RE: [Declude.Virus] F-Prot and HTML object exploit
The sign*.def files have been updated to:

05/02/2005 11:46 PM

Which I'm pretty sure is UTC.

However, these still have the false-positive. As of this writing, I've received no reply to my ticket with F-Prot.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 2:03 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

F-Prot may have pulled the latest defs due to the number of complaints received, which could explain why the app reports that you have the latest version.

Bill

----- Original Message -----
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 1:54 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

> I also filled out the form at FProt's site. Thanks for the defs.
> When I open up FProt, though, it says that my defs are up-to-date,
> even though I replaced the newest ones with the ones that you sent. I
> hope that that message indicates whether we've downloaded the latest -
> not whether we are actually using the latest defs.
>
> Colbeck, Andrew wrote:
>
> >I don't think the engine version matters, just the pattern file.
> >
> >I've confirmed that the culprit is this, the most recent sign.def
> >from
> >
> >05/02/2005 01:32 PM
> >
> >And yes, I've sent in a support request via their web page; I'd like
> >to supply them with several samples.
> >
> >I've also played around with the switch settings and found that there
> >are no relevant switches that can be used as a workaround (i.e. "/ai"
> >"/noheur" and "/server" make no difference in the detection or not of
> >this false-positive).
> >
> >All of the messages detected either had Office 10 or Office 11
> >headers or were replies to messages created with Office 10 or Office
> >11.
> >
> >Andrew 8)
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> >Sent: Monday, May 02, 2005 1:10 PM
> >To: Declude.Virus@declude.com
> >Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
> >
> >Question: Are you all running the latest v3.16b?
> >
> >I can't see any appearance of "HTML/ObjData" in the entire current
> >logfile, but I'm still running 3.16a
> >
> >Markus
> >
> >>-----Original Message-----
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED] On Behalf Of John
> >>Tolmachoff (Lists)
> >>Sent: Monday, May 02, 2005 7:47 PM
> >>To: Declude.Virus@declude.com
> >>Subject: [Declude.Virus] F-Prot and HTML object exploit
> >>
> >>It appears that something has updated on F-Prot in the last hour.
> >>Now, a lot of outbound HTML e-mails are being flagged by F-Prot as
> >>having the HTML object exploit. Running the file on
> >>www.virustotal.com shows clean.
> >>
> >>Any one else seeing problems?
> >>
> >>For now, as I am at a client, I have turned off F-Prot scanning
> >>relying on AVG.
> >>
> >>John T
> >>eServices For You

---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.Virus] Is this sort of stuff necessary on a list?
Or even allowed on a list

What many lists I belong to help avoid this is disallow any reposting of the footers. That way an automated process like this would never get through. It requires the users posting, us, to cut off the footers manually but that keeps the lists mean and lean.

Initially I hated it but they are right. They do not allow HTML and they allow no footers and it works well.

Jpsoft.com is one such list

DFC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Monday, May 02, 2005 2:59 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Is this sort of stuff necessary on a list?

Hahaha.. Yeah, I agree.

----- Original Message -----
From: "Chuck Schick" <[EMAIL PROTECTED]>
To: "Declude. Virus"
Sent: Monday, May 02, 2005 2:49 PM
Subject: [Declude.Virus] Is this sort of stuff necessary on a list?

I posted to list about a virus problem then I get this stupid (IMHO) challenge-response stuff. If everyone did this on all the lists I belong to - I would do a posting and then spend the next 3 days answering all the challenge-responses. I think I will report this as spam.

Dear Greg Hedgepath - get a clue.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

Dear Chuck,

Thanks for your email, but at this point I have NOT actually received your message because I have implemented a challenge-response based anti-spam solution. Before I can receive your message you must respond in ONE of the ways outlined below.

--- CLICK ON THE URL ---

Visit the following URL and follow the simple instructions. When you do this I will receive the message you sent and ALL future messages.

http://spambot.ahphosting.net/?key=6811e93e.42766ac2.5a637c50

If the above URL does not appear all on one line, copy and paste it into your browser's address bar.

PLEASE NOTE: If you receive an error message when attempting to visit the above URL, it is very likely that your network is not allowing you to visit my confirmation page. If this is the case, contact your network administrator for help, or contact me by telephone. You will not have to do this again.

--- REPLY TO THIS MESSAGE ---

Simply reply to this email message ensuring the subject of your reply contains the subject of this message. When your reply arrives I will receive your ORIGINAL message and all FUTURE messages.

Or as an alternate method follow these instructions:

If you do not respond within 7 days, your message will be DELETED and I will not be able to receive messages from you in the future.

I apologize for this small one-time inconvenience, but I have been forced to implement this challenge-response based anti-spam solution to eliminate 100% of the spam I receive, and it really works!

To learn more about the software I am using to stop spam, please visit http://www.Zaep.com/. Zaep has stopped 100% of all the spam messages I was receiving every day.

Thank you,
Greg Hedgepath

---
This email has been scanned for possible viruses by Declude Antivirus. For more information on Declude Antivirus, Visit www.declude.com

---
[This E-mail scanned for viruses by Declude Virus]
Re: [Declude.Virus] F-Prot Alternative
> We have been running F-prot as the virus scanner with Declude for
> over a year but lately it seems to have more and more bugs in it.
> What do others recommend as low-cost scanners to work with declude?

I've been finding BitDefender to have a very reliable auto-updater, which is obviously not the case with F-Prot, and its catch rate is slightly better. Using Bill Landry's virus.cfg hints, I recently switched all of our managed boxes to at least BitDefender (BitDefender + F-Prot if running Pro).

However, BDC.EXE is very CPU-hungry -- I won't deny it. I have the luxury of multiproc boxes, lots of links in the SMTP chain, etc. If you're running everything on a single box, or have endangered resources, be careful.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
RE: [Declude.Virus] Viruses appearing to be getting through...
I also started catching them at 16:21 Eastern Time

Scanner 1 is FPROT

05/02/2005 16:21:48 Q8BBB4614012AF05F Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=account_info.zip [2] O
05/02/2005 16:21:49 Q8BBB4614012AF05F Scanner 2: Virus= the W32/[EMAIL PROTECTED] Attachment=account_info.zip [2] O

I have the same defs as Bonno

> SIGN.DEF 2-may-2005, 13:32
> SIGN2.DEF 2-may-2005, 16:46
> Using f-prot 3.16b

Goran Jovanovic
The LAN Shoppe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Chuck Schick
> Sent: Monday, May 02, 2005 3:36 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
>
> F-Prot Seems to be catching it now as
>
> X-Declude-Virus: Detected W32/[EMAIL PROTECTED]
>
> Chuck Schick
> Warp 8, Inc.
> (303)-421-5140
> www.warp8.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
> (Lists)
> Sent: Monday, May 02, 2005 12:55 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
>
> Mine has the 01:32 PM time stamp and the last update time was at 10:00 AM
> which is after when I saw the problem, so I would have to say the 01:32
> time stamp is the problem one.
>
> John T
> eServices For You
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > On Behalf Of Colbeck, Andrew
> > Sent: Monday, May 02, 2005 11:38 AM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Viruses appearing to be getting
> > through...
> >
> > F-Prot may have already fixed their pattern file. My current sign.def
> > is timestamped:
> >
> > 05/02/2005 03:53 AM
> >
> > and checking their website and downloading the current version
> > manually shows that the current version is:
> >
> > 05/02/2005 01:32 PM
> >
> > Can anybody with the issue confirm which pattern file they are using
> > that has the problem?
> >
> > Andrew 8)
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> > Sent: Monday, May 02, 2005 11:20 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Viruses appearing to be getting
> > through...
> >
> > Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV
> > (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot
> > (although I have F-Prot updates disabled for now, until they get their
> > problem with HTML/[EMAIL PROTECTED] fixed).
> >
> > Bill
> >
> > ----- Original Message -----
> > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> > To:
> > Sent: Monday, May 02, 2005 11:11 AM
> > Subject: RE: [Declude.Virus] Viruses appearing to be getting
> > through...
> >
> > >I saw a big bunch about 2 hours ago that were stopped by banned zip
> > >extensions.
> > >
> > > John T
> > > eServices For You
> > >
> > >> -----Original Message-----
> > >> From: [EMAIL PROTECTED]
> > >> [mailto:[EMAIL PROTECTED]
> > >> On Behalf Of Chuck Schick
> > >> Sent: Monday, May 02, 2005 10:58 AM
> > >> To: Declude. Virus
> > >> Subject: [Declude.Virus] Viruses appearing to be getting through...
> > >>
> > >> I am seeing several files getting through that appear to have
> > >> viruses attached as zip files. I am running Declude with F-Prot.
> > >> We ban encrypted zips and I have error code 8 included. Anyone
> > >> else seeing this behavior? Here is part of the log.
> > >>
> > >> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
> > >> 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
> > >>
> > >> Chuck Schick
> > >> Warp 8, Inc.
> > >> (303)-421-5140
> > >> www.warp8.com
Re: [Declude.Virus] F-Prot Alternative
I've found several bugs in the win32 implementations of ClamAV (some really ugly stuff), but none that really affect the scanning of viruses.

Since that post was made, I think it's safe to say that ClamAV has made a bit of headway on performance. I'd be interested in seeing a head to head comparison again, but my light testing now showed it to scan a 0.10MB file in about 0.52 seconds.

I do like the fact that it has a nice, clean, fast updater as well .. no goofy stuff to work around, and no need to hack out a script.

Jonathan

Matt wrote:

Chuck,

Search the archives for "scanner efficiency olympics". It's a year old now, and I was primarily focused on performance instead of accuracy.

F-Prot is the king of speed, however it seems to have several hiccups each year, and there seems to be a slew of different things happening lately. I think it is good to pair F-Prot with another scanner, but that requires Declude Virus Pro. If I was going to choose one scanner and had plenty of spare CPU, I would probably choose McAfee based on accuracy and speed combined, but as Nick indicated, it is hard to purchase unless you want a full network installation.

Matt

Colbeck, Andrew wrote:

Matt posted the authoritative roundup in a head to head comparison when he revamped his Declude Virus setup. Unless he chimes in here with an updated answer, the answer is somewhere in the archives.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 2:03 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot Alternative

We have been running F-prot as the virus scanner with Declude for over a year but lately it seems to have more and more bugs in it. What do others recommend as low-cost scanners to work with declude?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
RE: [Declude.Virus] Viruses appearing to be getting through...
I don't have any samples of the latest Sober, but *if* you're using the penultimate pattern file for F-Prot and have your auto-update disabled, then according to the writeups, either of these two techniques in your virus.cfg will keep this specific virus out of your users' mailboxes:

BANEXT PIF
BANZIPEXTS ON

or

BANNAME account_info.zip
BANNAME autoemail-text.zip
BANNAME LOL.zip
BANNAME Fifa_Info-Text.zip
BANNAME mail_info.zip
BANNAME okTicket-info.zip
BANNAME our_secret.zip
BANNAME _PassWort-Info.zip

Andrew 8)

p.s. Now, back to the day job, already!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, May 02, 2005 2:20 PM
To: Declude.Virus@declude.com
Subject: Fw: [Declude.Virus] Viruses appearing to be getting through...

Hi,

Oops, correct that. F-prot is catching it as Sober.O, Sophos is still not catching it. :-(
Sure glad I'm using two scanners. ;-)

> As of now I'm still getting hit by a virus with attachments like our _
> secret . zip which Sophos catches as Sober.O.
>
> F-prot is still not catching them and there is as of yet no update.
> Just did a manual update and no new version. I'm at:
> SIGN.DEF 2-may-2005, 13:32 CET
> SIGN2.DEF 2-may-2005, 16:46 CET
> Using f-prot 3.16b

Groetjes,
Bonno Bloksma

> ----- Original Message -----
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, May 02, 2005 8:37 PM
> Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
>
> F-Prot may have already fixed their pattern file. My current sign.def
> is timestamped:
>
> 05/02/2005 03:53 AM
>
> and checking their website and downloading the current version
> manually shows that the current version is:
>
> 05/02/2005 01:32 PM
>
> Can anybody with the issue confirm which pattern file they are using
> that has the problem?
>
> Andrew 8)
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Monday, May 02, 2005 11:20 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Viruses appearing to be getting
> through...
>
> Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV
> (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot
> (although I have F-Prot updates disabled for now, until they get their
> problem with HTML/[EMAIL PROTECTED] fixed).
>
> Bill
>
> ----- Original Message -----
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, May 02, 2005 11:11 AM
> Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
>
>>I saw a big bunch about 2 hours ago that were stopped by banned zip
>>extensions.
>>
>> John T
>> eServices For You
>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED]
>>> On Behalf Of Chuck Schick
>>> Sent: Monday, May 02, 2005 10:58 AM
>>> To: Declude. Virus
>>> Subject: [Declude.Virus] Viruses appearing to be getting through...
>>>
>>> I am seeing several files getting through that appear to have
>>> viruses attached as zip files. I am running Declude with F-Prot.
>>> We ban encrypted zips and I have error code 8 included. Anyone
>>> else seeing this behavior? Here is part of the log.
>>>
>>> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
>>> 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
>>>
>>> Chuck Schick
>>> Warp 8, Inc.
>>> (303)-421-5140
>>> www.warp8.com

---
[E-mail scanned at tio.nl for viruses by Declude Virus]
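Added example (not code from the thread or from Declude): a retro-hunt over a Declude Virus log for messages that were passed as "Virus Free" during the signature gap while carrying a zip attachment, split into exact hits on the BANNAME list from the message above and other zips for manual review. The log layout follows the lines quoted in this thread; the sample log is constructed, the case-insensitive exact name match is this script's choice and not a statement of how Declude matches BANNAME, and `parse_log` and `retro_hunt` are hypothetical names.

```python
import re
from collections import defaultdict

# Attachment names from the BANNAME list in the message above, lower-cased.
BANNED_NAMES = {
    "account_info.zip", "autoemail-text.zip", "lol.zip",
    "fifa_info-text.zip", "mail_info.zip", "okticket-info.zip",
    "our_secret.zip", "_passwort-info.zip",
}

# Constructed sample. The first two lines are the ones quoted in the thread;
# the rest are made up in the same layout (virus name is a placeholder).
SAMPLE_LOG = """\
05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
05/02/2005 10:40:02 Q11aa001 MIME file: report.doc [base64; Length=20480 Checksum=1234567]
05/02/2005 10:40:03 Q11aa001 Scanned: Virus Free [MIME: 2 20731]
05/02/2005 10:41:10 Q22bb002 MIME file: our_secret.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:41:11 Q22bb002 Scanned: Virus Free [MIME: 2 53979]
05/02/2005 16:21:48 Q33cc003 MIME file: account_info.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 16:21:49 Q33cc003 Scanner 1: Virus= W32/PLACEHOLDER Attachment=account_info.zip [2] O
"""

LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (Q\w+) (.*)$")
MIME_RE = re.compile(r"^MIME file: (.+?) \[")
VIRUS_RE = re.compile(r"^Scanner \d+: Virus=")


def parse_log(text):
    """Group log lines by queue ID and record attachments and verdicts."""
    msgs = defaultdict(lambda: {"files": [], "clean": False, "detected": False})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a timestamped queue line
        qid, rest = m.groups()
        rec = msgs[qid]
        fm = MIME_RE.match(rest)
        if fm:
            rec["files"].append(fm.group(1))
        elif rest.startswith("Scanned: Virus Free"):
            rec["clean"] = True
        elif VIRUS_RE.match(rest):
            rec["detected"] = True
    return dict(msgs)


def retro_hunt(text, banned=BANNED_NAMES):
    """Return (queue_id, attachment, reason) for messages passed as clean.

    reason is "banned-name" for an exact hit on the ban list and
    "zip-review" for any other zip attachment that no scanner flagged.
    """
    hits = []
    for qid, rec in parse_log(text).items():
        if not rec["clean"] or rec["detected"]:
            continue
        for name in rec["files"]:
            low = name.lower()
            if low in banned:
                hits.append((qid, name, "banned-name"))
            elif low.endswith(".zip"):
                hits.append((qid, name, "zip-review"))
    return hits


if __name__ == "__main__":
    for qid, name, reason in retro_hunt(SAMPLE_LOG):
        print(f"{qid}  {name}  {reason}")
```

The attachment in the log excerpt quoted in the thread, account_info-text.zip, is not an exact match for any name on the BANNAME list, which is why the script keeps a separate zip-review tier.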
Re: [Declude.Virus] F-Prot Alternative
Chuck,

Search the archives for "scanner efficiency olympics". It's a year old now, and I was primarily focused on performance instead of accuracy.

F-Prot is the king of speed, however it seems to have several hiccups each year, and there seems to be a slew of different things happening lately. I think it is good to pair F-Prot with another scanner, but that requires Declude Virus Pro. If I was going to choose one scanner and had plenty of spare CPU, I would probably choose McAfee based on accuracy and speed combined, but as Nick indicated, it is hard to purchase unless you want a full network installation.

Matt

Colbeck, Andrew wrote:

Matt posted the authoritative roundup in a head to head comparison when he revamped his Declude Virus setup. Unless he chimes in here with an updated answer, the answer is somewhere in the archives.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 2:03 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot Alternative

We have been running F-prot as the virus scanner with Declude for over a year but lately it seems to have more and more bugs in it. What do others recommend as low-cost scanners to work with declude?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
[Declude.Virus] AVERT Medium Threat Advisory for Home Users Only: W32/Sober.p@MM
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 04:36 PM
Subject: AVERT Medium Threat Advisory for Home Users Only: W32/Sober.p@MM

Advisory

This is a Medium Threat Advisory for W32/Sober.p@MM for Home Users Only.

Justification

W32/Sober.p@MM has been deemed Medium due to prevalence.

Read About It

Information about W32/Sober.p@MM is located on VIL at: http://vil.mcafeesecurity.com/vil/content/v_133409.htm

Detection

W32/Sober.p@MM was first discovered on 05/02/2005 and has been proactively detected since at least DAT version 4443. Specific detection and improved repair will be added to the 4482 dat files (Release Date: 05/02/2005).

EXTRA.DATs are not necessary to be protected from this threat.

If you suspect you have W32/Sober.p@MM, please submit a sample to http://www.webimmune.net.

Risk Assessment Definition

For further information on the Risk Assessment and AVERT Recommended Actions please see: http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm
Fw: [Declude.Virus] Viruses appearing to be getting through...
Hi,

Oops, correct that. F-prot is catching it as Sober.O, Sophos is still not catching it. :-(
Sure glad I'm using two scanners. ;-)

As of now I'm still getting hit by a virus with attachments like our _ secret . zip which Sophos catches as Sober.O.

F-prot is still not catching them and there is as of yet no update. Just did a manual update and no new version. I'm at:
SIGN.DEF 2-may-2005, 13:32 CET
SIGN2.DEF 2-may-2005, 16:46 CET
Using f-prot 3.16b

Groetjes,
Bonno Bloksma

----- Original Message -----
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 8:37 PM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

F-Prot may have already fixed their pattern file. My current sign.def is timestamped:

05/02/2005 03:53 AM

and checking their website and downloading the current version manually shows that the current version is:

05/02/2005 01:32 PM

Can anybody with the issue confirm which pattern file they are using that has the problem?

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 11:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Viruses appearing to be getting through...

Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although I have F-Prot updates disabled for now, until they get their problem with HTML/[EMAIL PROTECTED] fixed).

Bill

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

I saw a big bunch about 2 hours ago that were stopped by banned zip extensions.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 10:58 AM
To: Declude. Virus
Subject: [Declude.Virus] Viruses appearing to be getting through...

I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.

05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.Virus] Viruses appearing to be getting through...
Hi,

As of now I'm still getting hit by a virus with attachments like our _ secret . zip which Sophos catches as Sober.O.

F-prot is still not catching them and there is as of yet no update. Just did a manual update and no new version. I'm at:
SIGN.DEF 2-may-2005, 13:32 CET
SIGN2.DEF 2-may-2005, 16:46 CET
Using f-prot 3.16b

Groetjes,
Bonno Bloksma

----- Original Message -----
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 8:37 PM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

F-Prot may have already fixed their pattern file. My current sign.def is timestamped:

05/02/2005 03:53 AM

and checking their website and downloading the current version manually shows that the current version is:

05/02/2005 01:32 PM

Can anybody with the issue confirm which pattern file they are using that has the problem?

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 11:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Viruses appearing to be getting through...

Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although I have F-Prot updates disabled for now, until they get their problem with HTML/[EMAIL PROTECTED] fixed).

Bill

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

I saw a big bunch about 2 hours ago that were stopped by banned zip extensions.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 10:58 AM
To: Declude. Virus
Subject: [Declude.Virus] Viruses appearing to be getting through...

I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.

05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
RE: [Declude.Virus] F-Prot Alternative
Matt posted the authoritative roundup in a head to head comparison when he revamped his Declude Virus setup. Unless he chimes in here with an updated answer, the answer is somewhere in the archives.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 2:03 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot Alternative

We have been running F-prot as the virus scanner with Declude for over a year but lately it seems to have more and more bugs in it. What do others recommend as low-cost scanners to work with declude?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.Virus] F-Prot Alternative
On 2 May 2005 at 15:02, Chuck Schick wrote:

> We have been running F-prot as the virus scanner with Declude for over a year but lately it seems to have more and more bugs in it. What do others recommend as low-cost scanners to work with declude?

Hi Chuck -

Well Mcafee is hard to beat for their command line scanner [scan.exe] @ $11 but the real trick is finding a source to purchase it from. I got mine through my day job via government purchasing.

-Nick

> Chuck Schick
> Warp 8, Inc.
> (303)-421-5140
> www.warp8.com
Re: [Declude.Virus] F-Prot and HTML object exploit
F-Prot may have pulled the latest defs due to the number of complaints received, which could explain why the app reports that you have the latest version.

Bill

----- Original Message -----
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 1:54 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

> I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs.
>
> Colbeck, Andrew wrote:
>
> >I don't think the engine version matters, just the pattern file.
> >
> >I've confirmed that the culprit is this, the most recent sign.def from
> >
> >05/02/2005 01:32 PM
> >
> >And yes, I've sent in a support request via their web page; I'd like to supply them with several samples.
> >
> >I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. "/ai" "/noheur" and "/server" make no difference in the detection or not of this false-positive).
> >
> >All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11.
> >
> >Andrew 8)
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> >Sent: Monday, May 02, 2005 1:10 PM
> >To: Declude.Virus@declude.com
> >Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
> >
> >Question: Are you all running the latest v3.16b?
> >
> >I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a
> >
> >Markus
> >
> >>-----Original Message-----
> >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> >>Sent: Monday, May 02, 2005 7:47 PM
> >>To: Declude.Virus@declude.com
> >>Subject: [Declude.Virus] F-Prot and HTML object exploit
> >>
> >>It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.
> >>
> >>Anyone else seeing problems?
> >>
> >>For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.
> >>
> >>John T
> >>eServices For You
>
> ---
> [This E-mail was scanned for viruses.]
[Declude.Virus] F-Prot Alternative
We have been running F-prot as the virus scanner with Declude for over a year but lately it seems to have more and more bugs in it. What do others recommend as low-cost scanners to work with declude?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
RE: [Declude.Virus] F-Prot and HTML object exploit
Well, what matters is that you have the correct (older) *.def files, not whether the GUI says you're up to date. As far as it knows, you are.

Remember to temporarily disable your updater, or correct (older) *.def files will just get overwritten again when the auto-updater kicks in.

Andrew 8)

p.s. Once I received the automated confirmation message from F-Prot, I replied to it with the full information we've discussed here, and supplied 10 sample false-positives.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Monday, May 02, 2005 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs.

Colbeck, Andrew wrote:

>I don't think the engine version matters, just the pattern file.
>
>I've confirmed that the culprit is this, the most recent sign.def from
>
>05/02/2005 01:32 PM
>
>And yes, I've sent in a support request via their web page; I'd like to supply them with several samples.
>
>I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. "/ai" "/noheur" and "/server" make no difference in the detection or not of this false-positive).
>
>All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11.
>
>Andrew 8)
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
>Sent: Monday, May 02, 2005 1:10 PM
>To: Declude.Virus@declude.com
>Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
>
>Question: Are you all running the latest v3.16b?
>
>I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a
>
>Markus
>
>>-----Original Message-----
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
>>Sent: Monday, May 02, 2005 7:47 PM
>>To: Declude.Virus@declude.com
>>Subject: [Declude.Virus] F-Prot and HTML object exploit
>>
>>It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.
>>
>>Anyone else seeing problems?
>>
>>For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.
>>
>>John T
>>eServices For You
RE: [Declude.Virus] Viruses appearing to be getting through...
> F-Prot Seems to be catching it now as
>
> X-Declude-Virus: Detected W32/[EMAIL PROTECTED]

My F-Prot has been catching it for over 3 hours now as Sober.O

Previously only the second scanner, Mcafee, caught it as Sober.gen for around an hour while F-prot did not detect it. In this hour there were several attempts to deliver this virus.

From around 2 hours ago Mcafee is catching it as Sober.p

Markus
Re: [Declude.Virus] F-Prot and HTML object exploit
I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs.

Colbeck, Andrew wrote:

I don't think the engine version matters, just the pattern file.

I've confirmed that the culprit is this, the most recent sign.def from

05/02/2005 01:32 PM

And yes, I've sent in a support request via their web page; I'd like to supply them with several samples.

I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. "/ai" "/noheur" and "/server" make no difference in the detection or not of this false-positive).

All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Monday, May 02, 2005 1:10 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot and HTML object exploit

Question: Are you all running the latest v3.16b?

I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 02, 2005 7:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot and HTML object exploit

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Anyone else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You
Re: [Declude.Virus] F-Prot and HTML object exploit
I e-mailed you the latest, non-affected defs, offline. I run 3.16b and it has the same problem (since it's a detection issue with the virus definition, not the application), but I would still upgrade to the latest version.

Bill

----- Original Message -----
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 1:36 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

> I've been running 3.15b - I'm downloading the latest version now. Should I install? Or will this have no effect on this particular issue?
>
> And what about the previous defs - anyone out there want to email me a previous def file as a work around??
>
> Thanks
>
> Kevin
>
> Markus Gufler wrote:
>
> >Question: Are you all running the latest v3.16b?
> >
> >I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a
> >
> >Markus
> >
> >>-----Original Message-----
> >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> >>Sent: Monday, May 02, 2005 7:47 PM
> >>To: Declude.Virus@declude.com
> >>Subject: [Declude.Virus] F-Prot and HTML object exploit
> >>
> >>It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.
> >>
> >>Anyone else seeing problems?
> >>
> >>For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.
> >>
> >>John T
> >>eServices For You
RE: [Declude.Virus] F-Prot and HTML object exploit
I don't think the engine version matters, just the pattern file.

I've confirmed that the culprit is this, the most recent sign.def from

05/02/2005 01:32 PM

And yes, I've sent in a support request via their web page; I'd like to supply them with several samples.

I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. "/ai" "/noheur" and "/server" make no difference in the detection or not of this false-positive).

All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Monday, May 02, 2005 1:10 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-Prot and HTML object exploit

Question: Are you all running the latest v3.16b?

I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Monday, May 02, 2005 7:47 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] F-Prot and HTML object exploit
>
> It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.
>
> Anyone else seeing problems?
>
> For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.
>
> John T
> eServices For You
Re: [Declude.Virus] F-Prot and HTML object exploit
I've been running 3.15b - I'm downloading the latest version now. Should I install? Or will this have no effect on this particular issue?

And what about the previous defs - anyone out there want to email me a previous def file as a work around??

Thanks

Kevin

Markus Gufler wrote:

Question: Are you all running the latest v3.16b?

I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 02, 2005 7:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot and HTML object exploit

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Anyone else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You
Re: [Declude.Virus] F-Prot and HTML object exploit
I have not updated to 3.16b and have this problem...

Don

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 3:09 PM
Subject: RE: [Declude.Virus] F-Prot and HTML object exploit

Question: Are you all running the latest v3.16b?

I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 02, 2005 7:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot and HTML object exploit

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Anyone else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You

---
[This E-mail scanned for viruses by Declude Virus]
Re: [Declude.Virus] F-Prot and HTML object exploit
Markus,

3.16b here, but only 3 hits so far for this on a busy server, so it's not necessarily common. I was able to capture one of these and it appears to be hitting at least E-mails generated in "Microsoft Word 11".

"file:///C:\Program%20Files\Common%20Files\Microsoft%20Shared\Stationery\">

I have no clue what the pattern is that it is hitting of course, but I assume that F-Prot just simply added an overbroad rule. Most E-mail isn't constructed anything like what Microsoft Word creates.

Matt

Markus Gufler wrote:

Question: Are you all running the latest v3.16b?

I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 02, 2005 7:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot and HTML object exploit

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Anyone else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
RE: [Declude.Virus] F-Prot and HTML object exploit
Question: Are you all running the latest v3.16b?

I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I'm still running 3.16a

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Monday, May 02, 2005 7:47 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] F-Prot and HTML object exploit
>
> It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.
>
> Anyone else seeing problems?
>
> For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.
>
> John T
> eServices For You
RE: [Declude.Virus] Viruses appearing to be getting through...
F-Prot Seems to be catching it now as

X-Declude-Virus: Detected W32/[EMAIL PROTECTED]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 02, 2005 12:55 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

Mine has the 01:32 PM time stamp and the last update time was at 10:00 AM which is after when I saw the problem, so I would have to say the 01:32 time stamp is the problem one.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Monday, May 02, 2005 11:38 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
>
> F-Prot may have already fixed their pattern file. My current sign.def is timestamped:
>
> 05/02/2005 03:53 AM
>
> and checking their website and downloading the current version manually shows that the current version is:
>
> 05/02/2005 01:32 PM
>
> Can anybody with the issue confirm which pattern file they are using that has the problem?
>
> Andrew 8)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Monday, May 02, 2005 11:20 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Viruses appearing to be getting through...
>
> Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although I have F-Prot updates disabled for now, until they get their problem with HTML/[EMAIL PROTECTED] fixed).
>
> Bill
>
> ----- Original Message -----
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, May 02, 2005 11:11 AM
> Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
>
> >I saw a big bunch about 2 hours ago that were stopped by banned zip extensions.
> >
> > John T
> > eServices For You
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
> >> Sent: Monday, May 02, 2005 10:58 AM
> >> To: Declude. Virus
> >> Subject: [Declude.Virus] Viruses appearing to be getting through...
> >>
> >> I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.
> >>
> >> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
> >> 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
> >>
> >> Chuck Schick
> >> Warp 8, Inc.
> >> (303)-421-5140
> >> www.warp8.com
Re: [Declude.Virus] F-Prot and HTML object exploit
Sure - thanks! Has anyone let F-Prot know about this?

Kevin

Bill Landry wrote:

Depends on how you execute your updates. I use a script that saves a copy of the previous defs to a backup directory. I can zip and send the previous defs to you if you do not have copies of them.

Bill

----- Original Message -----
From: "Jeff" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 11:50 AM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

How can I roll back??

----- Original Message -----
From: "Bill Landry" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 2:12 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

Yes, this is a problem! I rolled back to my latest defs prior to the last update and all is well again. I disabled my updates for a while to see if F-Prot fixes this issue.

Bill

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 10:46 AM
Subject: [Declude.Virus] F-Prot and HTML object exploit

> It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.
>
> Anyone else seeing problems?
>
> For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.
>
> John T
> eServices For You
Re: [Declude.Virus] F-Prot and HTML object exploit
Depends on how you execute your updates. I use a script that saves a copy of the previous defs to a backup directory. I can zip and send the previous defs to you if you do not have copies of them.

Bill

----- Original Message -----
From: "Jeff" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 11:50 AM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

How can I roll back ??

----- Original Message -----
From: "Bill Landry" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 2:12 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

Yes, this is a problem! I rolled back to my latest defs prior to the last update and all is well again. I disabled my updates for a while to see if F-Prot fixes this issue.

Bill

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 10:46 AM
Subject: [Declude.Virus] F-Prot and HTML object exploit

> It appears that something has updated on F-Prot in the last hour. Now, a lot
> of outbound HTML e-mails are being flagged by F-Prot as having the HTML
> object exploit. Running the file on www.virustotal.com shows clean.
>
> Anyone else seeing problems?
>
> For now, as I am at a client, I have turned off F-Prot scanning relying on
> AVG.
>
> John T
> eServices For You
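A snapshot-before-update routine of the kind Bill describes, with the matching rollback, as an added example (this is not Bill's script and not F-Prot or Declude code). The directory layout and snapshot labels are assumptions; only the `sign*.def` file pattern comes from the thread. Comparing hashes rather than trusting the scanner's "up-to-date" message answers Kevin's question about which defs are actually in place.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

DEF_GLOB = "sign*.def"  # file pattern named in the thread


def fingerprint(directory):
    """Map each definition file name in `directory` to its SHA-256 digest."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(directory).glob(DEF_GLOB))}


def _holds(installed, wanted):
    """True when every file of `wanted` is installed with the same digest."""
    return all(installed.get(n) == h for n, h in wanted.items())


def list_snapshots(backup_root):
    """Snapshot directories, oldest first (labels sort chronologically)."""
    root = Path(backup_root)
    return sorted(p for p in root.iterdir() if p.is_dir()) if root.is_dir() else []


def snapshot_defs(defs_dir, backup_root, label=None):
    """Copy the installed defs aside before the updater runs.

    Returns the new snapshot path, or None when the newest snapshot already
    holds identical files (so repeated runs do not pile up copies)."""
    current = fingerprint(defs_dir)
    if not current:
        raise FileNotFoundError(f"no {DEF_GLOB} files in {defs_dir}")
    snaps = list_snapshots(backup_root)
    if snaps and fingerprint(snaps[-1]) == current:
        return None
    # Assumed label scheme: a sortable timestamp, one directory per snapshot.
    dest = Path(backup_root) / (label or datetime.now().strftime("%Y%m%d-%H%M%S"))
    dest.mkdir(parents=True)
    for name in current:
        shutil.copy2(Path(defs_dir) / name, dest / name)  # copy2 keeps the file timestamp
    return dest


def rollback(defs_dir, backup_root):
    """Restore the newest snapshot that differs from what is installed now.

    Returns the snapshot used, or None when no differing snapshot exists."""
    current = fingerprint(defs_dir)
    for snap in reversed(list_snapshots(backup_root)):
        wanted = fingerprint(snap)
        if not wanted or _holds(current, wanted):
            continue
        for name in wanted:
            tmp = Path(defs_dir) / (name + ".tmp")
            shutil.copy2(snap / name, tmp)
            tmp.replace(Path(defs_dir) / name)  # swap each file in one step
        if not _holds(fingerprint(defs_dir), wanted):
            raise RuntimeError("restored files do not match the snapshot")
        return snap
    return None


if __name__ == "__main__":
    # Constructed demo: stand-in files, not real definition data.
    with tempfile.TemporaryDirectory() as d:
        defs, backups = Path(d) / "defs", Path(d) / "backup"
        defs.mkdir()
        (defs / "sign.def").write_bytes(b"previous defs")
        print("snapshot:", snapshot_defs(defs, backups))
        (defs / "sign.def").write_bytes(b"update with the false positive")
        print("rolled back to:", rollback(defs, backups))
        print("installed now:", fingerprint(defs))
```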
Re: [Declude.Virus] F-Prot and HTML object exploit
I'm having the same problem. Again - how do you roll back the virus defs?

Wind wrote:

Thank you for the tip, John. I searched the logs and since the update there are legitimate E-mails which are caught.

Uwe

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 7:46 PM
Subject: [Declude.Virus] F-Prot and HTML object exploit

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Anyone else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You
Re: [Declude.Virus] F-Prot and HTML object exploit
How can I roll back ??

----- Original Message -----
From: "Bill Landry" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 2:12 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

> Yes, this is a problem! I rolled back to my latest defs prior to the last
> update and all is well again. I disabled my updates for a while to see if
> F-Prot fixes this issue.
>
> Bill
> ----- Original Message -----
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, May 02, 2005 10:46 AM
> Subject: [Declude.Virus] F-Prot and HTML object exploit
>
> > It appears that something has updated on F-Prot in the last hour. Now, a lot
> > of outbound HTML e-mails are being flagged by F-Prot as having the HTML
> > object exploit. Running the file on www.virustotal.com shows clean.
> >
> > Anyone else seeing problems?
> >
> > For now, as I am at a client, I have turned off F-Prot scanning relying on
> > AVG.
> >
> > John T
> > eServices For You
RE: [Declude.Virus] Is this sort of stuff necessary on a list?
Not really to do with Virus but rather interesting information provided by Scott Perry, I thought I would share it considering the thread has to do with challenge-responses.

Challenge/Response systems are seriously flawed. Reasons include:

[1] You end up being a spammer (the majority of spam sent to you will result in confirmation requests being sent to innocent victims)
[2] Spammers now send pretend confirmation requests, presumably to make people less likely to respond to C/R requests
[3] Many people respond to C/R requests that they never initiated (so you could still get spam or viruses). A number of people in the anti-spam community have said that they always respond to challenges, whether or not they initiated the E-mail.
[4] C/R companies have been known to send out spam and harvest addresses of people sending to their customers, and apparently sell those addresses to spammers
[5] The C/R system is patented, so most anti-spam programs using C/R have legal liabilities waiting to be ironed out
[6] Confirmations sent to mailing lists won't work
[7] Confirmations sent to others using C/R won't work (they send you an E-mail, your C/R system challenges them, but their C/R system challenges you, yours then challenges them, etc.).
[8] People that offer a free service end up losing money (by spending time investigating and responding to C/R systems, dealing with spam received as a result, etc.) and sometimes get fed up with C/R systems and eventually stop offering free advice (never knowing how many people won't get the advice), harming everybody.
[9] Legitimate E-mail from automated services won't be seen (such as when ordering products online)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, May 02, 2005 3:06 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Is this sort of stuff necessary on a list?

Thanks, Chuck. I appreciate your contribution. I've added several strings from this Zaep email to my filter that blocks lousy Challenge-Response emails.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 11:49 AM
To: Declude. Virus
Subject: [Declude.Virus] Is this sort of stuff necessary on a list?

I posted to list about a virus problem then I get this stupid (IMHO) challenge-response stuff. If everyone did this on all the lists I belong to - I would do a posting and then spend the next 3 days answering all the challenge-responses. I think I will report this as spam.

Dear Greg Hedgepath - get a clue.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

Dear Chuck,

Thank you,
Greg Hedgepath

__ NOD32 1.1086 (20050502) Information __
This message was checked by NOD32 antivirus system.
http://www.nod32.com
RE: [Declude.Virus] Is this sort of stuff necessary on a list?
Thanks, Chuck. I appreciate your contribution. I've added several strings from this Zaep email to my filter that blocks lousy Challenge-Response emails.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 11:49 AM
To: Declude. Virus
Subject: [Declude.Virus] Is this sort of stuff necessary on a list?

I posted to list about a virus problem then I get this stupid (IMHO) challenge-response stuff. If everyone did this on all the lists I belong to - I would do a posting and then spend the next 3 days answering all the challenge-responses. I think I will report this as spam.

Dear Greg Hedgepath - get a clue.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

Dear Chuck,

Thank you,
Greg Hedgepath
Re: [Declude.Virus] Is this sort of stuff necessary on a list?
Hahaha.. Yeah, I agree.

----- Original Message -----
From: "Chuck Schick" <[EMAIL PROTECTED]>
To: "Declude. Virus"
Sent: Monday, May 02, 2005 2:49 PM
Subject: [Declude.Virus] Is this sort of stuff necessary on a list?

I posted to list about a virus problem then I get this stupid (IMHO) challenge-response stuff. If everyone did this on all the lists I belong to - I would do a posting and then spend the next 3 days answering all the challenge-responses. I think I will report this as spam.

Dear Greg Hedgepath - get a clue.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

Dear Chuck,

Thanks for your email, but at this point I have NOT actually received your message because I have implemented a challenge-response based anti-spam solution. Before I can receive your message you must respond in ONE of the ways outlined below.

--- CLICK ON THE URL ---

Visit the following URL and follow the simple instructions. When you do this I will receive the message you sent and ALL future messages.

http://spambot.ahphosting.net/?key=6811e93e.42766ac2.5a637c50

If the above URL does not appear all on one line, copy and paste it into your browser's address bar.

PLEASE NOTE: If you receive an error message when attempting to visit the above URL, it is very likely that your network is not allowing you to visit my confirmation page. If this is the case, contact your network administrator for help, or contact me by telephone. You will not have to do this again.

--- REPLY TO THIS MESSAGE ---

Simply reply to this email message ensuring the subject of your reply contains the subject of this message. When your reply arrives I will receive your ORIGINAL message and all FUTURE messages.

Or as an alternate method follow these instructions:

If you do not respond within 7 days, your message will be DELETED and I will not be able to receive messages from you in the future.

I apologize for this small one-time inconvenience, but I have been forced to implement this challenge-response based anti-spam solution to eliminate 100% of the spam I receive, and it really works! To learn more about the software I am using to stop spam, please visit http://www.Zaep.com/. Zaep has stopped 100% of all the spam messages I was receiving every day.

Thank you,
Greg Hedgepath

---
This email has been scanned for possible viruses by Declude Antivirus. For more information on Declude Antivirus, Visit www.declude.com
RE: [Declude.Virus] Viruses appearing to be getting through...
Mine has the 01:32 PM time stamp and the last update time was at 10:00 AM which is after when I saw the problem, so I would have to say the 01:32 time stamp is the problem one.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Colbeck, Andrew
> Sent: Monday, May 02, 2005 11:38 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
>
> F-Prot may have already fixed their pattern file. My current sign.def
> is timestamped:
>
> 05/02/2005 03:53 AM
>
> and checking their website and downloading the current version manually
> shows that the current version is:
>
> 05/02/2005 01:32 PM
>
> Can anybody with the issue confirm which pattern file they are using
> that has the problem?
>
> Andrew 8)
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Monday, May 02, 2005 11:20 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Viruses appearing to be getting through...
>
> Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV
> (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot
> (although I have F-Prot updates disabled for now, until they get their
> problem with HTML/[EMAIL PROTECTED] fixed).
>
> Bill
> ----- Original Message -----
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, May 02, 2005 11:11 AM
> Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
>
> > I saw a big bunch about 2 hours ago that were stopped by banned zip
> > extensions.
> >
> > John T
> > eServices For You
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >> On Behalf Of Chuck Schick
> >> Sent: Monday, May 02, 2005 10:58 AM
> >> To: Declude. Virus
> >> Subject: [Declude.Virus] Viruses appearing to be getting through...
> >>
> >> I am seeing several files getting through that appear to have viruses
> >> attached as zip files. I am running Declude with F-Prot. We ban encrypted
> >> zips and I have error code 8 included. Anyone else seeing this
> >> behavior? Here is part of the log.
> >>
> >> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
> >> 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
> >>
> >> Chuck Schick
> >> Warp 8, Inc.
> >> (303)-421-5140
> >> www.warp8.com
[Declude.Virus] Is this sort of stuff necessary on a list?
I posted to list about a virus problem then I get this stupid (IMHO) challenge-response stuff. If everyone did this on all the lists I belong to - I would do a posting and then spend the next 3 days answering all the challenge-responses. I think I will report this as spam.

Dear Greg Hedgepath - get a clue.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

Dear Chuck,

Thanks for your email, but at this point I have NOT actually received your message because I have implemented a challenge-response based anti-spam solution. Before I can receive your message you must respond in ONE of the ways outlined below.

--- CLICK ON THE URL ---

Visit the following URL and follow the simple instructions. When you do this I will receive the message you sent and ALL future messages.

http://spambot.ahphosting.net/?key=6811e93e.42766ac2.5a637c50

If the above URL does not appear all on one line, copy and paste it into your browser's address bar.

PLEASE NOTE: If you receive an error message when attempting to visit the above URL, it is very likely that your network is not allowing you to visit my confirmation page. If this is the case, contact your network administrator for help, or contact me by telephone. You will not have to do this again.

--- REPLY TO THIS MESSAGE ---

Simply reply to this email message ensuring the subject of your reply contains the subject of this message. When your reply arrives I will receive your ORIGINAL message and all FUTURE messages.

Or as an alternate method follow these instructions:

If you do not respond within 7 days, your message will be DELETED and I will not be able to receive messages from you in the future.

I apologize for this small one-time inconvenience, but I have been forced to implement this challenge-response based anti-spam solution to eliminate 100% of the spam I receive, and it really works! To learn more about the software I am using to stop spam, please visit http://www.Zaep.com/. Zaep has stopped 100% of all the spam messages I was receiving every day.

Thank you,
Greg Hedgepath
Re: [Declude.Virus] Viruses appearing to be getting through...
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=133409

McAfee Dat 4473 should detect it.

----- Original Message -----
From: "Donn Bly" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 2:28 PM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

I'm seeing it here. Neither Norton nor FPROT detect it as a virus yet. The non-encrypted Zip file includes a .PIF file, but the filename seems to be mangled in some way.

For now I have added BANNAME account_info.zip to my config. With your report, I have added account_info-text.zip as well.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 12:58 PM
To: Declude. Virus
Subject: [Declude.Virus] Viruses appearing to be getting through...

I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.

05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
RE: [Declude.Virus] Viruses appearing to be getting through...
F-Prot may have already fixed their pattern file. My current sign.def is timestamped:

05/02/2005 03:53 AM

and checking their website and downloading the current version manually shows that the current version is:

05/02/2005 01:32 PM

Can anybody with the issue confirm which pattern file they are using that has the problem?

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 11:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Viruses appearing to be getting through...

Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although I have F-Prot updates disabled for now, until they get their problem with HTML/[EMAIL PROTECTED] fixed).

Bill

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

> I saw a big bunch about 2 hours ago that were stopped by banned zip
> extensions.
>
> John T
> eServices For You
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> On Behalf Of Chuck Schick
>> Sent: Monday, May 02, 2005 10:58 AM
>> To: Declude. Virus
>> Subject: [Declude.Virus] Viruses appearing to be getting through...
>>
>> I am seeing several files getting through that appear to have viruses
>> attached as zip files. I am running Declude with F-Prot. We ban encrypted
>> zips and I have error code 8 included. Anyone else seeing this
>> behavior? Here is part of the log.
>>
>> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
>> 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
>>
>> Chuck Schick
>> Warp 8, Inc.
>> (303)-421-5140
>> www.warp8.com
RE: [Declude.Virus] F-Prot and HTML object exploit
I saw it start at about 10:00 AM PDT.

Someone please contact F-Prot. I would but I am at a client trying to recover data from a failed hard drive. Fun.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Hickey
Sent: Monday, May 02, 2005 11:14 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

I am having the same problems here. It all started around 12:30 Central time...

Don

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 12:56 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

John,

Thanks a bunch for pointing this out. I have found two of these in the last hour that are tagging what appears to be legitimate E-mail, both from the same person. This is gatewayed E-mail:

05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: [text/html][quoted-printable; Length=6657 Checksum=558425]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 Found potentially dangerous stuff in F:\D66F5EF3A00E815E6.vir\0.!
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image001.jpg [base64; Length=11748 Checksum=1305364]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image002.gif [base64; Length=2184 Checksum=243507]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
05/02/2005 13:44:22 Q66F5EF3A00E815E6 File(s) are INFECTED [HTML/[EMAIL PROTECTED]: 0]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting file with virus
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting E-mail with virus!
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanned: CONTAINS A VIRUS [MIME: 4 21877]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Subject: RE: NCC Docket 2005 - 2

It looks like turning F-Prot off might be a good idea, or at least configuring it to not delete viruses.

Matt

John Tolmachoff (Lists) wrote:

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Anyone else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
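To confirm the pattern several posters describe (a detection name that appears right after a definition update and lands on outbound mail), the log lines Matt quotes can be grouped per message and compared against the update time. This is an added example, not Declude or F-Prot code; the "new name plus outbound hits" rule and the sample log are assumptions constructed here, and only the line layout is taken from the excerpts in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout taken from the log excerpts in the thread:
#   MM/DD/YYYY HH:MM:SS <queue id> <event text>
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q\w+) (.*)$")
# A detection name can contain spaces, so match lazily up to " Attachment=".
VIRUS_RE = re.compile(r"Scanner \d+: Virus=(.+?) Attachment=")


def parse_messages(lines):
    """Group log lines by queue ID into one record per scanned message."""
    msgs = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrelated line
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        rec = msgs.setdefault(
            m.group(2), {"first_seen": ts, "virus": None, "outgoing": False})
        event = m.group(3)
        hit = VIRUS_RE.search(event)
        if hit:
            rec["virus"] = hit.group(1)
        if "[outgoing from " in event:  # direction tag as shown in the thread
            rec["outgoing"] = True
    return msgs


def suspect_signatures(lines, defs_updated_at, min_outgoing=2):
    """Detection names never seen before the definition update that hit at
    least `min_outgoing` outbound messages afterwards (a heuristic chosen for
    this example: your own users' mail being flagged by a brand-new name)."""
    seen_before = set()
    after = defaultdict(lambda: {"total": 0, "outgoing": 0})
    for rec in parse_messages(lines).values():
        name = rec["virus"]
        if name is None:
            continue  # message scanned clean
        if rec["first_seen"] < defs_updated_at:
            seen_before.add(name)
        else:
            after[name]["total"] += 1
            after[name]["outgoing"] += int(rec["outgoing"])
    return {n: dict(c) for n, c in after.items()
            if n not in seen_before and c["outgoing"] >= min_outgoing}


# Constructed sample log: queue IDs, names and addresses are made up.
SAMPLE_LOG = """\
05/02/2005 09:10:01 QAAAA0001 MIME file: report.zip [base64; Length=1000 Checksum=111]
05/02/2005 09:10:02 QAAAA0001 Scanner 1: Virus=Constructed/Worm.A Attachment=report.zip [0] O
05/02/2005 09:10:02 QAAAA0001 Scanned: CONTAINS A VIRUS [MIME: 2 1200]
05/02/2005 10:20:00 QAAAA0002 Scanner 1: Virus=HTML/Constructed.FP Attachment=[HTML segment] [0] O
05/02/2005 10:20:00 QAAAA0002 From: u1@example.com To: x@example.net [outgoing from 192.0.2.10]
05/02/2005 10:25:00 QAAAA0003 Scanner 1: Virus=HTML/Constructed.FP Attachment=[HTML segment] [0] O
05/02/2005 10:25:00 QAAAA0003 From: u2@example.com To: y@example.net [outgoing from 192.0.2.10]
05/02/2005 10:31:00 QAAAA0004 Scanner 1: Virus=HTML/Constructed.FP Attachment=[HTML segment] [0] O
05/02/2005 10:31:00 QAAAA0004 From: u3@example.com To: z@example.net [outgoing from 192.0.2.11]
05/02/2005 10:40:00 QAAAA0005 Scanner 1: Virus=Constructed/Worm.A Attachment=info.zip [0] O
05/02/2005 10:41:00 QAAAA0006 Scanner 1: Virus=Constructed/Worm.B Attachment=info.zip [0] O
05/02/2005 10:42:00 QAAAA0007 Scanned: Virus Free [MIME: 2 53979]
""".splitlines()

if __name__ == "__main__":
    updated = datetime(2005, 5, 2, 10, 0, 0)  # constructed update time
    for name, counts in suspect_signatures(SAMPLE_LOG, updated).items():
        print(f"{name}: {counts['total']} hits, {counts['outgoing']} outbound")
```

A name that shows up here is a candidate for rolling back the definitions and sending samples to the vendor; it is not proof of a false positive on its own.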
RE: [Declude.Virus] Viruses appearing to be getting through...
I'm seeing it here. Neither Norton nor FPROT detect it as a virus yet. The non-encrypted Zip file includes a .PIF file, but the filename seems to be mangled in some way.

For now I have added BANNAME account_info.zip to my config. With your report, I have added account_info-text.zip as well.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Chuck Schick
> Sent: Monday, May 02, 2005 12:58 PM
> To: Declude. Virus
> Subject: [Declude.Virus] Viruses appearing to be getting through...
>
> I am seeing several files getting through that appear to have viruses
> attached as zip files. I am running Declude with F-Prot. We ban encrypted
> zips and I have error code 8 included. Anyone else seeing this behavior?
> Here is part of the log.
>
> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
> 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
>
> Chuck Schick
> Warp 8, Inc.
> (303)-421-5140
> www.warp8.com
Re: [Declude.Virus] Viruses appearing to be getting through...
Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although I have F-Prot updates disabled for now, until they get their problem with HTML/[EMAIL PROTECTED] fixed).

Bill

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

I saw a big bunch about 2 hours ago that were stopped by banned zip extensions.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 10:58 AM
To: Declude. Virus
Subject: [Declude.Virus] Viruses appearing to be getting through...

I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.

05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.Virus] F-Prot and HTML object exploit
I am having the same problems here. It all started around 12:30 Central time...

Don

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 12:56 PM
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

John,

Thanks a bunch for pointing this out. I have found two of these in the last hour that are tagging what appears to be legitimate E-mail, both from the same person. This is gatewayed E-mail:

05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: [text/html][quoted-printable; Length=6657 Checksum=558425]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 Found potentially dangerous stuff in F:\D66F5EF3A00E815E6.vir\0.!
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image001.jpg [base64; Length=11748 Checksum=1305364]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image002.gif [base64; Length=2184 Checksum=243507]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
05/02/2005 13:44:22 Q66F5EF3A00E815E6 File(s) are INFECTED [HTML/[EMAIL PROTECTED]: 0]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting file with virus
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting E-mail with virus!
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanned: CONTAINS A VIRUS [MIME: 4 21877]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Subject: RE: NCC Docket 2005 - 2

It looks like turning F-Prot off might be a good idea, or at least configuring it to not delete viruses.

Matt

John Tolmachoff (Lists) wrote:

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Anyone else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Re: [Declude.Virus] F-Prot and HTML object exploit
Yes, this is a problem! I rolled back to my latest defs prior to the last update and all is well again. I disabled my updates for a while to see if F-Prot fixes this issue.

Bill

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 10:46 AM
Subject: [Declude.Virus] F-Prot and HTML object exploit

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Any one else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You
Re: [Declude.Virus] F-Prot and HTML object exploit
Thank you for the tip, John. I searched the logs and since the update there are legitimate E-mail, which are caught.

Uwe

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 7:46 PM
Subject: [Declude.Virus] F-Prot and HTML object exploit

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Any one else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You
RE: [Declude.Virus] Viruses appearing to be getting through...
I saw a big bunch about 2 hours ago that were stopped by banned zip extensions.

John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Chuck Schick
> Sent: Monday, May 02, 2005 10:58 AM
> To: Declude. Virus
> Subject: [Declude.Virus] Viruses appearing to be getting through...
>
> I am seeing several files getting through that appear to have viruses
> attached as zip files. I am running Declude with F-Prot. We ban encrypted
> zips and I have error code 8 included. Anyone else seeing this behavior?
> Here is part of the log.
>
> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
> 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
>
> Chuck Schick
> Warp 8, Inc.
> (303)-421-5140
> www.warp8.com
Re: [Declude.Virus] F-Prot and HTML object exploit
John,

Thanks a bunch for pointing this out. I have found two of these in the last hour that are tagging what appears to be legitimate E-mail, both from the same person. This is gatewayed E-mail:

05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: [text/html][quoted-printable; Length=6657 Checksum=558425]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 Found potentially dangerous stuff in F:\D66F5EF3A00E815E6.vir\0.!
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image001.jpg [base64; Length=11748 Checksum=1305364]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image002.gif [base64; Length=2184 Checksum=243507]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
05/02/2005 13:44:22 Q66F5EF3A00E815E6 File(s) are INFECTED [HTML/[EMAIL PROTECTED]: 0]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting file with virus
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting E-mail with virus!
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanned: CONTAINS A VIRUS [MIME: 4 21877]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Subject: RE: NCC Docket 2005 - 2

It looks like turning F-Prot off might be a good idea, or at least configuring it to not delete viruses.

Matt

John Tolmachoff (Lists) wrote:

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Any one else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
[Declude.Virus] Viruses appearing to be getting through...
I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.

05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
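Added example, not from any poster or from Declude: a Python script that groups log lines in the format quoted in Matt's and Chuck's messages above by queue ID, then lists (a) messages flagged only in their HTML segment after a definition update, for false-positive review, and (b) archive attachments that scanned "Virus Free". The function names, the cutoff time and the Q0000000000000001 entries are assumptions made for this example.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Q568a382 and Q66F5EF3A00E815E6: log lines quoted in the thread, with the
# archive's "[EMAIL PROTECTED]" redactions kept as-is.
# Q0000000000000001: constructed for this example (the signature name and the
# bracketed attachment name are assumptions).
SAMPLE_LOG = r"""
05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: [text/html][quoted-printable; Length=6657 Checksum=558425]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 Found potentially dangerous stuff in F:\D66F5EF3A00E815E6.vir\0.!
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image001.jpg [base64; Length=11748 Checksum=1305364]
05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image002.gif [base64; Length=2184 Checksum=243507]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O
05/02/2005 13:44:22 Q66F5EF3A00E815E6 File(s) are INFECTED [HTML/[EMAIL PROTECTED]: 0]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting file with virus
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting E-mail with virus!
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanned: CONTAINS A VIRUS [MIME: 4 21877]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
05/02/2005 13:44:22 Q66F5EF3A00E815E6 Subject: RE: NCC Docket 2005 - 2
05/02/2005 14:05:10 Q0000000000000001 MIME file: report.zip [base64; Length=4096 Checksum=400000]
05/02/2005 14:05:11 Q0000000000000001 Scanner 1: Virus=Constructed.Test.Sig Attachment=[report.zip] [0] O
05/02/2005 14:05:11 Q0000000000000001 Scanned: CONTAINS A VIRUS [MIME: 2 4300]
"""

# Assumed time of the definition update; take the real one from your updater log.
ASSUMED_UPDATE_TIME = datetime(2005, 5, 2, 13, 0, 0)

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Za-z]+) (.*)$")
MIME_RE = re.compile(r"^MIME file: (.*?)\s*\[[^\]]*; Length=\d+ Checksum=\d+\]$")
SCAN_RE = re.compile(r"^Scanner (\d+): Virus=(.*?) Attachment=\[(.*?)\]")
VERDICT_RE = re.compile(r"^Scanned: (.*?) \[MIME: \d+ \d+\]$")
ORIGIN_RE = re.compile(r"^From: .* \[(\w+) from [0-9.]+\]$")


def parse_log(text):
    """Group log lines by queue ID into one record per message."""
    records = OrderedDict()
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank or unrecognised line
        stamp, qid, msg = line.groups()
        rec = records.setdefault(qid, {
            "id": qid,
            "first_seen": datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S"),
            "attachments": [], "hits": [], "verdict": None,
            "deleted": False, "direction": None, "subject": None,
        })
        mime, scan = MIME_RE.match(msg), SCAN_RE.match(msg)
        verdict, origin = VERDICT_RE.match(msg), ORIGIN_RE.match(msg)
        if mime:
            rec["attachments"].append(mime.group(1))
        elif scan:
            rec["hits"].append({"scanner": int(scan.group(1)),
                                "virus": scan.group(2), "part": scan.group(3)})
        elif verdict:
            rec["verdict"] = verdict.group(1)
        elif msg.startswith("Deleting E-mail"):
            rec["deleted"] = True
        elif msg.startswith("Subject: "):
            rec["subject"] = msg[len("Subject: "):]
        elif origin:
            rec["direction"] = origin.group(1)
    return records


def html_only_detections(records, since):
    """Messages first seen at or after `since` whose every scanner hit is on
    the HTML segment: the pattern reported in the thread as a false positive."""
    return [rec for rec in records.values()
            if rec["first_seen"] >= since and rec["hits"]
            and all(hit["part"] == "HTML segment" for hit in rec["hits"])]


def clean_archives(records, extensions=(".zip",)):
    """(queue ID, file name) for archive attachments that scanned clean."""
    return [(rec["id"], name)
            for rec in records.values() if rec["verdict"] == "Virus Free"
            for name in rec["attachments"] if name.lower().endswith(extensions)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in html_only_detections(recs, ASSUMED_UPDATE_TIME):
        state = "DELETED" if rec["deleted"] else "kept"
        print("review:", rec["id"], rec["direction"], state, rec["subject"])
    for qid, name in clean_archives(recs):
        print("second look:", qid, name)
```

Queue IDs returned by `html_only_detections` with `deleted` set are the messages a sender would need to resend once the definitions are fixed or rolled back.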
[Declude.Virus] F-Prot and HTML object exploit
It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean.

Any one else seeing problems?

For now, as I am at a client, I have turned off F-Prot scanning relying on AVG.

John T
eServices For You
Re: [Declude.Virus] Who is minding the store
I sent this email because now I am not so sure. And I know others that have the same feelings. Renew or not renew. I was told the company would be run in the same high quality manner as before. Clearly that is not the case. Without knowing the coders know their stuff relating to spam it is quite risky to take the chance with such a small company.

I think every company after Scott will have a problem, because Scott did a job, which no one can do a long time without heart attack ;-)

I think Declude makes a good job. The new release is out and it is like in the past, no problems. When there is a problem I mail to [EMAIL PROTECTED] .com and get a fast response. That is the main thing why I pay for a service agreement. And these things have not changed in my opinion.

Uwe

----- Original Message -----
From: "Nick" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 7:02 PM
Subject: RE: [Declude.Virus] Who is minding the store

On 2 May 2005 at 9:51, Douglas Cohn wrote:

Douglas -

I agree with what you are saying. And I miss Scott for his slant on techsupport and philosophy [ Remember Len & Scott dialogs? :) ]

That said we need to give the new Declude a chance. [That is coming from a guy that has been posting some negativity lately]. They are learning the new turf. And they have some good email admins supporting them (for now)

If Declude misses the point competition will put them out of business.

-Nick

Plus, if they actually integrate our feedback, we'll buy the support agreement in order to download the latest fruits of our labor. :)

Yes that is a key point and the reason I always rushed out to renew in the past.

I sent this email because now I am not so sure. And I know others that have the same feelings. Renew or not renew. I was told the company would be run in the same high quality manner as before. Clearly that is not the case. Without knowing the coders know their stuff relating to spam it is quite risky to take the chance with such a small company. We knew Scott was the best, who are the people that took over the reins and what credentials do they have. I mean Symantec cannot do it right and I should trust someone who won't participate in their own forums?

If Scott would chime in here and say "DON'T worry Doug these people know their stuff, you are in good hands." I would order a renewal. But he left.

Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan
Sent: Sunday, May 01, 2005 5:59 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Who is minding the store

Douglas Cohn wrote:

>Using this forum for support is certainly less expensive to the company

... unless you're charging for support, then it could be viewed as a losing proposition to assist in free support. I fear this may be the mindset. This view, is, of course, entirely wrong; as you mentioned, our R&D feedback is very valuable-worth more than a support contract. Plus, if they actually integrate our feedback, we'll buy the support agreement in order to download the latest fruits of our labor. :)

---
[This E-mail scanned for viruses by Declude Virus]
Re: [Declude.Virus] Who is minding the store
Scott,

While you have first hand knowledge of the inner-workings at Declude under the new management, many around here have no clue as to whether or not this list is even being monitored, and I think that's what is really at issue. Free and open communication is the best way to go.

I think the biggest issue for those around here is the lack of public feedback, though not necessarily the lack of answers. Personally, I'm aware that it is monitored and I was already confident that the feedback here was important to the folks at Declude, but it is a little unsettling for even myself, and certainly others with even less exposure to Declude, to see discussions regarding important matters go unanswered in this forum. For instance, I have no clue as to how best to approach the F-Prot issues that we have been discussing for the last week, and it seems that Declude should have chimed in publicly in the first days. Although I know they are listening, I have no clue as to what they are thinking or if any decisions have been made regarding it.

For discussions that don't revolve around using the product, these lists are often the best places to discuss such things. A couple of weeks ago I posted about a multiple-processing bug that had been previously reported to Declude through the support channel. Others around here had also indicated that they had seen this, and I have a feeling that it was the combination of all of our reports that helped them conclude that this was a bug that was real and needed to be addressed. I now know that they have figured this bug out, but no one else around here does, and I think that follow up is vital. Without this list the burden falls so much more on the individual and many individuals don't have the patience or time to follow through with the data acquisition or testing required to accurately show what is going on, and of course working within a vacuum isn't the best way either. Without the follow up, it requires more work for us to keep up with what is going on and what we may consider to be important. I think you understand these things.

I do realize that the new folks at Declude have taken a pounding from time to time on these lists by people that are uncomfortable with the changes. That unfortunately is a reality of such lists, and I would hope that this doesn't prevent them from participating more in public. Someone will always be unhappy, but you were able to manage this quite effectively and for the good of the product. I would hope that this reality, or other factors, aren't keeping Declude away from participating more in the lists.

In the very least, they should set up a page on the site for bugs and plans for when they will be resolved, or what is being done to resolve them (not everything is a bug in Declude of course). This would be very helpful if it was in fact timely.

Matt

R. Scott Perry wrote:

If Scott would chime in here and say "DON'T worry Doug these people know their stuff, you are in good hands." I would order a renewal. But he left.

I'm not completely gone. :)

Everyone does things differently, and I knew when I sold that company that the new owners wouldn't do everything exactly the way that I did. Any new way of operating has its tradeoffs.

As you pointed out, one of the changes is that there isn't as much of a company presence on this mailing list as there was before. It used to be that I was a major contributor to this list. However, a lot of what I was posting was stuff that others could have posted (as they are now).

What is happening, though, is that the list is being monitored. You would be surprised at how many times one of the owners would be discussing something with me, and then bring up a post from this list. And this definitely includes some "A lot of people are asking for Feature X."

Right now the company is at a crucial point -- it is seeing how it can manage without my daily involvement. My personal opinion is that they are doing a good job with it.

-Scott

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.Virus] Who is minding the store
On 2 May 2005 at 9:51, Douglas Cohn wrote:

Douglas -

I agree with what you are saying. And I miss Scott for his slant on techsupport and philosophy [ Remember Len & Scott dialogs? :) ]

That said we need to give the new Declude a chance. [That is coming from a guy that has been posting some negativity lately]. They are learning the new turf. And they have some good email admins supporting them (for now)

If Declude misses the point competition will put them out of business.

-Nick

> Plus, if they actually integrate our feedback, we'll buy the support
> agreement in order to download the latest fruits of our labor. :)
>
> Yes that is a key point and the reason I always rushed out to renew in
> the past.
>
> I sent this email because now I am not so sure. And I know others
> that have the same feelings. Renew or not renew. I was told the
> company would be run in the same high quality manner as before.
> Clearly that is not the case. Without knowing the coders know their
> stuff relating to spam it is quite risky to take the chance with such
> a small company. We knew Scott was the best, who are the people that
> took over the reins and what credentials do they have. I mean
> Symantec cannot do it right and I should trust someone who won't
> participate in their own forums?
>
> If Scott would chime in here and say "DON'T worry Doug these people
> know their stuff, you are in good hands." I would order a renewal.
> But he left.
>
> Doug
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan
> Sent: Sunday, May 01, 2005 5:59 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Who is minding the store
>
> Douglas Cohn wrote:
>
> >Using this forum for support is certainly less expensive to the
> >company
>
> ... unless you're charging for support, then it could be viewed as a
> losing proposition to assist in free support. I fear this may be the
> mindset. This view, is, of course, entirely wrong; as you mentioned,
> our R&D feedback is very valuable-worth more than a support contract.
> Plus, if they actually integrate our feedback, we'll buy the support
> agreement in order to download the latest fruits of our labor. :)
RE: [Declude.Virus] Who is minding the store
If Scott would chime in here and say "DON'T worry Doug these people know their stuff, you are in good hands." I would order a renewal. But he left.

I'm not completely gone. :)

Everyone does things differently, and I knew when I sold that company that the new owners wouldn't do everything exactly the way that I did. Any new way of operating has its tradeoffs.

As you pointed out, one of the changes is that there isn't as much of a company presence on this mailing list as there was before. It used to be that I was a major contributor to this list. However, a lot of what I was posting was stuff that others could have posted (as they are now).

What is happening, though, is that the list is being monitored. You would be surprised at how many times one of the owners would be discussing something with me, and then bring up a post from this list. And this definitely includes some "A lot of people are asking for Feature X."

Right now the company is at a crucial point -- it is seeing how it can manage without my daily involvement. My personal opinion is that they are doing a good job with it.

-Scott
RE: [Declude.Virus] f-prot update script
Well, you've got two problems here, Daniel.

The first is that the script depends on an external program called wget that you probably don't have installed.

The second is that this script should be deprecated, because the FTP method is no longer provided by F-Prot!

As Jim and Keith pointed out, following the F-Prot article is the way to go. I just implemented this last week; here's my comment:

http://www.mail-archive.com/declude.virus@declude.com/msg11870.html

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 8:06 AM
To: 'Declude.Virus@declude.com'
Subject: RE: [Declude.Virus] f-prot update script

I have tried using this script. I keep getting an error referring to wget.exe and it doesn't update F-Prot.

Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice: 434 - 570 - 1765
Fax: 434 - 572 - 1981
[EMAIL PROTECTED]

-----Original Message-----
From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script

Take a look at:

http://www.declude.com/Articles.asp?ID=100

F-Prot for DOS updater - A batch file that automatically updates F-Prot and its virus definitions (old version here), and a Cygwin version, and a complete .ZIPed version. Finally, a Simple version!

Goran Jovanovic
The LAN Shoppe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Daniel Ivey
> Sent: Monday, May 02, 2005 9:52 AM
> To: 'Declude.Virus@declude.com'
> Subject: [Declude.Virus] f-prot update script
>
> Does anyone have an f-prot update script that they wouldn't mind sharing? I
> have tried one that I found, but never could get it to work. Any help is
> appreciated.
>
> Thanks,
> Daniel
>
> ===
> Daniel Ivey
> GCR Company / GCR Online
> Voice: 434 - 570 - 1765
> Fax: 434 - 572 - 1981
> [EMAIL PROTECTED]
Re: [Declude.Virus] f-prot update script
You could just go the simplistic route too and just put

"C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe" /internet /hidden

in your task scheduler, it is not quite as robust or foolproof as some of the other scripts, but I have yet to have an issue with it and it is way simple to setup and manage.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

----- Original Message -----
From: "Daniel Ivey" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 6:52 AM
Subject: [Declude.Virus] f-prot update script

Does anyone have an f-prot update script that they wouldn't mind sharing? I have tried one that I found, but never could get it to work. Any help is appreciated.

Thanks,
Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice: 434 - 570 - 1765
Fax: 434 - 572 - 1981
[EMAIL PROTECTED]
RE: [Declude.Virus] f-prot update script
Daniel,

Give this a try:

http://www.f-prot.com/support/windows/fpwin_faq/88.html

-Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 11:06 AM
To: 'Declude.Virus@declude.com'
Subject: RE: [Declude.Virus] f-prot update script

I have tried using this script. I keep getting an error referring to wget.exe and it doesn't update F-Prot.

Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice: 434 - 570 - 1765
Fax: 434 - 572 - 1981
[EMAIL PROTECTED]

-----Original Message-----
From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script

Take a look at:

http://www.declude.com/Articles.asp?ID=100

F-Prot for DOS updater - A batch file that automatically updates F-Prot and its virus definitions (old version here), and a Cygwin version, and a complete .ZIPed version. Finally, a Simple version!

Goran Jovanovic
The LAN Shoppe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Daniel Ivey
> Sent: Monday, May 02, 2005 9:52 AM
> To: 'Declude.Virus@declude.com'
> Subject: [Declude.Virus] f-prot update script
>
> Does anyone have an f-prot update script that they wouldn't mind sharing? I
> have tried one that I found, but never could get it to work. Any help is
> appreciated.
>
> Thanks,
> Daniel
>
> ===
> Daniel Ivey
> GCR Company / GCR Online
> Voice: 434 - 570 - 1765
> Fax: 434 - 572 - 1981
> [EMAIL PROTECTED]
RE: [Declude.Virus] f-prot update script
I have tried using this script. I keep getting an error referring to wget.exe and it doesn't update F-Prot.

Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice: 434 - 570 - 1765
Fax: 434 - 572 - 1981
[EMAIL PROTECTED]

-----Original Message-----
From: Goran Jovanovic [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] f-prot update script

Take a look at:

http://www.declude.com/Articles.asp?ID=100

F-Prot for DOS updater - A batch file that automatically updates F-Prot and its virus definitions (old version here), and a Cygwin version, and a complete .ZIPed version. Finally, a Simple version!

Goran Jovanovic
The LAN Shoppe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Daniel Ivey
> Sent: Monday, May 02, 2005 9:52 AM
> To: 'Declude.Virus@declude.com'
> Subject: [Declude.Virus] f-prot update script
>
> Does anyone have an f-prot update script that they wouldn't mind sharing? I
> have tried one that I found, but never could get it to work. Any help is
> appreciated.
>
> Thanks,
> Daniel
>
> ===
> Daniel Ivey
> GCR Company / GCR Online
> Voice: 434 - 570 - 1765
> Fax: 434 - 572 - 1981
> [EMAIL PROTECTED]
RE: [Declude.Virus] f-prot update script
Take a look at:

http://www.declude.com/Articles.asp?ID=100

F-Prot for DOS updater - A batch file that automatically updates F-Prot and its virus definitions (old version here), and a Cygwin version, and a complete .ZIPed version. Finally, a Simple version!

Goran Jovanovic
The LAN Shoppe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Daniel Ivey
> Sent: Monday, May 02, 2005 9:52 AM
> To: 'Declude.Virus@declude.com'
> Subject: [Declude.Virus] f-prot update script
>
> Does anyone have an f-prot update script that they wouldn't mind sharing? I
> have tried one that I found, but never could get it to work. Any help is
> appreciated.
>
> Thanks,
> Daniel
>
> ===
> Daniel Ivey
> GCR Company / GCR Online
> Voice: 434 - 570 - 1765
> Fax: 434 - 572 - 1981
> [EMAIL PROTECTED]
[Declude.Virus] f-prot update script
Does anyone have an f-prot update script that they wouldn't mind sharing? I have tried one that I found, but never could get it to work. Any help is appreciated.

Thanks,
Daniel

===
Daniel Ivey
GCR Company / GCR Online
Voice: 434 - 570 - 1765
Fax: 434 - 572 - 1981
[EMAIL PROTECTED]
RE: [Declude.Virus] Who is minding the store
Plus, if they actually integrate our feedback, we'll buy the support agreement in order to download the latest fruits of our labor. :)

Yes that is a key point and the reason I always rushed out to renew in the past.

I sent this email because now I am not so sure. And I know others that have the same feelings. Renew or not renew. I was told the company would be run in the same high quality manner as before. Clearly that is not the case. Without knowing the coders know their stuff relating to spam it is quite risky to take the chance with such a small company. We knew Scott was the best, who are the people that took over the reins and what credentials do they have. I mean Symantec cannot do it right and I should trust someone who won't participate in their own forums?

If Scott would chime in here and say "DON'T worry Doug these people know their stuff, you are in good hands." I would order a renewal. But he left.

Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan
Sent: Sunday, May 01, 2005 5:59 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Who is minding the store

Douglas Cohn wrote:

>Using this forum for support is certainly less expensive to the company

... unless you're charging for support, then it could be viewed as a losing proposition to assist in free support. I fear this may be the mindset. This view, is, of course, entirely wrong; as you mentioned, our R&D feedback is very valuable-worth more than a support contract. Plus, if they actually integrate our feedback, we'll buy the support agreement in order to download the latest fruits of our labor. :)