OK I think I have figured out what is happenning on the CC: issue. The CC
emails are only occurring on one domain - creative-color.com. So the -c in
the domain name must be causing the CC emails.
FYI, this will be taken care of in v1.15, which should be out by the end of
the week.
What happens on the Imail1.exe popup if no one is logged in?
I'm not sure. G Under normal circumstances, it shouldn't pop up at
all. It should only appear if there is an error of some sort that needs to
be fixed. My guess would be that the window would not pop up (or at least
not be
When Declude experiences problems it completely halts all mail going in or
out of the mail server.
Actually, Declude is designed so that when there is a problem it can't
handle, the mail WILL go through. For example, if there is a crash, you
won't get that "An application error occurred..."
FYI, we have just had a report from people using v1.15 that E-mail
notifications are sometimes being sent out to/from the incorrect domain
(the %LOCALHOST% and %REMOTEHOST% variables are being switched). This is
something that we are looking into; I will post here when we find out what
the
... on a test system I un-mimed about 150 virused
e-mails, scanned them and discovered a pattern.
Given the selected output below, the only reliable
setting you should use in your config file is
"REPORT Found" (without the quotes).
Good job! It's too bad that McAfee doesn't keep things the
I'm not happy unless I'm tinkering with something, is there any way I could
get a list of all the config settings for v1.17?
You should find them all either at http://www.declude.com/virus/install.htm
, or http://www.declude.com/relnotes.htm (which has a few extra options not
yet listed in
When I run the scan.exe from a DOS prompt over the Imail\Spool folder, I get
a could not be opened - permission denied message. Do I have to grant
some autority to the spool folder?
You shouldn't normally need to grant any special permissions (unless you
had previously set permissions on the
if one of my customers has an email contaning virus and he still want it how
can i find this message in virus directory... so htat i dont have o get all
back in the spool directory again
One way is to search the Declude or IMail logs to find the spool file name
(Q1234567.SMD and D1234567.SMD,
Have been out of town lately. What is the latest version of declude virus?
Also,
where is the download site?
The latest version is 1.20 (there's a beta version 1.23, with 1.24 on the
way soon). You can always find the latest version at
http://www.declude.com/virus/manual.htm .
Next Question? I am using F-Prot. How do I get the virus name to show up? I am
using the following switch line. I have it below.
C:\f_prot\f-prot.exe /NOBO /NOME /AR /DU /P /C /AU /DEL
/AP /REPORT=report.txt
Now you just need to add a line REPORT Infection, that will let Declude
know to
With the increase in virus activity during the last week maybe we reached
the MAXATONCE 4 and it didn't 'wait' for the 5th?
That wouldn't be it. With the MAXATONCE setting, Declude will wait for
other scanner processes to finish, and then it will scan the E-mail. You
can check to see
I had the postmaster of an ISP request the headers of the virus. I
was able to get them, but thought it might be nice if Declude could do
it automatically.
Is it possible to have Declude automatically be able to send all the
header info?
That isn't possible currently, but I have added that to
With Declude I keep on getting mails from Postmaster saying
Invalid final delivery userid: info@localhost
Any explanation for this?
Have you made changes to your \IMail\Declude\*.eml files? It's possible
that if a mistake was made in one of them, E-mail could be addressed to
Please forgive me for being stupid, but in the manual on the Declude
website, it said something about making sure that Netshield is
creating/saving a report file in the same directory as the scanner is
operating from? Does it do that by default?
Sorry for the confusion. The /REPORT report.txt
The messages from this mailing list include a header
line that says:
X-Note: This E-mail was scanned for viruses by Declude (www.declude.com)
Is this a configurable setting on the virus.cfg file ?
Checked on www.declude.com/virus/manual.htm but found
no references to it.
We cheated,
revdns is added to the subject on some folks (like mine) replies and posts -
I assume that is a result of a test of some sort - does that mean I need to
work on my mail servers dns?
Yes, that means that our server wasn't able to find a reverse DNS entry for
your mail server. It's rumored that
At 11:38 AM 8/7/01 -0500, you wrote:
ow .. :(
This is something you really should have listed on your pre-sales
information pages ... I would have been very interested in knowing this
before purchasing the product.
