Re: [Declude.Virus] clamwin second scanner error
Here's a couple of parameters I personally use for Clam-AV: --max-ratio 0 --max-space 1M max ratio sets a maximum ratio for compressed files. I've had zip files that contained txt files get false positives. Setting it to 0 disables this test. max space sets the maximum amount of megabytes to extract for a compressed file. I figured no need to over scan compressed files especially with more than one scanner. - Original Message - From: Harry Vanderzand To: Declude.Virus@declude.com Sent: Friday, March 03, 2006 4:15 PM Subject: [Declude.Virus] clamwin second scanner error I added clamav as a second scanner to my virus.cfg file as follows: SCANFILE C:\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE=5 -DUMB -NOBOOT -REPORT=report.txtVIRUSCODE 3VIRUSCODE 6VIRUSCODE 8REPORT Infection: SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE 1 Now I get the folowing error in the virus log: 03/03/2006 17:11:59.307 qbf26019990d6.smd Vulnerability flags = 86203/03/2006 17:12:09.448 qbf26019990d6.smd Could not find parse string Infection: in report.txt03/03/2006 17:12:09.448 qbf26019990d6.smd Error 50 in virus scanner 1.03/03/2006 17:12:09.448 qbf26019990d6.smd Your virus scanner DOES NOT EXIST (at D:\IMail\spool\proc\work\DBF260~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.]03/03/2006 17:12:09.448 qbf26019990d6.smd Scanned: Error starting scanner Any idea what I did wrong? thank you Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W., Kitchener, ON,N2M 1L2519-741-1222
RE: [Declude.Virus] clamwin second scanner error
Hi, I get a similar error and my virus.cfg file contains this entry SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE 1 (I only use clam so VIRUSCODE will be 1) I geta similar error. this is an example ofone log entry . 03/04/2006 10:55:18.528 q640402a300d0f29e.smd Vulnerability flags = 003/04/2006 10:55:18.538 q640402a300d0f29e.smd MIME file: [text/html][quoted-printable; Length=867 Checksum=69427]03/04/2006 10:55:18.769 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:20.932 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:23.586 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:25.799 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:28.433 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 but here is another...(note is says "contains a virus") 03/04/2006 10:55:39.268 q64142ab20086f2a4.smd Vulnerability flags = 003/04/2006 10:55:39.278 q64142ab20086f2a4.smd Outlook 'CR' vulnerability [Subject: Y] in line 603/04/2006 10:55:39.368 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:41.451 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:44.015 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:46.108 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:48.181 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:50.184 q64142ab20086f2a4.smd File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 50] 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Scanned: CONTAINS A VIRUS 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 213.199.252.61]03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Subject: Your sex popularity is in your hands and in the hands of Ultra Allure Pheromones. Based on these two different files and log entrie, is CLAM working correctly or not? (Windows 2003, Declude 3.05, CLam AV - up to date latest version.) Kindest RegardsCraig Edmonds123 Marbella InternetW: www.123marbella.comE : [EMAIL PROTECTED]Marbella Guide Web PortalW: www.marbellaguide.comE: [EMAIL PROTECTED] DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. AVISO LEGAL - Este mensaje puede contener informacion confidencial, en propiedad o legalmente protegida y esta dirigida unicamente para el uso de la persona destinataria. Si usted no es la persona destinataria de este mensaje, por la presente se le comunica que no debe usar, difundir, copiar de ninguna forma, ni emprender ninguna accion en relacion con ella.= From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry VanderzandSent: Saturday, March 04, 2006 5:07 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner error thank you George I made the change but now get a different error: 03/03/2006 23:04:41.708 q11c601a3eb87.smd Error 50 in virus scanner 2.03/03/2006 23:04:41.708 q11c601a3eb87.smd Scanned: Error in virus scanner. Do you know what that is about? Harry Vanderzand inTown Internet Computer Services 519-741-1222 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulmanSent: Friday, March 03, 2006 6:15 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner error Harry, For the second scanner you need to have a 2 after SCANFILE and VIRUSCODE SCANFILE2 C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE2 1 George From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry VanderzandSent: Friday, March 03, 2006 5:16 PMTo: Declude.Virus@declude.comSubject: [Declude.Virus] clamwin second scanner error I added clamav as a second scanner to my virus.cfg file as follows: SCANFILE C:\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE=5 -DUMB -NOBOOT -REPORT=report.txtVIRUSCODE 3VIRUSCODE 6VIRUSCODE 8REPORT Infection: SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE 1 Now I get the folowing error in the virus log: 03/03/2006 17:11:59.307 qbf26019990d6.smd Vulnerability flags = 86203/03/
RE: [Declude.Virus] clamwin second scanner error
Craig, You seem to be using the command lines for Clamav and not ClamWn in your virus.cfg. The following id for a default installation of ClamWin. Also, be sure that you have a C:\Temp directory set up. SCANFILE C:\Progra~1\clamwin\bin\clamscan.exe --verbose --database=C:\Docume~1\Alluse~1\.clamwin\db --tempdir=c:\Temp --no-summary -l report.txt VIRUSCODE 1 REPORT FOUND George From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds Sent: Saturday, March 04, 2006 5:05 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] clamwin second scanner error Importance: High Hi, I get a similar error and my virus.cfg file contains this entry SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt VIRUSCODE 1 (I only use clam so VIRUSCODE will be 1) I geta similar error. this is an example ofone log entry . 03/04/2006 10:55:18.528 q640402a300d0f29e.smd Vulnerability flags = 0 03/04/2006 10:55:18.538 q640402a300d0f29e.smd MIME file: [text/html][quoted-printable; Length=867 Checksum=69427] 03/04/2006 10:55:18.769 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:20.932 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:23.586 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:25.799 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:28.433 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 but here is another...(note is says contains a virus) 03/04/2006 10:55:39.268 q64142ab20086f2a4.smd Vulnerability flags = 0 03/04/2006 10:55:39.278 q64142ab20086f2a4.smd Outlook 'CR' vulnerability [Subject: Y] in line 6 03/04/2006 10:55:39.368 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:41.451 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:44.015 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:46.108 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:48.181 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:50.184 q64142ab20086f2a4.smd File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 50] 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Scanned: CONTAINS A VIRUS 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 213.199.252.61] 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Subject: Your sex popularity is in your hands and in the hands of Ultra Allure Pheromones. Based on these two different files and log entrie, is CLAM working correctly or not? (Windows 2003, Declude 3.05, CLam AV - up to date latest version.) Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED] Marbella Guide Web Portal W: www.marbellaguide.com E: [EMAIL PROTECTED] DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. AVISO LEGAL - Este mensaje puede contener informacion confidencial, en propiedad o legalmente protegida y esta dirigida unicamente para el uso de la persona destinataria. Si usted no es la persona destinataria de este mensaje, por la presente se le comunica que no debe usar, difundir, copiar de ninguna forma, ni emprender ninguna accion en relacion con ella. = From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand Sent: Saturday, March 04, 2006 5:07 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] clamwin second scanner error thank you George I made the change but now get a different error: 03/03/2006 23:04:41.708 q11c601a3eb87.smd Error 50 in virus scanner 2. 03/03/2006 23:04:41.708 q11c601a3eb87.smd Scanned: Error in virus scanner. Do you know what that is about? Harry Vanderzand inTown Internet Computer Services 519-741-1222 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulman Sent: Friday, March 03, 2006 6:15 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] clamwin second scanner error Harry, For the second scanner you need to have a 2 after SCANFILE and VIRUSCODE SCANFILE2 C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt VIRUSCODE2 1 George From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand Sent: Friday, March 03, 2006 5:16 PM
