q9e3d01cb331c.smd Virus scanner 2 reports exit
code of 0
05/09/2006 09:50:58.616 q9e3d01cb331c.smd Virus scanner 3 reports exit
code of 0
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Tuesday, 09 May 2006 9:41 AM
To: Declude.Virus
Temporarily go to LOGLEVEL DEBUG and use the test virus sender. It should
show AVG working. MID and HIGH levels didn't show which scanner caught
EICAR, but DEBUG did.
John C
05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Virus detected. Not
continuing with any remaining scanners.
05/09/2006
place online is for 4.0.8.
Kevin Bilbee
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Wednesday, May 03, 2006 1:17 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Built in virus detector
Just noticed
Sorry for the last incomplete message. Hit Send accidentally.
Just joined the Releases list. Has the 4.2.3 notice gone out yet? Will
include some background on the operation of the built-in scanner how and how
often it updates, etc.?
Thanks,
John C
-Original Message-
From: John Carter
Just noticed yesterday's 4.2.3 release notes:
EVA ADD BUILTINSCANNEROFF
Located in Virus.cfg. Will disable the internal AVG scanner.
EVA ADD Integrated AVG Scanner into Decludeproc no configuration required.
Can someone supply info on this? I must have missed the discussion, if
Imail 8.22
Declude 4.0.9
Is anyone else having the problem of having forged virus notices sent even though you are
using SKIPIFFORGING. I went back in the archives and found this from late
2004, so Scott was probably talking about 1.8x or early 2.x version. Did
SKIPIFFORGING go away?
John
Is it possible to have two different bannotify messages (as in bannotify.eml
and bannotify2.eml)? As postmaster I need to get notices on all held banned
messages. But I want the second EML to use ONLYSENDIFRECIP and send the
notice to select recipients.
If yes, this leads to the second
There is a free version of Windows based Baregrep at
http://www.baremetalsoft.com/baregrep/. Runs through the logs pretty fast.
John C
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Wednesday, February 01, 2006 9:24 AM
To: Markus
Have you tried the virus log analyzer at http://www.csonline.net/imailstuff/viruslog.htm
(found on Declude's Tools page.)
John C
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Imail
Sent: Friday, January 27, 2006 2:56 PM
To: Declude.Virus@declude.com
Subject: RE:
3.0.5.22. Yes, you will need to run the regular 3.x install.
John C
-- Original Message --
From: Grant Griffith [EMAIL PROTECTED]
Reply-To: Declude.Virus@declude.com
Date: Thu, 22 Dec 2005 05:02:25 -0500
Hello All,
We just upgraded to Imail 8.22
a
disk crash a month or so back.
Sorry for the waste of bandwidth on this -- I asked for help before
thoroughly researching things here.
John C
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Monday, December 05, 2005 2:19 PM
Imail 8.21
Declude Pro 3.0.5.21
Is anyone else still having problems with not getting notices? Someone
mentioned a patched version that fixed this, but was pre-.21. I would have
assumed that those patches would have been in .21. I have all removed except
the BANnotify.eml (see below). This one
using SmarterMail, I'm waiting for version 3.0.5.22.
Gary Steiner
Original Message
From: John Carter [EMAIL PROTECTED]
Sent: Monday, December 05, 2005 3:22 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Notifications
Imail 8.21
Declude Pro 3.0.5.21
Is anyone
SmarterMail
http://www.declude.com/version/Upgrade/SM/Decludeproc30522.exe
David B
www.declude.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Monday, December 05, 2005 3:19 PM
To: Declude.Virus@declude.com
Subject
Windows 2003, 1 GB RAM, 3.2 GHz, P4
3 drives -
C - o/s, Imail
D - spool
E - users, lists etc
used only for mail, no other applications
Imail 8.21, 9,500 +- accounts
Just renewed SA to beat the price
Declude 3.0.5.20
Virus Pro - F-prot, ClamAV
Junkmail Pro - About 35 tests/filters total,
Gary:
I got to looking and I don't see notices going out (with 3.0.5.20). Testing
by sending EICAR to myself, I found if I removed the SKIPIFFORGING line in
the recip.eml, the notice would go out -- but wouldn't if it was in place.
