Darrell,
What happens in this scenario? Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, let's say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days. Does Declude Virus still run against it
prior
---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail,
mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.
Keith Johnson writes:
Darrell,
What happens in this scenario. Virus file comes
Markus,
However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).
Is this not true?
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday,
David,
If you don't mind, what is the latest revision of Declude? I know there
have been several 'hot fixes', just want to make sure I have the latest. Thanks
again,
Keith
From: [EMAIL PROTECTED] on behalf of David Barker
Sent: Wed 11/30/2005 9:33 AM
David,
Are these to be used to correct issues with Dual-proc, or is
that still an ongoing issue still being looked at? Thanks for the time.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 11:41
I am seeing this as we are attempting to get to certain websites and they
can't be displayed.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
Sent: Friday, September 09, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject:
Daniel,
Give this a try:
http://www.f-prot.com/support/windows/fpwin_faq/88.html
-Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 11:06 AM
To: 'Declude.Virus@declude.com'
Subject: RE:
Aaron,
I have tried F-prot (www.f-prot.com)? It is very fast and not
very expensive, and the reliability is outstanding.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Moreau-Cook
Sent: Wednesday, April 20, 2005 1:37 PM
To:
The past few days I am incurring a lot of these types of errors in the virus log:
02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile
02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected
E-mail2! Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD
Scott,
We are not running on-access scanners (very careful about that), we are
running Imail 8.15. I didn't even install the Realtime Scanner in f-prot and
have CA Realtime disabled as a service. Anything else that I can look at?
Keith
-Original Message-
ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
02/18/2005 11:44:13 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]
Any ideas or suggestions?
Keith
From: Keith Johnson
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent
What would the following indicate:
01/21/2005 15:04:06 Q5df1239b014af8b3 Error 183 creating temp directory
F:\IMail\spool\D5df1239b014af8b3.vir\.
01/21/2005 15:04:06 Q5df1239b014af8b3 Scanned: Error starting scanner
Thanks for the aid.
Keith
---
[This E-mail was scanned for viruses by Declude
Andy,
Upon your phone call with Barry, should we as Declude Users (4 lic. in
my case), contact Barry directly before upgrading or should we await a post
on this forum for new procedures? I too have a cold spare, however, Declude is
not loaded there until necessary and upon written
Q06634053002e6803 Error 183 creating temp directory
F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner
Thanks for the aid, running 1.81
---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001
Also,
ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD
[2]
Please advise to what this is, thanks,
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 10:24 AM
To: [EMAIL PROTECTED
Also getting:
Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] What
: [Declude.Virus] What are these
Do you have an on-access scanner running?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 7:38 AM
To: [EMAIL
Scott,
We are backing up in our Queue of about 8000 emails and we
started seeing the below messages as well:
Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32.
ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD
[2]
Are these related?
Keith
I too am seeing this same behavior. I am running HIGH logging and 1.80 version. All
I see is my scanners detecting it, no extra lines from Declude that it stopped it,
same behavior under 1.79. I also wanted to see if there would be any additional aid
with F-prot not being able to report the
Mark,
What did you use to generate the GDI Exploit test file? Thanks
Keith
-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Smith
Sent: Mon 9/27/2004 1:55 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus]
.Exploit.Trojan
Attachment=jpegcompoc.zip.ZIP [1] I
09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [
JPEG.MS04-028.Exploit.Trojan: 101]
Keith
-Original Message-
From: Keith Johnson on behalf of Keith Johnson
Sent: Mon 9/27/2004 3:02 PM
Scott,
It seems that social engineering will play a huge part in
future viruses (already seen it with passwords listed in body of
encrypted zips), what are your thoughts on the following:
I have recently seen a bounce message that contained the recent
Bagle.aq virus that contained
We modify extensions at our Firewall that changes an executable listing and removes
the last character and adds an underscore (no harm to file). For example, an exe
would be modified to ex_. Works great, however, it seems that Declude will not see it
in our Banned Extension listing even
Scott,
Thanks for the email and quick follow-up. Below is the log snippet and it
shows:
07/19/2004 20:21:30 Q658a1246012405b6 MIME file: happy.pi_ [base64; Length=80
Checksum=8732]
07/19/2004 20:21:30.546 Q658a1246012405b6 Comparing |pi| to SKIPEXTs and BANEXTs
07/19/2004 20:21:31.171
Scott,
Is there a limit on the BANEXT? I thought I read somewhere it was 100?
Thanks again for your time. Just need a few more entries to cover the _ character.
Keith
-Original Message-
From: [EMAIL PROTECTED] on behalf of R. Scott Perry
Sent: Mon
Scott,
I believe it is only with the new encrypted (password) zip files. I saw in
my log (when running i8) that my Scanners were picking up and detecting normal zip's,
normal pifs, normal scr. etc. of all virus flavors (if there is such a thing as normal).
I believe I wouldn't see (as
Scott,
I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it
in place of the new commands:
BANEZIPEXTS and BANZIPEXTS ON
I used that encoded file to test it under i8 first and it went straight
through, that is what tipped me off that something was not
Scott,
This is my top portion of my virus.cfg file under i7 and i8.
Keith
-Original Message-
From: Keith Johnson on behalf of Keith Johnson
Sent: Wed 3/3/2004 8:10 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus
Scott,
I don't know that our firewall is the issue due to it working
under i7 and all prior Declude versions. The Firewall only modifies the
extension, it does not in any way alter the file. When you wrote that i7
will not block encrypted zips without the BANEXT EZIP line, it was my
Matt,
I had a space in mine, not a tab. For what it is worth.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro
Matt,
Is yours working with the TAB? I'll try anything.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block
Scott,
Thanks for creating the following tool on your website, it is a lot
easier than creating Eicar zip encrypted test files.
eicardynamicencodedzip
I will be attempting to move to i9 from i7 tonight. Due to the
volume of viruses today, I just couldn't chance it in
I know this has been touched on a few times, however, I just needed some
clarification. I just got a note from CA that informed me that their
engine was unable to scan inside a password protected file. Will F-prot
do this with the latest defs? I know that Scott put EZIP in place, many
thanks.
problem: Your virus scanner
is leaving extra files/directories behind, so Declude can't delete the
directory.
Any thoughts...
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Tuesday, March 02, 2004 2:03 PM
To: [EMAIL PROTECTED
Paul,
I think this was out awhile back...
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.coreflood.html
Keith
-Original Message-
From: paul [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus]
Scott,
I have had at times, with both scanners (up to date sig files,
both catching mydoom) taking a pounding (we are getting mydoom.a in 1
every second), when Scanner1 (f-prot) would pick up the virus and
Scanner2 (InoculateIT) would not show anything, and at other times
Scanner1 would
It seems that this file may be related to Microsoft's InstallShield
erroring out. Did you install any 'major' products lately?
Keith
-Original Message-
From: Djerr C. de Meijer [mailto:[EMAIL PROTECTED]
Sent: Monday, December 15, 2003 11:01 AM
To: [EMAIL PROTECTED]
Subject:
Does anyone know what the command line string is for scanning your sig file to see if
it is catching a certain named virus file? I saw it posted over 6 months ago,
however, I guess my search isn't picking it up. Thanks,
Keith
In this case, you can use the per-user settings to turn off virus
scanning completely for the recipient.
Scott,
Is it possible (using per user settings) to simply suspend the
vulnerability scanning, yet still keep the main virus scanning on?
