RE: [Declude.Virus] 4.2.20 Error in Log
Do you have a second/external scanner defined? Maybe the internal scanner (AVG) deletes an attachment and then Declude complains that it's gone when it tries to launch the secondary?

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, July 12, 2006 05:46 PM
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.Virus] 4.2.20 Error in Log

Since upgrading to 4.2.20 I started seeing the following error:

07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.07/12/2006 00:34:41.328

This only happens when AVG catches a virus. It did not get logged under 3.x version. Nor do I have an On Access Virus Scanner.

Anyone else seeing this?

Darrell

See the log snippet below.

07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
[Declude.Virus] 4.2.20 Error in Log
Since upgrading to 4.2.20 I started seeing the following error:

07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.07/12/2006 00:34:41.328

This only happens when AVG catches a virus. It did not get logged under 3.x version. Nor do I have an On Access Virus Scanner.

Anyone else seeing this?

Darrell

See the log snippet below.

07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.Virus] RE: Trying to install Declude 4.2.20
Hi Dave,

Okay, then Declude's error message is misleading. Here is what I had done:

- I had defined McAfee as "scanner 2", assuming that the internal was going to be scanner 1.
- Based on your explanation, the internal scanner is "scanner 0". So, in effect, I had defined a "scanner 2" without having any "scanner 1" defined.
- The result of "skipping" a scanner number is this ambiguous error message:

Your virus scanner DOES NOT EXIST (at C:\IMail\spool\proc\work\D65900~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.]

I "fixed" the problem by defining McAfee as Scanner 1 (by removing any number behind the 3 parameters).

So - it seems as if this is a "usability" issue. Declude should not try to start Scanner 1 if none has been defined - even if a higher scanner number IS defined. At least, it should indicate a meaningful configuration error, such as "Scanner nnn not defined - this and all subsequent scanners are skipped".

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Wednesday, July 12, 2006 05:31 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Trying to install Declude 4.2.20

The built in scanner works as scanner "0" so that your scanner 1 and 2 would be as it has always been. If you are just running McAfee as you show try using:

SCANFILE C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE
VIRUSCODE 13
REPORT Found

I'm not sure what the /LOAD D:\IMAIL\Declude\SCAN.CFG is used for?

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Wednesday, July 12, 2006 5:21 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Trying to install Declude 4.2.20

Hi Dave,

Okay - another try...

A) Is the "built-in" scanner considered the scanner #1 and any "additional" scanner have to be set up as the #2 scanner, etc. Or are the "external" scanners counting from 1?

B) I defined McAfee as the external scanner

SCANFILE2 C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD D:\IMAIL\Declude\SCAN.CFG
VIRUSCODE2 13
REPORT2 Found

I copied and pasted the executable to the command line window to confirm that it is being found:

D:\IMail>C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE
McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 EVALUATION COPY - Sep 23 2004
Scan engine v4.4.00 for Win32.
Virus data file v4804 created Jul 11 2006
Scanning for 200919 viruses, trojans and variants.

However, Declude reports:

07/12/2006 17:11:51.000 q6590017100aa.smd Vulnerability flags = 0
07/12/2006 17:11:51.484 q6590017100aa.smd Your virus scanner DOES NOT EXIST (at C:\IMail\spool\proc\work\D65900~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.]
07/12/2006 17:11:51.500 q6590017100aa.smd Scanned: Error starting scanner

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
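One way to catch the numbering gap described in this message before mail flows through it, as an added example (not Declude's code and not from any poster). The directive names and the "unnumbered means scanner 1" rule come from the thread; one directive per line and the function names are assumptions.

```python
import re

# SCANFILE / VIRUSCODE / REPORT with an optional scanner number, as shown in
# the thread. An unnumbered directive is treated as scanner 1.
DIRECTIVE = re.compile(r"^(SCANFILE|VIRUSCODE|REPORT)(\d*)\s+(.+?)\s*$", re.I)

# The configuration that produced "Your virus scanner DOES NOT EXIST".
BROKEN = r"""
SCANFILE2 C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD D:\IMAIL\Declude\SCAN.CFG
VIRUSCODE2 13
REPORT2 Found
"""

# The same scanner defined without a number, as suggested in the reply.
FIXED = r"""
SCANFILE C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE
VIRUSCODE 13
REPORT Found
"""

def parse_scanners(cfg_text):
    """Return {scanner_number: {directive: [values]}} for external scanners."""
    scanners = {}
    for raw in cfg_text.splitlines():
        m = DIRECTIVE.match(raw.strip())
        if m:  # commented-out or unrelated lines simply do not match
            name, num = m.group(1).upper(), int(m.group(2) or 1)
            scanners.setdefault(num, {}).setdefault(name, []).append(m.group(3))
    return scanners

def lint(cfg_text):
    """List skipped scanner numbers and scanners that lack a SCANFILE line."""
    scanners = parse_scanners(cfg_text)
    highest = max(scanners, default=0)
    problems = []
    for n in range(1, highest + 1):
        if n not in scanners:
            problems.append(f"scanner {n} not defined, but scanner {highest} is")
        elif "SCANFILE" not in scanners[n]:
            problems.append(f"scanner {n} has no SCANFILE line")
    return problems

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or "ok")
```
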
RE: [Declude.Virus] Ambiguous Virus Scanner ID in log
The External McAfee Scanner, if you run logs on DEBUG you will see that the AVG (Internal) Scanner reports as AVG.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Wednesday, July 12, 2006 5:38 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Ambiguous Virus Scanner ID in log

Hi Dave,

My log indicates:

07/12/2006 17:34:20.625 q6ad4014a0137.smd Vulnerability flags = 0
07/12/2006 17:34:21.593 q6ad4014a0137.smd Virus scanner 1 reports exit code of 0

Which one is considered "Virus scanner 1" - the INTERNAL (AVG) scanner that comes with Declude 4.2.20 - or my EXTERNAL McAfee Scanner?

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
[Declude.Virus] Ambiguous Virus Scanner ID in log
Hi Dave,

My log indicates:

07/12/2006 17:34:20.625 q6ad4014a0137.smd Vulnerability flags = 0
07/12/2006 17:34:21.593 q6ad4014a0137.smd Virus scanner 1 reports exit code of 0

Which one is considered "Virus scanner 1" - the INTERNAL (AVG) scanner that comes with Declude 4.2.20 - or my EXTERNAL McAfee Scanner?

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
Re: [Declude.Virus] 4.2.3 Built-in scanner slight off topic reply
I just switched to 4x and noticed in the logs that scan times are recorded - here are some sample scan times against the same email -

2062ms Clamscan
468ms Mcafee scan.exe
171ms fprot

These relative scan time proportional differences appear to remain the same against other emails.

Switching from clamscan.exe to clamdscan.exe ClamAV averages 15ms against all emails it sees. That is like a factor of 10 faster than fprot its closest performance competitor. Since it's free and w/Sanesecurity phish sigs I give it an editors choice :)

It would be nice to see [feature request?] the ms response time for AVG -

-Nick

John Shacklett wrote:

Sorry for the tardy response, I've been traveling.

I used mcafee on my old system in combination with f-prot, and never had any problems there either. On my new box [new since May], I started out with a different program from eTrust because we're moving away from McAfee across the board, but I had issues with the new program and switched to scan.exe. I don't remember exactly when I made that last switch, but I have NEVER gotten scan to return anything on anything it has scanned. I send myself a report daily on activity for the previous day, and it always says in the virus detections that "0 mcafee detected for 07-10-2006", a day when clamav found 82 and f-prot and AVG each found four more.

I'm away from my office until next week, and I'm going to do some more experimenting then to figure out why mcafee fails.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Thursday, 06 July 2006 4:51 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] 4.2.3 Built-in scanner

John,

What problems are you having with scan.exe? A lot of us use McAfee and have no issues.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

John Shacklett writes:

After loading 4.2.20 this afternoon, my AVG scanner is now finally detecting viruses. Oh happy day. Now if I can just get scan.exe to work, I'll have a full house.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Thursday, 11 May 2006 11:44 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

"Declude 4.2.3 Diagnostics" right on the top line.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Carter
Sent: Thursday, 11 May 2006 9:30 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Just curious, what does your diags.txt? Did 4.2.3 in fact get fully installed and running?

John C

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Thursday, May 11, 2006 6:56 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

I guess I should have been more dramatic. What I intended this to mean was that I still don't see any evidence that AVG is working at all.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 3:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Just for fun, I completely commented out the three scanners in my virus.cfg and resent the eicar plain test file, and it made it to my Inbox.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 9:58 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Forget my last post, I have different problems. Sorry.

I followed John C's suggestion and sent myself a standard base64 MIME encoded eicar.com file [which should have occurred to me earlier], and I ended up with the following lines in the debug output:

05/09/2006 09:50:57.007 q9e3d01cb331c.smd AVG Reports No Virus
05/09/2006 09:50:57.178 q9e3d01cb331c.smd Virus scanner 1 reports exit code of 3
05/09/2006 09:50:58.444 q9e3d01cb331c.smd Virus scanner 2 reports exit code of 0
05/09/2006 09:50:58.616 q9e3d01cb331c.smd Virus scanner 3 reports exit code of 0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Carter
Sent: Tuesday, 09 May 2006 9:41 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Temporarily go to LOGLEVEL DEBUG and use the test virus sender. It should show AVG working. MID and HIGH levels didn't show which scanner caught EICAR, but DEBUG did.

John C

05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Virus detected. Not continuing with any remaining scanners.
05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG
RE: [Declude.Virus] 4.2.3 Built-in scanner
Sorry for the tardy response, I've been traveling.

I used mcafee on my old system in combination with f-prot, and never had any problems there either. On my new box [new since May], I started out with a different program from eTrust because we're moving away from McAfee across the board, but I had issues with the new program and switched to scan.exe. I don't remember exactly when I made that last switch, but I have NEVER gotten scan to return anything on anything it has scanned. I send myself a report daily on activity for the previous day, and it always says in the virus detections that "0 mcafee detected for 07-10-2006", a day when clamav found 82 and f-prot and AVG each found four more.

I'm away from my office until next week, and I'm going to do some more experimenting then to figure out why mcafee fails.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Thursday, 06 July 2006 4:51 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] 4.2.3 Built-in scanner

John,

What problems are you having with scan.exe? A lot of us use McAfee and have no issues.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

John Shacklett writes:

> After loading 4.2.20 this afternoon, my AVG scanner is now finally
> detecting viruses. Oh happy day. Now if I can just get scan.exe to
> work, I'll have a full house.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
> Sent: Thursday, 11 May 2006 11:44 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner
>
> "Declude 4.2.3 Diagnostics" right on the top line.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
> Sent: Thursday, 11 May 2006 9:30 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner
>
> Just curious, what does your diags.txt? Did 4.2.3 in fact get fully
> installed and running?
>
> John C
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
> Sent: Thursday, May 11, 2006 6:56 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner
>
> I guess I should have been more dramatic. What I intended this to mean
> was that I still don't see any evidence that AVG is working at all.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
> Sent: Tuesday, 09 May 2006 3:04 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner
>
> Just for fun, I completely commented out the three scanners in my
> virus.cfg and resent the eicar plain test file, and it made it to my Inbox.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
> Sent: Tuesday, 09 May 2006 9:58 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner
>
> Forget my last post, I have different problems. Sorry.
>
> I followed John C's suggestion and sent myself a standard base64 MIME
> encoded eicar.com file [which should have occurred to me earlier], and
> I ended up with the following lines in the debug output:
>
> 05/09/2006 09:50:57.007 q9e3d01cb331c.smd AVG Reports No Virus
> 05/09/2006 09:50:57.178 q9e3d01cb331c.smd Virus scanner 1 reports
> exit code of 3
> 05/09/2006 09:50:58.444 q9e3d01cb331c.smd Virus scanner 2 reports
> exit code of 0
> 05/09/2006 09:50:58.616 q9e3d01cb331c.smd Virus scanner 3 reports
> exit code of 0
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
> Sent: Tuesday, 09 May 2006 9:41 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner
>
> Temporarily go to LOGLEVEL DEBUG and use the test virus sender. It
> should show AVG working. MID and HIGH levels didn't show which scanner
> caught EICAR, but DEBUG did.
>
> John C
>
> 05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Virus detected. Not
> continuing with any remaining scanners.
> 05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Reports VIRUS:
> EICAR_Test
> 05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Reports Not Healable
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
> Sent: Tuesday, May 09, 2006 8:13 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner
>
> 1. Use the test virus sender http://www.declude.com/Articles.asp?ID=99
> 2. Check your virus logs
> 3. Declude\Scanners\AVG\DB
> 4. Check the date on the database files
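The DEBUG-level lines quoted in this thread can be grouped per spool file to see which scanner said what and which messages went through with attachments unscanned. This is an added example, not Declude's code or any poster's; the function name and flag labels are hypothetical, and treating exit code 3 as scanner 1's virus code is an assumption made only for the sample run.

```python
import re
from collections import defaultdict

# Line shape taken from the excerpts quoted in the thread:
#   MM/DD/YYYY HH:MM:SS.mmm <spool id>.smd <message>
LINE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3} (\S+\.smd) (.*)$")
AVG = re.compile(r"AVG Reports (?:VIRUS: (.+)|No Virus)")
EXIT = re.compile(r"Virus scanner (\d+) reports exit code of (\d+)")

# Log lines quoted from the messages above, combined here as sample input.
SAMPLE_LOG = r"""
05/09/2006 09:50:57.007 q9e3d01cb331c.smd AVG Reports No Virus
05/09/2006 09:50:57.178 q9e3d01cb331c.smd Virus scanner 1 reports exit code of 3
05/09/2006 09:50:58.444 q9e3d01cb331c.smd Virus scanner 2 reports exit code of 0
05/09/2006 09:50:58.616 q9e3d01cb331c.smd Virus scanner 3 reports exit code of 0
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted.
07/12/2006 17:11:51.484 q6590017100aa.smd Your virus scanner DOES NOT EXIST (at C:\IMail\spool\proc\work\D65900~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.]
07/12/2006 17:11:51.500 q6590017100aa.smd Scanned: Error starting scanner
"""

def summarize(log_text, virus_codes):
    """Group log lines by spool file and flag results worth a second look.

    virus_codes maps an external scanner number to the set of exit codes
    that mean "infected" (the VIRUSCODE values from your own configuration).
    """
    msgs = defaultdict(lambda: {"avg": None, "external": {}, "flags": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        entry, text = msgs[m.group(1)], m.group(2)
        avg, ext = AVG.search(text), EXIT.search(text)
        if avg:
            entry["avg"] = avg.group(1) or "clean"   # virus name, or "clean"
        elif ext:
            entry["external"][int(ext.group(1))] = int(ext.group(2))
        elif "NOT SCANNING ATTACHMENTS" in text:
            entry["flags"].append("scanner-not-run")  # attachments unscanned
        elif "not deleted]" in text:
            entry["flags"].append("delete-incomplete")
    for entry in msgs.values():
        hits = [n for n, code in sorted(entry["external"].items())
                if code in virus_codes.get(n, ())]
        if entry["avg"] == "clean" and hits:
            entry["flags"].append("internal-clean, scanner %d hit" % hits[0])
    return dict(msgs)

if __name__ == "__main__":
    # Assumption for the sample: scanner 1 is configured with VIRUSCODE 3.
    for spool, info in summarize(SAMPLE_LOG, {1: {3}}).items():
        print(spool, info)
```
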