I don't think EICAR, being a test virus, is considered a forging
I submit this one for the laugh factor only. Just got one of these
claiming to be from [EMAIL PROTECTED] (Center for Disease Control) with a
download manager to view Paris Hilton/Nicole Richie videos! Finally the
federal government has got something right -- anything to do with Hilton
Richie
Second the motion on ClamAV. Being free and very good against phishing, I
would definitely consider it. It can be a bit of a memory hog (just a
spike), there is a persistent mode that helps that.
John C
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
This raises a question(s): Has anyone done any real testing of which AVs
(in relation to Declude) perform the best, use the least resources, what is
the best scanning order, and how many to use (how many is too many and what
is the point of diminishing returns)? I realize something like this
Thanks for info and link. I was searching the
archives with little success.
John
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Matt
Sent: Friday, November 04, 2005 9:09 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Second scanner
I suppose that I might be
We are currently getting hit with a blast of emails with ZIP attachments.
They are showing clean, at least with F-Prot and ClamAV under Declude, plus
a manual scan by Trend Micro. They fake our user as sender.
Attachments are among others: info_price.zip, text_sms.zip, max.zip,
Actually didn't get John T's post. As to the payload, think someone else
has posted on that. Sorry, just not brave (?) enough to open them (the
zips). I just hold, review, and delete.
John C
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of System
David:
I just went from 3.0.5.6 to 3.0.5.10 (and I see now .11 is out and that it
is considered a full release.) Will we be informed when we need to do more
than the decludeproc replacement steps? Like maybe when a whole re-install
is needed?
Thanks,
John C
-Original Message-
From:
I have some particular users for whom I want to virus scan their messages
but would like to by-pass the holding on banned extension under normal
circumstances. Is there anything in the current release or the beta that
would allow this?
If not, my suggestion would be
BYPASSBAN Sender
Sorry, I am just getting my head back into Declude/Imail/etc from Katrina.
Is 3.0+ ok for single processor systems?
John
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Wednesday, September 14, 2005 3:38 PM
To:
This is directed to Stephen Slater (csonline.net), author of
VirusLogAnalyzer 3.0 beta.
Stephen:
A change in logging format for Declude Virus (EVA) apparently has broken the
program. (Getting a division by zero error.) Any chance you might be
updating this program? Really did like it.
Thanks,
John
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 07, 2005 3:28 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Virus log program / new log format
John,
The answer to your question is Yes
I use ClamAV (with Runclamscan/Runclamd) as my second scanner and it works
great. The only downside is it is a resource hog (but still worth it.) If
and when you move to AV/JM 2.0.6.16, consider using the new directive
EXITSCANONVIRUSDETECT. It has helped.
John
-Original Message-
, June 03, 2005 2:03 PM
To: John Carter
Subject: Re[4]: [Declude.Virus] Second Scanner
Looks like I have clam up and running. I'm testing it as my primary scanner
to make sure it catches viruses and all looks good so far. It looks like it
takes about as much CPU as FProt.
I have Rundclamd running
Release notes indicate default is off. To use it, use:
EXITSCANONVIRUSDETECT ON
John C
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Friday, May 27, 2005 10:18 AM
To: Declude.Virus@declude.com
Subject: RE:
I don't think that is a valid directive. Right now I
believe cr-vulnerability function is either a "on or off" thing. There
isn't much in options there. Until there is, you may want to consider a
custom script/program to periodically look at held messages and releasing
(moving back to the
Thanks. I did only check the manual and not release
notes.
