[Declude.Virus] SKIPIFVIRUSNAME
I have this in recip.eml SKIPIFVIRUSNAMEHAS Klez SKIPIFVIRUSNAMEHAS Bugbear but it still sends out the mail why and what to do ? Med vennlig hilsen Benny Samuelsen ISPhuset Visual Web Norge Da tlf +47 32 26 02 00 fax +47 32 81 13 55 http://isphuset.info / http://isphuset.no --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] SKIPIFVIRUSNAME
yes and its working on 100 % of klez and 99 % of bugbear but some still slips by... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry Sent: 11. oktober 2002 14:10 To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] SKIPIFVIRUSNAME I have this in recip.eml SKIPIFVIRUSNAMEHAS Klez SKIPIFVIRUSNAMEHAS Bugbear but it still sends out the mail why and what to do ? Are you running Declude v1.47 or later (you can type \IMail\Declude -diag from a command prompt, exactly like that, to find out)? The catch with the SKIPIFVIRUSNAMEHAS is that there can only be one space or tab between it and the virus name. Also, this will of course only work if your virus scanner reports the name of the virus, so if you do not see the virus name in the notifications, the SKIPIFVIRUSNAMEHAS will not work. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] forged, what would that mean?
I'm sure you've handed out the info b4, but can you point me to the info on FORGINGVIRUS option? TY Andrew - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 11, 2002 8:11 AM Subject: Re: [Declude.Virus] forged, what would that mean? here's a copy of my latest virus alert, I've never seen [forged] before, I have relay turned off. The Klez virus forges the return address, that's all that means. The [Forged] is used in conjunction with the FORGINGVIRUS option, so that you won't get mad at the person who apparently sent you the E-mail, since it wasn't really them that sent it. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] forged, what would that mean?
here's a copy of my latest virus alert, I've never seen [forged] before, I have relay turned off. The Klez virus forges the return address, that's all that means. The [Forged] is used in conjunction with the FORGINGVIRUS option, so that you won't get mad at the person who apparently sent you the E-mail, since it wasn't really them that sent it. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] SKIPIFVIRUSNAME
I have this in recip.eml SKIPIFVIRUSNAMEHAS Klez SKIPIFVIRUSNAMEHAS Bugbear but it still sends out the mail why and what to do ? Are you running Declude v1.47 or later (you can type \IMail\Declude -diag from a command prompt, exactly like that, to find out)? The catch with the SKIPIFVIRUSNAMEHAS is that there can only be one space or tab between it and the virus name. Also, this will of course only work if your virus scanner reports the name of the virus, so if you do not see the virus name in the notifications, the SKIPIFVIRUSNAMEHAS will not work. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] SKIPIFVIRUSNAME
I mean the message is sent to the recipient i a few cases like this Date: Thu, 10 Oct 2002 21:09:53 +0200 Message-Id: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable From: hostmaster [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Virusadvarsel / virusvarning X-Mailer: IMail v7.10 Status: U X-UIDL: 310012853 Norske brukere: Vart virus scanningsprogram pa visual-web.no har rapportert at du ble sendt et virus fra [EMAIL PROTECTED], med folgnede emne SV: leieavtale etc. E-mailen er som inneholdt viruset er satt i karantene pa var server med dette konummer: Dd07f1fe1005055c8.SMD Den slettes i lopet av de neste 2 -3 dogn. Onsker du likevel a motta denne e-mail, sender du denne e-mail videre til [EMAIL PROTECTED] Dette skjer dog helt pa eget ansvar. E-mailen inneholdt en melding som var infisert med : W32/Bugbear.A@mm / 286.doc.scr -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Tolmachoff Sent: 11. oktober 2002 15:32 To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] SKIPIFVIRUSNAME yes and its working on 100 % of Klez and 99 % of bugbear but some still slips by.. Examples? John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] SKIPIFVIRUSNAME
I mean the message is sent to the recipient i a few cases like this Normally, people have the recipient receive the notifications for all viruses. Does your recip.eml file have the SKIPIFVIRUSNAMEHAS Bugbear in it (on a line by itself, only once space/tab in it, before the first blank line)? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] F-Prot 3.12b
