Re: [Declude.Virus] ClamAV 0.90.1-2 problems
Do you know what is the impact of removing that --mbox parameter?

Is anyone using this new version yet (0.90.1-3)? Do you know if it fixes the left over .vir directory bug?

Stephan

-----Original Message-----
From: "Gary Steiner" [EMAIL PROTECTED]
Sent 3/14/2007 3:53:24 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems

A new version (0.90.1-3) was posted on the SOSDG web site. Bri Bruns told me that the --mbox parameter no longer works, so you should remove it from the line in your virus.cfg file before installing 0.90.1-3.

Gary

-----Original Message-----
From: "Gary Steiner" [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 3:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems

The following was just posted to clamav-announce:

-----Original Message-----
From: "Bri Bruns" [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 2:43 PM
To: [EMAIL PROTECTED]
Subject: [clamav-announce] Problems with ClamAV/SOSDG For Windows 0.90.1-1 and -2

Okay, been getting reports of people having problems with the 0.90.1 builds of ClamAV/SOSDG For Windows I've been releasing lately.

Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not quite sure how such an old version got into the build, but it is unreliable, and you probably are getting errors if you are using it.

0.90.1-2 is also having problems for some people, which I'm looking into now. I'm not sure of the cause, but there appears to have been a lot of underlying changes in ClamAV over the past few months.

For now, if you are having problems with -2, I suggest going back to 0.90-1, which you can grab from here:

http://downloads.sosdg.org/clamav/clamav-0.90-1.exe

And is known to work well for most people.

Please keep any bug reports for -2 coming in, as it's helping me narrow down the cause of the issues.

--
Brie Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org

___
ClamAV For Windows Announcement Mailing List
http://lists.sosdg.org/mailman/listinfo/clamav-announce

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Current Version of Clam AV
I get them both running ClamAV with the clamscan wrapper (runclamscan) and just with ClamAV installed as a service (using the windows resource kit to install it as a service.) I think it's a clamav bug when it is running as a service. I don't think it's a declude or service wrapper issue. The error (can't create tmp directory) seems to be maybe a cygwin/clamav internal error of some sort (clamav uses cygwin to emulate unix if I understand correctly).

-----Original Message-----
From: "Scott Fisher" [EMAIL PROTECTED]
Sent 3/1/2007 3:04:35 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

I'm definitely still getting them with Clam .90. They only happen here when I run clamav as a service. When I run it as a non-service (which is CPU foolish), I don't get these. I also use the clamscan wrapper (runclamscan.exe), so that might be in the mix.

-----Original Message-----
From: "Gary Steiner" [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, March 01, 2007 11:57 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

Does anyone want to comment on what might be causing the error? Is this a ClamAV problem or a Declude problem? It seems that the normal mechanism for deleting those files is somehow interrupted. Is there a way in Declude to increase the time allocated to each antivirus process? Though since I upgraded to SOSDG's version 0.90-1, I haven't seen any leftover .vir directories.

-----Original Message-----
From: "Brian T." [EMAIL PROTECTED]
Sent: Thursday, March 01, 2007 11:53 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

Does anyone know of a way to fix this problem with the leftover .vir directories? I was thinking about switching to ClamAV from F-Prot but don't want to constantly be cleaning up leftover files.

Thanks,
Brian

-----Original Message-----
From: Darrell ([EMAIL PROTECTED])
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:44 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

In my normal maintenance window (once a week) all services are stopped and I clean out the work, error, proc, spool, and review folders. Since I stop CLAMAV as well I am able to delete those directories.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

-----Original Message-----
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:22 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

Thanks for responding. I can't delete them until I restart the ClamAV service. Do you have a way of automatically deleting them, or do you schedule a task to restart ClamAV and then delete them? I tried using a scheduled task but for some reason they still don't get deleted (but it's possible to do it manually.)

-----Original Message-----
From: "Darrell ([EMAIL PROTECTED])" [EMAIL PROTECTED]
Sent 2/27/2007 10:17:46 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

FWIW - I have always had left over directories from .84 on up.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

-----Original Message-----
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 8:41 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

I am also running the 0.90-1, and it's working fine, except I still get leftover .vir directories inside the declude/proc dir.

The error in the clamav log shows:

- d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary directory ERROR

I've tried checking permissions, and made sure I have the clamav tmpdir variable set to my clamav tmp dir (which fixed a similar error that stopped the clamav service from starting.) But I haven't been able to fix this one. Anyone know how to fix this error?

Thanks.

-----Original Message-----
From: "Darrell ([EMAIL PROTECTED])" [EMAIL PROTECTED]
Sent 2/26/2007 1:30:43 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

Gary, I upgraded on Friday and have not run into any issues.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overfl
Re: [Declude.Virus] Current Version of Clam AV
Thanks for responding. I can't delete them until I restart the ClamAV service. Do you have a way of automatically deleting them, or do you schedule a task to restart ClamAV and then delete them? I tried using a scheduled task but for some reason they still don't get deleted (but it's possible to do it manually.)

-----Original Message-----
From: "Darrell ([EMAIL PROTECTED])" [EMAIL PROTECTED]
Sent 2/27/2007 10:17:46 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

FWIW - I have always had left over directories from .84 on up.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

-----Original Message-----
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 8:41 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

I am also running the 0.90-1, and it's working fine, except I still get leftover .vir directories inside the declude/proc dir.

The error in the clamav log shows:

- d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary directory ERROR

I've tried checking permissions, and made sure I have the clamav tmpdir variable set to my clamav tmp dir (which fixed a similar error that stopped the clamav service from starting.) But I haven't been able to fix this one. Anyone know how to fix this error?

Thanks.

-----Original Message-----
From: "Darrell ([EMAIL PROTECTED])" [EMAIL PROTECTED]
Sent 2/26/2007 1:30:43 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

Gary, I upgraded on Friday and have not run into any issues.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

-----Original Message-----
From: "Gary Steiner" [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Monday, February 26, 2007 1:01 PM
Subject: RE: [Declude.Virus] Current Version of Clam AV

I see that SOSDG released a new version (0.90-1) of their Windows port of ClamAV on 02-22-2007.

http://www.sosdg.org/clamav-win32/

Has anyone upgraded to it yet? Any problems?

Gary Steiner

-----Original Message-----
From: "Mark Reimer" [EMAIL PROTECTED]
Sent: Friday, February 16, 2007 2:04 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Current Version of Clam AV

Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90 release for windows?

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Friday, February 16, 2007 10:06 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Current Version of Clam AV

What is the current release of Clam AV for windows? I saw 0.90 stable is out now.

Mark Reimer
IT System Admin
American CareSource
972-308-6887
[Declude.Virus] Re: [Declude.Virus] Declude Security Suite 4.3.23 Released / AVG Vulnerability?
Is the built-in avg version included still vulnerable? Or has it been fixed already?

Very glad to see the IMail 2006 authowhite is now working.

Thanks.

-----Original Message-----
From: "David Barker" [EMAIL PROTECTED]
Sent 11/24/2006 8:08:51 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG Vulnerability

From AVG "the update has been released for beta testing, if there are no troubles, we publish it as an official build during the next week."

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Friday, November 24, 2006 4:29 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] AVG Vulnerability

Hi,

And...?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

-----Original Message-----
From: David Barker
To: declude.virus@declude.com
Sent: Tuesday, November 21, 2006 10:24 PM
Subject: RE: [Declude.Virus] AVG Vulnerability

We have a request in with Grisoft remember there is a time zone difference as they are in CZ

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Tuesday, November 21, 2006 4:01 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG Vulnerability

Any updates on this yet? Should we be turning off AVG scanning?

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, November 21, 2006 9:24 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG Vulnerability

Darrell,

We are currently looking into this new report and are contacting AVG we will post here as soon as we have an answer.

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, November 21, 2006 8:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] AVG Vulnerability

David / Declude,

Is the integrated AVG scanner vulnerable? How do we determine what version of AVG is embedded inside of Declude?

Darrell

MODERATE: Grisoft AVG Anti-Virus Multiple Vulnerabilities

Affected: AVG Anti-Virus versions prior to 7.1.407

Description: AVG Anti-Virus, a popular anti-virus system, contains multiple vulnerabilities. By sending a specially-crafted file through the system, an attacker could exploit these vulnerabilities to execute arbitrary code with the privileges of the anti-virus process. No technical details for these vulnerabilities are currently available.

Status: Grisoft confirmed, updates available.

Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

References:
Grisoft Release Notes
http://www.grisoft.com/doc/36365/lng/us/tpl/tpl01
SecurityFocus BID
http://www.securityfocus.com/bid/21029

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.Virus] IE Vulnerability
This is a bit off topic, but for anyone who doesn't monitor the NTBugTraq list, check out the following post. I've already had one user get nailed.

Steve

Yesterday NTBugtraq was informed of an active attack against users of Internet Explorer. I'd like to thank Steve Shockley for informing me.

The attack comprised of a banner, hosted by FortuneCity.com, which in turn used JavaScript to redirect the self-closing pop-under banner to a site hosted by EV1.NET (Everyone's Internet.) An EV1.NET site then delivered executable code which in turn invoked the HTA vulnerability.

The HTA vulnerability is a known and as yet unpatched vulnerability in IE. Interestingly, vulnerability was described thoroughly by Thor Larholm on Monday at the 5th annual NTBugtraq Retreat, prior to notification of the active attack. He explains it much better than I, but my short version is;

When the Object Data vulnerability is exercised, IE renders and executes the ActiveX object referenced in the JavaScript code. During the check to determine whether the content is safe, IE mistakenly believes the ActiveX object code to be simple HTML/Jscript. Therefore, it does not prompt to save to disk. Subsequently, it remembers it is HTA content, and invokes MSHTA.EXE to drop and execute the object code. That code is x[1].hta, which in turn creates and executes AOLFIX.exe.

AOLFIX.EXE is downloaded into the \temp directory and executed, and deleted. It caused a variety of actions;

1. It created empty directories called;

   %systemdrive%:\bdtemp
   %systemdrive%:\bdtemp\temp

2. It deleted AOLFIX.EXE

3. It created the following file, which contains the letter A;

   %systemdrive%:\%systemroot%\winlog

4. It created a hosts file in the \%systemroot%\help directory which contains numerous static IP address to search engine website mappings.

5. It created the following registry entries;

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
   r0x=your s0x
   NameServer=69.57.146.14

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
   NameServer=69.57.146.14

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   DataBasePath=%SystemRoot%\help

At last check (8:15pm EDT 10/1/2003) the banner page at FortuneCity.com was still serving up the banner which leads to the malcode. We have received reports from many locations around the world indicating they have had the effects of this.

NAI is calling this QHOSTS-1, see http://vil.nai.com/vil/content/v_100719.htm for more details.

Thus far there isn't much you can do beyond disabling Active Scripting (Georgi's old mantra.) If you apply default deny, the concept that your perimeter only allows out that which you have permitted, then outbound DNS by clients will fail, making them unable to browse or do anything involving DNS (including internal DNS resolution.) If you don't use default deny, consider doing so, or block outbound DNS (port 53) to thwart the replaced DNS entries.

Personal Firewalls which understand and can block specific applications from accessing the network (such as Zone Labs, Symantec Personal Firewall, see what you get if you come to the Retreat!), should be configured not to allow MSHTA.EXE. The use of MSHTA in this attack doesn't prevent everything, but it should prevent the redirected DNS from occurring.

Thor Larholm explained to me why disabling the HTA MIME type works. I really should've been paying closer attention to his talk rather than trying to talk over him...;-] Anyway, although IE is failing to properly handle the content type application/hta when it checks if it should do a save-as dialog, it does use it when it comes to render. Hence, it doesn't pop up, but it does use the MIME type to determine what to invoke when it renders. If you lose the key, even if only temporarily, it won't find MSHTA.EXE.

It is worth noting that disabling ActiveX (any of the number IE entries which relate to ActiveX) will do nothing to prevent exploitation of this vulnerability. The problem lies in the way IE perceives the content, and while it should recognize it as ActiveX, it does not. Hence disabling ActiveX will not provide a mitigator.

More tomorrow.

Cheers,
Russ - NTBugtraq Editor

---
This e-mail has been scanned for viruses by the anti-virus systems of CyberShift, Inc. The information contained in or attached to this message is intended solely for the personal and confidential use of the designated recipients named in the body of the e-mail or within the attached documents. This message may be legally privileged, and as such is confidential. If the reader of this message is not the intended recipient or any agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error, and that any review, dissemination, distribution or copying of this message is strictly prohibited.
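The registry changes listed in the forwarded post can be checked for on a host. The following is an added example, not part of the original messages: it assumes the Tcpip\Parameters subtree has been dumped to simplified `[key]` / `name=value` text in the style used in the post (a raw regedit export escapes and encodes values differently), and the allowed resolver 192.0.2.53 and both samples are constructed.

```python
import re

# Windows default location of the hosts file directory.
DEFAULT_HOSTS_DIR = r"%SystemRoot%\System32\drivers\etc"
TCPIP_PARAMS = r"hkey_local_machine\system\currentcontrolset\services\tcpip\parameters"

# Constructed sample modelled on the entries quoted in the post.
SAMPLE_INFECTED = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
DataBasePath=%SystemRoot%\help
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
NameServer=69.57.146.14
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
NameServer=69.57.146.14
"""

# Constructed sample of an unmodified host using the site's own resolver.
SAMPLE_CLEAN = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
DataBasePath=%SystemRoot%\System32\drivers\etc
NameServer=192.0.2.53
"""


def parse_export(text):
    """Return {key_path_lower: {value_name_lower: value}} from the dump text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            current[name.strip().strip('"').lower()] = value.strip().strip('"')
    return keys


def audit_tcpip(text, allowed_dns):
    """Flag a relocated hosts directory and resolvers outside allowed_dns."""
    findings = []
    for key, values in parse_export(text).items():
        if not key.startswith(TCPIP_PARAMS):
            continue
        path = values.get("databasepath")
        # DataBasePath lives on the Parameters key itself, not on interfaces.
        if key == TCPIP_PARAMS and path is not None \
                and path.lower() != DEFAULT_HOSTS_DIR.lower():
            findings.append(("hosts-dir-redirected", key, path))
        # NameServer may hold several addresses separated by commas or spaces.
        for server in re.split(r"[,\s]+", values.get("nameserver", "")):
            if server and server not in allowed_dns:
                findings.append(("unexpected-nameserver", key, server))
    return findings


if __name__ == "__main__":
    for finding in audit_tcpip(SAMPLE_INFECTED, {"192.0.2.53"}):
        print(finding)
```
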
RE: [Declude.Virus] Blue Screen on Imail with Declude Virus and Declude Junkmail
If it's worth $245 to you, I have had some success with Microsoft support being able to pinpoint the culprit using the memory dumps.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mailing Lists
Sent: Monday, September 08, 2003 1:08 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Blue Screen on Imail with Declude Virus and Declude Junkmail

Hi all, hopefully someone can give us some insight to a problem related to BSOD we have been encountering on our Imail server.

Server is running Imail 8.02 with Declude Virus with scanners below and Declude Junkmail. Nothing else is running on the server. Declude Virus Config appears at end of this email.

Ipswitch claims this is not caused by Imail.

Declude Virus has the following virus scanners:

F-Prot version 3.14a
Netshield 2000 SP1
Grisoft AVG 7 Server Edition

On access virus scanning is disabled.

What seems to be happening is that when there is a high volume of mail processed, the server will blue screen with:

The computer has rebooted from a bugcheck. The bugcheck was: 0x007f (0x000d, 0x, 0x, 0x). Microsoft Windows 2000 [v15.2195]. A dump was saved in: C:\WINNT\MEMORY.DMP.

BSOD shows UNEXPECTED_KERNEL_MODE_TRAP

At first we thought it was a hardware related issue since this was a new server built for Imail. So we rebuilt another server and installed to that new server but problem still persists.

Examining logs (Declude and Imail) show nothing peculiar, and nothing is reported in the event log except for the reboot and bugcheck.

We then thought it may be related to the Imail Queue manager so to test this we stopped Imail Queue Service for a while and simulated the problem by sending large amounts of mail to the server and sure enough it crashed again (with Queue Manager stopped). This should exclude Queue Manager.

Server specs are:

Intel 7501WV2 Motherboard with dual onboard Nics
Intel SRCZCR Raid Controller Card
2 x 18 GB u320 Maxtor Raid 1 (OS)
2 x 36 GB u320 Maxtor Raid 1 (Imail)
1 GB Crucial RAM

Any insight anyone?

Thanks
Peter Verzoni

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
RE: [Declude.Virus] SkipVirus Option
Check the typo on Bugbear and Sobig.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mario Antonio
Sent: Tuesday, January 14, 2003 10:30 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] SkipVirus Option

Scott,

I am running Declude Virus v1.65. The skip option for the virus Sobig is not working. (I verified this by looking at the Imail logs)

Am I missing something?

This is one of my .eml files

-BOF
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Hybris
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSVIRUSNAME Bugbear
SKIPIFVIRUSVIRUSNAME Sobig
To: %ALLRECIPS%
From: [EMAIL PROTECTED]
Subject: Virus Warning

The Webjogger Anti-Virus Protection System has reported that you were sent an E-mail from %MAILFROM%, containing the %VIRUSNAME% virus in the %VIRUSFILE% attachment.

The subject of the E-mail was %SUBJECT%.

The E-mail containing the virus has been quarantined to prevent further damage.

Original message headers follow:
%HEADERS%
---EOF

Regards
Mario Antonio Garcia
Webjogger Internet Services

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
RE: [Declude.Virus] New Virus: Holar
Wouldn't the double extension just get blocked by the exe rule?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Thursday, December 05, 2002 9:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New Virus: Holar

At one point you talked about detection of double file extensions. Was that ever implemented?

It's a good idea, but tough to implement properly. The problem is with filenames such as www.yahoo.com.url, and spreadsheet.2002.nov.xls. So adding such detection would get a bit complicated.

Setting it up to only catch certain double extensions -- such as *.*.exe might be a good idea, though.

-Scott
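A sketch of the selective check discussed in this thread, added here as an illustration and not taken from the messages or from Declude: it only flags a name when the final extension is executable and the one before it looks like a document or media type, so www.yahoo.com.url and spreadsheet.2002.nov.xls pass. Both extension sets and the sample names are assumptions constructed for the example.

```python
# Final extensions treated as executable on Windows (assumed list; tune to policy).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "hta"}

# Extensions that make a file look like a harmless document or media file (assumed).
DECOY_EXTS = {"txt", "doc", "xls", "pdf", "jpg", "jpeg", "gif",
              "mp3", "mpg", "avi", "htm", "html"}

# Constructed attachment names, including the two benign ones from the thread.
SAMPLES = [
    "www.yahoo.com.url",
    "spreadsheet.2002.nov.xls",
    "holiday.jpg.exe",
    "photo.jpg          .exe",   # whitespace padding hides the real extension
    "Invoice.PDF.SCR. ",         # Windows ignores trailing dots and spaces
    "report.2002.exe",
    "setup.exe",
    "notes",
]


def extensions(filename):
    """Return the lower-cased dot-separated parts that follow the base name."""
    # Trailing dots and spaces are dropped when Windows opens the file,
    # so drop them before looking at the last extension.
    name = filename.strip().rstrip(". ")
    parts = [p.strip().lower() for p in name.split(".")]
    return [p for p in parts[1:] if p]


def classify(filename):
    """Return 'allow', 'executable' or 'double-extension' for one name."""
    exts = extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "allow"
    # Only a decoy type directly before the executable extension counts, which
    # keeps multi-dot names such as version numbers or dates out of this class.
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"
    # A plain extension ban already covers these.
    return "executable"


def triage(names):
    """Map each attachment name to its classification."""
    return {name: classify(name) for name in names}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{verdict:17} {name!r}")
```

Where .exe is already banned outright, every "double-extension" hit is also caught by that ban; the separate class is useful for reporting and for sites that do not ban every executable extension.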
RE: [Declude.Virus] .HTA attachments
Yes. They're on the list of extensions that Microsoft suggests blocking. There's a KB article regarding this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff
Sent: Friday, November 22, 2002 2:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] .HTA attachments

Is any one banning these? I saw a reference to banning these on another list.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com