Re: [Declude.Virus] Declude v1.29 beta released

[R. Scott Perry]

>Clarification please on DELETEVIRUSES.  I assume it doesn't try to remove the
>attachment, but deletes the queue files.

That's correct.  It deletes the queue files, but does not attempt to remove 
the attachment.
   -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Re: [Declude.Virus] Declude v1.29 beta released

[R. Scott Perry]

>Any chance of a way to filter who doens't get virus notifications yet? I 
>still want it to scan everything, just not send the notifications out to 
>mailing lists.  It'd be nice if we could add a list of addresses not to 
>notify.  I know that checking if it's a list or not would get messy, as 
>it'd have to scan the registry or odbc source for imail info .. or check 
>headers for bulk precedence I guess..which wouldn't be reliable anyway.

That's something that we will be looking into (it's in our suggestion 
database), but I can't say yet whether or not it will get added.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Re: [Declude.Virus] Declude v1.29 beta released

[Jerry Murdock]

Wow, a lot of stuff for a .01 rev.  Sounds great.

Clarification please on DELETEVIRUSES.  I assume it doesn't try to remove the
attachment, but deletes the queue files.

Jerry


- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 06, 2001 8:08 PM
Subject: [Declude.Virus] Declude v1.29 beta released


> We have just released Declude Virus v1.29.
>
> Notable new features include:
>
> o The ability to send a "bounce" message to people sending banned files
> (BANEXT),
> o A new DELETEVIRUSES configuration option to delete viruses rather than
> quarantine them,
> o A FOOTER option to add a footer to the bottom of scan E-mails
> o TNEF support has been added
> o A new BANCLSID option has been added to ban CLSID file extensions
>
> You can download the new beta from http://www.declude.com/virus/manual.htm .
>  -Scott
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".  You can E-mail
> [EMAIL PROTECTED] for assistance.  You can visit our web
> site at http://www.declude.com .
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Re: [Declude.Virus] Declude v1.29 beta released

[Jonathan]

Great .. lookin' good Scott.

Any chance of a way to filter who doens't get virus notifications yet? I 
still want it to scan everything, just not send the notifications out to 
mailing lists.  It'd be nice if we could add a list of addresses not to 
notify.  I know that checking if it's a list or not would get messy, as 
it'd have to scan the registry or odbc source for imail info .. or check 
headers for bulk precedence I guess..which wouldn't be reliable anyway.

For the time being, I suppose I could change the virus notification to come 
from someone other than root, and add them to the kill lists on each list. 
. messy, but it'd work ..

Jonathan



At 08:08 PM 12/6/2001 -0500, you wrote:
>We have just released Declude Virus v1.29.
>
>Notable new features include:
>
>o The ability to send a "bounce" message to people sending banned files 
>(BANEXT),
>o A new DELETEVIRUSES configuration option to delete viruses rather than 
>quarantine them,
>o A FOOTER option to add a footer to the bottom of scan E-mails
>o TNEF support has been added
>o A new BANCLSID option has been added to ban CLSID file extensions
>
>You can download the new beta from http://www.declude.com/virus/manual.htm .
> -Scott
>
>---
>[This E-mail was scanned for viruses by Declude Virus 
>(http://www.declude.com)]
>
>This E-mail came from the Declude.Virus mailing list.  To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.Virus".  You can E-mail
>[EMAIL PROTECTED] for assistance.  You can visit our web
>site at http://www.declude.com .
>---
>[This E-mail was scanned for viruses by Declude Virus 
>(http://www.declude.com)]
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RE: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude log parser...

[Jerod M. Bennett]

Could you repost the file, but zip it up first?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Pitoniak
Sent: Thursday, December 06, 2001 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude log
parser...



Put this usage.cmd in c:\tools (or modify paths in the scipt to match
where you put it)

Put domain.exe in the Imail spool directory. (available on the Imail
website under free tools)

Create a d:\logs directory for these usage logs or create your own and
update the "log" variable in usage.cmd

And finally, I installed Imail on the D:\ drive so make sure your paths
match the script file's.

Make sure that the "Task Scheduler" is set to automatic in the services
control panel and paste this ito a command prompt to automate usage.cmd.

