[Declude.Virus] Proxy-Cidra
This morning I've seen several Proxy-Cidra Trojans hold on our server. The discovery date of this trojan is 12/27/2003 and so every AV engine should be able to detect it. http://vil.nai.com/vil/content/v_100939.htm All infected messages I've seen are comming from different IPs. Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Proxy-Cidra forging
Ops, I forget: looks like this is a forgin virus because all warnings are comming back as NDR's Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] W32.Beagle.J@mm cannot be caught
> Please read the old posts about this problem. I STRONGLY agree!! > Short Summary: > Antivirus programs and declude can't open password protected > zip files ... Good summary, but the problem is that if people knows that there is a short summary even after an already 100 times asked and discussed question such messages wouldn't stop. It's much easier to ask, ignore all "search the archives" replies and wait for the short summary then watching this list and reading all messages to protect our customers immediatly. (and not after one week that Bagle.J is spreading around the world) Terry please excuse my offending reply but please, please try to search the archives for something that practicaly can't be new for users on this mailing list. On the other side an "important news" section on the declude website containing such short summaries would be a big help for part list members. Any subscription confirmation should contain a BIG, IMPORTANT, PLEASE READ BEFORE... link to this website. Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] W32.Beagle.J@mm cannot be caught
I'm a new comer and just signed up today. How can I know somebody asked 100 times before? But it proved one thing. Even the same question has been asked for 100 times, someone that doesn't know each other still willing to give help again and again. Anyway, thank you very much your help and I've the problem fixed. From: "Markus Gufler" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: <[EMAIL PROTECTED]> Subject: RE: [Declude.Virus] [EMAIL PROTECTED] cannot be caught Date: Wed, 10 Mar 2004 09:17:37 +0100 > Please read the old posts about this problem. I STRONGLY agree!! > Short Summary: > Antivirus programs and declude can't open password protected > zip files ... Good summary, but the problem is that if people knows that there is a short summary even after an already 100 times asked and discussed question such messages wouldn't stop. It's much easier to ask, ignore all "search the archives" replies and wait for the short summary then watching this list and reading all messages to protect our customers immediatly. (and not after one week that Bagle.J is spreading around the world) Terry please excuse my offending reply but please, please try to search the archives for something that practicaly can't be new for users on this mailing list. On the other side an "important news" section on the declude website containing such short summaries would be a big help for part list members. Any subscription confirmation should contain a BIG, IMPORTANT, PLEASE READ BEFORE... link to this website. Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. _ Get 10Mb extra storage for MSN Hotmail. Subscribe Now! http://join.msn.com/?pgmarket=en-hk --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] declude with mcafee virus scan 8
We have Imail 8.05, declude standard v1.75 and recently we have got mcafee virus scan8. In combination with declude and virus scan 8 on demand scanning is working fine. We have more than 20,000 users in single domain. In mcafee virus scan 8 (Active shield) we don't have option to exclude users and Imail spool folders. I would recommend contacting McAfee to see how to do it. There *must* be a way to exclude the directories -- otherwise, they are removing a very important feature. If they tell you that it can't be done with VirusScan 8, then I would recommend switching to a better AV program (such as F-Prot). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Proxy-Cidra
Actually, I think this might be a new variant. I submitted it to Mcafee last night and they sent back an extra.dat file to me. The filename is different than the one in their write-up. Also the ones we were seeing were caught by the banned extension until I copied over the extra.dat file. Ahh just went to Mcafee again... --Update Mar 10, 2004-- A new variant has been spammed to a large number of email addresses with subject similar to: This your photo? The file usb_d2.exe has been re-packed using UPX and attached as a ZIP file. This new variant will be detected by the 4336 DATS Also the file I saw were p_usb.exe in a .zip file. Don - Original Message - From: "Markus Gufler" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 10, 2004 2:23 AM Subject: [Declude.Virus] Proxy-Cidra > This morning I've seen several Proxy-Cidra Trojans hold on our server. The > discovery date of this trojan is 12/27/2003 and so every AV engine should be > able to detect it. > > http://vil.nai.com/vil/content/v_100939.htm > > All infected messages I've seen are comming from different IPs. > > Markus > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > --- > [This E-mail scanned for viruses by Declude Virus] > > --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] declude with mcafee virus scan 8