John
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guhl, Markus
(LDS)
Sent: Wednesday, May 04, 2005 8:09 AM
To: Declude.Virus@declude.com
Subject: AW: [Declude.Virus] allowvulnerabilities
hi john,
Shortly after adding ClamAV to the Imail Server a few days ago, my system
started sending virus notices on Mytob (and so far, only Mytob) even though
I have SKIPIFFORGING in the sender.eml, recip.eml and postmaster.eml, plus I
have Mytob in the list of forging viruses in the virus.cfg. In the
using F-Prot,
but have added the appropriate lines to eml and virus.cfg files as John has.
The only other difference is that I'm using SmarterMail.
Shayne
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Friday, April 15, 2005 10:48 AM
Looks like yesterday's RAR's coming in as ZIPs. And my F-Prot/ClamAV and
desktop Trend Micro still don't see anything!! Deleting them nevertheless.
John
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Friday, April 15,
I am currently getting a LOT of msgs with RAR attachments coming in. None
of the scanners are finding anything yet, the nature of volume,
sender/recipient is suspicious. Often as not the username of sender and
recipient are the same, but sender domain is always changing. Have not seen
any
Starting to see repeat names. Reminds me of viruses sent by RAR last year
(and caught by scanners.) Names: Forest, It_is_about_you, prices, jokes
John
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe
Scott:
I'm sure you have been watching this thread. Suggestion: if Declude is
determined to use only the install program, have person responsible for it
add an option to update only -- copying over the old declude.exe and leaving
the configuration and eml's intact. (I haven't used the install
FYI 1st scanner is
F-Prot. 2nd is ClamAV. I am using the runclamscan
wrapper found at http://www.smartbusiness.com/imail/declude/.
Today I haven't had any left over
directories and vir*.log is clean of errors. It may have been the
particular load at that time and message size as someone
Has anyone using ClamAV had problems with it taking longer than 60 seconds
to run? After installing it last week and working out a few problems, it
has done well. Today I noticed a number of *.vir folders left on the drive.
The VIR*.log showed that ClamAV was not completing in 60 seconds. This
Has anyone else installed the GUI version of ClamAV? I got a successful
install using the default settings (C:\Program Files\ClamWin\). Now I am
getting an error code 50 in the Declude log.
Plus the Declude manual says nothing about a REPORT line in the virus cfg
for ClamAV, but a reply in the
-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE2 1
REPORT2 FOUND
If you have Declude Pro and you can afford to turn off Prescan, CLAMav will
catch phish for you.
- Original Message -
From: John Carter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10
Having started this thread, I now feel that
maybe it was too quick to expect anything from Declude other than a "We
are reviewing the situation will get back to you soon." It has
been only 24 hours. A thought-out response is better than a quick, off
the top of the head one. Technically the
Is there any chance of getting a DELETEVULNERABILITIES or a separate
directory for them?
John
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, October 19, 2004 6:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus]
Now that 1.80 does not delete vulnerabilities even with DELETEVIRUSES ON,
what is the best way of deleting them?
Thanks,
John
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
Dan:
(See Scott's reply) BANEXT
EZIP (as well as the BANEXT ZIP) works well. Remember, even legit ZIPs
are held.
I may not be handling it the best way, but
after the messages are moved to the \spool\virus directory, I manually scan with
my desktop scanner. For some reason a manual scan
Is there any way for Declude to scan for viruses in banned extensions,
then if it passes that test, allow me to hold for further action. I
realize this is a little against the logic of banning particular
extensions, but ...
Rationale: I'm banning a number of extensions. However a vast majority
North American Title Group
-
- Original Message -
From: John Carter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 4:03 PM
Subject: [Declude.Virus] banned ext
Is there any way for Declude to scan for viruses in banned extensions,
then if it passes that test, allow
Make sure Imail didn't reset the Delivery Application. Imail
Administrator
Click Localhost Services SMTP Advanced
Should be Declude.exe in the Imail directory (ex. C:\Imail\Declude.exe)
John
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John
Ok, I can live with that. No notices on any viruses, forging or
non-forging. If clean (survives the scan detection), a notice goes out.
