Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

2008-06-23 Thread Darrell ([EMAIL PROTECTED])
One side note - if this feature is added please make sure this feature 
is configurable so we can disable it if we choose (which I would).  I 
have customers who hold all spam for a certain period of time and then 
we delete.  If anything needs to be returned to the queue it is scanned 
manually or returned to the proc for reprocessing.  Virus scanning on 
all messages held would defeat the whole purpose of AVAFTERJM for their 
implementation.


Darrell

--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.



Bonno Bloksma wrote:

Hi,
 
(Open mail request)

Dear Declude people.
 
I have asked this before, and with the current spam levels can we PLEASE 
have this feature now ASAP? We all want to use AVAFTERJM but could you 
PLEASE make it scan all mail which is not deleted?
If that is too big a step at first because of all the possible copy, 
routeto, etc. statements, can we at least have it for the HOLD action ASAP?



Kind regards,
Bonno Bloksma
head of system administration

tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl


- Original Message -
*From:* Kevin Bilbee [EMAIL PROTECTED]
*To:* declude.virus@declude.com
*Sent:* Friday, June 13, 2008 5:25 PM
*Subject:* RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Be careful with this setting. If a message gets held as spam it will not be
virus scanned. Make sure you scan any message moved back into the delivery
queue for viruses before placing it in the delivery queue folder.



Kevin Bilbee

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Friday, June 13, 2008 6:10 AM
  To: declude.virus@declude.com
  Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
 
  AVAFTERJM has been around a long time.  I don't remember what version,
  but it was a 1.x version.
 
  Are you familiar with the setting?  It tells Declude to run Anti-Virus
  after Junkmail.  It then only runs AV after checking to see if the
  message is spam.  With the spam load these days, I would expect that to
  be the desired config, resulting in AV scanning on only about 10% of
  incoming mail instead of 100%.  However, it is not the default setting,
  which runs AV first, then Junkmail.
 
  That could easily account for yours and Kathy's 70-100% CPU.
 
  Darin.
 
 
  - Original Message -
  From: Brian Lin [EMAIL PROTECTED]
  To: declude.virus@declude.com
  Sent: Friday, June 13, 2008 8:55 AM
  Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
 
 
  No, I am still using an antique version of Declude and
  IMail.
 
  - Original Message -
  From: Darin Cox [EMAIL PROTECTED]
  To: declude.virus@declude.com
  Sent: Friday, June 13, 2008 8:07 PM
  Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
 
 
   Interesting that you are also seeing the 70-100% CPU with F-Prot 6,
   where we are not.
  
   Are you running AVAFTERJM?
  
   Darin.
  
  
   - Original Message -
   From: Brian Lin [EMAIL PROTECTED]
   To: declude.virus@declude.com
   Sent: Friday, June 13, 2008 5:23 AM
   Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
  
  
   I just terminated my F-Prot 6 and installed ClamAV SOSDG.
  
   Before that, my CPU usage always ran sky-high,
   at around 70%-100%; now, using ClamAV, it is reduced
   to 5%-20%, still catching all the test viruses.
  
   F-Prot 6 does not provide options like noboot, nomem;
   I guess these became the default setting and cause
   very high CPU and hard disk usage.
  
   Alex's instructions dated 6 June 2008 for ClamAV installation
   are very helpful, thanks!
   The main tricks in ClamAV are:
   1: need to install the contributors' tools, then get
   two dedicated tools for Declude, can run
   clamdscan as a service.
  
   2: need to remove --mbox; if this is there, it will
   not function.
  
   Brian
  
   - Original Message -
   From: Brian Lin [EMAIL PROTECTED]
   To: declude.virus@declude.com
   Sent: Friday, 
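
Kevin Bilbee's advice in the thread above (with AVAFTERJM on, scan anything moved from hold back into the delivery queue) can be scripted. The script below is an added example, not part of the original thread or of Declude: the folder names and the one-file-per-message layout are assumptions, and only the clamdscan path is taken from this page. A file is released only on a clean verdict and stays held when the scanner fails.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Scanner path as quoted elsewhere on this page; adjust for your install.
CLAMDSCAN = r"C:\clamav-devel\bin\clamdscan.exe"


def clamdscan_verdict(path, exe=CLAMDSCAN):
    """Map clamdscan's exit status to 'clean', 'infected' or 'error'."""
    try:
        # clamd is a separate service with its own working directory,
        # so it is given an absolute path.
        proc = subprocess.run([exe, "--no-summary", str(Path(path).resolve())],
                              capture_output=True, timeout=120)
    except (OSError, subprocess.TimeoutExpired):
        return "error"
    # clamdscan exits 0 for no virus found, 1 for virus found, 2 on error.
    return {0: "clean", 1: "infected"}.get(proc.returncode, "error")


def release_held(held_dir, queue_dir, quarantine_dir, scan=clamdscan_verdict):
    """Scan every file in held_dir and move it according to the verdict.

    clean -> queue_dir, infected -> quarantine_dir, error -> stays held.
    Returns {file name: verdict}. Folder names are hypothetical.
    """
    targets = {"clean": Path(queue_dir), "infected": Path(quarantine_dir)}
    for folder in targets.values():
        folder.mkdir(parents=True, exist_ok=True)
    verdicts = {}
    for item in sorted(Path(held_dir).iterdir()):
        if not item.is_file():
            continue
        verdict = scan(item)
        verdicts[item.name] = verdict
        if verdict in targets:  # an 'error' verdict never releases the file
            shutil.move(str(item), str(targets[verdict] / item.name))
    return verdicts


def demo():
    """Run the release logic on constructed files with a stand-in scanner."""
    def fake_scan(path):  # stands in for clamdscan so the demo runs offline
        data = Path(path).read_bytes()
        if not data:
            return "error"
        return "infected" if b"CONSTRUCTED-BAD-MARKER" in data else "clean"

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        held = root / "hold"
        held.mkdir()
        # Constructed sample files, not real spool content.
        (held / "a.eml").write_bytes(b"Subject: newsletter\r\n\r\nhello\r\n")
        (held / "b.eml").write_bytes(
            b"Subject: card\r\n\r\nCONSTRUCTED-BAD-MARKER\r\n")
        (held / "c.eml").write_bytes(b"")
        verdicts = release_held(held, root / "queue", root / "quarantine",
                                fake_scan)
        layout = {d: sorted(p.name for p in (root / d).iterdir())
                  for d in ("hold", "queue", "quarantine")}
        return verdicts, layout


if __name__ == "__main__":
    print(demo())
```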

Re: [Declude.Virus] extracting base64 encoded files

2008-02-18 Thread Darrell ([EMAIL PROTECTED])

Bonno,

This should do the trick.

http://www.fourmilab.ch/webtools/base64/

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.





Bonno Bloksma wrote:

Hi,
 
I had some valentine mail come through which was caught as suspicious. 
However, in the end it was reported as Unknow virus in Unknow File.
I now want to have a better look at the enclosed base64 encoded card.zip. 
But... what tool to use to extract that zip file without sending it to 
my mail program? I used to be able to extract uuencoded stuff with my 
zip archive tool but... What to use for base64 encoded stuff?


Kind regards,
Bonno Bloksma
head of system administration

tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl


---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.
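
One way to do what Bonno asks in the thread above without opening the message in a mail client, as an added example that is not part of the original thread: parse the saved message with Python's standard library, write each decoded attachment under a neutral name, and list ZIP members without unpacking them. The sample message, its addresses and the output folder are constructed for the illustration.

```python
import hashlib
import io
import re
import tempfile
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path


def safe_name(name, index):
    """Turn a sender-chosen filename into a harmless local one."""
    base = (name or "").replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".") or "unnamed"
    # The added suffix keeps the file from being opened by a double-click.
    return f"{index:02d}_{base}.sample"


def extract_attachments(raw, out_dir):
    """Decode the attachments of a raw RFC 822 message into out_dir.

    Returns one dict per attachment: saved path, size, SHA-256 and, for
    ZIP data, (member name, encrypted?) pairs. Nothing is unpacked or run.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue  # message body, not an attachment
        # decode=True undoes the Content-Transfer-Encoding (base64 here).
        data = part.get_payload(decode=True) or b""
        path = out / safe_name(filename, len(found) + 1)
        with open(path, "xb") as fh:  # "x": never overwrite an earlier sample
            fh.write(data)
        members = None
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of flag_bits marks a password-protected member.
                members = [(i.filename, bool(i.flag_bits & 0x1))
                           for i in zf.infolist()]
        found.append({
            "declared_name": filename,
            "content_type": part.get_content_type(),
            "path": path,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "zip_members": members,
        })
    return found


def build_sample():
    """Constructed test message: a harmless ZIP attached as card.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("card.txt", "constructed sample, not malware\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "admin@example.com"
    msg["Subject"] = "Valentine card"
    msg.set_content("See attachment.")
    # The declared name carries a path component on purpose.
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="../card.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for item in extract_attachments(build_sample(), tmp):
            print(item["path"].name, item["size"], item["sha256"],
                  item["zip_members"])
```

The SHA-256 of the saved file can then be handed to a scanner or looked up without the attachment ever passing through a mail client.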





[Declude.JunkMail] Re: [Declude.Virus] IMmail 2006.23 release notes

2007-12-10 Thread Darrell ([EMAIL PROTECTED])

Bonno,

After Declude finishes scanning the message it passes it off to 
smtp32.exe for delivery.  I can't think of any instance where declude 
will use the imail.exe utility.


Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.



Bonno Bloksma wrote:

Hi,
 
In the IMail 2006.23 release notes it states:

--Quote--
The IMail.exe Client provided in the IMail Server contained a 
vulnerability due to a boundary error when processing emails with 
multipart MIME data, which could potentially compromise a user's system.
 
IMail.exe will no longer be delivered during installation.
 
Caution: It is recommended that existing installations remove IMail.exe 
from the IMail directory. It has been determined that utilizing this 
feature could potentially corrupt mailboxes.

--Quote--
 
I seem to remember Declude used this (IMail.exe) as part of its mail 
delivery. Is that still true with the 4.x versions?
 
I use it to send myself mails when something happens like a sniffer 
update. But that is just one script which I can change.

Is there something similar that we can use?
 
P.S. I assume they mean IMail1 as there is no IMail.exe in the IMail 
directory.


Kind regards,
Bonno Bloksma
head of system administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
*From:* Tom Lewis [EMAIL PROTECTED]
*To:* [EMAIL PROTECTED]
*Sent:* Monday, December 10, 2007 2:28 PM
*Subject:* RE: [IMail Forum] apimmdd.txt files

The api/mmdd/.txt files are new in 9.23. There is informational logging 
taking place that is creating these logs. They can be used by tech 
support for diagnosing problems in the web client if they were to occur.
 
You can get to the release notes here: 
http://docs.ipswitch.com/IMail2006.23/ImailRelNotes/index.htm
 
Tom Lewis

*Ipswitch, Inc.*
Development Manager - Messaging Products
706-312-3573
 



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Bonno Bloksma

*Sent:* Monday, December 10, 2007 7:27 AM
*To:* [EMAIL PROTECTED]
*Subject:* [IMail Forum] apimmdd.txt files

Hi,
 
As of IMail 2006.23 I have apimmdd.txt logfiles. However I cannot find 
what these are for. Is this the new extra debugging for the webmail?

There seem to be no release notes for 2006.23, at least I cannot find them.
 
Apart from that, everything seems to be working OK.


Kind regards,
Bonno Bloksma
head of system administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.Virus] False Positive ClamAV

2007-05-21 Thread Darrell ([EMAIL PROTECTED])
Are you sure CLAMAV is hitting on this or is this a hit from the SANE phish 
database being used with CLAM?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
  - Original Message - 
  From: Bonno Bloksma 
  To: Declude.Virus@declude.com 
  Sent: Monday, May 21, 2007 7:09 AM
  Subject: [Declude.Virus] False Positive ClamAV


  Hi,

  Some of our mail is getting caught by ClamAV. I've had two reports on two 
completely unrelated mails.

  Body of message generated response:
  554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV - http://www.clamav.net

  I submitted a virus http://cgi.clamav.net/sendvirus.cgi tagging it as a false 
positive report. When I hit Submit I get an error stating this virus is already 
known and I should fix something in the submission. :-(

  Can anyone tell me:
  1) Whether this is normal behaviour for that page?
  2) Where I can report this bug in the webpage? It's not a bug in the program 
so I don't think the Bugzilla page is the right place. If I need to report it 
via a mailing list, which one?
  3) How I can check whether my report was received?


  Kind regards,
  Bonno Bloksma
  head of system administration



  tio hogeschool hotelmanagement en toerisme 
  begijnenhof 8-12 / 5611 el eindhoven
  t 040 296 28 28 / f 040 237 35 20
  [EMAIL PROTECTED]  / www.tio.nl 



Re: [Declude.Virus] ClamAV lstat() failed. ERROR

2007-04-25 Thread Darrell ([EMAIL PROTECTED])
Gary,

In order to scan the file I am sure Declude has to append the path to the 
files to scan otherwise how would the virus scanner know what to scan?  It 
needs some type of path.  Unless possibly it sets a working directory and 
expects the scanner to scan all the files in the working directory.  I 
suspect it gets a path much like it calls an external application.  Flip 
your logs to debug; what does it show?

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
- Original Message - 
From: Gary Steiner [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Wednesday, April 25, 2007 6:39 PM
Subject: [Declude.Virus] ClamAV lstat() failed. ERROR


In pursuing the problem of the new worm with a password-protected RAR file, 
I found a problem with ClamAV.

I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with 
runclamd and runclamscan).

Declude uses the following string:
C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

If I try to use it at a command prompt, I get the lstat() failed error. If I 
type in the full path for my command string, such as
C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

it works. The problem is that Declude scans a file in a different directory 
each time, so the path changes. So for Declude to work now, it would require 
a significant change in Declude.

But ClamAV worked before. What changed? Can it be changed back? Is this a 
problem with ClamAV in general, or just with the SOSDG Windows port? Do the 
other ClamAV ports have this problem?

Any suggestions you might have are greatly appreciated.

Gary Steiner












Re: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7

2007-04-16 Thread Darrell ([EMAIL PROTECTED])
Honestly, I am not sure what all the individual files are, but here are my dates

incavi.avm - 4/15/2007
microavi.avg - 4/5/2007
miniavg.avg - 2/16/2007
avi7.avg - 2/21/2007

Howard - you can try this post from David from the Archive-
http://www.mail-archive.com/declude.virus@declude.com/msg13473.html

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
  - Original Message - 
  From: Howard Smith (N.O.R.A.D.) 
  To: declude.virus@declude.com 
  Cc: [EMAIL PROTECTED] ; 'David Barker' 
  Sent: Monday, April 16, 2007 6:28 AM
  Subject: [Declude.Virus] AVG Virus updates - No updates from declude since 
4/7/7


  I have not had a virus update from Declude's AVG built-in scanner since 4/6/7. 
Has anyone received any later updates, or suggestions to fix the problem?

   

   

  Howard Smith

  N.O.R.A.D. Inc.

  P.O. Box 680116

  Miami, Florida 33168  

  www.norad.com 

  [EMAIL PROTECTED]

   




Re: [Declude.Virus] virus via e-mail getting rare

2007-03-26 Thread Darrell ([EMAIL PROTECTED])
All in all it has been way down for me as well.  In mid 2005 I was averaging 
around 100K-200K viruses a month (with AVAFTERJM).  That has been dropping and 
dropping.  In 2006 the highest for any given month I had was 22K.  This year I 
have had nothing over 2,500.  With running AVAFTERJM a lot of viruses also get 
tagged as spam.  In 2003 we averaged around 400K+ viruses per month (which 
dropped by more than half when AVAFTERJM was enabled).  Other things like 
greylisting also help thwart viruses.  

Come to think about it I can't remember the last major virus trying to come in 
(mydoom?) that we had to deal with.

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
  - Original Message - 
  From: Bonno Bloksma 
  To: Declude.Virus@declude.com 
  Sent: Monday, March 26, 2007 8:37 AM
  Subject: [Declude.Virus] virus via e-mail getting rare


  Hi,

  Is virus via e-mail a dying breed? There are days where I barely get any 
viruses via e-mail. Most of what gets caught is malformed mail, 99% spam.

  I just did a test to see if my virus scanners are still working correctly, 
eicar is still being caught by both F-prot and Sophos so all seems to be 
working. Both scanners are also correctly updating their database.


  Kind regards,
  Bonno Bloksma
  head of system administration



  tio hogeschool hotelmanagement en toerisme 
  begijnenhof 8-12 / 5611 el eindhoven
  t 040 296 28 28 / f 040 237 35 20
  [EMAIL PROTECTED]  / www.tio.nl 



Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

2007-03-22 Thread Darrell ([EMAIL PROTECTED])
Bill,

It's

CODE   [PLACE YOUR DECLUDE CODE HERE]

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
- Original Message - 
From: Bill Green dfn Systems [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, March 22, 2007 8:31 PM
Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble


I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key
message. According to the Archives, I need to put the Key in the declude.cfg
file, but what is the correct syntax?

License Key (KEY#) ?
or
Product Key (Key#) ?
or just
Key # ?

Bill Green
dfn Systems






Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

2007-03-22 Thread Darrell ([EMAIL PROTECTED])
Bill,

Do you have a declude.exe and a decludeproc in your imail folder?  Do you 
have the decludeproc service in services?  Do you also have a proc folder 
off of imail\spool (i.e. imail\spool\proc).  Are files starting to be 
deposited into the proc folder?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

- Original Message - 
From: Bill Green dfn Systems [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, March 22, 2007 9:14 PM
Subject: Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble


Is there an actual set of instructions for a Declude Upgrade for IMail? The
Declude site lists Installation Instructions, but they are for SmarterMail.
The Knowledge Base is no help. Declude Support has gone Home. My Upgrade has
gone horribly wrong and I now seem to have a hybrid monster.

Bill Green
dfn Systems

- Original Message - 
From: Bill Green dfn Systems [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, March 22, 2007 6:31 PM
Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble


 I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key
 message. According to the Archives, I need to put the Key in the
 declude.cfg file, but what is the correct syntax?

 License Key (KEY#) ?
 or
 Product Key (Key#) ?
 or just
 Key # ?

 Bill Green
 dfn Systems





Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

2007-03-22 Thread Darrell ([EMAIL PROTECTED])
Bill,

The Imail\Declude folder is the one that matters.  What are you getting in 
your logs?

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
- Original Message - 
From: Bill Green dfn Systems [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, March 22, 2007 9:21 PM
Subject: Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble


Thanks Darrell,

I put it in both declude.cfg files. I now have two. One in the
IMail\Declude Folder, and one in the Program Files\Declude Folder. I'm not
sure which one is working right now.

Bill Green
dfn Systems


- Original Message - 
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, March 22, 2007 6:55 PM
Subject: Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble


 Bill,

 It's

 CODE   [PLACE YOUR DECLUDE CODE HERE]

 Darrell

 
 Check out http://www.invariantsystems.com for utilities for Declude And
 Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
 MRTG
 Integration, and Log Parsers.
 - Original Message - 
 From: Bill Green dfn Systems [EMAIL PROTECTED]
 To: declude.virus@declude.com
 Sent: Thursday, March 22, 2007 8:31 PM
 Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble


 I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key
 message. According to the Archives, I need to put the Key in the
 declude.cfg
 file, but what is the correct syntax?

 License Key (KEY#) ?
 or
 Product Key (Key#) ?
 or just
 Key # ?

 Bill Green
 dfn Systems






[Declude.Virus] DLAnalyzer 5.2.1 Released

2007-03-09 Thread Darrell ([EMAIL PROTECTED])
DLAnalyzer 5.2.0 has been released.

DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail
and Virus statistics into one report. Some of the features require the
Enterprise or Standard version, but we also have a FREE LITE version
available.

Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm
Release Notes: http://www.invariantsystems.com/download/current/readme.txt
Download: http://www.invariantsystems.com/dlanalyzer/download.aspx

Any questions let me know,
Darrell


Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
Integration, and Log Parsers.



Re: [Declude.Virus] Clam AV vs. AVG vs. McAfee

2007-03-06 Thread Darrell ([EMAIL PROTECTED])
Wolf,

I use McAfee, CLAM, Internal AVG, and at one time (before licensing changes) 
F-Prot all at the same time.  If you have extra CPU there is no reason not to 
use multiple scanners.  One thing though: when I switched to processing AV last 
I saw a dramatic drop in viruses due to them being caught as spam.  50-60K a 
month down to less than 2K.  FWIW - I have McAfee as my last scanner and every 
now and then I see it grab a few viruses that the others miss.

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
  - Original Message - 
  From: Wolf Tombe 
  To: declude.virus@declude.com 
  Sent: Tuesday, March 06, 2007 10:16 AM
  Subject: [Declude.Virus] Clam AV vs. AVG vs. McAfee


  The discussion on the current version of Clam AV and Clam being able to 
detect some image spam got me thinking.  Prior to Declude version 4.0, I always 
used McAfee AV to scan all incoming messages.  When I upgraded to Declude 4 I 
decided to try its built-in AV which seems to work fine.  I'm curious though 
as to the opinions of others on this list as to the merits of using Clam or 
other anti-virus scanners either in place of the Declude built in AV or in 
addition to it.

   

  Any opinions people would like to share will be appreciated.

   

  Thanks!

   

  Wolf

   

   




Re: [Declude.Virus] Current Version of Clam AV

2007-02-27 Thread Darrell ([EMAIL PROTECTED])
In my normal maintenance window (once a week) all services are stopped and I 
clean out the work, error, proc, spool, and review folders.  Since I stop 
CLAMAV as well I am able to delete those directories.

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
  - Original Message - 
  From: Stephan 
  To: declude.virus@declude.com 
  Sent: Tuesday, February 27, 2007 11:22 AM
  Subject: Re: [Declude.Virus] Current Version of Clam AV


  Thanks for responding. I can't delete them until I restart the ClamAV 
service. Do you have a way of automatically deleting them, or do you schedule a 
task to restart ClamAV and then delete them? I tried using a scheduled task but 
for some reason they still don't get deleted (but it's possible to do it 
manually.)

  -Original Message-
  From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
  Sent 2/27/2007 10:17:46 AM
  To: declude.virus@declude.com
  Subject: Re: [Declude.Virus] Current Version of Clam AV

   
  FWIW - I have always had left over directories from .84 on up.

  Darrell
  
  Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
- Original Message - 
From: Stephan 
To: declude.virus@declude.com 
Sent: Tuesday, February 27, 2007 8:41 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV


I am also running the 0.90-1, and it's working fine, except I still get 
leftover .vir directories inside the declude/proc dir. The error in the clamav 
log shows:
- d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary 
directory ERROR
I've tried checking permissions, and made sure I have the clamav tmpdir 
variable set to my clamav tmp dir (which fixed a similar error that stopped the 
clamav service from starting.) But I haven't been able to fix this one. Anyone 
know how to fix this error?
Thanks.

-Original Message-
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
Sent 2/26/2007 1:30:43 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV


Gary,

I upgraded on Friday and have not run into any issues.

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

- Original Message - 
From: Gary Steiner [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Monday, February 26, 2007 1:01 PM
Subject: RE: [Declude.Virus] Current Version of Clam AV


I see that SOSDG released a new version (0.90-1) of their Windows port of 
ClamAV on 02-22-2007.

http://www.sosdg.org/clamav-win32/

Has anyone upgraded to it yet?  Any problems?

Gary Steiner



 Original Message 
 From: Mark Reimer [EMAIL PROTECTED]
 Sent: Friday, February 16, 2007 2:04 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] Current Version of Clam AV

 Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90
 release for windows?



 Mark Reimer

 IT System Admin

 American CareSource

 972-308-6887



   _

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
 Reimer
 Sent: Friday, February 16, 2007 10:06 AM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] Current Version of Clam AV



 What is the current release of Clam AV for windows? I saw 0.90 stable is out now.



 Mark Reimer

 IT System Admin

 American CareSource

 972-308-6887










Re: [Declude.Virus] Current Version of Clam AV

2007-02-26 Thread Darrell \([EMAIL PROTECTED])
Gary,

I upgraded on Friday and have not run into any issues.

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

- Original Message - 
From: Gary Steiner [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Monday, February 26, 2007 1:01 PM
Subject: RE: [Declude.Virus] Current Version of Clam AV


I see that SOSDG released a new version (0.90-1) of their Windows port of 
ClamAV on 02-22-2007.

http://www.sosdg.org/clamav-win32/

Has anyone upgraded to it yet?  Any problems?

Gary Steiner



 Original Message 
 From: Mark Reimer [EMAIL PROTECTED]
 Sent: Friday, February 16, 2007 2:04 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] Current Version of Clam AV

 Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90
 release for windows?



 Mark Reimer

 IT System Admin

 American CareSource

 972-308-6887



   _

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
 Reimer
 Sent: Friday, February 16, 2007 10:06 AM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] Current Version of Clam AV



 What is the current release of Clam AV for windows? I saw 0.90 stable is out now.



 Mark Reimer

 IT System Admin

 American CareSource

 972-308-6887












Re: [Declude.Virus] How to block an IP

2006-12-26 Thread Darrell \([EMAIL PROTECTED])
Joe,

Just add the IP or CIDR block into the SMTP access control in Imail.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

- Original Message - 
From: J Porter [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Monday, December 25, 2006 11:06 PM
Subject: [Declude.Virus] How to block an IP


Is there a way to block an IP address before analysis by Declude's AV (Ver
1.82 - Imail 8.x)?

I thought I should be able to do this with rules.ima by looking for a line
in the header. So I have a line that says
H~xxx\.yyy\.zz\.
but it doesn't work. (In case you can't see it, the lines read \. = slash
dot per Ipswitch docs) I don't think the H~ (header contains) command reads
everything in the header.

~Joe






[Declude.Virus] ClamAV, BitDefender, Symantec, Trend, Sophos

2006-12-19 Thread Darrell \([EMAIL PROTECTED])
FYI - List of AV Vulns that were listed in the SANS Vulnerability Alert that 
affect most of us one way or another.

Also, there was a McAfee vulnerability but it was for their Linux-based version.

06.50.31 CVE: CVE-2006-5874

Platform: Cross Platform

Title: Clam Anti-Virus MIME Attachments Denial of Service

Description: Clam Anti-Virus (ClamAV) is an anti-virus application for Windows 
and UNIX like operating systems. It is exposed to a denial of service issue 
because it fails to handle certain file types.

Specifically, the vulnerability exists when the application processes 
base64-encoded MIME attachments. This results in a NULL pointer dereference 
crashing the affected application. ClamAV versions prior to 0.88.4-2 are 
affected.

Ref: http://www.securityfocus.com/archive/1/453968

MODERATE: BitDefender PE File Parsing Engine Integer Overflow

Affected:

BitDefender Antivirus and Antivirus Plus
BitDefender for ISA Server and MS Exchange
BitDefender Internet Security
BitDefender Mail Protection for Enterprises
BitDefender Online Scanner

Description: Multiple BitDefender products are vulnerable to an integer 
overflow in parsing packed PE (Portable Executable) files. Portable Executable 
files are the standard executable format on Microsoft Windows systems. Failure 
to properly handle certain malformed packed PE files can lead to an integer 
overflow and arbitrary code execution with the privileges of the scanning 
process.

Status: BitDefender confirmed, updates available. According to BitDefender's 
website, the update was distributed immediately via BitDefender's automatic 
update system, and no user interaction is required to install the update.

References:

BitDefender Security Advisory

http://www.bitdefender.com/KB323-en--cevakrnl.xmd-vulnerability.html

(11) Symantec Antivirus Big Yellow/Sagevo Worm

Description: eEye researchers have discovered a new worm that is exploiting a 
buffer overflow vulnerability in the Symantec Antivirus and Client Security 
software. The overflow being exploited by the Big Yellow/Sagevo worm was 
patched by Symantec in May 2006. Enterprises using Symantec AV or Client 
Security software should apply the patch immediately if they have not done so 
already. In addition, blocking access to the port 2967/tcp at the network 
perimeter will prevent any attacks originating from the Internet.

References:

eEye's Analysis of Worm Binary

http://research.eeye.com/html/alerts/AL20061215.html

Symantec's Worm Analysis

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121309-3331-99tabid=2

06.50.14 CVE: CVE-2006-5645

Platform: Third Party Windows Apps

Title: Multiple Trend Micro Antivirus RAR Archive Remote Denial of Service

Description: Trend Micro provides antivirus and software security applications. 
These applications are exposed to remote denial of service issues because they 
fail to properly handle file types, resulting in excessive consumption of 
system resources. Trend Micro Server Protect version 5.58, Trend Micro PC 
Cillin - Internet Security 2006 and Trend Micro Office Scan version 7.3 are affected.

Ref: http://www.trendmicro.com/en/home/us/home.htm

CRITICAL: Sophos Anti-Virus Multiple Vulnerabilities

Affected:

Sophos products with a scanning engine version prior to 2.40

Description: Sophos Anti-Virus contains multiple buffer overflows in parsing 
CPIO and SIT archives. CPIO is a common archive format used primarily on Unix 
and Unix-like systems, and SIT is a common archive format used primarily on 
Apple Macintosh systems. A specially-crafted CPIO or SIT archive scanned by 
Sophos could exploit these buffer overflows and execute arbitrary code with the 
privileges of the scanning process. Some technical details for these 
vulnerabilities are publicly available.

Status: Sophos confirmed, updates available.

References:

Sophos Knowledge Base Article

http://www.sophos.com/support/knowledgebase/article/17340.html




Check out http://www.invariantsystems.com for utilities for Declude And Imail.  
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.



[Declude.JunkMail] DLAnalyzer 5.2.0 Released

2006-11-16 Thread Darrell \([EMAIL PROTECTED])
DLAnalyzer 5.2.0 has been released.

DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail 
and Virus statistics into one report. Some of the features require the 
Enterprise or Standard version, but we also have a FREE LITE version 
available.

New:
  * Compatible with the log changes in Declude 4.3.x
  * Fully Implements Zerohour reporting (Virus and Junkmail).
  * Requires the .Net 2.0 Framework

Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm
Release Notes: http://www.invariantsystems.com/download/current/readme.txt
Download: http://www.invariantsystems.com/dlanalyzer/download.aspx

Any questions let me know,
Darrell


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



[Declude.Virus] DLAnalyzer 5.2.0 Released

2006-11-16 Thread Darrell \([EMAIL PROTECTED])
DLAnalyzer 5.2.0 has been released.

DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail 
and Virus statistics into one report. Some of the features require the 
Enterprise or Standard version, but we also have a FREE LITE version 
available.

New:
  * Compatible with the log changes in Declude 4.3.x
  * Fully Implements Zerohour reporting (Virus and Junkmail).
  * Requires the .Net 2.0 Framework

Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm
Release Notes: http://www.invariantsystems.com/download/current/readme.txt
Download: http://www.invariantsystems.com/dlanalyzer/download.aspx

Any questions let me know,
Darrell


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 






Re: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.

2006-10-26 Thread Darrell \([EMAIL PROTECTED])
Eddie,

You do not need to run clamav twice to detect both phish and viruses.  If 
you put the phish.ndb into the same directory as the clam db it will also 
use that.

Also, for me to get the virus name I had to use the wrapper.

This snippet below is from Scott Fisher who helped me get mine going.
I use this version of the cygwin clam
http://www.sosdg.org/clamav-win32/index.php

I use Terri Fitts's runclamscan wrapper and runclamd service:
http://www.smartbusiness.com/imail/declude/


Here is my virus.cfg entry
#
#  Clam A/V
#
#  Runclamscan log levels
#   log=0 (no logging)
#   log=1 (minimal logging only date, time, elapsed times, viruses)
#   log=2 (log all messages same as 1)
#   log=3 (debug log - whole bunch of stuff - multiple lines)
#
SCANFILE2 d:\imail\declude\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Hope this helps,
Darrell


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

- Original Message - 
From: Eddie Pang [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, October 26, 2006 2:43 AM
Subject: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.


Hi All,

I am stumped.

I am trying to run ClamAV to take advantage of clamdscan.exe for speed and
performance, but I am unable to gather statistics for use with DLAnalyzer.

Looking closer at the logs, I find a slight variation between the 2
products.  ClamWin reports the phish/virus on the same line as virus=.
However with ClamAV, the Virus= is blank, and the phish/virus is on the next
line.

ClamAV is from www.sosdg.org version 0.88.4-1, and ClamWin is from
www.clamwin.net version 0.88.5.

Any suggestions to ClamAV (Scanner3) would be greatly appreciated.

Sincerely,
Eddie.

=
SCANFILE2 C:\imail\declude\runclamscan.exe log=2 c:\Progra~1\clamwin\bin\clamscan.exe --verbose --database=C:\Docume~1\Alluse~1\.clamwin\db --tempdir=c:\temp --no-summary --max-ratio 0 -l report.txt
VIRUSCODE2 1
REPORT2 FOUND
#
SCANFILE3 C:\imail\declude\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE3 1
REPORT3 FOUND
==
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit
code of 1
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus=
Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O

10/25/2006 19:07:59.578 q4148041a01064bf4.smd Virus scanner 3 reports exit
code of 1
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Scanner 3: Virus=  Attachment=
[14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd File(s) are INFECTED [
Html.Phishing.Rock.Sanesecurity.06050500: 1]
==




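Added example (not DLAnalyzer's code and not part of the thread): one way a log parser can recover the detection name when a scanner line has an empty Virus= field, by falling back to the "File(s) are INFECTED" line logged for the same queue file. The lines for q4148041a01064bf4.smd are the log entries quoted in Eddie's post with the mail wrapping undone; the q0000000000000001.smd line is constructed, and the regular expressions assume the line layout shown in that post.

```python
import re

# Layout assumed from the quoted log: "<date> <time> <queue file> <text>".
ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+\.smd) (.*)$")
# Per-scanner result line; the name between "Virus=" and "Attachment=" may be empty.
SCANNER = re.compile(r"^Scanner (\d+): Virus=\s*(.*?)\s*Attachment=")
# Summary line that carries the name when the scanner line does not.
INFECTED = re.compile(r"^File\(s\) are INFECTED \[\s*(.+?):\s*\d+\]")

SAMPLE_LOG = [
    "10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1",
    "10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= "
    "Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O",
    "10/25/2006 19:07:59.578 q4148041a01064bf4.smd Virus scanner 3 reports exit code of 1",
    "10/25/2006 19:07:59.578 q4148041a01064bf4.smd Scanner 3: Virus=  Attachment= [14] O",
    # Constructed line: another message whose scanner line is blank and
    # which never gets an INFECTED summary line.
    "10/25/2006 19:07:59.578 q0000000000000001.smd Scanner 3: Virus=  Attachment= [14] O",
    "10/25/2006 19:07:59.578 q4148041a01064bf4.smd File(s) are INFECTED "
    "[ Html.Phishing.Rock.Sanesecurity.06050500: 1]",
]


def detections(lines):
    """Return (queue_file, scanner_number, virus_name_or_None) per scanner line.

    A blank Virus= field is filled from the next INFECTED summary line that
    belongs to the same queue file, so interleaved messages do not mix.
    """
    results = []   # mutable rows: [queue_file, scanner, name]
    pending = {}   # queue_file -> indexes of rows still missing a name
    for raw in lines:
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        queue_file, text = entry.groups()

        scanner = SCANNER.match(text)
        if scanner:
            name = scanner.group(2) or None
            results.append([queue_file, int(scanner.group(1)), name])
            if name is None:
                pending.setdefault(queue_file, []).append(len(results) - 1)
            continue

        infected = INFECTED.match(text)
        if infected:
            for index in pending.pop(queue_file, []):
                results[index][2] = infected.group(1)
    return [tuple(row) for row in results]


if __name__ == "__main__":
    for queue_file, scanner, name in detections(SAMPLE_LOG):
        print(queue_file, "scanner", scanner, "->", name or "(no name logged)")
```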



Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

2006-10-02 Thread Darrell \([EMAIL PROTECTED])



Matt,

I agree with every one of your points - My intent was to bring it up that I had reported this issue up a long time ago as I also thought that what was happening was undesirable. However, at the time Scott did not feel this was a bug. However, times change and back scatter is a huge issue. Maybe that's enough now to convince for an alteration of behavior. As my preference would be to handle mismatched exe's as its own class of which I would not send bannotify messages for.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

  - Original Message -
  From: Matt
  To: declude.virus@declude.com
  Sent: Sunday, October 01, 2006 8:24 PM
  Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

  Darrell,

  I'm sure that it is desirable to block (when the detection isn't erroring), however having this handled as if it was an EXE when it comes to the bannotify.eml is problematic. Backscatter can get you blacklisted, not to mention it is annoying to get such things for forged E-mail.

  I have Virus running after JunkMail and still I have bounced a dozen of these today alone (which excludes messages that reached my DELETE weight). For those that run JunkMail before Virus (the default), that number could be in the hundreds or thousands depending on volume since this comes from a major zombie spammer. I'm guessing that most are bouncing EXE's that aren't detected as viruses.

  To check this, just search your Virus log for "mismatched.exe".

  The behavior needs to be changed so that this doesn't trigger bannotify.eml bounces. I am testing using "SKIPIFEXT mismatched.exe" in my bannotify.eml to see if that helps, but this should not bounce such messages by default as if they were EXE's. It makes sense to give it a unique extension for these conditions and let us determine what to do with them instead of lumping it together with actions for EXE's.

  Matt

  Darrell ([EMAIL PROTECTED]) wrote:

    I brought this up to Scott several years ago - and he said this is not a bug but a by design issue. He explained a scenario why this was important and I understood based on the explanation but for the life of me I can't remember the scenario.

    Darrell

    Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

      - Original Message -
      From: Matt
      To: declude.virus@declude.com
      Sent: Sunday, October 01, 2006 3:33 PM
      Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

      I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam.

      For example, here are the MIME headers from the spam sample:

      Content-Type: image/jpeg;name="smoky.1.jpg"
      Content-Transfer-Encoding: base64
      Content-ID: [EMAIL PROTECTED]
      Content-Disposition: inline;filename="smoky.1.gi"

      You will note the Content-Type being image/jpeg and the file extension being "gi". Here is what Declude Virus finds:

      10/01/2006 14:03:44.656 q02f8014a9ecc.smd Vulnerability flags = 863
      10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
      10/01/2006 14:03:44.671 q02f8014a9ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
      10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
      10/01/2006 14:03:44.671 q02f8014a9ecc.smd Banning file with EXE extension [image/jpeg].
      10/01/2006 14:03:44.890 q02f8014a9ecc.smd Virus scanner 1 reports exit code of 0
      10/01/2006 14:03:45.421 q02f8014a9ecc.smd Virus scanner 2 reports exit code of 0
      10/01/2006 14:03:45.421 q02f8014a9ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
      10/01/2006 14:03:45.437 q02f8014a9ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
      10/01/2006 14:03:45.437 q02f8014a9ecc.smd Subject: Re: diagnostician dull

      This is clearly not desirable behavior, and I have run into a related bug previously (that was previously
Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

2006-10-01 Thread Darrell \([EMAIL PROTECTED])



I brought this up to Scott several years ago - and he said this is not a bug but a by design issue. He explained a scenario why this was important and I understood based on the explanation but for the life of me I can't remember the scenario.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

  - Original Message -
  From: Matt
  To: declude.virus@declude.com
  Sent: Sunday, October 01, 2006 3:33 PM
  Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

  I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam.

  For example, here are the MIME headers from the spam sample:

  Content-Type: image/jpeg;name="smoky.1.jpg"
  Content-Transfer-Encoding: base64
  Content-ID: [EMAIL PROTECTED]
  Content-Disposition: inline;filename="smoky.1.gi"

  You will note the Content-Type being image/jpeg and the file extension being "gi". Here is what Declude Virus finds:

  10/01/2006 14:03:44.656 q02f8014a9ecc.smd Vulnerability flags = 863
  10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
  10/01/2006 14:03:44.671 q02f8014a9ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
  10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
  10/01/2006 14:03:44.671 q02f8014a9ecc.smd Banning file with EXE extension [image/jpeg].
  10/01/2006 14:03:44.890 q02f8014a9ecc.smd Virus scanner 1 reports exit code of 0
  10/01/2006 14:03:45.421 q02f8014a9ecc.smd Virus scanner 2 reports exit code of 0
  10/01/2006 14:03:45.421 q02f8014a9ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
  10/01/2006 14:03:45.437 q02f8014a9ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
  10/01/2006 14:03:45.437 q02f8014a9ecc.smd Subject: Re: diagnostician dull

  This is clearly not desirable behavior, and I have run into a related bug previously (that was previously reported) where a filename that spans two lines (which is RFC compliant when 'folded') will be treated as an EXE and bounced if you are bouncing non-virus EXE's.

  It is absolutely necessary to allow for bannotify.eml bouncing of messages with EXE extensions because they are commonly received legitimately regardless of whether they are allowed or not, but to have EXE be the assumed extension at the same time causes a lot of different issues. Because of this, I would strongly suggest that Declude assume a different extension when necessary, such as "unknown" so that we can configure Declude Virus to handle "unknown" files in a different way. We could choose for instance to block them, but not bounce them.

  Thanks,

  Matt
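Added example (not code from the thread or from Declude): a Python sketch of the handling Matt asks for, where an attachment whose Content-Type name and Content-Disposition filename disagree gets its own class that is blocked without a sender notification, and folded headers are unfolded before the names are compared. The extension list, class names and actions are assumptions for illustration; the sample messages are constructed, the first from the headers quoted above.

```python
import os
from email import message_from_string
from email.policy import default

# Assumed list of extensions handled as executables in this illustration.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}

# Assumed policy: verdict -> (action, notify the sender?).
# "mismatched" is its own class so it can be blocked without a bounce.
POLICY = {
    "executable": ("block", True),
    "mismatched": ("block", False),
    "ok": ("deliver", False),
}


def build_sample(content_type, disposition):
    """Build a constructed single-attachment message for the demo."""
    return (
        "From: sender@example.com\r\nTo: rcpt@example.net\r\n"
        "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
        f"Content-Type: {content_type}\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        f"Content-Disposition: {disposition}\r\n\r\nAAAA\r\n"
    )


# Same name/filename pair as the spam sample quoted in the thread.
SPAM_SAMPLE = build_sample('image/jpeg;name="smoky.1.jpg"',
                           'inline;filename="smoky.1.gi"')
# Both headers folded onto a continuation line, names agree.
FOLDED_SAMPLE = build_sample('application/pdf;\r\n name="invoice.pdf"',
                             'attachment;\r\n filename="invoice.pdf"')
# A real executable attachment, names agree.
EXE_SAMPLE = build_sample('application/octet-stream; name="setup.exe"',
                          'attachment; filename="setup.exe"')


def _param(part, header, key):
    """Return one parameter of a structured MIME header, or None."""
    value = part[header]
    return value.params.get(key) if value is not None else None


def _ext(filename):
    """Lower-cased extension of a file name, '' when there is none."""
    return os.path.splitext(filename)[1].lower()


def classify_part(part):
    """Classify one MIME part by the two file names it declares."""
    ct_name = _param(part, "Content-Type", "name")
    cd_name = _param(part, "Content-Disposition", "filename")
    exts = {_ext(n) for n in (ct_name, cd_name) if n}
    if exts & EXECUTABLE_EXTS:
        verdict = "executable"      # a declared name really is an EXE
    elif len(exts) > 1:
        verdict = "mismatched"      # names disagree, but neither is an EXE
    else:
        verdict = "ok"
    action, notify = POLICY[verdict]
    return {"name": ct_name, "filename": cd_name, "verdict": verdict,
            "action": action, "notify_sender": notify}


def classify_message(raw):
    """Classify every named attachment in a raw RFC 5322 message."""
    # policy=default parses structured headers and unfolds continuation lines.
    msg = message_from_string(raw, policy=default)
    parts = [classify_part(p) for p in msg.walk() if not p.is_multipart()]
    return [r for r in parts if r["name"] or r["filename"]]


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("folded", FOLDED_SAMPLE),
                       ("exe", EXE_SAMPLE)):
        print(label, classify_message(raw))
```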


[Declude.Virus] Fw: A secret e-card has been sent fot you!!

2006-09-29 Thread Darrell \([EMAIL PROTECTED])



Pretty nice piece of social engineering below - how many of your users will click on this tomorrow :) Who can resist the temptation of a "secret" greeting card.

The link actually takes you to http://www.lkkm.cz/help/postcard.gif.exe

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: e-greetings.com
To: [EMAIL PROTECTED]
Sent: Thursday, September 28, 2006 10:20 PM
Subject: A secret e-card has been sent fot you!!

Hello friend !

A friend has sent you an ecard from e-greetings.com

Send free ecards from e-greetings.com with your choice of colors, words and music.

Your ecard will be available with us for the next 10 days. If you wish to keep the greeting longer, you may save it on your computer or take a print.

To view your ecard, click on the following Internet address.

http://www.e-greetings.com/view.php?sid=1246

Hope you will visit us,
e-greetings.com


[Declude.Virus] CLAMAV - 88.3-1 - 7/11/2006 Release

2006-07-30 Thread Darrell \([EMAIL PROTECTED])
I noticed a new build from the SOSDG group has been released (88.3-1).
http://www.sosdg.org/clamav-win32/index.php

Anyone running it yet?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 






Re: [Declude.Virus] Invalid file types triggering on an invalid file type

2006-07-18 Thread Darrell \([EMAIL PROTECTED])



What version are you running Matt? In version 3.0.5.20 they fixed a ms-tnef issue with winmail.dat.

This might be the issue you are seeing.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

  - Original Message -
  From: Matt
  To: declude.virus@declude.com
  Sent: Tuesday, July 18, 2006 7:48 PM
  Subject: [Declude.Virus] Invalid file types triggering on an invalid file type

  I found a message blocked for an "Invalid ZIP Vulnerability", but it doesn't have a zip attachment. The only attachment on this message is a winmail.dat. While that winmail.dat file clearly contains data of some sort, I am pretty certain that it is triggering vulnerabilities inappropriately, and I am positive that this message was not a virus.

  My Declude Virus logs are showing both the Invalid ZIP Vulnerability and a bogus .jpg file. I would like to turn this detection off. Is there a switch to turn off this detection?

  Detail follows:

  HEADERS FROM THE SINGLE ATTACHMENT
  =
  --=_NextPart_000_0056_01C6A9CF.4BDDA860
  Content-Type: application/ms-tnef; name="winmail.dat"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="winmail.dat"

  VIRUS LOG ENTRIES
  =
  07/17/2006 06:32:40.488 q674000a2e465.smd Vulnerability flags = 862
  07/17/2006 06:32:40.566 q674000a2e465.smd MIME file: winmail.dat [base64; Length=2312012 Checksum=33270092]
  07/17/2006 06:32:40.800 q674000a2e465.smd Virus scanner 1 reports exit code of 0
  07/17/2006 06:32:41.253 q674000a2e465.smd Virus scanner 2 reports exit code of 0
  07/17/2006 06:32:41.253 q674000a2e465.smd Found a bogus .jpg file
  07/17/2006 06:32:41.253 q674000a2e465.smd Invalid ZIP Vulnerability
  07/17/2006 06:32:41.253 q674000a2e465.smd Found a bogus .Zip file
  07/17/2006 06:32:41.253 q674000a2e465.smd File(s) are INFECTED [[Invalid ZIP Vulnerability]: 0]
  07/17/2006 06:32:41.253 q674000a2e465.smd Scanned: CONTAINS A VIRUS [MIME: 7 2314810]
  07/17/2006 06:32:41.269 q674000a2e465.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from ##.##.48.210]
  07/17/2006 06:32:41.269 q674000a2e465.smd Subject: FW: M341092022 / M341092023

  Thanks,

  Matt


Re: [Declude.Virus] 4.2.20 Error in Log

2006-07-13 Thread Darrell \([EMAIL PROTECTED])
Andy, 

Besides AVG I have 3 scanners: listed in order (F-Prot, Clam AV, McAfee). 

I do think it's an AVG issue like you suggested.  I am trying to find a way 
to disable the built in AVG virus scanner to see if this message goes away. 

Darrell 

Andy Schmidt writes: 

Do you have a second/external scanner defined. 


Maybe the internal scanner (AVG) deletes an attachment and then Declude
complains that it's gone when it tries to launch the secondary? 


Best Regards
Andy Schmidt 


Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206  

 





Re: [Declude.Virus] 4.2.20 Missing File Error in Log

2006-07-13 Thread Darrell \([EMAIL PROTECTED])
After testing with AVG off it appears that the error about the missing file 
only occurs when AVG is on.  With AVG disabled I get no error messages.  
Here is the relevant log info. 

I have confirmed this is an AVG issue.  With AVG on I get the error; with AVG 
off I do not get the error. 

Darrell 


WITHOUT AVG ON
F:\Logs\Virus>grep -i q4ae100a56d71.smd vir0713.log
07/13/2006 09:30:16.468 q4ae100a56d71.smd Vulnerability flags = 0
07/13/2006 09:30:16.468 q4ae100a56d71.smd MIME file: [text/html][7bit; Length=126 Checksum=10064]
07/13/2006 09:30:16.468 q4ae100a56d71.smd MIME file: tyjguozxgx.gif [base64; Length=1137 Checksum=127847]
07/13/2006 09:30:16.484 q4ae100a56d71.smd MIME file: Dorothy.zip [base64; Length=84731 Checksum=10789144]
07/13/2006 09:30:16.484 q4ae100a56d71.smd Found encrypted .ZIP file
07/13/2006 09:30:16.484 q4ae100a56d71.smd Banning .ZIP file with encrypted exe extension.
07/13/2006 09:30:16.703 q4ae100a56d71.smd Virus scanner 1 reports exit code of 8
07/13/2006 09:30:16.703 q4ae100a56d71.smd Could not find parse string Infection: in report.txt
07/13/2006 09:30:16.703 q4ae100a56d71.smd File(s) are INFECTED [: 8]
07/13/2006 09:30:16.703 q4ae100a56d71.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 86092]


WITH AVG ON:
F:\Logs\Virus>grep -i q11e2008d1156.smd vir0713.log
07/13/2006 05:27:06.312 q11e2008d1156.smd Vulnerability flags = 0
07/13/2006 05:27:06.312 q11e2008d1156.smd MIME file: [text/html][7bit; Length=414 Checksum=37647]
07/13/2006 05:27:06.312 q11e2008d1156.smd MIME file: account-details.zip [base64; Length=108316 Checksum=13182509]
07/13/2006 05:27:06.828 q11e2008d1156.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/13/2006 05:27:06.828 q11e2008d1156.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/13/2006 05:27:06.859 q11e2008d1156.smd 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
07/13/2006 05:27:06.859 q11e2008d1156.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 108872]

Darrell 

 ---
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard
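
The grep comparison in the message above can be generalized into a small parser. The following is an added example, not code from the thread or from Declude: it rejoins log entries that were wrapped or fused when pasted into mail, groups them by spool ID, and lists every message that logged the "not deleted" warning next to AVG's verdict for it. The field patterns are inferred from the log lines quoted in this thread, and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Entries taken from the logs quoted in this thread. The layout is constructed:
# some entries are wrapped mid-line and one is fused onto the end of the
# previous entry, as happens when a log is pasted into an e-mail.
SAMPLE_LOG = r"""
07/13/2006 09:30:16.484 q4ae100a56d71.smd Found encrypted .ZIP file
07/13/2006 09:30:16.703 q4ae100a56d71.smd Virus scanner 1 reports exit
code of 8
07/13/2006 09:30:16.703 q4ae100a56d71.smd File(s) are INFECTED [: 8]
07/13/2006 05:27:06.828 q11e2008d1156.smd AVG Reports VIRUS:
IRC/BackDoor.SdBot.PMS
07/13/2006 05:27:06.859 q11e2008d1156.smd 1 [1 of 2 not deleted] files
were deleted.  You should not use an on-access virus scanner that scans the
\IMail directory or sub-directories.
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS:
IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files
were deleted.  You should not use an on-access virus scanner that scans the
\IMail directory or sub-directories.07/12/2006 00:34:41.328
q7bca020f6715.smd Vulnerability flags = 0
"""

TIMESTAMP = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
ENTRY = re.compile(r"\s*(\S+\.smd)\s+(.*)")
AVG_VIRUS = re.compile(r"AVG Reports VIRUS: (\S+)")
EXIT_CODE = re.compile(r"Virus scanner (\d+) reports exit code of (\d+)")
NOT_DELETED = re.compile(r"\[(\d+) of (\d+) not deleted\]")


def parse_entries(text):
    """Return (timestamp, spool_id, message) tuples from pasted log text.

    Whitespace runs, including mail-client line wraps, collapse to one space,
    and a new entry starts at every timestamp, even one fused mid-line.
    """
    flat = " ".join(text.split())
    parts = TIMESTAMP.split(flat)  # [prefix, ts1, rest1, ts2, rest2, ...]
    entries = []
    for ts, rest in zip(parts[1::2], parts[2::2]):
        match = ENTRY.match(rest)
        if match:  # a dangling timestamp with no spool ID is skipped
            entries.append((ts, match.group(1), match.group(2).strip()))
    return entries


def summarize(entries):
    """Group entries by spool ID and extract the fields discussed in the thread."""
    msgs = OrderedDict()
    for _ts, spool, text in entries:
        summary = msgs.setdefault(
            spool, {"avg_virus": None, "exit_codes": {}, "not_deleted": None})
        match = AVG_VIRUS.search(text)
        if match:
            summary["avg_virus"] = match.group(1)
        match = EXIT_CODE.search(text)
        if match:
            summary["exit_codes"][int(match.group(1))] = int(match.group(2))
        match = NOT_DELETED.search(text)
        if match:
            summary["not_deleted"] = (int(match.group(1)), int(match.group(2)))
    return msgs


def cleanup_warnings(msgs):
    """Return (spool_id, avg_virus) for each message with the 'not deleted' warning.

    An avg_virus of None would mean the warning appeared without an AVG hit,
    which is the case worth investigating for a real on-access scanner.
    """
    return [(spool, s["avg_virus"]) for spool, s in msgs.items()
            if s["not_deleted"] is not None]


if __name__ == "__main__":
    summary = summarize(parse_entries(SAMPLE_LOG))
    for spool, avg in cleanup_warnings(summary):
        print(spool, "logged the warning; AVG verdict:", avg or "none")
```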

[Declude.Virus] 4.2.20 Error in Log

2006-07-12 Thread Darrell \([EMAIL PROTECTED])
Since upgrading to 4.2.20 I started seeing the following error: 

07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
07/12/2006 00:34:41.328 

This only happens when AVG catches a virus.  It did not get logged under 3.x 
version.  Nor do I have an On Access Virus Scanner.  Anyone else seeing 
this? 

Darrell 

See the log snippet below. 


07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted.  You should not use an on-access virus scanner that scans the \IMail directory or sub-directories. 

Darrell 





Re: [Declude.Virus] 4.2.3 Built-in scanner

2006-07-06 Thread Darrell \([EMAIL PROTECTED])
John, 

What problems are you having with scan.exe?  A lot of us use McAfee and have 
no issues. 


Darrell



John Shacklett writes: 


After loading 4.2.20 this afternoon, my AVG scanner is now finally detecting
viruses. Oh happy day. Now if I can just get scan.exe to work, I'll have a
full house. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Thursday, 11 May 2006 11:44 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner 

Declude 4.2.3 Diagnostics right on the top line.  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Thursday, 11 May 2006 9:30 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner 


Just curious, what does your diags.txt say?  Did 4.2.3 in fact get fully
installed and running? 

John C  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Thursday, May 11, 2006 6:56 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner 


I guess I should have been more dramatic. What I intended this to mean was
that I still don't see any evidence that AVG is working at all.  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 3:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner 


Just for fun, I completely commented out the three scanners in my virus.cfg
and resent the eicar plain test file, and it made it to my Inbox.  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 9:58 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner 

Forget my last post, I have different problems. Sorry. 


I followed John C's suggestion and sent myself a standard base64 MIME
encoded eicar.com file [which should have occurred to me earlier], and I
ended up with the following lines in the debug output: 


05/09/2006 09:50:57.007 q9e3d01cb331c.smd AVG Reports No Virus
05/09/2006 09:50:57.178 q9e3d01cb331c.smd Virus scanner 1 reports exit code of 3
05/09/2006 09:50:58.444 q9e3d01cb331c.smd Virus scanner 2 reports exit code of 0
05/09/2006 09:50:58.616 q9e3d01cb331c.smd Virus scanner 3 reports exit code of 0 

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Tuesday, 09 May 2006 9:41 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner 


Temporarily go to LOGLEVEL DEBUG and use the test virus sender.  It should
show AVG working. MID and HIGH levels didn't show which scanner caught
EICAR, but DEBUG did. 

John C 



05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Virus detected. Not continuing with any remaining scanners.
05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Reports VIRUS: EICAR_Test
05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Reports Not Healable 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, May 09, 2006 8:13 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner 


1. Use the test virus sender http://www.declude.com/Articles.asp?ID=99
2. Check your virus logs
3. Declude\Scanners\AVG\DB
4. Check the date on the database files 


David B
www.declude.com  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, May 09, 2006 8:45 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] 4.2.3 Built-in scanner 



How do I determine if the built-in scanner is working? Where do the virus
signature files live? How do I tell if those files are being updated? 


--

John S 



Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Darrell \([EMAIL PROTECTED])
McAfee is catching these Trojan.Myno on my systems. 


Darrell



Markus Gufler writes: 


Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters 

It's a zip-file containing a MS Word Document named my_notebook.doc 


Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results 

Sophos has found WM97/Kukudro-A 
UNA has found a Macro Virus 

No other AV-Engine has caught the suspicious file. 


We've added the following lines to our virus.cfg in order to block as much
as we can at the moment. 


BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc 


Regards
Markus 

 





Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Darrell \([EMAIL PROTECTED])
Actually, it is CLAMAV catching it.  Not sure about McAfee as I stop on 
first virus.  F-Prot is def. not catching it though. 

Darrell 




[Declude.Virus] fpReview Released - Easily Review Held Messages

2006-05-22 Thread Darrell \([EMAIL PROTECTED])
fpReview is a utility that allows you to easily review held mail on your 
Imail or SmarterMail system. With fpReview you can review messages and 
return them back to the queue for delivery or rescanning by Declude. Besides 
being able to return the message to the queue for delivery many other 
options are available such as delete, move, copy, etc. 

Another useful feature is the ability to report false positives or spam to 
3rd parties by using the integrated email function. fpReview is an 
intelligent application that will adapt to your workflow. It will remember 
email addresses and subjects to streamline future reporting of messages. 

In addition fpReview will import your configured Declude filters from your 
Declude global.cfg. This allows you to create custom Declude rules on the 
fly through our custom interface. 


Screen Captures:
http://www.invariantsystems.com/fpreview/screencaptures.htm 


Download:
http://www.invariantsystems.com/fpreview/default.htm 

Darrell 




Re: [Declude.Virus] reque slips by Declude?

2006-05-18 Thread Darrell \([EMAIL PROTECTED])
With older versions of Declude and Smartermail you used to have to do the 
X rename to skip Declude processing.  If you left the X off it would be 
rescanned by Declude.


However, now that Declude is integrated into Smartermail v3 what is the 
correct requeuing process?


Darrell




- Original Message - 
From: Dean Lawrence [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Thursday, May 18, 2006 7:48 AM
Subject: Re: [Declude.Virus] reque slips by Declude?


Gary,

I do believe that messages that have been re-queued do not get scanned
a second time. If they did, you would never be able to re-queue
anything since it would be continually caught.

Dean

On 5/18/06, Gary Steiner [EMAIL PROTECTED] wrote:
Back on May 9 my server was hit by the Feebs virus.  I am using F-Prot, 
which did not detect it.  But I am using BANEXT hta which caught it.


Two days ago I upgraded to SmarterMail 3.1 and Declude 4.2.3.  Among other 
things, I've been looking at the addition of AVG to Declude.  I noticed 
that F-Prot still doesn't detect that version of the Feebs virus, but AVG 
does.  So I thought I would test it.  I still have a copy of the virus I 
received on May 9, so I requeued it unchanged and unrenamed to let it go 
through the new Declude to see what would happen.  To my surprise it was 
delivered!  No new Declude headers were added to the message.  Though 
SmarterMail did modify it because it detected it as spam.  I checked the 
virus logs (LOGLEVEL set to HIGH) and there was no listing at all for this 
message.


Naturally I am now quite nervous.  Why did this happen?  Have any other 
Feebs viruses slipped through?  Unfortunately the eicar tests don't have 
an hta to use, so the only way I have to test this is with a live virus. 
The Feebs virus isn't one of the more common ones, but all it takes is one 
to get through to spoil the day of one of my customers.


Gary Steiner







--
__
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists


Re: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?

2006-05-08 Thread Darrell \([EMAIL PROTECTED])



The activation code goes into the virus.cfg file.  Did your official hostname
change (assuming you're running imail)?  If so, contact declude support to
resolve this issue.

Darrell

  - Original Message -
  From: Eric Mamet
  To: Declude.Virus@declude.com
  Sent: Monday, May 08, 2006 8:51 AM
  Subject: RE: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?

  You might have put the finger on it…
  Found this in the log

  05/08/2006 14:40:27 Q3c3b0eecfd47 Declude Virus NOT running due to invalid activation code.
  05/08/2006 14:40:27 Q3c3b0eecfd47 Error: Invalid Declude Virus activation code for open-resources.co.uk.

  The activation code in the Virus.Cfg file is the one I have in my original
  email from declude.
  Our main domain name may not have been the same at the time. Where does it
  get this open-resources.co.uk from? Is this what I should change?

  Thanks

  Eric

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
  Sent: 08 May 2006 13:34
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?

  Eric,

  Are you only using Declude Virus? If not, are there other Declude headers
  in the message?

  In the Virus logs does this message exist? Are there virus logs
  (virMMdd.log)?

  Did you uninstall Declude because of this issue or is this a new server?
  If this is a new server did you double click on the declude.exe first?

  In the Imail SMTP tab for the delivery application does it specify
  declude.exe? If yes, is the path correct?

  2 things to note - [1] there have been reports of folks having to click the
  declude.exe multiple times for it to reinstall for some reason and [2] there
  are some issues with the old declude architecture under imail 8.2x; the new
  version 3.x / 4.x fixes those issues. The issue is related to imail's
  multithreaded smtp engine. I never had the issue, but a lot of folks did.

  Darrell

- Original Message -
From: Eric Mamet
To: declude.virus@declude.com
Sent: Monday, May 08, 2006 8:16 AM
Subject: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?

I am trying to re-install Declude v1.65 onto Imail 8.22.

I tried to send an eicarplain pseudo virus
(http://www.declude.com/Articles.asp?ID=99) and it went right through to my
inbox!
It looks like Declude is not involved at all…

Has anybody tried that?

Eric

PS: I am using F-Prot anti-virus


[Declude.Virus] DLAnalyzer 5.0 Released

2006-04-17 Thread Darrell \([EMAIL PROTECTED])
DLAnalyzer 5.0 has been released.  DLAnalyzer is a comprehensive reporting 
tool that integrates both Junkmail and Virus statistics into one report. 
Some of the features require the Enterprise or Standard version, but we also 
have a FREE LITE version available.


With version 5.0 we have added many new features including new reports like: 
Recipient Based Spam Reports, Test Quality Report that evaluates how 
effective the configured tests are on your system, Domain Executive Reports, 
and Domain Recipient Reports. In addition we have also added a new level of 
customization of the reports allowing you to change the look and feel of the 
report through the use of cascading style sheets.


Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm

Release Notes: http://www.invariantsystems.com/download/current/readme.txt

Download: http://www.invariantsystems.com/dlanalyzer/download.asp

Any questions let me know,
Darrell 




Re: [Declude.Virus] Under specific conditions, action not as specified

2006-02-12 Thread Darrell \([EMAIL PROTECTED])

Michael,

Can you post some log snippets from your junkmail logs showing this going 
through junkmail and the corresponding AV log entries.  I run this exact 
same configuration and do not have this issue.


Darrell


- Original Message - 
From: Michael Thomas - Mathbox [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Sunday, February 12, 2006 7:01 PM
Subject: [Declude.Virus] Under specific conditions, action not as specified



Declude Version: 3.0.5.23

In GLOBAL.CFG
STOPPROCESSINGONFIRSTDELETE ON

In JunkMail, a message scores more than enough points to be DELETED.

In VIRUS.CFG
AVAFTERJM ON
DELETEVULNERABILITIES   OFF

The result is that the message is moved to the /sppol/virus folder. It 
should have been deleted


Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)



Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell \([EMAIL PROTECTED])

How does AVAFTERJM cut down on work?  I thought it only affected the
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.


The main benefit is that it cuts down on the amount of messages virus 
scanned thus saving resources.  It has been a MAJOR help for me. 


Darrell


Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell \([EMAIL PROTECTED])
Keith, 

It still gets virus scanned.  I have tons of viruses in my virus drop point 
for ROUTETO accounts. 


Darrell



Keith Johnson writes: 


Darrell,
  What happens in this scenario.  Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, lets say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days.  Does Declude Virus still run against it
prior to ROUTETO?  My fear is that the virus file will land in their
spam box untouched and the user will fire the virus off by looking at
file.   

Keith 




Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell \([EMAIL PROTECTED])
Keith, 

We don't ROUTETO all of our mail.  We hold and delete on a bunch.  In this 
case 95% of mail is not virus scanned.  If you routeto everything then I 
suspect you will not save any cycles. 


Darrell



Keith Johnson writes: 


Darrell,
 I guess my question then is what advantage is it to have it run
prior to Virus if the Virus Scanner still scans it, won't it still use
the same CPU cycles?   

Keith 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME 



Keith,  


It still gets virus scanned.  I have tons of viruses in my virus drop point 
for ROUTETO accounts.  


Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.  



Keith Johnson writes:  


Darrell,
  What happens in this scenario.  Virus file comes in, 
AVAFTERJM is turned on, thus Declude scans it for spam content, lets 
say it is spam, thus ROUTETO sends it to a specific mailbox for 
customer to review for certain amount of days.  Does Declude Virus 
still run against it prior to ROUTETO?  My fear is that the virus file
will land in their spam box untouched and the user will fire the virus
off by looking at file.

Keith 


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME 




How does AVAFTERJM cut down on work?  I thought it only affected the
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.


The main benefit is that it cuts down on the amount of messages virus
scanned thus saving resources.  It has been a MAJOR help for me.   


Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers. 




Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])
Don, 

Messages that are HOLD or DELETE are not virus scanned.  ROUTETO gets 
virus scanned.  In summary you have to look at your situation and if it 
makes sense for you.  We don't do much ROUTETO so it makes sense for us and 
saves a significant amount of CPU. 

Darrell 


---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 



Don Brown writes: 

Your first and second message seem to be contradictory or I'm dense. 


#1 The main benefit is that it cuts down on the amount of messages
virus scanned thus saving resources. 

#2 It still gets virus scanned. 


So, with or without AVAFTERJM, it looks like each message is scanned by the 
virus scanner (which makes sense to me).  If that is so, then how does it
cut down on machine resources? 

 


Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] wrote:
Dsic Keith,  

Dsic It still gets virus scanned.  I have tons of viruses in my virus drop point
Dsic for ROUTETO accounts.  

Dsic Darrell
Dsic  ---
Dsic Check out http://www.invariantsystems.com for utilities for Declude, Imail,
Dsic mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
Dsic integration, MRTG Integration, and Log Parsers.  



Dsic Keith Johnson writes:  


Darrell,
  What happens in this scenario.  Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, lets say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days.  Does Declude Virus still run against it
prior to ROUTETO?  My fear is that the virus file will land in their
spam box untouched and the user will fire the virus off by looking at
file.

Keith  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME  



How does AVAFTERJM cut down on work?  I thought it only affected the 
order in which JM and AV ran, and that AV ran each time, regardless of
this setting.


The main benefit is that it cuts down on the amount of messages virus 
scanned thus saving resources.  It has been a MAJOR help for me.   


Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.   



 



Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049
 




Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

2006-01-27 Thread Darrell ([EMAIL PROTECTED])

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned. 

Think of it this way anything that ends up being delivered somewhere (i.e. 
mailbox etc) gets scanned. 

Darrell 



Matt writes: 

This is the crux of the issue that I would like to figure out. 

I am however under the impression that if you DELETE a message, Declude 
Virus never gets it.  I suspect that HOLD and MAILBOX are also that way.  
I am unsure about ROUTETO, and that is what really matters to me. 

As far as savings of resources, it is apparently huge, especially for 
those running multiple virus scanners.  Virus scanning takes more CPU than 
all but the biggest JunkMail configs (things like custom filters with 
thousands of lines of BODY or ANYWHERE searches).  I know that on my 
system I Delete about 70% of all messages, ROUTETO about 10%, and deliver 
about 20%.  I would like to save on scanning what I would otherwise be 
deleting with JunkMail. 

Matt 

 

Keith Johnson wrote: 


Markus,
   However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).
Is this not true? 

Keith  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME 



  

So, with or without AVAFTERJM, it looks like each message is scanned by 
the virus scanner (which makes sense to me).




Wrong... if you block the messages on the servers: 


As we know usually 50% of all incoming messages are spam.
We know too that resource usage of one or two scan-engines is way above
the entire spam filtering even if you use 5-6 external applications like
sniffer, inv-uribl, spamchk, ... 


So if your spam filters are set up properly they will filter out at
least 50% of all incoming messages before they will reach the
av-engines. 

Markus 





  





---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 
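
Because mail given the HOLD action is not virus scanned when AVAFTERJM is on, anything later released from hold needs a scan at release time. The following is an added example, not code from this thread or from Declude: a fail-closed release gate that assumes ClamAV's `clamscan` as the on-demand scanner and treats each held message as a single file; the directory arguments and function names are hypothetical.

```python
import shutil
import subprocess
from pathlib import Path

# Assumption: ClamAV's clamscan is the on-demand scanner. It exits 0 when the
# file is clean, 1 when a virus is found and 2 on error.
DEFAULT_SCANNER = ("clamscan", "--no-summary")


def scan_verdict(message, scanner=DEFAULT_SCANNER, timeout=120):
    """Scan one held message file and return 'clean', 'infected' or 'error'."""
    try:
        proc = subprocess.run(
            [*scanner, str(message)],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired):
        # Scanner missing or hung: report an error, never "clean".
        return "error"
    return {0: "clean", 1: "infected"}.get(proc.returncode, "error")


def release_held(message, queue_dir, quarantine_dir, scanner=DEFAULT_SCANNER):
    """Release one held message only if the scanner reports it clean.

    clean    -> moved to queue_dir for delivery
    infected -> moved to quarantine_dir
    error    -> left where it is (fail closed) so it can be retried
    """
    message = Path(message)
    verdict = scan_verdict(message, scanner)
    target = {"clean": Path(queue_dir), "infected": Path(quarantine_dir)}.get(verdict)
    if target is not None:
        target.mkdir(parents=True, exist_ok=True)
        shutil.move(str(message), str(target / message.name))
    return verdict


def release_all(hold_dir, queue_dir, quarantine_dir, scanner=DEFAULT_SCANNER):
    """Run release_held over every file in hold_dir; return counts per verdict."""
    counts = {"clean": 0, "infected": 0, "error": 0}
    # sorted() materialises the listing before any file is moved.
    for message in sorted(Path(hold_dir).iterdir()):
        if message.is_file():
            counts[release_held(message, queue_dir, quarantine_dir, scanner)] += 1
    return counts


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: release_held.py HOLD_DIR QUEUE_DIR QUARANTINE_DIR")
    print(release_all(*sys.argv[1:4]))
```

A scanner failure leaves the message in hold rather than delivering it, so an outage of the scanner cannot turn into unscanned delivery.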




Re: [Declude.Virus] My quick and dirty virus stats

2006-01-27 Thread Darrell ([EMAIL PROTECTED])



If you don't want to bother learning or using perl 
I suggest you look at DLAnalyzer. It can do Junkmail reporting and Virus 
reporting for Declude integrated into one Windows based application. There 
is a functional free version (lite).

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. 
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

  - Original Message - 
  From: Imail 
  To: Declude.Virus@declude.com 
  Sent: Friday, January 27, 2006 3:55 PM
  Subject: RE: [Declude.Virus] My quick and dirty virus stats

  I don't know PERL and with being in the middle of a cluster 
  project along with an open source photo gallery project along with... 
  etc... I'm up to my eyeballs in technical learning right now. I 
  would REALLY appreciate the script. If you get time just email it to 
  this address [EMAIL PROTECTED] and I'll get it going...

  Thanks...

  Mark

  At 02:21 PM 1/27/2006, you wrote:

  I use PERL for most of this stuff. Easy enough to learn, or I could send 
  you the script off-line.

  Karl Drugge

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Imail
  Sent: Friday, January 27, 2006 2:37 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] My quick and dirty virus stats

  Andrew,

  What are you using to compile these numbers?

  Mark

  At 12:48 PM 1/27/2006, you wrote:

  Just because it's easy to produce...

  This is from the viruses that get caught as spam from 
  Dec 01 2005 through yesterday:

         13  Suspicious program in Archive
          1  Suspicious program
          5  Unknown Virus
         57  W32/Bagle
          1  W32/Banker
         13  W32/Brepibot
         28  W32/Kapser
         33  W32/Klez
        108  W32/Mitglieder
         13  W32/Mydoom
        665  W32/Mytob
      1,124  W32/Netsky
      5,607  W32/Sober
          1  W32/Torvil
          5  W32/Zafi

  Andrew 8)

  No virus found in this incoming message.
  Checked by AVG Anti-Virus.
  Version: 7.1.375 / Virus Database: 267.14.23/243 - Release Date: 1/27/2006

  --
  PLEASE NOTE : Florida has a very broad public records law. Most written 
  communications to or from City officials regarding City business are public 
  records available to the public and media upon request. Your E-mail 
  communications may be subject to public disclosure.

  No virus found in this outgoing message.
  Checked by AVG Anti-Virus.
  Version: 7.1.375 / Virus Database: 267.14.23/243 - Release Date: 1/27/2006


Re: [Declude.Virus] Declude Hardware Issue

2005-12-26 Thread Darrell ([EMAIL PROTECTED])



FYI - For the other affected by this I put 3.0.5.22 
back on and everything is flying along with no issues. Processing messages 
as fast as could be.

FWIW - My issues started on December 24th at 
approximately - 2:10pm EST.

I will follow-up with Declude tomorrow to determine 
why my version decided to downgrade itself.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. 
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.

  - Original Message - 
  From: David Franco-Rocha 
  To: Declude.JunkMail@declude.com 
  Cc: Declude.Virus@declude.com 
  Sent: Monday, December 26, 2005 4:00 PM
  Subject: [Declude.Virus] Declude Hardware Issue
  
  Please note that the hardware issue preventing 
  communication with Declude has been resolved. Key authentication has resumed 
  as normal.
  
  There appear to be some misconceptions on the 
  lists regarding the key authentication system. In the event that your key 
  cannot be authenticated (either due to communication failure or because the 
  key was never issued):
  
  A) Your software will continue to 
  function
  
  B) Your software is NEVER downgraded for any 
  reason, either automatically or otherwise
  
  We have had a few reports from customers who have 
  licensed versions of Pro, saying that they are receiving messages in their log 
  files that they do not have the Pro version. We will identify the source of 
  that issue tomorrow when the office reopens and will resolve it. It does not 
  have any relation to the key authentication mechanism with the server, since 
  the actual authentication with IMail versions of Declude continues to be via 
  the old codes entered into the configuration files.
  
  David Franco-Rocha
  Declude Technical / Engineering
  


[Declude.Virus] Sober Virus - Secret Code.

2005-12-10 Thread Darrell ([EMAIL PROTECTED])
http://www.pcworld.com/news/article/0,aid,123876,00.asp 


Key paragraph -
//begin
Security firm iDefense said it broke the encrypted code in a Sober variant 
discovered in November and found that it is designed to download the unknown 
code from various Web addresses on January 5, 2006. Millions of zombie 
computers may already be infected with the variant, the company said. 

The date coincides with the 87th anniversary of the founding of the Nazi 
Party. The release of worms has been tied to political events in the past, 
iDefense noted, in a kind of hacktivism designed to distribute propaganda.
//end 

ugh - I suspect more German pro-nazi spam... 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 





Re: [Declude.Virus] Declude and IMail 2006

2005-11-30 Thread Darrell ([EMAIL PROTECTED])
Knowing that there are issues with 1.x and 2.x with Imail 8.2x and 2006 
extends from 8.2x I would suspect that you may have issues. 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



J Porter writes: 

Does Declude (Virus and JM Pro) 1.82 work with Imail 2006?? 


Call me chicken... lol...
but I really don't have the guts to do both upgrades at the same time... 
:)
There are entirely too many instances of sober and mytob hitting us 
daily. 


Thanks
~Joe  




Re: [Declude.Virus] how is Declude 3.x?

2005-11-24 Thread Darrell ([EMAIL PROTECTED])
I run 3.0.5.20 DFx - I think 1 or 2.  It has a few extra fixes for me the 
dnsbl issue is the key one.  I run it on two servers (imail) volume on 
server 1 - 150K and volume on server 2 - 100K. 

External tests: invURIBL  Sniffer 

Darrell 



Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



Sanford Whiteman writes: 

3.0.5y.20 on Imail running fine here.  


I think it would be helpful if 3.0.x adopters could mention IMail/SmarterMail version, Windows OS version, msgs/day, and which (publicly available) external tests they're running. 

I honestly thought, after the rash of buggy releases and seemingly insufficient internal testing, that I would not deploy 3.0.x for several months, if ever.  I'm sure I'm not alone. 

--Sandy 


--
 
Sanford Whiteman, Chief Technologist 
Broadleaf Systems, a division of 
Cypress Integrated Systems, Inc. 
mailto:[EMAIL PROTECTED] 




Re: [Declude.Virus] how is Declude 3.x?

2005-11-24 Thread Darrell ([EMAIL PROTECTED])
I understand what everyone is saying, believe me I do.  What I can tell you 
is that 3.x is much better than 2.x.  Especially, since it fixes the issues 
I had where 100's of declude processes would unexpectedly launch and would 
hose the server.  I have found the later versions to be very stable and 
fast. 

The big issues I am seeing with the new version is variables that were not 
per thread.  I can tell you every one of my issues that my twin (inside joke 
on the twin) or I have reported has been taken very seriously.  I can tell 
you that David Franco-Rocha has been very aggressive working a lot of these 
issues.  You know they are on the right track when you get builds to fix 
issues at 3am in the morning.. 

Hang in there it's all starting to come together and I think when you're ready 
to dive into 3.x you will be very happy... 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 




Darin Cox writes: 


Totally agree with you there, Sandy.  We're trying to decide whether to
renew the service agreement.  We paid for a year and haven't upgraded at all
due to the stability problems and bugs with 2.x and 3.x, though we are
considering upgrading to IMail 2006 and 3.0 soon.  Things seem to have
settled down a bit. 

What are you running? 2.06 with IMail 8.15? 

We're still running IMail 8.05 and 1.82 currently. 

Darin. 



- Original Message - 
From: Sanford Whiteman [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Thursday, November 24, 2005 3:23 PM
Subject: Re: [Declude.Virus] how is Declude 3.x? 




3.0.5y.20 on Imail running fine here.


I think it would be helpful if 3.0.x adopters could mention
IMail/SmarterMail version, Windows OS version, msgs/day, and which (publicly
available) external tests they're running. 


I honestly thought, after the rash of buggy releases and seemingly
insufficient internal testing, that I would not deploy 3.0.x for several
months, if ever.  I'm sure I'm not alone. 

--Sandy 


--
 
Sanford Whiteman, Chief Technologist

Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
mailto:[EMAIL PROTECTED]



Re: [Declude.Virus] New Sober to be released, possible variation?

2005-11-15 Thread Darrell ([EMAIL PROTECTED])
Mark, 

In general for these types of viruses yes you are ok as long as the 
extensions in the zips are ones that you are blocking. 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 





Mark Reimer writes: 

If we are banning extensions within zip files we should be ok right? 


Mark Reimer
IT Project Manager
American CareSource
800-370-5994 ext. 267 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John T (Lists)
Sent: Tuesday, November 15, 2005 2:30 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Sober to be released, possible
variation? 



And another: 

BANNAME	packed-password_text.zip 


John T
eServices For You 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 15, 2005 10:16 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Sober to be released, possible variation? 

Another one to block... 

BANNAME Accept_e-Text.zip 

The list so far is 


# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME Accept_e-Text.zip
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME foto.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
BANNAME word-text.zip 


As mentioned before, we keep these in place even after the virus definitions
are catching them.  That way new variants that use the names are caught
before definitions are available. 

Darin. 



- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 11:57 AM
Subject: RE: [Declude.Virus] New Sober to be released, possible variation? 



There are very interesting details in Trend Micro's writeup. 


http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EADVSect=T 


i.e. it uses its own SMTP server plus a hardcoded list of accounts and
IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
Software Removal Tool. 


It may be worth mentioning that the BANNAME list that Darin provided
will be useful for those of us using F-Prot only, as they are still not
detecting the variant I've been receiving since this thread started. 

Andrew 8) 



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
 Sent: Tuesday, November 15, 2005 6:05 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] New Sober to be released,
 possible variation?

 Most the new Sober variants are expected to be low volume, so
 I'm not surprised that Netsky.P continues to outstrip them.

 Security vendors are varying as to what they are detecting
 with 6 new Sober variants yesterday and today.  Best bet is
 to ban the files at least until virus definition files have
 caught up.  We keep the bans in place for the usual overlap
 in new variants.

 Darin.


 - Original Message -
 From: Markus Gufler [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Tuesday, November 15, 2005 8:44 AM
 Subject: RE: [Declude.Virus] New Sober to be released,
 possible variation?


 Thank you Darin.

 just curious after watching our virus logfiles today
 Anyone else can confirm that there are only a few of the
 today new virus and
 far more netsky (most .p variant) showing up in the logfiles?

 Today I've had some reports that certain variants of the new
 virus slipped
 through while it was definitively catching some others.

 Markus



  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Tuesday, November 15, 2005 2:33 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] New Sober to be released,
  possible variation?
 
  I just went through all of the reports.  Here's a list of new
  filenames to
  ban:
 
  # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
  BANNAME email_photo.zip
  BANNAME excel_table.zip
  BANNAME liste.zip
  BANNAME reg_text.zip
  BANNAME registration.zip
  BANNAME tabelle.zip
 
 
  Darin.
 
 
  - Original Message -
  From: Doug Anderson [EMAIL PROTECTED]
  To: Declude.Virus@declude.com
  Sent: Tuesday, November 15, 2005 8:24 AM
  Subject: Re: [Declude.Virus] New Sober to be released,
  possible variation?
 
 
  Looks like varying attachment names. I got one that's excel_table.zip
 
  - Original Message -
  From: David Dodell [EMAIL PROTECTED]
  To: John T (Lists) Declude.Virus@declude.com
  Sent: Tuesday, November 15, 2005 6:50 AM
  Subject: Re: [Declude.Virus] New Sober to be released,
  possible variation?
 
 
   Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
  
   Sophos is now calling it Sober-R.
  
   Possible variation received this morning ... the text discussed
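
The BANNAME lists posted in this thread, and the question about banned extensions inside zip files, can be checked against a message offline. This is an added example, not Declude's implementation or code from any poster: it assumes case-insensitive whole-filename matching, and the extension list, function names and sample messages are constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# BANNAME lines copied from the lists posted in this thread.
BANNAME_CONFIG = """\
# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME Accept_e-Text.zip
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME foto.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
BANNAME word-text.zip
BANNAME\tpacked-password_text.zip
"""

# Assumption: a site-specific list of banned extensions (not from the thread).
BANNED_EXTS = frozenset({".exe", ".pif", ".scr", ".com", ".bat"})


def parse_bannames(config_text):
    """Return the lower-cased filenames from BANNAME lines, skipping comments."""
    banned = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # splits on spaces or tabs
        if len(parts) == 2 and parts[0].upper() == "BANNAME":
            banned.add(parts[1].strip().lower())
    return banned


def check_message(raw, banned_names, banned_exts=BANNED_EXTS):
    """Return (reason, name) findings for every attachment in a raw message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() in banned_names:
            findings.append(("banned-name", name))
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()  # names are readable even if encrypted
        except zipfile.BadZipFile:
            findings.append(("unreadable-zip", name))
            continue
        for member in members:
            if os.path.splitext(member)[1].lower() in banned_exts:
                findings.append(("banned-ext-in-zip", name + ":" + member))
    return findings


def build_sample(att_name, member_name):
    """Build a constructed message carrying one zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed test data")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=att_name)
    return msg.as_bytes()


if __name__ == "__main__":
    names = parse_bannames(BANNAME_CONFIG)
    for att, member in [("Registration.ZIP", "document.txt.exe"),
                        ("report.zip", "notes.txt"),
                        ("photos.zip", "viewer.scr")]:
        print(att, check_message(build_sample(att, member), names))
```

The third sample shows why the extension ban matters alongside the name list: an archive whose name is not on the BANNAME list is still flagged by what it contains.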

Re: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread Darrell ([EMAIL PROTECTED])



Also, in the Command AVAFTERJM OFF

I assume this means it SCANS viruses first, then the junkmail?


No it actually scans for viruses after junkmail.

Darrell
---
invURIBL - Intelligent URI Filtering.  Stops SPAM by focusing on the 
spamvertised link.  More effective than traditional RBL's.  Download a copy 
today - http://www.invariantsystems.com 




Re: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread Darrell ([EMAIL PROTECTED])

David,

When you say messages are getting stuck in the spool do you mean after they 
are processed by Declude?  When you upgraded to Declude 3.x did you replace 
the declude.exe file?


Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.


- Original Message - 
From: David Dodell [EMAIL PROTECTED]

To: David Dodell Declude.Virus@declude.com
Sent: Saturday, November 05, 2005 1:27 PM
Subject: Re: [Declude.Virus] Help! Upgraded from 1.82 to 3. today



I noticed that my virus scanner is no longer sending me notices when
it intercepts a virus ... before I used to get email notice from
declude that a virus, and/or spam was intercepted, but now that seemed
to have stopped ... is there a switch I need to turn on / off?


It appears messages are getting stuck in my spool ... I see messages
addressed from [EMAIL PROTECTED] to david david (same user
twice)

Any ideas?



Re: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread Darrell ([EMAIL PROTECTED])

David,

Sorry I did not read far enough to the OFF part.  If set to off Viruses 
are scanned for first which is the default setting.  Normally you do not see 
someone have that in their config unless they are going to set it to ON 
which scans for viruses after JM.


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.


- Original Message - 
From: David Dodell [EMAIL PROTECTED]

To: Darrell ([EMAIL PROTECTED]) Declude.Virus@declude.com
Sent: Saturday, November 05, 2005 3:57 PM
Subject: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today


Saturday, November 5, 2005, 1:42:02 PM, Darrell ([EMAIL PROTECTED]) wrote:



Also, in the Command AVAFTERJM OFF

I assume this means it SCANS viruses first, then the junkmail?



No it actually scans for viruses after junkmail.


Ok, I turned it on since I want it to scan for viruses BEFORE
junkmail.

Doesn't make sense to me, I read it as:

AV (Virus) AFTER JM (Junkmail) and if ON would mean Virus After
Junkmail and OFF would mean Virus BEFORE Junkmail






Re: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread Darrell ([EMAIL PROTECTED])
I caught that in the later thread.  On my system I see the same behavior 
where the gsc/gse will get processed by the next queue run as well.  I do 
seem to remember in older versions that they were tried to be delivered 
right away.


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.



- Original Message - 
From: David Dodell [EMAIL PROTECTED]

To: Darrell ([EMAIL PROTECTED]) Declude.Virus@declude.com
Sent: Saturday, November 05, 2005 3:59 PM
Subject: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today


Saturday, November 5, 2005, 1:43:11 PM, Darrell 
([EMAIL PROTECTED]) wrote:


When you say messages are getting stuck in the spool do you mean after they
are processed by Declude?  When you upgraded to Declude 3.x did you replace
the declude.exe file?


As I mentioned in another post, it appears that the Postmaster
generated messages are sitting in the \imail\spool directory, but with
a GSE or GSC extension instead of SMD ... and are eventually processed
within 20 or 30 minutes, I'm assuming being caught by the queue being
reprocessed in that time period??



Re: [Declude.Virus] Second scanner

2005-11-04 Thread Darrell ([EMAIL PROTECTED])
I use McAfee and it has been great; they tend to be among the top for 
getting updates out quick.  However, it is very resource intensive. 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Declude Log Parsers. 



David Dodell writes: 


After many years of using Virus Standard, I upgraded to Virus Pro to
take advantage of a second scanner.   I've scanned the previous
threads on what others like for a second scanner to F-Prot, but can't
seem to find any common thread ... 


So I would appreciate what seems to be the next most popular virus
scanner to run as a secondary scanner to F-Prot? 

David 




[Declude.Virus] Multiple Anti-virus Vendor Detection Bypass

2005-10-28 Thread Darrell ([EMAIL PROTECTED])
(4) MODERATE: Multiple Anti-virus Vendor Detection Bypass 

Affected: Multiple AV vendors including McAfee, Trend Micro, Kaspersky, 
Sophos, CA, Panda. 

Description: Multiple anti-virus engines reportedly contain a vulnerability 
that can lead to bypassing detection of malware in .bat, .html and 
.eml files. The problem occurs because the detection engines stop 
processing these files if they are tagged with a fake executable file 
header. Note that with the increase in client-side attacks, bypassing 
malicious HTML detection may lead to spread of spyware and other malware on 
desktop systems. Multiple proof of concept examples have been posted. 



Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 





[Declude.Virus] Virus name reported as different than what scanner detected.

2005-10-28 Thread Darrell ([EMAIL PROTECTED])
Anyone seen this before?  The message (attachment) has the W97M/Thus Virus 
and is detected by McAfee as having such, but the final virus string somehow 
ends up at Netsky? 

Darrell 


x:\imail\spoolgrep -i q41c378d5099ed6c9.smd vir1028.log
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd Vulnerability flags = 0
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd MIME file: HD New Look list.doc [base64; Length=59904 Checksum=2996157]
10/28/2005 11:21:10.750 q41c378d5099ed6c9.smd Virus scanner 1 reports exit code of 0
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Virus scanner 2 reports exit code of 13
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Scanner 2: Virus= the W97M/Thus.gen Attachment=HD New Look List.doc [11] I
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 13]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Scanned: CONTAINS A VIRUS [MIME: 2 60102]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 64.207.161.182]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Subject: Here we go Again - Proposal





Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 





Re: [Declude.Virus] Virus name reported as different than what scanner detected.

2005-10-28 Thread Darrell ([EMAIL PROTECTED])
A little more checking and this seems to be happening on any message 
infected with a virus  Possible bug... 

Running 3.x, AVAFTERJM, with EXITSCANONVIRUSDETECT   ON 

10/28/2005 00:39:56.359 qab8ff7a40618ffdf.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
10/28/2005 00:41:47.968 qabfaf7c50618004e.smd Virus scanner 1 reports exit code of 3
10/28/2005 00:41:47.968 qabfaf7c50618004e.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-details.zip [11] O
10/28/2005 00:41:47.984 qabfaf7c50618004e.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
10/28/2005 00:56:05.015 qaf506d06099e03ac.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-password.zip [11] O
10/28/2005 00:56:05.015 qaf506d06099e03ac.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]




Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 
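
The mismatch reported in this thread (the name in the final "File(s) are INFECTED" line differing from what the scanner reported for that message) can be checked for mechanically. The following Python sketch is an added example, not Declude's or the poster's code; it assumes the log line layout shown in the excerpts above, and the queue ids and sample lines in it are constructed.

```python
import re
from collections import defaultdict

# Layout assumed from the excerpts in this thread: date, time, queue id, message.
LINE = re.compile(r"^(\d\d/\d\d/\d{4}) (\d\d:\d\d:\d\d(?:\.\d+)?) (\S+) (.*)$")
EXIT = re.compile(r"^Virus scanner (\d+) reports exit code of (\d+)$")
HIT = re.compile(r"^Scanner (\d+): Virus=\s*(.*?)\s+Attachment=(.*?)\s*\[\d+\]\s*\w$")
FINAL = re.compile(r"^File\(s\) are INFECTED \[\s*(.*):\s*(\d+)\]$")


def unwrap(lines):
    """Re-join lines wrapped by a mail client: a line without a leading
    timestamp is treated as a continuation of the previous log line.
    (Joins with one space, which is enough for the fields parsed here.)"""
    out = []
    for raw in lines:
        text = raw.strip()
        if not text:
            continue
        if LINE.match(text) or not out:
            out.append(text)
        else:
            out[-1] += " " + text
    return out


def norm(name):
    """Collapse runs of whitespace so wrapped and unwrapped names compare equal."""
    return " ".join(name.split())


def analyze(lines):
    """Return one finding per message whose final virus name was not
    reported by any scanner for that same queue id."""
    reported = defaultdict(list)    # queue id -> names reported by scanners
    exit_codes = defaultdict(dict)  # queue id -> {scanner number: exit code}
    first_seen = {}                 # name -> first queue id a scanner reported it for
    findings = []
    for line in unwrap(lines):
        m = LINE.match(line)
        if not m:
            continue
        qid = m.group(3).lower()
        if qid.endswith(".smd"):
            qid = qid[:-4]
        msg = m.group(4).strip()
        e, h, f = EXIT.match(msg), HIT.match(msg), FINAL.match(msg)
        if e:
            exit_codes[qid][int(e.group(1))] = int(e.group(2))
        elif h:
            name = norm(h.group(2))
            reported[qid].append(name)
            first_seen.setdefault(name, qid)
        elif f:
            name, code = norm(f.group(1)), int(f.group(2))
            if name not in reported[qid]:
                findings.append({
                    "qid": qid,
                    "final": name,
                    "reported": list(reported[qid]),
                    # Does the code in the final line match a scanner exit code?
                    "code_matches": code in exit_codes[qid].values(),
                    # Earlier message for which a scanner did report this name.
                    "also_reported_for": first_seen.get(name),
                })
    return findings


# Constructed sample in the thread's log layout (ids are made up); two
# lines are wrapped on purpose, as they are in the e-mailed excerpts.
SAMPLE = """\
10/28/2005 11:21:10.750 qaaaa000000000001.smd Virus scanner 1 reports exit code of 3
10/28/2005 11:21:10.760 qaaaa000000000001.smd Scanner 1: Virus= WORM_MYTOB.LV Attachment=email-details.zip [11] O
10/28/2005 11:21:10.770 qaaaa000000000001.smd File(s) are INFECTED [ WORM_MYTOB.LV: 3]
10/28/2005 11:21:11.300 qaaaa000000000002.smd Vulnerability flags = 0
10/28/2005 11:21:11.350 qaaaa000000000002.smd Virus scanner 1 reports exit code of 0
10/28/2005 11:21:11.359 qaaaa000000000002.smd Virus scanner 2 reports exit
code of 13
10/28/2005 11:21:11.359 qaaaa000000000002.smd Scanner 2: Virus= the
W97M/Thus.gen Attachment=HD New Look List.doc [11] I
10/28/2005 11:21:11.400 qaaaa000000000002.smd File(s) are INFECTED [ WORM_MYTOB.LV: 13]
""".splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Run it against the raw vir*.log file rather than a copy pasted from mail where possible; the unwrap step is only a best-effort repair.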





Re: [Declude.Virus] Virus name reported as different than what scanner detected.

2005-10-28 Thread Darrell ([EMAIL PROTECTED])
That's good to hear that others are seeing this as well...  Hopefully, we 
will have a fix soon. 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



Bill Landry writes: 


Yep, I'm seeing the same thing with Version 3.0.5.12:
=
10/28/2005 10:56:04.343 q662b02abbeb9.smd Vulnerability flags = 0
10/28/2005 10:56:04.343 q662b02abbeb9.smd MIME file: [text/html][7bit; Length=714 Checksum=63910]
10/28/2005 10:56:04.390 q662b02abbeb9.smd MIME file: email-details.zip [base64; Length=93976 Checksum=11204045]
10/28/2005 10:56:04.390 q662b02abbeb9.smd Banning .ZIP file with scr extension.
10/28/2005 10:56:06.156 q662b02abbeb9.smd Virus scanner 1 reports exit code of 3
10/28/2005 10:56:06.171 q662b02abbeb9.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-details.zip [16] I
10/28/2005 10:56:07.109 q662b02abbeb9.smd Virus scanner 2 reports exit code of 1
10/28/2005 10:56:07.109 q662b02abbeb9.smd Scanner 2: Virus= [ WORM_MYTOB.LV](1) in M:\IMail\spool\proc\work\D662B0~1.VIR\0.zip,(email-details.htm .scr) Attachment=email-details.zip [16] I
10/28/2005 10:56:07.109 q662b02abbeb9.smd File(s) are INFECTED [ [ TROJ_GOLDUN.G](1) in M:\IMail\spool\proc\work\D644C0~1.VIR\0.rar,(MsWindowsUpdate.exe): 1]
10/28/2005 10:56:07.109 q662b02abbeb9.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 94832]
10/28/2005 10:56:07.109 q662b02abbeb9.smd From: xxx To: xxx [incoming from xxx]
10/28/2005 10:56:07.109 q662b02abbeb9.smd Subject: Important Notification

=

10/28/2005 10:56:22.171 q664302abbecd.smd Vulnerability flags = 0
10/28/2005 10:56:23.750 q664302abbecd.smd Virus scanner 1 reports exit code of 3
10/28/2005 10:56:23.750 q664302abbecd.smd Scanner 1: Virus= HTML/[EMAIL PROTECTED] Attachment= [16] I
10/28/2005 10:56:24.625 q664302abbecd.smd Virus scanner 2 reports exit code of 1
10/28/2005 10:56:24.625 q664302abbecd.smd Scanner 2: Virus= [ HTML_Netsky.P](1) in M:\IMail\spool\proc\work\D66430~1.VIR\0,(NONAMEFL) Attachment= [16] I
10/28/2005 10:56:24.625 q664302abbecd.smd File(s) are INFECTED [ [ TROJ_GOLDUN.G](1) in M:\IMail\spool\proc\work\D644C0~1.VIR\0.rar,(MsWindowsUpdate.exe): 1]
10/28/2005 10:56:24.625 q664302abbecd.smd Scanned: CONTAINS A VIRUS
10/28/2005 10:56:24.625 q664302abbecd.smd From: xxx To: xxx [incoming from xxx]
10/28/2005 10:56:24.625 q664302abbecd.smd Subject: Mail delivery failed: returning message to sender
= 


Bill


Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-11 Thread Darrell ([EMAIL PROTECTED])
Kevin, 

I thought PGP had a desktop version that integrates directly with Outlook? 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



Kevin Rogers writes: 

We're looking for a simple way to opportunistically allow our users to 
encrypt or password-protect certain emails and/or their attachments that 
contain sensitive data.  We're running Declude Pro and have banned EZIP 
extensions (the highly recommended suggestion from several people on this 
forum), so that kinda rules out PKZIP and any kind of ZIP program (because 
as soon as you password-protect a ZIP file, it becomes an EZIP file).  We 
looked at PGP, but it seems very complex and seems to require a hardware 
proxy in between our mail server and the Net.  Is there a simple and 
effective way to encrypt or password protect documents for email 
transmission that doesn't cause problems with Imail or Declude and doesn't 
require software to be installed on the recipient's end? 

Thanks. 


Kevin
---
[This E-mail was scanned for viruses.] 




Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-11 Thread Darrell ([EMAIL PROTECTED])
Please no talk about sharp objects - I just had a vasectomy a couple of 
hours ago - oh the pain...


Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.


- Original Message - 
From: John T (Lists) [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 5:00 PM
Subject: RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email 
Content



What is wrong with sharp objects? They make nice clean cuts.

Now, it's the blunt ones that I worry about.

John T
eServices For You


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, October 11, 2005 1:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content


I block all encrypted zips based on the fact that I can't virus scan them.

But then again I'm slightly paranoid and should not be trusted with sharp
objects.

- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 3:08 PM
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email
Content


 So it's this forum's consensus that if I have PRO I should not block all
 EZIPs - I should just block the other extensions even if they are found
 within ZIP files?

 I do send out notices when a file gets blocked, but I don't have a requeue
 script in place.  I'll search for one and see what I can do.  Thanks.



 Darin Cox wrote:

If you have Declude Virus/EVA Pro you can switch to banning extensions
within zips.  With Standard, you may want to continue to ban encrypted
zips.

In either case, you will probably want to send out notices for banned files,
notifying the intended recipient that a file sent to them was blocked.
Include a link in the notification for them to requeue the message if it was
legit and they want to receive it.  Scripts to requeue messages have been
posted to the list in the past, but they are very simple to create by just
moving the Q and D files back to the spool directory... possibly going as
far as launching the SMTP32 process to immediately send the message if you
don't want your user to wait for the next queue run.

Darin.


- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 1:26 AM
Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content



We're looking for a simple way to opportunistically allow our users to
encrypt or password-protect certain emails and/or their attachments that
contain sensitive data.  We're running Declude Pro and have banned EZIP
extensions (the highly recommended suggestion from several people on
this forum), so that kinda rules out PKZIP and any kind of ZIP program
(because as soon as you password-protect a ZIP file, it becomes an EZIP
file).  We looked at PGP, but it seems very complex and seems to require
a hardware proxy in between our mail server and the Net.  Is there a
simple and effective way to encrypt or password protect documents for
email transmission that doesn't cause problems with Imail or Declude and
doesn't require software to be installed on the recipient's end?

Thanks.

Kevin
---
[This E-mail was scanned for viruses.]



[Declude.Virus] Bitdefender Vulnerability

2005-10-10 Thread Darrell ([EMAIL PROTECTED])
FYI - For those using Bitdefender - 


05.40.20 CVE: Not Available
Platform: Cross Platform
Title: BitDefender Antivirus Logging Function Format String
Vulnerability
Description: BitDefender Antivirus is a proprietary antivirus product
for multiple platforms. It is vulnerable to a format string issue in
its logging functionality. This issue is due to a failure of the
application to properly sanitize user-supplied input prior to passing
it as the format specifier to a formatted printing function. A remote
attacker may leverage this issue to write to arbitrary process memory,
facilitating code execution and privilege escalation. BitDefender
versions 7.2, 8, and 9 for Windows are reported vulnerable. Other
versions and platforms may also be affected. 

Ref: http://www.securityfocus.com/bid/14968/info 




 




Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 





Re: [Declude.Virus] Possible new virus

2005-10-05 Thread Darrell ([EMAIL PROTECTED])

A lot got through today with that one, but it's being caught by F-Prot now.

10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=pword_change.zip [12] O

My first hit was at 20:02 EST tonight.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.

  - Original Message - 
  From: Darin Cox 
  To: Declude.Virus@declude.com 
  Sent: Wednesday, October 05, 2005 10:33 PM
  Subject: [Declude.Virus] Possible new virus
  
  We're seeing a lot of emails with pword_change.zip attached. May want to 
  block it in your virus.cfg.
  
  Subject is "Your new Password"
  All so far were routed through gmx.net or web.de just before delivery, but 
  are originating from a variety of dial-up or broadband ISP accounts.

  Darin.
  
  


Re: [Declude.Virus] Possible new virus

2005-10-05 Thread Darrell ([EMAIL PROTECTED])

McAfee released this within the last hour - 

Advisory: This is a Medium Threat Advisory for W32/[EMAIL PROTECTED] 
Justification: W32/[EMAIL PROTECTED] has been deemed Medium due to prevalence. 
Read About It: Information about W32/[EMAIL PROTECTED] is located on VIL at: http://vil.nai.com/vil/content/v_136390.htm 
Detection: W32/[EMAIL PROTECTED] was first discovered on October 5, 2005 and detection will be added to the 4598 dat files (Release Date: October 5, 2005). 
The EXTRA.DAT IS AVAILABLE. 
If you suspect you have W32/[EMAIL PROTECTED], please submit a sample to http://www.webimmune.net. 
Risk Assessment Definition: For further information on the Risk Assessment and AVERT Recommended Actions please see: http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm 

Best Regards, 
McAfee AVERT - Anti Virus and Vulnerability Research, Analysis, and Solutions 
visit us at www.avertlabs.com 

---
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus. 
Download it today - http://www.invariantsystems.com.




Re: [Declude.Virus] Version 3.0.5.5

2005-09-29 Thread Darrell ([EMAIL PROTECTED])
Harry, 

The message on my system just said you need to remove the last version.  
Once I did that and re-ran the update all was well. 

Darrell 



Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



Harry Vanderzand writes: 


I downloaded this update
 
stopped decludeproc
 
ran the update
 
got message:  Another version is already running, cannot update
 
what's up with that?
  

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222 

  





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
Sent: Thursday, September 29, 2005 2:53 PM
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Subject: [Declude.Virus] Version 3.0.5.5 

 

Declude Version 3.0.5.5 is available on the website for download. 

There are two changes from version 3.0.5.3 

  


1.  Fix for special character scanning causing abnormal termination.
Special thanks to John Tolmachoff for identifying and helping us fix this
nasty.  


2.  For SmarterMail only.  Correctly handle parsing the XML file for the
email installation path.  

  

SY, Bill Billman 

Declude 

  





Re: [Declude.Virus] ...Change after Upgrade in the case (upper/lower) of letters in D Q files

2005-09-27 Thread Darrell ([EMAIL PROTECTED])
Jeff, 

Yes that is normal with the 3.0 upgrade.  It is just a cosmetic change and 
does not really impact anything. 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



Jeff writes: 

I have no idea if this is of any importance as all appears to be working well, but after upgrading while I was reviewing messages held in my SPAM and ViRUS folders I noticed that all of the letters in the Q  D files (with the exception of the D that begins a D file) are now in lower case as shown below.  

Has anyone else noticed this ? 



After Declude Upgrade 


D3a5001f80247.smd
q3a5001f80247.smd 

Before 


D2B3A0DEC2046.SMD
Q2B3A0DEC2046.SMD  

 





[Declude.Virus] Invariant Systems MRTG Scripts Updated For Declude 3.0

2005-09-26 Thread Darrell ([EMAIL PROTECTED])
Our MRTG scripts that we make available for Declude users have been updated 
for the new log format of Declude 3.0.  The programs are provided free and 
as is.


They can be downloaded from our site listed in the tag line.

Any questions let me know.
Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 




Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-23 Thread Darrell ([EMAIL PROTECTED])
I think it really depends on your volume if you will see this.  Also, if you 
have already tweaked your WAITFORMAIL you may not see it as well.  On my 
system during off peak hours I get on average between 75-100 messages per 
minute.  What you will see is Declude will spawn up to 20 or so threads (I 
modified my threads value to keep up with volume) and process the messages.  
Once the decludeproc finishes processing that round of messages it will stop 
using any CPU time and sit idle for roughly 30 seconds.  Once it sleeps for 
30 seconds it will start to process messages again.  See snippet of log 

09/22/2005 21:38:43.703 q5c96523a026274b2.smd Successfully move [x:\IMail\spool\proc\work\q5c96523a026274b2.smd] to [x:\SPAM-HOLD\22Sep2005\q5c96523a026274b2.smd]
09/22/2005 21:39:08.968 q5c646c64029c7469.smd CFG: Set hop to 0. 

What occurs on my system is that the initial process completes and there are 
still messages in the /proc directory, but instead of grabbing more messages 
out of the /proc directory Declude goes to sleep.  During the time it sleeps 
even more messages come in.  Essentially what occurs is the amount of mail 
in the /proc folder just climbs steadily. 

Now I switched the WAITFORMAIL setting down to 1 second, but under those 
settings it appears to chew up an inordinate amount of CPU.  I am still 
tweaking the values for a balance. 

The box is a Dell PowerEdge 2600 Dual Xeon with HT enabled with 4GB of RAM.  
Fresh install of Windows 2003 running Imail 8.15 HF 2.  The box is only used 
for gatewaying. 

I guess the moral of the story is you would not really see this (if it 
affects you) only if the volume the box is processing is more than what the 
normal /work queue runs can handle.  You could probably easily test this by 
increasing your WAITFORMAIL setting to a couple of minutes.  If you are 
not affected by this then your system will continue to function properly and 
process the mail in the /proc folder as it should.  If it is affected by it 
you would see files still in the proc folder and Declude go to sleep for 
that specified period of time.  The key thing is that you would have to 
watch the proc folder since normal operation would be for the decludeproc 
service to go to sleep if no files existed in the folder. 

Darrell 



Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



Andy Schmidt writes: 

Hi Nick: 


I'm only repeating what I'm told - I don't have factual information on my
own. 


There have been several reports on this list that describes the following
problem with dual-processor systems: 


Declude is supposed to check the /proc folder and ONLY go to sleep (for 30
seconds), if the folder contains no messages. On systems that have that
problem, Declude goes to sleep even though there ARE messages to process. 

The result is, that messages are queuing up and never get processed. 


There is a parameter to set the sleep time low (e.g. 1 second), this way,
the effect of the problem is less - but now Declude doesn't go to sleep when
it actually could - with a possible impact on resource consumption. 



(Of course, the question is why this appears to be related to dual-processor
systems.  May be one process still has an access lock against the first file
in the proc folder and another process doesn't handle that error condition
right - who knows.) 

 



Best Regards
Andy Schmidt 


Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206  

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Friday, September 23, 2005 08:15 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted 



Hi Andy, 

Andy Schmidt wrote: 

Thanks Bill.  I had gotten the impression as if everyone with 
dual-processor system was reporting this and that people were still 
seeing it with the latest version.
  

If you will, would you let me know more about this issue? I haven't been 
following exactly so I do not know what I should be looking for  :) I have
3.0.4.4 running on my quad processor [with hyper threading] box 
without any problems - at least as far as I can tell. If I'm missing 
something I will revert back to 2.0.6.16 in a heartbeat! 

-Nick 

  


---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com. 



Re: [Declude.Virus] AVAFTERJM ?

2005-09-22 Thread Darrell ([EMAIL PROTECTED])
Marcel, 

AVAFTERJM ON goes in the virus.cfg file and it makes AV run after JM as 
you suspected.  Several of us run this mode for the reason you cited.  The 
only deal you have to remember is if something is trapped by JM and you put 
it back in the queue it will not be virus scanned. 


Darrell

invURIBL - Intelligent URI filtering plug-in for Declude.  Try it today 
http://www.invariantsystems.com 

Marcel Sangers writes: 

Hello all, 


We make use of the latest Declude version (spam+virus) Pro. What does
the AVAFTERJM option do? Antivirus scanning after Junkmail I suppose?
What is the default? First scanning viruses followed by scanning for
spam? 


Due to the large amounts of spam I would suggest first filtering out
spam followed by possible viruses? Is that correct? 


Regards,
Marcel 
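The caveat in the reply above (with AVAFTERJM ON, a message trapped by JunkMail and put back in the queue is not virus scanned) can be closed by scanning at release time. The script below is an added example, not Declude's or the poster's code: the hold, queue and quarantine folders and the one-file-per-message layout are assumptions, and the scanner is any command-line scanner that follows the clamscan exit-code convention (0 clean, 1 infected, anything else an error).

```python
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import NamedTuple

CLEAN, INFECTED, ERROR = "clean", "infected", "error"


class ReleaseReport(NamedTuple):
    released: list       # scanned clean, moved to the delivery queue
    quarantined: list    # scanner reported a detection
    kept_on_hold: list   # scanner failed; message is NOT released


def command_scanner(argv_prefix, timeout=120):
    """Wrap a command-line scanner as a scan(path) function.

    Assumption: the scanner exits 0 for a clean file and 1 for an infected
    one (the clamscan convention). Any other exit code, a timeout or a
    missing binary is reported as ERROR so the caller can fail closed.
    """
    def scan(path):
        try:
            rc = subprocess.run(
                [*argv_prefix, str(path)],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
                timeout=timeout,
            ).returncode
        except (OSError, subprocess.TimeoutExpired):
            return ERROR
        return {0: CLEAN, 1: INFECTED}.get(rc, ERROR)
    return scan


def release_held(hold_dir, queue_dir, quarantine_dir, scan):
    """Scan every held message and release only the ones that scan clean.

    Folder names are hypothetical. Each file in hold_dir is treated as one
    message. A scanner error leaves the message on hold: an unscanned
    message must never reach the delivery queue.
    """
    report = ReleaseReport([], [], [])
    for msg in sorted(Path(hold_dir).iterdir()):
        if not msg.is_file():
            continue
        try:
            verdict = scan(msg)
        except Exception:
            verdict = ERROR
        if verdict == CLEAN:
            shutil.move(str(msg), str(Path(queue_dir) / msg.name))
            report.released.append(msg.name)
        elif verdict == INFECTED:
            shutil.move(str(msg), str(Path(quarantine_dir) / msg.name))
            report.quarantined.append(msg.name)
        else:
            report.kept_on_hold.append(msg.name)
    return report


def demo():
    """Run the gate over three constructed messages with a stand-in scanner."""
    root = Path(tempfile.mkdtemp())
    hold, queue, quarantine = (root / n for n in ("hold", "queue", "quarantine"))
    for folder in (hold, queue, quarantine):
        folder.mkdir()
    # Constructed sample messages; the marker string is not real malware.
    (hold / "msg1.eml").write_bytes(b"Subject: invoice\r\n\r\nhello\r\n")
    (hold / "msg2.eml").write_bytes(b"Subject: x\r\n\r\nCONSTRUCTED-MALWARE-MARKER\r\n")
    (hold / "msg3.eml").write_bytes(b"Subject: y\r\n\r\nscanner will fail here\r\n")

    def fake_scan(path):
        if path.name == "msg3.eml":
            raise RuntimeError("scanner crashed")
        data = path.read_bytes()
        return INFECTED if b"CONSTRUCTED-MALWARE-MARKER" in data else CLEAN

    report = release_held(hold, queue, quarantine, fake_scan)
    in_queue = sorted(p.name for p in queue.iterdir())
    on_hold = sorted(p.name for p in hold.iterdir())
    return report, in_queue, on_hold


if __name__ == "__main__":
    print(demo())
```

In production the stand-in scanner is replaced with `command_scanner([...])` built from the installed scanner's command line, and anything left in `kept_on_hold` is reviewed by hand.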






Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2005-09-22 Thread Darrell ([EMAIL PROTECTED])
The directives are for tuning both single and multiprocessor systems. They
are not meant as a tradeoff.  Some multiprocessor systems do not exhibit the
reported sleep for 30 seconds behavior.  We have not been able to reproduce
it ourselves.


I can produce it on my machine even on version 3.0.4.4.  David was also 
provided remote access to my machine and saw this issue occur when I first 
reported it under the early beta.



It's hard to fix something that we can't reproduce but we will keep
trying.  It's not even clear to me that this problem still exists in the
latest version.


I posted earlier (and to the [EMAIL PROTECTED]) that the problem still exists 
in the latest beta.  Again, I can provide remote access to this machine if 
needed.  You can mitigate the effects of this issue by adjusting the 
waitformail, but it seems to cause more cpu related usage.


What concerns me even more than the obvious issue with multiprocessor 
machines is its excessive use of CPU.  This is also included in my beta 
notes.


Darrell



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, September 22, 2005 7:56 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

Hi David,

I can't help but ask...

You are proposing options that will help with the dual processor issue.
But, are you REPRODUCING the issue and fixing it? I understand that the
problem is that the service goes to sleep for 30 seconds, even though there
are messages in the PROC folder. Clearly that should not happen.  Changing
the timings will only create a trade-off by consuming extra
machine-resources.

Even on a dual-processor system should the service be able to determine
reliably if a folder has content or not?

I'm just worried that the beta is declared successful when an entire class
of machines is only working with a bandage.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 12:28 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

Yes, these are to help adjust for timing with Dual-proc

Different systems / configuration respond differently to these settings.

In particular they to fine tune through-put with CPU utilization.

1. SLOW server that is heavily loaded

You may want to try to increase WAITBETWEENTHREADS and lower THREADS.

2. FAST server
Use the THREADS and WAITFORTHREADS to adjust the CPU utilization.

When decludeproc first starts up it will use a lot of the CPU but after that
the %CPU used by decludeproc should come way down.

The %CPU of all processes running may be high depending on external tests,
other processes, etc.  If the system is spiking but coming down quickly
that's good.

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Thursday, September 22, 2005 12:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

David,
Are these to be used to correct issues with Dual-proc, or is that
an ongoing issue still being looked at?  Thanks for the time.

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 11:41 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Declude Beta 3.0.4.4 Posted


2 new Directives

WAITFORTHREADS  1500
Located in the Declude.cfg - Defined in milliseconds eg. 1500 = 1.5 seconds
this can be changed so that when the maximum threads are in use this time
specifies the wait before checking to launch more threads.

WAITBETWEENTHREADS 1
Located in the Declude.cfg - Defined in milliseconds eg. 1 = 1 millisecond
The time to wait between spawning one thread and starting to process another
thread.

David B
www.declude.com


Re: [Declude.Virus] blocking eml and msg attachemtns

2005-09-14 Thread Darrell ([EMAIL PROTECTED])
Also, any emails that are mime/base64 encoded should be mime decoded by the 
AV scanner.  I know mcafee has that option which we enable. 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



Darin Cox writes: 


With Declude 1.82, we haven't had any trouble with decoding and blocking
viruses or banned attachments in attached .eml or .msg files.  We wouldn't
block them separately because of all of the forwarded messages sent as
attachments, both by us, AOL feedback loops, and by our users. 

Darin. 



- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Wednesday, September 14, 2005 1:32 PM
Subject: [Declude.Virus] blocking eml and msg attachemtns 



What are others thoughts on blocking eml and msg attachments? 


If there is an eml or msg attachment which has an executable or virus
attachment, will Declude properly decode it and will it be scanned for
viruses and banned attachments? 


John T
eServices For You 





Re: [Declude.Virus] Declude Beta 3.0.3.8 Available

2005-09-14 Thread Darrell ([EMAIL PROTECTED])
David, 

Any progress on the issues we have seen under multi-processor environments? 

Darrell 

David Barker writes: 


If you are running the Declude Beta please upgrade to 3.0.3.8 and send
feedback to [EMAIL PROTECTED]
 
David B
www.declude.com 







Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 





Re: [Declude.Virus] Limit Size of message to be scanned?

2005-07-08 Thread Darrell ([EMAIL PROTECTED])
Grant, 

There is nothing native to Declude to prevent that - the only real option 
besides something custom is to limit the size at the imail layer. 


Darrell

InvURIBL - Intelligent URL filtering - stops 85% of spam with the default 
configuration.  http://www.invariantsystems.com 



Grant Griffith writes: 


Yep, we had one client send a 50+ and 45+ at the same time.  That is about
the same time the system locked up.  It is a Dual Pentium 3.6 processors
with at least 2 gig of memory.  I would have hoped it could keep up, but seems
to be a pattern this week whenever huge emails get sent thru the server, it
locks up and needs rebooted to fix it. 

  


How does anyone else handle this?  I would guess there would be a way to not
scan messages over a certain size 

  

Thanks, 

Grant Griffith 

EI8HTLEGS, A Division of ETC 

(812)932-1000 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Friday, July 08, 2005 2:05 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Limit Size of message to be scanned? 

  

50 MB e-mail attachments? 

  

Youch! 

  

John T 

eServices For You 

  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Thursday, July 07, 2005 8:36 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Limit Size of message to be scanned? 

  

Hello All, 

  


Is there a way to limit the size of the message that Declude/F-Prot can
scan?  We have some customers that are sending 50+ meg files and it is
causing our servers to have major issues.  Is there a setting to say skip
anything over a certain size?  Either in F-Prot or Declude? 

  


We fixed it currently by setting it to OFF for certain domains, but really
want to ban extensions and vulnerabilities for those domains.. 

  

  

Thanks, 

Grant Griffith 

EI8HTLEGS, A Division of ETC 

(812)932-1000 

  






Re: [Declude.Virus] Limit Size of message to be scanned?

2005-07-08 Thread Darrell ([EMAIL PROTECTED])
Grant, 

What I do is set the Single Message Size under the domain.  The limit I 
have in place for most of my sites I maintain is between 10MB - 20MB. 

If this is a store and forward server you can set this on the primary domain 
of the server and it affects all of the domains you gateway for. 


Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 




Grant Griffith writes: 

Darrell, 


How can I do this on the Imail end?  I can limit attachments sent thru Web
Messaging, but not via Outlook or anything else.  At least I can not find
any settings for that. 


Thanks,
Grant Griffith
EI8HTLEGS, A Division of ETC
(812)932-1000
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, July 08, 2005 9:13 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Limit Size of message to be scanned? 

Grant,  

There is nothing native to Declude to prevent that - the only real option 
besides something custom is to limit the size at the imail layer.  


Darrell
 
InvURIBL - Intelligent URL filtering - stops 85% of spam with the default 
configuration.  http://www.invariantsystems.com  



Grant Griffith writes:  


Yep, we had one client send a 50+ and 45+ at the same time.  That is about
the same time the system locked up.  It is a Dual Pentium 3.6 processors
with at least 2 gig of memory.  I would have hoped it could keep up, but seems
to be a pattern this week whenever huge emails get sent thru the server, it
locks up and needs rebooted to fix it.  

   


How does anyone else handle this?  I would guess there would be a way to not
scan messages over a certain size  

   

Thanks,  

Grant Griffith  

EI8HTLEGS, A Division of ETC  

(812)932-1000  



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Friday, July 08, 2005 2:05 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Limit Size of message to be scanned?  

   

50 MB e-mail attachments?  

   

Youch!  

   

John T  

eServices For You  

   


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Thursday, July 07, 2005 8:36 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Limit Size of message to be scanned?  

   

Hello All,  

   


Is there a way to limit the size of the message that Declude/F-Prot can
scan?  We have some customers that are sending 50+ meg files and it is
causing our servers to have major issues.  Is there a setting to say skip
anything over a certain size?  Either in F-Prot or Declude?  

   


We fixed it currently by setting it to OFF for certain domains, but really
want to ban extensions and vulnerabilities for those domains..  

   

   

Thanks,  

Grant Griffith  

EI8HTLEGS, A Division of ETC  

(812)932-1000  

   

  




Re: [Declude.Virus] Limit Size of message to be scanned?

2005-07-08 Thread Darrell ([EMAIL PROTECTED])
Grant, 

Here are the links to the messages 


Org - http://www.mail-archive.com/declude.junkmail@declude.com/msg24792.html
Update - http://www.mail-archive.com/declude.junkmail@declude.com/msg24977.html 


Hope this helps
Darrell 


---
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus.
http://www.invariantsystems.com 

Grant Griffith writes: 

Hey All, 


Is there a known issue with Declude 2.0.6.16 and Imail 8.2?  I recall
reading something a few weeks ago about a possible issue and we did just
upgrade toward the end of last week. 

I scanned the archives, but did not find anything specific. 


Thanks,
Grant Griffith
EI8HTLEGS, A Division of ETC
(812)932-1000 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Friday, July 08, 2005 9:38 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Limit Size of message to be scanned? 

Thanks Darrell, 

I knew the setting was there somewhere, but kept overlooking it. 


Thanks,
Grant Griffith
EI8HTLEGS, A Division of ETC
(812)932-1000 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, July 08, 2005 9:34 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Limit Size of message to be scanned? 

Grant,  

What I do is set the Single Message Size under the domain.  The limit I 
have in place for most of my sites I maintain is between 10MB - 20MB.  

If this is a store and forward server you can set this on the primary domain 
of the server and it affects all of the domains you gateway for.  


Darrell
 
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.  

  

Grant Griffith writes:  

Darrell,  


How can I do this on the Imail end?  I can limit attachments sent thru Web
Messaging, but not via Outlook or anything else.  At least I can not find
any settings for that.  


Thanks,
Grant Griffith
EI8HTLEGS, A Division of ETC
(812)932-1000
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, July 08, 2005 9:13 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Limit Size of message to be scanned?  

Grant,   

There is nothing native to Declude to prevent that - the only real option 
besides something custom is to limit the size at the imail layer.   


Darrell
 
InvURIBL - Intelligent URL filtering - stops 85% of spam with the default 
configuration.  http://www.invariantsystems.com   



Grant Griffith writes:   


Yep, we had one client send a 50+ and 45+ at the same time.  That is about
the same time the system locked up.  It is a Dual Pentium 3.6 processors
with at least 2 gig of memory.  I would have hoped it could keep up, but seems
to be a pattern this week whenever huge emails get sent thru the server, it
locks up and needs rebooted to fix it.   




How does anyone else handle this?  I would guess there would be a way to not
scan messages over a certain size   



Thanks,   

Grant Griffith   

EI8HTLEGS, A Division of ETC   

(812)932-1000   



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Friday, July 08, 2005 2:05 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Limit Size of message to be scanned?   



50 MB e-mail attachments?   



Youch!   



John T   

eServices For You   




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Thursday, July 07, 2005 8:36 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Limit Size of message to be scanned?   



Hello All,   




Is there a way to limit the size of the message that Declude/F-Prot can
scan?  We have some customers that are sending 50+ meg files and it is
causing our servers to have major issues.  Is there a setting to say skip
anything over a certain size?  Either in F-Prot or Declude?   




We fixed it currently by setting it to OFF for certain domains, but really
want to ban extensions and vulnerabilities for those domains..   





Thanks,   

Grant Griffith   

EI8HTLEGS, A Division of ETC   

(812)932-1000   



   



Re: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up

2005-07-08 Thread Darrell ([EMAIL PROTECTED])
Slap on the wrist and his friends got paid for turning him in...  Looks like 
a win-win for all of them. 

Darrell 

John Tolmachoff (Lists) writes: 


So the virus writer got a slap on the wrist. Boy, that will sure send a
message to would be virus writers. 

  

John T 

eServices For You 

  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, July 08, 2005 11:40 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays
up 

  


Well, the speculation on whether Microsoft would make good on their bounty
to Sven Jaschen's friends is over. 

  

http://www.f-secure.com/weblog/ 

  

  

Andrew 8) 






Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 





Re: [Declude.Virus] Declude Failed To Initialize Properly

2005-07-06 Thread Darrell ([EMAIL PROTECTED])
See - http://www.mail-archive.com/declude.junkmail@declude.com/msg24938.html 
I posted about this issue a couple of times.  We are currently waiting on a 
fix - but this is the cause from what I can see from the debug logs.


Darrell
---
invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the default
configuration. Download a copy today - http://www.invariantsystems.com

- Original Message - 
From: Avolve Support [EMAIL PROTECTED]

To: Declude.Virus@declude.com
Sent: Wednesday, July 06, 2005 5:36 PM
Subject: [Declude.Virus] Declude Failed To Initialize Properly


Has anyone had this message box pop up on their server and if so has 
anyone found a workaround for the problem ?


The application failed to intialize properly (0xc142). Click on OK to terminate
the application.

Running Imail 8.20 - 2005.04.12.23 with hotfix 2 and the latest beta of 
Declude 2.0.6.16 and had 2.0.6 but it did the same thing.


Running 700mhz Pentium III with 384Megs, plenty of drive space and do not 
receive that much email.


I'm trying to play with the queue manager, but haven't found a combination 
yet that stops this problem.


Thanks and praise for a fix, it's driving me insane.





Sent via the WebMail system at avolve.net






[Declude.Virus] ClamAV Cabinet File Parsing Remote Denial of Service

2005-07-05 Thread Darrell ([EMAIL PROTECTED])
FYI - For those who have not seen this and are running ClamAV. 


05.26.8 CVE: CAN-2005-1923
Platform: Cross Platform
Title: ClamAV Cabinet File Parsing Remote Denial of Service
Description: ClamAV is a virus scanning utility. ClamAV is affected by a 
remote denial of service issue. ClamAV versions 0.85.1 and earlier are known 
to be vulnerable.
Ref: http://www.securityfocus.com/bid/14089 



Darrell 





Re: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability

2005-06-28 Thread Darrell ([EMAIL PROTECTED])
Dan, 

I have been running 2.0.6 with no major issues that plague me on a daily 
basis.  The only issue I have encountered is when the server is under high 
load and Declude spawns processes until the server starts generating errors. 
Since I upgraded the server it doesn't happen very often. 

For the install you can grab the package from your account on the declude 
site.  The manual install was pretty easy - just install and select manual 
along with a directory.  The upgrade for 2.0.6.16 the last beta is just an 
exe download. 


Hope this helps,
Darrell 



Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 




Dan Geiser writes: 


Hi, Again,
I was able to find the ALLOWVULNERABILITIESFROM in the Declude Release 
Notes, http://www.declude.com/Articles.asp?ID=122.  It looks like this 
feature was added in Declude 2.0.  But it appears the current version of 
Declude 2.0.6.  Since we are running 1.82 I assume that I'll have to 
upgrade to 2.0 at least.  Is 2.0.6 a safe version to upgrade to in light 
of the issues people have added with bugs and the like?  If so, is there a 
special place where I can go to get instructions on doing a Manual Upgrade 
to 2.0.6? 


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED] 


- Original Message - From: Dan Geiser [EMAIL PROTECTED]
To: DECLUDE.VIRUS@DECLUDE.COM
Sent: Tuesday, June 28, 2005 3:52 PM
Subject: [Declude.Virus] Ignoring Boundary Space Gap Vulnerability 




Hello, All,
We are running... 


Declude 1.82
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered. 

We have a customer who has an important e-mail which is being blocked by our
virus protection with the Outlook 'Boundary Space Gap' Vulnerability. 


Is there any way that I can turn off checking for the Outlook 'Boundary
Space Gap' Vulnerability on either a specific incoming e-mail address or a
specific incoming e-mail domain? 


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED] 




Re: [Declude.Virus] blocking by IP address

2005-06-20 Thread Darrell ([EMAIL PROTECTED])

If you are using Imail just add it into the SMTP Access Control List.  This
will block them from connecting to them.

Darrell
--
DLAnalyzer - Comprehensive reporting for Declude Junkmail and SPAM.  Try it
today http://www.dlanalyzer.com

Susan Duncan writes:


I have the standard version of Declude virus and spam.  I am receiving
viruses every day from a particular IP address.  I've contacted the admin
for that IP address to no avail.  I would just like to block everything from
that IP so that we aren't getting messages about all the viruses we're
blocking from that address.

Is there an easy way to do that?

Susan Duncan
Web/Communications Officer / Agent des Communications/web
Union of Taxation Employees / Syndicat des employées de l'Impôt
Tel: 613-235-6704 ext 240
Fax: 613-234-7290
e-mail: [EMAIL PROTECTED]
http://www.ute-sei.org/








Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
Integration, and Log Parsers.




Re: [Declude.Virus] Newbie question

2005-06-08 Thread Darrell ([EMAIL PROTECTED])

Kevin,

You would place that in your virus.cfg file.

Darrell
-
DLAnalyzer - Comprehensive reporting for Declude Junkmail and Virus.  Try it
today - http://www.invariantsystems.com

Kevin Rogers writes:


Should I put  AVAFTERJM ON in my global.cfg file?  And does it matter
where I put it inside the file?

Thanks.


David Franco-Rocha [ Declude ] wrote:


Thanks. This will be added to the manual.

David Franco-Rocha
Declude Technical Support

- Original Message - From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, June 06, 2005 10:58 AM
Subject: Re: [Declude.Virus] Newbie question



Great... Could the Declude staff have this added to the manual?

Darin.


- Original Message - From: Guhl, Markus (LDS)
[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, June 06, 2005 4:28 AM
Subject: AW: [Declude.Virus] Newbie question


hi darin,

we use AVAFTERJM ON with Declude 2.0.6.14 and it works like we need it.

Kind regards
on behalf of
signed: markus guhl
***
lds nrw
ref. 241
tel.: 0211 9449 2578
fax.: 0211 9449 8344
mailto:[EMAIL PROTECTED]
***



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Sunday, June 5, 2005 23:02
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Newbie question


I don't know if it still exists since it is not in the current manual, but
there was an option in previous versions of AV called AVAFTERJM that allowed
JunkMail to run first.  Otherwise you are correct that AV would run first.

Darin.


- Original Message - From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, June 05, 2005 3:17 PM
Subject: Re: [Declude.Virus] Newbie question


Thanks for the quick response.  Yes, I have the Pro versions for both AV
and Junkmail.


Darin Cox wrote:


Do you have the Pro version of Declude Junkmail?  You have to have pro to
use filters and outbound scanning.  The fromfile filter I mentioned will
work in the standard version, though.

Darin.


- Original Message - From: Kevin Rogers
[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, June 05, 2005 2:56 PM
Subject: Re: [Declude.Virus] Newbie question


I changed it to HEADERS and still I am receiving emails from these
addresses (got 4 of them personally yesterday).  My virus scanner is now
updated every four hours, so F-Prot caught these viruses, but I still am
receiving the virus notifications.  Perhaps the scanning takes place
(and the notifications are sent out) before my filter is called?

This is what my filter file contains:
HEADERS 0 CONTAINS [EMAIL PROTECTED]
HEADERS 0 CONTAINS [EMAIL PROTECTED]
etc.

This is what I have in my global.cfg
MYFILTER filter C:\Imail\Declude\Filter.txt x 20 0

This is in my $default$.junkmail file
WEIGHT20 HOLD

What am I missing?

Thanks.


Scott Fisher wrote:




The MAILFROM filter test is separate from anything in the headers. It
is the envelope sender.

If you want to test on the header from (I call it display from because
that's what Outlook displays), you need to check the HEADERS.


- Original Message - From: Kevin Rogers
[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, June 03, 2005 3:26 AM
Subject: Re: [Declude.Virus] Newbie question





Great.  Exactly what I needed.
I was also confused about the MAILFROM.  Does MAILFROM mean what is
displayed as the FROM: in the headers or what it says in the X-Note:
This E-mail was sent from 206-72-95-86.wi.skypipeline.com
([206.72.95.86])  or in the X-Declude-Sender field?

Maybe I should just use the HEADERS 0 CONTAINS instead.

Thanks again.



Scott Fisher wrote:




One caveat. The MAILFROM uses the envelope mailfrom, which is
different than the ones displayed in the headers.
If the below doesn't stop it, add
HEADERS 0 CONTAINS [EMAIL PROTECTED]
HEADERS 0 CONTAINS [EMAIL PROTECTED]

- Original Message - From: Kevin Rogers
[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, June 02, 2005 10:37 PM
Subject: Re: [Declude.Virus] Newbie question





I looked up the filter section at the manual.  This is what I did.

I made a file called filter.txt.  This contains:
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
etc.

I then added this line in global.cfg:
MYFILTER filter C:\Imail\Declude\filter.txt x 20 0

In my $default$.junkmail file there was already this line:
WEIGHT20 HOLD

Do I need to do anything else to the junkmail file to reference
MYFILTER or does the WEIGHT20 take care of everything?

Thanks.

Kevin



Darin Cox wrote:




Nope... add a filter test and put those lines in it.  The same thing I
mentioned without pro applies here for adding test names to the global.cfg
and $default$.junkmail.

The manual at 
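
The envelope-versus-header distinction Scott describes in this thread, as an added example that is not part of the original messages or of Declude: it splits a constructed SMTP transcript into envelope sender and header block, then checks filter lines written in the thread's `TEST 0 CONTAINS text` layout against each. The matching rules (case-insensitive substring, only MAILFROM and HEADERS) are a simplified assumption, and all addresses are constructed.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed client side of an SMTP exchange: the envelope sender (MAIL FROM)
# and the From: header that the mail client displays are different addresses.
SMTP_SESSION = """\
MAIL FROM:<bounce-7731@mailer.example.net>
RCPT TO:<kevin@example.org>
DATA
From: "Support" <support@spoofed.example.com>
To: kevin@example.org
Subject: Mail Delivery System
X-Note: constructed sample

See attachment.
.
"""

# Constructed filter file in the layout quoted in the thread.
FILTER_FILE = """\
MAILFROM 0 CONTAINS support@spoofed.example.com
HEADERS 0 CONTAINS support@spoofed.example.com
MAILFROM 0 CONTAINS mailer.example.net
"""


def split_session(session):
    """Return (envelope_sender, raw_header_block) from an SMTP transcript."""
    lines = session.splitlines()
    envelope = None
    for line in lines:
        match = re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.IGNORECASE)
        if match:
            envelope = match.group(1)
            break
    try:
        start = next(i for i, l in enumerate(lines) if l.strip().upper() == "DATA") + 1
    except StopIteration:
        raise ValueError("no DATA command in transcript")
    header_lines = []
    for line in lines[start:]:
        if line == "":  # blank line ends the header block
            break
        header_lines.append(line)
    return envelope, "\n".join(header_lines)


def display_from(header_block):
    """Address from the From: header, i.e. what the recipient sees."""
    return parseaddr(HeaderParser().parsestr(header_block)["From"])[1]


def evaluate_filter(filter_text, envelope_sender, header_block):
    """Return the filter lines that match (simplified model, see lead-in)."""
    fields = {"MAILFROM": envelope_sender or "", "HEADERS": header_block}
    hits = []
    for line in filter_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        test, _weight, op, value = parts
        if test.upper() not in fields or op.upper() != "CONTAINS":
            raise ValueError("unsupported filter line: " + line)
        if value.lower() in fields[test.upper()].lower():
            hits.append(line)
    return hits


if __name__ == "__main__":
    sender, headers = split_session(SMTP_SESSION)
    print("envelope sender:", sender)
    print("displayed From :", display_from(headers))
    for hit in evaluate_filter(FILTER_FILE, sender, headers):
        print("matched:", hit)
```

The first filter line never matches because the displayed address appears only in the headers, which is the situation described in the thread.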

[Declude.Virus] Another mytob variant

2005-06-02 Thread Darrell \([EMAIL PROTECTED])
Another MyTob variant is out.  F-Prot is catching it but Mcafee is not.  
Mcafee does have an extra.dat for it. 

The file is coming in as info-text.zip. 

Darrell 



DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus.  Try it 
today http://www.invariantsystems.com 


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] New virus out?

2005-05-31 Thread Darrell \([EMAIL PROTECTED])
John, 

What do the filenames appear to be - any pattern either filename, subject, 
body content etc? 

Darrell 

John Tolmachoff (Lists) writes: 


One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip. 

They are coming from different IPs 


John T
eServices For You 








Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 





Re: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Darrell \([EMAIL PROTECTED])
a mass-mailing virus.  Declude defaults to BANCSLID ON which may or may 
not protect from such an attack.  Some CSLID calls are entirely valid and 
normal for Outlook/Office generated E-mails, and I'm not totally sure 


Plus the other question is does Declude look for the CSLID calls in files in 
zip's. 

Darrell 


--
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus.  Try it 
today - http://www.invariantsystems.com



Re: [Declude.Virus] EXITSCANONVIRUS

2005-05-28 Thread Darrell \([EMAIL PROTECTED])
My thoughts are this - a virus is a virus and a vulnerability is a
vulnerability.  My expectation is that if a virus is detected then the other
scanners will not be called.  However, if a vulnerability is detected the
scanners will execute until such time a virus is found.

Maybe two switches - EXITSCANONVULNERABILITY...

However, on the grander scale of things if nothing changed on this I would
still use EXITSCANONVIRUS as long as it observes the various delivery
options on vulnerabilities.

Darrell

---
invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the default
configuration. Download a copy today - http://www.invariantsystems.com


- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Saturday, May 28, 2005 12:49 PM
Subject: RE: [Declude.Virus] EXITSCANONVIRUS


John, can you expand on that?

In my implementation, there is no difference in message treatment if a
vulnerability or virus is detected.  Therefore, I am happy to stop the
virus scanning if a vulnerability is detected.  That is, as long as
ALLOWVULNERABILITIESFROM is still respected.

Of course, I've already found that these two had too many false
positives for the safety they afford, so I've turned them off:

BANPARTIAL OFF
BANCRVIRUSES OFF

which leaves me with

BANCLSID ON

which has never been triggered.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Saturday, May 28, 2005 12:34 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS


Well, here is an example of what I was hoping not to see.

05/27/2005 23:35:14 Q112105DF2AB2 Vulnerability flags = 0
05/27/2005 23:35:14 Q112105DF2AB2 Outlook 'CR' vulnerability [Subject: H] in line 15
05/27/2005 23:35:15 Q112105DF2AB2 Virus scanner 1 reports exit code of 0
05/27/2005 23:35:15 Q112105DF2AB2 File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 0]
05/27/2005 23:35:36 Q112105DF2AB2 Scanned: CONTAINS A VIRUS
05/27/2005 23:35:36 Q112105DF2AB2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
05/27/2005 23:35:36 Q112105DF2AB2 Subject: How is Rebecca doing?

In this case, the subject line is the last line for the message in the
Declude Virus log in HIGH and it apparently shows that scanners 2 & 3
were not called. If it finds a vulnerability, it still should fire the
scanners to see if one of them finds an actual virus.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 On Behalf Of David Franco-Rocha [ Declude ]
 Sent: Friday, May 27, 2005 7:21 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] EXITSCANONVIRUS

 John,

 There is a processing loop wherein all the scanners are called in
 succession. It is independent of vulnerability checking. This
 directive merely tells Declude to break out of the external virus
 scanner execution loop. If you use this directive to exit the scanning
 loop on virus detection and (1) you have 5 scanners listed in your cfg
 file and (2) a virus is detected by the first scanner listed, then the
 effect is exactly the same in processing as if you had a single scanner
 listed and a virus were detected by that single scanner.

 David Franco-Rocha
 Declude Technical Support

 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Friday, May 27, 2005 2:50 AM
 Subject: [Declude.Virus] EXITSCANONVIRUS


 A question about this new feature.

 Am I correct in thinking that as soon as a scanner reports a virus,
 the next scanner(s) in line will not be called and the message will be
 processed accordingly, and that it will not be affected by Declude
 first finding a banned attachment before having it scanned by a
 scanner?

 John T
 eServices For You




Re: [Declude.Virus] Strange behavior

2005-05-13 Thread Darrell \([EMAIL PROTECTED])




Does declude virus need any modification as such?

No...

Darrell
---
invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default
configuration. Download a copy today - http://www.invariantsystems.com



Re: [Declude.Virus] AV Gateway for external Customer

2005-05-12 Thread Darrell \([EMAIL PROTECTED])
Alex, 

Also make sure you add their mail servers address in the relay for ip 
address options in smtp.. 

Everything else you mentioned from the Declude side is correct and what we 
do. 

Darrell
-
invURIBL - Intelligent URI filtering plug-in for Declude.  Stops 85%+ of all 
SPAM with default configuration.  Try it today - 
http://www.invariantsystems.com 

Hirthe, Alexander writes: 

Hello, 

I want to provide Declude Services for a customer with his own Domino
Mailserver. Do I only need the Host entry and I'm done?
I found http://support.ipswitch.com/kb/IM-19980116-DM01.htm

At the moment the MX records are pointing to the customer's SMTP Security
Gateway.
In future they will/should point to our mailserver, and I'll create a
declude subdirectory for them \declude\customer.domain\$default$.JunkMail 

Did I forget anything? It sounds too easy :-) 

Alex 



Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Darrell \([EMAIL PROTECTED])
Matt, 

I am seeing the same thing - but my server (this one) is way more loaded 
than it should.  Scanner 2 is F-Prot as you can see there is an excessive 
amount of time when this issue occurs.  It was so bad that I ended up 
disabling F-Prot until I can get to the bottom of this. 

Darrell 

04/27/2005 01:33:51 Q24299D44015460F4 MIME file: readme.zip [base64; Length=56586 Checksum=6993656]
04/27/2005 01:33:51 Q24299D44015460F4 Banning file readme.zip.
04/27/2005 01:33:51 Q24299D44015460F4 Forging virus found: Likely forged sender was [EMAIL PROTECTED]
04/27/2005 01:33:51 Q24299D44015460F4 Scanner 1: Virus= the W32/[EMAIL PROTECTED] Attachment= [12] O
04/27/2005 01:34:39 Q24299D44015460F4 Could not find parse string Infection: in report.txt
04/27/2005 01:34:39 Q24299D44015460F4 File(s) are INFECTED [ the W32/[EMAIL PROTECTED]: 8]

Darrell 

Matt writes: 

After further review, I'm pretty sure that there is an F-Prot issue going 
on here. 

My server hasn't been hitting 100% yet today, and I also haven't seen any 
F-Prot timeouts, however I have found more compelling evidence that there 
is an issue with F-Prot that would probably lead to timeouts if the load 
was heavy while some messages were scanned.  I searched my logs today for 
examples of where McAfee found Mytob, but F-Prot didn't detect anything.  
There were a fair number of examples, and in every one, F-Prot took an 
uncharacteristically long time to scan the file.  Here are three examples 
that are marked with the gap corresponding to the F-Prot delays: 

   04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
   04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
   04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
   *--- 6 second gap where F-Prot scans message ---*
   04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection:  in report.txt
   04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
   04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
   04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
   04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
   04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
   04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
   04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

   04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
   *--- 4 second gap where F-Prot scans message ---*
   04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection:  in report.txt
   04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
   04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
   04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
   04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
   04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
   04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
   04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

   04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
   04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
   04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
   *--- 9 second gap where F-Prot scans message ---*
   04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection:  in report.txt
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
   04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
   04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
   04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day

I'm virtually certain that this is what was happening yesterday, but under 
heavier load, F-Prot was taking longer to scan the messages than the 30 
seconds that I allow it to.  There are no other long delays like this that 
I can find.  F-Prot based on past testing should detect a typical virus in 
100 ms on my system, but it is not only taking much more time to scan a 
very small file, it is also missing the virus. 

I suspect that this is happening on other systems, but the 
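
The timing check done by eye on the logs in this post, as an added example that is not part of the original thread or of Declude: it groups log entries by queue ID, re-joins wrapped lines, and reports per-message stalls and scanner timeouts. The sample log is constructed (queue IDs, file names and virus name are made up), and the function names and the 3-second threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry layout used by the log excerpts in this thread:
#   MM/DD/YYYY HH:MM:SS <queue id> <text>
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
TIMEOUT = re.compile(r"Virus scanner (\d+) didn't finish after (\d+) seconds")
PARSE_FAILURE = "Could not find parse string"

# Constructed sample: three messages interleaved, one entry wrapped across
# two lines and one hand-written annotation, as in the excerpts above.
SAMPLE_LOG = """\
04/28/2005 10:00:00 Q0A0000000000001A MIME file: doc.zip [base64; Length=5000 Checksum=600000]
04/28/2005 10:00:02 Q0B0000000000002B MIME file: note.zip [base64; Length=1200 Checksum=100200]
04/28/2005 10:00:02 Q0B0000000000002B Scanner 1: Virus=the W32/Example.A Attachment= [3] O
04/28/2005 10:00:02 Q0B0000000000002B Scanned: CONTAINS A VIRUS [MIME: 2 1400]
   *--- annotation line, ignored ---*
04/28/2005 10:00:07 Q0A0000000000001A Could not find parse string
   Infection:  in report.txt
04/28/2005 10:00:08 Q0A0000000000001A Scanner 2: Virus=the W32/Example.A Attachment= [0] O
04/28/2005 10:00:08 Q0A0000000000001A Scanned: CONTAINS A VIRUS [MIME: 2 5200]
04/28/2005 10:01:00 Q0C0000000000003C MIME file: test.exe [base64; Length=6400 Checksum=700000]
04/28/2005 10:01:30 Q0C0000000000003C ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/28/2005 10:01:32 Q0C0000000000003C Scanner 2: Virus=the W32/Example.A Attachment=test.exe [0] O
"""


def parse_entries(text):
    """Return (timestamp, queue_id, message) tuples, re-joining wrapped lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("*---", "---")):
            continue  # blank lines and hand-written annotations
        match = ENTRY.match(line)
        if match:
            stamp = datetime.strptime(match.group(1), "%m/%d/%Y %H:%M:%S")
            entries.append([stamp, match.group(2), match.group(3)])
        elif entries:
            entries[-1][2] += " " + line  # continuation of a wrapped entry
    return [tuple(entry) for entry in entries]


def find_slow_scans(text, threshold_seconds=3):
    """Report stalls between consecutive entries of one message, and timeouts."""
    by_message = defaultdict(list)
    for stamp, queue_id, message in parse_entries(text):
        by_message[queue_id].append((stamp, message))

    findings = []
    for queue_id, rows in by_message.items():
        rows.sort(key=lambda row: row[0])  # stable: keeps file order within a second
        for index, (stamp, message) in enumerate(rows):
            timeout = TIMEOUT.search(message)
            if timeout:
                # The log names the scanner itself, so no gap arithmetic is needed.
                findings.append({"queue_id": queue_id, "kind": "timeout",
                                 "scanner": int(timeout.group(1)),
                                 "seconds": int(timeout.group(2))})
                continue
            if index == 0:
                continue
            gap = int((stamp - rows[index - 1][0]).total_seconds())
            if gap >= threshold_seconds:
                findings.append({"queue_id": queue_id, "kind": "stall",
                                 "seconds": gap,
                                 "resumed_with": message,
                                 "parse_failure": PARSE_FAILURE in message})
    return findings


if __name__ == "__main__":
    for finding in find_slow_scans(SAMPLE_LOG):
        print(finding)
```

A stall is not attributed to a scanner number, because the `Scanner N:` line that follows names the scanner that detected the virus, not the one that was slow.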

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Darrell \([EMAIL PROTECTED])



Andrew,

During your test what did the CPU look like was it a solid 100%? I have
not run the test, but on my mail server when I was seeing the issue live it
was 100%.

Darrell
---
DLAnalyzer - Comprehensive reporting for Declude Junkmail and Virus. Try it
out - http://www.invariantsystems.com

- Original Message - 

  From: Colbeck, Andrew
  To: Declude.Virus@declude.com
  Sent: Thursday, April 28, 2005 8:18 PM
  Subject: RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

  I downloaded and manually scanned the file with F-Prot and McAfee multiple
  times.

  Desktop, WXP SP2, P4, 2.8 GHz
  F-Prot -5 seconds
  McAfee -0.4 seconds

  Server, W2K SP4, P3, 866 Hz
  F-Prot -10.1 seconds
  McAfee -1.21 seconds

  F-Prot is indeed returning an errorlevel of 8 on this, and it's definitely
  way out of line with the scanning time on this file.

  I'm enclosing the batch file I use to manually scan (and not clean) files.
  I monkeyed with all of the documented options and could not reduce the
  F-Prot scanning time. On the bright side, reviewing the parameters revealed
  that if you're not mindful and specify both the /type and /dumb options, the
  last one in the line wins (oops, I did that in my virus.cfg). Also, I
  learned that /packed is always on.

  I'm going to check for a similar malware detection, and submit it to F-Prot
  as a bug.

  I did get a reply on my previous report to them (after 6 days); they brought
  my request to the attention of the developers, but then reminded me that any
  non-zero return code is "undesirable". The request was to re-classify
  Mitglieder from "suspicious" to "virus" so that I could get the correct
  return code and thus the correct handling in my Declude Virus.

  Andrew 8)

  p.s. I use the TimeThis.exe command line utility from Microsoft to get
  sub-second intervals in batch files.
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Thursday, April 28, 2005 3:13 PM
  To: Declude.Virus@declude.com
  Subject: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

  Ok, I've captured one of these files and confirmed from a manual scan that
  it is still taking an excessive amount of time...but wait, there's more.
  The report.txt file that it creates shows that it detected Mytob, but every
  test where I send this to myself in E-mail results in no virus detected by
  F-Prot using VIRUSCODE 3, 6, 8, 9 or 10. I haven't gone as far as coding
  something up that can capture the exit code from the command line yet, but
  I would be curious what if any was returned.

  Here's what Declude Virus shows for this file when I send it to myself:

  04/28/2005 17:40:57 Q58666795008E87C7 MIME file: [text/html][7bit; Length=695 Checksum=54365]
  04/28/2005 17:40:57 Q58666795008E87C7 MIME file: doc.zip [base64; Length=56432 Checksum=6987426]
  --- 10 second gap while F-Prot scans ---
  04/28/2005 17:41:07 Q58666795008E87C7 Could not find parse string Infection: in report.txt
  04/28/2005 17:41:08 Q58666795008E87C7 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] I
  04/28/2005 17:41:08 Q58666795008E87C7 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
  04/28/2005 17:41:08 Q58666795008E87C7 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 57490]
  04/28/2005 17:41:08 Q58666795008E87C7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 192.168.100.100]
  04/28/2005 17:41:08 Q58666795008E87C7 Subject: [Fwd: Mail Delivery System]

  Here's a link to the virus for those that might want to test it out for
  themselves. Turn off your real-time virus scanner, right click the file and
  press save as, and rename it as doc.zip (it's not really a text file).

  http://administration.mailpure.com/virus/doc.txt

  Here's the command line for F-Prot that I was using with the file located
  in C:\test\doc.zip:

  C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=C:\test\report.txt C:\test\doc.zip

  Here's the output from the report.txt file when manually scanned:

  Virus scanning report - 28 April 2005 @ 17:45
  F-PROT ANTIVIRUS
  Program version: 3.16b
  Engine version: 3.16.6
  VIRUS SIGNATURE FILES
  SIGN.DEF created 28 April 2005
  SIGN2.DEF created 28 April 2005
  MACRO.DEF created 20 April 2005
  Search: C:\test\doc.zip
  Action: Report only
  Files: "Dumb" scan of all files
  Switches: /ARCHIVE /PACKED /SERVER /REPORT=C:\test\report.txt /SILENT /NOBOOT /NOMEM
  Memory was not scanned.
  Hard disk boot sectors were not scanned.
  C:\test\doc.zip-doc.scr-(Packed) is a security risk named W32/[EMAIL PROTECTED]
  Results of virus scanning:
  Files: 1
  MBRs: 0
  Boot sectors: 0
  Objects

[Declude.Virus] High CPU F-Prot

2005-04-27 Thread Darrell \([EMAIL PROTECTED])
In the last 24 hours I have seen F-Prot start to use an excessive amount of 
CPU.  Normally it very rarely shows up in task manager and now it has been 
using a considerable amount of CPU. 

Thoughts?
Darrell 


Comprehensive Declude Virus and Junkmail reporting with DLAnalyzer - 
http://www.invariantsystems.com


Re: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Darrell \([EMAIL PROTECTED])
Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 15:03:38 QE1E8CDE50080D601 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 15:03:38 QE1E8CDE50080D601 Deleting file with virus
04/27/2005 15:03:38 QE1E8CDE50080D601 Deleting E-mail with virus!
04/27/2005 15:03:38 QE1E8CDE50080D601 Scanned: CONTAINS A VIRUS [MIME: 2 70364]
04/27/2005 15:03:38 QE1E8CDE50080D601 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/27/2005 15:03:38 QE1E8CDE50080D601 Subject: hello

04/27/2005 17:50:01 Q08DE5B0200CC296E MIME file: test.exe [base64; Length=64512 Checksum=7880003]
04/27/2005 17:50:01 Q08DE5B0200CC296E Banning file with EXE extension [application/octet-stream].
04/27/2005 17:50:31 Q08DE5B0200CC296E ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 17:50:32 Q08DE5B0200CC296E Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=test.exe [0] O
04/27/2005 17:50:32 Q08DE5B0200CC296E File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 17:50:32 Q08DE5B0200CC296E Deleting file with virus
04/27/2005 17:50:32 Q08DE5B0200CC296E Deleting E-mail with virus!
04/27/2005 17:50:32 Q08DE5B0200CC296E Scanned: CONTAINS A VIRUS [MIME: 2 64690]
04/27/2005 17:50:32 Q08DE5B0200CC296E From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/27/2005 17:50:32 Q08DE5B0200CC296E Subject: Hello

04/27/2005 17:50:29 Q08E35B0200CC2989 MIME file: file.zip [base64; Length=64774 Checksum=7891080]
04/27/2005 17:50:59 Q08E35B0200CC2989 ERROR: Virus scanner 1 didn't finish after 30 seconds; terminating.
04/27/2005 17:51:01 Q08E35B0200CC2989 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/27/2005 17:51:01 Q08E35B0200CC2989 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/27/2005 17:51:01 Q08E35B0200CC2989 Deleting file with virus
04/27/2005 17:51:01 Q08E35B0200CC2989 Deleting E-mail with virus!
04/27/2005 17:51:01 Q08E35B0200CC2989 Scanned: CONTAINS A VIRUS [MIME: 2 64952]
04/27/2005 17:51:01 Q08E35B0200CC2989 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/27/2005 17:51:01 Q08E35B0200CC2989 Subject: Vzvqvwnocdebkj

Markus Gufler wrote:

11:59pm here so it's not a good time to watch the cpu usage as most people
have left the office some hours ago. Time to say good night for me too,
after not having seen anything strange with f-prot on my server at the moment.
|-)

Markus


  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, April 27, 2005 11:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

I saw F-Prot time out 3 times today in my logs, and I can't remember that
ever happening before.  McAfee didn't time out once, and that's usually the
first to go.  Maybe this explains the issue.  I think it's time to do some
performance monitoring to see what is up.

Matt



Darrell ([EMAIL PROTECTED]) wrote:


  In the last 24 hours I have seen F-Prot start to use an excessive amount
  of CPU.  Normally it very rarely shows up in task manager and now it has
  been using a considerable amount of CPU.
  Thoughts?
  Darrell

  Comprehensive Declude Virus and Junkmail reporting with DLAnalyzer -
  http://www.invariantsystems.com


  --
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=



  -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.Virus] Revisiting the McAfee command line arguments

2005-04-27 Thread Darrell \([EMAIL PROTECTED])



/PANALYZE - Turn on program heuristics.

I have been running this switch for a while and have not seen any issues
with it. I turned it on as a result of the jpeg exploit - see
http://www.mail-archive.com/declude.virus@declude.com/msg10831.html

Darrell
--
Comprehensive reporting on Declude Junkmail and Virus with DLAnalyzer -
http://www.invariantsystems.com

Darrell



Re: [Declude.Virus] Revisiting the McAfee command line arguments

2005-04-27 Thread Darrell \([EMAIL PROTECTED])
improved. If a virus is found with scanner 1, I'd like an option to avoid
calling later scanners. While it's good for comparison sakes, if a virus
is found, I don't need 2 other programs to confirm that.
I'd also like to have the PRESCAN ON/OFF setting moved within the virus
scanner definitions. I could then have one of the scanners scan all of the
e-mail, and the less effective scanner would run a Prescan

I have to agree 100% with this.  The option to bypass other scanners when a
virus is found would be a great option to have.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.



Re: [Declude.Virus] OT: Installing Sophos/Anti Virus

2005-04-20 Thread Darrell \([EMAIL PROTECTED])
Not that this solves the issue, but what if you installed Sophos first? 

Darrell

invURIBL - Intelligent URI Filtering for Declude Junkmail.  Blocks 85% of 
SPAM with the default configurations.  Try it out - 
http://www.invariantsystems.com 

Aaron Moreau-Cook writes: 

All, 

I have a Imail Server on a Windows 2003 server with Declude Virus 1.82.  

We have been running with three virus scanners, McAfee VirusScan 7.1, F-Prot
3.16b, and Nod32. After having nothing but trouble with Nod32 crashing on
our system we decided to replace Nod32 with another scanner. 

We tried to install PC-cillin, but it won't install on a Windows 2003
Server.
We tried to install Sophos, but it won't install because other Anti-Virus
applications are installed. 

So my question is, how do I get another third party scanner installed? How
has everyone else got Sophos installed on their systems? 

We'd like to use Sophos, but at this point I don't really care either way as
long as it is reliable and doesn't crash. 

Thanks, 

Aaron 



Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 



Re: [Declude.Virus] BANnotify.eml

2005-04-15 Thread Darrell \([EMAIL PROTECTED])
Without the attachments. 

Darrell 


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 

Robert Perez writes: 

I know this is a rookie question but anyway: 

Does BANnotify.eml file send the email with or without the attachment/s?



[Declude.Virus] DLAnalyzer 4.1.0 Released

2005-04-12 Thread Darrell \([EMAIL PROTECTED])
DLAnalyzer 4.1.0 has been released.  Version 4.1.0 is compatible with the 
enhanced logging changes introduced with Declude version 4.0.6. 

DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail 
and Virus statistics into one report.  Some of the features require the 
Enterprise or Standard version, but we also have a FREE LITE version 
available. 

Release Notes: http://www.invariantsystems.com/download/current/readme.txt 

Download: http://www.invariantsystems.com/dlanalyzer/download.asp 

We encourage all users of DLAnalyzer to upgrade to 4.1.0 as previous 
versions of DLAnalyzer will not work correctly with the new logging format 
of Declude 2.0.6. 

Any questions let me know,
Darrell 



Re: [Declude.Virus] Declude Update - Version 2.0.6

2005-03-30 Thread Darrell \([EMAIL PROTECTED])
Mark, 

As one of the testers I can say 2.0.6 is for Imail as well. 

Darrell 

Mark E. Smith writes: 

Will this version work with iMail as well? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 25, 2005 9:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Declude Update - Version 2.0.6 

We are in the final stages of getting version 2.0.6 ready for
release. 

We are completing the:
- Code reviews
- Documentation
- Release notes
- Packaging

We expect to have the software available for general release
week beginning April 4. 

Barry 

Barry Simpson
www.declude.com
Office (866) 332-5833 



 



Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 


Re: [Declude.Virus] New virus new__price.zip

2005-03-01 Thread Darrell ([EMAIL PROTECTED])
I am seeing it detected as Bagle.BL by F-Prot.  It is not being detected 
by Mcafee right now. 

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 

Markus Gufler writes: 

Seems there is something going on, please check your virus logs. 

... 

Markus 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] 



Re: [Declude.Virus] F-prot help

2005-02-18 Thread Darrell ([EMAIL PROTECTED])
Mark,

When you say "on access is set to on" and then below that you mentioned 
the realtime scanner was not installed. Do you have an on access virus 
scanner running? Even one other than F-Prot that may be scanning your 
server?

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, 
MRTG Integration, and Log Parsers.

  - Original Message -
  From: Mark Gordon
  To: Declude.Virus@declude.com
  Sent: Friday, February 18, 2005 2:44 PM
  Subject: [Declude.Virus] F-prot help

  This has been hashed out before and I checked the archive. I cannot get
  my installation of declude to work.

  This is my config:

  C:\scanners\fprot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /DUMB REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 REPORT Infection:

  On access is set to On.

  Here is my error. I have reinstalled f-prot twice. The scheduler and
  realtime scanners have not been installed.

  02/18/2005 14:25:30 Q412a0025005613ea 1 [1 of 2 not deleted] files were deleted; assuming external virus scanner found a virus
  02/18/2005 14:25:30 Q412a0025005613ea File(s) are INFECTED [: 13]
  02/18/2005 14:25:30 Q412a0025005613ea Scanned: CONTAINS A VIRUS [MIME: 1 883]
  02/18/2005 14:25:30 Q412a0025005613ea From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 206.27.11.13]
  02/18/2005 14:25:30 Q412a0025005613ea Subject: virustest-1

  It used to give the name of the virus and now nothing.


Re: [Declude.Virus] log question

2005-01-26 Thread Darrell ([EMAIL PROTECTED])
Thomas,

The line you are looking for is the "Last Action" line. The line you 
posted means the message triggered the ipnotinmx test, which normally is 
not used to punish messages. This message had a total weight of -5. From 
the information provided, Declude did not toss that message. You now need 
to search your Imail logs and see what happened next. If you post more 
log snippets it might shed some more light.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, 
MRTG Integration, and Log Parsers.

  - Original Message -
  From: Thomas Doxtater
  To: declude.virus@declude.com
  Sent: Wednesday, January 26, 2005 6:11 PM
  Subject: [Declude.Virus] log question

  Hi all,

  We had some problems with a spam assassin box filling up over the past
  weekend and, needless to say, it caused some grief with mail delivery.
  The problem I'm having presently is that there are a few legitimate
  emails that got logged in Imail and declude, but didn't get delivered
  properly. Here is a snip from the declude log (I think) highlighting one
  of the emails.

  10:53:34 Q850dc49c00d6246c Tests failed [weight=-5]: IPNOTINMX=IGNORE CATCHALLMAILS=IGNORE

  I'm not sure exactly what I'm looking at, or if this is the cause of why
  the message didn't get delivered. If I'm reading this right, it seems
  that the message failed the listed tests and was tossed. If that's the
  case, did it get put into a folder I can recover it from or no?

  Thanks for your help,

  Thomas Doxtater
  Systems Administrator
  Finishline Studios
  [EMAIL PROTECTED]
  Office: 608.253.4088
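
The log lines quoted in the "F-prot help" and "log question" threads above can be triaged per spool ID with a short script. This is an added example, not code from the posters or from Declude; the line layout is inferred only from those quoted lines, and reading "[: 13]" as "[virus name: number]" and the value after "=" as the configured action are assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the two posts above (addresses already redacted by the archive).
SAMPLE = """\
02/18/2005 14:25:30 Q412a0025005613ea 1 [1 of 2 not deleted] files were deleted; assuming external virus scanner found a virus
02/18/2005 14:25:30 Q412a0025005613ea File(s) are INFECTED [: 13]
02/18/2005 14:25:30 Q412a0025005613ea Scanned: CONTAINS A VIRUS [MIME: 1 883]
02/18/2005 14:25:30 Q412a0025005613ea Subject: virustest-1
10:53:34 Q850dc49c00d6246c Tests failed [weight=-5]: IPNOTINMX=IGNORE CATCHALLMAILS=IGNORE
"""

# Assumed shape: optional date, time, spool id starting with Q, then free text.
LINE = re.compile(r"^(?:\d{2}/\d{2}/\d{4} )?(\d{2}:\d{2}:\d{2}) (Q[0-9a-f]+) (.*)$")
# Assumed layout "[name: number]"; an empty name means no virus name was reported.
INFECTED = re.compile(r"File\(s\) are INFECTED \[(.*?): (\d+)\]")
TESTS = re.compile(r"Tests failed \[weight=(-?\d+)\]: (.*)")

def parse(text):
    """Group log lines by spool id and pull out the verdict-related fields."""
    msgs = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-message line
        _, qid, rest = m.groups()
        rec = msgs[qid]
        if (v := INFECTED.search(rest)):
            rec["virus_name"] = v.group(1).strip()
            rec["scanner_code"] = int(v.group(2))
        elif (t := TESTS.search(rest)):
            rec["weight"] = int(t.group(1))
            rec["tests"] = dict(p.split("=", 1) for p in t.group(2).split())
        elif rest.startswith("Subject: "):
            rec["subject"] = rest[len("Subject: "):]
    return dict(msgs)

def findings(msgs):
    """Return the notes an admin would follow up on."""
    out = []
    for qid, r in msgs.items():
        if "scanner_code" in r and not r["virus_name"]:
            out.append(f"{qid}: flagged infected (number {r['scanner_code']}) but no virus name in the log")
        if "tests" in r and all(a == "IGNORE" for a in r["tests"].values()):
            out.append(f"{qid}: weight {r['weight']}, all failed tests are IGNORE; check the Last Action line")
    return out

if __name__ == "__main__":
    for note in findings(parse(SAMPLE)):
        print(note)
```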


Re: [Declude.Virus] Virtual domains

2005-01-14 Thread Darrell ([EMAIL PROTECTED])
Yes it does. 

Darrell 


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log 
Parsers. 

Chris Hunt writes: 

My company is merging with another printing company (they are moving in 
w/us) 

I setup a virtual domain for their old domain and also the new domain.  
Email is flowing just fine. 

Does declude AV protect virtual domains? 

Chris 

---
[This E-mail scanned for viruses by Declude/F-Prot AV] 

