RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

2006-03-27 Thread Mark Reimer




Matt,
My config is similar to yours except you have AI/Packed/SERVER. What are
the additional benefits to using these switches?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Friday, March 24, 2006 5:44 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

  Kami,

  This is F-Prot that is detecting this and not Declude. I believe that
  the reason is the "/PARANOID" switch that you are using. This is not a
  commonly used switch and it's not documented in the executable's help.
  Here's my config for F-Prot. I believe this should stop your issues if
  you change to it:

  C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /SERVER /DUMB /REPORT=report.txt

  I have no virus hits that match what you are showing for F-Prot using
  this config.

  Matt

  Kami Razvan wrote:
  

Hi Matt..

thanks for your quick reply. Here is the virus log 
entries:

03/24/2006 14:34:08.042 q49aa01741b4f.smd Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus= Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [ Possibly a new variant of JS/: 8]
03/24/2006 14:34:12.059 q49aa01741b4f.smd Deleting file with virus
03/24/2006 14:34:12.121 q49aa01741b4f.smd Deleting E-mail with virus!
03/24/2006 14:34:12.153 q49aa01741b4f.smd Scanned: CONTAINS A VIRUS [MIME: 1 2652]
03/24/2006 14:34:12.184 q49aa01741b4f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 10.119.249.109]
03/24/2006 14:34:12.215 q49aa01741b4f.smd Subject: Response

 here is our entries in the virus.cfg file

SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found

# F-PROT - 2nd scanner

SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
REPORT2 Infection:

# AVG - 3rd Scanner
SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE3 4
VIRUSCODE3 5
VIRUSCODE3 6
VIRUSCODE3 7
VIRUSCODE3 9
REPORT3 identified

# CLAM- 4th Scanner
SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1

Hope that helps..

Regards,
- Kami


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, March 24, 2006 5:56 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Kami,

You might want to post your full Declude Virus log snippet for one such
message and identify both your Declude version and your virus scanners.

Matt


Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

2006-03-27 Thread Matt




Mark,

A full list of the switches is located on the F-Prot site at the
following address:

 http://www.f-prot.com/support/windows/fpwin_faq/20.html

Sometimes we must make assumptions about what these things mean. I
believe that the three switches that you asked about are commonly used
by Declude users on the lists, though I am not sure what the manual
might be listing at this time.

Matt



Mark Reimer wrote:

  
  
  
  Matt,
  My config is similar to yours except you have AI/Packed/SERVER.
What are
  the additional benefits to using these switches?
  
  
  Mark Reimer
IT Project Manager
American CareSource
214-596-2464
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matt
Sent: Friday, March 24, 2006 5:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new
variant of JS/ virus


Kami,

This is F-Prot that is detecting this and not Declude. I believe that
the reason is the "/PARANOID" switch that you are using. This is not a
commonly used switch and it's not documented in the executable's help.
Here's my config for F-Prot. I believe this should stop your issues if
you change to it:

 C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /SILENT /NOBOOT /NOMEM
/ARCHIVE=5 /PACKED /SERVER /DUMB /REPORT=report.txt

I have no virus hits that match what you are showing for F-Prot using
this config.

Matt



Kami Razvan wrote:

  
  Hi Matt..
  
  thanks for your quick reply. Here is the
virus log entries:
  
  03/24/2006 14:34:08.042 q49aa01741b4f.smd
Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports
exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports
exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus=
Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [
Possibly a new variant of JS/: 8]
03/24/2006 14:34:12.059 q49aa01741b4f.smd Deleting file with virus
03/24/2006 14:34:12.121 q49aa01741b4f.smd Deleting E-mail with
virus!
03/24/2006 14:34:12.153 q49aa01741b4f.smd Scanned: CONTAINS A VIRUS
[MIME: 1 2652]
03/24/2006 14:34:12.184 q49aa01741b4f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming
from 10.119.249.109]
03/24/2006 14:34:12.215 q49aa01741b4f.smd Subject: Response
  
   here is our entries in the virus.cfg file
  
  SCANFILE1
C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM
/NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found
  
  # F-PROT - 2nd scanner
  
  SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe
-AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT
/DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
REPORT2 Infection:
  
  
  
  # AVG - 3rd Scanner
SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT
/NOHIMEM /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE3 4
VIRUSCODE3 5
VIRUSCODE3 6
VIRUSCODE3 7
VIRUSCODE3 9
REPORT3 identified
  
  # CLAM- 4th Scanner
SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose
--no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1
  
  Hope that helps..
  
  Regards,
  - Kami
  
  
   From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  On Behalf Of Matt
  Sent: Friday, March 24, 2006 5:56 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Containing: Possibly a new
variant of JS/ virus
  
  
Kami,
  
You might want to post your full Declude Virus log snippet for one such
message and identify both your Declude version and your virus scanners.
  
Matt
  
  
  





[Declude.Virus] Containing: Possibly a new variant of JS/ virus

2006-03-24 Thread Kami Razvan



Hi;

We are having a major problem. A large number of emails are getting caught
with the following message:

Containing: Possibly a new variant of JS/ virus
In: [HTML segment] attachment

I have added:

ALLOWVULNERABILITYJS

but it is not working. Almost every HTML email and newsletter is getting
caught by this vulnerability "feature".

How can we disable this? It seems like allow directive is not working.

Regards,
Kami



Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

2006-03-24 Thread Matt




Kami,

You might want to post your full Declude Virus log snippet for one such
message and identify both your Declude version and your virus scanners.

Matt



Kami Razvan wrote:

  
  
  Hi;
  
  We are having a major problem. A large number of emails are getting
caught with the following message:
  
  
  Containing: Possibly a new variant of JS/ virus
  In: [HTML segment] attachment
  I have added:
  ALLOWVULNERABILITYJS
  but it is not working. Almost every HTML email and newsletter is getting
caught by this vulnerability "feature".
  How can we disable this? It seems like allow directive is not working.
  Regards,
  Kami
  
  





RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

2006-03-24 Thread Kami Razvan



Hi Matt..

thanks for your quick reply. Here is the virus log 
entries:

03/24/2006 14:34:08.042 q49aa01741b4f.smd Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus= Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [ Possibly a new variant of JS/: 8]
03/24/2006 14:34:12.059 q49aa01741b4f.smd Deleting file with virus
03/24/2006 14:34:12.121 q49aa01741b4f.smd Deleting E-mail with virus!
03/24/2006 14:34:12.153 q49aa01741b4f.smd Scanned: CONTAINS A VIRUS [MIME: 1 2652]
03/24/2006 14:34:12.184 q49aa01741b4f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 10.119.249.109]
03/24/2006 14:34:12.215 q49aa01741b4f.smd Subject: Response

 here is our entries in the virus.cfg file

SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found

# F-PROT - 2nd scanner

SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
REPORT2 Infection:

# AVG - 3rd Scanner
SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE3 4
VIRUSCODE3 5
VIRUSCODE3 6
VIRUSCODE3 7
VIRUSCODE3 9
REPORT3 identified

# CLAM- 4th Scanner
SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1

Hope that helps..

Regards,
- Kami


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, March 24, 2006 5:56 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Kami,

You might want to post your full Declude Virus log snippet for one such
message and identify both your Declude version and your virus scanners.

Matt


Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

2006-03-24 Thread Matt




Kami,

This is F-Prot that is detecting this and not Declude. I believe that
the reason is the "/PARANOID" switch that you are using. This is not a
commonly used switch and it's not documented in the executable's help.
Here's my config for F-Prot. I believe this should stop your issues if
you change to it:

 C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /SILENT /NOBOOT /NOMEM
/ARCHIVE=5 /PACKED /SERVER /DUMB /REPORT=report.txt

I have no virus hits that match what you are showing for F-Prot using
this config.

Matt



Kami Razvan wrote:

  
  
  Hi Matt..
  
  thanks for your quick reply. Here is the
virus log entries:
  
  03/24/2006 14:34:08.042 q49aa01741b4f.smd
Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports
exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports
exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus=
Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [
Possibly a new variant of JS/: 8]
03/24/2006 14:34:12.059 q49aa01741b4f.smd Deleting file with virus
03/24/2006 14:34:12.121 q49aa01741b4f.smd Deleting E-mail with
virus!
03/24/2006 14:34:12.153 q49aa01741b4f.smd Scanned: CONTAINS A VIRUS
[MIME: 1 2652]
03/24/2006 14:34:12.184 q49aa01741b4f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming
from 10.119.249.109]
03/24/2006 14:34:12.215 q49aa01741b4f.smd Subject: Response
  
   here is our entries in the virus.cfg file
  
  SCANFILE1
C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM
/NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found
  
  # F-PROT - 2nd scanner
  
  SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe
-AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT
/DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
REPORT2 Infection:
  
  
  
  # AVG - 3rd Scanner
SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT
/NOHIMEM /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE3 4
VIRUSCODE3 5
VIRUSCODE3 6
VIRUSCODE3 7
VIRUSCODE3 9
REPORT3 identified
  
  # CLAM- 4th Scanner
SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose
--no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1
  
  Hope that helps..
  
  Regards,
  - Kami
  
  
  From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Friday, March 24, 2006 5:56 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Containing: Possibly a new
variant of JS/ virus
  
  
Kami,
  
You might want to post your full Declude Virus log snippet for one such
message and identify both your Declude version and your virus scanners.
  
Matt
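
The attribution made in the message above (scanner 2 returned exit code 8, virus.cfg lists 8 under VIRUSCODE2, and SCANFILE2 is fpcmd.exe) can be automated. The following is an added example, not part of the thread and not Declude's own code; the function names and parsing rules are assumptions inferred from the log lines and virus.cfg entries posted in this thread.

```python
import re
from collections import defaultdict

# Excerpts copied from the thread, wrapped lines re-joined.
VIRUS_CFG = r"""
SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
"""
LOG = """\
03/24/2006 14:34:08.042 q49aa01741b4f.smd Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus= Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [ Possibly a new variant of JS/: 8]
"""

def parse_cfg(text):
    """Map scanner number -> executable, switches and infected exit codes."""
    cfg = defaultdict(lambda: {"exe": None, "switches": [], "codes": set()})
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"SCANFILE(\d+)\s+(\S+)\s*(.*)", line):
            cfg[int(m[1])].update(exe=m[2], switches=m[3].split())
        elif m := re.match(r"VIRUSCODE(\d+)\s+(\d+)$", line):
            cfg[int(m[1])]["codes"].add(int(m[2]))
    return dict(cfg)

def attribute(log, cfg):
    """Per spool file: Declude's vulnerability flags and the scanners that fired."""
    out = defaultdict(lambda: {"vuln_flags": None, "hits": []})
    for line in log.splitlines():
        m = re.match(r"\S+ \S+ (\S+) (.*)", line)   # date, time, spool file, text
        if not m:
            continue
        msg, text = out[m[1]], m[2]
        if v := re.match(r"Vulnerability flags = (\d+)", text):
            msg["vuln_flags"] = int(v[1])   # assumed: Declude's own vulnerability checks
        elif e := re.match(r"Virus scanner (\d+) reports exit code of (\d+)", text):
            n, code = int(e[1]), int(e[2])
            if code in cfg.get(n, {}).get("codes", ()):
                msg["hits"].append({"scanner": n, "code": code, "name": None, **cfg[n]})
        elif s := re.match(r"Scanner (\d+): Virus=\s*(.*?)\s*Attachment=", text):
            for hit in msg["hits"]:
                if hit["scanner"] == int(s[1]):
                    hit["name"] = s[2]
    return dict(out)
```

Calling attribute(LOG, parse_cfg(VIRUS_CFG)) yields one hit for q49aa01741b4f.smd, from scanner 2 (fpcmd.exe, whose switches include /PARANOID), alongside vulnerability flags of 0.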
  
  




RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

2006-03-24 Thread Markus Gufler



Hi Kami,

I've in use F-Prot 3.16f (latest version) here and can't find any
appearance of "Possibly a new variant of JS" in my logfiles.

Markus



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
  Sent: Saturday, March 25, 2006 12:32 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus
  
  Hi Matt..
  
  thanks for your quick reply. Here is the virus log 
  entries:
  
  03/24/2006 14:34:08.042 q49aa01741b4f.smd Vulnerability flags = 0
  03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports exit code of 0
  03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports exit code of 8
  03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus= Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
  03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [ Possibly a new variant of JS/: 8]
  03/24/2006 14:34:12.059 q49aa01741b4f.smd Deleting file with virus
  03/24/2006 14:34:12.121 q49aa01741b4f.smd Deleting E-mail with virus!
  03/24/2006 14:34:12.153 q49aa01741b4f.smd Scanned: CONTAINS A VIRUS [MIME: 1 2652]
  03/24/2006 14:34:12.184 q49aa01741b4f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 10.119.249.109]
  03/24/2006 14:34:12.215 q49aa01741b4f.smd Subject: Response
  
   here is our entries in the virus.cfg file
  
  SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
  VIRUSCODE1 13
  REPORT1 Found

  # F-PROT - 2nd scanner

  SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt
  VIRUSCODE2 3
  VIRUSCODE2 6
  VIRUSCODE2 8
  REPORT2 Infection:

  # AVG - 3rd Scanner
  SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
  VIRUSCODE3 4
  VIRUSCODE3 5
  VIRUSCODE3 6
  VIRUSCODE3 7
  VIRUSCODE3 9
  REPORT3 identified

  # CLAM- 4th Scanner
  SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
  VIRUSCODE4 1
  
  Hope that helps..
  
  Regards,
  - Kami
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Friday, March 24, 2006 5:56 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

  Kami,

  You might want to post your full Declude Virus log snippet for one such
  message and identify both your Declude version and your virus scanners.

  Matt


RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

2006-03-24 Thread Kami Razvan



Hi Matt & Marcus..

Many thanks for your response.. I changed my config 
file to see if that resolves the problem.

This problem comes and goes..  a lot of web forms 
appear to be having this issue.

I added Matt's config file to see if that 
helps..

thanks
Kami


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, March 24, 2006 6:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Kami,

This is F-Prot that is detecting this and not Declude. I believe that
the reason is the "/PARANOID" switch that you are using. This is not a
commonly used switch and it's not documented in the executable's help.
Here's my config for F-Prot. I believe this should stop your issues if
you change to it:

C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /SERVER /DUMB /REPORT=report.txt

I have no virus hits that match what you are showing for F-Prot using
this config.

Matt