ClamAV can be configured to scan URLs, if so desired.
Bill
- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 12:40 PM
Subject: RE: [Declude.Virus] url file extensions
You nor I nor Declude nor any one knows where
-
From: Nick Hayer [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 1:30 PM
Subject: Re: [Declude.Virus] url file extensions
Bill,
Will you kindly elaborate? :)
I see in clamd.conf the MailFollowURLs but the advice is not to use it -
-Nick
Bill Landry wrote:
ClamAV
There was definitely a change between Declude Version
3.0.5.23 and Version 3.0.5.26 in its handling of header processing. We had
to roll back to .23 because .26 was causing strange behavior with certain mime
encapsulated messages. I sent evidence to David Franco-Rocha off-line
I reported this issue quite some time ago, when
Scott was still running the show, and never got a satisfactory answer. You
can scan the raw d*.smd file with f-prot and it will detect the virus, but run
it through Declude Virus, and the virus goes through undetected. After
pestering and
Andrew, I already have PRESCAN set to off and use
the /server switch with F-Prot, so those were not the issue that was causing
this behavior for me. From my virus.cfg:
# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER
Scan timeouts were not the issue either, since my
secondary Declude Virus scanner (TrendMicro) would catch the virus fine, and the
logs would show the scanning to be taking a mere second or two.
Bill
- Original Message -
From:
Colbeck,
Andrew
To:
Hmmm, maybe try switching that from totalvirus to virustotal.
Bill
- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, December 15, 2005 7:53 AM
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a
virus?
I
Seeing them here, as well. So far, the virus is only being detected by NAI
(New Malware.n) and ClamAV (Worm.Mytob.T-2). However, TrendMicro, AVG,
BitDefender, Sophos, and F-Prot are not yet detecting this new virus.
Bill
- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
What specific 3.x version did you upgrade to? The latest is 3.0.5.18.
Bill
- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Saturday, November 05, 2005 11:04 AM
Subject: [Declude.Virus] Update on Upgrade
It appears it is generating out
Those are just the receipt log entries, where are the delivery log entries?
Search the log file for 25FB0282.
Bill
- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: Bill Landry Declude.Virus@declude.com
Sent: Saturday, November 05, 2005 12:18 PM
Subject: Re[4
My virus caught messages are being delivered right away with version
3.0.5.18.
Bill
- Original Message -
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Saturday, November 05, 2005 1:13 PM
Subject: Re: Re[2]: [Declude.Virus] Help! Upgraded from
I am running IMail 8.21/Declude 3.0.5.18. My queue retry timer is set to 30
minutes. And both postmaster and recipient virus notifications are being
delivered immediately.
Bill
- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: Bill Landry Declude.Virus@declude.com
Sent
- Original Message -
From: Matt
So it would be possibly useful in this case, but again, solving the
issue that created the CBL listing is the most direct route, and less
dependency on any particular test by adding something like Sniffer
and reducing weights on such things I think is
My wget script for updating F-Prot has been working just fine for a few
years now, and still continues to function properly.
Bill
- Original Message -
From: Douglas Cohn [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, May 04, 2005 8:13 AM
Subject: RE: [Declude.Virus]
Yes, this is a problem! I rolled back to my latest defs prior to the last
update and all is well again. I disabled my updates for a while to see if
F-Prot fixes this issue.
Bill
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent:
Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV
(Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although
I have F-Prot updates disabled for now, until they get their problem with
HTML/[EMAIL PROTECTED] fixed).
Bill
- Original Message -
From:
Sent: Monday, May 02, 2005 11:50 AM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit
How can I roll back ??
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 2:12 PM
Subject: Re: [Declude.Virus] F-Prot and HTML
I e-mailed you the latest, non-affected defs, offline. I run 3.16b and it
has the same problem (since it's a detection issue with the virus
definition, not the application), but I would still upgrade to the latest
version.
