[Declude.Virus] F-Prot?

[Hirthe, Alexander]

Hello,

I'm sometimes getting this error with F-Prot 

07/09/2004 00:54:11 Qd08844ad00207366 Could not find report file
C:\IMAIL\spool\Dd08844ad00207366.vir\report.txt.
07/09/2004 00:54:11 Qd08844ad00207366 Error -1073741819 in virus scanner 1.
07/09/2004 00:54:12 Qd08844ad00207366 Scanned: Error in virus scanner.
[MIME: 1 2213]
(Medium Log, I switched to High right now :)

F-Prot is working with this commandline. 
SCANFILE1 C:\PROGRA~1\FSI\F-PROT\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE
/NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1   3
VIRUSCODE1   6
REPORT1  Infection

Has anyone else a similiar behaviour? Running F-Prot 3.14B on W2003 

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] wave of unknown viruses?

[Hirthe, Alexander]

Hello Markus,
 

  
  I'm not sure but 
  in the last few minutes I can see in increased number of "unknown virus" 
  reports from my F-Prot 3.14e scan engine.
   
  how many do you get? I'm getting about 10-15 a 
  day. Nearly all from Dial In IP Areas.
  3 Scanners, 
  F-Prot, AVG and ClamAV :)
   
  07/28/2004 11:13:02 Q6e14239e00bccf4d MIME 
  file: [text/html][7bit; Length=194 Checksum=16426]07/28/2004 11:13:02 
  Q6e14239e00bccf4d MIME file: dbfsjsrjof.jpeg [base64; Length=957 
  Checksum=96567]07/28/2004 11:13:02 Q6e14239e00bccf4d MIME file: 
  Updates.zip [base64; Length=31241 Checksum=3968295]07/28/2004 11:13:02 
  Q6e14239e00bccf4d Found encrypted .ZIP file07/28/2004 11:13:02 
  Q6e14239e00bccf4d Banning .ZIP file with encrypted exe 
  extension.07/28/2004 11:13:03 Q6e14239e00bccf4d Scanner 3: Virus= 
  Attachment= [5] I07/28/2004 11:13:03 Q6e14239e00bccf4d File(s) are 
  INFECTED [: 1]07/28/2004 11:13:03 Q6e14239e00bccf4d Scanned: CONTAINS A 
  VIRUS [Prescan OK][MIME: 3 32490]07/28/2004 11:13:03 Q6e14239e00bccf4d 
  From: @yyy.yy To: 
  @aaa.dd [incoming from 
  217.185.36.93]07/28/2004 11:13:03 Q6e14239e00bccf4d Subject: Re: Incoming 
  Message
  Alex

[Declude.Virus] OT: Kerio Mail?

[Hirthe, Alexander]

Hello,

we are looking for an "update" to our Exchange 5.5 Server. 
Running only internal network, Imail get's all external mail and a Tool
transfers all mail from Imail to Exchange.

Has anyone experiences with Kerio Mail? 
They released Version 6 last week, which looks good (and much much cheaper
than MSX 2003) to me :)

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] IMail?

[Hirthe, Alexander]

Hello,
 
where can I buy IMail? 
(not at Ipswitch.com, cheaper :) 
 
Alex 

[Declude.Virus] Buffer Overflow in Imail

[Hirthe, Alexander]

Hello,

there is an Buffer Overflow in Imail 8.1x and a Hotfix 8.14 HF1 to fix this 
see http://www.ipswitch.com/Support/ICS/updates/im814hf1.html

Details (in German) http://www.heise.de/security/news/meldung/53332
according to heise.de there is an exploit available that opens a Shell on
Port .

Alex

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] OT - Reboot with AVG?

[Hirthe, Alexander]

Hello,

is it possible to avoid the reboots from AVG? 

We are running two servers one with W2KServer and one with W2K3. 
Both with Imail8, Declude Virus + Junkmail, AVG and other Scanners. 

The AVG on the W2K3 wants me every 6-8 weeks to reboot the machine to get an
update working. 
The W2K server needs this in a completly different schedule, I rebootet the
W2K3 now, and the W2K a week ago.

???

Alex
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Something strange out...

[Hirthe, Alexander]

Hello,

this is a new Sober. 

Alex 

> -Original Message-
> From: Markus Gufler [mailto:[EMAIL PROTECTED] 
> Sent: Friday, November 19, 2004 10:09 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Something strange out...
> 
> >From this morning on (09:00 am GMT+1) on we can see a lot of "unknown
> viruses"
> 
> As this messages contains from one to many recipients there 
> are comming back
> a lot of NDR's from our warning messages. (Scott: you know we 
> can not SKIPIF
> unknown virus)
> So at the momen I've disabled all warning messages on our server.
> 
> Looking at the messages there are often file attachments 
> (pif, scr xls.zip
> ...)
> Here's a sample content of the body:
> 
> Note that "HTWM", "htwm.de" in this case is part of the 
> forged sender. It is
> different in practically every infected message.
> The same for "INDEPENDENT" and "www.independent.it" - in this case the
> recipients Domain.
> 
> 
> =
> This mail was generated automatically.
> More info about --HTWM-- under: http://www.htwm.de
> 
> ---
> Occured_Errors:
> 
> 26.186.253.126_does_not_like_sender.
> # 547: mailbox_unavailable
> # 158: This_account_has_been_disabled_[#206].
> # 373: Remote_host_said:_Requested_action_not_taken
> # 516: MAILBOX NOT FOUND
> 
> End
> ---
> 
> The corrected mail is attached.
> 
> Auto_Mail.System: [htwm]
> 
> 
> *-*-* Attachment: No Virus found
> *-*-* INDEPENDENT- Anti_Virus Service
> *-*-* http://www.independent.it
> =
> 
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
> (http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
> 
> 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] F-Prot 3.16 available.

[Hirthe, Alexander]

Hello,

fyi:
--
FRISK Software has released version 3.16 of F Prot Antivirus
for Windows as well as versions 4.4.8 of F-Prot Antivirus for
all UNIX based platforms. 

More information on these releases can be found on our
website:

http://www.f-prot.com/news/gen_news/041118_release_win316.html
http://www.f-prot.com/news/gen_news/041119_release_unix_all.html

We recommend that users of F-Prot Antivirus for Windows, for
Linux x86, for BSD x86, for Solaris x86, for Solaris SPARC,
for AIX on IBM pSeries and for Linux on IBM zSeries update
their programs to these newest versions as soon as
possible.
--
No, I won't install it friday evening :)

Alex
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Where is the 'CR' vulnerability

[Hirthe, Alexander]

Hello Markus,

I got it twice, one with an attached cr_vuln.txt at 9:31 this morning, one
with the headers inline at 11:56.

Alex 

> -Original Message-
> From: Markus Gufler [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, February 09, 2005 10:55 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Where is the 'CR' vulnerability
> 
> Beside the question: I've send this message (with the message 
> in the body)
> yesterday evening but it was not delivered to the list. So 
> I've resend the
> message (with the message as attachment) this morning and it showed up
> immediatly on the list.  ??
> 
> Markus
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> > Sent: Tuesday, February 08, 2005 8:56 PM
> > To: Declude.Virus@declude.com
> > Subject: [Declude.Virus] Where is the 'CR' vulnerability
> > 
> > 
> > A customers PHP script is sending out the following message:
> > 
> > 
> > 
> ~~
> > Received: from lx.domain.net [217.123.123.123] by 
> > mail.zcom.it with ESMTP
> >   (SMTPD32-8.13) id AD887060072; Tue, 08 Feb 2005 17:49:12 +0100
> > Received: by lx.domain.net (Postfix, from userid 33)
> > id 93432A1C4; Tue,  8 Feb 2005 17:47:19 +0100 (CET)
> > To: [EMAIL PROTECTED]
> > Subject: Danke
> > From: "customer.it" <[EMAIL PROTECTED]>
> > X-Mailer: PITA-Server 1.5-Z8 1107902839 Message-Id:
> > <[EMAIL PROTECTED]>
> > Date: Tue,  8 Feb 2005 17:47:19 +0100 (CET)
> > X-Declude-Sender: [EMAIL PROTECTED] [217.123.123.123]
> > X-Spam-Tests-Failed: None [0]
> > X-Country-Chain: 
> > X-Note: Sent from [EMAIL PROTECTED] -  
> ([217.123.123.123]) incoming.
> > X-Declude-Virus: Detected [Outlook 'CR' Vulnerability].
> > 
> > 
> > Danke dass Sie sich bei immobilien-prisma.it erkundigen.
> > 
> > Besuchen Sie uns wieder!
> > 
> > --
> > Immobilien in Brixen und Umgebung
> > http://www.immobilien-prisma.it/
> > mailto:[EMAIL PROTECTED]
> > 
> ~~
> > 
> > 
> > Question: Where is the CR vulnerability?
> > 
> > Markus
> > 
> > ---
> > [This E-mail was scanned for viruses by Declude Virus 
> > (http://www.declude.com)]
> > 
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To 
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".The archives can be found
> > at http://www.mail-archive.com.
> > 
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
> (http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
> 
> 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] ClamAV?

[Hirthe, Alexander]

Hello,

I'm getting errors with Zip Files larger than about 10 MB.

In the virus.log:
02/17/2005 17:12:03 Qbede796f012201de MIME file: 123.zipxxx [base64;
Length=13024694 Checksum=1676135806]
02/17/2005 17:12:07 Qbede796f012201de Scanner 3: Virus= Attachment= [6] O
02/17/2005 17:12:07 Qbede796f012201de File(s) are INFECTED [: 1]
02/17/2005 17:12:07 Qbede796f012201de Scanned: CONTAINS A VIRUS [MIME: 2
13024860]
The file is without any virus. Sure :)

from virus.cfg:
SCANFILE3 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose
--no-summary -l report.txt
VIRUSCODE3 1
REPORT3 FOUND

Has anyone else such errors? 
The user told me, this could/would happen with all zipped files larger than
6 MB. 

Alex
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] AV Gateway for external Customer

[Hirthe, Alexander]

Hello,

I want to provide Declude Services for a customer with his own Dominio
Mailserver. Do I only need the Host entry and I'm done?
I found http://support.ipswitch.com/kb/IM-19980116-DM01.htm
 

At the moment the MX records are pointing to the customer's SMTP Security
Gateway.
In future they will/should point to our mailserver, and I'll create a
declude subdirectory for them \declude\customer.domain\$default$.JunkMail

Did I forget anything? I sounds to easy :-)

Alex


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] AV Gateway for external Customer

[Hirthe, Alexander]

I'll go home now, to silly to post to mails to the same list :-/
The other mail I mentioned was postet to the Junkmail list.

Alex

> -Original Message-
> From: Hirthe, Alexander [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 12, 2005 1:47 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] AV Gateway for external Customer
> 
> Hello,
> 
> I want to provide Declude Services for a customer with his own Dominio
> Mailserver. Do I only need the Host entry and I'm done?
> I found http://support.ipswitch.com/kb/IM-19980116-DM01.htm
> <http://support.ipswitch.com/kb/IM-19980116-DM01.htm> 
> 
> At the moment the MX records are pointing to the customer's 
> SMTP Security
> Gateway.
> In future they will/should point to our mailserver, and I'll create a
> declude subdirectory for them 
> \declude\customer.domain\$default$.JunkMail
> 
> Did I forget anything? I sounds to easy :-)
> 
> Alex
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
> 
> 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] AVG 7.1?

[Hirthe, Alexander]

Hello,

did anyone else get the (automatic) AVG Update to 7.1? 

Looks like there is no need to change anything. Nice :)

fyi: the Update needs a reboot. 

