Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread Matt
Scott,

Can I have a million dollars???

:)



R. Scott Perry wrote:

We now have a new interim release 1.78i8 of Declude Virus Pro at 
http://www.declude.com/interim that will look for invalid .bat, .com, 
.pif, and .scr files, and will treat them as vulnerabilities.  It is 
expected that this will cut down significantly on the impact of future 
viruses in the time before new virus definitions are available.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail 
mailservers since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread Donn Bly
If we are already blocking those extensions, how would that help?


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
> Sent: Tuesday, March 02, 2004 6:40 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] New interim Declude Virus Pro to block bogus
> .bat, .com, .pif, and .scr files
>
> We now have a new interim release 1.78i8 of Declude Virus Pro at
> http://www.declude.com/interim that will look for invalid .bat, .com,
> .pif, and .scr files, and will treat them as vulnerabilities.  It is
> expected that this will cut down significantly on the impact of future
> viruses in the time before new virus definitions are available.
>
> -Scott






Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread Darin Cox
It blocks them _inside_ of a zip file, as opposed to regular attachments.

Darin.
 
 
- Original Message - 
From: Donn Bly 
To: [EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 6:57 PM
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block 
bogus .bat, .com, .pif, and .scr files

If we are already blocking those extensions, how would that help?

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
> Sent: Tuesday, March 02, 2004 6:40 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] New interim Declude Virus Pro to block bogus
> .bat, .com, .pif, and .scr files
>
> We now have a new interim release 1.78i8 of Declude Virus Pro at
> http://www.declude.com/interim that will look for invalid .bat, .com,
> .pif, and .scr files, and will treat them as vulnerabilities.  It is
> expected that this will cut down significantly on the impact of future
> viruses in the time before new virus definitions are available.
>
> -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-02 Thread R. Scott Perry

> If we are already blocking those extensions, how would that help?

If you are already blocking .bat, .com, .pif, and .scr files, the new 
interim release won't help.

However, if you are not blocking all those files (most of our customers are 
not), it will help.

It can also be used if you want to allow the good files through.  For 
example, if people have a legitimate need to send .PIF files through, the 
new blocking of bogus .PIF files should prevent any viruses from getting 
through with .PIF extensions.  .bat/.com/.scr have holes that would allow 
viruses through, but it's unlikely that any viruses would take advantage of 
those holes (there are other holes that they can use more easily and gain 
more from).

   -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

> I switched from i5 to i8 6 hours ago. Until now I can see two empty vir
> directories. Before I've had one undeleted vir directory per month. (5000 to
> 7000 msgs / day)

What is in those files?

Have you checked the Declude Virus log file to see the log file entries for 
those E-mails?

   -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Markus Gufler
I switched from i5 to i8 6 hours ago. Until now I can see two empty vir
directories. Before I've had one undeleted vir directory per month. (5000 to
7000 msgs / day)
 
I'm using 
 
BANEZIPEXTS ON
BANEXT (file extensions)
 
Markus
 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Wednesday, March 03, 2004 1:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files


Matt,
Thanks, I don't have the old format listed BANEXT EZIP, I pulled it
out and only list the two:
 
BANEZIPEXTS ON
BANZIPEXTS ON
 
BANEXT  (FILE EXT)
 
 Not sure where to go from here, but I had over 200 vir directories
this morning when I checked, thus I know i7 is working.  Thanks,
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Matt 
Sent: Wed 3/3/2004 2:08 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files



Keith,

I'm not sure about your config, but we did detect an executable within a
password protected file (identified by the text of the captured file)
and blocked it according to our config settings.  I did remove the
BANEXT EZIP setting, maybe if you have both the new and the old format,
this will create issues???  Anyway, this is working for me I think:

- Virus.cfg -
BANEZIPEXTS	ON

BANEXT	BAS
BANEXT	BAT
BANEXT	CMD
BANEXT	COM
BANEXT	EXE
BANEXT	MSI
BANEXT	MSP
BANEXT	MST
BANEXT	PIF
BANEXT	REG
BANEXT	SCR
BANEXT	SCT
BANEXT	VB
BANEXT	VBE
BANEXT	VBS
BANEXT	WSC
BANEXT	WSF
BANEXT	WSH


- Log File -
03/03/2004 01:12:04 Q77320ad90180418d MIME file: Information.zip [base64; Length=12424 Checksum=1573366]
03/03/2004 01:12:04 Q77320ad90180418d Banning .ZIP file with EXE extension.
03/03/2004 01:12:07 Q77320ad90180418d Scanned: Banned file extension. [MIME: 2 12942]
03/03/2004 01:12:07 Q77320ad90180418d From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
03/03/2004 01:12:07 Q77320ad90180418d Subject: Warning about your e-mail account.


- Source Snippet -
For security purposes the attached file  is  password protected. 
Password is  "24247".




Matt




Keith Johnson wrote:

>Scott,
>I dropped back to 1.78i7 and that eicar zip file test (encrypted
>with com file in it), got caught right away and showed up in the log,
>however, I am back to the directories not being removed.  Any thoughts?
>
>I wish I had something to show you in the logs with i8, however,
>nothing shows up in the logs, it just passes straight through.
>
>Keith
>
>   -Original Message-
>   From: Keith Johnson on behalf of Keith Johnson
>   Sent: Wed 3/3/2004 1:37 AM
>   To: [EMAIL PROTECTED]
>   Cc:
>   Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block
>   bogus .bat, .com, .pif, and .scr files
>
>   Scott,
>   I don't think 1.78i8 is working correctly.  Since moving
>   to i8 from i7, I haven't noticed any zip's with viruses in them come through
>   the log.  I thought it was me, however, I password zipped up an eicar virus
>   (first testing it plain to ensure it was blocked), then sent it through and
>   I got it unaltered.  I haven't seen any logs (running MID) that we blocked
>   any, and I know we are getting hammered with them.  Do you have any
>   thoughts?  I may need to fall back to i7 to ensure.  Thanks,
>
>   Keith

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
 I believe it is only with the new encrypted (password) zip files.  I saw in 
my log (when running i8) that my Scanners were picking up and detecting normal zip's, 
normal pifs, normal scr. etc. of all virus flavors (if there is such thing as normal). 
 I believe I wouldn't see (as long as we have a sig file) any banning of normal zips 
(un-passworded) since the AV scanner would pick it and process it first before 
banning.   
 
 For whatever reason, any password laid virus zip files containing com, pif, 
scr, exe, or others are not getting picked up on our system with i8, however, they are 
with i7.   I hope this helps.  
 
 I just used to test this was the Eicar.com virus zipped up with WinZip with 
an applied password.  Ran it through both to an address on the system and also to 
another Declude protected Imail system, both came straight through.
 
Keith


>I'm not clear on exactly what is happening.  Is the problem *only* with
>.ZIP files, or is it also occurring with other types of files?
>
>-Scott



Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread andyb
I also forwarded the original message to your email address with .zip
attached.

Thanks, Andy

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 03, 2004 7:51 AM
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files


> >Matt, that's how I have it setup, and one got through.
>
> What is "one"?  A .ZIP file with a banned encrypted file extension?  A .ZIP
> file with a banned non-encrypted file extension? A .ZIP file with an
> encrypted file that does not have a banned file extension?  Something else?
>
> -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

> For whatever reason, any password laid virus zip files
> containing com, pif, scr, exe, or others are not getting picked up on our
> system with i8, however, they are with i7.   I hope this helps.

I assume you are using "BANEXT EZIP" with i7.  Are you using it with i8 as
well?  Do you have "BANEXT com", "BANEXT pif", etc. in your virus.cfg file?

> I just used to test this was the Eicar.com virus zipped up with
> WinZip with an applied password.  Ran it through both to an address on
> the system and also to another Declude protected Imail system, both came
> straight through.

Do the eicarencodedzip E-mail from the Test Virus Sender at
http://www.declude.com/tools/ get caught?

   -Scott


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

> I also forwarded the original message to your email address with .zip
> attached.

No, no, NO.

NEVER send a virus or any file that you think may be malicious to ANY 
E-mail address that is not expecting it.

We have one and only one E-mail address that viruses or suspicious files 
may be sent to (the declude.com "virustrap" address).

   -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it 
in place of the new commands:
 
BANEZIPEXTS and BANZIPEXTS ON
 
   I used that encoded file to test it under i8 first and it went straight 
through, that is what tipped me off that something was not right.  I then turned 
around and made my own test from eicar.com and it went through.  I just tested it 
under i7 and it got caught.  I am unsure where to turn as our .vir directories are off 
the charts.  
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Wed 3/3/2004 9:01 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus 
.bat, .com, .pif, and .scr files




>  For whatever reason, any password laid virus zip files
> containing com, pif, scr, exe, or others are not getting picked up on our
> system with i8, however, they are with i7.   I hope this helps.

I assume you are using "BANEXT EZIP" with i7.  Are you using it with i8 as
well?  Do you have "BANEXT com", "BANEXT pif", etc. in your virus.cfg file?

>  I just used to test this was the Eicar.com virus zipped up with
> WinZip with an applied password.  Ran it through both to an address on
> the system and also to another Declude protected Imail system, both came
> straight through.

Do the eicarencodedzip E-mail from the Test Virus Sender at
http://www.declude.com/tools/ get caught?

-Scott

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
 This is my top portion of my virus.cfg file under i7 and i8.  
 
Keith

-Original Message- 
From: Keith Johnson on behalf of Keith Johnson 
Sent: Wed 3/3/2004 8:10 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus 
.bat, .com, .pif, and .scr files


Scott, 
 This is a 'top' sample of what I have listed in my Virus.CFG file:
 
BANEZIPEXTS ON
BANZIPEXTS ON
BANEXT exe
BANEXT ex_
BANEXT pif
BANEXT pi_
BANEXT scr
BANEXT sc_
BANEXT bat
BANEXT ba_
BANEXT com
BANEXT co_
 
 Since we modify extensions at our Firewall, you see the different 
alternate extensions above.  I made no modifications to the above moving to i8.  I 
noticed in my log (tried MID and HIGH) after moving to i8 that I no longer saw any 
Banning extension with (EXT) lines.  Thus, I got concerned.  On average, we get a 
virus every few seconds, and moving back to i7, within a minute, I was catching the 
banned extension inside of zip's again.  When I was on i8, I did a simple test of 
zipping an Eicar .com virus and password protecting it.  I ran it through and it went 
straight to my inbox.  I then dropped back to i7 and ran the same file through and it 
was picked up and logged, however, the directory couldn't be removed.  Thus, this 
morning I had well over 200 plus .vir directories to delete.  Any thoughts?  Thanks 
for the aid.
 
Keith
 
-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Wed 3/3/2004 7:57 AM 
To: [EMAIL PROTECTED] 
Cc: 
    Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus 
.bat, .com, .pif, and .scr files




>I'll second that. Running 1.78i8, with BANZIPEXTS and BANEZIPEXTS ON, the
>encoded zip eicar test passes through. The regular zip version of the eicar
>test is caught.

Just to clarify, this IS the expected behavior with 1.78i18.

BANZIPEXTS ON and BANEZIPEXTS ON will *only* block .ZIP files *if* they
contain files that have a banned file extension.  So unless you also have a
line "BANEXT com" in the virus.cfg file, an encrypted eicar.com file won't
get caught.

For others having issues with these new features, please be very clear what
is happening.  There are a lot of possibilities here.  You'll need to
specify [1] Whether you are using BANZIPEXTS ON or BANEZIPEXTS ON (or the
not-recommended-but-still-useful BANEXT EZIP), [2] Whether you have a
BANEXT line to block the appropriate file (BANEXT com, for example), [3]
What type of file you are sending through (.com? .com within a .zip?), [4]
If it is a .ZIP file, is the file inside it encrypted?

-Scott

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

> I am not using BANEXT EZIP with i7 nor i8 per your instructions
> to remove it in place of the new commands:

In that case, i7 will *not* block any encrypted .ZIP files.

> BANEZIPEXTS and BANZIPEXTS ON
>
> I used that encoded file to test it under i8 first and it went
> straight through, that is what tipped me off that something was not right.

What extension does the attachment in your mail client show?  I'm thinking
that the firewall is mucking things up (if it renames the .ZIP to .ZI or
.ZI_, for example, Declude Virus won't look at it).

> I am unsure where to turn as our .vir directories are off the charts.

Unfortunately, this isn't useful information without knowing which
version(s) caused them, and preferably the log file entries for them as
well.  There was an old interim that could cause this, but the latest
should not.

   -Scott


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

> 03/03/2004 10:19:17 Qa313025b008ed2a1 Invalid COM Vulnerability
> 03/03/2004 10:19:17 Qa313025b008ed2a1 File(s) are INFECTED [: W32/[EMAIL PROTECTED]: 3]
>
> does this mean that the "COM Vulnerability" and the virus was discovered?

Correct.  v1.78i9 fixes this, so that the "Invalid COM Vulnerability" will
not be used when a virus scanner detects a virus (so users will see
"W32/Netsky.B" in their notifications, rather than "Invalid COM
Vulnerability").

   -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
I don't know that our firewall is the issue due to it working
under i7 and all prior Declude versions.  The Firewall only modifies the
extension, it does not in any way alter the file.  When you wrote that i7
will not block encrypted zips without the BANEXT EZIP line, it was my
understanding if you have the following:

BANEZIPEXTS ON
BANEXT com

then it will block encrypted zip files containing .com files?  Am
I wrong?  Do I need to have all the following lines in there?

BANEZIPEXTS ON
BANEXT EZIP
BANEXT com

I thought you mentioned that BANEXT EZIP was 'undesirable' and
using the first example above was ideal?

Version i7 is causing the .vir directories and the lines in the
log that indicate Declude could not remove the .vir directory.  Inside
those directories are files called 0.zi and 1.zi   It was my
understanding that i8 fixed this issue with the .vir directory and also
added new features for attacking .bat, .scr, etc.

I am currently on i7, due to i8 not catching encrypted .zip
files with extensions in my BANEXT listing.  This was tested from the
encoded zip file as well as an eicar.com file zipped and password
protected.  



Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files


> I am not using BANEXT EZIP with i7 nor i8 per your 
> instructions to remove it in place of the new commands:

In that case, i7 will *not* block any encrypted .ZIP files.

>BANEZIPEXTS and BANZIPEXTS ON
>
>I used that encoded file to test it under i8 first and it went
> straight through, that is what tipped me off that something was not right.

What extension does the attachment in your mail client show?  I'm
thinking that the firewall is mucking things up (if it renames the .ZIP
to .ZI or .ZI_, for example, Declude Virus won't look at it).

>I am unsure where to turn as our .vir directories are off the charts.

Unfortunately, this isn't useful information without knowing which
version(s) caused them, and preferably the log file entries for them as
well.  There was an old interim that could cause this, but the latest
should not.

-Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

> I don't know that our firewall is the issue due to it working
> under i7 and all prior Declude versions.

The problem is that it CANNOT be working with previous versions.  The
BANZIPEXTS/BANEZIPEXTS options were just added to i8; BANEXT EZIP was just
added to i7.

You're going to need to detail EXACTLY what is happening (see my previous
post for the minimum 4 pieces of information that are needed along with the
version you are using AT THE TIME THE PROBLEM OCCURS).  Time and list
bandwidth is precious today.  :)

> The Firewall only modifies the extension, it does not in any way alter the
> file.

Correct.  If it changes ".ZIP" to ".ZI", it is no longer a .ZIP file, and
the new features will not apply to the file.  Problem solved.

> When you wrote that i7
> will not block encrypted zips without the BANEXT EZIP line, it was my
> understanding if you have the following:
> BANEZIPEXTS ON
> BANEXT com
> then it will block encrypted zip files containing .com files?

No.  That only works with 1.78i8 and higher.

> Version i7 is causing ...

That's not relevant now; that is an old interim release, is a known issue,
and the problem was fixed in v8.

> Inside those directories are files called 0.zi and 1.zi

Then it does sound like the firewall is altering the attachments.  I'll
look into why this may be happening, if it happens with the latest interim,
as time allows.

> I am currently on i7, due to i8 not catching encrypted .zip
> files with extensions in my BANEXT listing.

You'll have to decide whether you want to use i7 as-is, or use the latest
interim in which case we can troubleshoot and fix problems.

   -Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Scott,
I apologize for the flood of emails to you as I know your time
is precious.  However, I pulled the following that BANZIPEXTS and
BANEZIPEXTS was added in i7:

>FYI, we now have a new interim release 1.78i7 (at
>http://www.declude.com/interim ) that will allow you to ban file
>extensions within .ZIP files.

>To do this, you can add either the line "BANZIPEXTS ON" to the
>\IMail\Declude\virus.cfg file (to ban file extensions
>within .ZIP files, for files that are not encrypted) and/or
>"BANEZIPEXTS ON" (to ban file extensions within .ZIP files,
>for files that are encrypted).  They will use the same file extensions
>as the BANEXT option.

I am unsure on the .zip to .zi_ as I have no issues with Declude
with versions 1.78i7 and prior.  It was only with i8 that Declude was
not seeing the zip with hiding file extensions any longer.  I will move
forward to the latest interim and do the testing you require.

Keith

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files


> I don't know that our firewall is the issue due to it working 
>under i7 and all prior Declude versions.

The problem is that it CANNOT be working with previous versions.  The
BANZIPEXTS/BANEZIPEXTS options were just added to i8; BANEXT EZIP was
just added to i7.





RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread ISPhuset Nordic AS
could you please post the link here

just got connected to the list again and can't find anything in the archive
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of System 
> Administrator
> Sent: 3. mars 2004 18:11
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] New interim Declude Virus Pro to 
> block bogus .bat, .com, .pif, and .scr files
> 
> on 3/3/04 11:30 AM, Matt wrote:
> 
> > Since this is working in some cases and not in others, maybe there is a
> > syntax bug.
> 
> I think everyone running i7 and i8 should download version i9 at the interim
> link. I had problems with i8 and they seemed to get fixed after installing
> i9.
> 
> Greg
> 


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Matt,
I had a space in mine, not a tab.  For what it is worth.

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files

Here's a thought.

Since this is working in some cases and not in others, maybe there is a
syntax bug.

I have the following:

BANEZIPEXTS	ON
BANEXT	EXE
BANEXT	COM
etc.

What if someone had spaces, multiple spaces or multiple tabs?  How about
a space or tab following one of the lines?  Maybe Declude isn't parsing
this correctly from the config file???

I think it's worth a quick look.

Matt






R. Scott Perry wrote:

>
>> I apologize for the flood of emails to you as I know your 
>> time is precious.  However, I pulled the following that BANZIPEXTS 
>> and BANEZIPEXTS was added in i7:
>
>
> Sorry, my mistake.
>
>> I am unsure on the .zip to .zi_ as I have no issues with 
>> Declude with versions 1.78i7 and prior.  It was only with i8 that 
>> Declude was not seeing the zip with hiding file extensions any longer.
>
>
> Unfortunately, I'm not sure what you are referring to regarding the 
> hiding file extensions.
>
> Again, it is vital that people be very clear in their posts.  I'm very
> close to turning this into a moderated list until this all blows over.
>
> What we are looking for is to get as much information about bugs in 
> the new interim as quickly as possible on this list, while at the same
> time minimizing the amount of posts to this list.
>
>
>-Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Keith Johnson
Matt,
Is yours working with the TAB, I'll try anything?

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block
bogus .bat, .com, .pif, and .scr files

Here's a thought.

Since this is working in some cases and not in others, maybe there is a
syntax bug.

I have the following:

BANEZIPEXTS	ON
BANEXT	EXE
BANEXT	COM
etc.

What if someone had spaces, multiple spaces or multiple tabs?  How about
a space or tab following one of the lines?  Maybe Declude isn't parsing
this correctly from the config file???

I think it's worth a quick look.

Matt






R. Scott Perry wrote:

>
>> I apologize for the flood of emails to you as I know your 
>> time is precious.  However, I pulled the following that BANZIPEXTS 
>> and BANEZIPEXTS was added in i7:
>
>
> Sorry, my mistake.
>
>> I am unsure on the .zip to .zi_ as I have no issues with 
>> Declude with versions 1.78i7 and prior.  It was only with i8 that 
>> Declude was not seeing the zip with hiding file extensions any longer.
>
>
> Unfortunately, I'm not sure what you are referring to regarding the 
> hiding file extensions.
>
> Again, it is vital that people be very clear in their posts.  I'm very
> close to turning this into a moderated list until this all blows over.
>
> What we are looking for is to get as much information about bugs in 
> the new interim as quickly as possible on this list, while at the same
> time minimizing the amount of posts to this list.
>
>
>-Scott


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Rodney Bertsch
>>Again, it is vital that people be very clear in their posts.  I'm very
>>close to turning this into a moderated list until this all blows over.


Scott, I can certainly sympathize with what you are going through there.
You do an OUTSTANDING job for us and I rank Declude as #1 in my book in all
areas.

I for one would GLADLY want you to turn this into a moderated list.  My
inbox is flooded as it is by virus notifications, add to the immense amount
of posts on the declude list and it's all I can do to just wade through my
e-mail.  I subscribe to the declude list to keep up on all the latest virus
info, not to read a hundred posts asking the same question over and over
again.

PLEASE go to a moderated list!

Rodney Bertsch
IS Coordinator
Kirk NationaLease Co.




Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Matt
Here's a thought.

Since this is working in some cases and not in others, maybe there is a 
syntax bug.

I have the following:

BANEZIPEXTS	ON
BANEXT	EXE
BANEXT	COM
etc.

What if someone had spaces, multiple spaces or multiple tabs?  How about 
a space or tab following one of the lines?  Maybe Declude isn't parsing 
this correctly from the config file???

I think it's worth a quick look.

Matt





R. Scott Perry wrote:


>> I apologize for the flood of emails to you as I know your time
>> is precious.  However, I pulled the following that BANZIPEXTS and
>> BANEZIPEXTS was added in i7:
>
> Sorry, my mistake.
>
>> I am unsure on the .zip to .zi_ as I have no issues with Declude
>> with versions 1.78i7 and prior.  It was only with i8 that Declude was
>> not seeing the zip with hiding file extensions any longer.
>
> Unfortunately, I'm not sure what you are referring to regarding the 
> hiding file extensions.
>
> Again, it is vital that people be very clear in their posts.  I'm very 
> close to turning this into a moderated list until this all blows over.
>
> What we are looking for is to get as much information about bugs in 
> the new interim as quickly as possible on this list, while at the same 
> time minimizing the amount of posts to this list.
>
>    -Scott


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread andyb
thanks,

Andy
- Original Message -
From: "John Carter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 03, 2004 11:37 AM
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files


> Virustrap at the declude.com domain - Scott wisely doesn't post actual
> "@" addresses on the list.  The list archive is probably scanned for
> addresses just as our websites are.
>
> John
>
> -Original Message-
>
> OK...
>
> so I got a No, no, NO
>
> but what is the address!!!???
>
>
> - Original Message -
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> > We have one and only one E-mail address that viruses or suspicious
> > files may be sent to (the declude.com "virustrap" address).
> >
> > -Scott
>
>


RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

> Is yours working with the TAB, I'll try anything?

FYI, tabs/spaces should not affect anything (they are only important in 
.eml files, where only one space/tab per line is allowed in the commands in 
the headers).

   -Scott


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread andyb
That is just wrong...the Internet is all about sharing information.

Andy

> PLEASE go to a moderated list!
>
> Rodney Bertsch
> IS Coordinator
> Kirk NationaLease Co.
>
>


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread System Administrator
on 3/3/04 12:13 PM, ISPhuset Nordic AS wrote:

> could you please post the link here

http://www.declude.com/interim/



Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

> But...I'm curious as to why this new Vulnerability feature is a PRO only
> one. If this is truly a feature that "will cut down significantly on the
> impact of future viruses in the time before new virus definitions are
> available" that sounds like a feature that should be implemented for ALL
> Declude users.

The reason is that this is protection that goes above and beyond what is 
normally expected of a virus scanner.  Given that the Pro version usually 
costs a lot less than most other mailserver AV programs, we feel that it is 
reasonable to limit such features to the Pro version.

However, we do continue to make sure that any basic functionality that is 
required of a mailserver virus scanner be available in all versions (so no 
virus that the AV software can detect should get through even if you are 
using the Lite version).

> We are a local government agency that has need of sending/receiving
> encrypted zip files (due to security reasons) but I have to block all of
> them due to the only option available to us standard version users.
> BANEXT EZIP. Along with the BANZIPEXTS and BANEZIPEXTS being Pro only,
> you are tying the hand of us smaller organizations that do not have the
> means to spend the extra $400 for the pro version.

In this case, we have the "BANEXT EZIP" option available to allow blocking 
of the viruses that AV programs won't be able to detect.

What I would recommend in your case is a new policy that encrypted .ZIP 
files must use an extension other than .ZIP (until viruses start asking 
their victims to rename the files first!).  That way, you will be protected 
against new threats and meet your financial requirements.

> Are you trying to add more features to the Pro version to sweeten the
> deal or is this just an Interim version issue that will eventually make
> it into the standard version?

The BANEXT EZIP will remain in all versions; the BANZIPEXTS/BANEZIPEXTS 
will likely stay in the Pro version (but a final decision has not yet been 
made).

   -Scott


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Matt
Keith Johnson wrote:

> Matt,
> Is yours working with the TAB, I'll try anything?


Yes, mine is working.

It's a shot in the dark, but here's my Virus.cfg attached as a text file 
with the only modification being that my CODE was removed.  You will 
definitely want to customize the settings nearer the top of the file for 
logging and scanners.  It's best to save the attachment and then edit 
from that instead of copy and paste from this E-mail if the attachment 
displays.

Matt

#
# Declude Virus configuration file
#

CODE###

# The "" in the LOGFILE option automatically gets replaced with the month/date

LOGFILE E:\spool\virus\virus.log
LOGLEVEL HIGH
CONSOLE OFF

#
# SCANFILE is the location of the command-line virus scanner. Note that it 
# must include the full path.  VIRUSCODE is the code that scanner returns if
# it finds a virus.
#

SCANFILE1   C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE /PACKED /DUMB /REPORT=report.txt
VIRUSCODE1  3
VIRUSCODE1  6
REPORT1 Infection:

SCANFILE2   C:\Progra~1\Grisoft\AVG7\avg.exe /NOMEM /NOSELF /ARC /REPORT=report.txt
VIRUSCODE2  5
VIRUSCODE2  6
REPORT2 identified

#SCANFILE2  C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
#VIRUSCODE2 5
#VIRUSCODE2 6
#REPORT2    identified


# VIRDIR is the directory to move E-mails with viruses; by default,
# it is set to 'virus' (\IMail\spool\virus).

VIRDIR  E:\spool\virus\hold

# The MAXATONCE option limits the number of AV processes.  For example,
# MAXATONCE 1 will only allow 1 AV process to run at once (IE for licensing
# purposes).  A value of 0 (or commenting it out) allows unlimited processes
# to run at the same time.

MAXATONCE   50

#
# The following options allow you to limit scanning to only incoming or outgoing
# E-mail.
#

INCOMING    ON
OUTGOING    ON

#
# The ONACCESS option should be set to OFF unless you have an on-access virus scanner
# that will be deleting attachments with viruses.  It is recommended NOT to have an
# on-access scanner interfering, and to leave this at OFF.
#

ONACCESS    OFF

#
# The SCANNERTIMEOUT option lets you choose the number of seconds that Declude will
# wait for the virus scanner to finish.  The minimum value is 10 seconds.  Most
# scanners will not need to take that long.  This option is mainly to prevent
# defective scanners (that never finish) from interfering with your outgoing E-mail.
# Raising this will NOT help if your virus scanner always times out.
#

SCANNERTIMEOUT  60

#
# The SKIPEXT option will let you skip scanning of certain file extensions.  For
# example, a GIF file can't contain a virus, so there is no need to scan it.
#

SKIPEXT GIF
SKIPEXT TXT
SKIPEXT JPG
SKIPEXT MPG
SKIPEXT PNG

#
# The BANEXT option will let you ban file extensions.  E-mails containing attachments
# with these file extensions will be quarantined, and if you have a BANnotify.EML file,
# it will be sent out.  This works in the Standard and Pro versions.
#

BANEZIPEXTS ON

BANEXT  BAS
BANEXT  BAT
BANEXT  CMD
BANEXT  COM
BANEXT  CPL
BANEXT  EXE
BANEXT  HTA
BANEXT  JS
BANEXT  MSI
BANEXT  MSP
BANEXT  MST
BANEXT  PIF
BANEXT  REG
BANEXT  SCR
BANEXT  SCT
BANEXT  VB
BANEXT  VBE
BANEXT  VBS
BANEXT  WS
BANEXT  WSC
BANEXT  WSF
BANEXT  WSH


#
# Declude Virus Pro can pre-scan HTML files.  If no dangerous code is detected, the 
# virus scanner will not get called.  This can significantly cut down on CPU usage.
#

PRESCAN ON

#
# Declude Virus can block treat files using CLSID extensions as viruses.  This type of 
# extension will force a certain type of program to be run, while making the file appear
# to be a .TXT or other safe file.  There is no known legitimate reason to send this
# type of file through E-mail.  BANPARTIAL ON bans the Partial Vulnerability.
#

BANCLSID    ON
BANPARTIAL  ON

#
# The FOOTER lines will add a footer to the bottom of E-mails that are scanned.  This may
# not be visible if you send HTML or attachments with the E-mail.
#

#FOOTER ---
#FOOTER [This E-mail was scanned and tested clean for viruses]

#
# The DELETEVIRUSES option, when set to ON, will delete viruses, rather than quarantine them.
# It is recommended to leave this at OFF.
#

DELETEVIRUSES   OFF

#
# The DELIVERERRORS option, when set to ON, will treat errors from the virus scanner as if no
# virus was found.  When set to ON, this could cause viruses to 

Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Don Hickey
I tried this with 1,2,3 spaces and tabs between the BANZIPEXTS, BANZIPEXTS
and the ON.

Then I sent myself a compressed .pif file both pw protected and not pw
protected and every single one was caught (eight total) (as banned extensions
ZIP-PIF).

All my BANEXT lines have one space between it and the actual extension
name...example-

BANEXT EXE

#Regular Zip File
BANZIPEXTS   ON
#Password Protected Zip File
BANEZIPEXTS   ON

Don


- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 03, 2004 10:30 AM
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files


> Here's a thought.
>
> Since this is working in some cases and not in others, maybe there is a
> syntax bug.
>
> I have the following:
>
> BANEZIPEXTS	ON
> BANEXT	EXE
> BANEXT	COM
> etc.
>
> What if someone had spaces, multiple spaces or multiple tabs?  How about
> a space or tab following one of the lines?  Maybe Declude isn't parsing
> this correctly from the config file???
>
> I think it's worth a quick look.
>
> Matt
>
>
>
>
>
>
> R. Scott Perry wrote:
>
> >
> >> I apologize for the flood of emails to you as I know your time
> >> is precious.  However, I pulled the following that BANZIPEXTS and
> >> BANEZIPEXTS was added in i7:
> >
> >
> > Sorry, my mistake.
> >
> >> I am unsure on the .zip to .zi_ as I have no issues with Declude
> >> with versions 1.78i7 and prior.  It was only with i8 that Declude was
> >> not seeing the zip with hiding file extensions any longer.
> >
> >
> > Unfortunately, I'm not sure what you are referring to regarding the
> > hiding file extensions.
> >
> > Again, it is vital that people be very clear in their posts.  I'm very
> > close to turning this into a moderated list until this all blows over.
> >
> > What we are looking for is to get as much information about bugs in
> > the new interim as quickly as possible on this list, while at the same
> > time minimizing the amount of posts to this list.
> >
> >
> >-Scott


Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread R. Scott Perry

> I tried this with 1,2,3 spaces and tabs between the BANZIPEXTS, BANZIPEXTS
> and the ON.

Just a reminder for people who didn't see it:  spaces/tabs are irrelevant 
here (they are only relevant in .eml files).

> Then I sent myself a compressed .pif file both pw protected and not pw
> protected and every single one was caught (eight total) (as banned extensions
> ZIP-PIF).

Great.

   -Scott
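
An added illustration of the two points tested in this thread (not Declude's code and not written by any poster here): a keyword/value config parser that treats any run of spaces or tabs as one separator, and an extension check over ZIP member names, which with traditional ZIP encryption stay readable in the archive's directory even when an entry is flagged as encrypted. The function names, the sample config and the sample archive are constructed for this example; case-insensitive matching and the handling of only BANEXT, BANZIPEXTS and BANEZIPEXTS are assumptions.

```python
import io
import struct
import zipfile

# Constructed sample in the style of the virus.cfg posted in this thread.
# Separators deliberately mix tabs, runs of spaces and trailing whitespace.
SAMPLE_CFG = (
    "# constructed sample, not a real configuration\n"
    "BANZIPEXTS\tON\n"
    "BANEZIPEXTS   ON  \n"
    "BANEXT  PIF\n"
    "BANEXT\t\tscr \n"
    "BANEXT EXE\t\n"
)


def parse_cfg(text):
    """Return (banned_extensions, ban_in_plain_zip, ban_in_encrypted_zip)."""
    banned = set()
    flags = {"BANZIPEXTS": False, "BANEZIPEXTS": False}
    for raw in text.splitlines():
        line = raw.strip()                 # drop leading/trailing blanks
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)        # any run of spaces/tabs separates
        if len(parts) != 2:
            continue                       # keyword without a value: ignore
        key, value = parts[0].upper(), parts[1].upper()
        if key == "BANEXT":
            banned.add(value)
        elif key in flags:
            flags[key] = value == "ON"
    return banned, flags["BANZIPEXTS"], flags["BANEZIPEXTS"]


def build_sample_zip(names, encrypted=()):
    """Build a constructed test archive in memory.

    Python's zipfile cannot write encrypted entries, so for the names in
    `encrypted` only the "encrypted" bit (bit 0 of the general-purpose
    flags) is set in the central directory, which is what a listing reads.
    The payload itself is left untouched.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=(2004, 3, 3, 12, 0, 0))
            zf.writestr(info, b"constructed sample data")
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02")         # central directory record
    while pos != -1:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        name = bytes(data[pos + 46:pos + 46 + name_len]).decode("ascii")
        if name in encrypted:
            bits = struct.unpack_from("<H", data, pos + 8)[0]
            struct.pack_into("<H", data, pos + 8, bits | 0x1)
        pos = data.find(b"PK\x01\x02", pos + 46 + name_len)
    return bytes(data)


def scan_zip(zip_bytes, cfg_text):
    """List (member, extension, encrypted) for members the config bans."""
    banned, ban_plain, ban_encrypted = parse_cfg(cfg_text)
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():         # reads names only, no payload
            encrypted = bool(info.flag_bits & 0x1)
            base = info.filename.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].upper() if "." in base else ""
            applies = ban_encrypted if encrypted else ban_plain
            if applies and ext in banned:
                hits.append((info.filename, ext, encrypted))
    return hits


if __name__ == "__main__":
    sample = build_sample_zip(
        ["notes.txt", "photo.JPG.pif", "setup.scr"], encrypted={"setup.scr"}
    )
    for hit in scan_zip(sample, SAMPLE_CFG):
        print(hit)
```
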