[Declude.Virus] (OT) Second Scanner

2004-03-04 Thread Hank Townsend

I am thinking of adding a second virus scanner to Declude to supplement
F-Prot. I am looking at AVG and was wondering which version I'd have to
purchase. They have the AVG Professional Single Edition and the AVG File
Server Edition. My email server is NT Server 4.0.

Also, any tips on running both F-Prot and AVG on the same box? Any install
tips for AVG?

Thanks.

Hank

---
[This E-mail has been scanned for viruses.]
[MGT of America, Inc.]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.


Re: CBL:RE: [Declude.Virus] SKIPIFFORGING Question

2004-03-04 Thread Paul Ingram
Hello,

Wednesday, March 3, 2004, 11:54:36 PM, you wrote:

 Do I need to do something on my end to hit this DB??

 Run recent version of declude
 and set AUTOFORGE ON in virus.cfg

Ok that was easy.  Thanks.




-- 
Best regards,
 ~Paul~   mailto:[EMAIL PROTECTED]



[Declude.Virus] Ban notice

2004-03-04 Thread John Carter
Scott:

Is EICAR considered forged?

Using Tools page I sent myself tests for eicardynamicencodedzip and
eicarencodedzip.  Both were stopped (see logs below) but no notice was
sent.  Should I have gotten a notice if:

- Running i9
- VIRUS.CFG (logging MID) has BANEXT ZIP and BANEXT EZIP 
- BANNOTIFY.EML has SKIPIFFORGED as first line (no blank lines present
until after TO:, FROM:, and SUBJECT:)

Log Entries (I altered declude addresses below)

03/04/2004 08:13:47 Q39990bd80066c421 Scanned: Banned file extension. [MIME: 2 998]
03/04/2004 08:13:47 Q39990bd80066c421 From: webmaster-vir (at) declude.com To: [EMAIL PROTECTED]
03/04/2004 08:13:47 Q39990bd80066c421 Subject: Test eicar.com file [eicardynamicencodedzip]

03/04/2004 08:14:17 Q39b50bde006630a5 Scanned: Banned file extension. [MIME: 2 889]
03/04/2004 08:14:17 Q39b50bde006630a5 From: webmaster-vir {at} declude.com To: [EMAIL PROTECTED]
03/04/2004 08:14:17 Q39b50bde006630a5 Subject: Test eicar.com file [eicarencodedzip]

Thanks,
John



RE: [Declude.Virus] (OT) Second Scanner

2004-03-04 Thread Hank Townsend


Bill:

Which version of McAfee are you using? AVG sounds processor intensive if it
takes 3 seconds per email. Maybe I should look at McAfee.

Hank




RE: [Declude.Virus] Ban notice

2004-03-04 Thread John Carter
No problem. Thanks for the help.

John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, March 04, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Ban notice


Is EICAR considered forged?

Sorry, my mistake.

While the eicar.com file is not considered a forging virus, the
eicarencodedzip and eicardynamicencodedzip are blocked by the BANEXT EZIP
option, which won't know what the virus name is.  Therefore, it is assumed
to be a forging virus.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.Virus] (OT) Second Scanner

2004-03-04 Thread bill.maillists
Hank,

Regarding AVG, it doesn't seem to be extremely processor intensive, just slow in 
getting going and doing the scan due to the 16-bit engine, versus the 32-bit of the 
others. This was brought up in a previous thread. 

Perhaps someone else has information on when the 32-bit version will work with Declude.

Bill

 -- Original Message --
From: Hank Townsend [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 4 Mar 2004 09:42:58 -0500



Bill:

Which version of McAfee are you using? AVG sounds processor intensive if it
takes 3 seconds per email. Maybe I should look at McAfee.

Hank




Re: [Declude.Virus] Bagle detected with McAfee !

2004-03-04 Thread Darin Cox
I think Scott's right.  If he spends the time on this, implements it, and
virus writers immediately adapt as he suggested, then the effort was wasted
as it has no other longer reaching benefit.  I think development time
should be spent on features that will have ongoing value.  Otherwise we will
always be reactive and never proactive...

Darin.


- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 8:07 AM
Subject: RE: [Declude.Virus] Bagle detected with McAfee !



 Because of the amount of CPU time that may be necessary to do
 this.  And, given the way that viruses have adapted lately,
 by the time we do that, the next virus will say The password
 is 58931 plus 3 or The password is a place that people live
 that rhymes with 'mouse' and begins with the letter 'h'.
 I'll bet that one will spread fast, because people will be so
 impressed that they were smart enough to crack the password
 that they would happily run the .exe file.

Common Scott  ;-)

If other Email AV-Solutions maybe would add this as feature, so also we
Declude-users hope to have it available soon.

Otherwise if we are the only Email AV-Customers having such a feature you
can be proud if there would come out a virus that will try to bypass
Declude. Try to imagine the virus name: [EMAIL PROTECTED]

But before this happens we are proud to have such a feature.

Ok, I don't know how much work it will be to add such a feature, but the idea
sounds really good.

Markus ;-)






Re: [Declude.Virus] SKIPIFFORGING Question

2004-03-04 Thread John Olden
Serge,

 old way in order to be able to use :
 onlysendifsender [forged]  in recpforged.eml, so we can warn the recipient
 without pointing to an innocent sender.

Can I ask how you have this working? Is there something you put in the
cfg file? I created this file and added the line you indicated to the
top of it but my users are still receiving the regular recip.eml.

TIA,
John Olden - Systems Administrator
Champaign Park District



[Declude.Virus] Variable in bannotify.eml

2004-03-04 Thread Todd Holt
In our bannotify.eml, we display the banned extension by using the
%BANEXT% variable:
<bannotify.eml snippet>
You have sent an attachment with the .%BANEXT% extension.
</bannotify.eml snippet>

Today I received a banned attachment message and the extension name was
blank:
<message snippet>
You have sent an attachment with the . extension.
</message snippet>

This is the virus log entry for the message:
03/03/2004 21:26:47 Qbe1603a601ba8b8c Scanned: Banned file extension. [MIME: 2 12990]
03/03/2004 21:26:47 Qbe1603a601ba8b8c From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
03/03/2004 21:26:47 Qbe1603a601ba8b8c Subject: E-mail account security warning.

I'm using Declude V1.78i9.

Why is the variable not being set?  How can I tell what is going on with
this message?


Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
702.319.4349
www.xidix.com
 




Re: [Declude.Virus] Variable in bannotify.eml

2004-03-04 Thread R. Scott Perry

> Today I received a banned attachment message and the extension name was
> blank:
> <message snippet>
> You have sent an attachment with the . extension.
> </message snippet>
> Why is the variable not being set?  How can I tell what is going on with
> this message?

If you look at the D*.SMD file that was caught, that will provide some
clues.  You can send that file to our virustrap@ address, and we can check
to see what happened.

   -Scott


RE: [Declude.Virus] marking subject line

2004-03-04 Thread R. Scott Perry

> Scott - you may shoot me for suggesting this, especially if it has been
> suggested before. I am not a programmer so I suggest this not knowing how
> difficult it may be, but if both Virus and Junkmail use the declude.exe is
> it possible to have things like BANEZIP be defined as a test in the global
> file for junkmail and then have actions defined for different users/domains
> with different junkmail files?

It does sound easy, but unfortunately is not.  There are a few problems
(mainly that someone using just Declude Virus won't be running the Declude
JunkMail code, and vice versa).



   -Scott


Re: [Declude.Virus] SKIPIFFORGING Question

2004-03-04 Thread Serge
This has been working quite well
make sure you have no extra blank spaces or tabs

in the regular recep.eml we have
SKIPIFSENDER [forged]

in recepforged.eml we have
ONLYSENDIFSENDER [forged]

Of course, the virus should be marked as forging in virus.cfg

you can test by marking eicar as forging in virus.cfg
FORGINGVIRUS Eicar

Just retested, it works as expected



- Original Message - 
From: John Olden [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 4:22 PM
Subject: Re: [Declude.Virus] SKIPIFFORGING Question


 Serge,

  old way in order to be able to use :
  onlysendifsender [forged]  in recpforged.eml, so we can warn the recipient
  without pointing to an innocent sender.

 Can I ask how you have this working? Is there something you put in the
 cfg file? I created this file and added the line you indicated to the
 top of it but my users are still receiving the regular recip.eml.

 TIA,
 John Olden - Systems Administrator
 Champaign Park District


---BeginMessage---
Remise de message annulé: 
De: %MAILFROM%
A:  %LOCALRECIPS%

le serveur de messagerie de CEFIB Internet verifie chaque message pour les virus, 
SPAM, et Vulnerabilités

La protection de %LOCALHOST% a detecté un message qui vous était destiné, reçu 
de %MAILFROM%, et qui contient le virus %VIRUSNAME% dans la pièce jointe %VIRUSFILE%.
Le sujet du message était %SUBJECT%.  
Le message contenant le virus à été envoyé à la quarantaine pour eviter tout dégat.


Delivery blocked:
FROM: %MAILFROM%
To:   %LOCALRECIPS%

The mail server for CEFIB Internet scans each e-mail for Viruses, SPAM (Junk
Mail) and e-mail vulnerabilities.

%LOCALHOST% protection has reported that you were sent an E-mail from %MAILFROM%, 
containing the %VIRUSNAME% virus in the%VIRUSFILE% attachment.
The subject of the E-mail was %SUBJECT%.
The E-mail containing the virus has been quarantined to prevent any damage.

Adresse IP: %REMOTEIP%

Virus: %VIRUSNAME%
Pièce jointe: %VIRUSFILE%

Version Declude: %VERSION%
Fichier IMAIL: %QUEUENAME%

Subject: %SUBJECT%
Host name of the recipient  %RECIPHOST% 

IP address of the remote mail server %REMOTEIP% 

Template: recip.eml
---End Message---
---BeginMessage---
Remise de message annulé: 
De: Expediteur masqué par le virus
De: %REMOTEIP%
A:  %LOCALRECIPS%

le serveur de messagerie de CEFIB Internet verifie chaque message pour les virus, 
SPAM, et Vulnerabilités

La Protection anti-virus de %LOCALHOST% a detecté un message qui vous était 
destiné, et qui contient le virus %VIRUSNAME% dans la pièce jointe %VIRUSFILE%.
Le sujet du message était %SUBJECT%.  
Le message contenant le virus à été envoyé à la quarantaine pour eviter tout dégat.


Delivery blocked:
FROM: Sender forged by the virus
FROM: %REMOTEIP%
To:   %LOCALRECIPS%

The mail server for CEFIB Internet scans each e-mail for Viruses, SPAM (Junk
Mail) and e-mail vulnerabilities.

%LOCALHOST% anti-virus protection has reported that you were sent an E-mail 
containing the %VIRUSNAME% virus in the%VIRUSFILE% attachment.  
The subject of the E-mail was %SUBJECT%.  
The E-mail containing the virus has been quarantined to prevent any damage.

Adresse IP: %REMOTEIP%

Virus: %VIRUSNAME%
Pièce jointe: %VIRUSFILE%

Version Declude: %VERSION%
Fichier IMAIL: %QUEUENAME%

Subject: %SUBJECT%
Host name of the recipient  %RECIPHOST% 

IP address of the remote mail server %REMOTEIP% 

Template: recipfor.eml
---End Message---
---BeginMessage---

Remise de message annulé: 
De: %MAILFROM%
AA: %LOCALRECIPS%

le serveur de messagerie de CEFIB Internet verifie chaque message pour les virus, 
SPAM, et Vulnerabilités

La protection de %LOCALHOST% a intercepté un message qui contient %VIRUSNAME%, et nous 
l'avons mis en quarantaine. 
%VIRUSNAME% est generer par un client de messagerie qui n'est pas fiable,
et peut contenir des virus, ou c'est probablement du SPAM.

Merci de prendre contact avec l'expediteur de votre message pour circonscrire le 
problème.


Delivery blocked:
FROM: %MAILFROM%
TTo:  %LOCALRECIPS%

The mail server for CEFIB Internet scans each e-mail for Viruses, SPAM (Junk
Mail) and e-mail vulnerabilities.

%LOCALHOST% protection caught an e-mail addressed to you that contains %VIRUSNAME%, and
have quarantined it for your protection, %VIRUSNAME% is generated by a broken 
email client, and can hide viruses, or is most certainly spam.

Please contact your mail sender to resolve the problem.

De: %MAILFROM%
Adresse IP: %REMOTEIP%
Subject: %SUBJECT%


Host name of the recipient  %RECIPHOST% 

Virus: %VIRUSNAME%
Pièce jointe: %VIRUSFILE%

Version Declude: %VERSION%
Fichier IMAIL: %QUEUENAME%

Template: recipvul.eml
---End Message---
---BeginMessage---
Delivery 

Re: [Declude.Virus] marking subject line

2004-03-04 Thread Serge
 (mainly that someone using just Declude Virus won't be running the Declude
 JunkMail code, and vice versa).

OK, but if JM users ask for
ContainEZIPatt test, why would you refuse the request :)


- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 5:35 PM
Subject: RE: [Declude.Virus] marking subject line



 Scott - you may shoot me for suggesting this, especially if it has been
 suggested before. I am not a programmer so I suggest this not knowing how
 difficult it may be, but if both Virus and Junkmail use the declude.exe is
 it possible to have things like BANEZIP be defined as a test in the global
 file for junkmail and then have actions defined for different users/domains
 with different junkmail files?

 It does sound easy, but unfortunately is not.  There are a few problems
 (mainly that someone using just Declude Virus won't be running the Declude
 JunkMail code, and vice versa).



 -Scott


[Declude.Virus] Doh! SpamCop Report

2004-03-04 Thread Paul Navarre
I just got a SpamCop report about one of my mail servers. Upon looking at
the report, it appears that they are complaining about an Undeliverable
Mail message.

It seems that one of my domains is being dictionary attacked. The spammer
did a joe-job, so some poor guy is being bombed by my server with
Undeliverable Mail messages. It seems the guy being joe-jobbed is the one
reporting my mail server.

Anybody have any advice about what (if anything) I should do?

Paul Navarre

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


[Declude.Virus] BANEXT EZIP reports virus, not banned extension

2004-03-04 Thread Todd Holt
Why does the BANEXT EZIP report a virus (and send the associated
notifications) instead of reporting a banned extension (and send the
bannotify.eml)??

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
702.319.4349
www.xidix.com
 




Re: [Declude.Virus] Bannotify.eml missing extension.

2004-03-04 Thread R. Scott Perry

> I just received a notification message that said:
>
> <quote>
> The mail server for continentaloffice.com does not accept E-mail with
> attachments that contain the  extension.
> </quote>
> <quote>
> --pbgivjxdscnisewbjysa
> Content-Type: application/octet-stream; name=Readme.zip
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=Readme.zip
> </quote>

This is definitely helpful.

> I have the D-file, and I have the log extract

What does the log file say?  Which version of Declude Virus are you running?

   -Scott


[Declude.Virus] Use Net Send to alert user of virus?

2004-03-04 Thread Marc Catuogno
Does anyone have a way of doing this?  I mean if scumware people and
pornographers can use the windows messenger service why can't I?  I know it
wouldn't always work, but most of the IP's I get in my virus notifications
are from Road Runner or Cablevision.  I'll bet more than half of those
people could be reached by this method.  I know that I don't have the time
to contact many of them but even if I could send a message you have the
netsky.d virus on your PC! go to www.sarc.com for removal instructions!
maybe I can cure a few potential zombies.



Re: [Declude.Virus] 32-bit avgscan.exe does now work.

2004-03-04 Thread bill.maillists
Matt,

Thanks for following up. I tried AVG based on your earlier post about using the 16-bit 
version. There was another post stating that the 32-bit version did in fact work and 
that's why I asked Scott for clarification. It's good to see that the 32-bit version 
is viable. I plan to set it up in the morning.

Bill

-- Original Message --
From: Matt [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 04 Mar 2004 20:09:54 -0500

I should have read the previous message closer, so point the finger at 
me for jumping the gun totally.  The 32-bit version of avgscan.exe does 
in fact now work (this definitely wasn't the case earlier).  The 
switches for this should be modified when moving to the 32-bit version.  
I'm not positive that all of this is necessary, but here's what I'm 
using after researching what they did.

SCANFILE2 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE2 5
VIRUSCODE2 6
REPORT2   identified

If others can agree on the best switches, this should probably be added 
to the Declude Virus manual.

Matt







Matt wrote:

 The 32-bit version of AVG won't work because it doesn't return result 
 codes which Declude needs to take action.  I E-mailed them about a 
 month ago asking about this and they said that they would add them, 
 probably by the end of that month.  I've been meaning to follow up 
 with them, but I'm sure they are quite busy due to the virus storm and 
 encrypted zip files, trying to find a solution so I will wait a little 
 longer.  The 16-bit command line scanner, avg.exe, is a dog in 
 comparison to F-Prot, it's at least three times slower and it 
 definitely takes up much more processing power because it runs under 
 the NTVDM.

 The config for AVG that was shared by Jarod should also be updated.  
 One of the codes in there will cause Declude to treat errors as a 
 virus.  This is how it should be for a second scanner:

 SCANFILE2 C:\Progra~1\Grisoft\AVG7\avg.exe /NOMEM /NOSELF /ARC /REPORT=report.txt
 VIRUSCODE2 5
 VIRUSCODE2 6
 REPORT2   identified

 Please note that while this info may be a little obscure to find, like 
 Markus said, there is a lot of repetition going on recently and these 
 things have most definitely been covered recently and should be 
 searchable in the archives.  Unless you monitor this group regularly, 
 it is good practice to search the archives before posting a new 
 question.  Understandably, the search function in the archives kind of 
 sucks.

 Matt



 bill.maillists wrote:

Scott,

Can you shed some light on this?

Thanks,

Bill

-- Original Message --
From: Jerod Bennett [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 4 Mar 2004 10:46:07 -0800

  

I'm confused...

I keep reading reports that the 32-bit version of AVG 7.0 doesn't work with
Declude.

As far as I can tell, this just isn't true. I have been running avgscan.exe
as my second scanner for quite some time now.

Here is my virus.cfg setup:

SCANFILE2  C:\AVG7\avgscan.exe /NOMEM /NOSELF /ARC /REPORT=report.txt
VIRUSCODE2 2
VIRUSCODE2 6 
REPORT2    identified

And here is a report sample:

03/03/2004 00:04:48 Q919d01db01841df5 Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=me.scr [16] I
03/03/2004 00:04:49 Q919d01db01841df5 Scanner 2: Virus=  I-Worm/Netsky.B Attachment=me.scr [16] I
03/03/2004 00:04:49 Q919d01db01841df5 File(s) are INFECTED [: W32/[EMAIL PROTECTED]: 6]
03/03/2004 00:04:49 Q919d01db01841df5 Deleting file with virus
03/03/2004 00:04:49 Q919d01db01841df5 Deleting E-mail with virus!
03/03/2004 00:04:49 Q919d01db01841df5 Scanned: CONTAINS A VIRUS [MIME: 2 22067]
03/03/2004 00:04:49 Q919d01db01841df5 From: [Forged] To: [EMAIL PROTECTED] [incoming from 4.12.125.74]
03/03/2004 00:04:49 Q919d01db01841df5 Subject: information
I admit there were problems with the installation.  The biggest problem was
avgscan doesn't run in English by default.  You need to go into the GUI and
set English as the default language.

I hope this helps.
-Jerod

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of bill.maillists 
Sent: Thursday, March 04, 2004 6:34 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] (OT) Second Scanner


I'm running F-Prot, McAfee and as a test recently, AVG. The setup is
straightforward. Do not install the real-time scanner component. As far as
Declude is concerned, the instructions for adding a second scanner and AVG
are in the Declude manual. Since only the 16-bit version works with Declude,
it takes approximately three seconds for AVG to scan a message. That appears
to be the biggest drawback. I do not know when the 32-bit version will work
with Declude. I hope it is soon.

Bill 

-- Original Message --
From: Hank Townsend [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

[Declude.Virus] Pls clarify new declude virus settings

2004-03-04 Thread decvirus
I'm sorry, but I'm confused on all the settings and the release notes aren't really 
clear.

If I want to allow all file extensions for attachments and allow all regular zip files 
but:

1. Ban encrypted zip files

2. Ban zip files with dangerous .bat, .com, .pif, .scr

What are the BAN commands I should be using in the config file?


Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.

2004-03-04 Thread serge
Scott
the minimum that would be practically usable for us :

1- Notifications based on banned extension: ONLYSENDIFEXT, SKIPIFEXT

AND

2-BANEZIPEXT2 independent from banext, as in
BANEZIPEXT2 exe
BANEZIPEXT2 com
BANEXT scr
BANEZIPEXT ON

AND

3- ONLYSENDIFFORGING

Also, request for 2 cross-product features
1- REVDNS for %REMOTEIP% in virus
2- Test on attachment type in JM

I know you are currently overwhelmed in this bagle issue, but at least let
me know if you are willing to consider adding these features to your todo
list




- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 11:22 PM
Subject: Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.



 that is going to be a challenge for scott to incorporate in declude :)

 It's unlikely that we will do this.  It makes for a great marketing
 gimmick, but won't work in the long term.  All it will take is for a virus
 to say The password is  1 2 3 4 5 or The password is 12344 plus 1, and
 those AV programs will quickly leave the spotlight.

 We are an isp, and for us blocking zips is out of the question.

 Remember that all AV programs can catch viruses in standard .ZIP
 files.  It's only the encrypted .ZIP files that pose a problem, and it is
 recommended that people block all encrypted .ZIP files (but allow standard
 .ZIP files through).  That way, extremely few people are inconvenienced,
 but it would be very hard for a virus to get through.

 -Scott
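
Added example (not part of the original thread, and not Declude's code): a Python sketch of the two checks discussed in the posts above, refusing encrypted .ZIP attachments while letting standard ones through, and flagging standard .ZIP files whose members carry the extensions named in the "Pls clarify" post (.bat, .com, .pif, .scr). The function names and verdict labels are assumptions; the sample archives are constructed in memory, and the "encrypted" sample only has the header flag set.

```python
import io
import zipfile

# Inner extensions to ban, taken from the question in the thread.
DANGEROUS_EXTS = {"bat", "com", "pif", "scr"}

# Bit 0 of a ZIP entry's "general purpose bit flag" marks it as encrypted.
ENCRYPTED_FLAG = 0x0001


def extension(name):
    """Lower-cased final extension; trailing dots and spaces are ignored."""
    base = name.rstrip(". ").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def classify_zip(data, dangerous=DANGEROUS_EXTS):
    """Classify one attachment's raw bytes.

    Returns (verdict, member_names). Verdict labels are hypothetical:
      'ban-encrypted'  at least one member is flagged as encrypted
      'ban-inner-ext'  a member of a standard ZIP has a banned extension
      'unparseable'    the bytes are not a ZIP the library can read
      'allow'          standard ZIP with nothing banned inside
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()  # reads the central directory only
    except zipfile.BadZipFile:
        return "unparseable", []

    # Member names stay readable in a traditionally encrypted ZIP, so they
    # can be logged even though the contents cannot be scanned.
    encrypted = [e.filename for e in entries if e.flag_bits & ENCRYPTED_FLAG]
    if encrypted:
        return "ban-encrypted", encrypted

    risky = [e.filename for e in entries if extension(e.filename) in dangerous]
    if risky:
        return "ban-inner-ext", risky
    return "allow", []


def make_sample_zip(names, mark_encrypted=False):
    """Build a constructed test archive in memory.

    With mark_encrypted=True the encryption flag is set in every header;
    the data itself is left as-is, which is enough for a flag-based check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=(2004, 3, 4, 0, 0, 0))
            zf.writestr(info, b"constructed sample content")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flag offset: 6 in a local file header, 8 in a central directory entry.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                raw[pos + offset] |= ENCRYPTED_FLAG
                pos = raw.find(signature, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    samples = {
        "standard zip": make_sample_zip(["notes.txt"]),
        "zip with .scr inside": make_sample_zip(["readme.txt", "Me.SCR"]),
        "encrypted zip": make_sample_zip(["me.scr"], mark_encrypted=True),
        "not a zip": b"not a zip",
    }
    for label, blob in samples.items():
        print(label, "->", classify_zip(blob))
```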