Alex 

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Second scanner

[Hirthe, Alexander]

I run both, AVG as second, Clam as third (and F-Prot as first)


> -Original Message-
> From: Kaj Søndergaard Laursen [mailto:[EMAIL PROTECTED] 
> Sent: Friday, November 04, 2005 2:51 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Second scanner
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: 4. november 2005 07:22
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Second scanner
> > 
> > I use AVG as the second scanner and am happy with the 
> > results.
> 
> Me too...
> 
> I have not tried the windows version of ClamAV - the cygwin 
> version did not run well in my setup.
> 
> Regards,
> 
> Kaj
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
> 
> 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Bugfix: Imail 8.22 and ICS 2.02 released

[Hirthe, Alexander]

Hello,

there are two bugs in Imail, one for authenticated users in Imap, one for
all in SMTP. 
Please upgrade your systems!

http://www.ipswitch.com/support/ics/updates/ics202.asp
 
http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp
 

Advisories:
-
http://www.idefense.com/application/poi/display?id=347&type=vulnerabilities
 
-
http://www.idefense.com/application/poi/display?id=346&type=vulnerabilities
 

Alex
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?

[Hirthe, Alexander]

Title: Mail.zip from AOL Encrypted Messaging Service?






Hello,


I got a mail.zip from "AOL Encrypted Messaging Service", including a .hta file with encrypted content. Does'nt look good to me :)

Has anyone else seen this mail? 

Does anyone know DadaMail? 


---

Received: from thbafiqcm.com [217.198.112.101] by siller.de with ESMTP

  (SMTPD-8.22) id A9DB33088; Thu, 19 Jan 2006 19:26:35 +0100

Date: Thu, 19 Jan 2006 19:28:38 +0100

From: [EMAIL PROTECTED]

X-Mailer: DadaMail 2.1

Reply-To: [EMAIL PROTECTED]

X-Priority: 3 (Normal)

Message-ID: [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

Subject: [Suspect Mail]Encrypted Message Service

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="ABCD6E90"

X-Antivirus: avast! (VPS 0603-3, 18.01.2006), Outbound message

X-Antivirus-Status: Clean

X-OriginalArrivalTime: 19 Jan 2006 18:36:26.0852 (UTC) FILETIME=[419F3240:01C61D27]


--ABCD6E90

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit


--ABCD6E90

Content-Type: application/x-zip-compressed; name="mail.zip"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="mail.zip"



--ABCD6E90--

---


Alex

AW: [Declude.Virus] CLAMAV - 88.3-1 - 7/11/2006 Release

[Hirthe, Alexander]

Hi Darell,

I'm running it since last Monday, nothing special.

Alex  

> -Ursprüngliche Nachricht-
> Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im 
> Auftrag von Darrell ([EMAIL PROTECTED])
> Gesendet: Montag, 31. Juli 2006 03:18
> An: Declude.Virus@declude.com
> Betreff: [Declude.Virus] CLAMAV - 88.3-1 - 7/11/2006 Release
> 
> I noticed a new build from the SOSDG group has been released (88.3-1).
> http://www.sosdg.org/clamav-win32/index.php
> 
> Anyone running it yet?
> 
> Darrell
> --
> --
> Check out http://www.invariantsystems.com for utilities for 
> Declude And Imail.  IMail/Declude Overflow Queue Monitoring, 
> SURBL/URI integration, MRTG Integration, and Log Parsers. 
> 
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
> 
> 
> 
> 
> 


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] AVG?

[Hirthe, Alexander]

Title: AVG?






Hello,


I'm not shure, If AVG is running, how can I verify this? (After upgrading to 4.3.7)


In the logfile I  see this: 

09/22/2006 15:08:37.046 qe051017b01b9.smd Outlook 'Space Gap' Vulnerability in line 36

09/22/2006 15:08:37.875 qe051017b01b9.smd Virus scanner 1 reports exit code of 0

09/22/2006 15:08:41.718 qe051017b01b9.smd Virus scanner 2 reports exit code of 0

09/22/2006 15:08:41.718 qe051017b01b9.smd Found a bogus .com file


??


Scanners are #1 = Clam, #2 = Fprot, and where is AVG? :-)


Alex 




---This E-mail came from the Declude.Virus mailing list.  Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".The archives can be foundat http://www.mail-archive.com.

[Declude.Virus] Couldn't rename SMD to SM$ [183]

[Hirthe, Alexander]

Hello,
 
what should this message tell me? :)
-
12/18/2006 23:51:47.687 q1a18019903bb.smd Couldn't rename SMD to SM$
[183].  Priority back to 32. Error String: [Cannot create a file when
that file already exists.]
[C:\IMail\spool\proc\work\D1a18019903bb.smd]
[C:\IMail\spool\proc\work\D1a18019903bb.sm$]
-
and why does it happen?
 
I found it multiple times in the logfile, running declude v4.3.14 with
AVG Built-In and ClamAV.
 
Alex 


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] Couldn't rename SMD to SM$ [183]

[Hirthe, Alexander]

Hello John,
 
the error is both in the declude and in the viruslog:
 
declude.log:
12/19/2006 07:40:18.453 q89350234819c.smd Tests failed [weight=515]:
IPNOTINMX=IGNORE[0] CBL=WARN[60] MXRATE-BLOCK=IGNORE[80]
SORBS-DUHL=IGNORE[60] UCEPROTECT-1=IGNORE[80] UCEPROTECT-2=IGNORE[70]
CMDSPACE=IGNORE[80] SUBCHARS-50=IGNORE[10] SUBCHARS-55=IGNORE[10]
SUBCHARS-60=IGNORE[10] SNIFFER-GREYMAIL=WARN[90] FOREIGN=IGNORE[15]
TLD-TRUSTED-HELO=IGNORE[0] TLD-TRUSTED-MAILFROM=IGNORE[0]
TLD-TRUSTED-REVDNS=IGNORE[0] Y!DIRECTED=IGNORE[50]
ANTI-Y!DIRECTED=IGNORE[-40] WEIGHT50=WARN[50] WEIGHT80=SUBJECT[80]
WEIGHT100=SUBJECT[100] WEIGHT150=SUBJECT[150] WEIGHT200=ATTACH[200]
WEIGHT250=DELETE[250] WEIGHT300=IGNORE[300] WEIGHT350=IGNORE[350] 
12/19/2006 07:40:18.453 q89350234819c.smd Couldn't move/copy ATTACH
data file [183]
12/19/2006 07:40:18.453 q89350234819c.smd Action(s) taken for
[EMAIL PROTECTED] = IGNORE WARN SUBJECT ATTACH DELETE  [LAST
ACTION=DELETE]
12/19/2006 07:40:18.453 q89350234819c.smd Cumulative action(s) on
this email = IGNORE WARN SUBJECT ATTACH DELETE  [LAST ACTION=DELETE]
12/19/2006 07:45:18.469 q89350234819c.smd Couldn't rename SMD to SM$
[183].  Priority back to 32. Error String: [Cannot create a file when
that file already exists.]
[C:\IMAIL\spool\proc\work\D89350234819c.smd]
[C:\IMAIL\spool\proc\work\D89350234819c.sm$]

virus.log:
12/19/2006 07:45:18.469 q89350234819c.smd Couldn't rename SMD to SM$
[183].  Priority back to 32. Error String: [Cannot create a file when
that file already exists.]
[C:\IMAIL\spool\proc\work\D89350234819c.smd]
[C:\IMAIL\spool\proc\work\D89350234819c.sm$]
 
Why does declude try to Attach the (Spam-Mail) file, if it should delete
it? 
And where does the file come from?
 
Alex 
 
 
 




Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag
von John T (Lists)
Gesendet: Dienstag, 19. Dezember 2006 00:45
An: declude.virus@declude.com
Betreff: RE: [Declude.Virus] Couldn't rename SMD to SM$ [183]



Search for all log lines for that message in both the junkmail
and virus logs to see if there is another error message preceding that.

 

John T

eServices For You

 

"Life is a succession of lessons which must be lived to be
understood."

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Hirthe, Alexander
Sent: Monday, December 18, 2006 2:54 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Couldn't rename SMD to SM$ [183]

 

Hello,

 

what should this message tell me? :)

-

12/18/2006 23:51:47.687 q1a18019903bb.smd Couldn't rename
SMD to SM$ [183].  Priority back to 32. Error String: [Cannot create a
file when that file already exists.]
[C:\IMail\spool\proc\work\D1a18019903bb.smd]
[C:\IMail\spool\proc\work\D1a18019903bb.sm$]
-

and why does it happen?

 

I found it multiple times in the logfile, running declude
v4.3.14 with AVG Built-In and ClamAV.

 

Alex 


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] WG: [Declude.Virus] Couldn't rename SMD to SM$ [183]

[Hirthe, Alexander]

Hello,
 
has anyone a good idea for me? I have 15895 sm$ Files in my
imail\spool\proc directory. 28.12 till now.
all (marked as) Spam, all similar Logfile entries.
 
???
 
Alex 
 





Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag
von Hirthe, Alexander
Gesendet: Mittwoch, 20. Dezember 2006 08:46
An: declude.virus@declude.com
Betreff: AW: [Declude.Virus] Couldn't rename SMD to SM$ [183]


Hello John,
 
the error is both in the declude and in the viruslog:
 
declude.log:
12/19/2006 07:40:18.453 q89350234819c.smd Tests failed
[weight=515]: IPNOTINMX=IGNORE[0] CBL=WARN[60] MXRATE-BLOCK=IGNORE[80]
SORBS-DUHL=IGNORE[60] UCEPROTECT-1=IGNORE[80] UCEPROTECT-2=IGNORE[70]
CMDSPACE=IGNORE[80] SUBCHARS-50=IGNORE[10] SUBCHARS-55=IGNORE[10]
SUBCHARS-60=IGNORE[10] SNIFFER-GREYMAIL=WARN[90] FOREIGN=IGNORE[15]
TLD-TRUSTED-HELO=IGNORE[0] TLD-TRUSTED-MAILFROM=IGNORE[0]
TLD-TRUSTED-REVDNS=IGNORE[0] Y!DIRECTED=IGNORE[50]
ANTI-Y!DIRECTED=IGNORE[-40] WEIGHT50=WARN[50] WEIGHT80=SUBJECT[80]
WEIGHT100=SUBJECT[100] WEIGHT150=SUBJECT[150] WEIGHT200=ATTACH[200]
WEIGHT250=DELETE[250] WEIGHT300=IGNORE[300] WEIGHT350=IGNORE[350] 
12/19/2006 07:40:18.453 q89350234819c.smd Couldn't move/copy
ATTACH data file [183]
12/19/2006 07:40:18.453 q89350234819c.smd Action(s) taken
for [EMAIL PROTECTED] = IGNORE WARN SUBJECT ATTACH DELETE  [LAST
ACTION=DELETE]
12/19/2006 07:40:18.453 q89350234819c.smd Cumulative
action(s) on this email = IGNORE WARN SUBJECT ATTACH DELETE  [LAST
ACTION=DELETE]
12/19/2006 07:45:18.469 q89350234819c.smd Couldn't rename
SMD to SM$ [183].  Priority back to 32. Error String: [Cannot create a
file when that file already exists.]
[C:\IMAIL\spool\proc\work\D89350234819c.smd]
[C:\IMAIL\spool\proc\work\D89350234819c.sm$]

virus.log:
12/19/2006 07:45:18.469 q89350234819c.smd Couldn't rename
SMD to SM$ [183].  Priority back to 32. Error String: [Cannot create a
file when that file already exists.]
[C:\IMAIL\spool\proc\work\D89350234819c.smd]
[C:\IMAIL\spool\proc\work\D89350234819c.sm$]
 
Why does declude try to Attach the (Spam-Mail) file, if it
should delete it? 
And where does the file come from?
 
