[Declude.Virus] Magistr.32678
Has anybody seen Magistr.32768@mm get through lately? We have a user that got infected today and transmitted it to another user. My F-Prot defs were 1.7.02 but this one is much older. This brings me to an important question... Does Declude catch messages that go between users on the same domain? All three involved here were on the same domain. Thanks David --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Magistr.32678
That's it, I was running 3.10c. Would be nice if they could auto update their .exe when you update defs, or at least warn you. Do they send out notifications about program updates? BTW - I thought you couldn't have an on-access scanner running on the machine with Declude and the command line scanner. To make Declude work we had to uninstall F-prot and reinstall it without the on-access option. Thanks David - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 11, 2002 5:41 PM Subject: Re: [Declude.Virus] Magistr.32678 Has anybody seen Magistr.32768@mm get through lately? We have a user that got infected today and transmitted it to another user. My F-Prot defs were 1.7.02 but this one is much older. This brings me to an important question... F-Prot will catch Magistr.32768@mm, but it requires that you be running a recent version of F-Prot (3.11 or higher I think). Does Declude catch messages that go between users on the same domain? All three involved here were on the same domain. It does, unless they are sent through web messaging (in which case you can have an on-access scanner set to scan the \IMail\spool directory, but not the subdirectories off of it). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Magistr.32678
One more thing... It does, unless they are sent through web messaging (in which case you can have an on-access scanner set to scan the \IMail\spool directory, but not the subdirectories off of it). -Scott This would require a user to manually send a file with a virus (knowingly or unknowingly) correct? There aren't any known worms that spread using the Imail web client's address book, are there?? Thanks David --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Magistr.32678
Scott, It seems that this file is in constant request. Perhaps you could host it on the declude/tools page. -Jerry -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob McGregor Sent: Friday, January 11, 2002 3:01 PM To: [EMAIL PROTECTED] Subject: MISSING_REVERSE_DNS:Re: [Declude.Virus] Magistr.32678 There has been a bat file floating around that does just what you describe. It gets the zip of the program via ftp. I use it here, works great. At least it did when they updated to the 3.11 version. I schedule the batch file nightly. I can't remember who originally created it but thanks for doing it!!! I modified slightly so I can tell in an e-mail sent to me if the def files were updated. If you want it let me know, I'll send it to you... bob On Friday, January 11, 2002 3:55 PM, David Setzer [EMAIL PROTECTED] wrote: That's it, I was running 3.10c. Would be nice if they could auto update their .exe when you update defs, or at least warn you. Do they send out notifications about program updates? BTW - I thought you couldn't have an on-access scanner running on the machine with Declude and the command line scanner. To make Declude work we had to uninstall F-prot and reinstall it without the on-access option. Thanks David - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 11, 2002 5:41 PM Subject: Re: [Declude.Virus] Magistr.32678 Has anybody seen Magistr.32768@mm get through lately? We have a user that got infected today and transmitted it to another user. My F-Prot defs were 1.7.02 but this one is much older. This brings me to an important question... F-Prot will catch Magistr.32768@mm, but it requires that you be running a recent version of F-Prot (3.11 or higher I think). Does Declude catch messages that go between users on the same domain? All three involved here were on the same domain. It does, unless they are sent through web messaging (in which case you can have an on-access scanner set to scan the \IMail\spool directory, but not the subdirectories off of it). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . smime.p7s Description: application/pkcs7-signature
Re: [Declude.Virus] Magistr.32678
They do have an e-mail autonotification of updates. I just signed up for it a couple of days ago. I can't find my notes right now but I did send a verification of subscription request to [EMAIL PROTECTED] John Olden - Systems Administrator Champaign Park District - Original Message - From: David Setzer [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 11, 2002 4:55 PM Subject: Re: [Declude.Virus] Magistr.32678 That's it, I was running 3.10c. Would be nice if they could auto update their .exe when you update defs, or at least warn you. Do they send out notifications about program updates? BTW - I thought you couldn't have an on-access scanner running on the machine with Declude and the command line scanner. To make Declude work we had to uninstall F-prot and reinstall it without the on-access option. Thanks David - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 11, 2002 5:41 PM Subject: Re: [Declude.Virus] Magistr.32678 Has anybody seen Magistr.32768@mm get through lately? We have a user that got infected today and transmitted it to another user. My F-Prot defs were 1.7.02 but this one is much older. This brings me to an important question... F-Prot will catch Magistr.32768@mm, but it requires that you be running a recent version of F-Prot (3.11 or higher I think). Does Declude catch messages that go between users on the same domain? All three involved here were on the same domain. It does, unless they are sent through web messaging (in which case you can have an on-access scanner set to scan the \IMail\spool directory, but not the subdirectories off of it). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Magistr.32678
So is it safe to upgrade an NT4 machine to the 3.11b version of F-prot thats currently on their site? I had seen some issues on here before, but didnt really pay attention until now (since we need to upgrade the engine now). Thanks, Jonathan At 05:16 PM 1/11/2002 -0600, you wrote: They do have an e-mail autonotification of updates. I just signed up for it a couple of days ago. I can't find my notes right now but I did send a verification of subscription request to [EMAIL PROTECTED] John Olden - Systems Administrator Champaign Park District - Original Message - From: David Setzer [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 11, 2002 4:55 PM Subject: Re: [Declude.Virus] Magistr.32678 That's it, I was running 3.10c. Would be nice if they could auto update their .exe when you update defs, or at least warn you. Do they send out notifications about program updates? BTW - I thought you couldn't have an on-access scanner running on the machine with Declude and the command line scanner. To make Declude work we had to uninstall F-prot and reinstall it without the on-access option. Thanks David - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 11, 2002 5:41 PM Subject: Re: [Declude.Virus] Magistr.32678 Has anybody seen Magistr.32768@mm get through lately? We have a user that got infected today and transmitted it to another user. My F-Prot defs were 1.7.02 but this one is much older. This brings me to an important question... F-Prot will catch Magistr.32768@mm, but it requires that you be running a recent version of F-Prot (3.11 or higher I think). Does Declude catch messages that go between users on the same domain? All three involved here were on the same domain. It does, unless they are sent through web messaging (in which case you can have an on-access scanner set to scan the \IMail\spool directory, but not the subdirectories off of it). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Magistr.32678
It does, unless they are sent through web messaging (in which case you can have an on-access scanner set to scan the \IMail\spool directory, but not the subdirectories off of it). This would require a user to manually send a file with a virus (knowingly or unknowingly) correct? There aren't any known worms that spread using the Imail web client's address book, are there?? That's correct. It should be extremely rare for a virus to be passed through web messaging. First, all the incoming mail that a web messaging user receives is scanned by Declude, so it they likely won't be getting a virus through E-mail. It's possible, though, that they could receive a virus from another mail server or via FTP or from a web site. If they do manage to get a virus, most recent viruses simply try to spread immediately via E-mail or HTTP or IRC. Those viruses won't be able to spread via web messaging. The only way a virus can be spread via web messaging is if a user [1] gets a virus, [2] attaches a file to the E-mail they are sending via web messaging, and [3] the virus attached itself to that specific file. If any of those conditions aren't met, it shouldn't be possible for a virus to spread via web messaging. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Magistr.32678
It seems that this file is in constant request. Perhaps you could host it on the declude/tools page. Yes. Someone else had made a similar suggestion recently. We've already started adding a section to the Tools page for Declude addons. It will at first link to E-mails in the archive ( http://www.mail-archive.com ) that contain the programs or information about them, and the URLs will be changed for any programs that have their own URL. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Magistr.32678
1-If I set netshield to scan \spool, it will not interfere with declude ? the recieved files/emails are directly created in subdirectories, and declude will scan and send notification before netshield delete the files? 2- We can set netshield to scan \spool but not its subdirectories ? how ? 3- is it a good idea to do have netshield monitor \spool, do you recommend it ? (I curently have netshield monitoring the server but exclude \spool) 4- How do I find what version of Fprot dos engine I have ? I already contacted their support 3 times, but never got an answer, even about the 3.11b problem. - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, January 12, 2002 12:46 AM Subject: Re: [Declude.Virus] Magistr.32678 BTW - I thought you couldn't have an on-access scanner running on the machine with Declude and the command line scanner. To make Declude work we had to uninstall F-prot and reinstall it without the on-access option. Here's the story about on-access scanners and Declude: As you probably know, Declude works with a command line scanner. If you run an on-access scanner, it will delete files as soon as Declude creates them (if they contain a virus). When Declude calls the command line scanner, the command line scanner reports that no virus was found (since the file was deleted, so was the virus). That's why running an on-access scanner can be a problem. However, you can either set up the on-access scanner not to scan the subdirectories off of \IMail\Spool (where Declude processes the attachments), or you can change the ONACCESS OFF line in the \IMail\Declude\virus.cfg file to ONACCESS ON, which will tell Declude to check to see if the file was deleted (and if so, assume a virus was found). The problem with F-Prot is that it can't be set up to exclude the subdirectories off of \IMail\spool, and their on-access scanner conflicts with Declude. You *can* set it up using the ONACCESS ON setting, but there's a chance that it will interfere. I don't recall exactly what happens, but essentially there's a chance that either viruses could occasionally be delivered, or non-viruses could get caught. I believe it's a file locking issue. The Windows version of F-Prot is fairly new, from what I understand, so this may change as the program evolves. So what can you do? You can have F-Prot's command line scanner hooked up to Declude, while having another product (such as McAfee) scanning the \IMail\spool directory. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] Magistr.32678
1-If I set netshield to scan \spool, it will not interfere with declude ? If you set it to scan *just* the spool directory (not any subdirectories off of the spool directory), there will be no problem. Otherwise, you will need to use the ONACCESS ON setting in the virus.cfg file. the recieved files/emails are directly created in subdirectories, and declude will scan and send notification before netshield delete the files? If you use the ONACCESS ON setting, Declude will detect that the files were deleted, and will know that a virus was detected. 2- We can set netshield to scan \spool but not its subdirectories ? how ? I don't know how to do that with NetShield, but I understand that it is possible. 3- is it a good idea to do have netshield monitor \spool, do you recommend it ? (I curently have netshield monitoring the server but exclude \spool) That's up to you to decide. It will use a lot more CPU time, since all the files that come into the spool will need to be scanned, and it doesn't offer much more protection. But if you need that extra layer of protection, then it would be a good idea. 4- How do I find what version of Fprot dos engine I have ? If you type just F-Prot from a command line, the interactive version will start; you can find the version there. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .