08/22/2003 09:01:15 Q221e106 Could not find parse string Found in
report.txt
08/22/2003 08:58:07 Q211910e WARNING: Couldn't remove .vir directory
d:\IMail\spool\D211910e.vir\: EXTRA FILES THERE.
08/22/2003 08:58:07 Q211910e Likely problem: Your virus scanner is
leaving extra files/directories
08/22/2003 09:01:15 Q221e106 Could not find parse string Found in
report.txt
This will happen if the virus scanner detects a virus, but the report.txt
file that it creates does not include the virus name where Declude Virus
expects it (more specifically, in this case, the word Found was not in
Is there a way to make Declude email postmaster at the originating IP
address reverse DNS domain and not the domain in the FROM field which is
usually spoofed?
-- Dan
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the
Is there a way to make Declude email postmaster at the originating IP
address reverse DNS domain and not the domain in the FROM field which is
usually spoofed?
No. The SKIPIFVIRUSNAMEHAS option is used for cases like this.
We have considered using reverse DNS, IPWHOIS, [EMAIL PROTECTED], etc.,
In my virus_cfg.txt file, I have:
FORGINGVIRUS Klez
To add the Sobig virus, do I add another line? Like this?
FORGINGVIRUS Klez
FORGINGVIRUS Sobig
[EMAIL PROTECTED]
Yep..Exactly...you got it.
Have a great day.
-Original Message-
From: Paul Fuhrmeister [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Using FORGINGVIRUS with more than one virus
In my virus_cfg.txt file, I have:
In my virus_cfg.txt file, I have:
FORGINGVIRUS Klez
To add the Sobig virus, do I add another line? Like this?
FORGINGVIRUS Klez
FORGINGVIRUS Sobig
That is correct. You may want to take a look at the default files at
http://www.declude.com/virus/manual.htm to see what other viruses
And the reason being is that many if not most mail servers are not configured
to accept messages to the IP address. Also, in the case of Sobig, that would
not work anyway, as the IP address is of the workstation infected, which
could be anywhere.
John Tolmachoff MCSE CSSA
Engineer/Consultant
Hello R.,
Thursday, August 21, 2003, 2:59:18 PM, you wrote:
I did that with eicar and the On-Demand Scanner picked it up. However, when
I did it with Sobig.F, there was no attachment. Then I noticed that it was a
bounced message from another server (not using SKIPIFVIRUSNAMEHAS). I'm now
Not only that - but what's this web address that will be updated.
If it's an IP - then it should be easy to contact the upstream provider.
If it's a FQDN - then it should be easy for the registrar to lock this
particular domain against updates
I don't see why this is supposedly so difficult to
The Pentagon would never buy Declude. It's not pricey enough, it's too
straightforward and easy to use, you don't have to hire a consultant to
study it for several million dollars, and its name is not Pentagon proper.
Perhaps Scott can rename it to Declude Electronic Communication Attack
According to this NBC news report, it will occur every Friday and Sunday.
http://www.nbc4.tv/technology/2426381/detail.html?treets=latml=la_natlbreak
ts=Ttmi=la_natlbreak_15913_01270008222003
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
See http://isc.sans.org/diary.html?date=2003-08-22
Sobig Update Cycle
SoBig-F, the most recent incarnation in the family of Sobig mass mailing
viruses, will be entering its update cycle today at 19:00 UTC. Between 19:00
and 22:00 UTC, the virus will attempt to contact a predefined set of hosts
Exactly, if the servers are known, why don't the upstream providers be pro-active
and block those IPs from being accessed?
-- Original Message --
From: Andy Schmidt [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Aug 2003 14:20:53 -0400
http://www.washingtonpost.com/wp-dyn/articles/A32161-2003Aug22.html
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe
Thanks for the heads-up, Kris. We have applied filter rules to all of our
Internet routers to block all outbound IP access to the IP addresses listed
below and to block all outbound UDP access to port 8998.
Bill
- Original Message -
From: Kris Rickerson [EMAIL PROTECTED]
To: [EMAIL
It makes me really wonder how many stupid people are not able to patch
their own system (or at least Outlook).
Exactly!
They can't do more (except write a worm that automatically installs all
available patches from MS).
What they (M$) really need to do, is make Windows Update integrated into
What they (M$) really need to do, is make Windows Update
integrated into Windows, the problem is they tell you Stay
current with updates in a little box above the taskbar when
There are huge debates about this. It's amazing that people are against
this.
Look at the newsgroups, etc...
If it was easy, and if every computer user was computer literate and
responsible, we wouldn't have jobs...
Andy
- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 3:17 PM
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment
Anyone seeing or hearing of any happenings on this?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Anyone seeing or hearing of any happenings on this?
F-Secure has reported that 1 of the 20 servers appears to be up, but it is
so overwhelmed that viruses aren't getting anything from it. But that does
mean that some could be getting through.
All we've seen is what seems to be a precautionary
What is sick is their scanner loaded on Dell computers is NOT picking up
Sobig.F either.
I just ran a complete scan on a client computer with the installed McAfee,
and it came back clean. This was using their online scanner as installed on
computers. Sick.
I wonder how many home users out there