RE: [Declude.Virus] AUTOFORGE
OOPS, brainfart.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)

> From: Gary Steiner
> Sent: Friday, October 27, 2006 5:07 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AUTOFORGE
>
> I think you meant to say SKIPIFFORGING not SKIPIFFORGINGVIRUS.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] AUTOFORGE
I think you meant to say SKIPIFFORGING not SKIPIFFORGINGVIRUS.

> From: "John T (Lists)" <[EMAIL PROTECTED]>
> Sent: Friday, October 27, 2006 7:52 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AUTOFORGE
>
> FORGINGVIRUS is in the virus.cfg file and it is to list those viruses that forge the from address. Then, in your various eml files, you just need to put in SKIPIFFORGINGVIRUS instead of having to list each SKIPIFVIRUSNAMEHAS.
RE: [Declude.Virus] AUTOFORGE
Also, can anyone supply their current list of FORGINGVIRUS?

Kevin Bilbee

> From: Gary Steiner
> Sent: Friday, October 27, 2006 4:19 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AUTOFORGE
>
> Is the command FORGINGVIRUS still used? It doesn't seem to be mentioned in the new manuals on the Declude web site, or in the knowledgebase either.
>
> My main question is how does FORGINGVIRUS work? Is it looking for any string within the virus name? For example, will the statement
>
>     FORGINGVIRUS Stration
>
> pick up both "Worm.Stration.YY" and "I-Worm.Stration" as matches?
>
> Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME? Do you need to have both statements in the virus.cfg or is that redundant?
RE: [Declude.Virus] AUTOFORGE
> Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME? Do you need to have both statements in the virus.cfg or is that redundant?

FORGINGVIRUS is in the virus.cfg file and it is to list those viruses that forge the from address. Then, in your various eml files, you just need to put in SKIPIFFORGINGVIRUS instead of having to list each SKIPIFVIRUSNAMEHAS.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)
RE: [Declude.Virus] AUTOFORGE
Is the command FORGINGVIRUS still used? It doesn't seem to be mentioned in the new manuals on the Declude web site, or in the knowledgebase either.

My main question is how does FORGINGVIRUS work? Is it looking for any string within the virus name? For example, will the statement

    FORGINGVIRUS Stration

pick up both "Worm.Stration.YY" and "I-Worm.Stration" as matches?

Also, how is FORGINGVIRUS different from SKIPIFVIRUSNAME? Do you need to have both statements in the virus.cfg or is that redundant?

Thanks,

Gary

> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Friday, October 27, 2006 3:56 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] AUTOFORGE
>
> I suggested adding STRATION a week or more ago.
>
> Likewise, the string WAREZOV should be added to the AUTOFORGE database (or your own virus.cfg e.g. FORGINGVIRUS WAREZOV). There have been many iterations of this virus, and according to F-Secure, the creators are still pumping out new versions.
RE: [Declude.Virus] AUTOFORGE
I suggested adding STRATION a week or more ago.

Likewise, the string

    WAREZOV

should be added to the AUTOFORGE database (or your own virus.cfg e.g. FORGINGVIRUS WAREZOV). There have been many iterations of this virus, and according to F-Secure, the creators are still pumping out new versions.

Andrew.

> From: Andy Schmidt
> Sent: Friday, October 27, 2006 6:03 AM
> To: 'Declude Virus List'
> Subject: [Declude.Virus] AUTOFORGE
>
> Hi, is this still being actively maintained? If so, W32/Stration.dldr should be added as forging. Based on bounces that I'm seeing (from inbound-only mailboxes on our domain) it is forging the sender.
[Declude.Virus] AUTOFORGE
Hi,

is this still being actively maintained?

If so,

    W32/Stration.dldr

should be added as forging. Based on bounces that I'm seeing (from inbound-only mailboxes on our domain) it is forging the sender.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.
Hi All,

I decided to try an older build of ClamAV since my virus.cfg matches everyone else's. The difference in outputs lies in the sosdg.org ClamAV versions. The older version 0.84rc2-2 produces the proper output for DLAnalyzer:

    10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
    10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O

The latest version 0.88.4-1 will produce an incorrect output that DLAnalyzer is not able to compile:

    10/26/2006 12:38:28.828 q38cc128a00b2b1ba.smd Virus scanner 3 reports exit code of 1
    10/26/2006 12:38:28.843 q38cc128a00b2b1ba.smd Scanner 3: Virus= Attachment= [14] O
    10/26/2006 12:38:28.843 q38cc128a00b2b1ba.smd File(s) are INFECTED [ Html.Phishing.Pay.Gen358.Sanesecurity.06091502: 1]

Thanks to all who provided suggestions.

Eddie :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eddie Pang
Sent: Wednesday, October 25, 2006 8:44 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.

Hi All,

I am stumped. I am trying to run ClamAV to take advantage of clamdscan.exe for speed and performance, but I am unable to gather statistics for use with DLAnalyzer. Looking closer at the logs, I find a slight variation between the 2 products. ClamWin reports the phish/virus on the same line as Virus=. However with ClamAV, the Virus= is blank, and the phish/virus is on the next line.

ClamAV is from www.sosdg.org version 0.88.4-1, and ClamWin is from www.clamwin.net version 0.88.5.

Any suggestions to ClamAV (Scanner3) would be greatly appreciated.

Sincerely,
Eddie.

==========
    SCANFILE2 C:\imail\declude\runclamscan.exe log=2 c:\Progra~1\clamwin\bin\clamscan.exe --verbose --database="C:\Docume~1\Alluse~1\.clamwin\db" --tempdir="c:\temp" --no-summary --max-ratio 0 -l report.txt
    VIRUSCODE2 1
    REPORT2 FOUND
    #
    SCANFILE3 C:\imail\declude\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
    VIRUSCODE3 1
    REPORT3 FOUND
==========
    10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
    10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O
    10/25/2006 19:07:59.578 q4148041a01064bf4.smd Virus scanner 3 reports exit code of 1
    10/25/2006 19:07:59.578 q4148041a01064bf4.smd Scanner 3: Virus= Attachment= [14] O
    10/25/2006 19:07:59.578 q4148041a01064bf4.smd File(s) are INFECTED [ Html.Phishing.Rock.Sanesecurity.06050500: 1]
==========
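Added example, not part of Eddie's post and not Declude, DLAnalyzer or ClamAV code: a Python script that normalises the two log shapes Eddie shows above (the name on the "Scanner N: Virus=" line, or a blank "Virus=" with the name on the following "File(s) are INFECTED" line) and then applies a virus.cfg FORGINGVIRUS list the way John T describes in the AUTOFORGE thread on this page, so that the sender notice is skipped for an address-forging virus. The log excerpt reuses Eddie's lines plus one constructed detection of W32/Stration.dldr (queue id and timestamp invented); the virus.cfg fragment is constructed from the names proposed in that thread; and the matching rule (case-insensitive substring of the reported name, which Gary asks about but the thread never confirms) is an assumption, not documented Declude behaviour.

```python
"""Added example, not Declude, DLAnalyzer or ClamAV code.  Parses Declude
scanner log lines in both shapes seen on this page and applies a
FORGINGVIRUS list to decide whether to notify the sender.  The substring
matching rule is an assumption, not documented Declude behaviour."""
import re

# Constructed log excerpt: Eddie's lines plus one made-up detection of the
# virus Andy reported (queue id and timestamp invented).
LOG = """\
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O
10/26/2006 12:38:28.828 q38cc128a00b2b1ba.smd Virus scanner 3 reports exit code of 1
10/26/2006 12:38:28.843 q38cc128a00b2b1ba.smd Scanner 3: Virus= Attachment= [14] O
10/26/2006 12:38:28.843 q38cc128a00b2b1ba.smd File(s) are INFECTED [ Html.Phishing.Pay.Gen358.Sanesecurity.06091502: 1]
10/27/2006 06:03:00.000 qexample000000001.smd Scanner 1: Virus= W32/Stration.dldr Attachment= [7] O
"""

# Constructed virus.cfg fragment using the names proposed in the AUTOFORGE thread.
VIRUS_CFG = """\
# viruses that forge the From address
FORGINGVIRUS Stration
FORGINGVIRUS WAREZOV
"""

# "Scanner N: Virus= <name> Attachment=" with the name optional (blank case).
SCANNER_LINE = re.compile(
    r"(?P<qid>\S+\.smd) Scanner (?P<n>\d+): Virus=(?: (?P<name>\S+))? Attachment=")
# Fallback line that carries the name when Virus= was blank.
INFECTED_LINE = re.compile(
    r"(?P<qid>\S+\.smd) File\(s\) are INFECTED \[ (?P<name>[^:\]]+): \d+\]")


def detections(log_text):
    """Return (queue_id, scanner_no, virus_name) per Scanner line.  A blank
    name is filled from a later INFECTED line for the same queue file; if
    none follows, the name stays '' (the gap DLAnalyzer ran into)."""
    results = []
    pending = {}  # queue id -> index of a detection still missing its name
    for line in log_text.splitlines():
        m = SCANNER_LINE.search(line)
        if m:
            name = m.group("name") or ""
            results.append([m.group("qid"), int(m.group("n")), name])
            if not name:
                pending[m.group("qid")] = len(results) - 1
            continue
        m = INFECTED_LINE.search(line)
        if m and m.group("qid") in pending:
            results[pending.pop(m.group("qid"))][2] = m.group("name")
    return [tuple(r) for r in results]


def forging_patterns(cfg_text):
    """Collect FORGINGVIRUS arguments from a virus.cfg fragment, lower-cased."""
    patterns = []
    for line in cfg_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "FORGINGVIRUS":
            patterns.append(parts[1].strip().lower())
    return patterns


def is_forging(virus_name, patterns):
    """Assumed rule: a FORGINGVIRUS entry matches as a case-insensitive
    substring, so one 'Stration' entry covers Worm.Stration.YY,
    I-Worm.Stration and W32/Stration.dldr alike.  An empty name never
    matches."""
    v = virus_name.lower()
    return bool(v) and any(p in v for p in patterns)


def notify_sender(virus_name, patterns):
    """What SKIPIFFORGING in a sender-notification .eml amounts to in this
    model: no notice when the virus is known to forge the From address,
    since the notice would be backscatter to an uninvolved third party."""
    return not is_forging(virus_name, patterns)


if __name__ == "__main__":
    pats = forging_patterns(VIRUS_CFG)
    for qid, scanner, name in detections(LOG):
        action = "notify" if notify_sender(name, pats) else "skip"
        print(qid, scanner, name or "<no name>", action)
```

The reason for carrying the fallback line shows in the second detection: read from the Scanner line alone, the name is empty, nothing in the FORGINGVIRUS list can match it, and in this model a name-keyed skip rule would let the notice go out to whatever forged address is in the From header. Keeping the log parser in step with each scanner build's output format is therefore not only a statistics problem but a backscatter one.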