RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

Darrell, What happens in this scenario. Virus file comes in, AVAFTERJM is turned on, thus Declude scans it for spam content, lets say it is spam, thus ROUTETO sends it to a specific mailbox for customer to review for certain amount of days. Does Declude Virus still run against it prior

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Keith Johnson writes: Darrell, What happens in this scenario. Virus file comes

RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

Markus, However, Darrell mentioned that the AV scanner still runs once action is taking agains the SPAM message (i.e. routeto, subject, etc.). Is this not true? Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Friday,

RE: [Declude.Virus] Declude and IMail 2006

David, If you don't mind, what is the latest revision of Declude? I know there has been several 'hot fixes', just want to make sure I have the latest. Thanks again, Keith From: [EMAIL PROTECTED] on behalf of David Barker Sent: Wed 11/30/2005 9:33 AM

RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

David, Are these to be used to correct issues with Dual-proc, or is that still an ongoing issue still be looking at? Thanks for the time. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, September 22, 2005 11:41

RE: [Declude.Virus] Sudden Internet Slowdown

I am seeing this as we attempting to get to certain websites and they can't be displayed. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 11:30 AM To: Declude.Virus@declude.com Subject:

RE: [Declude.Virus] f-prot update script

Daniel, Give this a try: http://www.f-prot.com/support/windows/fpwin_faq/88.html -Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey Sent: Monday, May 02, 2005 11:06 AM To: 'Declude.Virus@declude.com' Subject: RE:

RE: [Declude.Virus] OT: Installing Sophos/Anti Virus

Aaron, I have tried F-prot (www.f-prot.com)? It is very fast and not very expensive, and the reliability is outstanding. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Moreau-Cook Sent: Wednesday, April 20, 2005 1:37 PM To:

[Declude.Virus] Issues

The past few days I am occuring a lot of these type errors in the virus log: 02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile 02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected E-mail2! Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD

RE: [Declude.Virus] Issues

Scott, We are not running on access scanners (very careful about that), we are running Imail 8.15. I didn't even install the Realtime Scanner in f-prot and have CA Realtime disabled as a service.Anything else that I can look at? Keith -Original Message-

RE: [Declude.Virus] Issues

ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2]02/18/2005 11:44:13 Q1b38021800b8504b ERROR: Could not open recip file F:\IMail\spool\_1b38021800b8504b.~MD [2] Any ideas or suggestions? Keith From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith JohnsonSent

[Declude.Virus] Error on Scanners

What would the following indicate: 01/21/2005 15:04:06 Q5df1239b014af8b3 Error 183 creating temp directory F:\IMail\spool\D5df1239b014af8b3.vir\. 01/21/2005 15:04:06 Q5df1239b014af8b3 Scanned: Error starting scanner Thanks for the aid. Keith --- [This E-mail was scanned for viruses by Declude

RE: [Declude.Virus] Declude Licensing codes

Andy, Upon your phone call with Barry, should we as Declude Users (4 lic. in my case), contact Barry directly before upgrading or should we await for a post on this forum for new procedures? I too have a cold spare, however, Declude is not loaded there until necessary and upon written

[Declude.Virus] What are these

Q06634053002e6803 Error 183 creating temp directory F:\IMail\spool\D06634053002e6803.vir\. 10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner Thanks for the aid, running 1.81 --- Keith Johnson Senior Network Engineer Network Advocates, Inc. 9001

RE: [Declude.Virus] What are these

Also, ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD [2] Please advise to what this is, thanks, Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Monday, October 25, 2004 10:24 AM To: [EMAIL PROTECTED

RE: [Declude.Virus] What are these

Also getting: Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Monday, October 25, 2004 10:24 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] What

RE: [Declude.Virus] What are these

: [Declude.Virus] What are these Do you have an on-access scanner running? John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Monday, October 25, 2004 7:38 AM To: [EMAIL

RE: [Declude.Virus] What are these

Scott, We are backing up in our Queue of about 8000 emails and we started seeing the below messages as well: Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32. ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD [2] Are these related? Keith

RE: [Declude.Virus] Fprot GDI Scanner lines.