If I got that right, it is close enough for me. Main thing is for people
sending legit attachments to at least know something is going on and
they need to work
Thanks, Greg. Will consider this.
John
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Little
Sent: Wednesday, April 28, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Bannotify and SKIPIFFORGING
I assume you don't
Scott:
Are there any issues between Declude antivirus or junkmail and Imail 8.1
we need to be aware of or address if/when we choose to upgrade?
Thanks,
John
Scott:
Is EICAR considered forged?
Using Tools page I sent myself tests for eicardynamicencodedzip and
eicarencodedzip. Both were stopped (see logs below) but no notice was
sent. Should I have gotten a notice if:
- Running i9
- VIRUS.CFG (logging MID) has BANEXT ZIP and BANEXT EZIP
-
No problem. Thanks for the help.
John
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, March 04, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Ban notice
Is EICAR considered forged?
Sorry, my mistake.
We have a netsvc.eml notice which is sent to the helpdesk if Declude
detects a virus in a message from a local user. It uses
ONLYSENDIFLOCALSENDER. Problem is with forging viruses. We get notices
when an infected INBOUND message forges our domain as the sender (see
example below.)
Is there
Scott:
Using SKIPIFFORGING means we don't have to keep adding
SKIPIFVIRUSNAMEHAS to the eml's for each new forging virus, right???
Can we then remove the SKIPIFVIRUSNAMEHAS lines?
What specifically do we put in virus.cfg and/or the individual eml's?
(Manual doesn't address it yet and archive
Does the extension name of a file play in the proper scanning of an
attachment? IE: If we rename a ZIP file to say test.ziz to get by the
ban on ZIPs. Will it still get scanned ok?
(Idea is if I intentionally rename the extension and I tell you in the
message what I and how to save it, it is not
I bought Trend Micro PC-cillin for a second scanner -- use F-Prot for
first scanner. Anyway, what is the command line file to use for
scanning. The example in the Manual shows pcscan.exe, but it is not in
the Trend folder. Is there another or did I mess up buying this
version? (I can at least
We have a special virus notification that is set to
ONLYSENDIFLOCALSENDER. It goes to the helpdesk to let us know someone on
campus possibly has a virus. Unfortunately with Sobig spoofing some of
our user names and sending messages to us from outside campus, the helpdesk is
being flooded
Thanks, Scott. You are one of the big reasons I stay with Imail.
(Sorry my subject line was kind of off. Message started off about
combining the use of statements, but the manual straightened me out on
that. But it didn't help with the problem of still getting notices from
inside campus
Regards a major increase in Sobig, this is what happened here.
John
Log File Summary -
Log Name      Virus Count   Total Scanned
vir0801.log   2             2
vir0802.log   5             5
vir0803.log   1
I think that is it. Note: I have Log_Ok None in the config. So the
total scanned only shows caught emails and total clean is zero. But I
prefer the smaller virus log files.
John
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent:
I got the Windows version and turned off the real-time protector. Use
the built-in updater every 12 hours.
John C.
Mark Smith wrote:
I'm adding F-Prot as a virus detector in addition to CA.
Which version of F-Prot should I buy/install Windows or DOS?
Thanks!
The holiday junk mail sure has kicked up its pace. Declude Antivirus is
catching so many of them by Outlook vulnerabilities, starting to
wonder if I really need Junkmail -- (don't worry, Scott, the order
should be on its way shortly.)
Who do I get in contact with about the Antivirus log
I see what you are talking about. But I came in to over a 100 notices
this morning. Started writing down names and finally just thought that
if the analyzer included from addresses, maybe it would speed things up.
(Oh, agree with your other response about having the ability to add
comments
Thanks for looking at it.
John C.
