RE: [Declude.Virus] MISSING_REVERSE_DNS:Which of the eicartest files should be blocked
> Below is the list of files that get threw into my inbox: > >Test eicar.com file [eicarbinhexmime] >Test eicar.com file [eicarbinhex] >Test eicar.com file [eicarmimeuu] >Test eicar.com file [eicarquoted] >Test eicar.com file [eicarrfc822] >Test eicar.com file [eicarpegasus] >Test eicar.com file [eicarinline] >Test eicar.com file [eicarbinary] OK, in that case it isn't an issue with the eicar inline file; it sounds like there is simply a problem detecting any viruses. That would make sense if you are running a virus scanner that is interfering with Declude (if the F-Prot.exe file reports no virus, the E-mail will get delivered along with the attachment that contains the virus). -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] MISSING_REVERSE_DNS:Which of the eicartest files should be blocked
> It was the formatting in the last email. I have attached a >section of the log file below. > >11/09/2001 16:02:31 Q44660b8 Virus scanner reports exit code of 0 Here, we see that F-Prot has reported that it found no viruses. But: >11/09/2001 16:02:31 Q44660b8 Couldn't delete >D:\IMAIL\spool\D44660b8.vir\0.com: 5. Here, Windows reported that Declude doesn't have access to delete the 0.com file (the one with the eicar.com file in it). Do you have an on-access virus scanner running? If so, you should disable it (or set it not to scan the subdirectories off of \IMail\spool). -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] MISSING_REVERSE_DNS:Which of the eicartest files should be blocked
> We are using F-Prot and I have included my cfg file below. What >am I doing wrong? It the SCANFILE option all on one line (starting with "SCANFILE" and ending with "/REPORT=report.txt")? If it is on two separate lines (as it appears in the E-mail, although that may be due to formatting), the "/DUMB" will not get sent to F-Prot. Is only the inline version of the eicar.com file not getting caught, or are there other ones that are not getting caught? The next step would be to send the inline version of the eicar.com file again, this time using the Declude debug mode. To do this, change the "LOGLEVEL LOW" line in \IMail\Declude\virus.cfg to "LOGLEVEL DEBUG". Then, send the inline eicar.com file through again, and then switch back to "LOGLEVEL LOW". You can then E-mail me the \IMail\Declude\vir.log file (or, if you cut out just the part for that one E-mail, you can post it here if you prefer), and I can take a look at it to see what the problem may be. -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] MISSING_REVERSE_DNS:Which of the eicartest files should be blocked
>We just ran a test with the "Test eicar.com file [eicarinline]" and it >was received. Should this file been blocked? Yes, it should be caught (all the encoding methods used on that page should be caught). That ones uses a ".zl6" extension, which may be the problem. If you are using F-Prot, you need to have " /DUMB" on the SCANFILE line in the virus.cfg file; if using McAfee, you should have " /ALL" on that line. That will ensure that all files are scanned, regardless of the extension. If that doesn't take care of the problem, please let me know. Thanks. -Scott This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .