[Declude.Virus] Issues

2005-02-18 Thread Keith Johnson
The past few days I am occurring a lot of these type errors in the virus log:
 
02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile
02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2!  Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD f:\imail\spool\virus\Qcb35092800dc91ac.SMD
02/18/2005 06:03:21 Qcb35092800dc91ac Error opening mime file F:\IMail\spool\Dcb35092800dc91ac.SMD
02/18/2005 06:03:21 Qcb35092800dc91ac Scanned: Error starting scanner
 
02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory F:\IMail\spool\Dcb3e09ed005291c3.vir\.
02/18/2005 06:03:25 Qcb3e09ed005291c3 Scanned: Error starting scanner
 
02/18/2005 06:03:52 Qcb460a83007a91db Couldn't rename SMD to SM$ [32].  Priority back to 32.
 
This is a Win2K SP4 machine with Dual Xeon 2.4 GHz w/1GB RAM.  Running F-prot 
(1st) and then Computer Assoc (2nd).  A few days ago, I uninstalled F-prot and 
reinstalled it.  Copied in a fresh Declude.exe file (ver. 1.82).  When this 
occurs above, it is a domino effect, it causes mail to back up in the overflow 
queue and thus email is not delivered.  Is there anything else I can do to fix 
this issue?  Thanks for the aid.
 
-Keith

Re: [Declude.Virus] Issues

2005-02-18 Thread R. Scott Perry

The past few days I am occurring a lot of these type errors in the virus log:
02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile

This indicates that something happened to the D*.SMD file, which contains 
the E-mail body.  If you are running an on-access virus scanner, for 
example, the on-access virus scanner may have deleted the E-mail.

02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2!  Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD f:\imail\spool\virus\Qcb35092800dc91ac.SMD

And this one means that the Q*.SMD file isn't there, either.  This would 
seem unusual, except we then get:

02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory F:\IMail\spool\Dcb3e09ed005291c3.vir\.

This one means that the F:\IMail\spool\Dcb3e09ed005291c3.vir\ directory 
already exists.  That is a major clue, as Declude Virus is the only program 
that will create a directory with that name.

This means that IMail is calling Declude multiple times.  We've seen this 
happen a few times before -- you may want to make sure that you are running 
the latest version of IMail.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Issues

2005-02-18 Thread Keith Johnson
Scott,
   We are not running on access scanners (very careful about that), we are 
running Imail 8.15.  I didn't even install the Realtime Scanner in f-prot and 
have CA Realtime disabled as a service.  Anything else that I can look at?
 
Keith


RE: [Declude.Virus] Issues

2005-02-18 Thread Keith Johnson

Scott,
 Continue to see a lot of these type things, at times, the only to aid the situation is stop/restart the Queue Mgr/SMTP

02/18/2005 11:44:11 Q1b3d04d2006a5060 ERROR: Could not open recip file F:\IMail\spool\_1b3d04d2006a5060.~MD [2]
02/18/2005 11:44:11 Q1a58046e00fc4c6c ERROR: Could not open recip file F:\IMail\spool\_1a58046e00fc4c6c.~MD [2]
02/18/2005 11:44:11 Q1b4902b000745089 ERROR: Could not open recip file F:\IMail\spool\_1b4902b000745089.~MD [2]
02/18/2005 11:44:11 Q1a58046e00fc4c6c ERROR: Could not open recip file F:\IMail\spool\_1a58046e00fc4c6c.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b4a020101285097 ERROR: Could not open recip file F:\IMail\spool\_1b4a020101285097.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b4a020101285097 ERROR: Could not open recip file F:\IMail\spool\_1b4a020101285097.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b4a020101285097 ERROR: Could not open recip file F:\IMail\spool\_1b4a020101285097.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b32017700ee5028 ERROR: Could not open recip file F:\IMail\spool\_1b32017700ee5028.~MD [2]
02/18/2005 11:44:12 Q1b4a03a500a05092 ERROR: Could not open recip file F:\IMail\spool\_1b4a03a500a05092.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:12 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:13 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:13 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]

Any ideas or suggestions?

Keith



RE: [Declude.Virus] Issues

2005-02-18 Thread R. Scott Perry

Continue to see a lot of these type things, at times, the only to aid 
the situation is stop/restart the Queue Mgr/SMTP

If stopping/restarting the Queue Manager and/or SMTP fixes the problem, it 
is almost certainly an issue with IMail.  In this case:

02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]

Here, IMail tried starting Declude at least 10 times on the same 
E-mail.  It sounds like something is being corrupted in IMail that is 
causing it to keep re-trying the same E-mail.  Note that this all happened 
in the space of about 1 second, so IMail isn't simply re-trying an E-mail 
because it couldn't be delivered.

   -Scott
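
The two log signatures used in the replies above (the same error repeated for one queue ID within about a second, and "Error 183" on a `.vir` temp directory that already exists) can be checked for mechanically. The following is an added example, not part of the original thread and not Declude's or IMail's own code; it assumes each log entry sits on one line, and the function names, thresholds and the embedded sample (entries copied from this thread and rejoined) are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One virus-log entry: "MM/DD/YYYY HH:MM:SS Q<spool id> <message>".
# Assumption: one entry per line (the archive above wraps them).
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<qid>Q[0-9A-Fa-f]+) (?P<msg>.+)$"
)

# Constructed sample: entries taken from the messages above, one per line.
SAMPLE_LOG = r"""
02/18/2005 06:03:24 Qcb3e09ed005291c3 Error 183 creating temp directory F:\IMail\spool\Dcb3e09ed005291c3.vir\.
02/18/2005 06:03:25 Qcb3e09ed005291c3 Scanned: Error starting scanner
02/18/2005 11:44:11 Q1b3d04d2006a5060 ERROR: Could not open recip file F:\IMail\spool\_1b3d04d2006a5060.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:11 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b43039c00b2507a ERROR: Could not open recip file F:\IMail\spool\_1b43039c00b2507a.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
02/18/2005 11:44:12 Q1b37039c00b25045 ERROR: Could not open recip file F:\IMail\spool\_1b37039c00b25045.~MD [2]
""".strip().splitlines()


def parse_entries(lines):
    """Yield (timestamp, queue_id, message) for every well-formed entry."""
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S")
            yield ts, m.group("qid"), m.group("msg")


def repeated_invocations(lines, min_repeats=3, window=timedelta(seconds=2)):
    """Map queue ID -> largest count of identical entries inside `window`.

    A message that is merely re-queued after a failed delivery shows up
    minutes apart; the same entry several times within a second or two
    points at the scanner being launched repeatedly for one message.
    """
    stamps_by_key = defaultdict(list)
    for ts, qid, msg in parse_entries(lines):
        stamps_by_key[(qid, msg)].append(ts)

    flagged = {}
    for (qid, _msg), stamps in stamps_by_key.items():
        stamps.sort()
        lo = best = 0
        for hi, ts in enumerate(stamps):
            # Shrink the window from the left until it spans <= `window`.
            while ts - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_repeats:
            flagged[qid] = max(best, flagged.get(qid, 0))
    return flagged


def tempdir_collisions(lines):
    """Queue IDs whose per-message .vir directory already existed (error 183)."""
    prefix = "Error 183 creating temp directory"
    return sorted(
        {qid for _, qid, msg in parse_entries(lines) if msg.startswith(prefix)}
    )


if __name__ == "__main__":
    for qid, count in sorted(repeated_invocations(SAMPLE_LOG).items()):
        print(f"{qid}: {count} identical entries within 2 seconds")
    for qid in tempdir_collisions(SAMPLE_LOG):
        print(f"{qid}: temp directory already existed")
```
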


[Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Douglas Cohn
OOOPs

Just got this.


FRISK Software has released version 3.16a of F Prot Antivirus for Windows. 

More information on this release can be found on our
website:
http://www.f-prot.com/news/gen_news/041124_release_win316a.html

We recommend that users of F-Prot Antivirus for Windows update their
programs to version 3.16a as soon as possible



==
 I see a lot of posts surrounding F-prot 3.16.

I have not updated my server yet.  Is there an issue with it and declude?

Should the fpcmd.exe line be changed from prior to 3.16?  (Scott?)

One thing I do notice when using the desktop scanner version of 3.16.  It
detects Word macros as viruses much more frequently.  It also detects
several utility programs as viruses that neither previous versions of F-prot
nor Norton Corp 8.0 were detecting before.


Zebra's printer driver---

C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\K52VK16B\ZNetUtil.zip  could be an archive bomb


MSDN downloads

D:\CD Flat\msdn-extract\sms20sp3enu.exe-SP3enuCD/SMSSETUP/NETMON/ALPHA/McSvcps.dll  could be a corrupted executable file
D:\CD Flat\W2K Server Reskit\W2KRESKIT\APPS\CRYSTAL\DISK12\CRWEXE.00_-(PackWord)  could be a corrupted executable file
D:\CD Flat\W2K Server Reskit\W2KRESKIT\APPS\CRYSTAL\DISK4\CRPEDLL.00_-(PackWord)  could be a corrupted executable file
Scan settings:

Safe tools.

E:\storage\Foundstone\udpflood.zip-udpflood.exe  is a destructive program
Virus-infected files in archives cannot be disinfected.
E:\storage\InfoZip\Wiz.exe  could be a corrupted executable file
The scanning was aborted by the user, with infected or suspicious 



RE: [Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Rodney Bertsch
I've tried the link several times and don't seem to be getting anywhere.
The news release about 3.16a comes up, directs you to the Updates page, but
when I log in the updates page only offers 3.16 dated November 17th.

Anyone have a direct link to the update?

Thanks,

Rodney Bertsch
IS Coordinator
Kirk NationaLease Co.



RE: [Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Dan Horne
I'm getting that same issue.  The updater doesn't find anything either. 



RE: [Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Jim Nitterauer
I emailed them and the response was that their servers were overloaded.


Jim Nitterauer
President
Creative Data Concepts Limited, Inc.
3 W. Garden Street
Suite 326
Pensacola, FL 32502
http://www.creativedata.net
850-434-7645
800-607-6168



Re: [Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Bill Landry
The updated version is there now.  I sent F-Prot support an e-mail asking
why they would send out an update notification before they actually posted
the updated version for download - got a canned auto-reply...

Bill


[Declude.Virus] Issues running the fpcmd.exe scanner

2002-12-20 Thread Keith Johnson
Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing the f-prot.exe works great, reports in the log just fine, and sends out the notification emails. If I use the fpcmd file, the file gets seen, however nothing is done with it and the original email gets sent on its way. I set the log to DEBUG for this test and below is my trace, any aid would be greatly appreciated. This test used the eicar2.zip test file from www.eicar.com and sent locally using Outlook Express. 

12/20/2002 12:59:44 Q5a90002f0078444b Declude Virus Pro Registered
12/20/2002 12:59:44 Q5a90002f0078444b Starting locality check
12/20/2002 12:59:44 Q5a90002f0078444b CL Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains
12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] [0] is local domain1
12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] [0] is local main domain
12/20/2002 12:59:44 Q5a90002f0078444b Local host = ntad.com
12/20/2002 12:59:44 Q5a90002f0078444b [EMAIL PROTECTED] Offset=9 Flags=1
12/20/2002 12:59:44 Q5a90002f0078444b Msgid: 000901c2a851$93ec27e0$[EMAIL PROTECTED]
12/20/2002 12:59:44 Q5a90002f0078444b Subject: testing virus10
12/20/2002 12:59:44 Q5a90002f0078444b C:\IMail\spool\Q5a90002f0078444b.SMD
12/20/2002 12:59:44 Q5a90002f0078444b Starting virus scanning section...
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER=0
12/20/2002 12:59:44 Q5a90002f0078444b Exclude Default=1
12/20/2002 12:59:44 Q5a90002f0078444b Exclude Domain=0
12/20/2002 12:59:44 Q5a90002f0078444b Exclude peruser=-1
12/20/2002 12:59:44 Q5a90002f0078444b DoAv( C:\IMail\spool\D5a90002f0078444b.SMD );
12/20/2002 12:59:44 Q5a90002f0078444b avtempdir=C:\IMail\spool
12/20/2002 12:59:44 Q5a90002f0078444b Temp dir set to: C:\IMail\spool\D5a90002f0078444b.vir\
12/20/2002 12:59:44 Q5a90002f0078444b fp=444d40
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: multipart/mixed;boundary==_NextPart_000_0
12/20/2002 12:59:44 Q5a90002f0078444b Got boundary; =--=_NextPart_000_0005_01C2A827.AB057E10.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=multipart/mixed NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 0 (3-0-).
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: multipart/alternative;boundary==_NextPart
12/20/2002 12:59:44 Q5a90002f0078444b Got boundary; =--=_NextPart_001_0006_01C2A827.AB057E10.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=multipart/alternative NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 0 (3-0-).
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: text/plain;charset=iso-8859-1
12/20/2002 12:59:44 Q5a90002f0078444b Got Encoding quoted-printable.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=text/plain NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b !ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Handling a MIME segment [Boundary=--=_NextPart_001_0006_01C2A827.AB057E10].
12/20/2002 12:59:44 Q5a90002f0078444b Encoding type: quoted-printable [1/]
12/20/2002 12:59:44 Q5a90002f0078444b Starting BASE64
12/20/2002 12:59:44 Q5a90002f0078444b Hit new boundary (fseek)
12/20/2002 12:59:44 Q5a90002f0078444b curpos=920
12/20/2002 12:59:44 Q5a90002f0078444b Deleting (1) plaintext segment C:\IMail\spool\D5a90002f0078444b.vir\0..
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER--
12/20/2002 12:59:44 Q5a90002f0078444b Done Recursing...
12/20/2002 12:59:44 Q5a90002f0078444b Hit boundary... Recursing... 1 (3-0-).
12/20/2002 12:59:44 Q5a90002f0078444b MIMELAYER++
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME START
12/20/2002 12:59:44 Q5a90002f0078444b CT: Content-Type: text/html;charset=iso-8859-1
12/20/2002 12:59:44 Q5a90002f0078444b Got Encoding quoted-printable.
12/20/2002 12:59:44 Q5a90002f0078444b DOMIME end-of-headers
12/20/2002 12:59:44 Q5a90002f0078444b Not MIME header exploit: type=text/html NameEnd= 0 0
12/20/2002 12:59:44 Q5a90002f0078444b !ISMULTI
12/20/2002 12:59:44 Q5a90002f0078444b Handling a MIME segment [Boundary=--=_NextPart_001_0006_01C2A827.AB057E10].
12/20/2002 12:59:44 Q5a90002f0078444b Encoding type: quoted-printable [1/htm]
12/20/2002 12:59:44 Q5a90002f0078444b Starting BASE64
12/20/2002 12:59:44 

Re: [Declude.Virus] Issues running the fpcmd.exe scanner

2002-12-20 Thread R. Scott Perry


Reading some of the archives suggested that if using F-Prot it was best to 
use the fpcmd.exe over the f-prot.exe due to some errors encountered with 
using f-prot.exe


 12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: 
C:\Progra~1\FSI\F-Prot\fpcmd.exe
 /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt 
C:\IMail\spool\D5A900~1.VIR\

The problem is that you need to remove the /NOFLOPPY from the SCANFILE 
line in your \IMail\Declude\virus.cfg file.  F-Prot.exe requires this, but 
fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is there.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
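
The flag mismatch Scott describes lets mail through unscanned (Keith reports the original e-mail "gets sent on its way"), so it is worth checking mechanically. The following is an added example, not code from Declude or from the posters: it audits scanner command lines, taken either from `Starting scanner` debug-log entries or from `SCANFILE` lines, against the two rules stated in the thread. The `SCANFILE <command>` layout, the optional digit suffix and the `#` comment syntax are assumptions.

```python
import re

# Flag rules as stated in the thread: f-prot.exe requires /NOFLOPPY,
# fpcmd.exe does not work when /NOFLOPPY is present.
RULES = {
    "f-prot.exe": {"required": {"/NOFLOPPY"}, "forbidden": set()},
    "fpcmd.exe": {"required": set(), "forbidden": {"/NOFLOPPY"}},
}
# Debug-log form shown in the thread: "<date> <time> <queue id> Starting scanner #N: <command>"
LOG_RE = re.compile(r"^\S+ \S+ \S+ Starting scanner #\d+:\s*(.+)$")
# Assumed virus.cfg form: "SCANFILE <command>" (an optional digit suffix is also accepted)
CFG_RE = re.compile(r"^\s*SCANFILE\d*\s+(.+)$", re.IGNORECASE)


def audit_command(cmd):
    """Return the flag problems for one scanner command line."""
    tokens = cmd.split()
    if not tokens:
        return []
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    rule = RULES.get(exe)
    if rule is None:
        return []  # scanner not covered by the thread's advice
    # Switches start with "/"; "/REPORT=report.txt" is compared as "/REPORT".
    flags = {t.upper().split("=")[0] for t in tokens[1:] if t.startswith("/")}
    problems = [f"{exe}: remove {f}" for f in sorted(rule["forbidden"] & flags)]
    problems += [f"{exe}: add {f}" for f in sorted(rule["required"] - flags)]
    return problems


def audit_text(text):
    """Audit SCANFILE lines (config) or 'Starting scanner' lines (debug log)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # assumed comment syntax
        m = CFG_RE.match(line) or LOG_RE.match(line)
        if m:
            findings += [(lineno, p) for p in audit_command(m.group(1))]
    return findings


# The wrapped log entry quoted in the thread, rejoined onto one line.
SAMPLE_LOG = r"""12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt C:\IMail\spool\D5A900~1.VIR\
"""
# Constructed sample: the same command as a SCANFILE line with /NOFLOPPY removed.
SAMPLE_CFG = r"""SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt
"""

if __name__ == "__main__":
    print(audit_text(SAMPLE_LOG))
    print(audit_text(SAMPLE_CFG))
```

Run against the log entry from the thread it reports the `/NOFLOPPY` conflict for `fpcmd.exe`; the corrected line produces no findings.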


Re: [Declude.Virus] Issues running the fpcmd.exe scanner

2002-12-20 Thread J Porter

I ran into the same problem. Leave off the /nofloppy

I found it easiest to just copy Scott's setup from the online manual then change the drive/directory for your setup.

Actually, fpcmd appears to be slightly more efficient on our system running WinNT4 workstation.

~Joe

  - Original Message -
  From: Keith Johnson
  To: [EMAIL PROTECTED]
  Sent: Friday, December 20, 2002 12:14 PM
  Subject: [Declude.Virus] Issues running the fpcmd.exe scanner

  Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing, the f-prot.exe works great, reports in the log just fine, and sends out the notification emails. If I use the fpcmd file, the file gets seen; however, nothing is done with it and the original email gets sent on its way. I set the log to DEBUG for this test and below is my trace; any aid would be greatly appreciated. This test used the eicar2.zip test file from www.eicar.com and was sent locally using Outlook Express.


RE: [Declude.Virus] Issues running the fpcmd.exe scanner

2002-12-20 Thread Keith Johnson
Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe


  12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: 
C:\Progra~1\FSI\F-Prot\fpcmd.exe
  /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB
/REPORT=report.txt 
C:\IMail\spool\D5A900~1.VIR\

The problem is that you need to remove the /NOFLOPPY from the SCANFILE line in your \IMail\Declude\virus.cfg file.  F-Prot.exe requires this, but fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is there.
 -Scott


RE: [Declude.Virus] Issues running the fpcmd.exe scanner

2002-12-20 Thread Keith Johnson
Scott,
Thank you for your wisdom, you are awesome.

-Keith

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 20, 2002 2:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Issues running the fpcmd.exe scanner



Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe


  12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: 
C:\Progra~1\FSI\F-Prot\fpcmd.exe
  /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB
/REPORT=report.txt 
C:\IMail\spool\D5A900~1.VIR\

The problem is that you need to remove the /NOFLOPPY from the SCANFILE line in your \IMail\Declude\virus.cfg file.  F-Prot.exe requires this, but fpcmd.exe doesn't need it and will actually not work if the /NOFLOPPY is there.
 -Scott