AT 02:30 /EVERY:M,T,W,Th,F,S,Su "c:\winnt\system32\cmd.exe /c
c:\tools\usage.cmd"

(note: if you put usage.cmd somewhere else chang the AT command above to
reflect this)

Good luck.

Best regards,
Jeff
--
"If your only tool is a hammer, pretty soon everything starts to look
like a nail."-Dr. William Learner, Chiropractor Jeff Pitoniak - Network
Administration & Security Consultant - PCE Systems, Inc.
email: [EMAIL PROTECTED] 
Ph:(248)223-4888 ext.138  Fax:(248)223-4889



smime.p7s
Description: application/pkcs7-signature

[Declude.Virus] Declude v1.29 beta released

[R. Scott Perry]

We have just released Declude Virus v1.29.

Notable new features include:

o The ability to send a "bounce" message to people sending banned files 
(BANEXT),
o A new DELETEVIRUSES configuration option to delete viruses rather than 
quarantine them,
o A FOOTER option to add a footer to the bottom of scan E-mails
o TNEF support has been added
o A new BANCLSID option has been added to ban CLSID file extensions

You can download the new beta from http://www.declude.com/virus/manual.htm .
 -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RE: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude log parser...

[Grant Griffith]

I think the domain.exe is available on Declude's website.  www.declude.com
it is under Web Tools or something like that I believe.

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED]]On Behalf Of Serge Dergham
||Sent: Thursday, December 06, 2001 5:57 PM
||To: [EMAIL PROTECTED]
||Subject: Re: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude log
||parser...
||
||
||thanks
||I can't find domain.exe, there is a domlist.exe, but no domain.exe
||can someone please post a download link.
||
||also, I have vir.log files in a separate directory (not the spool
||directory), should I change anything in the batch ?
||
||
||
||- Original Message -
||From: "Jeff Pitoniak" <[EMAIL PROTECTED]>
||To: <[EMAIL PROTECTED]>
||Sent: Thursday, December 06, 2001 10:15 PM
||Subject: RE: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude
||log parser...
||
||
||>
||> Put this usage.cmd in c:\tools (or modify paths in the scipt to match
||where
||> you put it)
||>
||> Put domain.exe in the Imail spool directory. (available on the Imail
||website
||> under free tools)
||>
||> Create a d:\logs directory for these usage logs or create your own and
||> update the "log" variable in usage.cmd
||>
||> And finally, I installed Imail on the D:\ drive so make sure your paths
||> match the script file's.
||>
||> Make sure that the "Task Scheduler" is set to automatic in the services
||> control panel and paste this ito a command prompt to automate usage.cmd.
||>
||> AT 02:30 /EVERY:M,T,W,Th,F,S,Su "c:\winnt\system32\cmd.exe /c
||> c:\tools\usage.cmd"
||>
||> (note: if you put usage.cmd somewhere else chang the AT command above to
||> reflect this)
||>
||> Good luck.
||>
||> Best regards,
||> Jeff
||> --
||> "If your only tool is a hammer, pretty soon everything starts
||to look like
||a
||> nail."-Dr. William Learner, Chiropractor
||> Jeff Pitoniak - Network Administration & Security Consultant - PCE
||Systems,
||> Inc.
||> email: [EMAIL PROTECTED] 
||> Ph:(248)223-4888 ext.138  Fax:(248)223-4889
||>
||
||---
||[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Re: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude log parser...

[Serge Dergham]

thanks
I can't find domain.exe, there is a domlist.exe, but no domain.exe
can someone please post a download link.

also, I have vir.log files in a separate directory (not the spool
directory), should I change anything in the batch ?



- Original Message -
From: "Jeff Pitoniak" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 06, 2001 10:15 PM
Subject: RE: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude log parser...


>
> Put this usage.cmd in c:\tools (or modify paths in the scipt to match
where
> you put it)
>
> Put domain.exe in the Imail spool directory. (available on the Imail
website
> under free tools)
>
> Create a d:\logs directory for these usage logs or create your own and
> update the "log" variable in usage.cmd
>
> And finally, I installed Imail on the D:\ drive so make sure your paths
> match the script file's.
>
> Make sure that the "Task Scheduler" is set to automatic in the services
> control panel and paste this ito a command prompt to automate usage.cmd.
>
> AT 02:30 /EVERY:M,T,W,Th,F,S,Su "c:\winnt\system32\cmd.exe /c
> c:\tools\usage.cmd"
>
> (note: if you put usage.cmd somewhere else chang the AT command above to
> reflect this)
>
> Good luck.
>
> Best regards,
> Jeff
> --
> "If your only tool is a hammer, pretty soon everything starts to look like
a
> nail."-Dr. William Learner, Chiropractor
> Jeff Pitoniak - Network Administration & Security Consultant - PCE
Systems,
> Inc.
> email: [EMAIL PROTECTED] 
> Ph:(248)223-4888 ext.138  Fax:(248)223-4889
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RE: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude log parser...