We are planning to update our web site to make this clearer. However, you
can
One simple question.
I have just installed declude virus. If the sender is a user from my
organization I only want to notify the sender, and not the recipient (I do
not want that somebody out of my company knows that we have a virus), but
when the virus is send by somebody out of my office I
Do you think it will be possible in near future ? I think it's an important
feature to protect the prestige of the company and not only notify to a
customer (out going messages) that our virus protection system has detected
the virus and not send the e-mail, but to hide that the company have a
We have just released Declude Virus v1.24 (beta). It includes the
following changes:
o Previous versions could send out E-mails from Declude JunkMail or Declude
Confirm; fixed.
o %LOCALHOST% will return the master host name in remote-to-remote E-mails
o You can now ban certain file
Does anything happen to these BANNED files? And are any alerts to anyone
made?
With v1.24, no notifications are made; the files are just quarantined. We
are considering whether or not to add support for E-mail notifications for
the banned files.
oh, man - what is the cost going to be for the pro version...by domain - I
was really waiting for that one???
I should have more information later tonight or tomorrow, but I'm guessing
nobody will be too disappointed.
-Scott
This E-mail came
Hopefully it is a corrupted non voltile strain??? Don't want my 20 bucks for
20 users to go to waste :)
I just had it tested in our virus lab, and when we try to run it (on NT) a
pop-up windows appears that says that it is not a valid Windows NT
application. Nor did it change the registry
Is this at new version of SirCam
came with this subject: homepage
and this text Hi!
You've got to see this page! It's really cool ;O)
and an attachnebt called homepage.htm.zlv with an icon showing a letter and
a lock on top of it ???
That sounds like the HomePage virus. If you go to
Has this been announced yet? Didn't see it on the site.
We made the decision to make it a free upgrade for existing users, as a way
of saying Thanks to our customers.
Are the per domian/user settings the only addition, or are more planned?
Right now, it's just the per-domain and per-user
How did you get all that info in the email from Declude? Mine only states
the following:
Declude Virus caught a virus with the subject Snowhite and the Seven
Dwarfs - The REAL story!
from to: [EMAIL PROTECTED]
The spool file name is Daf9d0f8.SMD.
The E-mail template files are fully
I get that. But why did Imail drop the email into [EMAIL PROTECTED] account
which is the only domain on the server? Why did it not send it off to the
correct place?
The %LOCALHOST% variable will return the domain of the local user (the one
on your domain). If the person is relaying their mail
Can someone post a working recip.eml that uses the ONLYSENDIFREMOTESENDER
option?
I can't seem to get it working as expected. The recip.eml always goes out.
You just add ONLYSENDIFREMOTESENDER on a line by itself to the recip.eml
file (preferably the first line).
Also, what is determining
Can you take a look at the attached files? The zip contains the queue files
of the test message, my recip.eml, debug log output for the message, and the
generated recipient notification.
The problem is that you are running an older version of Declude (1.14
through 1.16). If you upgrade to
I have been unsuccessful at locating a list of the variables for customizing
the email template for Delude's warning email. Can anyone point me in the
right direction? Thanks in advance.
http://www.declude.com/virus/manual.htm , look at the E-mail
notifications section.
08/22/2001 15:50:18 ERROR: SCANFILE option must not have any spaces in the
pathname
My SCANFILE line is:
SCANFILEtabd:\imail\declude\FullScan.Batcr/lf
Everything works. It is still calling the scanner successfully.
We added that test to help people who are initially installing Declude
I get a console screen of the virus scanning popping up whenever I am logged
into the server.
Are you using LOGLEVEL DEBUG in the virus.cfg file? That would cause this.
I added CONSOLE OFF to the virus .cfg and get 08/22/2001 16:37:39 Console
turned OFF in the log file.
That's different,
I saved an email message infected with Sircam virus as a .eml file, and
tried to scan it with different AV programs.
of all what I used (Fprot, Mcafee, Sophos, Norton), only norton detected
the virus.
That's because the .eml file you saved isn't a virus, it's an E-mail. An
E-mail can
LOGLEVELhigh
LOG_OK NONE
Are you getting the Virus Free messages in the log, or are you getting
other ones? It may be that some of the LOGLEVEL HIGH messages will get
recorded whether or not the E-mail has a virus in it.
What kind of load can I expect to put on my server when using declude. I
have a PII with 256ram running 650 email accounts and a web server.
The most important factor is the number of E-mails scanned per day. With
650 E-mail accounts, unless you do a much higher than average volume, I
In my virus log I see this error:
Waring: Virus Scanner reported an error #8.
F-Prot will return a #8 code if it finds a suspicious file. You may want
to try adding /NOHEUR to the SCANFILE line in \IMail\Declude\virus.cfg
to prevent F-Prot from running its heuristics test, which could be
Which runs first on the Imail machine
when an email comes in: Declude or
the kill.lst and rules.ima?
First (when the E-mail is being received), the kill.lst and access control
(IP list) are run.
Next, Declude is called.
Finally, during the delivery, the rules.ima is used.
I sent a message to [EMAIL PROTECTED] about needing to know what would be
needed to re-install in the event of a reconstruction of a server
Normally, all you need to do for a re-install is follow the same procedure
as during the original installation ( at
I received an email this AM containing a new virus which got through our
IMail server running Declude with FPROT.
Anyone else seen this?? My antivirus data files should be current.
This is the new Nimda virus, that appears to be related to...
We're also being pounded by systems infected with
Is it possible to get the virus name listed in the virus.log ?
If you set the the LOGLEVEL config option to MID or HIGH, it will record
the virus name and attachment name in the log file.
-Scott
This E-mail came from the Declude.Virus mailing
What is the relation between www.frisk.is and http://www.datafellows.com/ ?
They both have a product called f-prot and their dos version is 3.10c. As
far as I can tell, they are the same product Are they the same company?
If I understand correctly, Frisk develops F-Prot and licenses the
The only files being saved are filenames like 0.htm etc.
Kaspersky is scanning the files fine now, but the deletion of the vir
directories is not happening.
Do you have an on-access scanner running? It could be locking the files
when Declude tries to delete them.
So I just put in the fprot scanner and am still having these errors in the
log file:
10/03/2001 17:11:57 Q9b36446 Could not find parse string found in report.txt
REPORTInfection
I also have this at the end of the virus.cfg:
REPORT Found
The problem is that you have the REPORT line
Scott, any chance of getting declude to support two scanners natively
without using a batch file?
Sure would be nice :-)
It's in the suggestion database. It's not requested that often, but I do
think that it would be a nice feature to have built-in support for.
When using declude, can we still use an externel filter program as in
http://support.ipswitch.com/kb/IM-2517-DM01.htm ???
Yes. However, that external program will need to call declude.exe instead
of smtp32.exe. If it does that, then the external program and Declude will
be able to work
can someone tell me what this means too ...
VIRUSCODE 3
VIRUSCODE 6
in the virus.cfg file...
Command line virus scanners (the type that work with Declude) are able to
return an exit code (also sometimes called return code or error
code). A virus scanner will return an exit code of 0
By the way... you told me to use the white list so that no mail coming from my
server is bounced for bad headers etc but doesn't that essentially mean
that it is disabled or not!
Using the WHITELIST feature (part of Declude JunkMail) will prevent a
specific IP or E-mail address from
We plan on *enforcing* virus checking for all users.
In that case, Declude Virus Standard should meet your needs.
I believe I saw somewhere that only the Pro
version checks outbound mail. Is this correct?
Declude Virus Standard will scan all incoming and outgoing SMTP E-mail.
Declude
I have gotten many notifications as postmaster with Snow White and Magistr
and I know that at least some of our users have gotten notifications. Is it
possible that only certain variants of these viruses do this?
You will get the postmaster notifications.
The problem is that these viruses
What's the command I can add to /virlist to write the list of viruses
protected against to a file?
