RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

I switched from i5 to i8 6 hours ago. Until now I can see two empty vir
directories. Before I've had one undeleted vir directory per month. (5000 to
7000 msgs / day)

What is in those files?

Have you checked the Declude Virus log file to see the log file entries for 
those E-mails?

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
 I believe it is only with the new encrypted (password) zip files.  I saw in 
my log (when running i8) that my Scanners were picking up and detecting normal zip's, 
normal pifs, normal scr. etc. of all virus flavors (if there is such thing as normal). 
 I believe I wouldn't see (as long as we have a sig file) any banning of normal zips 
(un-passworded) since the AV scanner would pick it and process it first before 
banning.   
 
 For whatever reason, any password laid virus zip files containing com, pif, 
scr, exe, or others are not getting picked up on our system with i8, however, they are 
with i7.   I hope this helps.  
 
 What I just used to test this was the Eicar.com virus zipped up with WinZip with 
an applied password.  Ran it through both to an address on the system and also to 
another Declude protected Imail system, both came straight through.
 
Keith


I'm not clear on exactly what is happening.  Is the problem *only* with
.ZIP files, or is it also occurring with other types of files?

-Scott



Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread andyb
I also forwarded the original message to your email address with .zip
attached.

Thanks, Andy

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 7:51 AM
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files



 Matt, that's how I have it setup, and one got through.

 What is one?  A .ZIP file with a banned encrypted file extension?  A .ZIP
 file with a banned non-encrypted file extension? A .ZIP file with an
 encrypted file that does not have a banned file extension?  Something else?


 -Scott


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

I also forwarded the original message to your email address with .zip
attached.

No, no, NO.

NEVER send a virus or any file that you think may be malicious to ANY 
E-mail address that is not expecting it.

We have one and only one E-mail address that viruses or suspicious files 
may be sent to (the declude.com virustrap address).

   -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it 
in place of the new commands:
 
BANEZIPEXTS and BANZIPEXTS ON
 
   I used that encoded file to test it under i8 first and it went straight 
through, that is what tipped me off that something was not right.  I then turned 
around and made my own test from eicar.com and it went through.  I just tested it 
under i7 and it got caught.  I am unsure where to turn as our .vir directories are off 
the charts.  
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Wed 3/3/2004 9:01 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus 
.bat, .com, .pif, and .scr files




  For whatever reason, any password laid virus zip files
 containing com, pif, scr, exe, or others are not getting picked up on our
 system with i8, however, they are with i7.   I hope this helps.

I assume you are using BANEXT EZIP with i7.  Are you using it with i8 as
well?  Do you have BANEXT com, BANEXT pif, etc. in your virus.cfg file?

  What I just used to test this was the Eicar.com virus zipped up with
 WinZip with an applied password.  Ran it through both to an address on
 the system and also to another Declude protected Imail system, both came
 straight through.

Do the eicarencodedzip E-mail from the Test Virus Sender at
http://www.declude.com/tools/ get caught?

-Scott

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
 This is my top portion of my virus.cfg file under i7 and i8.  
 
Keith

-Original Message- 
From: Keith Johnson on behalf of Keith Johnson 
Sent: Wed 3/3/2004 8:10 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus 
.bat, .com, .pif, and .scr files


Scott, 
 This is a 'top' sample of what I have listed in my Virus.CFG file:
 
BANEZIPEXTS ON
BANZIPEXTS ON
BANEXT exe
BANEXT ex_
BANEXT pif
BANEXT pi_
BANEXT scr
BANEXT sc_
BANEXT bat
BANEXT ba_
BANEXT com
BANEXT co_
 
 Since we modify extensions at our Firewall, you see the different 
alternate extensions above.  I made no modifications to the above moving to i8.  I 
noticed in my log (tried MID and HIGH) after moving to i8 that I no longer saw any 
Banning extension with (EXT) lines.  Thus, I got concerned.  On average, we get a 
virus every few seconds, and moving back to i7, within a minute, I was catching the 
banned extension inside of zip's again.  When I was on i8, I did a simple test of 
zipping an Eicar .com virus and password protecting it.  I ran it through and it went 
straight to my inbox.  I then dropped back to i7 and ran the same file through and it 
was picked up and logged, however, the directory couldn't be removed.  Thus, this 
morning I had well over 200 plus .vir directories to delete.  Any thoughts?  Thanks 
for the aid.
 
Keith
 
-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Wed 3/3/2004 7:57 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus 
.bat, .com, .pif, and .scr files




I'll second that. Running 1.78i8, with BANZIPEXTS and BANEZIPEXTS ON, the
encoded zip eicar test passes through. The regular zip version of the eicar
test is caught.

Just to clarify, this IS the expected behavior with 1.78i18.

BANZIPEXTS ON and BANEZIPEXTS ON will *only* block .ZIP files *if* they
contain files that have a banned file extension.  So unless you also have a
line BANEXT com in the virus.cfg file, an encrypted eicar.com file won't
get caught.

For others having issues with these new features, please be very clear what
is happening.  There are a lot of possibilities here.  You'll need to
specify [1] Whether you are using BANZIPEXTS ON or BANEZIPEXTS ON (or the
not-recommended-but-still-useful BANEXT EZIP), [2] Whether you have a
BANEXT line to block the appropriate file (BANEXT com, for example), [3]
What type of file you are sending through (.com? .com within a .zip?), [4]
If it is a .ZIP file, is the file inside it encrypted?

-Scott

[Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Guhl, Markus (LDS)
hi scott,

i know that right now it is more important to fight these new virii, but i might have a small problem with 1.78i8.

i am using 1.78i8 (with BANZIPEXTS ON and BANEZIPEXTS ON and no BANEXT EZIP) and some lines like the following are in my viruslog:

03/03/2004 10:19:17 Qa313025b008ed2a1 Invalid COM Vulnerability
03/03/2004 10:19:17 Qa313025b008ed2a1 File(s) are INFECTED [: W32/[EMAIL PROTECTED]: 3]
03/03/2004 10:19:17 Qa313025b008ed2a1 Scanned: CONTAINS A VIRUS [MIME: 2 22057]

does this mean that the COM Vulnerability and the virus were discovered?

what was the value of %VIRUSNAME% in this case? i use SKIPIFVIRUSNAMEHAS to switch between different emls for normal virii and vulnerabilities.

best regards,
on behalf of
signed markus guhl

***
lds nrw
dez. 235
tel.: 0211 9449 2578
fax.: 0211 9449 8344
mailto:[EMAIL PROTECTED]
***





Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

03/03/2004 10:19:17 Qa313025b008ed2a1 Invalid COM Vulnerability
03/03/2004 10:19:17 Qa313025b008ed2a1 File(s) are INFECTED [: W32/[EMAIL PROTECTED]: 3]

does this mean that the COM Vulnerability and the virus was discovered?

Correct.  v1.78i9 fixes this, so that the Invalid COM Vulnerability will 
not be used when a virus scanner detects a virus (so users will see 
W32/Netsky.B in their notifications, rather than Invalid COM 
Vulnerability).

   -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
I don't know that our firewall is the issue due to it working
under i7 and all prior Declude versions.  The Firewall only modifies the
extension, it does not in any way alter the file.  When you wrote that i7
will not block encrypted zips without the BANEXT EZIP line, it was my
understanding if you have the following:

BANEZIPEXTS ON
BANEXT com

then it will block encrypted zip files containing .com files?  Am
I wrong?  Do I need to have all the following lines in there?

BANEZIPEXTS ON
BANEXT EZIP
BANEXT com

I thought you mentioned that BANEXT EZIP was 'undesirable' and
using the first example above was ideal? 

Version i7 is causing the .vir directories and the lines in the
log that indicate Declude could not remove the .vir directory.  Inside
those directories are files called 0.zi and 1.zi   It was my
understanding that i8 fixed this issue with the .vir directory and also
added new features for attacking .bat, .scr, etc.

I am currently on i7, due to i8 not catching encrypted .zip
files with extensions in my BANEXT listing.  This was tested from the
encoded zip file as well as an eicar.com file zipped and password
protected.  



Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files


 I am not using BANEXT EZIP with i7 nor i8 per your 
 instructions to remove it in place of the new commands:

In that case, i7 will *not* block any encrypted .ZIP files.

BANEZIPEXTS and BANZIPEXTS ON

I used that encoded file to test it under i8 first and it went 
 straight through, that is what tipped me off that something was not
right.

What extension does the attachment in your mail client show?  I'm
thinking that the firewall is mucking things up (if it renames the .ZIP
to .ZI or .ZI_, for example, Declude Virus won't look at it).

I am unsure where to turn as our .vir directories are off the charts.

Unfortunately, this isn't useful information without knowing which
version(s) caused them, and preferably the log file entries for them as
well.  There was an old interim that could cause this, but the latest
should not.

-Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Matt,
I had a space in mine, not a tab.  For what it is worth.

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files

Here's a thought.

Since this is working in some cases and not in others, maybe there is a
syntax bug.

I have the following:

BANEZIPEXTS[tab]ON
BANEXT[tab]EXE
BANEXT[tab]COM
etc.

What if someone had spaces, multiple spaces or multiple tabs?  How about
a space or tab following one of the lines?  Maybe Declude isn't parsing
this correctly from the config file???

I think it's worth a quick look.

Matt






R. Scott Perry wrote:


 I apologize for the flood of emails to you as I know your 
 time is precious.  However, I pulled the following that BANZIPEXTS 
 and BANEZIPEXTS was added in i7:


 Sorry, my mistake.

 I am unsure on the .zip to .zi_ as I have no issues with 
 Declude with versions 1.78i7 and prior.  It was only with i8 that 
 Declude was not seeing the zip with hiding file extensions any
longer.


 Unfortunately, I'm not sure what you are referring to regarding the 
 hiding file extensions.

 Again, it is vital that people be very clear in their posts.  I'm very
 close to turning this into a moderated list until this all blows over.

 What we are looking for is to get as much information about bugs in 
 the new interim as quickly as possible on this list, while at the same
 time minimizing the amount of posts to this list.


-Scott



--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Matt,
Is yours working with the TAB, I'll try anything?

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files

Here's a thought.

Since this is working in some cases and not in others, maybe there is a
syntax bug.

I have the following:

BANEZIPEXTS[tab]ON
BANEXT[tab]EXE
BANEXT[tab]COM
etc.

What if someone had spaces, multiple spaces or multiple tabs?  How about
a space or tab following one of the lines?  Maybe Declude isn't parsing
this correctly from the config file???

I think it's worth a quick look.

Matt






R. Scott Perry wrote:


 I apologize for the flood of emails to you as I know your 
 time is precious.  However, I pulled the following that BANZIPEXTS 
 and BANEZIPEXTS was added in i7:


 Sorry, my mistake.

 I am unsure on the .zip to .zi_ as I have no issues with 
 Declude with versions 1.78i7 and prior.  It was only with i8 that 
 Declude was not seeing the zip with hiding file extensions any
longer.


 Unfortunately, I'm not sure what you are referring to regarding the 
 hiding file extensions.

 Again, it is vital that people be very clear in their posts.  I'm very
 close to turning this into a moderated list until this all blows over.

 What we are looking for is to get as much information about bugs in 
 the new interim as quickly as possible on this list, while at the same
 time minimizing the amount of posts to this list.


-Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Rodney Bertsch
Again, it is vital that people be very clear in their posts.  I'm very
close to turning this into a moderated list until this all blows over.


Scott, I can certainly sympathize with what you are going through there.
You do an OUTSTANDING job for us and I rank Declude as #1 in my book in all
areas.

I for one would GLADLY want you to turn this into a moderated list.  My
inbox is flooded as it is by virus notifications, add to the immense amount
of posts on the declude list and it's all I can do to just wade through my
e-mail.  I subscribe to the declude list to keep up on all the latest virus
info, not to read a hundred posts asking the same question over and over
again.

PLEASE go to a moderated list!

Rodney Bertsch
IS Coordinator
Kirk NationaLease Co.




Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Matt
Here's a thought.

Since this is working in some cases and not in others, maybe there is a 
syntax bug.

I have the following:

BANEZIPEXTS[tab]ON
BANEXT[tab]EXE
BANEXT[tab]COM
etc.
What if someone had spaces, multiple spaces or multiple tabs?  How about 
a space or tab following one of the lines?  Maybe Declude isn't parsing 
this correctly from the config file???

I think it's worth a quick look.

Matt





R. Scott Perry wrote:


I apologize for the flood of emails to you as I know your time
is precious.  However, I pulled the following that BANZIPEXTS and
BANEZIPEXTS was added in i7:


Sorry, my mistake.

I am unsure on the .zip to .zi_ as I have no issues with Declude
with versions 1.78i7 and prior.  It was only with i8 that Declude was
not seeing the zip with hiding file extensions any longer.


Unfortunately, I'm not sure what you are referring to regarding the 
hiding file extensions.

Again, it is vital that people be very clear in their posts.  I'm very 
close to turning this into a moderated list until this all blows over.

What we are looking for is to get as much information about bugs in 
the new interim as quickly as possible on this list, while at the same 
time minimizing the amount of posts to this list.

   -Scott


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread andyb
thanks,

Andy
- Original Message -
From: John Carter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 11:37 AM
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files


 Virustrap at the declude.com domain - Scott wisely doesn't post actual
 @ addresses on the list.  The list archive is probably scanned for
 addresses just as our websites are.

 John

 -Original Message-

 OK...

 so I got a No, no, NO

 but what is the address!!!???


 - Original Message -
 From: R. Scott Perry [EMAIL PROTECTED]
  We have one and only one E-mail address that viruses or suspicious
 files
  may be sent to (the declude.com virustrap address).
 
  -Scott




Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread System Administrator
on 3/3/04 12:13 PM, ISPhuset Nordic AS wrote:

 could you please post the link here

http://www.declude.com/interim/



Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Don Hickey
I tried this with 1,2,3 spaces and tabs between the BANZIPEXTS, BANZIPEXTS
and the ON.

Then I sent myself a compressed .pif file both pw protected and not pw
protected and every single one was caught (eight total) (as banned extensions
ZIP-PIF).

All my BANEXT lines have one space between it and the actual extension
name...example-

BANEXT[SP]EXE

#Regular Zip File
BANZIPEXTS   ON
#Password Protected Zip File
BANEZIPEXTS   ON

Don


- Original Message - 
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 10:30 AM
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files


 Here's a thought.

 Since this is working in some cases and not in others, maybe there is a
 syntax bug.

 I have the following:

 BANEZIPEXTS[tab]ON
 BANEXT[tab]EXE
 BANEXT[tab]COM
 etc.

 What if someone had spaces, multiple spaces or multiple tabs?  How about
 a space or tab following one of the lines?  Maybe Declude isn't parsing
 this correctly from the config file???

 I think it's worth a quick look.

 Matt






 R. Scott Perry wrote:

 
  I apologize for the flood of emails to you as I know your time
  is precious.  However, I pulled the following that BANZIPEXTS and
  BANEZIPEXTS was added in i7:
 
 
  Sorry, my mistake.
 
  I am unsure on the .zip to .zi_ as I have no issues with
Declude
  with versions 1.78i7 and prior.  It was only with i8 that Declude was
  not seeing the zip with hiding file extensions any longer.
 
 
  Unfortunately, I'm not sure what you are referring to regarding the
  hiding file extensions.
 
  Again, it is vital that people be very clear in their posts.  I'm very
  close to turning this into a moderated list until this all blows over.
 
  What we are looking for is to get as much information about bugs in
  the new interim as quickly as possible on this list, while at the same
  time minimizing the amount of posts to this list.
 
 
 -Scott
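
Added example, not part of the thread and not Declude's code: a Python model of the rule Scott describes (a ZIP is blocked only when a member's extension is on a BANEXT line and the matching BANZIPEXTS or BANEZIPEXTS switch is ON), with a config parser that treats spaces, tabs and trailing whitespace alike, as Matt and Don were testing. It relies on member names and the encryption flag of a standard password-protected ZIP being readable from the archive's directory without the password; the function names, the `sniff` option and the sample data are assumptions made for illustration.

```python
import io
import zipfile

# Constructed sample in the style of the virus.cfg excerpts quoted in the
# thread, deliberately mixing tabs, runs of spaces and trailing whitespace.
SAMPLE_CFG = (
    "#Regular Zip File\n"
    "BANZIPEXTS   ON\n"
    "#Password Protected Zip File\n"
    "BANEZIPEXTS\tON \n"
    "BANEXT com\n"
    "BANEXT\tpif\n"
    "BANEXT  scr\t\n"
)


def parse_cfg(text):
    """Parse the three directives, splitting on any run of spaces or tabs."""
    policy = {"banned": set(), "zip": False, "ezip": False}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 2:
            continue  # blank, comment-only or malformed line
        key, value = parts[0].upper(), parts[1]
        if key == "BANEXT":
            policy["banned"].add(value.lower().lstrip("."))
        elif key == "BANZIPEXTS":
            policy["zip"] = value.upper() == "ON"
        elif key == "BANEZIPEXTS":
            policy["ezip"] = value.upper() == "ON"
    return policy


def extension(name):
    """Lower-cased extension of the last path component, without the dot."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def banned_members(data, policy):
    """List (member, encrypted) pairs the policy bans, from ZIP metadata only."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    hits = []
    for info in archive.infolist():
        encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag, bit 0
        switch_on = policy["ezip"] if encrypted else policy["zip"]
        if switch_on and extension(info.filename) in policy["banned"]:
            hits.append((info.filename, encrypted))
    return hits


def inspect_attachment(name, data, policy, sniff=False):
    """Return (blocked, reason). sniff=True also detects ZIPs by content."""
    ext = extension(name)
    if ext in policy["banned"]:
        return (True, "banned extension ." + ext)
    if ext != "zip" and not (sniff and zipfile.is_zipfile(io.BytesIO(data))):
        return (False, "not inspected as a ZIP")
    hits = banned_members(data, policy)
    if hits:
        return (True, "ZIP contains " + ", ".join(n for n, _ in hits))
    return (False, "no banned extension inside")


def make_zip(names, encrypted=False):
    """Build a constructed test ZIP in memory with placeholder member data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        for name in names:
            archive.writestr(name, b"constructed placeholder, not malware")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Python's zipfile cannot write encrypted members, so only the flag is
        # set (local header offset 6, central directory offset 8). The data is
        # not really encrypted; the checks above read metadata only.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + offset] |= 0x01
                pos = data.find(signature, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    policy = parse_cfg(SAMPLE_CFG)
    for label, blob in (("plain", make_zip(["eicar.com"])),
                        ("password-flagged", make_zip(["eicar.com"], True))):
        print(label, inspect_attachment("test.zip", blob, policy))
    # A firewall-renamed archive is skipped unless content sniffing is on.
    renamed = make_zip(["eicar.com"], True)
    print(inspect_attachment("test.zi_", renamed, policy))
    print(inspect_attachment("test.zi_", renamed, policy, sniff=True))
```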


[Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread R. Scott Perry
We now have a new interim release 1.78i8 of Declude Virus Pro at 
http://www.declude.com/interim that will look for invalid .bat, .com, .pif, 
and .scr files, and will treat them as vulnerabilities.  It is expected 
that this will cut down significantly on the impact of future viruses in 
the time before new virus definitions are available.

   -Scott


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread Matt
Scott,

Can I have a million dollars???

:)



R. Scott Perry wrote:

> We now have a new interim release 1.78i8 of Declude Virus Pro at
> http://www.declude.com/interim that will look for invalid .bat, .com,
> .pif, and .scr files, and will treat them as vulnerabilities.  It is
> expected that this will cut down significantly on the impact of future
> viruses in the time before new virus definitions are available.
>
>    -Scott

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread Donn Bly
If we are already blocking those extensions, how would that help?


 -----Original Message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
 Sent: Tuesday, March 02, 2004 6:40 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] New interim Declude Virus Pro to block bogus
 .bat, .com, .pif, and .scr files

 We now have a new interim release 1.78i8 of Declude Virus Pro at
 http://www.declude.com/interim that will look for invalid .bat, .com, .pif,
 and .scr files, and will treat them as vulnerabilities. It is expected
 that this will cut down significantly on the impact of future viruses in
 the time before new virus definitions are available.

 -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread R. Scott Perry

> If we are already blocking those extensions, how would that help?

If you are already blocking .bat, .com, .pif, and .scr files, the new 
interim release won't help.

However, if you are not blocking all those files (most of our customers are 
not), it will help.

It can also be used if you want to allow the good files through.  For 
example, if people have a legitimate need to send .PIF files through, the 
new blocking of bogus .PIF files should prevent any viruses from getting 
through with .PIF extensions.  .bat/.com/.scr have holes that would allow 
viruses through, but it's unlikely that any viruses would take advantage of 
those holes (there are other holes that they can use more easily and gain 
more from).

   -Scott
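An added example, not Declude's code and not part of the original thread: one way a mail filter could separate a "bogus" attachment from a real one by comparing the file's first bytes with its extension. The rules used here (the MZ header test, the text heuristic for .bat) and all sample attachments are assumptions constructed for illustration; the thread does not say how Declude Virus makes this decision.

```python
# Added example (not Declude's code): content-vs-extension check for attachments.
# All rules below are illustrative assumptions, not the product's logic.

def has_mz_header(data: bytes) -> bool:
    """DOS/Windows executables start with the two bytes 'MZ'."""
    return data[:2] == b"MZ"


def looks_like_text(data: bytes) -> bool:
    """Batch files are plain text: no NUL bytes, almost all printable."""
    if not data or b"\x00" in data:
        return False
    printable = sum(1 for b in data if b in (9, 10, 13) or 32 <= b < 127)
    return printable / len(data) >= 0.95


def classify(filename: str, data: bytes) -> str:
    """Return 'ok', 'bogus' or 'unchecked' for one attachment."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext == "pif":
        # A real PIF is a DOS shortcut (data only); an MZ header means a
        # program is hiding behind the extension.
        return "bogus" if has_mz_header(data) else "ok"
    if ext == "bat":
        ok = looks_like_text(data) and not has_mz_header(data)
        return "ok" if ok else "bogus"
    if ext == "scr":
        # Screen savers are genuine executables, so only a missing MZ header
        # is anomalous; a well-formed malicious .scr still passes this test.
        return "ok" if has_mz_header(data) else "bogus"
    if ext == "com":
        # Raw .com images have no header to validate; only the
        # mislabelled-executable case is visible.
        return "bogus" if has_mz_header(data) else "ok"
    return "unchecked"


# Constructed sample attachments (name, leading bytes).
SAMPLES = [
    ("invoice.pif", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("oldgame.pif", b"\x00\x78" + b"OLDGAME".ljust(30) + b"\x00" * 337),
    ("backup.bat", b"@echo off\r\nxcopy c:\\data d:\\backup /s\r\n"),
    ("photo.bat", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("saver.scr", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("notes.txt", b"hello"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(f"{name:12} {classify(name, blob)}")
```

The `saver.scr` sample passes because a screen saver is legitimately an executable, which is the kind of hole the reply above describes for .bat/.com/.scr; the check is strongest for .PIF.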