RE: [Declude.Virus] DELETEVIRUSES Not working.

2004-10-20 Thread Tim Collins (Home)
So why put them in the virus folder?
There is no way (that I know of) to requeue these messages?  ... Or fix
the vulnerability... True?
What is Horizon's best practices theory on how to deal with messages
that land in the virus folder?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, October 19, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] DELETEVIRUSES Not working.



It seems that DELETEVIRUSES ON isn't working in Declude Virus 1.81

I have it set to:

DELETEVIRUSES   ON

In my virus.cfg but they're staying in my E:\IMail\spool\virus folder.

That is by design. Viruses are getting deleted, other E-mails
(vulnerabilities and banned file extensions) are not, as they usually do
not contain viruses or other dangerous code.


-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in
mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.





RE: [Declude.Virus] DELETEVIRUSES Not working.

2004-10-20 Thread R. Scott Perry

So why put them in the virus folder?
There is no way (that I know of) to requeue these messages?
Requeueing them is easy; copy the D*.SMD file and matching Q*.SMD file from 
the \IMail\spool\virus directory to the \IMail\spool directory.

 ... Or fix the vulnerability...
You probably could do that, but the effort involved would likely outweigh 
the benefits.

What is Horizon's best practices theory on how to deal with messages
that land in the virus folder?
It's kind of like having a best practices on dealing with spam -- there 
isn't a one size fits all approach.

Just as some organizations are fine deleting all viruses and 
vulnerabilities, others need to archive them just to be safe.

   -Scott


RE: [Declude.Virus] DELETEVIRUSES Not working.

2004-10-20 Thread John Carter
Is there any chance of getting a DELETEVULNERABILITIES or a separate
directory for them?

John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, October 19, 2004 6:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] DELETEVIRUSES Not working.


It seems that DELETEVIRUSES ON isn't working in Declude Virus 1.81

I have it set to:

DELETEVIRUSES   ON

In my virus.cfg but they're staying in my E:\IMail\spool\virus folder.

That is by design. Viruses are getting deleted, other E-mails 
(vulnerabilities and banned file extensions) are not, as they usually do 
not contain viruses or other dangerous code.


-Scott


Re: [Declude.Virus] DELETEVIRUSES Not working.

2004-10-20 Thread Nick
On 19 Oct 2004 at 19:29, R. Scott Perry wrote:

Can 'by design' mean a switch be added to allow deletion?  I would 
like to be able to make that decision - not declude.
Thanks

-Nick


It seems that DELETEVIRUSES ON isn't working in Declude Virus
1.81

I have it set to:

DELETEVIRUSES   ON

In my virus.cfg but they're staying in my E:\IMail\spool\virus
folder.

That is by design. Viruses are getting deleted, other E-mails 
(vulnerabilities and banned file extensions) are not, as they usually
do not contain viruses or other dangerous code.


   -Scott


Re: [Declude.Virus] DELETEVIRUSES Not working.

2004-10-20 Thread Darin Cox
If you're looking for what others have done as well... we delete viruses,
for banned files notify the recipient with a link in the notification to a
web script that will requeue the file if they want to receive it, and review
vulnerabilities, deleting or requeueing as needed.

Darin.


- Original Message - 
From: Tim Collins (Home) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 6:57 AM
Subject: RE: [Declude.Virus] DELETEVIRUSES Not working.


So why put them in the virus folder?
There is no way (that I know of) to requeue these messages?  ... Or fix
the vulnerability... True?
What is Horizon's best practices theory on how to deal with messages
that land in the virus folder?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, October 19, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] DELETEVIRUSES Not working.



It seems that DELETEVIRUSES ON isn't working in Declude Virus 1.81

I have it set to:

DELETEVIRUSES   ON

In my virus.cfg but they're staying in my E:\IMail\spool\virus folder.

That is by design. Viruses are getting deleted, other E-mails
(vulnerabilities and banned file extensions) are not, as they usually do
not contain viruses or other dangerous code.


-Scott


[Declude.Virus] Banned ZIP with .exe extension

2004-10-20 Thread Chris Patterson
I am having files blocked since upgrading to 8.1 with this log:

Q59b21fa60030b5ea Banning .ZIP file with EXE extension.


Is this a self-extracting Zip or zipped .exe? This was a firmware
upgrade from Linksys.

Thanks,
 
Chris Patterson, CCNA
Network Engineer




Re: [Declude.Virus] Banned ZIP with .exe extension

2004-10-20 Thread Rick Davidson
It's likely a self-extracting zip archive; WinZip allows you to create exe 
zip archives

Rick Davidson
National Systems Manager
North American Title Group
440-953-9346 - Office
440-953-0925 - Fax
440-487-7344 - Mobile
[EMAIL PROTECTED]
-
- Original Message - 
From: Chris Patterson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 10:58 AM
Subject: [Declude.Virus] Banned ZIP with .exe extension

I am having files blocked since upgrading to 8.1 with this log:
Q59b21fa60030b5ea Banning .ZIP file with EXE extension.
Is this a self-extracting Zip or zipped .exe? This was a firmware
upgrade from Linksys.
Thanks,
Chris Patterson, CCNA
Network Engineer


RE: [Declude.Virus] DELETEVIRUSES Not working.

2004-10-20 Thread Brad Morgan
 
 Can 'by design'  mean a switch be addeded to allow deletion?  I would 
 like to be able to make that decision - not declude.
 Thanks
 
 -Nick
 
 
 It seems that DELETEVIRUSES ON isn't working in Declude Virus
 1.81
 
 I have it set to:
 
 DELETEVIRUSES   ON
 
 In my virus.cfg but they're staying in my E:\IMail\spool\virus
 folder.
 
 That is by design. Viruses are getting deleted, other E-mails 
 (vulnerabilities and banned file extensions) are not, as they usually
 do not contain viruses or other dangerous code.
 

I use a Perl script to delete all the vulnerabilities and keep only
one copy of each virus.  I run it manually because once in a blue moon
there's a vulnerability that's not spam.  I've created separate .eml
files for vulnerabilities and viruses (and banned extensions) so I
can sort through them easily.

Having a quarantined copy of each virus allows me to test changes or
additions to my configuration.

I think there's enough variations on what people want to do with these
files that Scott can't program enough switches to satisfy everyone.

Scheduling a batch job isn't that difficult and there's plenty of
examples here if you don't want to write your own.

Regards,

Brad


RE: [Declude.Virus] Banned ZIP with .exe extension

2004-10-20 Thread Chris Patterson
Does anyone know if there is a way to allow these through and still
block .exe's?

Thanks,
 
Chris Patterson, CCNA
Network Engineer
Rapid Systems



-Original Message-
From: Rick Davidson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 20, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Banned ZIP with .exe extension

It's likely a self-extracting zip archive; WinZip allows you to create
exe zip archives

Rick Davidson
National Systems Manager
North American Title Group
440-953-9346 - Office
440-953-0925 - Fax
440-487-7344 - Mobile
[EMAIL PROTECTED]
-
- Original Message - 
From: Chris Patterson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 10:58 AM
Subject: [Declude.Virus] Banned ZIP with .exe extension


I am having files blocked since upgrading to 8.1 with this log:

Q59b21fa60030b5ea Banning .ZIP file with EXE extension.


Is this a self-extracting Zip or zipped .exe? This was a firmware
upgrade from Linksys.

Thanks,

Chris Patterson, CCNA
Network Engineer




Re: [Declude.Virus] Banned ZIP with .exe extension

2004-10-20 Thread R. Scott Perry

I am having files blocked since upgrading to 8.1 with this log:
Q59b21fa60030b5ea Banning .ZIP file with EXE extension.
Is this a self-extracting Zip or zipped .exe? This was a firmware
upgrade from Linksys.
That's a .ZIP file with an .EXE file in it.  If you use BANZIPEXTS ON 
(which says to ban all .ZIP files that contain any files with extensions 
that you ban) and BANEXT EXE (which bans .EXE files), you'll get the above 
message if an E-mail comes in with an .EXE file within a .ZIP file.

   -Scott


Re: [Declude.Virus] New ZIP exploit confuses some AV products

2004-10-20 Thread Greg Little




Some (Most?) of the AV vendors have patches already. Looks like it was
quietly announced to the AV vendors about 2 to 3 weeks ago.

This mostly impacts e-mail scanning. It's worth the effort to check, if
you have one of these vendors. (Some require upgraded software).
This vulnerability affects multiple anti-virus
vendors including McAfee, Computer Associates, Kaspersky, Sophos,
Eset and RAV.

For McAfee you just need the week old 4398 DATs.
It is not in the wild yet, but does not look hard to do. (So while we
have some time, ...)

The problem specifically exists in the parsing
of .zip archive headers.
The .zip file format stores information about compressed files in two
locations - a local header and a global header. The local header exists
just before the compressed data of each file, and the global header
exists at the end of the .zip archive. It is possible to modify the
uncompressed size of archived files in both the local and global header
without affecting functionality. This has been confirmed with both
WinZip and Microsoft Compressed Folders. An attacker can compress a
malicious payload and evade detection by some anti-virus software by
modifying the uncompressed size within the local and global headers
to zero.


Scott,
Since this is a deliberately corrupt ZIP header, can you add an exploit
check?

Greg


Tito Macapinlac wrote:

  Hi,

Here is a bulletin re: new vulnerability regarding zip files.  Maybe another good
reason to ban zip files if your AV is vulnerable.

http://www.idefense.com/application/poi/display?id=153type=vulnerabilitiesflashstatus=true


Tito

  





---
[This E-mail scanned for viruses by Findlay Internet]



Re: [Declude.Virus] Banned ZIP with .exe extension

2004-10-20 Thread Matt




"Another" good reason? IMO, that's overstepping a bit. There's no way
that I could block zip files for my clients and maintain their
business. The bulletin also indicated that AV vendors had either
already updated their products or would do so soon. Declude also has
some protections for zip files with malformed headers that might detect
this exploit.

Matt


Tito Macapinlac wrote:

  Hi,

Here is a bulletin re: new vulnerability regarding zip files.  Maybe another good
reason to ban zip files if your AV is vulnerable.

http://www.idefense.com/application/poi/display?id=153type=vulnerabilitiesflashstatus=true


Tito


  
  
Wednesday, October 20, 2004, 8:48:28 AM, you wrote:

I am having files blocked since upgrading to 8.1 with this log:

Q59b21fa60030b5ea Banning .ZIP file with EXE extension.

Is this a self-extracting Zip or zipped .exe? This was a firmware
upgrade from Linksys.

That's a .ZIP file with an .EXE file in it.  If you use BANZIPEXTS ON
(which says to ban all .ZIP files that contain any files with extensions
that you ban) and BANEXT EXE (which bans .EXE files), you'll get the above
message if an E-mail comes in with an .EXE file within a .ZIP file.

-Scott


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
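
The header check Greg Little asks for earlier in this thread, together with the extension test Scott describes for BANZIPEXTS ON and BANEXT EXE, as an added example that is not Declude's code and not from any poster: each member is inflated (capped at the declared size plus one byte) and reported when the local or global header's uncompressed size disagrees with the data. `scan_zip`, `measured_len` and `build_sample` are hypothetical names, the sample archive is constructed, and Zip64 and encrypted members are assumed absent.

```python
import io
import struct
import zipfile
import zlib

EOCD = struct.Struct("<4sHHHHIIH")          # end-of-central-directory record
CDH = struct.Struct("<4sHHHHHHIIIHHHHHII")  # central ("global") header, 46 bytes
LFH = struct.Struct("<4sHHHHHIIIHH")        # local file header, 30 bytes

def measured_len(raw, method, declared):
    """Real payload length, inflating at most declared+1 bytes (bomb-safe)."""
    if method == 0:                          # stored: data is the payload
        return len(raw)
    if method != 8:                          # only deflate is checked here
        return declared
    try:
        return len(zlib.decompressobj(-15).decompress(raw, declared + 1))
    except zlib.error:
        return -1                            # undecodable stream never matches

def scan_zip(data, banned_exts=("exe",)):
    """Return (member, finding) pairs for one ZIP attachment held in memory."""
    findings = []
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        return [("", "no end-of-central-directory record")]
    _, _, _, _, count, _, pos, _ = EOCD.unpack_from(data, eocd_at)
    suffixes = tuple("." + e.lower() for e in banned_exts)
    for _ in range(count):
        c = CDH.unpack_from(data, pos)
        if c[0] != b"PK\x01\x02":
            return findings + [("", "corrupt central directory")]
        flags, method, csize, name_len = c[3], c[4], c[8], c[10]
        name = data[pos + CDH.size:pos + CDH.size + name_len].decode("cp437")
        pos += CDH.size + name_len + c[11] + c[12]   # skip extra and comment
        if name.lower().endswith(suffixes):          # BANZIPEXTS-style test
            findings.append((name, "banned extension inside archive"))
        lfh = LFH.unpack_from(data, c[16])           # c[16] = local header offset
        start = c[16] + LFH.size + lfh[9] + lfh[10]
        raw = data[start:start + csize]
        declared = {"global": c[9]}
        if not flags & 0x08:     # bit 3 set: local sizes are legitimately zero
            declared["local"] = lfh[8]
        for where, size in declared.items():
            if measured_len(raw, method, size) != size:
                findings.append((name, f"{where} header declares {size} bytes, data disagrees"))
    return findings

def build_sample(zero_sizes=False):
    """Constructed fixture: harmless text named like the thread's firmware .EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"release notes\n" * 20)
        z.writestr("firmware.exe", b"not a real program\n" * 20)
    data = bytearray(buf.getvalue())
    if zero_sizes:   # header state from the bulletin: uncompressed size = 0
        for sig, off in ((b"PK\x03\x04", 22), (b"PK\x01\x02", 24)):
            struct.pack_into("<I", data, data.rfind(sig) + off, 0)
    return bytes(data)
```

`scan_zip(build_sample())` reports only the banned extension, while `scan_zip(build_sample(zero_sizes=True))` also reports the global and local size mismatches for the same member.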