I too am seeing this same behavior. I am running HIGH logging and 1.80 version. All I see is my scanners detecting it, no extra lines from Declude that it stopped it, same behavior under 1.79. I also wanted to see if there would be any additional aid with F-prot not being able to report the

RE: [Declude.Virus] Fprot GDI Scanner lines.

Mark, What did you use to generate the GDI Exploit test file? Thanks Keith -Original Message- From: [EMAIL PROTECTED] on behalf of Mark Smith Sent: Mon 9/27/2004 1:55 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus]

RE: [Declude.Virus] Fprot GDI Scanner lines.

.Exploit.Trojan Attachment=jpegcompoc.zip.ZIP [1] I 09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [ JPEG.MS04-028.Exploit.Trojan: 101] Keith -Original Message- From: Keith Johnson on behalf of Keith Johnson Sent: Mon 9/27/2004 3:02 PM

[Declude.Virus] Future Question

Scott, It seems that social engineering will be play a huge part in future viruses (already seen it will passwords listed in body of encrypted zips), what are your thoughts on the following: I have recently saw a bounce message that contained the recent Bagle.aq virus that contained

[Declude.Virus] Extension Modify

We modify extensions at our Firewall that changes an executable listing and removes the last character and adds an underscore (no harm to file). For example, an exe would be modified to ex_ Works great, however, it seems that Declude will not see it in our Banned Extension listing even

RE: [Declude.Virus] Extension Modify

Scott, Thanks for the email and quick follow-up. Below is the log snippet and it shows: 07/19/2004 20:21:30 Q658a1246012405b6 MIME file: happy.pi_ [base64; Length=80 Checksum=8732] 07/19/2004 20:21:30.546 Q658a1246012405b6 Comparing |pi| to SKIPEXTs and BANEXTs 07/19/2004 20:21:31.171

RE: [Declude.Virus] Extension Modify

Scott, Is there a limit on the BANEXT? I thought I read somewhere it was 100? Thanks again for your time. Just need a few more entries to over the _ character. Keith -Original Message- From: [EMAIL PROTECTED] on behalf of R. Scott Perry Sent: Mon

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Scott, I believe it is only with the new encrypted (password) zip files. I saw in my log (when running i8) that my Scanners were picking up and detecting normal zip's, normal pifs, normal scr. etc. of all virus flavors (if there is such thing as normal). I believe I wouldn't see (as

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Scott, I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it in place of the new commands: BANEZIPEXTS and BANZIPEXTS ON I used that encoded file to test it under i8 first and it went straight through, that is what tipped me off that something was not

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Scott, This is my top portion of my virus.cfg file under i7 and i8. Keith -Original Message- From: Keith Johnson on behalf of Keith Johnson Sent: Wed 3/3/2004 8:10 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Scott, I don't know that our firewall is the issue due to it working under i7 and all prior Declude versions. The Firewall only modifies the extension, it does not in anyway alter the file. When you wrote that i7 will not block encrypted zips without the BANEXT EZIP line, it was my

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Matt, I had a space in mine, not a tab. For what it is worth. Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, March 03, 2004 11:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] New interim Declude Virus Pro

RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Matt, Is yours working with the TAB, I'll try anything? Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, March 03, 2004 11:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block

[Declude.Virus]

Scott, Thanks for creating the following tool on your website, is a lot easier than creating Eicar zip encrypted test files. eicardynamicencodedzip I will be attempting to move to i9 from i7 tonight. Due to the volume of viruses today, I just couldn't chance it in

[Declude.Virus] Scan Password Protected Zip's

I know this has been touched on a few times, however, I just needed some clarification. I just got a note from CA that informed me that their engine was unable to scan inside a password protected file. Will F-prot do this with the latest defs? I know that Scott put EZIP in place, many thanks.