Just upgraded from F-Prot 3.12a to 3.12b, after which my virus logs show : 10/11/2002 12:30:48 Qfcb815c MIME file: [text/html][7bit; Length=6601 Checksum=546749] 10/11/2002 12:30:48 Qfcb815c 1 [1 of 2 not deleted] files were deleted. Use ONACCESS ON if you use an external (on access) virus scanner. 10/11/2002 12:30:48 Qfcb815c Scanned: Virus Free [MIME: 2 9121] My virus.cfg has: SCANFILE :\Progra~1\FSI\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE -DUMB REPORT=Report.txt VIRUSCODE 3 VIRUSCODE 6 REPORT Infection ONACCESSOFF I can run this the fpcmd.exe command from a DOS prompt, but receive no output. Suggestions? Douglas Hardison Bits, Bytes and Pieces Internet Service 3332A-3 Airport Boulevard Wilson, NC 27896 Voice: 252-234-7040 Fax: 252-291-2119 [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot 3.12b
Just upgraded from F-Prot 3.12a to 3.12b, after which my virus logs show : 10/11/2002 12:30:48 Qfcb815c 1 [1 of 2 not deleted] files were deleted. Use ONACCESS ON if you use an external (on access) virus scanner. SCANFILE :\Progra~1\FSI\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE -DUMB REPORT=Report.txt If you change it to -REPORT=report.txt, it should work. The problem is that the report.txt file isn't being created, so Declude Virus thinks that one of the files was deleted. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-Prot 3.12b
Excellent. That did the trick. Just another fat-finger error on my part. Thanks, Douglas -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry Sent: Friday, October 11, 2002 12:46 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] F-Prot 3.12b Just upgraded from F-Prot 3.12a to 3.12b, after which my virus logs show : 10/11/2002 12:30:48 Qfcb815c 1 [1 of 2 not deleted] files were deleted. Use ONACCESS ON if you use an external (on access) virus scanner. SCANFILE :\Progra~1\FSI\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE -DUMB REPORT=Report.txt If you change it to -REPORT=report.txt, it should work. The problem is that the report.txt file isn't being created, so Declude Virus thinks that one of the files was deleted. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.Virus] declude log
Hi Scott: I found a declude.log file in c:\ I opened it and found a lot of strange logs... look at this 10/08/2002 18:56:07 Q708602ed01947d88 Couldn't move/copy data file [32]. Priority back to 32. 10/08/2002 18:56:21 Q708602ed01947d88 WARNING: Could not unlock file due to error #2. 10/08/2002 18:56:22 Q7087000201b8821c Couldn't move/copy data file [32]. Priority back to 32. 10/08/2002 18:56:22 Q7087000201b8821c Couldn't move/copy data file [32]. Priority back to 32. 10/08/2002 18:56:22 Q7087000201b8821c WARNING: Could not unlock file due to error #2. 10/08/2002 18:56:22 Q7087000201b8821c Couldn't move/copy data file [32]. Priority back to 32. 10/08/2002 18:56:22 Q7087000201b8821c WARNING: Could not unlock file due to error #2. 10/08/2002 18:56:22 Q7087000201b8821c Couldn't move/copy data file [32]. Priority back to 32. 10/08/2002 18:56:22 Q7087000201b8821c WARNING: Could not unlock file due to error #2. 10/08/2002 18:56:22 Q7087000201b8821c Couldn't move/copy data file [32]. Priority back to 32. 10/08/2002 18:56:22 Q7087000201b8821c WARNING: Could not unlock file due to error #2. it strange, there are days of intense activity and some days that don't register any activity at all. here are just the latest logs 10/11/2002 08:47:47 Qd639018701eabfb6 WARNING: Could not unlock file due to error #2. 10/11/2002 11:54:33 Q022c2aa001406c90 Couldn't move/copy data file [32]. Priority back to 32. 10/11/2002 11:54:33 Q022c2aa001406c90 Couldn't move/copy data file [32]. Priority back to 32. 10/11/2002 11:54:51 Q022d018301e47115 Could not lock d:\IMail\spool\Q022d018301e47115.SMD; timed out (j=2). 10/11/2002 11:54:51 Q022d018301e47115 Error: Couldn't lock file d:\IMail\spool\Q022d018301e47115.SMD (183) 10/11/2002 11:54:51 Q022c2aa001406c90 WARNING: Could not unlock file due to error #2. 10/11/2002 11:55:45 Q023b2aa10140a851 Couldn't move/copy data file [32]. Priority back to 32. 10/11/2002 11:55:45 Q023b2aa10140a851 Couldn't move/copy data file [32]. Priority back to 32. 10/11/2002 11:55:45 Q023b006c0204a851 Couldn't move/copy data file [32]. Priority back to 32. 10/11/2002 11:55:45 Q023b2aa10140a851 WARNING: Could not unlock file due to error #2. 