[Declude.Virus] ping

[Colbeck, Andrew]

Title: Message



The usual new 
subscriber test.  Sorry for the inconvenience, this list seems pretty 
quiet!
 
Andrew Colbeck
Technical Specialist
Bentall Capital LP
[EMAIL PROTECTED]
(604) 661-5047
 

RE: [Declude.Virus] ping

[Colbeck, Andrew]

Har, har, har...

Well, with a dearth of fresh messages, I whiled away my evening over at
mail-archive.com instead.


Andrew 8)

-Original Message-
From: Bill Landry [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 09, 2004 7:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] ping


Yeah, I'm sorry to say, the list is definitely down.  I am just sending you
this reply to let you know that I didn't get your test message - well,
because the list is down...  ;-)

- Original Message - 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 09, 2004 4:49 PM
Subject: [Declude.Virus] ping


> The usual new subscriber test.  Sorry for the inconvenience, this list 
> seems pretty quiet!
>
> Andrew Colbeck
> Technical Specialist
> Bentall Capital LP
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> (604) 661-5047
>
>

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Multiple responses in the report.txt

[Colbeck, Andrew]

Hey, folks.

What if I want to have multiple response lines in the antivirus
scanner's report.txt?

fpcmd.exe emits a line with "Infection:" before the filename if it's a
virus.

But if it's malware, it emits a line with "is a security risk named"
before the filename.

Since I bought the Lite edition, putting in multiple
SCANFILE+VIRUSCODE+REPORT lines isn't going to be an option for me.

I'm guessing that providing exactly the same parameters in SCANFILE0 and
SCANFILE1 would suppress the actual virus scanning, as with JunkMail,
thus letting me have multiple REPORT lines. That is, if I had the Pro
version.

Andrew.


_
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Parallel processing

[Colbeck, Andrew]

Thanks, John.  Asking here was quicker than breaking out that free file
monitor (FileMon) from SysInternals.com ...

Andrew 8)

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 10, 2004 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Parallel processing


Declude creates a separate directory for each message for scanning, so
while the report name is the same, the directory is unique.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Colbeck, Andrew
> Sent: Friday, December 10, 2004 3:31 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Parallel processing
> 
> I'm using the f-prot command line scanner, and the lines in the 
> virus.cfg look like this:
> 
> SCANFILEC:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb
> /noboot /nomem /packed /report=report.txt
> VIRUSCODE 3
> VIRUSCODE 6
> REPORT  Infection:
> 
> That's working fine, but in my testing I'm only putting a few messages

> through at a time.  I note that the /report variable is setting one 
> specific filename.  What happens when two or more declude processes 
> are launched and both want to call the virus scanner at the same time?

> I realize that scanning is relatively quick, but I can see that 
> collisions would result.
> 
> If Declude doesn't handle this internally to set a different report 
> name per instance, then I think paranoia would pushe me to set 
> MAXATONCE 1 ... ?
> 
> Andrew.
> 
> 
> _
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


_
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Multiple responses in the report.txt

[Colbeck, Andrew]

Thanks, Matt.

I only went for the Lite version because this is a gateway scanner.  The
internal mail servers are indeed protected by a different vendor's
product.

I'm setting up these two layers because my company prefers to quarantine
all viral messages, and then substitute any other inbound executables
with a text message in the original message.  This way, our users don't
receive unnecessary emails.

The "other" log line I'm seeing is independent of the usage of the /ai
switch.  As for investigation of the /ai switch, this email is part of
that due diligence!

Andrew 8)

-Original Message-
From: Matt [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 10, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Multiple responses in the report.txt


Andrew,

A separate instance is set up for each message's attachments that are 
scanned, there is no cause for any concern.  MAXATONCE was designed for 
licensing reasons and shouldn't be used in most installations.  If you 
set MAXATONCE below the number of processes that might be launched (this

is a highly variable number), then it will cause overflow to occur or 
otherwise backup your system needlessly.

Regarding your other question, I believe that you are seeing this 
because you are using the /ai switch.  I don't use that switch, though I

couldn't say why exactly.  I have found however with many such things 
that their definitions of a non-virus that throw off such things might 
vary widely and include things such as encrypted zip files, something 
that Declude handles more flexibly.  It's always a good idea to get as 
much information about new or alternative switches before using them.  I

have found info in KB's, release notes, and also by E-mailing the 
companies.  These things aren't always as descriptive as you might want,

so dig deep.

I would also very strongly recommend a second scanner.  Simply put, 
things will sometimes not function properly.  There have been at least 4

occasions in about a year that F-Prot has messed up and would have 
caused significant virus leaking.  Currently I would recommend McAfee, 
but I would recommend ClamAV after a period of stability emerges since 
the daemon is faster than anything but F-Prot.  McAfee is of course a 
bit more responsible with their definitions, so if capacity isn't a 
problem, I would use that over ClamAV regardless.

Matt



Colbeck, Andrew wrote:

>I'm using the f-prot command line scanner, and the lines in the 
>virus.cfg look like this:
> 
>SCANFILEC:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb
>/noboot /nomem /packed /report=report.txt
>VIRUSCODE 3
>VIRUSCODE 6
>REPORT  Infection:
> 
>That's working fine, but in my testing I'm only putting a few messages 
>through at a time.  I note that the /report variable is setting one 
>specific filename.  What happens when two or more declude processes are

>launched and both want to call the virus scanner at the same time?  I 
>realize that scanning is relatively quick, but I can see that 
>collisions would result.
> 
>If Declude doesn't handle this internally to set a different report 
>name per instance, then I think paranoia would pushe me to set 
>MAXATONCE 1 ... ?
>
>Andrew.
>
>
>_
>---
>[This E-mail was scanned for viruses by Declude Virus 
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
>just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.Virus".The archives can be found
>at http://www.mail-archive.com.
>
>
>  
>

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


_
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Multiple responses in the report.txt

[Colbeck, Andrew]

Title: Message




I'm 
doing a head to head comparison on a few tens of thousands of messages 
right now.  I have already been using the command line McAfee as a 
post-processing scripted thingmajig late at night in order to find out how many 
viruses I was really catching as spam.  I picked my poison based on two 
months of postings over at Mail-Archive (including your 8 way competition) as 
well as the incidental stuff that bled over to the JunkMail list I've been on 
for 2 years.  I'm not worried about the stability of F-Prot, and I'm not 
impressed with the message decoding or speed of McAfee.
 
And we 
can always upgrade later if we want to put in more engines.
 
For 
what it's worth, last month for every ham message we received, we received 3 
spam and one-sixth of a virus.  And those numbers are *down* from the 
month before, because our inbound ham has been growing faster than spam.  
Spam has been growing, and I'm seeing a 6 to 9% increase every month over the 
previous month.
 
Andrew 
8)

  
  -Original Message-From: Matt 
  [mailto:[EMAIL PROTECTED] Sent: Friday, December 10, 2004 4:28 
  PMTo: [EMAIL PROTECTED]Subject: Re: 
  [Declude.Virus] Multiple responses in the report.txtYou 
  could essentially do that with just Declude and a bit of programming for 
  stripping the attachments out of messages.Regardless, having one 
  scanner is not going to do a good enough job if you rely on F-Prot based on 
  results from the last year.  I would recommend McAfee over F-Prot as a 
  single scanner since it appears that they are more stable, though it is clear 
  that any single scanner can have issues from time to 
  time.MattColbeck, Andrew wrote: 
  Thanks, Matt.

I only went for the Lite version because this is a gateway scanner.  The
internal mail servers are indeed protected by a different vendor's
product.

I'm setting up these two layers because my company prefers to quarantine
all viral messages, and then substitute any other inbound executables
with a text message in the original message.  This way, our users don't
receive unnecessary emails.

The "other" log line I'm seeing is independent of the usage of the /ai
switch.  As for investigation of the /ai switch, this email is part of
that due diligence!

Andrew 8)

-Original Message-
From: Matt [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 10, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Multiple responses in the report.txt


Andrew,

A separate instance is set up for each message's attachments that are 
scanned, there is no cause for any concern.  MAXATONCE was designed for 
licensing reasons and shouldn't be used in most installations.  If you 
set MAXATONCE below the number of processes that might be launched (this

is a highly variable number), then it will cause overflow to occur or 
otherwise backup your system needlessly.

Regarding your other question, I believe that you are seeing this 
because you are using the /ai switch.  I don't use that switch, though I

couldn't say why exactly.  I have found however with many such things 
that their definitions of a non-virus that throw off such things might 
vary widely and include things such as encrypted zip files, something 
that Declude handles more flexibly.  It's always a good idea to get as 
much information about new or alternative switches before using them.  I

have found info in KB's, release notes, and also by E-mailing the 
companies.  These things aren't always as descriptive as you might want,

so dig deep.

I would also very strongly recommend a second scanner.  Simply put, 
things will sometimes not function properly.  There have been at least 4

occasions in about a year that F-Prot has messed up and would have 
caused significant virus leaking.  Currently I would recommend McAfee, 
but I would recommend ClamAV after a period of stability emerges since 
the daemon is faster than anything but F-Prot.  McAfee is of course a 
bit more responsible with their definitions, so if capacity isn't a 
problem, I would use that over ClamAV regardless.

Matt



Colbeck, Andrew wrote:

  
I'm using the f-prot command line scanner, and the lines in the 
virus.cfg look like this:

SCANFILEC:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb
/noboot /nomem /packed /report=report.txt
VIRUSCODE 3
VIRUSCODE 6
REPORT  Infection:

That's working fine, but in my testing I'm only putting a few messages 
through at a time.  I note that the /report variable is setting one 
specific filename.  What happens when two or more declude processes are

  
launched and both want to call the virus scanner at the same time?  I 
realize that scanning is relatively quick, but I can see that 
collisions would result.

If Declude doesn't handle this internally to set a different report 
name per instance, then I think paranoi

RE: [Declude.Virus] wuaurlt.exe

[Colbeck, Andrew]

I've seen a variant of RBOT that was similar; the naming format is try
to confuse you that it is part of windows update, which is wuauserv.exe

There is a gray area between the antivirus scanners and the spyware
scanners in picking this stuff up.  You'll want to get that machine
patched, the registry cleaned for the HKLM, HKDU and the HKCU for
whomever was logged in when it ran.

If the affected OS has one, you'll also need to empty the
%windir%\prefetch folder, as some antivirus scanners won't find it
because the extension is renamed (or they have a blind spot for that
folder).

Since this worm has a dropper and an active component, you'll need to
clean out both.

If your antivirus scanner isn't picking it up, you can use:

http://housecall.trendmicro.com

which downloads an ActiveX control version of their scanner, which will
do a full sweep of the local hard drive.

And yes, this TrendMicro name does have aliases.  Depending on which
vendor you talk to, you'll also see it as GAOBOT or SDBOT.  This
specific name has no alias, according to this site, which is the only
one I know of that tracks the virus lingo across vendors:
http://www.virusbtn.com/resources/vgrep/index.xml

There is also this site, to which you can upload a virus to have it
checked by multiple vendors' scan engines and email you a report.  Some
engines have been removed due to legal pressures:
http://www.virustotal.com/flash/index_en.html

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
Sent: Tuesday, December 14, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] wuaurlt.exe


On 14 Dec 2004 at 12:31, Nick wrote:

> Has anyone seen or heard of a virus/worm that uses this file? It seems

> to be attacking several pc's at my day job..
As a follow up - I just found this - 
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_R
BOT.ADG&VSect=T

Nothing on mcafee or fprot though. Is there an alias that exists?

Thanks again - 

-Nick

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Mcaffee commandline scanner is it really free with updates??

[Colbeck, Andrew]

It's not free.  There is a paper tiger licence that goes with it.  They
depend upon your honesty to purchase and renew the licence.


Andrew 8)

p.s. If I had a nickle for every home computer that I cleaned up because
the user was sure that the were protected, but the "complimentary"
licence had expired, well, I could at least afford a Starbucks coffee.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Wednesday, December 15, 2004 9:44 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Mcaffee commandline scanner is it really free
with updates??


I am confused.

I have recently found the Mcaffee command line scanner on several
freeware apps.  Is it free?  They claim everything on their site is 100%
legit.

Additionally they even explain how to update it using the superdat.  

Is it too old to be properly effective??  Not the signatures but the
engine of course.

What is missing from the rendition of the commandline scanner because I
know nothing in life is free!!

Thanks

DC

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Blocked Extension getting through

[Colbeck, Andrew]

Hermann, since we're not seeing a response in this list, I'd suggest
that your directly contact [EMAIL PROTECTED] about this.

I hope that what you're assuming is NOT true.  Given that Declude Virus
unpacks all of the attachments and calls your antivirus scanner(s) on
the unpacked attachments, I would expect that the BAN option takes
effect based on that MIME decoding, so that it sees the correct
filename.

If you do get an official answer, please let us know.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hermann Strassner
Sent: Wednesday, December 15, 2004 5:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Blocked Extension getting through


What do you want me to do?

I still have BANEXT CHM in my virus.cfg, and i successfully block .chm
attachments. Here it is not working because of the "encryption" of the
filename, as you can see in the mail.

I show you the virus logfile:
vir1215.log: 12/15/2004 04:06:29 Qaa3414bd035a6555 MIME file:
=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?==?koi8-r?B?aG0=?= [base64;
Length=33018 Checksum=3232477]
vir1215.log: 12/15/2004 04:06:29 Qaa3414bd035a6555 Scanned: Virus Free
[MIME: 2 33569]


Hermann

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of William 
> Stillwell
> Sent: Wednesday, December 15, 2004 2:00 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Blocked Extension getting through
> 
> 
> BANEXT CHM
> 
> 
> 
> - Original Message -
> From: "Hermann Strassner" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 15, 2004 4:12 AM
> Subject: [Declude.Virus] Blocked Extension getting through
> 
> 
> > Hello!
> >
> > I have blocked a few extensions in Declude Virus, e.g. zip,
> exe, bat,
> > scr, pif, chm and a few others. Normally that workes.
> >
> > But since a few days some mails (with virus) are getting through. 
> > They have an attachment like Rechnung18745514.chm, it is
> displayed as
> > Rechnung18745514.chm in Outlook or other mail clients, but
> in virus scan
> > or in raw mail format its name is:
> > 86BA342CB7A4
> > Content-Type: CHEMICAL/X-CS-CHEMDRAW; 
> > name="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
> > =?koi8-r?B?aG0=?="
> > Content-transfer-encoding: base64
> > Content-Disposition: attachment; 
> > filename="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
> > =?koi8-r?B?aG0=?="
> >
> > What can i do to block this? This is a new worm yet not
> detected from
> > virus scanners. This happens often. But this mails are blocked by 
> > extension filtering. Now they are getting through to the clients.
> >
> > Hermann
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To 
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".The archives can be found
> > at http://www.mail-archive.com.
> > ---
> > This email has been scanned for possible viruses by Declude
> Antivirus.
> > For more information on Declude Antivirus, Visit www.declude.com
> >
> > 
> 
> ---
> This email has been scanned for possible viruses by Declude Antivirus.

> For more information on Declude Antivirus, Visit www.declude.com
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Parallel processing

[Colbeck, Andrew]

I'm using the f-prot command line scanner, and the lines in the
virus.cfg look like this:
 
SCANFILEC:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb
/noboot /nomem /packed /report=report.txt
VIRUSCODE 3
VIRUSCODE 6
REPORT  Infection:
 
That's working fine, but in my testing I'm only putting a few messages
through at a time.  I note that the /report variable is setting one
specific filename.  What happens when two or more declude processes are
launched and both want to call the virus scanner at the same time?  I
realize that scanning is relatively quick, but I can see that collisions
would result.
 
If Declude doesn't handle this internally to set a different report name
per instance, then I think paranoia would pushe me to set MAXATONCE 1
... ? 

Andrew.


_
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] SKIPEXT - PDF

[Colbeck, Andrew]

As per Matt's link there has been one virus ("Peachy").  Actually, one
virus embedded in a document which was attached to the PDF, and it was
more of a proof of concept, but there you go.

Darn near every version of Acrobat Reader so far has had buffer overflow
problems, but they've not been exploited by the bad guys.  I know about
the buffer overflow problems because I'm the kind of guy that reads the
readme.txt that comes with software updates.

So given this info, it's up to you to decide whether to scan or skip PDF
files.  Ask yourself:

How confident are you that a virus won't infect a PDF?
How worried are you about a false positive in a clean PDF?
Are you pinched for CPU time on your mail server?
Is there another way to save CPU time on this box?


Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Tuesday, December 14, 2004 6:13 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] SKIPEXT - PDF


Does anyone know of a reason why to scan PDF files?

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] AVAFTERJM not working

[Colbeck, Andrew]

Title: Message




I 
think I ran into this too; for my part, it was a thinko.
 
The 
correct usage is:
 
AVAFTERJM ON
 
but 
with all the talk on this forum about "AVAFTERJM", that's all I used (that is, I 
left out the "ON" part).
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Mark E. SmithSent: Monday, December 20, 2004 8:37 
  AMTo: [EMAIL PROTECTED]Subject: [Declude.Virus] 
  AVAFTERJM not working
  I've 
  been working with Darrell from Invariant systems using their log 
  utility.
  We've been running AVAFTERJM based on the following 
  logic:
   
  We 
  delete about 50% of email as spam via Junkmail (gateway system 
  only).
  If 
  we delete 50% of the email then we can reduce the load on Declude/FProt AV by 
  50% as long as the AV messages are scanned after JM.
   
  So, 
  we put AVAFTERJM in the virus.cfg per the instructions.
   
  Darrell looked at our logs and found the following: 
  Opened up our DEC and VIR1217.LOG.  
  
  In the VIRlog he found the message 
  Q67df4aae4237 which has a virus.  
  
  Then he went to the DEC1217.LOG and searched for 
  the message and did not find it.  
  
  So, 
  it would seem that AVAFTERJM isn't working properly
   
  Thoughts?
 
The information contained in this email is intended solely for the addressee. This message may contain confidential and/or privileged material and access to this email by anyone else is unauthorized. Unauthorized recipients are required to maintain confidentiality. Any review, retransmission, dissemination or other use of by persons or entities other than the intended recipient is prohibited and may be unlawful. If you have received this message in error, please notify us immediately and destroy the original. 
 
Les informations transmises par la présente sont destinées uniquement au(x) destinataires(s) sousmentionné(s). Le message peut contenir des informations confidentielles. L'accès à ce message par toute autre personne que celle(s) nommément désignée(s) en est donc interdit et la confidentialité du message doit être sauvegardée. Toute référence aux informations qui y figurent, toute retransmission, dissémination ou utilisation de celles-ci par quiconque qui n'en a pas l'autorisation est strictement défendu. Si vous avec reçu cette communication par erreur, veuillez nous en aviser immédiatement et détruire l'original.
 

RE: Re[6]: [Declude.Virus] testvirus.org #22

[Colbeck, Andrew]

What happens when you set:

PRESCAN OFF

...?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Monday, December 20, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Re[6]: [Declude.Virus] testvirus.org #22


>
> Test #17: Eicar virus hidden using the "CR Vulnerability" (attachment 
> can
> be
> opened by all versions of Microsoft Outlook and Outlook Express)
>
> It is not a virus so I think the Vulnerability test of Declude should
> catch
> it.
>
> Oh well it comes through our system as well.
>
> Regards,
> Kami
>

I plucked the SMD files for #17 out of the queue and manually ran
mcaffee on it, with the "Same" flags that declude calles and my result
is this:

---

Scanning C: []
Scanning C:\virus\DF1F901860D8F.SMD
C:\virus\Df1f901860d8f.SMD\eicar.com ... Found: EICAR test file NOT
a 
virus.

Summary report on C:\virus\DF1F901860D8F.SMD
File(s)
Total files: ...   2
Clean: .   1
Possibly Infected: .   1


Time: 00:00.00

-

Which SHOWS there is a virus, But declude Doesn't pick it up, My local
POP3 
Scanner
also failes to catch it, but if I save the "EML" to my desktop, my On
Demand 
scanner detects
it.

Also, Outlook Express failes to show it as an Attachment.

It appears the "X" attachments that declude appends to the header are 
messing with the test.


---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
 
The information contained in this email message is solely for the intended 
addressee. This message may contain confidential and/or privileged material and 
access to this message by anyone other than the intended addressee is 
unauthorized. Unauthorized recipients are required to maintain confidentiality. 
Any review, retransmission, dissemination or other use of this message by 
persons or entities other than the intended recipient is prohibited and may be 
unlawful. If you have received this message in error, please notify us 
immediately and destroy the original. 
 
Les informations transmises par la presente sont destinees uniquement au(x) 
destinataires(s) sousmentionne(s). Le message peut contenir des informations 
confidentielles. L'acces a ce message par toute autre personne que celle(s) 
nommement designee(s) en est donc interdit et la confidentialite du message 
doit etre sauvegardee. Toute reference aux informations qui y figurent, toute 
retransmission, dissemination ou utilisation de celles-ci par quiconque qui 
n'en a pas l'autorisation est strictement defendu. Si vous avec recu cette 
communication par erreur, veuillez nous en aviser immediatement et detruire 
l'original.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: Re[6]: [Declude.Virus] testvirus.org #22

[Colbeck, Andrew]

I know that you're using McAfee, but for what it's worth, my system does
catch this viral email. I'm using:

* F-Prot (fpcmd)
* /dumb and /packed options
* REPORTInfection:
* PRESCAN   ON
* BANCRVIRUSES  OFF
* AUTOFORGE ON
* AVAFTERJM ON

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Monday, December 20, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Re[6]: [Declude.Virus] testvirus.org #22


>
> Test #17: Eicar virus hidden using the "CR Vulnerability" (attachment 
> can
> be
> opened by all versions of Microsoft Outlook and Outlook Express)
>
> It is not a virus so I think the Vulnerability test of Declude should
> catch
> it.
>
> Oh well it comes through our system as well.
>
> Regards,
> Kami
>

I plucked the SMD files for #17 out of the queue and manually ran
mcaffee on it, with the "Same" flags that declude calles and my result
is this:

---

Scanning C: []
Scanning C:\virus\DF1F901860D8F.SMD
C:\virus\Df1f901860d8f.SMD\eicar.com ... Found: EICAR test file NOT
a 
virus.

Summary report on C:\virus\DF1F901860D8F.SMD
File(s)
Total files: ...   2
Clean: .   1
Possibly Infected: .   1


Time: 00:00.00

-

Which SHOWS there is a virus, But declude Doesn't pick it up, My local
POP3 
Scanner
also failes to catch it, but if I save the "EML" to my desktop, my On
Demand 
scanner detects
it.

Also, Outlook Express failes to show it as an Attachment.

It appears the "X" attachments that declude appends to the header are 
messing with the test.


---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: Re[8]: [Declude.Virus] testvirus.org #22

[Colbeck, Andrew]

Ditto.  I thought Declude called the scanner(s) on the d*.smd, plus
extracted all the segments out and scanned those too.  Is that
incorrect?

Also, does Declude recursively unpack MIME segments, if one of the
attachments is itself a .eml file or .smd file, would any attachments
inside it be unpacked and the scanner(s) called on those?

Sorry to ask that second part, as I know I could test that second case,
but first I'd have to go and turn off my internal scanner!

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
Sent: Monday, December 20, 2004 1:48 PM
To: Declude.Virus@declude.com
Subject: Re[8]: [Declude.Virus] testvirus.org #22


>>I turned if off and it still got through.

>>Test #17: Eicar virus hidden using the "CR Vulnerability" (attachment 
>>can be opened by all versions of Microsoft Outlook and Outlook 
>>Express)

RSP> I just checked this one, and it got through here, too.  I examined 
RSP> the raw source of the E-mail, and there doesn't appear to be a lone

RSP> CR character in it, so it doesn't appear to actually contain the 
RSP> Outlook "CR Vulnerability".

Scott, what do you get for test #22. Some have reported it caught while
others haven't. My F-Prot config is:

SCANFILE P:\Progra~1\fsi\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM
/ARCHIVE=3 /NOBOOT /DUMB /REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6
VIRUSCODE 8 REPORT Infection:


-- 
Best regards,
 Davidmailto:[EMAIL PROTECTED]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: Re[8]: [Declude.Virus] testvirus.org #22

[Colbeck, Andrew]

Thanks, Scott.  I constructed 2 tests anyway, one with an executable in
an attached .eml file and one where that executable is a virus.

It *looks* like this is a special case, i.e. where all unpacked
attachments, including .smd are unpacked, and then the folder scanned:

So with a single message, the .smd file is not scanned.  If an
attachment is itself an .smd file, it will be scanned and also all of
the attachments that need to be unpacked and scanned.  Ditto for .mim
attachments that contain an executable.

I haven't trotted out Winternals FileMon to verify that though... I'm
guesstimating based on what I see at DEBUG level.

I'd agree with Bill Landry and also request that Declude implement a
switch in virus.cfg that lets us choose whether to scan the "native"
email and all "native" attachment formats.

Since you wrote that optimization into Declude, the antivirus scanners
have progressed.  F-Prot has the /dumn and /server options, and McAfee
has the /MIME option.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, December 20, 2004 2:16 PM
To: Declude.Virus@declude.com
Subject: RE: Re[8]: [Declude.Virus] testvirus.org #22



>Also, does Declude recursively unpack MIME segments, if one of the 
>attachments is itself a .eml file or .smd file, would any attachments 
>inside it be unpacked and the scanner(s) called on those?

Yes.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in
mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



This outgoing message is guaranteed to be authentic by Message Level
users. Guarantee the authenticity of your email @
http://www.messagelevel.com.
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] PB installing 2.0B

[Colbeck, Andrew]

Hey, Declude Support, I'm interested in a manual installation, too!

...

Now, I don't want to sound like I'm shooting the messenger, but I hope
you guys aren't doing this on your production server.

Since I'm interested in the manual installation, I'll install it on the
development server, note the changes, and then after testing, bring it
over to the live server.

Which is the same as I've done the last few times.  If you're going to
implement beta software, it's worth the effort.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, December 21, 2004 7:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] PB installing 2.0B


- Original Message - 
From: "Serge" <[EMAIL PROTECTED]>

> you are probably right
> we use to have the same issue with manual install
> However, the full install notes specificaly say that "no service need 
> to
be
> stoped when upgrading"
> So they need get their act together, or give us back our old manual
install

I agree, the old manual download/install should at least be an option.
I don't like downloading 6.66mb file, just to get a 500kb declude.exe
file. Especially when that 6mb install file takes over 3.5 minutes to
complete its installation process, and then changes my config files in
the process without warning (as Kami noted, it changes the .eml files -
did the same thing here), and then did not install properly.

After running the install, which completed without error, I ended up
with a 288kb declude.exe file that did not work - I had to revert back
to version 1.81 to get Declude JunkMail & Virus to function again.  What
size declude.exe file have others that successfully installed 2.0B ended
up with?

Bill

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] This site is defaced!!! - Way OT

[Colbeck, Andrew]

It turns out that Jerrod's problem is actually a worm that attacks PHPbb
(patched Nov 18th, 2004) ... he's probably still busy on that, but for
for everyone else's benefit:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SAN
TY.A

http://isc.sans.org/diary.php?date=2004-12-21


Andrew.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerod M. Bennett
Sent: Monday, December 20, 2004 2:12 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] This site is defaced!!! - Way OT


Hello everyone,
 
It appears one of my IIS servers has been compromised :(
 
All valid pages return a black page with the following red text:
 
This site is defaced!!!
 



 
NeverEverNoSanity WebWorm generation 10. 
 
I was hoping someone might have seen this before, and might be able to
point me in the right direction of how to get rid of it.
 
Thanks,
-Jerod 

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Upgrade issues

[Colbeck, Andrew]

You have it exactly, Serge.

The MAC address is guaranteed to be unique on the planet, but only the
local network needs a MAC to be unique. A router needs a MAC to be
unique on each network it can directly see.

Entering a MAC into the configuration for your network card is often
called LAA (Locally Administered Address); using a custom MAC is
uncommon, but certainly not rare.