RE: [Declude.Virus] Scan Password Protected Zip's

problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory. Any thoughts... Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Tuesday, March 02, 2004 2:03 PM To: [EMAIL PROTECTED

RE: [Declude.Virus] Backdoor.Coreflood Virus new variant?

Paul, I think this was out awhile back... http://securityresponse.symantec.com/avcenter/venc/data/backdoor.coreflo od.html Keith -Original Message- From: paul [mailto:[EMAIL PROTECTED] Sent: Friday, October 24, 2003 3:16 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus]

RE: [Declude.Virus] Multi-scanner Question

Scott, I have had at times, with both scanners (up to date sig files, both catching mydoom) taking a pounding (we are getting mydoom.a in 1 every second), when Scanner1 (f-prot) would pick up the virus and Scanner2 (InoculateIT) would not show anything, and at other times Scanner1 would

RE: [Declude.Virus] Offtopic question

It seems that this file maybe related to Microsoft's InstallShield erroring out. Did you install any 'major' products lately? Keith -Original Message- From: Djerr C. de Meijer [mailto:[EMAIL PROTECTED] Sent: Monday, December 15, 2003 11:01 AM To: [EMAIL PROTECTED] Subject:

[Declude.Virus] f-prot question

Does anyone know what the command line string is for scanning your sig file to see if it is catching a certain named virus file? I saw it posted over 6 months ago, however, I guess my search isn't picking it up. Thanks, Keith +,qyo r[yXm ynu(8bIWkax7^V*f)+-Nrz;uj)l^r[yjwmmr[yXy+mwZm

RE: [Declude.Virus] Scanning Question

In this case, you can use the per-user settings to turn off virus scanning completely for the recipient. Scott, Is is possible (using per user settings) to simply suspend the vulnerability scanning, yet still keep the main virus scanning on? Thanks again for your time, Keith --- [This

FW: [Declude.Virus] Suppressing Notif. to Single Domain

Just wanted to confirm, if I want to suspend virus notifications to all users on a single domain that we host, I would do the following: In the appropriate .eml files, add a line: SKIPIFRECIP @domaintoskip.com Thanks, Keith Nf_ynub! 0u%dj)\jgr[yXXX:.mfynu(*^{.n+ynubrzjm 

[Declude.Virus] Suppressing Notif. to Single Domain

Is it possible to not send out virus notifications to a specific domain that we host within Imail? For example, if we host 100 domains, and only 1 of the domains says they do not care to receive the virus notifies (i.e. recep.eml). Thanks, Keith áŠÁj)pjË

[Declude.Virus] Log File Errors

Scott, Today we had a 'horrible' thing happened with our scanner (have two in place F-Prot and InoculateIT), not sure which one had issues: 06/04/2003 14:51:29 Q3ef6000501666762 ERROR: Virus scanner didn't finish after 60 seconds; terminating. 06/04/2003 14:51:29 Q3ef6000501666762

RE: [Declude.Virus] Log File Errors

is large attachment scanning. Thanks again for being a sounding board. Keith Johnson -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Wed 6/4/2003 6:31 PM To: [EMAIL PROTECTED] Cc: Subject: Re: [Declude.Virus] Log

[Declude.Virus] Log File

We have started to get numerous of these in our log file, do you know what these may be. 06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition: attachment. 06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition: attachment. 06/02/2003 09:07:09

RE: [Declude.Virus] Log File

Scott, We have had a lot of viruses get through today (new Backdoor AVF), seems McAffee is the only one that has it available (sig file). Luckily we already alter .exe files so that can't be executed. Should I be concerned with these Content-Disposition, I just started to see a lot (100's

RE: [Declude.Virus] Error in Virus Scanner

Are there any other entries for the E-mail? Here is a list of two in a row: 05/29/2003 06:26:39 Qe05301090146bcae Could not find parse string Infection: in report.txt 05/29/2003 06:26:42 Qe05301090146bcae Error 0 in virus scanner. 05/29/2003 06:26:42 Qe05301090146bcae Scanned: Error in

RE: [Declude.Virus] Error in Virus Scanner

Are you using two or more virus scanners? Yes, I am using F-prot 3.13a as my 1st scanner and InoculateIT 6.0 SP2 as my 2nd scanner There does appear to be an issue with 1.70 where this message will appear in the log file if one or more scanners report an error, but the last one does not.

