I tried what Markus recommended, but this only gives me the dat files, I
need to get McAfee Virus Scan installed while having Trend ServerProtect on
there, How do I do that?
One option would be to uninstall Trend, install McAfee (making sure not to
enable the McAfee on-access virus scanner),
One question though, is there any way to catch those pesky zips. If I turn
of BANEXT ZIP and BANEXT EZIP and run your tests, they get through.
Are you running the latest interim (from http://www.declude.com/interim
)? Do you have an up-to-date Service Agreement (which is required to run
the
That should have been
...If I turn off BANEXT ZIP and BANEXT EZIP and run your tests, they get
through
Ah, that's good. That's the way it should be. The eicardynamicencodedzip
file (like some viruses) can only be caught by blocking encrypted .ZIP files.
So the scanners can't catch them?
Correct.
That's why we came out with the interim release to block all encrypted .ZIP
files. Without being able to do that, you can't block all viruses.
There are static encrypted .ZIP files (which are always the same, and
therefore always have the same file
One option (with Declude Virus Pro) is to ban file extensions within .ZIP
files (blocking all .EXE, .PIF, .SCR, .BAT, .COM, etc. files). The other
option would be to rename the .ZIP file to use another extension.
So if I understand correctly, I should be able to send a zip file to
somebody
I also asked this question in the IMail forum but.
could I maybe do something with the BANNAME keyword without sending the
standard reply which I do want to send for regular files I ban on extention?
As far as I know I have little flexibility (yet) in the the name of the
*.eml file which
I had one slip thru to me this morning also... McAfee detected it on my
system as the W32/Netsky.b.eml!zip virus. Not sure as to where it
quarantined the file too, but I was surprised my banext's did not catch it
also.
The .eml is now being used for E-mails where no virus is detected, but
Is there any thought about changing this? IE removing the attachment and
passing the email through.
That is not likely to happen soon, as it requires MIME encoding (which
Declude doesn't do at all -- it only does MIME decoding).
-Scott
---
I have a problem. I just noticed that since adding the line BANNAME
DELETED0.TXT to my Virus.cfg, my BANnotify.eml file is bouncing
notifications in response to these files. I tried SKIPIFVIRUSNAMEHAS
DELETED0.TXT, but that didn't work. The problem of course is that these
files aren't in fact
Hi all we just had a case where an email was banned because Declude said it
had an exe in the email, when it only had a TXT.
What happened here?
What happened is that either it contained an .exe file, or it had multiple
extensions (in which case Declude Virus assumes the worst, that it is an
I have several examples of that from last night as well, all the txt
attachments were anti-virus generated attachments
03/25/2004 19:11:00 Q751409530072c4c8 MIME file: DELETED0.TXT
[quoted-printable; Length=113 Checksum=12852]
03/25/2004 19:11:00 Q751409530072c4c8 Banning file deleted0.txt.
Hi all we just had a case where an email was banned because Declude said it
had an exe in the email, when it only had a TXT.
What happened here?
The problem here is that the mail client (a program whose name is as poor
as its MIME handling: Mail A.01.77) is giving out 2 different names for
the
The problem here is that the mail client (a program whose name is as poor
as its MIME handling: Mail A.01.77) is giving out 2 different names for
the file. In one location, it calls the file EPM11002.FILES.CANJET, in
the other location it calls it EPM11002.TXT. While Declude Virus knows
FYI, at the request of our customers, we have just set a new mailing list
called Virus Alert. The list is designed to let our customers know as
soon as we find out about new, fast-spreading viruses. The goal is to help
you be as protected as possible before virus definitions are updated.
Sounds good. Now the question of the day is...how do we subscribe?
Oops. :)
You can send an E-mail to [EMAIL PROTECTED] with subscribe virusalert
Your Name in the body of the E-mail.
-Scott
---
Declude JunkMail: The advanced anti-spam
You can send an E-mail to [EMAIL PROTECTED] with subscribe virusalert
Your Name in the body of the E-mail.
BUT, that will not work for everything, such as a alpha/numeric pager or a
cell phone which only had SMS on it, not e-mail.
In that case, you can just E-mail me the address you want added
If F-prot notes a file as suspicious is it stopped by declude or passed.