Mostly I see this being done on firewalls or a new home-user firewall
box to alleviate the bother of going to the ISP to register a new MAC
address, thus letting the user keep the same IP they had.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Tuesday, December 21, 2004 4:59 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Upgrade issues 


Douglas,
Any problems can result from changing mac ? (besside conflict with a
local 
machine)
TIA


- Original Message - 
From: "Douglas Cohn" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, December 22, 2004 12:02 AM
Subject: RE: [Declude.Virus] Upgrade issues


> What exactly does this mean?  How long will you wait and does Deculde 
> run without the key?
>>>The built-in failsafes are designed to ensure that you won't need to 
>>>wait
> until the next business >>day to get a new license key.
>
> It is not like MAC addresses are impossible to change.  Many drivers 
> allow you to type in a MAC address.
>
> If you are truly concerned about people using the product without a
> license
> use a hardware key .  That will certainly help to keep the product
> running on just the server it was intended for.
>
> http://www.safenet-inc.com/products/sentinel/index.asp
>
> Unluckily they cost about $35 per machine but this stuff truly works 
> and
> in
> 99.99% of all cases is foolproof.
>
> DC
>
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Tuesday, December 21, 2004 6:47 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Upgrade issues
>
>
>>Am I hearing correctly that, beginning with 2.0, licensing is tied to 
>>the MAC address?
>
> Correct.
>
>>If so, what about those of us who load balance the traffic to the 
>>server across multiple NICs?  This is a must to avoid downtime due to 
>>failure of a NIC (it's saved our bacon a couple of times).
>>
>>Also, if a NIC is replaced, or we migrate to a different server, what 
>>is the process the get a new license key...and is that available 
>>24/7/365?
>>
>>We absolutely need to be able to handle these situations immediately 
>>without waiting until the next business day to get a new license key.
>
> The built-in failsafes are designed to ensure that you won't need to 
> wait until the next business day to get a new license key.
>
>-Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail 
> mailservers since 2000. Declude Virus: Ultra reliable virus detection 
> and the leader in mailserver vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
>
> 
> This outgoing message is guaranteed to be authentic by Message Level
> users.
> Guarantee the authenticity of your email @
http://www.messagelevel.com.
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
> just
> send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
>
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] MAC addresses for licenseing?

[Colbeck, Andrew]

With "Adapter Fault Tolerance", you only have one MAC.  The inactive
card's actual MAC address is suppressed, and the driver uses the LAA
(Locally Administered Address) ability to use that MAC when it becomes
the active card.  There is a tiny pause where the switch has to learn
that the MAC has moved to a different physical port.

If the server is downed, and the first NIC removed or unplugged, then
the secondary NIC's own MAC is used, and that would get you in trouble
with an aggressive MAC based licencing scheme.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark E. Smith
Sent: Wednesday, December 22, 2004 10:09 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] MAC addresses for licenseing?


We use AFT in all of our servers. How does this impact us?

Why not just do a web-based key generator and allow for two or three
keys to be generated. Have the user enter the IP, machine name and MAC
and then spit back a key. If you exceed the number of keys then they
need to call you.

Every time this type of key has been used we get screwed because the
company goes out of business and we can't license the software on a new
machine.

I think there's a better way of going about this

Just my .02


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Microsoft Antivirus in your future ?

[Colbeck, Andrew]

Title: Message



My 
reading this morning on canoe.ca was that their purchase in 2003 of RAV is going 
to surface as a subscription based retroactive cleaning system for only the 
topmost current viruses.  Microsoft is still going to encourage the 
purchase of big-name vendors' products for desktops and servers.  That 
should stave off further anti-competitive lawsuits from those big-name 
vendors.
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of SergeSent: Thursday, January 06, 2005 11:09 
  AMTo: Declude.Virus@declude.comSubject: [Declude.Virus] 
  Microsoft Antivirus in your future ?
   
   
  http://www.cnn.com/2005/TECH/01/06/microsoft.antivrus.ap/index.html
   
   

[Declude.Virus] Microsoft AntiSpyware in your future ?

[Colbeck, Andrew]

Title: Message



Microsoft has made progress on 
rebranding Giant AntiSpyware as a Microsoft product.  See here for the free 
beta which expires in about a year:
 
http://www.microsoft.com/athome/security/spyware/software/about.mspx
 
My 
take on this is that they've re-branded it, but not yet improved the 
functionality.  You can't exempt a single detection from further 
reports.  You can't get a signature download through a proxy server.  
It's about as fast as LavaSoft AdAware.
  Andrew 
8) 

RE: [Declude.Virus] FW: MS Windows/Critical Error

[Colbeck, Andrew]

Interesting.

On the one hand, using RAR compression is likely to get the trojan
message past antivirus scanners to lots of users.

On the other hand, I hope that anyone who has taken the step to install
the free unrar or actually bought RAR has enough of a clue to discard
this email as an obvious malware infection attempt!*

My f-prot powered Declude Virus caught a test I just created and sent to
myself.  My internal Trend Micro ScanMail for Exchange also caught a
test I just created and sent to myself.  So at least two antivirus
vendors think it's a credible threat and was worth coding against.

Andrew 8)


* Kind of like that popular email joke Mac|*nix|OS/2 self-inflicted
virus (please install this virus manually).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Wednesday, January 26, 2005 1:34 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] FW: MS Windows/Critical Error


Just got that one - attached was a WindowsUpdate.rar, 43 KB.

-Original Message-
From: Microsoft INC [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 26, 2005 09:15 PM
To: [EMAIL PROTECTED]
Subject: MS Windows/Critical Error


Dear Sir/Madam,
We kindly ask you to install this update to your PC as soon as possible.

In the libraries of OS WindowsR critical errors have been found. This
errors lead to destruction of the system files from your computer
without an opportunity on restoration. The given service-pack fixes
libraries and does not allow various Trojan modules to penetrate into
your computer. 

Yours Faithfully,
Microsoft INC




---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: Re[10]: [Declude.Virus] testvirus.org #22

[Colbeck, Andrew]

My configuration is catching it.  I've attached the entire configuration
file with my email address and licence munged.  I've also attached what
my log lines look line when the virus is caught.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
Sent: Wednesday, February 02, 2005 9:36 AM
To: Declude.Virus@declude.com
Subject: Re[10]: [Declude.Virus] testvirus.org #22


Sorry to revive this old thread. But I just had a customer report that
22 is still getting through. Could someone that's catching this with
F-prot please share your configs. I've got Declude 1.82 F-Prot 3.16 with
the following virus.cfg:

SCANFILE P:\Progra~1\fsi\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM
/ARCHIVE=3 /NOBOOT /DUMB /REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6
VIRUSCODE 8 REPORT Infection:

PRESCAN OFF


BANCLSIDON
BANPARTIAL  ON

DELIVERERRORS   ON

BANCRVIRUSESON


-- 
Best regards,
 Davidmailto:[EMAIL PROTECTED]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
02/02/2005 10:00:11 Q14fe0ca90028970d Scanner 1: Virus=EICAR_Test_File 
Attachment=eicar.zip [25] O
02/02/2005 10:00:11 Q14fe0ca90028970d File(s) are INFECTED [EICAR_Test_File: 3]
02/02/2005 10:00:16 Q14fe0ca90028970d Scanned: CONTAINS A VIRUS [MIME: 2 939]
02/02/2005 10:00:16 Q14fe0ca90028970d From: [EMAIL PROTECTED] To: [EMAIL 
PROTECTED] [outgoing from 206.158.107.157]
02/02/2005 10:00:16 Q14fe0ca90028970d Subject: Virus Scanner Test #22


virus.cfg
Description: virus.cfg

RE: Re[10]: [Declude.Virus] testvirus.org #22

[Colbeck, Andrew]

And thank you in turn, Markus.  I believe that you've been the top
contributor for the manually kept forging virus list; mine was cobbled
together from postings here as well as viruses I catch internally on
desktops (which I then research, and if I find that it spreads via email
and is forging, have added to my list).

Here is the alphabetized join of the active entries in our lists (in
particular, I suggest that if you include "IFrame" as a generic
forgingvirus indicator, that you also include "Trojan"):

FORGINGVIRUS Anonymous Driver
FORGINGVIRUS Bagle
FORGINGVIRUS Bridex
FORGINGVIRUS Bugbear
FORGINGVIRUS Dumar
FORGINGVIRUS Exploit-ObjectData
FORGINGVIRUS Fizzer
FORGINGVIRUS Ganda
FORGINGVIRUS Holar
FORGINGVIRUS Hybris
FORGINGVIRUS IFrame
FORGINGVIRUS IFromot
FORGINGVIRUS Illwill
FORGINGVIRUS Inor
FORGINGVIRUS Klez
FORGINGVIRUS Lentin
FORGINGVIRUS Lovgate
FORGINGVIRUS Mabuto
FORGINGVIRUS Magistr
FORGINGVIRUS MiMail
FORGINGVIRUS MyDoom
FORGINGVIRUS Netsky
FORGINGVIRUS ObjData
FORGINGVIRUS Palyh
FORGINGVIRUS Phish-
FORGINGVIRUS Plexus
FORGINGVIRUS Proxy-Cidra
FORGINGVIRUS Reblin
FORGINGVIRUS Sober
FORGINGVIRUS SoBig
FORGINGVIRUS Somefool
FORGINGVIRUS Tanx
FORGINGVIRUS Torvil
FORGINGVIRUS Trojan
FORGINGVIRUS Wurmark
FORGINGVIRUS Yaha
FORGINGVIRUS Zafi
FORGINGVIRUS Zerolin

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, February 02, 2005 1:17 PM
To: Declude.Virus@declude.com
Subject: RE: Re[10]: [Declude.Virus] testvirus.org #22



Andrew,

Your comment "so we'll still keep this list up to date from postings on
the Declude.Virus newslist"

Here is my actual FORGINGVIRUS list, maintained for F-Prot/McAfee virus
names:

#FORGINGVIRUS   Unknown Virus
FORGINGVIRUSMagistr
FORGINGVIRUSKlez
FORGINGVIRUSYaha
FORGINGVIRUSLentin
FORGINGVIRUSBridex
FORGINGVIRUSBugbear
FORGINGVIRUSSoBig
FORGINGVIRUSFizzer
FORGINGVIRUSPalyh
FORGINGVIRUSMiMail
#FORGINGVIRUS   Lirva
FORGINGVIRUSDumar
FORGINGVIRUSSober
FORGINGVIRUSHybris
FORGINGVIRUSBagle
FORGINGVIRUSMyDoom
FORGINGVIRUSTanx
FORGINGVIRUSNetsky
FORGINGVIRUSProxy-Cidra
FORGINGVIRUSTorvil
FORGINGVIRUSExploit-ObjectData
FORGINGVIRUSAnonymous Driver
FORGINGVIRUSZafi
FORGINGVIRUSMabuto
FORGINGVIRUSIllwill
FORGINGVIRUSObjData
FORGINGVIRUSZerolin
FORGINGVIRUSInor
FORGINGVIRUSIFromot
FORGINGVIRUSIFrame
FORGINGVIRUSPlexus
FORGINGVIRUSPhish-
FORGINGVIRUSLovgate
FORGINGVIRUSWurmark
FORGINGVIRUSSomefool
FORGINGVIRUSReblin

Thanks for the great comments in your cfg file
Markus

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: Re[13]: [Declude.Virus] testvirus.org #22

[Colbeck, Andrew]

No problem, happy to oblige.  See attached text file.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
Sent: Thursday, February 03, 2005 11:55 AM
To: R. Scott Perry
Subject: Re[13]: [Declude.Virus] testvirus.org #22


Hello R.,

Thursday, February 3, 2005, 2:05:48 PM, you wrote:


>>Ok, Scott...Anybodyany idea why this one is getting through after 
>>looking at my logs? It looks like they're saying:
>>
>>02/02/2005 14:59:04.646 Q310830a90096022a Not starting scanner since 
>>no files to scan.

RSP> That's because the E-mail is text-only, which means that Declude 
RSP> Virus won't scan it, since text files can't contain viruses.

But I can't figure out why Andrew catches it and I'm not. I compared the
config files and the only difference is I have Prescan OFF and I let
normal .zips through.

Andrew, could you run Declude in Debug and send test 22 through so we
could see your log file?

-- 
Best regards,
 Davidmailto:[EMAIL PROTECTED]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
02/03/2005 12:01:21.453  Setting AVBEFOREJM to ON.
02/03/2005 12:01:21.453  Setting Scan File 1 toD:\F-Prot\fpcmd.exe /ai 
/type /silent /archive=5 /dumb /noboot /nomem /packed /report=report.txt.
02/03/2005 12:01:21.453  CFG: Setting report parse 1 to Infection: .
02/03/2005 12:01:21.453  Setting virus directory to: D:\IMail\spool\virus
02/03/2005 12:01:21.453  Setting MAXATONCE to 0.
02/03/2005 12:01:21.453  Incoming E-mail scanning turned ON
02/03/2005 12:01:21.453  Outgoing E-mail scanning turned ON
02/03/2005 12:01:21.453  Setting scanner timeout to 90 seconds
02/03/2005 12:01:21.453  Scanner 0 Virus Codes: 3 6 8 .  OK Codes: 
02/03/2005 12:01:21.453  Skip Extensions: GIF TXT MPG PNG BMP PDF MOV TIF WMV 
02/03/2005 12:01:21.453  7 Ban Extensions: scr pif cpl lnk ani ico shs 
02/03/2005 12:01:21.453  Declude v1.82
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Declude Virus Lite Registered
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Starting locality check 
(sender=testvirus.org; nr=1 ca=off).
02/03/2005 12:01:21.671 Q830e0f26011c5c69 CL Opening 
HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Local host = mail.bentall.com
02/03/2005 12:01:21.671 Q830e0f26011c5c69 [EMAIL PROTECTED] Offset=9 Flags=0
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Msgid: <[EMAIL PROTECTED]>
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Subject: Virus Scanner Test #22
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Starting virus scanning section...
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER=0
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DoAv( 
D:\IMail\spool\D830e0f26011c5c69.SMD );
02/03/2005 12:01:31.796 Q830e0f26011c5c69 avtempdir=D:\IMail\spool
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Temp dir set to: 
D:\IMail\spool\D830e0f26011c5c69.vir\
02/03/2005 12:01:31.796 Q830e0f26011c5c69 fp=4501a0
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER++
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME START
02/03/2005 12:01:31.796 Q830e0f26011c5c69 CT: Content-Type: 
multipart/mixed;boundary="
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Got boundary; 
=--=_804689079==_.
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME end-of-headers
02/03/2005 12:01:31.796 Q830e0f26011c5c69 ISMULTI
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Hit boundary... Recursing... 0 (0-0-).
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER++
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME START
02/03/2005 12:01:31.796 Q830e0f26011c5c69 CT: Content-Type: text/plain; 
charset="us-ascii"; format=flowed
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME end-of-headers
02/03/2005 12:01:31.796 Q830e0f26011c5c69 !ISMULTI
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Handling a MIME segment 
[Boundary=--=_804689079==_].
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Encoding type: *DEFAULT* [1/]
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Starting BASE64
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Hit new boundary (fseek)
02/03/2005 12:01:31.796 Q830e0f26011c5c69 curpos=1243
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Deleting (1) plaintext segment 
D:\IMail\spool\D830e0f26011c5c69.vir\0..
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER--
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Done Recursing...
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Hit boundary... Recursing... 1 (0-0-).
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER++
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME START
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Got Encoding base64.
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Setting MimeName to eicar.zip [9].
02/03/2005 12:01:31.796 Q830e0f26011

RE: [Declude.Virus] McAfee and POP3 service crash

[Colbeck, Andrew]

FWIW, I recently ran into a weirdness with McAfee; I use the daily dat
download (engine plus dats), and have so for some months.  What I do is
for reporting completeness, I do a nightly scan of my spam folder to
find out how many viruses were caught as spam.

January didn't work, and I didn't notice for most of the month.  What
was happening was that the script was taking forever, and not completing
for the script ran again the next night.

I copied my spam folder to my local machine and ran the script again,
with much the same result.  I ran SystInternals.com's FileMon and found
that McAfee's scan.exe was reading the current folder and the root of
the drive bazillions of times.  With a small-ish corpus, these
extraneous reads made no difference to the scan time.  With a large
number of files in a directory with a very large number of files, the
scan wasn't worth running.

So just at the end of last week, I modified the script to use F-Prot
instead of McAfee, and that has been working fine.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, February 07, 2005 7:04 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee and POP3 service crash


Although I cannot explain the cause of the issues you've seen, I would
suggest that you upgrade your scan engine:
http://www.mcafeesecurity.com/us/downloads/default.asp?wt.mc_n=us_update
s&wt.mc_t=ext_li_con&cid=10373.
Download and run the SuperDat, file which contains the latest dat and
engine updates (version 4400\4426).

Bill
- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Monday, February 07, 2005 6:27 AM
Subject: [Declude.Virus] McAfee and POP3 service crash


> I've never seen this before, but beginning on Saturday morning, I 
> started getting appearances of "Application Error" in my Event Log 
> about
> McAfee:
>
>
> Faulting application Scan.exe, version 4.3.2.0, faulting module 
> mcscan32.dll, version 4.3.2.0, fault address 0x0001cfd0.
>
>
> Then this morning the POP3 service started also giving errors in 
> addition to McAfee:
>
>
> Faulting application POP3d32.exe, version 12.11.9.8, faulting module 
> POP3d32.exe, version 12.11.9.8, fault address 0x00010bcb.
>
>
> The POP3 service had in fact crashed and it needed to be restarted (I 
> rebooted just to be safe).  I believe that this is the first time that

> I have ever seen the POP3 service crash.  Although I don't believe 
> that POP3 has anything direct relationship to McAfee on my server 
> since that app is only used as a command line scanner, I'm quite 
> suspicious of this causing the issue.
>
> Has anyone else seen either one of these errors on their systems?
>
> Thanks,
>
> Matt
>
> --
>
> =
>
> MailPure custom filters for Declude JunkMail Pro.
>
> http://www.mailpure.com/software/ 
>
> =
>

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] McAfee and POP3 service crash

[Colbeck, Andrew]

Title: Message



I 
don't mean scanning the files in the root repetitively.  In 
particular, FileMon was showing me that scan.exe was READing D:\ (as opposed to 
OPEN, CLOSE, QUERY INFORMATION, or SET INFORMATION - all of which are other 
request types that FileMon can log).  
 
Actually, it might have been D: instead of D:\ ... I'm not sure 
now.  My conclusion was that it was re-reading the contents 
of the directory over and over.  As you suggest, using the /exclude 
parameter to excerpt the root of the drive may have helped.
 
The 
scan.exe file is dated October 2004, and my script was certainly working before 
and after that date, so it is also possible that a hotfix applied in late 
December or early January changed the behaviour of some API that scan.exe uses; 
I really don't know how much a DAT file can control the scanning behaviour, but 
the DATs are the only part of the McAfee client that 
changed!
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of MattSent: Monday, February 07, 2005 10:35 
  AMTo: Declude.Virus@declude.comSubject: Re: 
  [Declude.Virus] McAfee and POP3 service 
  crashAndrew,When you say "reading the root of the 
  drive" do you mean the boot sector, or the files contained in the root of C: 
  or the drive that was defined in the command line?  And also just to 
  clarify, "reading" in this case meaning "scanning", correct?Seems like 
  being able to turn that off, or at least remove files from the root might make 
  a big performance difference when you have high 
  volume.Thanks,MattColbeck, Andrew wrote: 
  FWIW, I recently ran into a weirdness with McAfee; I use the daily dat
download (engine plus dats), and have so for some months.  What I do is
for reporting completeness, I do a nightly scan of my spam folder to
find out how many viruses were caught as spam.

January didn't work, and I didn't notice for most of the month.  What
was happening was that the script was taking forever, and not completing
for the script ran again the next night.

I copied my spam folder to my local machine and ran the script again,
with much the same result.  I ran SystInternals.com's FileMon and found
that McAfee's scan.exe was reading the current folder and the root of
the drive bazillions of times.  With a small-ish corpus, these
extraneous reads made no difference to the scan time.  With a large
number of files in a directory with a very large number of files, the
scan wasn't worth running.

So just at the end of last week, I modified the script to use F-Prot
instead of McAfee, and that has been working fine.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Monday, February 07, 2005 7:04 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee and POP3 service crash


Although I cannot explain the cause of the issues you've seen, I would
suggest that you upgrade your scan engine:
http://www.mcafeesecurity.com/us/downloads/default.asp?wt.mc_n=us_update
s&wt.mc_t=ext_li_con&cid=10373.
Download and run the SuperDat, file which contains the latest dat and
engine updates (version 4400\4426).

Bill
- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Monday, February 07, 2005 6:27 AM
Subject: [Declude.Virus] McAfee and POP3 service crash


  
I've never seen this before, but beginning on Saturday morning, I 
started getting appearances of "Application Error" in my Event Log 
about
McAfee:


Faulting application Scan.exe, version 4.3.2.0, faulting module 
mcscan32.dll, version 4.3.2.0, fault address 0x0001cfd0.


Then this morning the POP3 service started also giving errors in 
addition to McAfee:


Faulting application POP3d32.exe, version 12.11.9.8, faulting module 
POP3d32.exe, version 12.11.9.8, fault address 0x00010bcb.


The POP3 service had in fact crashed and it needed to be restarted (I 
rebooted just to be safe).  I believe that this is the first time that

  
I have ever seen the POP3 service crash.  Although I don't believe 
that POP3 has anything direct relationship to McAfee on my server 
since that app is only used as a command line scanner, I'm quite 
suspicious of this causing the issue.

Has anyone else seen either one of these errors on their systems?

Thanks,

Matt

--

=

MailPure custom filters for Declude JunkMail Pro.

http://www.mailpure.com/software/ 

=


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing li

RE: [Declude.Virus] McAfee and POP3 service crash

[Colbeck, Andrew]

Title: Message



I 
should have also mentioned that the script first makes a list of the files to 
scan, then tells scan.exe to scan the files in the list.
 
I 
don't just tell scan.exe to scan the folder (if I had, I could buy the behaviour 
of reading the directory over and over again).
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Colbeck, AndrewSent: Monday, February 07, 2005 10:54 
  AMTo: Declude.Virus@declude.comSubject: RE: 
  [Declude.Virus] McAfee and POP3 service crash
  I 
  don't mean scanning the files in the root repetitively.  In 
  particular, FileMon was showing me that scan.exe was READing D:\ (as opposed 
  to OPEN, CLOSE, QUERY INFORMATION, or SET INFORMATION - all of which are other 
  request types that FileMon can log).  
   
  Actually, it might have been D: instead of D:\ ... I'm not sure 
  now.  My conclusion was that it was re-reading the 
  contents of the directory over and over.  As you suggest, using the 
  /exclude parameter to excerpt the root of the drive may have 
  helped.
   
  The 
  scan.exe file is dated October 2004, and my script was certainly working 
  before and after that date, so it is also possible that a hotfix 
  applied in late December or early January changed the behaviour of some API 
  that scan.exe uses; I really don't know how much a DAT file can control the 
  scanning behaviour, but the DATs are the only part of the McAfee client that 
  changed!
   
  Andrew 8)
  

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of MattSent: Monday, February 07, 2005 10:35 
AMTo: Declude.Virus@declude.comSubject: Re: 
[Declude.Virus] McAfee and POP3 service 
crashAndrew,When you say "reading the root of 
the drive" do you mean the boot sector, or the files contained in the root 
of C: or the drive that was defined in the command line?  And also just 
to clarify, "reading" in this case meaning "scanning", correct?Seems 
like being able to turn that off, or at least remove files from the root 
might make a big performance difference when you have high 
volume.Thanks,MattColbeck, Andrew wrote: 
FWIW, I recently ran into a weirdness with McAfee; I use the daily dat
download (engine plus dats), and have so for some months.  What I do is
for reporting completeness, I do a nightly scan of my spam folder to
find out how many viruses were caught as spam.

January didn't work, and I didn't notice for most of the month.  What
was happening was that the script was taking forever, and not completing
for the script ran again the next night.

I copied my spam folder to my local machine and ran the script again,
with much the same result.  I ran SystInternals.com's FileMon and found
that McAfee's scan.exe was reading the current folder and the root of
the drive bazillions of times.  With a small-ish corpus, these
extraneous reads made no difference to the scan time.  With a large
number of files in a directory with a very large number of files, the
scan wasn't worth running.

So just at the end of last week, I modified the script to use F-Prot
instead of McAfee, and that has been working fine.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Monday, February 07, 2005 7:04 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee and POP3 service crash


Although I cannot explain the cause of the issues you've seen, I would
suggest that you upgrade your scan engine:
http://www.mcafeesecurity.com/us/downloads/default.asp?wt.mc_n=us_update
s&wt.mc_t=ext_li_con&cid=10373.
Download and run the SuperDat, file which contains the latest dat and
engine updates (version 4400\4426).

Bill
- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Monday, February 07, 2005 6:27 AM
Subject: [Declude.Virus] McAfee and POP3 service crash


  
  I've never seen this before, but beginning on Saturday morning, I 
started getting appearances of "Application Error" in my Event Log 
about
McAfee:


Faulting application Scan.exe, version 4.3.2.0, faulting module 
mcscan32.dll, version 4.3.2.0, fault address 0x0001cfd0.


Then this morning the POP3 service started also giving errors in 
addition to McAfee:


Faulting application POP3d32.exe, version 12.11.9.8, faulting module 
POP3d32.exe, version 12.11.9.8, fault address 0x00010bcb.


The POP3 service had in fact crashed and it needed to be restarted (I 
rebooted just to be safe).  I believe that this is the first time that

  
  I have ever seen the POP3 service crash.  Although I don't believe 
that POP3 has anything direct relationship to McAfee on my server 
since that app is only used as a command line scanner, I'm quite 
suspicious of this causing the issue.

Has anyone else seen either one of these errors on their systems?

Thanks,

Matt

--

==

RE: [Declude.Virus] New MyDoom virus

[Colbeck, Andrew]

Are you sure that your F-Prot is up to date?

I saw this same thing yesterday, and submitted a sample via their web
submission report.  They responded this morning, but in the meantime I
had checked again later that afternoon yesterday and I was seeing
detections as W32/Mydoom.gen (and McAfee saw the detection as
W32/[EMAIL PROTECTED]).

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Don Hickey
Sent: Wednesday, February 16, 2005 4:00 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New MyDoom virus


We are many of these since about 5pm central time. Mcafee has definition
updates to catch this. We were catching it by the blocked extensions
before the Mcafee update was installed.

http://vil.nai.com/vil/content/v_131856.htm

At this time F-prot is not catching these..

Don



-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.8 - Release Date: 2/14/2005

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] New MyDoom virus

[Colbeck, Andrew]

Yep, it's very new.  Here's one vendor's write-up, indicating it was
spreading well by 5PM Pacific time on Wednesday night:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYD
OOM.BB

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gary Brumm
Sent: Wednesday, February 16, 2005 5:38 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New MyDoom virus


I just got one with the latest F-Prot update that shows as
w32/[EMAIL PROTECTED] .

Gary


At 04:46 PM 2/16/2005, you wrote:
>Are you sure that your F-Prot is up to date?
>
>I saw this same thing yesterday, and submitted a sample via their web 
>submission report.  They responded this morning, but in the meantime I 
>had checked again later that afternoon yesterday and I was seeing 
>detections as W32/Mydoom.gen (and McAfee saw the detection as 
>W32/[EMAIL PROTECTED]).
>
>Andrew 8)
>
>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf Of Don Hickey
>Sent: Wednesday, February 16, 2005 4:00 PM
>To: Declude.Virus@declude.com
>Subject: [Declude.Virus] New MyDoom virus
>
>
>We are many of these since about 5pm central time. Mcafee has 
>definition updates to catch this. We were catching it by the blocked 
>extensions before the Mcafee update was installed.
>
>http://vil.nai.com/vil/content/v_131856.htm
>
>At this time F-prot is not catching these..
>
>Don
>
>
>
>--
>No virus found in this outgoing message.
>Checked by AVG Anti-Virus.
>Version: 7.0.300 / Virus Database: 265.8.8 - Release Date: 2/14/2005
>
>---
>[This E-mail was scanned for viruses by Declude Virus 
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
>just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.Virus".The archives can be found
>at http://www.mail-archive.com.
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
>just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.Virus".The archives can be found
>at http://www.mail-archive.com.