[Smart Business Lists]

Just fyi Outlook XP will not allow users to receive an attachment with a
.cmd extension.

Terry Fritts
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Pitoniak
Sent: Thursday, December 06, 2001 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude log
parser...


Put this usage.cmd in c:\tools (or modify paths in the scipt to match
where
you put it)
...


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RE: [Declude.Virus] MISSING_REVERSE_DNS:Imail/declude log parser...

[Jeff Pitoniak]

Put this usage.cmd in c:\tools (or modify paths in the scipt to match where
you put it)

Put domain.exe in the Imail spool directory. (available on the Imail website
under free tools)

Create a d:\logs directory for these usage logs or create your own and
update the "log" variable in usage.cmd

And finally, I installed Imail on the D:\ drive so make sure your paths
match the script file's.

Make sure that the "Task Scheduler" is set to automatic in the services
control panel and paste this ito a command prompt to automate usage.cmd.

AT 02:30 /EVERY:M,T,W,Th,F,S,Su "c:\winnt\system32\cmd.exe /c
c:\tools\usage.cmd"

(note: if you put usage.cmd somewhere else chang the AT command above to
reflect this)

Good luck.

Best regards,
Jeff
--
"If your only tool is a hammer, pretty soon everything starts to look like a
nail."-Dr. William Learner, Chiropractor
Jeff Pitoniak - Network Administration & Security Consultant - PCE Systems,
Inc.
email: [EMAIL PROTECTED] 
Ph:(248)223-4888 ext.138  Fax:(248)223-4889



usage.cmd
Description: Binary data

RE: [Declude.Virus] Goner

[R. Scott Perry]

>I have a client who just said they received the Goner yesterday. When I do a
>F-Prot /virlist | find "goner" /i
>
>it does show the goner.  I looked up the email message the client said they
>got the virus from and it showed no virus.
>
>I wonder if I need to re-install F-PROT.  I show I have not caught any Goner
>viruses today.

If F-Prot has Goner listed in its /virlist, it should be catching it.  Are 
you sure that the user got the virus through an E-mail that went through 
your server?  Is there any chance they are an Outlook user that would have 
received it encoded in a TNEF file ("winmail.dat"), rather than a standard 
attachment?
 -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Re: [Declude.Virus] Goner

[R. Scott Perry]

>Anyone still getting the Goner virus alot?  That first day I got a bunch but
>now I'm not.  I'm worried they are getting through but maybe they just died
>down.

It seems to be almost gone.  It was well named!
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RE: [Declude.Virus] Goner

[Danny Klopfer]

I have a client who just said they received the Goner yesterday. When I do a
F-Prot /virlist | find "goner" /i

it does show the goner.  I looked up the email message the client said they
got the virus from and it showed no virus.

I wonder if I need to re-install F-PROT.  I show I have not caught any Goner
viruses today.

Danny Klopfer
530-477-6293
http://www.ncws.com


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Sheldon Koehler
> Sent: Thursday, December 06, 2001 12:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Goner
>
>
> Goner went from being number 1 on our list to number 4 yesterday.
> I hear the
> same from others.
>
>
> Sheldon
>
>
> Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com
> Ten Forward Communications  E-Commerce that makes sense!
> 360-457-9023  http://www.tenforward.com/webcam
>
> "Whenever you find yourself on the side of the majority, it's time
> to pause and reflect." Mark Twain
>
>
> - Original Message -
> From: "Danny Klopfer" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, December 06, 2001 11:41 AM
> Subject: [Declude.Virus] Goner
>
>
> > Anyone still getting the Goner virus alot?  That first day I got a bunch
> but
> > now I'm not.  I'm worried they are getting through but maybe they just
> died
> > down.
> >
> > Danny Klopfer
> > 530-477-6293
> > http://www.ncws.com
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
> >
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".  You can E-mail
> > [EMAIL PROTECTED] for assistance.  You can visit our web
> > site at http://www.declude.com .
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
> >
> >
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Re: [Declude.Virus] Goner

[Sheldon Koehler]

Goner went from being number 1 on our list to number 4 yesterday. I hear the
same from others.


Sheldon


Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com
Ten Forward Communications  E-Commerce that makes sense!
360-457-9023  http://www.tenforward.com/webcam

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain


- Original Message -
From: "Danny Klopfer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 06, 2001 11:41 AM
Subject: [Declude.Virus] Goner


> Anyone still getting the Goner virus alot?  That first day I got a bunch
but
> now I'm not.  I'm worried they are getting through but maybe they just
died
> down.
>
> Danny Klopfer
> 530-477-6293
> http://www.ncws.com
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".  You can E-mail
> [EMAIL PROTECTED] for assistance.  You can visit our web
> site at http://www.declude.com .
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

[Declude.Virus] Goner

[Danny Klopfer]

Anyone still getting the Goner virus alot?  That first day I got a bunch but
now I'm not.  I'm worried they are getting through but maybe they just died
down.

Danny Klopfer
530-477-6293
http://www.ncws.com 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RE: [Declude.Virus] MISSING_REVERSE_DNS:Goner and/or PWS-gen.Hooker?

[Andy Schmidt]

The virus engines have updated the naming conventions to reflect the actual
payload in the BadTrans virus - there is two entirely different trojan
horses, each with a distinct name and both are equally scary in their
capabilties.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Markus
Sent: Thursday, December 06, 2001 02:20 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] MISSING_REVERSE_DNS:Goner and/or
PWS-gen.Hooker?


Hi all,

since yesterday we catch a lot of "PWS-gen.Hooker" trojans, but
absolutely no "Goner"

Our Mcafee engine version is the newest superdat-version from Dec 05:

Scan engine v4.1.60 for Win32.
Virus data file v4175 created Dec 05 2001
Scanning for 59317 viruses, trojans and variants.

(the day before we had the extra-dat-file)


In the NAI Virus lib I found under "pws-gen.hooker" :

Virus Name  Risk Assessment
W32/Badtrans@MM Medium

Questions:
Why some Badtrans-Viri a catched as "W32/Badtrans@MM" and other ones as
"PWS-gen.Hooker"?
Why my scanner does not catch the goner-virus?

Yesterday declude has found around 100 infected messages. I'cant believe
that there was no "goner"

Markus


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

[Declude.Virus] MISSING_REVERSE_DNS:Goner and/or PWS-gen.Hooker?

[Markus]

Hi all,

since yesterday we catch a lot of "PWS-gen.Hooker" trojans, but
absolutely no "Goner"

Our Mcafee engine version is the newest superdat-version from Dec 05:

Scan engine v4.1.60 for Win32.
Virus data file v4175 created Dec 05 2001
Scanning for 59317 viruses, trojans and variants.

(the day before we had the extra-dat-file)


In the NAI Virus lib I found under "pws-gen.hooker" :

Virus Name  Risk Assessment  
W32/Badtrans@MM Medium  

Questions:
Why some Badtrans-Viri a catched as "W32/Badtrans@MM" and other ones as
"PWS-gen.Hooker"?
Why my scanner does not catch the goner-virus?

Yesterday declude has found around 100 infected messages. I'cant believe
that there was no "goner"

Markus


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Re: [Declude.Virus] Norton Antivirus Enterprise

[R. Scott Perry]

>Does anybody know if Norton Antivirus Enterprise works with Declude and are
>there any hang ups with it?

Norton AntiVirus doesn't allow their command line scanner (the piece that 
Declude uses) to be used by automated programs.  They have it set up so 
that if run in an automated environment, it will always report that no 
virus was found (even if one was found).

The type of scanner that Norton AntiVirus does have that works in an 
automated environment (an on-access scanner) will delete the file if it 
finds a virus, and Declude can then assume that that means that Norton 
found a virus.  You can set up Norton AntiVirus using this on-access 
scanner, but we haven't yet been able to do the extensive testing necessary 
to make sure it is completely reliable (although we expect that it 
is).  The problem is that there is a chance that Norton could skip a file 
if it takes too long to scan (it has a small time slice in which to scan 
the file, but we haven't been able to verify that it will prevent access to 
the file if it can't finish scanning in that time slice).