RE: [Declude.Virus] clamwin second scanner error
Thanks George, that seemed to worked. Kindest RegardsCraig Edmonds123 Marbella InternetW: www.123marbella.comE : [EMAIL PROTECTED]Marbella Guide Web PortalW: www.marbellaguide.comE: [EMAIL PROTECTED] DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. AVISO LEGAL - Este mensaje puede contener informacion confidencial, en propiedad o legalmente protegida y esta dirigida unicamente para el uso de la persona destinataria. Si usted no es la persona destinataria de este mensaje, por la presente se le comunica que no debe usar, difundir, copiar de ninguna forma, ni emprender ninguna accion en relacion con ella.= From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulmanSent: Saturday, March 04, 2006 1:04 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner error Craig, You seem to be using the command lines for Clamav and not ClamWn in your virus.cfg. The following id for a default installation of ClamWin. Also, be sure that you have a C:\Temp directory set up. SCANFILE C:\Progra~1\clamwin\bin\clamscan.exe --verbose --database="C:\Docume~1\Alluse~1\.clamwin\db" --tempdir="c:\Temp" --no-summary -l report.txt VIRUSCODE 1 REPORT FOUND George From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig EdmondsSent: Saturday, March 04, 2006 5:05 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner errorImportance: High Hi, I get a similar error and my virus.cfg file contains this entry SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE 1 (I only use clam so VIRUSCODE will be 1) I geta similar error. this is an example ofone log entry . 03/04/2006 10:55:18.528 q640402a300d0f29e.smd Vulnerability flags = 003/04/2006 10:55:18.538 q640402a300d0f29e.smd MIME file: [text/html][quoted-printable; Length=867 Checksum=69427]03/04/2006 10:55:18.769 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:20.932 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:23.586 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:25.799 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:28.433 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 but here is another...(note is says "contains a virus") 03/04/2006 10:55:39.268 q64142ab20086f2a4.smd Vulnerability flags = 003/04/2006 10:55:39.278 q64142ab20086f2a4.smd Outlook 'CR' vulnerability [Subject: Y] in line 603/04/2006 10:55:39.368 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:41.451 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:44.015 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:46.108 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:48.181 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:50.184 q64142ab20086f2a4.smd File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 50] 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Scanned: CONTAINS A VIRUS 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 213.199.252.61]03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Subject: Your sex popularity is in your hands and in the hands of Ultra Allure Pheromones. Based on these two different files and log entrie, is CLAM working correctly or not? (Windows 2003, Declude 3.05, CLam AV - up to date latest version.) Kindest RegardsCraig Edmonds123 Marbella InternetW: www.123marbella.comE : [EMAIL PROTECTED]Marbella Guide Web PortalW: www.marbellaguide.comE: [EMAIL PROTECTED] DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. AVISO LEGAL - Este mensaje puede contener informacion confidencial, en propiedad o legalmente protegida y esta dirigida unicamente para el uso de la persona destinataria. Si usted no es la persona destinataria de este mensaje, por la presente se le comun
RE: [Declude.Virus] clamwin second scanner error
thank you George. I appreciate the help It is running well now Harry Vanderzand inTown Internet Computer Services 519-741-1222 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulmanSent: Saturday, March 04, 2006 7:04 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner error Craig, You seem to be using the command lines for Clamav and not ClamWn in your virus.cfg. The following id for a default installation of ClamWin. Also, be sure that you have a C:\Temp directory set up. SCANFILE C:\Progra~1\clamwin\bin\clamscan.exe --verbose --database="C:\Docume~1\Alluse~1\.clamwin\db" --tempdir="c:\Temp" --no-summary -l report.txt VIRUSCODE 1 REPORT FOUND George From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig EdmondsSent: Saturday, March 04, 2006 5:05 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner errorImportance: High Hi, I get a similar error and my virus.cfg file contains this entry SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE 1 (I only use clam so VIRUSCODE will be 1) I geta similar error. this is an example ofone log entry . 03/04/2006 10:55:18.528 q640402a300d0f29e.smd Vulnerability flags = 003/04/2006 10:55:18.538 q640402a300d0f29e.smd MIME file: [text/html][quoted-printable; Length=867 Checksum=69427]03/04/2006 10:55:18.769 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:20.932 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:23.586 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:25.799 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:28.433 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 but here is another...(note is says "contains a virus") 03/04/2006 10:55:39.268 q64142ab20086f2a4.smd Vulnerability flags = 003/04/2006 10:55:39.278 q64142ab20086f2a4.smd Outlook 'CR' vulnerability [Subject: Y] in line 603/04/2006 10:55:39.368 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:41.451 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 5003/04/2006 10:55:44.015 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:46.108 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:48.181 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:50.184 q64142ab20086f2a4.smd File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 50] 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Scanned: CONTAINS A VIRUS 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 213.199.252.61]03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Subject: Your sex popularity is in your hands and in the hands of Ultra Allure Pheromones. Based on these two different files and log entrie, is CLAM working correctly or not? (Windows 2003, Declude 3.05, CLam AV - up to date latest version.) Kindest RegardsCraig Edmonds123 Marbella InternetW: www.123marbella.comE : [EMAIL PROTECTED]Marbella Guide Web PortalW: www.marbellaguide.comE: [EMAIL PROTECTED] DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. AVISO LEGAL - Este mensaje puede contener informacion confidencial, en propiedad o legalmente protegida y esta dirigida unicamente para el uso de la persona destinataria. Si usted no es la persona destinataria de este mensaje, por la presente se le comunica que no debe usar, difundir, copiar de ninguna forma, ni emprender ninguna accion en relacion con ella.= From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry VanderzandSent: Saturday, March 04, 2006 5:07 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner error thank you George I made the change but now get a different error: 03/03/2006 23:04:41.708 q11c601a3eb87.smd Error 50 in virus scanner 2.03/03/2006 23:04:41.708 q11c601a3eb87.smd Scanned: Error in virus scanner. Do you know what that is a
RE: [Declude.Virus] clamwin second scanner error
Glad to hear it. G -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Harry Vanderzand Sent: Saturday, March 04, 2006 10:17 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] clamwin second scanner error thank you George. I appreciate the help It is running well now Harry Vanderzand inTown Internet Computer Services 519-741-1222 From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of george kulman Sent: Saturday, March 04, 2006 7:04 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] clamwin second scanner error Craig, You seem to be using the command lines for Clamav and not ClamWn in your virus.cfg. The following id for a default installation of ClamWin. Also, be sure that you have a C:\Temp directory set up. SCANFILE C:\Progra~1\clamwin\bin\clamscan.exe --verbose -- database=C:\Docume~1\Alluse~1\.clamwin\db --tempdir=c:\Temp --no- summary -l report.txt VIRUSCODE 1 REPORT FOUND George From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Craig Edmonds Sent: Saturday, March 04, 2006 5:05 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] clamwin second scanner error Importance: High Hi, I get a similar error and my virus.cfg file contains this entry SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt VIRUSCODE 1 (I only use clam so VIRUSCODE will be 1) I get a similar error. this is an example of one log entry . 03/04/2006 10:55:18.528 q640402a300d0f29e.smd Vulnerability flags = 0 03/04/2006 10:55:18.538 q640402a300d0f29e.smd MIME file: [text/html][quoted-printable; Length=867 Checksum=69427] 03/04/2006 10:55:18.769 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:20.932 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:23.586 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:25.799 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:28.433 q640402a300d0f29e.smd Virus scanner 1 reports exit code of 50 but here is another...