [EMAIL PROTECTED] To: Terry Fritts Declude.Virus@declude.com Sent: Friday, June 03, 2005 11:14 AM Subject: Re[2]: [Declude.Virus] Second Scanner Hello Terry, TF ClamAV - TF http://www.sosdg.org/clamav-win32/index.php TF Get my utilities: runclamd, runclamdscan TF http://www.smartbusiness.com/imail/declude/ TF Set up a scheduled task to periodically run freshclam to keep the TF database update. TF Works extremely well for us. Thanks, I'll give it a try. -- Best regards, David mailto:[EMAIL PROTECTED]
Re: Re[2]: [Declude.Virus] Second Scanner
One other ClamAV tip. If you can afford the performance hit and can use PRESCAN OFF, clamav will be a very effective Phish blocker. - Original Message - From: David Sullivan [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, June 03, 2005 3:20 PM Subject: Re[2]: [Declude.Virus] Second Scanner Hello Terry, Friday, June 3, 2005, 3:26:33 PM, you wrote: How can I figure out if freshclam is grabbing the latest defs? TF I set up a scheduled task update_clamav to run every 2 hours or so: TF start in: c:\clamav-devel\bin\ TF run: freshclam.exe --quiet -l c:\clamav-devel\log\freshclam.log Works like a charm. TF Then I can check the freshclam.log file. Looks good. I have Rundclamd running as a service under LocalSystem. Should I set the startup type to Automatic or leave it at Manual? TF Mine is set to automatic. Done Now have clam setup as Scanner2. Am I to assume that anything showing up in the runclamscan.log is something that got by Fprot? -- Best regards, David mailto:[EMAIL PROTECTED]
Re: [Declude.Virus] Newbie question
The MAILFROM filter test is separate from anything in the headers. It is the envelope sender. If you want to test on the header from (I call it display from because that's what Outlook displays), you need to check the HEADERS. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Friday, June 03, 2005 3:26 AM Subject: Re: [Declude.Virus] Newbie question Great. Exactly what I needed. I was also confused about the MAILFROM. Does MAILFROM mean what is displayed as the FROM: in the headers or what it says in the X-Note: This E-mail was sent from 206-72-95-86.wi.skypipeline.com ([206.72.95.86]) or in the X-Declude-Sender field? Maybe I should just use the HEADERS 0 CONTAINS instead. Thanks again. Scott Fisher wrote: One caveat. The MAILFROM uses the envelope mailfrom, which is different than the ones displayed in the headers. If the below doesn't stop it, add HEADERS 0 CONTAINS [EMAIL PROTECTED] HEADERS 0 CONTAINS [EMAIL PROTECTED] - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 10:37 PM Subject: Re: [Declude.Virus] Newbie question I looked up the filter section at the manual. This is what I did. I made a file called filter.txt. This contains: MAILFROM 0 CONTAINS [EMAIL PROTECTED] MAILFROM 0 CONTAINS [EMAIL PROTECTED] etc. I then added this line in global.cfg: MYFILTER filter C:\Imail\Declude\filter.txt x200 In my $default$.junkmail file there was already this line: WEIGHT20 HOLD Do I need to do anything else to the junkmail file to reference MYFILTER or does the WEIGHT20 take care of everything? Thanks. Kevin Darin Cox wrote: Nope... add a filter test and put those lines in it. The same thing I mentioned without pro applies here for adding test names to the global.cfg and $default$.junkmail. The manual at http://declude.com/junkmail/manual.htm describes adding filter files pretty well. Darin.
- Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 7:09 PM Subject: Re: [Declude.Virus] Newbie question I have pro. How do I add filters? Should I add that line MAILFROM 10 CONTAINS [EMAIL PROTECTED] in virus.cfg or global.cfg? Do I need to use another file? If I use the HEADERS option HEADERS 10 CONTAINS [EMAIL PROTECTED] - where would I put that? Sorry for the newbie questions. Kevin Scott Fisher wrote: If you've got pro, you could add a filter: MAILFROM 10 CONTAINS [EMAIL PROTECTED] that will check the envelope mailfrom. To check for those addresses in the headers: HEADERS 10 CONTAINS [EMAIL PROTECTED] Another option is to update your virus software more often to minimize the opportunity window for the virus. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:15 PM Subject: [Declude.Virus] Newbie question How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain. I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks.
Re: Re[4]: [Declude.Virus] Second Scanner
I'm running 2.0.6.16 and would consider it as stable as 1.82 - Original Message - From: David Sullivan [EMAIL PROTECTED] To: John Carter Declude.Virus@declude.com Sent: Friday, June 03, 2005 2:02 PM Subject: Re[4]: [Declude.Virus] Second Scanner Looks like I have clam up and running. I'm testing it as my primary scanner to make sure it catches viruses and all looks good so far. It looks like it takes about as much CPU as FProt. I have Rundclamd running as a service under LocalSystem. Should I set the startup type to Automatic or leave it at Manual? If I leave it on Manual do I need to rerun runclamd -start after a reboot? JC I use ClamAV (with Runclamscan/Runclamd) as my second scanner and it works JC great. The only downside is it is a resource hog (but still worth it.) If JC and when you move to AV/JM 2.0.6.16, consider using the new directive JC EXITSCANONVIRUSDETECT. It has helped. I'm still at 1.86. Been afraid to move up until it shakes out. 2.0.6.16 considered stable now? -- Best regards, David mailto:[EMAIL PROTECTED]
Re: [Declude.Virus] Second Scanner
One last ClamAV comment... I've added the command line switch --max-ratio 0 I've had some false positives on some .zip files that forced me to add the switch. - Original Message - From: Terry Fritts [EMAIL PROTECTED] To: David Sullivan Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:52 PM Subject: Re: [Declude.Virus] Second Scanner I was interested in what folks were using as a second scanner aside from F-Prot. ... I thought someone had posted some stats about this but can't find them. Any suggestions? ClamAV - http://www.sosdg.org/clamav-win32/index.php Get my utilities: runclamd, runclamdscan http://www.smartbusiness.com/imail/declude/ Set up a scheduled task to periodically run freshclam to keep the database update. Works extremely well for us. --- Terry Fritts
Re: [Declude.Virus] Second Scanner
Matt posted speed comparisons I'd say about a year ago. I use F-Prot ClamAV and McAfee - Original Message - From: David Sullivan [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 4:50 PM Subject: [Declude.Virus] Second Scanner I know this comes up every now and then, but the last thread I can find is from May 2004. I was interested in what folks were using as a second scanner aside from F-Prot. I've heard AVG is good but slow, Kaspersky fast with updates but expensive, McAfee good but hard to get a command line. I thought someone had posted some stats about this but can't find them. Any suggestions? -- Best regards, David mailto:[EMAIL PROTECTED]
Re: [Declude.Virus] Newbie question
If you've got pro, you could add a filter: MAILFROM 10 CONTAINS [EMAIL PROTECTED] that will check the envelope mailfrom. To check for those addresses in the headers: HEADERS 10 CONTAINS [EMAIL PROTECTED] Another option is to update your virus software more often to minimize the opportunity window for the virus. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:15 PM Subject: [Declude.Virus] Newbie question How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain. I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks.
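The envelope-versus-header distinction this thread keeps returning to, shown on two constructed messages. This is an added example, not Declude code or anything the posters wrote: the three functions only model a MAILFROM test, a HEADERS test (assumed here to be a substring match over the whole header block) and a stricter From:-only comparison, and the addresses stand in for the redacted ones.

```python
from email import message_from_string
from email.utils import getaddresses

BLOCKED = "admin@example.org"  # constructed stand-in for a forged own-domain address


def mailfrom_contains(envelope_from, needle):
    """Model of a MAILFROM ... CONTAINS line: sees only the SMTP envelope sender."""
    return needle.lower() in envelope_from.lower()


def headers_contains(raw_message, needle):
    """Model of a HEADERS ... CONTAINS line: substring search over every header."""
    header_block = raw_message.split("\n\n", 1)[0]
    return needle.lower() in header_block.lower()


def header_from_is(raw_message, needle):
    """Stricter check: compare only the address(es) parsed from the From: header."""
    msg = message_from_string(raw_message)
    addresses = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
    return needle.lower() in addresses


def evaluate(envelope_from, raw_message, needle=BLOCKED):
    """Which of the three modelled tests fire for one message."""
    return {
        "MAILFROM": mailfrom_contains(envelope_from, needle),
        "HEADERS": headers_contains(raw_message, needle),
        "From-only": header_from_is(raw_message, needle),
    }


# Constructed samples: (envelope sender, message text).
FORGED = (
    "bounce-7731@mailer.invalid",
    'From: "Admin" <admin@example.org>\nTo: kevin@example.org\n'
    "Subject: price\n\nSee the attached file.\n",
)
LEGIT = (
    "customer@example.net",
    "From: Customer <customer@example.net>\nTo: admin@example.org\n"
    "Subject: invoice question\n\nHello.\n",
)

if __name__ == "__main__":
    for label, (envelope, raw) in (("forged", FORGED), ("legit", LEGIT)):
        print(label, evaluate(envelope, raw))
```

On the forged sample the MAILFROM model stays silent because only the header From: carries the own-domain address; on the legitimate sample the whole-header substring model fires on the To: line, which is the false positive to watch for when the blocked address is a real mailbox.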
Re: [Declude.Virus] Newbie question
I was going to suggest a fromfile. One potential problem.. the fromfile would use the envelope from. In the case of a virus, I don't know if the envelope from would have the forged address in it. You'd have to capture some of the messages to know for sure. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:48 PM Subject: Re: [Declude.Virus] Newbie question You don't have to have PRO. You can also use a FROMFILE test with a text file listing all of the email addresses and/or domains you want to penalize. Just put a line like this in your Global.CFG: FROMBLACKLIST fromfile C:\IMail\Declude\fromblacklist.txt x 200 0 This penalizes every address/domain in the fromblacklist.txt file with 200 points. You'll need to add the action for the test name to the bottom of your Global.cfg for outgoing messages, and add it to your $default$.junkmail as well. Lastly, make sure you have a carriage return at the end of the fromblacklist.txt to avoid the last line being ignored.. Darin. - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 6:37 PM Subject: Re: [Declude.Virus] Newbie question If you've got pro, you could add a filter: MAILFROM 10 CONTAINS [EMAIL PROTECTED] that will check the envelope mailfrom. To check for those addresses in the headers: HEADERS 10 CONTAINS [EMAIL PROTECTED] Another option is to update your virus software more often to minimize the opportunity window for the virus. - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, June 02, 2005 5:15 PM Subject: [Declude.Virus] Newbie question How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain.
I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks. --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Newbie question
One caveat. The MAILFROM uses the envelope mailfrom, which is different than the ones displayed in the headers. If the below doesn't stop it, add

HEADERS 0 CONTAINS [EMAIL PROTECTED]
HEADERS 0 CONTAINS [EMAIL PROTECTED]

- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, June 02, 2005 10:37 PM
Subject: Re: [Declude.Virus] Newbie question

I looked up the filter section at the manual. This is what I did. I made a file called filter.txt. This contains:

MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
etc.

I then added this line in global.cfg:

MYFILTER filter C:\Imail\Declude\filter.txt x200

In my $default$.junkmail file there was already this line:

WEIGHT20 HOLD

Do I need to do anything else to the junkmail file to reference MYFILTER or does the WEIGHT20 take care of everything? Thanks.

Kevin

Darin Cox wrote:

Nope... add a filter test and put those lines in it. The same thing I mentioned without pro applies here for adding test names to the global.cfg and $default$.junkmail. The manual at http://declude.com/junkmail/manual.htm describes adding filter files pretty well.

Darin.

- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, June 02, 2005 7:09 PM
Subject: Re: [Declude.Virus] Newbie question

I have pro. How do I add filters? Should I add that line MAILFROM 10 CONTAINS [EMAIL PROTECTED] in virus.cfg or global.cfg? Do I need to use another file? If I use the HEADERS option HEADERS 10 CONTAINS [EMAIL PROTECTED] - where would I put that? Sorry for the newbie questions.

Kevin

Scott Fisher wrote:

If you've got pro, you could add a filter:

MAILFROM 10 CONTAINS [EMAIL PROTECTED]

that will check the envelope mailfrom. To check for those addresses in the headers:

HEADERS 10 CONTAINS [EMAIL PROTECTED]

Another option is to update your virus software more often to minimize the opportunity window for the virus.

- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, June 02, 2005 5:15 PM
Subject: [Declude.Virus] Newbie question

How do I ban certain email addresses? Some viruses have gotten through lately (first that I know about since installing Declude) sent from forged email addresses using our own domain. We do not whitelist our domain. I'd like to ban some of these common addresses (e.g., [EMAIL PROTECTED], [EMAIL PROTECTED], etc.) Thanks.
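The envelope-versus-header caveat raised in this thread, as an added example that is not part of the original posts and is not Declude's code: the same blocklist is checked against the SMTP envelope sender and against the sender headers, with a weight of 10 per matching test as in the filter lines above. The addresses, the sample message and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed blocklist; example.com stands in for "our own domain".
BLOCKED = {"admin@example.com", "support@example.com"}

# Constructed message whose header From is forged to a local address.
MSG_FORGED_HEADER = (
    'From: "Support" <support@example.com>\n'
    "To: kevin@example.com\n"
    "Subject: hello\n"
    "\n"
    "see attachment\n"
)

# Constructed message with an unremarkable header From.
MSG_CLEAN_HEADER = (
    "From: Someone <someone@example.org>\n"
    "To: kevin@example.com\n"
    "Subject: hello\n"
    "\n"
    "hi\n"
)


def envelope_address(mail_from):
    """Normalise an SMTP MAIL FROM argument; the null sender '<>' becomes ''."""
    return mail_from.strip().strip("<>").strip().lower()


def header_addresses(raw_message, fields=("From", "Sender", "Reply-To")):
    """Collect every address found in the sender-related headers."""
    msg = message_from_string(raw_message)
    values = []
    for field in fields:
        values.extend(msg.get_all(field, []))
    return {addr.lower() for _name, addr in getaddresses(values) if addr}


def check(mail_from, raw_message, blocked=BLOCKED, weight=10):
    """Run an envelope test and a header test against the same blocklist."""
    envelope_hit = envelope_address(mail_from) in blocked
    header_hits = sorted(header_addresses(raw_message) & blocked)
    return {
        "envelope_hit": envelope_hit,
        "header_hits": header_hits,
        "weight": weight * (int(envelope_hit) + int(bool(header_hits))),
    }


if __name__ == "__main__":
    cases = [
        ("<support@example.com>", MSG_FORGED_HEADER),      # both forged
        ("<x9f2@dialup.example.net>", MSG_FORGED_HEADER),  # only header forged
        ("<>", MSG_FORGED_HEADER),                         # null envelope sender
        ("<ADMIN@Example.COM>", MSG_CLEAN_HEADER),         # only envelope forged
    ]
    for mail_from, raw in cases:
        print(mail_from, check(mail_from, raw))
```

The second and third cases are the ones an envelope-only test misses, which is why capturing a few of the real messages first, as suggested above, tells you which test you need.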
Re: [Declude.Virus] EXITSCANONVIRUS
I'll second the EXITSCANONVULNERABILITY option. There is an occasional need to requeue a message that false positived on a vulnerability, so I would myself prefer that all those messages would be checked for viruses. I'd run:

EXITSCANONVIRUS ON
EXITSCANONVULNERABILITY OFF

I think it would also be interesting if the virus-laden emails and vulnerabilities-laden emails got put into different folders. I don't know if this is an Imail or a Declude function.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Sunday, May 29, 2005 12:23 AM
Subject: Re: [Declude.Virus] EXITSCANONVIRUS

John,

I don't think that the behavior displayed in your logs was entirely purposeful. Declude tagged it with a vulnerability and then it ran your first virus scanner and found no virus, and then apparently it decided not to run the last two virus scanners. This of course is only interim functionality and I would imagine that they would be open to reports of unexpected behavior as well as tweaks for more optimal behavior.

I believe that the intended functionality for EXITSCANONVIRUS ON would be to ignore the vulnerabilities and only skip further virus scanning when a prior virus scanner reports an exit code that you have configured to mark it as a virus. This seems consistent with what you are saying it should be.

In an older thread regarding some bugs with F-Prot and other related things, Andrew also suggested separate functionality that would skip virus scanning when a vulnerability was found since that would be enough to block it on most systems. At that time I suggested that this was not necessarily a good idea, but I made a mistake. For my system, and many others running BANCRVIRUSES ON, it might be an even bigger CPU savings to skip all virus scanners when a vulnerability is detected. The only downside to this is that you will fill up your virus directory when using such a switch unless you are using another new directive, DELETEVULNERABILITIES ON. Naturally skipping virus scanning for vulnerabilities would be optional and not the default setting, and so would be deleting vulnerabilities. I would be in favor of seeing something like EXITSCANONVULNERABILITY added to Declude.

Note that there are many issues with the current set of vulnerability checks that Declude does, and it would help to address these at the same time. We do have a switch to turn most of this off, but I get the impression that they are aware of the issues and are considering or may have decided to approach vulnerabilities differently, or possibly retiring some where appropriate. Deleting messages that fail vulnerability checks but aren't tagged as viruses should only really be done if you can rely on the vulnerability checks to be accurate.

Matt

John Tolmachoff (Lists) wrote:

It appears to be stopping when it finds a vulnerability and does not get scanned for virus.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Saturday, May 28, 2005 5:58 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS

... that's reasonable, John. How does it work up to now? If a vulnerability and a virus are detected, which gets reported?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Saturday, May 28, 2005 5:17 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS

I agree with Darrell. If it contains a virus, I want it to be marked as a virus. If it does not contain a virus, then if it contains a vulnerability or banned extension then mark as such. An example is that some Sober viruses also contain vulnerability. Well, I want it labeled as a virus not vulnerability.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Saturday, May 28, 2005 10:10 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] EXITSCANONVIRUS

My thoughts are this - a virus is a virus and a vulnerability is a vulnerability. My expectation is that if a virus is detected then the other scanners will not be called. However, if a vulnerability is detected the scanners will execute until such time a "virus" is found. Maybe two switches - EXITSCANONVULNERABILITY... However, on the grander scale of things if nothing changed on this I would still use EXITSCANONVIRUS as long as it observes the various delivery options on vulnerabilities.

Darrell
---
invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com

- Original Message - From: "Colbeck,
Re: [Declude.Virus] Invalid ZIP Vulnerability
I've seen it here rarely also. Not positive here but here is a theory: The zip file may have been created on a Mac and contain some Mac specific size 0 files?

- Original Message -
From: Paul Navarre [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, May 27, 2005 12:54 AM
Subject: [Declude.Virus] Invalid ZIP Vulnerability

What exactly triggers the Invalid ZIP Vulnerability? I am a small ISP, and one of my clients keeps getting expected zips from a graphics company caught by this.

Thanks,
Paul
Re: [Declude.Virus] F-Prot Alternative
McAfee command line. If you can find a license it should run about $25 a year.

- Original Message -
From: Chuck Schick [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 4:02 PM
Subject: [Declude.Virus] F-Prot Alternative

We have been running F-prot as the virus scanner with Declude for over a year but lately it seems to have more and more bugs in it. What do others recommend as low-cost scanners to work with Declude?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.Virus] McAfee throwing errors
I haven't seen anything obvious in a quick glance through today's logs. Do you have an example? Usually, I just force another download of the dats.

- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, April 25, 2005 3:42 PM
Subject: [Declude.Virus] McAfee throwing errors

I've noted that McAfee will throw errors from time to time when called with Declude, and when it does, they tend to come in droves, otherwise I can go weeks with it being absolutely quiet. I have a feeling that this might be related to the daily dats. Today I have seen over a dozen such errors. Is anyone else seeing this?

Thanks,
Matt
--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.Virus] Skipifforging not working on Mytob
I also had to add the SKIPIFVIRUSNAMEHAS Mytob to my eml files.

- Original Message -
From: John Carter [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, April 15, 2005 2:53 PM
Subject: RE: [Declude.Virus] Skipifforging not working on Mytob

Shayne: I haven't heard anything from anyone else. To the existing SKIPIFFORGING, I have added the following to sender, recip, and postmaster eml's. I know it is just covering up the underlying problem, but a cure is a cure. Will let you know if it helps.

SKIPIFVIRUSNAMEHAS Mytob

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shayne Embry
Sent: Friday, April 15, 2005 11:53 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Skipifforging not working on Mytob

I have also been experiencing this, for over a week. I'm only using F-Prot, but have added the appropriate lines to eml and virus.cfg files as John has. The only other difference is that I'm using SmarterMail.

Shayne

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Friday, April 15, 2005 10:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Skipifforging not working on Mytob

Shortly after adding ClamAV to the Imail Server a few days ago, my system started sending virus notices on Mytob (and so far, only Mytob) even though I have SKIPIFFORGING in the sender.eml, recip.eml and postmaster.eml, plus I have Mytob in the list of forging viruses in the virus.cfg. In the virus log lines below, scanner 1 is F-Prot and scanner 2 is ClamAV. The timing to the addition to ClamAV may be only a coincidence. Any ideas about what's happening?

Thanks,
John

Notice lines:
==
Declude Virus 2.0.5 caught a incoming virus
Subject: hello
From: [Forged]
To: [EMAIL PROTECTED]
Msg ID: [EMAIL PROTECTED]
Queue#: D74590703010e25a9.SMD
Remote IP: 63.197.109.187
Virus Name/File: W32/[EMAIL PROTECTED] data.zip

postmaster.eml
==
SKIPIFFORGING
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: E-mail virus notice

Declude Virus %VERSION% caught a %INOROUT% virus
Subject: %SUBJECT%
From: %MAILFROM%
To: %ALLRECIPS%
Msg ID: %MSGID%
Queue#: %QUEUENAME%
Remote IP: %REMOTEIP%
Virus Name/File: %VIRUSNAME% %VIRUSFILE%
Headers: %HEADERS%

Virus log lines:
04/15/2005 02:59:36 Q74590703010e25a9 Banning .ZIP file with exe extension.
04/15/2005 02:59:36 Q74590703010e25a9 Scanner 1: Virus=W32/[EMAIL PROTECTED] Attachment=data.zip [36] I
04/15/2005 02:59:37 Q74590703010e25a9 Scanner 2: Virus= Worm.Mytob.T-2 Attachment=data.zip [36] I
04/15/2005 02:59:37 Q74590703010e25a9 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 1]
04/15/2005 02:59:37 Q74590703010e25a9 Deleting file with virus
04/15/2005 02:59:37 Q74590703010e25a9 Deleting E-mail with virus!
04/15/2005 02:59:37 Q74590703010e25a9 Scanned: CONTAINS A VIRUS [MIME: 2 58859]
04/15/2005 02:59:37 Q74590703010e25a9 From: [Forged] To: [EMAIL PROTECTED] [incoming from 63.197.109.187]
04/15/2005 02:59:37 Q74590703010e25a9 Subject: hello
Re: [Declude.Virus] Possible new virus?
I had some today that fit this description. McAfee found them as: the W32/[EMAIL PROTECTED]

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, April 14, 2005 4:19 PM
Subject: [Declude.Virus] Possible new virus?

I have seen in the last hour 4 e-mails blocked for [RAR-EXE] and each one had a blank subject line. Each one also had the recipient's user part of the e-mail address as the sender's user part of the e-mail address.

John T
eServices For You
Re: [Declude.Virus] Spam .com files being blocked.
Unfortunately Declude doesn't list the IP: (Maybe this could be corrected?)

03/15/2005 19:09:58 Q876023ed02a22c68 Banning file with com extension [image/gif].
03/15/2005 19:10:00 Q876023ed02a22c68 Found a bogus .com file
03/15/2005 19:10:00 Q876023ed02a22c68 Scanned: Banned file extension. [MIME: 3 10049]
03/15/2005 19:10:00 Q876023ed02a22c68 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]

- Original Message -
From: Chris Fitch
To: Declude.Virus@declude.com
Sent: Wednesday, March 16, 2005 10:23 AM
Subject: RE: [Declude.Virus] Spam .com files being blocked.

Are they all coming from the same domain or mail server? If the mail server I would block the IP at the router or firewall. Another option would be to deny SMTP from the domain

Chris Fitch
Sr Network Administrator
Industrial Chemicals Inc.
[EMAIL PROTECTED]
205-823-7330 Ext. 1039

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 16, 2005 10:19 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Spam .com files being blocked.

And a quick follow-up about this. It appears that it is a spammer that is causing the hit. Here's a sample of a MIME boundary that Declude is detecting as an invalid COM file:

--=_NextPart_000_00QP_00N2764VQ_00Y.154D01N0
Content-Type: image/gif; name="[EMAIL PROTECTED]"
Content-Transfer-Encoding: base64
Content-ID: [EMAIL PROTECTED]

Still though, this should get quietly blocked without a bounce because Declude detected the file as being a bogus COM file, just like it does/did with bogus ZIP, JPG and other files, and not use the banned extension bouncing when such a condition is detected.

Matt

Darin Cox wrote:

Yep. I just added SKIPIFEXT COM to my bannotify.eml yesterday.

Darin.

- Original Message -
From: Scott Fisher
To: Declude.Virus@declude.com
Sent: Tuesday, March 15, 2005 3:31 PM
Subject: [Declude.Virus] Spam .com files being blocked.

I block .com files. The last 3 days, I've been getting consistent blocking of spam messages referring to a gif file named .com:

Content-Type: image/gif; name="wdjgamexmail.com"

These are getting blocked, but the users are getting a little tired of the bannotify.eml messages that this triggers. So I'm reluctantly forced to add SKIPIFEXT COM to my bannotify.eml file. Has anyone else been seeing this?

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.Virus] Spam .com files being blocked.
1.82 is what I am running. I get an IP address with vulnerabilities and with viruses but not with Banned file extensions.

- Original Message -
From: Andy Schmidt
To: Declude.Virus@declude.com
Sent: Wednesday, March 16, 2005 11:38 AM
Subject: RE: [Declude.Virus] Spam .com files being blocked.

Hm, What version of Declude Virus are you using? Mine reads:

03/16/2005 11:49:53 Q63864DC00020B8C3 Deleting file with virus
03/16/2005 11:49:53 Q63864DC00020B8C3 Deleting E-mail with virus!
03/16/2005 11:49:53 Q63864DC00020B8C3 Scanned: CONTAINS A VIRUS [MIME: 2 17610]
03/16/2005 11:49:53 Q63864DC00020B8C3 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 217.247.3.127]
03/16/2005 11:49:53 Q63864DC00020B8C3 Subject: Re: Hi

and I'm pretty certain that I've been able to get Virus statistics (using DLAnalyzer) with the originating IP long BEFORE Declude 2.0?

IP Summary Virus Report
Total Incoming Messages from External Networks: 2,792
Virus Infected Messages: 593
Percentage Infected: 21.24%

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 16, 2005 12:02 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Spam .com files being blocked.

Unfortunately Declude doesn't list the IP: (Maybe this could be corrected?)

03/15/2005 19:09:58 Q876023ed02a22c68 Banning file with com extension [image/gif].
03/15/2005 19:10:00 Q876023ed02a22c68 Found a bogus .com file
03/15/2005 19:10:00 Q876023ed02a22c68 Scanned: Banned file extension. [MIME: 3 10049]
03/15/2005 19:10:00 Q876023ed02a22c68 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
Re: [Declude.Virus] New virus new__price.zip
F-Prot was catching some price...zips
McAfee caught one at 6:30
But then this appears:

03/01/2005 09:09:30 Q8599093a02820e36 MIME file: price.zip [base64; Length=15789 Checksum=2053241]
03/01/2005 09:09:30 Q8599093a02820e36 Banning .ZIP file with exe extension.
03/01/2005 09:09:33 Q8599093a02820e36 Could not find parse string Infection: in report.txt

With no one catching it. Maybe a couple of mutations of the virus out there.

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, March 01, 2005 9:25 AM
Subject: [Declude.Virus] New virus new__price.zip

Seems there is something going on, please check your virus logs. ...

Markus
Re: [Declude.Virus] ClamAV?
Try adding this to your command line:

--max-ratio 0

The support compression ratio feature (--max-ratio). Overly compressed files may get falsely detected. I believe the 0 turns it off. It worked for me.

- Original Message -
From: Hirthe, Alexander [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, February 17, 2005 11:34 AM
Subject: [Declude.Virus] ClamAV?

Hello,

I'm getting errors with Zip Files larger than about 10 MB. In the virus.log:

02/17/2005 17:12:03 Qbede796f012201de MIME file: 123.zipxxx [base64; Length=13024694 Checksum=1676135806]
02/17/2005 17:12:07 Qbede796f012201de Scanner 3: Virus= Attachment= [6] O
02/17/2005 17:12:07 Qbede796f012201de File(s) are INFECTED [: 1]
02/17/2005 17:12:07 Qbede796f012201de Scanned: CONTAINS A VIRUS [MIME: 2 13024860]

The file is without any virus. Sure :)

from virus.cfg:

SCANFILE3 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary -l report.txt
VIRUSCODE3 1
REPORT3 FOUND

Has anyone else such errors? The user told me, this could/would happen with all zipped files larger than 6 MB.

Alex
[Declude.Virus] Prescan idea
I'd like to submit this for a Declude Virus feature change: I like having Prescan OFF to provide the maximum amount of protection that I can. I also run 3 virus scanners. I'm wondering if it would be possible to migrate the Prescan parameter into the virus engines definitions to turn it on or off for individual engines. I might do this:

SCANFILE1 ...
PRESCAN1 ON
SCANFILE2 ...
PRESCAN2 OFF
SCANFILE3 ...
PRESCAN3 ON

In my case:
Scanner 1. Fprot. No benefit to running with Prescan OFF that I have noticed.
Scanner 2. Clam. Scanner detects some malware and most Phish with Prescan OFF. Good benefits.
Scanner 3. McAfee. Scanner detects some malware and a few Phish. No real benefit over Clam.

I'd see a performance benefit for only having the Prescan OFF option apply to my Scanner 2 and running Scanner 1 and 3 with a Prescan ON setting.
Re: Re[3]: [Declude.Virus] RAR Support - why not?
If you wish the banned file extensions to apply to files with .ZIP files, you can add a line BANZIPEXTS ON to your \{MAILSERVER}\Declude\virus.cfg file. For example, if you have a line BANEXT EXE and BANZIPEXTS ON, then .EXE files within .ZIP files will be blocked. You can also use BANEZIPEXTS ON to do the same thing, but only applying to encrypted .ZIP files.

- Original Message -
From: William Stillwell [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, January 31, 2005 2:03 PM
Subject: Re: Re[3]: [Declude.Virus] RAR Support - why not?

Declude never has to my knowledge ban based on the contents of a compressed file. Only if there were a virus inside of said compressed file. Furthermore, Declude doesn't decompress files, McAfee does the uncompressing and scanning of the files, so, if you want rar scanning, contact your virus vendor, as which, this is why McAfee doesn't support it. v1.82 was just a bugfix to v1.81, no new features, as there was a y2k5 bug in v1.81.

- Original Message -
From: David Sullivan [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, January 31, 2005 2:52 PM
Subject: Re[3]: [Declude.Virus] RAR Support - why not?

Hello David,

Monday, January 31, 2005, 1:17:08 PM, you wrote:

DS Hello R.,
DS Thursday, January 27, 2005, 6:21:06 PM, you wrote:
RSP How about 1.82? :)
DS Is 1.82 out? If so, do we need BANERAR like BANEZIPS?

Ok, I checked the Junkmail list and it looks like Declude is at 1.82 based on the messages but I didn't see an official notice. 1.82 is not an option to download when I logon to Declude's site. Also, original question still holds. Do we need to make a change to the virus.cfg to employ blocking of executable extensions in encrypted .rar files?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re: Re[5]: [Declude.Virus] RAR Support - why not?
The BANZIPEXTS ON is for non-encrypted zips.
The BANEZIPEXTS ON is for encrypted zips.

- Original Message -
From: David Sullivan [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, January 31, 2005 2:30 PM
Subject: Re[5]: [Declude.Virus] RAR Support - why not?

Hello Scott,

Monday, January 31, 2005, 3:18:16 PM, you wrote:

SF file. For example, if you have a line BANEXT EXE and BANZIPEXTS ON, then
SF .EXE files within .ZIP files will be blocked. You can also use BANEZIPEXTS
SF ON to do the same thing, but only applying to encrypted .ZIP files.

I block about 30 extensions at my inbound with IMGate but also use:

BANEZIPEXTS ON

Then I repeat my list of banned extensions using:

BANEXT BAS
BANEXT BAT
etc, etc.

By my understanding, this will ban these extensions by themselves, ban these extensions when found within encrypted .zip files, NOT ban these extensions from within normal .zip files and with 1.82 ban these extensions in encrypted .rar files.

--
Best regards,
David mailto:[EMAIL PROTECTED]
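A model of the ZIP extension banning discussed in this thread, as an added example that is not part of the original posts and is not Declude's code. It assumes the reading given above: `banzipexts` applies the BANEXT list to members of any ZIP, `banezipexts` only to members flagged as encrypted, and a BANEXT entry of EZIP bans encrypted ZIPs outright; the function names and sample archives are constructed.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # general-purpose flag bit 0: member data is encrypted


def make_zip(names, encrypted=False):
    """Build a small constructed ZIP in memory. With encrypted=True the
    encryption flag is set in every header; the payload is not really
    encrypted, which is enough for a check that reads only names and flags."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=(2005, 1, 31, 12, 0, 0))
            zf.writestr(info, b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        # The flag field sits 6 bytes into a local header, 8 into a central one.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + off)
                struct.pack_into("<H", data, pos + off, flags | ENCRYPTED)
                pos = data.find(sig, pos + 4)
    return bytes(data)


def list_members(zip_bytes):
    """Return [(name, EXT, encrypted)] using the central directory only.
    With ordinary ZIP encryption the member names stay readable, so no
    password is needed to see what extensions are inside."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].upper() if "." in base else ""
            members.append((info.filename, ext, bool(info.flag_bits & ENCRYPTED)))
        return members


def verdict(zip_bytes, banext, banzipexts=False, banezipexts=False):
    """Apply the modelled policy and return (decision, offending member names)."""
    banned = {e.upper() for e in banext}
    try:
        members = list_members(zip_bytes)
    except zipfile.BadZipFile:
        return ("unreadable", [])
    if "EZIP" in banned and any(enc for _n, _e, enc in members):
        return ("banned: encrypted zip", [])
    hits = [name for name, ext, enc in members
            if ext in banned and (banzipexts or (banezipexts and enc))]
    return ("banned: extension inside zip", hits) if hits else ("pass", [])


if __name__ == "__main__":
    plain = make_zip(["readme.txt", "setup.EXE"])
    locked = make_zip(["docs/invoice.pdf.exe"], encrypted=True)
    print(verdict(plain, ["EXE"], banezipexts=True))   # plain zip is not inspected
    print(verdict(plain, ["EXE"], banzipexts=True))
    print(verdict(locked, ["EXE"], banezipexts=True))
    print(verdict(locked, ["EXE", "EZIP"]))
```

The first call reproduces the configuration David describes (BANEZIPEXTS ON without BANZIPEXTS): an executable inside a normal ZIP passes this check and is left to the virus scanners.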
Re: [Declude.Virus] virus.cfg
These seem to be the changes I have made. Looking at my config:

Change the BANEXT to ban what extensions you want to ban.

Decide what to do with Zip files:
BANEXT EZIP to ban encrypted zip files if you can get away with it
BANZIPEXTS ON to apply Banned Extensions to contents of Zip files too
BANEZIPEXTS ON to apply Banned Extensions to contents of encrypted Zip files too

- Original Message -
From: Schmeits, Roger
To: [EMAIL PROTECTED]
Sent: Monday, December 20, 2004 9:34 AM
Subject: [Declude.Virus] virus.cfg

Greetings:

We are new customers with Declude and with any luck mail for faculty and staff should be routing thru Declude in the next few hours. Would people like to share their virus.cfg files. How extensive are admins changing the configs on the virus.cfg. I am trying to figure out how much I need to tweak the settings for our environment.

Thanks.

Roger Schmeits
Sr. Network Engineer
Clarkson College
http://www.clarksoncollege.edu
(402) 552-2542
Re: [Declude.Virus] Advice on Antivirus for System Protection
A plus to Symantec for me is that since I can't use Symantec for my Declude e-mail protection, and I do use it on workstations and servers, any e-mail virus needs to make it through an additional and different A/V program on the desktop. The higher the hurdle, the less that can make the leap.

- Original Message -
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 12:25 PM
Subject: Re: [Declude.Virus] Advice on Antivirus for System Protection

I find Symantec Corporate Edition to be my server AV scanner of choice because it is easily configurable (primarily for exclusions), and has a nice feature that shows you exactly what is being scanned in real-time. It hardly costs anything, and they now also offer multi-year licenses. Make sure that you purchase over the Internet to save substantially.

http://shopper-search.cnet.com/search?part=q=Symantec+Corporate+Edition+Server+9.0

Matt

Bill Green dfn Systems wrote:

We've been using Declude/F-Prot to protect our email users, and Symantec Corp. Ed. to protect the server itself. Our Symantec is up for renewal and I was wondering what others are using that might be less expensive.

Bill Green
dfn Systems

--- [This E-mail scanned for viruses by Declude Virus] ---

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Re: [Declude.Virus] ClamAV scan time
I have noticed this problem with large files, usually TIFFs. No solutions though...

-- Original Message --
From: John Carter [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 15 Nov 2004 16:44:35 -0600

Has anyone using ClamAV had problems with it taking longer than 60 seconds to run? After installing it last week and working out a few problems, it has done well. Today I noticed a number of *.vir folders left on the drive. The VIR*.log showed that ClamAV was not completing in 60 seconds. This has happened about three different times when we were hit with a lot of mail at once.

John
Re: [Declude.Virus] ClamWin
I use this version of clamav:
http://www.sosdg.org/clamav-win32/index.php

with this wrapper to get virus names:
http://www.smartbusiness.com/imail/declude/

My global.cfg lines:

SCANFILE2 d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

If you have Declude Pro and you can afford to turn off Prescan, CLAMav will catch phish for you.

- Original Message -
From: John Carter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 8:15 AM
Subject: [Declude.Virus] ClamWin

Has anyone else installed the GUI version of ClamAV? I got a successful install using the default settings (C:\Program Files\ClamWin\). Now I am getting an error code 50 in the Declude log. Plus the Declude manual says nothing about a REPORT line in the virus cfg for ClamAV, but a reply in the list archives says to use REPORT FOUND. Tried it both ways without success. What do I use?

Thanks,
John
Re: [Declude.Virus] New virus with unusual deployment
Since these are HTML segments, my guess is this is another case where Declude Virus Pro's Prescan would need to be turned off for these to be scanned. I am catching these segments with Prescan off with Clam and McAfee.

- Original Message -
From: Greg Little
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 10:05 AM
Subject: Re: [Declude.Virus] New virus with unusual deployment

McAfee is catching the "virus generated" e-mails as W32/Mydoom.gen!eml
http://vil.nai.com/vil/content/v_129633.htm

Virus Characteristics: This is a generic detection covering email messages sent by W32/[EMAIL PROTECTED] and W32/[EMAIL PROTECTED]. These messages do not contain an attachment.

But without any real violations (virus or vulnerability) in the e-mail it will be hard for the AV companies to tell good from bad. It will be even harder to write good generic detections that catch future versions of this virus, because the virus writer can change almost everything about the e-mail and the only thing that really counts is "does the link work".

I do not expect Declude's checking to catch this one.

I've been wondering what took the virus writers so long to use this model of distribution: host the virus on each infected PC. It is much harder to stop at the mail server than an attachment. (And there is no central server to be shut down.) Given enough variation in the virus generated e-mail, I'm not sure the AV companies will be able to catch future versions of this virus at the mail server.

So far the volume is low (I have yet to get one here).
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.AHVSect=SPeriod=1d
But this one or another member of its family is going to get very widespread.

Greg Little

PS Anybody know how the other AV companies are doing on catching the virus generated e-mails?

Rick Davidson wrote:

Don't the newer versions of Declude Virus catch the IFRAME vulnerability?

The problem with the current virus strains is that they do not contain any vulnerability at all.

The IFRAME vulnerability exists on the site contained in the body link.

--- [This E-mail scanned for viruses by Findlay Internet] ---
[Declude.Virus] Invalid EXE vulnerability question
I've been getting some infrequent Declude bans of EXE files with little or no size that the sender's system must have stripped out the virus portion.

Looking through my reports, I note I have never seen an Invalid EXE vulnerability. I see Invalid BAT, COM, CPL, PIF and SCR. Is there such a thing as the Invalid EXE vulnerability?

It would be nice to have an Invalid EXE vulnerability to block instances like this where the size is pretty much nothing.

--acgiijovecmiubsqcdir
Content-Type: application/octet-stream; name="price.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="price.exe"

--acgiijovecmiubsqcdir--
Re: [Declude.Virus] Invalid EXE vulnerability question
That's good news. Thanks!

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 08, 2004 11:50 AM
Subject: Re: [Declude.Virus] Invalid EXE vulnerability question

I've been getting some infrequent Declude bans of EXE files with little or no size that the sender's system must have stripped out the virus portion.

Looking through my reports, I note I have never seen an Invalid EXE vulnerability. I see Invalid BAT, COM, CPL, PIF and SCR. Is there such a thing as the Invalid EXE vulnerability?

It would be nice to have an Invalid EXE vulnerability to block instances like this where the size is pretty much nothing.

There wasn't such a test (with the thought being that a virus wouldn't try to use an .exe extension while really being another file type). But this can handle both the problem with 0-byte .exe files, and also can help protect against script viruses appearing in .exe files (I'm not sure why they would do that, but they might). So this is something that will likely be in the next release.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com.
Re: [Declude.Virus] BitDefender
I use ClamAV. Overall it is very effective. More effective than FProt and AVG. About the same as Mcafee.

If you are willing to turn Prescan OFF, it is good at catching Phish too.

It did have some bad defs last month that caused about 15 emails to be mis-flagged.

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 10:55 AM
Subject: [Declude.Virus] BitDefender

Has any tried using BitDefender with Declude Virus, or ClamAV for that matter? Does it work?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.Virus] BitDefender
And the link to that helper/wrapper is here:
http://www.smartbusiness.com/imail/declude/

- Original Message -
From: Brad Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 11:14 AM
Subject: RE: [Declude.Virus] BitDefender

I'm using both at the moment. ClamAV needs a helper program for Declude to capture the virus name.

Regards,
Brad

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff (Lists)
Sent: Wednesday, November 03, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] BitDefender

Has any tried using BitDefender with Declude Virus, or ClamAV for that matter? Does it work?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.Virus] Viruses getting through...
Looking at today and yesterday's logs, F-Prot has been catching these here. It was just two viruses shy of Clam/AV in yesterday's results.

Virus updates current?

- Original Message -
From: Chuck Schick [EMAIL PROTECTED]
To: Declude. Virus [EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 10:06 AM
Subject: [Declude.Virus] Viruses getting through...

We are running Declude Pro with Fprot and we see a lot of viruses getting through with the attachment of Joke.com, Joke.exe, Price.com - Anyone else seeing the same thing? It appears to be the beagle variant. Any suggestions on how to fix.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.Virus] Declude for Exchange?
It's Friday afternoon and I've cleared out my 1000 messages from the Imail Forum, so I can't resist...

Isn't Declude for Exchange part of the soon-to-be-announced Declude Collaboration Suite (DCS)? ;) or is it :( ?

- Original Message -
From: Jim Matuska
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 3:30 PM
Subject: [Declude.Virus] Declude for Exchange?

I seem to recall someone on this list mentioning something about an upcoming Declude version for Exchange? Any truth to this rumor?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
Re: [Declude.Virus] MyDoom.o's slipping through.
Also make sure your F-prot is current and your command line switches have been updated to work with the more current version. About 2 or so months ago a command line switch was changed regarding scanning zip files.

You could add a BANNAME RAPIDSYS.COM.ZIP line in the virus.cfg. Odds are you won't get a valid zip file named that way.

- Original Message -
From: Chris Patterson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 21, 2004 12:01 PM
Subject: RE: [Declude.Virus] MyDoom.o's slipping through.

Log Files:

10/19/2004 12:58:45 Q47c21ade0114a44b MIME file: [EMAIL PROTECTED] [base64; Length=29144 Checksum=3153474]
10/19/2004 12:58:46 Q47c21ade0114a44b Scanned: Virus Free [MIME: 2 31672]

Thanks,
Chris Patterson, CCNA
Network Engineer

-Original Message-
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 21, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MyDoom.o's slipping through.

Chris,

It's always helpful to share the actual lines of your log when asking a question such as this. That will clear up any possible misperceptions and allow one to focus on what happened.

Matt

Chris Patterson wrote:

I have had two reports in the last 2 days about a virus coming through. The customer forwarded these to me on an Exchange mailbox using McAfee which identified them as MyDoom.o. Tracing the logs, they were scanned and deemed Virus Free using Prescan. Anyone have this issue?

Declude 1.81, F-Prot

Thanks,
Chris Patterson, CCNA
Network Engineer

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Re: [Declude.Virus] Recommended Scanner
The 4 indicates that it is scanner #4 on my system. I think you need Declude Virus Pro to run multiple scanners on a system.

- Original Message -
From: Chris Ulrich [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 08, 2004 10:42 AM
Subject: Re: [Declude.Virus] Recommended Scanner

I tried installing it as you indicate but I'm getting in VIR.LOG:

10/08/2004 11:44:32 Qb5de05b600627f6a Your virus scanner DOES NOT EXIST (at e:\IMAIL\spool\DB5DE0~1.VIR\); NOT SCANNING ATTACHMENTS! [2]
10/08/2004 11:44:32 Qb5de05b600627f6a Scanned: Error starting scanner

In your config you have:

SCANFILE4 d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE4 1
REPORT4 FOUND

For FProt, I have similar, but they are SCANFILE, VIRUSCODE and REPORT, without the 4 on the end. What does the 4 signify? Would this cause a problem?

Thanks

At 05:43 PM 10/7/2004, you wrote:

Here's what I need to do to get clamav running:

I used clam-av from here: http://www.sosdg.org/clamav-win32/index.php. Default install.

I used the clamscan wrapper from here: http://www.smartbusiness.com/imail/declude/. Extracted files copied into declude folder. (This allows you to log the virus names)

I added these to virus.cfg:

SCANFILE4 d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE4 1
REPORT4 FOUND

I excluded the c:\cygwin\tmp folder from any server anti-virus that is running.

I scheduled c:\clamav-devel\bin\freshclam with the task scheduler.

- Original Message -
From: marc catuogno [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 07, 2004 4:16 PM
Subject: RE: [Declude.Virus] Recommended Scanner

I couldn't get Clamav to run on mine. May I ask what version of ClamAV you are using? When I installed it I couldn't figure out if it was in and Declude kept throwing me an error. What is your Declude config line?

Thanks - Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, October 07, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Recommended Scanner

My personal scores from best to worst:

Clamav (been only a week, but it hasn't missed one) and free (Also catches some phish with prescan off)

Mcafee Virusscan (beats F-prot on encrypted zips) pretty reasonably priced if you can secure DOS command line only license. (Also catches some phish with prescan off)

F-Prot (catches more corrupted variants than Virusscan) Most expensive at $50 a year

AVG (lags behind the others especially with encrypted zips). $75 for two years.

I'll note that scanning speed isn't a consideration of mine. Others can comment on that.

- Original Message -
From: Brian Guenther [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 07, 2004 12:24 PM
Subject: [Declude.Virus] Recommended Scanner

From the list of virus scanners given in the Declude Virus Manual is there one more preferred than the others and why?
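The log entries quoted in this thread show the scanner failing open: the message is still processed, with "NOT SCANNING ATTACHMENTS!" as the only trace. A way to pull those messages out of a virus log, as an added example that is not part of Declude or of any poster's setup; the sample lines are copied from the messages on this page, and the line layout (timestamp, queue ID, text) and function names are assumptions drawn from those lines.

```python
import re

# Log lines exactly as quoted in the list messages on this page.
SAMPLE_LOG = r"""
10/08/2004 11:44:32 Qb5de05b600627f6a Your virus scanner DOES NOT EXIST (at e:\IMAIL\spool\DB5DE0~1.VIR\); NOT SCANNING ATTACHMENTS! [2]
10/08/2004 11:44:32 Qb5de05b600627f6a Scanned: Error starting scanner
10/08/2004 11:46:43 Qb66205aa013e801a Error 21 starting scanner [d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt e:\IMAIL\spool\DB6620~1.VIR\]; NOT SCANNING ATTACHMENTS!
10/08/2004 11:46:43 Qb66205aa013e801a Your virus scanner DOES NOT EXIST (at e:\IMAIL\spool\DB6620~1.VIR\); NOT SCANNING ATTACHMENTS! [2]
10/08/2004 11:46:43 Qb66205aa013e801a Scanned: Error starting scanner
10/19/2004 12:58:45 Q47c21ade0114a44b MIME file: [EMAIL PROTECTED] [base64; Length=29144 Checksum=3153474]
10/19/2004 12:58:46 Q47c21ade0114a44b Scanned: Virus Free [MIME: 2 31672]
"""

# Assumed layout: "MM/DD/YYYY HH:MM:SS Q<hex queue id> <text>".
LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-f]+) (.*)$")
# Phrases from the quoted entries that mean no scan took place.
FAIL_MARKERS = ("NOT SCANNING ATTACHMENTS", "Error starting scanner")
# "Error 21 starting scanner [<executable> ...]" carries the failing command.
ERR_CMD = re.compile(r"Error (\d+) starting scanner \[(\S+)")


def audit(log_text):
    """Group log entries by queue ID and record what happened to each message."""
    messages = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, qid, text = m.groups()
        rec = messages.setdefault(qid, {
            "first_seen": when, "verdict": None,
            "unscanned": False, "error": None, "scanner": None,
        })
        if text.startswith("Scanned: "):
            rec["verdict"] = text[len("Scanned: "):]
        if any(marker in text for marker in FAIL_MARKERS):
            rec["unscanned"] = True
        err = ERR_CMD.search(text)
        if err:
            rec["error"] = int(err.group(1))
            rec["scanner"] = err.group(2)
    return messages


def unscanned(log_text):
    """Queue IDs of messages that went through without a virus scan."""
    return [qid for qid, rec in audit(log_text).items() if rec["unscanned"]]


if __name__ == "__main__":
    for qid in unscanned(SAMPLE_LOG):
        rec = audit(SAMPLE_LOG)[qid]
        print(qid, rec["first_seen"], "error:", rec["error"], "scanner:", rec["scanner"])
```

Any queue ID this returns is mail that reached the spool without a scan and is a candidate for reprocessing once the SCANFILE path is corrected.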
Re: [Declude.Virus] Recommended Scanner PART 2
Do you need to change my d:\mail to e:\imail?

- Original Message -
From: Chris Ulrich [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 08, 2004 10:44 AM
Subject: Re: [Declude.Virus] Recommended Scanner PART 2

When I changed it to SCANFILE, VIRUSCODE and REPORT, the error changed to:

10/08/2004 11:46:43 Qb66205aa013e801a Error 21 starting scanner [d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt e:\IMAIL\spool\DB6620~1.VIR\]; NOT SCANNING ATTACHMENTS!
10/08/2004 11:46:43 Qb66205aa013e801a Your virus scanner DOES NOT EXIST (at e:\IMAIL\spool\DB6620~1.VIR\); NOT SCANNING ATTACHMENTS! [2]
10/08/2004 11:46:43 Qb66205aa013e801a Scanned: Error starting scanner

Thanks
Chris

=

I tried installing it as you indicate but I'm getting in VIR.LOG:

10/08/2004 11:44:32 Qb5de05b600627f6a Your virus scanner DOES NOT EXIST (at e:\IMAIL\spool\DB5DE0~1.VIR\); NOT SCANNING ATTACHMENTS! [2]
10/08/2004 11:44:32 Qb5de05b600627f6a Scanned: Error starting scanner

In your config you have:

SCANFILE4 d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE4 1
REPORT4 FOUND

For FProt, I have similar, but they are SCANFILE, VIRUSCODE and REPORT, without the 4 on the end. What does the 4 signify? Would this cause a problem?

Thanks

At 05:43 PM 10/7/2004, you wrote:

Here's what I need to do to get clamav running:

I used clam-av from here: http://www.sosdg.org/clamav-win32/index.php. Default install.

I used the clamscan wrapper from here: http://www.smartbusiness.com/imail/declude/. Extracted files copied into declude folder. (This allows you to log the virus names)

I added these to virus.cfg:

SCANFILE4 d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE4 1
REPORT4 FOUND

I excluded the c:\cygwin\tmp folder from any server anti-virus that is running.

I scheduled c:\clamav-devel\bin\freshclam with the task scheduler.

- Original Message -
From: marc catuogno [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 07, 2004 4:16 PM
Subject: RE: [Declude.Virus] Recommended Scanner

I couldn't get Clamav to run on mine. May I ask what version of ClamAV you are using? When I installed it I couldn't figure out if it was in and Declude kept throwing me an error. What is your Declude config line?

Thanks - Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, October 07, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Recommended Scanner

My personal scores from best to worst:

Clamav (been only a week, but it hasn't missed one) and free (Also catches some phish with prescan off)

Mcafee Virusscan (beats F-prot on encrypted zips) pretty reasonably priced if you can secure DOS command line only license. (Also catches some phish with prescan off)

F-Prot (catches more corrupted variants than Virusscan) Most expensive at $50 a year

AVG (lags behind the others especially with encrypted zips). $75 for two years.

I'll note that scanning speed isn't a consideration of mine. Others can comment on that.

- Original Message -
From: Brian Guenther [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 07, 2004 12:24 PM
Subject: [Declude.Virus] Recommended Scanner

From the list of virus scanners given in the Declude Virus Manual is there one more preferred than the others and why?

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives