RE: [Declude.Virus] Blocking the files in mydoom /Archive=3
F-prot 3.15 reports

C:\Program Files\FSI\F-Prot>fpcmd /?
Usage: f-prot [drive, file or directory] [options]
-ai          Enable neural-network virus detection.
-append      Append to existing report file.
-archive=n   Scan inside archives (n levels deep)

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

()  ascii ribbon campaign - against html mail
/\                        - against microsoft attachments

---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
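The archive-depth behaviour this thread discusses (one level unless -archive=n / /Archive=2 is given, so a zip inside a zip goes unopened), as an added Python example that is not part of any message and is not F-Prot or Declude code: it walks a ZIP to a configurable depth and lists every nested archive it did not open, so a gateway can block those instead of delivering them. The banned-extension set, the size cap and all function names are assumptions made for the illustration.

```python
import io
import zipfile

# Assumed policy for illustration; not Declude's or F-Prot's actual defaults.
BANNED_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # cap on declared uncompressed size


def build_nested_zip(inner_name, payload, levels):
    """Constructed test input: wrap `payload` in `levels` layers of ZIP."""
    name, data = inner_name, payload
    for layer in range(levels, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        name, data = f"layer{layer}.zip", buf.getvalue()
    return data


def banned_ext(filename):
    """Return the banned extension carried by `filename`, or None.

    Every dot-separated part after the first is checked, so a double
    extension such as 'name.com.zip' is reported as well as 'name.com'.
    """
    for part in filename.lower().split(".")[1:]:
        if part in BANNED_EXTS:
            return part
    return None


def inspect_zip(data, max_depth, depth=1, prefix=""):
    """Walk a ZIP up to `max_depth` levels, like a scanner's archive limit.

    Returns (findings, unscanned). findings holds (depth, path, ext) for
    each banned extension seen. unscanned lists nested archives that were
    NOT opened; a fail-closed policy blocks or quarantines on any entry.
    """
    findings, unscanned = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings, [f"{prefix or '<attachment>'}: not a readable ZIP"]
    with zf:
        for info in zf.infolist():
            path = f"{prefix}!{info.filename}" if prefix else info.filename
            base = info.filename.rsplit("/", 1)[-1]
            hit = banned_ext(base)
            if hit:
                findings.append((depth, path, hit))
            if not base.lower().endswith(".zip"):
                continue
            if depth >= max_depth:
                unscanned.append(f"{path}: deeper than {max_depth} level(s)")
            elif info.flag_bits & 0x1:  # bit 0 of the flags marks encryption
                unscanned.append(f"{path}: encrypted")
            elif info.file_size > MAX_MEMBER_BYTES:
                unscanned.append(f"{path}: too large to inflate")
            else:
                inner, skipped = inspect_zip(
                    zf.read(info), max_depth, depth + 1, path)
                findings.extend(inner)
                unscanned.extend(skipped)
    return findings, unscanned


if __name__ == "__main__":
    # Constructed sample: a placeholder file double-zipped, as in the thread.
    sample = build_nested_zip("document.exe", b"constructed placeholder", 2)
    for limit in (1, 2):
        print("max_depth", limit, inspect_zip(sample, limit))
```

With a limit of 1 the inner file is never seen and only the unopened inner archive is reported; with a limit of 2 the banned extension is found at depth 2.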
RE: [Declude.Virus] Blocking the files in mydoom /Archive=3
I just checked my version 3.14e and indeed it is able to accept the /archive=3 parameter even though the help option does not show that as a valid option

C:\Test>q:\progra~1\fsi\f-prot\fpcmd /?
Usage: f-prot [drive, file or directory] [options]
-ai        Enable neural-network virus detection.
-append    Append to existing report file.
-archive   Scan inside .ZIP and .ARJ files.

Goran Jovanovic
The LAN Shoppe

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Rick Davidson
> Sent: Tuesday, July 27, 2004 11:23 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Blocking the files in mydoom /Archive=3
>
> Correct if you do not use that option F-prot will only search one level,
> that option tells F-Prot to search zips within zips. I think you need
> Version 3.14e or better to use this option
>
> /Archive=2 will catch the current mydoom variants
>
> /Archive=3 will search a third level if it exists
>
> you can easily test this with the eicar test file
>
> Rick Davidson
> National Systems Manager
> North American Title Group
>
> - Original Message -
> From: "Jim Matuska" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 27, 2004 11:12 AM
> Subject: Re: [Declude.Virus] Blocking the files in mydoom /Archive=3
>
> > Scott,
> > Can I get a clarification on this /Archive=3 Option. Should we be setting
> > this option? If we don't will F-Prot not see past the first zip file? If
> > we do set the 3 will it let us pick up viruses in the second or 3rd zip
> > file?
> >
> > Jim Matuska Jr.
> > Computer Tech II
> > CCNA
> > Nez Perce Tribe
> > Information Systems
> > [EMAIL PROTECTED]
> >
> > ----- Original Message -
> > From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, July 26, 2004 4:33 PM
> > Subject: RE: [Declude.Virus] Blocking the files in mydoom
> >
> > For F-Prot do you need the /ARCHIVE parameter to scan zip within zip or
> > do you need the /ARCHIVE=3 option? I checked the help on fpcmd command
> > and there is no indication that the /ARCHIVE takes any options.
> >
> > Goran Jovanovic
> > The LAN Shoppe
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Matt
> > > Sent: Monday, July 26, 2004 7:18 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [Declude.Virus] Blocking the files in mydoom
> > >
> > > Scott,
> > >
> > > Thanks for the clarifications. I have the latest definitions from both
> > > McAfee and F-Prot, and I have F-Prot set to scan 3 deep into zips.
> > >
> > > I have dozens of these files in my spam capture account. It seems
> > > however that many of the more recent ones are very small files on the
> > > order of just 2K, and I would imagine that these are damaged payloads
> > > and that's why they are passing through Declude Virus with F-Prot and
> > > McAfee.
> > >
> > > My real issue though is that my logs show absolutely no indications of
> > > MyDoom.O. I fear that I have no protection against this virus, and I
> > > fear that there is an issue with the detection of double-zips. I am
> > > definitely seeing double zips.
> > >
> > > Matt
> > >
> > > R. Scott Perry wrote:
> > >
> > > >> Please excuse me, but I'm having trouble figuring out exactly what is
> > > >> going on here.
> > > >>
> > > >> It sounds like this virus is double-zipping files, and that this
> > > >> technique is tricking the virus scanners. Is that correct?
> > > >
> > > > McAfee is reporting that *some* copies are being double-zipped (a .ZIP
> > > > file within a .ZIP file). I'm not aware of any virus scanners that
> > > > will be fooled by that. I'm guessing only a very small percentage are
> > > > double-zipped.
> > > >
> > > >> If so, BANZIPEXTS, which will by default ban double-zips in addition
> > > >> to other banned extensions, is the presumably best work-around? If
> > > >> not that, then custom filters in Declude?
RE: [Declude.Virus] Blocking the files in mydoom
http://www.informationweek.com/story/showArticle.jhtml?articleID=25600493

According to this it is double zipping so the only way I can think of stopping it is by banning .zip files completely.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, July 26, 2004 5:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Blocking the files in mydoom

Please excuse me, but I'm having trouble figuring out exactly what is going on here.

It sounds like this virus is double-zipping files, and that this technique is tricking the virus scanners. Is that correct?

If so, BANZIPEXTS, which will by default ban double-zips in addition to other banned extensions, is the presumably best work-around? If not that, then custom filters in Declude?

I'm seeing a fair number of MyDoom.M (F-Prot)/MyDoom.N(McAfee), but no MyDoom.O that the scanners have picked up on. Am I missing something?

Thanks,

Matt

R. Scott Perry wrote:

>> Maybe even a BANZIPEXT ON (not just e-zip) so that people
>> can get zipped .JPGs but not zipped .exe's
>
> BANZIPEXTS ON is in v1.79. For any file extension that you ban with
> the BANEXT option, it will then be blocked if it is in a .ZIP file as
> well.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail
> mailservers since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in
> mailserver vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.Virus] Blocking the files in mydoom
Jim,

The BOUNCE action was changed to "BOUNCEONLYIFYOUMUST" in the newer releases.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers.

Jim Nitterauer writes:

Question:

My declude log contains the following cryptic message:

07/26/2004 15:32:21 Q6a3e178601c0f0dc Warning: misconfiguration in following line in configuration file (BOUNCE is not an ACTION). May be a duplicate test definition?

I have checked both config files and cannot find any duplicates. I recently installed the MTLDB test. I am using 1.79i8

Thanks
Any ideas?

Jim Nitterauer
President
Creative Data Concepts Limited, Inc.
3 W. Garden Street
Suite 326
Pensacola, FL 32502
http://www.creativedata.net
850-434-7645
800-607-6168

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, July 26, 2004 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Blocking the files in mydoom

>Something must be broken or something must be unusual about this file.
>I just added
>
>BANEXT ZIP
>
>It is catching other files that I have banned. And I was able to
>forward this file ([EMAIL PROTECTED])to myself from a user
>that sent it to me. Does declude treat a forwarded file differently somehow?
>CRAP.

No, the forwarded files are not treated differently. Does the E-mail you received (the one you forwarded) have a .ZIP file attachment? Are you sure it is .ZIP?

>I am using F-protect and I updated it about noon and I'm using an
>interim downloaded about three days ago.

Noon EST? If so, I would recommend downloading the virus definitions again. The date of them should be July 26 or later.

-Scott

-
[This E-mail scanned for viruses courtesy of Creative Data Concepts http://www.creativedata.net]
Re: [Declude.Virus] Blocking the files in mydoom
I know this is a busy day to bug about this but . . .

Will we be getting separate extension lists for normal files and inside zips soon?

For Example:
Block EXE but allow EXE inside Zips (I'd like to block them but I'd get hung)
Block COM and SRC in both places.

Currently I block extensions outside of Zips but let all the Zips (except password protected) through.

Greg Little

R. Scott Perry wrote:

> BANZIPEXTS ON is in v1.79. For any file extension that you ban with
> the BANEXT option, it will then be blocked if it is in a .ZIP file as
> well.
>
> -Scott

---
[This E-mail scanned for viruses by Findlay Internet]
Re: [Declude.Virus] Blocking the files in mydoom
Please excuse me, but I'm having trouble figuring out exactly what is going on here.

It sounds like this virus is double-zipping files, and that this technique is tricking the virus scanners. Is that correct?

If so, BANZIPEXTS, which will by default ban double-zips in addition to other banned extensions, is the presumably best work-around? If not that, then custom filters in Declude?

I'm seeing a fair number of MyDoom.M (F-Prot)/MyDoom.N(McAfee), but no MyDoom.O that the scanners have picked up on. Am I missing something?

Thanks,

Matt

R. Scott Perry wrote:

>> Maybe even a BANZIPEXT ON (not just e-zip) so that people
>> can get zipped .JPGs but not zipped .exe's
>
> BANZIPEXTS ON is in v1.79. For any file extension that you ban with
> the BANEXT option, it will then be blocked if it is in a .ZIP file as
> well.
>
> -Scott

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.Virus] Blocking the files in mydoom
>Will we be getting separate extension lists for normal files and inside zips soon?
>
>For Example:
>Block EXE but allow EXE inside Zips (I'd like to block them but I'd get hung)
>Block COM and SRC in both places.

It's something that we would like to add to Declude Virus, but I can't say for sure if/when it will happen.

-Scott
RE: [Declude.Virus] Blocking the files in mydoom
Why did this just start appearing in the logs? Never saw it before.

Jim Nitterauer
President
Creative Data Concepts Limited, Inc.
3 W. Garden Street
Suite 326
Pensacola, FL 32502
http://www.creativedata.net
850-434-7645
800-607-6168

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, July 26, 2004 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Blocking the files in mydoom

>07/26/2004 15:32:21 Q6a3e178601c0f0dc Warning: misconfiguration in
>following line in configuration file (BOUNCE is not an ACTION). May be
>a duplicate test definition?

That's because about 90% of the people using the BOUNCE action in Declude JunkMail were doing so in a very, very bad way (essentially causing themselves to be spammers without realizing it).

If you fully understand who those bounce messages are going to, and that you may get blacklisted if you are not careful, you can change the action name to BOUNCEONLYIFYOUMUST.

-Scott
RE: [Declude.Virus] Blocking the files in mydoom
OK Thanks

Jim Nitterauer
President
Creative Data Concepts Limited, Inc.
3 W. Garden Street
Suite 326
Pensacola, FL 32502
http://www.creativedata.net
850-434-7645
800-607-6168

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha
Sent: Monday, July 26, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Blocking the files in mydoom

Jim,

Because lots of customers were using the BOUNCE action without realizing that, in the majority of cases, the bounced message would never go back to the spammer who forged the originating address, we have changed the name of the action to:

BOUNCEONLYIFYOUMUST

David Franco-Rocha
Declude Technical Support

- Original Message -
From: "Jim Nitterauer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 26, 2004 16.37
Subject: RE: [Declude.Virus] Blocking the files in mydoom

> Question:
>
> My declude log contains the following cryptic message:
>
> 07/26/2004 15:32:21 Q6a3e178601c0f0dc Warning: misconfiguration in following
> line in configuration file (BOUNCE is not an ACTION). May be a duplicate
> test definition?
>
> I have checked both config files and cannot find any duplicates. I recently
> installed the MTLDB test. I am using 1.79i8
>
> Thanks
> Any ideas?
>
> Jim Nitterauer
> President
> Creative Data Concepts Limited, Inc.
> 3 W. Garden Street
> Suite 326
> Pensacola, FL 32502
> http://www.creativedata.net
> 850-434-7645
> 800-607-6168
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Monday, July 26, 2004 3:22 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Blocking the files in mydoom
>
> >Something must be broken or something must be unusual about this file.
> >I just added
> >
> >BANEXT ZIP
> >
> >It is catching other files that I have banned. And I was able to
> >forward this file ([EMAIL PROTECTED])to myself from a user
> >that sent it to me. Does declude treat a forwarded file differently somehow?
> >CRAP.
>
> No, the forwarded files are not treated differently. Does the E-mail you
> received (the one you forwarded) have a .ZIP file attachment? Are you sure
> it is .ZIP?
>
> >I am using F-protect and I updated it about noon and I'm using an
> >interim downloaded about three days ago.
>
> Noon EST? If so, I would recommend downloading the virus definitions again.
> The date of them should be July 26 or later.
>
> -Scott
Re: [Declude.Virus] Blocking the files in MyDoom
I am seeing this too, I also have zip files blocked until things chill out. Symantec still has this listed as mydoom.m but it's at level 4 now

> Also, I have temporarily blocked all zip files, as I am seeing quite a few
> that are not being caught by banned extension or F-Prot or AVG. I am
> investigating these.

Rick Davidson
National Systems Manager
North American Title Group
Re: [Declude.Virus] Blocking the files in mydoom
Jim,

Because lots of customers were using the BOUNCE action without realizing that, in the majority of cases, the bounced message would never go back to the spammer who forged the originating address, we have changed the name of the action to:

BOUNCEONLYIFYOUMUST

David Franco-Rocha
Declude Technical Support

- Original Message -
From: "Jim Nitterauer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 26, 2004 16.37
Subject: RE: [Declude.Virus] Blocking the files in mydoom

> Question:
>
> My declude log contains the following cryptic message:
>
> 07/26/2004 15:32:21 Q6a3e178601c0f0dc Warning: misconfiguration in following
> line in configuration file (BOUNCE is not an ACTION). May be a duplicate
> test definition?
>
> I have checked both config files and cannot find any duplicates. I recently
> installed the MTLDB test. I am using 1.79i8
>
> Thanks
> Any ideas?
>
> Jim Nitterauer
> President
> Creative Data Concepts Limited, Inc.
> 3 W. Garden Street
> Suite 326
> Pensacola, FL 32502
> http://www.creativedata.net
> 850-434-7645
> 800-607-6168
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Monday, July 26, 2004 3:22 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Blocking the files in mydoom
>
> >Something must be broken or something must be unusual about this file.
> >I just added
> >
> >BANEXT ZIP
> >
> >It is catching other files that I have banned. And I was able to
> >forward this file ([EMAIL PROTECTED])to myself from a user
> >that sent it to me. Does declude treat a forwarded file differently somehow?
> >CRAP.
>
> No, the forwarded files are not treated differently. Does the E-mail you
> received (the one you forwarded) have a .ZIP file attachment? Are you sure
> it is .ZIP?
>
> >I am using F-protect and I updated it about noon and I'm using an
> >interim downloaded about three days ago.
>
> Noon EST? If so, I would recommend downloading the virus definitions again.
> The date of them should be July 26 or later.
>
> -Scott
RE: [Declude.Virus] Blocking the files in mydoom
>Maybe even a BANZIPEXT ON (not just e-zip) so that people can get zipped .JPGs but not zipped .exe's

BANZIPEXTS ON is in v1.79. For any file extension that you ban with the BANEXT option, it will then be blocked if it is in a .ZIP file as well.

-Scott
RE: [Declude.Virus] Blocking the files in MyDoom
>Anything to stop double file extensions? I'd like to get this stopped ASAP

Since the files are presumably not dangerous, that is a job for Declude JunkMail -- using Declude JunkMail Pro, you can set up a filter such as "BODY 0 CONTAINS example.com.zip".

-Scott
RE: [Declude.Virus] Blocking the files in mydoom
Thanks Scott

I'm not totally brain dead (only partially) it was definitely a zip file. I did mistype in my haste to ban the .zip files. I ran a manual F-protect update moments ago and it is all up to date. I am now blocking all zip files for now. Any chance wild cards or double extensions can be added to the wish list for Declude Virus?

Maybe even a BANZIPEXT ON (not just e-zip) so that people can get zipped .JPGs but not zipped .exe's

Thanks - Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, July 26, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Blocking the files in mydoom

>Something must be broken or something must be unusual about this file. I
>just added
>
>BANEXT ZIP
>
>It is catching other files that I have banned. And I was able to forward
>this file ([EMAIL PROTECTED])to myself from a user that sent it to
>me. Does declude treat a forwarded file differently somehow?
>CRAP.

No, the forwarded files are not treated differently. Does the E-mail you received (the one you forwarded) have a .ZIP file attachment? Are you sure it is .ZIP?

>I am using F-protect and I updated it about noon and I'm using an interim
>downloaded about three days ago.

Noon EST? If so, I would recommend downloading the virus definitions again. The date of them should be July 26 or later.

-Scott
RE: [Declude.Virus] Blocking the files in mydoom
>07/26/2004 15:32:21 Q6a3e178601c0f0dc Warning: misconfiguration in
>following line in configuration file (BOUNCE is not an ACTION). May be
>a duplicate test definition?

That's because about 90% of the people using the BOUNCE action in Declude JunkMail were doing so in a very, very bad way (essentially causing themselves to be spammers without realizing it).

If you fully understand who those bounce messages are going to, and that you may get blacklisted if you are not careful, you can change the action name to BOUNCEONLYIFYOUMUST.

-Scott
Re: [Declude.Virus] Blocking the files in mydoom
I am.

- Original Message -
From: "Barry @ CPHZ" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 26, 2004 1:25 PM
Subject: RE: [Declude.Virus] Blocking the files in mydoom

> Scott,
>
> Are you available to do a telephone interview for Information week today?
>
> Barry
RE: [Declude.Virus] Blocking the files in mydoom
Question: My declude log contains the following cryptic message: 07/26/2004 15:32:21 Q6a3e178601c0f0dc Warning: misconfiguration in following line in configuration file (BOUNCE is not an ACTION). May be a duplicate test definition? I have checked both config files and cannot find any duplicates. I recently installed the MTLDB test. I am using 1.79i8 Thanks Any ideas? Jim Nitterauer President Creative Data Concepts Limited, Inc. 3 W. Garden Street Suite 326 Pensacola, FL 32502 http://www.creativedata.net 850-434-7645 800-607-6168 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Monday, July 26, 2004 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Blocking the files in mydoom >Something must be broken or something must be unusual about this file. >I just added > >BANEXT ZIP > >It is catching other files that I have banned. And I was able to >forward this file ([EMAIL PROTECTED])to myself from a user >that sent it to me. Does declude treat a forwarded file differently somehow? >CRAP. No, the forwarded files are not treated differently. Does the E-mail you received (the one you forwarded) have a .ZIP file attachment? Are you sure it is .ZIP? >I am using F-protect and I updated it about noon and I'm using an >interim downloaded about three days ago. Noon EST? If so, I would recommend downloading the virus definitions again. The date of them should be July 26 or later. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. 
RE: [Declude.Virus] Blocking the files in MyDoom
I was just putting the relevant lines in (or what I thought was relevant). I am blocking many extensions. I am trying to make sure this file isn't getting through. It is my belief (hope) that the files getting through are non-viable because:

07/26/2004 15:49:04 Q602e069800d0e086 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
07/26/2004 15:49:04 Q602e069800d0e086 Deleting file with virus
07/26/2004 15:49:04 Q602e069800d0e086 Deleting E-mail with virus!

Mydoom.O has been getting caught. I just want to stop the damn files from getting through to my users so a virus can't slip through and so they don't panic and call and e-mail/call me to death. I am also concerned that I can't seem to ban this file from getting through by any means. Anything to stop double file extensions? I'd like to get this stopped ASAP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, July 26, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Blocking the files in MyDoom

You are way behind the times if all you block are com files. What about exe, bat, cmd and a list of others?

Also, I have temporarily blocked all zip files, as I am seeing quite a few that are not being caught by banned extension or F-Prot or AVG. I am investigating these.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of marc catuogno
> Sent: Monday, July 26, 2004 12:39 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Blocking the files in mydoom
>
> I am running Declude 1.79 and this is in my CFG file:
>
> BANEZIPEXTS ON
> BANEXT com
>
> In desperation I have added:
>
> BANNAME prudentialrand.com
> BANNAME prudentialrand.com.zip
> BANNAME prudentialrand.zip
> BANNAME [EMAIL PROTECTED]
> BANNAME *prudentialrand.com.zip
>
> The files are still getting through to my users. Any suggestions? An Imail
> rule maybe?
RE: [Declude.Virus] Blocking the files in mydoom
Scott,

Are you available to do a telephone interview for Information week today?

Barry
RE: [Declude.Virus] Blocking the files in mydoom
>Something must be broken or something must be unusual about this file.
>I just added
>
>BANEXT ZIP
>
>It is catching other files that I have banned. And I was able to
>forward this file ([EMAIL PROTECTED])to myself from a user
>that sent it to me. Does declude treat a forwarded file differently somehow?
>CRAP.

No, the forwarded files are not treated differently.

Does the E-mail you received (the one you forwarded) have a .ZIP file attachment? Are you sure it is .ZIP?

>I am using F-protect and I updated it about noon and I'm using an
>interim downloaded about three days ago.

Noon EST? If so, I would recommend downloading the virus definitions again. The date of them should be July 26 or later.

-Scott
RE: [Declude.Virus] Blocking the files in mydoom
Something must be broken or something must be unusual about this file. I just added

BANEXT ZIP

It is catching other files that I have banned. And I was able to forward this file ([EMAIL PROTECTED])to myself from a user that sent it to me. Does declude treat a forwarded file differently somehow? CRAP.

Maybe I should go back to the last beta...

I am using F-protect and I updated it about noon and I'm using an interim downloaded about three days ago.

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of marc catuogno
Sent: Monday, July 26, 2004 3:39 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Blocking the files in mydoom

I am running Declude 1.79 and this is in my CFG file:

BANEZIPEXTS ON
BANEXT com

In desperation I have added:

BANNAME prudentialrand.com
BANNAME prudentialrand.com.zip
BANNAME prudentialrand.zip
BANNAME [EMAIL PROTECTED]
BANNAME *prudentialrand.com.zip

The files are still getting through to my users. Any suggestions? An Imail rule maybe?
Re: [Declude.Virus] Blocking the files in mydoom
>I am running Declude 1.79 and this is in my CFG file:
>
>BANEZIPEXTS ON
>BANEXT com

That won't catch Mydoom.O. That's because Mydoom.O uses .com files in non-encrypted .ZIP files (the above settings block .com files in encrypted .ZIP files, but not standard .ZIP files).

You would want to use "BANZIPEXTS ON", which would (in combination with BANEXT com) block .com files within .zip files.

>In desperation I have added:

Those won't work. The BANNAME option only works for the file that you name. If the file is named something different, it won't get blocked.

>The files are still getting through to my users. Any suggestions?

What AV program are you using? When were your virus definitions last updated? I'm not aware of any AV programs that aren't catching this one yet.

-Scott
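Added illustration, not part of the thread and not Declude's code: a Python sketch of the distinction drawn in the reply above between banned extensions inside encrypted and inside standard .ZIP files, extended to zips within zips. The ban list, the function names, the reading of BANZIPEXTS and BANEZIPEXTS as two disjoint switches, and the in-memory sample archives are assumptions constructed for the example.

```python
import io
import posixpath
import zipfile

BANNED_EXTS = {"com", "exe", "bat", "cmd"}  # assumed ban list (extensions named in the thread)


def scan_zip(data, max_depth=2, depth=1):
    """Return (path, encrypted, depth) for each banned-extension member.

    Only central-directory names and flag bits are checked, so members
    flagged as encrypted are classified without a password."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = posixpath.splitext(info.filename)[1][1:].lower()
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0
            if ext in BANNED_EXTS:
                hits.append((info.filename, encrypted, depth))
            elif ext == "zip" and not encrypted and depth < max_depth:
                try:
                    inner = scan_zip(zf.read(info), max_depth, depth + 1)
                except zipfile.BadZipFile:
                    continue  # named .zip but not a readable archive
                hits += [(f"{info.filename}/{n}", e, d) for n, e, d in inner]
    return hits


def would_block(hits, banzipexts, banezipexts):
    """Assumed model of the two switches as the thread describes them:
    BANEZIPEXTS acts on encrypted members, BANZIPEXTS on non-encrypted ones."""
    return any(banezipexts if enc else banzipexts for _, enc, _ in hits)


def make_zip(members, flag_encrypted=False):
    """Build a constructed sample ZIP in memory; payloads are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if flag_encrypted:  # set flag bit 0 in the first central-directory entry only
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


PLAIN = make_zip([("document.com", b"constructed sample, inert")])
FLAGGED = make_zip([("document.com", b"constructed sample, inert")], flag_encrypted=True)
NESTED = make_zip([("inner.zip", PLAIN)])
```

Under this model, `would_block(scan_zip(PLAIN), banzipexts=False, banezipexts=True)` is False: with only BANEZIPEXTS on, a .com file in a standard zip is not blocked.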
RE: [Declude.Virus] Blocking the files in MyDoom
You are way behind the times if all you block are com files. What about exe, bat, cmd and a list of others?

Also, I have temporarily blocked all zip files, as I am seeing quite a few that are not being caught by banned extension or F-Prot or AVG. I am investigating these.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of marc catuogno
> Sent: Monday, July 26, 2004 12:39 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Blocking the files in mydoom
>
> I am running Declude 1.79 and this is in my CFG file:
>
> BANEZIPEXTS ON
> BANEXT com
>
> In desperation I have added:
>
> BANNAME prudentialrand.com
> BANNAME prudentialrand.com.zip
> BANNAME prudentialrand.zip
> BANNAME [EMAIL PROTECTED]
> BANNAME *prudentialrand.com.zip
>
> The files are still getting through to my users. Any suggestions? An Imail
> rule maybe?