Bill
- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
F-Prot may have pulled the latest defs due to the number of complaints
received, which could explain why the app reports that you have the latest
version.
Bill
- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 1:54 PM
Matt, I searched 2 weeks of logs on both of my
servers (both of which run F-Prot and TrendMicro) and could only find 4
instances of "Could not find parse string Infection", and they were found on the
server that is very heavily loaded. I use the following F-Prot strings in
my virus.cfg:
#
It's not all that new, we have been running it since early March without
issue.
Bill
- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, April 11, 2005 12:36 PM
Subject: [Declude.Virus] F-Prot 3.16b
Hi,
Anyone know anything about
Although I cannot explain the cause of the issues you've seen, I would
suggest that you upgrade your scan engine:
http://www.mcafeesecurity.com/us/downloads/default.asp?wt.mc_n=us_updateswt.mc_t=ext_li_concid=10373.
Download and run the SuperDat file, which contains the latest dat and engine
- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]
Now we just need McAfee to scan inside RAR files G
Indeed! Even F-Prot scans inside of .rar files:
=
cat report.txt
Virus scanning report - 27 January 2005 @ 16:46
F-PROT ANTIVIRUS
Program version: 3.16a
Engine version:
- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]
Just got that one - attached was a WindowsUpdate.rar, 43 KB.
On a Linux test server we run, I tested one of these messages and of the 7
virus scanners we have running on this test server (AVG, Sophos, TrendMicro,
McAfee,
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
So, if I am banning ZIPEXT, this should be caught since rar is treated
same
as zip in Declude, correct?
Don't know...
What is the file in the rar?
The MsWindowsUpdate.rar archive contains a single file called
- Original Message -
From: Serge [EMAIL PROTECTED]
you are probably right
we used to have the same issue with manual install
However, the full install notes specifically say that no service need to
be
stopped when upgrading
So they need get their act together, or give us back our old
testing, bring it
over to the live server.
Which is the same as I've done the last few times. If you're going to
implement beta software, it's worth the effort.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, December 21
Nice to know that Declude is listening to our requests.
Thanks Ralph!
Bill
- Original Message -
From: Ralph Krausse
To: [EMAIL PROTECTED]
Sent: Tuesday, December 21, 2004 10:57 AM
Subject: Declude 2.0b Install
Hello
Bill,
I wanted to let
you know that I was monitoring the
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
This is exactly why Scott and I had that whole e-mail exchange a few
weeks
ago. I have found a few viruses now that are not caught when decoded by
Declude but when the D*.SMD file is scanned manually at the command line
by
- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, December 20, 2004 1:57 PM
Subject: RE: Re[8]: [Declude.Virus] testvirus.org #22
Ditto. I thought Declude called the scanner(s) on the d*.smd,
plus extracted all the segments out
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
So Declude doesn't actually Send the SMD file to the Scanner..
Correct.
It takes the Message Body, writes it to a Tmp File, and then scans it?
Why not just scan the SMD file , Headers and All ?
Because very few AV
Yeah, I'm sorry to say, the list is definitely down. I am just sending you
this reply to let you know that I didn't get your test message - well,
because the list is down... ;-)
- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December
- Original Message -
From: Nick [EMAIL PROTECTED]
Total messages scanned for the day and the total number of viruses
found for that day (not count of individual virus)?
Correct. I have no interest in this case of an indv virus count. Just
totals. That is what I want to feed to mrtg
- Original Message -
From: Nick [EMAIL PROTECTED]
Bill?.. or anyone :)
Is there a way in a single line to use grep or a similar tool on a
virus log file and have it return 2 values: total_scanned and viruses
found?
Total messages scanned for the day and the total number of viruses
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Hmmm, I thought that since Declude Virus does the decoding and scanner
calls, that you might be interested in testing this yourself...