[EMAIL PROTECTED] wrote:
The main reason this has not been done in the past is due to the number of
forged from addresses that show up. Snowhite for example shows up with
in the from address. However we may be able to add something for those that
want to
Duh. I see now. Interesting - in this one (below) Scanner 1 (F-Prot)
reported Lentin and Scanner 2 (McAfee) says Yaha. I see what you mean
now about no advantage of order of scanner. I was kinda wondering if
scanner 1 found something, whether it invoked the second scanner or just
went ahead
I haven't seen any of the Braid virus yet. Don't know if I'm lucky,
catching them under the vulnerability checks, or just missing them.
McAfee and F-Prot are up-to-date. What should I be looking for?
Thanks,
John
Microsoft sent out this security bulletin on the 10th.
http://www.microsoft.com/technet/security/bulletin/MS02-058.asp
John
John Tolmachoff wrote:
Has any one seen this and can Declude Virus help protect against this?
A recently announced flaw in Microsoft's Outlook Express e-mail program
Sorry if I missed the discussion on this one, but..
I noticed that some people are using hyphens with the command line
arguments (-type) and some (like me) use slash (/type). I am using
3.12b. Are these interchangeable?
Thanks,
John
R. Scott Perry wrote:
Just upgraded from F-Prot 3.12a to
Running McAfee and F-Prot with no problems.
John
David Delbridge wrote:
Hi all,
I'm shoppin' for a virus app. Lots to choose from. Which would you
recommend for use with Declude.Virus?
Thank you.
Dave
Sorry if this has been answered before -- On the line with
SKIPIFVIRUSNAMEHAS, is the virus name case sensitive?? Is Klez same as
or different than klez?
Thanks,
John
I'm running McAfee with Declude and still not catching the MyParty
virus. Have Def 4183 with the Extra.dat file as the web site says to
do. When I remove a rule on the MyParty and stop/restart SMTP, the
virus free comes through undetected.
Any ideas / have I missed something in earlier
Michael Abbott wrote:
John,
I believe you need to stop and start McAfee services. I installed them
yesterday morning and it is working fine.
Mike
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of John Carter
Sent: Tuesday, January 29
I've seen numerous auto-update batch files for most of the AV products,
but don't remember seeing one for McAfee. Could someone help me out
there? I know simple batch files, AT scheduler, but after looking at
the ftp.nai.com site, I'm not sure which directory and update file to
grab.
Thanks,
I second both thoughts. GUI is ok for complicated configs, but Declude
hasn't gotten there yet.
John
Jeff Pitoniak wrote:
Declude: Please do not use the registry or anything MS for saving
configuration.
Gui Admins: Take a little time to learn the power of batch files and
scripting.
Since the others are commenting --- Declude with McAfee (4164
definitions) caught this at the server.
John
Postmaster wrote:
Declude Virus 1.26a caught a incoming virus
* Subject [Declude.Virus] Magstr.39921
* From [EMAIL PROTECTED]
* To: [EMAIL PROTECTED]
* Msg ID:
Did you test the set up with the EICAR test virus from Scott's site?
Even at our little (volume) server, we get at least five or six a day.
And you're right -- things generally go wrong when we're off site and
can't do anything about it. :)
John
Chris Hunt wrote:
At least you're catching
The bottom line: Has anyone else pondered the use of Declude Virus on the
mail servers from a potential liability point of view? Or is our legal
department paranoid? Does anyone have a TOS or AUP that includes statements
about anti-virus protection?
Of course legal departments are
"R. Scott Perry" wrote:
1.16b - returns nothing in %VIRUSNAME% and %VIRUSFILE%
That, too, is not good. Is anyone else seeing this?
I'm not getting anything either -- just figured I didn't have everything
set right and haven't had time to dig into it.
John
Thanks, Scott. Check the Basic Config. table entries for F-Prot and
Kaspersky. Was unsure if it was line wrapping or what. Actually mine
has been on one line and I've been catching viruses. However I've just
corrected. (Thanks for simply product to use.)
John
"R. Scott Perry" wrote:
On
81 matches