Alex 
 
 
 




Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im
Auftrag von John T (Lists)
Gesendet: Dienstag, 19. Dezember 2006 00:45
An: declude.virus@declude.com
Betreff: RE: [Declude.Virus] Couldn't rename SMD to SM$
[183]



Search for all log lines for that message in both the
junkmail and virus logs to see if there is another error message
preceding that.

 

John T

eServices For You

 

"Life is a succession of lessons which must be lived to
be understood."

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Hirthe, Alexander
Sent: Monday, December 18, 2006 2:54 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Couldn't rename SMD to SM$
[183]

 

Hello,

 

what should this message tell me? :)

-

12/18/2006 23:51:47.687 q1a18019903bb.smd Couldn't
rename SMD to SM$ [183].  Priority back to 32. Error String: [Cannot
create a file when that file already exists.]
[C:\IMail\spool\proc\work\D1a18019903bb.smd]
[C:\IMail\spool\proc\work\D1a18019903bb.sm$]
-

and why does it happen?

 

I found it multiple times in the logfile, running
declude v4.3.14 with AVG Built-In and ClamAV.

 

Alex 


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be
found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be
found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Vi

WG: [Declude.Virus] Couldn't rename SMD to SM$ [183]

[Hirthe, Alexander]

Hello,
 
has anyone a good idea for me? I have 15895 sm$ Files in my
imail\spool\proc directory. 28.12 till now.
all (marked as) Spam, all similar Logfile entries.
 
???
 
Alex 
 





Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag
von Hirthe, Alexander
Gesendet: Mittwoch, 20. Dezember 2006 08:46
An: declude.virus@declude.com
Betreff: AW: [Declude.Virus] Couldn't rename SMD to SM$ [183]


Hello John,
 
the error is both in the declude and in the viruslog:
 
declude.log:
12/19/2006 07:40:18.453 q89350234819c.smd Tests failed
[weight=515]: IPNOTINMX=IGNORE[0] CBL=WARN[60] MXRATE-BLOCK=IGNORE[80]
SORBS-DUHL=IGNORE[60] UCEPROTECT-1=IGNORE[80] UCEPROTECT-2=IGNORE[70]
CMDSPACE=IGNORE[80] SUBCHARS-50=IGNORE[10] SUBCHARS-55=IGNORE[10]
SUBCHARS-60=IGNORE[10] SNIFFER-GREYMAIL=WARN[90] FOREIGN=IGNORE[15]
TLD-TRUSTED-HELO=IGNORE[0] TLD-TRUSTED-MAILFROM=IGNORE[0]
TLD-TRUSTED-REVDNS=IGNORE[0] Y!DIRECTED=IGNORE[50]
ANTI-Y!DIRECTED=IGNORE[-40] WEIGHT50=WARN[50] WEIGHT80=SUBJECT[80]
WEIGHT100=SUBJECT[100] WEIGHT150=SUBJECT[150] WEIGHT200=ATTACH[200]
WEIGHT250=DELETE[250] WEIGHT300=IGNORE[300] WEIGHT350=IGNORE[350] 
12/19/2006 07:40:18.453 q89350234819c.smd Couldn't move/copy
ATTACH data file [183]
12/19/2006 07:40:18.453 q89350234819c.smd Action(s) taken
for [EMAIL PROTECTED] = IGNORE WARN SUBJECT ATTACH DELETE  [LAST
ACTION=DELETE]
12/19/2006 07:40:18.453 q89350234819c.smd Cumulative
action(s) on this email = IGNORE WARN SUBJECT ATTACH DELETE  [LAST
ACTION=DELETE]
12/19/2006 07:45:18.469 q89350234819c.smd Couldn't rename
SMD to SM$ [183].  Priority back to 32. Error String: [Cannot create a
file when that file already exists.]
[C:\IMAIL\spool\proc\work\D89350234819c.smd]
[C:\IMAIL\spool\proc\work\D89350234819c.sm$]

virus.log:
12/19/2006 07:45:18.469 q89350234819c.smd Couldn't rename
SMD to SM$ [183].  Priority back to 32. Error String: [Cannot create a
file when that file already exists.]
[C:\IMAIL\spool\proc\work\D89350234819c.smd]
[C:\IMAIL\spool\proc\work\D89350234819c.sm$]
 
Why does declude try to Attach the (Spam-Mail) file, if it
should delete it? 
And where does the file come from?
 
Alex 
 
 
 




Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im
Auftrag von John T (Lists)
Gesendet: Dienstag, 19. Dezember 2006 00:45
An: declude.virus@declude.com
Betreff: RE: [Declude.Virus] Couldn't rename SMD to SM$
[183]



Search for all log lines for that message in both the
junkmail and virus logs to see if there is another error message
preceding that.

 

John T

eServices For You

 

"Life is a succession of lessons which must be lived to
be understood."

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Hirthe, Alexander
Sent: Monday, December 18, 2006 2:54 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Couldn't rename SMD to SM$
[183]

 

Hello,

 

what should this message tell me? :)

-

12/18/2006 23:51:47.687 q1a18019903bb.smd Couldn't
rename SMD to SM$ [183].  Priority back to 32. Error String: [Cannot
create a file when that file already exists.]
[C:\IMail\spool\proc\work\D1a18019903bb.smd]
[C:\IMail\spool\proc\work\D1a18019903bb.sm$]
-

and why does it happen?

 

I found it multiple times in the logfile, running
declude v4.3.14 with AVG Built-In and ClamAV.

 

Alex 


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be
found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be
found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Vi

AW: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7

[Hirthe, Alexander]

Hello Darell,
 
are you (or David :) sure with the return codes? 
 
I'm getting 0.0.0.1 and these files on both servers:
 
DarellAlex
incavi.avm - 4/15/2007 - 4/06/2007   
microavi.avg - 4/5/2007 - 4/05/2007  
miniavg.avg - 2/16/2007 - 2/16/2007 
avi7.avg - 2/21/2007 - 21/02/2007 
 
I stopped decludeproc, renamed the AVG Files and started decludeproc and
I got the same files, all from today, but with the same size than bevor.

 
Alex 





Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag
von Darrell ([EMAIL PROTECTED])
Gesendet: Montag, 16. April 2007 14:37
An: declude.virus@declude.com
Betreff: Re: [Declude.Virus] AVG Virus updates - No updates from
declude since 4/7/7


Honestly, I am not sure what all the individual files are, but
here are my dates
 
incavi.avm - 4/15/2007
microavi.avg - 4/5/2007
miniavg.avg - 2/16/2007
avi7.avg - 2/21/2007
 
Howard - you can try this post from David from the Archive-

http://www.mail-archive.com/declude.virus@declude.com/msg13473.html
 
Darrell


Check out http://www.invariantsystems.com for utilities for
Declude And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.

- Original Message - 
From: Howard Smith (N.O.R.A.D.)
  
To: declude.virus@declude.com 
Cc: [EMAIL PROTECTED] ; 'David Barker'
  
Sent: Monday, April 16, 2007 6:28 AM
Subject: [Declude.Virus] AVG Virus updates - No updates
from declude since 4/7/7


I have not had a virus update from decludes AVG builtin
scanner since 4/6/7 , has any one received any later updates , or
suggestions  to fix problem

 

 

Howard Smith

N.O.R.A.D. Inc.

P.O. Box 680116

Miami, Florida 33168  

www.norad.com 

[EMAIL PROTECTED]

 


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be
found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com. 
--
Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955
--



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] You should not use an on-access virus scanner that scans the ....

[Hirthe, Alexander]

Hello,

after updating to 4.0.46 I've got these entries in one of our
Mailservers:

04/17/2007 08:49:18.391 q6de201f80068.smd Virus scanner 1 reports
exit code of 0
04/17/2007 08:49:18.391 q6de201f80068.smd 1 [1 of 2 not deleted]
files were deleted.  You should not use an on-access virus scanner that
scans the \IMail directory or sub-directories.
04/17/2007 08:49:18.391 q6de201f80068.smd Scanned: Virus Free [MIME:
1 2108]

Yes, I know I should disable to on-access Scanner :)

But:
- there is a local AVG installed, *without* real-time scanner
- and ClamAV
- and nothing else (F-Prot is removed after changing the licensing :)
so I can't find anything that could delete a virus.

Could it be a "wrong" setting from ClamAV (not ClamWin)?

SCANFILE1 C:\imail\declude\runclamscan.exe log=1
C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND
Clam is running with Sanesecurity and malware.com.br signatures.

Alex
--
Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955
--



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] You should not use an on-access virus scanner that scans the ....

[Hirthe, Alexander]

Hello John,
 

1)  86 the read receipt requests! 

Sorry. I'm trying, but sometimes I forget to disable it. 

 

2)  You should be running 4.3.46 at this point due to a
problem with a recent change in AVG. 

Typo, it *is* 4.3.46 

 

3)  Is this happening on every email, or random? 

This morning (after updating) it happend all times, now I can't
see any entries in the log. (and we are getting virusmails :)

I'll keep an eye on the logfiles.

 

4)  Since you are only running one virus scanner (aside from
the built in AVG,) I do not think you need to have the number 1 for each
line, i.e. SCANFILE1 and VIRUSCODE1. 

modified (and no entry before and after) 

 

Alex 

 
--
Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955
--



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] Declude 4.3.46 Release - Memory usage??

[Hirthe, Alexander]

Hello,

How much memory does your decludeproc.exe use? 
on the first system: 40 MB real + 40 MB VM 
on the second:  1440 MB real + 1600 MB VM (now: 1650/2000)

I stopped and restarted it, 10 minutes later the same size and growing.

The Proc directory was "full", now the box is under load and sending out mail. 
(Imail Spool viewer: Sorry, there are over 5000 E-mails in the spool directory 
-- I cannot continue.)

???

running 
--
Declude 4.3.46 Diagnostics
Compilation Platform: IMail
Copyright (c) 2000-2005 Declude, Inc.
--