Yes. That's why I tested it, and found that Declude Virus is decoding the
attachments
I thought that this got fixed many versions ago, but it appears to be back
again (Declude 1.81), where the virus name is taken from Scanner 1, but
the file name is taken from the last scanner listed in the virus.cfg.
Snippet from the postmaster e-mail:
=
Declude Antivirus v1.81 caught the
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Nope, in my testing of three command-line scanners, the attached
test.txt
file contains the minimum needed to detect the file as containing a virus
(copied your virustrap address, as well, in case this gets blocked to the
- Original Message -
From: Matt [EMAIL PROTECTED]
I believe that Declude creates a directory for all attachments in each
message, and then Declude calls the scanner to scan the entire
directory. I believe that for inline content such as text/plain and
text/html, these files will be
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
If the virus scanner were at fault (because of a decoding issue) then I
have
to ask again, why can TrendMicro detect the virus when scanning the raw
D*.SMD file, but not when sent to it by Declude Virus?
You would have to
- Original Message -
From: Matt [EMAIL PROTECTED]
I believe that Declude creates a directory for all attachments in each
message, and then Declude calls the scanner to scan the entire
directory. I believe that for inline content such as text/plain and
text/html, these files will be
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Scott, attached is the raw source of this BOFRA.B message, it looks like
HTML to me. In fact, when I scan the D*.SMD file from the command-line,
TrendMicro identifies the file as HTML_BOFRA.B and ClamAV as
Scott, we have the following entry in our virus.cfg files on
both of our IMail/Declude servers:
SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /VSTEMP=m:\temp\ /LR=report.txt
VIRUSCODE2 1
REPORT2 Found
I also have: PRESCAN OFF
However, this particular PayPal phishing
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Scott, we have the following entry in our virus.cfg files on both of our
IMail/Declude servers:
SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q
/VSTEMP=m:\temp\ /LR=report.txt
VIRUSCODE2 1
REPORT2
- Original Message -
From: Jim Nitterauer [EMAIL PROTECTED]
I will try that.
Yes, I checked to make sure.
I also looked at the supported options for fpcmd.exe
The following are not supported:
/nomem
/noboot
/nofloppy
Are these something that you have included within Declude?
The updated version is there now. I sent F-Prot support an e-mail asking
why they would send out an update notification before they actually posted
the updated version for download - got a canned auto-reply...
Bill
- Original Message -
From: Rodney Bertsch [EMAIL PROTECTED]
To: [EMAIL
- Original Message -
From: Alan Walters [EMAIL PROTECTED]
I recently added BitDefender Free Edition v7.2 as a second scanner. This
is
for testing purposes in anticipation of purchasing a more suitable Server
Class version. I attempted to search the archives for information on this
- Original Message -
From: Alan Walters [EMAIL PROTECTED]
As to your comments about my config having extraneous settings (/Files),
I'll agree - but for a different reason. The /Files is used to specify
the
PATH, not the type of files to scan. After reviewing
Matt, thanks for the analysis. I would very much like to know what the
additional load is on your server by setting PRESCAN to OFF. Please do post
your results if you test this. I have had PRESCAN OFF for a few weeks now,
and have not noticed much of an increase on my servers, but I was not
actually affects my systems.
Bill
- Original Message -
From:
Matt
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 1:33
PM
Subject: Re: [Declude.Virus]
PRESCAN
Bill Landry wrote:
Matt, thanks for the analysis. I would very much like to know what the
additional
And this just arrived from F-Prot:
=
New virus signature files for F-Prot Antivirus have been
released. These files are dated 9 November 2004 and contain
detection for W32/[EMAIL PROTECTED], W32/[EMAIL PROTECTED] and other
new threats.
=
Bill
- Original Message -
From: William
- Original Message -
From: Joey Proulx [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 04, 2004 8:03 AM
Subject: [Declude.Virus] F-Prot Updater timing out?
I'm running Declude 1.81 with F-Prot. It's on my NT 4.0 mail server,
which
is one of five servers we have,
BitDefender works fine with Declude Virus, don't know about mxGuard.
