[Declude.Virus] ClamWin

2004-11-10 Thread John Carter
Has anyone else installed the GUI version of ClamAV? I got a successful install using the default settings (C:\Program Files\ClamWin\). Now I am getting an error code 50 in the Declude log. Plus the Declude manual says nothing about a REPORT line in the virus cfg for ClamAV, but a reply in the

Re: [Declude.Virus] New virus with unusual deployment

2004-11-10 Thread Rick Davidson
Don't the newer versions of Declude Virus catch the IFRAME vulnerability? The problem with the current virus strains is that they do not contain any vulnerability at all. The IFRAME vulnerability exists on the site contained in the body link. Rick Davidson National Systems Manager North American

Re: [Declude.Virus] ClamWin

2004-11-10 Thread Scott Fisher
I use this version of clamav: http://www.sosdg.org/clamav-win32/index.php with this wrapper to get virus names: http://www.smartbusiness.com/imail/declude/ My global.cfg lines: SCANFILE2 d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt

Re: [Declude.Virus] ClamWin

2004-11-10 Thread R. Scott Perry
I did as Scott recommended and turned off prescan; but afterwards I noticed in the clam logs that ClamAV had caught phish previously with prescan ON sooo why would you think that is so? eg - I guess what I'm asking is will ClamAV reliably anti-phish to its capability with prescan on? PRESCAN

Re: [Declude.Virus] New virus with unusual deployment

2004-11-10 Thread Greg Little
McAfee is catching the "virus generated" e-mails as W32/Mydoom.gen!eml http://vil.nai.com/vil/content/v_129633.htm Virus Characteristics: This is a generic detection covering email messages sent by W32/[EMAIL PROTECTED] and

Re: [Declude.Virus] ClamWin

2004-11-10 Thread Matt
Maybe the new MyDoom virus suggests a change in the way that PRESCAN qualifies messages? These messages don't contain any exploitable code, however it is likely that these viruses will all be linked by way of an IP. So maybe sending messages to the virus scanner when they contain an IP would

Re: [Declude.Virus] New virus with unusual deployment

2004-11-10 Thread Scott Fisher
Since these are HTML segments, my guess this is another case of where Declude Virus Pro's Prescan would need to be turned off for these to be scanned. I am catching these segments with Prescan off with Clam and Mcafee. - Original Message - From: Greg Little To: [EMAIL

RE: [Declude.Virus] ClamWin

2004-11-10 Thread John Carter
Thanks. Since I didn't really need the GUI, I uninstalled it, went with the other version, and used your virus.cfg lines. It seems to be happy now. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Wednesday, November 10, 2004 9:14

Re: [Declude.Virus] ClamWin

2004-11-10 Thread Greg Little
We are on exactly the same track. If this kind of attack catches on, and the e-mail can look like almost anything. Passing everything to the more CPU consuming AV engine may be needed. This attack will work just fine in a plain text (non-HTML) e-mail. (Will the link work easy?) Greg Matt

Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Matt
Greg, Plain text E-mail will not link in Outlook unless it appears as a URL that begins with www, and that means that it is very unlikely that a successful exploit could be constructed in plain text as the infected computers won't have A records pointing at them that begin with www. As far as

Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Bill Landry
Matt, thanks for the analysis. I would very much like to know what the additional load is on your server by setting PRESCAN to OFF. Please do post your results if you test this. I have had PRESCAN OFF for a few weeks now, and have not noticed much of an increase on my servers, but I was not

Re: [Declude.Virus] Whitelist

2004-11-10 Thread R. Scott Perry
I have a filter I use for a whitelist which I give a negative weight to for certain e-mail addresses. Is there a limit of the amount of addresses that can be put into a whitelist? There is a limit of 200 WHITELIST entries in the global.cfg file for Declude JunkMail, but the filters can have an

Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Matt
Bill Landry wrote: Matt, thanks for the analysis. I would very much like to know what the additional load is on your server by setting PRESCAN to OFF. Please do post your results if you test this. I have had PRESCAN OFF for a few weeks now, and have not noticed much of an increase on my

Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Nick
On 10 Nov 2004 at 16:33, Matt wrote: Matt - Would you elaborate on the Passler app? Where from how much? -Nick Bill Landry wrote: Matt, thanks for the analysis. I would very much like to know what the additional load is on your server by setting PRESCAN to OFF. Please do

Re[2]: [Declude.Virus] PRESCAN

2004-11-10 Thread David Sullivan
Hello Matt, Wednesday, November 10, 2004, 2:41:59 PM, you wrote: M is McAfee though, and turning PRESCAN OFF might soon become my only M realistic choice. I'm going to guess that this might remove more than M 25% of my system's capacity however, and that gets costly. FYI - one of our boxes is

Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Bill Landry
Wow, that is quite a jump in processor utilization. I also run two scanners (TrendMicro F-Prot), but I might not have noticed as much of an increase because I am running on dual-processor systems. When I get a minute I will throw up a monitor and check to see how the PRESCAN ON/OFF

Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Matt
Two replies in one... Nick, it would have helped if I spelled Paessler correctly :) (http://www.paessler.com/ipcheck) The Professional License ($349) is required in order to do SNMP monitoring, but the features go far beyond that. I purchased it because it can alert me based on events, and it