RE: [Declude.Virus] NAV 2003 catches passworded virus??
They could easily look for any email with an encrypted zip attachment, and the word password followed on the same line by a CID sourced image in the body and very safely assume it is the virus. It should have a negligible false positive rate, how likely is this to be a standard practice? Thinking about it, how many people would bother to encrypt a zip file for security, then send it along with the password negating that security?

Thanks,
Chuck Frolick
ArgoLink.net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of marc catuogno
Sent: Tuesday, March 16, 2004 4:20 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] NAV 2003 catches passworded virus??

Sorry, I know I’ve brought this up before but I’m befuddled as to how plain old Norton Antivirus 2003 on my XP desktop using Outlook 2002 can pick up this virus within a passworded file without the password. This was held in the virus directory by Declude and I released it to see if it would be caught, and it was - before it was opened. Again, this isn’t really important, but I’d like to know how it is happening. Any theories???

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Document

Your file is attached.
Password -

This was the replacement attachment:

Norton AntiVirus removed the attachment: Info.zip. The attachment was infected with the [EMAIL PROTECTED] virus.
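The check suggested in the reply above (encrypted zip attachment plus the word "password" followed on the same line by a CID-sourced image) can be sketched as follows. This is an added example, not part of the original thread and not code from Norton, F-Prot or Declude; the function names and the sample message are constructed for illustration, and the sample zip holds only harmless text with its encryption flag bit set.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# The word "password" followed on the same source line by an <img> whose src is a cid: URL.
PASSWORD_THEN_CID = re.compile(
    r"password[^\r\n]*<img\b[^>]*\bsrc\s*=\s*[\"']?cid:", re.IGNORECASE)

def zip_is_encrypted(data: bytes) -> bool:
    """True if any archive member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a readable zip: leave it to the regular scanner

def matches_heuristic(raw: bytes) -> bool:
    """Both conditions from the post must hold: encrypted zip AND password + CID image."""
    msg = message_from_bytes(raw, policy=policy.default)
    encrypted_zip = password_with_cid = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if (part.get_filename() or "").lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
            encrypted_zip = encrypted_zip or zip_is_encrypted(payload)
        elif part.get_content_type() == "text/html":
            # latin-1 never fails to decode and the pattern is pure ASCII
            html = payload.decode("latin-1")
            password_with_cid = password_with_cid or bool(PASSWORD_THEN_CID.search(html))
    return encrypted_zip and password_with_cid

def build_sample(encrypted: bool, inline_password: bool) -> bytes:
    """Constructed message: the zip holds harmless text; 'encrypted' only sets the flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless placeholder")
    z = bytearray(buf.getvalue())
    if encrypted:
        z[6] |= 1                          # flags field of the local file header
        z[z.find(b"PK\x01\x02") + 8] |= 1  # flags field of the central directory entry
    msg = EmailMessage()
    msg["Subject"] = "Re: Document"
    msg.set_content("Your file is attached.")
    html = "<p>Your file is attached.</p>"
    if inline_password:
        html += '<p>Password - <img src="cid:constructed-image"></p>'
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(bytes(z), maintype="application", subtype="zip", filename="Info.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for enc in (True, False):
        for pw in (True, False):
            print(f"encrypted={enc} password+cid={pw} -> {matches_heuristic(build_sample(enc, pw))}")
```

Only the combination of both signals matches; an encrypted zip on its own, or an inline image next to the word "password" with an unencrypted attachment, does not.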
RE: [Declude.Virus] Fpcmd command line switches (3.14e)
It sounds like the AV companies are starting to add full MIME support with message body scanning to combat the virus variants.

Thanks,
Chuck Frolick
ArgoLink.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Wednesday, March 17, 2004 8:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fpcmd command line switches (3.14e)

I asked f-prot support about this and all they've told me so far is:

"This option was added to counteract the flow of worms inside password protected zip archives."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fritz Squib
Sent: Tuesday, March 16, 2004 10:07 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Fpcmd command line switches (3.14e)

Has anyone tried the " -server Activate mail filter heuristics." switch yet ?

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

() ascii ribbon campaign - against html mail
/\                        - against microsoft attachments

---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Fpcmd command line switches (3.14e)
I asked f-prot support about this and all they've told me so far is:

"This option was added to counteract the flow of worms inside password protected zip archives."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fritz Squib
Sent: Tuesday, March 16, 2004 10:07 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Fpcmd command line switches (3.14e)

Has anyone tried the " -server Activate mail filter heuristics." switch yet ?

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

() ascii ribbon campaign - against html mail
/\                        - against microsoft attachments
RE: [Declude.Virus] F-prot 3.14e
I am running it locally on W2K Pro without rebooting and did get some error recently but was with the On demand Scanner which is not used. But it clearly stated reboot required. I will test on W2K Server and will soon know. The real issue is if it says reboot do I need to.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Wednesday, March 17, 2004 8:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

We always thought that it depended on whether Real-Time protector and/or Scheduler was updated. Guess some more experimentation is called for, although we're scanning on an NT4 server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Tuesday, March 16, 2004 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

If you run W2K professional usually f-prot asks you to reboot after the upgrade. Running W2K Server it shouldn't ask you for any reboot at all... at least that has been my experience. So.. you don't have to worry about rebooting.

Regards
Luis Arango

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Tuesday, March 16, 2004 8:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

Being new to Declude/F-prot I was testing an install. Running W2K I updated F-Prot from 3.14C to 3.14E and restarted everything without rebooting. Seems to be working fine on my desktop. Is this safe on my mail server as well? I am not very comfortable rebooting that often.

Thanks
DC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

I didn't have 3.14d loaded in production long enough to form an opinion, but 3.14e seems to be working perfectly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-prot 3.14e

Appears to be out today.

--
John Shacklett
[EMAIL PROTECTED]
[EMAIL PROTECTED]
www.continentaloffice.com

__
[Email scanned for viruses by Panda Consulting -www.pandacons.com-]

[AUTOMATED NOTE: Your mail server [129.250.225.148] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
RE: [Declude.Virus] F-prot 3.14e
Thanks. The mail server is W2K server. Appreciate the input.

Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Tuesday, March 16, 2004 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

If you run W2K professional usually f-prot asks you to reboot after the upgrade. Running W2K Server it shouldn't ask you for any reboot at all... at least that has been my experience. So.. you don't have to worry about rebooting.

Regards
Luis Arango

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Tuesday, March 16, 2004 8:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

Being new to Declude/F-prot I was testing an install. Running W2K I updated F-Prot from 3.14C to 3.14E and restarted everything without rebooting. Seems to be working fine on my desktop. Is this safe on my mail server as well? I am not very comfortable rebooting that often.

Thanks
DC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

I didn't have 3.14d loaded in production long enough to form an opinion, but 3.14e seems to be working perfectly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-prot 3.14e

Appears to be out today.

--
John Shacklett
[EMAIL PROTECTED]
[EMAIL PROTECTED]
www.continentaloffice.com
RE: [Declude.Virus] F-prot 3.14e
We always thought that it depended on whether Real-Time protector and/or Scheduler was updated. Guess some more experimentation is called for, although we're scanning on an NT4 server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Tuesday, March 16, 2004 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

If you run W2K professional usually f-prot asks you to reboot after the upgrade. Running W2K Server it shouldn't ask you for any reboot at all... at least that has been my experience. So.. you don't have to worry about rebooting.

Regards
Luis Arango

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Tuesday, March 16, 2004 8:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

Being new to Declude/F-prot I was testing an install. Running W2K I updated F-Prot from 3.14C to 3.14E and restarted everything without rebooting. Seems to be working fine on my desktop. Is this safe on my mail server as well? I am not very comfortable rebooting that often.

Thanks
DC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-prot 3.14e

I didn't have 3.14d loaded in production long enough to form an opinion, but 3.14e seems to be working perfectly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, March 16, 2004 12:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-prot 3.14e

Appears to be out today.

--
John Shacklett
[EMAIL PROTECTED]
[EMAIL PROTECTED]
www.continentaloffice.com
Re: [Declude.Virus] Question about virus log entries
> Scott, I am seeing a bunch of the following type entries in my virus logs:
>
> Found potentially dangerous stuff in M:\IMail\spool\Dc62d3de40042810d.vir\0.!
>
> I see that these messages do get held, but rather get delivered. However, Declude is holding viruses. Is this something I should be concerned about?

No, you don't need to worry about that. That will occur with Declude Virus Pro on LOGLEVEL HIGH when prescanning is used, and just indicates that the prescanning determined that an HTML E-mail needs to be sent to the virus scanner (because it contains JavaScript, Active-X, or other "potentially dangerous stuff").

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
Re: [Declude.Virus] Question about virus log entries
Oops, meant to say "do NOT get held."

Bill

----- Original Message -----
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 16, 2004 10:42 PM
Subject: [Declude.Virus] Question about virus log entries

> Scott, I am seeing a bunch of the following type entries in my virus logs:
>
> Found potentially dangerous stuff in M:\IMail\spool\Dc62d3de40042810d.vir\0.!
> Found potentially dangerous stuff in M:\IMail\spool\Dc800179a006ca25f.vir\0.htm!
> Found potentially dangerous stuff in M:\IMail\spool\Dc943102d00909026.vir\0.!
>
> I see that these messages do get held, but rather get delivered. However,
> Declude is holding viruses. Is this something I should be concerned about?
>
> Bill