Bill
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 9:27 AM
Subject: RE: [Declude.Virus] BitDefender
PP
For
: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Bill Landry
Sent: Wednesday, November 03, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] BitDefender
BitDefender works fine with Declude Virus, don't know about mxGuard.
Bill
- Original Message -
From: John
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
What I am wondering is does ICS standard include the same executable for
BitDefender that you are using with your version for Declude?
Don't know, but here are the details of the BitDefender command-line exe I
call
In addition to what others have been reporting here, I am also seeing F-Prot
reporting these today:
Declude Antivirus v1.81 caught the Possibly a new variant of JS/ virus in
[HTML segment]
They are coming in with subjects like:
Subject:DM Direct Newsletter: October 29, 2004
Subject:
- Original Message -
From: Chris Patterson [EMAIL PROTECTED]
Does anyone else agree using the 32 bit command
line scanner is better than the dos?
Absolutely! If you have it available to you (meaning you have the Windows
version of F-Prot), using it will provide a nice performance
- Original Message -
From: Mark Smith [EMAIL PROTECTED]
Any way to purge 'em all without writing a script?
We're running about 200k messages per day across 4 servers and don't
bother
to check them all.
Come on, you're talking about a 10 second script:
del c:\imail\spool\virus\*.smd
I just found that if you have PRESCAN set to on, you will not be able to
catch these BankFraud/Phishing e-mails. However, if you set PRESCAN to
OFF, you can catch these if your virus scanner supports it. So far I have
found that ClamAV, McAfee, and TrendMicro all support detection of these
- Original Message -
From: Mark Smith [EMAIL PROTECTED]
Actually this breaks Declude because Declude Virus can't look for multiple
REPORT lines.
Scott,
How can we setup Declude Virus to look for multiple lines in the
report.txt
file?
I've been running F-Prot Version 3.15b since
- Original Message -
From: Scott Fisher [EMAIL PROTECTED]
I use three scanners. Which scanner does Declude Virus use to determine
the name of the virus?
Should use the first scanner's naming convention. However, there have been
slip-ups in the past, so it could depend on what version
- Original Message -
From: Jeff Kratka [EMAIL PROTECTED]
Does anyone have a config they want to share for Declude Junk mail and
SURBL
SURBL is not currently supported in Declude JunkMail. However, you can
download the various surbl zone files and run them as a body filter, but
that can
Yep, I've seen a bunch of them this morning, as
well. Here, only McAfee and BitDefender are currently catching it. I
have reported the virus to ClamAV, F-Prot, and TrendMicro.
Bill
- Original Message -
From:
Markus Gufler
To: [EMAIL PROTECTED]
Sent: Monday, August
- Original Message -
From: Panda Consulting S.A. Luis Alberto Arango [EMAIL PROTECTED]
What is the suggested configuration for this option?
PRESCAN ON or OFF ?
Comments...? thanks
I have prescan on and, if you are running Virus Pro, I don't know why you
wouldn't want to enable
- Original Message -
From: Jeff Maze [EMAIL PROTECTED]
Anyone else see this one yet?
Yep, seen lots of them, and all are being detected by McAfee, TrendMicro,
F-Prot, BitDefender, and ClamAV.
Bill
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
Another one is BitDefender. Their free scanner has just the right
features for Declude Virus.
Does not look like it can be called by command line.
The following Declude Virus configuration works with the
- Original Message -
From: Russ Uhte (Lists) [EMAIL PROTECTED]
At 12:17 PM 6/15/2004, Matt wrote:
This domain was recently moved to our DNS and I suspect that someone at
their old DNS hosting provider is infected and using their old unremoved
DNS entries and that is why they are
- Original Message -
From: Brad Morgan [EMAIL PROTECTED]
If you are running Declude Virus Pro, then you could add one or more of
the
free virus scanners to your configuration. I added ClamAV after seeing an
article that said it was very high on the list of who gets updates out the
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Another one is BitDefender. Their free scanner has just the right
features
for Declude Virus.
It doesn't appear to be free for commercial use.
I was sure that it allowed commercial use (or rather commercial use was
- Original Message -
From: Bob McGregor [EMAIL PROTECTED]
what does the /packed parameter on the scanfile line in the config file
do?
Is it a switch that I want on? It's not mentioned in the manual for
declude virus.
Bob, you don't mention which virus scanner you're using, but I'm
- Original Message -
From: Jeff Pereira [EMAIL PROTECTED]
Thanks for the reply, but I think you misunderstood
I know the IP of my computer, I don't know the IP of a piece of equipment
that I have, but I do know what the MAC address is.
Ping the broadcast address for the address
- Original Message -
From: Bill [EMAIL PROTECTED]
The very last line shows the total message count including messages that
did not fail any tests. My program, as it is now, does not look at any
of the declude actions, just the tests failed. I primarily use it to
determine if any
Very nice! Thanks for sharing this, Bill!
Bill
- Original Message -
From: Bill [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:33 PM
Subject: RE: [Declude.Virus] Scott, what do you use to generate this report
Hi,
I have a utility to do
Bill, would you consider adding the OK count so that we could also see the
counts and percentages of what was delivered successfully, as well.
Thanks again,
Bill
- Original Message -
From: Bill [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 8:08 AM
Subject: Re: [Declude.Virus] Log error with latest interim release
Scott,
What are your thoughts on the /AI and /PACKED switches? Any particular
reason to use or not
]
To: [EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 9:48 AM
Subject: Re: [Declude.Virus] Log error with latest interim release
Hi Bill,
Yeah, I had seen your configs...just wanted to get Scott's feedback on
the -AI and -PACKED switches.
Darin.
- Original Message -
From: Bill Landry
Oops, meant to say do NOT get held.
Bill
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 10:42 PM
Subject: [Declude.Virus] Question about virus log entries
Scott, I am seeing a bunch of the following type entries in my virus logs
Scott, I am seeing a bunch of the following type entries in my virus logs:
Found potentially dangerous stuff in
M:\IMail\spool\Dc62d3de40042810d.vir\0.!
Found potentially dangerous stuff in
M:\IMail\spool\Dc800179a006ca25f.vir\0.htm!
Found potentially dangerous stuff in
I am trying to understand this, but the reality doesn't work like I think
you are saying it should. If I have the following in my virus.cfg file:
BANEXT EZIP
with or without:
BANZIPEXTS ON
BANEZIPEXTS ON
I catch the encrypted/password protected virus files. However, if I use
just:
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
The new format will ban the same extensions that you are already banning,
but will do so in .ZIP files. The BANZIPEXTS ON option will ban the
files
if they are un-encrypted, the BANEZIPEXTS ON will ban the files if they
That shouldn't make any difference, since virus notifications do not get
sent to IP address, they get sent to the sender's e-mail address or the
[EMAIL PROTECTED]
Bill
- Original Message -
From: Russ Uhte (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 01, 2004 6:30
- Original Message -
From: Serge [EMAIL PROTECTED]
just looked at the directory, and there is only scan32.exe
i may need to reinstall netshield ?
The files, scan32.exe and scan.exe, are not in the same directory. Scan.exe
can be found in:
C:\Program Files\Common Files\Network
Scott, if Declude Virus encounters an Error 5 with scanner 1, does it not
even attempt to run the message through the second scanner?
Normal virus detected without Error 5:
=
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanner 1: Virus= W32/[EMAIL PROTECTED]
Attachment=part3.zip [14] O
02/25/2004
Wow, F-Prot is johnny-on-spot and catching these with the latest definition
from about an hour ago. However, RAV and TrendMicro are not catching this
one yet..
