RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
> I switched from i5 to i8 6 hours ago. Until now I can see two empty vir directories. Before I've had one undeleted vir directory per month. (5000 to 7000 msgs / day)

What is in those files? Have you checked the Declude Virus log file to see the log file entries for those E-mails?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Update- New virus
Hi;

Just to update my last email. The new virus is still not being caught by scanners:

Norton AV
McAfee
F-Prot
AVG

None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning.

As of 8:31 EST we are now blocking it with the new features.

Regards,
Kami

In case it is of interest, this is what we have in our .cfg file so far.

virus.cfg entries:

BANEXT asp
BANEXT bas
BANEXT bat
BANEXT CEO
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT exe
BANEXT hlp
BANEXT hta
BANEXT inf
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT url
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsh
BANEXT ad
BANEXT adp
BANEXT crt
BANEXT ins
BANEXT mdb
BANEXT mde
BANEXT msc
BANEXT msp
BANEXT sct
BANEXT shb
BANEXT vb
BANEXT wsc
BANEXT wsf
BANEXT cpl
BANEXT shs
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
BANEZIPEXTS ON
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Scott,

I believe it is only with the new encrypted (password) zip files. I saw in my log (when running i8) that my Scanners were picking up and detecting normal zip's, normal pifs, normal scr. etc. of all virus flavors (if there is such thing as normal). I believe I wouldn't see (as long as we have a sig file) any banning of normal zips (un-passworded) since the AV scanner would pick it and process it first before banning. For whatever reason, any password laid virus zip files containing com, pif, scr, exe, or others are not getting picked up on our system with i8, however, they are with i7. I hope this helps.

I just used to test this was the Eicar.com virus zipped up with WinZip with an applied password. Ran it through both to an address on the system and also to another Declude protected Imail system, both came straight through.

Keith

> I'm not clear on exactly what is happening. Is the problem *only* with .ZIP files, or is it also occurring with other types of files?
>
> -Scott
Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
I also forwarded the original message to your email address with .zip attached.

Thanks,
Andy

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 7:51 AM
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

> Matt, that's how I have it setup, and one got through.

What is one? A .ZIP file with a banned encrypted file extension? A .ZIP file with a banned non-encrypted file extension? A .ZIP file with an encrypted file that does not have a banned file extension? Something else?

-Scott
Re: [Declude.Virus] Update- New virus
> None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning.

This new one -- (Dear user of your_domain.com e-mail server gateway...) likely is not going to get caught by any virus scanners. The only information that an AV program has about an encrypted .ZIP file is the filename, the size, and the CRC (a fingerprint of the file). This virus (Bagle.J) makes the filename, size, and CRC random, so it will be nearly impossible for an AV program to detect it.

We are now recommending that people block encrypted .ZIP files. You can do this by adding a line BANEXT EZIP in the \IMail\Declude\virus.cfg file if you are using the latest interim release at http://www.declude.com/interim .

-Scott
RE: [Declude.Virus] Update- New virus
1.78i8

===
X-Note: This E-mail was scanned filtered by Declude [1.78i8] for SPAM virus.
===

Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Wednesday, March 03, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Update- New virus

Kami,

What version of Declude are you running (1.78i7 or 1.78i8)? Thanks,

Keith

-Original Message-
From: [EMAIL PROTECTED] on behalf of Kami Razvan
Sent: Wed 3/3/2004 8:32 AM
To: [EMAIL PROTECTED]
Cc:
Subject: [Declude.Virus] Update- New virus

Hi;

Just to update my last email. The new virus is still not being caught by scanners:

Norton AV
McAfee
F-Prot
AVG

None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning.

As of 8:31 EST we are now blocking it with the new features.

Regards,
Kami

In case it is of interest, this is what we have in our .cfg file so far.

virus.cfg entries:

BANEXT asp
BANEXT bas
BANEXT bat
BANEXT CEO
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT exe
BANEXT hlp
BANEXT hta
BANEXT inf
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT url
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsh
BANEXT ad
BANEXT adp
BANEXT crt
BANEXT ins
BANEXT mdb
BANEXT mde
BANEXT msc
BANEXT msp
BANEXT sct
BANEXT shb
BANEXT vb
BANEXT wsc
BANEXT wsf
BANEXT cpl
BANEXT shs
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
BANEZIPEXTS ON
Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
> I also forwarded the original message to your email address with .zip attached.

No, no, NO. NEVER send a virus or any file that you think may be malicious to ANY E-mail address that is not expecting it.

We have one and only one E-mail address that viruses or suspicious files may be sent to (the declude.com virustrap address).

-Scott
Re: [Declude.Virus] Update- New virus
R. Scott Perry wrote:

> > None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning.
>
> This new one -- (Dear user of your_domain.com e-mail server gateway...) likely is not going to get caught by any virus scanners. The only information that an AV program has about an encrypted .ZIP file is the filename, the size, and the CRC (a fingerprint of the file). This virus (Bagle.J) makes the filename, size, and CRC random, so it will be nearly impossible for an AV program to detect it.

Running McAfee WebShield 4.5 MR1a on a mailrelay before my mailserver (with Declude) with Scan engine version 4.3.20 DAT version 4.3.4332 and it's detecting W32/[EMAIL PROTECTED]

Erminio
RE: [Declude.Virus] Update- New virus
I didn't see your last e-mail? What virus?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Wednesday, March 03, 2004 8:32 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Update- New virus

Hi;

Just to update my last email. The new virus is still not being caught by scanners:

Norton AV
McAfee
F-Prot
AVG

None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning.

As of 8:31 EST we are now blocking it with the new features.

Regards,
Kami

In case it is of interest, this is what we have in our .cfg file so far.

virus.cfg entries:

BANEXT asp
BANEXT bas
BANEXT bat
BANEXT CEO
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT exe
BANEXT hlp
BANEXT hta
BANEXT inf
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT url
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsh
BANEXT ad
BANEXT adp
BANEXT crt
BANEXT ins
BANEXT mdb
BANEXT mde
BANEXT msc
BANEXT msp
BANEXT sct
BANEXT shb
BANEXT vb
BANEXT wsc
BANEXT wsf
BANEXT cpl
BANEXT shs
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
BANEZIPEXTS ON
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Scott,

I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it in place of the new commands:

BANEZIPEXTS and BANZIPEXTS ON

I used that encoded file to test it under i8 first and it went straight through, that is what tipped me off that something was not right. I then turned around and made my own test from eicar.com and it went through. I just tested it under i7 and it got caught. I am unsure where to turn as our .vir directories are off the charts.

Keith

-Original Message-
From: [EMAIL PROTECTED] on behalf of R. Scott Perry
Sent: Wed 3/3/2004 9:01 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

> For whatever reason, any password laid virus zip files containing com, pif, scr, exe, or others are not getting picked up on our system with i8, however, they are with i7. I hope this helps.

I assume you are using BANEXT EZIP with i7. Are you using it with i8 as well? Do you have BANEXT com, BANEXT pif, etc. in your virus.cfg file?

> I just used to test this was the Eicar.com virus zipped up with WinZip with an applied password. Ran it through both to an address on the system and also to another Declude protected Imail system, both came straight through.

Do the eicarencodedzip E-mail from the Test Virus Sender at http://www.declude.com/tools/ get caught?

-Scott
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Scott,

This is my top portion of my virus.cfg file under i7 and i8.

Keith

-Original Message-
From: Keith Johnson on behalf of Keith Johnson
Sent: Wed 3/3/2004 8:10 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Scott,

This is a 'top' sample of what I have listed in my Virus.CFG file:

BANEZIPEXTS ON
BANZIPEXTS ON
BANEXT exe
BANEXT ex_
BANEXT pif
BANEXT pi_
BANEXT scr
BANEXT sc_
BANEXT bat
BANEXT ba_
BANEXT com
BANEXT co_

Since we modify extensions at our Firewall, you see the different alternate extensions above. I made no modifications to the above moving to i8. I noticed in my log (tried MID and HIGH) after moving to i8 that I no longer saw any Banning extension with (EXT) lines. Thus, I got concerned. On average, we get a virus every few seconds, and moving back to i7, within a minute, I was catching the banned extension inside of zip's again. When I was on i8, I did a simple test of zipping an Eicar .com virus and password protecting it. I ran it through and it went straight to my inbox. I then dropped back to i7 and ran the same file through and it was picked up and logged, however, the directory couldn't be removed. Thus, this morning I had well over 200 plus .vir directories to delete. Any thoughts? Thanks for the aid.

Keith

-Original Message-
From: [EMAIL PROTECTED] on behalf of R. Scott Perry
Sent: Wed 3/3/2004 7:57 AM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

> I'll second that. Running 1.78i8, with BANZIPEXTS and BANEZIPEXTS ON, the encoded zip eicar test passes through. The regular zip version of the eicar test is caught.

Just to clarify, this IS the expected behavior with 1.78i18.

BANZIPEXTS ON and BANEZIPEXTS ON will *only* block .ZIP files *if* they contain files that have a banned file extension.

So unless you also have a line BANEXT com in the virus.cfg file, an encrypted eicar.com file won't get caught.

For others having issues with these new features, please be very clear what is happening. There are a lot of possibilities here. You'll need to specify:

[1] Whether you are using BANZIPEXTS ON or BANEZIPEXTS ON (or the not-recommended-but-still-useful BANEXT EZIP),
[2] Whether you have a BANEXT line to block the appropriate file (BANEXT com, for example),
[3] What type of file you are sending through (.com? .com within a .zip?),
[4] If it is a .ZIP file, is the file inside it encrypted?

-Scott
[Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
hi scott,

i know, that right now it is more important to fight this new virii, but i might have a small problem with 1.78i8.

i am using 1.78i8 (with BANZIPEXTS ON and BANEZIPEXTS ON and no BANEXT EZIP) and some lines like the following are in my viruslog:

03/03/2004 10:19:17 Qa313025b008ed2a1 Invalid COM Vulnerability
03/03/2004 10:19:17 Qa313025b008ed2a1 File(s) are INFECTED [: W32/[EMAIL PROTECTED]: 3]
03/03/2004 10:19:17 Qa313025b008ed2a1 Scanned: CONTAINS A VIRUS [MIME: 2 22057]

does this mean that the COM Vulnerability and the virus was discovered? what was the value of %VIRUSNAME% in this case? i use SKIPIFVIRUSNAMEHAS to switch between different emls for normal virii and vulnerabilities.

kind regards
p.p., signed: markus guhl

***
lds nrw dez. 235
tel.: 0211 9449 2578
fax.: 0211 9449 8344
mailto:[EMAIL PROTECTED]
***
RE: [Declude.Virus] Update- New virus
Erminio:

I have a copy of this virus.. I don't think it is J. We have virus that is caught as J but this one that I have is not being caught. I can gladly send it to you off list to test..

Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of E. Ballerini
Sent: Wednesday, March 03, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Update- New virus

R. Scott Perry wrote:

> > None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning.
>
> This new one -- (Dear user of your_domain.com e-mail server gateway...) likely is not going to get caught by any virus scanners. The only information that an AV program has about an encrypted .ZIP file is the filename, the size, and the CRC (a fingerprint of the file). This virus (Bagle.J) makes the filename, size, and CRC random, so it will be nearly impossible for an AV program to detect it.

Running McAfee WebShield 4.5 MR1a on a mailrelay before my mailserver (with Declude) with Scan engine version 4.3.20 DAT version 4.3.4332 and it's detecting W32/[EMAIL PROTECTED]

Erminio
Re: [Declude.Virus] Update- New virus
> Running McAfee WebShield 4.5 MR1a on a mailrelay before my mailserver (with Declude) with Scan engine version 4.3.20 DAT version 4.3.4332 and it's detecting W32/[EMAIL PROTECTED]

Is it detecting the one with Dear user of your_domain.com e-mail server gateway... (or similar text)? Is it detecting them in an encrypted file? It may be that the virus is spreading in non-encrypted .ZIP files as well.

-Scott
RE: [Declude.Virus] Update- New virus
Scott:

I guess considering the concept is forging does not apply to blocking the zip files we should STOP sending banned extension notifications. True?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 9:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Update- New virus

> None are catching this. I just updated all the AV definitions and emailed me the same virus that arrived this morning.

This new one -- (Dear user of your_domain.com e-mail server gateway...) likely is not going to get caught by any virus scanners. The only information that an AV program has about an encrypted .ZIP file is the filename, the size, and the CRC (a fingerprint of the file). This virus (Bagle.J) makes the filename, size, and CRC random, so it will be nearly impossible for an AV program to detect it.

We are now recommending that people block encrypted .ZIP files. You can do this by adding a line BANEXT EZIP in the \IMail\Declude\virus.cfg file if you are using the latest interim release at http://www.declude.com/interim .

-Scott
RE: [Declude.Virus] Update- New virus
> At one point, only Declude Virus Pro included this new functionality of detecting virii in encoded zip files. Is that still the case?

Actually, Declude Virus never had the ability to detect viruses in encoded .ZIP files (unless the AV program used with it could).

The new feature (BANEXT EZIP) to block all encrypted .ZIP files works with all versions of Declude Virus (and always has). The new BANZIPEXTS and BANEZIPEXTS features (which block file extensions within .ZIP or encoded .ZIP files) currently only work with the Pro version, and the new bogus .BAT/.COM/.PIF/.SCR detection only works with the Pro version.

In general, any feature that is required to catch viruses (such as BANEXT EZIP) is available in all versions; any features designed to detect new viruses that are not yet detectable with virus definitions are in the Pro version.

-Scott
Re: [Declude.Virus] [IMail Forum] New virus Bagle.J can't be caught by standard virus scanners
-Scott

I'm in favor you competing the programming around the BANEXT EZIP line to include all files within the .zip file. I know I would like to from this point forward block encrypted zip files until there is a business reason for my company not to. If my virus scanners cannot scan the encrypted files for viruses this remains a risk.

Scott Fisher
Director of IT
Farm Progress Companies

[EMAIL PROTECTED] 03/03/04 08:08AM

FYI, there is a new virus that came out yesterday, Bagle.J. It spreads in an encrypted .ZIP File. While an AV program can detect a normal virus in an encrypted .ZIP file (by the name, file length, or CRC (the fingerprint of the file)), Bagle.J uses random file names, random file sizes, and random CRCs. So it is unlikely that AV programs will be able to detect it.

As a result, we are recommending that users of Declude Virus ban all .ZIP files that contain encrypted files. To do this, you need to be running the latest interim release, and add a line BANEXT EZIP to your virus.cfg file (it can go anywhere in the file). To get the latest interim release, you must be covered by a Service Agreement; you can download it from http://www.declude.com/interim .

-Scott
Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
> 03/03/2004 10:19:17 Qa313025b008ed2a1 Invalid COM Vulnerability
> 03/03/2004 10:19:17 Qa313025b008ed2a1 File(s) are INFECTED [: W32/[EMAIL PROTECTED]: 3]
>
> does this mean that the COM Vulnerability and the virus was discovered?

Correct. v1.78i9 fixes this, so that the Invalid COM Vulnerability will not be used when a virus scanner detects a virus (so users will see W32/Netsky.B in their notifications, rather than Invalid COM Vulnerability).

-Scott
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Scott,

I don't know that our firewall is the issue due to it working under i7 and all prior Declude versions. The Firewall only modifies the extension, it does not in any way alter the file. When you wrote that i7 will not block encrypted zips without the BANEXT EZIP line, it was my understanding if you have the following:

BANEZIPEXTS ON
BANEXT com

then it will block encrypted zip files containing .com files? Am I wrong? Do I need to have all the following lines in there?

BANEZIPEXTS ON
BANEXT EZIP
BANEXT com

I thought you mentioned that BANEXT EZIP was 'undesirable' and using the first example above was ideal?

Version i7 is causing the .vir directories and the lines in the log that indicate Declude could not remove the .vir directory. Inside those directories are files called 0.zi and 1.zi

It was my understanding that i8 fixed this issue with the .vir directory and also added new features for attacking .bat, .scr. Etc. I am currently on i7, due to i8 not catching encrypted .zip files with extensions in my BANEXT listing. This was tested from the encoded zip file as well as an eicar.com file zipped and password protected.

Keith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

> I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it in place of the new commands:

In that case, i7 will *not* block any encrypted .ZIP files.

> BANEZIPEXTS and BANZIPEXTS ON I used that encoded file to test it under i8 first and it went straight through, that is what tipped me off that something was not right.

What extension does the attachment in your mail client show? I'm thinking that the firewall is mucking things up (if it renames the .ZIP to .ZI or .ZI_, for example, Declude Virus won't look at it).

> I am unsure where to turn as our .vir directories are off the charts.

Unfortunately, this isn't useful information without knowing which version(s) caused them, and preferably the log file entries for them as well. There was an old interim that could cause this, but the latest should not.

-Scott
RE: [Declude.Virus] Update- New virus
This brings back my question (I know you are extremely busy) about adding the option of using something like BanZIPNotify.eml for zips.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 7:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Update- New virus

> I guess considering the concept is forging does not apply to blocking the zip files we should STOP sending banned extension notifications.

That is probably a good idea.

-Scott
[Declude.Virus] Passworded zip files still getting through!
F.Y.I.

I am running the latest interim release: 1.78i.8 and have

BANEZIPEXTS ON

In my config file but several people have complained to me that they are still getting the zipped files. I have added

BANEXT EZIP

In the hopes of stopping them all now.

Marc
[Declude.Virus] Clam deny vir folder deletion
The undeleted .vir folders are not caused by the new interim releases.

Anyone who has added shortly ClamAV as second or third AV engine should check his virus logfiles for the following lines:

ERROR: Virus scanner 3 didn't finish after 30 seconds; terminating.
WARNING: Couldn't remove .vir directory C:\IMail\spool\De5d0077b008439bf.vir\: SHARING VIOLATION. Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.

For any temporary vir folder that can't be removed there should be such an entry in your logfile. At the moment I can see 4 such folders for the last 10 hours. In the meantime we've processed around 3500 messages. All 4 folders are empty and the virus logfiles shows anything special. So I assume ClamAV has problems to check empty folders.

Markus
Re: [Declude.Virus] New interim release to ban extensions in .ZIP files
Hi, I've got BANEZIPEXTS ON and the file got through (encrypted zip with password in the body of the email), ver 1.78i7. There is so much info floating around... what version do I need to block this, and what exactly do I need in the config files?? Scott, can you please list the recommended config, the ver, and what each config line does? Thanks, Andy

- Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 02, 2004 6:17 PM Subject: Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

I am trying to understand this, but the reality doesn't work like I think you are saying it should. If I have the following in my virus.cfg file:

BANEXT EZIP

Note that BANEXT EZIP is the original quickly-implemented format that may have problems.

with or without:

BANZIPEXTS ON
BANEZIPEXTS ON

These lines will ban file extensions that appear in .ZIP files (both un-encrypted and encrypted files). Any BANEXT lines will be used to determine whether files within .ZIP files should be banned.

I catch the encrypted/password protected virus files. However, if I use just:

BANZIPEXTS ON
BANEZIPEXTS ON

the virus files pass right through declude, reporting that the file is virus free. Am I simply not understanding how this is supposed to work. I thought we no longer needed to use BANEXT EZIP. Please enlighten me on the error of my ways... :-)

The old format (which I won't repeat, just because the more it gets repeated the more likely people will try to use it) would block any .ZIP file if the first file in it was encrypted (even if it was a .TXT file). The new format will ban the same extensions that you are already banning, but will do so in .ZIP files. The BANZIPEXTS ON option will ban the files if they are un-encrypted, the BANEZIPEXTS ON will ban the files if they are encrypted. -Scott
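The three options explained above can be modelled on the ZIP headers alone, because member names in a password-protected .ZIP stay readable without the password. This is an added example, not Declude's code or any poster's; `zip_verdict`, `build_sample_zip` and the archives are hypothetical and constructed, and it assumes BANEXT EZIP bans an archive when any member is encrypted.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # bit 0 of a member's general-purpose flags: data is encrypted


def build_sample_zip(names, encrypted=False):
    """Constructed test archive, built in memory.

    zipfile cannot write encrypted archives, so for encrypted=True the flag
    bit is patched into every local and central header. The payload stays
    plain, which is enough for a filter that only reads headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # (header signature, offset of the 2-byte flags field inside it)
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", raw, pos + flag_offset)
                struct.pack_into("<H", raw, pos + flag_offset, flags | ENCRYPTED)
                pos = raw.find(signature, pos + 4)
    return bytes(raw)


def extension(member_name):
    """Extension as Windows sees it: last dot wins, trailing dots/spaces dropped."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def zip_verdict(zip_bytes, banned_exts, banext_ezip=False,
                banzipexts=False, banezipexts=False):
    """Return (action, reason); action is 'ban', 'pass' or 'unreadable'."""
    banned = {e.lower().lstrip(".") for e in banned_exts}
    try:
        members = zipfile.ZipFile(io.BytesIO(zip_bytes)).infolist()
    except zipfile.BadZipFile:
        return ("unreadable", "not a parseable .ZIP")  # caller picks fail-open/closed

    for info in members:
        is_encrypted = bool(info.flag_bits & ENCRYPTED)
        if is_encrypted and banext_ezip:
            # Assumption: any encrypted member triggers the ban, whatever its type.
            return ("ban", f"EZIP: encrypted member {info.filename!r}")
        ext = extension(info.filename)
        if ext in banned:
            if is_encrypted and banezipexts:
                return ("ban", f"BANEZIPEXTS: .{ext} in encrypted member")
            if not is_encrypted and banzipexts:
                return ("ban", f"BANZIPEXTS: .{ext} in plain member")
    return ("pass", "no rule matched")
```

With only BANEZIPEXTS ON, an encrypted archive holding a .txt file passes, which is the behaviour described as expected in this thread.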
RE: [Declude.Virus] Passworded zip files still getting through!
Sorry for my incomplete message; what I meant to say is that they are still getting PASSWORDED zip files. Even with the addition of BANEXT EZIP

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, March 03, 2004 10:48 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Passworded zip files still getting through!

F.Y.I. I am running the latest interim release: 1.78i.8 and have BANEZIPEXTS ON In my config file but several people have complained to me that they are still getting the zipped files.

Please read the information on the list very, very carefully. That is the expected behavior. BANEZIPEXTS ON will *not* block .ZIP files, it will not block encrypted .ZIP files. Previous posts cover both this and the information you must include before we can assist with any issues related to these new features. I apologize for my tone, but there is an incredible amount of work that needs to be done here, and a high volume of unnecessary posts that are going to cause people to leave the list that need the good information from this list. -Scott
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Matt, I had a space in mine, not a tab. For what it is worth. Keith

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, March 03, 2004 11:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Here's a thought. Since this is working in some cases and not in others, maybe there is a syntax bug. I have the following:

BANEZIPEXTStabON
BANEXTtabEXE
BANEXTtabCOM
etc.

What if someone had spaces, multiple spaces or multiple tabs? How about a space or tab following one of the lines? Maybe Declude isn't parsing this correctly from the config file??? I think it's worth a quick look. Matt

R. Scott Perry wrote:

I apologize for the flood of emails to you as I know your time is precious. However, I pulled the following that BANZIPEXTS and BANEZIPEXTS was added in i7:

Sorry, my mistake.

I am unsure on the .zip to .zi_ as I have no issues with Declude with versions 1.78i7 and prior. It was only with i8 that Declude was not seeing the zip with hiding file extensions any longer.

Unfortunately, I'm not sure what you are referring to regarding the hiding file extensions. Again, it is vital that people be very clear in their posts. I'm very close to turning this into a moderated list until this all blows over. What we are looking for is to get as much information about bugs in the new interim as quickly as possible on this list, while at the same time minimizing the amount of posts to this list. -Scott

-- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.Virus] Passworded zip files still getting through!
Confirmed. I commented out # BANEZIPEXTSON I left in: BANEXT EZIP And resent myself the virus and it was blocked.

Good catch. :) I'll be investigating this to see why that is happening. -Scott
RE: [Declude.Virus] Passworded zip files still getting through!
Confirmed. I commented out # BANEZIPEXTSON I left in: BANEXT EZIP And resent myself the virus and it was blocked. Marc

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Ryan Sent: Wednesday, March 03, 2004 11:18 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Passworded zip files still getting through!

Scott, I think there may still be a problem with this. Hear me out. I've been running 1.75 waiting until the next full release. This morning, I downloaded 1.78i8 (and declude.exe -diag verifies this) to try to catch these ezip viruses. My virus.cfg previously had this (along with other BANEXT entries):

BANEXTscr
BANEXTpif
BANEXTvbs
BANEXTbat
BANEXTCEO
BANEXTEXE
BANEXTCOM
BANEXTCMD

I updated it to this:

BANEZIPEXTSON
BANEXTscr
BANEXTpif
BANEXTvbs
BANEXTbat
BANEXTCEO
BANEXTEXE
BANEXTCOM
BANEXTCMD
.

I sent myself a zip with a password protected .exe in it from a yahoo account. It came through. I then tried your eicarencodedzip file from the web site and it too came through. The virus log shows this entry for the one I sent from yahoo:

03/03/2004 11:06:49 Q029800550082312d Scanned: Virus Free [MIME: 2 147788]

And this for the one from your site:

03/03/2004 11:07:51 Q02d7003600222735 Scanned: Virus Free [MIME: 2 983]

I then removed the BANEZIPEXTS ON line and replaced it with BANEXT EZIP just so I could stop these things (I know this also now blocks EZIPs with non-BANned extensions inside). It now blocks both attachments I tested earlier and my yahoo account gets my virus.eml message correctly. So I think there IS a problem with BANEZIPEXTS ON *and* extensions that have BANEXT type entries. Anything I can do to help diagnose this? Just ask! --Todd.

R. Scott Perry wrote:

F.Y.I. I am running the latest interim release: 1.78i.8 and have BANEZIPEXTS ON In my config file but several people have complained to me that they are still getting the zipped files.

Please read the information on the list very, very carefully. That is the expected behavior. BANEZIPEXTS ON will *not* block .ZIP files, it will not block encrypted .ZIP files. Previous posts cover both this and the information you must include before we can assist with any issues related to these new features. I apologize for my tone, but there is an incredible amount of work that needs to be done here, and a high volume of unnecessary posts that are going to cause people to leave the list that need the good information from this list. -Scott
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Matt, Is yours working with the TAB, I'll try anything? Keith

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, March 03, 2004 11:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Here's a thought. Since this is working in some cases and not in others, maybe there is a syntax bug. I have the following:

BANEZIPEXTStabON
BANEXTtabEXE
BANEXTtabCOM
etc.

What if someone had spaces, multiple spaces or multiple tabs? How about a space or tab following one of the lines? Maybe Declude isn't parsing this correctly from the config file??? I think it's worth a quick look. Matt

R. Scott Perry wrote:

I apologize for the flood of emails to you as I know your time is precious. However, I pulled the following that BANZIPEXTS and BANEZIPEXTS was added in i7:

Sorry, my mistake.

I am unsure on the .zip to .zi_ as I have no issues with Declude with versions 1.78i7 and prior. It was only with i8 that Declude was not seeing the zip with hiding file extensions any longer.

Unfortunately, I'm not sure what you are referring to regarding the hiding file extensions. Again, it is vital that people be very clear in their posts. I'm very close to turning this into a moderated list until this all blows over. What we are looking for is to get as much information about bugs in the new interim as quickly as possible on this list, while at the same time minimizing the amount of posts to this list. -Scott
RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Again, it is vital that people be very clear in their posts. I'm very close to turning this into a moderated list until this all blows over.

Scott, I can certainly sympathize with what you are going through there. You do an OUTSTANDING job for us and I rank Declude as #1 in my book in all areas. I for one would GLADLY want you to turn this into a moderated list. My inbox is flooded as it is by virus notifications, add to the immense amount of posts on the declude list and it's all I can do to just wade through my e-mail. I subscribe to the declude list to keep up on all the latest virus info, not to read a hundred posts asking the same question over and over again. PLEASE go to a moderated list!

Rodney Bertsch IS Coordinator Kirk NationaLease Co.
Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
Here's a thought. Since this is working in some cases and not in others, maybe there is a syntax bug. I have the following:

BANEZIPEXTStabON
BANEXTtabEXE
BANEXTtabCOM
etc.

What if someone had spaces, multiple spaces or multiple tabs? How about a space or tab following one of the lines? Maybe Declude isn't parsing this correctly from the config file??? I think it's worth a quick look. Matt

R. Scott Perry wrote:

I apologize for the flood of emails to you as I know your time is precious. However, I pulled the following that BANZIPEXTS and BANEZIPEXTS was added in i7:

Sorry, my mistake.

I am unsure on the .zip to .zi_ as I have no issues with Declude with versions 1.78i7 and prior. It was only with i8 that Declude was not seeing the zip with hiding file extensions any longer.

Unfortunately, I'm not sure what you are referring to regarding the hiding file extensions. Again, it is vital that people be very clear in their posts. I'm very close to turning this into a moderated list until this all blows over. What we are looking for is to get as much information about bugs in the new interim as quickly as possible on this list, while at the same time minimizing the amount of posts to this list. -Scott
RE: [Declude.Virus] Question: Do the new zip commands reject the file extension and not pass the file to the virus scanner
Replying to try and help Scott out... A New Interim release of 1.78i9 is there that checks for viruses first in this case... version i8 blocked by extension first...

Sincerely, Grant Griffith, Vice President EI8HT LEGS Web Management Co., Inc. http://www.getafreewebsite.com 877-483-3393

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Darrell LaRock Sent: Wednesday, March 03, 2004 11:52 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Question: Do the new zip commands reject the file extension and not pass the file to the virus scanner

Running 1.78i8 on Declude Virus Pro. Have both the BANEXT EZIP and BANEZIPEXTS ON in virus.cfg

Question: Currently does the BANEXT EZIP and BANEZIPEXTS ON commands block the mail based on the file extension and not scan the email with the configured virus scanner (See snippet #1 below) i.e. the virus scanner is not called or doesn't appear to be? When checking the file which was banned it does contain a virus (Bagle/h pwd) which was being detected fine prior to the new zip features (see snippet #2)?

Issue: Currently the files which should be caught by the virus scanner are not being caught by the scanner BUT being rejected due to the file extension which then generates the bannotify.eml (as you can see from below we now have that turned off right now). Previously (prior to the new zip features) banned extensions (see snippet #3) would appear to be scanned by the scanner and if a virus was found it would not generate the bannotify.eml.

Snippet #1

03/03/2004 11:04:16 Q01fea15f01b20d9a MIME file: Letter.zip [base64; Length=20780 Checksum=2629640]
03/03/2004 11:04:16 Q01fea15f01b20d9a Banning .ZIP file with exe extension.
03/03/2004 11:04:16 Q01fea15f01b20d9a Scanned: Banned file extension. [MIME: 2 20916]
03/03/2004 11:04:16 Q01fea15f01b20d9a Couldn't open E-mail file e:\imail\Declude\BANnotify.eml.
03/03/2004 11:04:16 Q01fea15f01b20d9a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
03/03/2004 11:04:16 Q01fea15f01b20d9a Subject: ^_^ meay-meay!

Snippet #2

03/02/2004 15:30:25 Qeede7761020e584c MIME file: Letter.zip [base64; Length=20859 Checksum=2628208]
03/02/2004 15:30:25 Qeede7761020e584c Scanner 1: Virus= the W32/Bagle.gen!pwdzip (ED) virus !!! Attachment=Letter.zip [10] O
03/02/2004 15:30:25 Qeede7761020e584c File(s) are INFECTED [ the W32/Bagle.gen!pwdzip (ED) virus !!!: 13]
03/02/2004 15:30:25 Qeede7761020e584c Scanned: CONTAINS A VIRUS [MIME: 2 20975]
03/02/2004 15:30:25 Qeede7761020e584c From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 66.188.246.138]
03/02/2004 15:30:25 Qeede7761020e584c Subject: Hey, ya! =))

Snippet #3

02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [text/html][quoted-printable; Length=5254 Checksum=412704]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [image/gif][base64; Length=3639 Checksum=424621]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [image/gif][base64; Length=359 Checksum=35758]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: Update28.exe [base64; Length=106496 Checksum=9386997]
02/25/2004 00:03:52 Q2cb6170b005aec2b Banning file with exe extension [application/x-msdownload].
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanner 1: Virus= the W32/[EMAIL PROTECTED] virus !!! Attachment=Update28.exe [10] O
02/25/2004 00:03:53 Q2cb6170b005aec2b File(s) are INFECTED [ the W32/[EMAIL PROTECTED] virus !!!: 13]
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 5 117540]
02/25/2004 00:03:53 Q2cb6170b005aec2b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 210.150.150.240]
02/25/2004 00:03:53 Q2cb6170b005aec2b Subject: New Net Patch

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, March 03, 2004 11:00 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Summary of new options

With the latest interim release, you can use:

BANEXT EZIP - This line will ban all .ZIP files with an encrypted file in them
BANZIPEXTS ON - This line (Pro version only) will ban all file extensions listed in BANEXT lines, if they appear in non-encrypted .ZIP files
BANEZIPEXTS ON - This line (Pro version only) will ban all file extensions listed in BANEXT lines, if they appear in encrypted .ZIP files

Also, the latest interim (with the Pro version only) will detect bogus .BAT/.COM/.PIF/.SCR files (automatically as vulnerabilities, with no need for config file entries).

If you are having any troubles with these, please re-read the information on them, and then be very clear what is happening. There are a lot of possibilities here. You'll need to specify [1] Whether you are using BANZIPEXTS ON or BANEZIPEXTS ON (or the not-recommended-but-still-useful BANEXT EZIP), [2] Whether you have a BANEXT line to block the appropriate file (BANEXT com, for example), [3] What type of file you are sending through (.com? .com within a .zip?), [4] If it is a .ZIP file, is the file inside it
Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
thanks, Andy

- Original Message - From: John Carter [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 11:37 AM Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Virustrap at the declude.com domain - Scott wisely doesn't post actual @ addresses on the list. The list archive is probably scanned for addresses just as our websites are. John

-Original Message-

OK... so I got a No, no, NO but what is the address!!!???

- Original Message - From: R. Scott Perry [EMAIL PROTECTED]

We have one and only one E-mail address that viruses or suspicious files may be sent to (the declude.com virustrap address). -Scott
Re: [Declude.Virus] Passworded zip files still getting through!
Hi, I've been using BANEXT .com. I am seeing on this list that is wrong, and the *dot* should be removed... correct? Thanks, Andy Thumpernet

- Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 11:43 AM Subject: RE: [Declude.Virus] Passworded zip files still getting through!

Confirmed. I commented out # BANEZIPEXTSON I left in: BANEXT EZIP And resent myself the virus and it was blocked.

Good catch. :) I'll be investigating this to see why that is happening. -Scott
RE: [Declude.Virus] Passworded zip files still getting through!
Pls could someone post the link to the interim release... Benny

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: 3. mars 2004 18:41 To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Passworded zip files still getting through!

Might this be the issue with other folks reporting this problem?

Quite possibly, yes, but that's why I keep saying that people need to read the information carefully before posting that it doesn't work. :) -Scott
Re: [Declude.Virus] Question: Do the new zip commands reject the file extension and not pass the file to the virus scanner
Currently does the BANEXT EZIP and BANEZIPEXTS ON commands block the mail based on the file extension and not scan the email with the configured virus scanner (See snippet #1 below) i.e. the virus scanner is not called or doesn't appear to be?

The virus scanner will be called with the latest interim release. The older 1.78i8 would prevent the virus scanner from being run in some cases. -Scott
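To see which messages were rejected on extension alone and which had a scanner detection logged, the virus log can be grouped by queue ID. The script below is an added example, not Declude tooling; the log lines are copied from the snippets posted in this thread, and the field names and the labels returned by `classify` are this example's own. `banned-only` means no scanner detection was logged for that message, which is the case where a ban notification is the only record.

```python
import re

ENTRY = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q[0-9a-f]+) (.*)$")

# Log lines copied from the snippets in this thread (addresses are redacted
# by the list archive).
SAMPLE_LOG = r"""
03/03/2004 11:04:16 Q01fea15f01b20d9a MIME file: Letter.zip [base64; Length=20780 Checksum=2629640]
03/03/2004 11:04:16 Q01fea15f01b20d9a Banning .ZIP file with exe extension.
03/03/2004 11:04:16 Q01fea15f01b20d9a Scanned: Banned file extension. [MIME: 2 20916]
03/02/2004 15:30:25 Qeede7761020e584c MIME file: Letter.zip [base64; Length=20859 Checksum=2628208]
03/02/2004 15:30:25 Qeede7761020e584c Scanner 1: Virus= the W32/Bagle.gen!pwdzip (ED) virus !!! Attachment=Letter.zip [10] O
03/02/2004 15:30:25 Qeede7761020e584c Scanned: CONTAINS A VIRUS [MIME: 2 20975]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [text/html][quoted-printable; Length=5254 Checksum=412704]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: Update28.exe [base64; Length=106496 Checksum=9386997]
02/25/2004 00:03:52 Q2cb6170b005aec2b Banning file with exe extension [application/x-msdownload].
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanner 1: Virus= the W32/[EMAIL PROTECTED] virus !!! Attachment=Update28.exe [10] O
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 5 117540]
03/03/2004 11:06:49 Q029800550082312d Scanned: Virus Free [MIME: 2 147788]
"""


def summarize(log_text):
    """Group log entries by queue ID and record what was logged for each message."""
    messages = {}
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue  # blank or continuation line
        _, qid, text = match.groups()
        msg = messages.setdefault(qid, {"attachments": [], "banned": False,
                                        "virus": None, "verdict": None})
        if text.startswith("MIME file: "):
            name = text[len("MIME file: "):].split(" [", 1)[0]
            if name and not name.startswith("["):   # unnamed parts start with [type]
                msg["attachments"].append(name)
        elif text.startswith("Banning "):
            msg["banned"] = True
        elif re.match(r"Scanner \d+: ", text):
            found = re.search(r"Virus= (.*?) Attachment=", text)
            if found:
                msg["virus"] = found.group(1)
        elif text.startswith("Scanned: "):
            msg["verdict"] = text[len("Scanned: "):].split(" [", 1)[0].strip()
    return messages


def classify(msg):
    """Label one message from what was logged about it."""
    if msg["banned"] and msg["virus"]:
        return "banned+virus"
    if msg["virus"]:
        return "virus"
    if msg["banned"]:
        return "banned-only"      # extension ban with no scanner detection logged
    return "clean" if msg["verdict"] == "Virus Free" else "unknown"


def report(log_text):
    """Map each queue ID to its label."""
    return {qid: classify(msg) for qid, msg in summarize(log_text).items()}


if __name__ == "__main__":
    for qid, label in report(SAMPLE_LOG).items():
        print(qid, label)
```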
Re: [Declude.Virus] Passworded zip files still getting through!
Might this be the issue with other folks reporting this problem?

Quite possibly, yes, but that's why I keep saying that people need to read the information carefully before posting that it doesn't work. :) -Scott
Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
on 3/3/04 12:13 PM, ISPhuset Nordic AS wrote: could you please post the link here

http://www.declude.com/interim/
Re: [Declude.Virus] Passworded zip files still getting through!
I've been using BANEXT .com I am seeing on this list that is wrong, and the *dot* should be removed...correct?

Correct. It must be BANEXT com. -Scott
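The whitespace question raised earlier in this thread (tab versus space, repeated separators, trailing whitespace) and the `BANEXT .com` versus `BANEXT com` point confirmed above can be checked mechanically before a test message is sent. The linter below is an added example, not part of Declude or of any post; how Declude itself parses virus.cfg is not stated on the list, `lint_virus_cfg` and the sample file are hypothetical, and treating `#` as a comment marker follows the usage shown in the posts.

```python
import re

SWITCHES = ("BANEZIPEXTS", "BANZIPEXTS")   # ON/OFF options named in the thread
DIRECTIVES = SWITCHES + ("BANEXT",)


def lint_virus_cfg(text):
    """Read the BANEXT / BANZIPEXTS / BANEZIPEXTS lines of a virus.cfg-style file.

    Returns the settings the administrator evidently intended, plus warnings
    as (line_number, message) for every line a stricter parser could misread.
    """
    result = {"banned": set(), "switches": {}, "ezip": False, "warnings": []}

    def warn(lineno, message):
        result["warnings"].append((lineno, message))

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry
        token, sep, rest = re.match(r"(\S+)([ \t]*)(.*)$", line).groups()
        name, values = token.upper(), rest.split()

        if name not in DIRECTIVES:
            glued = next((d for d in DIRECTIVES if name.startswith(d)), None)
            if glued is None:
                continue  # some other option; out of scope for this check
            warn(lineno, f"no tab/space between {glued} and its value: {token!r}")
            name, values = glued, [token[len(glued):]] + values
        elif len(sep) > 1:
            warn(lineno, f"{len(sep)} separator characters after {name}")
        if raw != line:
            warn(lineno, "leading or trailing whitespace on the line")
        if len(values) != 1:
            warn(lineno, f"{name} expects one value, found {len(values)}")
            continue

        value = values[0]
        if name == "BANEXT" and value.upper() == "EZIP":
            result["ezip"] = True
        elif name == "BANEXT":
            if value.startswith("."):
                warn(lineno, f"use 'BANEXT {value.lstrip('.')}', without the dot")
            result["banned"].add(value.lstrip(".").lower())
        elif value.upper() in ("ON", "OFF"):
            result["switches"][name] = value.upper() == "ON"
        else:
            warn(lineno, f"{name} takes ON or OFF, found {value!r}")

    if any(result["switches"].values()) and not result["banned"]:
        warn(0, "ZIP extension banning is ON but there are no BANEXT lines to match")
    return result


# Constructed sample using the spellings discussed on the list.
SAMPLE_CFG = "\n".join([
    "BANEZIPEXTS\tON",    # single tab: clean
    "BANEXT  EXE",        # two spaces
    "BANEXT .com",        # leading dot
    "BANEXT pif ",        # trailing space
    "BANEXTscr",          # separator lost
    "# BANZIPEXTS ON",    # commented out
    "BANEXT EZIP",
])

if __name__ == "__main__":
    for lineno, message in lint_virus_cfg(SAMPLE_CFG)["warnings"]:
        print(f"line {lineno}: {message}")
```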
Re: [Declude.Virus] Performance Issues
With the 1.77 and up beta/interim versions, you only need one line to do that:

SKIPIFFORGING

Previous versions require the method that you described. Scott added a great tool which checks to see if the virus is a forging virus from a database that he maintains, and that takes the weight off of us administrators plus it stops needless notifications to and from forged addresses.

Matt

Gene Head wrote:

Mitch,

You can modify the notification emails to skip viruses that are known to forge the sender's address. In the Declude subdirectory you will find files with a .eml extension. Open those files using notepad and insert the skipifvirusnamehas (name of virus) at the top of the email. Make sure that there are no extra lines between the last skip line and the top of the email or you will get an error in the log about no recipient. Here are some of the entries that I have in mine, add and subtract as necessary.

SKIPIFVIRUSNAMEHAS Sobig
SKIPIFVIRUSNAMEHAS Mimail
SKIPIFVIRUSNAMEHAS Yaha
SKIPIFVIRUSNAMEHAS Lentin
SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Bugbear
SKIPIFVIRUSNAMEHAS Bridex
SKIPIFVIRUSNAMEHAS Braid
SKIPIFVIRUSNAMEHAS Sobig
SKIPIFVIRUSNAMEHAS Palyh
skipifvirusnamehas bagle
From: [EMAIL PROTECTED]
To: %ALLRECIPS%

Hope this helps

Gene

-- Original Message --
From: "Mitch Hegstad" [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 3 Mar 2004 10:22:38 -0600

This is my second message on performance issues. Following is feedback I received from an administrator at our host. I simply asked for feedback on declude -

Yes, it should work. Just be careful when you set it up. A lot of administrators that use Declude have it set up to send virus notifications to any sender that sent a virus. The problem is, the address of the sender is not necessarily the same address the message is sent from. Our postmaster account gets these notifications all the time, usually with some sort of snarky message about how we need to improve our virus scanner, when we actually had nothing to do with the infected message. You'll probably also see a slight increase in processing time. Usually, scanners like this run the virus scanner on each individual message that comes in. This causes a large increase in CPU usage and IO time. Normally, this isn't anything to worry about, but is still something to be aware of. When we used a similar system, our delivery times went from 1 second without scanning to as long as 1 minute.

I'm concerned with the disk i/o. Although we have some spare cpu cycles, our disk use % often hovers around 40%. An increase in disk i/o could open a whole can of issues.

Any feedback welcome,
Mitch

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
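Added example, not part of the thread and not Declude code: a small check for the template rule Gene describes above (skip lines at the very top, no blank line before the headers). It assumes any line beginning with SKIPIF is a skip directive; `check_template` and both sample templates are constructed for illustration.

```python
import re

HEADER = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")   # e.g. "From:" or "To:"

def check_template(text):
    """Return a list of problems found in a notification template's skip block."""
    problems, seen, blank_at = [], {}, None
    lines = text.splitlines()
    body_start = len(lines)
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            blank_at = blank_at or no          # remember the first pending blank line
            continue
        if line.upper().startswith("SKIPIF"):  # assumption: all skip directives start so
            if blank_at:
                problems.append("line %d: blank line inside the skip block" % blank_at)
                blank_at = None
            key = " ".join(line.split()).upper()
            if key in seen:
                problems.append("line %d: repeats line %d" % (no, seen[key]))
            seen.setdefault(key, no)
            continue
        # First non-blank, non-skip line: it has to be the first mail header.
        if blank_at:
            problems.append("line %d: blank line between skip block and headers" % blank_at)
        if not HEADER.match(line):
            problems.append("line %d: expected a header line such as From:" % no)
        body_start = no
        break
    for no, raw in enumerate(lines[body_start:], body_start + 1):
        if raw.strip().upper().startswith("SKIPIF"):
            problems.append("line %d: skip directive below the top block" % no)
    return problems

# Constructed templates; the address is a placeholder.
GOOD = ("SKIPIFVIRUSNAMEHAS Sobig\nSKIPIFVIRUSNAMEHAS Klez\nskipifvirusnamehas bagle\n"
        "From: postmaster@example.com\nTo: %ALLRECIPS%\n\nA virus was found.\n")
BAD = ("SKIPIFVIRUSNAMEHAS Sobig\nSKIPIFVIRUSNAMEHAS Mimail\nSKIPIFVIRUSNAMEHAS Sobig\n\n"
       "From: postmaster@example.com\nTo: %ALLRECIPS%\n\nSKIPIFVIRUSNAMEHAS Yaha\n")

if __name__ == "__main__":
    for problem in check_template(BAD):
        print(problem)
```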
Re: [Declude.Virus] Update- New virus
Is it detecting them in an encrypted file? It may be that the virus is spreading in non-encrypted .ZIP files as well.

An email from [EMAIL PROTECTED], addressed to [EMAIL PROTECTED] , with subject E-mail account disabling warning. was infected with the virus W32/[EMAIL PROTECTED] in attachment unknown. The infected attachment has been cleaned and quarantined.(from MAILRELAY IP 192.87.68.214 user SYSTEM running WebShield 4.5 MR1a '_')

Unfortunately, they aren't giving you enough information. There isn't any indication that this is one from an encrypted .ZIP file. So I would assume this is a standard Bagle.J in a non-encrypted file (such as a .PIF file).

-Scott
Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files
I tried this with 1,2,3 spaces and tabs between the BANZIPEXTS, BANZIPEXTS and the ON. Then I sent myself a compressed .pif file both pw protected and not pw protected and every single one was caught (eight total) (as banned extensions ZIP-PIF). All my BANEXT lines have one space between it and the actual extension name...example-

BANEXTSPEXE
#Regular Zip File
BANZIPEXTS ON
#Password Protected Zip File
BANEZIPEXTS ON

Don

- Original Message -
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 10:30 AM
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

Here's a thought. Since this is working in some cases and not in others, maybe there is a syntax bug. I have the following:

BANEZIPEXTStabON
BANEXTtabEXE
BANEXTtabCOM
etc.

What if someone had spaces, multiple spaces or multiple tabs? How about a space or tab following one of the lines? Maybe Declude isn't parsing this correctly from the config file??? I think it's worth a quick look.

Matt

R. Scott Perry wrote:

I apologize for the flood of emails to you as I know your time is precious. However, I pulled the following that BANZIPEXTS and BANEZIPEXTS was added in i7:

Sorry, my mistake.

I am unsure on the .zip to .zi_ as I have no issues with Declude with versions 1.78i7 and prior. It was only with i8 that Declude was not seeing the zip with hiding file extensions any longer.

Unfortunately, I'm not sure what you are referring to regarding the hiding file extensions. Again, it is vital that people be very clear in their posts. I'm very close to turning this into a moderated list until this all blows over. What we are looking for is to get as much information about bugs in the new interim as quickly as possible on this list, while at the same time minimizing the amount of posts to this list.

-Scott
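Added example, not part of the thread and not Declude's own parser: a linter for the virus.cfg conventions raised in the messages above (BANEXT takes the extension without a dot, spaces or tabs separate directive and value, BANZIPEXTS and BANEZIPEXTS are set to ON). It assumes `#` opens a comment line and that only these three directives matter; `lint_virus_cfg` and the sample are constructed.

```python
import re

SWITCHES = {"BANZIPEXTS", "BANEZIPEXTS"}   # on/off directives named in the thread
BARE_EXT = re.compile(r"[A-Za-z0-9_]+")

def lint_virus_cfg(text):
    """Return (line_number, message) findings for virus.cfg-style text."""
    findings, seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # assumption: '#' opens a comment line
            continue
        if raw != raw.rstrip():
            findings.append((no, "trailing whitespace"))
        parts = re.split(r"[ \t]+", line, maxsplit=1)
        name = parts[0].upper()
        value = parts[1] if len(parts) > 1 else ""
        if name == "BANEXT":
            if value.startswith("."):
                findings.append((no, "leading dot: write 'BANEXT %s'" % value.lstrip(".")))
            elif not BARE_EXT.fullmatch(value):
                findings.append((no, "extension must be one bare token, got %r" % value))
            elif value.lower() in seen:
                findings.append((no, "duplicate of line %d" % seen[value.lower()]))
            else:
                seen[value.lower()] = no
        elif name in SWITCHES:
            if value.upper() != "ON":
                findings.append((no, "%s is only shown with ON, got %r" % (name, value)))
        elif name.startswith(("BANEXT", "BANZIPEXTS", "BANEZIPEXTS")):
            # Directive and value run together, so the line names no known directive.
            findings.append((no, "no space or tab between directive and value"))
    return findings

# Constructed sample: forms discussed in the thread plus deliberate mistakes.
SAMPLE = "\n".join([
    "#Regular Zip File",
    "BANZIPEXTS ON",
    "#Password Protected Zip File",
    "BANEZIPEXTS\tON",
    "BANEXT .com",      # leading dot
    "BANEXT  pif",      # two spaces: accepted
    "BANEXT\tscr ",     # trailing space
    "BANEXTexe",        # separator missing
    "BANEXT PIF",       # same extension as line 6
])

if __name__ == "__main__":
    for no, msg in lint_virus_cfg(SAMPLE):
        print("line %d: %s" % (no, msg))
```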
Re: [Declude.Virus] Fwd: OT: JM/Virus modules
I have no idea why I forwarded that so sloppily. Sorry.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
[Declude.Virus] OT: E-Mail Policies...
Hello Everyone,

Does anyone have an email policy they would be willing to share that has info on the files that they currently are banning? We are finally going to begin banning some extensions since these viruses are getting so widespread and we would like to view some policies on this to put on our website.

Thanks!

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393
RE: [Declude.Virus] OT: E-Mail Policies...
http://www.eservicesforyou.com/documents/emailattachments.pdf

This will be updated to reflect recent changes in the next week or so.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Wednesday, March 03, 2004 12:31 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] OT: E-Mail Policies...

Hello Everyone,

Does anyone have an email policy they would be willing to share that has info on the files that they currently are banning? We are finally going to begin banning some extensions since these viruses are getting so widespread and we would like to view some policies on this to put on our website.

Thanks!

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393
[Declude.Virus]
Scott,

Thanks for creating the following tool on your website, is a lot easier than creating Eicar zip encrypted test files.

eicardynamicencodedzip

I will be attempting to move to i9 from i7 tonight. Due to the volume of viruses today, I just couldn't chance it in full live production. I am also going to refresh my virus.cfg file, maybe there is something in it that is causing i8 and i9 problems.

Thanks again,
Keith
[Declude.Virus] Declude Virus Trend Pattern File 799
Got Declude running and it is catching virus however, the Declude test is still getting through to me. I am running with Trend's # 799 file. But Declude's Tests EICARENCODEDZIP and EICARDYNAMICENCODEDZIP and EICARZIP is too. Any help would be appreciated. Thanks
[Declude.Virus] Fwd: OT: JM/Virus modules
[Scroll down for forwarded message]

-Original message text---
From: Sanford Whiteman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]@declude.com
Date: Wednesday, March 3, 2004, 1:55:39 PM
Subject: OT: JM/Virus modules

[Marking this as OT to de-escalate it on such a busy day.]

I just wanted to put a word in for the (far future) separation of JM and Virus interim functionality. The new anti-zip flexibility looks great, but I've read and experienced enough of the continuing adjustment to interim functionality that I really never deploy interims anymore. Like many (most?) users, the huge majority of my Declude maintenance time is on the JM side, and I need that functionality to be as stable as possible.

If Declude were to become more modular, with a core DECLUDE.EXE and DECJM.DLL and DECVIRUS.DLL, mightn't it be possible to introduce _some_ cool stuff for one product without any changes to the other? Of course, many changes--logging or any other shared routines--would surely involve changes in the core module and so an overall upgrade could not be completely avoided...but _some_ product enhancements could be slipstreamed in without regression worries in the other product.

I can readily imagine that this would create a giant tangle relative to the current development process--I have even worried that my _own_ modular code should be consolidated for performance, especially when I build a process-centric product like Declude and have to accept DLL loading overhead on every execution--but the end result might be a little less apprehension.

Just a thought, for the far future, and surely one voiced before. :)

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---End original message text-