ComsecNet
Dedicated Data Services
Stockton, CA
Phone:(209) 463-2809
Fax:(209) 938-0481
Email: [EMAIL PROTECTED]
Web: www.comsec.net

This message is intended for the use of the individual or entity to
which 
it is addressed and may contain information that is privileged, 
confidential, and exempt from disclosure under applicable law. If the 
reader of this message is not the intended recipient or an employee or 
agent responsible for delivering to the intended recipient, you are
hereby 
notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this 
communication in error please destroy this message and notify the sender
by 
reply email.




---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Organization changes at Declude

[Colbeck, Andrew]

Thank you, Barry.

Scott, I wish you all the best in your future endeavours... it's been a
swell ride!


Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 21, 2005 10:10 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Organization changes at Declude


After 4 years of hard work and little sleep Scott Perry has decided to
move away from customer facing activities with Declude and will be
spending more of his time working with the Red Cross.

Scott continues his commitment to Declude in an advisory role.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Yet another MyDoom in the wild

[Colbeck, Andrew]

For the writeup from TrendMicro, see
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYD
OOM.BE

And for a practical tip, add to your virus.cfg:

BANNAME example.com.zip

Where example.com is of course replaced by your own Internet domain(s).

Andrew 8)
 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Yet another MyDoom in the wild

[Colbeck, Andrew]

Well, if you're already banning zip files entirely, there's no purpose
in my suggestion *today*.

However, I would posit that you'll change that policy at some point, and
then this suggestion may be useful to you.

Bad guys certainly recycle their techniques, so there's no telling how
long this ban would be useful.  I'm guessing that we'll see a few more
iterations of this technique, and given that antivirus patterns always
lag the actual viruses... I'm keeping this entry in my virus.cfg file.

I hope that helps,

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Tuesday, February 22, 2005 12:20 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Yet another MyDoom in the wild


soo I should remove my ZIP that I already ban..



----- Original Message - 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, February 22, 2005 3:02 PM
Subject: [Declude.Virus] Yet another MyDoom in the wild


For the writeup from TrendMicro, see
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYD
OOM.BE

And for a practical tip, add to your virus.cfg:

BANNAME example.com.zip

Where example.com is of course replaced by your own Internet domain(s).

Andrew 8)

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com


---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Weak little report on found viruses

[Colbeck, Andrew]

On another list there was a request for a simple quick way (and free?)
to find out how many viruses Declude Virus has caught.

This will do the trick, but of course it depends on what you're *really*
after:

gawk "$4 ~ /Scanner/" vir0307.log

Awk will then check column 4 in the file for a regular expression that
matches "Scanner" and output the whole line.

You could count the lines in Awk and output the total, but then that
would probably require a little bit more than you want to learn, so just
tack on an easy utility to do that total for you:

gawk "$4 ~ /Scanner/" vir0307.log | wc -l

Andrew 8)

p.s. On my system, I mostly see NetSky, then MyDoom, then IFrame
exploits.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Weak little report on found viruses

[Colbeck, Andrew]

Rather than figure out the date subtraction in the command shell, when I
want yesterday's date, I cheat.

I schedule the job at 11:59 PM, then parse the date, then continue.  For
one specific job, I really wanted a log file to be finished, so I then
issued waitfor.exe and made it pause for 10 minutes... functionally, it
executed today, but on yesterday's data.

WaitFor.exe is in the usual Microsoft OS Resource Kits.

Back in the day, I used to set environment variables called TodayMM,
TodayDD, Today and likewise for Yesterday.  I also ignored 00:00 for
any jobs, and used 23:59 or 00:01, but typically 00:01 and the Yesterday
variables.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Monday, March 07, 2005 7:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Weak little report on found viruses


I run this batch job every night at just before midnight. It does
everything you asked for and more :) and if you act quickly we can throw
in some steak knives.

And while I am at it does anyone have and batch code that will figure
out yesterdays date? I would love to run my report after midnight and
get yesterday's log file.

Thanx

BTW change the .txt to .cmd and some variables inside.
 
 
 
 Goran Jovanovic
 The LAN Shoppe


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
> [EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Monday, March 07, 2005 6:54 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Weak little report on found viruses
> 
> grep INFECTED vir0307.log | cut -d " " -f 7- | usort | uniq -c | usort
> 
> Bill
> - Original Message -
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, March 07, 2005 12:50 PM
> Subject: [Declude.Virus] Weak little report on found viruses
> 
> 
> On another list there was a request for a simple quick way (and free?)

> to find out how many viruses Declude Virus has caught.
> 
> This will do the trick, but of course it depends on what you're
*really*
> after:
> 
> gawk "$4 ~ /Scanner/" vir0307.log
> 
> Awk will then check column 4 in the file for a regular expression that

> matches "Scanner" and output the whole line.
> 
> You could count the lines in Awk and output the total, but then that 
> would probably require a little bit more than you want to learn, so
just
> tack on an easy utility to do that total for you:
> 
> gawk "$4 ~ /Scanner/" vir0307.log | wc -l
> 
> Andrew 8)
> 
> p.s. On my system, I mostly see NetSky, then MyDoom, then IFrame 
> exploits.
> ---
> [This E-mail was scanned for viruses by Declude Virus 
> (http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
> (http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Covad has a problem with our RBL

[Colbeck, Andrew]

Kevin, you're probably using your ISP's DNS servers to do the RBL
lookups for you.  Either your operating system is configured with
Covad's DNS servers, or you have your own DNS server configured to do
"DNS forwarding".

What you want to do is run your own DNS server, and NOT have it
configured for "DNS forwarding".  In this way, you won't abuse Covad's
name servers.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Thursday, March 31, 2005 2:03 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Covad has a problem with our RBL


I received the following email today from Covad - our access provider.  
It looks like they have a problem with Declude checking inbound emails 
against a realtime blackhole list.  (The problem could also be several 
emails we've received lately with hundreds of recipients, many of which 
were invalid - so it could be the NDR problem mentioned). 

Does anyone know if Declude, setup normally without much modification, 
is using more than 1 RBL, or, irregardless of how many it uses, would it

be checking the RBL 12000 times an hour for a mail server that delivers 
about 6000 messages a day?  Or do you think this most likely has to do 
with the too-many-invalid-recipients problem?

Thanks.  Kevin

MESSAGE FOLLOWS
---
Dear Covad Customer,

Our records indicate that your computer has made 12497 requests during 
the hour we monitored it which accounted for 5.13% of the total traffic 
to the Covad nameservers in your region. The high volume of requests 
made by your computer to our nameservers causes a degradation of service

for other Covad customers.

The IP address implicated is:

XX.XXX.XXX.XXX

Possible causes for this excessive activity includes, but not limited to

the following reasons:

-Virus infected computer(s) sending infected emails which causes Covad 
servers to receive MX queries for every infected message. -Computer
hosting an open proxy or relay that is being abused by a 
spammer.  Each outbound email will generate a DNS request. -Mail server
configured to check every inbound email on a realtime 
blackhole list (RBL).  This could oppose a problem if there are more 
than two lists being queried.
-Mail server configured to send a non delivery receipt (NDR) for every 
email received at an invalid email address.  NDR messages cause Covad 
servers to receive DNS requests as well as generate unnecessary traffic 
on a customer's network.  NDR messages is also a way for spammers to 
confirm valid email addresses which could cause mail servers to receive 
even more spammed emails.

---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Covad has a problem with our RBL

[Colbeck, Andrew]

... and, Kevin, you should get back to Covad and tell them that you will
remediate the problem.  This will let them know that you play nice, and
stop them from taking actions against your traffic!

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Thursday, March 31, 2005 2:19 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Covad has a problem with our RBL


Yes, its very possible. 

10 RBLS x 1200 emails in an hour is easily 12K hits. 

The 10 RBLS is also conservative.  I am sure they will end up doing what

AT&T does and just blackhole queries to certain RBL's.  I would look at 
setting up a local DNS server. 

Darrell 

 

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
MRTG 
Integration, and Log Parsers. 


Kevin Rogers writes: 

> I received the following email today from Covad - our access provider.

> It
> looks like they have a problem with Declude checking inbound emails 
> against a realtime blackhole list.  (The problem could also be several

> emails we've received lately with hundreds of recipients, many of
which 
> were invalid - so it could be the NDR problem mentioned).  
> 
> Does anyone know if Declude, setup normally without much modification,

> is
> using more than 1 RBL, or, irregardless of how many it uses, would it
be 
> checking the RBL 12000 times an hour for a mail server that delivers
about 
> 6000 messages a day?  Or do you think this most likely has to do with
the 
> too-many-invalid-recipients problem? 
> 
> Thanks.  Kevin
> 
> MESSAGE FOLLOWS
> ---
> Dear Covad Customer,
> 
> Our records indicate that your computer has made 12497 requests during

> the
> hour we monitored it which accounted for 5.13% of the total traffic to
the 
> Covad nameservers in your region. The high volume of requests made by
your 
> computer to our nameservers causes a degradation of service for other 
> Covad customers. 
> 
> The IP address implicated is:
> 
> XX.XXX.XXX.XXX
> 
> Possible causes for this excessive activity includes, but not limited 
> to
> the following reasons: 
> 
> -Virus infected computer(s) sending infected emails which causes Covad
> servers to receive MX queries for every infected message.
> -Computer hosting an open proxy or relay that is being abused by a 
> spammer.  Each outbound email will generate a DNS request.
> -Mail server configured to check every inbound email on a realtime 
> blackhole list (RBL).  This could oppose a problem if there are more
than 
> two lists being queried.
> -Mail server configured to send a non delivery receipt (NDR) for every

> email received at an invalid email address.  NDR messages cause Covad 
> servers to receive DNS requests as well as generate unnecessary
traffic on 
> a customer's network.  NDR messages is also a way for spammers to
confirm 
> valid email addresses which could cause mail servers to receive even
more 
> spammed emails. 
> 
> ---
> [This E-mail was scanned for viruses.]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
 

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Covad has a problem with our RBL

[Colbeck, Andrew]

You probably want to take this in baby steps.  Let's start with - are
you sure that you're not already running a DNS server on your
mailserver?  Then you can go on with using Add/Remove to add the DNS
server.

To avoid any issue with your mailserver needing DNS records at all, just
change your Declude configuration to use the new DNS server.  In section
6.4 of the Declude.JunkMail manual you will see the DNS command to put
in your global.cfg to use the local DNS service, e.g.

DNS 127.0.0.1

by doing that, only Declude changes.  Your IMail will continue to
perform DNS as it was, which Covad will not complain about, and you
won't accidentally change something delicate.

Andrew 8)

p.s. There is no corresponding setting in your Declude.Virus config
file, but no worry, at worst it will make one DNS query per viral
message detected, if you're using the "AUTOFORGE ON" feature.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Thursday, March 31, 2005 2:42 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Covad has a problem with our RBL


Thanks for the response guys.  You're talking to a newb, so bear with 
me.  In order to setup my own DNS server on the same box as Imail, I 
need to:

1. Add that service in the Add/Remove Windows components (running W2K 
Server).
2. In Imail's SMTP service area of IAdmin.exe, change the Domain Name 
Server address field to the local IP address of the newly created DNS 
service.

Do I need to change any MX or A records?
Where is this newly created DNS server looking up the DNS records?  
(Dumb question, I know, but hey.)
What are some of the things I need to worry about when doing this? 



Kevin Rogers wrote:

> I received the following email today from Covad - our access
> provider.  It looks like they have a problem with Declude checking 
> inbound emails against a realtime blackhole list.  (The problem could 
> also be several emails we've received lately with hundreds of 
> recipients, many of which were invalid - so it could be the NDR 
> problem mentioned).
> Does anyone know if Declude, setup normally without much modification,

> is using more than 1 RBL, or, irregardless of how many it uses, would 
> it be checking the RBL 12000 times an hour for a mail server that 
> delivers about 6000 messages a day?  Or do you think this most likely 
> has to do with the too-many-invalid-recipients problem?
>
> Thanks.  Kevin
>
> MESSAGE FOLLOWS
> ---
> Dear Covad Customer,
>
> Our records indicate that your computer has made 12497 requests during
> the hour we monitored it which accounted for 5.13% of the total 
> traffic to the Covad nameservers in your region. The high volume of 
> requests made by your computer to our nameservers causes a degradation

> of service for other Covad customers.
>
> The IP address implicated is:
>
> XX.XXX.XXX.XXX
>
> Possible causes for this excessive activity includes, but not limited
> to the following reasons:
>
> -Virus infected computer(s) sending infected emails which causes Covad
> servers to receive MX queries for every infected message.
> -Computer hosting an open proxy or relay that is being abused by a 
> spammer.  Each outbound email will generate a DNS request.
> -Mail server configured to check every inbound email on a realtime 
> blackhole list (RBL).  This could oppose a problem if there are more 
> than two lists being queried.
> -Mail server configured to send a non delivery receipt (NDR) for every

> email received at an invalid email address.  NDR messages cause Covad 
> servers to receive DNS requests as well as generate unnecessary 
> traffic on a customer's network.  NDR messages is also a way for 
> spammers to confirm valid email addresses which could cause mail 
> servers to receive even more spammed emails.
>
> ---
> [This E-mail was scanned for viruses.]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> ---
> [This E-mail was scanned for viruses.]
>
>
>

---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Windows Update!

[Colbeck, Andrew]

Title: Message



No, 
that email address is not valid.  Those emails have been easily held over 
on my system.
 
You 
can certainly block that bogus MAILFROM but since the bad guys will continue to 
change it as they hatch new spoofs, why not split out your SPAMDOMAINS into 
groups that are likely to be abused, and weight those high enough to meet your 
HOLD weight?
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Kami RazvanSent: Sunday, April 10, 2005 12:38 
  PMTo: Declude.Virus@declude.comSubject: [Declude.Virus] 
  Windows Update!
  Hi;
   
  In the past hour 
  I have seen several emails caught as spam but the weight still not high enough 
  to be deleted with subject: Urgent Windows Update.
   
  As everyone (?) 
  knows this is the recent attempt to install a worm on the visitor's computer- 
  there is a link to the Express install and no attachments.
   
  The link is an 
  IP address.
   
  I think ClamAV 
  detects such behavior but it is not catching it yet and I just checked the 
  update.
   
  I think for now 
  I created a filter that if the email is from Microsoft and there is an IP 
  address in the body for the email to be blocked.
   
  This one email 
  came from [EMAIL PROTECTED] - I 
  really don't think that is a valid MS address.  Anyone knows if this is a 
  valid address?  May be it is worthwhile to block it for 
  now.
   
  This week MS 
  will be releasing some major updates and from what I read this scam was about 
  to be released today.. so it is starting at least one our 
  system.
   
  Regards,
  Kami

RE: [Declude.Virus] F-Prot 3.16b

[Colbeck, Andrew]

Title: Message



http://www.f-prot.com/download/release_notes_archive/Release-Notes-Windows-3.16b.txt
 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Goran JovanovicSent: Monday, April 11, 2005 12:36 
  PMTo: Declude.Virus@declude.comSubject: [Declude.Virus] 
  F-Prot 3.16b
  
  Hi,
   
  Anyone know anything 
  about the new version that just came out?
   
  
   
   
   
   
  Goran 
  Jovanovic
   
  The LAN 
  Shoppe
<>

RE: [Declude.Virus] Declude Update

[Colbeck, Andrew]

Go to the www.declude.com website and click on Tech Support, you end up
on a dense page but the manuals are there for each product.

I didn't know either; about two weeks ago I was surprised that the
manual wasn't in the software download, so I sent an email to tech
support and that was the answer.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
Sent: Tuesday, April 12, 2005 6:22 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude Update


On 11 Apr 2005 at 20:45, Barry Simpson wrote:

> 
> Declude Version 2.0.6 was posted to www.declude.com earlier today. 
> Updated Release Notes and Documentation are also available.
Hi -
Where is the virus manual? I wasn't able to find it.  Reason  was  
looking was BANEZIPEXTS is not listed in the sample virus.cfg file - 
I want to verify this option  still exists [or not]

Thanks

-Nick

> Barry
> 
> 
> --- [This E-mail scanned for viruses by Findlay Internet] --- This E- 
> mail came from the Declude.Virus mailing list. To unsubscribe, just 
> send an E-mail to [EMAIL PROTECTED], and type "unsubscribe 
> Declude.Virus". The archives can be found at http://www.mail- 
> archive.com.


---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot tagging zips as code 8

[Colbeck, Andrew]

Title: Message



John, 
I don't think you mention what kind of file was in your encrypted 
zip.  I just took a try at repeating the test as it may be applicable to my 
own environment.
 
I 
block encrypted banned extensions with:
 
BANEZIPEXTS ON
 
and 
.doc file is not in my list of banned extensions, just the usual 
executable extension.  I also use return code 8 with my 
f-prot.
 
I sent 
a zip file with a single password protected MS Word .doc file (using 
the standard zip password scheme) using a non-trivial password in case there is 
password guessing involved.  No problem, it came through Declude just 
fine.
 
I then 
renamed the zip file to blahblah._ip and sent the test message again.  No 
problem, it came through just fine.
 
If 
you're talking about sending executables, then I'm not worried about whether 
F-Prot returns code 8 (suspicious file) or whether BANEZIPEXTS ON catches, as I 
expect to catch these.  This is acceptable in my corporate 
environment.
 
We 
have never advised people to rename files in order to work around our antivirus 
software, but they've always tried!  They've also always failed, as our 
internal software (Trend Micro) does not trust extensions as file-type 
identification.
 
I hope 
that helps,
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of John Tolmachoff (Lists)Sent: Thursday, April 14, 2005 
  11:33 AMTo: Declude.Virus@declude.comSubject: RE: 
  [Declude.Virus] F-Prot tagging zips as code 8
  
  I guess my question 
  is what has changed in F-Prot and is any one else seeing this? F-Prot was not 
  tagging these before?
   
  
  John 
  T
  eServices For 
  You
   
  
  -Original 
  Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of MattSent: Thursday, 
  April 14, 2005 
  11:13 
  AMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] F-Prot 
  tagging zips as code 8
   
  My fault for the misread, but I also addressed the 
  issue regardless.  Remove VIRUS CODE 8 from your config if you don't want 
  for this to happen.MattJohn Tolmachoff (Lists) wrote: 
  
  John, I know that you don't follow this logic, but banning regular zips isextreme and unnecessary IMO.  Declude will scan any attachment     Matt, my original post said encrypted zips. This was an encrypted zip andcontained a executable. I do not ban regular zips unless they contain an executable. This zip has to go out encrypted. John TeServices For You  ---This E-mail came from the Declude.Virus mailing list.  Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".    The archives can be foundat http://www.mail-archive.com.    
  -- =MailPure custom filters for Declude JunkMail Pro.http://www.mailpure.com/software/=

RE: [Declude.Virus] Another new virus

[Colbeck, Andrew]

I've seen one sample in the last few minutes.  It arrives as jokes.zip, and 
www.virustotal.com describes the enclosed 123456.exe as:

This is a report processed by VirusTotal on 04/16/2005 at 00:11:32 (CET) after 
scanning the file "123456.exe" file.
Antivirus Version Update Result 
AntiVir 6.30.0.7 04.15.2005 no virus found 
AVG 718 04.15.2005 no virus found 
BitDefender 7.0 04.15.2005 BehavesLike:Win32.SiteHijack 
ClamAV devel-20050307 04.15.2005 Worm.Bagle.BB 
DrWeb 4.32b 04.15.2005 Win32.HLLM.Beagle.37888 
eTrust-Iris 7.1.194.0 04.15.2005 Win32/Glieder.T!Trojan 
eTrust-Vet 11.7.0.0 04.15.2005 no virus found 
Fortinet 2.51 04.15.2005 no virus found 
F-Prot 3.16b 04.15.2005 no virus found 
Ikarus 2.32 04.15.2005 Email-Worm.Win32.Bagle.pac 
Kaspersky 4.0.2.24 04.16.2005 Email-Worm.Win32.Bagle.pac 
McAfee 4470 04.15.2005 W32/[EMAIL PROTECTED] 
NOD32v2 1.1064 04.15.2005 Win32/TrojanDownloader.Small.ZL 
Norman 5.70.10 04.14.2005 W32/Downloader 
Panda 8.02.00 04.15.2005 W32/Bagle.CA.worm 
Sybari 7.5.1314 04.15.2005 Troj/BagleDl-N 
Symantec 8.0 04.15.2005 Trojan.Tooso.F 
VBA32 3.10.3 04.15.2005 Email-Worm.Win32.Bagle.pac 

VirusTotal is a free service offered by Hispasec Sistemas. There are no 
guarantees about the availability and continuity of this service. Although the 
detection rate afforded by the use of multiple antivirus engines is far 
superior to that offered by just one product, these results DO NOT guarantee 
the harmlessness of a file. Currently, there is not any solution that offers a 
100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact 
En español 

www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail [EMAIL PROTECTED]

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff 
(Lists)
Sent: Friday, April 15, 2005 2:33 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Another new virus


I am getting lots of banned attachment notices and lots of bounces in the last 
90 minutes.

THANKFULLY, I am blocking zip files which contain executables otherwise these 
would have all be delivered to users.

Any one have an idea of what this one is, it is kind of acting like Bagle.

John T
eServices For You


---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just 
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] How to check VIRUSCODEs

[Colbeck, Andrew]

Title: Message



The 
return code = 8 in F-Prot does mean "suspicious file" and not "virus".  In 
this case, they are not calling the executable Bagle, they are calling it 
Mitglieder, which is a Bagle-related file and is commonly seen as a 
dropper.
 
I sent 
a support request asking them reconsider how they are classifying this 
executable.  I'm not holding my breath though, because previous email 
support response time as been between 4 days and 2 weeks, by which time I expect 
this particular problem to be gone.
 
In 
fact, I'm seeing no new warnings in 15 hours.
 
Also, 
I spot-checked a few IP addresses that had sent us multiple copies, and one came 
from a known spammer block (as listed in SBL) in Brazil, and another from 
Korea.  I used to think it was the spammers who were sloppy and had 
infected machines; nope, it's pretty clear now that the spammers and virus 
authors are collaborating.
 
Wouldn't it be nifty if Declude shared some stats on their MTLDB database 
vis-a-vis correlating IPs that send viruses to IPs that send 
spam?
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of MattSent: Wednesday, April 20, 2005 8:35 
  PMTo: Declude.Virus@declude.comSubject: Re: 
  [Declude.Virus] How to check VIRUSCODEsWhat you have 
  means that a matching virus code was found for each scanner.  If a 
  scanner throws a code besides one that you specify, it will be logged in much 
  the same way that the virus is shown.  The following is exactly what 
  F-Prot will show when it throws a code of 8 and when you aren't configured to 
  tag that as a virus:    04/20/2005 00:28:37 
  Qda6b06e0014e9ee2 Error 8 in virus scanner 1.We're going on 5 or 6 
  days now where F-Prot has been throwing a Virus Code 8 for some newer Bagle 
  variants, and it is starting to look more and more like this is purposeful, 
  though if so it would also be short-sighted.  Maybe someone should 
  contact F-Prot and ask for an explanation and indicate that it would be 
  helpful not to mix the codes like this for known viruses.  Apparently 
  Virus Code 8 can hit non-viruses, and I think it will throw that code when it 
  detects an encrypted zip of any sort, but I'm not certain about that 
  either.  I would certainly prefer to not have to rely on Virus Code 8 in 
  F-Prot because I don't want to be deleting E-mail that doesn't contain a virus 
  and where Declude offers better granularity (such as only banning encrypted 
  zips with a banned extension within it).Has anyone contacted 
  F-Prot?MattGoran Jovanovic wrote: 
  




This was originally a thread from the Junkmail list 
but I am moving it over to the virus list.

> Check your virus log and you may see some code 
8
> errors in it. Adding viruscode 8 will at least 
stop them.

How do you see if there are any code 8s in the virus 
log file. I use F-Prot and McAfee. My viruscodes for F-Prot are 3 and 6 and 
for McAfee is only 13

An example of a virus

04/20/2005 05:03:10 Q1AB803D9008C6B32 MIME file: 
demo.exe [base64; Length=40800 
Checksum=4318001]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Banning file 
with exe extension [application/x-msdownload].
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: 
Virus= W32/Plexus.G Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 2: 
Virus= the MultiDropper-KR trojan !!! Attachment=demo.exe [2] 
O
04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) are 
INFECTED [ W32/Plexus.G: 13]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanned: 
CONTAINS A VIRUS [MIME: 2 40959]
04/20/2005 05:03:10 Q1AB803D9008C6B32 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 
213.59.118.9]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Subject: 
Greets! I offer you full base of accounts with passwords of mail server 
yahoo.com. Here is archive with small part of it. You can see that all 
information is real. If you want to buy full base, please reply me... 
 

The only thing that I see that resembles my 
viruscodes is the line “File(s) are INFECTED [ W32/Plexus.G: 13]” and the 13 
in this line is from McAfee (scanner2). I do not see any result from F-Prot 
(scanner1). 

I am logging on high. Am I missing something 
here?


 Goran 
Jovanovic
 The LAN Shoppe



> -Original Message-
> From: [EMAIL PROTECTED] 
[mailto:Declude.JunkMail-
> [EMAIL PROTECTED]] On Behalf Of Tyler 
Jensen
> Sent: Wednesday, April 20, 2005 8:22 
PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] New Spam or 
Virus!!
> 
> I had something similar over the weekend. 
Standard zip file. If you are
> using F-Prot you may want to add VirusCode 8 to 
the config. This will stop
> them as Unknown Virus. Check 

RE: [Declude.Virus] How to check VIRUSCODEs

[Colbeck, Andrew]

Title: Message



http://www.f-prot.com/support/contact_support.html
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of MattSent: Thursday, April 21, 2005 9:22 
  AMTo: Declude.Virus@declude.comSubject: Re: 
  [Declude.Virus] How to check VIRUSCODEsI'm going to send 
  a support request as well.  Maybe if others would do the same, it might 
  have a better chance of getting attention.MattColbeck, 
  Andrew wrote: 
  

The return code = 8 in F-Prot does mean "suspicious file" and not 
"virus".  In this case, they are not calling the executable Bagle, they 
are calling it Mitglieder, which is a Bagle-related file and is 
commonly seen as a dropper.
 
I 
sent a support request asking them reconsider how they are classifying this 
executable.  I'm not holding my breath though, because previous email 
support response time as been between 4 days and 2 weeks, by which time I 
expect this particular problem to be gone.
 
In 
fact, I'm seeing no new warnings in 15 hours.
 
Also, I spot-checked a few IP addresses that had sent us multiple 
copies, and one came from a known spammer block (as listed in SBL) in 
Brazil, and another from Korea.  I used to think it was the spammers 
who were sloppy and had infected machines; nope, it's pretty clear now that 
the spammers and virus authors are collaborating.
 
Wouldn't it be nifty if Declude shared some stats on their MTLDB 
database vis-a-vis correlating IPs that send viruses to IPs that send 
spam?
 