(note is says contains a virus) 03/04/2006 10:55:39.268 q64142ab20086f2a4.smd Vulnerability flags = 0 03/04/2006 10:55:39.278 q64142ab20086f2a4.smd Outlook 'CR' vulnerability [Subject: Y] in line 6 03/04/2006 10:55:39.368 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:41.451 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:44.015 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:46.108 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:48.181 q64142ab20086f2a4.smd Virus scanner 1 reports exit code of 50 03/04/2006 10:55:50.184 q64142ab20086f2a4.smd File(s) are INFECTED [[Outlook 'CR' Vulnerability]: 50] 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Scanned: CONTAINS A VIRUS 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 213.199.252.61] 03/04/2006 10:56:11.334 q64142ab20086f2a4.smd Subject: Your sex popularity is in your hands and in the hands of Ultra Allure Pheromones. Based on these two different files and log entrie, is CLAM working correctly or not? (Windows 2003, Declude 3.05, CLam AV - up to date latest version.) Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com http://www.123marbella.com/ E : [EMAIL PROTECTED] Marbella Guide Web Portal W: www.marbellaguide.com http://www.marbellaguide.com/ E: [EMAIL PROTECTED] DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. AVISO LEGAL - Este mensaje puede contener informacion confidencial, en propiedad o legalmente protegida y esta dirigida unicamente para el uso de la persona destinataria. Si usted no es la persona destinataria de este mensaje, por la presente se le comunica que no debe usar, difundir
RE: [Declude.Virus] clamwin second scanner error
Harry, For the second scanner you need to have a 2 after SCANFILE and VIRUSCODE SCANFILE2 C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt VIRUSCODE2 1 George From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand Sent: Friday, March 03, 2006 5:16 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] clamwin second scanner error I added clamav as a second scanner to my virus.cfg file as follows: SCANFILE C:\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE=5 -DUMB -NOBOOT -REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6 VIRUSCODE 8 REPORT Infection: SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt VIRUSCODE 1 Now I get the folowing error in the virus log: 03/03/2006 17:11:59.307 qbf26019990d6.smd Vulnerability flags = 862 03/03/2006 17:12:09.448 qbf26019990d6.smd Could not find parse string Infection: in report.txt 03/03/2006 17:12:09.448 qbf26019990d6.smd Error 50 in virus scanner 1. 03/03/2006 17:12:09.448 qbf26019990d6.smd Your virus scanner DOES NOT EXIST (at D:\IMail\spool\proc\work\DBF260~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.] 03/03/2006 17:12:09.448 qbf26019990d6.smd Scanned: Error starting scanner Any idea what I did wrong? thank you Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W., Kitchener, ON,N2M 1L2 519-741-1222
RE: [Declude.Virus] clamwin second scanner error
thank you George I made the change but now get a different error: 03/03/2006 23:04:41.708 q11c601a3eb87.smd Error 50 in virus scanner 2.03/03/2006 23:04:41.708 q11c601a3eb87.smd Scanned: Error in virus scanner. Do you know what that is about? Harry Vanderzand inTown Internet Computer Services 519-741-1222 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulmanSent: Friday, March 03, 2006 6:15 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner error Harry, For the second scanner you need to have a 2 after SCANFILE and VIRUSCODE SCANFILE2 C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE2 1 George From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry VanderzandSent: Friday, March 03, 2006 5:16 PMTo: Declude.Virus@declude.comSubject: [Declude.Virus] clamwin second scanner error I added clamav as a second scanner to my virus.cfg file as follows: SCANFILE C:\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE=5 -DUMB -NOBOOT -REPORT=report.txtVIRUSCODE 3VIRUSCODE 6VIRUSCODE 8REPORT Infection: SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE 1 Now I get the folowing error in the virus log: 03/03/2006 17:11:59.307 qbf26019990d6.smd Vulnerability flags = 86203/03/2006 17:12:09.448 qbf26019990d6.smd Could not find parse string Infection: in report.txt03/03/2006 17:12:09.448 qbf26019990d6.smd Error 50 in virus scanner 1.03/03/2006 17:12:09.448 qbf26019990d6.smd Your virus scanner DOES NOT EXIST (at D:\IMail\spool\proc\work\DBF260~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.]03/03/2006 17:12:09.448 qbf26019990d6.smd Scanned: Error starting scanner Any idea what I did wrong? thank you Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W., Kitchener, ON,N2M 1L2519-741-1222