F-Prot /virlist virlist.txt
-Scott
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL
Would there be someway I could get a report on how many viruses were caught
(incoming and outgoing) on a per domain basis and possibly on a per user
basis? Similar to the Imail log files that tell me how many e-mails a
domain and user sends and receives in a day.
The log files only report a
Any word on when the full release of 1.28 will happen?
v1.28 has been released, and is a beta version.
The way our releases work is that we come out with new releases typically
every few weeks on average, and either label them as betas or public releases.
Sometimes, after a beta version has
Does 1.28 include the option to only send to local rcpt ? Where do I get the
info / instructions ?
Yes, actually, it does. You can add ONLYSENDIFLOCALRECIPIENT as the
first line on any of the .eml files, and Declude will only send the
notification if the recipient is a local user of yours.
We just ran a test with the Test eicar.com file [eicarinline] and it
was received. Should this file been blocked?
Yes, it should be caught (all the encoding methods used on that page should
be caught).
That ones uses a .zl6 extension, which may be the problem. If you are
using F-Prot, you
Does Imail 7.04 Hotfix 2 affect Declude in any way? We are
preparing to apply the patch today.
It should not affect Declude in any way.
The only catch is that there is a chance that it could overwrite the
registry entry that Declude uses to interface with IMail. To be safe,
after
We've been having a few issues with those comctl32 crashes, especially
when large mailing lists are posted to. We've gone through the steps
noted in the KB, as well as updating IE (which they say updates the
comctl32), however are still having the issues.
Is it a .DLL initialization failure
Will Declude be affected by the new release of I-Mail's Anti-Virus software?
Yes, but it's too early to say how it will affect Declude. I don't see it
affecting Declude in a negative way. Usually, extra competition benefits
the customers.
We've had a couple weeks now since we first found
Will this also work with .scr files?
Is that the exact syntax?
Yes, it will work with any file extension. Just add:
BANEXT PIF
BANEXT SCR
to your \IMail\Declude\virus.cfg file, and Declude Virus will quarantine
all E-mail with .PIF and .SCR extensions. Note that it will
Where can I get the DOS virus scanner to use with Declude Virus? I just
purchased this and need to get the scanner now. From what I recall it was
like $20 or something like that.
There are several URLs; the one we use is http://www.frisk.is (or
http://www.f-prot.com/f-prot/download/ to
11/29/2001 09:55:55 Q76a92be 1 [1 of 2 not deleted] files were deleted. Use
ONACCESS ON if you use an external (on access) virus scanner.
That would happen if you already have a REPORT Found line in your config
file, along with the /REPORT c:\imail\spool\virus\report.txt in the
SCANFILE
At the moment, Declude moves my viruses into the imail/spool/virus
subdirectory
Anyway to just have declude delete everything ... I have no desire to
store the messages especially if they are infected.
There is no way to have Declude automatically delete them. That's mainly a
safety feature,
There is no way to have Declude automatically delete them. That's mainly a
safety feature, in case of problems with the virus scanner (if it starts
reporting that all files have viruses, for example).
Would you consider adding a switch for the config file to do this in
the next version
Attached is the Imail Mailbox with a virus tha got thru today
This may be the corrupted version of Magistr, that some AV programs detect
and others do not. I tried F-Prot with the latest definitions, and McAfee,
and neither caught it. The corrupt version of Magistr does not do any
damage
I received this message with several attached files, .mbx .srt .iud. So
either they aren't infected, or Fprot also let them through here.
Since the .mbx file was sent, it may or may not get caught by a virus
scanner (since the file is encoded within the .mbx file).
Beside, I did state the attachement contain a virus, and all you need to do
is not open it, I hope for your sake you know that, If you don't know that,
you probably don't belong on this list.
The problem is that some viruses will load automatically under some
circumstances (such as using
I just installed netshield on my Imail server machine
It considerably slows POP performance, even though I exluded the spool
directory, the Imail users mailboxes directory, and later tried to exclude
the complete Imail drive. still POP3 very slow.
It may not really be excluding those
Scott would it be possible to get a SENDONLYIFLOCALRECIPIENT feature soon
please?