Andrew 8)

  -Original Message-From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of MattSent: Wednesday, April 20, 2005 8:35 
  PMTo: Declude.Virus@declude.comSubject: 
  Re: [Declude.Virus] How to check VIRUSCODEsWhat you 
  have means that a matching virus code was found for each scanner.  If 
  a scanner throws a code besides one that you specify, it will be logged in 
  much the same way that the virus is shown.  The following is exactly 
  what F-Prot will show when it throws a code of 8 and when you aren't 
  configured to tag that as a virus:    04/20/2005 
  00:28:37 Qda6b06e0014e9ee2 Error 8 in virus scanner 1.We're going 
  on 5 or 6 days now where F-Prot has been throwing a Virus Code 8 for some 
  newer Bagle variants, and it is starting to look more and more like this 
  is purposeful, though if so it would also be short-sighted.  Maybe 
  someone should contact F-Prot and ask for an explanation and indicate that 
  it would be helpful not to mix the codes like this for known 
  viruses.  Apparently Virus Code 8 can hit non-viruses, and I think it 
  will throw that code when it detects an encrypted zip of any sort, but I'm 
  not certain about that either.  I would certainly prefer to not have 
  to rely on Virus Code 8 in F-Prot because I don't want to be deleting 
  E-mail that doesn't contain a virus and where Declude offers better 
  granularity (such as only banning encrypted zips with a banned extension 
  within it).Has anyone contacted 
  F-Prot?MattGoran Jovanovic wrote: 
  




This was originally a thread from the Junkmail 
list but I am moving it over to the virus 
list.

> Check your virus log and you may see some 
code 8
> errors in it. Adding viruscode 8 will at 
least stop them.

How do you see if there are any code 8s in the 
virus log file. I use F-Prot and McAfee. My viruscodes for F-Prot are 3 
and 6 and for McAfee is only 13

An example of a 
virus

04/20/2005 05:03:10 Q1AB803D9008C6B32 MIME file: 
demo.exe [base64; Length=40800 
Checksum=4318001]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Banning 
file with exe extension 
[application/x-msdownload].
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: 
Virus= W32/Plexus.G Attachment=demo.exe [2] 
O
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 2: 
Virus= the MultiDropper-KR trojan !!! Attachment=demo.exe [2] 
O
04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) 
are INFECTED [ W32/Plexus.G: 13]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanned: 
CONTAINS A VIRUS [MIME: 2 40959]
04/20/2005 05:03:10 Q1AB803D9008C6B32 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 
213.59.118.9]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Subject: 
Greets! I offer you full base of accounts with passwords of mail server 
yahoo.com. Here is archive with small part of it. You can see that all 
information is real. If you want to buy full base, please reply me... 
 

The only t

RE: [Declude.Virus] How to check VIRUSCODEs

[Colbeck, Andrew]

Title: Message



Thanks 
for the insight, Matt.
 
We are 
used to seeing virus authors doing their seeding from the home-user cable, DSL 
and even dial-up pools, but these samples were definitely spammer web and email 
server blocks, and not XBL listings and not collateral damage SBL 
listings.
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of MattSent: Thursday, April 21, 2005 10:27 
  AMTo: Declude.Virus@declude.comSubject: Re: 
  [Declude.Virus] How to check VIRUSCODEsI've sent my 
  request.Andrew, regarding the SBL IP's that are sending out 
  viruses.  There is no doubt that seeding is taking place, however this is 
  always done from other hijacked machines.  SBL has a very bad practice of 
  tagging blocks from /24 to /16 in residential or mixed IP space especially in 
  Asia.  This has caused numerous false positives for me when scanning SBL 
  on multiple hops because I get a fair amount of legitimate Asian 
  traffic.  I'm guessing that the IP's that you are seeing that are listed 
  in SBL are in fact just zombies, and no different than a Comcast or RR zombie 
  when it comes down to it.I've send probably 6 different E-mails to SBL 
  in the past year asking them to stop this practice, but instead of stopping, 
  they have been stepping it up, and they have even chosen to do collateral 
  damage to ISP's by listing their legitimate mail servers as well.  I see 
  this as being no different than listing Comcast's mail servers, something that 
  wouldn't be tolerated, yet these Asian hosts are probably pretty much clueless 
  and/or otherwise incapable of stopping the zombies on their networks because 
  they tend to be many years behind us in terms of infrastructure.  SBL 
  should not be listing DUL space.MattColbeck, Andrew 
  wrote: 
  

The return code = 8 in F-Prot does mean "suspicious file" and not 
"virus".  In this case, they are not calling the executable Bagle, they 
are calling it Mitglieder, which is a Bagle-related file and is 
commonly seen as a dropper.
 
I 
sent a support request asking them reconsider how they are classifying this 
executable.  I'm not holding my breath though, because previous email 
support response time as been between 4 days and 2 weeks, by which time I 
expect this particular problem to be gone.
 
In 
fact, I'm seeing no new warnings in 15 hours.
 
Also, I spot-checked a few IP addresses that had sent us multiple 
copies, and one came from a known spammer block (as listed in SBL) in 
Brazil, and another from Korea.  I used to think it was the spammers 
who were sloppy and had infected machines; nope, it's pretty clear now that 
the spammers and virus authors are collaborating.
 
Wouldn't it be nifty if Declude shared some stats on their MTLDB 
database vis-a-vis correlating IPs that send viruses to IPs that send 
spam?
 
Andrew 8)

  -Original Message-From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of MattSent: Wednesday, April 20, 2005 8:35 
  PMTo: Declude.Virus@declude.comSubject: 
  Re: [Declude.Virus] How to check VIRUSCODEsWhat you 
  have means that a matching virus code was found for each scanner.  If 
  a scanner throws a code besides one that you specify, it will be logged in 
  much the same way that the virus is shown.  The following is exactly 
  what F-Prot will show when it throws a code of 8 and when you aren't 
  configured to tag that as a virus:    04/20/2005 
  00:28:37 Qda6b06e0014e9ee2 Error 8 in virus scanner 1.We're going 
  on 5 or 6 days now where F-Prot has been throwing a Virus Code 8 for some 
  newer Bagle variants, and it is starting to look more and more like this 
  is purposeful, though if so it would also be short-sighted.  Maybe 
  someone should contact F-Prot and ask for an explanation and indicate that 
  it would be helpful not to mix the codes like this for known 
  viruses.  Apparently Virus Code 8 can hit non-viruses, and I think it 
  will throw that code when it detects an encrypted zip of any sort, but I'm 
  not certain about that either.  I would certainly prefer to not have 
  to rely on Virus Code 8 in F-Prot because I don't want to be deleting 
  E-mail that doesn't contain a virus and where Declude offers better 
  granularity (such as only banning encrypted zips with a banned extension 
  within it).Has anyone contacted 
  F-Prot?MattGoran Jovanovic wrote: 
  




This was originally a thread from the Junkmail 
list but I am moving it over to the virus 
list.

> Check your virus log and you may see some 
code 8
> errors in it. Adding viruscode 8 will at 
least stop them.

How do you see if there are 

RE: [Declude.Virus] High CPU F-Prot

[Colbeck, Andrew]

I've seen no change in the cpu usage on my F-Prot implementation of
Declude Virus.

My server picked up the most recent update an hour ago, so that may be
important to you.  

In checking that I was confused, because the time stamp hadn't been hit
yet.  From viewing all three date columns in Explorer, it looks like
they are publishing their MODIFIED timestamp in UTC.

I don't know if this is territory that is already well-trod, but I
recently stopped using the F-Prot Updater in their Scheduler.  I keep a
user logged in anyway, but this was too interactive, and with relatively
frequent incidents where the scheduler failed to update and notified the
logged in user, I was sure that I was missing updates until the
resulting message boxes were cleared.

I followed:

http://www.f-prot.com/support/windows/fpwin_faq/88.html

And it's working great.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Wednesday, April 27, 2005 2:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] High CPU F-Prot


In the last 24 hours I have seen F-Prot start to use an excessive amount
of 
CPU.  Normally it very rarely shows up in task manager and now it has
been 
using a considerable amount of CPU. 

Thoughts?
Darrell 

 
Comprehensive Declude Virus and Junkmail reporting with DLAnalyzer - 
http://www.invariantsystems.com
---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] High CPU F-Prot

[Colbeck, Andrew]

Title: Message



Hmm, 
it won't help any directly, but I can tell you that I've had zero instances of 
this timeout error so far this month.
 
For 
what it's worth, the only errors in my vir04??.log file are all about 
double-scanning by Declude (for a message with a single addressee).  I see 
timestamps with the Declude JunkMail entries, then the Virus entries (clean), 
then the same lines in Declude again (but 35 seconds later) and then the 
Virus entry indicates 
 
4/26/2005 09:40:26 Q6C323086024ED01A Error opening mime file 
D:\IMAIL\SPOOL\D6C323086024ED01A.SMD4/26/2005 09:40:26 Q6C323086024ED01A 
Scanned: Error starting scanner
 
This 
has happened 10 times in 140,000 unique* messages.  Each of those ten times 
was during the server's peak period.
 
Andrew 
8)
 
I 
measured unique messages, not recipients, i.e.
 
for %i 
in (vir04??.log) do @gawk "{print $3}" %i | usort | uniq | wc 
-l
 
 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of MattSent: Wednesday, April 27, 2005 3:58 
  PMTo: Declude.Virus@declude.comSubject: Re: 
  [Declude.Virus] High CPU F-ProtI did some monitoring and 
  fpcmd.exe isn't normally causing excessive load and it's completely 
  updated.  On the other hand, I have seen now 9 different timeouts for 
  F-Prot on my system today, and every timeout for F-Prot was for a message that 
  McAfee detected as a virus.  There are two possibilities here that I can 
  think of.  The most obvious would be that this variant of Mytob is 
  causing issues with F-Prot, possibly targeting a bug in the app that we don't 
  know about.  The second issue might be related to the fact that I 
  upgraded last night from 1.82 and so I can't rule that out, but I'm leaning 
  heavily towards F-Prot having issues.  Looks like yet another F-Prot 
  hiccup...
  4/27/2005 01:32:09 Q23D834BB010C8222 MIME file: file.zip 
[base64; Length=50820 Checksum=6317600]04/27/2005 01:32:39 
Q23D834BB010C8222 ERROR: Virus scanner 1 didn't finish after 30 seconds; 
terminating.04/27/2005 01:32:42 Q23D834BB010C8222 Scanner 2: Virus=the 
W32/[EMAIL PROTECTED] Attachment= [0] O04/27/2005 01:32:42 Q23D834BB010C8222 
File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]04/27/2005 01:32:42 
Q23D834BB010C8222 Deleting file with virus04/27/2005 01:32:42 
Q23D834BB010C8222 Deleting E-mail with virus!04/27/2005 01:32:42 
Q23D834BB010C8222 Scanned: CONTAINS A VIRUS [MIME: 2 50998]04/27/2005 
01:32:42 Q23D834BB010C8222 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 
208.7.179.200]04/27/2005 01:32:42 Q23D834BB010C8222 Subject: Mail 
Delivery System04/27/2005 01:32:34 Q23F1665600C08266 MIME file: 
document.zip [base64; Length=50828 Checksum=6318531]04/27/2005 01:33:04 
Q23F1665600C08266 ERROR: Virus scanner 1 didn't finish after 30 seconds; 
terminating.04/27/2005 01:33:06 Q23F1665600C08266 Scanner 2: Virus=the 
W32/[EMAIL PROTECTED] Attachment= [0] O04/27/2005 01:33:06 Q23F1665600C08266 
File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]04/27/2005 01:33:06 
Q23F1665600C08266 Deleting file with virus04/27/2005 01:33:06 
Q23F1665600C08266 Deleting E-mail with virus!04/27/2005 01:33:06 
Q23F1665600C08266 Scanned: CONTAINS A VIRUS [MIME: 2 51075]04/27/2005 
01:33:06 Q23F1665600C08266 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 
208.7.179.200]04/27/2005 01:33:06 Q23F1665600C08266 Subject: Good 
day04/27/2005 12:53:45 QC34F126601208E36 MIME file: readme.zip 
[base64; Length=60534 Checksum=7436894]04/27/2005 12:54:15 
QC34F126601208E36 ERROR: Virus scanner 1 didn't finish after 30 seconds; 
terminating.04/27/2005 12:54:16 QC34F126601208E36 Scanner 2: Virus=the 
 Attachment= [0] O04/27/2005 12:54:16 
QC34F126601208E36 File(s) are INFECTED [the : 
13]04/27/2005 12:54:16 QC34F126601208E36 Deleting file with 
virus04/27/2005 12:54:16 QC34F126601208E36 Deleting E-mail with 
virus!04/27/2005 12:54:16 QC34F126601208E36 Scanned: CONTAINS A VIRUS 
[MIME: 2 60735]04/27/2005 12:54:16 QC34F126601208E36 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 
208.7.179.200]04/27/2005 12:54:16 QC34F126601208E36 Subject: MAIL 
TRANSACTION FAILED04/27/2005 15:01:22 QE18023A80136D4FB MIME file: 
message.pif [base64; Length=68608 Checksum=8328934]04/27/2005 15:01:22 
QE18023A80136D4FB Banning file with PIF extension 
[application/octet-stream].04/27/2005 15:01:52 QE18023A80136D4FB ERROR: 
Virus scanner 1 didn't finish after 30 seconds; terminating.04/27/2005 
15:01:54 QE18023A80136D4FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] 
Attachment=message.pif [0] O04/27/2005 15:01:54 QE18023A80136D4FB 
Invalid PIF Vulnerability04/27/2005 15:01:54 QE18023A80136D4FB Found a 
bogus .pif file04/27/2005 15:01:54 QE18023A80136D4FB File(s) are 
INFECTED [the W32/[EMAIL PROTECTED]: 13]04/27/2005 15:01:54 QE18023A80136D4F

RE: [Declude.Virus] High CPU F-Prot

[Colbeck, Andrew]

The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
> " Could not find parse string Infection: in report.txt"
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
> 04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr
> [base64; Length=52224 Checksum=6533396] 04/28/2005 05:49:04
> QB18D740700A83968 Invalid SCR Vulnerability 04/28/2005 05:49:04
> QB18D740700A83968 Banning file with SCR extension
> [application/octet-stream]. --- 6 second gap where F-Prot scans
> message --- 04/28/2005 05:49:10 QB18D740700A83968 Could not find
> parse string Infection: in report.txt 04/28/2005 05:49:11
> QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED]
> Attachment=document.scr [0] O 04/28/2005 05:49:11
> QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
> 04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
> 04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
> 04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS
> [MIME: 2 54788] 04/28/2005 05:49:11 QB18D740700A83968 From:
> [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from
> 12.152.254.47] 04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL
> TRANSACTION FAILED
> 
> 04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64;
> Length=55408 Checksum=6875560] --- 4 second gap where F-Prot scans
> message --- 04/28/2005 09:09:45 QE095EDCB006E8802 Could not find
> parse string Infection: in report.txt 04/28/2005 09:09:46
> QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED]
> Attachment= [0] O 04/28/2005 09:09:46 QE095EDCB006E8802 File(s)
> are INFECTED [the W32/[EMAIL PROTECTED]: 13] 04/28/2005 09:09:46
> QE095EDCB006E8802 Deleting file with virus 04/28/2005 09:09:46
> QE095EDCB006E8802 Deleting E-mail with virus! 04/28/2005 09:09:46
> QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
> 04/28/2005 09:09:46 QE095EDCB006E8802 From: From:
> [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from
> 208.7.179.200] 04/28/2005 09:09:46 QE095EDCB006E8802 Subject:
> hello
> 
> 04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64;
> Length=56320 Checksum=6982245] 04/28/2005 09:47:55
> QE98BF4DC00DA98FB Invalid SCR Vulnerability 04/28/2005 09:47:55
> QE98BF4DC00DA98FB Banning file with SCR extension
> [application/octet-stream]. --- 9 second gap where F-Prot scans
> message --- 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find
> parse string Infection: in report.txt 04/28/2005 09:48:05
> QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED]
> Attachment=data.scr [0] O 04/28/2005 09:48:05 QE98BF4DC00DA98FB
> File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13] 04/28/2005
> 09:48:05 QE98BF4DC00DA98FB Deleting file with virus 04/28/2005
> 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus! 04/28/2005
> 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2
> 56551] 04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From:
> [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from
> 208.7.179.200] 04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good
> day
> I'm virtually certain that this is what was happening yesterday, but 
> under heavier load, F-Prot was taking longer to scan the messages than

> the 30 seconds that I allow it to. There are no other long delays like

> this that I can find. F-Prot based on past testing should detect a 
> typical virus in 100 ms on my system, but it is not only taking much 
> more time to scan a very small file, it is also missing the virus.
> 
> I suspect that this is happening on other systems, but the timeout 
> issue probably wasn't seen as often because I have my timeout set to 
> 30 seconds instead of 60 seconds, and I had very heavy load for much 
> of the day yesterday. If others are running two virus scanners 
> including F-Prot, it would help to confirm my findings by searching 
> for a hit on the second virus scanner hitting, but F-Prot missing and 
> also taking several seconds or more to return a result.
> 
> If you search your logs for "Could not find parse string Infection: 

RE: [Declude.Virus] High CPU F-Prot

[Colbeck, Andrew]

Title: Message



Matt, 
no there is no related Q line in my log files above that 
error.
 
And 
given the load on my server, there is no way to correlate a useful gap between 
my DECmmdd.log and VIRmmdd.log files; rather, I expect random 
gaps.
 
Also, 
I've noticed that F-Prot has definitely leaked viruses, because they're caught 
on my internal Exchange servers.  Whenever I notice this however, I've been 
able to attribute these to late pattern updates.
 
I 
don't think my server has problem that you have, but I've certainly 
looked.
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of MattSent: Thursday, April 28, 2005 10:58 
  AMTo: Declude.Virus@declude.comSubject: Re: 
  [Declude.Virus] High CPU F-ProtAndrew,If you are 
  only using F-Prot, you should be able to find evidence of at least the delays 
  by searching for "Could not find parse string Infection" and then checking for 
  a gap above that point to where the message began to be scanned.If I'm 
  correct about this, and it seems that I am, F-Prot has been missing a fair 
  number of viruses every day at least going back to April 11th.  Their new 
  scan engine, 3.16b was released back on March 7th and this may be related, but 
  I don't have logs going back past April to confirm.F-Prot users should 
  all probably pay very close attention to this.  I haven't yet contacted 
  F-Prot because I'm busy at this moment and this was only just confirmed by 
  someone else.  I would have to say that Scott would be quite useful in a 
  situation like this because it appeared that he had a line of contact with 
  them (Scott, are you out there?).MattColbeck, Andrew 
  wrote: 
  The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
  
" Could not find parse string Infection: in report.txt"
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
  
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr
[base64; Length=52224 Checksum=6533396] 04/28/2005 05:49:04
QB18D740700A83968 Invalid SCR Vulnerability 04/28/2005 05:49:04
QB18D740700A83968 Banning file with SCR extension
[application/octet-stream]. --- 6 second gap where F-Prot scans
message --- 04/28/2005 05:49:10 QB18D740700A83968 Could not find
parse string Infection: in report.txt 04/28/2005 05:49:11
QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED]
Attachment=document.scr [0] O 04/28/2005 05:49:11
QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS
[MIME: 2 54788] 04/28/2005 05:49:11 QB18D740700A83968 From:
[EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from
12.152.254.47] 04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL
TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64;
Length=55408 Checksum=6875560] --- 4 second gap where F-Prot scans
message --- 04/28/2005 09:09:45 QE095EDCB006E8802 Could not find
parse string Infection: in report.txt 04/28/2005 09:09:46
QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED]
Attachment= [0] O 04/28/2005 09:09:46 QE095EDCB006E8802 File(s)
are INFECTED [the W32/[EMAIL PROTECTED]: 13] 04/28/2005 09:09:46
QE095EDCB006E8802 Deleting file with virus 04/28/2005 09:09:46
QE095EDCB006E8802 Deleting E-mail with virus! 04/28/2005 09:09:46
QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From:
[EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from
208.7.179.200] 04/28/2005 09:09:46 QE095EDCB006E8802 Subject:
hello

04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64;
Length=56320 Checksum=6982245] 04/28/2005 09:47:55
QE98BF4DC00DA98FB Invalid SCR Vulnerability 04/28/2005 09:47:55
QE98BF4DC00DA98FB Banning file with SCR extension
[application/octet-stream]. --- 9 second gap where F-Prot scans
message --- 04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find
parse string

RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

[Colbeck, Andrew]

Title: Message



I 
downloaded and manually scanned the file with F-Prot and McAfee multiple 
times.
 
Desktop, WXP SP2, P4, 2.8 GHz
F-Prot 
- 5 seconds
McAfee 
- 0.4 seconds
 

Server, W2K SP4, P3, 866 Hz
F-Prot 
- 10.1 seconds
McAfee 
- 1.21 seconds
 
F-Prot 
is indeed returning an errorlevel of 8 on this, and it's definitely way out of 
line with the scanning time on this file.
 
I'm 
enclosing the batch file I use to manually scan (and not clean) files.  I 
monkeyed with all of the documented options and could not reduce the F-Prot 
scanning time.  On the bright side, reviewing the parameters revealed that 
if you're not mindful and specify both the /type and /dumb options, the last one 
in the line wins (oops, I did that in my virus.cfg).  Also, I learned that 
/packed is always on.
 
I'm 
going to check for a similar malware detection, and submit it to F-Prot as 
a bug.
 
I did 
get a reply on my previous report to them (after 6 days); they brought my 
request to the attention of the developers, but then reminded me that any 
non-zero return code is "undesirable".  The request was to re-classify 
Mitglieder from "suspicious" to "virus" so that I could get the correct return 
code and thus the correct handling in my Declude Virus.
 
Andrew 
8)
 
p.s. I 
use the TimeThis.exe command line utility from Microsoft to get sub-second 
intervals in batch files.
 
-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of MattSent: Thursday, April 28, 2005 3:13 
PMTo: Declude.Virus@declude.comSubject: [Declude.Virus] 
F-Prot missing viruses and is slow (renamed)
Ok, I've captured one of these 
  files and confirmed from a manual scan that it is still taking an excessive 
  amount of time...but wait, there's more.  The report.txt file that it 
  creates shows that it detected Mytob, but every test where I send this to 
  myself in E-mail results in no virus detected by F-Prot using VIRUSCODE 3, 6, 
  8, 9 or 10.  I haven't gone as far as coding something up that can 
  capture the exit code from the command line yet, but I would be curious what 
  if any was returned.Here's what Declude Virus shows for this file when 
  I send it to myself:
  04/28/2005 17:40:57 Q58666795008E87C7 MIME file: 
[text/html][7bit; Length=695 Checksum=54365]04/28/2005 
17:40:57 Q58666795008E87C7 MIME file: doc.zip [base64; Length=56432 
Checksum=6987426]--- 10 second gap while F-Prot scans 
---04/28/2005 17:41:07 Q58666795008E87C7 Could not find 
parse string Infection:  in report.txt04/28/2005 
17:41:08 Q58666795008E87C7 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= 
[0] I04/28/2005 17:41:08 Q58666795008E87C7 File(s) are 
INFECTED [the W32/[EMAIL PROTECTED]: 13]04/28/2005 17:41:08 
Q58666795008E87C7 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 
57490]04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 
192.168.100.100]04/28/2005 17:41:08 Q58666795008E87C7 
Subject: [Fwd: Mail Delivery System]Here's a link to 
  the virus for those that might want to test it out for themselves.  Turn 
  off your real-time virus scanner, right click the file and press save as, and 
  rename it as doc.zip (it's not really a text file).
  http://administration.mailpure.com/virus/doc.txtHere's 
  the command line for F-Prot that I was using with the file located in 
  C:\test\doc.zip:
  C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM 
/ARCHIVE=5 /PACKED /DUMB /REPORT=C:\test\report.txt 
  C:\test\doc.zipHere's the output from the report.txt file 
  when manually scanned:
  Virus scanning report  -  28 April 2005 @ 
17:45F-PROT ANTIVIRUSProgram version: 3.16bEngine version: 
3.16.6VIRUS SIGNATURE FILESSIGN.DEF created 28 April 
2005SIGN2.DEF created 28 April 2005MACRO.DEF created 20 April 
2005Search: C:\test\doc.zipAction: Report onlyFiles: "Dumb" 
scan of all filesSwitches: /ARCHIVE /PACKED /SERVER 
/REPORT=C:\test\report.txt /SILENT /NOBOOT /NOMEMMemory was not 
scanned.Hard disk boot sectors were not 
scanned.C:\test\doc.zip->doc.scr->(Packed)  is a security 
risk named W32/[EMAIL PROTECTED]Results of virus scanning:Files: 
1MBRs: 0Boot sectors: 0Objects scanned: 2Infected: 
0Suspicious: 1Disinfected: 0Deleted: 0Renamed: 
0Time: 0:10So it takes 10 seconds, find a 
  "security risk named W32/[EMAIL PROTECTED]" and says it is "Suspicious", but I have 
  Declude configured to treat an exit code of 8 as a virus currently, and that's 
  what Suspicious files are supposedly marked as.  I don't know if there is 
  a different code being returned, or if F-Prot is just bugging out and not 
  returning a code.  Maybe some of you can clear that part 
  up.Matt-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
@echo off

RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

[Colbeck, Andrew]

Title: Message



Yes, 
during the entire interval I measured the CPU time was 98-100% for the fpcmd.exe 
process only.
 
On 
LOGLEVEL MED, there is a line that shows the errorlevel returned by the scanner, 
plus the error line indicating that the search string wasn't found in the 
resulting text file, e.g. this is what is returned on my v2.0.6 system when a 
"suspicious file" is returned:
 
04/27/2005 07:48:33 QA63CBF0600647AB8 Could not find parse string 
Infection:  in report.txt04/27/2005 07:48:33 QA63CBF0600647AB8 
File(s) are INFECTED [: 8]04/27/2005 07:48:33 
QA63CBF0600647AB8 Scanned: CONTAINS A VIRUS [MIME: 3 23729]04/27/2005 
07:48:33 QA63CBF0600647AB8 From: munged To: munged [outgoing from 
70.187.178.183]04/27/2005 07:48:33 QA63CBF0600647AB8 Subject: Forum 
notify
 
The 
resulting virus name is [Unknown File] but adding such a line to my 
FORGINGVIRUS strings doesn't stop the notification email (but they only go to 
postmaster, so no big deal for me).
 
I 
don't know if it made it into the support database, but on testing Declude 
Virus, I immediately requested a feature enhancement to extend the virus 
matching string "REPORT" parallel with the "VIRUSCODE" lines for this 
reason.
 
Otherwise, Matt, I agree on both of your conclusions regarding how F-Prot 
falls short.
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of MattSent: Thursday, April 28, 2005 9:16 
  PMTo: Declude.Virus@declude.comSubject: Re: 
  [Declude.Virus] F-Prot missing viruses and is slow 
  (renamed)Ok, follow-up time.  It appears that 
  Declude is detecting this with VIRUSCODE 8 and I was just merely confused by 
  the logs.  I set things to Debug and found the following:
  04/29/2005 00:06:48.652 QB2D6AB7001342A79 [6224] Virus 
Scanner Started: C:\Progra~1\FSI\F-Prot\fpcmd.exe -SILENT -NOBOOT -NOMEM 
-ARCHIVE=5 -PACKED -SERVER -DUMB -REPORT=report.txt 
F:\DB2D6A~1.VIR\04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] 
Scanning Time: 4812ms [kernel=78 user=4734]04/29/2005 00:06:53.667 
QB2D6AB7001342A79 [6224] Virus scanner 1 reports exit code of 
804/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] 
F:\DB2D6AB7001342A79.vir\04/29/2005 00:06:53.667 QB2D6AB7001342A79 
[6224] F:\DB2D6AB7001342A79.vir\report.txt04/29/2005 00:06:53.667 
QB2D6AB7001342A79 [6224] report.txt len=722 rflen=35 cs=004/29/2005 
00:06:53 QB2D6AB7001342A79 Could not find parse string Infection:  in 
report.txtSo I would assume that on other log levels 
  and with other scanners detecting the viruses, there just isn't a clear 
  indication of the virus being found with F-Prot, but it is in fact being 
  detected.  Maybe Declude should change the logging to indicate the exit 
  code in other log levels when it matches a VIRUSCODE value.That leaves 
  two real issues; 1) Time/CPU utilization with F-Prot, and 2) F-Prot continuing 
  to report viruses with an exit code of 8.MattMatt 
  wrote: 
  Colbeck, 
Andrew wrote: 

  F-Prot is indeed returning an errorlevel of 8 on this, and it's 
  definitely way out of line with the scanning time on this 
  file.Your script no doubt shows that F-Prot 
returns an error level of 8 when run on this file, however there is one big 
issue here...I have declude now set for VIRUSCODE 8 and it isn't detecting 
it.  I just tested this by sending it to myself and it still didn't 
detect it as a virus.  Here's my config:
SCANFILE1    
  C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 
  /PACKED /DUMB /REPORT=report.txtVIRUSCODE1    
  3VIRUSCODE1    6VIRUSCODE1    
  8REPORT1        Infection: 
I used this same command line with your script, 
making obvious edits for the path and it returned an 8.  I'm confused 
why either Declude isn't picking this up, or why F-Prot isn't somehow 
reporting it to Declude properly...The time issue is also a big deal 
of course, but probably not as big as Declude with F-Prot missing it.  
Can anyone confirm with this sample file whether or not Declude with F-Prot 
and VIRUSCODE 8 is catching this?

  I did get a reply on my previous report to them (after 6 days); 
  they brought my request to the attention of the developers, but then 
  reminded me that any non-zero return code is "undesirable".  The 
  request was to re-classify Mitglieder from "suspicious" to "virus" so that 
  I could get the correct return code and thus the correct handling in my 
  Declude Virus.I got what was probably the 
exact same response after a similar amount of time.  The person that 
replied didn't understand the question or used something that was 
canned.  I replied back again nevertheless.  I haven't sent 
anything concerning this 

RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

[Colbeck, Andrew]

ing this with VIRUSCODE 8 and I was just merely confused 
  by the logs.  I set things to Debug and found the following:
  04/29/2005 00:06:48.652 QB2D6AB7001342A79 [6224] 
Virus Scanner Started: C:\Progra~1\FSI\F-Prot\fpcmd.exe -SILENT -NOBOOT 
-NOMEM -ARCHIVE=5 -PACKED -SERVER -DUMB -REPORT=report.txt 
F:\DB2D6A~1.VIR\04/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] 
Scanning Time: 4812ms [kernel=78 user=4734]04/29/2005 00:06:53.667 
QB2D6AB7001342A79 [6224] Virus scanner 1 reports exit code of 
804/29/2005 00:06:53.667 QB2D6AB7001342A79 [6224] 
F:\DB2D6AB7001342A79.vir\04/29/2005 00:06:53.667 QB2D6AB7001342A79 
[6224] F:\DB2D6AB7001342A79.vir\report.txt04/29/2005 00:06:53.667 
QB2D6AB7001342A79 [6224] report.txt len=722 rflen=35 cs=004/29/2005 
00:06:53 QB2D6AB7001342A79 Could not find parse string Infection:  
in report.txtSo I would assume that on other log 
  levels and with other scanners detecting the viruses, there just isn't a 
  clear indication of the virus being found with F-Prot, but it is in fact 
  being detected.  Maybe Declude should change the logging to indicate 
  the exit code in other log levels when it matches a VIRUSCODE 
  value.That leaves two real issues; 1) Time/CPU utilization with 
  F-Prot, and 2) F-Prot continuing to report viruses with an exit code of 
  8.MattMatt wrote: 
  Colbeck, 
Andrew wrote: 

  F-Prot is indeed returning an errorlevel of 8 on this, and it's 
  definitely way out of line with the scanning time on this 
  file.Your script no doubt shows that 
F-Prot returns an error level of 8 when run on this file, however there 
is one big issue here...I have declude now set for VIRUSCODE 8 and it 
isn't detecting it.  I just tested this by sending it to myself and 
it still didn't detect it as a virus.  Here's my config:
SCANFILE1    
  C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM 
  /ARCHIVE=5 /PACKED /DUMB 
  /REPORT=report.txtVIRUSCODE1    
  3VIRUSCODE1    6VIRUSCODE1    
  8REPORT1        Infection: 
  I used this same command line with your script, 
making obvious edits for the path and it returned an 8.  I'm 
confused why either Declude isn't picking this up, or why F-Prot isn't 
somehow reporting it to Declude properly...The time issue is 
also a big deal of course, but probably not as big as Declude with 
F-Prot missing it.  Can anyone confirm with this sample file 
whether or not Declude with F-Prot and VIRUSCODE 8 is catching this?

  I did get a reply on my previous report to them (after 6 days); 
  they brought my request to the attention of the developers, but then 
  reminded me that any non-zero return code is "undesirable".  The 
  request was to re-classify Mitglieder from "suspicious" to "virus" so 
  that I could get the correct return code and thus the correct handling 
  in my Declude Virus.I got what was 
probably the exact same response after a similar amount of time.  
The person that replied didn't understand the question or used something 
that was canned.  I replied back again nevertheless.  I 
haven't sent anything concerning this issue, although it seems related, 
but there also seems to be a different bug here with at least F-Prot but 
possibly also Declude.Matt-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

RE: [Declude.Virus] f-prot update script

[Colbeck, Andrew]

Well, you've got two problems here, Daniel.

The first is that the script depends on an external program called wget
that you probably don't have installed.

The second is that this script should be deprecated, because the FTP
method is no longer provided by F-Prot!

As Jim and Keith pointed out, following the F-Prot article is the way to
go.

I just implemented this last week; here's my comment:

http://www.mail-archive.com/declude.virus@declude.com/msg11870.html


Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 8:06 AM
To: 'Declude.Virus@declude.com'
Subject: RE: [Declude.Virus] f-prot update script


I have tried using this script.  I keep getting an error referring to
wget.exe and it doesn't update F-Prot.

Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice:  434 - 570 - 1765
Fax:434 - 572 - 1981
[EMAIL PROTECTED]

-Original Message-
From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script

Take a look at:

http://www.declude.com/Articles.asp?ID=100

F-Prot for DOS updater - A batch file that automatically updates F-Prot
and its virus definitions (old version here), and a Cygwin version, and
a complete .ZIPed version. Finally, a Simple version!




 Goran Jovanovic
 The LAN Shoppe



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
> [EMAIL PROTECTED] On Behalf Of Daniel Ivey
> Sent: Monday, May 02, 2005 9:52 AM
> To: 'Declude.Virus@declude.com'
> Subject: [Declude.Virus] f-prot update script
>
> Does anyone have an f-prot update script that they wouldn't mind
sharing?
> I
> have tried one that I found, but never could get it to work.  Any help
is
> appreciated.
>
> Thanks,
> Daniel
>
> ===
> Daniel Ivey
> GCR Company / GCR Online
> Voice:  434 - 570 - 1765
> Fax:434 - 572 - 1981
> [EMAIL PROTECTED]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Viruses appearing to be getting through...

[Colbeck, Andrew]

F-Prot may have already fixed their pattern file.  My current sign.def
is timestamped:

05/02/2005  03:53 AM

and checking their website and downloading the current version manually
shows that the current version is:

05/02/2005  01:32 PM

Can anybody with the issue confirm which pattern file they are using
that has the problem?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 11:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Viruses appearing to be getting through...


Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV 
(Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot
(although 
I have F-Prot updates disabled for now, until they get there problem
with 
HTML/[EMAIL PROTECTED] fixed).

Bill
- Original Message - 
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...


>I saw a big bunch about 2 hours ago that were stopped by banned zip  
>extensions.
>
> John T
> eServices For You
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
>> On Behalf Of Chuck Schick
>> Sent: Monday, May 02, 2005 10:58 AM
>> To: Declude. Virus
>> Subject: [Declude.Virus] Viruses appearing to be getting through...
>>
>> I am seeing several files getting through that appear to have viruses

>> attached as zip files.  I am running Declude with F-Prot.  We ban
> encrypted
>> zips and I have error code 8 included.  Anyone else seeing this 
>> behavior? Here is part of the log.
>>
>>
>> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip 
>> [base64; Length=53728 Checksum=5837399] 05/02/2005 10:34:21 Q568a382 
>> Scanned: Virus Free [MIME: 2 53979]
>>
>> Chuck Schick
>> Warp 8, Inc.
>> (303)-421-5140
>> www.warp8.com
>>
>> ---
>> This E-mail came from the Declude.Virus mailing list.  To 
>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>> type "unsubscribe Declude.Virus".The archives can be found
>> at http://www.mail-archive.com.
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Is this sort of stuff necessary on a list?

[Colbeck, Andrew]

Thanks, Chuck. I appreciate your contribution.  I've added several
strings from this Zaep email to my filter that blocks lousy
Challenge-Response emails.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 11:49 AM
To: Declude. Virus
Subject: [Declude.Virus] Is this sort of stuff necessary on a list?


I posted to list about a virus problem then I get this stupid (IMHO)
challenge-response stuff.  If everyone did this on all the lists I
belong to
- I would do a posting and then spend the next 3 days answering all the
challenge-responses.  I think I will report this as spam.

Dear Greg Hedgepath - get a clue.  

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com



Dear Chuck,



Thank you,

Greg Hedgepath


---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot and HTML object exploit

[Colbeck, Andrew]

I don't think the engine version matters, just the pattern file.

I've confirmed that the culprit is this, the most recent sign.def from 

05/02/2005  01:32 PM

And yes, I've sent in a support request via their web page; I'd like to
supply them with several samples.

I've also played around with the switch settings and found that there
are no relevant switches that can be used as a workaround (i.e. "/ai"
"/noheur" and "/server" make no difference in the detection or not of
this false-positive).

All of the messages detected either had Office 10 or Office 11 headers
or were replies to messages created with Office 10 or Office 11.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Monday, May 02, 2005 1:10 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot and HTML object exploit


Question: Have you all running the latest v3.16b ?

I can't see any appearance of "HTML/ObjData" in the entire current
logfile, but I've still running 3.16a

Markus


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John 
> Tolmachoff (Lists)
> Sent: Monday, May 02, 2005 7:47 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] F-Prot and HTML object exploit
> 
> It appears that something has updated on F-Prot in the last
> hour. Now, a lot of outbound HTML e-mails are being flagged  
> by F-Prot as having the HTML object exploit. Running the file 
> on www.virustotal.com shows clean.
> 
> Any one else seeing problems?
> 
> For now, as I am at a client, I have turned off F-Prot
> scanning relying on AVG.
> 
> John T
> eServices For You
> 
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot and HTML object exploit

[Colbeck, Andrew]

Well, what matters is that you have the correct (older) *.def files, not
whether the GUI says you're up to date.  As far as it knows, you are.

Remember to temporarily disable your updater, or correct (older) *.def
files will just get overwritten again when the auto-updater kicks in.

Andrew 8)

p.s. Once I received the automated confirmation message from F-Prot, I
replied to it with the full information we've discussed here, and
supplied 10 sample false-positives.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Monday, May 02, 2005 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit


I also filled out the form at FProt's site.  Thanks for the defs.  When 
I open up FProt, though, it says that my defs are up-to-date, even 
though I replaced the newest ones with the ones that you sent.  I hope 
that that message indicates whether we've downloaded the latest - not 
whether we are actually using the latest defs.



Colbeck, Andrew wrote:

>I don't think the engine version matters, just the pattern file.
>
>I've confirmed that the culprit is this, the most recent sign.def from
>
>05/02/2005  01:32 PM
>
>And yes, I've sent in a support request via their web page; I'd like to

>supply them with several samples.
>
>I've also played around with the switch settings and found that there 
>are no relevant switches that can be used as a workaround (i.e. "/ai" 
>"/noheur" and "/server" make no difference in the detection or not of 
>this false-positive).
>
>All of the messages detected either had Office 10 or Office 11 headers 
>or were replies to messages created with Office 10 or Office 11.
>
>Andrew 8)
>
>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
>Sent: Monday, May 02, 2005 1:10 PM
>To: Declude.Virus@declude.com
>Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
>
>
>Question: Have you all running the latest v3.16b ?
>
>I can't see any appearance of "HTML/ObjData" in the entire current 
>logfile, but I've still running 3.16a
>
>Markus
>
>
>  
>
>>-Original Message-
>>From: [EMAIL PROTECTED] 
>>[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff 
>>(Lists)
>>Sent: Monday, May 02, 2005 7:47 PM
>>To: Declude.Virus@declude.com
>>Subject: [Declude.Virus] F-Prot and HTML object exploit
>>
>>It appears that something has updated on F-Prot in the last hour. Now,

>>a lot of outbound HTML e-mails are being flagged
>>by F-Prot as having the HTML object exploit. Running the file 
>>on www.virustotal.com shows clean.
>>
>>Any one else seeing problems?
>>
>>For now, as I am at a client, I have turned off F-Prot scanning 
>>relying on AVG.
>>
>>John T
>>eServices For You
>>
>>
>>
>>---
>>This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

>>just send an E-mail to [EMAIL PROTECTED], and
>>type "unsubscribe Declude.Virus".The archives can be found
>>at http://www.mail-archive.com.
>>
>>
>>
>
>---
>This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
>just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.Virus".The archives can be found
>at http://www.mail-archive.com.
>---
>This E-mail came from the Declude.Virus mailing list.  To unsubscribe, 
>just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.Virus".The archives can be found
>at http://www.mail-archive.com.
>---
>[This E-mail was scanned for viruses.]
>
>
>
>  
>

---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot Alternative

[Colbeck, Andrew]

Matt posted the authoritative roundup in a head to head comparison when
he revamped his Declude Virus setup.

Unless he chimes in here with an updated answer, the answer is somewhere
in the archives.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 2:03 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot Alternative


We have been running F-prot as the virus scanner with Declude for over a
year but lately it seems to have more and more bugs in it.  What do
others recommend as low-cost scanners to work with declude?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Viruses appearing to be getting through...

[Colbeck, Andrew]

I don't have any samples of the latest Sober, but *if* you're using the
penultimate pattern file for F-Prot and have your auto-update disabled,
then according to the writeups, either of these two techniques in your
virus.cfg will keep this specific virus out of your user's mailboxes:

BANEXT PIF
BANZIPEXTS ON

or

BANNAME account_info.zip
BANNAME autoemail-text.zip
BANNAME LOL.zip
BANNAME Fifa_Info-Text.zip
BANNAME mail_info.zip
BANNAME okTicket-info.zip
BANNAME our_secret.zip
BANNAME _PassWort-Info.zip

Andrew 8)

p.s. Now, back to the day job, already!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, May 02, 2005 2:20 PM
To: Declude.Virus@declude.com
Subject: Fw: [Declude.Virus] Viruses appearing to be getting through...


Hi,

Oops, correct that. F-prot is catching it as Sober.O, Sophos is still
not 
catching it. :-(

Sure glad I'm using two scanners. ;-)

> As of now I'm still getting hit by a virus with attachments like our _
> secret . zip which Sophos catches as Sober.O.
>
> Ff-prot is still nopt catching them and there is as of yet no update. 
> Just
> did a manual update and no new version. I'm at:
> SIGN.DEF 2-may-2005, 13:32 CET
> SIGN2.DEF 2-may-2005, 16:46 CET
> Using f-prot 3.16b

Groetjes,


 Bonno Bloksma

> - Original Message -
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, May 02, 2005 8:37 PM
> Subject: RE: [Declude.Virus] Viruses appearing to be getting
through...
>
>
> F-Prot may have already fixed their pattern file.  My current sign.def

> is timestamped:
>
> 05/02/2005  03:53 AM
>
> and checking their website and downloading the current version 
> manually shows that the current version is:
>
> 05/02/2005  01:32 PM
>
> Can anybody with the issue confirm which pattern file they are using 
> that has the problem?
>
> Andrew 8)
>
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Monday, May 02, 2005 11:20 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Viruses appearing to be getting 
> through...
>
>
> Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV 
> (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot 
> (although I have F-Prot updates disabled for now, until they get there

> problem with
> HTML/[EMAIL PROTECTED] fixed).
>
> Bill
> - Original Message -
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, May 02, 2005 11:11 AM
> Subject: RE: [Declude.Virus] Viruses appearing to be getting
through...
>
>
>>I saw a big bunch about 2 hours ago that were stopped by banned zip 
>>extensions.
>>
>> John T
>> eServices For You
>>
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]
>>> On Behalf Of Chuck Schick
>>> Sent: Monday, May 02, 2005 10:58 AM
>>> To: Declude. Virus
>>> Subject: [Declude.Virus] Viruses appearing to be getting through...
>>>
>>> I am seeing several files getting through that appear to have 
>>> viruses
>
>>> attached as zip files.  I am running Declude with F-Prot.  We ban
>> encrypted
>>> zips and I have error code 8 included.  Anyone else seeing this 
>>> behavior? Here is part of the log.
>>>
>>>
>>> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip 
>>> [base64; Length=53728 Checksum=5837399] 05/02/2005 10:34:21 Q568a382
>>> Scanned: Virus Free [MIME: 2 53979]
>>>
>>> Chuck Schick
>>> Warp 8, Inc.
>>> (303)-421-5140
>>> www.warp8.com
>>>
>>> ---
>>> This E-mail came from the Declude.Virus mailing list.  To 
>>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>>> type "unsubscribe Declude.Virus".The archives can be found
>>> at http://www.mail-archive.com.
>>
>> ---
>> This E-mail came from the Declude.Virus mailing list.  To 
>> unsubscribe,
>
>> just send an E-mail to [EMAIL PROTECTED], and
>> type "unsubscribe Declude.Virus".The archives can be found
>> at http://www.mail-archive.com.
>>
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an

RE: [Declude.Virus] F-Prot and HTML object exploit

[Colbeck, Andrew]

The sign*.def files have been updated to:

05/02/2005  11:46 PM

Which I'm pretty sure is UTC. However, these still have the
false-positive.  As of this writing, I've received no reply to my ticket
with F-Prot.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 2:03 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit


F-Prot may have pulled the latest defs do to the number of complaints
received, which could explain why the app reports that you have the
latest version.

Bill
- Original Message - 
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To: 
Sent: Monday, May 02, 2005 1:54 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit


> I also filled out the form at FProt's site.  Thanks for the defs.  
> When I open up FProt, though, it says that my defs are up-to-date, 
> even though I replaced the newest ones with the ones that you sent.  I

> hope that that message indicates whether we've downloaded the latest -

> not whether we are actually using the latest defs.
>
>
>
> Colbeck, Andrew wrote:
>
> >I don't think the engine version matters, just the pattern file.
> >
> >I've confirmed that the culprit is this, the most recent sign.def 
> >from
> >
> >05/02/2005  01:32 PM
> >
> >And yes, I've sent in a support request via their web page; I'd like 
> >to supply them with several samples.
> >
> >I've also played around with the switch settings and found that there

> >are no relevant switches that can be used as a workaround (i.e. "/ai"

> >"/noheur" and "/server" make no difference in the detection or not of

> >this false-positive).
> >
> >All of the messages detected either had Office 10 or Office 11 
> >headers or were replies to messages created with Office 10 or Office 
> >11.
> >
> >Andrew 8)
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] 
> >[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> >Sent: Monday, May 02, 2005 1:10 PM
> >To: Declude.Virus@declude.com
> >Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
> >
> >
> >Question: Have you all running the latest v3.16b ?
> >
> >I can't see any appearance of "HTML/ObjData" in the entire current 
> >logfile, but I've still running 3.16a
> >
> >Markus
> >
> >
> >
> >
> >>-Original Message-
> >>From: [EMAIL PROTECTED] 
> >>[mailto:[EMAIL PROTECTED] On Behalf Of John 
> >>Tolmachoff (Lists)
> >>Sent: Monday, May 02, 2005 7:47 PM
> >>To: Declude.Virus@declude.com
> >>Subject: [Declude.Virus] F-Prot and HTML object exploit
> >>
> >>It appears that something has updated on F-Prot in the last hour. 
> >>Now, a lot of outbound HTML e-mails are being flagged by F-Prot as 
> >>having the HTML object exploit. Running the file on 
> >>www.virustotal.com shows clean.
> >>
> >>Any one else seeing problems?
> >>
> >>For now, as I am at a client, I have turned off F-Prot scanning 
> >>relying on AVG.
> >>
> >>John T
> >>eServices For You
> >>
> >>
> >>
> >>---
> >>This E-mail came from the Declude.Virus mailing list.  To 
> >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >>type "unsubscribe Declude.Virus".The archives can be found
> >>at http://www.mail-archive.com.
> >>
> >>
> >>
> >
> >---
> >This E-mail came from the Declude.Virus mailing list.  To 
> >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >type "unsubscribe Declude.Virus".The archives can be found
> >at http://www.mail-archive.com.
> >---
> >This E-mail came from the Declude.Virus mailing list.  To 
> >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >type "unsubscribe Declude.Virus".The archives can be found
> >at http://www.mail-archive.com.
> >---
> >[This E-mail was scanned for viruses.]
> >
> >
> >
> >
> >
>
> ---
> [This E-mail was scanned for viruses.]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot and HTML object exploit

[Colbeck, Andrew]

Agreed, the current *.def files no longer trigger on my sample
false-positive files.

Also, I had exactly the same message from F-Prot support waiting for me
that Uwe received this morning regarding the false-positives as
"HTML/[EMAIL PROTECTED]".

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wind
Sent: Tuesday, May 03, 2005 8:04 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit


I tested it the last hours and had no FP since the new update.

Uwe

- Original Message - 
From: "Chris Fitch" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, May 03, 2005 4:44 PM
Subject: RE: [Declude.Virus] F-Prot and HTML object exploit


>I have these installed and appears to have corrected.
>
>
> Chris Fitch
> Sr Network Administrator
> Industrial Chemicals Inc.
> [EMAIL PROTECTED]
> 205-823-7330 Ext. 1039
>
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Wind
> Sent: Tuesday, May 03, 2005 8:02 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] F-Prot and HTML object exploit
>
> Hello,
>
> in the moment I got this email from F-prot support:
>
> Unfortunately, virus signature files released at 17:00 on 2 May 2005 
> included a false positive detection identified as: "Infection: 
> HTML/[EMAIL PROTECTED]" (exact name) causing problems for some of our 
> users. New virus signature files that fix this problem have now been 
> released. These files are dated 3 May 2005 and users need only update 
> to avoid any further false positives.
>
>
> Greetings,
> Uwe
>
> - Original Message -
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, May 03, 2005 3:21 AM
> Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
>
>
> The sign*.def files have been updated to:
>
> 05/02/2005  11:46 PM
>
> Which I'm pretty sure is UTC. However, these still have the 
> false-positive.  As of this writing, I've received no reply to my 
> ticket with F-Prot.
>
> Andrew 8)
>
>
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Monday, May 02, 2005 2:03 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] F-Prot and HTML object exploit
>
>
> F-Prot may have pulled the latest defs do to the number of complaints 
> received, which could explain why the app reports that you have the 
> latest version.
>
> Bill
> - Original Message -
> From: "Kevin Rogers" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, May 02, 2005 1:54 PM
> Subject: Re: [Declude.Virus] F-Prot and HTML object exploit
>
>
>> I also filled out the form at FProt's site.  Thanks for the defs. 
>> When I open up FProt, though, it says that my defs are up-to-date, 
>> even though I replaced the newest ones with the ones that you sent.  
>> I
>
>> hope that that message indicates whether we've downloaded the latest 
>> -
>
>> not whether we are actually using the latest defs.
>>
>>
>>
>> Colbeck, Andrew wrote:
>>
>> >I don't think the engine version matters, just the pattern file.
>> >
>> >I've confirmed that the culprit is this, the most recent sign.def 
>> >from
>> >
>> >05/02/2005  01:32 PM
>> >
>> >And yes, I've sent in a support request via their web page; I'd like

>> >to supply them with several samples.
>> >
>> >I've also played around with the switch settings and found that 
>> >there
>
>> >are no relevant switches that can be used as a workaround (i.e. 
>> >"/ai"
>
>> >"/noheur" and "/server" make no difference in the detection or not 
>> >of
>
>> >this false-positive).
>> >
>> >All of the messages detected either had Office 10 or Office 11 
>> >headers or were replies to messages created with Office 10 or Office

>> >11.
>> >
>> >Andrew 8)
>> >
>> >-Original Message-
>> >From: [EMAIL PROTECTED] 
>> >[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
>> >Sent: Monday, May 02, 2005 1:10 PM
>> >To: Declude.Virus@declude.com
>> >Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
>> >
>> >
>> >Question: Have you all running the latest v3.16b ?
>> >
>> >I can't see any appearance of "HTML/ObjData" in the entire current 
>>

RE: [Declude.Virus] f-prot update script

[Colbeck, Andrew]

Hmmm.  Well, I went to the F-Prot website and picked out their link to
download the latest signatures.

They do not support the FTP method anymore, but:

wget -N http://updates.f-prot.com/cgi-bin/get_randomly?fp-def

and

wget -N http://updates.f-prot.com/cgi-bin/get_randomly?macrdef2

do work very well.  Thanks for pointing that out, Bill.

It may be worth mentioning that when the GUI scheduler had problems, it
would tell me instead of quietly erroring out or retrying, which was why
I switched to the method discussed, which was to invoke:

http://www.f-prot.com/support/windows/fpwin_faq/88.html

from Task Scheduler or AT commands.  Since I switched to this method, my
downloads have been flawless.  I won't be switching to wget with http
unless this turns out to be bad.

For what it's worth, I've been using 3.16a and now 3.16b ...

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Wednesday, May 04, 2005 8:27 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] f-prot update script


My wget script for updating F-Prot has been working just fine for a few 
years now, and still continues to function properly.

Bill
- Original Message - 
From: "Douglas Cohn" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 04, 2005 8:13 AM
Subject: RE: [Declude.Virus] f-prot update script


> This update is the worst method IMO  (The one referenced in the link
> here).
> I used to update every hour and using this I would find the machine
with 
> the
> updater hung on the screen timed out at least once a week.
>
> W2K Server SP4.  What OS are you using it on where it does NOT create 
> issues?
>
> I started writing a simple updater using 4NT copy /u which copies 
> across anonymous ftp and http links and only copies new files.  
> Perfect but then I read somewhere that fprot has no FTP updates 
> available anymore so I rewrote
> the one for Mcafee command line instead since I do not have the full 
> version
> installed on this machine and do not want to install the full version.
>
> The script pulls the superdat expands it and then the daily dat.
>
> I could not get the wget Mcafee script from the Declude links to work 
> for long either.  Wget got corrupted after 2 days saying it was not a 
> valid win32 application.  Those links on the Declude site should be 
> removed as that stuff does not work anymore.
>
> 4NT from Jpsoft is simply the best tool for the job anyway.  That and
> unzip
> from infozip and it is done.
>
> DC
>
>
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
> Sent: Monday, May 02, 2005 11:21 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] f-prot update script
>
> Daniel,
> Give this a try:
>
> http://www.f-prot.com/support/windows/fpwin_faq/88.html
>
> -Keith
>
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
> Sent: Monday, May 02, 2005 11:06 AM
> To: 'Declude.Virus@declude.com'
> Subject: RE: [Declude.Virus] f-prot update script
>
> I have tried using this script.  I keep getting an error referring to 
> wget.exe and it doesn't update F-Prot.
>
> Daniel
>
> ===
> Daniel Ivey
> GCR Company / GCR Online
> Voice:  434 - 570 - 1765
> Fax:434 - 572 - 1981
> [EMAIL PROTECTED]
>
> -Original Message-
> From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 02, 2005 11:02 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] f-prot update script
>
> Take a look at:
>
> http://www.declude.com/Articles.asp?ID=100
>
> F-Prot for DOS updater - A batch file that automatically updates 
> F-Prot
> and
> its virus definitions (old version here), and a Cygwin version, and a
> complete .ZIPed version. Finally, a Simple version!
>
>
>
>
> Goran Jovanovic
> The LAN Shoppe
>
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
>> [EMAIL PROTECTED] On Behalf Of Daniel Ivey
>> Sent: Monday, May 02, 2005 9:52 AM
>> To: 'Declude.Virus@declude.com'
>> Subject: [Declude.Virus] f-prot update script
>>
>> Does anyone have an f-prot update script that they wouldn't mind
> sharing?
>> I
>> have tried one that I found, but never could get it to work.  Any 
>> help
> is
>> appreciated.
>>
>> Thanks,
>> Daniel
>>
>> ===
>> Daniel Ivey
>> GCR Company / GCR Online
>> Voice:  434 - 570 - 1765
>> Fax:434 - 572 - 1981
>> [EMAIL PROTECTED]
>>
>> ---
>> This E-mail came from the Declude.Virus mailing list.  To 
>> unsubscribe,
>
>> just send an E-mail to [EMAIL PROTECTED], and
>> type "unsubscribe Declude.Virus".The archives can be found
>> at http://www.mail-archive.com.
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
> just
> send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> ---
> T

RE: [Declude.Virus] f-prot update script

[Colbeck, Andrew]

Darin you're depending on legacy support.  I'd suggest that if you want
to stick to this method, you work on your backup plan.  See the Windows
Updater FAQ:

http://www.f-prot.com/support/windows/fpwin_faq/fpwin_faq_6.html

which lists:

http://www.f-prot.com/support/windows/fpwin_faq/30.html


Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, May 04, 2005 9:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] f-prot update script


Huh?  What about FTP is not working?

We're still FTPing from them.  Latest defs are Monday at 10:34am.  I
just ran the FTP update script manually and it ran fine.

Here's what we use

open ftp.frisk.is
user
anonymous
[EMAIL PROTECTED]
cd pub
binary
hash
prompt
get fp-def.zip
get macrdef2.zip
close
quit


Darin.


- Original Message ----- 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 04, 2005 12:19 PM
Subject: RE: [Declude.Virus] f-prot update script


Hmmm.  Well, I went to the F-Prot website and picked out their link to
download the latest signatures.

They do not support the FTP method anymore, but:

wget -N http://updates.f-prot.com/cgi-bin/get_randomly?fp-def

and

wget -N http://updates.f-prot.com/cgi-bin/get_randomly?macrdef2

do work very well.  Thanks for pointing that out, Bill.

It may be worth mentioning that when the GUI scheduler had problems, it
would tell me instead of quietly erroring out or retrying, which was why
I switched to the method discussed, which was to invoke:

http://www.f-prot.com/support/windows/fpwin_faq/88.html

from Task Scheduler or AT commands.  Since I switched to this method, my
downloads have been flawless.  I won't be switching to wget with http
unless this turns out to be bad.

For what it's worth, I've been using 3.16a and now 3.16b ...

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Wednesday, May 04, 2005 8:27 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] f-prot update script


My wget script for updating F-Prot has been working just fine for a few
years now, and still continues to function properly.

Bill
- Original Message - 
From: "Douglas Cohn" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 04, 2005 8:13 AM
Subject: RE: [Declude.Virus] f-prot update script


> This update is the worst method IMO  (The one referenced in the link 
> here). I used to update every hour and using this I would find the 
> machine
with
> the
> updater hung on the screen timed out at least once a week.
>
> W2K Server SP4.  What OS are you using it on where it does NOT create 
> issues?
>
> I started writing a simple updater using 4NT copy /u which copies 
> across anonymous ftp and http links and only copies new files. Perfect

> but then I read somewhere that fprot has no FTP updates available 
> anymore so I rewrote the one for Mcafee command line instead since I 
> do not have the full version
> installed on this machine and do not want to install the full version.
>
> The script pulls the superdat expands it and then the daily dat.
>
> I could not get the wget Mcafee script from the Declude links to work 
> for long either.  Wget got corrupted after 2 days saying it was not a 
> valid win32 application.  Those links on the Declude site should be 
> removed as that stuff does not work anymore.
>
> 4NT from Jpsoft is simply the best tool for the job anyway.  That and 
> unzip from infozip and it is done.
>
> DC
>
>
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
> Sent: Monday, May 02, 2005 11:21 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] f-prot update script
>
> Daniel,
> Give this a try:
>
> http://www.f-prot.com/support/windows/fpwin_faq/88.html
>
> -Keith
>
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
> Sent: Monday, May 02, 2005 11:06 AM
> To: 'Declude.Virus@declude.com'
> Subject: RE: [Declude.Virus] f-prot update script
>
> I have tried using this script.  I keep getting an error referring to 
> wget.exe and it doesn't update F-Prot.
>
> Daniel
>
> ===
> Daniel Ivey
> GCR Company / GCR Online
> Voice:  434 - 570 - 1765
> Fax:434 - 572 - 1981
> [EMAIL PROTECTED]
>
> -Original Message-
> From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 02, 2005 11:02 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] f-prot update script
>
> Take a look at:
>
> http://www.declude.com/Articles.asp?ID=100
>
> F-Prot for DOS u

RE: [Declude.Virus] Question concerning SKIPEXT and GDI+ Vulnerability detection

[Colbeck, Andrew]

Me three, as I have the same configuration.

For what it's worth, I have seen this exploit blocked on our web proxy
server many times, but I've only seen it a few times in email; each of
those times, the .jpg was not contained in the message, it was dropped
from inside a compressed executable, or it was fetched from a webserver.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Friday, May 06, 2005 10:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Question concerning SKIPEXT and GDI+
Vulnerability detection


I'd like to know the answer to this as well...

I do use
SKIPEXT  JPG
SKIPEXT  JPEG

to skip JPEGs since the larger couple MB JPEGs sure choke the virus
scanning 
engines.

- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Friday, May 06, 2005 11:57 AM
Subject: [Declude.Virus] Question concerning SKIPEXT and GDI+
Vulnerability 
detection


> To my good buddies at Declude :)  (ok, you made me very happy twice
> yesterday)
>
> I understand that SKIPEXT JPG would cause files with JPG extensions to

> not
> be scanned with the virus scanners, but would that also disable the 
> JPG/GDI+ Vulnerability detection?
>
> Many of us stopped skipping JPG's and other associated files when the 
> GDI+
> exploits were first discovered, but they seem to have become duds as
far 
> as actively spreading viruses (though I have seen them on sites linked
to 
> in spam as a way to install spyware).  JPG's however are fairly common
in 
> E-mail and it would be a big improvement to be able to skip scanning
them, 
> and if we were protected with the vulnerability detection, I would
feel 
> comfortable turning off virus scanning of JPG's until a mass-mailing
virus 
> is seen.  I wouldn't want to leave myself completely unprotected
however.
>
> Thanks,
>
> Matt
>
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] EXITSCANONVIRUS

[Colbeck, Andrew]

John, can you expand on that?

In my implementation, there is no difference in message treatment if a
vulnerability or virus is detected.  Therefore, I am happy to stop the
virus scanning if a vulnerability is detected.  That is, as long as
ALLOWVULNERABILITIESFROM is still respected.

Of course, I've already found that these two had too many false
positives for the safety they afford, so I've turned them off:

BANPARTIAL OFF
BANCRVIRUSES OFF

which leaves me with

BANCLSID ON

which has never been triggered.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Saturday, May 28, 2005 12:34 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS


Well, here is an example of what I was hoping not to see.

05/27/2005 23:35:14 Q112105DF2AB2 Vulnerability flags = 0 05/27/2005
23:35:14 Q112105DF2AB2 Outlook 'CR' vulnerability [Subject: H] in
line 15 05/27/2005 23:35:15 Q112105DF2AB2 Virus scanner 1 reports
exit code of 0 05/27/2005 23:35:15 Q112105DF2AB2 File(s) are
INFECTED [[Outlook 'CR'
Vulnerability]: 0]
05/27/2005 23:35:36 Q112105DF2AB2 Scanned: CONTAINS A VIRUS 
05/27/2005 23:35:36 Q112105DF2AB2 From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [incoming from x.x.x.x] 05/27/2005
23:35:36 Q112105DF2AB2 Subject: How is Rebecca doing?

In this case, the subject line is the last line for the message in the
Declude Virus log in HIGH and it apparently shows that scanners 2 & 3
were not called. If it finds a vulnerability, it still should fire the
scanners to see if one of them finds an actual virus.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of David Franco-Rocha [ Declude ]
> Sent: Friday, May 27, 2005 7:21 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] EXITSCANONVIRUS
> 
> John,
> 
> There is a processing loop wherein all the scanners are called in 
> succession. It is independent of vulnerability checking. This 
> directive merely tells Declude to break out of the external virus 
> scanner execution loop. If you use this directive to exit the scanning

> loop on virus
detection
> and (1) you have 5 scanners listed in your cfg file and (2) a virus is

> detected by the first scanner listed, then the effect is exactly the 
> same
in
> processing as if you had a single scanner listed and a virus were 
> detected by that single scanner.
> 
> David Franco-Rocha
> Declude Technical Support
> 
> - Original Message -
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, May 27, 2005 2:50 AM
> Subject: [Declude.Virus] EXITSCANONVIRUS
> 
> 
> A question about this new feature.
> 
> Am I correct in thinking that as soon as a scanner reports a virus, 
> the
next
> scanner(s) in line will not be called and the message will be 
> processed accordingly, and that it will not be affected by Declude 
> first finding a banned attachment before having it scanned by a 
> scanner?
> 
> John T
> eServices For You
> 
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

> just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] EXITSCANONVIRUS

[Colbeck, Andrew]

... that's reasonable, John.

How does it work up to now?  If a vulnerability and a virus are
detected, which gets reported?

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Saturday, May 28, 2005 5:17 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS


I agree with Darrell. If it contains a virus, I want it to be marked as
a virus. If it does not contain a virus, then if it contains a
vulnerability or banned extension then mark as such.

An example is that some Sober viruses also contain vulnerability. Well,
I want it labeled as a virus not vulnerability.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Saturday, May 28, 2005 10:10 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] EXITSCANONVIRUS
> 
> My thoughts are this - a virus is a virus and a vulnerability is a 
> vulnerability.  My expectation is that if a virus is detected than the
other
> scanners will not be called.  However, if a vulnerability is detected 
> the scanners will execute until such time a "virus" is found.
> 
> Maybe two switches - EXITSCANONVULNERABILITY...
> 
> However, on the grander scale of things if nothing changed on this I 
> would still use EXITSCANONVIRUS as long as it observes the various 
> delivery options on vulnerabilities.
> 
> Darrell
> 
> ---
> invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the 
> default configuration. Download a copy today - 
> http://www.invariantsystems.com
> 
> 
> - Original Message -
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: 
> Sent: Saturday, May 28, 2005 12:49 PM
> Subject: RE: [Declude.Virus] EXITSCANONVIRUS
> 
> 
> John, can you expand on that?
> 
> In my implementation, there is no difference in message treatment if a

> vulnerability or virus is detected.  Therefore, I am happy to stop the

> virus scanning if a vulnerability is detected.  That is, as long as 
> ALLOWVULNERABILITIESFROM is still respected.
> 
> Of course, I've already found that these two had too many false 
> positives for the safety they afford, so I've turned them off:
> 
> BANPARTIAL OFF
> BANCRVIRUSES OFF
> 
> which leaves me with
> 
> BANCLSID ON
> 
> which has never been triggered.
> 
> Andrew 8)
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
> (Lists)
> Sent: Saturday, May 28, 2005 12:34 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] EXITSCANONVIRUS
> 
> 
> Well, here is an example of what I was hoping not to see.
> 
> 05/27/2005 23:35:14 Q112105DF2AB2 Vulnerability flags = 0 
> 05/27/2005 23:35:14 Q112105DF2AB2 Outlook 'CR' vulnerability 
> [Subject: H] in line 15 05/27/2005 23:35:15 Q112105DF2AB2 Virus 
> scanner 1 reports exit code of 0 05/27/2005 23:35:15 Q112105DF2AB2

> File(s) are INFECTED [[Outlook 'CR'
> Vulnerability]: 0]
> 05/27/2005 23:35:36 Q112105DF2AB2 Scanned: CONTAINS A VIRUS 
> 05/27/2005 23:35:36 Q112105DF2AB2 From: 
> [EMAIL PROTECTED]
> To: [EMAIL PROTECTED] [incoming from x.x.x.x] 05/27/2005
> 23:35:36 Q112105DF2AB2 Subject: How is Rebecca doing?
> 
> In this case, the subject line is the last line for the message in the

> Declude Virus log in HIGH and it apparently shows that scanners 2 & 3 
> were not called. If it finds a vulnerability, it still should fire the

> scanners to see if one of them finds an actual virus.
> 
> John T
> eServices For You
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> > On Behalf Of David Franco-Rocha [ Declude ]
> > Sent: Friday, May 27, 2005 7:21 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] EXITSCANONVIRUS
> >
> > John,
> >
> > There is a processing loop wherein all the scanners are called in 
> > succession. It is independent of vulnerability checking. This 
> > directive merely tells Declude to break out of the external virus 
> > scanner execution loop. If you use this directive to exit the 
> > scanning
> 
> > loop on virus
> detection
> > and (1) you have 5 scanners listed in your cfg file and (2) a virus 
> > is
> 
> > detected by the first scanner listed, then the effect is exactly the

> > same
> in
> > processing as if you had a single scanner listed and a virus were 
> > detected by that single scanner

RE: [Declude.Virus] EXITSCANONVIRUS

[Colbeck, Andrew]

... right, but what's the behaviour without the new:

EXITSCANONVIRUS ON

option when a vulnerability and virus are in a single message?  Which
gets reported?

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Saturday, May 28, 2005 7:23 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS


It appears to be stopping when it finds a vulnerability and does not get
scanned for virus.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Colbeck, Andrew
> Sent: Saturday, May 28, 2005 5:58 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] EXITSCANONVIRUS
> 
> ... that's reasonable, John.
> 
> How does it work up to now?  If a vulnerability and a virus are 
> detected, which gets reported?
> 
> Andrew 8)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
> (Lists)
> Sent: Saturday, May 28, 2005 5:17 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] EXITSCANONVIRUS
> 
> 
> I agree with Darrell. If it contains a virus, I want it to be marked 
> as a virus. If it does not contain a virus, then if it contains a 
> vulnerability or banned extension then mark as such.
> 
> An example is that some Sober viruses also contain vulnerability. 
> Well, I want it labeled as a virus not vulnerability.
> 
> John T
> eServices For You
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> > On Behalf Of Darrell ([EMAIL PROTECTED])
> > Sent: Saturday, May 28, 2005 10:10 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] EXITSCANONVIRUS
> >
> > My thoughts are this - a virus is a virus and a vulnerability is a 
> > vulnerability.  My expectation is that if a virus is detected than 
> > the
> other
> > scanners will not be called.  However, if a vulnerability is 
> > detected the scanners will execute until such time a "virus" is 
> > found.
> >
> > Maybe two switches - EXITSCANONVULNERABILITY...
> >
> > However, on the grander scale of things if nothing changed on this I

> > would still use EXITSCANONVIRUS as long as it observes the various 
> > delivery options on vulnerabilities.
> >
> > Darrell
> >
> > ---
> > invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the 
> > default configuration. Download a copy today - 
> > http://www.invariantsystems.com
> >
> >
> > - Original Message -
> > From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Saturday, May 28, 2005 12:49 PM
> > Subject: RE: [Declude.Virus] EXITSCANONVIRUS
> >
> >
> > John, can you expand on that?
> >
> > In my implementation, there is no difference in message treatment if

> > a
> 
> > vulnerability or virus is detected.  Therefore, I am happy to stop 
> > the
> 
> > virus scanning if a vulnerability is detected.  That is, as long as 
> > ALLOWVULNERABILITIESFROM is still respected.
> >
> > Of course, I've already found that these two had too many false 
> > positives for the safety they afford, so I've turned them off:
> >
> > BANPARTIAL OFF
> > BANCRVIRUSES OFF
> >
> > which leaves me with
> >
> > BANCLSID ON
> >
> > which has never been triggered.
> >
> > Andrew 8)
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of John 
> > Tolmachoff
> > (Lists)
> > Sent: Saturday, May 28, 2005 12:34 AM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] EXITSCANONVIRUS
> >
> >
> > Well, here is an example of what I was hoping not to see.
> >
> > 05/27/2005 23:35:14 Q112105DF2AB2 Vulnerability flags = 0 
> > 05/27/2005 23:35:14 Q112105DF2AB2 Outlook 'CR' vulnerability
> > [Subject: H] in line 15 05/27/2005 23:35:15 Q112105DF2AB2 Virus 
> > scanner 1 reports exit code of 0 05/27/2005 23:35:15 
> > Q112105DF2AB2
> 
> > File(s) are INFECTED [[Outlook 'CR'
> > Vulnerability]: 0]
> > 05/27/2005 23:35:36 Q112105DF2AB2 Scanned: CONTAINS A VIRUS 
> > 05/27/2005 23:35:36 Q112105DF2AB2 From: 
> > [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED] [incoming from x.x.x.x] 05/27/2005 
> > 23:35:36 Q112105DF2AB2 Subject: How is Rebecca do

RE: [Declude.Virus] EXITSCANONVIRUS

[Colbeck, Andrew]

Title: Message



Ouch.
 
We've 
periodically had problems with Compaq (now HP) Proliant servers that have been 
mostly about the pre-failure being too sensitive; it's now part of our best 
practice to keep up with driver and ROM updates.  This used to be 
difficult, but now HP has a ROM update bootable ISO image we download, it 
detects and updates the ROMs on the motherboard, the array cards, and the 
microcode on the hard drives.  It's called the Firmware Maintenance 
CD.
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of John Tolmachoff (Lists)Sent: Monday, May 30, 2005 
  9:07 AMTo: Declude.Virus@declude.comSubject: RE: 
  [Declude.Virus] EXITSCANONVIRUS
  
  Windows. Power went 
  out, for some reason the UPS went into shutdown mode, it appears some thing on 
  the server hung preventing it from shutting down before the UPS shutdown timer 
  expired, the rest is history. Turns out the Ghost image is inconsistent, so I 
  am rebuilding the OS from the ground, will try to do a restore from a backup I 
  made of the extracted OS partition in Ghost, not sure how that is going to go, 
  but if not then will have to recreate in IIS 47 web sites. Data for the sites 
  is fine, as that was on a pair of separate SCSI drives.
   
  So much for getting 
  caught up on other work.
   
  
  John 
  T
  eServices For 
  You
   
  
  -Original 
  Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Darin 
  CoxSent: Monday, May 
  30, 2005 
  6:43 
  AMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] 
  EXITSCANONVIRUS
   
  
  Oh man...I feel 
  your pain!  Happened to us mid-April.  Fortunately it was just 
  after midnight on a Friday, 
  so we had everything back up before morning and no one noticed the 
  interruption in service.
  
   
  
  Was it Windows 
  mirroring or hardware level?
  
  Darin.
  
   
  
   
  
  - Original 
  Message - 
  
  From: John Tolmachoff (Lists) 
  
  
  To: Declude.Virus@declude.com 
  
  
  Sent: 
  Monday, May 30, 
  2005 
  3:30 
  AM
  
  Subject: RE: 
  [Declude.Virus] EXITSCANONVIRUS
  
   
  Off the topic, but 
  it interrupted my work on my mail server.
   
  Any one ever loose 
  both mirrored OS drives at the same time?
   
  FUN FUN 
  FUN
   
  NOT!
   
  At least Ghost is 
  able to read the master.
   
  
  John 
  T
  eServices For 
  You
   
  ==

RE: [Declude.Virus] New virus out?

[Colbeck, Andrew]

Yes, a new Bagle and MyTob are out.

See:

http://isc.sans.org/diary.php?date=2005-05-31

http://www.viruslist.com/en/weblog

My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two that were caught by Declude Virus, but it
could be quite a few more caught as spam.  When I run F-Prot on them
manually, they are detected as "W32/[EMAIL PROTECTED]".

That's interesting, because I thought that Mitglieder and MyTob were the
same; maybe there's only one new virus but in the form of a dropper and
a payload?  I remember something a few weeks back (maybe in the
Kaspersky diary?) that mentioned that some virus programmer had
essentially used "plug n play" code to mix and match one delivery agent
with another payload in one viral executable.

I haven't seen any of the new MyTob yet, but for more detailed info:

WORM_MyTob.BI

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FM
YTOB%2EBI&VSect=P


Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, May 31, 2005 8:00 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New virus out?


One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip.

They are coming from different IPs

John T
eServices For You


---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] New virus out?

[Colbeck, Andrew]

On my "8.zip" sample, McAfee finds W32/[EMAIL PROTECTED] so VirusTotal
probably has an older McAfee update.

VirusTotal doesn't use Trend Micro, but they don't think it warrants a
new signature.  They already catch it as TROJ_BAGLE.GEN

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gianbattista
Toffetti Carughi
Sent: Tuesday, May 31, 2005 9:59 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New virus out?


This is a report processed by VirusTotal on 05/31/2005 at 17:52:48 (CET)

after scanning the file "8.zip" file.
  Antivirus Version Update Result
  AntiVir 6.30.0.15 05.31.2005 TR/Dldr.Bagle.BR
  AVG 718 05.31.2005 no virus found
  Avira 6.30.0.15 05.31.2005 TR/Dldr.Bagle.BR
  BitDefender 7.0 05.31.2005 [EMAIL PROTECTED]
  ClamAV devel-20050501 05.31.2005 Worm.Bagle.BB-gen
  DrWeb 4.32b 05.31.2005 Win32.HLLM.Beagle.36352
  eTrust-Iris 7.1.194.0 05.31.2005 no virus found
  eTrust-Vet 11.9.1.0 05.31.2005 no virus found
  Fortinet 2.27.0.0 05.31.2005 W32/Mitglieder.CD.gen-tr
  Ikarus 2.32 05.31.2005 no virus found
  Kaspersky 4.0.2.24 05.31.2005 Email-Worm.Win32.Bagle.bo
  McAfee 4502 05.30.2005 no virus found
  NOD32v2 1.1116 05.31.2005 probably unknown NewHeur_PE virus
  Norman 5.70.10 05.30.2005 W32/Downloader
  Panda 8.02.00 05.31.2005 Suspect File
  Sybari 7.5.1314 05.31.2005 Email-Worm.Win32.Bagle.bo
  Symantec 8.0 05.30.2005 Trojan.Tooso.B
  VBA32 3.10.3 05.31.2005 suspected of Worm.Bagle.3


- Original Message - 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, May 31, 2005 6:39 PM
Subject: RE: [Declude.Virus] New virus out?


Yes, a new Bagle and MyTob are out.

See:

http://isc.sans.org/diary.php?date=2005-05-31

http://www.viruslist.com/en/weblog

My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two that were caught by Declude Virus, but it
could be quite a few more caught as spam.  When I run F-Prot on them
manually, they are detected as "W32/[EMAIL PROTECTED]".

That's interesting, because I thought that Mitglieder and MyTob were the
same; maybe there's only one new virus but in the form of a dropper and
a payload?  I remember something a few weeks back (maybe in the
Kaspersky diary?) that mentioned that some virus programmer had
essentially used "plug n play" code to mix and match one delivery agent
with another payload in one viral executable.



---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] MS05-16 Exploit

[Colbeck, Andrew]

Title: Message



Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID 
vulnerability detector.
 
They 
are entirely different animals, which happen to have CLSID at their 
heart.
 
The 
only way to attack MS05-16 abuse with Declude Virus is with a) keep your virus 
scanner up to date, and/or b) to watch for virus news and ban extensions that 
are deliberately crafted as bogus, e.g. .d0c or .doc_ instead of 
.doc
 
The 
only way to attack MS05-16 abuse with Declude JunkMail is to dream up ways to 
tell apart MIME filename lines that are valid from the ones that are 
bogus.  Given that Macintoshes will send files to PC users without a file 
extenstion, and given the lack of regular expressions and fine control over 
substring matching, I think this is a fool's errand.  Leave it up to your 
antivirus scanner.
 
Ok, 
John, get back to fixing that mirrored drive set.
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of MattSent: Tuesday, May 31, 2005 2:21 PMTo: 
  Declude.Virus@declude.comSubject: Re: [Declude.Virus] MS05-16 
  ExploitThis is the one that Andy pointed out:
  Microsoft Windows Shell Remote Code Execution 
Vulnerabilityhttp://www.securityfocus.com/bid/13132/discussion/Microsoft 
Windows is prone to a vulnerability that may allow remote attackers to 
execute code through the Windows Shell. The cause of the vulnerability is 
related to how the operating system handles unregistered file types. The 
specific issue is that files with an unknown extension may be opened with 
the application specified in the embedded CLSID.The victim of the 
attack would be required to open a malicious file, possibly hosted on a Web 
site or sent through email. Social engineering would generally be required 
to entice the victim into opening the file. I can't say 
  whether or not it is a broad enough threat to be exploited in a mass-mailing 
  virus.  Declude defaults to BANCSLID ON which may or may not protect from 
  such an attack.  Some CSLID calls are entire valid and normal for 
  Outlook/Office generated E-mails, and I'm not totally sure what Declude 
  considers to be good to ban with this switch.  Andrew previously 
  indicated that he had never seen it triggered.Anyway, these things pop 
  up about once a month and most are never exploited in E-mail viruses, so there 
  is probably no reason to not treat all of them the same.  I see no reason 
  why virus scanners wouldn't detect the infected attachments once they were 
  updated with definitions for known 
  threats.MattJohn Tolmachoff (Lists) wrote: 
  Since I am pressed for time and am presently unable to completely digest
what the vulnerability is and how to stop it, how can we configure our
Declude installs to protect/find/stop these messages?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Andy Schmidt
Sent: Tuesday, May 31, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] MS05-16 Exploit

Hi,

Enclosed a notice for the MS05-16 Exploit.

For the record:
I'm actually in favor of using STRICT interpretation of vulnerabilities -
no
  
matter how seldom one might actually occur.  Whether a violation of
standards is due to an actual virus - or just a poor mass-mailer
application, I gladly use the reason of "vulnerability" of a potential
virus
  
to reject these messages early.

As far as some features suggested here:

- I do agree that it might be helpful for some people not to scan for
viruses, if a vulnerability is found (to conserve CPU).

- I do agree that there is little reason (other than statistics) to run
the
  
second scanner after the first scanner already found a virus.

- I do agree that it is desirable for some people, if there was an option
that would delete vulnerabilities rather than "isolate" them in the Virus
folder.

- I do NOT agree that Declude should NOT detect certain vulerabilities,
just
  
because they only occur very rarely.


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206



  -Original Message-
From: Nick FitzGerald [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 29, 2005 9:31 AM
To: Bugtraq@securityfocus.com
Subject: Spam exploiting MS05-016

  Yesterday at least two of my spam-traps received the following message
(I've elided the MIME boundary values just in case...):

   Subject: We make a business offer to you
   MIME-Version: 1.0
   Content-type: multipart/mixed;
   boundary="[...]"

   [...]
   Content-Type: text/plain;
   charset="Windows-1252"
   Content-Transfer-Encoding: 8bit

   Hello!  It is not spam, so don't delete this message.
   We have a business offer to you.
   Read our offer.
   You can increase the business in 1,5 times.
   We hope you do not miss this information.


   Best regard

RE: [Declude.Virus] viruses getting through

[Colbeck, Andrew]

Title: Message



Also, 
if your server is highly stressed, IMail will steal messages from Declude 
(alternately, "something" makes the file in use and Declude can't 
process the message in a timely fashion and so fails open) and the file is 
delivered by IMail without Declude writing the headers or updating the log 
files.
 
Andrew.
 
p.s. 
We suffered self-induced delayed-server-upgrade for 6 months and saw too much of 
this.  The new server is quite happy, thank you very 
much.
 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of MattSent: Wednesday, June 08, 2005 2:09 
  PMTo: Declude.Virus@declude.comSubject: Re: 
  [Declude.Virus] viruses getting throughIf you restart 
  your server without first stopping IMail SMTP service, it will leak messages 
  for several seconds.  Also, if you restart the IMail Queue Manager 
  service it will steal messages from Declude.  Both situations can lead to 
  messages being passed without headers.MattDaniel Ivey 
  wrote: 
  Yes, I do have AVAFTERJM ON in the virus.cfg file.  One clarification too,
when I mentioned that the headers for Declude Virus were not there, there
was also no headers for Declude Junkmail either, with I know those are
working.  I have attached the virus log file for so far today.  We have them
set to only write on error.

Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice:  434 - 570 - 1765
Fax:434 - 572 - 1981
[EMAIL PROTECTED]

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 08, 2005 4:12 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] viruses getting through

Declude Virus has no definitions to update.

Are you using AFTERJM ON?

Logs, what do the logs say?

John T
eServices For You

  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Daniel Ivey
Sent: Wednesday, June 08, 2005 12:54 PM
To: 'Declude.Virus@declude.com'
Subject: [Declude.Virus] viruses getting through

Greetings,

  Over the past 2 days, I have had some viruses get through my Declude
Virus, with updated definitions.  Has anyone else seen this?  Also, when I
receive an email and look at the headers of the email, I am not seeing
where
  
Declude Virus scanned the message.  Does anyone have any suggestions?  I
am
  
running version 1.82.

Thanks,
Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice:  434 - 570 - 1765
Fax:434 - 572 - 1981
[EMAIL PROTECTED]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

  -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

RE: [Declude.Virus] F-Prot update

[Colbeck, Andrew]

Title: Message



According to their website, this is a stability update; comparing a 
new install on my test box shows that lots of datestamps have been updated but 
actually not many files changed.  The Help file has not changed, 
and there is no text file that describes the 
changes/updates.
 
As an 
aside, Matt and I each contacted their Support desk regarding slow processing of 
certain UPX encrypted hostiles, and also an overlapping issue where variants of 
MyTob being caught as error code 8 "suspicious" were just as viral as other 
variants that were caught as error code 3 "virus"... well, I went back and 
checked and with the current *.def files, both of those issues have been 
fixed.
 
Andrew 
8)
 
p.s. 
I'm also in Canada, and didn't receive an email update notice for this update, 
nor the previous one.
 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of J PorterSent: Thursday, June 09, 2005 11:14 
  AMTo: Declude.Virus@declude.comSubject: [Declude.Virus] 
  F-Prot update
  I 
  received a notice for 3.16c update from Frisk.I don't recall it being 
  normal for them to recommend updating ASAP.Anyone tried it 
  yet?~Joe 

RE: [Declude.Virus] F-Prot update

[Colbeck, Andrew]

Title: Message



Ah, I 
didn't check the internals of the *.def files.  I simply ran fpcmd manually 
against the viral files I had stashed and noted how long it took and what the 
errorlevel was afterwards.
 
I'll 
re-subscribe to the announcements and see if that helps.  I did check my 
Declude log to see if their announcement had been caught as spam, but no, there 
were no messages.
 
Andrew 
8)
 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Goran JovanovicSent: Thursday, June 09, 2005 7:06 
  PMTo: Declude.Virus@declude.comSubject: RE: 
  [Declude.Virus] F-Prot update
  
  Andrew,
   
  I looked at the sign 
  and sign2.def files and they are binary “junk” to me. What did you use to 
  check the def files?
   
  I resubscribed to the 
  announcements and maybe now I will get 1 announcement J 
  
   
  
   
   Goran 
  Jovanovic
   
  The LAN 
  Shoppe
   
   
  
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Colbeck, 
  AndrewSent: Thursday, June 
  09, 2005 9:54 PMTo: 
  Declude.Virus@declude.comSubject: RE: [Declude.Virus] F-Prot 
  update
   
  
  According to their 
  website, this is a stability update; comparing a new install on my test 
  box shows that lots of datestamps have been updated but actually not many 
  files changed.  The Help file has not changed, and there is no text 
  file that describes the changes/updates.
  
   
  
  As an aside, Matt and 
  I each contacted their Support desk regarding slow processing of certain UPX 
  encrypted hostiles, and also an overlapping issue where variants of MyTob 
  being caught as error code 8 "suspicious" were just as viral as other variants 
  that were caught as error code 3 "virus"... well, I went back and checked and 
  with the current *.def files, both of those issues have been 
  fixed.
  
   
  
  Andrew 
  8)
  
   
  
  p.s. I'm also in 
  Canada, and didn't receive an email 
  update notice for this update, nor the previous 
  one.
  
   
  
-Original 
Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of J 
PorterSent: Thursday, June 
09, 2005 11:14 AMTo: 
Declude.Virus@declude.comSubject: [Declude.Virus] F-Prot 
update

I received a 
notice for 3.16c update from Frisk.I don't recall it being normal 
for them to recommend updating ASAP.Anyone tried it yet?~Joe 

RE: [Declude.Virus] Declude using CBL to block users sending mail?????

[Colbeck, Andrew]

Doug, you're probably scoring on multiple hops by setting your HOPHIGH
in global.cfg ...

If you don't want RBLs to score on multiple hops, just comment out that
HOPHIGH line.

Alternatively, rename your CBL test to CBL-DYNA (don't forget to change
the global.cfg definition plus the action line wherever it appears in
your configuration files (e.g. CBL WARN to CBL-DYNA WARN).

Andrew 8)

p.s. Is your own machine's address on the Internet, or was CBL listing
an internal, non-routable IP address like 192.168.1.1 ?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Monday, June 13, 2005 5:03 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Declude using CBL to block users sending
mail?


My desktop IP was erroneously listed on CBL.  It seems that declude is
checking autheticated users sending mail for CBL and according to CBL
this is wrong.  SEE below

Here is the header showing what went on with the actual Ips removed to
proect the innocent  (ME). But it sure seems that my desktop machine is
the one being checked and shown as on CBL.  Had 10 points been enough I
would not have been able to send mail.  The ONLY address within the
below HEADER that was actually listed in the CBL is the HOST machine
sending the email. NOT the MAIL servers but MY DESKTOP of which I am an
authenticated sender.  

Why would declude check an authenticated sender on the CBL list?

This all started because Smartermails SPAM does NOT check the
authenticated senders and this is what confused me intially.  IE I
thought Smartermails SPAM was not working properly on another server
where I do NOT have declude ANTISPAM installed.  BUT as you see
according to CBL it should NOT detect CBL on an autheticated senders IP.

According to CBL this is not how the list is designed.


Return-Path: <[EMAIL PROTECTED]> Sun Jun 12 18:35:56 2005
Received: from forwardeddestinationmailserver [123.123.123.123] by
forwardeddestinationmailserver with SMTP;
   Sun, 12 Jun 2005 18:35:56 -0400
Received: from decludesmtpserver [456.456.456.456] by
destinationmailserver with SMTP;
   Sun, 12 Jun 2005 18:35:20 -0400
Received: from UnknownHost [IP-in-CBL=MY DESKTOP] by decludesmtpserver
with SMTP;
   Sun, 12 Jun 2005 18:34:59 -0400
From: "douglas cohn" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: Test cbl
Date: Sun, 12 Jun 2005 18:34:52 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcVvnvNNt9F+fMW3RTWO2wS4w3LH6A==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Declude-Sender: [EMAIL PROTECTED] [IPinCBL=MY DESKTOP]
X-Declude-Spoolname: 37296653.EML
X-Declude-Scan: Score [10] at 18:35:09 on 12 Jun 2005
X-Declude-Fail: CBL, WEIGHT10
X-Country-Chain: UNITED STATES->destination
X-SmarterMail-Spam: SPF_None
X-Rcpt-To: <[EMAIL PROTECTED]>


http://cbl.abuseat.org/

We're getting a lot of reports of spurious blocking caused by sites
using the CBL to block authenticated access to smarthosts / outgoing
mail servers. THE CBL is only designed to be used on INCOMING mail, i.e.
on the hosts that your MX records point to.

If you use the same hosts for incoming mail and smarthosting, then you
should always ensure that you exempt authenticated clients from CBL
checks, just as you would for dynamic/dialup blocklists.

Another way of putting this is: "Do not use the CBL to block your own
users".

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Declude using CBL to block users sending mail?????

[Colbeck, Andrew]

That's a good point, Matt.

I glossed over analyzing the hops, but wouldn't Declude skip running any
test with DYNA in the name if the message was received via AUTH?  I
remember that you wrote a Master's Thesis on this over in the
Declude.Support mailing list.

Naturally, this would only count with Declude running on IMail, and not
on SmarterMail.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, June 13, 2005 6:14 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude using CBL to block users sending
mail?


Andrew,

Just to clear up any confusion, this message was sent by Doug through 
his own SmarterMail/Declude server, so his IP was the connecting hop and

the DYNA/hop limiting tricks won't have an effect here.

I think it might be valuable if people resisted the temptation of 
removing IP's from headers when shared because those that might help out

would often benefit from this information.  Sometimes it doesn't really 
matter of course, and Doug did give enough information to figure this 
out, but the three received headers were confusing without a careful
read.

Matt



Colbeck, Andrew wrote:

>Doug, you're probably scoring on multiple hops by setting your HOPHIGH 
>in global.cfg ...
>
>If you don't want RBLs to score on multiple hops, just comment out that

>HOPHIGH line.
>
>Alternatively, rename your CBL test to CBL-DYNA (don't forget to change

>the global.cfg definition plus the action line wherever it appears in 
>your configuration files (e.g. CBL WARN to CBL-DYNA WARN).
>
>Andrew 8)
>
>p.s. Is your own machine's address on the Internet, or was CBL listing 
>an internal, non-routable IP address like 192.168.1.1 ?
>
>
>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
>Sent: Monday, June 13, 2005 5:03 PM
>To: Declude.Virus@declude.com
>Subject: [Declude.Virus] Declude using CBL to block users sending 
>mail?
>
>
>My desktop IP was erroneously listed on CBL.  It seems that declude is 
>checking autheticated users sending mail for CBL and according to CBL 
>this is wrong.  SEE below
>
>Here is the header showing what went on with the actual Ips removed to 
>proect the innocent  (ME). But it sure seems that my desktop machine is

>the one being checked and shown as on CBL.  Had 10 points been enough I

>would not have been able to send mail.  The ONLY address within the 
>below HEADER that was actually listed in the CBL is the HOST machine 
>sending the email. NOT the MAIL servers but MY DESKTOP of which I am an

>authenticated sender.
>
>Why would declude check an authenticated sender on the CBL list?
>
>This all started because Smartermails SPAM does NOT check the 
>authenticated senders and this is what confused me intially.  IE I 
>thought Smartermails SPAM was not working properly on another server 
>where I do NOT have declude ANTISPAM installed.  BUT as you see 
>according to CBL it should NOT detect CBL on an autheticated senders 
>IP.
>
>According to CBL this is not how the list is designed.
>
>
>Return-Path: <[EMAIL PROTECTED]> Sun Jun 12 18:35:56 2005
>Received: from forwardeddestinationmailserver [123.123.123.123] by 
>forwardeddestinationmailserver with SMTP;
>   Sun, 12 Jun 2005 18:35:56 -0400
>Received: from decludesmtpserver [456.456.456.456] by 
>destinationmailserver with SMTP;
>   Sun, 12 Jun 2005 18:35:20 -0400
>Received: from UnknownHost [IP-in-CBL=MY DESKTOP] by decludesmtpserver 
>with SMTP;
>   Sun, 12 Jun 2005 18:34:59 -0400
>From: "douglas cohn" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Subject: Test cbl
>Date: Sun, 12 Jun 2005 18:34:52 -0400
>MIME-Version: 1.0
>Content-Type: text/plain;
>   charset="us-ascii"
>Content-Transfer-Encoding: 7bit
>X-Mailer: Microsoft Office Outlook, Build 11.0.6353
>Thread-Index: AcVvnvNNt9F+fMW3RTWO2wS4w3LH6A==
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-Declude-Sender: [EMAIL PROTECTED] [IPinCBL=MY DESKTOP]
>X-Declude-Spoolname: 37296653.EML
>X-Declude-Scan: Score [10] at 18:35:09 on 12 Jun 2005
>X-Declude-Fail: CBL, WEIGHT10
>X-Country-Chain: UNITED STATES->destination
>X-SmarterMail-Spam: SPF_None
>X-Rcpt-To: <[EMAIL PROTECTED]>
>
>
>http://cbl.abuseat.org/
>
>We're getting a lot of reports of spurious blocking caused by sites 
>using the CBL to block authenticated access to smarthosts / outgoing 
>mail servers. THE CBL is only designed to be used on INCOMING mail, 
>i.e. on the hosts that your MX records point to.
>
>If you use the same hosts for incoming mail and smarthost

RE: [Declude.Virus] FYI - new virus as yet unidentified

[Colbeck, Andrew]

Title: Message



12 
hours after Darin's post, I see that the ISC Storm Center has seen 
it.
 
http://isc.sans.org/diary.php?date=2005-06-25
 

"New Bagle VariantWe're receiving early reports of a new Bagle 
variant making the rounds. At the time of writing, many Antivirus products are 
not detecting this most recent mutation of the mass mailer. Identifying 
characteristics include a reference to SMS in the subject line, and ZIP 
attachments with various names containing an EXE named f22-013.exe with an md5 
checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous 
ISC readers who alerted us to this. "
 
I 
hunted around our undeliverables and found more than one copy.  Each had 
"SMS" in the subject, e.g. "Is sent SMS" and "The picture is sent on 
SMS".
 
Trend 
Micro detects the executable as Bagle.BB but everyone else who detects it calls 
it Bagle.BQ or Bagle.Gen (generic).  McAfee and Symantec are not detecting 
it.  ClamAV does.  F-Prot calls it an errorlevel = 8 security risk 
called "W32/_newstuff.2".
 
Each 
message was 32 KB.
 
I hope 
that helps,
 
Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Darin CoxSent: Sunday, June 26, 2005 11:33 
  AMTo: Declude.Virus@declude.comSubject: [Declude.Virus] 
  FYI - new virus as yet unidentified
  Don't know what it is yet, but the attached file 
  was named kitten.zip containing an 
  unencrypted EXE.
  Darin.
   
   

RE: [Declude.Virus] FYI - new virus as yet unidentified

[Colbeck, Andrew]

Title: Message



Not 
much news on this Bagle variant.  Here are all the zip filenames that I've 
seen:
 
beach.zipin_park.zipkitten.ziplegs.zipnew.ziporiginal.zip
Andrew 
8)
 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Markus GuflerSent: Sunday, June 26, 2005 11:39 
  PMTo: Declude.Virus@declude.comSubject: RE: 
  [Declude.Virus] FYI - new virus as yet unidentified
  Thanks for the info's
  I've seen some of this "SMS" subject lines in the virus 
  log (while searching for kitten.zip)
   
  06/26/2005 22:37:03 Q11e3167a00d2c413 Scanner 2: 
  Virus=W32/Bagle.dldr Attachment= [42] I06/26/2005 22:37:22 
  Q1200168000d2c41c Scanned: Virus Free [Prescan OK][MIME: 3 
  19716]06/26/2005 22:37:24 Q11e3167a00d2c413 Scanned: CONTAINS A VIRUS 
  [Prescan OK][MIME: 2 21646]06/26/2005 22:37:24 Q11e3167a00d2c413 From: 
  [Forged] To: [Hidden] [incoming from 71.97.144.45]06/26/2005 22:37:24 
  Q11e3167a00d2c413 Subject: Is sent SMS
   
  This 
  was yesterday evening (06/26/2005 22:37:24 GMT+1) 
  Scanner 2 is Mcafee and following the logfiles it's 
  called "Bagle.dldr"
  Scanner 1 (F-Prot) has catched it 2 hours later with 
  errorlevel 8.
   
  Markus
   
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
AndrewSent: Monday, June 27, 2005 8:14 AMTo: 
Declude.Virus@declude.comSubject: RE: [Declude.Virus] FYI - new 
virus as yet unidentified

12 
hours after Darin's post, I see that the ISC Storm Center has seen 
it.
 
http://isc.sans.org/diary.php?date=2005-06-25
 

"New Bagle VariantWe're receiving early reports of a new Bagle 
variant making the rounds. At the time of writing, many Antivirus products 
are not detecting this most recent mutation of the mass mailer. 
Identifying characteristics include a reference to SMS in the subject line, 
and ZIP attachments with various names containing an EXE named f22-013.exe 
with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out 
to the numerous ISC readers who alerted us to this. "
 
I 
hunted around our undeliverables and found more than one copy.  Each 
had "SMS" in the subject, e.g. "Is sent SMS" and "The picture is sent on 
SMS".
 
Trend Micro detects the executable as Bagle.BB but everyone else who 
detects it calls it Bagle.BQ or Bagle.Gen (generic).  McAfee and 
Symantec are not detecting it.  ClamAV does.  F-Prot calls it an 
errorlevel = 8 security risk called "W32/_newstuff.2".
 
Each message was 32 KB.
 
I 
hope that helps,
 
Andrew 8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Darin CoxSent: Sunday, June 26, 2005 11:33 
  AMTo: Declude.Virus@declude.comSubject: 
  [Declude.Virus] FYI - new virus as yet unidentified
  Don't know what it is yet, but the attached 
  file was named kitten.zip containing an 
  unencrypted EXE.
  Darin.
   
   

[Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up

[Colbeck, Andrew]

Title: Message



Well, 
the speculation on whether Microsoft would make good on their bounty to Sven 
Jaschen's "friends" is over.
 
http://www.f-secure.com/weblog/
 
 
Andrew 
8)

RE: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up

[Colbeck, Andrew]

Sorry, Dan.  I'll be busy myself.

My wife has told me to write the next doom and gloom virus and release
it.  She intends to use the Tor network to secretly blow the whistle on
me, then turn me in to Microsoft for a fat reward.

I never should have taught that accountant how to use her computer for
more than Excel.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
Sent: Friday, July 08, 2005 1:52 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] NetSky and Sasser author sentenced,
Microsoft pays up


So if I write a virus, who wants to turn me in and split the bounty with
me? 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darrell 
> ([EMAIL PROTECTED])
> Sent: Friday, July 08, 2005 4:18 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] NetSky and Sasser author 
> sentenced, Microsoft pays up
> 
> Slap on the wrist and his friends got paid for turning him
> in...  Looks like a win-win for all of them. 
> 
> Darrell
> 
> John Tolmachoff (Lists) writes:
> 
> > So the virus writer got a slap on the wrist. Boy, that will
> sure send
> > a message to would be virus writers.
> > 
> >   
> > 
> > John T
> > 
> > eServices For You
> > 
> >   
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> Colbeck, Andrew
> > Sent: Friday, July 08, 2005 11:40 AM
> > To: Declude.Virus@declude.com
> > Subject: [Declude.Virus] NetSky and Sasser author
> sentenced, Microsoft
> > pays up
> > 
> >   
> > 
> > Well, the speculation on whether Microsoft would make good on their
> > bounty to Sven Jaschen's "friends" is over.
> > 
> >   
> > 
> > http://www.f-secure.com/weblog/
> > 
> >   
> > 
> >   
> > 
> > Andrew 8)
> > 
>  
> 
> 
>  
> --
> --
> Check out http://www.invariantsystems.com for utilities for
> Declude And Imail.  IMail/Declude Overflow Queue Monitoring, 
> SURBL/URI integration, MRTG Integration, and Log Parsers. 
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Patch Tuesday and graphic images

[Colbeck, Andrew]

Today is Microsoft Patch Tuesday for July 2005.

One of the bulletins is:

http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx

Which fails to indicate which graphics formats are affected by this
vulnerability.  It does mention that abuse thereof is indeed in the
wild.  Presumably on websites, but if you want to make sure that it is
not happening in email, you will want to remove these optimizations from
your Declude virus.cfg file:

SKIPEXT JPG
SKIPEXT JPEG
SKIPEXT PNG
SKIPEXT TIF
SKIPEXT TIFF

This contradicts my posting in May 2005 that Scott Perry said that JPG
skipping was ok vis a vis MS04-028 Q833987 because Declude Virus checks
for corrupt JPG regardless of the SKIPEXT behaviour.  That is, unless
the Declude code is so good that it checks all three of these formats
for rigorous adherence to their standards such that it protects the
Microsoft libraries!


Andrew 8)




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Breatel.B@MM seems to forging

[Colbeck, Andrew]

... And I just added FunLove to the list.  W32/FunLove.4099 is the full
name given by F-Prot, but it is known as WORM_NETSKY.P to Trend Micro.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, July 21, 2005 12:50 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] [EMAIL PROTECTED] seems to forging

Have seen some NDR's yesterday and this morning and so I've added
Breatel to the list of forging viruses.

Markus

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] OT: Online file check?

[Colbeck, Andrew]

To scan a file with a 
bunch of different scanners and get a single report from all of them, use this 
site:
 
http://www.virustotal.com/
 
And if you want to see 
what a malicious file does, use this site:
 
http://sandbox.norman.no/live.html
 
And the best way to get 
rid of a file like that is probably to boot in Safe Mode, then edit all the 
usual registry places to get rid of the malware, and delete each instance of the 
file.  Also check that the hosts. file has no bogus entries.  If you 
can't delete a file because it's running, rename the file on the 
drive.  If you want to terminate a process that Task Manager won't let you 
terminate, use pskill.exe from http://www.sysinternals.com/ as an 
Administrator-equivalent userid.
 
It won't hurt to also, as 
the user, install http://www.javacoolsoftware.com/ 
which will tighten up their Internet Explorer settings, and turn on the "kill 
bit" for many CLASSIDs of known malware.  If you don't mind fetching 
updates interactively, Spyware Blaster is free for personal use.
 
For a general perusal and 
interactive utility to see what applications are set to start from where, check 
out HijackThis from http://www.spywareinfo.com/~merijn/downloads.html
 
And for the next week, I 
think the best interactive tool to ferret out start all the startup applications 
and places is still Microsoft Antispyware.  They've taken a hit recently 
because although they continue to find several Adware vendors' software, they 
now suggest an action of "Ignore" instead of "Remove".  http://www.microsoft.com/athome/security/spyware/software/default.mspx
 
 
Andrew 8)
 
p.s. 
You might guess that I've had to remove, oh, just one or two bits of 
malware from users' workstations...

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of William 
  StillwellSent: Monday, July 25, 2005 12:05 PMTo: 
  Declude.Virus@declude.comSubject: [Declude.Virus] OT: Online file 
  check?
  
  At one time i saw a post about a site that you can upload and it will 
  scan it with
  the "popular" scanners and check it..
   
  I have this evil little program that i can't remove from a users 
  computer, and i have done
  everything.. It keeps "Renaming" itself on termination..
   
  It spawns under explorer, rundll32, svchost and just totally takes over, 
  and once its connected
  to an internet connection, downloads just about every peace of 
  malware/spyware it can..
   
  Thanks-
   

RE: [Declude.Virus] OT: Online file check?

[Colbeck, Andrew]

Oh, yes, and a few more 
tips:
 
Configure the IE 
preferences on the Tools, Options, Advanced tab:
 
In the Browsing 
section:
UNCHECK "Enable Install 
on Demand (Internet Explorer)"
UNCHECK "Enable Install 
on Demand (Other)"
UNCHECK "Enable 3rd party 
browser extensions (requires restart)"
 
In the Security 
section:
CHECK "Empty Temporary 
Internet Files folder when browser is closed"
 
I've never seen the first 
two settings conflict with anything or prevent legitimate software 
installations. The third doesn't prevent software from being installed, it stops 
IE from loading such software that has been installed.  In addition to 
malware, this includes the Google Toolbar, or the Yahoo! toolbar that so many 
people get installed incidentally with Adobe Acrobat et al.
 
The fourth setting is 
great, because much of the malware is dropped in the IE temp folder, so when you 
close IE or reboot, poof, it's gone.
 
And of course, make as 
many trips as necessary to Windows Update in order to add patches.  You 
also have to look at other software on the computer that might be older with 
holes, e.g. Real Player, WinAmp, and the Microsoft and Sun Java 
runtimes.
 
Remove the now defunct 
Microsoft JVM altogether with their removal tool.  Either call Product 
Support or Google for "unmsjvm.exe" and then go to http://www.java.com and download Sun's 
implementation, and let it periodically go to the Internet to check for 
updates.
 
Hope that 
helps,
 
Andrew 8)
 
 
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
  AndrewSent: Monday, July 25, 2005 1:12 PMTo: 
  Declude.Virus@declude.comSubject: RE: [Declude.Virus] OT: Online 
  file check?
  
  To scan a file with a 
  bunch of different scanners and get a single report from all of them, use this 
  site:
   
  http://www.virustotal.com/
   
  And if you want to see 
  what a malicious file does, use this site:
   
  http://sandbox.norman.no/live.html
   
  And the best way to get 
  rid of a file like that is probably to boot in Safe Mode, then edit all the 
  usual registry places to get rid of the malware, and delete each instance of 
  the file.  Also check that the hosts. file has no bogus entries.  If 
  you can't delete a file because it's running, rename the file on the 
  drive.  If you want to terminate a process that Task Manager won't let 
  you terminate, use pskill.exe from http://www.sysinternals.com/ as an 
  Administrator-equivalent userid.
   
  It won't hurt to also, 
  as the user, install http://www.javacoolsoftware.com/ 
  which will tighten up their Internet Explorer settings, and turn on the "kill 
  bit" for many CLASSIDs of known malware.  If you don't mind fetching 
  updates interactively, Spyware Blaster is free for personal use.
   
  For a general perusal 
  and interactive utility to see what applications are set to start from where, 
  check out HijackThis from http://www.spywareinfo.com/~merijn/downloads.html
   
  And for the next week, 
  I think the best interactive tool to ferret out start all the startup 
  applications and places is still Microsoft Antispyware.  They've taken a 
  hit recently because although they continue to find several Adware vendors' 
  software, they now suggest an action of "Ignore" instead of "Remove".  http://www.microsoft.com/athome/security/spyware/software/default.mspx
   
   
  Andrew 8)
   
  p.s. 
  You might guess that I've had to remove, oh, just one or two bits of 
  malware from users' workstations...
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of William 
StillwellSent: Monday, July 25, 2005 12:05 PMTo: 
Declude.Virus@declude.comSubject: [Declude.Virus] OT: Online file 
check?

At one time i saw a post about a site that you can upload and it will 
scan it with
the "popular" scanners and check it..
 
I have this evil little program that i can't remove from a users 
computer, and i have done
everything.. It keeps "Renaming" itself on termination..
 
It spawns under explorer, rundll32, svchost and just totally takes 
over, and once its connected
to an internet connection, downloads just about every peace of 
malware/spyware it can..
 
Thanks-
 

RE: [Declude.Virus] OT: Online file check?

[Colbeck, Andrew]

Greg, my favourite technique for restarting explorer is:

CTRL-SHIFT-ESC to bring up Task Manager.  Kill explorer.exe, then pull
down File, New Task and launch explorer.exe ... This works especially
well when you reboot but get no desktop.  Also good things to launch are
cmd (and WinFile.exe brought over from an older box!).

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Little
> Sent: Monday, July 25, 2005 2:08 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] OT: Online file check?
> 
> Keep it off the network as much as possible.
> Also a software firewall (like Zone Alarm) will help control 
> the "phone home for updates".
> 
> Another tool I used for those "really hard to remove stains", 
> is KillBox. You can give it a list of files to be deleted at 
> the start of the next boot.
> 
> I've had one that was still locked in memory (and recreating 
> itself to new file names and restoring reg keys) in safe mode 
> with explorer exited.
> (You have to start a Dos Window before killing the Explorer process. 
> Then "explorer" to start it again.)
> It hooked into login, but KillBox got it on bootup before it 
> could install its memory resident program.
> 
> SysInternals has some great tools for Watching processes, 
> Controlling startups, etc.
> http://www.sysinternals.com/SystemInformationUtilities.html
> 
> Greg Little
> 
> PS Does this pest have a name?
> 
> ---
> [This E-mail scanned for viruses by Findlay Internet]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] OT: Online file check?

[Colbeck, Andrew]

Oooh, the thread injection by the dll would make it hard to kill; you'd
have to use a tool like Process Spy that shows you dll files as well as
the executables.

That tool you downloaded probably didn't do the full job, though.  It's
the Kill2Me tool by Merjin, author of HijackThis, and it's more than a
year out of date.

For most spyware (as opposed to malware) you're better off running their
Add/Remove Control Panel applet or going to their website for a removal
tool.  And *then* get out the medieval tools to strip the surviving
stuff out.  