Alex 



> -Ursprüngliche Nachricht-
> Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im 
> Auftrag von David Barker
> Gesendet: Montag, 16. April 2007 20:24
> An: declude.virus@declude.com
> Betreff: [Declude.Virus] Declude 4.3.46 Release
> 
> Addresses this AVG issue. If you currently only have AVG as 
> your virus scanner I would consider this a critical update.
> 
> EVA   ADD Improved AVG virus database format for optimization
> EVA   ADD Improved speed of AVG scanning by 15-20%
> EVA   ADD Updated AVG (avgsdk.dll 1.2.449)
> DEC   ADD Updated Commtouch ZEROHOUR (asapsdk.dll 5.03.0013) 
> JMFIX Smartermail HELO was being picked up from the 
> headers rather
> than the envelope
> JMFIX Fixed log entry for PCRE when matching on 
> location SUBJECT
> 
> David Barker
> VP Operations  |  Declude
> Your Email Security is our business
> O: 978.499.2933  x7007
> F: 978.988.1311   
> E: [EMAIL PROTECTED]
> 
> 
> ________
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Hirthe, Alexander
> Sent: Monday, April 16, 2007 10:09 AM
> To: declude.virus@declude.com
> Subject: AW: [Declude.Virus] AVG Virus updates - No updates 
> from declude since 4/7/7
> 
> 
> Hello Darell,
>  
> are you (or David :) sure with the return codes? 
>  
> I'm getting 0.0.0.1 and these files on both servers:
>  
> DarellAlex
> incavi.avm - 4/15/2007 - 4/06/2007   
> microavi.avg - 4/5/2007 - 4/05/2007  
> miniavg.avg - 2/16/2007 - 2/16/2007 
> avi7.avg - 2/21/2007 - 21/02/2007 
>  
> I stopped decludeproc, renamed the AVG Files and started 
> decludeproc and I got the same files, all from today, but 
> with the same size than bevor. 
>  
> Alex 
> 
> 
> 
> 
> 
>   Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Im Auftrag von Darrell ([EMAIL PROTECTED])
>   Gesendet: Montag, 16. April 2007 14:37
>   An: declude.virus@declude.com
>   Betreff: Re: [Declude.Virus] AVG Virus updates - No 
> updates from declude since 4/7/7
>
>
>   Honestly, I am not sure what all the individual files 
> are, but here are my dates
>
>   incavi.avm - 4/15/2007
>   microavi.avg - 4/5/2007
>   miniavg.avg - 2/16/2007
>   avi7.avg - 2/21/2007
>
>   Howard - you can try this post from David from the Archive-
>
> http://www.mail-archive.com/declude.virus@declude.com/msg13473.html
>
>   Darrell
>
> --
> --
>   Check out http://www.invariantsystems.com for utilities 
> for Declude And Imail.  IMail/Declude Overflow Queue 
> Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
> 
>   - Original Message - 
>   From: Howard Smith (N.O.R.A.D.) 
> <mailto:[EMAIL PROTECTED]>  
>   To: declude.virus@declude.com 
>   Cc: [EMAIL PROTECTED] ; 'David Barker'
> <mailto:[EMAIL PROTECTED]>  
>   Sent: Monday, April 16, 2007 6:28 AM
>   Subject: [Declude.Virus] AVG Virus updates - No 
> updates from declude since 4/7/7
> 
> 
>   I have not had a virus update from decludes AVG 
> builtin scanner since 4/6/7 , has any one received any later 
> updates , or suggestions  to fix problem
> 
>
> 
>
> 
>   Howard Smith
> 
>   N.O.R.A.D. Inc.
> 
>   P.O. Box 680116
> 
>   Miami, Florida 33168  
> 
>   www.norad.com 
> 
>   [EMAIL PROTECTED]
> 
>
> 
> 
>   ---
>   This E-mail came from the Declude.Virus mailing list. To
>   unsubscribe, just send an E-mail to 
> [EMAIL PROTECTED], and
>   type "unsubscribe Declude.Virus". The archives 
> can be found
>   at http://www.mail-archive.com. 
> 
> 
>   ---
&

AW: [Declude.Virus] Declude 4.3.46 Release - Memory usage??

[Hirthe, Alexander]

Update, I think something with the update went wrong on this server.

I installed the 4.3.46 Update again and now the memory usage is about 50 MB, 
growing to ~ 70 and falling back to 40. 



> -Ursprüngliche Nachricht-
> Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im 
> Auftrag von Hirthe, Alexander
> Gesendet: Mittwoch, 18. April 2007 11:51
> An: declude.virus@declude.com
> Betreff: AW: [Declude.Virus] Declude 4.3.46 Release - Memory usage??
> 
> Hello,
> 
> How much memory does your decludeproc.exe use? 
> on the first system: 40 MB real + 40 MB VM on the second:  
> 1440 MB real + 1600 MB VM (now: 1650/2000)
> 
> I stopped and restarted it, 10 minutes later the same size 
> and growing.
> 
> The Proc directory was "full", now the box is under load and 
> sending out mail. 
> (Imail Spool viewer: Sorry, there are over 5000 E-mails in 
> the spool directory -- I cannot continue.)
> 
> ???
> 
> running
> --
> Declude 4.3.46 Diagnostics
> Compilation Platform: IMail
> Copyright (c) 2000-2005 Declude, Inc.
> --
> 
> 
> Alex 
> 
> 
> 
> > -Ursprüngliche Nachricht-
> > Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im 
> > Auftrag von David Barker
> > Gesendet: Montag, 16. April 2007 20:24
> > An: declude.virus@declude.com
> > Betreff: [Declude.Virus] Declude 4.3.46 Release
> > 
> > Addresses this AVG issue. If you currently only have AVG as 
> > your virus scanner I would consider this a critical update.
> > 
> > EVA ADD Improved AVG virus database format for optimization
> > EVA ADD Improved speed of AVG scanning by 15-20%
> > EVA ADD Updated AVG (avgsdk.dll 1.2.449)
> > DEC ADD Updated Commtouch ZEROHOUR (asapsdk.dll 5.03.0013) 
> > JM  FIX Smartermail HELO was being picked up from the 
> > headers rather
> > than the envelope
> > JM  FIX Fixed log entry for PCRE when matching on 
> > location SUBJECT
> > 
> > David Barker
> > VP Operations  |  Declude
> > Your Email Security is our business
> > O: 978.499.2933  x7007
> > F: 978.988.1311   
> > E: [EMAIL PROTECTED]
> > 
> > 
> > 
> > 
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> > Behalf Of Hirthe, Alexander
> > Sent: Monday, April 16, 2007 10:09 AM
> > To: declude.virus@declude.com
> > Subject: AW: [Declude.Virus] AVG Virus updates - No updates 
> > from declude since 4/7/7
> > 
> > 
> > Hello Darell,
> >  
> > are you (or David :) sure with the return codes? 
> >  
> > I'm getting 0.0.0.1 and these files on both servers:
> >  
> > DarellAlex
> > incavi.avm - 4/15/2007 - 4/06/2007   
> > microavi.avg - 4/5/2007 - 4/05/2007  
> > miniavg.avg - 2/16/2007 - 2/16/2007 
> > avi7.avg - 2/21/2007 - 21/02/2007 
> >  
> > I stopped decludeproc, renamed the AVG Files and started 
> > decludeproc and I got the same files, all from today, but 
> > with the same size than bevor. 
> >  
> > Alex 
> > 
> > 
> > 
> > 
> > 
> > Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> > Im Auftrag von Darrell ([EMAIL PROTECTED])
> > Gesendet: Montag, 16. April 2007 14:37
> > An: declude.virus@declude.com
> > Betreff: Re: [Declude.Virus] AVG Virus updates - No 
> > updates from declude since 4/7/7
> >
> >
> > Honestly, I am not sure what all the individual files 
> > are, but here are my dates
> >  
> > incavi.avm - 4/15/2007
> > microavi.avg - 4/5/2007
> > miniavg.avg - 2/16/2007
> > avi7.avg - 2/21/2007
> >  
> > Howard - you can try this post from David from the Archive-
> >
> > http://www.mail-archive.com/declude.virus@declude.com/msg13473.html
> >  
> > Darrell
> >
> > --
> > --
> > Check out http://www.invariantsystems.com for utilities 
> > for Declude And Imail.  IMail/Declude Overflow Queue 
> > Monitoring, SURBL/URI integration, MRTG Integration, and 
> Log Parsers.
> > 
> > - Original Message - 
> > From: Howard Smith (N.O.R.A.D.) 
> > <mailto:[EMAIL PROTECTED]>  
> > To: declude.virus@declude.com 
> > Cc: [EMAIL PROTECTED] ; 'David Barker'
> > <mailto:[EMAIL PROTECTED]>  
> >  

[Declude.Virus] WG: [clamav-announce] ClamAV/SOSDG 0.90.2-2 Has Been Released!

[Hirthe, Alexander]

fyi




-Ursprüngliche Nachricht-
Von: Brie Bruns [mailto:[EMAIL PROTECTED] 
Gesendet: Mittwoch, 18. April 2007 20:54
An: [EMAIL PROTECTED]
Betreff: [clamav-announce] ClamAV/SOSDG 0.90.2-2 Has Been Released!

Hello all,

I've released ClamAV/SOSDG 0.90.2-2 today.  I highly recommend all users update 
ASAP, as this appears to fix another potential security issue.

http://www.sosdg.org/clamav-win32

There is a direct download as well:

http://clamav-sosdg.googlecode.com/files/clamav-0.90.2-2.exe

Mirrors are going to take time to update.

--
Brie Bruns
The Summit Open Source Development Group http://www.sosdg.org
--
Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955
--


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] Virus?

[Hirthe, Alexander]

Same here, I disabled ClamAV and it seems to get better.


> -Ursprüngliche Nachricht-
> Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von
> Todd Richards
> Gesendet: Montag, 21. Mai 2007 15:44
> An: declude.virus@declude.com
> Betreff: [Declude.Virus] Virus?
>
> Hi Everyone -
>
> Yesterday, I started receiving bounces from one of our main ListServes
> from
> about 5 recipients.  From the 5 bounces, there were 3 variations with
> all of
> them referencing the fact that the email contained...
> "Email.Phishing.RB-882".
>
> I'm running IMail 8.22 (with all hot fixes), the latest version of
> Declude
> with AVG and Clam.  I've tried to Google this message but come up
> empty.
>
> Anyone else see this or have any thoughts?
>
> Thanks!
>
> Todd
>
>
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>
>
--
Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955
--


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] Virus?

[Hirthe, Alexander]

I've got it here in a plaintext Email (generated on a webserver) with a link 
and some lines of text in it.

He tried to forward me the error:

05/21/2007 15:24:58.325 xxx.smd Virus scanner 1 reports exit code of 1
05/21/2007 15:24:58.325 xxx.smd Scanner 1: Virus= Email.Phishing.RB-882 
Attachment= [48] I
05/21/2007 15:24:58.325 xxx.smd Scanned: CONTAINS A VIRUS [MIME: 1 2000]
05/21/2007 15:24:58.325 xxx.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] 
[incoming from 12.12.12.12]
05/21/2007 15:24:58.325 xxx.smd Subject: WG: Undeliverable Mail

and it was caught as RB-882 Attachement.

I was surprised today, how many servers are using Clam and the phising 
signatures :)

Alex

> -Ursprüngliche Nachricht-
> Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von
> Todd Richards
> Gesendet: Montag, 21. Mai 2007 17:12
> An: declude.virus@declude.com
> Betreff: RE: [Declude.Virus] Virus?
>
> I'm seeing it from other email servers though - not mine.  So I don't
> see
> how Clam is the culprit, unless the bounces I'm getting are from
> servers
> also running Clam?  Below are two messages I receive.
>
> Todd
>
>
> ***  #1  ***
> undeliverable to [EMAIL PROTECTED]
>
> Body of message generated response:
> 554 A virus was found in this message! Rejecting message. (#5.3.0)
>
>
> ***  #2  ***
> SMTP connection faile
> undeliverable to [EMAIL PROTECTED]
>
> Body of message generated response:
> 554 Your email was rejected because it contains the Email.Phishing.RB-
> 882
> virus
>
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Hirthe,
> Alexander
> Sent: Monday, May 21, 2007 9:48 AM
> To: declude.virus@declude.com
> Subject: AW: [Declude.Virus] Virus?
>
> Same here, I disabled ClamAV and it seems to get better.
>
>
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>
>
--
Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955
--


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] False Positive ClamAV

[Hirthe, Alexander]

It's the Sane Database.

Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Darrell ([EMAIL 
PROTECTED])
Gesendet: Montag, 21. Mai 2007 17:15
An: declude.virus@declude.com
Betreff: Re: [Declude.Virus] False Positive ClamAV

Are you sure CLAMAV is hitting on this or is this a hit from the SANE phish 
database being used with CLAM?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
- Original Message -
From: Bonno Bloksma
To: Declude.Virus@declude.com
Sent: Monday, May 21, 2007 7:09 AM
Subject: [Declude.Virus] False Positive ClamAV

Hi,

Some of our mail is getting caught bij ClamAV. I've had two reports on two 
completely unrelated mails.