That should make it to 1.27a, which may be released within the next few
days (or possibly sometime next week).
-Scott
This E-mail came from the
In the declude.cfg look for;
SCANNERTIMEOUT 60
I think 60 is the default so if you increase this your scanner is allowed
more time to scan big files and thus eliminate your problem.
Actually, his problem is with the scanner itself, when it is not being used
with Declude.
The SCANNERTIMEOUT
forwarded email from aol (.eml files) have gotten through declude and
f-prot. users are returning messages to our users that those emails have a
virus. i need to include eml file attachments in scanning.
Declude with F-Prot should catch those. When the E-mail is forwarded as an
.eml file,
I exluded all imail directories (spool, domaines, users, ...) and the
subdirectories from netshield scanning, but it is still trying to scan the
spool (see below).
Anyone run into this problem before ? please help !
12/10/01 06:32 Cleaned AUTORITE NT\SYSTEM
Declude Queue is a new piece that we are adding to Declude. It is designed
to help improve the speed of delivery of overflow messages (when E-mail
is received, but there aren't any spare SMTP processes to send it), as well
as minimizing the chance of bumping into Microsoft's nasty mystery
I see this type of log entry in my declude logs about 2 or 3 times a day.
Can someone shed some light on it for me?
11/30/2001 10:55:36 Qba0820e Warning: EOF in middle of MIME segment []
[--2108ef124501dfae7a3ee072572b7fcf]
That occurs when there is a malformed E-mail.
I have been trying to get the Log File Analyzer to work and after sending a
copy of a log file to Stu, have determined that my version of Declude isn't
putting the : after the phrase Virus=. Is it possible that I have an
older version of Declude that generated this text in the log files? Is it
Is there a way to kill all incoming .scr attachments? using declude or
something else?
You can add a line BANEXT scr to your \IMail\Deculde\virus.cfg file,
which will ban files with .scr attachments. Note, however, that no
notifications will go out if you do this.
what version do i have to be running to use this feature?
It is in v1.24 and higher (you can type Declude -diag from a command
prompt to see the version number).
-Scott
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
This
and will it scan first and if no virus isfound will it then ban it? thereby
sending the notification if it is known to be infected?
That is correct -- the E-mail will still be scanned, and the notifications
will be sent out if it contains a virus.
Does anyone know if McAfee is catching the w32/Goner-A virus?
Yes. McAfee, F-Prot, Sophos, and others have new virus definitions that
are catching it.
-Scott
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
This E-mail
So if you use the banext, the mail is not delivered if the attachment
matches the extension but there is no notification at all?
That is correct. The E-mail will be quarantined, but no virus
notifications will go out.
example
banext scr
I get a message that has an scr attachment but not a
We're having trouble recently with virus scanning with Declude. Several
times lately the *.vir directories that Declude creates as temporary scan
areas will fill up in our imail\spool folder. These directories contain a
simple report.txt file saying no virus's had been found, but the
Anyone still getting the Goner virus alot? That first day I got a bunch but
now I'm not. I'm worried they are getting through but maybe they just died
down.
It seems to be almost gone. It was well named!
-Scott
---
[This E-mail was scanned for viruses by
I have a client who just said they received the Goner yesterday. When I do a
F-Prot /virlist | find goner /i
it does show the goner. I looked up the email message the client said they
got the virus from and it showed no virus.
I wonder if I need to re-install F-PROT. I show I have not caught
We have just released Declude Virus v1.29.
Notable new features include:
o The ability to send a bounce message to people sending banned files
(BANEXT),
o A new DELETEVIRUSES configuration option to delete viruses rather than
quarantine them,
o A FOOTER option to add a footer to the bottom of
Clarification please on DELETEVIRUSES. I assume it doesn't try to remove the
attachment, but deletes the queue files.
That's correct. It deletes the queue files, but does not attempt to remove
the attachment.
-Scott
---
[This E-mail was scanned for viruses
If the attachment has a banned extension and a virus, which email
notification will be sent? Thanks.
Good question!
In that case, the virus notifications will go out, and the ban notification
will not go out.