10/11/2002 11:55:53 Q023b006c0204a851 WARNING: Could not unlock file due to error #2. 10/11/2002 11:55:53 Q023b2aa10140a851 WARNING: Could not unlock file due to error #2. 10/11/2002 11:55:57 Q02452be70130cddb Couldn't move/copy data file [32]. Priority back to 32. 10/11/2002 11:55:58 Q024600a701f6d240 Couldn't move/copy data file [32]. Priority back to 32. 10/11/2002 11:55:58 Q0246023b01acd359 Couldn't move/copy data file [32]. Priority back to 32. 10/11/2002 11:55:58 Q0246032f022cd4d0 Couldn't move/copy data file [32]. Priority back to 32. 10/11/2002 11:56:05 Q0246023b01acd359 WARNING: Could not unlock file due to error #2. 10/11/2002 11:56:05 Q02452be70130cddb WARNING: Could not unlock file due to error #2. 10/11/2002 11:56:05 Q0246032f022cd4d0 WARNING: Could not unlock file due to error #2. 10/11/2002 11:56:05 Q024600a701f6d240 WARNING: Could not unlock file due to error #2. 10/11/2002 11:56:37 Q0248016c01b0dcee Could not lock d:\IMail\spool\Q0248016c01b0dcee.SMD; timed out (j=2). 10/11/2002 11:56:37 Q0248016c01b0dcee Error: Couldn't lock file d:\IMail\spool\Q0248016c01b0dcee.SMD (183) 10/11/2002 11:57:14 Q024906c8015cddd8 Could not lock d:\IMail\spool\Q024906c8015cddd8.SMD; timed out (j=2). 10/11/2002 11:57:14 Q024906c8015cddd8 Error: Couldn't lock file d:\IMail\spool\Q024906c8015cddd8.SMD (183) 10/11/2002 11:57:14 Q024906c8015cddd8 Could not lock d:\IMail\spool\Q024906c8015cddd8.SMD; timed out (j=2). 10/11/2002 11:57:14 Q024906c8015cddd8 Error: Couldn't lock file d:\IMail\spool\Q024906c8015cddd8.SMD (183) 10/11/2002 11:57:14 Q024a0430017ae3c4 Could not lock d:\IMail\spool\Q024a0430017ae3c4.SMD; timed out (j=2). 10/11/2002 11:57:14 Q024a0430017ae3c4 Error: Couldn't lock file d:\IMail\spool\Q024a0430017ae3c4.SMD (183) 10/11/2002 11:57:14 Q024a0430017ae3c4 Could not lock d:\IMail\spool\Q024a0430017ae3c4.SMD; timed out (j=2). 10/11/2002 11:57:14 Q024a0430017ae3c4 Error: Couldn't lock file d:\IMail\spool\Q024a0430017ae3c4.SMD (183) what do you think? what is this? is declude working fine? has problems? any other information from me declude is running in d:\imail\ thanks Luis Arango --- [Email escaneado contra virus por Panda Consulting -www.pandacons.com-] [Email scanned for viruses by Panda Consulting -www.pandacons.com-] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] declude log
I found a declude.log file in c:\ 10/11/2002 08:47:47 Qd639018701eabfb6 WARNING: Could not unlock file due to error #2. 10/11/2002 11:54:33 Q022c2aa001406c90 Couldn't move/copy data file [32]. Priority back to 32. The Couldn't move/copy data file [32] indicates a sharing violation, and the Could not unlock file due to error #2 indicates that the E-mail no longer existed when Declude Virus tried to handle it. Both of those almost always are evidence of an on-access virus scanner interfering with Declude Virus. If an on-access scanner is scanning the files that Declude Virus creates, it can allow the E-mails to go through undetected (and therefore, the on-access scanner should be turned off, or set not to scan the subdirectories off of the \IMail\spool directory). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot 3.12b
Sorry if I missed the discussion on this one, but.. I noticed that some people are using hyphens with the command line arguments (-type) and some (like me) use slash (/type). I am using 3.12b. Are these interchangeable? Thanks, John R. Scott Perry wrote: Just upgraded from F-Prot 3.12a to 3.12b, after which my virus logs show : 10/11/2002 12:30:48 Qfcb815c 1 [1 of 2 not deleted] files were deleted. Use ONACCESS ON if you use an external (on access) virus scanner. SCANFILE :\Progra~1\FSI\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE -DUMB REPORT=Report.txt If you change it to -REPORT=report.txt, it should work. The problem is that the report.txt file isn't being created, so Declude Virus thinks that one of the files was deleted. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot 3.12b
Sorry if I missed the discussion on this one, but.. I noticed that some people are using hyphens with the command line arguments (-type) and some (like me) use slash (/type). I am using 3.12b. Are these interchangeable? Good question! I've heard that fpcmd.exe has to use -, but I've also heard that it can't use -. The F-Prot site shows samples with / (just like F-Prot.exe uses), so that's what I would recommend. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