Body of message generated response:
554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV - http://www.clamav.net

I submitted a virus http://cgi.clamav.net/sendvirus.cgi tagging it as a false 
positive report. When I hit Submit I get an error stating this virus is already 
known and I should fix something in the submission. :-(

Can anyone tell me:
1) Whether this is normail behaviour for that page?
2) Where I can report this bug in the webpage? It's not a bug in the program so 
I don't think the Bugzilla page is the right place. If I need to report it via 
a mailing list, which one?
3) How I can check whether my report was received?

Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
--
Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955
--



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] RE: [Declude.JunkMail] 4.3.46

[Hirthe, Alexander]

Hello,

our declude is crashing, no matter if I try 4.3.46 or 4.3.64.
It looks like a "special offer" with about 1400 "To" Addresses.

The Header looks not very strange:

Received: from moutng.kundenserver.de [212.227.126.186] by xx-GmbH.de with 
ESMTP
  (SMTPD-8.22) id A2ED0348; Fri, 19 Oct 2007 19:01:33 +0200
Received: from ics-id.de (p578b6f85.dip0.t-ipconnect.de [87.139.111.133])
by mrelayeu.kundenserver.de (node=mrelayeu2) with ESMTP (Nemesis)
id 0MKwtQ-1Iitka1tTt-00035s; Fri, 19 Oct 2007 17:41:54 +0200
Received: from mail pickup service by ics-id.de with Microsoft SMTPSVC;
 Fri, 19 Oct 2007 16:45:57 +0200
Return-Path: <[EMAIL PROTECTED]>
Delivery-Date: Fri, 19 Oct 2007 16:36:56 +0200
Received-SPF: pass (mxeu24: domain of srs.kundenserver.de designates 
212.227.126.187 as permitted sender) client-ip=212.227.126.187; [EMAIL 
PROTECTED]; helo=moutng.kundenserver.de;
Return-Path: <[EMAIL PROTECTED]>
Delivery-Date: Fri, 19 Oct 2007 10:39:31 +0200
Received-SPF: none (mxeu18: 12.107.122.224 is neither permitted nor denied by 
domain of europastar.com) client-ip=12.107.122.224; [EMAIL PROTECTED]; 
helo=vnu001glbmxh01.enterprisenet.org;
Message-ID: <[EMAIL PROTECTED]>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Content-class: urn:content-classes:message
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="_=_NextPart_001_01C8122B.6A62C395"
Subject: 
=?utf-8?Q?TR:_EUROTEC_NR_355_=286/07=29_-_=C3=A4ussert_attraktives_Sonder?=
=?utf-8?Q?angebot!?=
Date: Fri, 19 Oct 2007 16:45:57 +0200
X-Mailer: Microsoft CDO for Exchange 2000
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: 
=?utf-8?Q?EUROTEC_NR_355_=286/07=29_-_=C3=A4ussert_attraktives_Sonderange?=
=?utf-8?Q?bot!?=
Thread-Index: AcgRkreGKI2IQ6TCQ3W3v9rY5iSFDAAAc3swACTqwAA=
From: "Bailly-Henguely, Jocelyne" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>,


And this repeated till line 1459.
It's 164 KB in size, with "mid" nothing in the logfile.
Eventlog says "stopped unexpectedly" :)

?

Alex






Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] bit OT: RunClamD on 64 Bit Windows 2003?

[Hirthe, Alexander]

Hello,

has anyone tried runclamd on 64 Bit Windows 2003?

I can't get it to work :-/
---
03-20-2008 11:15:39Status: 2
03-20-2008 11:15:39 SERVICE_START_PENDING
03-20-2008 11:15:39Status: 4
03-20-2008 11:15:39 startfailed 0
---

That's the only "error" I'm getting. Nothing in /log, nothing in the eventlog, 
just this "startfailed".
The Service RunClamD is running, but ClamD does not work (no log and clamdscan 
says "can't connect to ClamD")

I tried the one I got from my IMail / Declude installation (on 32 Bit 2003 
Server), I tried the one from ClamAV 
(\clamav-devel\thirdparty\runclamd\runclamd.exe)

Same error. It's running on the 32 Bit machines, so I think (hope :) it could 
be the 64 Bit OS and not me :))

If I start ClamD from the command line it works. Path is correct, Logfile could 
be written, Security is ok.

I don't know, what else it should be.

Alex




Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] bit OT: RunClamD on 64 Bit Windows 2003?

[Hirthe, Alexander]

Hi,

good idea, it looks like missing / wrong permissions. I replaced everything 
from /clamav/ with the permissions ("replace permissions on all child 
objects"). Works now.

Alex


> -Ursprüngliche Nachricht-
> Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von
> Gary Steiner
> Gesendet: Donnerstag, 20. März 2008 19:12
> An: declude.virus@declude.com
> Betreff: re: [Declude.Virus] bit OT: RunClamD on 64 Bit Windows 2003?
>
> Don't know if this relates to your situation, but hope it helps. I ran
> into a problem similar to this, but on a 32-bit machine.  It was caused
> when the software was installed with an account that had administrator
> privileges, but not THE Administrator account.  So possibly you are
> looking at some type of permissions problem.
>
> Gary
>
>
>  Original Message 
> > From: "Hirthe, Alexander" <[EMAIL PROTECTED]>
> > Sent: Thursday, March 20, 2008 3:42 AM
> > To: "declude.virus@declude.com" 
> > Subject: [Declude.Virus] bit OT: RunClamD on 64 Bit Windows 2003?
> >
> > Hello,
> >
> > has anyone tried runclamd on 64 Bit Windows 2003?
> >
> > I can't get it to work :-/
> > ---
> > 03-20-2008 11:15:39Status: 2
> > 03-20-2008 11:15:39 SERVICE_START_PENDING
> > 03-20-2008 11:15:39Status: 4
> > 03-20-2008 11:15:39 startfailed 0
> > ---
> >
> > That's the only "error" I'm getting. Nothing in /log, nothing in the
> eventlog, just this "startfailed".
> > The Service RunClamD is running, but ClamD does not work (no log and
> clamdscan says "can't connect to ClamD")
> >
> > I tried the one I got from my IMail / Declude installation (on 32 Bit
> 2003 Server), I tried the one from ClamAV (\clamav-
> devel\thirdparty\runclamd\runclamd.exe)
> >
> > Same error. It's running on the 32 Bit machines, so I think (hope :)
> it could be the 64 Bit OS and not me :))
> >
> > If I start ClamD from the command line it works. Path is correct,
> Logfile could be written, Security is ok.
> >
> > I don't know, what else it should be.
> >
> > Alex
> >
> >
> > 
> >
> > Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
> > Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
> > Aufsichtsratsvorsitzender: Armin Sohler
> > Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955
> >
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".The archives can be found
> > at http://www.mail-archive.com.
>
>
>
>
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>
>
>



Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] ClamAV Error-Looking For Suggestions

[Hirthe, Alexander]

Hi Brian,

do you have an on accesss scanner?

Try to scan with "c:\clamav\bin\clamscan c:\temp" (or something else)  on the 
command line.
Maybe you will get a "better" error :)
Try both, c:\clamav\bin\clamscan and clamDscan. Maybe just ClamD isn't running 
:)

If this would be the error, look for thirdparty\runclamscan in your ClamDir, 
this is the easy way to run ClamD.

Alex




> -Ursprüngliche Nachricht-
> Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von
> Brian T
> Gesendet: Freitag, 28. März 2008 18:38
> An: declude.virus@declude.com
> Betreff: [Declude.Virus] ClamAV Error-Looking For Suggestions
>
> I recently switch my antivirs over to ClamAV and now my virus log is
> showing
> the following errors:
>
>  03/28/2008 12:56:17.781 q22fc01b601b4.smd Virus scanner 1 reports
> exit
> code of 40
>  03/28/2008 12:56:19.984 q22fc01b601b4.smd Could not find report
> file
> C:\IMail\spool\proc\work\D22fc01b601b4.vir\report.txt.
>  03/28/2008 12:56:20.000 q22fc01b601b4.smd Error 40 in virus
> scanner 1.
>  03/28/2008 12:56:20.453 q22fc01b601b4.smd Scanned: Error in virus
> scanner. [MIME: 2 3032]
>  03/28/2008 12:56:21.828 q231001b601d6.smd Virus scanner 1 reports
> exit
> code of 40
>
>  What I have in my virus.cfg file is as follows:
>
>  #Runclamscan log levels
>
>  # log=0 (No Logging)
>
>  # log=1 (minimal logging only date, time. elapsed times, viruses)
>
>  # log=2 (log all messages same as 1)
>
>  # log=3 (debug log - whole bunch of stuff - multiple lines)
>
>  SCANFILE c:\imail\declude\runclamscan.exe log=1
>  C:\clamav-devel\bin\clamdscan.exe --quiet --max-ratio 0 --max-space
> 1M -l
> report.txt
>
>  VIRUSCODE 1
>
>  REPORT FOUND
>
> I am hoping that someone on the list might have some suggestions.
>
> Thanks in advance.
>
> Brian Thompson
>
>
>
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>
>
>



Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] ZEROHOUR caught a virus

[Hirthe, Alexander]

Here too.
in

message.scr
Unknown File
[.SCR file]
...

Alex

Von: [EMAIL PROTECTED] [EMAIL PROTECTED] im Auftrag von Bonno Bloksma [EMAIL 
PROTECTED]
Gesendet: Montag, 5. Mai 2008 08:27
An: Declude.Virus@declude.com
Betreff: [Declude.Virus] ZEROHOUR caught a virus

Hi,

Suddenly ZEROHOUR starts catching virusses but it does not know WHAT it caught.
-
Declude Virus v4.3.64 caught the ZEROHOUR Unknown virus in readme.zip
from [Forged] to:  [EMAIL PROTECTED].

Date:   04 May 2008 12:36:21
Subject:Returned mail: see transcript for details
Spool File: D7b90047bbde0.smd
Remote IP:  77.42.92.137
-

>From the virlog:
-
C:\Temp>GREP -i BDE0 vir0504.log
05/04/2008 12:36:21.061 q7b90047bbde0.smd Vulnerability flags = 0
05/04/2008 12:36:21.076 q7b90047bbde0.smd MIME file: readme.zip [base64; 
Length=29054 Checksum=3149200]
05/04/2008 12:36:21.139 q7b90047bbde0.smd ZEROHOUR Reports VIRUS: Unknown
05/04/2008 12:36:21.139 q7b90047bbde0.smd File(s) are INFECTED [ZEROHOUR 
Unknown]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Virus scanner 1 reports exit code 
of 3
05/04/2008 12:36:21.342 q7b90047bbde0.smd Forging virus found: Likely 
forged sender was [EMAIL PROTECTED]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanner 1: Virus=: W32/[EMAIL 
PROTECTED] Attachment=readme.zip [50] I
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanned: CONTAINS A VIRUS [MIME: 
2 29533]
05/04/2008 12:36:21.342 q7b90047bbde0.smd From: [Forged] To: [EMAIL 
PROTECTED] [incoming from 77.42.92.137]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Subject: Returned mail: see 
transcript for details
-
I seems one of my other scanners thinks it's a virus as well, and... it reports 
a name.

1) I've seen a ZEROHOUR virus just once before, is this a new feature?

2) Does ZEROHOUR ever know the name of the virus?

3) Could we have a new feature where Declude uses the "real" name of a virus 
when multiple scanners report a virus and some don't know the name?



Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer

tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.



Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] ZEROHOUR caught a virus

[Hirthe, Alexander]

We do not have Zerohour, as we host mails for our customers :-)

Alex



Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von David Barker
Gesendet: Montag, 5. Mai 2008 21:53
An: declude.virus@declude.com
Betreff: RE: [Declude.Virus] ZEROHOUR caught a virus

It could be ZEROHOUR as it identifies viruses based on attributes other than 
virus signatures thereby providing zerohour protection, in many cases the virus 
has no name as it has not been identified yet.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Monday, May 05, 2008 2:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR caught a virus

If I remember correctly, it is not the ZEROHOUR spam test catching a virus. It 
is the internal AVG virus scanner saying it has caught an unknown virus, or 
what it thinks is a virus.



Kevin Bilbee

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Sunday, May 04, 2008 11:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ZEROHOUR caught a virus

Hi,

Suddenly ZEROHOUR starts catching virusses but it does not know WHAT it caught.
-
Declude Virus v4.3.64 caught the ZEROHOUR Unknown virus in readme.zip
from [Forged] to:  [EMAIL PROTECTED].

Date:   04 May 2008 12:36:21
Subject:Returned mail: see transcript for details
Spool File: D7b90047bbde0.smd
Remote IP:  77.42.92.137
-

>From the virlog:
-
C:\Temp>GREP -i BDE0 vir0504.log
05/04/2008 12:36:21.061 q7b90047bbde0.smd Vulnerability flags = 0
05/04/2008 12:36:21.076 q7b90047bbde0.smd MIME file: readme.zip [base64; 
Length=29054 Checksum=3149200]
05/04/2008 12:36:21.139 q7b90047bbde0.smd ZEROHOUR Reports VIRUS: Unknown
05/04/2008 12:36:21.139 q7b90047bbde0.smd File(s) are INFECTED [ZEROHOUR 
Unknown]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Virus scanner 1 reports exit code 
of 3
05/04/2008 12:36:21.342 q7b90047bbde0.smd Forging virus found: Likely 
forged sender was [EMAIL PROTECTED]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanner 1: Virus=: W32/[EMAIL 
PROTECTED] Attachment=readme.zip [50] I
05/04/2008 12:36:21.342 q7b90047bbde0.smd Scanned: CONTAINS A VIRUS [MIME: 
2 29533]
05/04/2008 12:36:21.342 q7b90047bbde0.smd From: [Forged] To: [EMAIL 
PROTECTED] [incoming from 77.42.92.137]
05/04/2008 12:36:21.342 q7b90047bbde0.smd Subject: Returned mail: see 
transcript for details
-
I seems one of my other scanners thinks it's a virus as well, and... it reports 
a name.

1) I've seen a ZEROHOUR virus just once before, is this a new feature?

2) Does ZEROHOUR ever know the name of the virus?

3) Could we have a new feature where Declude uses the "real" name of a virus 
when multiple scanners report a virus and some don't know the name?


Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer

tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.



Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] ZEROHOUR caught a virus

[Hirthe, Alexander]

This is really a great feature to know what will happen.

We do *NOT* have Commtouch licensed, because we host mailservers for other 
customers
But we are getting unknown virus "zerohour".

???
Alex


Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von David Barker
Gesendet: Mittwoch, 7. Mai 2008 16:20
An: declude.virus@declude.com
Betreff: RE: [Declude.Virus] ZEROHOUR caught a virus

Zerohour does not catch viruses based on signatures. It is a virus signature 
that defines it's name. Signature-less protection is an essential complement to 
traditional AV technologies. By proactively scanning the Internet and 
identifying massive virus outbreaks as soon as they emerge, Commtouch's 
Zero-Hour provides proactive virus blocking that is effective and 
signature-independent.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Wednesday, May 07, 2008 2:42 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ZEROHOUR caught a virus

Hi,

Wel it is happening al lot more now and
C:\Temp>grep -i zerohour vir0506.log
05/06/2008 00:57:58.462 q90f204c285d1.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:57:58.462 q90f204c285d1.smd File(s) are INFECTED [ZEROHOUR 
Unknown]
05/06/2008 00:58:23.994 q910c05dc85ee.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 00:58:23.994 q910c05dc85ee.smd File(s) are INFECTED [ZEROHOUR 
Unknown]
05/06/2008 11:20:00.552 q22b604dcdf98.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 11:20:00.552 q22b604dcdf98.smd File(s) are INFECTED [ZEROHOUR 
Unknown]
05/06/2008 11:40:16.701 q27610537e398.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 11:40:16.701 q27610537e398.smd File(s) are INFECTED [ZEROHOUR 
Unknown]
05/06/2008 19:52:39.166 q9ad505b654de.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 19:52:39.166 q9ad505b654de.smd File(s) are INFECTED [ZEROHOUR 
Unknown]
05/06/2008 20:06:40.255 q9e0c04c25a91.smd ZEROHOUR Reports VIRUS: Unknown
05/06/2008 20:06:40.255 q9e0c04c25a91.smd File(s) are INFECTED [ZEROHOUR 
Unknown]

But:
05/06/2008 00:57:58.744 q90f204c285d1.smd Scanner 1: Virus=: W32/[EMAIL 
PROTECTED] Attachment=document.zip [50] I
05/06/2008 00:58:24.213 q910c05dc85ee.smd Scanner 1: Virus=: HTML/IFrame 
Attachment=[HTML segment] [50] I
05/06/2008 11:20:00.755 q22b604dcdf98.smd Scanner 1: Virus=: W32/[EMAIL 
PROTECTED] Attachment=data.zip [50] I
05/06/2008 11:40:16.904 q27610537e398.smd Scanner 1: Virus=: HTML/IFrame 
Attachment=[HTML segment] [50] I
05/06/2008 19:52:39.416 q9ad505b654de.smd Scanner 1: Virus=: W32/[EMAIL 
PROTECTED] Attachment=message.zip [50] I
05/06/2008 20:06:40.474 q9e0c04c25a91.smd Scanner 1: Virus=: HTML/IFrame 
Attachment=[HTML segment] [50] I

In each instance ZEROHOUR reported a virus but did not know what it was, one of 
my other scanners DID know what it was and reported it so.
I sure hope Declude will change this behaviour and report the known virus name 
when one of the scanners DOES report a name.
I'm right now using Declude 4.3.64, I'll start using 4.4.0 later this week.
Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer

tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl
- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Monday, May 05, 2008 9:53 PM
Subject: RE: [Declude.Virus] ZEROHOUR caught a virus

It could be ZEROHOUR as it identifies viruses based on attributes other than 
virus signatures thereby providing zerohour protection, in many cases the virus 
has no name as it has not been identified yet.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Kevin Bilbee
Sent: Monday, May 05, 2008 2:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ZEROHOUR caught a virus

If I remember correctly, it is not the ZEROHOUR spam test catching a virus. It 
is the internal AVG virus scanner saying it has caught an unknown virus, or 
what it thinks is a virus.



Kevin Bilbee

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Sunday, May 04, 2008 11:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ZEROHOUR caught a virus

Hi,

Suddenly ZEROHOUR starts catching virusses but it does not know WHAT it caught.
-
Declude Virus v4.3.64 caught the ZEROHOUR Unknown virus in readme.zip
from [Forged] to:  [EMAIL PROTECTED].

Date:   04 May 2008 12:36:21
Subject:Returned mail: see transcript for details
Spool File: D7b90047bbde0.smd
Remote IP:  77.42.92.137
-

>From the virlog:
--

AW: [Declude.Virus] ClamAV

[Hirthe, Alexander]

Hi Bonno,

Don't know if there was a howto, now there is one :-)

there are two compilations of Clam on Windows, ClamWin and SOSDG ClamAV. 
(http://www.sosdg.org/clamav-win32)
I think both are running stable at the moment, but I'm not sure (ClamAV was not 
really stable about a year or two ago)

We use ClamAV, I think ClamWin is almost the same.


* Install ClamAV

* Configure ClamAV to run as a Service/Daemon (you can run it without 
the service, but it will save you CPU cycles)

* Create a job that starts Freshclam (Signature Update)

* If you want, create a job that gets the Sanesecurity Signatures 
(Anti-Phising, really great!, http://www.sanesecurity.co.uk/)

* Configure Declude the use runclamscan

Daemon:
C:\clamav-devel\thirdparty\runclamd  (Install the thirdparty Tools)
Modify the ini file, start runclamd --install, "net start runclamd"
Check the logfile, I've got the problem with Windows 64, that it won't start on 
the first try. Windows 32 works well. Don't know, if it's the server or 
anything else.

Freshclam:
C:\clamav-devel\bin\freshclam.exe --log c:\logs\Freshclam-update.log
(here you can find errors, default is C:\clamav-devel\log\...)

Sanesecurity:
Simple Batch
---
cd\temp
wget http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
wget http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
unzip phish.ndb.gz
unzip scam.ndb.gz
copy phish.ndb C:\clamav-devel\share\clamav\phish.ndb
copy scam.ndb C:\clamav-devel\share\clamav\scam.ndb
del c:\temp\phish.ndb
del c:\temp\scam.ndb
---

Declude:
C:\clamav-devel\thirdparty\runclamscan

The readme says:
SCANFILE3 C:\imail\declude\runclamscan.exe log=1 
C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE3 1
REPORT3 FOUND

But the --mbox option isn't recognized any more.

I have:
SCANFILE C:\imail\declude\runclamscan.exe log=1 
C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
VIRUSCODE 1
REPORT FOUND
in my virus.cfg

You can test both, ClamDscan and ClamScan (C:\clamav-devel\bin), ClamDScan uses 
the Daemon if it's available.
Btw: I tried it right now, "ClamDscan C:\temp" and "ClamScan C:\temp"
ClamDscan takes 0.375 seconds, ClamScan 10.359.


Alex





Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Bonno Bloksma
Gesendet: Donnerstag, 5. Juni 2008 22:18
An: Declude.Virus@declude.com
Betreff: [Declude.Virus] ClamAV

Hi,

Been using the old F-prot v3 as a second scanner but I disabled it today. As 
the new F-prot 6 scanner is not allowed with Declude, well sort of but I don't 
want to pay that mucht ;-) I wanted to use ClamAV asn an extra scanner.

In the past it was a bit dificult I seem to remember but Is it realy as 
easy as 1-2-3 today?
Go to http://w32.clamav.net/ and download
- The Windows msi file
- The initial virus sigantures
- Pthreads (I seem to need it).
Install the msi
Copy the initial signature files to C:\Program Files\clamAV\data or something 
like it.

But then
Make sure the sig files are updated... but how?

Let Declude (according to http://www.declude.com/searchresults.asp?Cat=124) 
call ClamAV using:
 SCANFILE [Drive:]\[Path]\bin\clamscan.exe --quiet --log-verbose --no-summary 
--max-ratio 0  -l report.txt
Which would probably translate to
 SCANFILE C:\Program Files\bin\clamscan.exe --quiet --log-verbose --no-summary 
--max-ratio 0  -l report.txt
or would
 SCANFILE C:\IMail\Declude\Scanners\clamscan.exe --quiet --log-verbose 
--no-summary --max-ratio 0  -l report.txt
be a better solution.

There is also a clamscam.txt file in the C:\IMail\declude\scanners\ClamAV 
directory that seems to suggest something else.

So where is a HOWTO to get it up and running with Declude? I'm sure I'm not the 
first to look at the combination, so how dit YOU do it. :-)



Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer

tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.



Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

AW: [Declude.Virus] Re: AVG updates

[Hirthe, Alexander]

Hi David,

> Looked at ClamAV ... any good installation instructions for usage with
> Declude/Imail ???   Looked through Google, did not find anything well
> written ... any pointers, suggestions?
I wrote one a while ago:
http://www.mail-archive.com/declude.virus@declude.com/msg14082.html


Alex


Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Dr. Peter Baumeister
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] OT - looking for a command line email tool - with attachments

[Hirthe, Alexander]

Hello,

can anyone help me?