For example, if you have BANEXT com, and send the eicar.com file, the
virus
If I send a message via the IMail web messaging way with an infected
attachment from my school account to an outside account it goes through -
declude doesn't catch it.
IMail often uses an internal mechanism to deliver E-mail sent from web
messaging, which can bypass Declude. Few viruses are
Whoops, I didn't mean to send to the whole list! Sorry, I'm REALLY new at
this.
Don't worry about it -- a lot of people join the list so that they can find
out all the intricate details of Declude.
-Scott
---
[This E-mail was scanned for viruses by Declude
Does BANnotify.EML get sent to the intended recipients or to the sender.
The default one will get sent to the sender. But, you can change that if
you like.
The example of BANnotify.EML doesn't show a from or to address. Are these
addresses configurable, like with the other templates?
If
Hey it doe work. All get same message but that's ok. This is what I did
To: %ALLRECIPS%,%MAILFROM%,[EMAIL PROTECTED]
Good work -- I didn't realize that could be done.
-Scott
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
Am I missing something? In the past I thought that the
vir.log actually listed the names of the viruses found - but I
am not seeing this. All I am seeing are generic messages such
as '12/09/2001 21:57:49 Q249e036 File(s) are INFECTED [3]'
Is this a result of using the PRESCAN, or is it
With PRESCAN it runs without a hitch (have only had to restart and
clean up once). With PRESCAN off, then we have a problem coping
with the load. I'm ranging about 0.7% of messages infected
compared to some higher figures I have seen by others - Perhaps
the prescanning feature cuts down on the
Hm, I feel just the opposite. I feel guilty about getting top support, a
great tools web-site and an ever-expanding product and NOT paying an annual
upgrade fee to pay for all that development effort.
FYI, something else I should mention. Now that Declude has been out for
over a year (about
Well, while they're debating business ethics, I'll bite:
How do I configure multiple virus scanning?
Good question!
You can have up to 5 different virus scanners. You add them by adding the
same SCANFILE, VIRUSCODE, REPORT and OKCODE lines that you would
normally add, except there will be
That would have been true if everyone had to pay for a new feature.
but the fact that the pro version get the new feature free, and the standard
version do not is not right.
Does that mean we should offer two identical products with different names,
and charge different for them? :)
But this
Another quick question without actually reading the instruction pagewhat
is the logic of the multiple virus scanners? Will it pass the scan onto the
next scanner if a virus is found?
Yes. All the virus scanners will always be called. Although there is a
small amount of extra CPU time
I was looking at logfile entries more closely than usual after popping 1.30ß
in after lunch, and I found these three lines. Is this something new, or
have I just not been paying attention?
12/18/2001 13:11:28 Q86cf106 Found a bogus .url file
This is part of a new feature that is in
What is the advantage, if any, of specifying a Temporary directory for AV
to scan files? They're are scanned in the spool directory by default,
aren't they?
Declude needs somewhere to temporarily store the files that need to be
scanned. By default, Declude uses temporary directories off of
I am using McAfee with no problems but I have the Pro
AntiVirus version of Declude and Frisk F-Protect. I have
McAfee loaded and monitoring files outside of Imail but
I am wondering how others install multiple antivirus without
problems. Do I disable Netshield all together and install
F-Protect?
have a huge ramdisk... ?!?!
How big is big enough ?
10M ? 50M? 100M ?
If it is just used for Declude's scanning, it should be large enough to
handle ( (n * max) + overhead ) bytes, where n is the maximum number of
E-mails that could be scanned simultaneously (which should be either 30, or
Will MAXATONCE also help limit it, or does Declude go ahead and decode
everything before the prior instances have finished?
No, that won't limit it. The MAXATONCE only limits the number of scanner
processes that can be running at the same time. Declude decodes the files
first, and then
I just completed an Imail upgrade from version 6.06 to 7.0, =
but my Declude virus checker stopped working. I used the test eicar =
from the declude site and it got through. Was there something that I was =
also supposed to do for Declude?? Any help would be greatly appreciated. =
1 - 100 of 1188 matches
Mail list logo