Re: [Declude.Virus] url file extensions

2006-04-11 Thread Bill Landry

ClamAV can be configured to scan URLs, if so desired.

Bill
- Original Message - 
From: John T (Lists) [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 12:40 PM
Subject: RE: [Declude.Virus] url file extensions



You nor I nor Declude nor anyone knows where that leads to. You cannot
scan the destination for a URL. 


John T
eServices For You

Seek, and ye shall find!


-Original Message-
From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]

On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I have been asked to remove the block I have on these, and since I have
forgotten why I am blocking them, is there a valid reason to block
these?

Thanks in advance

-Nick
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.




Re: [Declude.Virus] url file extensions

2006-04-11 Thread Bill Landry
Nick, it's advised not to use it because it takes additional time to process 
e-mails with embedded or attached URLs, since it has to simulate a user and 
access the URL in order to scan it.  If you already have a heavily utilized 
system, then you would be wise not to enable this feature.  However, if you 
have available resources, you should be fine.


Also, at least on Linux, you need to have curl installed and compile with 
libcurl support:


Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --with-libcurl          support URLs downloading with libcurl (default=no)

However, I don't know if this is the case with the Windows version of 
ClamAV, since I have never actually run it on Windows.


We have been running with this feature enabled on our two Linux gateways for 
about a year now and thus far have had no problems with it.


Bill
- Original Message - 
From: Nick Hayer [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, April 11, 2006 1:30 PM
Subject: Re: [Declude.Virus] url file extensions



Bill,

Will you kindly elaborate?  :)
I see in clamd.conf the MailFollowURLs but the advice is not to use it -
-Nick


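The URL-following behaviour discussed in this thread, as an added example that is not part of the original posts and is not ClamAV's code: it extracts URLs from the text parts of a message, applies a follow policy, and hands whatever it fetches to a scanner. The thread only says the ClamAV option has to "simulate a user and access the URL"; the private-address rule, the per-message URL cap and the download size cap below are this example's own assumptions, not documented ClamAV behaviour. The resolver, fetch and scan callbacks, the sample message and the test signature string are all constructed so the block runs offline.

```python
"""Extract URLs from a MIME message and gate which ones a gateway may follow.

Added example for this thread; it is not ClamAV code and does not show how
MailFollowURLs is implemented. The follow policy and the caps are this
example's own choices. The fetch and scan callbacks are injected, so
everything here runs offline on constructed data.
"""
from __future__ import annotations

import base64
import email
import ipaddress
import re
from email import policy
from typing import Callable
from urllib.parse import urlsplit

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"'()]+", re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https"}
MAX_URLS_PER_MESSAGE = 10           # bound the extra work per message
MAX_FETCH_BYTES = 2 * 1024 * 1024   # bound what is downloaded and scanned


def extract_urls(raw_message: bytes) -> list[str]:
    """Unique URLs from the text/* parts, in order of first appearance.

    get_content() undoes the transfer encoding (base64, quoted-printable) and
    the charset, so a URL inside an encoded body is still found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for match in URL_RE.finditer(part.get_content()):
            url = match.group(0).rstrip(".,;:")
            if url not in urls:
                urls.append(url)
    return urls


def allowed_to_follow(url: str, resolve: Callable[[str], str]) -> bool:
    """Policy gate: http(s) only, and never an internal destination.

    A gateway that follows whatever URL a sender embeds can be steered at its
    own management interfaces or at hosts behind it (server-side request
    forgery). Refuse loopback, private and link-local addresses, checked on
    the resolved address so a hostname cannot hide one."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (ValueError, OSError):
        return False            # unresolvable or malformed: do not follow
    return addr.is_global


def follow_and_scan(raw_message: bytes,
                    resolve: Callable[[str], str],
                    fetch: Callable[[str, int], bytes],
                    scan: Callable[[bytes], bool]) -> dict[str, str]:
    """Map each URL to 'infected', 'clean', 'skipped' (policy) or 'error' (fetch failed)."""
    verdicts: dict[str, str] = {}
    for url in extract_urls(raw_message)[:MAX_URLS_PER_MESSAGE]:
        if not allowed_to_follow(url, resolve):
            verdicts[url] = "skipped"
            continue
        try:
            body = fetch(url, MAX_FETCH_BYTES)
        except Exception:       # timeout or connection failure; whether to fail open is policy
            verdicts[url] = "error"
            continue
        verdicts[url] = "infected" if scan(body[:MAX_FETCH_BYTES]) else "clean"
    return verdicts


# ---- constructed data so the example runs offline ---------------------------
TEST_SIGNATURE = b"GATEWAY-TEST-SIGNATURE-NOT-A-REAL-VIRUS"   # stand-in for an AV signature

SAMPLE_MESSAGE = (
    b"From: sender@example.com\n"
    b"To: user@example.net\n"
    b"Subject: your invoice\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(b"See http://files.example.com/invoice.exe and http://10.0.0.5/admin/ now.")
    + b"\n"
)


def demo_resolve(host: str) -> str:
    """Constructed resolver: one public name; IP literals pass through unchanged."""
    return {"files.example.com": "93.184.216.34"}.get(host, host)


def demo_fetch(url: str, max_bytes: int) -> bytes:
    """Constructed fetch. A real one would use urllib with a timeout and this size cap."""
    return {"http://files.example.com/invoice.exe": b"MZ" + TEST_SIGNATURE}[url][:max_bytes]


def demo_scan(data: bytes) -> bool:
    return TEST_SIGNATURE in data


def demo() -> dict[str, str]:
    return follow_and_scan(SAMPLE_MESSAGE, demo_resolve, demo_fetch, demo_scan)


if __name__ == "__main__":
    print(demo())
```

Running demo() follows the public URL and flags it, and refuses the 10.0.0.5 link without fetching it. The cost Bill describes is visible in the structure: every URL is one more network round trip per message, which is why the per-message cap and the fetch timeout matter on a busy gateway.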


Re: [Declude.Virus] Running declude 4.x

2006-02-20 Thread Bill Landry



There was definitely a change between Declude Version 
3.0.5.23 and Version 3.0.5.26 in its handling of header processing. We had 
to roll back to .23 because .26 was causing strange behavior with certain mime 
encapsulated messages. I sent evidence to David Franco-Rocha off-line on 
2/10, but have yet to hear anything back.

Bill

  - Original Message - 
  From: Kevin Bilbee
  To: Declude.Virus@declude.com
  Sent: Sunday, February 19, 2006 1:10 PM
  Subject: RE: [Declude.Virus] Running declude 4.x

  I guess Declude needs to stand up and answer this thread. It is their software. I 
  can repeat the issue by sending a message from our copier. With the 3.x 
  version we were running it worked fine; as soon as I upgraded to 4.0.8 I had 
  complaints from my users.

  On the copier emails it happens when there is no text after the SUBJECT: 
  header. If we include a subject then Declude handles the message 
  properly.

  Kevin Bilbee
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Sunday, February 19, 2006 9:27 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Running declude 4.x

This is also affecting Nick Hayer's posts, and seemed to start when Declude 
started using 4.0.8 for this list. Based on the headers that are being shown 
in the body, it appears that this is Declude 4.0.8 that is pushing some of the 
existing headers into the body.

For those with headers in the body using prior versions of Declude, this may 
be due to the header formatting of the sending software and not necessarily 
Declude. That is a known issue, and it really has to do with Declude needing 
to do some error correction if I understand the conditions properly.

These two things appear to be from different causes.

Matt

Kaj Søndergaard Laursen wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: 19 February 2006 08:33
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Running declude 4.x

I am wondering if the headers showing in the body of this 
message was intentional. If not then there is a bug in 
declude 4.x.

I'm also seeing this with Declude 3.0.5.26. Some mails, like the "Oxygen" mail-list from Panda consistently shows up with some headers shown in the mail. I'm using Outlook 2003.

Regards,

Kaj
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]


Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Bill Landry



I reported this issue quite some time ago, when 
Scott was still running the show, and never got a satisfactory answer. You 
can scan the raw d*.smd file with f-prot and it will detect the virus, but run 
it through Declude Virus, and the virus goes through undetected. After 
pestering and prodding for several days, I finally gave up on getting a response 
that made sense. But it must have something to do with the way Declude 
Virus is stripping off the mime encapsulation before calling f-prot to scan the 
message.

I have copied this to the Declude Virus list, as 
well, since it really belongs there rather than on the IMail list.

Bill

  - Original Message - 
  From: Michael Graveen
  To: Imail_Forum@list.ipswitch.com
  Sent: Thursday, February 02, 2006 1:15 PM
  Subject: RE: [IMail Forum] Realistic virus threat?

  I've had F-Prot miss this virus on the mail server (being 
  called from Declude). But it's caught coming to my desktop, with the 
  same virus scanner. Is anyone else seeing this?

  Mike

  At 02:25 PM 2/2/2006, you wrote:
  I believe F-Prot calls it W32/[EMAIL PROTECTED]

  

  From: Stephen Guluk [mailto:[EMAIL PROTECTED]] 
  Sent: Thursday, February 02, 2006 2:19 PM
  To: Imail_Forum@list.ipswitch.com
  Subject: [IMail Forum] Realistic virus threat?
  Off topic but still related to email... 
  Had a couple clients that called concerned about this virus that is 
  said to open and do its damage tomorrow:
  [EMAIL PROTECTED]
  Win32.Nyxem.e
  I run F-prot on my mail server and their list of virus definitions 
  shows nothing pertaining to this virus name. I wrote them but expect that 
  they are sleeping since they are in Iceland.
  Anyone else running F-prot and know any more info on whether this is a real 
  threat?
  Regards, 
  Steve Guluk
  SGDesign
  (949) 661-9333
  ICQ: 7230769


Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Bill Landry



Andrew, I already have PRESCAN set to off and use the /server switch with 
F-Prot, so those were not the issue that was causing this behavior for me. 
From my virus.cfg:

# F-Prot
SCANFILE1   C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1  3
VIRUSCODE1  6
VIRUSCODE1  8
VIRUSCODE1  9
VIRUSCODE1  10
REPORT1     Infection:
PRESCAN     OFF

Bill

  - Original Message - 
  From: Colbeck, Andrew
  To: Declude.Virus@declude.com
  Cc: [EMAIL PROTECTED]
  Sent: Thursday, February 02, 2006 2:09 PM
  Subject: RE: [Declude.Virus] [IMail Forum] Realistic virus threat?
  
  My raw speculation:
  
  1) It is missed because the virus.cfg is using the 
  "PRESCAN ON" switch (the default, I believe) and the declude.exe 
  application does not decode the MIME or other coding as flexibly as a mail 
  client would, or makes an uninformed decision about what is an object worth 
  scanning.
  
  ANSWER: use PRESCAN OFF instead. This will 
  incur more CPU time as the selected antivirus scanner(s) will be scanning all 
  objects.
  
  2) For F-Prot specifically, the /server switch is not 
  being used and therefore F-Prot is not doing the message format 
  decoding. If Declude did a perfect job, this setting would be 
  irrelevant.
  
  ANSWER: use the /server switch in your SCANFILE 
  definition. This would cause more CPU time on the few messages that 
  appear as nested message encoding; it is intended for scanning servers with 
  multiple mailbox formats and nested messages.
  
  
  I follow my own advice on these two points and do not 
  have a problem with F-Prot under Declude EVA missing known 
  viruses.
  
  
  Andrew 8)
  
  
  


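The mismatch Bill describes (F-Prot flags the raw d*.smd file, but the message passes once Declude has stripped the MIME encapsulation) and Andrew's points about PRESCAN and F-Prot's /server switch both come down to who decodes the message format. The following is an added example, not Declude or F-Prot code, and it does not claim to reproduce Declude's actual extraction logic; it shows the general mechanism on a constructed forwarded message: an extractor that decodes only top-level attachments never sees a payload nested inside a message/rfc822 part, a scanner with no mail decoding sees only base64 text, and only a decoder that walks every leaf finds it. The signature string, the stand-in scanner and the sample message are constructed.

```python
"""Why a scanner can flag the raw spool file yet miss the message after extraction.

Added example for this thread; it is not Declude or F-Prot code. It shows,
generically, how a shallow MIME extractor drops a payload carried inside a
forwarded message/rfc822 part while a full walk of the message finds it.
The signature, the scanner and the sample message are all constructed.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

TEST_SIGNATURE = b"GATEWAY-TEST-SIGNATURE-NOT-A-REAL-VIRUS"   # stand-in for an AV signature


def looks_infected(data: bytes) -> bool:
    """Stand-in for the AV engine: a plain byte-pattern match."""
    return TEST_SIGNATURE in data


def build_sample() -> bytes:
    """Constructed message: a forward whose inner message carries the signature."""
    inner = EmailMessage()
    inner["From"] = "someone@example.org"
    inner["Subject"] = "photo"
    inner.set_content("see attached")
    inner.add_attachment(b"MZ" + TEST_SIGNATURE, maintype="application",
                         subtype="octet-stream", filename="photo.jpg.exe")
    outer = EmailMessage()
    outer["From"] = "forwarder@example.com"
    outer["To"] = "user@example.net"
    outer["Subject"] = "FW: photo"
    outer.set_content("forwarding this")
    outer.add_attachment("harmless text", filename="notes.txt")
    outer.add_attachment(inner)          # becomes a message/rfc822 part
    return outer.as_bytes()


def signature_visible_in_raw_bytes(raw: bytes) -> bool:
    """A scanner with no mail-format decoding sees only the base64 text."""
    return looks_infected(raw)


def scan_top_level_attachments(raw: bytes) -> list[str]:
    """Decode only the direct attachments, the way a shallow extractor does.

    get_payload(decode=True) returns None for a message/rfc822 part because its
    payload is another message, not an encoded body; an extractor that skips
    what it cannot decode drops exactly the part that matters."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged: list[str] = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data is not None and looks_infected(data):
            flagged.append(part.get_filename() or part.get_content_type())
    return flagged


def scan_all_leaves(raw: bytes) -> list[str]:
    """Walk into every container, including message/rfc822, and decode each leaf."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged: list[str] = []
    for part in msg.walk():
        if part.is_multipart():          # multipart/* and message/rfc822 wrappers
            continue
        data = part.get_payload(decode=True)
        if data is not None and looks_infected(data):
            flagged.append(part.get_filename() or part.get_content_type())
    return flagged


def demo() -> dict[str, object]:
    raw = build_sample()
    return {
        "raw_bytes": signature_visible_in_raw_bytes(raw),
        "top_level_only": scan_top_level_attachments(raw),
        "all_leaves": scan_all_leaves(raw),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The three verdicts disagree on the same bytes, which is the situation in the thread: which engine "wins" depends on whether it is handed the raw file and told to parse mail formats itself (F-Prot's /server switch, per Andrew), or handed objects that a separate extractor has already decided are worth scanning (PRESCAN). When an extractor and a scanner are both in the path, the gateway's detection is only as good as the weaker decoder.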


Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Bill Landry



Scan timeouts were not the issue either, since my 
secondary Declude Virus scanner (TrendMicro) would catch the virus fine, and the 
logs would show the scanning to be taking a mere second or two.

Bill

  - Original Message - 
  From: Colbeck, Andrew
  To: Declude.Virus@declude.com
  Sent: Thursday, February 02, 2006 2:34 PM
  Subject: RE: [Declude.Virus] [IMail Forum] Realistic virus threat?
  
  3) On a very busy server, Declude may be aborting 
  the scan because it is taking too long. The default is 60 
  seconds.
  
  ANSWER: Use SCANNERTIMEOUT 90 in the virus.cfg or 
  some other time value of your choosing.
  
  Andrew 8)
  
  
  




Re: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-15 Thread Bill Landry

Hmmm, maybe try switching that from totalvirus to virustotal.

Bill
- Original Message - 
From: Goran Jovanovic [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Thursday, December 15, 2005 7:53 AM
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a 
virus?



I tried www.totalvirus.com and it is an ad site.

Thank you

Goran Jovanovic
Omega Network Solutions




-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-
[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, December 15, 2005 10:45 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Where to send exe's to check if they are

a

virus?

www.virustotal.com (see my previous posting for results)

At the moment I'm considering blocking exe in zips, at least temporarily, and
updating the virus definitions.

Markus



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Goran

Jovanovic

 Sent: Thursday, December 15, 2005 4:26 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] Where to send exe's to check if they
 are a virus?

 Hi,

 I am getting a bunch of exe in zip files being banned right
 now. I have grabbed one of them it is called marie.zip and
 has a single exe in it called s3700020.exe and when you put
 it on your desktop it has the standard jpeg icon associated with it.

 My F-Prot, McAfee and Symantec scanners are not finding a
 virus. Where is the place that you can send it to and have it
 checked out by a ton of virus scanners?

 Thanx

 Goran Jovanovic
 Omega Network Solutions


Re: [Declude.Virus] New Sober to be released Nov-15-2005 ?

2005-11-14 Thread Bill Landry
Seeing them here, as well.  So far, the virus is only being detected by NAI 
(New Malware.n) and ClamAV (Worm.Mytob.T-2).  However, TrendMicro, AVG, 
BitDefender, Sophos, and F-Prot are not yet detecting this new virus.


Bill
- Original Message - 
From: John T (Lists) [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Monday, November 14, 2005 4:57 PM
Subject: RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?



Well, I am not sure about tomorrow, but in the last hour I have started to
see some messages being caught with banned ZIP-EXE with a subject line of
Thanks for your registration and a file name of reg_text.zip and a D file
size of 184 Kb that I have not seen before.

John T
eServices For You


-Original Message-
From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]

On Behalf Of Colbeck, Andrew
Sent: Monday, November 14, 2005 3:36 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?

Hmmm, now that's interesting.

http://www.f-secure.com/weblog/#0705


Andrew.







Re: [Declude.Virus] Update on Upgrade

2005-11-05 Thread Bill Landry

What specific 3.x version did you upgrade to?  The latest is 3.0.5.18.

Bill
- Original Message - 
From: David Dodell [EMAIL PROTECTED]

To: declude.virus@declude.com
Sent: Saturday, November 05, 2005 11:04 AM
Subject: [Declude.Virus] Update on Upgrade



It appears it is generating out the messages, but the messages are
being held as GSE and GSC files, and then taking a long time to
process, where it used to be instant before ???

David

-
Internet Dental Forum  www.internetdentalforum.org
Dentalcast Podcast www.dentalcast.net



Re: Re[4]: [Declude.Virus] Update on Upgrade

2005-11-05 Thread Bill Landry
Those are just the receipt log entries, where are the delivery log entries? 
Search the log file for 25FB0282.


Bill
- Original Message - 
From: David Dodell [EMAIL PROTECTED]

To: Bill Landry Declude.Virus@declude.com
Sent: Saturday, November 05, 2005 12:18 PM
Subject: Re[4]: [Declude.Virus] Update on Upgrade



Saturday, November 5, 2005, 12:50:59 PM, Bill Landry wrote:


Strange, what do the IMail logs say about these particular messages?



Yep, it is strange .. it is taking about 20 to 30 minutes from once
the message is scanned till the Email message is being generated.

The log looks normal, but don't know why they are being generated out
by the postmaster account as GSC files?

20051105 110625 127.0.0.1 SMTPD (25FB0282)[63.246.13.85] MAIL FROM: [EMAIL PROTECTED]
20051105 110625 127.0.0.1 SMTPD (25FB0282)[63.246.13.85] RCPT TO: [EMAIL PROTECTED]
20051105 110625 127.0.0.1 SMTPD (25FB0282)[63.246.13.85] c:\IMail\spool\Df4a125fb0282f87e.SMD 1593




Re: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread Bill Landry
My virus caught messages are being delivered right away with version 
3.0.5.18.


Bill
- Original Message - 
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Saturday, November 05, 2005 1:13 PM
Subject: Re: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today


I caught that in the later thread.  On my system I see the same behavior 
where the gsc/gse will get processed by the next queue run as well.  I do 
seem to remember that in older versions delivery of them was attempted 
right away.


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.



- Original Message - 
From: David Dodell [EMAIL PROTECTED]

To: Darrell ([EMAIL PROTECTED]) Declude.Virus@declude.com
Sent: Saturday, November 05, 2005 3:59 PM
Subject: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today


Saturday, November 5, 2005, 1:43:11 PM, Darrell 
([EMAIL PROTECTED]) wrote:


When you say messages are getting stuck in the spool do you mean after they
are processed by Declude?  When you upgraded to Declude 3.x did you replace
the declude.exe file?


As I mentioned in another post, it appears that the Postmaster
generated messages are sitting in the \imail\spool directory, but with
a GSE or GSC extension instead of SMD ... and are eventually processed
within 20 or 30 minutes, I'm assuming being caught by the queue being
reprocessed in that time period??



Re: Re[4]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread Bill Landry
I am running IMail 8.21/Declude 3.0.5.18.  My queue retry timer is set to 30 
minutes.  And both postmaster and recipient virus notifications are being 
delivered immediately.


Bill
- Original Message - 
From: David Dodell [EMAIL PROTECTED]

To: Bill Landry Declude.Virus@declude.com
Sent: Saturday, November 05, 2005 2:38 PM
Subject: Re[4]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today



My virus caught messages are being delivered right away with version
3.0.5.18.


Bill, are you using Imail?   If so, how fast is your queue being
retried since it appears to be tied to that 



Re: [Declude.Virus] Declude using CBL to block users sending mail?????

2005-06-13 Thread Bill Landry


- Original Message - 
From: Matt



So it would be possibly useful in this case, but again, solving the
issue that created the CBL listing is the most direct route, and less
dependency on any particular test by adding something like Sniffer
and reducing weights on such things I think is still the best overall
solution.


Not to mention that anything done to reduce the weight of messages into your 
own system does nothing to control how others may be using CBL to weight or 
block spam coming into their systems.  So as Matt said, the best thing to do 
is correct whatever issue got you listed in the first place, and then focus 
your efforts on getting the listing removed.


Bill 




Re: [Declude.Virus] f-prot update script

2005-05-04 Thread Bill Landry
My wget script for updating F-Prot has been working just fine for a few 
years now, and still continues to function properly.

Bill
- Original Message - 
From: Douglas Cohn [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, May 04, 2005 8:13 AM
Subject: RE: [Declude.Virus] f-prot update script


This update is the worst method IMO (the one referenced in the link here).
I used to update every hour and using this I would find the machine with the
updater hung on the screen, timed out, at least once a week.

W2K Server SP4.  What OS are you using it on where it does NOT create
issues?
I started writing a simple updater using 4NT copy /u which copies across
anonymous ftp and http links and only copies new files.  Perfect, but then I
read somewhere that F-Prot has no FTP updates available anymore, so I rewrote
the one for McAfee command line instead, since I do not have the full version
installed on this machine and do not want to install the full version.

The script pulls the superdat, expands it and then the daily dat.
I could not get the wget McAfee script from the Declude links to work for
long either.  Wget got corrupted after 2 days, saying it was not a valid
win32 application.  Those links on the Declude site should be removed as
that stuff does not work anymore.
4NT from JPSoft is simply the best tool for the job anyway.  That and unzip
from Info-ZIP and it is done.

DC
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, May 02, 2005 11:21 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script
Daniel,
Give this a try:
http://www.f-prot.com/support/windows/fpwin_faq/88.html
-Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 11:06 AM
To: 'Declude.Virus@declude.com'
Subject: RE: [Declude.Virus] f-prot update script
I have tried using this script.  I keep getting an error referring to
wget.exe and it doesn't update F-Prot.
Daniel
===
Daniel Ivey
GCR Company / GCR Online
Voice:  434 - 570 - 1765
Fax:434 - 572 - 1981
[EMAIL PROTECTED]
-Original Message-
From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script
Take a look at:
http://www.declude.com/Articles.asp?ID=100
F-Prot for DOS updater - A batch file that automatically updates F-Prot and
its virus definitions (old version here), and a Cygwin version, and a
complete .ZIPed version. Finally, a Simple version!


Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-
[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 9:52 AM
To: 'Declude.Virus@declude.com'
Subject: [Declude.Virus] f-prot update script
Does anyone have an f-prot update script that they wouldn't mind sharing? I
have tried one that I found, but never could get it to work.  Any help is
appreciated.
Thanks,
Daniel
===
Daniel Ivey
GCR Company / GCR Online
Voice:  434 - 570 - 1765
Fax:434 - 572 - 1981
[EMAIL PROTECTED]
---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,

just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

---
[This E-mail scanned for viruses by Declude Virus]




Re: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Bill Landry
Yes, this is a problem!  I rolled back to my latest defs prior to the last 
update and all is well again.  I disabled my updates for a while to see if 
F-Prot fixes this issue.

Bill
- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 10:46 AM
Subject: [Declude.Virus] F-Prot and HTML object exploit


It appears that something has updated on F-Prot in the last hour. Now, a lot
of outbound HTML e-mails are being flagged by F-Prot as having the HTML
object exploit. Running the file on www.virustotal.com shows clean.

Any one else seeing problems?
For now, as I am at a client, I have turned off F-Prot scanning relying on
AVG.
John T
eServices For You



Re: [Declude.Virus] Viruses appearing to be getting through...

2005-05-02 Thread Bill Landry
Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV 
(Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although 
I have F-Prot updates disabled for now, until they get their problem with 
HTML/[EMAIL PROTECTED] fixed).

Bill
- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...


I saw a big bunch about 2 hours ago that were stopped by banned zip
extensions.
John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 10:58 AM
To: Declude. Virus
Subject: [Declude.Virus] Viruses appearing to be getting through...
I am seeing several files getting through that appear to have viruses
attached as zip files.  I am running Declude with F-Prot.  We ban encrypted
zips and I have error code 8 included.  Anyone else seeing this behavior?
Here is part of the log.
05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64;
Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
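Chuck's log line shows account_info-text.zip passing as "Virus Free" while John's banned zip extensions stopped the same wave; the difference is whether the archive is inspected for what it contains rather than only handed to the scanner. The block below is an added example, not Declude's code and not its ZIPEXT implementation: it reads a zip's central directory directly, flags entries whose general-purpose flag bit 0 marks them encrypted (the "ban encrypted zips" case: an encrypted entry cannot be scanned at all) and entries whose inner name carries a banned extension. The ban list, the sample archive and its inner file name account_info.txt.exe are constructed for the example and are not taken from the thread.

```python
import io
import struct
import zipfile
from dataclasses import dataclass

# Assumed ban list for the example; Declude's own default list is not on this page.
BANNED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


@dataclass
class Entry:
    name: str
    encrypted: bool
    size: int


def list_entries(data: bytes):
    """Walk the zip central directory (no extraction, no decompression)."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a zip: no end-of-central-directory record")
    # EOCD: total entries (2 bytes at +10), CD size (4 at +12), CD offset (4 at +16)
    n_total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(n_total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, = struct.unpack_from("<H", data, pos + 8)       # general-purpose flags
        usize, = struct.unpack_from("<I", data, pos + 24)      # uncompressed size
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        enc = "utf-8" if flags & 0x800 else "cp437"            # bit 11 = UTF-8 names
        name = data[pos + 46:pos + 46 + nlen].decode(enc, "replace")
        entries.append(Entry(name, bool(flags & 0x1), usize))  # bit 0 = encrypted
        pos += 46 + nlen + xlen + clen
    return entries


def check_zip(data: bytes, ban_encrypted=True):
    """Return ("BAN" | "PASS", reasons): the decision a ZIPEXT-style rule makes
    before the archive is ever passed to the virus scanner."""
    reasons = []
    for e in list_entries(data):
        ext = e.name.rsplit(".", 1)[-1].lower() if "." in e.name else ""
        if ext in BANNED_EXT:
            reasons.append(f"banned extension inside archive: {e.name}")
        if ban_encrypted and e.encrypted:
            reasons.append(f"encrypted entry, cannot be scanned: {e.name}")
    return ("BAN" if reasons else "PASS", reasons)


def build_sample(encrypt_flag=False) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted entries, so
    the encryption flag is set by patching bit 0 of the general-purpose flag
    in the first local header (offset 6) and the first central-directory
    header (offset 8); the content is not encrypted, only marked as such."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("account_info.txt.exe", b"MZ... not a real program")
        z.writestr("readme.txt", b"hello")
    data = bytearray(buf.getvalue())
    if encrypt_flag:
        data[6] |= 0x01
        cd = data.find(b"PK\x01\x02")
        data[cd + 8] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        print(check_zip(build_sample(flag)))
```

Reading the central directory rather than unpacking the archive keeps the check cheap and safe on a loaded mail server: nothing is decompressed, so a zip bomb or a corrupt member costs nothing, and an encrypted member is banned outright because no scanner can look inside it.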


Re: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Bill Landry
Depends on how you execute your updates.  I use a script that saves a copy 
of the previous defs to a backup directory.  I can zip and send the previous 
defs to you if you do not have copies of them.

Bill
- Original Message - 
From: Jeff [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 11:50 AM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit


How can I roll back ??
- Original Message - 
From: Bill Landry [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 2:12 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit


Yes, this is a problem!  I rolled back to my latest defs prior to the last
update and all is well again.  I disabled my updates for a while to see if
F-Prot fixes this issue.

Bill
- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 10:46 AM
Subject: [Declude.Virus] F-Prot and HTML object exploit

 It appears that something has updated on F-Prot in the last hour. Now, a lot
 of outbound HTML e-mails are being flagged by F-Prot as having the HTML
 object exploit. Running the file on www.virustotal.com shows clean.

 Any one else seeing problems?

 For now, as I am at a client, I have turned off F-Prot scanning relying
on
 AVG.

 John T
 eServices For You





Re: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Bill Landry
I e-mailed you the latest, non-affected defs, offline.  I run 3.16b and it
has the same problem (since it's a detection issue with the virus
definition, not the application), but I would still upgrade to the latest
version.

Bill
- Original Message - 
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 1:36 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit


 I've been running 3.15b - I'm downloading the latest version now.
 Should I install?  or will this have no effect on this particular issue?

 And what about the previous defs - anyone out there want to email me a
 previous def file as a work around??

 Thanks

 Kevin


 Markus Gufler wrote:

 Question: Have you all running the latest v3.16b ?
 
 I can't see any appearance of HTML/ObjData in the entire current
logfile,
 but I've still running 3.16a
 
 Markus
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John
 Tolmachoff (Lists)
 Sent: Monday, May 02, 2005 7:47 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] F-Prot and HTML object exploit
 
 It appears that something has updated on F-Prot in the last
 hour. Now, a lot of outbound HTML e-mails are being flagged
 by F-Prot as having the HTML object exploit. Running the file
 on www.virustotal.com shows clean.
 
 Any one else seeing problems?
 
 For now, as I am at a client, I have turned off F-Prot
 scanning relying on AVG.
 
 John T
 eServices For You
 
 
 


Re: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Bill Landry
F-Prot may have pulled the latest defs due to the number of complaints
received, which could explain why the app reports that you have the latest
version.

Bill
- Original Message - 
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 1:54 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit


 I also filled out the form at FProt's site.  Thanks for the defs.  When
 I open up FProt, though, it says that my defs are up-to-date, even
 though I replaced the newest ones with the ones that you sent.  I hope
 that that message indicates whether we've downloaded the latest - not
 whether we are actually using the latest defs.



 Colbeck, Andrew wrote:

 I don't think the engine version matters, just the pattern file.
 
 I've confirmed that the culprit is this, the most recent sign.def from
 
 05/02/2005  01:32 PM
 
 And yes, I've sent in a support request via their web page; I'd like to
 supply them with several samples.
 
 I've also played around with the switch settings and found that there
 are no relevant switches that can be used as a workaround (i.e. /ai
 /noheur and /server make no difference in the detection or not of
 this false-positive).
 
 All of the messages detected either had Office 10 or Office 11 headers
 or were replies to messages created with Office 10 or Office 11.
 
 Andrew 8)
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Monday, May 02, 2005 1:10 PM
 To: Declude.Virus@declude.com
 Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
 
 
 Question: Have you all running the latest v3.16b ?
 
 I can't see any appearance of HTML/ObjData in the entire current
 logfile, but I've still running 3.16a
 
 Markus
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John
 Tolmachoff (Lists)
 Sent: Monday, May 02, 2005 7:47 PM
 To: Declude.Virus@declude.com
 Subject: [Declude.Virus] F-Prot and HTML object exploit
 
 It appears that something has updated on F-Prot in the last
 hour. Now, a lot of outbound HTML e-mails are being flagged
 by F-Prot as having the HTML object exploit. Running the file
 on www.virustotal.com shows clean.
 
 Any one else seeing problems?
 
 For now, as I am at a client, I have turned off F-Prot
 scanning relying on AVG.
 
 John T
 eServices For You
 
 
 
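Bill's approach in this thread (an update script that saves the previous definitions aside so they can be put back when a new sign.def misfires), written out as an added example; this is not the script from the thread. The file names SIGN.DEF, SIGN2.DEF and MACRO.DEF are the ones F-Prot lists in its own scan report elsewhere in this archive; the directory names are hypothetical. changed_files() answers the question Kevin raises above: whether the files on disk actually differ, independent of what the application's "up-to-date" check says.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# F-Prot's signature files as named in its scan report (see this archive).
DEF_FILES = ("SIGN.DEF", "SIGN2.DEF", "MACRO.DEF")


def fingerprint(directory):
    """SHA-256 of each definition file present, keyed by file name."""
    directory = Path(directory)
    result = {}
    for name in DEF_FILES:
        path = directory / name
        if path.is_file():
            result[name] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def backup_defs(fprot_dir, backup_dir):
    """Copy the current defs aside before running the updater.
    Returns the names that were backed up."""
    fprot_dir, backup_dir = Path(fprot_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    saved = []
    for name in DEF_FILES:
        src = fprot_dir / name
        if src.is_file():
            shutil.copy2(src, backup_dir / name)   # copy2 keeps the file's mtime
            saved.append(name)
    return saved


def changed_files(fprot_dir, backup_dir):
    """Names whose content differs between the live and backed-up copies."""
    live, saved = fingerprint(fprot_dir), fingerprint(backup_dir)
    return sorted(n for n in saved if live.get(n) != saved[n])


def rollback_defs(fprot_dir, backup_dir):
    """Put the previous defs back. Refuses to do a partial rollback: if any
    backed-up file is missing, nothing is touched."""
    fprot_dir, backup_dir = Path(fprot_dir), Path(backup_dir)
    missing = [n for n in DEF_FILES if not (backup_dir / n).is_file()]
    if missing:
        raise FileNotFoundError(f"no backup for {', '.join(missing)}")
    for name in DEF_FILES:
        shutil.copy2(backup_dir / name, fprot_dir / name)
    return list(DEF_FILES)


def demo():
    """Whole cycle in a temporary directory with constructed def files:
    back up, simulate an update that replaces SIGN.DEF, detect the change,
    roll back, and confirm the originals are byte-for-byte restored."""
    with tempfile.TemporaryDirectory() as tmp:
        fprot, backup = Path(tmp) / "F-Prot", Path(tmp) / "defs-backup"
        fprot.mkdir()
        for name in DEF_FILES:
            (fprot / name).write_bytes(b"old " + name.encode())
        before = fingerprint(fprot)
        saved = backup_defs(fprot, backup)
        (fprot / "SIGN.DEF").write_bytes(b"new SIGN.DEF from the updater")
        changed = changed_files(fprot, backup)
        rollback_defs(fprot, backup)
        return {"saved": saved, "changed": changed,
                "restored": fingerprint(fprot) == before}


if __name__ == "__main__":
    print(demo())
```

Run backup_defs() immediately before the updater and keep the backup directory per run (a dated subdirectory, for instance) if you want to step back more than one update; the all-or-nothing check in rollback_defs() matters because a SIGN.DEF from one release paired with a SIGN2.DEF from another is not a state anyone has tested.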


Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Bill Landry



Matt, I searched 2 weeks of logs on both of my servers (both of which run
F-Prot and TrendMicro) and could only find 4 instances of "Could not find
parse string Infection", and they were found on the server that is very
heavily loaded.  I use the following F-Prot strings in my virus.cfg:

# F-Prot
SCANFILE1   C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1  3
VIRUSCODE1  6
VIRUSCODE1  8
VIRUSCODE1  9
VIRUSCODE1  10
REPORT1     Infection:

Here is a sample of what I find if I parse for 5 lines before and after the
target Q-ID:

04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1 752]
04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]

I didn't find a time gap in any of the "Could not find parse string
Infection" log entries I found.

Bill

- Original Message - 
From: Matt
To: Declude.Virus@declude.com
Sent: Thursday, April 28, 2005 10:58 AM
Subject: Re: [Declude.Virus] High CPU F-Prot


Andrew,

If you are only using F-Prot, you should be able to find evidence of at
least the delays by searching for "Could not find parse string Infection"
and then checking for a gap above that point to where the message began to
be scanned.

If I'm correct about this, and it seems that I am, F-Prot has been missing a
fair number of viruses every day at least going back to April 11th.  Their
new scan engine, 3.16b, was released back on March 7th and this may be
related, but I don't have logs going back past April to confirm.

F-Prot users should all probably pay very close attention to this.  I
haven't yet contacted F-Prot because I'm busy at this moment and this was
only just confirmed by someone else.  I would have to say that Scott would
be quite useful in a situation like this because it appeared that he had a
line of contact with them (Scott, are you out there?).

Matt

Colbeck, Andrew wrote: 
  The "could not parse" string occurs whenever F-Prot returns a result
that *isn't* equal to 3.  Only return code 3 provides a string in the
result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus
scanner, I don't see the evidence of a space gap.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot


On 28 Apr 2005 at 12:57, Matt wrote:

Matt - 

If this becomes a real problem that you see and can monitor I would 
revert back to an older scan.exe to eliminate the issue of versions.

This is a possible clue:
  
" Could not find parse string Infection: in report.txt"
What does this mean?

Your virus.cfg needs a different setup parameter or report.txt cannot 
be found?

-Nick
  
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
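The two checks discussed in this thread, scripted as an added example (this is not code from the thread or from Declude): Matt's method of finding every "Could not find parse string" entry and measuring the time since the previous log line for the same Q-ID, and Andrew's explanation of where that entry comes from, modelled on the VIRUSCODE/REPORT lines from Bill's virus.cfg (an exit code in the VIRUSCODE set means infected; the virus name is read after "Infection:", and a qualifying exit code with no such line is the parse-string case). The log format is as quoted in this thread; the sample lines are constructed, modelled on those quoted entries, and the five-second threshold is an assumption.

```python
import re
from datetime import datetime

# From the virus.cfg quoted in this thread: F-Prot exit codes Declude treats
# as "infected", and the string after which the virus name is read.
VIRUSCODES = {3, 6, 8, 9, 10}
REPORT_STRING = "Infection:"


def classify_scan(exit_code, report_text):
    """Model of what Declude does after the scanner returns (an assumption
    about its behaviour drawn from the thread, not Declude's own code).
    Returns (infected, virus_name, parse_failed)."""
    if exit_code not in VIRUSCODES:
        return (False, None, False)
    for line in report_text.splitlines():
        if REPORT_STRING in line:
            name = line.split(REPORT_STRING, 1)[1].strip()
            return (True, name, False)
    # Exit code says infected, but no "Infection:" line in the report:
    # this is the "Could not find parse string" case (e.g. exit code 8).
    return (True, "", True)


# Declude log line: "MM/DD/YYYY HH:MM:SS Q<hex-id> message"
LOG_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")


def parse_log(lines):
    """Yield (timestamp, qid, message) for each well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def find_parse_failures(lines, min_gap_seconds=5):
    """For every "Could not find parse string" entry, return
    (qid, seconds since the previous line for that Q-ID, slow_scan flag).
    A large gap is the scanner taking a long time on that one message."""
    last_seen = {}
    results = []
    for ts, qid, msg in parse_log(lines):
        if msg.startswith("Could not find parse string"):
            prev = last_seen.get(qid)
            gap = (ts - prev).total_seconds() if prev else 0.0
            results.append((qid, gap, gap >= min_gap_seconds))
        last_seen[qid] = ts
    return results


# Constructed sample, modelled on the log excerpts quoted in this thread:
# one message with a 6-second gap before the parse failure, one with none.
SAMPLE_LOG = """\
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
""".splitlines()


if __name__ == "__main__":
    for qid, gap, slow in find_parse_failures(SAMPLE_LOG):
        print(f"{qid}: {gap:.0f}s before parse failure{' (slow scan)' if slow else ''}")
```

Point it at a real Declude log with `find_parse_failures(open(path))`; because the gap is measured per Q-ID rather than between adjacent lines, interleaved entries from other messages on a busy server do not hide or inflate it.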

Re: [Declude.Virus] F-Prot 3.16b

2005-04-11 Thread Bill Landry
It's not all that new, we have been running it since early March without
issue.

Bill
- Original Message - 
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, April 11, 2005 12:36 PM
Subject: [Declude.Virus] F-Prot 3.16b


Hi,



Anyone know anything about the new version that just came out?









 Goran Jovanovic

 The LAN Shoppe




Re: [Declude.Virus] McAfee and POP3 service crash

2005-02-07 Thread Bill Landry
Although I cannot explain the cause of the issues you've seen, I would
suggest that you upgrade your scan engine:
http://www.mcafeesecurity.com/us/downloads/default.asp?wt.mc_n=us_updateswt.mc_t=ext_li_concid=10373.
Download and run the SuperDat, file which contains the latest dat and engine
updates (version 4400\4426).

Bill
- Original Message - 
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, February 07, 2005 6:27 AM
Subject: [Declude.Virus] McAfee and POP3 service crash


 I've never seen this before, but beginning on Saturday morning, I
 started getting appearances of Application Error in my Event Log about
 McAfee:


 Faulting application Scan.exe, version 4.3.2.0, faulting module
 mcscan32.dll, version 4.3.2.0, fault address 0x0001cfd0.


 Then this morning the POP3 service started also giving errors in
 addition to McAfee:


 Faulting application POP3d32.exe, version 12.11.9.8, faulting module
 POP3d32.exe, version 12.11.9.8, fault address 0x00010bcb.


 The POP3 service had in fact crashed and it needed to be restarted (I
 rebooted just to be safe).  I believe that this is the first time that I
 have ever seen the POP3 service crash.  Although I don't believe that
 POP3 has anything direct relationship to McAfee on my server since that
 app is only used as a command line scanner, I'm quite suspicious of this
 causing the issue.

 Has anyone else seen either one of these errors on their systems?

 Thanks,

 Matt

 -- 

 =

 MailPure custom filters for Declude JunkMail Pro.

 http://www.mailpure.com/software/ http://www.mailpure.com/software/

 =




Re: [Declude.Virus] RAR Support - why not?

2005-01-27 Thread Bill Landry
- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]

 Now we just need McAfee to scan inside RAR files G

Indeed!  Even F-Prot scans inside of .rar files:
=
cat report.txt
Virus scanning report  -  27 January 2005 @ 16:46

F-PROT ANTIVIRUS
Program version: 3.16a
Engine version: 3.16.2

VIRUS SIGNATURE FILES
SIGN.DEF created 27 January 2005
SIGN2.DEF created 27 January 2005
MACRO.DEF created 27 January 2005

Search: MsWindowsUpdate.rar
Action: Report only
Files: Dumb scan of all files
Switches: /ARCHIVE /PACKED /SERVER /REPORT=report.txt
Memory was not scanned.
Hard disk boot sectors were not scanned.

F:\Virus-Test\MsWindowsUpdate.rar-MsWindowsUpdate.exe  is a dropper for
W32/[EMAIL PROTECTED]
=

Bill



Re: [Declude.Virus] FW: MS Windows/Critical Error

2005-01-26 Thread Bill Landry
- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]


 Just got that one - attached was a WindowsUpdate.rar, 43 KB.

On a Linux test server we run, I tested one of these messages and of the 7
virus scanners we have running on this test server (AVG, Sophos, TrendMicro,
McAfee, F-Prot, ClamAV, and Bitdefender - all of which update hourly), only
ClamAV-clamd (Trojan.LdPinch.JM1-3) and  BitDefender
(Trojan.Dropper.Microjoin.J) are currently detecting the virus in the
MsWindowsUpdate.rar file.

Bill



Re: [Declude.Virus] FW: MS Windows/Critical Error

2005-01-26 Thread Bill Landry
- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

 So, if I am banning ZIPEXT, this should be caught since rar is treated
same
 as zip in Declude, correct?

Don't know...

 What is the file in the rar?

The MsWindowsUpdate.rar archive contains a single file called
MsWindowsUpdate.exe.

Bill



Re: [Declude.Virus] PB installing 2.0B

2004-12-21 Thread Bill Landry
- Original Message - 
From: Serge [EMAIL PROTECTED]

 you are probably right
 we use to have the same issue with manual install
 However, the full install notes specificaly say that no service need to
be
 stoped when upgrading
 So they need get their act together, or give us back our old manual
install

I agree, the old manual download/install should at least be an option.  I
don't like downloading 6.66mb file, just to get a 500kb declude.exe file.
Especially when that 6mb install file takes over 3.5 minutes to complete its
installation process, and then changes my config files in the process
without warning (as Kami noted, it changes the .eml files - did the same
thing here), and then did not install properly.

After running the install, which completed without error, I ended up with a
288kb declude.exe file that did not work - I had to revert back to version
1.81 to get Declude JunkMail  Virus to function again.  What size
declude.exe file have others that successfully installed 2.0B ended up with?

Bill



Re: [Declude.Virus] PB installing 2.0B

2004-12-21 Thread Bill Landry
Yep, always installed on a test server before moving into production.

Bill
- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, December 21, 2004 10:25 AM
Subject: RE: [Declude.Virus] PB installing 2.0B


Hey, Declude Support, I'm interested in a manual installation, too!

...

Now, I don't want to sound like I'm shooting the messenger, but I hope
you guys aren't doing this on your production server.

Since I'm interested in the manual installation, I'll install it on the
development server, note the changes, and then after testing, bring it
over to the live server.

Which is the same as I've done the last few times.  If you're going to
implement beta software, it's worth the effort.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, December 21, 2004 7:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] PB installing 2.0B


- Original Message - 
From: Serge [EMAIL PROTECTED]

 you are probably right
 we use to have the same issue with manual install
 However, the full install notes specificaly say that no service need
 to
be
 stoped when upgrading
 So they need get their act together, or give us back our old manual
install

I agree, the old manual download/install should at least be an option.
I don't like downloading 6.66mb file, just to get a 500kb declude.exe
file. Especially when that 6mb install file takes over 3.5 minutes to
complete its installation process, and then changes my config files in
the process without warning (as Kami noted, it changes the .eml files -
did the same thing here), and then did not install properly.

After running the install, which completed without error, I ended up
with a 288kb declude.exe file that did not work - I had to revert back
to version 1.81 to get Declude JunkMail  Virus to function again.  What
size declude.exe file have others that successfully installed 2.0B ended
up with?

Bill



[Declude.Virus] Fw: Declude 2.0b Install

2004-12-21 Thread Bill Landry



Nice to know that Declude is listening to our requests.  Thanks Ralph!

Bill
- Original Message - 
From: Ralph Krausse 
To: [EMAIL PROTECTED] 
Sent: Tuesday, December 21, 2004 10:57 AM
Subject: Declude 2.0b Install


Hello Bill,

I wanted to let you know that I was monitoring the email thread on the
Declude forums.  I will add an option to the install (and all future
installs) to be able to do a 'manual install' where it will prompt you for a
folder where the install will just copy the files into that folder and exit.
Then you will be able to do the upgrades you are used to.  We are trying to
make installs and upgrades easier for users but I realize that some
customers do like the hands-on approach.  I will try to accommodate
everyone.

Thank you,
Ralph Krausse


Re: Re[6]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 This is exactly why Scott and I had that whole e-mail exchange a few
weeks
 ago.  I have found a few viruses now that are not caught when decoded by
 Declude but when the D*.SMD files is scanned manually at the command line
by
 the same scanners with the same switches used in the virus.cfg file, the
 virus will be detected.  I thought this was an issue, but Scott thought
 otherwise...

 And there's a good reason why I thought it was not an issue (assuming
 you're referring to the HTML_BOFRA thread).

 In that thread, I believe there were two issues:

 [1] Phishing E-mails were sometimes not getting caught.  This is beyond
the
 scope of Declude Virus, as those are spam, not viruses.  However, if your
 AV program can detect phishing E-mails, you can easily get it to work with
 Declude Virus by making sure not to use the PRESCAN ON option in Declude
 Virus.

I had PRESCAN OFF in my virus.cfg.  Not caught when scanned via Declude -
caught when the raw D*.SMD file was manually scanned via the command prompt
using the same switches that were in the virus.cfg file.

 [2] Spam with links to viruses were not getting caught.  Again, this is
 technically beyond the scope of Declude Virus, as no viruses are passing
 through the mailserver.  The reason for this is that Declude Virus does
not
 send the headers of the E-mails to the virus scanner (as there is no need
 for it to see the headers in order to determine if a virus is
 present).  Again, this is an issue of an AV program doing more than what
AV
 programs traditionally do.

Same as above.

 So there is still no indication that a virus can get through a mailserver
 protected by Declude Virus.

Maybe/maybe not - see William Stillwell's earlier message.

Bill



Re: Re[8]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread Bill Landry

- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, December 20, 2004 1:57 PM
Subject: RE: Re[8]: [Declude.Virus] testvirus.org #22


 Ditto.  I thought Declude called the scanner(s) on the d*.smd,
 plus extracted all the segments out and scanned those too.  Is
 that incorrect?

This is actually what I was requesting that Scott have Declude do (same as
what amavisd-new recently enabled mail admins to do), set a switch to enable
scanning of the decoded parts as well as the message in it's entirety, if
desired.  However, there would be a trade-off here in that scanning would
take a bit longer to complete, but it would be up to each individual mail
admin to decide whether to enable the switch or not.

Bill

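The switch Bill asks for above (scan the decoded parts and also the message in its entirety, as amavisd-new lets an admin do), as an added example that is neither Declude's nor amavisd-new's code: scan_targets() produces the raw message plus every decoded MIME leaf, and scan_message() runs a scanner over whichever set is enabled. The scanner here is a stand-in that matches a constructed marker string, which is enough to show the trade-off in this thread: a scanner that does not decode base64 itself sees the marker in the decoded part but not in the raw message, while the headers (which Declude, per Scott's message, does not hand to the scanner) exist only in the whole-message pass. The sample message and the marker are constructed for the example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed marker standing in for an AV signature; not a real malware pattern.
SIGNATURE = b"FAKE-VIRUS-SIGNATURE-FOR-TEST"


def toy_scanner(blob: bytes) -> bool:
    """Stand-in for a command-line scanner run without a --mime / -server
    style option: it matches the signature only as raw bytes."""
    return SIGNATURE in blob


def scan_targets(raw: bytes):
    """(label, bytes) for the whole message and for each decoded leaf part:
    the set a 'scan parts and whole message' switch would hand to the scanner."""
    targets = [("whole-message", raw)]
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        if payload is None:
            continue
        label = part.get_filename() or part.get_content_type()
        targets.append((f"part:{label}", payload))
    return targets


def scan_message(raw: bytes, scanner=toy_scanner, scan_parts=True, scan_whole=True):
    """Labels of every target the scanner flagged, for the enabled passes."""
    hits = []
    for label, blob in scan_targets(raw):
        is_whole = label == "whole-message"
        if (is_whole and not scan_whole) or (not is_whole and not scan_parts):
            continue
        if scanner(blob):
            hits.append(label)
    return hits


def build_sample() -> bytes:
    """Constructed message: a text body plus a base64 attachment carrying the marker."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(SIGNATURE + b" plus some padding", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    print("whole message only:", scan_message(raw, scan_parts=False))
    print("parts as well:     ", scan_message(raw))
```

The cost Bill mentions is visible in scan_targets(): every part is one more scanner invocation, so on a loaded server the per-part pass is the one to keep and the whole-message pass is the optional extra, enabled only for scanners that know how to read MIME themselves.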


Re: Re[6]: [Declude.Virus] testvirus.org #17

2004-12-20 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 So Declude doesn't actually Send the SMD file to the Scanner..

 Correct.

 It takes the Message Body, writes it to a Tmp File, and then scans it?
 Why not just scan the SMD file, Headers and All?

 Because very few AV programs can read a .SMD file.  They make their big
 bucks by selling mailserver virus scanners ($1,000s), as opposed to desktop
 scanners ($10s), so they don't want the desktop scanners to scan .SMD files.

Many, if not most, desktop command-line scanners today have support for
mail/mime encoded files:
===
F-Prot: -server  Turns on heuristics that are suitable when scanning mail
messages on a mail server.

McAfee: --mime  Option tells the VirusScan Command Line application to
detect infections within archives converted to UUEncode, XXEncode, Base64,
and BinHex formats.

ClamAV: ScanMail  Enable internal e-mail scanner (Default: enabled)

BitDefender: --mail  Scan mail databases

Sophos: -mime  Scan files encoded in MIME format
===

Bill



Re: [Declude.Virus] ping

2004-12-09 Thread Bill Landry
Yeah, I'm sorry to say, the list is definitely down.  I am just sending you
this reply to let you know that I didn't get your test message - well,
because the list is down...  ;-)

- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 09, 2004 4:49 PM
Subject: [Declude.Virus] ping


 The usual new subscriber test.  Sorry for the inconvenience, this list
 seems pretty quiet!

 Andrew Colbeck
 Technical Specialist
 Bentall Capital LP
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 (604) 661-5047





Re: [Declude.Virus] log file grepping

2004-12-02 Thread Bill Landry
- Original Message - 
From: Nick [EMAIL PROTECTED]

  Total messages scanned for the day and the total number of viruses
  found for that day (not count of individual virus)?
 Correct.  I have no interest in this case of an indv virus count. Just
 totals. That is what I want to feed to mrtg to get realtime graphs.
 As you probably are aware mrtg likes 2 values to graph so in this
 case I'm looking for total scanned vs virus found. [For total viruses
 I think it would have to be by individual scanner so could see how
 each AV program compares. An overall total would be helpful as well
 if possible.]

Well, here is a bit of trickery to make it a single liner:

egrep "File\(|Scanned: (Virus|Error)|Skipping" l:\virus\vir1201.log | gawk "{print $1,$4,$5,$6}" | sed "s/\/2004 / TOTAL\n/g" | egrep "File|TOTAL" | gawk "{print $(NF-0)}" | usort | uniq -c

Which will give you an output like:

   735 INFECTED
  37023 TOTAL

You will need to adjust the path info to your log files, and can manipulate
the output to your liking, but this should give you a starting point to work
with...

Bill
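A worked version of the same log summary, written as an added example for this page (it is not code from the original post or from Declude). It parses constructed sample lines modelled on the Declude virus-log snippet quoted elsewhere on this page, counts distinct messages scanned and distinct messages flagged INFECTED, tallies detections per scanner, and formats the two totals the way an MRTG external script is expected to report them. The queue IDs and virus names are made up, and the "Scanned: Virus-free" line shape for clean messages is an assumption; the totals rest on distinct queue IDs, not on that wording.

```python
import re
from collections import Counter

# Constructed sample of a Declude virus log, modelled on the log snippet quoted
# elsewhere on this page (date, time, queue ID, then the event text). Queue IDs
# and virus names are made up. The "Scanned: Virus-free" shape for clean messages
# is an assumption; totals do not depend on it because a message is counted once
# per distinct queue ID.
SAMPLE_LOG = r"""
11/29/2004 12:01:27 Q80156bde012ce82c Scanner 1: Virus= W32/Example.worm Attachment=Joke.cpl [16] I
11/29/2004 12:01:27 Q80156bde012ce82c Scanner 2: Virus= [ WORM_EXAMPLE.A](1) in M:\IMail\spool\D80156~1.VIR\1.cpl Attachment=[HTML segment] [16] I
11/29/2004 12:01:27 Q80156bde012ce82c File(s) are INFECTED [ W32/Example.worm: 1]
11/29/2004 12:02:03 Q80156c0a3f11a9b1 Scanned: Virus-free
11/29/2004 12:02:41 Q80156c1d0e2207fe Scanner 2: Virus= [ HTML_BOFRA.B](1) in M:\IMail\spool\D80156~2.VIR\1.htm Attachment=[HTML segment] [16] I
11/29/2004 12:02:41 Q80156c1d0e2207fe File(s) are INFECTED [ HTML_BOFRA.B: 1]
11/29/2004 12:03:10 Q80156c2e7b44c100 Scanned: Virus-free
"""

# date, time, queue ID (Q followed by hex), then the event text
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<qid>Q[0-9a-fA-F]+) (?P<event>.*)$")
# per-scanner detection: "Scanner N: Virus= <name> ..." up to the " in " or
# " Attachment=" token that follows the name
SCANNER_RE = re.compile(r"^Scanner (?P<n>\d+): Virus= ?(?P<name>.+?) (?:in |Attachment=)")
INFECTED_MARK = "File(s) are INFECTED"


def summarize(log_text):
    """Count distinct messages scanned, distinct messages flagged infected,
    and the number of detections reported by each scanner."""
    scanned = set()
    infected = set()
    per_scanner = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrelated line
        qid, event = m.group("qid"), m.group("event")
        scanned.add(qid)
        if event.startswith(INFECTED_MARK):
            infected.add(qid)
        s = SCANNER_RE.match(event)
        if s:
            per_scanner[int(s.group("n"))] += 1
    return {
        "scanned": len(scanned),
        "infected": len(infected),
        "per_scanner": dict(sorted(per_scanner.items())),
    }


def mrtg_output(summary, target="Declude Virus"):
    """Format the two totals as an MRTG external script reports them:
    value 1, value 2, uptime (unused here, so 0), target name, one per line."""
    return f"{summary['scanned']}\n{summary['infected']}\n0\n{target}\n"


if __name__ == "__main__":
    print(mrtg_output(summarize(SAMPLE_LOG)), end="")
```

Point MRTG at a wrapper that reads the current day's log and prints mrtg_output(); the per_scanner counts are there for the per-AV comparison asked for above and can be fed to a second target.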



Re: [Declude.Virus] log file grepping

2004-12-01 Thread Bill Landry
- Original Message - 
From: Nick [EMAIL PROTECTED]

 Bill?.. or anyone  :)

 Is there a way in a single line to use grep or a similar tool on a
 virus log file and have it return 2 values: total_scanned and viruses
 found?

Total messages scanned for the day and the total number of viruses found for
that day (not count of individual virus)?

Bill



Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-29 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 Hmmm, I thought that since Declude Virus does the decoding and scanner
 calls, that you might be interested in testing this yourself...

 Yes.  That's why I tested it, and found that Declude Virus is decoding the
 attachments properly, and found a very plausible explanation as to why
 ClamAV isn't catching these.

 Might you consider such an option with Declude Virus?

 The problem is that it would be quite a bit of extra work to add such a
 feature, and there isn't any indication that it would improve AV detection
 in any way.  Phishing attacks are bad, but beyond the scope of AV
software,
 especially when it comes to a workaround to deal with a bug in a
 third-party program.

Okay, enough said.  Thanks, Scott, for taking the time to indulge me on this
one.

With some phishing filter work that Kami sent me off-list, I was able to put
together a single phishing filter that is sending these uncaught phishing
e-mails over my delete weight, so that will work for us.

Bill



[Declude.Virus] Reported virus infected file name

2004-11-29 Thread Bill Landry
I thought that this got fixed many versions ago, but it appears to be back
again (Declude 1.81), where the virus name is taken from Scanner 1, but
the file name is taken from the last scanner listed in the virus.cfg.
Snippet from the postmaster e-mail:
=
Declude Antivirus v1.81 caught the  W32/[EMAIL PROTECTED] virus in [HTML segment]
from [Forged] to:  [EMAIL PROTECTED]

Date:   29 Nov 2004 12:01:27
Subject:Re: Hi
Spool File: D80156bde012ce82c.SMD
Remote IP:  67.114.195.162
=

Snippet from virus log for this message:
=
11/29/2004 12:01:27 Q80156bde012ce82c Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=Joke.cpl [16] I
11/29/2004 12:01:27 Q80156bde012ce82c Scanner 2: Virus= [ WORM_BAGLE.AT](1) in M:\IMail\spool\D80156~1.VIR\1.cpl Attachment=[HTML segment] [16] I
11/29/2004 12:01:27 Q80156bde012ce82c File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
=

Shouldn't this notification read:

Declude Antivirus v1.81 caught the  W32/[EMAIL PROTECTED] virus in Joke.cpl

rather than what is shown above in the postmaster e-mail?

Bill



Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 Nope, in my testing of three command-line scanners, the attached
test.txt
 file contains the minimum needed to detect the file as containing a virus
 (copied your virustrap address, as well, in case this gets blocked to the
 list).

 It certainly does.

 The question is whether the AV program is expecting the headers.

There were no message headers included in the test.txt file I sent, and
three virus scanners still detected it as a virus.

 If there is not a fix coming for this, would you consider sending the
entire
 message file to the scanner?

 There isn't any known bug here.  This would be considered a very low
 priority, as it does not affect AV scanning, except that we need to be
sure
 that there isn't a problem where actual viruses would not be properly
detected.

Maybe an unknown bug then?  ;-)  If TrendMicro can detect the virus when
scanning the raw D*.SMD file, but not when spawned by Declude Virus, does
that not point to a possible issue?

 The test.txt file you sent does *not* match the actual HTML of the
original
 E-mail.  The CR/LFs were off, and there was a part at the end that was
 missing.  And, the length of the HTML segment that was decoded (per the
log
 files) doesn't match the length of the HTML segment in the E-mail you
sent.

I viewed the source of the message in Outlook Express, and then kept trimming
parts of the source file (from the top and bottom) until I found the minimum
part of the resulting message needed for all three scanners to still detect
the file as a virus when manually scanned from the command-line.

I suppose I could do the same thing with the raw D*.SMD file, if you think
that would prove something other than what I have already shown.

 After further analysis, it seems that the problem is with the AV
 software.  Specifically, the E-mail you sent was using quoted-printable
 encoding, yet the body of the E-mail wasn't encoded using quoted-printable
 encoding.  So when it had a line:

   alink=#99

 Declude Virus decoded it to something like:

   alink#99

 The AV software was probably looking for the way that you (incorrectly)
 decoded it.

Again, all I did was view the source of the message as it appeared in
Outlook Express.  And all I was attempting to show was that the message
headers were not necessary for the file to be detected as a virus.

If the virus scanner were at fault (because of a decoding issue) then I have
to ask again, why can TrendMicro detect the virus when scanning the raw
D*.SMD file, but not when sent to it by Declude Virus?

Bill



Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread Bill Landry
- Original Message - 
From: Matt [EMAIL PROTECTED]

 I believe that Declude creates a directory for all attachments in each
 message, and then Declude calls the scanner to scan the entire
 directory.  I believe that for inline content such as text/plain and
 text/html, these files will be saved in those directories according to
 the MIME boundaries.  For you to properly replicate the circumstances,
 it would be a good idea to save an HTML file (example.html) with the
 body content of this message in a directory with nothing else in it, and
 then call trend to scan the directory and not specifically the file.

Matt, that's a good idea.  Can you tell me if I have the correct html
segments in the test.txt file I sent?  If I simply change the extension of
this file to .html and place it in a directory by itself and then scan the
directory, would that be an adequate test?

 One possibility here is that TrendMicro doesn't detect this as a virus
 when it is called to scan the directory like Declude does, and the above
 should expose whether or not this is the case.

Yep, I'll try it and report back the results.

 Another alternative is that the message is malformed or Declude has a
 parsing issue that is preventing it from being successfully scanned.
 That would be difficult to prove unless your Debug log has more
 information such as the file names created and the sizes of each file,
 and this exposed a flaw.

Don't have that kind of detail in the debug logs, that's why I offered to send
Scott the raw QD files for analysis.

Bill



Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 If the virus scanner were at fault (because of a decoding issue) then I
have
 to ask again, why can TrendMicro detect the virus when scanning the raw
 D*.SMD file, but not when sent to it by Declude Virus?

 You would have to ask them.  Declude Virus is decoding the E-mail
properly.

Hmmm, I thought that since Declude Virus does the decoding and scanner
calls, that you might be interested in testing this yourself...

 My guess is that they are *not* doing any decoding (which would make
sense,
 as that is the responsibility of the mailserver AV program).  Therefore,
 because the spam is malformed (saying that it is encoded, when it is
 actually not), they are seeing what the spammer intended to be seen (the
 actual spam).  However, when decoding is done, they see a malformed
E-mail.

I had reported the same kind of issue with amavisd-new (which does much the
same as Declude) almost a year ago (see
http://sourceforge.net/mailarchive/message.php?msg_id=6775949), and Mark
Martinec (the developer) eventually decided to provide a configuration
option that allows mail admins the ability to send not only the decoded
message segments to the scanners, but also the raw message, as well (see
http://sourceforge.net/mailarchive/message.php?msg_id=7146161).

Here is the most recent config option in amavisd-new:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  qr'^Zip archive data',
));

Might you consider such an option with Declude Virus?

Bill



Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread Bill Landry
- Original Message - 
From: Matt [EMAIL PROTECTED]

 I believe that Declude creates a directory for all attachments in each
 message, and then Declude calls the scanner to scan the entire
 directory.  I believe that for inline content such as text/plain and
 text/html, these files will be saved in those directories according to
 the MIME boundaries.  For you to properly replicate the circumstances,
 it would be a good idea to save an HTML file (example.html) with the
 body content of this message in a directory with nothing else in it, and
 then call trend to scan the directory and not specifically the file.

 One possibility here is that TrendMicro doesn't detect this as a virus
 when it is called to scan the directory like Declude does, and the above
 should expose whether or not this is the case.

Okay, here is what I did.  Created a directory called test and copied the
test.txt file into this directory as test.html.  I opened the test.html file
with Internet Explorer and the page looks just like the received e-mail
(yellow background, italicized text, and a hypertext link).  I then call
TrendMicro to scan the directory as:
=
M:\temp> C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q
/VSTEMP=m:\temp\ /LR=report.txt m:\temp\test\*.*

And it came back with:
=
1 files have been checked.
 Found 1 files containing viruses.
=

Here is the report.txt file:
=
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/28/2004 17:20:08
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 265 (76358 Patterns) (2004/11/26) (226500)
Command Line: C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q
/VSTEMP=m:\temp\ /LR=report.txt m:\temp\test\*.*

Found [HTML_BOFRA.B](1) in m:\temp\test\test.html
1 files have been read.
1 files have been checked.
1 files have been scanned.
1 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/28/2004 17:20:09   0.00 seconds has elapsed.
=

Thoughts?

Bill



Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-27 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 Scott, attached is the raw source of this BOFRA.B message, it looks like
 HTML to me.  In fact, when I scan the D*.SMD file from the command-line,
 TrendMicro identifies the file as HTML_BOFRA.B and ClamAV as
 HTML.Mydoom.email-gen-1.

 What does the Declude Virus log file show for this E-mail?

 Declude Virus definitely should have sent the HTML segment to the virus
 scanner (except if PRESCAN ON is being used).

Oh, and we have PRESCAN OFF in our virus.cfg.  Here is a sampling of other
HTML messages that Declude Virus is tagging:

Declude AntiVirus caught HTML_MYDOOM.AH
Declude AntiVirus caught HTML/[EMAIL PROTECTED]
Declude AntiVirus caught HTML/[EMAIL PROTECTED]
Declude AntiVirus caught HTML_SUNFRAUD.B
Declude AntiVirus caught HTML_BOFRA.B

Note that even BOFRA is caught sometimes, but mostly it's not.  Again, I can
send you QD files for these caught and uncaught BOFRA messages, if that
would help any.

Bill



[Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-26 Thread Bill Landry



Scott, we have the following entry in our virus.cfg files on both of our
IMail/Declude servers:

SCANFILE2   C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /VSTEMP=m:\temp\ /LR=report.txt
VIRUSCODE2  1
REPORT2     Found

I also have:  PRESCAN  OFF

However, this particular PayPal phishing message is not getting caught by
Declude Virus.  If I run the following from the command-line:

C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /VSTEMP=m:\temp\ /LR=report.txt m:\imail\spool\spam\D3774526500d65bc6.SMD

The report file shows:
==
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/26/2004 00:03:19
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 263 (76319 Patterns) (2004/11/25) (226300)
Command Line: C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /VSTEMP=m:\temp\ /LR=report.txt m:\imail\spool\spam\D3774526500d65bc6.SMD

Undet [ ]( ) in m:\imail\spool\spam\D3774526500d65bc6.SMD,(NONAMEFL)
Found [ HTML_BOFRA.B]( 1) in m:\imail\spool\spam\D3774526500d65bc6.SMD,(NONAMEFL)
1 files have been read.
1 files have been checked.
1 files have been scanned.
2 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/26/2004 00:03:19 0.02 seconds has elapsed.
==

Are these not getting tagged by Declude Virus because of the "Undet [ ]( )"
line that is listed just before the "Found [ HTML_BOFRA.B]( 1)" line in the
report file?  If so, is there a way to fix this?  Shouldn't Declude Virus be
looking for the word "Found" in the report file?  We are running Declude
v1.81.  Let me know if you would like me to forward you the D*Q files.

BTW, this e-mail is detected as W32/Mydoom.gen!eml by UVScan 
and as HTML.Mydoom.email-gen-1 by ClamAV on our Postfix gateways (F-Prot does 
not detect it).

Bill
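An added example, not part of the original post and not Declude's own code, that models the VIRUSCODE/REPORT handshake this thread turns on. The report text is a constructed excerpt in the vscantm.bin format shown above; parse_found() pulls the virus name and path out of "Found" lines and ignores the "Undet" line, and declude_verdict() consults the report only when the scanner's exit code equals VIRUSCODE. That gating is an assumption drawn from the replies in this thread (exit code 0 means no detection regardless of what the report says), not from Declude documentation.

```python
import re

# Constructed excerpt in the vscantm.bin report format quoted in this thread.
# The path and pattern-version details are copied from the report above; the
# surrounding lines are trimmed for brevity.
SAMPLE_REPORT = r"""
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/26/2004 00:03:19
Command Line: C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /VSTEMP=m:\temp\ /LR=report.txt m:\imail\spool\spam\D3774526500d65bc6.SMD

Undet [ ]( ) in m:\imail\spool\spam\D3774526500d65bc6.SMD,(NONAMEFL)
Found [ HTML_BOFRA.B]( 1) in m:\imail\spool\spam\D3774526500d65bc6.SMD,(NONAMEFL)
1 files containing viruses.
"""

# "Found [ NAME]( COUNT) in PATH" with an optional ",(FLAG)" suffix; the
# "Undet" line has the same shape but a different keyword and never matches.
FOUND_RE = re.compile(
    r"^Found \[\s*(?P<name>[^\]]+?)\s*\]\(\s*(?P<count>\d+)\s*\) in "
    r"(?P<path>.+?)(?:,\((?P<flag>[A-Z]+)\))?$")


def parse_found(report_text):
    """Return (virus name, count, scanned path) for every 'Found' line."""
    hits = []
    for line in report_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group("name"), int(m.group("count")), m.group("path")))
    return hits


def declude_verdict(exit_code, report_text, viruscode=1, report_keyword="Found"):
    """Model of the handshake described in this thread (assumption): the report
    file is only consulted when the scanner's exit code equals VIRUSCODE, and a
    detection then requires the REPORT keyword to appear in it.

    Returns the list of virus names found, or None for a clean/ignored scan."""
    if exit_code != viruscode:
        return None
    if report_keyword not in report_text:
        return None
    names = [name for name, _count, _path in parse_found(report_text)]
    # the keyword matched but no line parsed as a named detection: still a hit
    return names or [report_keyword]


if __name__ == "__main__":
    # exit code 0 with a "Found" line in the report: treated as clean, which is
    # the situation the debug output in the next message shows
    print(declude_verdict(0, SAMPLE_REPORT))
    print(declude_verdict(1, SAMPLE_REPORT))
```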


Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-26 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 Scott, we have the following entry in our virus.cfg files on both of our
 IMail/Declude servers:
 
 SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q
 /VSTEMP=m:\temp\ /LR=report.txt
 VIRUSCODE2 1
 REPORT2  Found
 
 I also have:  PRESCAN  OFF
 
 However, this particular PayPal phishing message is not getting caught by
 Declude Virus.  If I run the following from the command-line:

 This is almost certainly because your AV program is reporting a different
 error code when it finds a phishing message than it does when it finds a
 virus.  If you check the log file, you should see the code that they
return
 when they detect a phishing message.

Here is the debug output from one of these BOFRA.B messages:
=
Scanning files (2 scanners)
Starting scanner #1: M:\FSI\F-Prot\fpcmd.exe /AI /ARCHIVE=5 /DUMB /NOBOOT
/NOBREAK /NOMEM /PACKED /PARANOID /SAFEREMOVE /SERVER /SILENT /TYPE
/REPORT=report.txt M:\IMail\spool\D74D13~1.VIR\
Scanner to start immediately, no need to wait for others to end.
Virus Scanner Started: M:\FSI\F-Prot\fpcmd.exe /AI /ARCHIVE=5 /DUMB /NOBOOT
/NOBREAK /NOMEM /PACKED /PARANOID /SAFEREMOVE /SERVER /SILENT /TYPE
/REPORT=report.txt M:\IMail\spool\D74D13~1.VIR\
Process Time: 140ms [kernel=15 user=125]
Virus scanner 1 reports exit code of 0
Starting scanner #2: C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB
/NC /Q /VSTEMP=m:\temp\ /LR=report.txt M:\IMail\spool\D74D13~1.VIR\
Scanner to start immediately, no need to wait for others to end.
Virus Scanner Started: C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB
/NC /Q /VSTEMP=m:\temp\ /LR=report.txt M:\IMail\spool\D74D13~1.VIR\
Process Time: 453ms [kernel=156 user=296]
Virus scanner 2 reports exit code of 0
=

As you can see, Declude is seeing the exit code as 0 from both scanners.
How is the file changed when scanned by Declude Virus versus when scanned
manually by TrendMicro that would cause TrendMicro to report the file
differently?

Bill



Re: F-prot 3.16 real time protector (was: RE: [Declude.Virus] Not detecting viruses)

2004-11-24 Thread Bill Landry
- Original Message - 
From: Jim Nitterauer [EMAIL PROTECTED]

 I will try that.

 Yes, I checked to make sure.

 I also looked at the supported options for fpcmd.exe

 The following are not supported:

 /nomem
 /noboot
 /nofloppy

 Are these something that you have included within Declude?

We know that the /nofloppy switch is not supported with fpcmd.  And it
appears that the /nomem switch is irrelevant as memory is not scanned
whether the switch is used or not (but does not complain if used).  However,
the /noboot switch is still supported and needed in order to not scan the
boot sectors with each message scanned.  Here is the proof:

With /noboot switch:
==
Search: message.zip
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /PACKED /SERVER /REPORT=report.txt /NOBREAK /SILENT
/NOBOOT /NOMEM /AI /PARANOID /SAFEREMOVE
Memory was not scanned.
Hard disk boot sectors were not scanned.

Without /noboot switch:
==
Search: message.zip
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /PACKED /SERVER /REPORT=report.txt /NOBREAK /SILENT /AI
/PARANOID /SAFEREMOVE
Memory was not scanned.
No viruses were found in MBRs or hard disk boot sectors.

Notice the last line of each scan report.  If you do not use the /noboot
switch, the boot sectors will be scanned with each message that is scanned -
probably not what you want.  In both cases, with and without the /nomem
switch, it says the Memory was not scanned.  However, it does not complain
that the switch is used, so I would continue to use it.

Bill



Re: [Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Bill Landry
The updated version is there now.  I sent F-Prot support an e-mail asking
why they would send out an update notification before they actually posted
the updated version for download - got a canned auto-reply...

Bill
- Original Message - 
From: Rodney Bertsch [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 1:44 PM
Subject: RE: [Declude.Virus] Issues with F-prot 3.16 or not?


 I've tried the link several times and don't seem to be getting anywhere.
 The news release about 3.16a comes up, directs you to the Updates page,
but
 when I log in the updates page only offers 3.16 dated November 17th.

 Anyone have a direct link to the update?

 Thanks,

 Rodney Bertsch
 IS Coordinator
 Kirk NationaLease Co.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Douglas Cohn
 Sent: Wednesday, November 24, 2004 1:18 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] Issues with F-prot 3.16 or not?


 OOOPs

 Just got this.


 FRISK Software has released version 3.16a of F Prot Antivirus for Windows.

 More information on this release can be found on our
 website:
 http://www.f-prot.com/news/gen_news/041124_release_win316a.html

 We recommend that users of F-Prot Antivirus for Windows update their
 programs to version 3.16a as soon as possible



 ==
  I see a lot of posts surrounding F-prot 3.16.

 I have not updated my server yet.  Is there an issue with it and declude?

 Should the fpcmd.exe line be changed from prior to 3.16?  (Scott?)

 One thing I do notice when using the desktop scanner version of 3.16.  It
 detects Word macros as viruses much more frequently.  It also detects
 several utility programs as viruses that neither previous versions of
F-prot
 nor Norton Corp 8.0 were detecting before.


 Zebra's printer driver---

 C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary
 Internet Files\Content.IE5\K52VK16B\ZNetUtil.zip  could be an archive bomb


 MSDN downloads

 D:\CD Flat\msdn-extract\sms20sp3enu.exe-SP3enuCD/SMSSETUP/NETMON/ALPHA/McSvcps.dll  could be a corrupted executable file
 D:\CD Flat\W2K Server Reskit\W2KRESKIT\APPS\CRYSTAL\DISK12\CRWEXE.00_-(PackWord)  could be a corrupted executable file
 D:\CD Flat\W2K Server Reskit\W2KRESKIT\APPS\CRYSTAL\DISK4\CRPEDLL.00_-(PackWord)  could be a corrupted executable file

 Scan settings:

 Safe tools.

 E:\storage\Foundstone\udpflood.zip-udpflood.exe  is a destructive program
 Virus-infected files in archives cannot be disinfected.
 E:\storage\InfoZip\Wiz.exe  could be a corrupted executable file
 The scanning was aborted by the user, with infected or suspicious





Re: [Declude.Virus] Virus.Cfg settings for BitDefender

2004-11-11 Thread Bill Landry
- Original Message - 
From: Alan Walters [EMAIL PROTECTED]

 I recently added BitDefender Free Edition v7.2 as a second scanner.  This
is
 for testing purposes in anticipation of purchasing a more suitable Server
 Class version.  I attempted to search the archives for information on this
 setup, but couldn't find any.  Since I spent a little time developing the
 magic incantations, I thought I might save somebody else the trouble if
they
 ever wanted to use this inexpensive antivirus solution.

Hmmm, see:
http://www.mail-archive.com/declude.virus@declude.com/msg09896.html

 In VIRUS.CFG the following appears to work well (assuming default
 installation directories):

 SCANFILE2 C:\PROGRA~1\COMMON~1\Softwin\BITDEF~1\BDC.Exe /Log=report.txt
 /NoClean /Noc /All /Files
 VIRUSCODE2 1
 REPORT2 Infected:

I think you are missing some important switches (/a /r /i /W /alev=5
/flev=3), and you don't need /Files with /All, since the /Files switch is
for selecting specific types of files to scan.

 Hope this helps somebody save a little time.  Maybe Computerized Horizons
 could add these settings to their list of scanners?

Don't know why they haven't added it yet, as you can see I reported a
working config back in June.

Bill



Re: [Declude.Virus] Virus.Cfg settings for BitDefender

2004-11-11 Thread Bill Landry
- Original Message - 
From: Alan Walters [EMAIL PROTECTED]

 As to your comments about my config having extraneous settings (/Files),
 I'll agree - but for a different reason.  The /Files is used to specify
the
 PATH, not the type of files to scan.  After reviewing
 http://www.bitdefender.com/support/files/bdc.chm I've concluded that
/Files
 is already set by default and thus unnecessary.

Whatever, like I said, it's unnecessary.

 As far as missing some important settings, I'll disagree completely.  The
 above link shows that /r is to specifically scan Archives, the /i is to
 specifically scan Mail (whatever that means).  I believe since I'm using
 /All that /r and /i would be redundant.  I'm not sure why you would want
to
 suppress warnings with /W?  I took that to mean suspicious files, which I
do
 want to be warned about.  The /alev= and /flev= default to infinity so
 shouldn't need to be specified at all.

Take a look at all of the other virus configs in the manual, all have the
flag set to scan archives.  If you don't set this flag (/r), then
BitDefender will not unarchive the file before attempting to scan.

The /w flag is enabled because it does not hurt anything to have it set and
will be able to scan inside MIME, UUE, XXE and BinHex files, if they are
possibly not decoded properly by Declude.

The /W switch prevents console or other NetBIOS warnings from popping up, and
has absolutely nothing to do with the information that Declude uses in the
report file.

Without the /alev= /flev= settings you will be setting yourself up for zip bombs
(search on Zip of Death), that is, files that are zipped hundreds or
thousands of times, eating up all of your system's resources while trying to
unarchive the file.  See:

http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html

Again, take a look at the manual and you will see that all of the other
virus scanners that support notification suppression, archive scanning, mail
file scanning, and archive depth scanning controls, they are used.  But it's
your system, and if you want to blindly compromise it instead of learning
from someone that has been doing this for a long time, that's your
prerogative.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
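Added example, not code from the list or from BitDefender: the archive-depth and inflation checks Bill is arguing for, written out in Python so you can see what an unbounded /alev= and /flev= actually lets through. The script builds its own nested and highly compressible zips in memory (constructed test data, not a real sample) and then walks them with a nesting limit, a per-entry inflation ratio limit and a total inflation budget, all taken from the zip headers before anything is decompressed. The limit values and the header-versus-actual-size check are this example's own choices, not BitDefender's defaults.

```python
import io
import zipfile

# Limits analogous to the archive-depth controls discussed above; the values
# are illustrative, not BitDefender's defaults.
MAX_DEPTH = 5                   # nested archives deeper than this are refused
MAX_RATIO = 100                 # uncompressed:compressed above this is a bomb
MAX_TOTAL = 50 * 1024 * 1024    # total bytes we are willing to inflate


class ArchiveBomb(Exception):
    """Raised when an archive exceeds a depth, ratio or size limit."""


def build_nested_zip(levels, payload):
    """Constructed test input: `payload` wrapped in `levels` zip archives."""
    data, name = payload, "payload.bin"
    for level in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def read_capped(zf, info):
    """Inflate one entry, trusting the header only as an upper bound: a member
    that keeps producing bytes past its declared size is treated as a bomb."""
    out = bytearray()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(65536)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > info.file_size:
                raise ArchiveBomb(f"{info.filename}: inflates past declared size")


def inspect_zip(data, depth=0, budget=None):
    """Walk a (possibly nested) zip without inflating past the limits.

    Returns (entries_seen, bytes_inflated); raises ArchiveBomb on a violation.
    Sizes are checked from the central directory BEFORE any decompression."""
    if budget is None:
        budget = [MAX_TOTAL]        # shared, mutable across the recursion
    if depth > MAX_DEPTH:
        raise ArchiveBomb(f"nesting deeper than {MAX_DEPTH} levels")
    seen = inflated = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                raise ArchiveBomb(f"{info.filename}: ratio {ratio:.0f}:1")
            if info.file_size > budget[0]:
                raise ArchiveBomb(f"{info.filename}: inflation budget exhausted")
            budget[0] -= info.file_size
            seen += 1
            inflated += info.file_size
            if info.filename.lower().endswith(".zip"):
                inner = inspect_zip(read_capped(zf, info), depth + 1, budget)
                seen += inner[0]
                inflated += inner[1]
    return seen, inflated


def is_bomb(data):
    """True if inspect_zip refuses the archive for any reason."""
    try:
        inspect_zip(data)
    except ArchiveBomb:
        return True
    return False
```

Note that the ratio and budget checks use the sizes the central directory declares, which an attacker controls; that is why read_capped refuses any member that inflates past its own declared size rather than trusting the header alone.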


Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Bill Landry
Matt, thanks for the analysis.  I would very much like to know what the
additional load is on your server by setting PRESCAN to OFF.  Please do post
your results if you test this.  I have had PRESCAN OFF for a few weeks now,
and have not noticed much of an increase on my servers, but I was not near
capacity anyway.

Bill
- Original Message - 
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 11:41 AM
Subject: Re: [Declude.Virus] PRESCAN


 Greg,

 Plain text E-mail will not link in Outlook unless it appears as a URL
 that begins with www, and that means that it is very unlikely that a
 successful exploit could be constructed in plain text as the infected
 computers won't have A records pointing at them that begin with www.

 As far as links go of this variety, they would need to be embedded in
 text/html segments, and they would almost definitely come by way of a
 linked IP instead of using the FQDN of the exploited machine since many
 reverse DNS entries won't resolve to A records, and many computers don't
 have reverse DNS entries (primarily in other areas of the world).  It is
 unfortunately possible that someone might get creative and use some
 reverse DNS entries, but that would be unnecessary if they are
 successful at this form of exploit by using just an IP.  It seems like
 it would therefore be safe and prudent to simply expand PRESCAN to
 include messages that are linked with IP's, regardless of also having a
 port since that isn't necessary.  This would only add a modicum of
 overhead related to the additional messages that might be sent to the
 virus scanner, and it would enable many of the phish attempts to be
 scanned as well without needing to scan everything since most phishing
 attempts make use of IP's in links these days (domains are generally
 quickly killed when used for phishing, but the IP will live as long as
 the host allows it).

 This is actually the second virus to have tried linking to the exploit
 that I am aware of.  The first one was a Bagel variant if I recall
 correctly, but it used a known universe of about 500 hosts that were 99%
 removed by the various ISP's within 12 hours of the virus being
 detected, so this method was ineffective.  It also was making use of an
 exploit that had been patched for almost a year, so it went nowhere.

 This virus was easy for me to block, though I might cause some false
 positives on discussions of the virus.  If it came as an IP link, but
 without the fixed ports, I would have had to spend a lot more time
 coding something up to protect from this based on content, and as things
 stand, this will probably have to remain on my system for more than a
 year, and with other variants likely to come still.  My second scanner
 is McAfee though, and turning PRESCAN OFF might soon become my only
 realistic choice.  I'm going to guess that this might remove more than
 25% of my system's capacity however, and that gets costly.

 Matt



 Greg Little wrote:

  We are on exactly the same track.
  If this kind of attack catches on, and the e-mail can look like almost
  anything. Passing everything to the more CPU consuming AV engine may
  be needed.
  This attack will work just fine in a plain text (non-HTML) e-mail.
  (Will the link work easy?)
 
  Greg
 
 
  Matt wrote:
 
  Maybe the new MyDoom virus suggests a change in the way that PRESCAN
  qualifies messages?
 
 
 
  ---
  [This E-mail scanned for viruses by Findlay Internet]
 
 
 

 -- 
 =
 MailPure custom filters for Declude JunkMail Pro.
 http://www.mailpure.com/software/
 =



Re: [Declude.Virus] PRESCAN

2004-11-10 Thread Bill Landry
Wow, that is quite a jump in processor utilization.  I also run two scanners
(TrendMicro and F-Prot), but I might not have noticed as much of an increase
because I am running on dual-processor systems.  When I get a minute I will
throw up a monitor and check to see how the PRESCAN ON/OFF actually affects
my systems.

Bill

  - Original Message - 
  From: Matt 
  To: [EMAIL PROTECTED] 
  Sent: Wednesday, November 10, 2004 1:33 PM
  Subject: Re: [Declude.Virus] PRESCAN

  Bill Landry wrote:
   Matt, thanks for the analysis.  I would very much like to know what the
   additional load is on your server by setting PRESCAN to OFF.  Please do post
   your results if you test this.  I have had PRESCAN OFF for a few weeks now,
   and have not noticed much of an increase on my servers, but I was not near
   capacity anyway.

  Bill,

  I've got a handy app from Passler that provides me with nice graphs including
  processor utilization that I am sampling every minute (minute averages).  I
  just turned PRESCAN OFF a short while ago and it's actually a bit worse than a
  25% relative increase on my system.  My hourly average went directly from 33%
  to 46% with PRESCAN OFF, which is a 39% increase.  I've attached an image of
  the minute averages with a green line marking the point when I turned PRESCAN
  OFF.  Take note that I run both F-Prot and McAfee on my system, so systems
  with only one virus scanner won't see the same degree of a jump, though it
  should be rather large.  On systems with plenty of capacity, this is not a
  concern and the increase would be not very noticeable despite being
  relatively high, but I would like to fill this box to capacity and add more,
  but not before I have to.

  Matt

  -- 
  =
  MailPure custom filters for Declude JunkMail Pro.
  http://www.mailpure.com/software/
  =


Re: [Declude.Virus] Spam Link with 1639 port web link, possibly malicious?

2004-11-09 Thread Bill Landry
And this just arrived from F-Prot:

=
New virus signature files for F-Prot Antivirus have been
released. These files are dated 9 November 2004 and contain
detection for W32/[EMAIL PROTECTED], W32/[EMAIL PROTECTED] and other
new threats.
=

Bill
- Original Message - 
From: William Stillwell [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 09, 2004 6:44 AM
Subject: Re: [Declude.Virus] Spam Link with 1639 port web link, possibly
malicious?


MyDoom.AI


From Symantec Site:

The email contains a hyperlink that, when clicked on, takes the user to
an .html page that exploits the Microsoft Internet Explorer Malformed
IFRAME Remote Buffer Overflow Vulnerability (BID 11515). When this page
is viewed the file http://[remote address]:1639/reactor is downloaded as
%Desktop\vv.dat to the infected computer and executed. This file is
detected as [EMAIL PROTECTED]
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
m.html .



- Original Message - 
From: Jim Matuska mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Sent: Monday, November 08, 2004 6:45 PM
Subject: [Declude.Virus] Spam Link with 1639 port web link, possibly
malicious?

Has anyone noticed an influx of email messages with spam type content
that seems to link to a 1639 port on a remote webserver.  I have had
several reports of these in the last half hour, some appear to be fake
paypal scams, one was porn related, but both link to the same site and
one user actually reported the message causing their PC to reboot.  Anyone
else seen these?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]




Re: [Declude.Virus] F-Prot Updater timing out?

2004-11-04 Thread Bill Landry
- Original Message - 
From: Joey Proulx [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 04, 2004 8:03 AM
Subject: [Declude.Virus] F-Prot Updater timing out?


 I'm running Declude 1.81 with F-Prot.  It's on my NT 4.0 mail server,
 which is one of five servers we have, running on a Hawking Technology
 KVM.  Screen saver set to go on after 5 minutes, but no hibernation or
 standby.  I have F-Prot set to look for updates hourly...and lately I'll
 check the mail server and find this:
 ---
 Updater - An Error Occurred
 Failed to retrieve information about available updates.
 System Error - the operation timed out.

 Please check if your internet connection is working and try again.
 ---
 This seems to happen when the KVM is set to another server (shouldn't even
 affect it at all) and the mail server goes without human contact for a
 while.  If I'm sitting at the mail server doing work, I'll see the updater
 popup on the screen and do its thing.  This concerns me.  Sometimes I'll
 check the server and see that message, then manually go in and check for
 F-Prot updates, and there will be some available for download.  What if I
 was out for the week?  Who knows what would get through in that amount of
 time...

 Any ideas as to what this could be?  There are no f-prot errors in the
 Event Viewer, and no connection lapses

Disable the F-Prot updater and use one of the command line update scripts
that can be found on the Declude site.  Then you can schedule the updates
with the Task Scheduler and not have to keep the server logged on all of the
time.  We have no problem getting our updates this way.

Bill



Re: [Declude.Virus] BitDefender

2004-11-03 Thread Bill Landry
BitDefender works fine with Declude Virus, don't know about mxGuard.

Bill
- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 9:27 AM
Subject: RE: [Declude.Virus] BitDefender


 PP

 For those responding about ClamAV, my PPSS.

 I meant mxGuard. Is any one using BitDefender with either Declude or
 mxGuard?

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You


  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of John Tolmachoff (Lists)
  Sent: Wednesday, November 03, 2004 8:56 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.Virus] BitDefender
 
  Has anyone tried using BitDefender with Declude Virus, or ClamAV for that
  matter?
 
  Does it work?
 
  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You
 
 


Re: [Declude.Virus] BitDefender

2004-11-03 Thread Bill Landry
It's the free version: BitDefender Free Edition v7.  We don't have it
running in production, just on a test server, but it seems to run just fine
in testing - although it is the slowest of the virus scanners we have
tested: McAfee, F-Prot, TrendMicro, and ClamAV.

Bill
- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:34 PM
Subject: RE: [Declude.Virus] BitDefender


Which BitDefender product are you using?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of Bill Landry
 Sent: Wednesday, November 03, 2004 9:41 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] BitDefender

 BitDefender works fine with Declude Virus, don't know about mxGuard.

 Bill
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, November 03, 2004 9:27 AM
 Subject: RE: [Declude.Virus] BitDefender


  PP
 
  For those responding about ClamAV, my PPSS.
 
  I meant mxGuard. Is any one using BitDefender with either Declude or
  mxGuard?
 
  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
   On Behalf Of John Tolmachoff (Lists)
   Sent: Wednesday, November 03, 2004 8:56 AM
   To: [EMAIL PROTECTED]
   Subject: [Declude.Virus] BitDefender
  
   Has anyone tried using BitDefender with Declude Virus, or ClamAV for that
   matter?
  
   Does it work?
  
   John Tolmachoff
   Engineer/Consultant/Owner
   eServices For You
  
  


Re: [Declude.Virus] BitDefender

2004-11-03 Thread Bill Landry
- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

 What I am wondering is does ICS standard include the same executable for
 BitDefender that you are using with your version for Declude?

Don't know, but here are the details of the BitDefender command-line exe I
call with Declude:

11/17/2003  03:04p  81,408 bdc.exe

Bill



[Declude.Virus] Possibly a new variant of JS/ virus in [HTML segment]

2004-10-29 Thread Bill Landry
In addition to what others have been reporting here, I am also seeing F-Prot
reporting these today:

Declude Antivirus v1.81 caught the "Possibly a new variant of JS/" virus in
[HTML segment]

They are coming in with subjects like:

Subject: DM Direct Newsletter: October 29, 2004
Subject: Weekly Challenge: Comp Time
Subject: Amazing deals on Jewelry, Diamonds and more - Bid Now

However, ClamAV, McAfee, and TrendMicro are not tagging any of these
messages.  Anyone else seeing any of these today?

Bill



Re: [Declude.Virus] MyDoom.o's slipping through.

2004-10-22 Thread Bill Landry
- Original Message - 
From: Chris Patterson [EMAIL PROTECTED]

 Does anyone else agree using the 32 bit command
 line scanner is better than the DOS?

Absolutely!  If you have it available to you (meaning you have the Windows
version of F-Prot), using it will provide a nice performance boost.

Bill



Re: [Declude.Virus] DELETEVIRUSES Not working.

2004-10-19 Thread Bill Landry
- Original Message - 
From: Mark Smith [EMAIL PROTECTED]


 Any way to purge 'em all without writing a script?
 We're running about 200k messages per day across 4 servers and don't
 bother to check them all.

Come on, you're talking about a 10 second script:

del c:\imail\spool\virus\*.smd

Bill



[Declude.Virus] BankFraud (phishing) e-mails

2004-10-06 Thread Bill Landry
I just found that if you have PRESCAN set to on, you will not be able to
catch these BankFraud/Phishing e-mails.  However, if you set PRESCAN to
OFF, you can catch these if your virus scanner supports it.  So far I have
found that ClamAV, McAfee, and TrendMicro all support detection of these
BankFraud/Phishing e-mail messages.  However, F-Prot and BitDefender do not
detect them yet.

Bill



Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Bill Landry
- Original Message - 
From: Mark Smith [EMAIL PROTECTED]


 Actually this breaks Declude because Declude Virus can't look for multiple
 REPORT lines.

 Scott,
 How can we set up Declude Virus to look for multiple lines in the
 report.txt file?

I've been running F-Prot Version 3.15b since it was released yesterday and
have not had to make any changes to my virus config to support the new
version.  It has been running exactly the way it always has.

Bill



Re: [Declude.Virus] virus names for forging list question

2004-09-01 Thread Bill Landry
- Original Message - 
From: Scott Fisher [EMAIL PROTECTED]


 I use three scanners. Which scanner does Declude Virus use to determine
 the name of the virus?

Should use the first scanner's naming convention.  However, there have been
slip-ups in the past, so it could depend on what version or interim release
of Declude Virus you are running.

Bill



Re: [Declude.Virus] SURBL

2004-08-24 Thread Bill Landry
- Original Message - 
From: Jeff Kratka [EMAIL PROTECTED]

 Does anyone have a config they want to share for Declude Junk mail and
 SURBL

SURBL is not currently supported in Declude JunkMail.  However, you can
download the various SURBL zone files and run them as a body filter, but
that can get rather expensive in CPU cycles.

Probably better to set up a Linux/Postfix/SpamAssassin gateway where you can
truly run the SURBL service as expected, via DNS queries.

Bill


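Added example, not from the list or from Declude: what "running SURBL as expected, via DNS queries" looks like in Python. It pulls the URLs out of a message body, reduces each host to its registrable domain (or reverses an IPv4 literal), builds the query name under multi.surbl.org and decodes the 127.0.0.X bitmask answer. The resolver is injected so the sample runs offline against a constructed answer table; the two-level-suffix set and the bit-to-list table are assumptions for illustration (SURBL's bit assignments have changed over the years, so check the current documentation before relying on them).

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Second-level public suffixes; a real deployment would use the full
# public-suffix list (this small set is an assumption for illustration).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

# Meaning of each bit in the 127.0.0.X answer from multi.surbl.org.  The
# assignments have changed over time; treat this table as illustrative.
SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}


def registrable_domain(host):
    """Reduce www.foo.example.com to example.com, www.foo.co.uk to foo.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def surbl_query_name(host, zone="multi.surbl.org"):
    """DNS name to look up: IPv4 literals are reversed, names are reduced to
    their registrable domain.  Returns None for hosts SURBL cannot list."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"{registrable_domain(host)}.{zone}"
    if ip.version != 4:
        return None
    return ".".join(reversed(host.split("."))) + "." + zone


def surbl_check(body, resolve):
    """Return {query_name: [list names]} for every URL host in body that is listed.

    resolve(name) must return the A records for name as strings ([] on NXDOMAIN);
    wrap your real resolver for production use."""
    hits = {}
    for url in URL_RE.findall(body):
        host = urlsplit(url.rstrip(".,)")).hostname
        if not host:
            continue
        qname = surbl_query_name(host)
        if qname is None or qname in hits:
            continue
        for addr in resolve(qname):
            if addr.startswith("127.0.0."):
                bits = int(addr.rsplit(".", 1)[1])
                hits[qname] = [name for bit, name in SURBL_BITS.items() if bits & bit]
    return hits


# Constructed sample: a phishing body with one listed and one unlisted domain,
# and a constructed answer table standing in for the SURBL zone.
SAMPLE_BODY = """Dear customer, confirm your details at
http://www.account-verify.test/login.php?id=7 or visit
http://www.example.com/ for help."""

FAKE_ZONE = {"account-verify.test.multi.surbl.org": ["127.0.0.10"]}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])
```

The point of the reduction step is that the query is keyed on the registered domain, not on whatever throwaway subdomain the spammer put in the link; without it every new hostname under a listed domain would look clean.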

Re: [Declude.Virus] JS/illWill

2004-08-09 Thread Bill Landry
Yep, I've seen a bunch of them this morning, as well.  Here, only McAfee and
BitDefender are currently catching it.  I have reported the virus to ClamAV,
F-Prot, and TrendMicro.

Bill

  - Original Message - 
  From: Markus Gufler 
  To: [EMAIL PROTECTED] 
  Sent: Monday, August 09, 2004 9:22 AM
  Subject: [Declude.Virus] JS/illWill

  I've seen several JS/IllWill messages in the past 20 minutes on our system.

  Looking at http://vil.nai.com/vil/content/v_99242.htm it's an old virus
  (2001) and I can't remember another one in the past.
  But now I can see them coming from all different IP addresses.

  Mailfrom looks like real existing addresses but are definitively forged.

  Markus


Re: [Declude.Virus] PRESCAN

2004-08-08 Thread Bill Landry
- Original Message - 
From: Panda Consulting S.A. Luis Alberto Arango [EMAIL PROTECTED]

 What is the suggested configuration for this option?
 PRESCAN   ON or OFF  ?

 Comments...? thanks

I have prescan on and, if you are running Virus Pro, I don't know why you
wouldn't want to enable it.  This from the Virus manual:
==
Declude Virus Pro has the option for pre-scanning E-mail, which can
significantly improve performance.

Since the majority of E-mails are really plaintext with a cute HTML
version of the E-mail attached (that is usually identical to the plain text
version), a lot of scanning may be done that isn't necessary. Plain HTML
files (without any scripts or other potentially dangerous code) are safe.

The pre-scanning in Declude Virus Pro will check HTML segments to see if
there is any potentially dangerous code (JavaScript, Active-X, plugins,
etc.). If so, it will send them to the virus scanner as they usually would
be. Otherwise, it will let them pass through unscanned, which will improve
performance.

To turn on pre-scanning, you can change the PRESCAN OFF line in the
\IMail\Declude\virus.cfg file to PRESCAN ON.
==

Bill


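Added example, not Declude's code: a Python model of the PRESCAN decision the manual describes above, extended with the refinement Matt proposed earlier in the PRESCAN thread (treat a link whose host is an IP literal, with or without a port, as something the scanner must see). Plain-text parts are skipped, HTML parts go to the scanner only when they carry active content or an IP-literal link, and anything else (attachments) always goes. The pattern list is this example's assumption, not Declude's actual heuristics, and the sample messages are constructed; 192.0.2.10 is a documentation address.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructs the manual says PRESCAN looks for (JavaScript, ActiveX, plug-ins);
# this exact pattern set is an assumption, not Declude's own list.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|object|embed|applet|iframe)\b|javascript:|vbscript:|\bon\w+\s*=",
    re.IGNORECASE,
)
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^\s"'>]+)""", re.IGNORECASE)


def html_needs_scan(html):
    """Return a reason if this HTML should go to the virus scanner, else None."""
    if ACTIVE_CONTENT.search(html):
        return "active content"
    for url in LINK_RE.findall(html):
        host = urlsplit(url).hostname      # drops any :port and user@ prefix
        try:
            ip_address(host)
        except (ValueError, TypeError):
            continue                       # ordinary FQDN: let it through
        return f"link to IP literal {url}"
    return None


def prescan(raw_message):
    """Decide whether a message must be handed to the virus scanner.

    text/plain parts are never scanned; text/html parts are scanned only when
    html_needs_scan() flags them; anything else (attachments) is always scanned.
    Returns (needs_scan, reason)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            continue
        if ctype == "text/html":
            reason = html_needs_scan(part.get_content())
            if reason:
                return True, reason
            continue
        return True, f"non-text part {ctype}"
    return False, "plain text and inert HTML only"


def make_sample(html, attachment=None):
    """Constructed sample message: plain + HTML alternative, optional attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text version")
    msg.add_alternative(html, subtype="html")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="file.bin")
    return msg.as_bytes()


BENIGN_HTML = '<p>Newsletter: <a href="http://www.example.com/news">read more</a></p>'
IP_LINK_HTML = '<p>Verify your account: <a href="http://192.0.2.10:1639/reactor">here</a></p>'
SCRIPT_HTML = '<p>Hello</p><script>document.location="http://www.example.com/x"</script>'
```

The trade-off Matt and Bill measured is visible in the structure: every extra condition in html_needs_scan sends more messages to the scanner, so the IP-literal rule costs CPU in proportion to how common such links are in your traffic, which is exactly what PRESCAN OFF does for everything.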

Re: [Declude.Virus] Another Varient??!

2004-07-26 Thread Bill Landry
- Original Message - 
From: Jeff Maze [EMAIL PROTECTED]

 Anyone else see this one yet?

Yep, seen lots of them, and all are being detected by McAfee, TrendMicro,
F-Prot, BitDefender, and ClamAV.

Bill



Re: [Declude.Virus] F-prot missing viruses

2004-06-16 Thread Bill Landry
- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

Another one is BitDefender.  Their free scanner has just the right
features for Declude Virus.

  Does not look like it can be called by command line.

The following Declude Virus configuration works with the free Windows
version of BitDefender:

# BitDefender
SCANFILE C:\PROGRA~1\COMMON~1\Softwin\BITDEF~1\bdc.exe /a /r /i /W /alev=5 /flev=3 /log=report.txt
VIRUSCODE 1
REPORT  infected

Bill



Re: [Declude.Virus] Virus bypassing newer MX records

2004-06-15 Thread Bill Landry
- Original Message - 
From: Russ Uhte (Lists) [EMAIL PROTECTED]

 At 12:17 PM 6/15/2004, Matt wrote:
 This domain was recently moved to our DNS and I suspect that someone at
 their old DNS hosting provider is infected and using their old unremoved
 DNS entries and that is why they are bypassing us.  Note though that some
 spammers are definitely caching old lookups in their spamware which is why
 I thought it might be possible that a virus was doing this as well.

 I just want to interject that I'm seeing this behavior a bunch specifically
 with the Zafi worm.  I moved to two postfix boxes to do my gatewaying many
 months ago, and I still occasionally get virii coming directly into my
 Imail box.  I don't have the luxury of shutting off SMTP to my Imail box
 because I have some remote users that connect to it to send email.

I see this with Zafi as well.  This from another list regarding Zafi:
=
This Hungarian originated virus initiates a Dictionary attack on domain
names that it finds on the infected machine. It does not use DNS to find the
MX records, but instead guesses the host name (such as 'mail' or 'mx'),
prepends it to the domain name, and then proceeds with its dirty work using
Hungarian sounding names.
=

Thus this particular virus will bypass gateway machines and send directly to
the hostname A record, which is typically pointed to the IMail server so
that customers can reach the IMail server via their e-mail clients.  That's
one of the reasons why we do virus scanning on our gateway machines and our
IMail servers.

Bill


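Added example, not from the list: a small Python check for the exposure Bill describes, namely guessable hostnames under a domain that resolve to an address which is not one of the MX targets, so a worm that guesses "mail." or "mx." reaches the IMail box directly instead of the gateway. The guess list and the zone table are constructed for an offline run; pass a wrapper around your real resolver to check a live domain.

```python
# Hostnames a dictionary-guessing worm such as Zafi tries in front of a
# domain (the list is an assumption; the quoted text names 'mail' and 'mx').
COMMON_GUESSES = ["mail", "mx", "mx1", "mx2", "smtp", "mailhost", "relay", "email"]


def bypass_candidates(domain, mx_hosts, resolve_a):
    """Guessable hostnames under `domain` that resolve to an address which is
    NOT one of the MX targets.  Anything returned can be hit directly on port
    25, skipping the gateway scanners entirely.

    resolve_a(name) -> list of IPv4 strings ([] if the name does not exist)."""
    gateway_addrs = {addr for mx in mx_hosts for addr in resolve_a(mx)}
    exposed = {}
    for guess in COMMON_GUESSES:
        fqdn = f"{guess}.{domain}"
        direct = set(resolve_a(fqdn)) - gateway_addrs
        if direct:
            exposed[fqdn] = sorted(direct)
    return exposed


# Constructed zone for the offline run: the MX records point at two Postfix
# gateways, but mail.example.com still resolves to the IMail box itself so
# that mail clients can reach it.
FAKE_A = {
    "gw1.example.com": ["192.0.2.10"],
    "gw2.example.com": ["192.0.2.11"],
    "mx.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.50"],
}


def fake_resolve_a(name):
    return FAKE_A.get(name, [])
```

Every name this returns is a reason to scan on the IMail server as well as on the gateways, or to restrict inbound port 25 on that box to the gateways plus whatever your authenticated remote users actually need.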

Re: [Declude.Virus] F-prot missing viruses

2004-06-15 Thread Bill Landry
- Original Message - 
From: Brad Morgan [EMAIL PROTECTED]

 If you are running Declude Virus Pro, then you could add one or more of
 the free virus scanners to your configuration.  I added ClamAV after seeing an
 article that said it was very high on the list of who gets updates out the
 quickest after a new virus is found.

 Another one is BitDefender.  Their free scanner has just the right features
 for Declude Virus.

It doesn't appear to be free for commercial use.

Bill



Re: [Declude.Virus] F-prot missing viruses

2004-06-15 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

   Another one is BitDefender.  Their free scanner has just the right
   features for Declude Virus.
 
  It doesn't appear to be free for commercial use.

 I was sure that it allowed commercial use (or rather commercial use was
 not prohibited), but after going to http://www.bitdefender.com/ (and finding
 that that URL is oddly no longer valid) and hunting, I found
 http://www.bitdefender.com/bd/site/presscenter.php?menu_id=25n_id=91
 which says that 5 days ago they stopped offering the free DOS version.  Even
 odder is that they are replacing the DOS version with a Linux version (is
 that a typo?).  They do have a free Windows version, but I haven't checked
 the licensing of that, or to see if it includes a command line scanner.

After looking into this a bit more, I did find the following text at their
press center
(http://www.bitdefender.com/bd/site/presscenter.php?menu_id=25n_id=91):

We will continue to provide antivirus freeware, as long as there is a
public need for such. We believe quality antivirus should be available to
one and all, as this is the only way we know of to alleviate the virus
menace and reduce the impact of future virus incidents on the network at
large. declared Mircea Mitu, BitDefender Business Line Manager.

So maybe it is free to be used in a commercial environment, as well as for
home use.

Bill



Re: [Declude.Virus] f-prot /packed meaning

2004-06-08 Thread Bill Landry
- Original Message - 
From: Bob McGregor [EMAIL PROTECTED]

 what does the /packed parameter on the scanfile line in the config file do?
 Is it a switch that I want on? It's not mentioned in the manual for
 declude virus.

Bob, you don't mention which virus scanner you're using, but I'm going to
assume that it's F-Prot.  Here is a description of the different switches
that fpcmd supports:

Usage: f-prot [drive, file or directory] [options]

-ai         Enable neural-network virus detection.
-append     Append to existing report file.
-archive    Scan inside .ZIP and .ARJ files.
-auto       Automatic virus removal.
-collect    Scan a virus collection.
-delete     Delete infected files.
-disinf     Disinfect whenever possible.
-dumb       Do a dumb scan of all files.
-ext        Scan only files with default extensions.
-follow     Follow symbolic links.
-help       Display this list.
-list       List all files checked.
-nobreak    Do not abort scan if ESC is pressed.
-noheur     Disable heuristics.
-nosub      Do not scan subdirectories.
-old        Do not complain when using outdated DEF files.
-onlyheur   Only use heuristics, not normal scanning.
-packed     Unpack compressed executables.
-page       Pause after each page.
-rename     Rename infected COM/EXE files to VOM/VXE.
-report=    Send the output to a file.
-server     Activate mail filter heuristics.
-silent     Do not generate any screen output.
-type       Select files by type. (default)
-verno      Show version information.
-virlist    List the known viruses.
-virno      Count the known viruses.
-wrap       Wrap text so the report fits in 78 columns.

Special macro virus options:

-nomacro    Do not scan for macro viruses.
-onlymacro  Only scan for macro viruses.
-removeall  Remove all macros from all documents.
-removenew  Remove new variants of macro viruses by removing all macros
            from infected documents.
-saferemove Remove all macros from documents, if a known virus is found.

I have used the packed switch with F-Prot for about a year now.  Don't
know if it has helped any, but it certainly has not hurt anything.

Bill



Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

2004-05-23 Thread Bill Landry
- Original Message - 
From: Jeff Pereira [EMAIL PROTECTED]

 Thanks for the reply, but I think you misunderstood

 I know the IP of my computer, I don't know the IP of a piece of equipment
 that I have, but I do know what the MAC address is.

Ping the broadcast address for the address space the device is on, then type
arp -a from the command prompt of the computer you did the broadcast ping
from.  That should show you the IP addresses for all devices on that logical
subnet with their associated MAC addresses.

Bill

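The broadcast-ping-then-arp procedure described above, as an added example that is not part of the original post: it parses `arp -a` output in both the Windows and the Linux/BSD layouts, normalises the MAC spelling (dashes, colons, case), and returns the IPs the cache maps to a given MAC. The two ARP tables are constructed sample data; `live_lookup()` is the only part that touches the network and is not exercised offline.

```python
"""Added example (not from the thread): find a device's IP from its MAC via
a broadcast ping followed by `arp -a`. Sample ARP tables are constructed."""
import platform
import re
import subprocess

SAMPLE_ARP_WINDOWS = """\
Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.77          00-50-56-12-34-56     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SAMPLE_ARP_LINUX = """\
gateway (192.168.1.1) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.1.77) at 00:50:56:12:34:56 [ether] on eth0
"""

# one "IP ... MAC" pair per line, whatever separators surround them
_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})")


def normalize_mac(mac):
    """'00-50-56-12-34-56', '00:50:56:12:34:56', '005056123456' -> '005056123456'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_arp_table(text):
    """Map normalized MAC -> list of IPs (one MAC may answer on several subnets)."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            table.setdefault(normalize_mac(m.group("mac")), []).append(m.group("ip"))
    return table


def find_ip(mac, arp_output):
    """IPs that the ARP cache maps to `mac`; [] if the device never answered."""
    return parse_arp_table(arp_output).get(normalize_mac(mac), [])


def live_lookup(mac, broadcast):
    """The procedure from the post: broadcast ping, then read `arp -a`.
    Devices that ignore broadcast pings will not appear; ping each address
    on the subnet instead in that case."""
    if platform.system() == "Windows":
        ping = ["ping", "-n", "1", broadcast]
    else:
        ping = ["ping", "-b", "-c", "1", broadcast]   # iputils needs -b for broadcast
    subprocess.run(ping, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return find_ip(mac, out)


if __name__ == "__main__":
    print(find_ip("00:50:56:12:34:56", SAMPLE_ARP_WINDOWS))   # ['192.168.1.77']
    print(find_ip("00-0C-29-AA-BB-CC", SAMPLE_ARP_LINUX))     # ['192.168.1.1']
```

The regex deliberately anchors on the IP/MAC pair rather than on column positions, so the Windows "Interface:" header line and the Linux "? (ip) at mac" form are handled by the same parser.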


Re: [Declude.Virus] Scott, what do you use to generate this report

2004-04-14 Thread Bill Landry
- Original Message - 
From: Bill [EMAIL PROTECTED]

 The very last line shows the total message count including messages that
 did not fail any tests.  My program, as it is now, does not look at any
 of the declude actions, just the tests failed.  I primarily use it is to
 determine if any of the tests that I am using have quit working or how
 effective a new test or filter file is.

 Why don't you send me a .txt file of what you think that the output
 should be and I will consider it.

Rather than total message counts, I was just looking for a total count of
messages that immediately got delivered, not including messages that were
held or deleted.  It's not a big deal; I simply added a line to my config
files that adds a log entry for messages that get delivered:

Global.cfg:
WEIGHT-OK  weightrange  x   x   -50  15

$default$.junkmail:
WEIGHT-OK   LOG

This accomplishes the same thing, and gives me output (sample) like the
following:

                    Message         Recipient
 Test Name          Count   %       Count   %

 WEIGHT-OK           1685  21        1967  20
 WEIGHT-HOLD          189   2         204   2
 WEIGHT-DELETE       5663  73        7030  74
 Message Count       7752            9436

But thanks for considering my request.

Regards,

Bill



Re: [Declude.Virus] Scott, what do you use to generate this report

2004-04-13 Thread Bill Landry
Very nice!  Thanks for sharing this, Bill!

Bill
- Original Message - 
From: Bill [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:33 PM
Subject: RE: [Declude.Virus] Scott, what do you use to generate this report


 Hi,

 I have a utility to do a quick analysis of my decMMDD.log file to
 discover test effectiveness.  If anyone would like to use it, I have it
 available for free from my website:  http://www.wamusa.com/wamtools

 The program is designed for LOGLEVEL MID but it may work for other
 levels.  My system analyzed this 120Mb decMMDD.log in less than one
 minute.  This is a sample output:


                        Message          Recipient
 Test Name         Fail Count   %   Fail Count   %

 WEIGHT10              116362  96       169684  96
 SNIFFER2              114790  94       167322  95
 WEIGHT15              112700  93       165299  94
 WEIGHT20              108443  89       159758  91
 WEIGHTDEL             108443  89       159758  91
 SPAMCOP                84740  70       129602  73
 SBL                    52552  43        53879  30
 AHBL                   48506  40        57094  32
 CBL                    46445  38        89827  51
 DSBL                   39527  32        77743  44
 SORBS-DUHL             29673  24        58427  33
 REVDNS                 28996  23        41544  23
 BADHEADERS             27493  22        34922  19
 SORBS-SPAM             25119  20        27995  15
 NOPOSTMASTER           22488  18        46530  26
 NOABUSE                21746  17        42732  24
 SPAMHEADERS            19613  16        20587  11
 SPAM-DOMAINS           15263  12        33776  19
 ROUTING                12041   9        25060  14
 FOREIGN                10098   8        16330   9
 GIBBERISH               9072   7         9932   5
 DSN                     8484   7        13755   7
 SORBS-HTTP              6584   5        12459   7
 SORBS-SOCKS             6508   5        12697   7
 SPFFAIL                 4954   4         6527   3
 BLITZEDALL              3350   2         5991   3
 BASE64                  2252   1         2956   1
 MAILFROM                1684   1         2841   1
 COMMENTS                1328   1         2056   1
 MYFILTERFAIL            1159   0         1723   0
 WAMO                     585   0          609   0
 MYFILTERPASS             512   0         1239   0
 SORBS-MISC               504   0          923   0
 SORBS-SMTP               445   0         1132   0
 OBFUSCATION              360   0          457   0
 ORDB                     316   0          654   0
 SORBS-WEB                316   0          514   0
 SORBS-ZOMBIE             280   0          280   0
 SPFPASS                  208   0          234   0
 BONDEDSENDER              62   0           62   0
 @LINKED                   10   0           14   0
 HABEAS                     4   0            4   0
 WAMCHECK                   1   0            2   0

 Message Count         120934           175163

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister
  Sent: Monday, April 12, 2004 5:11 PM
  To: [EMAIL PROTECTED]
  Subject: [Declude.Virus] Scott, what do you use to generate
  this report
 
 
  Thanks Scott,
 
  While I have your attention, what do you use to generate this
  report from your log files?
 
   Each month, we go through our spamtraps (E-mail addresses
   designed to collect spam), to find out which spam tests
were most effective at catching spam. snip
  
  
    WEIGHT10          99.48%
    WEIGHT20          95.45%
    NOLEGITCONTENT    95.43%
    SNIFFER           94.06%
    SPAMCHK           93.20%
    IPNOTINMX         90.76%
    SPAMCOP           79.83%
    CMDSPACE          77.37%
 
  snip
 
  [EMAIL PROTECTED]
 


Re: [Declude.Virus] Scott, what do you use to generate this report

2004-04-13 Thread Bill Landry
Bill, would you consider adding the OK count so that we could also see the
counts and percentages of what was delivered successfully, as well.

Thanks again,

Bill
- Original Message - 
From: Bill [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:33 PM
Subject: RE: [Declude.Virus] Scott, what do you use to generate this report




Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Bill Landry
- Original Message - 
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 8:08 AM
Subject: Re: [Declude.Virus] Log error with latest interim release


 Scott,

 What are your thoughts on the /AI and /PACKED switches?  Any particular
 reason to use or not use them?

For what it's worth, here is what I use:

SCANFILE1
M:\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -
SAFEREMOVE -SERVER -SILENT -TYPE -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection:

and I experience no errors or problems.  But then I like to err on the side
of being too cautious.

Bill



Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Bill Landry
My understanding is that Scott does not think they are necessary, and that
may be true.  However, F-Prot must have had some reason for adding those
switches (especially the PACKED switch), so I use them - just to be safe...

Bill
- Original Message - 
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 9:48 AM
Subject: Re: [Declude.Virus] Log error with latest interim release


 Hi Bill,

 Yeah, I had seen your configs...just wanted to get Scott's feedback on
 the -AI and -PACKED switches.

 Darin.




Re: [Declude.Virus] Question about virus log entries

2004-03-17 Thread Bill Landry
Oops, meant to say do NOT get held.

Bill
- Original Message - 
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 10:42 PM
Subject: [Declude.Virus] Question about virus log entries




[Declude.Virus] Question about virus log entries

2004-03-16 Thread Bill Landry
Scott, I am seeing a bunch of the following type of entries in my virus logs:

Found potentially dangerous stuff in
M:\IMail\spool\Dc62d3de40042810d.vir\0.!
Found potentially dangerous stuff in
M:\IMail\spool\Dc800179a006ca25f.vir\0.htm!
Found potentially dangerous stuff in
M:\IMail\spool\Dc943102d00909026.vir\0.!

I see that these messages do get held, but rather get delivered.  However,
Declude is holding viruses.  Is this something I should be concerned about?

Bill



Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread Bill Landry
I am trying to understand this, but the reality doesn't work like I think
you are saying it should.  If I have the following in my virus.cfg file:

BANEXT   EZIP

with or without:

BANZIPEXTS  ON
BANEZIPEXTS  ON

I catch the encrypted/password protected virus files.  However, if I use
just:

BANZIPEXTS  ON
BANEZIPEXTS  ON

the virus files pass right through Declude, reporting that the file is virus
free.  Am I simply not understanding how this is supposed to work?  I thought
we no longer needed to use BANEXT EZIP.  Please enlighten me on the error of
my ways...  :-)

Thanks,

Bill
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 2:07 PM
Subject: RE: [Declude.Virus] New interim release to ban extensions in .ZIP
files



 Do these new features, BANZIPEXTS and BANEZIPEXTS, stop both zip files
and
 encrypted zip files if you do not have the BANEXT ZIP setting?

 Yes (using BANEXT ZIP would cause all .ZIP files to be banned,
 regardless of what file extensions they may contain).

 Just wondering if using the above forces us to block Zip files or not.
We
 do not
 want to block Zip files, but like the idea of blocking them if they
contain
 an extension that we do want to block.

 The BANZIPEXTS/BANEZIPEXTS options will allow you to allow normal .ZIP
 files, while blocking .ZIP files that contain certain extensions.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers
 since 2000.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 The new format will ban the same extensions that you are already banning,
 but will do so in .ZIP files.  The BANZIPEXTS  ON option will ban the
files
 if they are un-encrypted, the BANEZIPEXTS  ON will ban the files if they
 are encrypted.

Okay, so if I want to continue to ban any zip file that is encrypted,
whether I have defined the extension to be banned or not, I should continue to
use BANEXT EZIP, correct?

Bill

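The BANEXT EZIP / BANZIPEXTS / BANEZIPEXTS rules discussed in this thread, as an added example that is not Declude's own code. It models the intended behaviour as Scott describes it (not the pass-through Bill reports seeing), so the way to confirm what a given Declude build actually does is still to send a sample through it. The semantics below are my reading of the thread and are assumptions: BANEXT <ext> bans by extension, BANEXT EZIP bans every encrypted ZIP whatever it holds, BANZIPEXTS ON bans a ZIP whose unencrypted member has a banned extension, and BANEZIPEXTS ON does the same for an encrypted member. Member names and the encryption flag sit in the ZIP central directory in clear, which is why a name check works even when contents cannot be scanned. The virus.cfg fragments and ZIP attachments are constructed for the demo.

```python
"""Added example (not Declude's code): the thread's ZIP attachment rules,
modelled over a ZIP's central directory. Assumed option semantics:
  BANEXT <ext>     ban the attachment itself by extension
  BANEXT EZIP      ban every encrypted ZIP, whatever it contains
  BANZIPEXTS ON    ban a ZIP if an unencrypted member has a banned extension
  BANEZIPEXTS ON   ban a ZIP if an encrypted member has a banned extension"""
import io
import os
import struct
import zipfile


def load_policy(lines):
    """Parse a virus.cfg fragment into (banned_exts, banzipexts, banezipexts)."""
    banned, zipexts, ezipexts = set(), False, False
    for raw in lines:
        parts = raw.split()
        if len(parts) < 2:
            continue
        key, val = parts[0].upper(), parts[1].upper()
        if key == "BANEXT":
            banned.add(val)
        elif key == "BANZIPEXTS":
            zipexts = val == "ON"
        elif key == "BANEZIPEXTS":
            ezipexts = val == "ON"
    return banned, zipexts, ezipexts


def ext_of(name):
    """Last extension, upper-case, no dot: 'part3.jpg.pif' -> 'PIF'."""
    return os.path.splitext(name)[1].lstrip(".").upper()


def check_zip(data, policy):
    """Return (banned?, reason) for one ZIP attachment under the policy."""
    banned, zipexts, ezipexts = policy
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # bit 0 of the general-purpose flag marks an encrypted member
        members = [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]
    if "EZIP" in banned and any(enc for _, enc in members):
        return True, "BANEXT EZIP: encrypted ZIP"
    for name, encrypted in members:
        if ext_of(name) not in banned:
            continue
        if encrypted and ezipexts:
            return True, f"BANEZIPEXTS: encrypted member {name}"
        if not encrypted and zipexts:
            return True, f"BANZIPEXTS: member {name}"
    return False, "no rule matched"


def make_zip(members, encrypted=False):
    """Build a ZIP in memory. zipfile cannot write encrypted archives, so for
    the encrypted case set bit 0 of the flag word in every local header
    (offset 6) and central-directory entry (offset 8); readers then see it
    exactly as a password-protected archive. Contents stay in clear, which
    does not matter for a name/flag check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                struct.pack_into("<H", data, pos + off,
                                 struct.unpack_from("<H", data, pos + off)[0] | 0x1)
                pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed virus.cfg fragments: the two variants Bill describes.
CFG_EXTS_ONLY = ["BANEXT PIF", "BANEXT SCR", "BANZIPEXTS ON", "BANEZIPEXTS ON"]
CFG_WITH_EZIP = CFG_EXTS_ONLY + ["BANEXT EZIP"]

# Constructed attachments: a worm-style double extension and a plain document.
WORM_ZIP = make_zip([("part3.jpg.pif", b"not really a PE")])
DOC_ZIP = make_zip([("report.doc", b"quarterly numbers")])
ENC_WORM_ZIP = make_zip([("part3.jpg.pif", b"not really a PE")], encrypted=True)
ENC_DOC_ZIP = make_zip([("report.doc", b"quarterly numbers")], encrypted=True)


def demo():
    """Which attachments each config bans."""
    p1, p2 = load_policy(CFG_EXTS_ONLY), load_policy(CFG_WITH_EZIP)
    return {
        "worm/exts": check_zip(WORM_ZIP, p1)[0],
        "doc/exts": check_zip(DOC_ZIP, p1)[0],
        "enc-worm/exts": check_zip(ENC_WORM_ZIP, p1)[0],
        "enc-doc/exts": check_zip(ENC_DOC_ZIP, p1)[0],
        "enc-doc/ezip": check_zip(ENC_DOC_ZIP, p2)[0],
    }


if __name__ == "__main__":
    for case, banned in demo().items():
        print(f"{case:15s} banned={banned}")
```

Under the extension-only config the encrypted document passes (its member name is not on the list), which is exactly the gap BANEXT EZIP closes; under BANZIPEXTS alone, without BANEZIPEXTS, even an encrypted member with a banned extension passes. Note the check reads only the central directory, as `zipfile` does.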


Re: [Declude.Virus] IPBypass and notifications

2004-03-01 Thread Bill Landry
That shouldn't make any difference, since virus notifications do not get
sent to an IP address; they get sent to the sender's e-mail address or the
[EMAIL PROTECTED]

Bill
- Original Message - 
From: Russ Uhte (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 01, 2004 6:30 AM
Subject: [Declude.Virus] IPBypass and notifications


 Just set up a gateway mailserver, and I realized that if a virus comes
 through the gateway, the notification that gets sent out sees the gateway
 mailservers IP address.  Is there a way to hook the IPBypass functionality
 into Declude Virus?

 Thanks,
 Russ

 ---
 Russ Uhte, CCNA, MCP, A+
 Network Administrator
 Richmond Power & Light
 Parallax Systems Division
 2000 US 27 South
 Richmond, IN 47374
 USA
 Richmond: 765.973.7348
 Toll-free: 888.962.3770
 Cell: 765.993.3944



Re: [Declude.Virus] Another error

2004-02-26 Thread Bill Landry
- Original Message - 
From: Serge [EMAIL PROTECTED]

 just looked at the directory, and there is only scan32.exe
 i may need to reinstall netshield ?

The files, scan32.exe and scan.exe, are not in the same directory.  Scan.exe
can be found in:

C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx

depending on the version of McAfee you are running.

Bill



Re: [Declude.Virus] F-prot 3.14c Error 5

2004-02-25 Thread Bill Landry
Scott, if Declude Virus encounters an Error 5 with scanner 1, does it not
even attempt to run the message through the second scanner?

Normal virus detected without Error 5:
=
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanner 1: Virus= W32/[EMAIL PROTECTED]
Attachment=part3.zip [14] O
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanner 2: Virus= [
WORM_MYDOOM.F](1) in M:\IMail\spool\DA3D35~1.VIR\0.zip,(part3.jpg.pif)
Attachment=part3.zip [14] O
02/25/2004 05:32:05 Qa3d35c70b2d0 File(s) are INFECTED [
W32/[EMAIL PROTECTED]: 1]
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanned: CONTAINS A VIRUS [MIME: 2
35275]
02/25/2004 05:32:05 Qa3d35c70b2d0 From: [Forged] To: [EMAIL PROTECTED]
[outgoing from 204.189.38.3]
02/25/2004 05:32:05 Qa3d35c70b2d0 Subject: Read now!
=

Virus detected with Error 5:
=
02/25/2004 08:50:21 Qd23b256a001cfa29 Could not find parse string Infection:
in report.txt
02/25/2004 08:50:21 Qd23b256a001cfa29 Error 5 in virus scanner 1.
02/25/2004 08:50:23 Qd23b256a001cfa29 Scanned: Error in virus scanner.
[MIME: 2 5911]
=

The second scanner is not called?

Bill



Re: [Declude.Virus] W32/Netsky.c@MM - new

2004-02-25 Thread Bill Landry
Wow, F-Prot is johnny-on-the-spot and catching these with the latest definition
from about an hour ago.  However, RAV and TrendMicro are not catching this
one yet...

Bill
- Original Message - 
From: Patrick Childers (by way of R. Scott Perry [EMAIL PROTECTED])
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 10:06 AM
Subject: [Declude.Virus] W32/[EMAIL PROTECTED] - new


 There's a new variant out.

 http://vil.nai.com/vil/content/v_101048.htm

 ~Patrick



Re: [Declude.Virus] Mcafee

2004-02-24 Thread Bill Landry
Typically the McAfee command-line scanner, scan.exe, has been located in
c:\program files\common files\Network Associates\VirusScan Engine\4.0.xx, or
whatever version number you are running.  Here is the McAfee entry from the
Declude Virus manual at http://www.declude.com/virus/manual.htm:

SCANFILE  C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM
/NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE 13
REPORT Found

Bill
- Original Message - 
From: Gene Head [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 5:14 PM
Subject: [Declude.Virus] Mcafee


 I just purchased Mcafee to use as a third scanner.
 I installed it but I can't find the command line scanner.

 Anyone have the new Virus scan program and can share the process for
 getting this to work?



 Gene Head
 ACCRAM Inc.
 MCP,Net+,A+,CCNA,CCDA
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]




Re: [Declude.Virus] Mcafee

2004-02-24 Thread Bill Landry
Dunno then.  You may need to put a call into McAfee.

Bill
- Original Message - 
From: Gene Head [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 6:48 PM
Subject: RE: [Declude.Virus] Mcafee


 It's Mcafee Virus Scan Ver 8.0 Build 8.0.26

 There isn't a scan.exe or scan32.exe on the drive.

 Gene Head
 ACCRAM Inc.
 MCP,Net+,A+,CCNA,CCDA
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Tuesday, February 24, 2004 6:36 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Mcafee



[Declude.Virus] WORM_MYDOOM.F

2004-02-23 Thread Bill Landry
A new variant of W32/[EMAIL PROTECTED] that we just caught a couple of.  Neither RAV nor
F-Prot caught it, but TrendMicro, ClamAV (Clam IDs it as MyDoom.E) and McAfee
did.

The attachments were named:  object.zip and hnmhjn.exe
Subjects were:  JPWMDWXACRNSN and Fake

Anyway, be on the lookout...

Bill



Re: [Declude.Virus] Declude not delivering mail

2004-02-19 Thread Bill Landry
Maybe a corrupted declude.exe file?  Try downloading the file again from the
Declude web site and see if that fixes the problem.

Bill
- Original Message - 
From: jan k wikhaug [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 19, 2004 1:14 PM
Subject: [Declude.Virus] Declude not delivering mail



I desperately need some help.

Today at 10:55 Declude stopped working and email started to add up
in the spool directory. It was my day off so I didn't notice until
later, and then there were 1500+ emails in the spool directory
going nowhere. I run 1.77.

I put the smtp32.exe back in service and all messages were sent, but
without virus and junkmail scanning of course. Then I put Declude
back in service and all stopped and those messages kept piling up
in the spool directory again.

The funny thing is the virus and junkmail logs stop at 10:55 and add
nothing for the rest of the day. I guess I have to put smtp32 back
in service though I don't like it with the Netsky activity...

Jan K Wikhaug
NettX




Sent via webmail at nettx.no







Re: [Declude.Virus] AVG 7.0 32-bit scanner find...extra space???

2004-02-07 Thread Bill Landry



Matt, what does your report line look like?  If it's:

REPORT1  Infections:

maybe try instead

REPORT1  Identified

without a colon ":".  Just curious if that fixes it, since the report does not
contain "Infections:", but does contain "Identified".

Bill
- Original Message - 
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, February 06, 2004 11:38 PM
Subject: [Declude.Virus] AVG 7.0 32-bit scanner find...extra space???


 Ok, I've been testing things and I think I might have found why Declude
 can't make use of AVG 7's 32-bit scanner, avgscan.exe.  In the 16-bit
 version, the program will report:

   Virus identified EICAR_Test

 In the 32-bit version, there is an extra space:

   Virus identified  EICAR_Test

 Aside from that difference, I can't find anything else that would explain
 it not working.  BTW, I did find that they support the /NOBOOT switch with
 avgscan.exe despite the lack of this appearing in the help output, and
 unlike avg.exe, it will by default scan the boot sectors.

 Scott, could you tell me if the extra space is in fact the issue at hand
 here?  Here's the config and the output from the report.txt file with the
 32-bit version:

 - Command Line -
 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt C:\IMail\Declude\Virus1\eicar.com

 - Report.txt -
 AVG 7.0 Anti-Virus System
 Copyright (c) GRISOFT,s.r.o. 2003
 Program version 7.0 Engine: 718 database version 261.8.3
 Command line: [/NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=C:\report.txt /SCAN C:\IMail\Declude\Virus\eicar.com]
 "C:\IMail\Declude\Virus\eicar.com"  Virus identified  EICAR_Test
 Test start 2/7/2004 2:24:36
 Elapsed time 0 sec.
 Scanned files : 1
 Scanned sectors : 0
 Infected files : 1
 Infected sectors : 0

 Thanks,

 Matt

 -- 
 =
 MailPure custom filters for Declude JunkMail Pro.
 http://www.mailpure.com/software/
 =


Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

   Would it be possible to E-mail one of the quarantined D*.SMD files to our
   virustrap@ account?  We can then analyze it and should be able to get a
   better idea of why this is happening.
 
 I sent sample d*.smd virus files and postmaster and log file txt to the
 virustrap account.

 It looks like Groupshield blocked it.

 Perhaps you could .ZIP it in a password-protected .ZIP file, which should
 prevent it from getting blocked?

I resent it last night from my yahoo account.  Did you receive it at the
virustrap address?

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 I resent it last night from my yahoo account.  Did you receive it at the
 virustrap address?

 No -- the only E-mail to arrive there was the one from GroupShield for
 Exchange.

Please check the virustrap mailbox again, hopefully third attempt is a
charm...

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 Please check the virustrap mailbox again, hopefully third attempt is a
 charm...

 It came through -- it looks like the one from last night probably did as
 well, but got caught here.

 Are you running 3 virus scanners with Declude Virus?  The only thing that I
 can think of that could account for this happening is if there are 3 or
 more virus scanners being used with Declude Virus.

No, just two.  We replaced McAfee with TrendMicro.  Here are the actual
virus scanner config entries:

# F-Prot
SCANFILE1
C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM 
-PACKED -SILENT -TYPE -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection:

# McAfee
# SCANFILE2 C:\Progra~1\Common~1\Networ~1\Viruss~1\4.0.xx\scan.exe /ALL
/ANALYZE /NOBEEP /NOBOOT /NOBREAK /NODDA /NOMEM /PROGRAM /SILENT /UNZIP
/REPORT report.txt
# VIRUSCODE2 13
# REPORT2 Found

# TrendMicro
SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q
/LR=report.txt
VIRUSCODE2 1
REPORT2  Found

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-02 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

   This is indeed due to an issue with Declude Virus -- it will be fixed in
   the next interim release.
 
 Scott, I upgraded to Declude v1.77i26 and that took care of the file name
 issue - thanks!  However, I am now noticing that about 1 in 10 postmaster
 messages is displaying virus in Unknown File, even though most times the
 file name is correctly identified in the virus log (see attachment).

 What is the REPORT2 line in your \IMail\Declude\virus.cfg file?

# TrendMicro
SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q
/LR=report.txt
VIRUSCODE2 1
REPORT2  Found

 In the line:

 02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus=
 [   WORM_MYDOOM.A](1) in M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt

 is that appearing all on one line, or on two separate lines in the log file?

All on one line.

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-02 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

   02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus=
   [   WORM_MYDOOM.A](1) in M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
  
   is that appearing all on one line, or on two separate lines in the log file?
 
 All on one line.

 This is strange -- Declude Virus should be using the file name that it
 reports in the log file.

 Do you have sample log file entries for an E-mail with a virus that was
 caught, where Unknown File was not used?

Attached are 5 recent samples.  Let me know if you need more.

Bill
Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in sfehy.zip from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:40:20
Subject:Mail Transaction Failed
Spool File: Dd1ce048100aec351.SMD
Remote IP:  204.189.38.3

02/02/2004 14:40:19 Qd1ce048100aec351 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=sfehy.zip [13] O
02/02/2004 14:40:20 Qd1ce048100aec351 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1CE0~1.VIR\0.zip,(sfehy.pif) Attachment=sfehy.zip [13] O
02/02/2004 14:40:20 Qd1ce048100aec351 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:20 Qd1ce048100aec351 Scanned: CONTAINS A VIRUS [MIME: 2 22794]
02/02/2004 14:40:20 Qd1ce048100aec351 From: [Forged] To: [Removed] [outgoing from 
204.189.38.3]
02/02/2004 14:40:20 Qd1ce048100aec351 Subject: Mail Transaction Failed

---

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in text.zip from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:40:36
Subject:
Spool File: Dd1df049000ae0645.SMD
Remote IP:  204.189.38.4

02/02/2004 14:40:35 Qd1df049000ae0645 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=text.zip [13] O
02/02/2004 14:40:36 Qd1df049000ae0645 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1DF0~1.VIR\0.zip,(text.exe) Attachment=text.zip [13] O
02/02/2004 14:40:36 Qd1df049000ae0645 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:36 Qd1df049000ae0645 Scanned: CONTAINS A VIRUS [MIME: 2 22873]
02/02/2004 14:40:36 Qd1df049000ae0645 From: [Forged] To: [Removed] [outgoing from 
204.189.38.4]
02/02/2004 14:40:36 Qd1df049000ae0645 Subject:

---

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in doc.zip from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:40:52
Subject:hello
Spool File: Dd1e8049500ae28e1.SMD
Remote IP:  204.189.38.3

02/02/2004 14:40:51 Qd1e8049500ae28e1 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=doc.zip [13] O
02/02/2004 14:40:52 Qd1e8049500ae28e1 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1E80~1.VIR\0.zip,(doc.pif) Attachment=doc.zip [13] O
02/02/2004 14:40:52 Qd1e8049500ae28e1 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:52 Qd1e8049500ae28e1 Scanned: CONTAINS A VIRUS [MIME: 2 22871]
02/02/2004 14:40:52 Qd1e8049500ae28e1 From: [Forged] To: [Removed] [outgoing from 
204.189.38.3]
02/02/2004 14:40:52 Qd1e8049500ae28e1 Subject: hello

---

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in readme.zip from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:41:10
Subject:Hi
Spool File: Dd1e50bb100a21fe8.SMD
Remote IP:  204.189.38.3

02/02/2004 14:41:09 Qd1e50bb100a21fe8 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=readme.zip [13] O
02/02/2004 14:41:10 Qd1e50bb100a21fe8 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1E50~1.VIR\0.zip,(readme.cmd) Attachment=readme.zip [13] O
02/02/2004 14:41:10 Qd1e50bb100a21fe8 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:41:10 Qd1e50bb100a21fe8 Scanned: CONTAINS A VIRUS [MIME: 2 22877]
02/02/2004 14:41:10 Qd1e50bb100a21fe8 From: [Forged] To: [Removed] [outgoing from 
204.189.38.3]
02/02/2004 14:41:10 Qd1e50bb100a21fe8 Subject: Hi

---

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in message.pif from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:41:25
Subject:Error
Spool File: Dd1cd0bac00a2c218.SMD
Remote IP:  204.189.38.3

02/02/2004 14:41:24 Qd1cd0bac00a2c218 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=message.pif [13] O
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1CD0~1.VIR\0.pif Attachment=message.pif [13] O
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Found a bogus .pif file
02/02/2004 14:41:25 Qd1cd0bac00a2c218 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Scanned: CONTAINS A VIRUS [MIME: 2 22777]
02/02/2004 14:41:25 Qd1cd0bac00a2c218 From: [Forged] To: [Removed] [outgoing from 
204.189.38.3]
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Subject: Error


Re: [Declude.Virus] Virus report and log entry question

2004-02-01 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]


 This is indeed due to an issue with Declude Virus -- it will be fixed in
 the next interim release.

Scott, I upgraded to Declude v1.77i26 and that took care of the file name
issue - thanks!  However, I am now noticing that about 1 in 10 postmaster
messages is displaying virus in Unknown File, even though most times the
file name is correctly identified in the virus log (see attachment).

Not that big a deal, just an FYI...

Bill
Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:26:43
Subject:Mail System Error - Returned Mail
Spool File: D36d2853b009e5f08.SMD

02/01/2004 09:26:43 Q36d2853b009e5f08 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=doc.zip [13] O
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D36D28~1.VIR\1.zip,(doc.scr) Attachment= [13] O
02/01/2004 09:26:43 Q36d2853b009e5f08 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanned: CONTAINS A VIRUS [MIME: 4 25840]
02/01/2004 09:26:43 Q36d2853b009e5f08 From: [Forged] To: [removed] [outgoing from 
204.189.38.4]
02/01/2004 09:26:43 Q36d2853b009e5f08 Subject: Mail System Error - Returned Mail

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:32:06
Subject:Delivery Status Notification (Failure)
Spool File: D3816855d009e4e46.SMD

02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=body.zip [13] O
02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
02/01/2004 09:32:06 Q3816855d009e4e46 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:32:06 Q3816855d009e4e46 Scanned: CONTAINS A VIRUS [MIME: 4 25206]
02/01/2004 09:32:06 Q3816855d009e4e46 From: [Forged] To: [removed] [outgoing from 
204.189.38.4]
02/01/2004 09:32:06 Q3816855d009e4e46 Subject: Delivery Status Notification (Failure)

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:37:06
Subject:failure notice
Spool File: D394063ce005add44.SMD

02/01/2004 09:37:05 Q394063ce005add44 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment= [13] O
02/01/2004 09:37:06 Q394063ce005add44 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D39406~1.VIR\0,(document.htm
02/01/2004 09:37:06 Q394063ce005add44 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:37:06 Q394063ce005add44 Scanned: CONTAINS A VIRUS
02/01/2004 09:37:06 Q394063ce005add44 From: [Forged] To: [removed] [outgoing from 
204.189.38.4]
02/01/2004 09:37:06 Q394063ce005add44 Subject: failure notice

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:44:28
Subject:Delivery Status Notification (Failure)
Spool File: D3af9338a00289760.SMD

02/01/2004 09:44:27 Q3af9338a00289760 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=file.pif [13] O
02/01/2004 09:44:28 Q3af9338a00289760 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D3AF93~1.VIR\1.pif Attachment= [13] O
02/01/2004 09:44:28 Q3af9338a00289760 Found a bogus .pif file
02/01/2004 09:44:28 Q3af9338a00289760 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:44:28 Q3af9338a00289760 Scanned: CONTAINS A VIRUS [MIME: 4 2]
02/01/2004 09:44:28 Q3af9338a00289760 From: [Forged] To: [removed] [outgoing from 
204.189.38.3]
02/01/2004 09:44:28 Q3af9338a00289760 Subject: Delivery Status Notification (Failure)

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:45:46
Subject:Returned mail: see transcript for details
Spool File: D3b499bcf0082ceb7.SMD

02/01/2004 09:45:45 Q3b499bcf0082ceb7 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=doc.zip [13] O
02/01/2004 09:45:46 Q3b499bcf0082ceb7 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D3B499~1.VIR\1.zip,(doc.htm
02/01/2004 09:45:46 Q3b499bcf0082ceb7 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:45:46 Q3b499bcf0082ceb7 Scanned: CONTAINS A VIRUS [MIME: 4 24197]
02/01/2004 09:45:46 Q3b499bcf0082ceb7 From: [Forged] To: [removed] [outgoing from 
204.189.38.3]
02/01/2004 09:45:46 Q3b499bcf0082ceb7 Subject: Returned mail: see transcript for 
details

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:51:31
Subject:Delivery Status Notification (Failure)
Spool File: D3ca335a6002e14ff.SMD

02/01/2004 09:51:31 Q3ca335a6002e14ff Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=readme.zip [13] O
02/01/2004 09:51:31 
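
The virus.log excerpts in this message and in the one above it show the pattern behind the "Unknown File" notices: Scanner 1 (F-Prot) reports Attachment=doc.zip while Scanner 2 (TrendMicro) reports an empty Attachment= field or none at all. The Python below is an added example written for this page, not Declude's code. It parses log lines in that layout, groups them by queue id, and lists the messages for which no scanner supplied an attachment name. The sample lines are constructed after the excerpts above (the redacted virus name is kept exactly as the archive rendered it), and the rule "lowest-numbered scanner with a non-empty Attachment= wins" is the editor's assumption about what a postmaster notice should use, not a description of how Declude chose the name.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of the virus.log excerpts above. The virus
# name is kept exactly as the archive rendered it ("[EMAIL PROTECTED]" is the
# archive's redaction, not a real name); the Scanner 2 line for Q394063ce...
# is cut off before any Attachment= field, as it is in the message above.
SAMPLE_LOG = """\
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=doc.zip [13] O
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in M:\\IMail\\spool\\D36D28~1.VIR\\1.zip,(doc.scr) Attachment= [13] O
02/01/2004 09:26:43 Q36d2853b009e5f08 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanned: CONTAINS A VIRUS [MIME: 4 25840]
02/01/2004 09:37:05 Q394063ce005add44 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment= [13] O
02/01/2004 09:37:06 Q394063ce005add44 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in M:\\IMail\\spool\\D39406~1.VIR\\0,(document.htm
02/01/2004 09:37:06 Q394063ce005add44 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:19 Qd1ce048100aec351 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=sfehy.zip [13] O
02/02/2004 14:40:20 Qd1ce048100aec351 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in M:\\IMail\\spool\\DD1CE0~1.VIR\\0.zip,(sfehy.pif) Attachment=sfehy.zip [13] O
02/02/2004 14:40:20 Qd1ce048100aec351 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
"""

# "MM/DD/YYYY HH:MM:SS Q<queue id> <event text>"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4}) (\d\d:\d\d:\d\d) (Q[0-9a-f]+) (.*)$")
# "Scanner N: Virus= <name> [Attachment=<file> [<code>] <flag>]"; the
# Attachment= part is optional because Scanner 2 sometimes omits it entirely.
SCANNER_RE = re.compile(
    r"^Scanner (\d+): Virus= (.*?)(?: Attachment=(\S*) \[(\d+)\] (\S+))?$"
)


@dataclass
class ScannerHit:
    scanner: int
    virus: str
    attachment: Optional[str]  # None: no Attachment= field; "": field present but empty


@dataclass
class MessageScan:
    qid: str
    hits: List[ScannerHit] = field(default_factory=list)
    infected: bool = False


def parse_log(text: str) -> Dict[str, MessageScan]:
    """Group virus.log lines by queue id, keeping each scanner's verdict."""
    scans: Dict[str, MessageScan] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # wrapped continuation or unrelated line
        qid, event = m.group(3), m.group(4)
        scan = scans.setdefault(qid, MessageScan(qid))
        sm = SCANNER_RE.match(event)
        if sm:
            scan.hits.append(ScannerHit(int(sm.group(1)), sm.group(2).strip(), sm.group(3)))
        elif event.startswith("File(s) are INFECTED"):
            scan.infected = True
    return scans


def reported_filename(scan: MessageScan) -> str:
    """File name for the postmaster notice: the lowest-numbered scanner that
    supplied a non-empty Attachment= wins, else "Unknown File". (Assumed
    policy for this example, not Declude's documented behaviour.)"""
    for hit in sorted(scan.hits, key=lambda h: h.scanner):
        if hit.attachment:
            return hit.attachment
    return "Unknown File"


def unknown_file_cases(scans: Dict[str, MessageScan]) -> List[str]:
    """Queue ids of infected messages that no scanner named a file for;
    these are the ones that would legitimately produce an Unknown File notice."""
    return sorted(q for q, s in scans.items()
                  if s.infected and reported_filename(s) == "Unknown File")


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for qid, scan in parsed.items():
        print(qid, reported_filename(scan), [h.attachment for h in scan.hits])
    print("unknown-file cases:", unknown_file_cases(parsed))
```

Running the block prints, for each queue id, the name the notice would carry and what each scanner reported. The id whose scanners both failed to supply a name is the only one that should read Unknown File; the first sample, where Scanner 1 did name doc.zip, is the case Bill reports as mislabelled.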

Re: [Declude.Virus] Virus report and log entry question

2004-01-29 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 Scott, I am running Declude v1.77i24 and I am wondering why Declude Virus is
 using the file name from the second virus scanner instead of the first...

 This should only happen if the first virus scanner did not report the virus
 name, or if the virus name contains vulnerability in it (in which case a
 real virus name takes priority).

F-Prot is the first virus scanner, and the log samples I provided show that
F-Prot did report the virus name.  In fact, the log and postmaster report both
use the first scanner's reported virus name (in this case F-Prot reported the
virus as Mydoom) instead of the second scanner's (TrendMicro, which reports the
virus as WORM_MIMAIL.R).  However, the report and log file show the second
scanner's file name, which is showing up missing the first letter in the file
name in both, which is not missing in either as reported by the first
scanner.

 The problem here is that the report file format is different for a .SMD
 file that is scanned versus an actual attachment (Declude Virus decodes the
 attachments).  Could you send a sample file for scanning a directory with
 just a single eicar.com file in it?

Here you go:

C:\Program Files\Trend\SPROTECT>vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt L:\VirusTest

1 files have been checked.
 Found 1 files containing viruses.
-
C:\Program Files\Trend\SPROTECT>cat report.txt
Copyright (c) 1990 - 2002 Trend Micro Inc.
Report Date : 1/29/2004 17:10:52
VSAPI Engine Version : 6.810-1005
VSCANTM Version : 1.0-1728
Virus Pattern Version : 749 (58124 Patterns) (2004/01/28) (174900)
Command Line: vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt L:\VirusTest

Found [ Eicar_test_file](1) in L:\VirusTest\eicar.com
1 files have been read.
1 files have been checked.
1 files have been scanned.
1 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/29/2004 17:10:53
0.00 seconds has elapsed.

-*-*-*-*-*-*-*-----*

Bill



Re: [Declude.Virus] TrendMicro Declude Virus

2004-01-27 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 I was looking at the virus manual site and noticed that the TrendMicro
 config entry does not have a report line.  Is this because Trend does not
 provide a report output the Declude can track?  Just wondering because we
 are migrating all of our data center server to Trend.

 That is correct -- the last time we checked, they did not support the
 standard report file format.

We are running a corporate enterprise edition of TrendMicro, but this is
providing accurate report output for us:

SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q
/LR=report.txt
VIRUSCODE2 1
REPORT2  Found

I don't know if this would work for the basic desktop version or not, since
I do not have a copy to be able to test it.

Bill



Re: [Declude.Virus] Imail and Spyware Protection

2004-01-26 Thread Bill Landry
Pest Patrol is a spyware application that is supported by Declude Virus, at
least it is shown in the manual at http://www.declude.com/virus/manual.htm.

Bill
- Original Message - 
From: Bridges, Samantha [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 26, 2004 7:49 AM
Subject: RE: [Declude.Virus] Imail and Spyware Protection


Thanks scott.

I use F-Prot and I don't know if they block this.  I will check it out.

Samantha

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Monday, January 26, 2004 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Imail and Spyware Protection



How do you know if spyware is on a PC?  Does Declude or Imail identify
and remove sneaky applications such as these?

That is up to the AV program.  Most AV programs do not attempt to detect
spyware.  However, if the AV program you use with Declude Virus is capable
of detecting spyware, then it will get caught with Declude Virus.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.Virus] Heads up on F-Prot configuration

2004-01-25 Thread Bill Landry
Here's what I have used for over a year and recommended to the list at that
time:

# F-Prot
SCANFILE1
C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM 
-PACKED -SILENT -TYPE -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection:

I include the VIRUSCODE 8 for holding suspicious files, and -AI to
enable neural-network virus detection.  I'm not sure why Scott did not add
at least the -PACKED switch back then, figured maybe he thought I was just
being overly cautious.

Also, I use hyphen - instead of forward slash / because that's what is
shown for the switches when doing fpcmd /? from the command prompt.
Probably doesn't matter since both apparently work.

Bill
- Original Message - 
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, January 25, 2004 6:06 AM
Subject: Re: [Declude.Virus] Heads up on F-Prot configuration


 I checked and it scanned the boot records without it, and didn't scan
 the boot records with it.  I think it is undocumented.

 Matt



 R. Scott Perry wrote:

 
  I noticed while testing the command line output that the switches
  recommended in the manual doesn't include /NOBOOT and as a result,
  F-Prot will scan your boot sectors every time it is run.  This would
  waste clock cycles.  I also included the /PACK option which is said
  to unpack compressed executables.   I'm no expert on this stuff,
  but I believe the 32-bit F-Prot instructions should be changed to the
  following:
 
 
  Actually, the original configuration that we suggested for fpcmd.exe
  was identical to F-Prot.exe, except without the /NOFLOPPY option
  (which would break fpcmd.exe), so we kept the /NOBOOT in there.
  But, someone later pointed out that fpcmd.exe doesn't support the
  /NOBOOT switch.  I'm not sure whether they just left it out of the
  list of switches, or if it is left undocumented.  But that's why we
  removed it.  I'll have to check to see if they have changed this since
  we last checked.
 
 -Scott
  ---
  Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
  Declude Virus: Catches known viruses and is the leader in mailserver
  vulnerability detection.
  Find out what you've been missing: Ask about our free 30-day evaluation.
 
 
 

 -- 
 =
 MailPure custom filters for Declude JunkMail Pro.
 http://www.mailpure.com/software/
 =



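The virus.cfg entries quoted in this thread and in the TrendMicro and "Virus report and log entry question" messages above all share one shape: SCANFILEn is the command, VIRUSCODEn lists the exit codes that mean a virus was found, and REPORTn is the keyword to look for in report.txt. Matt's AVG 7 question earlier on the page shows where keyword matching goes wrong: the 32-bit scanner writes two spaces between "identified" and the virus name. The Python below is an added example written for this page, not Declude's code. It parses those three line types into one entry per scanner, then combines an exit code with a whitespace-tolerant, case-insensitive keyword search of the report text. That the exit code decides infection and the REPORT keyword only locates the detail text is an assumption made here, as is the loose matching; the report texts are constructed after the outputs quoted in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# virus.cfg fragment copied from the F-Prot and TrendMicro entries in the
# messages above; the SCANFILE lines are rejoined because e-mail wrapped them.
VIRUS_CFG = """\
# F-Prot
SCANFILE1 C:\\Progra~1\\FSI\\F-Prot\\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SILENT -TYPE -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection:

# TrendMicro
SCANFILE2 C:\\Progra~1\\Trend\\Sprotect\\vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt
VIRUSCODE2 1
REPORT2  Found
"""

# Constructed report.txt contents modelled on the outputs quoted in the thread.
TREND_REPORT = """\
Copyright (c) 1990 - 2002 Trend Micro Inc.
Found [ Eicar_test_file](1) in L:\\VirusTest\\eicar.com
1 files containing viruses.
"""
AVG16_REPORT = '"C:\\IMail\\Declude\\Virus\\eicar.com"  Virus identified EICAR_Test\n'
AVG32_REPORT = '"C:\\IMail\\Declude\\Virus\\eicar.com"  Virus identified  EICAR_Test\n'

CFG_RE = re.compile(r"^(SCANFILE|VIRUSCODE|REPORT)(\d+)\s+(.*?)\s*$")


@dataclass
class ScannerEntry:
    index: int
    command: str = ""
    virus_codes: Set[int] = field(default_factory=set)
    report_keyword: Optional[str] = None


def parse_virus_cfg(text: str) -> Dict[int, ScannerEntry]:
    """Collect SCANFILEn / VIRUSCODEn / REPORTn lines into one entry per n."""
    entries: Dict[int, ScannerEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CFG_RE.match(line)
        if not m:
            continue
        key, idx, value = m.group(1), int(m.group(2)), m.group(3)
        entry = entries.setdefault(idx, ScannerEntry(idx))
        if key == "SCANFILE":
            entry.command = value
        elif key == "VIRUSCODE":
            entry.virus_codes.add(int(value))
        else:
            entry.report_keyword = value
    return entries


def keyword_pattern(keyword: str):
    """Match the REPORT keyword with any run of whitespace between its words
    and without regard to case, so 'Virus identified  EICAR_Test' (two
    spaces, AVG 7 32-bit) matches the same keyword as the 16-bit output."""
    return re.compile(r"\s+".join(re.escape(p) for p in keyword.split()), re.IGNORECASE)


def find_report_hit(report_text: str, keyword: str) -> Optional[str]:
    """Text following the keyword on the first report line that contains it."""
    pat = keyword_pattern(keyword)
    for line in report_text.splitlines():
        m = pat.search(line)
        if m:
            return line[m.end():].strip()
    return None


def evaluate(entry: ScannerEntry, exit_code: int, report_text: str) -> Tuple[bool, Optional[str]]:
    """Assumed decision rule for this example: the scanner's exit code decides
    whether a virus was found (VIRUSCODE); the REPORT keyword only locates the
    detail text. Returns (infected, detail)."""
    if exit_code not in entry.virus_codes:
        return False, None
    if entry.report_keyword is None:
        return True, None
    return True, find_report_hit(report_text, entry.report_keyword)


if __name__ == "__main__":
    cfg = parse_virus_cfg(VIRUS_CFG)
    print("Trend, exit 1:", evaluate(cfg[2], 1, TREND_REPORT))
    print("Trend, exit 0:", evaluate(cfg[2], 0, TREND_REPORT))
    for name, report in (("AVG 16-bit", AVG16_REPORT), ("AVG 32-bit", AVG32_REPORT)):
        print(name, "->", find_report_hit(report, "Virus identified"))
```

Run as a script, both AVG layouts yield EICAR_Test, while a plain substring test for "Virus identified EICAR_Test" fails on the 32-bit line; that single extra space is the difference Matt observed. Bill's suggestion of REPORT1 Identified also works here because the match ignores case.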

Re: [Declude.Virus] Heads up on F-Prot configuration

2004-01-25 Thread Bill Landry
Mike, I did some very basic testing using the - and / on different size
files ranging from under 1mb to 50mb, and what I found was that the tests
either ran at the same speed or the tests with the / ran a bit slower (out
of ten tests I ran, 4 ran slower with the /).  Here is one example:
==
With -
==
C:\Program Files\FSI\F-Prot>fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SILENT -TYPE -REPORT=report.txt f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip

C:\Program Files\FSI\F-Prot>cat report.txt
Virus scanning report  -  25 January 2004 @ 14:22

F-PROT ANTIVIRUS
Program version: 3.14b
Engine version: 3.14.7

VIRUS SIGNATURE FILES
SIGN.DEF created 23 January 2004
SIGN2.DEF created 24 January 2004
MACRO.DEF created 19 January 2004

Search: -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SILENT -TYPE -REPORT=report.txt f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /PACKED /REPORT=report.txt /NOBREAK /SILENT /NOBOOT
/NOMEM /AI
Memory was not scanned.
Hard disk boot sectors were not scanned.

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 2

Time: 0:14

No viruses or suspicious files/boot sectors were found.

==
With /
==
C:\Program Files\FSI\F-Prot>fpcmd.exe /AI /ARCHIVE /DUMB /NOBOOT /NOBREAK /NOMEM /PACKED /SILENT /TYPE /REPORT=report.txt f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip

C:\Program Files\FSI\F-Prot>cat report.txt
Virus scanning report  -  25 January 2004 @ 14:22

F-PROT ANTIVIRUS
Program version: 3.14b
Engine version: 3.14.7

VIRUS SIGNATURE FILES
SIGN.DEF created 23 January 2004
SIGN2.DEF created 24 January 2004
MACRO.DEF created 19 January 2004

Search: f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /PACKED /REPORT=report.txt /NOBREAK /SILENT /NOBOOT
/NOMEM /AI
Memory was not scanned.
Hard disk boot sectors were not scanned.

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 2

Time: 0:17

No viruses or suspicious files/boot sectors were found.
=

Note the time difference.  I would be curious to know what your results are
like.

Bill
- Original Message - 
From: Mike Nice [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, January 25, 2004 12:54 PM
Subject: Re: [Declude.Virus] Heads up on F-Prot configuration


 The Help shows the commands beginning with dashes.   FPCMD.EXE recognizes
 the dashes as commands, however it fails to remove them from the argument
 list and ends up scanning for the arguments as additional file
 specifications.   Try it both ways and note the output - it says it
 searches for -packed, for example.

 Also a test shows that the /NOBOOT command is applicable to FPCMD.exe and
 saves scanning the boot records.
  Mike Nice

 - Original Message - 
 From: Bill Landry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Sunday, January 25, 2004 1:35 PM
 Subject: Re: [Declude.Virus] Heads up on F-Prot configuration


  Also, I use hyphen - instead of forward slash / because that's what is
  shown for the switches when doing fpcmd /? from the command prompt.
  Probably doesn't matter since both apparently work.



Re: [Declude.Virus] Zip vulnerability

2003-10-28 Thread Bill Landry
I think it depends on your virus scanner, but I believe that most virus
scanners will now detect the zip of death.

Bill
- Original Message - 
From: Craig Gittens [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 11:52 AM
Subject: [Declude.Virus] Zip vulnerability


 Does Declude recognize the zip vulnerability where a zip file contains 5
 other zip files each of which contain a further 5 zip files which ALL
 contain 400MB files? So about 10GB of zipped files that zips down to 5kb

 I really don't want to test it on my live server but I have such a file.

 Craig.



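Craig's 5 x 5 x 400 MB archive is the classic nested decompression bomb, and Bill's answer points at the AV engine's signatures. A mail gateway can also refuse such an attachment before any scanner unpacks it, using only the sizes each zip member declares in its central directory. The Python below is an added example written for this page, not Declude's or any scanner's code: the limits are illustrative, the test archives are constructed in memory, and a nested .zip member is decompressed only after its declared size has been counted against the running budget.

```python
import io
import zipfile
from typing import List, Tuple

# Limits chosen for this example; tune them to the mail server's memory and
# the attachment sizes it legitimately sees.
MAX_DEPTH = 3                  # zip inside zip inside zip, and no deeper
MAX_TOTAL = 50 * 1024 * 1024   # total declared uncompressed bytes across all levels
MAX_RATIO = 100                # uncompressed / compressed, per member


def inspect_zip(data: bytes, max_depth: int = MAX_DEPTH,
                max_total: int = MAX_TOTAL, max_ratio: int = MAX_RATIO) -> dict:
    """Walk an archive and the archives nested in it using central-directory
    metadata (file_size / compress_size). Non-zip members are never
    decompressed; a nested .zip member is read only after its declared size
    has passed the budget, so memory use is bounded by max_total rather than
    by whatever the archive claims. Returns a dict with a verdict and stats."""
    stats = {"declared_bytes": 0, "members": 0, "max_depth": 0,
             "verdict": "ok", "reason": None}

    def reject(reason: str) -> None:
        stats["verdict"], stats["reason"] = "reject", reason

    def walk(blob: bytes, depth: int) -> None:
        if depth > max_depth:
            reject(f"nesting deeper than {max_depth}")
            return
        stats["max_depth"] = max(stats["max_depth"], depth)
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            reject("not a valid zip archive")
            return
        with zf:
            for info in zf.infolist():
                if stats["verdict"] != "ok":
                    return  # a nested walk already rejected the archive
                stats["members"] += 1
                stats["declared_bytes"] += info.file_size
                if stats["declared_bytes"] > max_total:
                    reject(f"declared size exceeds {max_total} bytes")
                    return
                if info.compress_size and info.file_size / info.compress_size > max_ratio:
                    reject(f"compression ratio above {max_ratio} for {info.filename}")
                    return
                if info.filename.lower().endswith(".zip"):
                    walk(zf.read(info), depth + 1)

    walk(data, 1)
    return stats


def make_zip(members: List[Tuple[str, bytes]]) -> bytes:
    """Build a DEFLATE zip in memory (constructed test data, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


def nested_zip(levels: int, payload: bytes) -> bytes:
    """Wrap payload in `levels` zips, each inside the next (constructed test data)."""
    blob = make_zip([("payload.bin", payload)])
    for i in range(levels - 1):
        blob = make_zip([(f"level{i}.zip", blob)])
    return blob


if __name__ == "__main__":
    print(inspect_zip(make_zip([("readme.txt", b"Quarterly report attached; see section 2.\n")])))
    print(inspect_zip(nested_zip(2, b"\0" * (1 << 20))))  # one member with a ~1000:1 ratio
    print(inspect_zip(nested_zip(5, b"x")))                # harmless payload, nested too deep
```

Declared sizes can themselves be forged, so the ratio and total checks are a cheap first gate rather than a substitute for the scanner's own archive limits. The point is that an attachment claiming gigabytes of payload is rejected from a few hundred bytes of metadata, before anything is unpacked on the mail server.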