I'm looking for a command line tool to send mail (within our company) including 
an attachment.
(I want to forward the incoming fax to the inbox of the user :)

I can create the pdf, put it in a directory and now I only need a command line 
mailer *with* attachment.

I tried different tools now, the best sent me the mail and the embedded pdf 
font was missing :-/
if I open the pdf on the server it's all working.

?

Alex




Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Dr. Peter Baumeister
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Goodbye

[Hirthe, Alexander]

Goodbye to all of you, I'm leaving the company and I don't think I'll get in 
touch with declude again.

Thanks for all the help in the past years!

Alex



Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Dr. Peter Baumeister
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: REVDNS:Re: [Declude.Virus] Sircam still going through...

[Hirthe, Alexander]

Hello out there,

I though I've got to use Norton Antivirus, because we bought it for our
other servers .-)

I mailed Scott the command line parameters, he told me what I should use, 
but NAV quit's with an Errorlevel 255.
I installed F-Prot and everything worked fine, I paid F-Prot 40 $ for 20
clients, and now I can scan some servers twice ;-)

Greetings 

Alex 


> -Original Message-
> From: Ric Stevenson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 09, 2001 3:56 PM
> To: [EMAIL PROTECTED]
> Subject: REVDNS:Re: [Declude.Virus] Sircam still going through...
> 
> 
> thought i'd try once more.  i want to buy declude but i am 
> not sure what
> virus scanner to get with it.   f-prot, mcafee, another?  i'd 
> like to talk
> to someone that is using it to determine what to get.
> 
> thanks
> 
> Ric Stevenson
> Systems Administrator
> Midway Truck Center
> 7601 NE 38th St.
> Kansas City, MO  64161
> phone - 816.413.3198
> fax - 816.414.6498
> 
> - Original Message -
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, August 08, 2001 10:40 PM
> Subject: Re: [Declude.Virus] Sircam still going through...
> 
> 
> >
> > >I added the /DUMB switch to the scanfile settings and the 
> virus is still
> > >going through. Any other ideas? I think it is just 
> happening when it is a
> > >.doc.lnk extension.
> >
> > We're able to catch Sircam with the .doc.lnk extension using F-Prot
> > here.  Could you E-mail me your \IMail\Declude\virus.cfg and
> > \IMail\spool\vir.log files so I can look at them?
> >
> > If possible, the best way to find out what is going wrong 
> is to get a
> virus
> > that does go through into a mailbox by itself, and E-mail the whole
> mailbox
> > to us.  That way, we can test is here with the exact same 
> file as is being
> > received on your server.
> >   -Scott
> >
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".  You can E-mail
> > [EMAIL PROTECTED] for assistance.  You can visit our web
> > site at http://www.declude.com .
> >
> 
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".  You can E-mail
> [EMAIL PROTECTED] for assistance.  You can visit our web
> site at http://www.declude.com .
> 
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

MISSING_REVERSE_DNS:RE: [Declude.Virus] Compromised IIS Server ...

[Hirthe, Alexander]

Hello 

Symantec says:
-

System Modifications

When executed the worm determines from where it is being executed. The worm
then overwrites MMC.EXE in the Windows Directory or creates a copy of itself
in the Windows Temporary Directory.

The worm then infects commonly used executables listed in the registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

The worm hooks the system by modifying the system.ini file as follows:

Shell = explorer.exe load.exe -dontrunold

It also replaces the file Riched20.dll. Riched20.dll is a legitimate Windows
.DLL used by applications such as Microsoft Word. By replacing this DLL, the
worm is executed each time applications such as Microsoft Word are executed.

The worm copies itself as the file:

%Windows\System%\load.exe

NOTE: %Windows\System% is a variable. The worm locates the \Windows\System
folder (by default this is C:\Windows\System) and copies itself to that
location

The worm then attempts to modify files with the extension .htm, .html., and
.asp or filenames matching default, index, main and readme on the local
system that are shared with other network computers. .EXE files are infected
and .EML and .NWS files are replaced by the virus.

Next, the worm creates open network shares for all drives on the computer by
modifying the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$ -> Z$]

A reboot of the computer is required for these settings to take effect.

The worm searches for all open shares on the network by iterating through
the Network Neighborhood. All files on any open network shares are examined
for possible infection. .EXE files are infected by the worm except
WINZIP32.EXE. .EML and .NWS files are copied to the open network shares and
the worm copies itself over as riched20.dll to any directory with .DOC
files.

During execution, the worm may attempt to delete copies of itself. If the
file is in use or locked, the worm will create WININIT.INI with an entry to
delete itself upon reboot.

The worm contains bugs and can be resource intensive. Thus, not all actions
may occur and system instability may be noticable.

>>>

I did not find the Open Shared unter NT, and I did not find the
System.ini/wininit.ini changes.

Alex 



> -Original Message-
> From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 5:33 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Compromised IIS Server ...
> 
> 
> 
> >Has anyone been successful in removing
> >W32/Nimda@MM from their IIS 4.0 servers?
> 
> Microsoft recommends a rebuild.  But, this post was seen 
> recently, and 
> might be worth a try (but remember that not rebuilding might not fix 
> everything...):
>  -Scott
> 
> ---
> 
> I have cleaned (I think) one Win2k server. Here are the steps 
> I followed:
> Here's some suggestions that I've used successfully (so far at least).
> YMMV.
> Be sure and check your "Guest" user account. The worm will 
> enable it and
> also put it in the local administrators group.
> To fix the web pages:
> Open one of them in notepad or something and look at the last 
> line of the
> file. You should see:
> I used Search & Replace from www.funduc.com to search for 
> this string in all
> *.htm, *.html, and *.asp files and remove it.
> Search for readme.eml, .eml, .nws, admin.dll, readme.exe, 
> riched20.dll.
> Delete them if the modified date on them is today. Also, 
> mmc.exe. The good
> one should be in \winnt\system32 and will be a larger file size. Note
> admin.dll is a valid file for Front Page and will have a 
> smaller file size
> and different date.
> Search for MEP*.TMP.EXE in the \temp directory and delete them.
> Look for root.exe in your web directories and remove it.
> Remove the drive shares on the root of your drives.
> Other files to look for are load.exe and a modified 
> system.ini. I did not
> see these on NT.
> I also re-applied SP2 and rebooted.
> 
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".  You can E-mail
> [EMAIL PROTECTED] for assistance.  You can visit our web
> site at http://www.declude.com .
> 
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

MISSING_REVERSE_DNS:RE: [Declude.Virus] two scanner Support

[Hirthe, Alexander]

Hello Scott,

> >Scott, any chance of getting declude to support two scanners natively
> >without using a batch file?
> It's in the suggestion database.  It's not requested that 
> often, but I do think that it would be a nice feature to have built-in
support for.
Request ;-)

Greetings Alex 
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

MISSING_REVERSE_DNS:RE: [Declude.Virus] F-Prot

[Hirthe, Alexander]

hello out there,

on http://www.f-prot.com/f-prot/ you should buy the "F-Prot Antivirus for
Windows
The licensed package includes F-Prot Antivirus for Windows 95/98/NT/2000/XP,
and F-Prot Antivirus for DOS" 

it's 2$ per Computer, and you must buy at least 20 licenses. 
(http://www.f-prot.com/f-prot/products/pricecomwin.html)

bye 
Alex 

> -Original Message-
> From: Grant Griffith [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 28, 2001 6:25 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] F-Prot
> 
> 
> Where can I get the DOS virus scanner to use with Declude 
> Virus?  I just
> purchased this and need to get the scanner now.  From what I 
> recall it was
> like $20 or something like that.
> 
> Thanks!
> Grant Griffith
> 
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".  You can E-mail
> [EMAIL PROTECTED] for assistance.  You can visit our web
> site at http://www.declude.com .
> 
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.Virus] MISSING_REVERSE_DNS:Reports?

[Hirthe, Alexander]

Hello,

is it possible to report a virus to "some" postmasters, depending on the
domain name? 

I'd like to inform the admin of a specific domain, if one of their accounts
was sent a virus or tried to sent a virus.
(not the "otherpostmaster", we are hosting some domains, and these admins
want to be informed)

is this possible?  (running declude virus pro, IMail 7, on a windows NT4
Server)

Bye 

Alex 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.Virus] Lentin & SKIPIFVIRUSNAMEHAS ?

[Hirthe, Alexander]

Hello,

we are getting some Lentin Viruses, and one of them I found strange:

---
Received: from mail.siller.de [80.128.231.29] by siller.de
  (SMTPD32-7.07) id A885F57014E; Sun, 30 Jun 2002 16:41:09 +0200
From: Mail Delivery System<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Undelivered Mail Returned to Sender -goldfish
Date: Sun,30 Jun 2002 16:37:15 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=swhofdh
Message-Id: <[EMAIL PROTECTED]>
---
it looks like we are sending the virus to ourself, but 80.128 is a dial-in
pool of the german telekom, not really our ip range :)

is this a normal behaviour? 

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

RE: [Declude.Virus] Virus software

[Hirthe, Alexander]

Hello,

SCANFILE  C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE
/NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
REPORTInfection:

if you have a f-prot.pif in program files\fsi\f-prot: delete it. 
It will avoid f-prot exiting after a scan completed.

(taken from http://www.declude.com/virus/manual.htm)

Alex 



> -Original Message-
> From: Paul R. Weber [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 15, 2002 9:27 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Virus software
> 
> 
> What is the command line arguments needed for f-prot to do an 
> on demand
> scan with Declude?  Can I simply put these in the Declude config file?
> 
> Paul R. Weber
> 
> Director/IT
> Cornell Law School
> 481 Myron Taylor Hall
> Phone: 607 255-1315
> Email: [EMAIL PROTECTED]
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Hunt
> Sent: Monday, July 15, 2002 2:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Virus software
> 
> Paul,  for a whopping $40 you could get the commercial 
> version of F-Prot
> 
> that also gives you a licence for 19 other PCs.
> 
> www.frisk.is
> 
> Personally, I've found McAfee and Symantec use way to much PC 
> resources.
> 
> Chris
> 
> 
> At 02:35 PM 07/15/2002 -0400, you wrote:
> 
> >We own a copy of Declude Virus.  The version of the virus software is
> >
> >MacAfee 4.0 using the scan.exe file with Declude.  We now need to
> upgrade 
> >to 6.0.  Will Declude work with this? How do I unconfigure 4.0 and 
> >configure 6.0 to work.  Normally the Net admin would do this 
> but he is
> on 
> >vacation so I get the job.
> >
> >
> >
> >Paul R. Weber
> >
> >
> >
> >Director/IT
> >
> >Cornell Law School
> >
> >481 Myron Taylor Hall
> >
> >Phone: 607 255-1315
> >
> >Email: [EMAIL PROTECTED]
> >
> >
> 
> ---
> [This E-mail scanned for viruses by Declude/F-Prot AV]
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
> 
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".  You can E-mail
> [EMAIL PROTECTED] for assistance.  You can visit our web
> site at http://www.declude.com .
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.Virus] BANext for domains?

[Hirthe, Alexander]

Hello,

is it possible to ban extensions on a per domain base? 
I'd like to let our customers do whatever they want, but I don't want to get
.mp3 files.

is this possible with declude virus pro? 