Bill
- Original Message -
From: Patrick Childers (by way of R. Scott Perry [EMAIL PROTECTED])
[EMAIL PROTECTED]
To: [EMAIL
Typically the McAfee command line scanner, scan.exe, has been located in
c:\program files\common files\Network Associates\VirusScan Engine\4.0.xx, or
whatever version number you are running. Here is the McAfee entry from the
Declude Virus manual at http://www.declude.com/virus/manual.htm:
or scan32.exe on the drive.
Gene Head
ACCRAM Inc.
MCP,Net+,A+,CCNA,CCDA
[EMAIL PROTECTED]
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, February 24, 2004 6:36 PM
To: [EMAIL PROTECTED]
Subject: Re
A new variant of W32/[EMAIL PROTECTED] that we just caught a couple of. RAV nor
F-Prot caught it, but TrendMicro, ClamAV (Clam id it as MyDoom.E) McAfee
did.
The attachments were named: object.zip hnmhjn.exe
Subjects were: JPWMDWXACRNSN Fake
Anyway, be on the lookout...
Bill
---
[This
Maybe a corrupted declude.exe file? Try downloading the file again from the
Declude web site and see if that fixes the problem.
Bill
- Original Message -
From: jan k wikhaug [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 19, 2004 1:14 PM
Subject: [Declude.Virus]
Matt, what does your report line look like?
If it's:
REPORT1 Infections:
maybe try instead
REPORT1 Identified
without a colon ":". Just curious if that
fixes it, since the report does not contain "Infections:", but does contain
"Identified".
Bill
- Original Message -
From:
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Would it be possible to E-mail one of the quarantined D*.SMD files to
our
virustrap@ account? We can then analyze it and should be able to get
a
better idea of why this is happening.
I sent sample d*.smd virus files
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
I resent it last night from my yahoo account. Did you receive it at the
virustrap address?
No -- the only E-mail to arrive there was the one from GroupShield for
Exchange.
Please check the virustrap mailbox again,
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Please check the virustrap mailbox again, hopefully third attempt is a
charm...
It came through -- it looks like the one from last night probably did as
well, but got caught here.
Are you running 3 virus scanners with
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
This is indeed due to an issue with Declude Virus -- it will be fixed
in
the next interim release.
Scott, I upgraded to Declude v1.77i26 and that took care of the file name
issue - thanks! However, I am now noticing
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus=
[ WORM_MYDOOM.A](1) in
M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
is that appearing all on one line, or on two separate lines in the log
file?
All
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
This is indeed due to an issue with Declude Virus -- it will be fixed in
the next interim release.
Scott, I upgraded to Declude v1.77i26 and that took care of the file name
issue - thanks! However, I am now noticing that
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Scott, I am running Declude v1.77i24 and I am wondering why Declude Virus
is
using the file name from the second virus scanner instead of the first...
This should only happen if the first virus scanner did not report the
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
I was looking at the virus manual site and noticed that the TrendMicro
config entry does not have a report line. Is this because Trend does
not
provide a report output the Declude can track? Just wondering because we
are
Pest Patrol is a spyware application that is supported by Declude Virus, at
least it is shown in the manual at http://www.declude.com/virus/manual.htm.
Bill
- Original Message -
From: Bridges, Samantha [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 26, 2004 7:49 AM
Subject:
Here's what I have used for over a year and recommended to the list at that
time:
# F-Prot
SCANFILE1
C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM
-PACKED -SILENT -TYPE -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1 Infection:
I include the
for -packed, for example.
Also a test shows that the /NOBOOT command is applicable to FPCMD.exe
and
saves scanning the boot records.
Mike Nice
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, January 25, 2004 1:35 PM
Subject: Re
I think it depends on your virus scanner, but I believe that most virus
scanners will now detect the zip of death.
Bill
- Original Message -
From: Craig Gittens [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 11:52 AM
Subject: [Declude.Virus] Zip vulnerability
1 - 100 of 132 matches