Hi Scott, Thx for the your response. I have one more doubt, we have mcafee virus scan8 and Norton anti virus corporate edition 7.6 also. Can we install both on mail server, is it recommended to install two AV scanners on the server? If so then I will disable active shield in mcafee and will use it for declude as on-demand scanner, and Norton AV will protect the server, in this I can exclude the spool and user folders. What do you say is it better solution? At present we can not go for another AV program. Thanks in advance. Regards, Venkateswarlu Swarna Systems Engineer Intelligroup Asia Pvt. Ltd. Hyderabad - 500063 Tel: +91-040-23297487 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry Sent: Wednesday, March 10, 2004 6:14 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] declude with mcafee virus scan 8 >We have Imail 8.05, declude standard v1.75 and recently we have got mcafee >virus scan8. In combination with declude and virus scan 8 on demand scanning >is working fine. We have more than 20,000 users in single domain. In mcafee >virus scan 8 (Active shield) we don't have option to exclude users and Imail >spool folders. I would recommend contacting McAfee to see how to do it. There *must* be a way to exclude the directories -- otherwise, they are removing a very important feature. If they tell you that it can't be done with VirusScan 8, then I would recommend switching to a better AV program (such as F-Prot). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Anti-Virus Tool] --- [This E-mail scanned for viruses by Declude Anti-Virus Tool] -DISCLAIMER This Message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its Purpose, any dissemination or disclosure, either whole or partial, is Prohibited except formal approval. The internet cannot guarantee the integrity of this message. BSNL shall (will) not therefore be liable for the message if modified. [AUTOMATED NOTE: Your mail server [210.212.215.74] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] declude with mcafee virus scan 8
I have one more doubt, we have mcafee virus scan8 and Norton anti virus corporate edition 7.6 also. Can we install both on mail server, is it recommended to install two AV scanners on the server? If so then I will disable active shield in mcafee and will use it for declude as on-demand scanner, and Norton AV will protect the server, in this I can exclude the spool and user folders. That would work fine. It is OK to have more than 1 AV program running on the mailserver, just so long as the on-access scanner (active shield) is disabled on all but one of them. That way, they will not conflict with each other. What do you say is it better solution? At present we can not go for another AV program. Given that you cannot use another AV program, I would recommend doing what you describe. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot version
Actually, F-Prot released a new version of 3.14c (3.14c previously errored on winmail.dat files) on Monday. Haven't tried it out yet. Has anyone taken on the task of being a guinea pig...? Darin. - Original Message - From: "Robert Grosshandler" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 10, 2004 1:51 AM Subject: RE: [Declude.Virus] [EMAIL PROTECTED] cannot be caught Also - f-prot 3.14b is the current version. It's an important upgrade if I recall correctly. terry ip wrote: > Hi All, > > Desktop Norton caught but declude didn't. I'm using Declude 1.75 + > F-prot 3.14a with the latest virus pattern. Anyone have the same > problem as I'm? or any cure on this? Thanks. > > Terry > > _ > --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. _ [This E-mail virus scanned by 4C Web] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot version
Ok I took up the Guinea Pig slack, and installed the latest version of F-prot.. I have not seen the winmail.dat error since I installed it about 10 minutes ago. I have caught many viruses during that time. So far so good. Don - Original Message - From: "Darin Cox" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 10, 2004 8:21 AM Subject: Re: [Declude.Virus] F-Prot version > Actually, F-Prot released a new version of 3.14c (3.14c previously errored > on winmail.dat files) on Monday. Haven't tried it out yet. Has anyone > taken on the task of being a guinea pig...? > > Darin. > > > - Original Message - > From: "Robert Grosshandler" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, March 10, 2004 1:51 AM > Subject: RE: [Declude.Virus] [EMAIL PROTECTED] cannot be caught > > > Also - f-prot 3.14b is the current version. It's an important upgrade if I > recall correctly. > > > terry ip wrote: > > > Hi All, > > > > Desktop Norton caught but declude didn't. I'm using Declude 1.75 + > > F-prot 3.14a with the latest virus pattern. Anyone have the same > > problem as I'm? or any cure on this? Thanks. > > > > Terry > > > > _ > > > > --- > [This E-mail scanned for viruses by Declude Virus] > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > > _ > [This E-mail virus scanned by 4C Web] > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > --- > [This E-mail scanned for viruses by Declude Virus] > > --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
[Declude.Virus] eicar in a .zip file
Scott, Using the test virus sender on your website, the eicar plain file gets caught as a virus, where the eicar in a .zip file gets caught as a banned extension. I am running Declude 1.78i14 - I just tried 1.78.i20 also, same results.. Here is a section of the log file.. 03/10/2004 08:42:40 Q295c000501aa26d2 Banning .ZIP file with encrypted COM extension. 03/10/2004 08:42:47 Q295c000501aa26d2 Scanned: Banned file extension. [MIME: 2 889] 003/10/2004 08:42:53 Q295c000501aa26d2 From: you-declude.com To: me-knox.edu 03/10/2004 08:42:53 Q295c000501aa26d2 Subject: Test eicar.com file [eicarencodedzip] On the site is mentions it should be caught as a virus. Don --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot version
Spoke too Soon!! 03/10/2004 08:46:35 Q2a4000b700e8a069 Could not find parse string Infection: in report.txt 03/10/2004 08:46:35 Q2a4000b700e8a069 Error 5 in virus scanner 1. 03/10/2004 08:46:36 Q2a4000b700e8a069 Scanned: Error in virus scanner. [MIME: 2 4472] This is with F-Prot 3.14c that was released the other day. Don - Original Message - From: "Don Hickey" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 10, 2004 8:41 AM Subject: Re: [Declude.Virus] F-Prot version > Ok I took up the Guinea Pig slack, and installed the latest version of > F-prot.. > > I have not seen the winmail.dat error since I installed it about 10 minutes > ago. I have caught many viruses during that time. > > So far so good. > > Don > > > - Original Message - > From: "Darin Cox" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, March 10, 2004 8:21 AM > Subject: Re: [Declude.Virus] F-Prot version > > > > Actually, F-Prot released a new version of 3.14c (3.14c previously errored > > on winmail.dat files) on Monday. Haven't tried it out yet. Has anyone > > taken on the task of being a guinea pig...? > > > > Darin. > > > > > > - Original Message - > > From: "Robert Grosshandler" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Wednesday, March 10, 2004 1:51 AM > > Subject: RE: [Declude.Virus] [EMAIL PROTECTED] cannot be caught > > > > > > Also - f-prot 3.14b is the current version. It's an important upgrade if > I > > recall correctly. > > > > > > terry ip wrote: > > > > > Hi All, > > > > > > Desktop Norton caught but declude didn't. I'm using Declude 1.75 + > > > F-prot 3.14a with the latest virus pattern. Anyone have the same > > > problem as I'm? or any cure on this? Thanks. > > > > > > Terry > > > > > > _ > > > > > > > --- > > [This E-mail scanned for viruses by Declude Virus] > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.Virus mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus".The archives can be found > > at http://www.mail-archive.com. > > > > _ > > [This E-mail virus scanned by 4C Web] > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.Virus mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus".The archives can be found > > at http://www.mail-archive.com. > > --- > > [This E-mail scanned for viruses by Declude Virus] > > > > > > --- > [This E-mail scanned for viruses by Declude Virus] > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > --- > [This E-mail scanned for viruses by Declude Virus] > > --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] eicar in a .zip file
Using the test virus sender on your website, the eicar plain file gets caught as a virus, where the eicar in a .zip file gets caught as a banned extension. That's because: 03/10/2004 08:42:40 Q295c000501aa26d2 Banning .ZIP file with encrypted COM extension. It's not a standard .ZIP file, it is an encrypted .ZIP file. On the site is mentions it should be caught as a virus. That's referring to the fact that it should be caught, not necessarily as a virus. It's good if the AV program can detect it as a virus (since it is a static encrypted .ZIP file, not a dynamic one), but it doesn't need to (since all encrypted .ZIP files should be blocked). FWIW, I'm not aware of any AV programs that detect the eicar.com file in encrypted .ZIP files yet. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
[Declude.Virus] RE Maybe a Bagle got through
Scott,
I just had a user send me an email with all the signes of Bagle in it.
Password zip and all.
It came right throught to the user and then it was forwared to me.
When I try to extract the zip on a test system I get "invaild archive
format".
I am running declude 1.78i20 just updated Sophos and McAfee. I do not see
any errors in the log.
Scott do you want to look at this file?
The eicardynamicencodedzip does get caught.
This is the last bagle caught which is about the time I put 1.78i20 should I
roll back to 1.78i9? That is the last one I still have.
I am going to put BANEXTEZIP back in untill I here back.
03/10/2004 09:37:18 Q281c00850246389c Scanner 1: Virus= the W32/[EMAIL PROTECTED]
virus !!! Attachment=Attach.pif [24] I
03/10/2004 09:37:20 Q281c00850246389c Scanner 2: Virus= 'W32/Bagle-J' found
in file S:\spool\D281C0~1.VIR\\0.pif Attachment=Attach.pif [24] I
03/10/2004 09:37:20 Q281c00850246389c Invalid PIF Vulnerability
03/10/2004 09:37:20 Q281c00850246389c Found a bogus .pif file
03/10/2004 09:37:20 Q281c00850246389c File(s) are INFECTED [ the
W32/[EMAIL PROTECTED] virus !!!: 3]
03/10/2004 09:37:20 Q281c00850246389c Scanned: CONTAINS A VIRUS [MIME: 2
12781]
03/10/2004 09:37:20 Q281c00850246389c From: [Forged] To:
[EMAIL PROTECTED] [incoming from 63.115.32.27]
03/10/2004 09:37:20 Q281c00850246389c Subject: E-mail account disabling
warning.
Also this is what is in my .cfg
#
# The BANEXT option will let you ban file extensions. E-mails containing
attachments
# with these file extensions will be quarantined, and if you have a
BANnotify.EML file,
# it will be sent out. This works in the Standard and Pro versions.
#
BANZIPEXTS ON
BANEZIPEXTS ON
BANEXT asp
BANEXT ad
BANEXT adp
BANEXT asd
BANEXT bas
BANEXT bat
BANEXT com
BANEXT ceo
BANEXT cab
BANEXT chm
BANEXT cmd
BANEXT crt
BANEXT cpl
BANEXT dll
BANEXT exe
BANEXT hlp
BANEXT hta
BANEXT inf
BANEXT isp
BANEXT ins
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT mst
BANEXT mdb
BANEXT mde
BANEXT msc
BANEXT msp
BANEXT nws
BANEXT ocx
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT sct
BANEXT shb
BANEXT sys
BANEXT swf
BANEXT shs
BANEXT url
BANEXT vbe
BANEXT vbs
BANEXT vb
BANEXT vbx
BANEXT wsc
BANEXT wsf
BANEXT wsh
BANEXT shs
BANEXT vsd
BANEXT vst
BANEXT vss
BANEXT vsw
BANEXT ws
BANEXT wsh
BANEXT xml
Thanks,
~Paul~
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
Re: [Declude.Virus] declude with mcafee virus scan 8
VS8 is the Retail product. As I recall controlling the exclude directories was removed. (to simplify the product for the retail market) VS 7 retail, if you can still find it, should have that feature. Or the VS 7 Enterprise. But the plan to use just one product for on-line scan will be all the solution you need. Greg Little Venkateswarlu Swarna wrote: In mcafee virus scan 8 (Active shield) we don't have option to exclude users and Imail spool folders. --- [This E-mail scanned for viruses by Findlay Internet] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] RE Maybe a Bagle got through
I just had a user send me an email with all the signes of Bagle in it. Password zip and all. It came right throught to the user and then it was forwared to me. When I try to extract the zip on a test system I get "invaild archive format". That's the problem. Most likely, it wasn't a valid .ZIP file, which prevents Declude Virus from telling that it was password protected, and prevents it from being extracted. Scott do you want to look at this file? Sure -- you can send it to the virustrap@ address at declude.com (along with the password ). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] RE Maybe a Bagle got through
"invalid archive format" says to me that it may be a corrupted/incomplete copy of the virus. If that's the case, inconsistent identification would be normal. Sending a copy of the zip to [EMAIL PROTECTED] would let Scott have more info. Greg Little EMail Admin wrote: Scott, I just had a user send me an email with all the signes of Bagle in it. Password zip and all. It came right throught to the user and then it was forwared to me. When I try to extract the zip on a test system I get "invaild archive format". --- [This E-mail scanned for viruses by Findlay Internet] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] RE Maybe a Bagle got through
> That's the problem. Most likely, it wasn't a valid .ZIP file, which
> prevents Declude Virus from telling that it was password protected, and
> prevents it from being extracted.
Kind thought it was a "corrupted/incomplete copy of the virus" as Greg
stated or some other type of archive PicoZip can not open.
>
> >Scott do you want to look at this file?
>
> Sure -- you can send it to the virustrap@ address at declude.com (along
> with the password ).
>
Ok it is on the way. Password also LoL! I would have forgotten.
Even though I have not caught any since 09:30 do you think it is safe to
just use
BANZIPEXTS ON
BANEZIPEXTS ON
Add drop
BANEXT EZIP
I had been getting a few ever hour before this.
~Paul~
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot version
I have moved back to F-Prot 3.14b as more of these errors started showing up. Don - Original Message - From: "Don Hickey" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 10, 2004 8:58 AM Subject: Re: [Declude.Virus] F-Prot version > Spoke too Soon!! > > 03/10/2004 08:46:35 Q2a4000b700e8a069 Could not find parse string Infection: > in report.txt > 03/10/2004 08:46:35 Q2a4000b700e8a069 Error 5 in virus scanner 1. > 03/10/2004 08:46:36 Q2a4000b700e8a069 Scanned: Error in virus scanner. > [MIME: 2 4472] > > This is with F-Prot 3.14c that was released the other day. > > Don > - Original Message - > From: "Don Hickey" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, March 10, 2004 8:41 AM > Subject: Re: [Declude.Virus] F-Prot version > > > > Ok I took up the Guinea Pig slack, and installed the latest version of > > F-prot.. > > > > I have not seen the winmail.dat error since I installed it about 10 > minutes > > ago. I have caught many viruses during that time. > > > > So far so good. > > > > Don > > > > > > - Original Message - > > From: "Darin Cox" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Wednesday, March 10, 2004 8:21 AM > > Subject: Re: [Declude.Virus] F-Prot version > > > > > > > Actually, F-Prot released a new version of 3.14c (3.14c previously > errored > > > on winmail.dat files) on Monday. Haven't tried it out yet. Has anyone > > > taken on the task of being a guinea pig...? > > > > > > Darin. > > > > > > > > > - Original Message - > > > From: "Robert Grosshandler" <[EMAIL PROTECTED]> > > > To: <[EMAIL PROTECTED]> > > > Sent: Wednesday, March 10, 2004 1:51 AM > > > Subject: RE: [Declude.Virus] [EMAIL PROTECTED] cannot be caught > > > > > > > > > Also - f-prot 3.14b is the current version. It's an important upgrade > if > > I > > > recall correctly. > > > > > > > > > terry ip wrote: > > > > > > > Hi All, > > > > > > > > Desktop Norton caught but declude didn't. I'm using Declude 1.75 + > > > > F-prot 3.14a with the latest virus pattern. Anyone have the same > > > > problem as I'm? or any cure on this? Thanks. > > > > > > > > Terry > > > > > > > > _ > > > > > > > > > > --- > > > [This E-mail scanned for viruses by Declude Virus] > > > > > > --- > > > [This E-mail was scanned for viruses by Declude Virus > > > (http://www.declude.com)] > > > > > > --- > > > This E-mail came from the Declude.Virus mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.Virus".The archives can be found > > > at http://www.mail-archive.com. > > > > > > _ > > > [This E-mail virus scanned by 4C Web] > > > > > > > > > --- > > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > > > --- > > > This E-mail came from the Declude.Virus mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.Virus".The archives can be found > > > at http://www.mail-archive.com. > > > --- > > > [This E-mail scanned for viruses by Declude Virus] > > > > > > > > > > --- > > [This E-mail scanned for viruses by Declude Virus] > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.Virus mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus".The archives can be found > > at http://www.mail-archive.com. > > --- > > [This E-mail scanned for viruses by Declude Virus] > > > > > > --- > [This E-mail scanned for viruses by Declude Virus] > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > --- > [This E-mail scanned for viruses by Declude Virus] > > --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] RE Maybe a Bagle got through
Even though I have not caught any since 09:30 do you think it is safe to just use BANZIPEXTS ON BANEZIPEXTS ON Add drop BANEXT EZIP I had been getting a few ever hour before this. It depends on what your needs are. If you are already blocking attachments based on the file extensions, then using BANZIPEXTS ON and BANEZIPEXTS ON should be fine. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] RE Maybe a Bagle got through
> It depends on what your needs are. If you are already blocking
attachments
> based on the file extensions, then using BANZIPEXTS ON and BANEZIPEXTS ON
> should be fine.
Thanks I will give it a try with removing BANEXT EZIP
~Paul~
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot version
I submitted a sample winmail.dat and command line which illistrated the problem to F-prot at their request. It was probably too late to put a fix in the current version, but may be in the next one. > I have moved back to F-Prot 3.14b as more of these errors started showing > up. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Declude is blocking password protected excel files
Hi, I running declude virus Ver.1.178i9 and I'm using Sophos anti virus. In the virus.cfg I have a virus code 2 under sophos but when someone is sending a xls file with a password on it I get this error in the virus log below. 03/10/2004 15:02:03 Q743829a501eaae18 Could not find parse string >>> Virus in report.txt03/10/2004 15:02:03 Q743829a501eaae18 File(s) are INFECTED [: 2]03/10/2004 15:02:03 Q743829a501eaae18 Scanned: CONTAINS A VIRUS [MIME: 3 20071] Now if I take out the virus code 2 the email goes through fine but declude or sophos is not detecting the eicarencodedzip and eicardynamicencodedzip virus test. What can I do? Below is part of my virus.cfg. SCANFILE C:\Progra~1\Sophos~2\sav32cli.exe -ns -p=report.txt -mac -archiveVIRUSCODE 3VIRUSCODE 6VIRUSCODE 2REPORT >>> Virus ## The SKIPEXT option will let you skip scanning of certain file extensions. For# example, a GIF file can't contain a virus, so there is no need to scan it.# SKIPEXT GIFSKIPEXT JPGSKIPEXT MPGSKIPEXT PNG ## The BANEXT option will let you ban file extensions. E-mails containing attachments# with these file extensions will be quarantined, and if you have a BANnotify.EML file,# it will be sent out. This works in the Standard and Pro versions.# BANEXT SCRBANEXT PIFBANEXT CMDBANEXT BATBANEXT EXE Dave Czoper PERT Survey Research Network Administrator 2247 Babcock Blvd Pittsburgh, PA 15237 412-939-1500
Re: [Declude.Virus] Declude is blocking password protected excel files
Hi, I running declude virus Ver.1.178i9 and I'm using Sophos anti virus. In the virus.cfg I have a virus code 2 under sophos but when someone is sending a xls file with a password on it I get this error in the virus log below. 03/10/2004 15:02:03 Q743829a501eaae18 Could not find parse string >>> Virus in report.txt 03/10/2004 15:02:03 Q743829a501eaae18 File(s) are INFECTED [: 2] 03/10/2004 15:02:03 Q743829a501eaae18 Scanned: CONTAINS A VIRUS [MIME: 3 20071] Now if I take out the virus code 2 the email goes through fine but declude or sophos is not detecting the eicarencodedzip and eicardynamicencodedzip virus test. What can I do? Below is part of my virus.cfg. Sophos returns the exit code of 2 if an error prevents it from processing the E-mail. What I would recommend in this case is removing the "VIRUSCODE 2" line, and using the latest interim (from http://www.declude.com/interim ) and adding a line "BANEXT EZIP" to the \IMail\Declude\virus.cfg file to block all encrypted .ZIP files. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot version
I have set declude to call fprot version 3.14b and c, just in case i just moved to a new server and have plenty of unused power - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 10, 2004 6:40 PM Subject: Re: [Declude.Virus] F-Prot version > I submitted a sample winmail.dat and command line which illistrated the problem to F-prot at their request. It was probably too late to put a fix in the current version, but may be in the next one. > > I have moved back to F-Prot 3.14b as more of these errors started showing > > up. > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
[Declude.Virus] WinZip MIME vulnerability
I see WinZip now has it's own MIME vulnerability. http://www.winzip.com/fmwz90.htm Scott Fisher Director of IT Farm Progress Companies --- [This E-mail scanned for viruses by Farm Progress Companies using Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
[Declude.Virus] ClamAV settings in virus.cfg
