Re: [Declude.Virus] hmmm... F-prot error 8?

2002-11-13 Thread Mike Nice
I've seen this with F-prot on:

  1.  New viruses in which F-prot spots suspicious characteristics but
doesn't match any signature because the definition file is not yet updated.

  2.  An impotent KAK signature - the object ID is in the HTML message,
but no payload.  The sender removed most, but not all the KAK infection on
the computer.  The message has no virus and can be released and/or the
sender notified.

  3.  Known "Joke programs" which large company network admins don't want
in their network - after all, who wants their users in the habit of running
.EXEs they receive from others?  They are considered safe, and residential
class internet users may expect to receive these.


- Original Message -
From: "Bill B" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 13, 2002 7:04 PM
Subject: Re: [Declude.Virus] hmmm... F-prot error 8?


> What types of files would get identified as "suspicious" with this option?


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.Virus] hmmm... F-prot error 8?

2002-11-13 Thread R. Scott Perry


> What types of files would get identified as "suspicious" with this option?


You would have to check with F-Prot to be sure.  The only case I know about 
was actually a mistake, where there was a new virus that they added to the 
virus definitions, but it was marked as a suspicious file instead of a 
virus.  With a suspicious file, F-Prot doesn't know the name of it, so it 
must look for patterns that are common in other viruses.

   -Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com



Re: [Declude.Virus] hmmm... F-prot error 8?

2002-11-13 Thread Bill B
What types of files would get identified as "suspicious" with this option?

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Wed, 13 Nov 2002 14:00:35 -0500
Subject: Re: [Declude.Virus] hmmm... F-prot error 8?



>After setting my Log to MID, I was going through it to see what is being
>caught, here is a piece of the log, what does this mean?

>11/13/2002 13:10:34 Q92091be000fa9508 Could not find parse string Infection: in report.txt
>11/13/2002 13:10:34 Q92091be000fa9508 Error 8 in virus scanner.
>11/13/2002 13:10:34 Q92091be000fa9508 Scanned: Error in virus scanner. [MIME: 2 9829]

That actually isn't related to the LOGLEVEL MID.

It means that your virus scanner returned an exit code of 8, which doesn't 
mean that the E-mail has a virus, and doesn't mean that it is virus 
free.  Declude Virus will deliver such E-mails, assuming that the virus 
scanner reported an unknown error.  In the case of F-Prot, this is a 
"suspicious file".  If you want to treat suspicious files as viruses (and 
are using F-Prot), you can add a line "VIRUSCODE 8" to the 
\IMail\Declude\virus.cfg file.
 -Scott
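
Added example, not part of the original thread and not Declude's own code: a short Python check that reads a Declude Virus log in the format quoted above and lists the messages delivered after the scanner returned an exit code that no VIRUSCODE line in virus.cfg names. The function names, the two constructed log lines and the assumption that virus.cfg carries one "VIRUSCODE <n>" per line are this example's own.

```python
import re
from collections import Counter

# Line format taken from the log excerpt quoted in the thread:
#   <date> <time> <queue id> Error <exit code> in virus scanner.
ERROR_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (?P<qid>\S+) "
    r"Error (?P<code>\d+) in virus scanner\.$"
)

# First three lines are from the thread (re-joined where the mail client
# wrapped them); the last two are constructed for this example.
SAMPLE_LOG = """\
11/13/2002 13:10:34 Q92091be000fa9508 Could not find parse string Infection: in report.txt
11/13/2002 13:10:34 Q92091be000fa9508 Error 8 in virus scanner.
11/13/2002 13:10:34 Q92091be000fa9508 Scanned: Error in virus scanner. [MIME: 2 9829]
11/13/2002 13:12:01 Q0000000000000001 Error 8 in virus scanner.
11/13/2002 13:15:47 Q0000000000000002 Error 5 in virus scanner.
"""

def virus_codes(cfg_text):
    """Exit codes named on VIRUSCODE lines of virus.cfg-style text."""
    codes = set()
    for line in cfg_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "VIRUSCODE" and parts[1].isdigit():
            codes.add(int(parts[1]))
    return codes

def delivered_on_scanner_error(log_text, cfg_text):
    """(queue id, exit code) pairs for messages whose scanner exit code is
    not named by a VIRUSCODE line, so the mail went out unverified."""
    as_virus = virus_codes(cfg_text)
    hits = []
    for line in log_text.splitlines():
        m = ERROR_LINE.match(line.strip())
        if m and int(m.group("code")) not in as_virus:
            hits.append((m.group("qid"), int(m.group("code"))))
    return hits

def count_by_code(hits):
    """How many unverified deliveries each exit code accounts for."""
    return Counter(code for _, code in hits)

if __name__ == "__main__":
    for cfg in ("", "VIRUSCODE 8\n"):
        hits = delivered_on_scanner_error(SAMPLE_LOG, cfg)
        print(repr(cfg), hits, dict(count_by_code(hits)))
```

Run against a day's log, a large count for one exit code is the cue to look up what that code means for the scanner in use before deciding whether to add a VIRUSCODE line for it.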




Re: [Declude.Virus] Current Version of Declude

2002-11-13 Thread Webmaster Oilfield Directory
LOL! You kill me. I think he got the point, hopefully.

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 13, 2002 12:50 PM
Subject: RE: [Declude.Virus] Current Version of Declude


>
> >Not to beat a dead horse to death but what is the current version?
>
> The dead horse can be found at http://www.declude.com/virus/manual.htm
> .  You may want to bookmark that URL.  :)
>
> >What changes have been made since 1.53 ...
>
> http://www.declude.com/virus/manual.htm has a link to the release notes, at
> http://www.declude.com/relnotes.htm .
>
>  >and where can I get it?
>
> http://www.declude.com/virus/manual.htm.
>
> >Is there a magic link?
>
> Yes -- http://www.declude.com/virus/manual.htm .  :)
>  -Scott



RE: [Declude.Virus] Current Version of Declude

2002-11-13 Thread Rick Leske
Scott you are Awesome! One of the many reasons why our company enjoys doing
business with you and Declude.

Thanks!

~Rick

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:Declude.Virus-owner@;declude.com]On Behalf Of R. Scott Perry
> Sent: Wednesday, November 13, 2002 2:50 PM - MGMT
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Current Version of Declude
>
>
>
> >Not to beat a dead horse to death but what is the current version?
>
> The dead horse can be found at http://www.declude.com/virus/manual.htm
> .  You may want to bookmark that URL.  :)
>
> >What changes have been made since 1.53 ...
>
> http://www.declude.com/virus/manual.htm has a link to the release
> notes, at
> http://www.declude.com/relnotes.htm .
>
>  >and where can I get it?
>
> http://www.declude.com/virus/manual.htm.
>
> >Is there a magic link?
>
> Yes -- http://www.declude.com/virus/manual.htm .  :)
>  -Scott

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.




RE: [Declude.Virus] Computer hackers mass-mailing trojans

2002-11-13 Thread R. Scott Perry


> Also, I started catching "Outlook 'MIME segment in MIME Preamble'
> Vulnerability" messages overnight, so this trojan may be getting caught by
> that also.
>
> Scott, yes/no?


It's quite possible.  I haven't seen any samples of these yet, so I can't 
say for certain.

If you want, you can send one of the messages that was caught to 
[EMAIL PROTECTED], and I can take a look at it.
-Scott



Re: [Declude.Virus] F-prot question

2002-11-13 Thread R. Scott Perry


> Is the ability there for F-prot to give you the NAME of the virus in the
> log? instead of "Infected with a virus."? We have the Windows version
> running.


If you use "LOGLEVEL MID" (in the \IMail\Declude\virus.cfg file), Declude 
will report the virus name in the log file.

> Does F-Prot keep a log of usage by Declude with infections? I'd like to
> get some feel for what is coming in.


Unfortunately, that isn't possible.  The problem is that F-Prot does record 
a log file, but Declude Virus needs the information from it, which means 
that it has to be saved in the temporary directory that Declude scans 
in.  Once Declude is finished scanning the E-mail, the temporary files are 
deleted.
 -Scott



RE: [Declude.Virus] Computer hackers mass-mailing trojans

2002-11-13 Thread John Tolmachoff
Also, I started catching "Outlook 'MIME segment in MIME Preamble'
Vulnerability" messages overnight, so this trojan may be getting caught by
that also.

Scott, yes/no?

This is also known as Troj/Dloader-BO.

http://www.sophos.com/virusinfo/analyses/trojdloaderbo.html


John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.Virus] Computer hackers mass-mailing trojans

2002-11-13 Thread John Tolmachoff
It was posted on the Imail list also.

The payload is in an .exe attachment.

Thus, everyone is safe until all the AV companies come out with updated
definitions because we all block unsafe attachments, right?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com





[Declude.Virus] Computer hackers mass-mailing trojans

2002-11-13 Thread Kami Razvan
Hi;
Has anyone seen this?

http://www.messagelabs.com/viewNewsPR.asp?id=109&cmd=PR

MessageLabs is currently intercepting hackers who are mass-mailing trojans
to unsuspecting users.  The spread of this new threat suggests that infected
machines could potentially be used in some kind of large-scale coordinated
Internet hacking activity
The details of the trojan are as follows:

Trojan name: Maz
Aliases: W32/Maz.A, Downloader-BO
Number of copies seen so far: 615
Time & Date first Captured: 10 Nov 2002, 14:58 GMT
Origin of first intercepted copy: UK
Number of countries seen active: 32
Top five most active countries:
  United States    60.7%
  Canada            9.3%
  Korea (South)     5.0%
  Great Britain     3.2%
  Mexico            2.1%

Regards,
Kami


RE: [Declude.Virus] Current Version of Declude

2002-11-13 Thread John Tolmachoff
Running 1.62i beta interim here.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.



[Declude.Virus] F-prot question

2002-11-13 Thread paul
Scott,
Is the ability there for F-prot to give you the NAME of the virus in the
log? instead of "Infected with a virus."? We have the Windows version
running.

Does F-Prot keep a log of usage by Declude with infections? I'd like to
get some feel for what is coming in.

Thanks!

Paul






RE: [Declude.Virus] Log Files

2002-11-13 Thread Doug McKee
Great tip Scott.
Thanks,
Doug

-Original Message-
From: [EMAIL PROTECTED]
[mailto:Declude.Virus-owner@;declude.com] On Behalf Of R. Scott Perry
Sent: Wednesday, November 13, 2002 7:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Log Files


>I have my logging set to LOW but my log files are still about 40-50Mb
>per day. We do process about 100K emails.
>What is the appropriate way to handle such a volume of info and not
>spend all day doing it?

One option would be to use the "LOG_OK NONE" option -- if you add that line
to the \IMail\Declude\virus.cfg file, it will prevent log file entries from
occurring on E-mail that is virus-free.
 -Scott




Re: [Declude.Virus] Log Files

2002-11-13 Thread R. Scott Perry


> I have my logging set to LOW but my log files are still about 40-50Mb
> per day. We do process about 100K emails.
> What is the appropriate way to handle such a volume of info and not
> spend all day doing it?


One option would be to use the "LOG_OK NONE" option -- if you add that line 
to the \IMail\Declude\virus.cfg file, it will prevent log file entries from 
occurring on E-mail that is virus-free.
-Scott



[Declude.Virus] Log Files

2002-11-13 Thread Doug McKee


I have my logging set to LOW but my log files are still about 40-50Mb
per day. We do process about 100K emails.
What is the appropriate way to handle such a volume of info and not
spend all day doing it?
Thanks,
Doug

