RE: [Declude.Virus] Imail Queue Manager/SMTP at 100% after declude f-prot updates

2004-03-19 Thread GlobalWeb.net Webmaster
The server is a Compaq ProLiant with dual PIII 800s, RAID 5 (I know, RAID
1+0 is better; it's on the schedule to be re-config'd), 1GB RAM, defragged
by Diskeeper every night.

We run the IMail program on C: and spool & mailboxes on D:

I identified the outside hit increase as coming from an outside address
sending mail in; I have blocked the address and all is running smoothly again.


Sincerely,

Randy Armbrecht
Global Web Solutions®, Inc.
804-346-5300 ext. 1
877-800-GLOBAL (4562) ext. 1
http://globalweb.net

Richmond's Internet Source since 1996!
WEB HOSTING including EMAIL beginning at $29/month!
Non-Profits - receive a 25% discount!




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, March 19, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Imail Queue Manager/SMTP at 100% after declude
 f-prot updates


> We have been running Declude JM Pro and Declude Virus Standard for
> almost 2 years now; it wasn't until shortly after the updates to both
> Declude and F-Prot yesterday that this occurred...The CPU with all
> services running is sustained normally between the 20%-50% range with
> peaks to 75%
>
> We generally average about:
> LocalDeliver    29000
> RemoteDeliver    9500

If you have a single 500MHz CPU, you'll likely see the CPU usage you
describe.  A dual 2GHz CPU server, though, should not.

> However, in the daily report we generate overnight that I got this
> a.m., the RemoteDeliver from yesterday was up to 22,000.  I am looking
> into where these extra messages were generated from right now.
>
> [I am still a little concerned as to why the server was pegged at 100%
> for a double increase in usage; it seems to me the server should be
> able to handle much more than that.]

If the server has an older CPU, or if the server is doing other tasks (SQL,
web, etc.), that would explain the problem.

When the server is at 100% CPU, when you use Task Manager, click on the
Processes tab, and then click on the CPU button, what process(es) are
closest to the top (using the most CPU)?  One process at near 100% CPU
usage?  Several processes that together use up close to 100% CPU?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
---
[This message was Virus Scanned by GlobalWeb.net]


Re: [Declude.Virus] Are ActiveX controls considered viruses?

2004-03-19 Thread R. Scott Perry

> How about putting the interim release number on the interim release page?

That is something that we have considered, but we will likely not be doing
(due to the extra work involved).

> Or when you do announce interim releases to the list including the interim
> release number.  That way everyone would know it before installing and
> running -diag to find out what version they are running.

This we try to do when we first announce a new interim.  However, once we
come out with the new interim and announce it, we stop referring to the
specific interim, as new interims may have come out since.  That way, there
is a record of important changes in interims, while minimizing confusion.

   -Scott


[Declude.Virus] whitelisting?

2004-03-19 Thread andyb
Hi,

I have a customer that is insisting I let .zip files through (I have them
banned right now).

Is there any way to allow email to a single address to go through?  If I do
a whitelist entry for this one email address in the global.cfg, will that
work?

Thanks, andy
thumpernet



Re: [Declude.Virus] whitelisting?

2004-03-19 Thread R. Scott Perry

> I have a customer that is insisting I let .zip files through (I have them
> banned right now).
> Is there any way to allow email to a single address to go through?  If I do
> a whitelist entry for this one email address in the global.cfg, will that
> work?

You could disable virus scanning for that one customer (if you are using
Declude Virus Pro).  But it is not possible to set the banned file
extensions or vulnerability detect on a per-user or per-domain basis.

   -Scott


Re: [Declude.Virus] whitelisting?

2004-03-19 Thread Douglas Cohn
I agree with your customer.  Why do you ban all zip files?  How are they expected to 
conduct business if their business requires transferring files?  My customers required 
that I create a way for them to retrieve the infected files for them.

You could simply do that.  Allow the customer to retrieve the infected files if 
desired by creating a link and script to copy them into the spool dir.

Blocking encrypted zips is one thing but why all zip files?

Doug




Re: [Declude.Virus] whitelisting?

2004-03-19 Thread andyb
Because I am dealing with unsophisticated users that click on anything
attached.

There was so much confusion on the list at the time that I just banned all
zip files, better safe than sorry.

I would now need to go back and try to figure out exactly what settings I
need to stop the bad stuff and allow the good stuff.

I know, I know, go search the archives... That is exactly why it is the
way it is.  I'm one of those people that believe telling people to go search
the archives is a waste of time.  Every time I search the archives, I never
find what I need and I end up asking anyway, or I ask Scott off list so I
don't get ridiculed for asking (that's why I pay for a support contract, to
get support).

If things have settled down enough now so that it is OK to allow certain zip
files to go through, I'd be happy to do that if I knew concisely how.

Thanks, andy



Re: [Declude.Virus] whitelisting?

2004-03-19 Thread andyb
I have the pro version

syntax please

Thanks, andy



Re: [Declude.Virus] whitelisting?

2004-03-19 Thread R. Scott Perry

>> You could disable virus scanning for that one customer (if you are using
>> Declude Virus Pro).  But it is not possible to set the banned file
>> extensions or vulnerability detect on a per-user or per-domain basis.
>
> I have the pro version
>
> syntax please

You can add a line "[EMAIL PROTECTED]   OFF" to the
\IMail\Declude\virus_users.txt file (if that file doesn't exist, you can
just create one, with that one line in it -- making sure that the cursor
can go to the line below it).

   -Scott


Re: [Declude.Virus] whitelisting?

2004-03-19 Thread R. Scott Perry

> I would now need to go back and try to figure out exactly what settings I
> need to stop the bad stuff and allow the good stuff.

FYI, the latest advice is:

[1] Run the latest interim of Declude Virus (1.78i27 or later), and
[2] Block all encrypted .ZIP files by adding a line "BANEXT EZIP" to the
\IMail\Declude\virus.cfg file.

That should block all known viruses.

   -Scott
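What a rule like "BANEXT EZIP" keys on is the encryption bit in each ZIP member's header, not the .zip extension of the attachment. The following is an added example written for this page; it is not Declude's code and was not posted to the list. It walks the local file headers of an attachment, flags members whose encryption bit is set (the EZIP case) or whose inner file name carries a banned extension, and builds its own constructed sample archives to run against. The function names, the BANNED_EXTS list and the sample archives are assumptions made here for illustration, not Declude's BANEXT list.

```python
import io
import posixpath
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"          # local file header signature
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: member is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008      # bit 3: sizes live in a trailing descriptor
# Assumed extension list for illustration; Declude's own BANEXT list is not on this page.
BANNED_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs"}


def zip_members(data: bytes):
    """Walk the local file headers of a ZIP and yield (name, flags).

    Walking local headers rather than the central directory means a
    truncated or deliberately damaged archive still yields what it can,
    which is what a mail filter wants: it decides on what is present.
    """
    pos = 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):      # no header, or header cut short
            return
        (_ver, flags, _method, _time, _date, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + name_len].decode("cp437", "replace")
        yield name, flags
        pos += 30 + name_len + extra_len
        if not flags & FLAG_DATA_DESCRIPTOR:
            # Skip the member data. With a data descriptor csize is 0 in the
            # header, so we instead search forward for the next signature.
            pos += csize


def check_zip(data: bytes, banned_exts=BANNED_EXTS):
    """Return ("hold", reasons) if any member trips a rule, else ("pass", [])."""
    reasons = []
    for name, flags in zip_members(data):
        if flags & FLAG_ENCRYPTED:
            reasons.append(f"EZIP: {name}")        # what banning encrypted ZIPs catches
        if posixpath.splitext(name)[1].lower() in banned_exts:
            reasons.append(f"BANEXT: {name}")      # banned extension inside the archive
    return ("hold" if reasons else "pass", reasons)


def make_sample(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed test archive. encrypted=True only sets the flag bit, which is
    all a filter ever sees; no real encryption is applied."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(LOCAL_SIG) + 6] |= FLAG_ENCRYPTED   # flags field sits at offset 6
    return bytes(data)


if __name__ == "__main__":
    for label, blob in [
        ("plain report", make_sample("report.txt", b"quarterly numbers")),
        ("encrypted report", make_sample("report.txt", b"quarterly numbers", encrypted=True)),
        ("zipped executable", make_sample("invoice.exe", b"MZ\x90\x00 not a real PE")),
    ]:
        print(label, check_zip(blob))
```

A truncated or empty archive yields no members and therefore passes this check, so "pass" means "nothing found", not "clean": the attachment still goes to the virus scanner, which is the division of labour Darin describes. The encryption bit is also all a filter can see; it cannot tell a password-protected invoice from a password-protected worm, which is the trade-off Doug raises when he asks why all ZIPs are banned.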


Re: [Declude.Virus] whitelisting?

2004-03-19 Thread Darin Cox
Try just banning encrypted zips and allowing your virus scanner to handle
issues with non-encrypted zips.

Darin.




Re: [Declude.Virus] whitelisting?

2004-03-19 Thread andyb
Thanks Scott,

Best money I ever spent - Declude.

Can't say enough how much your efforts are appreciated.

:)  Andy
Thumpernet



Re: [Declude.Virus] whitelisting?

2004-03-19 Thread andyb
and

BANEZIPEXTS  ON

is no longer needed, correct?

Thanks, Andy



Re: [Declude.Virus] whitelisting?

2004-03-19 Thread Wind
> Thanks Scott,
>
> Best money I ever spent - Declude.
>
> Can't say enough how much your efforts are appreciated.
>
> :)  Andy
> Thumpernet

Same to me !

Thank you a lot, Scott for this great product and the excellent support!

Uwe



Re: [Declude.Virus] OBJECT CODE vulnerability - Notifications

2004-03-19 Thread R. Scott Perry

> I was wondering what, if any, notifications are sent out when this is
> caught.  Is there anything needed to be changed in the global or virus.cfg
> files?  I downloaded and installed the latest interim release.

These are treated exactly the same as all other vulnerabilities.  You do
not need to make any config file changes; the latest interim release
handles it automatically.

   -Scott


[Declude.Virus] How do we block the next Bagle?

2004-03-19 Thread Greg Little
How will we block a virus like Bagle.Q that does not use an "auto run"
vulnerability?
There's still no attachment to hand off to the mail server's virus
scanner(s).
If the body was VERY standard, it could be pattern matched by Declude.
Add a little random action to the body (and the port used) and here we
go again.

The latest batch of Bagles (Q, R, S, T) can be blocked because, while not
a virus, it breaks the rules.
(Auto run using a hole in MS Outlook)

The next version may be the same, except the user has to run it by hand.
Just a 1 K e-mail with a link to a recently compromised PC.
When will it end?? (or at least slow down)

PS Scott,
Thanks for the recently added vulnerability blocking (for Q, R, S & T).
--

	Greg Little

---
[This E-mail scanned for viruses by Findlay Internet]


RE: [Declude.Virus] OBJECT CODE vulnerability - Notifications

2004-03-19 Thread Jeff Maze - Hostmaster
Great.. Thanks.. 



Re: [Declude.Virus] How do we block the next Bagle?

2004-03-19 Thread Matt
Heuristics!

This was a novel, but lame attempt at exploiting a download
vulnerability.  This would have been 1,000 times worse if the virus
dynamically provided a list of IPs from known infected computers.  This
can be done, and eventually it will be done.  The kid writing Bagle has
shown that he has some talent for coming up with new tricks, and so far
he has come up with the best human engineering attempt, and new exploits
for password protected files and hiding the payload outside of the
E-mail.  It's clear to me that a person that knows this stuff has some
experience with E-mail systems and he almost definitely works for spammers.

If he was to mix some human engineering with remotely hosted code, the
result could be disastrous.  This attempt was lame because the exploit
was old, long-past patched, easily detectable, and it relied on
hard-coded IPs.

Pete from Sniffer has been coding up new rules for this stuff (not all 
of his clients use Declude Virus), and if you have JunkMail Pro, it's 
easy to write a filter to block something that is IP linked to port 81.  
In the future, there will likely be little difference between what is 
necessary to block spam and viruses, and I could see when it might make 
sense to merge functionality between Declude Virus and Declude JunkMail 
to achieve a higher level of heuristics.  Full MIME parsing in JunkMail 
may very well give us many useful capabilities.  For now, I don't see 
the need as being urgent, but I've thought that such a thing as you 
described was possible for some time, and I've been wondering why it 
didn't happen.  Maybe the AV scanner companies will come out with 
command line functionality that includes content heuristics some time in 
the future.

FYI, I've found Declude JunkMail on my system tends to catch most all of 
the undetected variants that slip through in normal ZIP files early on.

Matt



--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
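The "IP linked to port 81" filter Matt describes, as an added example written for this page rather than a MailPure or Declude JunkMail filter: it pulls URLs out of the HTML body (tag attributes that cause a client to fetch something, plus bare URLs in the text), keeps the ones whose host is a literal IPv4 address, and holds the message when such a link names a suspicious port. The attribute list, the port set, the function names and the sample body are assumptions made here; the sample uses the 192.0.2.0/24 documentation range, not a real host.

```python
import ipaddress
import re
from html.parser import HTMLParser

# Tag attributes that make a mail client fetch or reference remote content (assumed set).
URL_ATTRS = {
    "a": ("href",), "img": ("src",), "iframe": ("src",), "frame": ("src",),
    "script": ("src",), "embed": ("src",), "object": ("data", "codebase"),
}
URL_RE = re.compile(r"https?://([^/\s:'\"<>]+)(?::(\d{1,5}))?", re.IGNORECASE)
SUSPICIOUS_PORTS = {81}   # the port named in this thread; extend as variants appear


class _LinkCollector(HTMLParser):
    """Collect URL-bearing attribute values from an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag.lower(), ())
        for key, value in attrs:
            if key.lower() in wanted and value:
                self.urls.append(value.strip())


def extract_urls(body: str):
    """Attribute URLs first, then any bare http(s) URL in the text, de-duplicated."""
    collector = _LinkCollector()
    collector.feed(body)
    seen, urls = set(), []
    for url in collector.urls + [m.group(0) for m in URL_RE.finditer(body)]:
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def ip_links(body: str):
    """(host, port) for every URL whose host is a literal IPv4 address.

    A message that points at an infected PC by raw IP gives itself away by
    the literal address plus an unusual port; that survives the wording and
    layout changes that defeat a body pattern match.
    """
    found = []
    for url in extract_urls(body):
        m = URL_RE.match(url)
        if not m:
            continue
        host = m.group(1)
        try:
            ipaddress.IPv4Address(host)          # hostnames raise ValueError here
        except ValueError:
            continue
        port = int(m.group(2)) if m.group(2) else (443 if url.lower().startswith("https") else 80)
        if (host, port) not in found:
            found.append((host, port))
    return found


def classify(body: str) -> str:
    """'hold' on a literal-IP link to a suspicious port, 'review' on any literal-IP link."""
    hits = ip_links(body)
    if any(port in SUSPICIOUS_PORTS for _, port in hits):
        return "hold"
    return "review" if hits else "pass"


# Constructed sample body; 192.0.2.0/24 is a documentation range, not a real host.
SAMPLE_BODY = """<html><body>Your document is attached below.
<object data="http://192.0.2.10:81/doc.php"></object>
<a href="http://www.example.com/news">company news</a>
</body></html>"""

if __name__ == "__main__":
    print(ip_links(SAMPLE_BODY), classify(SAMPLE_BODY))
```

Keying on "literal IP host plus unusual port" rather than on body wording is what survives the randomisation Greg worries about. The obvious counter-moves are a hostname or a decimal-form address, neither of which this check catches, so it belongs as one weighted test among several rather than the sole verdict.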


Re: [Declude.Virus] How do we block the next Bagle?

2004-03-19 Thread Matt
I'm a big fan of deeper categorization. I believe these are listed in
the Experimental category presently, but due to some of the patterns in
that rule base, I actually score it lower than the others. This change
in particular though wouldn't likely affect us since Scott has been up
on the issues and working around them as they appear.

Matt



Scott Fisher wrote:

> Perhaps Pete from Sniffer could assign a new Message Sniffer Result Code just for these heuristics.
> We could then assign a hold based on this specific result code.
>
> Scott Fisher
> Director of IT
> Farm Progress Companies
[EMAIL PROTECTED] 03/19/04 03:42PM 

  

  
  Heuristics!

This was a novel, but lame attempt at exploiting a download 
vulnerability.  This would have been 1,000 times worse if the virus 
dynamically provided a list of IP's from known infected computers.  This 
can be done, and eventually it will be done.  The kid writing Bagle has 
shown that he has some talent for coming up with new tricks, and so far 
he has come up with the best human engineering attempt, and new exploits 
for password protected files and hiding the payload outside of the 
E-mail.  It's clear to me that a person that knows this stuff has some 
experience with E-mail systems and he almost definitely works for spammers.

If he was to mix some human engineering with remotely hosted code, the 
result could be disastrous.  This attempt was lame because the exploit 
was old, long-past patched, easily detectable, and it relied on hard 
coded IP's.

Pete from Sniffer has been coding up new rules for this stuff (not all 
of his clients use Declude Virus), and if you have JunkMail Pro, it's 
easy to write a filter to block something that is IP linked to port 81.  
In the future, there will likely be little difference between what is 
necessary to block spam and viruses, and I could see when it might make 
sense to merge functionality between Declude Virus and Declude JunkMail 
to achieve a higher level of heuristics.  Full MIME parsing in JunkMail 
may very well give us many useful capabilities.  For now, I don't see 
the need as being urgent, but I've thought that such a thing as you 
described was possible for some time, and I've been wondering why it 
didn't happen.  Maybe the AV scanner companies will come out with 
command line functionality that includes content heuristics some time in 
the future.

FYI, I've found Declude JunkMail on my system tends to catch most all of 
the undetected variants that slip through in normal ZIP files early on.

Matt



Greg Little wrote:

How will we block a virus like Bagle.Q that does not use an "auto run" 
vulnerability?
There's still no attachment to hand off to the mail server's virus 
scanner(s).
If the body was VERY standard, it could be pattern matched by Declude. 
Add a little random action to the body (and the port used) and here we 
go again.

The latest batch of Bagles (Q, R, S, T) can be blocked because, while 
not a virus, it breaks the rules.
(Auto run using a hole in MS Outlook)

The next version may be the same, except the user has to run it by hand.
Just a 1 K e-mail with a link to a recently compromised PC.

When will it end?? (or at least slow down)

PS Scott,
Thanks for the recently added Vulnerability blocking. (for Q, R, S & T)


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
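A body heuristic along the lines Matt and Greg describe above, as an added example that is not part of the original thread and not Declude JunkMail, Message Sniffer or F-Prot code. It scores a message body on three things the Q/R/S/T variants share: a link whose host is a bare IP literal, a non-default port (81 in these variants, but any port other than 80/443 is scored, since Greg points out the port can change), and whether the link sits in a tag that fetches its target when the mail is rendered rather than when the user clicks. The weights, the hold threshold and the sample bodies are constructed for the example; tune the weights on real traffic before holding anything.

```python
"""Body heuristic for attachment-less, Bagle.Q-style mails.

Added example: not Declude JunkMail, Message Sniffer or F-Prot code.
Weights, threshold and sample bodies are constructed for illustration.
"""
import re
from ipaddress import ip_address

# optional scheme, dotted quad, optional :port, optional path
CANDIDATE_RE = re.compile(
    r'(https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(/[^\s"\'<>]*)?',
    re.IGNORECASE)
# tags whose target is fetched when the mail is rendered, with no click
AUTOLOAD_TAG_RE = re.compile(r'<(?:object|iframe|embed|script)\b[^>]*>', re.IGNORECASE)
DEFAULT_PORTS = {None, 80, 443}


def find_ip_links(body):
    """Return one dict per link whose host is a bare IP literal."""
    autoload_tags = [t.lower() for t in AUTOLOAD_TAG_RE.findall(body)]
    hits = []
    for m in CANDIDATE_RE.finditer(body):
        scheme, ip, port, path = m.groups()
        if not (scheme or port or path):
            continue            # a dotted quad in prose (version number, netmask)
        try:
            ip_address(ip)      # rejects e.g. 999.1.2.3
        except ValueError:
            continue
        port_num = int(port) if port else None
        if port_num is not None and not 0 < port_num < 65536:
            continue
        raw = m.group(0).lower()
        hits.append({"ip": ip, "port": port_num,
                     "autoload": any(raw in tag for tag in autoload_tags)})
    return hits


def score_body(body):
    """Return (score, reasons). Weights are constructed; tune on real traffic."""
    score, reasons = 0, []
    for h in find_ip_links(body):
        score += 5
        reasons.append(f"link to IP literal {h['ip']}")
        if h["port"] not in DEFAULT_PORTS:
            score += 5
            reasons.append(f"non-default port {h['port']}")
        if h["autoload"]:
            score += 5
            reasons.append("fetched by object/iframe/embed/script without a click")
    return score, reasons


def verdict(body, hold_at=10):
    """HOLD when the body looks like a link-only dropper, else PASS."""
    return "HOLD" if score_body(body)[0] >= hold_at else "PASS"


# constructed samples, not captured Bagle bodies
SAMPLE_OBJECT_TAG = ('<html><body>Hello,<br>'
                     '<object data="http://203.0.113.7:81/index.php?id=1" type="text/html"></object>'
                     '</body></html>')
SAMPLE_CLICK_LINK = "See the photos here: http://198.51.100.9:8080/pics/ before they are gone"
SAMPLE_INTRANET = "Visit http://192.0.2.5/ for the schedule"
SAMPLE_CLEAN = "Our site moved to http://www.example.com/ and the old 1.2.3.4 box is retired."

if __name__ == "__main__":
    for name, body in [("object tag", SAMPLE_OBJECT_TAG), ("click link", SAMPLE_CLICK_LINK),
                       ("intranet", SAMPLE_INTRANET), ("clean", SAMPLE_CLEAN)]:
        score, reasons = score_body(body)
        print(f"{name:10} {verdict(body):4} score={score:2} {'; '.join(reasons)}")
```

The threshold is set so that a plain link to an IP-addressed intranet box scores but does not hold, while an IP link on an odd port (Greg's "1 K e-mail with a link", which the user has to click) and an auto-loading object tag both hold. The dotted-quad check uses `ipaddress` so that version strings and malformed quads are not counted, which is the main false-positive source for this kind of pattern.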




Re: [Declude.Virus] Are ActiveX controls considered viruses?

2004-03-19 Thread IMail Admin
Hi Scott, and thanks for the reply.  This leads to another issue: we haven't
used your interim releases because these are either considered beta or alpha
(according to your interim page).  We normally try to use only the standard
(final) releases on our production software.  Following this newsgroup, it
seems like your current beta/alpha versions have a lot of cool features, but
they're still beta/alpha.  So do we have to use beta/alpha versions to be
current and safe?  With other software, such as MS Windows Server 2003, it's
not critical to use them right away, so we wait a while (until there's a
service pack or two for MS OS software, for example), but with AV
protection, as well as SPAM protection, we need to be really current.  So
how do we reconcile this?

Ben

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 9:32 PM
Subject: Re: [Declude.Virus] Are ActiveX controls considered viruses?



 Normally, I don't see these because I set my Outlook Express security
 settings to refuse ActiveX objects.  The question is, is this considered a
 virus?  Should we (with Declude and F-Prot) have caught & blocked it?  If
 not, then why not?  Or did I just miss something in our setup?  What's your
 opinion of mail like this?

 This is one of these odd ones -- the E-mail doesn't contain a virus, but
 the person receiving the E-mail may receive a virus (which gets downloaded
 from a web site).  The latest interim of Declude Virus at
 http://www.declude.com/interim catches this vulnerability.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers
 since 2000.
 Declude Virus: Ultra reliable virus detection and the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]





Re: [Declude.Virus] Are ActiveX controls considered viruses?

2004-03-19 Thread Scott Fisher
Like Scott said, you have to weigh the risks.

In my opinion (therefore my company's opinion) the risk of an undetectable virus 
getting through, as in the case of the encrypted zip viruses, far outweighs the risk 
of encountering an undetected Declude glitch in the alpha/betas. If mail flow were to 
stop because of an alpha/beta, I'd then be forced to go back to a previous release.


Scott Fisher
Director of IT
Farm Progress Companies



[Declude.Virus] F-Prot 3.14e Settings

2004-03-19 Thread Bill Newberg
Scott,

What are the recommended settings for 3.14e?

Should we add /ARCHIVE=5/SERVER/PARANOID? Anything else?

Thanks,

Bill



[Declude.Virus] Suggestion

2004-03-19 Thread Robert Grosshandler
I'm lazy (actually, just small staff, and I want to keep it that way).

I would love to find a way to give Scott & Co. a way to automatically
force my installation to upgrade to the next interim release, if important.

I understand that there is a possibility that might backfire, but I think
that's less a troubling issue than letting something nasty through to users.

Of course, the nasties always seem to come out on weekends, or nights, or
when I'm on vacation, when I don't want to have somebody on duty to make the
decision, and then do the upgrade.  I'd rather the decision be Scott's, and
the process be automatic.

It could be as simple as a special mailbox that triggers an action on my
server.  If a specially formatted e-mail sent by Scott reaches that mailbox,
the action does the download.  We use that to trigger Sniffer downloads, and
it works flawlessly.

I haven't seen anything like that for Declude, and I scanned the archives,
but I may have missed it.  If so, my apologies.

Rob



www.iGive.com



Re: [Declude.Virus] F-Prot 3.14e Settings

2004-03-19 Thread R. Scott Perry

What are the recommended settings for 3.14e?
We haven't yet changed our recommended settings for F-Prot.  We just don't 
have enough information yet -- we don't know what kind of false positives 
may result from any changes.

   -Scott


Re: [Declude.Virus] Suggestion

2004-03-19 Thread R. Scott Perry

I would love to find a way to give Scott & Co. the way to automatically
force my installation to upgrade to the next interim release, if important.
That is a good idea.  There is a third party program that can automatically 
upgrade to new betas and released versions, but it doesn't handle interims, 
nor does it have a way that we can trigger it somehow.  We will be looking 
into the possibility of adding an option for pushing updates to customers.

   -Scott
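The trigger mailbox Rob describes, and the push-update option Scott says Declude is looking into, amount to a remote hook that installs code on the mail server for whoever can get a message into that mailbox, and sender addresses are forged by every worm discussed on this list. The sketch below is an added example, not Declude's or Sniffer's code, of what such a trigger needs before it is safe to act on: a MAC over the message with a secret only the vendor holds, a timestamp and nonce so a captured trigger cannot be replayed, and a fixed download host so even a valid trigger cannot point the server elsewhere. The header names, the shared secret, the six-hour window and the allowed host are assumptions.

```python
"""E-mail-triggered update hook that only acts on an authenticated trigger.

Added example, not Declude's or Sniffer's code: the header names, the shared
secret, the freshness window and the allowed host are assumptions.
"""
import hashlib
import hmac
from email import message_from_string
from urllib.parse import urlsplit

SHARED_SECRET = b"example-secret-installed-by-hand"   # assumption: exchanged out of band
ALLOWED_HOSTS = {"www.declude.com"}                  # assumption: fetch only from the vendor
MAX_AGE_SECONDS = 6 * 3600                           # older triggers are treated as replays


def trigger_mac(nonce, sent_at, body, secret=SHARED_SECRET):
    """HMAC over nonce, timestamp and body, so none of them can be altered."""
    data = f"{nonce}\n{sent_at}\n{body}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def build_trigger(url, version, nonce, sent_at, secret=SHARED_SECRET):
    """Vendor side: the specially formatted mail Rob describes, plus a MAC."""
    body = f"URL: {url}\nVERSION: {version}\n"
    return (f"X-Update-Nonce: {nonce}\n"
            f"X-Update-Time: {sent_at}\n"
            f"X-Update-MAC: {trigger_mac(nonce, sent_at, body, secret)}\n"
            f"\n{body}")


def verify_trigger(raw, now, seen_nonces, secret=SHARED_SECRET):
    """Server side. Return (fields, None) for an authentic, fresh trigger,
    else (None, reason). Nothing is downloaded until this says yes."""
    msg = message_from_string(raw)
    nonce, sent_at, mac = msg["X-Update-Nonce"], msg["X-Update-Time"], msg["X-Update-MAC"]
    if not (nonce and sent_at and mac):
        return None, "missing trigger headers"
    body = msg.get_payload()
    # constant-time compare; the From: line proves nothing, only the MAC does
    if not hmac.compare_digest(mac, trigger_mac(nonce, sent_at, body, secret)):
        return None, "bad MAC (forged or altered)"
    if not sent_at.isdigit() or abs(now - int(sent_at)) > MAX_AGE_SECONDS:
        return None, "stale timestamp (replay?)"
    if nonce in seen_nonces:
        return None, "nonce already used (replay)"
    fields = dict(line.split(": ", 1) for line in body.strip().splitlines() if ": " in line)
    host = urlsplit(fields.get("URL", "")).hostname
    if host not in ALLOWED_HOSTS:
        return None, f"download host {host!r} not allowed"
    seen_nonces.add(nonce)
    return fields, None


if __name__ == "__main__":
    NOW = 1079740800           # constructed epoch timestamp
    seen = set()
    good = build_trigger("http://www.declude.com/interim", "example-interim", "nonce-1", str(NOW - 60))
    print(verify_trigger(good, NOW, seen))                                   # accepted
    print(verify_trigger(good, NOW, seen))                                   # replay
    print(verify_trigger(good.replace("www.declude.com", "203.0.113.7"), NOW, set()))  # tampered
```

The checks run in the order that fails closed earliest: the MAC is verified before anything in the message is interpreted, so a forged or tampered trigger is rejected without the freshness or host logic ever seeing attacker-controlled data. The host allow-list is defence in depth for the case where the secret leaks: a valid MAC still cannot make the server fetch from an arbitrary IP.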


Re: [Declude.Virus] How do we block the next Bagle?

2004-03-19 Thread Pete McNeil


To clarify, group 62 is experimental.
Malware is in group 55.
_M
At 05:20 PM 3/19/2004, you wrote:
I'm a big fan of deeper
categorization. I believe these are listed in the Experimental
category presently, but due to some of the patterns in that rule base, I
actually score it lower than the others. This change in particular
though wouldn't likely affect us since Scott has been up on the issues
and working around them as they appear.

Matt