RE: [Declude.Virus] clamwin second scanner error
thanks again, I think I figured it out. A reboot of the server solved it Harry Vanderzand inTown Internet Computer Services 519-741-1222 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry VanderzandSent: Friday, March 03, 2006 11:07 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner error thank you George I made the change but now get a different error: 03/03/2006 23:04:41.708 q11c601a3eb87.smd Error 50 in virus scanner 2.03/03/2006 23:04:41.708 q11c601a3eb87.smd Scanned: Error in virus scanner. Do you know what that is about? Harry Vanderzand inTown Internet Computer Services 519-741-1222 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulmanSent: Friday, March 03, 2006 6:15 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] clamwin second scanner error Harry, For the second scanner you need to have a 2 after SCANFILE and VIRUSCODE SCANFILE2 C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE2 1 George From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry VanderzandSent: Friday, March 03, 2006 5:16 PMTo: Declude.Virus@declude.comSubject: [Declude.Virus] clamwin second scanner error I added clamav as a second scanner to my virus.cfg file as follows: SCANFILE C:\F-Prot\fpcmd.exe -TYPE -SILENT -NOMEM -ARCHIVE=5 -DUMB -NOBOOT -REPORT=report.txtVIRUSCODE 3VIRUSCODE 6VIRUSCODE 8REPORT Infection: SCANFILE C:\progra~1\clamwin\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txtVIRUSCODE 1 Now I get the folowing error in the virus log: 03/03/2006 17:11:59.307 qbf26019990d6.smd Vulnerability flags = 86203/03/2006 17:12:09.448 qbf26019990d6.smd Could not find parse string Infection: in report.txt03/03/2006 17:12:09.448 qbf26019990d6.smd Error 50 in virus scanner 1.03/03/2006 17:12:09.448 qbf26019990d6.smd Your virus scanner DOES NOT EXIST (at D:\IMail\spool\proc\work\DBF260~1.VIR\); NOT SCANNING ATTACHMENTS! [2] Error String: [The system cannot find the file specified.]03/03/2006 17:12:09.448 qbf26019990d6.smd Scanned: Error starting scanner Any idea what I did wrong? thank you Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W., Kitchener, ON,N2M 1L2519-741-1222
Re: [Declude.Virus] ClamWin
I use this version of clamav: http://www.sosdg.org/clamav-win32/index.php with this wrapper to get virus names: http://www.smartbusiness.com/imail/declude/ My global.cfg lines: SCANFILE2 d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt VIRUSCODE2 1 REPORT2 FOUND If you have Declude Pro and you can afford to turn off Prescan, CLAMav will catch phish for you. - Original Message - From: John Carter [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 10, 2004 8:15 AM Subject: [Declude.Virus] ClamWin Has anyone else installed the GUI version of ClamAV? I got a successful install using the default settings (C:\Program Files\ClamWin\). Now I am getting an error code 50 in the Declude log. Plus the Declude manual says nothing about a REPORT line in the virus cfg for ClamAV, but a reply in the list archives says to use REPORT FOUND. Tried it both ways without success. What do I use? Thanks, John --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] ClamWin
I did as Scott recommended and turned off prescan; but afterwards I noticed in the clam logs that ClamAV had caught phish previously with prescasn ON sooo why would you think that is so? eg - I guess what I'm asking is will ClamAV reliably anti-phish to its capability with prescan on? PRESCAN ON (which works with Declude Virus Pro) saves CPU resources by not calling the AV scanner when an E-mail arrives that contains one or more HTML segments, if [1] there are no other segments except text and/or HTML segments, and [2] the HTML doesn't contain any code that Declude Virus identifies as potentially dangerous. In other words, since most E-mail these days has HTML (by default, most mail clients send HTML E-mail, even if you just say hi in normal text), PRESCAN ON is able to save a lot of CPU time by not scanning those E-mails (while still catching the few E-mails that contain viruses/worms in HTML, such as kak.worm). The drawback here to PRESCAN ON is that phishing attacks won't get sent to the virus scanner, so a virus scanner that is looking for them won't find them. What you are probably seeing is an E-mail with a phishing attack that *does* contain potentially dangerous code. For example, if it contains any JavaScript -- even safe JavaScript code -- it would be sent to the virus scanner. So you may see the virus scanner detecting some phishing attacks even with PRESCAN ON. But to catch them all, you would need PRESCAN OFF. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] ClamWin
