AW: [Declude.Virus] Newbie question

2005-06-06 Thread Guhl, Markus (LDS)
Hi Darin,

we use AVAFTERJM ON with Declude 2.0.6.14 and it works like we need it.

Regards,
pp.
signed Markus Guhl
***
LDS NRW
Ref. 241
Tel.: 0211 9449 2578
Fax: 0211 9449 8344
mailto:[EMAIL PROTECTED]
***
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Sunday, June 5, 2005 23:02
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Newbie question


I don't know if it still exists since it is not in the current manual, but
there was an option in previous versions of AV called AVAFTERJM that allowed
JunkMail to run first.  Otherwise you are correct that AV would run first.

Darin.


- Original Message - 
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, June 05, 2005 3:17 PM
Subject: Re: [Declude.Virus] Newbie question


Thanks for the quick response.  Yes, I have the Pro versions for both AV
and Junkmail.


Darin Cox wrote:

Do you have the Pro version of Declude Junkmail?  You have to have pro to
use filters and outbound scanning.  The fromfile filter I mentioned will
work in the standard version, though.

Darin.


- Original Message - 
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, June 05, 2005 2:56 PM
Subject: Re: [Declude.Virus] Newbie question


I changed it to HEADERS and still I am receiving emails from these
addresses (got 4 of them personally yesterday).  My virus scanner is now
updated every four hours, so F-Prot caught these viruses, but I still am
receiving the virus notifications.  Perhaps the scanning takes place
(and the notifications are sent out) before my filter is called?

This is what my filter file contains:
HEADERS 0 CONTAINS [EMAIL PROTECTED]
HEADERS 0 CONTAINS [EMAIL PROTECTED]
etc.

This is what I have in my global.cfg
MYFILTER filter C:\Imail\Declude\Filter.txt x 200

This is in my $default$.junkmail file
WEIGHT20 HOLD

What am I missing?

Thanks.


Scott Fisher wrote:



The MAILFROM filter test is separate from anything in the headers. It
is the envelope sender.

If you want to test on the header from (I call it display from because
that's what Outlook displays), you need to check the HEADERS.


- Original Message - From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, June 03, 2005 3:26 AM
Subject: Re: [Declude.Virus] Newbie question




Great.  Exactly what I needed.
I was also confused about the MAILFROM.  Does MAILFROM mean what is
displayed as the FROM: in the headers or what it says in the X-Note:
This E-mail was sent from 206-72-95-86.wi.skypipeline.com
([206.72.95.86])  or in the X-Declude-Sender field?

Maybe I should just use the HEADERS 0 CONTAINS instead.

Thanks again.



Scott Fisher wrote:



One caveat. The MAILFROM uses the envelope mailfrom, which is
different than the ones displayed in the headers.
If the below doesn't stop it, add
HEADERS 0 CONTAINS [EMAIL PROTECTED]
HEADERS 0 CONTAINS [EMAIL PROTECTED]

- Original Message - From: Kevin Rogers
[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, June 02, 2005 10:37 PM
Subject: Re: [Declude.Virus] Newbie question




I looked up the filter section at the manual.  This is what I did.

I made a file called filter.txt.  This contains:
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
etc.

I then added this line in global.cfg:
MYFILTER filter C:\Imail\Declude\filter.txt x 200

In my $default$.junkmail file there was already this line:
WEIGHT20 HOLD

Do I need to do anything else to the junkmail file to reference
MYFILTER or does the WEIGHT20 take care of everything?

Thanks.

Kevin



Darin Cox wrote:



Nope... add a filter test and put those lines in it.  The same thing I
mentioned without pro applies here for adding test names to the global.cfg
and $default$.junkmail.

The manual at http://declude.com/junkmail/manual.htm describes adding filter
files pretty well.

Darin.


- Original Message - From: Kevin Rogers
[EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, June 02, 2005 7:09 PM
Subject: Re: [Declude.Virus] Newbie question


I have pro.  How do I add filters?

Should I add that line MAILFROM 10 CONTAINS [EMAIL PROTECTED] in
virus.cfg or global.cfg?  Do I need to use another file?

If I use the HEADERS option HEADERS 10 CONTAINS
[EMAIL PROTECTED]
- where would I put that?

Sorry for the newbie questions.

Kevin



Scott Fisher wrote:




If you've got pro, you could add a filter:
MAILFROM 10 CONTAINS [EMAIL PROTECTED]
that will check the envelope mailfrom.

To check for those addresses in the headers:
HEADERS 10 CONTAINS [EMAIL PROTECTED]

Another option is to update your virus software more often to
minimize
the opportunity window for the virus.

- Original Message - From: Kevin Rogers
[EMAIL 
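The distinction Scott draws in the thread above (MAILFROM tests the SMTP envelope sender, HEADERS tests the header block) as an added Python model; this is not Declude's own code. The filter-line layout TEST WEIGHT COMPARISON VALUE follows the lines quoted in the thread, but the sample message, envelope sender, addresses and weights are constructed, and the scoring (matched line weights summed, HOLD at a threshold) is a simplification for illustration, not Declude's actual algorithm.

```python
import email

# Constructed filter file in the TEST WEIGHT COMPARISON VALUE layout the
# thread uses. Two rules for the same address: one against the envelope,
# one against the headers. (Assumption: weights are illustrative only.)
FILTER_TEXT = """\
# MAILFROM looks only at the SMTP MAIL FROM (envelope sender)
MAILFROM 10 CONTAINS worm-sender@example.net
# HEADERS looks at the raw header block (From:, Subject:, Received:, ...)
HEADERS 10 CONTAINS worm-sender@example.net
"""

# Constructed sample: the worm forges From:, but the SMTP envelope sender is
# something else, which is exactly when a MAILFROM rule misses.
ENVELOPE_SENDER = "bounce-7f3a@relay.example.org"
RAW_MESSAGE = b"""\
From: "Payroll" <worm-sender@example.net>
To: victim@example.com
Subject: your document
X-Note: This E-mail was sent from relay.example.org ([192.0.2.10])
Content-Type: text/plain

see attachment
"""

HOLD_THRESHOLD = 20  # assumption: stands in for a WEIGHT20 HOLD line


def parse_filter(text):
    """Return (test, weight, comparison, value) tuples; '#' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        test, weight, comparison, value = line.split(None, 3)
        rules.append((test.upper(), int(weight), comparison.upper(), value))
    return rules


def evaluate(rules, envelope_sender, raw_message):
    """Apply each rule to the part of the message it is defined over."""
    msg = email.message_from_bytes(raw_message)
    header_block = "\n".join(f"{name}: {value}" for name, value in msg.items())
    hits = []
    for test, weight, comparison, value in rules:
        if comparison != "CONTAINS":
            raise ValueError(f"only CONTAINS is modelled, got {comparison}")
        if test == "MAILFROM":
            haystack = envelope_sender          # envelope only, never headers
        elif test == "HEADERS":
            haystack = header_block             # every header line
        else:
            raise ValueError(f"unsupported test {test}")
        if value.lower() in haystack.lower():
            hits.append((test, weight))
    return hits


def verdict(hits, threshold=HOLD_THRESHOLD):
    """Sum matched weights; HOLD once the threshold is reached (simplified)."""
    total = sum(weight for _, weight in hits)
    return total, ("HOLD" if total >= threshold else "DELIVER")


if __name__ == "__main__":
    rules = parse_filter(FILTER_TEXT)
    hits = evaluate(rules, ENVELOPE_SENDER, RAW_MESSAGE)
    print("matched:", hits)            # only the HEADERS rule fires
    print("verdict:", verdict(hits))
```

Run against the constructed message, only the HEADERS rule matches, which is the situation Kevin reports: the forged From: carries the address, the envelope does not. Swap the envelope sender for the same address and both rules fire.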

Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts

 At one point on each
 machine started getting these errors in the Declude Virus file:
 
 06/04/2005 14:06:54 Qed820cb43917 ERROR: Virus scanner 2 didn't
 finish after 60 seconds; terminating.
 06/04/2005 14:06:54 Qed820cb43917 WARNING: Couldn't remove .vir
 directory o:\spool\Ded820cb43917.vir\: SHARING VIOLATION.
 06/04/2005 14:06:54 Qed820cb43917 Likely problem: An on-access
 scanner is interfering; disable or set not to scan subdirectories off
 of \IMail\spool.

we had this happen this morning.  I think it has to do with the number
of processes at one time.  I'm taking a look at it today.

---
Terry


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.


[Declude.Virus] Banned Extensions Still Getting Through?

2005-06-06 Thread Paul Crouch

Need some help for a part time sys admin!

Declude Virus/Junkmail Standard 2.0.6.16/F-prot.

We have very limited bandwidth so have expanded the banned extensions list in virus.cfg
to include .mpg, .mpeg, .wmv, etc. This works well but there seems to be
some that are still slipping through?

The only thing I have noticed is that in every instance the
banned extension is not the only attachment and it has some extra characters in
the file extension as reported by Declude. The attachment appears as normal
in the email client.

Example shown below-

When it does work (in every test that I do) Declude inserts MM/DD/2005
HH:MM:SS Q1BA800E400B8C964 Banning file with mpg extension [video/mpg]
before the virus scanner line.

Any ideas as to why Declude is trapping some and not others?

vir0606.log

06/06/2005 10:00:54 Q109E001900B2AC5A Vulnerability flags = 0
06/06/2005 10:00:54 Q109E001900B2AC5A MIME file: pic09894.jpg [base64; Length=1577 Checksum=178405]
06/06/2005 10:00:55 Q109E001900B2AC5A MIME file: =?ISO-8859-1?Q?POWERLEAGUE_HAMSTER=2Empg?= [base64; Length=1435545 Checksum=172528633]
06/06/2005 10:00:55 Q109E001900B2AC5A Virus scanner 1 reports exit code of 0
06/06/2005 10:00:55 Q109E001900B2AC5A Scanned: Virus Free [MIME: 3 1438701]

dec0606.log

06/06/2005 10:01:13 Q109E001900B2AC5A CMDSPACE:8 . Total weight = 8.
06/06/2005 10:01:13 Q109E001900B2AC5A Tests failed [weight=8]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=IGNORE[0] IPNOTINMX=IGNORE[0] CMDSPACE=IGNORE[8]
06/06/2005 10:01:13 Q109E001900B2AC5A Msg failed CMDSPACE (Space found in RCPT TO: command.). Action="">
06/06/2005 10:01:13 Q109E001900B2AC5A R1 Message OK
06/06/2005 10:01:13 Q109E001900B2AC5A Subject: FW: FW: hamster[Scanned By NHC]
06/06/2005 10:01:13 Q109E001900B2AC5A From: [EMAIL PROTECTED] To: IP: 195.11.194.53 ID: 2005060609594485-37998
06/06/2005 10:01:13 Q109E001900B2AC5A Action(s) taken for [copyall_account] = IGNORE [LAST ACTION="">
06/06/2005 10:01:13 Q109E001900B2AC5A Using [incoming] CFG file C:\IMail\Declude\$default$.junkmail.
06/06/2005 10:01:13 Q109E001900B2AC5A Tests failed [weight=8]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=IGNORE[0] IPNOTINMX=IGNORE[0] CMDSPACE=WARN[8]
06/06/2005 10:01:13 Q109E001900B2AC5A Msg failed CMDSPACE (Space found in RCPT TO: command.). Action="">
06/06/2005 10:01:13 Q109E001900B2AC5A L2 Message OK
06/06/2005 10:01:13 Q109E001900B2AC5A Subject: FW: FW: hamster[Scanned By NHC]
06/06/2005 10:01:13 Q109E001900B2AC5A From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 195.11.194.53 ID: 2005060609594485-37998
06/06/2005 10:01:13 Q109E001900B2AC5A Action(s) taken for [EMAIL PROTECTED] = IGNORE WARN [LAST ACTION="">
06/06/2005 10:01:13 Q109E001900B2AC5A Cumulative action(s) taken on this email = IGNORE WARN [LAST ACTION="">

Paul Crouch
Technical Manager
Marble Building Products Ltd
Tel: 01759 373352
Fax: 01759 373394
Email: [EMAIL PROTECTED]

Re: [Declude.Virus] Newbie question

2005-06-06 Thread Darin Cox
Great... Could the Declude staff have this added to the manual?

Darin.



Re: [Declude.Virus] Banned Extensions Still Getting Through?

2005-06-06 Thread Matt




It looks like the file name is in the MIME segment headers in
quoted-printable format (=?ISO-8859-1?Q?). I am going to assume that
Declude isn't parsing quoted printable in the file names based on your
log line. I would report this to Declude support as this would
definitely be a shortcoming. All encoding of file names should be
decoded before any checks for extensions are made.

Matt




-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
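Matt's point, that the file name must be decoded before the extension is compared, as an added Python example; this is not Declude's code. The name in Paul's log is an RFC 2047 encoded-word in the Q encoding (where `_` stands for a space and `=2E` for a dot), so its raw form never ends in `.mpg` and a check on the raw token cannot match. The ban list and the two-attachment sample message are constructed, and the "naive" check is my reconstruction of the behaviour the log suggests, not Declude's actual code.

```python
import email
import os
from email.header import decode_header, make_header

# Constructed ban list in the spirit of Paul's virus.cfg additions
BANNED_EXTENSIONS = {".mpg", ".mpeg", ".wmv", ".exe", ".scr", ".pif"}

# The file name exactly as it appears in Paul's vir0606.log
ENCODED_NAME = "=?ISO-8859-1?Q?POWERLEAGUE_HAMSTER=2Empg?="


def decode_filename(name: str) -> str:
    """Decode RFC 2047 encoded-words (Q or B) in a MIME file name.
    Plain names pass through unchanged."""
    return str(make_header(decode_header(name)))


def extension_of(name: str) -> str:
    # Strip trailing dots/spaces first: some clients ignore them, a check must not.
    return os.path.splitext(name.rstrip(" ."))[1].lower()


def is_banned_naive(name: str) -> bool:
    """Compare the raw token: what the log suggests the 2.0.6 build did."""
    return extension_of(name) in BANNED_EXTENSIONS


def is_banned(name: str) -> bool:
    """Decode first, then compare."""
    return extension_of(decode_filename(name)) in BANNED_EXTENSIONS


# Constructed two-attachment message modelled on the log (bodies are dummies)
SAMPLE_MESSAGE = b"""\
From: someone@example.com
To: victim@example.com
Subject: FW: FW: hamster
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

see attached
--B1
Content-Type: image/jpeg; name="pic09894.jpg"
Content-Disposition: attachment; filename="pic09894.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--B1
Content-Type: video/mpeg
Content-Disposition: attachment; filename="=?ISO-8859-1?Q?POWERLEAGUE_HAMSTER=2Empg?="
Content-Transfer-Encoding: base64

AAABuiEAAQABgAMB
--B1--
"""


def banned_attachments(raw_message: bytes):
    """Walk every MIME part and return the decoded names that hit the ban list."""
    msg = email.message_from_bytes(raw_message)
    found = []
    for part in msg.walk():
        name = part.get_filename()   # handles RFC 2231 params, not RFC 2047 words
        if name and is_banned(name):
            found.append(decode_filename(name))
    return found


if __name__ == "__main__":
    print(decode_filename(ENCODED_NAME))                            # POWERLEAGUE HAMSTER.mpg
    print(is_banned_naive(ENCODED_NAME), is_banned(ENCODED_NAME))  # False True
    print(banned_attachments(SAMPLE_MESSAGE))                      # ['POWERLEAGUE HAMSTER.mpg']
```

Note that `get_filename()` only undoes RFC 2231 parameter encoding; the RFC 2047 form seen in the log has to be decoded separately, which is why the check decodes before it looks at the extension.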




Re[2]: [Declude.Virus] Second Scanner

2005-06-06 Thread David Sullivan
Hello Terry,

Sunday, June 5, 2005, 8:14:04 AM, you wrote:

 It took a reboot of both machines to fix the problem. On one I had 288
 process running which fouls everything else up.   Clam is SCANNER2
 
 Any ideas?

TF   What did the runclamscan log report if anything?  What kind of times
TF   are you seeing in it for the actual scanning?

Nothing. Just shows the last virus that was caught right before the
problem:

06-03-2005 23:44:37 0.2030,0.141,0.062 Worm.Mytob.CK 83 D23a50548011c8e81.SMD 73391
06-04-2005 00:44:08 0.1410,0.078,0.063 Worm.Mytob.BZ 83 D319849a0009e0bb9.SMD 69975

Scan times look very low, comparable to F-Prot.

TF   The only time I've had anything similar happen had to do with
TF   ownership of the files and folders. It seems to me I may have had to
TF   change the ownership of the virus folder but I don't recall now.

The very first error in the Declude virus log indicates that clam
didn't finish after 60 seconds so Declude is terminating. Then the
other errors about renaming/moving files start showing up. Plus more
timeout errors.

On a side note, during this whole process I had a Sniffer update that
failed to copy to my P:/ Drive. Clam is running on C:\, Spool is
running on O:\ and runclamscan/runclamd are on P:\

The two machines that this happened on are very different. One Win2k
vs. Win2k3, Imail 7.13 vs. Imail 8.15, both Declude 1.82

I can't find anything in the event or application logs that looks bad
around this time either.

-- 
Best regards,
 David    mailto:[EMAIL PROTECTED]



Re[4]: [Declude.Virus] Second Scanner

2005-06-06 Thread David Sullivan
Hello Scott,

Saturday, June 4, 2005, 7:08:02 PM, you wrote:

SF I also use Terry's runclamscan with no issues.

SF I have had rare email melt downs when I was running runclamd. I could never
SF pin it firmly on anything. So I stopped the runclamd to see how it handles.

So you're saying you use runclamscan but now you call clam directly
instead of calling runclamd?

-- 
Best regards,
 David    mailto:[EMAIL PROTECTED]



Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts
 I can't find anything in the event or application logs that looks bad
 around this time either.

  I can't either.

  I've switched my clamd.conf file settings to run on TCP/IP rather
  than local socket. In the clamd.log file there were accept() errors
  recorded when this occurs which is a socket command error.

  I don't know that running in TCP/IP will help but the conf file says
  it can help some stability issues on windows servers.

  I also see that once this starts the other scanners never get a
  return either - not sure why that would be.
  

---
Terry



Re[2]: [Declude.Virus] Second Scanner

2005-06-06 Thread David Sullivan

TF   What did the runclamscan log report if anything?  What kind of times
TF   are you seeing in it for the actual scanning?

I do have some weird log lines on one of the machines:

06-04-2005 13:48:35 0.4840,0.015,0.469 HTML.Phishing.Pay-39 65  0
06-04-2005 13:49:02 0.2660,0.031,0.235 Worm.SomeFool.P 64  0
06-04-2005 13:49:06 0.3280,0.046,0.266 Worm.Mytob.CK 62  0
06-04-2005 13:49:07 0.4840,0.047,0.437 Worm.Mytob.CK 105 De990167cd258.GSC,De99002de00b2b55f.SMD 0
06-04-2005 13:49:20 0.3750,0.079,0.296 Worm.SomeFool.P 64  0
06-04-2005 13:49:26 0.0630,0.031,0.032 Worm.Bagle.AU 62  0
06-04-2005 13:49:59 0.3590,0.125,0.219 Worm.Mytob.BT 62  0


These are about 20 lines before it quits.

Also, I do see on both machines, there are files in my folder on P:\
along with runclamscan and runclamd.

They have names like:

dbeaf2~1_clam.txt
dbeb03~1_clam.txt

There are 57 on one box and 80 on another. Every time I click on one of
the files, I get a simple Access Denied error even though ALL clam
processes are stopped and I'm running under a Domain Admin account.



Re: [Declude.Virus] Second Scanner

2005-06-06 Thread NIck Hayer




I am not real clear on this thread - but if it has to do with clamd -
it w/Declude no question has a problem in Windows. I have stopped using
it - it may take a week or even a month but it will crash...

-Nick



Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts

 I do have some weird log lines on one of the machines:

  Those look okay to me.

 There are 57 on one box and 80 on another. Every time I click on of
 the files, I get a simple Access Denied error even though ALL clam
 processes are stopped and I'm running under a Domain Admin account.

  These exist because the scanner never completed and the files are
  owned by SYSTEM.  You'll have to select them - right click - and
  change the owner to your Admin account so you can then change the
  permissions to delete them.

  




Re[2]: [Declude.Virus] Second Scanner

2005-06-06 Thread David Sullivan

TF   These exist because the scanner never completed and the files are
TF   owned by SYSTEM.  You'll have to select them - right click - and
TF   change the owner to your Admin account so you can then change the
TF   permissions to delete them.

So, it looks like the genesis of the problem is that clam started
timing out. As I mentioned, a completely separate process that copies
my Sniffer .snf file onto the same drive failed with a could not copy
file error after this whole thing happened. Even though, it could
read/delete a file on this volume.


-- 
Best regards,
 David    mailto:[EMAIL PROTECTED]



Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts

 it looks like the genesis of the problem is that clam started
 timing out.

  It may be but I haven't been able to force it to happen so far. For
  me this is the first instance of this in more than one year.

  I am suspicious that it could be a Windows socket issue which is why
  I've changed the clamd.conf settings.

  If you also want to try this find clamd.conf (usually in
  C:\clamav-devel\etc) and open in an editor. Change the following in
  clamd.conf:

Comment out with # the lines:
   LocalSocket /cygdrive/c/clamav-devel/clamd.sock
   FixStaleSocket yes
Uncomment the lines:
   TCPSocket 3310
   TCPAddr 127.0.0.1

  Restart clamd by Stopping Runclamd and then restarting.

  Since you've had more occurrences it may be a better test.

 As I mentioned, a completely separate process that copies my Sniffer
 .snf file onto the same drive failed with a could not copy file
 error

  That's very interesting although I'm uncertain what it may mean.


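Terry's clamd.conf change above, done programmatically in an added Python example; this is neither part of the thread nor ClamAV's own tooling. It comments out the LocalSocket and FixStaleSocket lines, uncomments TCPSocket and TCPAddr, leaves every other line alone, and re-reads the result so the active listener settings can be checked. The configuration text is constructed from the lines quoted in the thread. The loopback check is my addition: in TCP mode clamd is a network listener with no authentication, so TCPAddr should stay on 127.0.0.1 unless you mean to scan for other hosts.

```python
import re

# Constructed clamd.conf excerpt built from the lines quoted in the thread
SAMPLE_CONF = """\
# clamd.conf (constructed excerpt)
LogFile /cygdrive/c/clamav-devel/clamd.log
LocalSocket /cygdrive/c/clamav-devel/clamd.sock
FixStaleSocket yes
# UNCOMMENT THE FOLLOWING TWO OPTIONS IF YOU WANT
# CLAMAV TO RUN IN TCP/IP MODE, WHICH MAY SOLVE SOME
# STABILITY ISSUES ON SOME VERSIONS OF WINDOWS
#
#TCPSocket 3310
#TCPAddr 127.0.0.1
MaxThreads 10
"""

DISABLE = {"LocalSocket", "FixStaleSocket"}   # Unix-socket listener
ENABLE = {"TCPSocket", "TCPAddr"}             # TCP listener

# Matches "#TCPSocket 3310", "TCPSocket 3310", "LocalSocket /path":
# an optional leading '#', the directive name, and the rest of the line.
DIRECTIVE = re.compile(r"^(?P<comment>#\s*)?(?P<key>[A-Za-z]+)(?P<rest>\s+.*)?$")


def to_tcp_mode(conf: str) -> str:
    """Return the conf text with the Unix socket disabled and TCP enabled.
    Every other line, including the explanatory comments, is kept verbatim."""
    out = []
    for line in conf.splitlines():
        m = DIRECTIVE.match(line)
        if m is None:
            out.append(line)
            continue
        key, commented = m.group("key"), m.group("comment") is not None
        if key in DISABLE and not commented:
            out.append("#" + line)                      # comment out
        elif key in ENABLE and commented:
            out.append(key + (m.group("rest") or ""))   # uncomment
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def active_directives(conf: str) -> dict:
    """Map of uncommented directive -> value, as clamd would read it."""
    active = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        active[key] = value.strip()
    return active


def listens_on_loopback_only(conf: str) -> bool:
    """True when TCP mode is on, the Unix socket is off, and TCPAddr is loopback."""
    active = active_directives(conf)
    return (
        "TCPSocket" in active
        and not (DISABLE & set(active))
        and active.get("TCPAddr") == "127.0.0.1"
    )


if __name__ == "__main__":
    new_conf = to_tcp_mode(SAMPLE_CONF)
    print(new_conf)
    print("loopback only:", listens_on_loopback_only(new_conf))
```

Applying the transform twice yields the same text, so it is safe to re-run; and after the change clamd still has to be restarted (Terry: stop and restart Runclamd) before it listens on 3310.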


RE: [Declude.Virus] Second Scanner

2005-06-06 Thread Kaj Søndergaard Laursen
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Terry Fritts
 Sent: June 6, 2005 21:40
 To: David Sullivan
 Subject: Re: [Declude.Virus] Second Scanner

   If you also want to try this find clamd.conf (usually in
   C:\clamav-devel\etc) and open in an editor. Change the following in
   clamd.conf:
 
 Comment out with # the lines:
LocalSocket /cygdrive/c/clamav-devel/clamd.sock
FixStaleSocket yes
 Uncomment the lines:
TCPSocket 3310
TCPAddr 127.0.0.1

In my version of clamd.conf (just downloaded and installed, thanks for the info 
that made me try ClamAV Terry) it says

# UNCOMMENT THE FOLLOWING TWO OPTIONS IF YOU WANT
# CLAMAV TO RUN IN TCP/IP MODE, WHICH MAY SOLVE SOME
# STABILITY ISSUES ON SOME VERSIONS OF WINDOWS
#

before the TCPSocket and TCPAddr lines

Regards,

Kaj


Re[2]: [Declude.Virus] Second Scanner

2005-06-06 Thread David Sullivan
Hello Terry,

Monday, June 6, 2005, 3:39:42 PM, you wrote:


 it looks like the genesis of the problem is that clam started
 timing out.

TF   It may be but I haven't been able to force it to happen so far. For
TF   me this is the first instance of this in more than one year.

TF   I am suspicious that it could be a Windows socket issue which is why
TF   I've changed the clamd.conf settings.

Now, I have had socket issues. I'm accepting at a high rate from
IMGate on the front end and delivering to an outbound PF box on the
backend so I tend to have lots of sockets open to one IP.

Forgive me if I'm naive, but what does a local virus scanner have to
do with TCP/IP?

-- 
Best regards,
 David    mailto:[EMAIL PROTECTED]



Re: [Declude.Virus] [sniffer] New Spam/Virus?

2005-06-06 Thread Scott Fisher



Yes I have seen them too:

email starts with:

Dear Valued Member, According to our site policy 
you will have to confirm your account by the following link or else your account 
will be suspended within 24 hours for security reasons.

  - Original Message - 
  From: 
  Jim Matuska 
  
  To: sniffer@SortMonster.com 
  Sent: Monday, June 06, 2005 4:13 PM
  Subject: [sniffer] New Spam/Virus? 
  
  Is anyone else seeing a huge rash of spam/virus 
  messages in the last hour or so? I have multiple users that are getting 
  messages that are forging our own addresses and have a link that appears to go 
  to our website but instead goes elsewhere with a IP address link. These 
  do not appear to be infecting as file attachments but from the web link 
  itself. Pete, I have forwarded a few to your spam@ address, let me know 
  what you think.
  
  Jim Matuska Jr.
  Computer Tech2, CCNA
  Nez Perce Tribe
  Information Systems
  [EMAIL PROTECTED]
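Jim's observation, links whose visible text appears to lead to his own site while the href goes to a bare IP address, as an added Python detection example; it is not from the thread or from any product mentioned in it. The HTML sample is constructed from the wording Scott quotes, 203.0.113.45 is a documentation-range address standing in for the attacker's host, and example.com stands in for "our website".

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message text quoted in the thread
SAMPLE_HTML = """\
<p>Dear Valued Member, According to our site policy you will have to confirm
your account by the following link or else your account will be suspended
within 24 hours for security reasons.</p>
<a href="http://203.0.113.45/confirm.php?u=1">http://www.example.com/account/confirm</a><br>
<a href="http://203.0.113.45/">Click here</a><br>
<a href="http://203.0.113.45/login">example.com login</a><br>
<a href="http://www.example.com/help">Help pages</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of bare text like 'www.example.com/login'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host: str, domains) -> bool:
    """Exact match or subdomain of one of our domains (no suffix tricks)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(html: str, our_domains):
    """Return (href, text, reasons) for links that look like forged site links."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if is_ip_literal(target):
            reasons.append("href points at a bare IP address")
        looks_like_url = "." in text and " " not in text
        if looks_like_url:
            # the text is itself a URL/host: it must agree with the real target
            shown = host_of(text)
            if shown and shown != target:
                reasons.append(f"text shows {shown} but href goes to {target}")
        elif any(d in text.lower() for d in our_domains) and not belongs_to(target, our_domains):
            reasons.append("text names our domain but href goes elsewhere")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML, {"example.com"}):
        print(href, "|", text, "|", "; ".join(reasons))
```

On the sample, the three IP-address links are flagged (the first and third for two reasons each) and the genuine help link is not; the same function can be run over the HTML part of any held message.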


Re: [Declude.Virus] what does this mean in the virus log file?

2005-06-06 Thread NIck Hayer

Vulnerability flags = 76

Thanks!

-Nick



Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts

 Forgive me if I'm naive, but what does a local virus scanner have to
 do with TCP/IP?

  I'll write how I understand it. In the case being discussed we have
  ClamD running as a service under Windows. When clamdscan is called
  to actually scan a file then that instance of clamdscan communicates
  with ClamD which is already resident. Because ClamD is running and
  listening then this makes the scanning process faster since some
  functions are already in memory awaiting service. But in order for
  this to occur ClamD has to be listening for a request from the
  calling program.

  Normally the service establishes a socket - meaning a hole punched
  through the OS - to allow such communication to occur. However, for
  ClamD in the configuration file there is an option to bind the
  service to a specific IP address and a specific port assignment. For
  greater security 127.0.0.1 is the default address. But the service
  could be bound to another IP address.

  I don't know why this might solve stability problems on some
  versions of windows but that's the message in the conf and something
  I was advised to try from my forum posting.

  Since the error I was seeing in the ClamD log file was an error with
  accept() it seemed reasonable to me to try it.





Re[2]: [Declude.Virus] Second Scanner

2005-06-06 Thread David Sullivan
Hello Terry,


TF   Normally the service establishes a socket - meaning a hole punched
TF   through the OS - to allow such communication to occur. However, for
TF   ClamD in the configuration file there is an option to bind the
TF   service to a specific IP address and a specific port assignment. For
TF   greater security 127.0.0.1 is the default address. But the service
TF   could be bound to another IP address.

Think I get it.

TF   I don't know why this might solve stability problems on some
TF   versions of windows but that's the message in the conf and something
TF   I was advised to try from my forum posting.

I have to be out of town starting Wednesday so I'm not doing anything
now, but I'll try it too first thing next week.

TF   Since the error I was seeing in the ClamD log file was an error with
TF   accept() it seemed reasonable to me to try it.

I took ownership of and checked the clamd log file and it looks like I
have the same errors, but on both boxes it took less than 18 hours to
have the problem:

Jun  4 10:46:54 2005 - ERROR: accept() failed: Software caused connection abort
Sat Jun  4 10:46:56 2005 - ERROR: accept() failed: Software caused connection abort
Sat Jun  4 10:46:56 2005 - ERROR: accept() failed: Software caused connection abort

This is exactly the time this machine blew up.

-- 
Best regards,
 David    mailto:[EMAIL PROTECTED]