Are the settings for ClamAV in the Declude Virus Manual complete? SCANFILE C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary -l report.txt VIRUSCODE 1 I would have thought there would be a REPORT line. After looking at the output however, I'm at a loss to figure out what to put on the REPORT line. I don't think "REPORT :" will work and the documentation says to use the word after the file name and before the name of the virus. Scan started: Wed Mar 10 15:19:17 2004 /cygdrive/d/IMail/spool/virus/D02ae020c025e5420.SMD: Worm.SomeFool.Gen-1 FOUND /cygdrive/d/IMail/spool/virus/D033e01590032f66c.SMD: Worm.SomeFool.Gen-2 FOUND /cygdrive/d/IMail/spool/virus/D048421c300be77e3.SMD: Worm.SomeFool.Gen-1 FOUND /cygdrive/d/IMail/spool/virus/D3da3497b00be6f4b.SMD: Eicar-Test-Signature FOUND Does the REPORT syntax need to be expanded so that you somehow say the virus name is before "FOUND"? I had to put --mbox on the command line to find the viruses listed above. I assume that I don't need it in virus.cfg because Declude Virus will have already extracted everything. If you are running ClamAV successfully, could you send me your virus.cfg settings? Thanks, Brad Morgan IT Manager Horizon Interactive Inc. [EMAIL PROTECTED] 719-593-7377 x47 (Fax: 719-593-2996) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] ClamAV settings in virus.cfg
Are the settings for ClamAV in the Declude Virus Manual complete? Yes, but: SCANFILE C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary -l report.txt VIRUSCODE 1 I would have thought there would be a REPORT line. There isn't. The problem is that ClamAV doesn't report the virus name in the standard format. We are, however, looking into finding a way around this. I had to put --mbox on the command line to find the viruses listed above. I assume that I don't need it in virus.cfg because Declude Virus will have already extracted everything. Correct. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] ClamAV settings in virus.cfg
> There isn't. The problem is that ClamAV doesn't report the virus name in > the standard format. We are, however, looking into finding a way > around this. There's a standard format? Can I get a copy of the standard? ClamAV is open source so it might be easier to submit a fix to the source than to work around it. Regards, Brad --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] ClamAV settings in virus.cfg
> There isn't. The problem is that ClamAV doesn't report the virus name in
> the standard format. We are, however, looking into finding a way
> around this.
There's a standard format? Can I get a copy of the standard? ClamAV is
open source so it might be easier to submit a fix to the source than to work
around it.
The standard format is to include the filename, followed by an identifier
of some sort ("virus found", "infected", or anything that indicates that
the E-mail isn't clean), and then the virus name.
I believe the code that should be changed is in the checkfile( ) function
in the manager.c file, where there are two references to "%s: %s FOUND\n",
which could be changed to "%s: infected with %s\n" or "%s: FOUND
%s\n". That would do the trick.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
[Declude.Virus] what is p_usb.zip
Hey guys... What is p_usb.zip... my Norton on my computer just caught this that means declude and f-prot missed it. opps .. guess i jumped the gun... my norton says it is Trojan.Download.Inor.B. but why did declude not catch it... Bennie --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] what is p_usb.zip
I am not sure about F-prot, but Mcafee updated their definition files last night to catch this. Mcafee calls it Proxy-Cidra http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100939 Don - Original Message - From: "Bennie" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 10, 2004 6:32 PM Subject: [Declude.Virus] what is p_usb.zip > Hey guys... > > What is p_usb.zip... my Norton on my computer just caught this that > means declude and f-prot missed it. > > opps .. guess i jumped the gun... my norton says it is > Trojan.Download.Inor.B. but why did declude not catch it... > > > Bennie > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > --- > [This E-mail scanned for viruses by Declude Virus] > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
