[Declude.Virus] ClamAv / ClamWin with Declude

2010-11-24 Thread Gary Steiner
What version or port of ClamAV are you using with Declude?  I've been 
reading on the SmarterTools forums about the problems with ClamWin, and was 
wondering if the majority are using this port or a different one?

SmarterTools has been referring people to this link:
http://www.h-online.com/open/news/item/Free-ClamWin-virus-scanner-moves-most-of-Windows-into-quarantine-1139430.html


Which port of ClamAV does Declude recommend?






---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.



RE: [Declude.Virus] Parsing of Report.txt

2009-02-05 Thread Gary Steiner
David,

If 4.4.25 "is available to all with service agreements", where is it?  
Declude's main download page shows 4.4.0, and the interim page shows 
versions 4.4.23 and 4.4.24.

And, as your readme.txt file in your interim directory says, "Interim 
releases are versions of Declude that are released between betas (some 
software companies refer to these as "alphas"). They have one major 
advantage to betas and released versions: they allow our customers to get 
fixes and new features very, very quickly. We can often have a fix in less 
than an hour.  However, there are a number of drawbacks..."

Interim releases are not production releases.  You cannot substitute a 
production release with an interim release.  And trying to equate an 
interim release with an "official" production release is disingenuous.

If there is a stable release with significant bug fixes (such as deleting 
the .txt files being left in the work directory by AVG), then why has it 
taken this long for Declude to release it "officially"?  Declude's answer 
for a problem should not be to tell me to install an alpha or beta version 
of their product on my production server.

Gary Steiner



 Original Message 
> From: "David Barker" 
> Sent: Thursday, February 05, 2009 11:03 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Parsing of Report.txt
> 
> Scott I got that point. There have been interims throughout the year we are
> now on 4.4.25 which is available to all with service agreements. I can roll
> this up into an official release.
> 
> 
> David B
> 
>  
> 
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
> Sent: Thursday, February 05, 2009 1:24 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Parsing of Report.txt
> Sensitivity: Personal
> 
>  
> 
> I think you missed the real point of Andy's email.
> 
>  
> 
> The last official Declude release was 4.4.0 on 3/17/2008. It's already
> February 2009, so it's about a year with no official releases. That
> doesn't make me feel like I'm getting much out of my maintenance renewal
> money.
> 
> 
> Scott Fisher
> Director of IT
> Farm Progress Companies
> 255 38th Avenue, Suite P
> St. Charles IL 60174-5410
> 630/462-2323
> fax 630/462-2957
> sfis...@farmprogress.com 
> www.farmprogress.com <http://www.farmprogress.com/>
> 
> 
> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
> Sent: Thursday, February 05, 2009 12:02 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Parsing of Report.txt
> Sensitivity: Personal
> 
>  
> 
> Hi Andy we will certainly look at this, although to be clear, it is very
> presumptuous to say that adding this will only be 2 min work.  Please be
> careful when making statements like this because it raises a false
> expectation for others. You have no idea about the complexity of the code,
> other items being worked on, priorities, resource allocation, support,
> issues, costs or time available.
> 
> Thanks
> 
> David Barker
> VP Operations Declude
> Your Email security is our business
> 978.499.2933 office
> 978.988.1311 fax
>  <mailto:dbar...@declude.com> dbar...@declude.com
> 
>  
> 
>  
> 
>  
> 
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
> Schmidt
> Sent: Thursday, February 05, 2009 12:44 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Parsing of Report.txt
> Sensitivity: Personal
> 
>  
> 
> Hi,
> 
>  
> 
> With the ability of ClamD to run at lightning speed as a native Windows
> service (e.g., http://oss.netfarm.it/clamav, without CygWin), offering
> frequent updates during the day (quite contrary to the internal scanner that
> often lags days behind) and has acceptable licensing terms - it certainly is
> a highly attractive external scanner that should be fully supported by
> 

RE: [Declude.Virus] ClamAv with Declude

2009-01-02 Thread Gary Steiner
Here is a comment by the SOSDG ClamAV author on the SmarterMail forum:

http://www.smartertools.com/forums/p/22257/59718.aspx#59718



 Original Message 
> From: "Gary Steiner" 
> Sent: Monday, December 29, 2008 3:20 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAv with Declude
> 
> There is an announcement on the SOSDG web site saying they will no longer 
> support their version of ClamAV.
> 
> http://www.sosdg.org/clamav-win32
> 
> Is anyone using a different port of ClamAV with Declude?  Has anyone had 
> success with http://www.clamwin.com/  ?
> 
> 
> 
> 
>  Original Message 
> > From: "Scott Fisher" 
> > Sent: Monday, December 29, 2008 7:39 AM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] ClamAv with Declude
> > 
> > I use the runclamscan program to call clamav. Here's my virus.cfg lines
> > 
> > SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l report.txt
> > VIRUSCODE1 1
> > REPORT1 FOUND
> > 
> > -Original Message-
> > From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
> > Sent: Sunday, December 28, 2008 11:29 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] ClamAv with Declude
> > 
> > 
> > On Dec 28, 2008, at 8:36 AM, Hirthe, Alexander wrote:
> > 
> > > http://www.mail-archive.com/declude.virus@declude.com/msg14082.html
> > 
> > Ok, thanks for the excellent beginning ... I'm using the Clamav-win32  
> > from sosdg.org
> > 
> > Freshclam installed all the latest files just fine
> > 
> > Got it all installed ...  but something still not working:
> > 
> > (1) I got clamd installed as a service
> > 
> > (2) In my virus.cfg I have
> > 
> > scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
> > viruscode 1
> > report FOUND
> > 
> > 
> > (3) In my logs it reports
> > 
> > Could Not Parse String FOUND in report.txt
> > Error 2 in virus scanner 1
> > Scanned: Error in Virus scanner [MIME: 1 991]
> > 
> > -
> > 
> > So I'm assuming I need another type code or way for freshclam to exit  
> > cleanly if it doesn't find a virus?
> > 
> > David
> > 



RE: [Declude.Virus] ClamAv with Declude

2008-12-29 Thread Gary Steiner
There is an announcement on the SOSDG web site saying they will no longer 
support their version of ClamAV.

http://www.sosdg.org/clamav-win32

Is anyone using a different port of ClamAV with Declude?  Has anyone had 
success with http://www.clamwin.com/  ?




 Original Message 
> From: "Scott Fisher" 
> Sent: Monday, December 29, 2008 7:39 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAv with Declude
> 
> I use the runclamscan program to call clamav. Here's my virus.cfg lines
> 
> SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l report.txt
> VIRUSCODE1 1
> REPORT1 FOUND
> 
> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
> Sent: Sunday, December 28, 2008 11:29 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] ClamAv with Declude
> 
> 
> On Dec 28, 2008, at 8:36 AM, Hirthe, Alexander wrote:
> 
> > http://www.mail-archive.com/declude.virus@declude.com/msg14082.html
> 
> Ok, thanks for the excellent beginning ... I'm using the Clamav-win32  
> from sosdg.org
> 
> Freshclam installed all the latest files just fine
> 
> Got it all installed ...  but something still not working:
> 
> (1) I got clamd installed as a service
> 
> (2) In my virus.cfg I have
> 
> scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
> viruscode 1
> report FOUND
> 
> 
> (3) In my logs it reports
> 
> Could Not Parse String FOUND in report.txt
> Error 2 in virus scanner 1
> Scanned: Error in Virus scanner [MIME: 1 991]
> 
> -
> 
> So I'm assuming I need another type code or way for freshclam to exit  
> cleanly if it doesn't find a virus?
> 
> David
> 




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
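
The virus.cfg lines quoted in this thread pair VIRUSCODE 1 with REPORT FOUND, which lines up with ClamAV's documented exit statuses (0 no virus, 1 virus found, 2 error) and its `<path>: <signature> FOUND` log lines. The following is an added example, not code from Declude or from any poster: a Python triage that separates a real detection from a scanner failure such as the "Error 2" case reported above. It assumes, which the page does not confirm, that the error number is the scanner's exit status; the sample report text is constructed.

```python
import re

# Exit statuses documented in the clamscan / clamdscan man pages.
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2

# A detection line in the log has the form "<path>: <signature> FOUND".
# The greedy path group keeps Windows drive letters ("C:\...") intact.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")
# Errors appear either as "ERROR: <text>" or as "<path>: <text> ERROR".
ERROR_RE = re.compile(r"^(?:ERROR: .+|.+ ERROR)\s*$")

# Constructed sample report contents (not taken from the thread).
SAMPLE_INFECTED = "C:\\spool\\D1234.smd: Eicar-Test-Signature FOUND\n"
SAMPLE_ERROR = "ERROR: Can't connect to clamd.\n"
SAMPLE_CLEAN = ""


def triage(exit_code, report_text):
    """Combine exit status and report text into one verdict.

    Anything that is not an unambiguous 'clean' or 'infected' result is
    reported as 'scanner-error', so the caller can hold the message
    instead of delivering mail that was never actually scanned.
    """
    detections, errors = [], []
    for line in report_text.splitlines():
        found = FOUND_RE.match(line)
        if found:
            detections.append((found.group("path"), found.group("sig")))
        elif ERROR_RE.match(line):
            errors.append(line.strip())

    if exit_code == EXIT_INFECTED and detections:
        verdict = "infected"
    elif exit_code == EXIT_CLEAN and not detections and not errors:
        verdict = "clean"
    else:
        # Exit status 2, an exit status of 1 with nothing to parse, or a
        # report that contradicts the exit status: fail closed.
        verdict = "scanner-error"
    return {"verdict": verdict, "detections": detections, "errors": errors}


if __name__ == "__main__":
    for code, text in ((EXIT_INFECTED, SAMPLE_INFECTED),
                       (EXIT_ERROR, SAMPLE_ERROR),
                       (EXIT_CLEAN, SAMPLE_CLEAN)):
        print(code, triage(code, text))
```

An exit status of 2 with no FOUND line is the pattern to check first when the daemon is installed but the client cannot reach it.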



re: [Declude.Virus] ClamAV

2008-06-06 Thread Gary Steiner
I've been using the SOSDG version of ClamAV (http://www.sosdg.org/clamav-win32) 
with no problem.  This is the same version/port of ClamAV that SmarterMail ships 
with their product.

The trick is setting it up to run as a service with runclamscan and runclamd.  
These are included with ClamAV in the "thirdparty" directory.

This is what I have in virus.cfg:

SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND




 Original Message 
> From: "Bonno Bloksma" <[EMAIL PROTECTED]>
> Sent: Thursday, June 05, 2008 1:45 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] ClamAV
> 
> Hi,
> 
> Been using the old F-prot v3 as a second scanner but I disabled it today. As 
> the new F-prot 6 scanner is not allowed with Declude, well sort of but I 
> don't want to pay that much ;-) I wanted to use ClamAV as an extra scanner.
> 
> In the past it was a bit difficult I seem to remember but is it really as 
> easy as 1-2-3 today?
> Go to http://w32.clamav.net/ and download
> - The Windows msi file
> - The initial virus signatures
> - Pthreads (I seem to need it).
> Install the msi
> Copy the initial signature files to C:\Program Files\clamAV\data or something 
> like it.
> 
> But then
> Make sure the sig files are updated... but how?
> 
> Let Declude (according to http://www.declude.com/searchresults.asp?Cat=124) 
> call ClamAV using:
>  SCANFILE [Drive:]\[Path]\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0  -l report.txt
> Which would probably translate to
>  SCANFILE C:\Program Files\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0  -l report.txt
> or would
>  SCANFILE C:\IMail\Declude\Scanners\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0  -l report.txt
> be a better solution.
> 
> There is also a clamscam.txt file in the C:\IMail\declude\scanners\ClamAV 
> directory that seems to suggest something else.
> 
> So where is a HOWTO to get it up and running with Declude? I'm sure I'm not 
> the first to look at the combination, so how did YOU do it. :-)
> 
> 
> 
> 
> Kind regards,
> Bonno Bloksma
> head of systems administration
> 
> 
> 
> tio hogeschool hospitality en toerisme 
> begijnenhof 8-12 / 5611 el eindhoven
> t 040 296 28 28 / f 040 237 35 20
> [EMAIL PROTECTED]  / www.tio.nl 
> 



re: [Declude.Virus] bit OT: RunClamD on 64 Bit Windows 2003?

2008-03-20 Thread Gary Steiner
Don't know if this relates to your situation, but hope it helps. I ran into a 
problem similar to this, but on a 32-bit machine.  It was caused when the 
software was installed with an account that had administrator privileges, but 
not THE Administrator account.  So possibly you are looking at some type of 
permissions problem.

Gary


 Original Message 
> From: "Hirthe, Alexander" <[EMAIL PROTECTED]>
> Sent: Thursday, March 20, 2008 3:42 AM
> To: "declude.virus@declude.com" 
> Subject: [Declude.Virus] bit OT: RunClamD on 64 Bit Windows 2003?
> 
> Hello,
> 
> has anyone tried runclamd on 64 Bit Windows 2003?
> 
> I can't get it to work :-/
> ---
> 03-20-2008 11:15:39Status: 2
> 03-20-2008 11:15:39 SERVICE_START_PENDING
> 03-20-2008 11:15:39Status: 4
> 03-20-2008 11:15:39 startfailed 0
> ---
> 
> That's the only "error" I'm getting. Nothing in /log, nothing in the 
> eventlog, just this "startfailed".
> The Service RunClamD is running, but ClamD does not work (no log and 
> clamdscan says "can't connect to ClamD")
> 
> I tried the one I got from my IMail / Declude installation (on 32 Bit 2003 
> Server), I tried the one from ClamAV 
> (\clamav-devel\thirdparty\runclamd\runclamd.exe)
> 
> Same error. It's running on the 32 Bit machines, so I think (hope :) it could 
> be the 64 Bit OS and not me :))
> 
> If I start ClamD from the command line it works. Path is correct, Logfile 
> could be written, Security is ok.
> 
> I don't know, what else it should be.
> 
> Alex
> 
> 
> 
> 
> Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
> Executive Board: Prof. H.-F. Siller (Chairman), Joern Buelow, Ralf Michi
> Chairman of the Supervisory Board: Armin Sohler
> Registered at Stuttgart court, HRB 107707, VAT ID No. DE145782955
> 
> 



re: [Declude.Virus] ClamAV with a strong aroma

2007-06-26 Thread Gary Steiner
I'm using the SOSDG port which is currently at version 0.90.3-3c and have not 
encountered the problem you describe.  Then again, I'm also using SmarterMail, 
so don't know if this may be an IMail compatibility problem.


 Original Message 
> From: "John Shacklett" <[EMAIL PROTECTED]>
> Sent: Tuesday, June 26, 2007 8:25 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] ClamAV with a strong aroma
> 
> Is anyone using ClamWin 0.90.2.1 with Declude AV? I was, using the following
> line from the virus.cfg:
>  
> SCANFILE4 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=C:\Docume~1\AllUse~1\.clamwin\db --tempdir=C:\PROGRA~1\IPSWITCH\IMAIL\Declude\Scanners\ClamAV --no-summary -l report.txt
> 
> All of a sudden last week, it started filling my
> C:\PROGRA~1\IPSWITCH\IMAIL\Declude\Scanners\ClamAV folder with *.clamtmp
> folders that wouldn't clear [and chewed up 100GB of free space in a couple
> of days], and I also started getting "did not finish in time" messages in
> the vir.logs, and it threw my CPU usage to 100% constantly. I commented
> clam back out and the performance went right back to normal.
>  
> Has anyone else seen anything unusual with clamav performance recently?
>  
>  
> John S.
> 
> 
> 







[Declude.Virus] OT: Prevx and malware detection

2007-05-08 Thread Gary Steiner
Does anyone have any experience with Prevx for malware detection?  I've been 
looking at different products and after googling this one seems to be well 
recommended.

I was playing around with Windows Defender, but since it is a beta, I'm not 
sure how serious Microsoft is taking it at this point.

Gary Steiner









RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-05-07 Thread Gary Steiner
I received a message over the weekend from Declude stating that my ticket on 
this issue has been closed.  When I read it, I assumed this meant that Declude 
has fixed the bug and has released a version that is now able to detect 
encrypted RAR files.  When will we be able to download this newly fixed version?

Gary Steiner



 Original Message 
> From: "David Barker" <[EMAIL PROTECTED]>
> Sent: Wednesday, May 02, 2007 4:19 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude 
> failures
> 
> Yes I apologize I only realized the next day (Saturday) that this would not
> work because the message will be scanned if it is under a HOLD or DELETE
> threshold.
> 
> David 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> Steiner
> Sent: Wednesday, May 02, 2007 4:03 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude
> failures
> 
> I am confused as to how this would work, as BANEXT RAR in EVA will hold
> those files regardless of the weight.
> 
> Has anyone worked out a way to ban small RAR files that would contain the
> virus, and pass large RAR files that most likely would not?
> 
> I'm trying to find a work around until Declude figures out how to detect
> encrypted RAR files.  Right now I'm banning all RAR files, then have to go
> in and manually re-submit the legitimate RAR files that my customers are
> sending.
> 
> Gary
> 
> 
> 
>  Original Message 
> > From: "David Barker" <[EMAIL PROTECTED]>
> > Sent: Friday, April 27, 2007 5:52 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] More info about encrypted RAR virus and 
> > Declude failures
> > 
> > You may be able to do something with the MSGSIZE test in conjunction 
> > with AVAFTERJM ON eg.
> > 
> > SIZE-10MB   msgsize 10240   x   -50 0
> > 
> > David Barker
> > VP Operations  |  Declude
> > Your Email Security is our business
> > O: 978.499.2933  x7007
> > F: 978.988.1311   
> > E: [EMAIL PROTECTED]
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Gary Steiner
> > Sent: Friday, April 27, 2007 4:25 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] More info about encrypted RAR virus and 
> > Declude failures
> > 
> > It's not that difficult.  The legitimate messages with rar attachments 
> > are big (usually 10MB and up) so it's not hard to separate them from 
> > the image spam and common viruses being held in the virus directory.
> > 
> > As mentioned by Craig in an earlier post, it would be nice if Declude 
> > added the capability to skip banning on files of large size.
> > 
> > 
> > 
> >  Original Message 
> > > From: "John T \(lists\)" <[EMAIL PROTECTED]>
> > > Sent: Friday, April 27, 2007 3:56 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] More info about encrypted RAR virus and 
> > > Declude failures
> > > 
> > > > Until Declude resolves the issue with BANEXT EZIP, I've had to ban 
> > > > all rar files.  Unfortunately some of my customers regularly send 
> > > > rar attachments, so I've had to check the virus hold directory on 
> > > > a regular basis and manually resubmit any false positives there.
> > > > 
> > > > Gary
> > > 
> > > Instead of manually checking for legit files, use the BANEXT.eml 
> > > file to send a postmaster message that you get and/or the recipient 
> > > and/or sender get and that notice can be reviewed a lot easier than 
> > > manually checking the hold directory.
> > > 
> > > John T
> > > 
> > > 
> > > 
> > > 

RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-05-02 Thread Gary Steiner
I am confused as to how this would work, as BANEXT RAR in EVA will hold those 
files regardless of the weight.

Has anyone worked out a way to ban small RAR files that would contain the 
virus, and pass large RAR files that most likely would not?

I'm trying to find a work around until Declude figures out how to detect 
encrypted RAR files.  Right now I'm banning all RAR files, then have to go in 
and manually re-submit the legitimate RAR files that my customers are sending.

Gary



 Original Message 
> From: "David Barker" <[EMAIL PROTECTED]>
> Sent: Friday, April 27, 2007 5:52 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude 
> failures
> 
> You may be able to do something with the MSGSIZE test in conjunction with
> AVAFTERJM ON eg.
> 
> SIZE-10MB msgsize 10240   x   -50 0
> 
> David Barker
> VP Operations  |  Declude
> Your Email Security is our business
> O: 978.499.2933  x7007
> F: 978.988.1311   
> E: [EMAIL PROTECTED]
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> Steiner
> Sent: Friday, April 27, 2007 4:25 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude
> failures
> 
> It's not that difficult.  The legitimate messages with rar attachments are
> big (usually 10MB and up) so it's not hard to separate them from the image
> spam and common viruses being held in the virus directory.
> 
> As mentioned by Craig in an earlier post, it would be nice if Declude added
> the capability to skip banning on files of large size.
> 
> 
> 
>  Original Message 
> > From: "John T \(lists\)" <[EMAIL PROTECTED]>
> > Sent: Friday, April 27, 2007 3:56 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] More info about encrypted RAR virus and 
> > Declude failures
> > 
> > > Until Declude resolves the issue with BANEXT EZIP, I've had to ban 
> > > all rar files.  Unfortunately some of my customers regularly send 
> > > rar attachments, so I've had to check the virus hold directory on a 
> > > regular basis and manually resubmit any false positives there.
> > > 
> > > Gary
> > 
> > Instead of manually checking for legit files, use the BANEXT.eml file 
> > to send a postmaster message that you get and/or the recipient and/or 
> > sender get and that notice can be reviewed a lot easier than manually 
> > checking the hold directory.
> > 
> > John T
> > 
> > 
> > 
> > 



RE: [Declude.Virus] re: new virus with .rar attachment

2007-05-02 Thread Gary Steiner
So, how's the investigation going?


 Original Message 
> From: "David Barker" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 25, 2007 6:43 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] re: new virus with .rar attachment
> 
> Not sure if it is a bug just yet, I have submitted it for investigation.
> 
> David Barker
> VP Operations  |  Declude
> Your Email Security is our business
> O: 978.499.2933  x7007
> F: 978.988.1311   
> E: [EMAIL PROTECTED]
>  
> 
> -Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> Steiner
> Sent: Wednesday, April 25, 2007 6:28 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] re: new virus with .rar attachment
> 
> Yes, junkmail is scanning before virus. 
> 
> I was referring to
> http://manuals.declude.com/proconlinehelp/eva_4.0.8_automatically_banning_all_encrypted_archive_files.htm
> According to the manual, BANEXT EZIP should also pick up password protected
> RAR files.
> 
> I've just been told by Declude support that the failure to pick up the
> password-protected RAR file is a bug, and that they are working on fixing
> it.
> 
> 
> 
>  Original Message 
> > From: "John T" <[EMAIL PROTECTED]>
> > Sent: Wednesday, April 25, 2007 5:41 PM
> > To: declude.virus@declude.com
> > Subject: Re:  [Declude.Virus] re: new virus with .rar attachment
> > 
> > Only if you also have BANEXT rar.
> > 
> > Do you have junkmail scanning before virus?
> > 
> > John T
> > 
> > -Original Message-
> > From: "Gary Steiner" <[EMAIL PROTECTED]> Sent 4/25/2007 
> > 10:44:37 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] re: new virus with .rar attachment
> > 
> > As a followup to this, in my virus.cfg I have BANEXT EZIP. Shouldn't 
> > this  have caught the password-protected .rar file? Declude passed the 
> > message  to SmarterMail without holding it. I'm running Declude 4.3.46.
> > 
> >  Original Message 
> > > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, April 25, 2007 1:31 PM
> > > To: declude.virus@declude.com
> > > Subject: new virus with .rar attachment
> > > 
> > > I started getting some messages today that were picked up as spam, 
> > > but were not being identified as viruses.  They looked suspicious, having 
> > > subject lines of
> > > 
> > > Virus Activity Detected!
> > > Spyware Alert!
> > > 
> > > It contains a .gif message that tells the user to open the .rar 
> > > file and run the patch there to protect them from the virus/spyware.
> > > 
> > > I ran it on www.virustotal.com, and the only scanner that picked it 
> > > up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> > > 
> > > http://vil.nai.com/vil/content/v_142094.htm
> > > 
> > > Since this is a password protected .rar file, should we now be blocking 
> > > these? 
> > 





---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
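
The messages above turn on whether a gateway can recognise a password-protected RAR attachment. As an added example (not Declude's code and not from any poster), this Python parser walks the RAR 4.x block headers and reports the two encryption flags that format defines: encrypted member data and fully encrypted headers. It assumes the RAR 4.x container only (RAR5 is not covered), does not verify header checksums, and builds its sample archives in code with hypothetical member names.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"   # signature of the RAR 1.5-4.x container
HEAD_MAIN, HEAD_FILE = 0x73, 0x74   # block types: archive header, file header
MHD_PASSWORD = 0x0080  # archive header flag: all later headers are encrypted
LHD_PASSWORD = 0x0004  # file header flag: this member's data is encrypted
LHD_LARGE = 0x0100     # file header flag: 64-bit size fields are present
LONG_BLOCK = 0x8000    # a 4-byte payload length follows the 7-byte base header


def rar4_encryption(data):
    """Return (verdict, names) for a byte string holding a RAR 4.x archive.

    verdict is one of 'not-rar4', 'malformed', 'headers-encrypted',
    'files-encrypted' or 'not-encrypted'; names lists encrypted members.
    """
    if not data.startswith(RAR4_MARKER):
        return ("not-rar4", [])
    pos, encrypted = len(RAR4_MARKER), []
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            return ("malformed", encrypted)
        if htype == HEAD_MAIN and flags & MHD_PASSWORD:
            # Member names and flags are unreadable without the password.
            return ("headers-encrypted", [])
        add_size = 0
        if flags & LONG_BLOCK or htype == HEAD_FILE:
            if hsize < 11:
                return ("malformed", encrypted)
            (add_size,) = struct.unpack_from("<I", data, pos + 7)
        if htype == HEAD_FILE:
            name_off = 40 if flags & LHD_LARGE else 32
            if hsize < name_off:
                return ("malformed", encrypted)
            (name_size,) = struct.unpack_from("<H", data, pos + 26)
            if flags & LHD_LARGE:
                (high,) = struct.unpack_from("<I", data, pos + 32)
                add_size |= high << 32
            if name_off + name_size > hsize:
                return ("malformed", encrypted)
            raw = data[pos + name_off:pos + name_off + name_size]
            if flags & LHD_PASSWORD:
                # Unicode names carry an ASCII part terminated by NUL.
                encrypted.append(raw.split(b"\x00")[0].decode("latin-1"))
        pos += hsize + add_size
    if pos < len(data):
        return ("malformed", encrypted)  # trailing bytes too short for a header
    return ("files-encrypted", encrypted) if encrypted else ("not-encrypted", [])


def build_block(htype, flags, body, payload=b""):
    # Sample builder. HEAD_CRC is left as 0 because the parser ignores it.
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body + payload


def build_file_block(name, flags, payload):
    # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD,
    # NAME_SIZE, ATTR, then the member name.
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0,
                       29, 0x30, len(name), 0x20) + name
    return build_block(HEAD_FILE, flags | LONG_BLOCK, body, payload)


# Constructed samples; member names and payload bytes are placeholders.
MAIN_PLAIN = build_block(HEAD_MAIN, 0, b"\x00" * 6)
SAMPLE_ENCRYPTED_MEMBER = (RAR4_MARKER + MAIN_PLAIN +
                           build_file_block(b"patch.exe", LHD_PASSWORD, b"\xaa" * 16))
SAMPLE_PLAIN = (RAR4_MARKER + MAIN_PLAIN +
                build_file_block(b"report.doc", 0, b"\xbb" * 16))
SAMPLE_ENCRYPTED_HEADERS = (RAR4_MARKER +
                            build_block(HEAD_MAIN, MHD_PASSWORD, b"\x00" * 6) +
                            b"\xcc" * 32)

if __name__ == "__main__":
    for label, blob in (("member", SAMPLE_ENCRYPTED_MEMBER),
                        ("plain", SAMPLE_PLAIN),
                        ("headers", SAMPLE_ENCRYPTED_HEADERS)):
        print(label, rar4_encryption(blob))
```

For a mail filter, "headers-encrypted", "files-encrypted" and "malformed" all mean the content could not be scanned, so they belong in the same hold path.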



re: [Declude.Virus] Interesting notes on recent virus activity from Kaspersky

2007-05-01 Thread Gary Steiner
Or does this show that there are too many people out there who don't have 
anti-virus software on their computers?


 Original Message 
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Tuesday, May 01, 2007 1:11 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Interesting notes on recent virus activity from 
> Kaspersky
> 
> http://www.viruslist.com/en/weblog?calendar=2007-04
>  
>  
> For example, here is point 8 of 10:
>  
> * Most Common Malicious Program in Email Traffic -
> Email-Worm.Win32.NetSky.q, which
> has been around for years, but still managed to account for 14% of all
> malicious email traffic in March, which just goes to show that the older
> malware is still going strong.
>  
>  
> Andrew.
>  
>  
>  
>  
>  
> 
> 



RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread Gary Steiner
It's not that difficult.  The legitimate messages with rar attachments are big 
(usually 10MB and up) so it's not hard to separate them from the image spam and 
common viruses being held in the virus directory.

As mentioned by Craig in an earlier post, it would be nice if Declude added the 
capability to skip banning on files of large size.



 Original Message 
> From: "John T \(lists\)" <[EMAIL PROTECTED]>
> Sent: Friday, April 27, 2007 3:56 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude 
> failures
> 
> > Until Declude resolves the issue with BANEXT EZIP, I've had to ban all
> > rar files.  Unfortunately some of my customers regularly send rar
> > attachments, so I've had to check the virus hold directory on a regular
> > basis and manually resubmit any false positives there.
> > 
> > Gary
> 
> Instead of manually checking for legit files, use the BANEXT.eml file to
> send a postmaster message that you get and/or the recipient and/or sender
> get and that notice can be reviewed a lot easier than manually checking the
> hold directory.
> 
> John T



Re: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread Gary Steiner
Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar 
files.  Unfortunately some of my customers regularly send rar attachments, so 
I've had to check the virus hold directory on a regular basis and manually 
resubmit any false positives there.

Gary


 Original Message 
> From: Matt <[EMAIL PROTECTED]>
> Sent: Friday, April 27, 2007 11:25 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] More info about encrypted RAR virus and Declude 
> failures
> 
> BANEXT RAR will block all RAR files, encrypted or not.  That wasn't the 
> issue at hand here.  It was related to BANEZIPEXTSON (in my case) 
> and possibly BANEZIPON.
> 
> Matt
> 
> 
> Dan Shadix wrote:
> >
> > BANEXT rar has been working great for me.
> >
> >  
> >
> > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
> > *Matt
> > *Sent:* Thursday, April 26, 2007 11:36 PM
> > *To:* declude.virus@declude.com
> > *Subject:* [Declude.Virus] More info about encrypted RAR virus and 
> > Declude failures
> >
> >  
> >
> > I have downloaded a copy of the virus and inspected it.  The file is a 
> > functional encrypted RAR with an EXE inside of the same file name.  I 
> > also researched why Declude might not be catching this and I believe 
> > that I know why.
> >
> > Declude will properly detect an executable within a RAR file and the 
> > fact that the file is encrypted.  I verified this with my own test on 
> > a file that I encrypted.  The problem however is the fact that you can 
> > also encrypt the file name within a RAR and not just the file.  The 
> > virus that was being spammed encrypted both the file name and the 
> > file, so Declude likely got hung up on trying to extract the name from 
> > the RAR.
> >
> > Note to Dave.  This took me all of 30 minutes to figure out.  
> > Unfortunately there is somewhat of a conundrum here as you will need 
> > to introduce new functionality in order to handle this appropriately.  
> > While I don't expect that RAR files will be commonly used for viruses 
> > due to the rarity of the client, it is definitely necessary to allow 
> > users to block encrypted RAR's when the file names are not 
> > extractable.  I have a recommendation for how to handle this which 
> > would be quite consistent with current behavior and possibly help with 
> > unexpected conditions with ZIP's too:
> >
> > For both encrypted ZIP's and encrypted RAR's where the file names 
> > can't be extracted, assume that it contains an EXE.  This will allow 
> > for those that want to block all encrypted files and those that only 
> > want to block them when there is an executable inside to maintain 
> > proper levels of protection.
> >
> >
> > Let me know if you would like some more feedback or information.
> >
> > Thanks,
> >
> > Matt
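The distinction Matt describes in the quoted post (encrypted file data with readable names versus encrypted file names) is visible in the RAR 1.5-4.x block headers, and his proposed rule is a fail-closed default. The sketch below is an added example, not part of the thread and not Declude's code; the sample archives are constructed header-only byte strings, and the policy names and extension list are assumptions.

```python
import struct

RAR3_MARKER = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x signature (RAR5 uses another layout)
HEAD_MAIN, HEAD_FILE = 0x73, 0x74
MHD_PASSWORD = 0x0080   # main header flag: every following block header is encrypted
LHD_PASSWORD = 0x0004   # file header flag: this member's data is encrypted
LHD_LARGE = 0x0100      # file header flag: 64-bit size fields precede the name
LONG_BLOCK = 0x8000     # block header is followed by ADD_SIZE bytes of data
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")   # assumed ban list


def inspect_rar3(data):
    """Walk block headers; report what a gateway can see without the password."""
    if not data.startswith(RAR3_MARKER):
        raise ValueError("not a RAR 1.5-4.x archive")
    report = {"names_readable": True, "names": [], "encrypted": []}
    pos = len(RAR3_MARKER)
    while pos < len(data):
        if pos + 7 > len(data):
            report["names_readable"] = False      # truncated header: fail closed
            break
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        need = 32 if htype == HEAD_FILE else (11 if flags & LONG_BLOCK else 7)
        if hsize < need or pos + hsize > len(data):
            report["names_readable"] = False      # corrupt or cut short: fail closed
            break
        if htype == HEAD_MAIN and flags & MHD_PASSWORD:
            report["names_readable"] = False      # names are ciphertext from here on
            break
        add_size = 0
        if flags & LONG_BLOCK:
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == HEAD_FILE:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_at = pos + 32
            if flags & LHD_LARGE:
                add_size |= struct.unpack_from("<I", data, pos + 32)[0] << 32
                name_at += 8
            raw = data[name_at:name_at + name_size].split(b"\x00")[0]
            name = raw.decode("latin-1")
            report["names"].append(name)
            if flags & LHD_PASSWORD:
                report["encrypted"].append(name)
        pos += hsize + add_size
    return report


def ban_verdict(data, policy="encrypted_with_exe"):
    """Return (ban, reason). Policy names are hypothetical, not Declude directives."""
    r = inspect_rar3(data)
    if not r["names_readable"]:
        # Rule proposed in the thread: unknown contents count as an executable,
        # so both policies block the message.
        return True, "names not extractable, assumed executable"
    if not r["encrypted"]:
        return False, "no encrypted members"
    if policy == "all_encrypted":
        return True, "encrypted member: " + r["encrypted"][0]
    for name in r["names"]:
        if name.lower().endswith(EXECUTABLE_EXTS):
            return True, "encrypted archive contains executable: " + name
    return False, "encrypted members, no executable name"


# --- constructed sample archives (headers only, HEAD_CRC left at 0, not verified) ---
def build_block(htype, flags, body=b"", payload=b""):
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body + payload


def build_file(name, flags=0, payload=b"\x00" * 4):
    fixed = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0,
                        29, 0x33, len(name), 0x20)
    return build_block(HEAD_FILE, LONG_BLOCK | flags, fixed + name, payload)


MAIN_BODY = b"\x00" * 6
PLAIN = RAR3_MARKER + build_block(HEAD_MAIN, 0, MAIN_BODY) + build_file(b"report.doc")
DATA_ENC = (RAR3_MARKER + build_block(HEAD_MAIN, 0, MAIN_BODY)
            + build_file(b"patch.exe", LHD_PASSWORD))
NAMES_ENC = (RAR3_MARKER + build_block(HEAD_MAIN, MHD_PASSWORD, MAIN_BODY)
             + b"\xa5" * 48)   # opaque bytes standing in for salt + encrypted headers

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("data-enc", DATA_ENC), ("names-enc", NAMES_ENC)):
        print(label, inspect_rar3(blob), ban_verdict(blob))
```

A truncated or corrupt header is treated the same way as encrypted names, so a damaged attachment cannot slip past the extension check.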



RE: [Declude.Virus] new virus with .rar attachment

2007-04-26 Thread Gary Steiner
Basically that is what ClamAV is doing.  It detects it as a phishing spam.


 Original Message 
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Thursday, April 26, 2007 6:11 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] new virus with .rar attachment
> 
> Gary, you beat them by a day with your own assessment, but Symantec
> blogged about this virus twice today:
> 
> http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam
> _attack_rared_trojan.html
> 
> An interesting point is that they have blocked 1.2 million messages by
> tackling the text of the message as spam.
> 
> Andrew.
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> > Behalf Of Gary Steiner
> > Sent: Wednesday, April 25, 2007 10:31 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] new virus with .rar attachment
> > 
> > I started getting some messages today that were picked up as 
> > spam, but were not being identified as viruses.  They looked 
> > suspicious, having subject lines of
> > 
> > Virus Activity Detected!
> > Spyware Alert!
> > 
> > It contains a .gif message that tells the user to open the 
> > .rar file and run the patch there to protect them from the 
> > virus/spyware.
> > 
> > I ran it on www.virustotal.com, and the only scanner that 
> > picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> > 
> > http://vil.nai.com/vil/content/v_142094.htm
> > 
> > Since this is a password protected .rar file, should we now be 
> > blocking these?



RE: [Declude.Virus] ClamAV lstat() failed. ERROR

2007-04-25 Thread Gary Steiner
I'll try to be more specific.

What I have in my virus.cfg file is essentially what has been posted here on 
the list by several different people as the accepted info to put in the file.

SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 
C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND

So I should be able to type the following at a command prompt and have it work:

C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt 123456789.eml

It used to work, but now it doesn't.  It generates the lstat error.  After some 
experimentation, I found that typing the following does work:

C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt 
C:\temp\123456789.eml

and so does this:

C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt C:\temp\123456789.eml

In setting virus.cfg to DEBUG, it shows Declude creating the long pathname.  
But since it deletes the report.txt file, I can't see what is being generated.  
When I reprocess the new RAR file worm, the Declude log lines show ClamAV 
giving a return code of zero.  When I do it from the command prompt, ClamAV 
says Email.Phishing.RB-686 FOUND.

When I test another message that is an image spam that is picked up by the 
Sanesecurity phishing files, Declude finds it with ClamAV, and ClamAV finds it 
using the command prompt.

So maybe this problem and the lstat error are unrelated.


 Original Message 
> From: "Andy Schmidt" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 25, 2007 8:33 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV lstat() failed. ERROR
> 
> Gary,
> 
> I'm not sure I understand your point.
> 
> What you define in Virus.cfg, e.g.:
> 
>   SCANFILE C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD
> D:\IMAIL\Declude\SCAN.CFG
> 
> is only the START of the command line, to which Declude appends the full
> path for the file it tries to scan.
> 
> So, if you defined:
> 
>   SCANFILE C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
> 
> and Declude is processing the file c:\temp\123456789.eml then it would
> issue the command
> 
>   c:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
> c:\temp\123456789.eml
> 
> 
> I recommend you turn on the debug mode for Declude virus and then inspect
> the relevant lines of the log (or send them to the list so that we can take
> a look at it). Obviously, you'd also need to share your virus.cfg
> configuration so that we understand the context.
> 
> Best Regards,
> Andy
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> Steiner
> Sent: Wednesday, April 25, 2007 6:39 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] ClamAV lstat() failed. ERROR
> 
> In pursuing the problem of the new worm with a password-protected RAR file,
> I found a problem with ClamAV.
> 
> I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with
> runclamd and runclamscan).
> 
> Declude uses the following string:
> C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
> 
> If I try to use it at a command prompt, I get the lstat() failed error. If I
> type in the full path for my command string, such as 
> C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt
> C:\temp\123456789.eml
> 
> it works. The problem is that Declude scans a file in a different directory
> each time, so the path changes. So for Declude to work now, it would require
> a significant change in Declude.
> 
> But ClamAV worked before. What changed? Can it be changed back? Is this a
> problem with ClamAV in general, or just with the SOSDG Windows port? Do the
> other ClamAV ports have this problem?
> 
> Any suggestions you might have are greatly appreciated.
> 
> Gary Steiner



[Declude.Virus] ClamAV lstat() failed. ERROR

2007-04-25 Thread Gary Steiner
In pursuing the problem of the new worm with a password-protected RAR file, I 
found a problem with ClamAV.

I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with runclamd 
and runclamscan).

Declude uses the following string:
C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

If I try to use it at a command prompt, I get the lstat() failed error. If I 
type in the full path for my command string, such as 
C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt 
C:\temp\123456789.eml

it works. The problem is that Declude scans a file in a different directory 
each time, so the path changes. So for Declude to work now, it would require a 
significant change in Declude.

But ClamAV worked before. What changed? Can it be changed back? Is this a 
problem with ClamAV in general, or just with the SOSDG Windows port? Do the 
other ClamAV ports have this problem?

Any suggestions you might have are greatly appreciated.

Gary Steiner












Re: [Declude.Virus] re: new virus with .rar attachment

2007-04-25 Thread Gary Steiner
Yes, junkmail is scanning before virus. 

I was referring to 
http://manuals.declude.com/proconlinehelp/eva_4.0.8_automatically_banning_all_encrypted_archive_files.htm
According to the manual, BANEXT EZIP should also pick up password protected RAR 
files.

I've just been told by Declude support that the failure to pick up the 
password-protected RAR file is a bug, and that they are working on fixing it.



 Original Message 
> From: "John T" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 25, 2007 5:41 PM
> To: declude.virus@declude.com
> Subject: Re:  [Declude.Virus] re: new virus with .rar attachment
> 
> Only if you also have BANEXT rar.
> 
> Do you have junkmail scanning before virus?
> 
> John T
> 
> -Original Message-
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> Sent 4/25/2007 10:44:37 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] re: new virus with .rar attachment
> 
> As a followup to this, in my virus.cfg I have BANEXT EZIP. Shouldn't this
> have caught the password-protected .rar file? Declude passed the message
> to SmarterMail without holding it. I'm running Declude 4.3.46.
> 
>  Original Message 
> > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > Sent: Wednesday, April 25, 2007 1:31 PM
> > To: declude.virus@declude.com
> > Subject: new virus with .rar attachment
> > 
> > I started getting some messages today that were picked up as spam, but were
> > not being identified as viruses.  They looked suspicious, having subject
> > lines of
> > 
> > Virus Activity Detected!
> > Spyware Alert!
> > 
> > It contains a .gif message that tells the user to open the .rar file and
> > run the patch there to protect them from the virus/spyware.
> > 
> > I ran it on www.virustotal.com, and the only scanner that picked it up
> > was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> > 
> > http://vil.nai.com/vil/content/v_142094.htm
> > 
> > Since this is a password protected .rar file, should we now be blocking
> > these?



re: [Declude.Virus] new virus with .rar attachment

2007-04-25 Thread Gary Steiner
ClamAV is now picking this up as Email.Phishing.RB-686



 Original Message 
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 25, 2007 1:48 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] new virus with .rar attachment
> 
> I started getting some messages today that were picked up as spam, but were 
> not being identified as viruses.  They looked suspicious, having subject 
> lines of
> 
> Virus Activity Detected!
> Spyware Alert!
> 
> It contains a .gif message that tells the user to open the .rar file and run 
> the patch there to protect them from the virus/spyware.
> 
> I ran it on www.virustotal.com, and the only scanner that picked it up was 
> McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> 
> http://vil.nai.com/vil/content/v_142094.htm
> 
> Since this is a password protected .rar file, should we now be blocking these?



[Declude.Virus] re: new virus with .rar attachment

2007-04-25 Thread Gary Steiner
As a followup to this, in my virus.cfg I have BANEXT EZIP. Shouldn't this have 
caught the password-protected .rar file? Declude passed the message to 
SmarterMail without holding it. I'm running Declude 4.3.46.


 Original Message 
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 25, 2007 1:31 PM
> To: declude.virus@declude.com
> Subject: new virus with .rar attachment
> 
> I started getting some messages today that were picked up as spam, but were 
> not being identified as viruses.  They looked suspicious, having subject 
> lines of
> 
> Virus Activity Detected!
> Spyware Alert!
> 
> It contains a .gif message that tells the user to open the .rar file and run 
> the patch there to protect them from the virus/spyware.
> 
> I ran it on www.virustotal.com, and the only scanner that picked it up was 
> McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> 
> http://vil.nai.com/vil/content/v_142094.htm
> 
> Since this is a password protected .rar file, should we now be blocking these? 








[Declude.Virus] new virus with .rar attachment

2007-04-25 Thread Gary Steiner
I started getting some messages today that were picked up as spam, but were not 
being identified as viruses.  They looked suspicious, having subject lines of

Virus Activity Detected!
Spyware Alert!

It contains a .gif message that tells the user to open the .rar file and run 
the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was 
McAfee, and it identified it as "W32/[EMAIL PROTECTED]".

http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be blocking these?









RE: [Declude.Virus] Temp files ClamAV Windows not deleting

2007-04-17 Thread Gary Steiner
We've always used the SOSDG port of ClamAV with little problem.  The current 
version is quite stable.  We have it on a W2K3 server using runclamd and 
runclamscan.

http://www.sosdg.org/clamav-win32

This is also the same version that SmarterMail has incorporated into their 4.x 
release.

I don't know if this is relevant or not, but a problem I ran into a while back 
was while installing the ClamAV port, it was installed from an administrator 
account that wasn't THE Administrator account.  It created some permissions 
problems that were solved by uninstalling then reinstalling using the main 
Administrator account.


 Original Message 
> From: "Jared Pickerell" <[EMAIL PROTECTED]>
> Sent: Tuesday, April 17, 2007 6:29 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Temp files ClamAV Windows not deleting
> 
> I'm running into the same problem. I ended up with a server out of hard
> drive space before I figured out what was going on. 
> 
>  
> 
> What can you do to let Declude/ClamWin delete them in the first place?
> As the administrator I can already delete the folders/files after the
> fact, but that doesn't solve the problem. Who needs to have ownership of
> the temp directory for Declude/ClamWin  to delete these on its own?
> 
>  
> 
> Also ClamWin was using very high CPU. Is ClamWin known for high CPU
> usage? 
> 
>  
> 
>  
> 
> With the temp files not deleting and the high CPU utilization, I ended
> up just removing ClamWin as one of the scanners. When the AVG fix came
> out it wasn't really an issue, but I would like to use Clam as a
> secondary scanner if possible? Any thoughts?
> 
>  
> 
> Thanks
> 
> Jared
> 
>  
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> David Barker
> Sent: Tuesday, April 17, 2007 1:58 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Temp files ClamAV Windows not deleting
> 
>  
> 
> You need to take ownership of the files as the administrator and then
> you can delete them.
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami
> Razvan
> Sent: Tuesday, April 17, 2007 2:41 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Temp files ClamAV Windows not deleting
> 
> Hi;
> 
>  
> 
> I am having problem with viruses not being deleted from the temp
> directory when using the ClamWin - the following is the config entries:
> 
>  
> 
> # CLAM- 1st Scanner
> 
> #SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose
> --database="C:\Progra~1\ClamWin\db" --tempdir="c:\Temp" --no-summary -l
> report.txt
> 
> #VIRUSCODE1 1
> 
>  
> 
> Any idea what I can do to have the virus files deleted from C:\temp?
> 
>  
> 
> Thanks
> 
> -Kami



re: [Declude.Virus] Virus notifications

2007-03-28 Thread Gary Steiner
What do you mean by "virus notifications"?  Email from some mailing list?  
Updates to your anti-virus definitions?

Gary



 Original Message 
> From: Dan Shadix <[EMAIL PROTECTED]>
> Sent: Wednesday, March 28, 2007 6:55 PM
> To: "declude.virus@declude.com" 
> Subject: [Declude.Virus] Virus notifications
> 
> Since switching to SmarterMail, I haven't been receiving virus notifications. 
>  Can someone give me a quick fix?
> 
> Thanks in advance,
> Dan
> 
> 
> 







RE: [Declude.Virus] ClamAV 0.90.1-2 problems

2007-03-14 Thread Gary Steiner
A new version (0.90.1-3) was posted on the SOSDG web site.

Bri Bruns told me that the --mbox parameter no longer works, so you should 
remove it from the line in your virus.cfg file before installing 0.90.1-3.

Gary



 Original Message 
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 13, 2007 3:13 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems
> 
> The following was just posted to clamav-announce:
> 
> 
> 
>  Original Message 
> > From: "Bri Bruns" <[EMAIL PROTECTED]>
> > Sent: Tuesday, March 13, 2007 2:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: [clamav-announce] Problems with ClamAV/SOSDG For Windows 0.90.1-1 
> > and -2
> > 
> > Okay, been getting reports of people having problems with the 0.90.1 
> > builds of ClamAV/SOSDG For Windows I've been releasing lately.
> > 
> > Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not 
> > quite sure how such an old version got into the build, but it is 
> > unreliable, and you probably are getting errors if you are using it.
> > 
> > 0.90.1-2 is also having problems for some people, which I'm looking into 
> > now.  I'm not sure of the cause, but there appears to have been a lot of 
> > underlying changes in ClamAV over the past few months.
> > 
> > For now, if you are having problems with -2, I suggest going back to 
> > 0.90-1, which you can grab from here:
> > 
> > http://downloads.sosdg.org/clamav/clamav-0.90-1.exe
> > 
> > And is known to work well for most people.
> > 
> > Please keep any bug reports for -2 coming in, as it's helping me narrow 
> > down the cause of the issues.
> > 
> > -- 
> > Brie Bruns
> > The Summit Open Source Development Group
> > http://www.sosdg.org / http://www.ahbl.org 
> > 
> > 
> > ___
> > ClamAV For Windows Announcement Mailing List
> > http://lists.sosdg.org/mailman/listinfo/clamav-announce 



RE: [Declude.Virus] ClamAV 0.90.1-2 problems

2007-03-13 Thread Gary Steiner
The following was just posted to clamav-announce:



 Original Message 
> From: "Bri Bruns" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 13, 2007 2:43 PM
> To: [EMAIL PROTECTED]
> Subject: [clamav-announce] Problems with ClamAV/SOSDG For Windows 0.90.1-1 
> and -2
> 
> Okay, been getting reports of people having problems with the 0.90.1 
> builds of ClamAV/SOSDG For Windows I've been releasing lately.
> 
> Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not 
> quite sure how such an old version got into the build, but it is 
> unreliable, and you probably are getting errors if you are using it.
> 
> 0.90.1-2 is also having problems for some people, which I'm looking into 
> now.  I'm not sure of the cause, but there appears to have been a lot of 
> underlying changes in ClamAV over the past few months.
> 
> For now, if you are having problems with -2, I suggest going back to 
> 0.90-1, which you can grab from here:
> 
> http://downloads.sosdg.org/clamav/clamav-0.90-1.exe
> 
> And is known to work well for most people.
> 
> Please keep any bug reports for -2 coming in, as it's helping me narrow 
> down the cause of the issues.
> 
> -- 
> Brie Bruns
> The Summit Open Source Development Group
> http://www.sosdg.org / http://www.ahbl.org 
> 
> 
> ___
> ClamAV For Windows Announcement Mailing List
> http://lists.sosdg.org/mailman/listinfo/clamav-announce 








RE: [Declude.Virus] ClamAV 0.90.1-2 problems

2007-03-13 Thread Gary Steiner
I uninstalled 0.90.1-2 and reinstalled 0.90.1.  It seems to be working okay.

I ran the program (0.90.1-2) but removed the --mbox parameter.  It then gave me 
an error message about --max-ratio.  I removed that one, and it then gave me an 
error about --max-space.  I removed that one as well, and it was finally able 
to run.  But there was an error in the report.txt file:

62376245.eml: lstat() failed. ERROR

For now I am just going to keep running with 0.90.1 and see how it goes.

The message I received on the clamav-announce mailing list about 0.90.1-2 
stated, "Basically, this version corrects some build problems and incorrect 
linkage to cygclamav1.dll by clamd."

Gary


 Original Message 
> From: "Mark Reimer" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 13, 2007 11:21 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems
> 
> Gary,
> I had the same problem after upgrading to 0.90.1-2. I had to go back to
> 0.90-1. I was getting the same error code. After this upgrade if I go back
> to 0.90.1-1 I get error code 40. I have not been able to figure out what is
> going on.
> 
> Mark Reimer
> IT System Admin
> American CareSource
> 972-308-6887
>  
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
> Hayer
> Sent: Tuesday, March 13, 2007 8:01 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] ClamAV 0.90.1-2 problems
> 
> Exit code of 2 means ClamAV had an error - Is clamd running? will 
> clamdscan.exe  work? eg no parameters?
> 
> -Nick
> 
> Gary Steiner wrote:
> > Ever since I upgraded to ClamAV 0.90.1-2 (the SOSDG windows port), I've
> > been unable to get it to work.  The Declude log files show an error like
> > this:
> >
> > 03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
> > 03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429
> > Checksum=38095]
> > 03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:40.359 62376245 Could not find report file
> > c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
> > 03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
> > 03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
> > 03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2
> > 815]
> >
> >
> > If I try to run it from the command line using the parameters from my
> > virus.cfg file, I get the following:
> >
> > C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space
> > 1M -l report.txt 62376245.eml
> >
> > /cygdrive/c/clamav-devel/bin/clamdscan: unrecognized option `--mbox'
> > ERROR: Unknown option passed.
> > ERROR: Can't parse the command line
> >
> >
> > Anyone else seeing anything like this?  Did something change in 0.90 to
> > make these parameters invalid?
> >
> > Thanks,
> >
> > Gary Steiner
> >
> >










[Declude.Virus] ClamAV 0.90.1-2 problems

2007-03-12 Thread Gary Steiner
Ever since I upgraded to ClamAV 0.90.1-2 (the SOSDG windows port), I've been 
unable to get it to work.  The Declude log files show an error like this:

03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 
Checksum=38095]
03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:40.359 62376245 Could not find report file 
c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]


If I try to run it from the command line using the parameters from my virus.cfg 
file, I get the following:

C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M 
-l report.txt 62376245.eml

/cygdrive/c/clamav-devel/bin/clamdscan: unrecognized option `--mbox'
ERROR: Unknown option passed.
ERROR: Can't parse the command line


Anyone else seeing anything like this?  Did something change in 0.90 to make 
these parameters invalid?

Thanks,

Gary Steiner
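
One way to catch the condition shown in the log above, where scanner 1 exits with code 2 on every retry and no report.txt is produced. This is an added example, not part of the original post and not Declude's own tooling; the function names are hypothetical, the sample log is constructed in the format quoted above, and the exit-code meaning (0 clean, 1 virus found, 2 error) is assumed from clamdscan's documented convention.

```python
import re
from collections import defaultdict

# Constructed sample: the first message mirrors the log quoted in the post;
# the entries for 62376301 and 62376388 are invented for contrast.
SAMPLE_LOG = r"""03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]
03/12/2007 19:18:02.101 62376301 Virus scanner 1 reports exit code of 0
03/12/2007 19:18:02.304 62376301 Virus scanner 2 reports exit code of 0
03/12/2007 19:18:15.870 62376388 Virus scanner 1 reports exit code of 1
03/12/2007 19:18:16.012 62376388 Virus scanner 2 reports exit code of 0
"""

LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+) (.*)$")
EXIT_RE = re.compile(r"^Virus scanner (\d+) reports exit code of (-?\d+)$")
MISSING_RE = re.compile(r"^Could not find report file (.+?)\.?$")
ERROR_RE = re.compile(r"^Error (-?\d+) in virus scanner (\d+)\.$")

# Assumption: 0 = clean and 1 = virus found, as clamdscan documents; any other
# code (2 = error in clamdscan) means that scanner did not actually scan.
OK_CODES = (0, 1)


def _events(log_text):
    """Yield (message_id, text) for every well-formed log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # skip wrapped fragments and foreign lines
            yield m.group(1), m.group(2)


def find_scanner_failures(log_text, ok_codes=OK_CODES):
    """Return one finding per message for which a scanner errored out."""
    state = {}
    for msg_id, text in _events(log_text):
        rec = state.setdefault(
            msg_id, {"bad_exits": {}, "missing_report": None, "errors": []}
        )
        e = EXIT_RE.match(text)
        r = MISSING_RE.match(text)
        x = ERROR_RE.match(text)
        if e:
            scanner, code = int(e.group(1)), int(e.group(2))
            if code not in ok_codes:
                rec["bad_exits"].setdefault(scanner, []).append(code)
        elif r:
            rec["missing_report"] = r.group(1)
        elif x:
            rec["errors"].append((int(x.group(2)), int(x.group(1))))

    findings = []
    for msg_id, rec in state.items():
        if rec["bad_exits"] or rec["missing_report"] or rec["errors"]:
            failed = set(rec["bad_exits"]) | {s for s, _ in rec["errors"]}
            findings.append({
                "message_id": msg_id,
                "failed_scanners": sorted(failed),
                # number of failing attempts logged per scanner
                "retries": {s: len(c) for s, c in rec["bad_exits"].items()},
                "exit_codes": {s: sorted(set(c))
                               for s, c in rec["bad_exits"].items()},
                "missing_report": rec["missing_report"],
            })
    return findings


def scanner_failure_rate(log_text, ok_codes=OK_CODES):
    """Return {scanner: (messages_failed, messages_seen)}."""
    seen, failed = defaultdict(set), defaultdict(set)
    for msg_id, text in _events(log_text):
        e = EXIT_RE.match(text)
        if e:
            scanner, code = int(e.group(1)), int(e.group(2))
            seen[scanner].add(msg_id)
            if code not in ok_codes:
                failed[scanner].add(msg_id)
    return {s: (len(failed[s]), len(seen[s])) for s in sorted(seen)}


if __name__ == "__main__":
    for finding in find_scanner_failures(SAMPLE_LOG):
        print(finding)
    print(scanner_failure_rate(SAMPLE_LOG))
```

A scanner whose failed/seen ratio jumps right after an upgrade, as scanner 1 did here, points at its command line in virus.cfg rather than at the mail being scanned.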









Re: [Declude.Virus] Current Version of Clam AV

2007-03-01 Thread Gary Steiner
Does anyone want to comment on what might be causing the error?  Is this a 
ClamAV problem or a Declude problem?  It seems that the normal mechanism for 
deleting those files is somehow interrupted.  Is there a way in Declude to 
increase the time allocated to each antivirus process?

Though since I upgraded to SOSDG's version 0.90-1, I haven't seen any leftover 
.vir directories.


 Original Message 
> From: "Brian T." <[EMAIL PROTECTED]>
> Sent: Thursday, March 01, 2007 11:53 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] Current Version of Clam AV
> 
> Does anyone know of a way to fix this problem with the leftover .vir 
> directories?
> 
> I was thinking about switching to ClamAV from F-Prot but don't want to 
> constantly be cleaning up leftover files.
> 
> Thanks,
> 
> Brian 
>   - Original Message - 
>   From: Darrell ([EMAIL PROTECTED]) 
>   To: declude.virus@declude.com 
>   Sent: Tuesday, February 27, 2007 11:44 AM
>   Subject: Re: [Declude.Virus] Current Version of Clam AV
> 
> 
>   In my normal maintenance window (once a week) all services are stopped and 
> I clean out the work, error, proc, spool, and review folders.  Since I stop 
> CLAMAV as well I am able to delete those directories.
> 
>   Darrell
> 
>   
>   Check out http://www.invariantsystems.com for utilities for Declude And 
> Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
> Integration, and Log Parsers.
> - Original Message - 
> From: Stephan 
> To: declude.virus@declude.com 
> Sent: Tuesday, February 27, 2007 11:22 AM
> Subject: Re: [Declude.Virus] Current Version of Clam AV
> 
> 
> Thanks for responding. I can't delete them until I restart the ClamAV 
> service. Do you have a way of automatically deleting them, or do you schedule 
> a task to restart ClamAV and then delete them? I tried using a schedule task 
> but for some reason they still don't get deleted (but it's possible to do it 
> manually.)
> 
> -Original Message-
> From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
> Sent 2/27/2007 10:17:46 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] Current Version of Clam AV
> 
> FWIW - I have always had left over directories from .84 on up.
> 
> Darrell
> 
> Check out http://www.invariantsystems.com for utilities for Declude And 
> Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
> Integration, and Log Parsers.
>   - Original Message - 
>   From: Stephan 
>   To: declude.virus@declude.com 
>   Sent: Tuesday, February 27, 2007 8:41 AM
>   Subject: Re: [Declude.Virus] Current Version of Clam AV
> 
> 
>   I am also running the 0.90-1, and it's working fine, except I still get 
> leftover .vir directories inside the declude/proc dir. The error in the 
> clamav log shows:
>   -> d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary 
> directory ERROR
>   I've tried checking permissions, and made sure I have the clamav tmpdir 
> variable set to my clamav tmp dir (which fixed a similar error that stopped 
> the clamav service from starting.) But I haven't been able to fix this one. 
> Anyone know how to fix this error?
>   Thanks.
> 
>   -Original Message-
>   From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
>   Sent 2/26/2007 1:30:43 PM
>   To: declude.virus@declude.com
>   Subject: Re: [Declude.Virus] Current Version of Clam AV
> 
> 
> Gary,
> 
> I upgraded on Friday and have not run into any issues.
> 
> Darrell
> 
> 
> Check out http://www.invariantsystems.com for utilities for Declude And 
> Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
> Integration, and Log Parsers.
> 
> ----- Original Message - 
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, February 26, 2007 1:01 PM
> Subject: RE: [Declude.Virus] Current Version of Clam AV
> 
> 
> I see that SOSDG released a new version (0.90-1) of their Windows port of 
> ClamAV on 02-22-2007.
> 
> http://www.sosdg.org/clamav-win32/
> 
> Has anyone upgraded to it yet?  Any problems?
> 
> Gary Steiner
> 
> 
> 
>  Original Message 
> > From: "Mark Reimer"

RE: [Declude.Virus] Current Version of Clam AV

2007-02-26 Thread Gary Steiner
I see that SOSDG released a new version (0.90-1) of their Windows port of 
ClamAV on 02-22-2007.

http://www.sosdg.org/clamav-win32/

Has anyone upgraded to it yet?  Any problems?

Gary Steiner



 Original Message 
> From: "Mark Reimer" <[EMAIL PROTECTED]>
> Sent: Friday, February 16, 2007 2:04 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Current Version of Clam AV
> 
> Clam AV releases prior to 0.90 have Dos issues I believe. Is there a 0.90
> release for windows?
> 
>  
> 
> Mark Reimer
> 
> IT System Admin
> 
> American CareSource
> 
> 972-308-6887
> 
>  
> 
>   _  
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
> Reimer
> Sent: Friday, February 16, 2007 10:06 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Current Version of Clam AV
> 
>  
> 
> What is the current release of Clam AV for windows? I saw 0.90 stable is out
> now. 
> 
>  
> 
> Mark Reimer
> 
> IT System Admin
> 
> American CareSource
> 
> 972-308-6887
> 
>  
> 
> 
> 







[Declude.Virus] Exploit-Dropper.1Table

2007-02-16 Thread Gary Steiner
Here's a strange one.  Declude reports that it is detecting a virus in a file 
attachment that is a Word document.

"AVG Reports VIRUS: Exploit-Dropper.1Table"

Yet when I send that same email to VirusTotal.com, AVG states "no virus 
detected".  And none of the other programs listed on VirusTotal.com detect 
anything either.

I guess I need to send this one to Declude support.


Gary









Re: [Declude.Virus] pay-pal phishing

2007-02-15 Thread Gary Steiner
ClamAV catches a lot of them.



 Original Message 
> From: "Darin Cox" <[EMAIL PROTECTED]>
> Sent: Thursday, February 15, 2007 5:58 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] pay-pal phishing
> 
> Message Sniffer does a pretty good job.  You can also use the spamdomains
> and SPF tests, though their SPF policy is only soft fail at the moment,
> which Declude does not check.
> 
> Darin.
> 
> 
> - Original Message - 
> From: "Bob McGregor" <[EMAIL PROTECTED]>
> To: "Declude-List" 
> Sent: Thursday, February 15, 2007 5:16 PM
> Subject: [Declude.Virus] pay-pal phishing
> 
> 
> Anyone configured a way to stop some of the pay-pal scam emails?
> 
> thanks, bob
> 
> 
> 








re: [Declude.Virus] Any one heard about or seen this one yet?

2007-01-19 Thread Gary Steiner
I was receiving copies of it yesterday (Thursday), but nothing today.  All 
messages contained a .exe attachment.  Since I'm running AVAFTERJM, all the 
messages were caught as spam.  I did not receive any that were not caught as 
spam.



 Original Message 
> From: Heimir Eidskrem <[EMAIL PROTECTED]>
> Sent: Friday, January 19, 2007 3:24 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Any one heard about or seen this one yet?
> 
> Storm Worm Hits Computers Around the World
> By  Reuters  
> January 19, 2007
> 
> HELSINKI (Reuters)-Computer virus writers started to use raging European
> storms on Friday to attack thousands of computers in an unusual
> real-time assault, head of research at Finnish data security firm
> F-Secure told Reuters.
> 
> The virus, which the company named "Storm Worm," is sent to hundreds of
> thousands of e-mail addresses globally, with the e-mail's subject line
> saying "230 dead as storm batters Europe."
> 
> The attached file contains the so-called malware that can infiltrate
> computer systems.
> 
> "What makes this exceptional is the timely nature of the attack," Mikko
> Hypponen, head of research at F-Secure said. Hypponen said thousands of
> computers around the world, most in private use, had been affected.
> 
> He said most users would not notice the malware, or trojan, which
> creates a back door to the computer that can be exploited later to steal
> data or to use the computer to post spam
> 
> 
> 
> Regards,
> Dennis Curry
> System Administrator
> SNC-Lavalin GDS
> 
> 
> 








re: [Declude.Virus] Sender.eml was sent even though forging virus?

2006-12-13 Thread Gary Steiner
I've seen similar behavior with viruses found by AVG.


 Original Message 
> From: "Andy Schmidt" <[EMAIL PROTECTED]>
> Sent: Wednesday, December 13, 2006 12:42 PM
> To: "'Declude Virus List'" 
> Subject: [Declude.Virus] Sender.eml was sent even though forging virus?
> 
> Hi,
> 
> My "sender.eml" has the line:
> SKIPIFFORGING
> 
> And my virus.CFG has:
> 
> AUTOFORGE ON
> 
> FORGINGVIRUS Anonymous Driver
> FORGINGVIRUS Antiman
> FORGINGVIRUS  Avril
> FORGINGVIRUS  Bagle
> 
> Yet, declude virus just sent the "sender.eml" for the following details:
>  
>   File:"Unknown File"
>   Result:  FoundI-Worm/Bagle
>   Message ID:<[EMAIL PROTECTED]>
>   Our Domain:Schmidt.AS for Schmidt.AS
>   Queue ID:  D324e0153b795.smd
> 
> Based on these headers:
> 
> -Original Message Headers-
> Received: from [62.93.44.11] [62.93.44.11] by hm-software.com with ESMTP
>   (SMTPD-9.10) id A24E331D0; Wed, 13 Dec 2006 12:03:10 -0500
> Date: Wed, 13 Dec 2006 18:03:11 +0100
> To: "Andy" <[EMAIL PROTECTED]>
> From: "Webmaster" <[EMAIL PROTECTED]>
> Subject: price 13-Dec-2006
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="oibzhbgyvnajpcxfwpdt"
> 
> 
> 
> 
> 








Re: [Declude.Virus] Declude Security Suite 4.3.23 Released / AVG Vulnerability?

2006-12-08 Thread Gary Steiner
Good question.  David?

 Original Message 
> From: "Stephan" <[EMAIL PROTECTED]>
> Sent: Friday, December 08, 2006 12:21 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Re:  [Declude.Virus] Declude Security Suite 4.3.23 
> Released / AVG Vulnerability?
> 
> Is the built-in avg version included still vulnerable? Or has it been fixed 
> already?
> Very glad to see the imail 2006 authowhite is now working.
> Thanks.
> 
> -Original Message-
> From: "David Barker" <[EMAIL PROTECTED]>
> Sent 11/24/2006 8:08:51 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AVG Vulnerability
> 
> From AVG "the update has been released for beta testing, if there are no
> troubles, we publish it as an official build during the next week."
> 
> David B
> www.declude.com
> 
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
> Sent: Friday, November 24, 2006 4:29 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] AVG Vulnerability
> 
> Hi,
> 
> And...?
> 
> Kind regards,
> Bonno Bloksma
> head of systems administration
> 
> tio hogeschool hotelmanagement en toerisme
> begijnenhof 8-12 / 5611 el eindhoven
> t 040 296 28 28 / f 040 237 35 20
> [EMAIL PROTECTED] / www.tio.nl
> 
> - Original Message -
> From: David Barker
> To: declude.virus@declude.com
> Sent: Tuesday, November 21, 2006 10:24 PM
> Subject: RE: [Declude.Virus] AVG Vulnerability
> 
> We have a request in with Grisoft remember there is a time zone difference
> as they are in CZ
> 
> David
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
> Sent: Tuesday, November 21, 2006 4:01 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AVG Vulnerability
> 
> Any updates on this yet? Should we be turning off AVG scanning?
> 
> Mark Reimer
> IT System Admin
> American CareSource
> 972-308-6887
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
> Sent: Tuesday, November 21, 2006 9:24 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AVG Vulnerability
> 
> Darrell,
> 
> We are currently looking into this new report and are contacting AVG we will
> post here as soon as we have an answer.
> 
> David Barker
> Director of Product Management
> Your Email security is our business
> 978.499.2933 office
> 978.988.1311 fax
> [EMAIL PROTECTED]
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
> ([EMAIL PROTECTED])
> Sent: Tuesday, November 21, 2006 8:48 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] AVG Vulnerability
> 
> David / Declude,
> 
> Is the integrated AVG scanner vulnerable?  How do we determine what version
> of AVG is embedded inside of Declude?
> 
> Darrell
> 
> MODERATE: Grisoft AVG Anti-Virus Multiple Vulnerabilities
> 
> Affected: AVG Anti-Virus versions prior to 7.1.407
> 
> Description: AVG Anti-Virus, a popular anti-virus system, contains multiple
> vulnerabilities. By sending a specially-crafted file through the system, an
> attacker could exploit these vulnerabilities to execute arbitrary code with
> the privileges of the anti-virus process. No technical details for these
> vulnerabilities are currently available.
> Status: Grisoft confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not in
> production or widespread use, or are not officially supported at any of the
> council sites. They reported that no action was necessary.
> 
> References:
> Grisoft Release Notes
> http://www.grisoft.com/doc/36365/lng/us/tpl/tpl01
> SecurityFocus BID
> http://www.securityfocus.com/bid/21029
> 
> 
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
> Integration, and Log Parsers.
> 

[Declude.Virus] runclamd and runclamscan

2006-10-30 Thread Gary Steiner
Looks like the web page for runclamd and runclamscan

http://www.smartbusiness.com/imail/declude/

has been removed.  Hopefully it will continue to be included in future releases 
of ClamAv for Windows.

Gary









RE: [Declude.Virus] AUTOFORGE

2006-10-27 Thread Gary Steiner
I think you meant to say SKIPIFFORGING not SKIPIFFORGINGVIRUS.


 Original Message 
> From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> Sent: Friday, October 27, 2006 7:52 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AUTOFORGE
> 
> > Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME?  Do you need to
> > have both statements in the virus.cfg or is that redundant?
> 
> FORGINGVIRUS is in the virus.cfg file and it is to list those viruses that
> forge the from address. Then, in your various eml files, you just need to
> put in SKIPIFFORGINGVIRUS instead of having to list each
> SKIPIFVIRUSNAMEHAS
> 
> John T
> eServices For You
> 
> "Life is a succession of lessons which must be lived to be understood."
> Ralph Waldo Emerson (1802-1882)
> 
> 
> 
> 
> 









RE: [Declude.Virus] AUTOFORGE

2006-10-27 Thread Gary Steiner
Is the command FORGINGVIRUS still used?  It doesn't seem to be mentioned in the 
new manuals on the Declude web site, or in the knowledgebase either.

My main question is how does FORGINGVIRUS work?  Is it looking for any string 
within the virus name?  For example, will the statement

FORGINGVIRUS Stration

pick up both "Worm.Stration.YY" and "I-Worm.Stration" as matches?

Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME?  Do you need to have 
both statements in the virus.cfg or is that redundant?

Thanks,

Gary


 Original Message 
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Friday, October 27, 2006 3:56 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AUTOFORGE
> 
> I suggested adding STRATION a week or more ago.
>  
> Likewise, the string
>  
> WAREZOV
>  
> should be added to the AUTOFORGE database (or your own virus.cfg e.g.
> FORGINGVIRUS WAREZOV).  There have been many iterations of this virus,
> and according to F-Secure, the creators are still pumping out new
> versions.
>  
> Andrew.
>  
> 
> 
>   _  
> 
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Andy Schmidt
>   Sent: Friday, October 27, 2006 6:03 AM
>   To: 'Declude Virus List'
>   Subject: [Declude.Virus] AUTOFORGE
>
>
>   Hi,
>
>   is this still being actively maintained?
>
>   If so, 
> 
>   W32/Stration.dldr
> 
>   should be added as forging. Based on bounces that I'm seeing
> (from inbound-only mailboxes on our domain) it is forging the sender.
> 
>   Best Regards
>   Andy Schmidt
>
>   Phone:  +1 201 934-3414 x20 (Business)
>   Fax:+1 201 934-9206 
> 
>
> 
> 
> 
> 









RE: [Declude.Virus] New Virus?

2006-10-10 Thread Gary Steiner
If you want to submit a virus, don't forget about ClamAV:

http://www.clamav.net/sendvirus.html

The nice thing about them is when they've used your sample to update their 
definitions, they will actually send you an email telling you this.



 Original Message 
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Tuesday, October 10, 2006 1:50 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus?
> 
> Sounds like a very popular eBay scam, not a virus.
> 
> Was there actually a hostile application attached?
> 
> Submit the executable to:
> 
> http://www.virustotal.com/en/indexf.html
> 
> Or:
> 
> http://virusscan.jotti.org/
> 
> I believe that both services share unknown executables with the
> antivirus vendors.
> 
> Or you directly submit the executable to your preferred antivirus
> vendor, usually through a web submission form, e.g.:
> 
> http://subwiz.trendmicro.com/SubWiz/Default.asp
> 
> Or:
> 
> http://www.f-prot.com/virusinfo/submission_form.html
> 
> But the vendor websites are notorious for hoarding information to get a
> competitive advantage (at the expense of the customers of every other
> antivirus vendor!).
> 
> Andrew 8)
>   
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> > Behalf Of Grant Griffith
> > Sent: Tuesday, October 10, 2006 10:21 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] New Virus?
> > 
> > Hey All
> > 
> > Has anyone seen the email saying that you purchased a Sony 
> > VAIO for $2,500?
> > We received a bunch of these this morning in our mailboxes 
> > and am trying to figure out how they made it thru the 
> > scanners.  What is the place to send them to see if it is 
> > being caught?
> > 
> > Thanks,
> > Grant Griffith
> > Web Application Developer
> > Enhanced Telecommunications
> > http://www.etczone.com
> > 812-932-1000
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 









[Declude.Virus] Oversized.RAR FOUND in ClamAV

2006-09-06 Thread Gary Steiner
I have an email that was held as a virus after ClamAV was triggered with the 
result "Oversized.RAR FOUND".  I looked for an explanation but couldn't find 
anything detailed.  Apparently this is due to some type of bug in ClamAV that 
shows up with certain RAR or ZIP files.

I found one posting that suggested that the problem could be fixed by adjusting 
the max-ratio value.  The default max-ratio value for ClamAV is 250.  The 
suggested value for running it with Declude is 0.  What would be the safest 
value to run with and why?

Gary








RE: [Declude.Virus] New feature needed

2006-08-11 Thread Gary Steiner
I'm just trying to narrow these files down.  I don't want to stick something in 
the Declude directory and have it exhibit unexpected behavior.  Also there are 
many other files in the Declude directory that are unexplained and may be left 
over from older versions, but I have no way to know if I can delete them or not.

BounceNotify.eml is there, it was installed by Declude.  Though I just tested 
it by sending myself a banned file, and it did not work, so maybe Declude 
discontinued it at some point (David?).

There is no file called Vulnerability.eml in the Declude directory, so I assume 
Declude does not install this by default.


 Original Message 
> From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> Sent: Friday, August 11, 2006 3:56 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New feature needed
> 
> Sorry, forgot to make an all inclusive list:
> 
> To my knowledge, there is no BounceNotify.eml.
> 
> JunkMail uses the following eml files ONLY:
> SpamAttach.eml
> 
> Confirm uses the following eml file ONLY:
> Confirm.eml
> 
> When EVA finds a vulnerability (list in the EVA manual further down from the
> allow section) it uses the following file ONLY:
> Vulnerability.eml
> 
> When EVA finds a banned attachment and the associated email is not found to
> be virus laden or contain a vulnerability, EVA will use the following file
> ONLY:
> BanNotify.eml
> 
> ANY OTHER eml file contained in the \declude directory will be used by EVA
> when a virus is found according to parameters within each file. So, if you
> have 50 eml files aside from the above specifically mentioned 4, EVA will
> try to use all 50 when it finds a virus.
> 
> The reason for this along with the original 4 other eml files normally found
> (postmaster.eml, otherpostmaster.eml, sender.eml and recipient.eml) was so
> that an appropriately worded notice be sent to each respective party as
> desired. However, that also allows for plenty of customization. Example, I
> have a client that the manager wants a copy of each notice sent. So I have
> created 2 specific eml files for that client, one for if the infected email
> is incoming and one for if the infected email is outgoing.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> > Steiner
> > Sent: Thursday, August 10, 2006 9:05 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New feature needed
> > 
> > But what defines a "vulnerability"?  Are you referring to the list of
> > vulnerabilities associated with the ALLOWVULNERABILITY statement in the
> > EVA manual?  I'm confused by the various .eml files Declude provides and
> > how it decides to use them, whether EVA or Junkmail.  None of the .eml
> > files that come with Declude have the name of a vulnerability.
> > 
> > Here is a list of the E-mail template files that came with the Declude 4.x
> > installation and how I guess that they are used (since there doesn't seem
> > to be some centralized description/list of what these files are and how
> > they are used):
> > 
> > spamattach.eml - Used by Junkmail when ATTACH action is implemented.
> > 
> > postmaster.eml - Used by EVA to warn the postmaster of the local machine
> > that a virus was detected.
> > 
> > BOUNCEnotify.eml - Used by EVA to warn the local sender that his
> > (outgoing) E-mail attachment contained a banned extension.
> > 
> > BANnotify.eml - Used by EVA to warn the sender that his (incoming) E-mail
> > attachment contained a banned extension.
> > 
> > otherpostmaster.eml - Used by EVA to warn the postmaster of a host that a
> > virus came from his server (typically not used due to virus forging).
> > 
> > sender.eml - Used by EVA to warn the sender that an E-mail sent by him was
> > detected as a virus (typically not used due to virus forging).
> > 
> > recip.eml - Used by EVA to warn the recipient that Declude detected a
> > virus sent to him.
> > 
> > confirm.eml - Used by Declude Confirm
> > (http://www.declude.com/Articles.asp?ID=127).  Is this a discontinued
> > product?  If not, does it work with SmarterMail?
> > 
> > 
> > So it seems that most of the files are used by EVA, one by Junkmail and
> > one by Confirm.  Does that mean that Junkmail and Confirm only use their
> > one specific .eml file and ignore all the others?  If I create a randomly
> > named .eml file, will it only be
> 

RE: [Declude.Virus] New feature needed

2006-08-10 Thread Gary Steiner
But what defines a "vulnerability"?  Are you referring to the list of 
vulnerabilities associated with the ALLOWVULNERABILITY statement in the EVA 
manual?  I'm confused by the various .eml files Declude provides and how it 
decides to use them, whether EVA or Junkmail.  None of the .eml files that come 
with Declude have the name of a vulnerability.

Here is a list of the E-mail template files that came with the Declude 4.x 
installation and how I guess that they are used (since there doesn't seem to be 
some centralized description/list of what these files are and how they are 
used):

spamattach.eml - Used by Junkmail when ATTACH action is implemented.

postmaster.eml - Used by EVA to warn the postmaster of the local machine that a 
virus was detected.

BOUNCEnotify.eml - Used by EVA to warn the local sender that his (outgoing) 
E-mail attachment contained a banned extension.

BANnotify.eml - Used by EVA to warn the sender that his (incoming) E-mail 
attachment contained a banned extension.

otherpostmaster.eml - Used by EVA to warn the postmaster of a host that a virus 
came from his server (typically not used due to virus forging).

sender.eml - Used by EVA to warn the sender that an E-mail sent by him was 
detected as a virus (typically not used due to virus forging).

recip.eml - Used by EVA to warn the recipient that Declude detected a virus 
sent to him.

confirm.eml - Used by Declude Confirm 
(http://www.declude.com/Articles.asp?ID=127).  Is this a discontinued product?  
If not, does it work with SmarterMail?


So it seems that most of the files are used by EVA, one by Junkmail and one by 
Confirm.  Does that mean that Junkmail and Confirm only use their one specific 
.eml file and ignore all the others?  If I create a randomly named .eml file, 
will it only be used by EVA?



 Original Message 
> From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> Sent: Thursday, August 10, 2006 9:37 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New feature needed
> 
> When a vulnerability is detected, it looks for vulnerability.eml only. When
> a virus is detected, it uses any and all .eml files except for
> vulnerability.eml. 
> 
> So yes, you could do that.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> > -----Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> > Steiner
> > Sent: Thursday, August 10, 2006 4:43 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New feature needed
> > 
> > I was wondering if there might be a work-around for this.  Could a
> > combination of multiple .eml files utilizing SKIPIFRECIP work?
> > 
> > I guess the first question is what .eml files does Declude look for when
> > it detects a virus?  Does EVA specifically look for a file named
> > "recip.eml"?  Or does it look at all the .eml files in the main Declude
> > directory?
> > 
> > Could you have two files, one called recip-en.eml (English) and one called
> > recip-es.eml (Spanish), and then list in those files using SKIPIFRECIP all
> > the domains that want the other language?
> > 
> > Gary
> > 
> > 
> >  Original Message 
> > > From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> > > Sent: Tuesday, June 20, 2006 3:57 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] New feature needed
> > >
> > > Gary,
> > >
> > > I have not even thought of something like that (since all my customers
> > > are English speaking) but you are absolutely right.
> > >
> > > So David will we be seeing this new feature next week? :)
> > >
> > > Goran Jovanovic
> > > Omega Network Solutions
> > >
> > >
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > Gary Steiner
> > > > Sent: Tuesday, June 20, 2006 3:24 PM
> > > > To: declude.virus@declude.com
> > > > Subject: re: [Declude.Virus] New feature needed
> > > >
> > > >
> > > > I asked about the possibility of per domain replies several months
> > > > ago.  I would hope that it has already been placed on the wish list.
> > > >
> > > > It is especially useful when you have users speaking different
> > > > languages and you want to have language specific messages linked to
> > > > each domain.
> > > >
> > > > Gary
> > > >
> > > >

RE: [Declude.Virus] New feature needed

2006-08-10 Thread Gary Steiner
I was wondering if there might be a work-around for this.  Could a combination 
of multiple .eml files utilizing SKIPIFRECIP work?

I guess the first question is what .eml files does Declude look for when it 
detects a virus?  Does EVA specifically look for a file named "recip.eml"?  Or 
does it look at all the .eml files in the main Declude directory?

Could you have two files, one called recip-en.eml (English) and one called 
recip-es.eml (Spanish), and then list in those files using SKIPIFRECIP all the 
domains that want the other language?

Gary


 Original Message 
> From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> Sent: Tuesday, June 20, 2006 3:57 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New feature needed
> 
> Gary,
> 
> I have not even thought of something like that (since all my customers
> are English speaking) but you are absolutely right. 
> 
> So David will we be seeing this new feature next week? :)
> 
> Goran Jovanovic
> Omega Network Solutions
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Gary Steiner
> > Sent: Tuesday, June 20, 2006 3:24 PM
> > To: declude.virus@declude.com
> > Subject: re: [Declude.Virus] New feature needed
> > 
> > 
> > I asked about the possibility of per domain replies several months
> > ago.  I would hope that it has already been placed on the wish list.
> > 
> > It is especially useful when you have users speaking different
> > languages and you want to have language specific messages linked to
> > each domain.
> > 
> > Gary
> > 
> > 
> >  Original Message 
> > > From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> > > Sent: Tuesday, June 20, 2006 2:30 PM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] New feature needed
> > >
> > > Hi,
> > >
> > > I would like to suggest a new feature to be added to the virus
> > > notification capabilities.
> > >
> > > Right now to notify a recipient that I stopped a virus I have a
> > > recip.eml file in my main Declude directory. There is another
> > > recip-vulnerability.eml file that is used if the "virus" is a
> > > vulnerability. These two files are all or nothing files. Meaning
> > > that all recipients for all the domains that I process are in the same
> > > file.
> > >
> > > I need to be able to specify a per domain recip.eml file. This way I
> > > can tailor the notifications to each domain as appropriate. These files
> > > should be in the domain subdirectory along with the
> > > $default$.junkfile etc.
> > >
> > > I am faced with the challenge right now for a single domain to send
> > > all virus notification to one person only or to stop all notifications
> > > to that domain. To the best of my knowledge I cannot redirect all the
> > > notifications to the one person for that domain and to the original
> > > recipients for all the other domains.
> > >
> > > Another feature that should be added to the *.eml files is the
> > > ability to do a BCC to a monitoring address. This is a good way to
> > > monitor what is happening with banned files, viruses or whatever
> > > notification processes we have setup.
> > >
> > > So can you please add this to the "to do" list
> > >
> > > Thank you
> > >
> > > Goran Jovanovic
> > > Omega Network Solutions
> > >
> > >



RE: [Declude.Virus] Declude error, not ClamAV error

2006-07-15 Thread Gary Steiner
Yes the command line works fine.  Nowhere in the output from the command line 
does it say anything about an attachment, nor do I see the 
"Attachment=[Unknown: Err]" statement.  That's why I believe it is something 
generated by Declude not by ClamAV.


 Original Message 
> From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> Sent: Saturday, July 15, 2006 2:13 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> 
> Have you tried running the command line by itself against a file in question
> to see what the return code is?
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> > Steiner
> > Sent: Friday, July 14, 2006 7:08 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> > 
> > I get the error no matter what the virus, Netsky, Bagle, Feebs, even when
> > ClamAV detects a phishing attempt the error is there.
> > 
> > 
> >  Original Message 
> > > From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> > > Sent: Friday, July 14, 2006 9:46 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> > >
> > > In other log lines Declude states it is an invalid/bogus pif file. That
> > > might explain it.
> > >
> > > John T
> > > eServices For You
> > >
> > > "Seek, and ye shall find!"
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > Gary Steiner
> > > > Sent: Friday, July 14, 2006 2:43 PM
> > > > To: declude.virus@declude.com
> > > > Subject: [Declude.Virus] Declude error, not ClamAV error
> > > >
> > > > Upon further research, the statement "Attachment=[Unknown: Err]" is
> > > > generated by Declude, not ClamAV.  So does Declude have a problem with
> > > > ClamAV?
> > > >
> > > >
> > > >  Original Message 
> > > > > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > > > > Sent: Friday, July 14, 2006 1:32 PM
> > > > > To: declude.virus@declude.com
> > > > > Subject: [Declude.Virus] ClamAV error
> > > > >
> > > > > I recently installed ClamAv as my third scanner after AVG and F-Prot.
> > > > > For some reason it indicates an error related to the attachment when
> > > > > it detects a virus (Attachment=[Unknown: Err]).  Here is an example
> > > > > from the Declude virus log file:
> > > > >
> > > > > 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> > > > > 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
> > > > > 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
> > > > > 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> > > > > 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> > > > > 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> > > > > 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
> > > > > 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
> > > > > 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
> > > > > 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
> > > > > 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
> > > > > 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
> > > > > 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
> > > > > 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
> > > > > 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
> > > > >
> > > > > It doesn't 

RE: [Declude.Virus] Declude error, not ClamAV error

2006-07-14 Thread Gary Steiner
I get the error no matter what the virus, Netsky, Bagle, Feebs, even when 
ClamAV detects a phishing attempt the error is there.


 Original Message 
> From: "John T \(Lists\)" <[EMAIL PROTECTED]>
> Sent: Friday, July 14, 2006 9:46 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Declude error, not ClamAV error
> 
> In other log lines Declude states it is an invalid/bogus pif file. That
> might explain it.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> > -Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> > Steiner
> > Sent: Friday, July 14, 2006 2:43 PM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] Declude error, not ClamAV error
> > 
> > Upon further research, the statement "Attachment=[Unknown: Err]" is
> > generated by Declude, not ClamAV.  So does Declude have a problem with
> > ClamAV?
> > 
> > 
> >  Original Message 
> > > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > > Sent: Friday, July 14, 2006 1:32 PM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] ClamAV error
> > >
> > > I recently installed ClamAv as my third scanner after AVG and F-Prot.
> > > For some reason it indicates an error related to the attachment when it
> > > detects a virus (Attachment=[Unknown: Err]).  Here is an example from the
> > > Declude virus log file:
> > >
> > > 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> > > 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
> > > 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
> > > 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> > > 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> > > 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> > > 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
> > > 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
> > > 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
> > > 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
> > > 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
> > > 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
> > > 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
> > > 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
> > > 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
> > >
> > > It doesn't seem to matter what kind of virus is involved.  Even when it
> > > detects a phishing attempt you still see the same error.
> > >
> > > Here is what I have in the virus.cfg:
> > >
> > > SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
> > > VIRUSCODE2 1
> > > REPORT2 FOUND
> > >
> > > Is anyone else experiencing this, or have any ideas?
> > >
> > > Thanks,
> > >
> > > Gary



[Declude.Virus] Declude error, not ClamAV error

2006-07-14 Thread Gary Steiner
Upon further research, the statement "Attachment=[Unknown: Err]" is generated 
by Declude, not ClamAV.  So does Declude have a problem with ClamAV?


 Original Message 
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> Sent: Friday, July 14, 2006 1:32 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] ClamAV error
> 
> I recently installed ClamAv as my third scanner after AVG and F-Prot.  For 
> some reason it indicates an error related to the attachment when it detects a 
> virus (Attachment=[Unknown: Err]).  Here is an example from the Declude virus 
> log file:
> 
> 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; 
> Length=17424 Checksum=1974090]
> 07/13/2006 19:32:18.843 366626185 Banning file with pif extension 
> [application/octet-stream].
> 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
> Attachment=your_letter.pif [1] I
> 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
> 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 
> (366626185.eml,366626)
> 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D 
> Attachment=[Unknown: Err] [1] I
> 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
> 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
> 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
> 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL 
> PROTECTED] [incoming from 72.82.177.22]
> 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
> 
> It doesn't seem to matter what kind of virus is involved.  Even when it 
> detects a phishing attempt you still see the same error.
> 
> Here is what I have in the virus.cfg:
> 
> SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 
> C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M 
> -l report.txt
> VIRUSCODE2 1
> REPORT2 FOUND
> 
> Is anyone else experiencing this, or have any ideas?
> 
> Thanks,
> 
> Gary



RE: [Declude.Virus] ClamAV error

2006-07-14 Thread Gary Steiner
AVG is my first one (it's everybody's first one, it's built in).


 Original Message 
> From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> Sent: Friday, July 14, 2006 3:26 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV error
> 
> Gary,
> 
> You said CLAM was your third AV yet your config shows it is your second
> one
> 
> SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1
> C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0
> --max-space 1M -l report.txt
> VIRUSCODE2 1
> REPORT2 FOUND
> 
> Change the SCANFILE2, VIRUSCODE2, REPORT2 to 3. That might help
> 
> Goran Jovanovic
> Omega Network Solutions
> 
> -----Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> Steiner
> Sent: Friday, July 14, 2006 1:16 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] ClamAV error
> 
> 
> I recently installed ClamAv as my third scanner after AVG and F-Prot.
> For some reason it indicates an error related to the attachment when it
> detects a virus (Attachment=[Unknown: Err]).  Here is an example from
> the Declude virus log file:
> 
> 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64;
> Length=17424 Checksum=1974090]
> 07/13/2006 19:32:18.843 366626185 Banning file with pif extension
> [application/octet-stream].
> 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D:
> 7]
> 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED]
> Attachment=your_letter.pif [1] I
> 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
> 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185
> (366626185.eml,366626)
> 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D
> Attachment=[Unknown: Err] [1] I
> 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
> 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
> 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2
> 17604]
> 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To:
> [EMAIL PROTECTED] [incoming from 72.82.177.22]
> 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
> 
> It doesn't seem to matter what kind of virus is involved.  Even when it
> detects a phishing attempt you still see the same error.
> 
> Here is what I have in the virus.cfg:
> 
> SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1
> C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0
> --max-space 1M -l report.txt
> VIRUSCODE2 1
> REPORT2 FOUND
> 
> Is anyone else experiencing this, or have any ideas?
> 
> Thanks,
> 
> Gary



[Declude.Virus] ClamAV error

2006-07-14 Thread Gary Steiner
I recently installed ClamAv as my third scanner after AVG and F-Prot.  For some 
reason it indicates an error related to the attachment when it detects a virus 
(Attachment=[Unknown: Err]).  Here is an example from the Declude virus log 
file:

07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter

It doesn't seem to matter what kind of virus is involved.  Even when it detects 
a phishing attempt you still see the same error.

Here is what I have in the virus.cfg:

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Is anyone else experiencing this, or have any ideas?

Thanks,

Gary
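
An added example, not part of the original post and not Declude's own tooling: a Python script that groups the virus log lines above by spool ID and lists every scanner detection whose attachment field is "[Unknown: Err]", alongside the attachment names Declude logged for the same message. The line layout is inferred from the excerpt only; the function and field names are hypothetical.

```python
import re
from collections import OrderedDict

# Log excerpt from the post, with the mail client's line wraps rejoined.
# "[EMAIL PROTECTED]" is the list archive's own redaction, kept unchanged.
SAMPLE_LOG = """\
07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
"""

# Assumed layout, inferred from the excerpt: date, time, spool ID, free text.
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+) (.*)$")
EXIT_RE = re.compile(r"^Virus scanner (\d+) reports exit code of (-?\d+)$")
HIT_RE = re.compile(r"^Scanner (\d+): Virus= ?(.*?) Attachment=(.*?) \[\d+\] \S+$")
MIME_RE = re.compile(r"^MIME file: (.+?) \[")
BAN_RE = re.compile(r"^Banning file with (\S+) extension")


def parse_log(text):
    """Group log lines by spool ID and extract the scanner-related fields."""
    messages = OrderedDict()
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # wrapped fragment or a line in another format
        spool_id, body = line.groups()
        rec = messages.setdefault(spool_id, {
            "mime_files": [], "banned_ext": [], "warnings": [],
            "exit_codes": {}, "hits": {}, "infected": False,
        })
        m = EXIT_RE.match(body)
        if m:
            rec["exit_codes"][int(m.group(1))] = int(m.group(2))
            continue
        m = HIT_RE.match(body)
        if m:
            rec["hits"][int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = MIME_RE.match(body)
        if m:
            rec["mime_files"].append(m.group(1))
            continue
        m = BAN_RE.match(body)
        if m:
            rec["banned_ext"].append(m.group(1))
            continue
        if body.startswith("Warning:"):
            rec["warnings"].append(body)
        elif body.startswith("Scanned: CONTAINS A VIRUS"):
            rec["infected"] = True
    return messages


def unattributed_hits(messages):
    """Detections where the scanner named a virus but no attachment was resolved."""
    findings = []
    for spool_id, rec in messages.items():
        for scanner, (virus, attachment) in sorted(rec["hits"].items()):
            if attachment.startswith("[Unknown"):
                findings.append({
                    "spool_id": spool_id,
                    "scanner": scanner,
                    "virus": virus,
                    "exit_code": rec["exit_codes"].get(scanner),
                    # Attachment names logged for the same message, for triage.
                    "candidate_files": list(rec["mime_files"]),
                })
    return findings


if __name__ == "__main__":
    for f in unattributed_hits(parse_log(SAMPLE_LOG)):
        print("{spool_id}: scanner {scanner} (exit {exit_code}) reported {virus} "
              "with no attachment name; MIME parts seen: {candidate_files}".format(**f))
```

Run against a full day's log, the same function shows whether the unresolved attachment field is confined to one scanner number, which is the question the thread is trying to settle.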








re: [Declude.Virus] stopping Detected Outlook 'CR' Vulnerability emails

2006-07-01 Thread Gary Steiner
In your virus.cfg, make sure you have this:

BANCRVIRUSES ON

and do not have this:

ALLOWVULNERABILITY  OLCR

That should do it.



 Original Message 
> From: Rick O'Connor <[EMAIL PROTECTED]>
> Sent: Saturday, July 01, 2006 1:19 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] stopping Detected Outlook 'CR' Vulnerability emails
> 
> How do you go about stopping emails that fail Outlook CR  
> Vulnerability check from being delivered?
> Any help would be much appreciated.
> 
> Thanks,
> Rick
> 
> --
> Blu Sky Web Solutions
> 1200 Harris Ave, Suite 104
> Bellingham, WA 98225
> www.bswsolutions.com
> [EMAIL PROTECTED]
> Phone: 888.7.BLUSKY
> Fax: 800.867.0473



[Declude.Virus] another new virus

2006-06-20 Thread Gary Steiner
 
		
I just started receiving copies of a new virus that F-Prot flags, but with the 
descriptive label of "Unknown" (at least out of Declude).  The messages are all 
around 86k in size, and contain a gif and an encrypted zip file.  It pretends 
to be sending you a password for some unnamed account.  Following is what 
VirusTotal says:

Antivirus           Version         Update      Result
AntiVir             6.35.0.13       06.20.2006  no virus found
Authentium          4.93.8          06.20.2006  Not scanned (encrypted)
Avast               4.7.844.0       06.20.2006  no virus found
AVG                 386             06.20.2006  no virus found
BitDefender         7.2             06.20.2006  no virus found
CAT-QuickHeal       8.00            06.20.2006  no virus found
ClamAV              devel-20060426  06.20.2006  no virus found
DrWeb               4.33            06.20.2006  no virus found
eTrust-InoculateIT  23.72.43        06.20.2006  no virus found
eTrust-Vet          12.6.2265       06.20.2006  no virus found
Ewido               3.5             06.20.2006  no virus found
Fortinet            2.77.0.0        06.20.2006  no virus found
F-Prot              3.16f           06.20.2006  suspicious
Ikarus              0.2.65.0        06.20.2006  no virus found
Kaspersky           4.0.2.24        06.20.2006  no virus found
McAfee              4788            06.20.2006  no virus found
Microsoft           1.1441          06.20.2006  password protected
NOD32v2             1.1611          06.20.2006  error - password-protected file
Norman              5.90.21         06.20.2006  Mitglied.gen
Panda               9.0.0.4         06.20.2006  no virus found
Sophos              4.06.0          06.20.2006  no virus found
Symantec            8.0             06.20.2006  no virus found
TheHacker           5.9.8.162       06.20.2006  no virus found
UNA                 1.83            06.20.2006  no virus found
VBA32               3.11.0          06.20.2006  no virus found
VirusBuster         4.3.7:9         06.20.2006  I-Worm.Bagle.ZIP.Gen



re: [Declude.Virus] New feature needed

2006-06-20 Thread Gary Steiner
I asked about the possibility of per domain replies several months ago.  I 
would hope that it has already been placed on the wish list.

It is especially useful when you have users speaking different languages and 
you want to have language specific messages linked to each domain.

Gary


 Original Message 
> From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> Sent: Tuesday, June 20, 2006 2:30 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New feature needed
> 
> Hi,
> 
> I would like to suggest a new feature to be added to the virus
> notification capabilities.
> 
> Right now to notify a recipient that I stopped a virus I have a
> recip.eml file in my main Declude directory. There is another
> recip-vulnerability.eml file that is used if the "virus" is a
> vulnerability. These two files are all or nothing files. Meaning that
> all recipients for all the domains that I process are in the same file. 
> 
> I need to be able to specify a per domain recip.eml file. This way I can
> tailor the notifications to each domain as appropriate. These files
> should be in the domain subdirectory along with the $default$.junkfile
> etc.
> 
> I am faced with the challenge right now for a single domain to send all
> virus notification to one person only or to stop all notifications to
> that domain. To the best of my knowledge I cannot redirect all the
> notifications to the one person for that domain and to the original
> recipients for all the other domains. 
> 
> Another feature that should be added to the *.eml files is the ability
> to do a BCC to a monitoring address. This is a good way to monitor what
> is happening with banned files, viruses or whatever notification
> processes we have setup.
> 
> So can you please add this to the "to do" list
> 
> Thank you
> 
> Goran Jovanovic
> Omega Network Solutions



RE: [Declude.Virus] reque slips by Declude?

2006-05-18 Thread Gary Steiner
So you are saying that the X is no longer needed?  You just drop stuff in the 
spool directory and Declude will ignore it?  That in order for Declude to 
rescan something it now has to be put in the proc directory?



 Original Message 
> From: "David Barker" <[EMAIL PROTECTED]>
> Sent: Thursday, May 18, 2006 8:02 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] reque slips by Declude?
> 
> I Remove the x and place the files in the \proc directory.
> 
> David B
> www.declude.com
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
> ([EMAIL PROTECTED])
> Sent: Thursday, May 18, 2006 7:59 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] reque slips by Declude?
> 
> With older versions of Declude and Smartermail you used to have to do the 
> "X" rename to skip Declude processing.  If you left the "X" off it would be 
> rescanned by Declude.
> 
> However, now that Declude is integrated into Smartermail v3 what is the 
> correct requeuing process?
> 
> Darrell
> 
> Check out http://www.invariantsystems.com for utilities for Declude And 
> Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
> Integration, and Log Parsers.
> 
> 
> - Original Message - 
> From: "Dean Lawrence" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, May 18, 2006 7:48 AM
> Subject: Re: [Declude.Virus] reque slips by Declude?
> 
> 
> Gary,
> 
> I do believe that messages that have been re-queued do not get scanned
> a second time. If they did, you would never be able to re-queue
> anything since it would be continually caught.
> 
> Dean
> 
> On 5/18/06, Gary Steiner <[EMAIL PROTECTED]> wrote:
> > Back on May 9 my server was hit by the Feebs virus.  I am using F-Prot, 
> > which did not detect it.  But I am using "BANEXT hta" which caught it.
> >
> > Two days ago I upgraded to SmarterMail 3.1 and Declude 4.2.3.  Among other
> > things, I've been looking at the addition of AVG to Declude.  I noticed 
> > that F-Prot still doesn't detect that version of the Feebs virus, but AVG 
> > does.  So I thought I would test it.  I still have a copy of the virus I 
> > received on May 9, so I requeued it unchanged and unrenamed to let it go 
> > through the new Declude to see what would happen.  To my surprise it was 
> > delivered!  No new Declude headers were added to the message.  Though 
> > SmarterMail did modify it because it detected it as spam.  I checked the 
> > virus logs (LOGLEVEL set to HIGH) and there was no listing at all for this
> > message.
> >
> > Naturally I am now quite nervous.  Why did this happen?  Have any other 
> > Feebs viruses slipped through?  Unfortunately the eicar tests don't have 
> > an hta to use, so the only way I have to test this is with a live virus. 
> > The Feebs virus isn't one of the more common ones, but all it takes is one
> > to get through to spoil the day of one of my customers.
> >
> > Gary Steiner
> >
> 
> 
> -- 
> __
> Dean Lawrence, CIO/Partner
> Internet Data Technology
> 888.GET.IDT1 ext. 701 * fax: 888.438.4381
> http://www.idatatech.com/
> Corporate Internet Development and Marketing Specialists





[Declude.Virus] reque slips by Declude?

2006-05-18 Thread Gary Steiner
Back on May 9 my server was hit by the Feebs virus.  I am using F-Prot, which 
did not detect it.  But I am using "BANEXT hta" which caught it.

Two days ago I upgraded to SmarterMail 3.1 and Declude 4.2.3.  Among other 
things, I've been looking at the addition of AVG to Declude.  I noticed that 
F-Prot still doesn't detect that version of the Feebs virus, but AVG does.  So 
I thought I would test it.  I still have a copy of the virus I received on May 
9, so I requeued it unchanged and unrenamed to let it go through the new Declude 
to see what would happen.  To my surprise it was delivered!  No new Declude 
headers were added to the message.  Though SmarterMail did modify it because it 
detected it as spam.  I checked the virus logs (LOGLEVEL set to HIGH) and there 
was no listing at all for this message.

Naturally I am now quite nervous.  Why did this happen?  Have any other Feebs 
viruses slipped through?  Unfortunately the eicar tests don't have an hta to 
use, so the only way I have to test this is with a live virus.  The Feebs virus 
isn't one of the more common ones, but all it takes is one to get through to 
spoil the day of one of my customers.

Gary Steiner





re: [Declude.Virus] banned file mentioned in header?

2006-04-25 Thread Gary Steiner


  Original Message 
> From: Gary Steiner <[EMAIL PROTECTED]>
> Sent: Monday, April 24, 2006 8:46 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] banned file mentioned in header?
> 
> When Declude uses a virus scanner to detect a virus, you are able to place a 
> message in the header of the held file such as:
> 
> X-Declude-Virus: Detected  W32/[EMAIL PROTECTED] [from IP 200.52.83.152 
> (152.83.52.200.in-addr.arpa)].
> 
> However, when a banned file (such as a .exe in a .zip) is held, no message is 
> appended to the header to indicate why the file was held.  You have to go 
> back to the log file to dig out this information.  Is there any way to make 
> Declude add this information to the header of the held message?
> 
> Gary
> 
>




[Declude.Virus] banned file mentioned in header?

2006-04-24 Thread Gary Steiner
When Declude uses a virus scanner to detect a virus, you are able to place a 
message in the header of the held file such as:

X-Declude-Virus: Detected  W32/[EMAIL PROTECTED] [from IP 200.52.83.152 
(152.83.52.200.in-addr.arpa)].

However, when a banned file (such as a .exe in a .zip) is held, no message is 
appended to the header to indicate why the file was held.  You have to go back 
to the log file to dig out this information.  Is there any way to make Declude 
add this information to the header of the held message?

Gary






RE: [Declude.Virus] F-Prot Switches

2006-03-28 Thread Gary Steiner
What is the value of the "AI" switch?  I see it (and others related) explained 
on the F-Prot web site, but I don't understand why one would use it or not use 
it.  Nor does it tell you what the default is.

/HEUR - Uses heuristic scanning of files. 
/NOHEUR - Doesn't use heuristic scanning of files.
/AI - Uses Neural network heuristic scanning of files. 
/NOAI - Doesn't use Neural network heuristic scanning of files.



  Original Message 
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 28, 2006 11:53 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] F-Prot Switches
> 
> #Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual.  The noboot and nomem options
> #   are not listed when you ask fpcmd.exe for help, but they are definitely in the logs.
> SCANFILE D:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt
> 
> 
> Andrew 8)
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
> > Sent: Tuesday, March 28, 2006 8:46 AM
> > To: Declude.Virus@declude.com
> > Subject: [Declude.Virus] F-Prot Switches
> > 
> > After seeing Matt's response I'm curious what other users are 
> > using for their F-prot switches. Some of the switches Matt 
> > uses seem like they should be used but Declude does not 
> > include them in the config shown in their EVA manual. What do 
> > the majority of you all use?
> > 
> > Mark Reimer
> > IT Project Manager
> > American CareSource
> > 214-596-2464
> > 
> > 
> >




Re: [Declude.Virus] F-Prot Switches

2006-03-28 Thread Gary Steiner
If you take a look at the DOS version of F-Prot

ftp://ftp.f-prot.com/pub/dos/fp-316b.zip

you will find that it contains a file called COMMAND.TXT that seems to explain 
everything.  I've attached it below:


The command-line options

F-PROT.EXE is usually run without any parameters and will then enter
interactive mode, but if the /HARD option is used, or a drive, file or
directory is specified, it will enter command-line mode.

Syntax for command-line mode:  F-PROT [drive, file or directory] [options]

The available command-line options are

/APPEND
Appends the report to an existing file (Only used with /REPORT).

/ARCHIVE=n
Scans inside .ARJ, .CAB, .LZH and .ZIP archives.  F-PROT currently
supports only RAR archives created by RAR 2.5 and older - support for
RAR 3.0 will be added soon.  The parameter n specifies how many levels
(archives inside archives) to scan.

/AUTO
May be specified with /DISINF, /DELETE or /RENAME so F-PROT will not
request permission before removing each virus.

/BEEP
Produces an annoying beep when a virus is found.  NOT recommended when
scanning a virus collection.

/COLLECT
Assumes what is being scanned is a virus collection, where viruses might be
found in "abnormal" locations.  In particular, selecting this option will
enable detection of file images of boot sector viruses.  This switch also 
provides the same features as the old /GURU option.  Note that using /COLLECT
will slow down the scan.

/DELETE
Deletes infected files.

/DISINF
Disinfects whenever possible.  It is possible to specify the following
combinations of switches:

/DISINF /DELETE
Disinfects when possible, otherwise deletes infected files.

/DISINF /RENAME
Disinfects when possible, otherwise attempts to rename infected COM/EXE 
files to VOM/VXE.

/DISINF /RENAME /DELETE
Disinfects when possible, otherwise attempts to rename infected COM/EXE
files to VOM/VXE, but if that fails the files are deleted.

/DUMB
Does a "dumb" scan of all files.  This option is often not necessary, 
and /TYPE can be used instead.  The only cases where it might be needed are 
the following:

If you are scanning a virus collection, where infected files have
non-standard extensions, such as .VOM instead of .COM, they will not
be scanned for viruses, unless this switch is specified.

If you are cleaning up a virus infection you should use this
switch.

/EXT
By default F-PROT will open every file and try to determine its type,
so it will for example scan Word files, even if they do not use a DOC/DOT
extension.  By using /EXT the scanning can be speeded up slightly as F-PROT
will then only scan files with "default" extensions.

/FREEZE
"Freezes" the program if a virus is found anywhere.

/HARD
Scans all files on all hard disks in the computer.

/HELP
Displays the list of command-line options.

/INTER
Forces the program to enter interactive mode, even when a path, directory
or file name is given on the command line.

/LIST
Lists all files that are scanned.

/LOADDEF
Load the DEF files into memory.

/NOBOOT
Does not scan boot sectors.

/NOBREAK
Disables ESC and ^C during scanning.

/NOFILE
Does not scan files.  Only useful if you are cleaning up a boot sector infection
and do not want to spend unnecessary time scanning files.

/NOFLOPPY
For use on systems without floppy drives.

/NOHEUR
Version 3 has a smaller, more reliable set of heuristics than version 2,
but they are enabled by default, unlike version 2.  This option allows
you to turn the heuristics off.

/NOMEM
Does not scan memory for viruses.  Not recommended, unless you are
absolutely certain that no viruses are present in memory.

/NOSUB
Does not scan subdirectories.

/PACKED
Scans "inside" various types of compressed executables (PKLITE for
example), by emulating the execution of the decompressor.  As this option
can slow the scan down significantly, we only recommend using it when
scanning new software before installation.

/PAGE
Pauses after each page (command-line mode only).

/REMOVEALL
Removes all macros from all documents.  Useful if you encounter a new
macro virus, and you know that the document did not contain any macros
before it got infected.

/REMOVENEW
If a new variant of a macro virus is found in a document, all macros are
removed from that particular document.

/RENAME
Renames infected COM/EXE files to VOM/VXE.  If files with those
extensions already exist, .VVV  is used instead.  Infected document files
are not renamed, as that would be pointless - they would be equally
infectious afterwards.

/REPORT=file
Sends the output to a file, in addition to displaying it on the screen.

/SAFEREMOVE
Removes all macros from documents, if a known virus is found.

/SERVER
Enable mail-server heuristics.  Will for example complain about encrypted
executables inside archives.

/SILENT
Does not generate any screen output (command-line mode only).

/TYPE
Scan every file, but skip those which do

[Declude.Virus] language specific messages

2006-02-23 Thread Gary Steiner
Can the following be done in Declude EVA?

I have customers who are English speakers, and customers who are Spanish 
speakers.  When a customer is sent a virus, they receive a message telling 
them about the virus (recip.eml).  I want to be able to have a different 
message sent to each of my domains depending on the language of the customer 
(recip-en.eml and recip-es.eml).  I believe this can be done in Junkmail, but 
can it be done in EVA?

Thanks,

Gary Steiner





[Declude.Virus] ClamAV for Windows

2006-02-21 Thread Gary Steiner
Is anyone using one of the various Windows ports for ClamAV under W2K3?  If so, 
which one is best?

Thanks,

Gary Steiner






[Declude.Virus] Outlook 'Space Gap' Vulnerability

2006-01-24 Thread Gary Steiner
One of my customers is receiving email from one of her customers that is 
getting flagged on my server by EVA with the "Outlook 'Space Gap' 
Vulnerability".  What exactly is this?  Is this a problem with the Outlook 
client, and if so, can it be fixed by changing something in the sender's 
Outlook settings?

I see in the EVA manual that I can turn this off using
ALLOWVULNERABILITY OLSPACEGAP

but do I really want to do that?

Thanks,

Gary Steiner






RE: [Declude.Virus] Sober.z

2006-01-07 Thread Gary Steiner
Just looking at my server stats for yesterday, there were only two Sobers 
caught by EVA as viruses.  All the rest were caught by Junkmail as spam.


  Original Message 
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Saturday, January 07, 2006 12:11 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Sober.z
> 
> Easy way to check if your Declude JunkMail is catching your viruses.
> Check for the subject lines and see if you held those messages (or
> whatever you do with your spam).
> 
> I just sorted out the subject lines for the sober.z only messages, and
> here are the ones I received:
> 
> Paris Hilton & Nicole Richie
> You visit illegal websites
> You_visit_illegal_websites
> Your IP was logged
> Your_IP_was_logged
> 
> Andrew 8)
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> > Sent: Friday, January 06, 2006 8:53 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Sober.z
> > 
> > I haven't checked today's results with fpcmd 3.16f, but here 
> > are yesterday's quick stats with fpcmd 3.16e
> > 
> >   8 W32/[EMAIL PROTECTED]
> >   3 W32/[EMAIL PROTECTED]
> >  27 W32/[EMAIL PROTECTED]
> >   1 W32/[EMAIL PROTECTED]
> >  10 W32/[EMAIL PROTECTED]
> >   9 W32/[EMAIL PROTECTED]
> >  81 W32/[EMAIL PROTECTED]
> > 
> > So, yes, Sober is detected by at least 3.16f ... and going 
> > the extra mile, I've just looked up a few samples from 
> > yesterday's log and scanned those manually with fpcmd, and 
> > sure enough, 3.16f also detects them and produces the same output.
> > 
> > Perhaps you are not seeing Sober hits in Declude virus 
> > because you're using the AVAFTERJM setting and your Declude 
> > JunkMail is doing a fantastic job of catching them as spam 
> > before your Declude Virus would get called.
> > 
> > Andrew.
> > 
> > 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
> > > Sent: Friday, January 06, 2006 7:53 PM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] Sober.z
> > > 
> > > Yep... I upgraded to FProt 3.16e and noticed the slowdown. 
> > I thought 
> > > it was a problem with that version, so I upgraded to the 
> > 3.16f which 
> > > was released today. Still no Sober viruses caught.
> > > 
> > > I'm still wondering if I should go back to 3.16d. Anyone 
> > seeing Sober 
> > > caught with these last 2 updates of F-Prot??
> > > 
> > > ~Joe
> > > 
> > > - Original Message -
> > > From: "Bruce Loughlin" <[EMAIL PROTECTED]>
> > > To: 
> > > Sent: Friday, January 06, 2006 10:03 AM
> > > Subject: [Declude.Virus] Sober.z
> > > 
> > > 
> > > > Has any one else noticed that sober.z just stopped today?
> > > >
> > > > I was getting hundreds a day and now I have 0.
> > > > Wasn't this the day it was to morph?
> > > >
> > > > Bruce L.
> > > > AFM
> > > >
> > > >




RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-10 Thread Gary Steiner
Is this a Declude issue or an IMail issue?  I'm using Declude 3.0.5.22 with the 
latest version of SmarterMail, and I haven't seen this behavior at all.  Have 
any other SmarterMail users out there seen this behavior?  

Gary


  Original Message 
> From: marc <[EMAIL PROTECTED]>
> Sent: Saturday, December 10, 2005 8:33 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.
> 
> Mike, thx for fix this problem with your suggestion adding the 
> "SKIPIFVIRUSNAMEHAS Sober" in the "recip.eml" file, this really helps!
> 
> We had the same problem exactly 1 year before, posting here this problem and 
> discuss on imailforum with no solution. Now after the new Sober flood two 
> weeks ago, again all symptoms like your description, also new users was 
> created like po, post, postma, postmaster, ... 
> 
> so i am sure this is a declude issue.
> 
> Windows 2000 Server
> Imail 8.15 HF2
> Declude Virus Standard 1.82
> F-Prot
> 
> Marc
> 
> 
> At 18:49 09.12.2005, you wrote:
> >What I think it might be is a combination of several things and here are
> >some of the common things that I have with information gathered on the
> >different lists:
> >
> >Seems to have first started with IMail 8.x
> >Running Declude Pro, Virus (f-prot), Hijack 1.82
> >Sober virus seems to trigger this event along with the recip.eml file
> >
> >IMail Client (Imail1.exe) will popup on the server with random address in
> >the To and CC field of the client. It seems that the message that is trying
> >to be sent out is the contents of the recip.eml that Declude uses.
> >
> >Will see the registry changes with the SMTPWIN entry under the Users. It
> >seems that this entry is made if you use the IMail Client on the server. In
> >our case the entries added are part of the email address used in the From
> >field of the recip.eml.
> >
> >The way we stopped this from happening was adding the "SKIPIFVIRUSNAMEHAS
> >Sober" in the "recip.eml" file.
> >
> >I'm not sure why it happens on only certain servers, but that's what we have
> >found. I haven't been convinced that the server was hacked. Rebuilding the
> >servers may have corrected the problem, but still not sure the servers are
> >being hacked.
> >
> >Does anyone have the same common items having this problem?
> >
> >Thanks,
> >Mike
> >
> >
> >
> >
> >
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
> >Sent: Friday, December 09, 2005 9:33 AM
> >To: Declude.Virus@declude.com
> >Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
> >
> >
> >Maybe, but you check the maillist history, quite a few servers have the
> >same problem in the past 1.5 years. and the problem persists, if there is 
> >any virus or trojan,  some antivirus program should can detect it now.
> > 
> >I suspect this is a issue of imail webmail,  that's why it bypass the 
> >declude.
> > 
> >
> > - Original Message - 
> > From: John T (Lists)   
> > To: Declude.Virus@declude.com 
> > Sent: Friday, December 09, 2005 4:15 PM
> > Subject: RE: [Declude.Virus] Stranger...
> >
> >
> > I do not think this is either an Imail or Declude issue, rather a
> >server security issue, or rather a compromise of server security.
> >
> > 
> >
> > Sounds like you have some type of virus or Trojan on that server.
> >
> > 
> >
> > John T
> >
> > eServices For You
> >
> > 
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
> > Sent: Thursday, December 08, 2005 9:57 PM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Stranger...
> >
> > 
> >
> > Does any body find the answer of this problem?
> >
> > After 1.5 years, this problem still remain.
> >
> > and IPSWITCH never give me a clear answer about it.
> >
> > 
> >
> > - Original Message - 
> >
> > From: serge   
> >
> > To: Declude.Virus@declude.com 
> >
> > Sent: Tuesday, June 08, 2004 7:46 AM
> >
> > Subject: Re: [Declude.Virus] Stranger...
> >
> > 
> >
> > i know imail1 is a command line mailer
> >
> > but how do i find what is causing the imail 1 window to be
> >open and filled with all these addresses ?
> >
> > see attached gif
> >
> > 
> >
> > 
> >
> > - Original Message - 
> >
> > From: Darin Cox   
> >
> > To: Declude.Virus@declude.com 
> >
> > Sent: Monday, June 07, 2004 10:21 PM
> >
> > Subject: Re: [Declude.Virus] Stranger...
> >
> > 
> >
> > Does this shed any light?
> >
> > 
> >
> > 

re: [Declude.Virus] Notifications

2005-12-05 Thread Gary Steiner
I was told the 3.0.5.21 version fixes the problem in IMail but not in 
SmarterMail.

Since I'm using SmarterMail, I'm waiting for version 3.0.5.22.

Gary Steiner


  Original Message 
> From: "John Carter" <[EMAIL PROTECTED]>
> Sent: Monday, December 05, 2005 3:22 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Notifications
> 
> Imail 8.21
> Declude Pro 3.0.5.21
> 
> Is anyone else still having problems with not getting notices?  Someone
> mentioned a patched version that fixed this, but was pre-.21. I would have
> assumed that those patches would have been in .21. I have all removed except
> the BANnotify.eml (see below).  This one comes to me only, but stopped
> working before 3.0.5.20.
> 
> Thanks,
> John C
> 
> = BANnotify.eml ===
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Email delivery blocked due to file attachment
> 
> In \spool\virus directory
> 
> From: %MAILFROM%
> T0: %ALLRECIPS%
> Subject: %SUBJECT%
> Banned Extension: %BANEXT%
> 
> Queue Name: %QUEUENAME%
> 
> Headers follow:
> %HEADERS%
> 
>



re: [Declude.Virus] Declude 3.0.5.21 Posted

2005-11-30 Thread Gary Steiner
Does this mean that vulnerability notifications are not available for 
SmarterMail?

Gary Steiner


  Original Message 
> From: "David Barker" <[EMAIL PROTECTED]>
> Sent: Wednesday, November 30, 2005 11:13 AM
> To: Declude.JunkMail@declude.com>,
> Subject: [Declude.Virus] Declude 3.0.5.21 Posted
> 
> JM - INVITEFIXON
> Located in Declude.cfg. Some customers had issues related to Outlook meeting
> requests appearing as text only. The default for this directive is OFF.
> 
> JM - Fixed skipping of certain DNSBL tests.
> 
> JM - STOPALLTESTS is now working correctly
> 
> EVA - Incorrect log entries regarding to licensing with EVA
> 
> EVA - Vulnerability Notifications available for Imail
> 
> 
> David B
> www.declude.com
> 
>



Re: [Declude.Virus] Declude virus notification

2005-11-23 Thread Gary Steiner
So the implication is that Declude knows about this and it will be fixed in the 
next release, whenever that may be.


  Original Message 
> From: "Bill Landry" <[EMAIL PROTECTED]>
> Sent: Tuesday, November 22, 2005 5:36 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Declude virus notification
> 
> We had the same problem, at least with v3.0.5.20, which was not sending 
> notification for all viruses caught.  We are running a patched version of 
> v3.0.5.20 now (v3.0.5.20.DF3) and that has resolved the issue.  Don't know 
> when Declude plans to make its next release, but you might request the 
> pre-release if you need to have the notifications.
> 
> Bill
> - Original Message - 
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, November 22, 2005 2:14 PM
> Subject: [Declude.Virus] Declude virus notification
> 
> 
> I've been running with 3.x for over a month, but I just now realized that 
> since I upgraded I am no longer receiving the "Declude Virus caught a virus" 
> messages.  Declude is catching viruses, I'm just not receiving email 
> notification.  I don't believe I changed anything in the virus.cfg file that 
> would account for this.  What other possible causes could there be?
> 
> Gary
> 
> 




[Declude.Virus] Declude virus notification

2005-11-22 Thread Gary Steiner
I've been running with 3.x for over a month, but I just now realized that since 
I upgraded I am no longer receiving the "Declude Virus caught a virus" 
messages.  Declude is catching viruses, I'm just not receiving email 
notification.  I don't believe I changed anything in the virus.cfg file that 
would account for this.  What other possible causes could there be?

Gary




RE: [Declude.Virus] Many New Bagle Variants, Spammed today

2005-09-19 Thread Gary Steiner
Noticed that F-Prot also released a second batch of updates for today.  Though 
they still haven't updated their recent threat list on their web site.


  Original Message 
> From: "John Tolmachoff \(Lists\)" <[EMAIL PROTECTED]>
> Sent: Monday, September 19, 2005 6:22 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Many New Bagle Variants, Spammed today
> 
> Sophos has issued like 4 or 5 notices today of different variants of Bagle.
> 
> John T
> eServices For You
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> > On Behalf Of Greg Little
> > Sent: Monday, September 19, 2005 3:04 PM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Many New Bagle Variants, Spammed today
> > 
> > McAfee just did a 2nd DAT for today.
> > With this note.
> > 
> > >Notice
> > >Due to the number of Bagle variants that have been spammed out today,
> > >AVERT will be releasing the 4585 DAT Files early.  Though we consider all
> > >of the variants to be Low risk we are releasing the dat files solely due
> > >to the amount of spam seen around the seeding of these threats.
> > >
> > So whatever your favorite AV . . . Keep It CURRENT.
> > 
> > Looks like McAfee was blocking many (all?) of this batch as an "unknown
> > virus" (New Poly Win32).
> > 
> > Greg Little
> > 
> > 
> > Colbeck, Andrew wrote:
> > 
> > >Bagle usually comes in several waves of slight variations, so this is
> > >likely to be happening again.
> > >
> > >Banning the zip names is prudent.
> > >
> > >Andrew 8)
> > >
> > >



Re: [Declude.Virus] New Variant of Bagle?

2005-09-19 Thread Gary Steiner
I just checked my F-Prot, and it has a date of 9/19/2005 for both 
"Application/Script viruses and Trojans" and "Document/Office/Macro viruses".  
This is newer than what is on the F-Prot web site, which still says 16 Sep 2005 
for "Application/Script viruses and Trojans" and 6 Sep 2005 for 
"Document/Office/Macro viruses".

The latest virus threat they list on their site is a Zotob variant dated 16 Sep 
2005.

The latest Bagle variant they list on their site is dated 1 Aug 2005.
http://www.f-prot.com/virusinfo/descriptions/bagle_ce.html

You can always submit virus samples to them at
http://www.f-prot.com/virusinfo/submission_form.html



  Original Message 
> From: "Mario Antonio" <[EMAIL PROTECTED]>
> Sent: Monday, September 19, 2005 10:30 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Variant of Bagle?
> 
> Darin,
> 
> Thanks, I am running the latest def of F-prot, and banning those filenames.
> I will ban zip extensions if the thing gets nasty.
> 
> Mario Antonio
> 
> - Original Message - 
> From: "Darin Cox" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, September 19, 2005 10:11 AM
> Subject: Re: [Declude.Virus] New Variant of Bagle?
> 
> 
> > There may be a new variant of Bagle.  There was a new one just last week.
> >
> > You should make sure your FProt defs are up to date.  If it is a new
> > variant, you may want to block these files in your virus.cfg at least
> > until the defs have been updated to catch it.
> >
> > Darin.
> >
> >
> > - Original Message - 
> > From: "Mario Antonio" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Monday, September 19, 2005 10:01 AM
> > Subject: [Declude.Virus] New Variant of Bagle?
> >
> >
> > I see that Declude/F-PROT is not catching these virus:
> >
> > price.zip, new_price.zip, newprice.zip, price_09.zip, price2.zip,
> > new__price.zip
> >
> > I guess it could be a new variant of W32/[EMAIL PROTECTED] that was
> > released on August last year.
> >
> > or Am I missing something?
> >
> >
> > Mario Antonio
> >


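
The stopgap suggested in this thread, banning the listed zip names until scanner definitions catch up, combined with the extension bans (hta, an .exe inside a .zip) and the held-reason header asked about in earlier messages on this page, as an added Python example. It is not Declude's code or its configuration syntax; the `X-Example-Held-Reason` header, the function names and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Names and extensions come from the thread; everything else is this example's.
BANNED_NAMES = {"price.zip", "new_price.zip", "newprice.zip",
                "price_09.zip", "price2.zip", "new__price.zip"}
BANNED_EXTS = {".hta", ".exe"}
MAX_ZIP_MEMBERS = 1000  # assumption: give up on archives with more entries


def _base(name):
    """Last path component, lower-cased, without trailing dots or spaces
    (Windows drops those when the file is saved)."""
    return name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")


def check_name(name, where):
    """Return the ban reasons that apply to one file name."""
    base = _base(name)
    dot = base.rfind(".")
    ext = base[dot:] if dot != -1 else ""
    reasons = []
    if base in BANNED_NAMES:
        reasons.append(f"banned name {base} ({where})")
    if ext in BANNED_EXTS:
        reasons.append(f"banned extension {ext} on {base} ({where})")
    return reasons


def check_zip(data, outer):
    """Check member names from the zip directory; no member is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        return [f"unreadable zip {_base(outer)}"]
    if len(members) > MAX_ZIP_MEMBERS:
        return [f"too many entries in {_base(outer)}"]
    reasons = []
    for info in members:
        hits = check_name(info.filename, f"inside {_base(outer)}")
        if hits and info.flag_bits & 0x1:  # bit 0 set: member is encrypted
            hits = [h + " [encrypted]" for h in hits]
        reasons += hits
    return reasons


def check_message(raw):
    """Return every ban reason for one raw message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name:
            reasons += check_name(name, "attachment")
        if data.startswith(b"PK\x03\x04"):  # zip magic, whatever the name says
            reasons += check_zip(data, name or "unnamed part")
    return reasons


def reason_header(reasons):
    """Hypothetical header recording why a message was held. File names are
    sender-controlled, so non-printable characters are replaced first."""
    text = "; ".join(reasons) or "none"
    clean = "".join(c if c.isprintable() else "?" for c in text)
    return "X-Example-Held-Reason: " + clean


def build_sample(filename, payload):
    """Constructed test message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zip_with(member):
    """Constructed in-memory zip holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for fn, body in [("price.zip", zip_with("invoice.exe")),
                     ("report.hta", b"placeholder"),
                     ("notes.txt", b"hello")]:
        print(reason_header(check_message(build_sample(fn, body))))
```

A name or extension ban holds a message regardless of whether any scanner has a signature for it, which is why it caught the hta attachment that F-Prot missed in the report above.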


Re: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread Gary Steiner
Well, there's always the Declude.Releases mailing list.  Not sure that I've 
ever received anything on that one.  Maybe they need to make another one and 
call it Declude.News.

I'd refer people to Declude's User Forums, but they seem to be extremely 
underutilized by both Declude users and Declude support.  By contrast, the 
SmarterMail user forums are extremely active, though that may be because 
SmarterMail doesn't have a mailing list equivalent to Declude.Junkmail.



  Original Message 
> From: Matt <[EMAIL PROTECTED]>
> Sent: Monday, September 12, 2005 4:27 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] McAfee DailyDAT download location change.
> 
> David,
> 
> Information such as this is best 'pushed' rather than 'pulled'.  Declude 
> should have a notification list that sends announcements of important 
> things concerning all products such as new interims/betas/releases, new 
> and important bugs, updates on known issues and things that can broadly 
> affect customers such as issues like this one.  I wouldn't expect more 
> than a few messages per month.  There was an earlier list that was to be 
> reserved for the absolute biggest issues that never got used, and the 
> specificity of that list was its downfall.  I would create a list and 
> opt all customers into it but give them an opt-out message for the first 
> mailing.  Most Declude customers will never hear about things like this 
> issue with McAfee otherwise.  The site doesn't work at all for timely 
> things such as this.
> 
> BTW, I believe there are probably scripts linked to or contained on the 
> Declude site for McAfee updates.  You will want to change those before 
> anyone new adds it in to their system.
> 
> Thanks,
> 
> Matt
> 
> 
> 
> 
> 
> David Barker wrote:
> 
> > I have been monitoring everything that has been said and I agree - 
> >  there is a place I had setup on the front page for these kinds of 
> > alerts and am currently working on the best way to provide this 
> > information to our customer base using that area on the website.
> >
> > David B   
> > www.declude.com 
> >
> > 
> > *From:* [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] *On Behalf Of *Matt
> > *Sent:* Monday, September 12, 2005 3:58 PM
> > *To:* Declude.Virus@declude.com
> > *Subject:* Re: [Declude.Virus] McAfee DailyDAT download location change.
> >
> > I changed the subject so that people can be alerted to this.  
> > Announcements of things like this would be useful to the entire 
> > Declude customer base.  I am afraid that we are a little over a month 
> > behind.  Those with a single scanner would be screwed.
> >
> > I adjusted my scripts to use the link that you provided and it does in 
> > fact work just great...so far :)
> >
> > Thanks,
> >
> > Matt
> >
> >
> >
> > Scott Fisher wrote:
> >
> >> Great catch Matt.
> >> Mine's gone too since August 2
> >> Thank you Declude for multiple virus scanner option.
> >>  
> >> Try:
> >> http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip
> >>  
> >> From:
> >> http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=st&q=dailydat&rnum=1&hl=en#61f1bcbcc4e71848
> >>  
> >> 
> >>  
> >>  
> >>
> >> - Original Message -
> >> *From:* Matt 
> >> *To:* Declude.Virus@declude.com 
> >> *Sent:* Monday, September 12, 2005 2:26 PM
> >> *Subject:* Re: [Declude.Virus] Seemingly bad virus this morning
> >>
> >> This is a new Bagel variant:
> >>
> >> http://vil.nai.com/vil/content/v_129588.htm
> >>
> >> I was wrong about what was detecting it first...it was F-Prot.  I
> >> just figured out that my McAfee update script is no longer
> >> working.  Does anyone have a newer link to the daily DAT's than
> >> http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.
> >>
> >> Thanks,
> >>
> >> Matt
> >>
> >>
> >>
> >> John Tolmachoff (Lists) wrote:
> >>
> >>>OK, so it is cpl file, which we should all have in our list of banned
> >>>extensions including banned if within a zip file, so we should all be safe,
> >>>correct?
> >>>
> >>>John T
> >>>eServices For You
> >>>
> >>>
> >>>  
> >>>
> -Original Message-
> From: [EMAIL PROTECTED]
> 
> 
> >>>[mailto:[EMAIL PROTECTED]
> >>>  
> >>>
> On Behalf Of Dan Geiser
> Sent: Monday, September 12, 2005 11:49 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Seemingly bad virus this morning
> 
> I opened the zip file and it contained one file called "1.cpl" (without
> 
> 
> >>>the
> >>>  
> >>>