Here's the Look2Me removal tool:

http://www.look2me.com/cgi-bin/UnInstaller
http://www.ad-w-a-r-e.com/cgi-bin/UnInstaller

If you're going to do ad and spyware blocking via DNS, you'll definitely
want to check out this project from the Snort guys at:

http://www.bleedingsnort.com/blackhole-dns/

Which references the MVPS site as one source for a hosts. file, and also
references the excellent Peter Lowe site at http://pgl.yoyo.org

Also check out http://www.bluetack.co.uk/ which has excellent converter
utilities and yet another hosts. file compilation.  If you're running a
web proxy server for your users, you might consider installing their
ProtoWall software instead, or the similar software Peer Guardian 2 from
http://methlabs.org/

Take care with adblocking though, as some of these lists get carried
away.  For example, I've seen that using a hosts. file entry like:

127.0.0.1   media.fastclick.net

Causes a login popup box when IE tries to display one of those pages.

Good luck, and let us know what you decide to do in your Enterprise!

Andrew 8)



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of William 
> Stillwell
> Sent: Tuesday, July 26, 2005 6:03 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] OT: Online file check?
> 
> hehe.. killbox = no good, nothing would drop the running dll, 
> i couldn't copy it, delete it, rename it, or kill the registry entry.
> 
> here is a nice add in for people:
> 
> http://mvps.org/winhelp2002/hosts.htm
> 
> I am thinking of parsing the file and putting it into our dns 
> servers to prevent all the corporate computers for accessing 
> any of those sites.
> 
> here is the tool i downloaded to remove the thing..
> http://www.atribune.org/downloads/l2mfix.exe
> 
> here is the virustotal response from this morning (its up 
> from yesterdays 3)
> 
> Its pretty much being deteced as "W32/Look2Me.ag.6" or 
> "VeryLince" the VeryLince google search pointed me to a 
> geekstogo forum where someone else had it running.
> 
> here is the URL to the geekstogo thread
> http://www.geekstogo.com/forum/VeryLince_Help_-t44719.html
> 
> you can look at the l2mfix find log and see what it actually 
> hooked itself into.
> 
>   THis was officially the WORST malware/spyware i have 
> seen, it totally took over the machine. and downloaded just 
> about everything on the net and installed it on the users machine.
> 
> I would technically call this "Computer" Trespassing.. Maybe 
> I need to put a "No Trespassing" Sign on this computer :=]
> 
> 
> 
> 
> - Original Message -
> From: "Greg Little" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, July 25, 2005 5:07 PM
> Subject: Re: [Declude.Virus] OT: Online file check?
> 
> 
> > Keep it off the network as much as possible.
> > Also a software firewall (like Zone Alarm) will help 
> control the "phone 
> > home for updates".
> >
> > Another tool I used for those "really hard to remove 
> stains", is KillBox. 
> > You can give it a list of files to be deleted at the start 
> of the next 
> > boot.
> >
> > I've had one that was still locked in memory (and 
> recreating itself to new 
> > file names and restoring reg keys) in safe mode with 
> explorer exited.
> > (You have to start a Dos Window before killing the Explorer 
> process. Then 
> > "explorer" to start it again.)
> > It hooked into login, but KillBox got it on bootup before 
> it could install 
> > its memory resident program.
> >
> > SysInternals has some great tools for Watching processes, 
> Controlling 
> > startups, etc.
> > http://www.sysinternals.com/SystemInformationUtilities.html
> >
> > Greg Little
> >
> > PS Does this pest have a name?
> >
> > ---
> > [This E-mail scanned for viruses by Findlay Internet]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".The archives can be found
> > at http://www.mail-archive.com.
> > ---
> > This email has been scanned for possible viruses by Declude 
> Antivirus.
> > For more information on Declude Antivirus, Visit www.declude.com
> >
> > 
> 
> ---
> This email has been scanned for possible viruses by Declude Antivirus.
> For more information on Declude Antivirus, Visit www.declude.com
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL 

[Declude.Virus] Expect new Bagle variants

[Colbeck, Andrew]

>From the Kaspersky Lab blog at http://www.viruslist.com/en/weblog

Bagle's author back at work

Yury  August 11, 2005 | 17:02  MSK  

It looks as though the Bagle author is back from his vacation. Today
we've detected several new variants (actually old variants which have
been repacked) and they are still coming in.

New malware has been placed on the sites listed in the worms' bodies, so
it maybe that we will see some of these Bagles updating themselves
automatically. We'll keep you posted.



Andrew 8)



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

[Colbeck, Andrew]

David, with your version of Declude Virus, you'd have to turn off all 10
of the CR vulnerability checks at one go.  I'm at the same or similar
version, and that's what I've decided to do.  This directive goes in
your virus.cfg:

BANCRVIRUSESOFF

Andrew 8) 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
> Sent: Thursday, August 11, 2005 10:11 PM
> To: Matt
> Subject: Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability 
> from Thunderbird ???
> 
> Thursday, August 11, 2005, 8:50:32 PM, Matt wrote:
> 
> > With 2.0.6.16, which is available from the Declude site, 
> you can turn 
> > off the Outlook CR Vulnerability.  I have turned off all 
> but a couple 
> > of these because of numerous false positive issues.
> 
> Unfortunately, I'm still at 1.82 due to budget limitations 
> ... our new budget kicks in December, and I'm still debating 
> if I should upgrade Imail and Declude or switch to Smartmail 
> and Declude  (definitely will be staying with Declude 
> virus/spam) ... I thought there was a way to turn off the 
> testing with 1.82 too, but couldn't find it in the control file ??
> 
> > there was ever an exploit spreading actively in the wild, I would 
> > rethink my position.  I believe that Microsoft has long 
> since patched 
> > the flaw, though it can certainly cause parsing issues in virus 
> > scanners that could lead to missing the payloads due to a 
> message that 
> > was improperly formatted.
> 
> My experience is similar, but 99% of the stuff caught has 
> been spam anyway, so I haven't worried about it ... when I 
> realized today it had caught a legitimate email, I was worried.
> 
> Anyone know if there is a way to turn this off in 1.82??
> 
> -
> Internet Dental Forum  www.internetdentalforum.net
> Dentalcast Podcast www.dentalcast.net
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Expect new Bagle variants

[Colbeck, Andrew]

I hadn't until last night, Markus.  But now I've got 35 copies from
different sources, all flagged by F-Prot as suspicious files.  F-Prot
detects the executable inside a zip file as a Mitglieder variant, and
submitting it to http://www.VirusTotal.com shows that all the big name
vendors there are detecting it as either a Bagle variant or Mitglieder.

Notably absent is Trend Micro, which I tested on my desktop.  Nope,
TrendMicro doesn't detect it at all. [pause] Actually I'm seeing
multiple versions, at least two of which TrendMicro doesn't catch, but
F-Prot caught all of them as 'suspicious'.

Also, it's pretty clear that the text of the message is a template, and
that template was used to send the nuisance message I reported in the
Sniffer forum a week ago.

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Thursday, August 11, 2005 11:49 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Expect new Bagle variants
> 
> > It looks as though the Bagle author is back from his 
> vacation. Today 
> > we've detected several new variants (actually old variants 
> which have 
> > been repacked) and they are still coming in.
> 
> 
> I can see some "unknown virus" detections in the last 24 hours.  
> 
> Markus
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Adobe Acrobat - Buffer Overflow warning

[Colbeck, Andrew]

See:
 
http://www.adobe.com/support/techdocs/321644.html
 
For a fresh writeup on a buffer overflow affecting one 
of the plugins.  We'll have to wait and see if any antivirus vendors come 
up with a signature for an exploit of this vulnerability.  If so, it would 
no longer be prudent to have this in your virus.cfg :
 
SKIPEXT  PDF
 
Note that this may never turn into an in-the-wild 
exploit, just as the only previous vulnerability for embedding a virus in a PDF 
was never in the wild.
 
Andrew 8)
 

RE: [Declude.Virus] IP list of reported virus infections

[Colbeck, Andrew]

Hmmm. I don't specifically remember that, John.  But this is a handy
place to check:

http://www.dshield.org/warning_explanation.php

DShield is fed by volunteers who run whatever firewall or IDS they like
and submit the logs to DShield.  It's an offshoot of the SANS Internet
Storm Center.

A site of similar vintage is free for personal use, but I don't know if
you have the ability to query for an arbitrary IP:

http://www.mynetwatchman.com/

Meanwhile, Norton/Symantec have a similar site at but I'm pretty sure
that you have to sign up to query their database.  It's free to use but
is subscription based for full support on alerts and fancy reports:

http://analyzer.securityfocus.com/


McAfee runs a similar site but it's informational only:

http://www.hackerwatch.org/


Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of John 
> Tolmachoff (Lists)
> Sent: Tuesday, August 16, 2005 6:20 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] IP list of reported virus infections
> 
> About a year ago, Scott quietly introduced a web page were we 
> could go to enter the IP of say our server to check to see if 
> any viruses had been reported coming from that IP.
> 
> Does any one know is that site still available and is so what 
> is the URL for it?
> 
> John T
> eServices For You
> 
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Sudden Internet Slowdown

[Colbeck, Andrew]

According to this:

http://loadrunner.uits.iu.edu/weathermaps/abilene/

Most of the major links on the Internet are very busy.  Interestingly,
the Houston-Atlanta link is back up, and was hard down due to Katrina
for a week.

Andrew 8)

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
> Sent: Friday, September 09, 2005 8:30 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Sudden Internet Slowdown
> 
> Hello all!
> 
> This may be off topic, but has anyone else experienced a 
> sudden Internet
> slowdown this morning starting about 11:00 EST?   We have 
> locations across
> the country and are experiencing problems in about half our 
> locations, most using SBC DSL for Internet service.  Our 
> primary Telnet app is DOA in these locations and e-mail and 
> web surfing is slow everywhere.
> 
> Thanks,
> 
> Rodney Bertsch
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Sudden Internet Slowdown

[Colbeck, Andrew]

No problem, Darin.

We'll have Newfoundland reboot it.  They're half an hour off of
everybody else.

Andrew 8)
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Friday, September 09, 2005 10:55 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Sudden Internet Slowdown
> 
> You mean 4AM ET... We do have some sickos over here that get 
> up to go to work then perhaps we could just send them 
> over to you to solve this whole problem.  If not, perhaps we 
> could just insert an hour between 1am PT/4am ET and 1:00:01am 
> PT/4:00:01am ET.  That would fix it.
> 
> Darin.
> 
> 
> - Original Message -
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, September 09, 2005 1:42 PM
> Subject: RE: [Declude.Virus] Sudden Internet Slowdown
> 
> 
> Nope, we here on the West coast protested loudly. We clearly 
> stated it could
> not be done before 1 AM. However, 1 AM here is 5 AM in the 
> Atlantic time
> zone, and those people stated it must be done before 5 AM. 
> Therefore the
> normal reboot of the Internet has been on hold for a long 
> time until this
> dispute can be resolved.
> 
> John T
> eServices For You
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> > On Behalf Of Darin Cox
> > Sent: Friday, September 09, 2005 10:33 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Sudden Internet Slowdown
> >
> > I thought it was rebooted every night around 3 am ET...
> >
> > Darin.
> >
> >
> > - Original Message -
> > From: "Scott Fisher" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Friday, September 09, 2005 12:01 PM
> > Subject: Re: [Declude.Virus] Sudden Internet Slowdown
> >
> >
> > You can't do an internet reboot on a Friday. You need to 
> wait until the
> > weekend.
> >
> > - Original Message -
> > From: "Matt" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Friday, September 09, 2005 10:48 AM
> > Subject: Re: [Declude.Virus] Sudden Internet Slowdown
> >
> >
> > > Maybe someone should reboot the Internet.
> > >
> > > Matt
> > >
> > >
> > >
> > > Keith Johnson wrote:
> > >
> > >>I am seeing this as we attempting to get to certain 
> websites and they
> > >>can't be displayed.
> > >>
> > >>Keith
> > >>
> > >>-Original Message-
> > >>From: [EMAIL PROTECTED]
> > >>[mailto:[EMAIL PROTECTED] On Behalf Of 
> Rodney Bertsch
> > >>Sent: Friday, September 09, 2005 11:30 AM
> > >>To: Declude.Virus@declude.com
> > >>Subject: [Declude.Virus] Sudden Internet Slowdown
> > >>
> > >>Hello all!
> > >>
> > >>This may be off topic, but has anyone else experienced a 
> sudden Internet
> > >>slowdown this morning starting about 11:00 EST?   We have 
> locations
> > >>across
> > >>the country and are experiencing problems in about half 
> our locations,
> > >>most
> > >>using SBC DSL for Internet service.  Our primary Telnet 
> app is DOA in
> > >>these
> > >>locations and e-mail and web surfing is slow everywhere.
> > >>
> > >>Thanks,
> > >>
> > >>Rodney Bertsch
> > >>
> > >>---
> > >>This E-mail came from the Declude.Virus mailing list.  To
> > >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > >>type "unsubscribe Declude.Virus".The archives can be found
> > >>at http://www.mail-archive.com.
> > >>---
> > >>This E-mail came from the Declude.Virus mailing list.  To
> > >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > >>type "unsubscribe Declude.Virus".The archives can be found
> > >>at http://www.mail-archive.com.
> > >>
> > >>
> > >>
> > > ---
> > > This E-mail came from the Declude.Virus mailing list.  To
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > type "unsubscribe Declude.Virus".The archives can be found
> > > at http://www.mail-archive.com.
> > >
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".The archives can be found
> > at http://www.mail-archive.com.
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".The archives can be found
> > at http://www.mail-archive.com.
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-ar

RE: [Declude.Virus] Sudden Internet Slowdown

[Colbeck, Andrew]

Them: When can we have it?

Me: Tomorrow.

Them: No, if we wanted it tomorrow, we'd ask for it tomorrow!


Andrew 8)

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of John 
> Tolmachoff (Lists)
> Sent: Friday, September 09, 2005 12:39 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Sudden Internet Slowdown
> 
> NO NO NO NO
> 
> Then all of our clients will be asking us how come we have 
> not done the work yesterday that they asked us to do tomorrow.
> 
> John T
> eServices For You
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> > On Behalf Of Darin Cox
> > Sent: Friday, September 09, 2005 11:39 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Sudden Internet Slowdown
> > 
> > Hmmm... that gets me thinking... maybe all offices should 
> be located 
> > straddling the international date line.  Then if someone wants 
> > something done on a particular day, and you missed it, you 
> could just 
> > walk over to
> the
> > other side of the building, finish it, and tell them it's done.
> > 
> > Darin.
> > 
> > 
> > - Original Message -
> > From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Friday, September 09, 2005 2:07 PM
> > Subject: RE: [Declude.Virus] Sudden Internet Slowdown
> > 
> > 
> > No problem, Darin.
> > 
> > We'll have Newfoundland reboot it.  They're half an hour off of 
> > everybody else.
> > 
> > Andrew 8)
> > 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > Sent: Friday, September 09, 2005 10:55 AM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown
> > >
> > > You mean 4AM ET... We do have some sickos over here that 
> get up to 
> > > go to work then perhaps we could just send them over 
> to you to 
> > > solve this whole problem.  If not, perhaps we could just 
> insert an 
> > > hour between 1am PT/4am ET and 1:00:01am PT/4:00:01am ET.  That 
> > > would fix it.
> > >
> > > Darin.
> > >
> > >
> > > - Original Message -
> > > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> > > To: 
> > > Sent: Friday, September 09, 2005 1:42 PM
> > > Subject: RE: [Declude.Virus] Sudden Internet Slowdown
> > >
> > >
> > > Nope, we here on the West coast protested loudly. We 
> clearly stated 
> > > it could not be done before 1 AM. However, 1 AM here is 5 
> AM in the 
> > > Atlantic time zone, and those people stated it must be 
> done before 5 
> > > AM.
> > > Therefore the
> > > normal reboot of the Internet has been on hold for a long 
> time until 
> > > this dispute can be resolved.
> > >
> > > John T
> > > eServices For You
> > >
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]
> > > > On Behalf Of Darin Cox
> > > > Sent: Friday, September 09, 2005 10:33 AM
> > > > To: Declude.Virus@declude.com
> > > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown
> > > >
> > > > I thought it was rebooted every night around 3 am ET...
> > > >
> > > > Darin.
> > > >
> > > >
> > > > - Original Message -
> > > > From: "Scott Fisher" <[EMAIL PROTECTED]>
> > > > To: 
> > > > Sent: Friday, September 09, 2005 12:01 PM
> > > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown
> > > >
> > > >
> > > > You can't do an internet reboot on a Friday. You need to
> > > wait until the
> > > > weekend.
> > > >
> > > > - Original Message -
> > > > From: "Matt" <[EMAIL PROTECTED]>
> > > > To: 
> > > > Sent: Friday, September 09, 2005 10:48 AM
> > > > Subject: Re: [Declude.Virus] Sudden Internet Slowdown
> > > >
> > > >
> > > > > Maybe someone should reboot the Internet.
> > > > >
> > > > > Matt
> > > > >
> > > > >
> > > > >
> > > > 

RE: [Declude.Virus] McAfee DailyDAT download location change.

[Colbeck, Andrew]

Mr. Obvious says:
 
You would have to change the URL plus the name of the file 
you're unzipping!
 
So that I didn't have to change my script much, I changed 
my wget line to:
 
wget http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 
-O dailyscan.zip
 
The -O parameter tells wget to save the requested file with 
that particular filename.
 
I think that NAI/McAfee changed the path as part of the web 
interface change to funnel people through their EULA.  When I follow it 
through, the web interface takes you to a filenames that now have a dynamic 
instead of static name.
 
If they change the URL again, we may need a smarter script 
that can scrape out the correct name from the webpage.  Hopefully, they'll 
bring the static name back, perhaps parallel to the Stinger 
download.
 
Andrew 8)
 
p.s. I only use McAfee as a backup, standalone 
scanner.  Not part of my Declude at all.
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  MattSent: Monday, September 12, 2005 12:58 PMTo: 
  Declude.Virus@declude.comSubject: Re: [Declude.Virus] McAfee 
  DailyDAT download location change.
  I changed the subject so that people can be alerted to this.  
  Announcements of things like this would be useful to the entire Declude 
  customer base.  I am afraid that we are a little over a month 
  behind.  Those with a single scanner would be screwed.I adjusted 
  my scripts to use the link that you provided and it does in fact work just 
  great...so far :)Thanks,MattScott Fisher 
  wrote: 
  



Great catch Matt.
Mine's gone too since August 2
Thank you Declude for multiple virus scanner 
option.
 
Try:
http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip
 
From:
http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=st&q=dailydat&rnum=1&hl=en#61f1bcbcc4e71848
 
 

  - 
  Original Message - 
  From: 
  Matt 
  
  To: 
  Declude.Virus@declude.com 
  
  Sent: 
  Monday, September 12, 2005 2:26 PM
  Subject: 
  Re: [Declude.Virus] Seemingly bad virus this morning
  This is a new Bagel variant:    http://vil.nai.com/vil/content/v_129588.htmI 
  was wrong about what was detecting it first...it was F-Prot.  I just 
  figured out that my McAfee update script is no longer working.  Does 
  anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.Thanks,MattJohn 
  Tolmachoff (Lists) wrote: 
  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without
the
  
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



  What is the payload inside the zip?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15
a.m.
  

  
this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERSENDNOTCONTAINSboundary="
BODYENDNOTCONTAINSattachment; filename="
BODYENDNOTCONTAINS.zip" Content-Transfer-Encoding
BODY15CONTAINS price

Matt
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)


  -

RE: [Declude.Virus] Seemingly bad virus this morning

[Colbeck, Andrew]

Hmm, yes.
 
Something along the lines of:
 
wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
 
and then parsing out the line:
 
FileName=dat-4579.zip
 
or
 
DATVersion=4579
 
in order to construct the filename... but it seems like 
re-inventing the wheel.  The readme.txt talks about a SuperDAT 
downloading mechanism, which sounds exactly like the F-Prot GUI 
downloader.
 
 
Andrew 8)
 
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Nick 
  HayerSent: Monday, September 12, 2005 1:35 PMTo: 
  Declude.Virus@declude.comSubject: Re: [Declude.Virus] Seemingly bad 
  virus this morning
  Hi Matt - Matt wrote: 
  I was 
wrong about what was detecting it first...it was F-Prot.  I just 
figured out that my McAfee update script is no longer working.  Does 
anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.This 
  link works -ftp.nai.com /pub/antivirus/datfiles/4.x-Nick
  Thanks,MattJohn Tolmachoff (Lists) 
wrote: 
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
  -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
  On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without
the
  
  quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



What is the payload inside the zip?

John T
eServices For You


  
  -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
  On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15
a.m.
  
  

  this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERSENDNOTCONTAINSboundary="
BODYENDNOTCONTAINSattachment; filename="
BODYENDNOTCONTAINS.zip" Content-Transfer-Encoding
BODY15CONTAINS price

Matt
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)


  ---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


  

RE: [Declude.Virus] Seemingly bad virus this morning

[Colbeck, Andrew]

Scott, in various older versions of wget, the -N 
parameter as well as the --header=Accept-Encoding:gzip parameter plain 
old didn't work.  Pick up the current version here:
 
http://xoomer.virgilio.it/hherold/#Files
 
and it should be fine.
 
Andrew 8)
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Scott 
  FisherSent: Monday, September 12, 2005 2:28 PMTo: 
  Declude.Virus@declude.comSubject: Re: [Declude.Virus] Seemingly bad 
  virus this morning
  
  -Matt,
   
  Does the wget -N command work for you with 
  Mcafee.
  I also use the -N and get the full download every 
  time.
  
- Original Message - 
From: 
Matt 

To: Declude.Virus@declude.com 
Sent: Monday, September 12, 2005 4:13 
PM
Subject: Re: [Declude.Virus] Seemingly 
bad virus this morning
Nice script, but the executables don't change regularly, and 
many of us are using the command line version of McAfee that requires an 
unvalidated download.  This also doesn't get the beta DAT's.I 
use a script that calls both wget and WinZip's free command line add-on 
(requires a registered WinZip).  It is easy enough to replace that with 
any other command line unzipping tool.  Personally I find WinZip to be 
perfectly reliable so I'm sticking with it.
C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 
  -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 
  2>&1 | find "100%%"IF ERRORLEVEL 1 GOTO 
  ENDC:\Progra~1\WinZip\wzunzip -ybc 
  C:\Progra~1\McAfee\update\win_netware_betadat.zip 
  C:\Progra~1\McAfee\ :ENDENDLOCALMattMarkus 
Gufler wrote: 

  
  attached you can find a script (I'm not the creator 
  of this script but can't remember who's the genius) that will download the 
  superdats and also the dailydat-files, extract all necessary virus 
  definitiions and also engine updates, write any action to a logfile and 
  keep the downloaded superdats so that you can't revert manualy if it would 
  be necessary.
   
  You need some command line tools like unzip and wget 
  and adapt the path information in the script for your 
  needs.
   
  This script works on my server now for years and I 
  hope it will do so also if now a lot of people will run it on their 
  servers.
   
  Markus
   
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Colbeck, AndrewSent: Monday, September 
12, 2005 10:49 PMTo: Declude.Virus@declude.comSubject: 
RE: [Declude.Virus] Seemingly bad virus this 
morning
Hmm, yes.
 
Something along the lines of:
 
wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
 
and then parsing out the line:
 
FileName=dat-4579.zip
 
or
 
DATVersion=4579
 
in order to construct the filename... but it seems 
like re-inventing the wheel.  The readme.txt talks about a 
SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI 
downloader.
 
 
Andrew 8)
 
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Nick HayerSent: Monday, September 12, 
  2005 1:35 PMTo: Declude.Virus@declude.comSubject: 
  Re: [Declude.Virus] Seemingly bad virus this 
  morningHi Matt - Matt wrote: 
  I 
was wrong about what was detecting it first...it was F-Prot.  I 
just figured out that my McAfee update script is no longer 
working.  Does anyone have a newer link to the daily DAT's than 
http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.This 
  link works -ftp.nai.com /pub/antivirus/datfiles/4.x-Nick
  Thanks,MattJohn Tolmachoff 
(Lists) wrote: 
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
  -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
  On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without
the
  
  quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



What is the payload inside the zip?

John T
e

RE: [Declude.Virus] Seemingly bad virus this morning

[Colbeck, Andrew]

 which is all well and good, but...
 
It worked fine for the update.ini, but not for the .zip 
file.  The current stable version of wget does in 
download a full file every time.
 
Andrew 8)
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
  AndrewSent: Monday, September 12, 2005 2:47 PMTo: 
  Declude.Virus@declude.comSubject: RE: [Declude.Virus] Seemingly bad 
  virus this morning
  
  Scott, in various older versions of wget, the -N 
  parameter as well as the --header=Accept-Encoding:gzip 
  parameter plain old didn't work.  Pick up the current version 
  here:
   
  http://xoomer.virgilio.it/hherold/#Files
   
  and it should be fine.
   
  Andrew 8)
   
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Scott 
FisherSent: Monday, September 12, 2005 2:28 PMTo: 
Declude.Virus@declude.comSubject: Re: [Declude.Virus] Seemingly 
bad virus this morning

-Matt,
 
Does the wget -N command work for you with 
Mcafee.
I also use the -N and get the full download 
every time.

  - Original Message - 
  From: 
  Matt 
  
  To: Declude.Virus@declude.com 
  
  Sent: Monday, September 12, 2005 4:13 
  PM
  Subject: Re: [Declude.Virus] 
  Seemingly bad virus this morning
  Nice script, but the executables don't change regularly, 
  and many of us are using the command line version of McAfee that requires 
  an unvalidated download.  This also doesn't get the beta 
  DAT's.I use a script that calls both wget and WinZip's free 
  command line add-on (requires a registered WinZip).  It is easy 
  enough to replace that with any other command line unzipping tool.  
  Personally I find WinZip to be perfectly reliable so I'm sticking with 
  it.
  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 
-N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 
2>&1 | find "100%%"IF ERRORLEVEL 1 GOTO 
ENDC:\Progra~1\WinZip\wzunzip -ybc 
C:\Progra~1\McAfee\update\win_netware_betadat.zip 
C:\Progra~1\McAfee\ :ENDENDLOCALMattMarkus 
  Gufler wrote: 
  

attached you can find a script (I'm not the creator 
of this script but can't remember who's the genius) that will download 
the superdats and also the dailydat-files, extract all necessary virus 
definitiions and also engine updates, write any action to a logfile and 
keep the downloaded superdats so that you can't revert manualy if it 
would be necessary.
 
You need some command line tools like unzip and 
wget and adapt the path information in the script for your 
needs.
 
This script works on my server now for years and I 
hope it will do so also if now a lot of people will run it on their 
servers.
 
Markus
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Colbeck, AndrewSent: Monday, September 
  12, 2005 10:49 PMTo: Declude.Virus@declude.comSubject: 
  RE: [Declude.Virus] Seemingly bad virus this 
  morning
  Hmm, yes.
   
  Something along the lines 
  of:
   
  wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
   
  and then parsing out the 
  line:
   
  FileName=dat-4579.zip
   
  or
   
  DATVersion=4579
   
  in order to construct the filename... 
  but it seems like re-inventing the wheel.  The readme.txt talks 
  about a SuperDAT downloading mechanism, which sounds exactly like 
  the F-Prot GUI downloader.
   
   
  Andrew 8)
   
   
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Nick HayerSent: Monday, September 12, 
2005 1:35 PMTo: Declude.Virus@declude.comSubject: 
Re: [Declude.Virus] Seemingly bad virus this 
morningHi Matt - Matt wrote: 
I was wrong about what was detecting it first...it 
  was F-Prot.  I just figured out that my McAfee update script 
  is no longer working.  Does anyone have a newer link to the 
  daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.This 
link works -ftp.nai.com /pub/antivirus/datfiles/4.x-Nick
Thanks,MattJohn Tolmachoff 
  (Lists) wrote: 
  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eService