Scott, I have never been able to stop ALL of the EICAR tests from the Declude site. (even with the old server), but I have looked at the -diag screen (it's showing status of 'registered'), the logs, I don't quite understand how to read. Here is a snippet:
01/20/2003 15:25:04 Q693000030158845b Outlook 'CR' vulnerability [Content-ty] 01/20/2003 15:25:05 Q693000030158845b File(s) are INFECTED [0] 01/20/2003 15:25:05 Q693000030158845b Scanned: CONTAINS A VIRUS 01/20/2003 16:32:39 Q7902000b01c0529f File(s) are INFECTED [0] 01/20/2003 16:32:39 Q7902000b01c0529f Scanned: CONTAINS A VIRUS [MIME: 3 136143] 01/20/2003 16:37:16 Q7a18001801c08e9b File(s) are INFECTED [0] 01/20/2003 16:37:16 Q7a18001801c08e9b Scanned: CONTAINS A VIRUS [MIME: 3 100115] 01/20/2003 20:38:19 Qb2970378013a3dc9 File(s) are INFECTED [0] 01/20/2003 20:38:19 Qb2970378013a3dc9 Scanned: CONTAINS A VIRUS [MIME: 3 115927] I also have this to add: When loading up the new sever, our web administration of Imail was extremely slow, after about 2 hours of checking we found out that if we disable the 'network associates McShield' service, the performance problem goes away, and using the web mail stuff is instantaneous (as it should be). After doing this, I didn't see the SCAN.exe process starting up in the task manager anymore, so I became suspicious of the whole operation. Which has led me here..... When I migrated the server over, I grabbed the declude info along with the imail directory. I double checked the url to the scan.exe file when it was on the new server... Thanks Jason -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Monday, January 20, 2003 9:07 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Viruses slipping thru after move to new server.... >This weekend we moved our mail server to a new machine and now we have >had Klez slip through our mail system (and many more I assume). > >The new box is running w2k, Imail 7.13, Declude ver 1.62, and McAfee >Netshield on the server (engine version 4.1.6 and the latest dat >files). I have duplicated the setup from the original mail server, and >can't find any anomolies, but I would appreciate it if you all could >point me in the right direction as what I should check....(by the way, >declude and scan.exe are spawning when an e-mail goes thru, but the >only admin e-mails I get from declude are the 'vulnerability' e-mails >that get >scanned.) Usually, the first things to check are [1] Whether the eicar.com file gets caught from our Test Mail Sender at http://www.declude.com/tools , [2] Checking the diagnostics ("\IMail\Declude -diag") for any problems (such as an invalid activation code), and [3] Checking the log file for any warnings/errors. But, given your information, I can guess #1 and #2, and you may have already checked the logs. Have you tried running the scan.exe program from a command prompt, to see if it catches the eicar.com file? Do you have a "VIRUSCODE 13" line in the \IMail\Declude\virus.cfg file? Is the SCANFILE line in the virus.cfg file the same as the one in the manual (a different path to scan.exe is OK)? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