Maybe the new MyDoom virus suggests a change in the way that PRESCAN qualifies messages? These messages don't contain any exploitable code, however it is likely that these viruses will all be linked by way of an IP. So maybe sending messages to the virus scanner when they contain an IP would be wise? I am of course guessing that some virus scanners are detecting this just like they detect the phishes. As Andrew pointed out in the other forum, it wouldn't be a surprise to see these messages use a standard port, or even exclude the port and default to 80, and if they did that, we would be hard pressed to detect all of these viruses since it would mean that content patterns alone would be the deciding factor in detection and they can be variable enough for individual administrators to not be able to handle, while the AV companies consider this type of thing to be their job. Matt R. Scott Perry wrote: I did as Scott recommended and turned off prescan; but afterwards I noticed in the clam logs that ClamAV had caught phish previously with prescasn ON sooo why would you think that is so? eg - I guess what I'm asking is will ClamAV reliably anti-phish to its capability with prescan on? PRESCAN ON (which works with Declude Virus Pro) saves CPU resources by not calling the AV scanner when an E-mail arrives that contains one or more HTML segments, if [1] there are no other segments except text and/or HTML segments, and [2] the HTML doesn't contain any code that Declude Virus identifies as potentially dangerous. In other words, since most E-mail these days has HTML (by default, most mail clients send HTML E-mail, even if you just say hi in normal text), PRESCAN ON is able to save a lot of CPU time by not scanning those E-mails (while still catching the few E-mails that contain viruses/worms in HTML, such as kak.worm). The drawback here to PRESCAN ON is that phishing attacks won't get sent to the virus scanner, so a virus scanner that is looking for them won't find them. What you are probably seeing is an E-mail with a phishing attack that *does* contain potentially dangerous code. For example, if it contains any JavaScript -- even safe JavaScript code -- it would be sent to the virus scanner. So you may see the virus scanner detecting some phishing attacks even with PRESCAN ON. But to catch them all, you would need PRESCAN OFF. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] ClamWin
Thanks. Since I didn't really need the GUI, I uninstalled it, went with the other version, and used your virus.cfg lines. It seems to be happy now. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Wednesday, November 10, 2004 9:14 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] ClamWin I use this version of clamav: http://www.sosdg.org/clamav-win32/index.php with this wrapper to get virus names: http://www.smartbusiness.com/imail/declude/ My global.cfg lines: SCANFILE2 d:\imail\declude\runclamscan.exe log=0 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt VIRUSCODE2 1 REPORT2 FOUND If you have Declude Pro and you can afford to turn off Prescan, CLAMav will catch phish for you. - Original Message - From: John Carter [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 10, 2004 8:15 AM Subject: [Declude.Virus] ClamWin Has anyone else installed the GUI version of ClamAV? I got a successful install using the default settings (C:\Program Files\ClamWin\). Now I am getting an error code 50 in the Declude log. Plus the Declude manual says nothing about a REPORT line in the virus cfg for ClamAV, but a reply in the list archives says to use REPORT FOUND. Tried it both ways without success. What do I use? Thanks, John --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] ClamWin
We are on exactly the same track. If this kind of attack catches on, and the e-mail can look like almost anything. Passing everything to the more CPU consuming AV engine may be needed. This attack will work just fine in a plain text (non-HTLM) e-mail. (Will the link work easy?) Greg Matt wrote: Maybe the new MyDoom virus suggests a change in the way that PRESCAN qualifies messages? --- [This E-mail scanned for viruses by Findlay Internet] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