[Declude.Virus] Error in Virus Scanner

upgrading to 1.69beta, thanks for the aid. Keith Johnson N¬f¢—¬±ç_¢»â®ë±¼ƒyÉnuåb®ë!¶Úÿ 0uç%¹¢dáŠÁj)\jgŸ®‰­…àÞr[yX«ºŠX§‚X¬µ:.ž±Êâmèî²Ûf¢–Ú™¨¥²»ÝyÉnuç(™©*^º{.nÇ+‰·ƒyÉnuåb®ë…æ«r¯zǝ·Ÿ¢éÝjØm¶Ÿÿà j)Z­Èb½ç(

[Declude.Virus] Log Question

. ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets

[Declude.Virus] Efficiency

Scott, During the initial setup of Declude Virus we copied down the virus_domain.txt and the virus_users.txt file and placed them in the Declude directory. Since then, by default, we are scanning all incoming/outgoing email for all domains. Is it more efficient (hence faster scans) for

[Declude.Virus] Monitoring of Declude Virus

Title: Monitoring of Declude Virus I have downloaded and installed/tested the Virus Log Analyzer to take a look at what is being caught in the way of viruses. However, I wanted to see what others are using to 'real' time monitor the virus logs. Outside of using WinTail to watch the log

[Declude.Virus] Issues running the fpcmd.exe scanner

Title: Issues running the fpcmd.exe scanner Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing the f-prot.exe works great, reports in the log just fine, and sends

RE: [Declude.Virus] Issues running the fpcmd.exe scanner

Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe 12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1: C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM

RE: [Declude.Virus] Issues running the fpcmd.exe scanner

Scott, Thank you for your wisdom, you are awesome. -Keith -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED]] Sent: Friday, December 20, 2002 2:03 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Issues running the fpcmd.exe scanner Reading some of the

[Declude.Virus] Treatment of double layered extension files

(i.e. shs) , as I think this maybe a dull point if they contain a virus as the scanner should catch it and thus tip Declude to quarantine it, however my thoughts were if it was not a virus file. Thanks for the info. ___ Keith Johnson, MCP Network Engineer Network Advocates

[Declude.Virus] Customized Footer for domain

? Again, thank you. ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets

RE: [Declude.Virus] bogus files.....

I got this same bogus file showing up in the log (MID) when I sent the eicar virus (zipped format) off the eicar.com website to our server. Keith -Original Message- From: John Tolmachoff [mailto:[EMAIL PROTECTED]] Sent: Thu 12/19/2002 7:14 PM

[Declude.Virus] Scanning Process

)? ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets

[Declude.Virus] Problems with catching Virus

Antivirus caught it. I checked the virxx.log file and it showed it was scanned as OK. Is there anything else I can check to see what it going on. I could increase the logging to DEBUG from MID. Thanks for the aid. ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc

[Declude.Virus] Spoofing Connecting IP Address

for your aid and knowledge!! ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets

[Declude.Virus] Virus Scanning Question

Server (scanning wise). Thanks for the aid... ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email: [EMAIL PROTECTED] Good pings come in small packets

[Declude.Virus] Is this safely ignored...

Title: Is this safely ignored... In the virxxx.log, I found this error. Can this be safely ignored? Warning: EOF in middle of MIME segment [] [--- ___ Keith Johnson, MCP Network Engineer Network Advocates, Inc. Tel: 502.412.1050 Fax: 502.412.1058 Email

RE: [Declude.Virus] Opinion on Virus Scanner

John, Thank you for the info. With the Dos Version, how are you getting your auto sig updates and on what interval can you obtain these. -Original Message- From: John Tolmachoff [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 03, 2002 11:12 AM To: [EMAIL PROTECTED] Subject: