RE: [Declude.Virus] OBJECT DATA Vulnerability Caught but not Reported?

2004-03-23 Thread Dave Marchette
Assuming you are running the correct Declude version, you probably are
skipping the notification in your eml file.  If you have the line
'SKIPIFVIRUSNAMEHAS Vulnerability' you may not see the notification of
the test.

-Original Message-
From: Dan Star [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 23, 2004 9:44 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] OBJECT DATA Vulnerability Caught but not
Reported?

I tested the Declude OBJECT DATA Vulnerability send and the email didn't
come thru but it wasn't reported as a virus.  Is this a known issue with
this test?

Dan
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] OBJECT DATA Vulnerability Caught but not Reported?

2004-03-23 Thread Jim Matuska
I am seeing this same thing, it seems that the test virus email does not get
delivered but does not generate any notification message like the other
vulnerabilities do.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 23, 2004 9:53 AM
Subject: Re: [Declude.Virus] OBJECT DATA Vulnerability Caught but not
Reported?


>
> >I tested the Declude OBJECT DATA Vulnerability send and the email didn't
> >come thru but it wasn't reported as a virus.  Is this a known issue with
> >this test?
>
> Are you running the latest interim?
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


[Declude.Virus] OBJECT DATA Vulnerability Caught but not Reported?

2004-03-23 Thread Dan Star
I tested the Declude OBJECT DATA Vulnerability send and the email didn't 
come thru but it wasn't reported as a virus.  Is this a known issue with 
this test?

Dan


Re: [Declude.Virus] OBJECT DATA Vulnerability Caught but not Reported?

2004-03-23 Thread R. Scott Perry

> I tested the Declude OBJECT DATA Vulnerability send and the email didn't
> come thru but it wasn't reported as a virus.  Is this a known issue with
> this test?

Are you running the latest interim?

   -Scott


Re: [Declude.Virus] New Virus option question

2004-03-23 Thread R. Scott Perry

> Would it be possible to add an option to the per user setting in Declude
> virus to
> A) allow the vulnerabilities test to be skipped per user while maintaining
>    all other defined virus scanning
> or
>
> B) to override the virus.cfg defined virus action for email failing
>    "vulnerabilities" test.

We might, but are very hesitant to do so, especially after Bagle.

The problem is adding such a feature just encourages people to continue 
sending out dangerous E-mail, which causes viruses to spread 
faster.  People that send out dangerous E-mail must fix the problem.  Doing 
something that makes it easier for them to ignore the problem just makes 
the virus problem worse.

   -Scott


[Declude.Virus] New Virus option question

2004-03-23 Thread smb
Scott,

Would it be possible to add an option to the per user setting in Declude
virus to

A) allow the vulnerabilities test to be skipped per user while maintaining all 
   other defined virus scanning 
or 

B) to override the virus.cfg defined virus action for email failing 
   "vulnerabilities" test. 

like [EMAIL PROTECTED] BANCRVIRUSES OFF 

or   [EMAIL PROTECTED] BANCRVIRUSES NOACTION

In the past this was mostly a now and then issue. However lately this has
come up more often. Luck of the draw I guess.

Just asking

Stu
-
CSOnline Technical Support Normal hours - Monday thru Saturday 8am - 12pm 

CSOnline Technical Support Numbers 
Seneca814-677-2447   Clarion   814-227-3638   Cochranton   814-425-1696
Parker724-399-1158   GremLan   814-337-7060 
http://www.csonline.net  http://www.cshowcase.com  http://www.learncenter.com
http://www.gremlan.org  
-



RE: [Declude.Virus] How do we block the next Bagle?

2004-03-23 Thread Bill Naber

Thanks - I appreciate the insight into how I might use a JM Pro filter on the AV side
of life.

-Bill Naber

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, March 22, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] How do we block the next Bagle?

This didn't make it through the first time, so I am sending it along again without
the content that probably tripped the filters.

Matt

Original Message

Bill,

IPLINKED is of course a custom filter and not a standard feature of Declude.  That
filter would score points on this pattern, but it wouldn't be useful in blocking
these viruses on its own because it is scored low.

I haven't seen the headers for this message, but I assume there is a pattern
there.  The body displays the following code:

http://www.auscert.org.au/render.html?it=3957 (see the body code on this page)

You could pick 2 or three reliable elements and construct a combo filter using the
same technique that I did with the ZOMBIE filter.  In this case, you could choose
"DATA="http://[0-9]" for one filter (shorthanded), and "[0-9]:81/" for the other
filter, plus maybe something from the header code which I assume has some scripting
embedded within it, containing code elements that you could use reliably, and a
combination of all three in a combo filter would prevent you from FPing on
legitimate discussions of the virus.

Note that there is presently no reason to do this right now, so it's not worth it
to come up with a fully functional set of filters for this example.

Matt

Bill Naber wrote:

Sorry about the slip of the mouse that caused the prior reply with no new
message ...

My question regards the comment below: "it's easy to write a filter to block
something that is IP linked to port 81".  Is this referring to the IPLINKED
feature in JM?  If so, could you provide a brief example of how to use it in
this manner?  I've looked through the JM archives and haven't found anything
that is clear (to me) on how to use the filtering in this manner.

Thanks,
-Bill Naber

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matt
Sent: Friday, March 19, 2004 4:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] How do we block the next Bagle?


Heuristics!

This was a novel, but lame attempt at exploiting a download
vulnerability.  This would have been 1,000 times worse if the virus
dynamically provided a list of IP's from known infected computers.  This
can be done, and eventually it will be done.  The kid writing Bagle has
shown that he has some talent for coming up with new tricks, and so far
he has come up with the best human engineering attempt, and new exploits
for password protected files and hiding the payload outside of the
E-mail.  It's clear to me that a person that knows this stuff has some
experience with E-mail systems and he almost definitely works for spammers.

If he was to mix some human engineering with remotely hosted code, the
result could be disastrous.  This attempt was lame because the exploit
was old, long-past patched, easily detectable, and it relied on hard
coded IP's.

Pete from Sniffer has been coding up new rules for this stuff (not all
of his clients use Declude Virus), and if you have JunkMail Pro, it's
easy to write a filter to block something that is IP linked to port 81.
In the future, there will likely be little difference between what is
necessary to block spam and viruses, and I could see when it might make
sense to merge functionality between Declude Virus and Declude JunkMail
to achieve a higher level of heuristics.  Full MIME parsing in JunkMail
may very well give us many useful capabilities.  For now, I don't see
the need as being urgent, but I've thought that such a thing as you
described was possible for some time, and I've been wondering why it
didn't happen.  Maybe the AV scanner companies will come out with
command line functionality that includes content heuristics some time in
the future.

FYI, I've found Declude JunkMail on my system tends to catch most all of
the undetected variants that slip through in normal ZIP files early on.

Matt



Greg Little wrote:

  
How will we block a virus like Bagle.Q that does not use an "auto run"
vulnerability?
There's still no attachment to hand off to the mail server's virus
scanner(s).
If the body was VERY standard, it could be pattern matched by Declude.
Add a little random action to the body (and the port used) and here we
go again.

The latest batch of Bagle's (Q,R,S,T) can be blocked because, while
not a virus, it breaks the rules.
(Auto run using a hole in MS outlook)

The next version may be the same, except the user has to run it by hand.
Just a 1 K e-mail with a link to a recently compromised PC.

When will it end?? (or at least slow down)

PS Sco
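
Matt's combo-filter idea (several single indicators scored low, a heavy combo score only when they all co-occur, so that a mail that merely discusses the virus is not held) written out as an added Python example. This is not Declude JunkMail filter syntax and not code from the thread; it is a stand-alone illustration of the same scoring logic. The two regexes `DATA="http://[0-9]` and `[0-9]:81/` come from Matt's message; the OBJECT-tag indicator stands in for the "header code" element he leaves unspecified, and the sample bodies, weights and hold threshold are constructed assumptions.

```python
import re

# Constructed sample bodies (not from the thread). The first mimics the
# pattern Matt describes: an OBJECT tag whose DATA attribute points at an
# IP-literal URL on port 81. 192.0.2.0/24 is a documentation range.
BAGLE_LIKE = """<html><body>
<object data="http://192.0.2.10:81/ee?q1" type="text/html"></object>
</body></html>"""

# A legitimate discussion of the virus: it mentions port 81 and an IP URL
# but contains no OBJECT tag and no DATA= attribute.
DISCUSSION = """Heads up: Bagle.Q pulls its payload from an IP on port 81,
something like http://192.0.2.10:81/x, using the OBJECT tag's DATA attribute.
Nothing is attached, so the AV scanner never sees a file."""

CLEAN = "Meeting moved to 3pm, same room."

# Single indicators, each scored low on purpose (Matt's point: none of
# them is reliable enough on its own). OBJ_TAG is an assumption standing
# in for the "header code" element he does not spell out.
INDICATORS = {
    "DATA_IPURL": (re.compile(r'DATA\s*=\s*"?https?://[0-9]', re.I), 3),
    "PORT81":     (re.compile(r"[0-9]:81/"), 2),
    "OBJ_TAG":    (re.compile(r"<\s*object\b", re.I), 2),
}
COMBO_WEIGHT = 15    # awarded only when every single indicator fires
HOLD_THRESHOLD = 10  # assumption: below this the mail is delivered


def score_body(body):
    """Return (score, names of indicators that matched, COMBO included)."""
    hits = [name for name, (rx, _w) in INDICATORS.items() if rx.search(body)]
    score = sum(INDICATORS[name][1] for name in hits)
    if len(hits) == len(INDICATORS):
        # All single indicators co-occur: that is the combo filter.
        score += COMBO_WEIGHT
        hits.append("COMBO")
    return score, hits


def verdict(body):
    """'HOLD' when the combined score reaches the threshold, else 'DELIVER'."""
    score, hits = score_body(body)
    return ("HOLD" if score >= HOLD_THRESHOLD else "DELIVER", score, hits)


if __name__ == "__main__":
    for label, body in (("bagle-like", BAGLE_LIKE),
                        ("discussion", DISCUSSION),
                        ("clean", CLEAN)):
        print(label, verdict(body))
```

The discussion sample scores 2 (port 81 only) and is delivered; the bagle-like body trips all three indicators and the combo, scoring 22. The caveat Matt's approach does not remove: a message that quotes the exploit markup verbatim (an advisory with the OBJECT tag pasted in) matches all three and is held like the virus itself, so the combo only protects discussions that describe the pattern rather than reproduce it.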

Re: [Declude.Virus] testing encrypted zips

2004-03-23 Thread R. Scott Perry

> Could you add a few more options to the test virus files? As someone pointed
> out we would probably not block "normal" files within a ZIP but block
> exe/etc files within a normal zip and all zips with encrypted files. I could
> not find this option in the test virus menu yet.

The problem is that we only want to list files on that page that need to be 
blocked.  The problem is that a standard .exe file or .exe within a .ZIP 
file doesn't need to be blocked in order to block viruses.  Blocking them 
will help prevent future viruses from getting through before virus 
definitions are updated, but won't be necessary once the virus definitions 
are in place.

   -Scott


Re: [Declude.Virus] Is this dangerous ?

2004-03-23 Thread R. Scott Perry

> This is the type that asks you to click and download
> Dangerous ?
> How can it be blocked ?
>
> To the internet store at: http://219.147.192.165/ee?kAgZ

That URL doesn't work right now, so I can't say what it is or whether it is 
dangerous -- but it should be treated like *any* web site that you go to 
where you do not have trust in the people who run it.

Note that while the URL looks weird (because of the IP rather than a 
domain, and the "ee?kAgZ"), there is nothing about the URL that makes it 
any more dangerous than http://www.example.com/index.html .  So the only 
way to block it is to decide that URLs with that IP should be blocked and 
filter them.

   -Scott
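
Scott's point is that the IP-literal URL is not more dangerous in itself; blocking it is an operator decision to filter that address. The added Python example below (not Declude code, not from the thread) shows what that decision looks like when applied to the message serge forwarded later in this thread: parse the MIME structure, pull the links out of every text part, report which hosts are bare IP addresses, and block only when one of them falls inside a network the operator has chosen to filter. The sample is the spam's own headers and both MIME parts, trimmed; the archive redacted the addresses, so example.invalid placeholders stand in for them, and the blocklist CIDR is an assumption.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Sample message: headers and both MIME parts of the spam posted in the
# thread, trimmed to what the parser needs. Addresses are placeholders.
SAMPLE = b"""\
From: Security Fix <securityfix@example.invalid>
To: user@example.invalid
Subject: Control Your PC
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_245_F5DD_6071F5DD.6071F5DD"

This is a multi-part message in MIME format.

--=_NextPart_245_F5DD_6071F5DD.6071F5DD
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

To the internet store at: http://219.147.192.165/ee?kAgZ

--=_NextPart_245_F5DD_6071F5DD.6071F5DD
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

<html><body>
<a href="http://219.147.192.165/ee?xdQay"><img src="http://219.147.192.165/images/0/oubdwl.gif" border=0></a>
Image not showing? See message <a href="http://219.147.192.165/ee?zMHuQms">here</a>.
<a href="http://219.147.192.165/o/?IGVh">Stop all announcements.</a>
</body></html>

--=_NextPart_245_F5DD_6071F5DD.6071F5DD--
"""

URL_RX = re.compile(r"""https?://[^\s"'<>]+""")


def extract_urls(raw):
    """Walk every text/* part of a MIME message and return the distinct URLs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.update(URL_RX.findall(part.get_content()))
    return sorted(urls)


def ip_literal_hosts(urls):
    """Hosts that are bare IP addresses rather than names."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        try:
            ipaddress.ip_address(host)
        except (TypeError, ValueError):
            continue  # a hostname, not an address
        hosts.add(host)
    return sorted(hosts)


def scan_message(raw, blocked_networks):
    """blocked_networks: CIDR strings the operator has decided to filter.
    An IP-literal host is reported, but by itself is not a reason to block."""
    urls = extract_urls(raw)
    literals = ip_literal_hosts(urls)
    nets = [ipaddress.ip_network(n) for n in blocked_networks]
    blocked_hosts = [h for h in literals
                     if any(ipaddress.ip_address(h) in net for net in nets)]
    return {
        "urls": urls,
        "ip_literal_hosts": literals,
        "blocked": bool(blocked_hosts),
        "blocked_hosts": blocked_hosts,
    }


if __name__ == "__main__":
    print(scan_message(SAMPLE, ["219.147.192.0/24"]))
    print(scan_message(SAMPLE, []))
```

All five links in the sample resolve to the same address, so one blocklist entry covers the whole campaign; with an empty blocklist the scan still reports the IP-literal host but delivers the mail, which is exactly the distinction Scott draws.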


[Declude.Virus] testing encrypted zips

2004-03-23 Thread Bonno Bloksma
Hi,

> > Was wondering if there is any way to test and make sure Declude is
> > catching this?
>
> There is now a test file at the Test Virus Sender at
> http://www.declude.com/tools that will test this vulnerability.
>
> -Scott

Just realised I need the latest interim to check for the EZIP but

Could you add a few more options to the test virus files? As someone pointed
out we would probably not block "normal" files within a ZIP but block
exe/etc files within a normal zip and all zips with encrypted files. I could
not find this option in the test virus menu yet.

Of course it's quite easy to create those files myself but this would
probably be another hint about the quality of Declude.

Groetjes,

Bonno Bloksma

---
[This E-mail scanned for viruses by Declude Virus using f-prot and Sophos]

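
Bonno's request above, and Scott's reply to it earlier on this page, both turn on the same three cases: a "normal" file inside a ZIP, an executable inside a plain ZIP, and a ZIP with encrypted entries. The added Python example below (not Declude's test files, not code from the thread) builds those three archives itself and then classifies them the way a gateway would, from the central directory alone: the encryption bit (general-purpose flag bit 0) says the scanner cannot look inside, an executable extension says the entry should be held until definitions catch up, and a plain nested ZIP is recursed into. The extension list is an assumption; the stdlib cannot write encrypted ZIPs, so the builder sets the flag bit by hand and leaves the payload in clear, which is all a header check ever sees.

```python
import io
import os
import struct
import zipfile
import zlib

# Assumption: a typical Windows ban list. Declude's own list is not on the page.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in the ZIP APPNOTE


def build_zip(entries):
    """Hand-build a STORED (method 0) archive so the test files can carry the
    encryption flag. entries: iterable of (name, data bytes, encrypted bool).
    For "encrypted" entries only the flag bit is set; the payload stays in clear."""
    body = io.BytesIO()
    central = []
    for name, data, encrypted in entries:
        nm = name.encode("ascii")
        flags = ENCRYPTED_FLAG if encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = body.tell()
        # Local file header: sig, version needed, flags, method, mod time,
        # mod date, crc32, compressed size, uncompressed size, name len, extra len
        body.write(struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0,
                               0, 0, crc, len(data), len(data), len(nm), 0))
        body.write(nm + data)
        # Central directory entry: same fields plus comment len, disk number,
        # internal/external attributes and the local header offset.
        central.append(struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20,
                                   flags, 0, 0, 0, crc, len(data), len(data),
                                   len(nm), 0, 0, 0, 0, 0, offset) + nm)
    cd_offset = body.tell()
    cd = b"".join(central)
    body.write(cd)
    # End of central directory record.
    body.write(struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(central),
                           len(central), len(cd), cd_offset, 0))
    return body.getvalue()


def classify_zip(blob, prefix=""):
    """Inspect an archive through its central directory, never extracting to
    disk. Returns a sorted list of (finding, path) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if info.flag_bits & ENCRYPTED_FLAG:
                # Nothing can look inside, so the archive has to be treated
                # as untrusted even though no signature will ever fire on it.
                findings.append(("ENCRYPTED", path))
            elif ext == ".zip":
                # Plain nested archive: recurse on its bytes.
                findings.extend(classify_zip(zf.read(info), path + "/"))
            if ext in EXEC_EXTS:
                findings.append(("EXECUTABLE", path))
    return sorted(findings)


def zip_verdict(blob):
    """Policy hook: hold anything with a finding, pass the rest."""
    return "HOLD" if classify_zip(blob) else "PASS"


# Constructed test archives covering the cases Bonno asked for.
PLAIN_ZIP = build_zip([("readme.txt", b"hello", False)])
EXE_ZIP = build_zip([("invoice.txt", b"see attached", False),
                     ("invoice.exe", b"MZ\x90\x00", False)])
ENCRYPTED_ZIP = build_zip([("photos.jpg", b"flag set, payload in clear", True)])
NESTED_ZIP = build_zip([("inner.zip", EXE_ZIP, False)])

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_ZIP), ("exe", EXE_ZIP),
                        ("encrypted", ENCRYPTED_ZIP), ("nested", NESTED_ZIP)):
        print(label, zip_verdict(blob), classify_zip(blob))
```

The plain archive passes, which is Scott's point that a normal file in a ZIP needs no blocking; the executable and the encrypted archive are held, and an encrypted inner ZIP is reported as encrypted rather than recursed into, since its directory is readable but its contents are not.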


[Declude.Virus] Is this dangerous ?

2004-03-23 Thread serge
This is the type that asks you to click and download
Dangerous ?
How can it be blocked ?





Received: from juengel.com [200.189.84.134] by mail.cefib.com
  (SMTPD32-8.05) id AA401500290; Tue, 23 Mar 2004 05:25:20 +
Message-ID: <[EMAIL PROTECTED]>
From: Security Fix <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Control Your PC
Date: Tue, 23 Mar 2004 01:28:28 -0500
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_245_F5DD_6071F5DD.6071F5DD"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-IMAIL-SPAM-VALFROM: (22020752)
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command . [2-39-13800]
X-RBL-Warning: IPNOTINMX:  [2-42-15000]
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail
detected. [2-43-15800]
X-RBL-Warning: Failed Foreign Filter
X-Declude-Sender: [EMAIL PROTECTED] [200.189.84.134]
X-Declude-Spoolname: Dca40015002909a77.SMD
Organization: CEFIB Internet (Incoming)
X-CEFIB-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
for spam.
X-CEFIB-Note: Declude version: 1.78i27
X-CEFIB-Note: Spam-Tests-Failed: CMDSPACE, IPNOTINMX, NOLEGITCONTENT,
FOREIGN, CATCHALLMAILS
X-CEFIB-Note: Spam-Tests-Failed: CMDSPACE [3], IPNOTINMX [0], NOLEGITCONTENT
[0], FOREIGN [0], CATCHALLMAILS [0]
X-CEFIB-Note: weight: 3
X-CEFIB-Note: This E-mail was sent from
cnet-cable-189-84-134.canbrasnet.com.br ([200.189.84.134]).
X-CEFIB-Note: Country Chain: BRAZIL->destination
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 376432172

This is a multi-part message in MIME format.

--=_NextPart_245_F5DD_6071F5DD.6071F5DD
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

To the internet store at: http://219.147.192.165/ee?kAgZ

gfvogyqfohiothkiablljnyeooqoxpddwascakjotrcnaoxbqjobymfodvdckifhizlkmvzf
dupsssidgjdsqrxluzxehgmiszupycddwsvqkftsowngokrkmrptxdbrcwicamgwgbnthilxhygx
lxhxqysqethirslrgtqmwfhfnvfwvltgkdfbbxrhtaqksbeawu
szwyordlpoexyjdbncsuvvkipnmqjidejbcxvhkkvrhvamxnprimmuuciistsxxbyzzvilhdcpbd
dysupajcxfgfoyygvykvzjriwynzpoevmwpczygwemdum
chbmedxvluwytnnzizxadwyluezzylddsgpzjnwwjsveiidqjaqpzrcvvcvwnabigqjsffooyjug
txyfapwziywdcrbsrccavlucqitounw
lxwlmsmwtizvcdnvhrxccrftcyjwninyfkltczpxkqtmtihdahfeymxamhyarmawwopaneyzwtl
dvvfcckcrjddqbfhpiflwuolaolzhyrmtmsxoeafnflgispyavlyrzmunxtwvklryfqmjq
yxhegzuecrpckpoeelzdjjochtswelscizhoaduewkhgbvnhjmksyywftodxzvakujavmvzkhiqk
efrnschq
fxwtbtvwvhrehoscpcjyvteanturckvhirclnzhkgapoqhqikcgfxmhkfcdjmzswsujfurqathqk
ojsala
kopxvraefbweuqnbmgtpcafmrogrbizmwolrhlvontuhlkkyqepseugvlopowoauellnzibod
xpihpyletsabpnsecqselysyltjphmngdvnsvbyqvbskqmpscjznirovkxktlxzpuojqpkimlaxd
omwrxvefosbyrnrdnsshgdzynikakh
zvcstzwanrdlktengwhpclraabnbnuhmsjelidnxwtigmowukdjoqcrtdewradfsom
yrtvpofxattufzfvrimknsggtjmnzatxrougcbfcwzybadzrnncbgijbuvovvhvovpuxrabpbzrd
fquufyxljhodcdyamtoklljenltommrrenmkmjxvq
avravdwlnjwxnjkizwvsqbgeluplriztdqtavpllyikntuwtstlkwtoingvgouztmtthkgslocai
yydtrodoiuyxcveqpfjbyeklkdybhyli
odqeigoegmgbsyqxjtynelajjbshmcgcfxgqfvumjbnbbgalzayflyqublepnmrvlylrtfdciqfk
wfvygvftwwqxhwnwigrueelzkqduikghsdf
zmtxijurfjqqqhkwmxyypbuxobegglghyzeilzcsksiczsznrzngaieolkwrwczucdepeghryqta
kunctbkwlokwzjnxlorpsxeyempeej

--=_NextPart_245_F5DD_6071F5DD.6071F5DD
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Message
loading
<a href="http://219.147.192.165/ee?xdQay"><img src="http://219.147.192.165/images/0/oubdwl.gif" border=0></a>
Image not showing? See
message <a href="http://219.147.192.165/ee?zMHuQms">here</a>.

<a href="http://219.147.192.165/o/?IGVh">Stop all announcements.</a>

5DcDO.iM03..NXe1s.KqboL.
owo ghnd, ublbq, dzky . byjj esy wlz, zqy, fdazf . cveiwq
drena ttjer, djv, jfap . cuuery notsg hikbdt, urkd, fpt . eajauo
sagi yqvizf, casxre, fltas . aczuqs sawqb njosus, mrn, uudnu . nwxoqp
ekhc itn, hhncdb, qtpm . diu eti jpa, zevj, kdhts . wufo
uamzig mzcikt, fuqce, mjyfb . dxqr nrzm hipi, xvfja, afgqr . ozuacs
uhd ispp, gzogu, pxvrcb . vuy pybjr quky, bpqko, qla . kvzm
hjtf kejtv, jrs, iwyygn . yaffkc ydljz rjxadu, mndwv, uwhj . hjkm
mttq drx, awx, sfsgio . jkbs ezf obd, wvnbmn, mlx . eekmp
ryk tgzs, qiptp, odrcqp . boihs thw ijgbpf, dxgu, vkgab . ssb
gldai iems, uvfb, kzyfp . pywsi kjlq qsfral, uzzpgb, qaixr . opb
asqlf ivbpp, buycup, vxa . gyqkmi tifl kuei, txau, awnqgk . hhvfai
ixmsdy psrxpl, rhq, gdi . oxt vyxfsh gzhen, yeyp, vhblbh . ltein
fnbkf pokysx, tewi, tryg . hwf boqfvd iltxz, xtb, mhvxfo . fuj
sqqv iacll, yehzi, vmd . tygaox iiv ynwf, zhimrj, aib . fnm
ikvjzs jammbz, gwkn, yen . gyrmd asplo mipvl, kmev, ahf . fluvt
nhxti itg, hox, zaole . fgsmnx htsb aybiq, dws, nsq . uhc
shhl uitbd, eno, pytbbs . nfnfvk xlf sqbpaw, gkx, acky . lbph
wwwsg prp, mfx, iuvoes . fuufsf jozgnv tgpnv, zdj, ldxbk . mrmgw
ofq fyp, ylkny, zzllb . oabys phwopk foafgf, rrtrzu, mft . wtp
odmxb mlxub, zhhda, yry . hmy zuwoq tejug, heplgr, nwt . umlmwa
yzg pxi, brhk, rqgcwx . jvpwp keako lxv, ufnxz, j