Alex 


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] DSN:KLEZ virus

[Hirthe, Alexander]

Hello,

go to \imail\declude\virus.cfg
modify the Loglevel to DEBUG 
try sending you a virus from http://www.declude.com/tools/mailsend.html
what does your logfile now say (\imail\spool\vir0927.log) if such a mail
comes in? 

it should look like 
09/27/2002 18:47:15 Q8b924e790110ed6e MIME file: eicar.com [base64;
Length=68 Checksum=4622]
09/27/2002 18:47:15 Q8b924e790110ed6e Scanner 1: Virus=: EICAR_Test_File
Attachment=eicar.com [0] I
09/27/2002 18:47:15 Q8b924e790110ed6e Found a bogus .com file
09/27/2002 18:47:15 Q8b924e790110ed6e File(s) are INFECTED [3]
09/27/2002 18:47:15 Q8b924e790110ed6e Scanned: CONTAINS A VIRUS [MIME: 2
487]
09/27/2002 18:47:15 Q8b924e790110ed6e From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]
09/27/2002 18:47:15 Q8b924e790110ed6e Subject: Test eicar.com file
[eicarplain]

if not, maybe declude is not running? (try declude --diag)

Alex 


> -Original Message-
> From: Kevin (Linkbrokers Support) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 27, 2002 6:17 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] DSN:KLEZ virus
> 
> 
> Question then - Does F-Prot stop Klez?
> Yes its being delivered to my customers.
> 
>  I went through all 17 test from eicar.com
> they all came back - and were caught by the PC's virus scan. 
> Non of them had
> been clean.
> 
> What next?
> - Original Message -
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 27, 2002 11:48 AM
> Subject: Re: [Declude.Virus] DSN:KLEZ virus
> 
>
> >
> > >I would really like to stop this virus from reaching our 
> customers -
> > >What's the best way to config the virus.cfg file to stop 
> this virus  I
> > >have declude virus. can anyone point me in the right direction.
> >
> > Assuming that your virus scanner can detect Klez (which all 
> should be able
> > to do, except ones with old virus definitions), the virus should be
> > detected automatically.  Is it being delivered to your 
> customers?  If so,
> > does the eicar.com file get delivered when sent from the 
> Test Virus Sender
> > at http://www.declude.com/tools ?  If the eicar.com file doesn't get
> > caught, something isn't set up properly (in that case, you 
> can send me
> your
> > \IMail\Declude\virus.cfg file and \IMail\spool\vir.log 
> file, and I can
> > take a look to see what is wrong).
> > -Scott
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".The archives can be found
> > at http://www.mail-archive.com.
> >
> >
> >
> > [Reliable Web Hosting by -  http://www.linkbrokers.com/hosting.cfm]
> > [This E-mail scanned for viruses by LinkBrokers EMail Service]
> > [This E-mail scanned for spam mail against orbs and spamcop]
> >
> >
> >
> 
> 
> 
> 
> 
> [Reliable Web Hosting by -  http://www.linkbrokers.com/hosting.cfm]
> [This E-mail scanned for viruses by LinkBrokers EMail Service]
> [This E-mail scanned for spam mail against orbs and spamcop]
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] What to do with a virus Mail?

[Hirthe, Alexander]

Hello,

Declude filtered a virus, but the customer want's to have this mail. 
What should I do now? 
Can I copy the file to the spool directory? Or does Declude filters this
mail again? 
I looked at manual.htm, but there is nothing mentioned.

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] IMail Instant Messaging?

[Hirthe, Alexander]

Hello,

has anybody tried the IMail Instant Messaging? 
How does this work? 
Is it just an add-on for IMail, so Declude Junkmail and Declude Virus will
work, or is it a complete new version with it's own SMTP engine, own users,
...?

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] [Forged]@...

[Hirthe, Alexander]

Hello,

I'm getting mails "Invalid final delivery userid: [EMAIL PROTECTED]"

in my virus.cfg I have 

# The FORGINGVIRUS option is used to list viruses that forge the return
address, so Declude
# can replace the name of the sender with "[Forged]".
#
FORGINGVIRUSKlez
FORGINGVIRUSSobig


Declude is running in v1.65, F-Prot, IMail 7.13, NT Server.

Has anyone else this problem? 
I thought Declude will report this only to the postmaster and the receiver,
and not to the sender?? ;-)

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Order of scanning

[Hirthe, Alexander]

Hello,

 found at http://www.declude.com/junkmail/manual.htm :-) -
Processing Order
Both IMail and Declude have a number of different tests that they run on
E-mail. The order used is as follows:

1. IMail's Control Access file (to block IPs)
2. IMail's Kill List (to block return addresses)
3. Declude Hijack
4. Declude Virus
5. Declude JunkMail
6. IMail's filters
---
so Spam Virus would be found ;-)

Alex 


> -Original Message-
> From: Hermann Strassner [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 25, 2003 1:51 PM
> To: Declude. Virus
> Subject: [Declude.Virus] Order of scanning
> 
> 
> Can anybody tell me in which order different Declude products (virus,
> junkmail, hijack, ...) work on mails?
> Are mails, which are quarantined by junkmail, scanned for viri before?
> 
> Hermann
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] F-Prot Upgrade Questions?

[Hirthe, Alexander]

Hello,
 
I'm going to upgrade our F-Prot Windows from 3.12 to 3.13a-m. 
 
Can I just run setup.exe or must I do something bevore / after? 
 
At the moment I have 
 
"SCANFILE C:\PROGRA~1\FSI\F-PROT\F-PROT.EXE /TYP /NOMEM /ARCH /NOFLOPPY
/NOBOOT /DU /Report=report.txt" 
 
in my virus.cfg, will this work or must I change it to fpcmd? 
 
 
Alex 
 

RE: [Declude.Virus] Declude Virus v1.75 (release version) release dd

[Hirthe, Alexander]

Hello,

installed, works like it should ;-)

Alex 

> -Original Message-
> From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, July 22, 2003 7:47 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Declude Virus v1.75 (release 
> version) released
> 
> 
> We have just released Declude Virus v1.75 (release version).  See 
> http://www.declude.com/virus/manual.htm .  Notable changes 
> since the last 
> beta include:
> 
>   o A number of minor fixes
> 
> Other additions and fixes can be found in the release notes, at 
> http://www.declude.com/relnotes.htm . Anyone with an 
> up-to-date Service 
> Agreement is entitled to free upgrades (see 
> http://www.declude.com/agree.htm for information on the 
> Declude Service 
> Agreement).
> 
> ---
> 
> Quick Resource Reference:
> 
> Tech Support:  [EMAIL PROTECTED]
> Mailing List: Send E-mail to [EMAIL PROTECTED] with "subscribe 
> declude.virus your name" in the body
> New Releases List: Send E-mail to [EMAIL PROTECTED] with 
> "subscribe 
> declude.releases your name" in the body
> Troubleshooting: See manual URL above; look at 
> "Troubleshooting" section
> Emergency Uninstall:  See manual URL above; look at 
> "Emergency Uninstall" 
> section
> Urgent Support: urgent @declude.com (for 
> urgent/time-sensitive issues only)
> Declude Addons/Tools URL: http://www.declude.com/tools
> Manual: http://www.declude.com/virus/manual.htm 
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot and Mimail

[Hirthe, Alexander]

Hello,

I bought AVG 6 some weeks ago from Grisoft.com as a second scanner. 
Now I finally installed it :-)
75 US$ for 2 systems. They detect it as "Unknown Virus" in "Unknown File".

Alex 

> -Original Message-
> From: Billy [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 04, 2003 4:12 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] F-Prot and Mimail
> 
> 
> At this point is F-Prot catching it? If not has anyone found 
> a good work
> around, without having to block all .zips...
> 
> 
> ---
> [This E-mail was scanned for viruses by QuestNet.net 
(http://www.QuestNet.net)]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] F-Prot and Mimail

[Hirthe, Alexander]

Hello,
http://esd.element5.com/product.html?productid=515471&language=English&style
from=502792
AVG Network Edition (2 licenses) - 75 $.

Alex 

> -Original Message-
> From: paul [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 04, 2003 4:49 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] F-Prot and Mimail
> 
> 
> Kami,
> 
> >F-Prot:  $50
> >AVG:  $35 [http://www.Grisoft.com]
> 
> Where on the site is $35? I must be blind and missing it. The 
> prices I see
> for AVG are $33 for workstation, not supporting Win2000 
> Server, and mail
> server edition STARTING at $120 for 6 boxes.. help?
> 
> Due to F-prot's inability to get it's act together for this 
> silly virus is
> making us look for a 2nd scanner. Granted, the body filters 
> in place are
> handling the problem nicely, but it's still a pain.
> 
> Paul
> 
> 
> ---
> [This E-mail scanned for viruses by Declude Virus]
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Overflow?

[Hirthe, Alexander]

Hello,

what must I do to use the Declude Queue Feature?

Alex
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Overflow?

[Hirthe, Alexander]

> >what must I do to use the Declude Queue Feature?
> 
> It is automatically enabled (except with very old versions of 
> Declude).
How do I see it working? 
I have ~ 400 Q* Files in my Spooldir, no directory "overflow" or something
like that. 
I'm running Declude 1.77 (%VERSION% ;)

Alex



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Overflow?

[Hirthe, Alexander]

Hello John,

> What is the age of those Q files?
all from today :/ 

> If you go into the Imail Admin, local host, View Queue, how 
> many times does it show that delivery has been attempted?
After a quick look:
50% = no tries
30% = 1 try
20% more than 1 try. (@aol.com, @web.de, ...)

> Is there any pattern to those?
There is a newsletter going out, everything looks for me to be legitimate
mail. 
I'm looking at the sys*.log via wintail, this looks good to me.

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Overflow?

[Hirthe, Alexander]

Hello,

right, no psapi.dll.
I copied it from another system to \winnt\system32. Suddenly there is a
overflow dir here :)
No reboot, no registration. Just copy.

Thanks Scott!


Alex



> -Original Message-
> From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 15, 2004 5:23 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Overflow?
> 
> 
> 
> > > >what must I do to use the Declude Queue Feature?
> > >
> > > It is automatically enabled (except with very old versions of
> > > Declude).
> >How do I see it working?
> >I have ~ 400 Q* Files in my Spooldir, no directory 
> "overflow" or something
> >like that.
> 
> If there is no \IMail\spool\overflow directory, the problem 
> is most likely 
> that your server is missing the PSAPI.DLL file (which is 
> normally included 
> in NT/2000/2003 installations).  If you do a Google search 
> for PSAPI, you 
> should be able to find a way to reinstall it.
> 
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail 
> mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver 
> vulnerability detection.
> Find out what you've been missing: Ask about our free 30-day 
> evaluation.
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] BANEXT ?

[Hirthe, Alexander]

Hello,

is there a difference between 
BANEXT .ZIP
and
BANEXT ZIP
?

What will happen with a Virus.zip.exe file? 

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] Good Scanners

[Hirthe, Alexander]

Hello,

we are using F-Prot and AVG, but Grisoft changed the licensing, I think the
AVG Network Edition for 2 Servers should be ok. it costs 75$/€, including 2
years of updates. That's almost as low as F-Prot ;-)

Alex

> -Original Message-
> From: Charles Frolick [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 27, 2004 12:53 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Good Scanners
> 
> 
> I just purchased Virus to add to my server.  I have been 
> using F-Prot to
> scan, but I want to add additional scanners (I bought Pro).  Just
> looking for feedback on quality and price, I don't want to buy a
> corporate suite just to run AV on the mail server (we only have 3
> workstations, and run Norton at the other Windows servers).
> 
> Thanks,
> Chuck Frolick
> ArgoLink.net
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

[Declude.Virus] Outlook CR Vulnerability Checker?

[Hirthe, Alexander]

Hello,

is there a tool to check mail for Outlook Vulnerabilities? 
Not Declude, a command line tool that tells me the line or something like
that. 

We are getting many of them, from small, big an bigger companies.

Or anything I can see/do? 

Alex 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.