Thanks again for your time,
Keith
Just wanted to confirm, if I want to suspend virus notifications to all users on a
single domain that we host, I would do the following:
In the appropriate .eml files, add a line:
SKIPIFRECIP @domaintoskip.com
Thanks,
Keith
Is it possible to not send out virus notifications to a specific domain that we host
within Imail? For example, if we host 100 domains, and only 1 of the domains says
they do not care to receive the virus notifies (i.e. recep.eml). Thanks,
Keith
Scott,
Today we had a 'horrible' thing happen with our scanner (have two in place
F-Prot and InoculateIT), not sure which one had issues:
06/04/2003 14:51:29 Q3ef6000501666762 ERROR: Virus scanner didn't finish after 60
seconds; terminating.
06/04/2003 14:51:29 Q3ef6000501666762
is large attachment scanning.
Thanks again for being a sounding board.
Keith Johnson
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Wed 6/4/2003 6:31 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [Declude.Virus] Log
We have started to get numerous of these in our log file, do you know what these may
be?
06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition:
attachment.
06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition:
attachment.
06/02/2003 09:07:09
Scott,
We have had a lot of viruses get through today (new Backdoor
AVF), seems McAfee is the only one that has it available (sig file).
Luckily we already alter .exe files so they can't be executed. Should I
be concerned with these Content-Disposition, I just started to see a lot
(100's
Are there any other entries for the E-mail?
Here is a list of two in a row:
05/29/2003 06:26:39 Qe05301090146bcae Could not find parse string Infection: in
report.txt
05/29/2003 06:26:42 Qe05301090146bcae Error 0 in virus scanner.
05/29/2003 06:26:42 Qe05301090146bcae Scanned: Error in
Are you using two or more virus scanners?
Yes, I am using F-prot 3.13a as my 1st scanner and InoculateIT 6.0 SP2 as my 2nd
scanner
There does appear to be an issue
with 1.70 where this message will appear in the log file if one or more
scanners report an error, but the last one does not.
upgrading to 1.69beta, thanks for the aid.
Keith Johnson
___
Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]
Good pings come in small packets
Scott,
During the initial setup of Declude Virus we copied down the virus_domain.txt
and the virus_users.txt file and placed them in the Declude directory. Since then, by
default, we are scanning all incoming/outgoing email for all domains. Is it more
efficient (hence faster scans) for
Title: Monitoring of Declude Virus
I have downloaded and installed/tested the Virus Log Analyzer to take a look at what is being caught in the way of viruses. However, I wanted to see what others are using to 'real' time monitor the virus logs. Outside of using WinTail to watch the log
Title: Issues running the fpcmd.exe scanner
Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing the f-prot.exe works great, reports in the log just fine, and sends
Reading some of the archives suggested that if using F-Prot it was best
to
use the fpcmd.exe over the f-prot.exe due to some errors encountered
with
using f-prot.exe
12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1:
C:\Progra~1\FSI\F-Prot\fpcmd.exe
/TYPE /SILENT /NOMEM
Scott,
Thank you for your wisdom, you are awesome.
-Keith
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 2:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Issues running the fpcmd.exe scanner
Reading some of the
(i.e. shs), as I think this may be a dull point if they contain a virus as the scanner should catch it and thus tip Declude to quarantine it, however my thoughts were if it was not a virus file. Thanks for the info.
? Again, thank you.
I got this same bogus file showing up in the log (MID) when I sent the eicar virus
(zipped format) off the eicar.com website to our server.
Keith
-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Thu 12/19/2002 7:14 PM
)?
Antivirus caught it. I checked the virxx.log file and it showed it was scanned as OK. Is there anything else I can check to see what is going on? I could increase the logging to DEBUG from MID. Thanks for the aid.
for your aid and knowledge!!
Server (scanning wise). Thanks for the aid...
Title: Is this safely ignored...
In the virxxx.log, I found this error. Can this be safely ignored?
Warning: EOF in middle of MIME segment [] [---
John,
Thank you for the info. With the DOS version, how are you
getting your auto sig updates and on what interval can you obtain these.
-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 11:12 AM
To: [EMAIL PROTECTED]
Subject:
63 matches