Most of our customers are using F-Prot ( http://www.f-prot.com ), which has 
proven to be very reliable, or McAfee's NetShield or VirusScan 
products.  We also have a number of customers using Sophos, Kaspersky, 
Norman, and a few others.
 -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.Virus] Norton Antivirus Enterprise

[Mark Chadwick]

Does anybody know if Norton Antivirus Enterprise works with Declude and are
there any hang ups with it?

Thanks in advance (as always!)

Mark Chadwick
IT Support Engineer

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RE: [Declude.Virus] MISSING_REVERSE_DNS:Leftover files and dirs

[R. Scott Perry]

>Looks like there are d*.smd and t*.smd files.

The D*.SMD files are either E-mails waiting to go out (if there is an 
associated Q*.SMD file), or are the "leftover" E-mails that IMail couldn't 
deliver or bounce (if there is no associated Q*.SMD file).

The T*.SMD files are the E-mails that IMail is currently receiving (IE the 
TCP/IP connection is still open).  Usually you only see these for large 
files that take a while to transfer.

>The only q* files I have are q*.gse, q*.ntf, q*.gmp and q*.smp.

Then any D*.SMD files that were in the spool when you looked are the 
"leftover" E-mails that couldn't be delivered/bounced by IMail.

The GSE files are bounce messages, the NTF files are Delivery Status 
Notifications.  I don't recall off-hand what the .GMP and .SMP files are; 
the IMail Knowledge Base might have more details.

Regarding the .vir directories, after looking at your log files, it doesn't 
show that Declude is having any trouble deleting them.  The directory 
listing you sent only showed 4 .vir directories, which were dated within a 
few minutes of the current time.  That's normal -- they will "come and go" 
as E-mail is received.  If there are .vir directories that are over an hour 
old, then there may be a problem with the .vir directories not getting deleted.
   -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RE: [Declude.Virus] MISSING_REVERSE_DNS:Leftover files and dirs

[Rodney Bertsch]

Looks like there are d*.smd and t*.smd files.  The only q* files I have are
q*.gse, q*.ntf, q*.gmp and q*.smp.

I e-mailed the virus.cfg and vir*.log file.  Would a directory listing help?

- Rodney

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Thursday, December 06, 2001 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] MISSING_REVERSE_DNS:Leftover files and dirs



>We're having trouble recently with virus scanning with Declude.  Several
>times lately the *.vir directories that Declude creates as temporary scan
>areas will fill up in our imail\spool folder.  These directories contain a
>simple report.txt file saying no virus's had been found, but the
directories
>do not get automatically deleted.

If you E-mail me your \IMail\Declude\virus.cfg and \IMail\spool\vir.log
files, I can take a look to see why this is happening.

>Also I notice several *.smd files just floating in the imail\spool folder.
>They appear to be unsent e-mails, so I don't want to just delete them.  I
>don't know why they are hanging out there and how to get rid of them
>properly.

If there is only a D*.smd file, and not a corresponding Q*.smd file (IE you
see D1234567.SMD but not Q1234567.SMD), that's because IMail couldn't
deliver the E-mail, and couldn't send a bounce message back.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Re: [Declude.Virus] MISSING_REVERSE_DNS:Leftover files and dirs

[R. Scott Perry]

>We're having trouble recently with virus scanning with Declude.  Several
>times lately the *.vir directories that Declude creates as temporary scan
>areas will fill up in our imail\spool folder.  These directories contain a
>simple report.txt file saying no virus's had been found, but the directories
>do not get automatically deleted.

If you E-mail me your \IMail\Declude\virus.cfg and \IMail\spool\vir.log 
files, I can take a look to see why this is happening.

>Also I notice several *.smd files just floating in the imail\spool folder.
>They appear to be unsent e-mails, so I don't want to just delete them.  I
>don't know why they are hanging out there and how to get rid of them
>properly.

If there is only a D*.smd file, and not a corresponding Q*.smd file (IE you 
see D1234567.SMD but not Q1234567.SMD), that's because IMail couldn't 
deliver the E-mail, and couldn't send a bounce message back.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]