Can this be a setting possibly? IE if F-prot notes it as suspicious allow
declude to block it.
You can add a line VIRUSCODE 8 to your \IMail\Declude\virus.cfg file to
block E-mails that F-Prot considers suspicious.
Like most people on the list, I told Declude to block EZIP
files. I just
got a call from a client that said that his messages couldn't be sent out
because it was an EZIP file (password protected zip file; payroll). I told
him of the server configuration and suggested that maybe zipping
What is the Partial Vulnerability that Declude Virus is picking up. I have
a customer asking me why and what and how to fix. [Partial Vulnerability]
virus in the Unknown File attachment.
See http://www.declude.com/virus/vulnerability.htm for details. They are
using a *very* outdated option in
Hi anyone else experienced problems with zipfile maked with the latest
winzip version?
Reported by a user it is encryoting in a way per default so that declude
take it as a EZIP and block it.
If a .ZIP files is marked as being split among multiple .ZIP files (whether
or not it actually is),
If a .ZIP files is marked as being split among multiple .ZIP
files (whether or not it actually is), BANEXT EZIP will block
it as well (since it could hide a virus).
No it's a single zip file
It doesn't matter if it is a single .ZIP file or not -- Declude Virus will
block it if it was
How do I turn off virus notification totally.
I am getting too many complaints regarding the volume these days and would
just like to turn all notifications off
If you delete all the \IMail\Declude\*.eml files that are used by Declude
Virus (by default: sender.eml, recip.eml, postmaster.eml
Are there any issues between Declude antivirus or junkmail and Imail 8.1
we need to be aware of or address if/when we choice to upgrade?
I assume not, but since Ipswitch did not invite us to the IMail v8.1 beta,
I can't answer for certain.
What is the link for the current interim Declude AV download? I know I
should know this, but I can't find it. :(( I want to upgrade to catch the
.RAR encrypted files too.
http://www.declude.com/interim .
-Scott
---
Declude JunkMail: The
since I upgraded to 8.1 I now get double enteries added to the FOOTER
botton of each incomming email
It looks like IMail may be running Declude once for each recipient (it
looks like you are using a copyall account).
Do you have the IMail and Declude log file entries for an E-mail with the
I've been testing all sorts of scanners and I couldn't get the free
versions of BitDefender to work.
We did some testing with it, and couldn't get the DOS version to even run
on NT or 2000 (it kept crashing as soon as it was started, but it would
work on other OS's). However, the Windows
Actually, I am running the newest F-Prot, and they're still slipping
through. Winzip opens these files just fine as well, and Symantec Corp
seems to be able to scan and detect the issue without any problems. They
keep rolling in, makes me a little nervous, and customers sure hate it.
Given
This happens to me too.
I am not using a copyall account.
It seems that IMail v8.1 will send forwarded mail through Declude a second
time.
We haven't confirmed this yet, and unfortunately Ipswitch hasn't provided
us with a copy of IMail v8.1 yet, so we are unable to test this yet, or
On a related topic, during my testing I found that while I was logged into
my server with pcANYWHERE instead of Terminal Services, I kept seeing CMD
windows pop up when AVG was scanning despite the /silent switch. I don't
ever recall seeing that before, but it's rare that I log in with
Since installing the 1.79 i had a lot of this messages in log file:
MIME file: =?iso-8859-1?Q?20040405-ddp_alben_=FCberarbeitung.xls?=
[base64; Length=15360 Checksum=870398]
1 [1 of 2 not deleted] files were deleted. Use ONACCESS ON if you use
an external (on access) virus scanner.
Scanned:
No, i changed nothing in the virus scanner. I do not have on access
scanning on before and not after the new declude.
I just copied the new delude.exe over the old one.
Every message has this or similar lines (1 of 2 not deleted, 2 of 3 not
deleted, 4 of 5 not deleted), except those with only
Been flipping through the manual and having a tough time finding how to
stop a message that is infected from being sent to our users by deletion.
Stopping the message isn't the tricky part (Declude Virus always block
E-mails if a virus is detected). The question is how to delete them,
rather
We have a customer who is running Veritas Backup Exec. When their backup
runs a notification is triggered by Backup Exec and we bounce that
notification through our IMail server and then on to the appropriate
parties. This notification system has been running fine for months now
using our
Sorry about that. I included the wrong message. I had 2 issues confused
with each other. Here is the one I was referring to where Declude blocks
the message...
Headers Follow:
Received: from bhfserver [68.74.44.200] by NexusTechGroup.com
(SMTPD32-6.06) id A864C60136; Fri, 02 Apr 2004
How does BANEZIPEXTS work if 2 or more files are included in the encrypted
ZIP and at least one of them is not in the BANEXT list.
With the original interim release that added the BANEZIPEXTS option, it
would only look at the first file. That was due to the speed needed to add
the feature
I am using version 1.79 Beta. I believe that the expanded feature you
mentioned is not incorporated in this 1.79 beta version then. I will run my
tests again to make sure and let you know.
That is not correct.
We only have one source code tree. That means that when a new feature is
added, any
I did some tests again, and the zips where caught. However the initial test
file I used wasn't caught. I haven't been able to reproduce the file again
in away it is not caught by declude. But I have the original file that I
tested and retested and that Declude let it pass.
I am sure that the
What happens when the 30 days is up and declude deactivates?
At that point, mail will be handled almost exactly the same as it was
before Declude was installed (the core Declude code will still run, but
E-mail will be delivered exactly as it had before).
What happens when the 30 days is up and declude deactivates?
At that point, mail will be handled almost exactly the same as it was
before Declude was installed (the core Declude code will still run, but
E-mail will be delivered exactly as it had before).
Are the virus's passed on to the users?
I was wondering if someone could point out the advantages/disadvantages
between using the F-Prot updater and the F-Prot for DOS updater from
declude.com/tools. I only run 1 IMail Server.
I spoke to F-Prot Support and they confirmed that their updater renews both
the win32 and DOS definitions.
I
I would like to be able to use wildcards in the SKIPIFRECIP command.
More specifically, I would like to be able to used one SKIPIFRECIP line
for a user and all of his sub-mailboxes.
This has been added to the suggestion database, and will be considered for
upcoming releases.
I'm looking for info on Worm.SomeFool.P
Anyone know where I can find out about this one?
I believe that is the name that ClamAV uses for Netsky.P
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
While I have your attention, what do you use to generate this report from
your log files?
Each month, we go through our spamtraps (E-mail addresses
designed to collect spam), to find out which spam tests
were most effective at catching spam. snip
WEIGHT1099.48%
...
We actually
The new site looks good.
Thank you. :)
But where can I find the interim releases now?
The new location is http://www.declude.com/version/interim .
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
04/13/2004 11:21:23 Qb1072b82012a066d Could not find parse string
Infection in report.txt
04/13/2004 11:21:23 Qb1072b82012a066d Error 8 in virus scanner 1.
04/13/2004 11:21:23 Qb1072b82012a066d Scanned: Error in virus scanner.
[MIME: 2 270831]
the mail with attachment are being hold
Its a
SCANFILEC:\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT
/DUMB /REPORT=report.txt
This is indeed the standard F-Prot configuration. I can't explain why it
is returning the exit code of 8, unless F-Prot switched to have that on by
default (which could be the case).
Since you
I have a customer who is trying to send out Midi files as an attachment and
his email is getting held because of the mime headers vulnerability. He is
using Entourage as his mail client. Is it something about the way he is
attaching the Midi file that is causing the issue? Or is it just because
Will someone explain what this log entry from my vir log
means. Particularly the [MIME: 11 271688] part.
The client is claiming the attachment is a .doc which I do not block.
Most likely, it is using malformed headers (so it appears as both a .doc
and other file extension), in which case
If you are using Fprot and have configured it exactly as you recommend on
the WEBSITE will an Excel file with a dangerous Macro be detected?
It will not. But this recent development shows that the latest version of
F-Prot may return an exit code of 8, whether or not you have requested it
to.
I've been looking through the per user settings for declude virus. Is it
possible to have a default config file with a footer and selected users
not have the footer? We still want them to scan for viruses, just not have
a footer.
That is not currently possible. The per-user settings only
Can I put it in for a future request
It's already there. :)
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
How does one send a virus to a antivirus company when Declude catches all
virusses? Is there a way to tell declude *not* to scan a certain mail?
If not, how dou you guys/galls solve this?
One option that is currently available is that you can .ZIP the file, and
then rename it to use a different
Are you sure that you were running v1.79 at the time the E-mail was
received? What does your Declude Virus log file show for the E-mail?
I've found the problem.
It turns out that somehow the encrypted .RAR blocking was only added to the
Pro version. This will be fixed for the next interim
Shouldn't BANEXT EZIP stop this before the scanner gets to it?
No.
Whenever there is any type of vulnerability detected, or banned files, the
virus scanner will still be called. The reason for this is that many of
our customers would prefer for the virus name to appear if a virus is
Declude Virus will handle this automatically. If you are using both F-Prot
(which reports the virus name) and Sophos (which does not report the virus
name), and both catch a virus, Declude Virus will automatically use the
virus name that F-Prot reports.
I was thinking (but did not write it
Should Declude be catching a ByteVerify exploit?
This came through Declude/F-Prot/Trend::
NetShield-4.6.0: The file CACHE1:\ETC\PROXY\CACHE\1B\8FCC389B.AAJ\bb.class
was infected with
Exploit-ByteVerify . The file was successfully cleaned with Scan engine
version 4.2.40 DAT version 4.0.4350.
RSP Is it possible that that wasn't from an E-mail that came through Declude?
Unfortunately no, going through Imail/Declude is the only path this
mail server can receive email from.
Do you have IE running on the machine? The reason I ask is the path that
McAfee found it in:
I believe both messages came from the same person and I could add a filter
to capture subsequent attempts and probably have a copy for you in a week
or so unless someone else can come up with one sooner.
That would probably be very helpful.
BTW, I am blocking EXE files, so somehow this appears
Are there any issues with using version 8.1 with Declude? I am thinking
of upgrading our servers to 8.1. We are running declude 1.79. Any thoughts?
There are no known issues running IMail v8.1 with 1.79 (there is a minor
issue with Declude v1.75 and earlier, where IMail v8.1 would cause some
This morning when receiving message from our spam account (I hold
everything instead of deleting then review), I received a message and
attachment that Norton AV on my local machine caught as a Netsky.Q virus.
This would have been delivered to the client had it not failed the spam
tests.
Yes, so far this is the only copy that has come through. I haven't
heard from any of my clients of them saying the virus has come through.
OK, so that means that F-Prot is able to catch them.
I didn't even think about EZIP. That didn't catch it either when
it should have,
I attempted to resend the virus again and it bounced (Unknown user:...
You'll need to check your IMail log file to see why IMail couldn't deliver
the E-mail (we have no record of any E-mail from you to that address
today). The address you sent it to was correct. Note that we rarely give
out
I was able to send the virus to that account (at 1300).. I checked our logs
and it went through and got a response e-mail.. The message below got
caught up in queue.. Was messing with our DNS servers trying to fix the
timeout problems we've been having lately..
It did arrive.
This one has a
Have a quick question for everyone. Recently we have been getting virus
files (.SMD) showing up in our root of our e-mail server (C:/) When we run
a virus scan on the drive, it picks it up as various virus's, such as the
Netsky and Beagle virus. We delete them, but they keep popping back up. I
In the Virus.cfg, it is pointing to the default, E:/IMail/Spool/Virus. We
currently have it commented out (with a #), so nothing is getting sent to
that folder. I'm assuming it is just deleting them. Could that be the
problem?
That is the problem. Without letting Declude Virus know where to
No, -diag shows Standard (see first post for -diag output).
In that case, would it be possible to send the D1266200a01083fb8.SMD file
to our virustrap@ address, so we can run some tests on it here?
-Scott
---
Declude JunkMail: The advanced
Not sure if that was what happened, but I went ahead and sent it via my
yahoo account, so look for it (texastoast78 is my yahoo email).
It came through. There are two reasons why it was not caught.
The real reason why it was not caught is that it did not contain any
attachments. Specifically,
We are getting hammered with zip files that are not encrypted that our virus
protection is not picking up (CA Inoculate) Any remedy for this as I would
like to slow these things down some.
Are you using inocucmd.exe (which may not support archived files), or
inocmd32.exe (which definitely does
Using inocmd32.exe and I have the /ARC in the line
I have a couple of errors at about the time that I sent the email
Error 100 in virus scanner 0
Ah, if you add a line VIRUSCODE 100 to your \IMail\Declude\virus.cfg
file, it should take care of the problem.
When I saw this I decided to use the DELETEVIRUSES ON option because I
just want to keep the vulnerabilities and e-mails with banned
attachments, to be safe as you well said. After I changed the setting I
found that e-mails with banned files are kept but the ones with
vulnerabilities are deleted.
How does declude determine the user to filter? Specifically, if an email is
addressed to [EMAIL PROTECTED] but that address is an alias for
[EMAIL PROTECTED] and you adjust the settings for [EMAIL PROTECTED] will
declude treat the alias the same as a user?
For Declude Virus, it will check both
I am using F-Prot and it is working but I keep getting these
unidentified viruses.
Unknown Virus virus in the Unknown File attachment
Can anyone shed any light on this?
Do you ever get the correct virus name (without Vulnerability in the
name)? If not, then the F-Prot settings aren't correct
I'm new to this list and to the Declude system.
Yesterday I found an unusual entry in the Declude log and was wondering if
someone could help me out deciphering what it is.
Below is an excerpt from the log
05/06/2004 03:23:17 Qe7b006a701001294 (Error 5 at 40ee76 v1.79)
05/06/2004 03:23:17
Here are some examples from the log file. Seems I do not have a virus
name in any of the log messages.
05/06/2004 00:14:48 Qbba90921010cfa85 Invalid PIF Vulnerability
These are being detected by Declude Virus (ones that F-Prot is not picking
up for some reason). I believe the latest interim
Has the domain or IP for Declude Virus changed from 24.107.232.14 to
68.186.245.124?
That is correct.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection
So if I put in a line in the virus_users.txt file like:
[EMAIL PROTECTED] OFF
That an email addressed to [EMAIL PROTECTED] would not be scanned and go
through to [EMAIL PROTECTED] even though scanning for [EMAIL PROTECTED] is
turned on.
In the case of conflicts, Declude Virus tries to make sure
Do I need to change all the similar line to just 1 space or tab,
like BANEXT EZIP, will it work if there is more than 1 space?
Only the commands in the .eml files have the one space/tab limitation.
-Scott
---
Declude JunkMail: The advanced
Nothing looks wrong, I've just had that one instance of a .cpl making it
through (and it was, of course, virus-laden).
Do you have the Declude Virus log file entries for the E-mail?
-Scott
---
Declude JunkMail: The advanced anti-spam solution for
Unfortunately, no. I'm not able to identify which e-mail it was - McAfee or
human error (I actually believe McAfee) blew the e-mail away.
In that case, I can't think of anything that you can do to track down what
happened. Without the E-mail that got through or log file entries to work
with,
Bagle.Y in a ZIP file got by our Declude scanner. Should this be caught
by Declude?
Every virus should be caught by Declude. What does your Declude Virus log
file say for the E-mail? Are your virus definitions up-to-date? Are you
running the latest beta of Declude Virus, with a line BANEXT
Im still haunted by .zip attachements with the netsky virus.
What can I do other than ban the file ext .zip to stop it at the filter side.
The latest beta of Declude Virus with the latest .exe for your virus
scanner and latest virus definitions will catch them all, if you have a
line BANEXT
Did this make it into the suggestion database?
Yes, it did. :)
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
I thought with 1.79i6 I would have gotten rid of these unkown virus in
unknow file messages.
This will be fixed in the next release (this issue just affects the
Unknown ??? file vulnerabilities when the extension that is detected is
also banned).
Could you add the link to the page explaining about the vulnerabilities (
http://www.declude.com/virus/vulnerability.htmhttp://www.declude.com/virus/vulnerability.htm
) to the virus manual page at the relevant place? I needed that link and
was unable to find it on the site via any other link.
My machine keeps sending out viruses notices for the Swen virus.
I have:
SKIPIFVIRUSNAMEHAS Swen
in the top of my otherpostmaster.eml file.
The problem is that that line can only have one space or tab on it. If you
change it to:
SKIPIFVIRUSNAMEHAS Swen
then it will work.
RSP That may mean that you have a problem. Are you running v1.79 (with
BANEXT
RSP EZIP in the virus.cfg file), the latest .exe of your virus scanner, and
RSP latest definitions?
Yep, yep and yep.
Could you E-mail one of the .smd files to our virustrap@ address? We can
then run some tests on
I just got a copy of the inevitable:
An e-mail with the zip password placed in an image. Two files attached,
the first file was a gif but the zip file was empty and not actually
encrypted so it made it to my desktop mail client since it apparently
wasn't a viable infected file.
I assume this
How do we get to the manuals for DecludeSPAM and DecludeAntiVirus?
The new web site does not make it easy.
Nor did the old one. :)
You can find them at http://www.declude.com/virus/manual.htm (Declude
Virus) and http://www.declude.com/junkmail/manual.htm (Declude JunkMail).
As Declude *does* know the name of the file it is trying to decode, maybe it
could display that name, along with the fact it caught a vulnerability and
not an unknow virus?
It does display the actual name.
Shouldn't it have reported it found: The EOF in
multipart processing vulnerability virus in
Is there a variable that I can use in my BANnotify.eml that will report
the name of the file that was banned? I'm looking form something more
than the standard %BANEXT%
No, that is not currently possible. Declude Virus only knows the
extension, which is why it is not possible to use a variable
We use the copyall feature of email to keep tabs on a few users, but since
we upgraded to Imail 8.1 all we see in Deccon is copyall_account in the
list. We only ever see one of the sender / recipient pair now.
It looks like Ipswitch made a slight change to the way that the Q*.SMD
files are set
Could MID logging have the name of the banned extension instead of the word
file in the future?
That would be difficult to change. However, the file extension will appear
at LOGLEVEL HIGH.
-Scott
---
Declude JunkMail: The advanced anti-spam
I guess take me back to Declude 101 class.
I ban numerous extensions, like many others on the list. I would like a
Bannotify.eml to out as long as it does not contain a forging virus. How
do I accomplish that?
The problem is that if your virus scanner detects a virus, the
BANnotify.eml file is
We use InoculateIT as our second scanner, for some reason it is
giving off an Error 101 when it encounters Bagle.X.Dll virus. Error 101
means it found a virus, however, action upon it was unsuccessfull.
Would it be prudent to add 101 to the list of codes taken in Declude
Virus so that if
Just wanted to write to let ya'll know about a message that I
received today (Scott, I've forwarded the original message to the virustrap
e-mail account for review). Maybe someone has already seen this, but this
is a first for me. Neither F-Prot on the server nor Norton Anti-virus 2004
seems I can't stop encrypted rar with Bagle.N.
Currently I'm using version 1.79i4 (standard) with f-prot 3.14e (latest
defs) and BANEXT EZIP in virus.cfg.
I tried upgrading from 1.79 today.
What am I missing?
I searched through the archives, souldn't it be addressed by declude
1.78i4-5 ?
There is
HUH???
The latest released version is 1.75; the latest beta is 1.75.
You meant Beta is 1.79 correct???
Yes, the latest beta is 1.79.
Also what happened to that emergency list you created. I joined it or tried
to but was never confirmed.
You have to respond to the confirmation request. If you're
I tried now with different files and found why certain files ar not
blocked with BANNAME.
At the moment it's not possible to block file attachments if the name
contains special characters.
For example Norton Antivirus gelöscht1.txt the german version of Norton
Antivirus deleted1.txt will pass
Does anyone have a good list of Virus names to put into the recip.eml file
so that I do not notify the recipient that there was a virus. I am using
F-Prot if it makes any difference.
The sample .eml files in the manual have the ones that we are aware of, so
there is no need to swap lists with
Can I still send out notifications for the Vulnerability?
It would be possible, but strongly discouraged, as you'll end up becoming
a spammer by doing so.
The only notifications that I would be sending out would be to the
recipient and not to the sender or the postmaster of the sending
901 - 1000 of 1188 matches
Mail list logo
