Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
One side note - if this feature is added please make sure this feature is "configurable" so we can disable it if we choose (which I would). I have customers who "hold" all spam for a certain period of time and then we delete. If anything needs to be returned to the queue it is scanned manually or returned to the proc for reprocessing. Virus scanning on all messages held would defeat the whole purpose of AVAFTERJM for their implementation.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Bonno Bloksma wrote:

Hi,

(Open mail request)

Dear Declude people. I have asked this before and with the current spam levels can we PLEASE have this feature now ASAP? We all want to use AVAFTERJM but could you PLEASE make it scan all mail which is not deleted? If that is too big a step at first because of all the possible copy, routeto, etc statements can we at least have it for the HOLD action asap?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

----- Original Message -----
From: Kevin Bilbee
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 5:25 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Be careful with this setting. If a message gets held as spam it will not be virus scanned. Make sure you scan any message moved back into the delivery queue for viruses before placing it in the delivery queue folder.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Friday, June 13, 2008 6:10 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
>
> AVAFTERJM has been around a long time. I don't remember what version, but
> it was a 1.x version.
>
> Are you familiar with the setting? It tells Declude to run Anti-Virus after
> Junkmail. It then only runs AV after checking to see if the message is
> spam. With the spam load these days, I would expect that to be the desired
> config, resulting in AV scanning on only about 10% of incoming mail instead
> of 100%. However, it is not the default setting, which runs AV first, then
> Junkmail.
>
> That could easily account for yours and Kathy's 70-100% CPU.
>
> Darin.
>
>
> ----- Original Message -----
> From: "Brian Lin" <[EMAIL PROTECTED]>
> To: <declude.virus@declude.com>
> Sent: Friday, June 13, 2008 8:55 AM
> Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
>
>
> No, I am still using antique version declude and
> imail.
>
> ----- Original Message -----
> From: "Darin Cox" <[EMAIL PROTECTED]>
> To: <declude.virus@declude.com>
> Sent: Friday, June 13, 2008 8:07 PM
> Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
>
>
> > Interesting that you are also seeing the 70-100% CPU with F-Prot 6, where
> > we are not.
> >
> > Are you running AVAFTERJM?
> >
> > Darin.
> >
> >
> > ----- Original Message -----
> > From: "Brian Lin" <[EMAIL PROTECTED]>
> > To: <declude.virus@declude.com>
> > Sent: Friday, June 13, 2008 5:23 AM
> > Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
> >
> >
> > I just terminate my F-Prot 6, and installed ClamAV SOSDG
> >
> > Before that, my CPU usage is always run to skyhigh,
> > at around 70%-100%, now using ClamAV, reduce
> > to 5%-20%, still catching all the testing virus.
> >
> > F-prot 6 do not provide option like noboot, nomem,
> > I guess these become the default setting, and cause
> > very high CPU and harddisk usage.
> >
> > Alex instruction dated at 6 June 2008 for ClamAV installation
>
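The caution raised in this thread, as an added example (not written by any poster and not Declude code): with AVAFTERJM, held mail has never been virus scanned, so a release step should scan each held message and requeue it only on a clean verdict. The directory names, function names and the stand-in scanner in `demo()` are assumptions; the clamdscan exit codes used (0 clean, 1 infected, anything else an error) are ClamAV's documented ones.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

CLEAN, INFECTED = 0, 1  # clamdscan exit codes; any other value is a scanner error


def clamdscan_verdict(path, clamdscan="clamdscan"):
    """Return clamdscan's exit code for one file (absolute path, no shell)."""
    try:
        proc = subprocess.run(
            [clamdscan, "--quiet", str(Path(path).resolve())],
            capture_output=True,
            timeout=120,
        )
    except (OSError, subprocess.TimeoutExpired):
        return 2  # scanner missing or hung: report an error, never "clean"
    return proc.returncode


def release_held(hold_dir, queue_dir, quarantine_dir, scan=clamdscan_verdict):
    """Scan every held message and requeue only the clean ones.

    Returns a dict of file names: released, quarantined, kept.
    A scanner error leaves the message in the hold folder (fail closed).
    """
    hold, queue, quarantine = Path(hold_dir), Path(queue_dir), Path(quarantine_dir)
    queue.mkdir(parents=True, exist_ok=True)
    quarantine.mkdir(parents=True, exist_ok=True)
    result = {"released": [], "quarantined": [], "kept": []}
    for msg in sorted(p for p in hold.iterdir() if p.is_file()):
        code = scan(msg)
        if code == CLEAN:
            shutil.move(str(msg), str(queue / msg.name))
            result["released"].append(msg.name)
        elif code == INFECTED:
            shutil.move(str(msg), str(quarantine / msg.name))
            result["quarantined"].append(msg.name)
        else:
            result["kept"].append(msg.name)
    return result


def demo():
    """Constructed sample: three held files and a stand-in scanner (no clamd needed)."""

    def fake_scan(path):
        data = Path(path).read_bytes()
        if b"CONSTRUCTED-TEST-MARKER" in data:
            return INFECTED
        if not data:
            return 2  # simulate a scanner error on this file
        return CLEAN

    with tempfile.TemporaryDirectory() as root:
        hold = Path(root, "hold")
        hold.mkdir()
        (hold / "a.eml").write_bytes(b"Subject: hello\r\n\r\nplain text\r\n")
        (hold / "b.eml").write_bytes(b"Subject: card\r\n\r\nCONSTRUCTED-TEST-MARKER\r\n")
        (hold / "c.eml").write_bytes(b"")
        result = release_held(hold, Path(root, "queue"), Path(root, "quarantine"), scan=fake_scan)
        result["queue"] = sorted(p.name for p in Path(root, "queue").iterdir())
        result["still_held"] = sorted(p.name for p in hold.iterdir())
        return result


if __name__ == "__main__":
    print(demo())
```
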
[Declude.Virus] CLAMD - clamav-0.92.1-2a
I just did an upgrade for a client to the latest version of clamd (clamav-0.92.1-2a) from http://www.sosdg.org/clamav-win32. They are using the clamd wrapper. After the install I went to start the service and received the following error.

    04-04-2008 10:32:56 SERVICE_START_PENDING
    04-04-2008 10:32:56Status: 4
    04-04-2008 10:33:07 startfailed 0

The clamd wrapper shields many of the errors that will cause a "startfailed" condition. If you manually run clamd you can get a bit more verbose info.

Example:

    C:\clamav-devel\bin>clamd.exe
    ERROR: Parse error at line 246: Unknown option ArchiveMaxFileSize.
    ERROR: Can't open/parse the config file /cygdrive/c/clamav-devel/etc/clamd.conf

    C:\clamav-devel\bin>clamd.exe
    ERROR: Parse error at line 253: Unknown option ArchiveMaxRecursion.
    ERROR: Can't open/parse the config file /cygdrive/c/clamav-devel/etc/clamd.conf

    C:\clamav-devel\bin>clamd.exe
    ERROR: Parse error at line 258: Unknown option ArchiveMaxFiles.
    ERROR: Can't open/parse the config file /cygdrive/c/clamav-devel/etc/clamd.conf

    C:\clamav-devel\bin>clamd.exe
    ERROR: Parse error at line 264: Unknown option ArchiveMaxCompressionRatio.
    ERROR: Can't open/parse the config file /cygdrive/c/clamav-devel/etc/clamd.conf

After fixing those issues - everything ran as expected.

Darrell

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] extracting base64 encoded files
Bonno,

This should do the trick. http://www.fourmilab.ch/webtools/base64/

Darrell

Bonno Bloksma wrote:

Hi,

I had some valentine mail come through which was caught as suspicious. However, in the end it was reported as Unknown virus in Unknown File. I now want to have a better look at the enclosed base64 encoded card.zip. But... what tool to use to extract that zip file without sending it to my mail program. I used to be able to extract uuencoded stuff with my zip archive tool but... What to use for base64 encoded stuff?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
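For the question in this thread, an added example (not from either poster and unrelated to the linked tool): decoding a base64 attachment straight out of a saved raw message, without a mail client, and listing the zip's entries without unpacking them. The function names, the output naming scheme and the constructed sample message are assumptions of this example.

```python
import email
import os
import re
import tempfile
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import Path


def extract_attachments(raw_message: bytes, out_dir) -> list:
    """Decode every attachment of a raw RFC 822 message into out_dir.

    Returns [(saved_path, size_in_bytes), ...]. Nothing is opened or executed.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    saved = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # body text, not an attachment
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        # The sender controls the file name: keep only the base name, restrict
        # the character set, and add a suffix so a double-click does nothing.
        base = os.path.basename(filename.replace("\\", "/"))
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", base)
        target = out / f"{index:02d}_{safe}.sample"
        target.write_bytes(payload)
        saved.append((target, len(payload)))
    return saved


def list_zip(path) -> list:
    """Names stored in a zip's central directory; nothing is extracted."""
    with zipfile.ZipFile(path) as archive:
        return archive.namelist()


def build_sample() -> bytes:
    """Constructed message: text body plus a base64 'card.zip' (an empty archive)."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached card")
    empty_zip = b"PK\x05\x06" + b"\x00" * 18  # end-of-central-directory record only
    m.add_attachment(empty_zip, maintype="application", subtype="zip",
                     filename="../card.zip")  # hostile-looking name on purpose
    return m.as_bytes()


def demo():
    """Run the extraction on the constructed sample; returns (name, size, zip entries)."""
    with tempfile.TemporaryDirectory() as work:
        saved = extract_attachments(build_sample(), work)
        path, size = saved[0]
        return path.name, size, list_zip(path)


if __name__ == "__main__":
    print(demo())
```
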
Re: [Declude.Virus] IMmail 2006.23 release notes
Bonno,

After Declude finishes scanning the message it passes it off to smtp32.exe for delivery. I can't think of any instance where declude will use the imail.exe utility.

Darrell

Bonno Bloksma wrote:

Hi,

In the IMail 2006.23 release notes it states:

    The "IMail.exe" Client provided in the IMail Server contained a vulnerability due to a boundary error when processing emails with multipart MIME data, which could potentially compromise a user's system. "IMail.exe" will no longer be delivered during installation.

    Caution: It is recommended that existing installations remove "IMail.exe" from the IMail directory. It has been determined that utilizing this feature could potentially corrupt mailboxes.

I seem to remember Declude used this (IMail.exe) as part of its mail delivery. Is that still true with the 4.x versions?

I use it to send myself mails when something happens like a sniffer update. But that is just one script which I can change. Is there something similar that we can use?

p.s. I assume they mean IMail1 as there is no IMail.exe in the IMail directory.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

----- Original Message -----
From: Tom Lewis
To: [EMAIL PROTECTED]
Sent: Monday, December 10, 2007 2:28 PM
Subject: RE: [IMail Forum] apimmdd.txt files

The api/mmdd/.txt files are new in 9.23. There is informational logging taking place that is creating these logs. They can be used by tech support for diagnosing problems in the web client if they were to occur.

You can get to the release notes here: http://docs.ipswitch.com/IMail2006.23/ImailRelNotes/index.htm

Tom Lewis
Ipswitch, Inc.
Development Manager - Messaging Products
706-312-3573

--------
From: [EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, December 10, 2007 7:27 AM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] apimmdd.txt files

Hi,

As of IMail 2006.23 I have apimmdd.txt logfiles. However I cannot find what these are for. Is this the new extra debugging for the webmail? There seem to be no release notes for 2006.23, at least I cannot find them.

Apart from that, everything seems to be working ok.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.Virus] False Positive ClamAV
Are you sure CLAMAV is hitting on this or is this a hit from the SANE phish database being used with CLAM?

Darrell

----- Original Message -----
From: Bonno Bloksma
To: Declude.Virus@declude.com
Sent: Monday, May 21, 2007 7:09 AM
Subject: [Declude.Virus] False Positive ClamAV

Hi,

Some of our mail is getting caught by ClamAV. I've had two reports on two completely unrelated mails.

    Body of message generated response:
    554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV - http://www.clamav.net

I submitted a virus http://cgi.clamav.net/sendvirus.cgi tagging it as a false positive report. When I hit Submit I get an error stating this virus is already known and I should fix something in the submission. :-(

Can anyone tell me:
1) Whether this is normal behaviour for that page?
2) Where I can report this bug in the webpage? It's not a bug in the program so I don't think the Bugzilla page is the right place. If I need to report it via a mailing list, which one?
3) How I can check whether my report was received?

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.Virus] ClamAV lstat() failed. ERROR
Gary,

In order to scan the file I am sure Declude has to append the path to the files to scan otherwise how would the virus scanner know what to scan? It needs some type of path. Unless possibly it sets a working directory and expects the scanner to scan all the files in the working directory. I suspect it gets a path much like it calls an external application.

Flip your logs to debug what does it show?

Darrell

----- Original Message -----
From: "Gary Steiner" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, April 25, 2007 6:39 PM
Subject: [Declude.Virus] ClamAV lstat() failed. ERROR

In pursuing the problem of the new worm with a password-protected RAR file, I found a problem with ClamAV. I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with runclamd and runclamscan). Declude uses the following string:

    C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

If I try to use it at a command prompt, I get the lstat() failed error. If I type in the full path for my command string, such as

    C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

it works. The problem is that Declude scans a file in a different directory each time, so the path changes. So for Declude to work now, it would require a significant change in Declude.

But ClamAV worked before. What changed? Can it be changed back? Is this a problem with ClamAV in general, or just with the SOSDG Windows port? Do the other ClamAV ports have this problem?

Any suggestions you might have are greatly appreciated.

Gary Steiner
Re: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7
Honestly, I am not sure what all the individual files are, but here are my dates

    incavi.avm - 4/15/2007
    microavi.avg - 4/5/2007
    miniavg.avg - 2/16/2007
    avi7.avg - 2/21/2007

Howard - you can try this post from David from the Archive - http://www.mail-archive.com/declude.virus@declude.com/msg13473.html

Darrell

----- Original Message -----
From: Howard Smith (N.O.R.A.D.)
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED] ; 'David Barker'
Sent: Monday, April 16, 2007 6:28 AM
Subject: [Declude.Virus] AVG Virus updates - No updates from declude since 4/7/7

I have not had a virus update from decludes AVG builtin scanner since 4/6/7, has any one received any later updates, or suggestions to fix problem

Howard Smith
N.O.R.A.D. Inc.
P.O. Box 680116
Miami, Florida 33168
www.norad.com
[EMAIL PROTECTED]
Re: [Declude.Virus] virus via e-mail getting rare
All and all it has been way down for me as well. In mid 2005 I was averaging around 100K-200K viruses a month (with AVAFTERJM). That has been dropping and dropping. In 2006 the highest for any given month I had was 22K. This year I have had nothing over 2,500.

With running AVAFTERJM a lot of viruses also get tagged as spam. In 2003 we averaged around 400K+ viruses per month (which dropped by more than half when AVAFTERJM was enabled). Other things like greylisting also help thwart viruses.

Come to think about it I can't remember the last major virus trying to come in (mydoom?) that we had to deal with.

Darrell

----- Original Message -----
From: Bonno Bloksma
To: Declude.Virus@declude.com
Sent: Monday, March 26, 2007 8:37 AM
Subject: [Declude.Virus] virus via e-mail getting rare

Hi,

Is "virus via e-mail" a dying breed? There are days where I barely get any viruses via e-mail. Most of what gets caught is malformed mail, 99% spam.

I just did a test to see if my virus scanners are still working correctly, eicar is still being caught by both F-prot and Sophos so all seems to be working. Both scanners are also correctly updating their database.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
Bill,

The Imail\Declude folder is the one that matters. What are you getting in your logs?

Darrell

----- Original Message -----
From: "Bill Green dfn Systems" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 22, 2007 9:21 PM
Subject: Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

Thanks Darrell,

I put it in both declude.cfg files. I now have two. One in the IMail\Declude Folder, and one in the Program Files\Declude Folder. I'm not sure which one is working right now.

Bill Green
dfn Systems

----- Original Message -----
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 22, 2007 6:55 PM
Subject: Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

> Bill,
>
> It's
>
> CODE [PLACE YOUR DECLUDE CODE HERE]
>
> Darrell
>
> ----- Original Message -----
> From: "Bill Green dfn Systems" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, March 22, 2007 8:31 PM
> Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
>
>
> I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key
> message. According to the Archives, I need to put the Key in the
> declude.cfg file, but what is the correct syntax?
>
> License Key (KEY#) ?
> or
> Product Key (Key#) ?
> or just
> Key # ?
>
> Bill Green
> dfn Systems
>
> ---
> [This E-mail scanned for viruses by Declude EVA]
Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
Bill,

Do you have a declude.exe and a decludeproc in your imail folder? Do you have the decludeproc service in services? Do you also have a "proc" folder off of imail\spool (i.e. imail\spool\proc). Are files starting to be deposited into the proc folder?

Darrell

----- Original Message -----
From: "Bill Green dfn Systems" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 22, 2007 9:14 PM
Subject: Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

Is there an actual set of instructions for a Declude Upgrade for IMail? The Declude site lists Installation Instructions, but they are for SmarterMail. The Knowledge Base is no help. Declude Support has gone Home. My Upgrade has gone horribly wrong and I now seem to have a hybrid monster.

Bill Green
dfn Systems

----- Original Message -----
From: "Bill Green dfn Systems" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 22, 2007 6:31 PM
Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

> I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key
> message. According to the Archives, I need to put the Key in the
> declude.cfg file, but what is the correct syntax?
>
> License Key (KEY#) ?
> or
> Product Key (Key#) ?
> or just
> Key # ?
>
> Bill Green
> dfn Systems
Re: [Declude.Virus] Declude Upgrade on IMail - Key Trouble
Bill,

It's

    CODE [PLACE YOUR DECLUDE CODE HERE]

Darrell

----- Original Message -----
From: "Bill Green dfn Systems" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 22, 2007 8:31 PM
Subject: [Declude.Virus] Declude Upgrade on IMail - Key Trouble

I've just upgraded to the 4.x suite from 3.0. I'm getting the Invalid Key message. According to the Archives, I need to put the Key in the declude.cfg file, but what is the correct syntax?

License Key (KEY#) ?
or
Product Key (Key#) ?
or just
Key # ?

Bill Green
dfn Systems
[Declude.JunkMail] DLAnalyzer 5.2.1 Released
DLAnalyzer 5.2.0 has been released. DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail and Virus statistics into one report. Some of the features require the Enterprise or Standard version, but we also have a FREE LITE version available.

Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm
Release Notes: http://www.invariantsystems.com/download/current/readme.txt
Download: http://www.invariantsystems.com/dlanalyzer/download.aspx

Any questions let me know,
Darrell
Re: [Declude.Virus] Clam AV vs. AVG vs. McAfee
Wolf,

I use McAfee, CLAM, Internal AVG, and at one time (before licensing changes) F-Prot all at the same time. If you have extra CPU there is no reason not to use multiple scanners. One thing though, when I switched to processing AV last I saw a dramatic drop in viruses due to them being caught as spam. 50-60K a month down to less than 2K.

FWIW - I have McAfee as my last scanner and every now and then I see it grab a few viruses that the others miss.

Darrell

----- Original Message -----
From: Wolf Tombe
To: declude.virus@declude.com
Sent: Tuesday, March 06, 2007 10:16 AM
Subject: [Declude.Virus] Clam AV vs. AVG vs. McAfee

The discussion on the current version of Clam AV and Clam being able to detect some image spam got me thinking. Prior to Declude version 4.0, I always used McAfee AV to scan all incoming messages. When I upgraded to Declude 4 I decided to try its built in AV which seems to work fine. I'm curious though as to the opinions of others on this list as to the merits of using Clam or other anti-virus scanners either in place of the Declude built in AV or in addition to it.

Any opinions people would like to share will be appreciated.

Thanks!
Wolf
Re: [Declude.Virus] Current Version of Clam AV
In my normal maintenance window (once a week) all services are stopped and I clean out the work, error, proc, spool, and review folders. Since I stop CLAMAV as well I am able to delete those directories.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:22 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

Thanks for responding. I can't delete them until I restart the ClamAV service. Do you have a way of automatically deleting them, or do you schedule a task to restart ClamAV and then delete them? I tried using a schedule task but for some reason they still don't get deleted (but it's possible to do it manually.)

-----Original Message-----
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
Sent 2/27/2007 10:17:46 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

FWIW - I have always had left over directories from .84 on up.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 8:41 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

I am also running the 0.90-1, and it's working fine, except I still get leftover .vir directories inside the declude/proc dir. The error in the clamav log shows:

-> d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary directory ERROR

I've tried checking permissions, and made sure I have the clamav tmpdir variable set to my clamav tmp dir (which fixed a similar error that stopped the clamav service from starting.) But I haven't been able to fix this one. Anyone know how to fix this error? Thanks.

-----Original Message-----
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
Sent 2/26/2007 1:30:43 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

Gary, I upgraded on Friday and have not run into any issues.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Gary Steiner" <[EMAIL PROTECTED]>
To:
Sent: Monday, February 26, 2007 1:01 PM
Subject: RE: [Declude.Virus] Current Version of Clam AV

I see that SOSDG released a new version (0.90-1) of their Windows port of ClamAV on 02-22-2007. http://www.sosdg.org/clamav-win32/ Has anyone upgraded to it yet? Any problems?

Gary Steiner

-------- Original Message --------
> From: "Mark Reimer" <[EMAIL PROTECTED]>
> Sent: Friday, February 16, 2007 2:04 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Current Version of Clam AV
>
> Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90
> release for windows?
>
> Mark Reimer
> IT System Admin
> American CareSource
> 972-308-6887
>
> _
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
> Reimer
> Sent: Friday, February 16, 2007 10:06 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Current Version of Clam AV
>
> What is the current release of Clam AV for windows? I saw 0.90 stable is
> out
> now.
>
> Mark Reimer
> IT System Admin
> American CareSource
> 972-308-6887

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Current Version of Clam AV
FWIW - I have always had left over directories from .84 on up.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 8:41 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

I am also running the 0.90-1, and it's working fine, except I still get leftover .vir directories inside the declude/proc dir. The error in the clamav log shows:

-> d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary directory ERROR

I've tried checking permissions, and made sure I have the clamav tmpdir variable set to my clamav tmp dir (which fixed a similar error that stopped the clamav service from starting.) But I haven't been able to fix this one. Anyone know how to fix this error? Thanks.

-----Original Message-----
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
Sent 2/26/2007 1:30:43 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

Gary, I upgraded on Friday and have not run into any issues.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Gary Steiner" <[EMAIL PROTECTED]>
To:
Sent: Monday, February 26, 2007 1:01 PM
Subject: RE: [Declude.Virus] Current Version of Clam AV

I see that SOSDG released a new version (0.90-1) of their Windows port of ClamAV on 02-22-2007. http://www.sosdg.org/clamav-win32/ Has anyone upgraded to it yet? Any problems?

Gary Steiner

-------- Original Message --------
> From: "Mark Reimer" <[EMAIL PROTECTED]>
> Sent: Friday, February 16, 2007 2:04 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Current Version of Clam AV
>
> Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90
> release for windows?
>
> Mark Reimer
> IT System Admin
> American CareSource
> 972-308-6887
>
> _
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
> Reimer
> Sent: Friday, February 16, 2007 10:06 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Current Version of Clam AV
>
> What is the current release of Clam AV for windows? I saw 0.90 stable is
> out
> now.
>
> Mark Reimer
> IT System Admin
> American CareSource
> 972-308-6887
Re: [Declude.Virus] Current Version of Clam AV
Gary, I upgraded on Friday and have not run into any issues.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Gary Steiner" <[EMAIL PROTECTED]>
To:
Sent: Monday, February 26, 2007 1:01 PM
Subject: RE: [Declude.Virus] Current Version of Clam AV

I see that SOSDG released a new version (0.90-1) of their Windows port of ClamAV on 02-22-2007. http://www.sosdg.org/clamav-win32/ Has anyone upgraded to it yet? Any problems?

Gary Steiner

-------- Original Message --------
> From: "Mark Reimer" <[EMAIL PROTECTED]>
> Sent: Friday, February 16, 2007 2:04 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Current Version of Clam AV
>
> Clam AV releases prior to 0.90 have DoS issues I believe. Is there a 0.90
> release for windows?
>
> Mark Reimer
> IT System Admin
> American CareSource
> 972-308-6887
>
> _
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
> Reimer
> Sent: Friday, February 16, 2007 10:06 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Current Version of Clam AV
>
> What is the current release of Clam AV for windows? I saw 0.90 stable is
> out
> now.
>
> Mark Reimer
> IT System Admin
> American CareSource
> 972-308-6887
Re[2]: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Hi,

Declude needs to remove him from the list until he gets back from where he is.

Thanks,
Andrew Baldwin
[EMAIL PROTECTED]
http://www.thumpernet.com
315-282-0020

Thursday, January 4, 2007, 4:23:45 PM, you wrote:

> I hate autoresponders...but people sometimes tell me that I am too
> critical, so I guess I actually love them.
>
> Matt
>
> Colbeck, Andrew wrote:
>
> I think I received 36 of them.
> Andrew.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Craig Edmonds
> Sent: Thursday, January 04, 2007 12:55 PM
> To: [EMAIL PROTECTED]: RE: [Declude.Virus] I'm currently on a business trip
> down south and will be returning January 5th, 2007. If t
> Importance: High
>
> Is it me or did everyone get this autoresponder about 300 times?
> Kindest Regards
> Craig Edmonds
> 123 Marbella Internet
> W: www.123marbella.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of roconnor
> Sent: Thursday, January 04, 2007 9:45 PM
> To: [EMAIL PROTECTED]: [Declude.Virus] I'm currently on a business trip
> down south and will be returning January 5th, 2007. If t
> I'm currently on a business trip down south and will be
> returning January 5th, 2007. If this is an emergency please
> call our office at 360.527.9111
> Thanks,
> Rick
Re[2]: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Hi,

AMEN to that

Thanks,
Andrew Baldwin
[EMAIL PROTECTED]
http://www.thumpernet.com
315-282-0020

Thursday, January 4, 2007, 5:42:47 PM, you wrote:

> Ok, this makes it over a hundred received this afternoon.
> Declude, would you kindly remove him from the list so we don't all get
> inundated with more autoreplies?
> Also, this is a gentle reminder to be a good list netizen and don't use
> autoresponders for addresses that you use to subscribe to lists. If you
> need to use autoresponders, just set up a separate email address for list
> subscriptions and don't use one there.
> All the best,
> Darin.
>
> ----- Original Message -----
> From: "roconnor" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, January 04, 2007 4:24 PM
> Subject: [Declude.Virus] I'm currently on a business trip down south and
> will be returning January 5th, 2007. If t
> I'm currently on a business trip down south and will be returning January
> 5th, 2007. If this is an emergency please call our office at 360.527.9111
> Thanks,
> Rick
Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Matt,

But think of it on the bright side. At least we know where Rick is if we need to get in touch with him.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Thursday, January 04, 2007 4:23 PM
Subject: Re: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I hate autoresponders...but people sometimes tell me that I am too critical, so I guess I actually love them.

Matt

Colbeck, Andrew wrote:

I think I received 36 of them.
Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Thursday, January 04, 2007 12:55 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Importance: High

Is it me or did everyone get this autoresponder about 300 times?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roconnor
Sent: Thursday, January 04, 2007 9:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I'm currently on a business trip down south and will be returning January 5th, 2007. If this is an emergency please call our office at 360.527.9111

Thanks,
Rick
Re: [Declude.Virus] How to block an IP
Joe,

Just add the IP or CIDR block into the SMTP access control in Imail.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "J Porter" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 25, 2006 11:06 PM
Subject: [Declude.Virus] How to block an IP

Is there a way to block an IP address before analysis by Declude's AV (Ver 1.82 - Imail 8.x)?

I thought I should be able to do this with rules.ima by looking for a line in the header. So I have a line that says

H~xxx\.yyy\.zz\.

but it doesn't work. (In case you can't see it, the lines read \. = slash dot per Ipswitch docs)

I don't think the H~ (header contains) command reads everything in the header.

~Joe
[Declude.Virus] ClamAV, BitDefender, Symantec, Trend, Sophos
FYI - List of AV Vulns that were listed in the SANS Vulnerability Alert that affect most of us one way or another. Also, there was a McAfee vulnerability but it was for their linux based version.

06.50.31 CVE: CVE-2006-5874
Platform: Cross Platform
Title: Clam Anti-Virus MIME Attachments Denial of Service
Description: Clam Anti-Virus (ClamAV) is an anti-virus application for Windows and UNIX like operating systems. It is exposed to a denial of service issue because it fails to handle certain file types. Specifically, the vulnerability exists when the application processes base64-encoded MIME attachments. This results in a NULL pointer dereference crashing the affected application. ClamAV versions prior to 0.88.4-2 are affected.
Ref: http://www.securityfocus.com/archive/1/453968

MODERATE: BitDefender PE File Parsing Engine Integer Overflow
Affected:
BitDefender Antivirus and Antivirus Plus
BitDefender for ISA Server and MS Exchange
BitDefender Internet Security
BitDefender Mail Protection for Enterprises
BitDefender Online Scanner
Description: Multiple BitDefender products are vulnerable to an integer overflow in parsing packed PE (Portable Executable) files. Portable Executable files are the standard executable format on Microsoft Windows systems. Failure to properly handle certain malformed packed PE files can lead to an integer overflow and arbitrary code execution with the privileges of the scanning process.
Status: BitDefender confirmed, updates available. According to BitDefender's website, the update was distributed immediately via BitDefender's automatic update system, and no user interaction is required to install the update.
References: BitDefender Security Advisory http://www.bitdefender.com/KB323-en--cevakrnl.xmd-vulnerability.html

(11) Symantec Antivirus Big Yellow/Sagevo Worm
Description: eEye researchers have discovered a new worm that is exploiting a buffer overflow vulnerability in the Symantec Antivirus and Client Security software. The overflow being exploited by the Big Yellow/Sagevo worm was patched by Symantec in May 2006. Enterprises using Symantec AV or Client Security software should apply the patch immediately if they have not done so already. In addition, blocking access to the port 2967/tcp at the network perimeter will prevent any attacks originating from the Internet.
References:
eEye's Analysis of Worm Binary http://research.eeye.com/html/alerts/AL20061215.html
Symantec's Worm Analysis http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121309-3331-99&tabid=2

06.50.14 CVE: CVE-2006-5645
Platform: Third Party Windows Apps
Title: Multiple Trend Micro Antivirus RAR Archive Remote Denial of Service
Description: Trend Micro provides antivirus and software security applications. These applications are exposed to remote denial of service issues because they fail to properly handle file types, resulting in excessive consumption of system resources. Trend Micro Server Protect version 5.58, Trend Micro PC Cillin - Internet Security 2006 and Trend Micro Office Scan version 7.3 are affected.
Ref: http://www.trendmicro.com/en/home/us/home.htm

CRITICAL: Sophos Anti-Virus Multiple Vulnerabilities
Affected: Sophos products with a scanning engine version prior to 2.40
Description: Sophos Anti-Virus contains multiple buffer overflows in parsing CPIO and SIT archives. CPIO is a common archive format used primarily on Unix and Unix-like systems, and SIT is a common archive format used primarily on Apple Macintosh systems. A specially-crafted CPIO or SIT archive scanned by Sophos could exploit these buffer overflows and execute arbitrary code with the privileges of the scanning process. Some technical details for these vulnerabilities are publicly available.
Status: Sophos confirmed, updates available.
References: Sophos Knowledge Base Article http://www.sophos.com/support/knowledgebase/article/17340.html

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.Virus] DLAnalyzer 5.2.0 Released
DLAnalyzer 5.2.0 has been released. DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail and Virus statistics into one report. Some of the features require the Enterprise or Standard version, but we also have a FREE LITE version available.

New:
* Compatible with the log changes in Declude 4.3.x
* Fully Implements Zerohour reporting (Virus and Junkmail).
* Requires the .Net 2.0 Framework

Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm
Release Notes: http://www.invariantsystems.com/download/current/readme.txt
Download: http://www.invariantsystems.com/dlanalyzer/download.aspx

Any questions let me know,
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.JunkMail] DLAnalyzer 5.2.0 Released
DLAnalyzer 5.2.0 has been released. DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail and Virus statistics into one report. Some of the features require the Enterprise or Standard version, but we also have a FREE LITE version available.

New:
* Compatible with the log changes in Declude 4.3.x
* Fully Implements Zerohour reporting (Virus and Junkmail).
* Requires the .Net 2.0 Framework

Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm
Release Notes: http://www.invariantsystems.com/download/current/readme.txt
Download: http://www.invariantsystems.com/dlanalyzer/download.aspx

Any questions let me know,
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.
Eddie,

You do not need to run clamav twice to detect both phish and viruses. If you put the phish.ndb into the same directory as the clam db it will also use that. Also, for me to get the virus name I had to use the wrapper. This snippet below is from Scott Fisher who helped me get mine going.

I use this version of the cygwin clam
http://www.sosdg.org/clamav-win32/index.php

I use Terri Fitts's runclamscan wrapper and runclamd service:
http://www.smartbusiness.com/imail/declude/

Here is my virus.cfg entry

#
# Clam A/V
#
# Runclamscan log levels
# log=0 (no logging)
# log=1 (minimal logging only date, time, elapsed times, viruses)
# log=2 (log all messages same as 1)
# log=3 (debug log - whole bunch of stuff - multiple lines)
#
SCANFILE2 d:\imail\declude\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Hope this helps,
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Eddie Pang" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 26, 2006 2:43 AM
Subject: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.

Hi All,

I am stumped. I am trying to run ClamAV to take advantage of clamdscan.exe for speed and performance, but I am unable to gather statistics for use with DLAnalyzer. Looking closer at the logs, I find a slight variation between the 2 products. ClamWin reports the phish/virus on the same line as virus=. However with ClamAV, the Virus= is blank, and the phish/virus is on the next line.

ClamAV is from www.sosdg.org version 0.88.4-1, and ClamWin is from www.clamwin.net version 0.88.5.

Any suggestions to ClamAV (Scanner3) would be greatly appreciated.

Sincerely,
Eddie.

==========
SCANFILE2 C:\imail\declude\runclamscan.exe log=2 c:\Progra~1\clamwin\bin\clamscan.exe --verbose --database="C:\Docume~1\Alluse~1\.clamwin\db" --tempdir="c:\temp" --no-summary --max-ratio 0 -l report.txt
VIRUSCODE2 1
REPORT2 FOUND
#
SCANFILE3 C:\imail\declude\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE3 1
REPORT3 FOUND
==========
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Virus scanner 3 reports exit code of 1
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Scanner 3: Virus= Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd File(s) are INFECTED [ Html.Phishing.Rock.Sanesecurity.06050500: 1]
==========
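The log difference Eddie describes, as an added example that is not part of the original posts and is not DLAnalyzer's or Declude's code: a small Python parser that reads the per-scanner "Virus=" lines and, when a scanner leaves the name blank, falls back to the name on the message's "File(s) are INFECTED" line. It assumes the log line layout quoted above and that the summary line names a single threat; the second sample message is constructed.

```python
import re

# Declude Virus log line: date, time, spool file name, message text.
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\w+)\.smd (.*)$")
# "Scanner 3: Virus= <name, possibly empty> Attachment= ..."
SCANNER_RE = re.compile(r"Scanner (\d+): Virus=\s*(.*?)\s*Attachment=")
# "File(s) are INFECTED [ <name>: <count>]"
SUMMARY_RE = re.compile(r"File\(s\) are INFECTED \[\s*(.+?):\s*\d+\]")

# First message: the lines quoted in the post. Second message: constructed,
# a blank Virus= field with no summary line to fall back on.
SAMPLE_LOG = """\
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Virus scanner 3 reports exit code of 1
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Scanner 3: Virus= Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd File(s) are INFECTED [ Html.Phishing.Rock.Sanesecurity.06050500: 1]
10/25/2006 19:09:01.000 q0aaa00000001.smd Virus scanner 3 reports exit code of 1
10/25/2006 19:09:01.000 q0aaa00000001.smd Scanner 3: Virus= Attachment= [14] O
"""


def scanner_names(log_text):
    """Return {spool_id: {scanner_no: (name, source)}}.

    source is "scanner-line" when the scanner line carried the name,
    "summary-line" when it was recovered from the INFECTED line, and
    "unknown" (name None) when neither line supplies one.
    """
    reported = {}  # spool id -> {scanner number: name or ""}
    summary = {}   # spool id -> name taken from the INFECTED line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line: ignore rather than guess
        spool_id, text = m.groups()
        sc = SCANNER_RE.search(text)
        if sc:
            reported.setdefault(spool_id, {})[int(sc.group(1))] = sc.group(2)
            continue
        sm = SUMMARY_RE.search(text)
        if sm:
            summary[spool_id] = sm.group(1)

    result = {}
    for spool_id, scanners in reported.items():
        result[spool_id] = {}
        for number, name in scanners.items():
            if name:
                result[spool_id][number] = (name, "scanner-line")
            elif spool_id in summary:
                result[spool_id][number] = (summary[spool_id], "summary-line")
            else:
                result[spool_id][number] = (None, "unknown")
    return result


if __name__ == "__main__":
    for spool_id, scanners in scanner_names(SAMPLE_LOG).items():
        for number, (name, source) in sorted(scanners.items()):
            print(spool_id, "scanner", number, name, source)
```
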
Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
Matt,

I agree with every one of your points - My intent was to bring it up that I had reported this issue up a long time ago as I also thought that what was happening was undesirable. However, at the time Scott did not feel this was a bug. However, times change and back scatter is a huge issue. Maybe that's enough now to convince for an alteration of behavior. As my preference would be to handle mismatched exe's as its own class of which I would not send bannotify messages for.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 8:24 PM
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

Darrell,

I'm sure that it is desirable to block (when the detection isn't erroring), however having this handled as if it was an EXE when it comes to the bannotify.eml is problematic. Backscatter can get you blacklisted, not to mention it is annoying to get such things for forged E-mail.

I have Virus running after JunkMail and still I have bounced a dozen of these today alone (which excludes messages that reached my DELETE weight). For those that run JunkMail before Virus (the default), that number could be in the hundreds or thousands depending on volume since this comes from a major zombie spammer. I'm guessing that most are bouncing EXE's that aren't detected as viruses.

To check this, just search your Virus log for "mismatched.exe".

The behavior needs to be changed so that this doesn't trigger bannotify.eml bounces. I am testing using "SKIPIFEXT mismatched.exe" in my bannotify.eml to see if that helps, but this should not bounce such messages by default as if they were EXE's. It makes sense to give it a unique extension for these conditions and let us determine what to do with them instead of lumping it together with actions for EXE's.

Matt

Darrell ([EMAIL PROTECTED]) wrote:

I brought this up to Scott several years ago - and he said this is not a bug but a by design issue. He explained a scenario why this was important and I understood based on the explanation but for the life of me I can't remember the scenario.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam.

For example, here are the MIME headers from the spam sample:

Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>
Content-Disposition: inline; filename="smoky.1.gi"

You will note the Content-Type being image/jpeg and the file extension being "gi". Here is what Declude Virus finds:

10/01/2006 14:03:44.656 q02f8014a9ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a9ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a9ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
10/01/2006 14:03:45.437 q02f8014a9ecc.smd Subject: Re:
Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
I brought this up to Scott several years ago - and he said this is not a bug but a by design issue. He explained a scenario why this was important and I understood based on the explanation but for the life of me I can't remember the scenario.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam.

For example, here are the MIME headers from the spam sample:

Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>
Content-Disposition: inline; filename="smoky.1.gi"

You will note the Content-Type being image/jpeg and the file extension being "gi". Here is what Declude Virus finds:

10/01/2006 14:03:44.656 q02f8014a9ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a9ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:03:45.437 q02f8014a9ecc.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 62.161.108.7]
10/01/2006 14:03:45.437 q02f8014a9ecc.smd Subject: Re: diagnostician dull

This is clearly not desirable behavior, and I have run into a related bug previously (that was previously reported) where a filename that spans two lines (which is RFC compliant when 'folded') will be treated as an EXE and bounced if you are bouncing non-virus EXE's.

It is absolutely necessary to allow for bannotify.eml bouncing of messages with EXE extensions because they are commonly received legitimately regardless of whether they are allowed or not, but to have EXE be the assumed extension at the same time causes a lot of different issues. Because of this, I would strongly suggest that Declude assume a different extension when necessary, such as "unknown" so that we can configure Declude Virus to handle "unknown" files in a different way. We could choose for instance to block them, but not bounce them.

Thanks,
Matt
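The log check Matt suggests in this thread (search the Virus log for "mismatched.exe"), as an added example that is not part of the original posts and is not Declude's own code: a Python triage that groups log lines by spool file and separates messages banned only through the mismatched-extension rule, where a bannotify.eml bounce would be backscatter, from scanner detections and ordinary EXE bans. It assumes the log line layout quoted above and that a non-zero scanner exit code means a detection; all sample messages after the first are constructed.

```python
import re
from collections import defaultdict

# Declude Virus log line: date, time, spool file name, message text.
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\w+)\.smd (.*)$")
MISMATCH_RE = re.compile(r"Found file with mismatched extensions \[(.+)\]; assuming \.exe")
SCANNER_RE = re.compile(r"Virus scanner (\d+) reports exit code of (\d+)")
BAN_TEXT = "Banning file with EXE extension"

# First message: lines quoted in the post. The other three are constructed.
SAMPLE_LOG = """\
10/01/2006 14:03:44.656 q02f8014a9ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Banning file with EXE extension [image/jpeg].
10/01/2006 14:03:44.890 q02f8014a9ecc.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:03:45.421 q02f8014a9ecc.smd Scanned: Banned file extension. [Prescan OK][MIME: 2 26380]
10/01/2006 14:05:10.100 q0aaa00000001.smd MIME file: setup.exe [base64; Length=40960 Checksum=1234567]
10/01/2006 14:05:10.100 q0aaa00000001.smd Banning file with EXE extension [application/octet-stream].
10/01/2006 14:05:10.300 q0aaa00000001.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:05:10.700 q0aaa00000001.smd Virus scanner 2 reports exit code of 0
10/01/2006 14:06:20.000 q0bbb00000002.smd Found file with mismatched extensions [card.gif-card.scr]; assuming .exe
10/01/2006 14:06:20.000 q0bbb00000002.smd Banning file with EXE extension [image/gif].
10/01/2006 14:06:20.200 q0bbb00000002.smd Virus scanner 1 reports exit code of 0
10/01/2006 14:06:20.600 q0bbb00000002.smd Virus scanner 2 reports exit code of 1
10/01/2006 14:07:00.000 q0ccc00000003.smd Virus scanner 1 reports exit code of 0
"""


def parse(log_text):
    """Collect the mismatch, ban and scanner facts for each spool file."""
    msgs = defaultdict(lambda: {"mismatched": [], "banned": False, "exit_codes": {}})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line: ignore rather than guess
        spool_id, text = m.groups()
        rec = msgs[spool_id]
        mm = MISMATCH_RE.search(text)
        if mm:
            rec["mismatched"].append(mm.group(1))  # "name-filename" pair as logged
            continue
        if BAN_TEXT in text:
            rec["banned"] = True
            continue
        sc = SCANNER_RE.search(text)
        if sc:
            rec["exit_codes"][int(sc.group(1))] = int(sc.group(2))
    return dict(msgs)


def classify(rec):
    # Assumption: any non-zero scanner exit code is a detection.
    if any(code != 0 for code in rec["exit_codes"].values()):
        return "scanner-detection"
    if rec["banned"] and rec["mismatched"]:
        return "mismatch-ban-only"   # ban came from the assumed .exe only
    if rec["banned"]:
        return "exe-ban"             # ban with no mismatch line logged
    return "clean"


def triage(log_text):
    return {sid: classify(rec) for sid, rec in parse(log_text).items()}


def backscatter_candidates(log_text):
    """Spool ids whose ban notification would answer a mismatch-only ban."""
    return sorted(sid for sid, v in triage(log_text).items() if v == "mismatch-ban-only")


if __name__ == "__main__":
    for sid, verdict in triage(SAMPLE_LOG).items():
        print(sid, verdict)
    print("backscatter candidates:", backscatter_candidates(SAMPLE_LOG))
```
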
[Declude.Virus] Fw: A secret e-card has been sent fot you!!
Pretty nice piece of social engineering below - how many of your users will click on this tomorrow :) Who can resist the temptation of a "secret" greeting card. The link actually takes you to http://www.lkkm.cz/help/postcard.gif.exe

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: e-greetings.com
To: [EMAIL PROTECTED]
Sent: Thursday, September 28, 2006 10:20 PM
Subject: A secret e-card has been sent fot you!!

Hello friend !

A friend has sent you an ecard from e-greetings.com

Send free ecards from e-greetings.com with your choice of colors, words and music.

Your ecard will be available with us for the next 10 days. If you wish to keep the greeting longer, you may save it on your computer or take a print.

To view your ecard, click on the following Internet address.

http://www.e-greetings.com/view.php?&sid=1246

Hope you will visit us,
e-greetings.com
[Declude.Virus] CLAMAV - 88.3-1 - 7/11/2006 Release
I noticed a new build from the SOSDG group has been released (88.3-1). http://www.sosdg.org/clamav-win32/index.php Anyone running it yet? Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.Virus] Invalid file types triggering on an invalid file type
What version are you running, Matt? In version 3.0.5.20 they fixed a ms-tnef issue with winmail.dat. This might be the issue you are seeing.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Tuesday, July 18, 2006 7:48 PM
Subject: [Declude.Virus] Invalid file types triggering on an invalid file type

I found a message blocked for an "Invalid ZIP Vulnerability", but it doesn't have a zip attachment. The only attachment on this message is a winmail.dat. While that winmail.dat file clearly contains data of some sort, I am pretty certain that it is triggering vulnerabilities inappropriately, and I am positive that this message was not a virus.

My Declude Virus logs are showing both the Invalid ZIP Vulnerability and a bogus .jpg file. I would like to turn this detection off. Is there a switch to turn off this detection?

Detail follows:

HEADERS FROM THE SINGLE ATTACHMENT

--=_NextPart_000_0056_01C6A9CF.4BDDA860
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="winmail.dat"

VIRUS LOG ENTRIES

07/17/2006 06:32:40.488 q674000a2e465.smd Vulnerability flags = 862
07/17/2006 06:32:40.566 q674000a2e465.smd MIME file: winmail.dat [base64; Length=2312012 Checksum=33270092]
07/17/2006 06:32:40.800 q674000a2e465.smd Virus scanner 1 reports exit code of 0
07/17/2006 06:32:41.253 q674000a2e465.smd Virus scanner 2 reports exit code of 0
07/17/2006 06:32:41.253 q674000a2e465.smd Found a bogus .jpg file
07/17/2006 06:32:41.253 q674000a2e465.smd Invalid ZIP Vulnerability
07/17/2006 06:32:41.253 q674000a2e465.smd Found a bogus .Zip file
07/17/2006 06:32:41.253 q674000a2e465.smd File(s) are INFECTED [[Invalid ZIP Vulnerability]: 0]
07/17/2006 06:32:41.253 q674000a2e465.smd Scanned: CONTAINS A VIRUS [MIME: 7 2314810]
07/17/2006 06:32:41.269 q674000a2e465.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from ##.##.48.210]
07/17/2006 06:32:41.269 q674000a2e465.smd Subject: FW: M341092022 / M341092023

Thanks,
Matt
Re: [Declude.Virus] 4.2.20 Missing File Error in Log
After testing with AVG off it appears that the error about the missing file only occurs when AVG is on. With AVG disabled I get no error messages. Here is the relevant log info. I have confirmed this is an AVG issue. With AVG on I get the error; with AVG off I do not get the error.

Darrell

WITHOUT AVG ON

F:\Logs\Virus>grep -i q4ae100a56d71.smd vir0713.log
07/13/2006 09:30:16.468 q4ae100a56d71.smd Vulnerability flags = 0
07/13/2006 09:30:16.468 q4ae100a56d71.smd MIME file: [text/html][7bit; Length=126 Checksum=10064]
07/13/2006 09:30:16.468 q4ae100a56d71.smd MIME file: tyjguozxgx.gif [base64; Length=1137 Checksum=127847]
07/13/2006 09:30:16.484 q4ae100a56d71.smd MIME file: Dorothy.zip [base64; Length=84731 Checksum=10789144]
07/13/2006 09:30:16.484 q4ae100a56d71.smd Found encrypted .ZIP file
07/13/2006 09:30:16.484 q4ae100a56d71.smd Banning .ZIP file with encrypted exe extension.
07/13/2006 09:30:16.703 q4ae100a56d71.smd Virus scanner 1 reports exit code of 8
07/13/2006 09:30:16.703 q4ae100a56d71.smd Could not find parse string Infection: in report.txt
07/13/2006 09:30:16.703 q4ae100a56d71.smd File(s) are INFECTED [: 8]
07/13/2006 09:30:16.703 q4ae100a56d71.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 86092]

WITH AVG ON:

F:\Logs\Virus>grep -i q11e2008d1156.smd vir0713.log
07/13/2006 05:27:06.312 q11e2008d1156.smd Vulnerability flags = 0
07/13/2006 05:27:06.312 q11e2008d1156.smd MIME file: [text/html][7bit; Length=414 Checksum=37647]
07/13/2006 05:27:06.312 q11e2008d1156.smd MIME file: account-details.zip [base64; Length=108316 Checksum=13182509]
07/13/2006 05:27:06.828 q11e2008d1156.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/13/2006 05:27:06.828 q11e2008d1156.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/13/2006 05:27:06.859 q11e2008d1156.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
07/13/2006 05:27:06.859 q11e2008d1156.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 108872]

Darrell

Darrell ([EMAIL PROTECTED]) writes:

Andy, Besides AVG I have 3 scanners: listed in order (F-Prot, Clam AV, McAfee). I do think it's an AVG issue like you suggested. I am trying to find a way to disable the built in AVG virus scanner to see if this message goes away.

Darrell

Andy Schmidt writes:

Do you have a second/external scanner defined. May be the internal scanner (AVG) deletes an attachment and then Declude complains that it's gone when it tries to launch the secondary?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, July 12, 2006 05:46 PM
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.Virus] 4.2.20 Error in Log

Since upgrading to 4.2.20 I started seeing the following error:

07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
07/12/2006 00:34:41.328

This only happens when AVG catches a virus. It did not get logged under 3.x version. Nor do I have an On Access Virus Scanner. Anyone else seeing this?

Darrell

See the log snippet below.

07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, m
Re: [Declude.Virus] 4.2.20 Error in Log
Andy, Besides AVG I have 3 scanners: listed in order (F-Prot, Clam AV, McAfee). I do think it's an AVG issue like you suggested. I am trying to find a way to disable the built in AVG virus scanner to see if this message goes away.

Darrell

Andy Schmidt writes:

Do you have a second/external scanner defined. May be the internal scanner (AVG) deletes an attachment and then Declude complains that it's gone when it tries to launch the secondary?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, July 12, 2006 05:46 PM
To: declude.virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.Virus] 4.2.20 Error in Log

Since upgrading to 4.2.20 I started seeing the following error:

07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
07/12/2006 00:34:41.328

This only happens when AVG catches a virus. It did not get logged under 3.x version. Nor do I have an On Access Virus Scanner. Anyone else seeing this?

Darrell

See the log snippet below.

07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.Virus] 4.2.20 Error in Log
Since upgrading to 4.2.20 I started seeing the following error:

07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
07/12/2006 00:34:41.328

This only happens when AVG catches a virus. It did not get logged under 3.x version. Nor do I have an On Access Virus Scanner. Anyone else seeing this?

Darrell

See the log snippet below.

07/12/2006 00:34:41.328 q7bca020f6715.smd Vulnerability flags = 0
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: [text/html][7bit; Length=733 Checksum=67160]
07/12/2006 00:34:41.328 q7bca020f6715.smd MIME file: email-details.zip [base64; Length=108312 Checksum=13182423]
07/12/2006 00:34:41.781 q7bca020f6715.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/12/2006 00:34:41.781 q7bca020f6715.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/12/2006 00:34:41.812 q7bca020f6715.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
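An added example, not from the thread and not Declude's code: a Python sketch that groups Declude Virus log lines by spool file and checks the observation in the "4.2.20 Error in Log" messages above, that the "not deleted" warning is logged only for messages the built-in AVG scanner flagged. The log lines are copied from the thread with console wrapping removed; the function and field names are assumptions.

```python
import re

# "MM/DD/YYYY HH:MM:SS.mmm <spool file> <text>", the layout of the log lines
# quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<spool>q[0-9a-f]+\.smd) (?P<text>.*)$"
)
AVG_HIT_RE = re.compile(r"^AVG Reports VIRUS: (?P<name>\S+)")
EXIT_RE = re.compile(r"^Virus scanner (?P<n>\d+) reports exit code of (?P<code>\d+)")
CLEANUP_RE = re.compile(r"^\d+ \[\d+ of \d+ not deleted\] files were deleted")

# Lines taken from the two grep outputs in the thread (one message scanned
# with AVG off, one with AVG on).
SAMPLE_LOG = r"""
07/13/2006 09:30:16.468 q4ae100a56d71.smd Vulnerability flags = 0
07/13/2006 09:30:16.484 q4ae100a56d71.smd Found encrypted .ZIP file
07/13/2006 09:30:16.703 q4ae100a56d71.smd Virus scanner 1 reports exit code of 8
07/13/2006 09:30:16.703 q4ae100a56d71.smd File(s) are INFECTED [: 8]
07/13/2006 09:30:16.703 q4ae100a56d71.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 86092]
07/13/2006 05:27:06.312 q11e2008d1156.smd Vulnerability flags = 0
07/13/2006 05:27:06.828 q11e2008d1156.smd AVG Reports VIRUS: IRC/BackDoor.SdBot.PMS
07/13/2006 05:27:06.828 q11e2008d1156.smd File(s) are INFECTED [IRC/BackDoor.SdBot.PMS: 7]
07/13/2006 05:27:06.859 q11e2008d1156.smd 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
07/13/2006 05:27:06.859 q11e2008d1156.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 108872]
"""


def summarize(log_text):
    """Group log lines by spool file and record what each scanner reported."""
    messages = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # blank line or a line in another format
        rec = messages.setdefault(m.group("spool"), {
            "avg_virus": None,        # name reported by the built-in scanner
            "external_exit": {},      # external scanner number -> exit code
            "cleanup_warning": False, # the "not deleted" message was logged
            "infected": False,
        })
        text = m.group("text")
        avg = AVG_HIT_RE.match(text)
        ext = EXIT_RE.match(text)
        if avg:
            rec["avg_virus"] = avg.group("name")
        elif ext:
            rec["external_exit"][int(ext.group("n"))] = int(ext.group("code"))
        elif CLEANUP_RE.match(text):
            rec["cleanup_warning"] = True
        elif text.startswith("File(s) are INFECTED"):
            rec["infected"] = True
    return messages


def cleanup_warnings(messages):
    """Map each spool file that logged the warning to AVG's detection (or None)."""
    return {
        spool: rec["avg_virus"]
        for spool, rec in messages.items()
        if rec["cleanup_warning"]
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for spool, virus in cleanup_warnings(summary).items():
        print(spool, "cleanup warning; AVG detection:", virus)
```

A `None` value in the result of `cleanup_warnings` would mean the warning appeared without an AVG detection, which would contradict the conclusion reached in the thread.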
Re: [Declude.Virus] 4.2.3 Built-in scanner
John, What problems are you having with scan.exe? A lot of us use McAfee and have no issues.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

John Shacklett writes:

After loading 4.2.20 this afternoon, my AVG scanner is now finally detecting viruses. Oh happy day. Now if I can just get scan.exe to work, I'll have a full house.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Thursday, 11 May 2006 11:44 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

"Declude 4.2.3 Diagnostics" right on the top line.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Thursday, 11 May 2006 9:30 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Just curious, what does your diags.txt? Did 4.2.3 in fact get fully installed and running?

John C

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Thursday, May 11, 2006 6:56 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

I guess I should have been more dramatic. What I intended this to mean was that I still don't see any evidence that AVG is working at all.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 3:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Just for fun, I completely commented out the three scanners in my virus.cfg and resent the eicar plain test file, and it made it to my Inbox.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, 09 May 2006 9:58 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Forget my last post, I have different problems. Sorry. I followed John C's suggestion and sent myself a standard base64 MIME encoded eicar.com file [which should have occurred to me earlier], and I ended up with the following lines in the debug output:

05/09/2006 09:50:57.007 q9e3d01cb331c.smd AVG Reports No Virus
05/09/2006 09:50:57.178 q9e3d01cb331c.smd Virus scanner 1 reports exit code of 3
05/09/2006 09:50:58.444 q9e3d01cb331c.smd Virus scanner 2 reports exit code of 0
05/09/2006 09:50:58.616 q9e3d01cb331c.smd Virus scanner 3 reports exit code of 0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Tuesday, 09 May 2006 9:41 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

Temporarily go to LOGLEVEL DEBUG and use the test virus sender. It should show AVG working. MID and HIGH levels didn't show which scanner caught EICAR, but DEBUG did.

John C

05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Virus detected. Not continuing with any remaining scanners.
05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Reports VIRUS: EICAR_Test
05/09/2006 08:34:55.687 q9a7b016d30e4.smd AVG Reports Not Healable

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, May 09, 2006 8:13 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] 4.2.3 Built-in scanner

1. Use the test virus sender http://www.declude.com/Articles.asp?ID=99
2. Check your virus logs
3. Declude\Scanners\AVG\DB
4. Check the date on the database files

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Tuesday, May 09, 2006 8:45 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] 4.2.3 Built-in scanner

How do I determine if the built-in scanner is working? Where do the virus signature files live? How do I tell if those files are being updated?

--
John S
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
John, CLAMAV is catching it on my systems.

Darrell

---
fpReview - Review held mail easily and quickly. http://www.invariantsystems.com

John T (Lists) writes:

Back to the matter indicated in the subject line, how are others dealing with this? Is F-Prot and AVG and others catching this now? Which AV scanners are indeed catching it?

Now for the bigger question: How do we combat this and future such versions without outright blocking of the file extension? We all know that relying on users to not open attachments is problematic.

John T
eServices For You
"Seek, and ye shall find!"
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Actually, it is CLAMAV catching it. Not sure about McAfee as I stop on first virus. F-Prot is def. not catching it though.

Darrell

Darrell ([EMAIL PROTECTED]) writes:

Mcafee is catching these Trojan.Myno on my systems.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Markus Gufler writes:

Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters. It's a zip-file containing a MS Word Document named "my_notebook.doc". Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results:

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file. We've added the following lines to our virus.cfg in order to block as much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Mcafee is catching these Trojan.Myno on my systems.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Markus Gufler writes:

Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters. It's a zip-file containing a MS Word Document named "my_notebook.doc". Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results:

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file. We've added the following lines to our virus.cfg in order to block as much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus
[Declude.Virus] fpReview Released - Easily Review Held Messages
fpReview is a utility that allows you to easily review held mail on your Imail or SmarterMail system. With fpReview you can review messages and return them back to the queue for delivery or rescanning by Declude. Besides being able to return the message to the queue for delivery many other options are available such as delete, move, copy, etc. Another useful feature is the ability to report false positives or spam to 3rd parties by using the integrated email function. fpReview is an intelligent application that will adapt to your workflow. It will remember email addresses and subjects to streamline future reporting of messages. In addition fpReview will import your configured Declude filters from your Declude global.cfg. This allows you to create custom Declude rules on the fly through our custom interface. Screen Captures: http://www.invariantsystems.com/fpreview/screencaptures.htm Download: http://www.invariantsystems.com/fpreview/default.htm Darrell --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.Virus] reque slips by Declude?
With older versions of Declude and Smartermail you used to have to do the "X" rename to skip Declude processing. If you left the "X" off it would be rescanned by Declude. However, now that Declude is integrated into Smartermail v3 what is the correct requeuing process?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Dean Lawrence" <[EMAIL PROTECTED]>
To:
Sent: Thursday, May 18, 2006 7:48 AM
Subject: Re: [Declude.Virus] reque slips by Declude?

Gary, I do believe that messages that have been re-queued do not get scanned a second time. If they did, you would never be able to re-queue anything since it would be continually caught.

Dean

On 5/18/06, Gary Steiner <[EMAIL PROTECTED]> wrote:

Back on May 9 my server was hit by the Feebs virus. I am using F-Prot, which did not detect it. But I am using "BANEXT hta" which caught it.

Two days ago I upgraded to SmarterMail 3.1 and Declude 4.2.3. Among other things, I've been looking at the addition of AVG to Declude. I noticed that F-Prot still doesn't detect that version of the Feebs virus, but AVG does. So I thought I would test it. I still have a copy of the virus I received on May 9, so I requeued it unchanged and unrenamed to let it go through the new Declude to see what would happen.

To my surprise it was delivered! No new Declude headers were added to the message. Though SmarterMail did modify it because it detected it as spam. I checked the virus logs (LOGLEVEL set to HIGH) and there was no listing at all for this message.

Naturally I am now quite nervous. Why did this happen? Have any other Feebs viruses slipped through? Unfortunately the eicar tests don't have an hta to use, so the only way I have to test this is with a live virus. The Feebs virus isn't one of the more common ones, but all it takes is one to get through to spoil the day of one of my customers.

Gary Steiner

--
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists
Re: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?
The activation code goes into the virus.cfg file. Did your official hostname change (assuming you're running imail)? If so, contact declude support to resolve this issue.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Eric Mamet
To: Declude.Virus@declude.com
Sent: Monday, May 08, 2006 8:51 AM
Subject: RE: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?

You might have put the finger on it. Found this in the log:

05/08/2006 14:40:27 Q3c3b0eecfd47 Declude Virus NOT running due to invalid activation code.
05/08/2006 14:40:27 Q3c3b0eecfd47 Error: Invalid Declude Virus activation code for open-resources.co.uk.

The activation code in the Virus.Cfg file is the one I have in my original email from declude. Our main domain name may not have been the same at the time. Where does it get this open-resources.co.uk from? Is this what I should change?

Thanks
Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: 08 May 2006 13:34
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?

Eric, Are you only using Declude Virus? If not are there other Declude headers in the message? In the Virus logs does this message exist? Is there virus logs (virMMdd.log). Did you uninstall Declude because of this issue or is this a new server? If this is a new server did you double click on the declude.exe first? In the Imail SMTP tab for the delivery application does it specify declude.exe? If yes, is the path correct?

2 things to note - [1] there have been reports of folks having to click the declude.exe multiple times for it to reinstall for some reason and [2] there are some issues with the old declude architecture under imail 8.2x the new version 3.x / 4.x fixes those issues. The issue is related to imail's multithreaded smtp engine. I never had the issue, but a lot of folks did.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Eric Mamet
To: declude.virus@declude.com
Sent: Monday, May 08, 2006 8:16 AM
Subject: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?

I am trying to re-install Declude v1.65 onto Imail 8.22. I tried to send an eicarplain pseudo virus (http://www.declude.com/Articles.asp?ID=99) and it went right through to my inbox! It looks like Declude is not involved at all. Has anybody tried that?

Eric

PS: I am using F-Prot anti-virus
Re: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?
Eric, Are you only using Declude Virus? If not are there other Declude headers in the message? In the Virus logs does this message exist? Is there virus logs (virMMdd.log). Did you uninstall Declude because of this issue or is this a new server? If this is a new server did you double click on the declude.exe first? In the Imail SMTP tab for the delivery application does it specify declude.exe? If yes, is the path correct?

2 things to note - [1] there have been reports of folks having to click the declude.exe multiple times for it to reinstall for some reason and [2] there are some issues with the old declude architecture under imail 8.2x the new version 3.x / 4.x fixes those issues. The issue is related to imail's multithreaded smtp engine. I never had the issue, but a lot of folks did.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Eric Mamet
To: declude.virus@declude.com
Sent: Monday, May 08, 2006 8:16 AM
Subject: [Declude.Virus] (re)Installing Declude v1.65 on Imail 8.22?

I am trying to re-install Declude v1.65 onto Imail 8.22. I tried to send an eicarplain pseudo virus (http://www.declude.com/Articles.asp?ID=99) and it went right through to my inbox! It looks like Declude is not involved at all. Has anybody tried that?

Eric

PS: I am using F-Prot anti-virus
[Declude.Virus] DLAnalyzer 5.0 Released
DLAnalyzer 5.0 has been released. DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail and Virus statistics into one report. Some of the features require the Enterprise or Standard version, but we also have a FREE LITE version available.
With version 5.0 we have added many new features including new reports like: Recipient Based Spam Reports, Test Quality Report that evaluates how effective the configured tests are on your system, Domain Executive Reports, and Domain Recipient Reports. In addition we have also added a new level of customization of the reports allowing you to change the look and feel of the report through the use of cascading style sheets.
Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm
Release Notes: http://www.invariantsystems.com/download/current/readme.txt
Download: http://www.invariantsystems.com/dlanalyzer/download.asp
Any questions let me know,
Darrell
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Declude Mailing Lists - Etiquette - A gentle reminder
Proper etiquette when posting to a list or forum! When posting to our lists or forums, please comply with the following "rules:"
1. Turn off Return Receipt Requests.
2. Please search the archives and FAQ.
3. Do not add attachments unless specifically asked to do so.
4. Only add .zip or .txt attachments. Others waste bandwidth and are not necessary.
5. Do not post in html format. The size of a message in HTML is a lot larger than that of plain text. This is a problem for those on dial-up and those with PDAs.
6. Delete unnecessary text when quoting or replying to a post. Just include/keep the information relative to your response. This way, others do not have to wade through unnecessary information, only that needed to understand the post.
7. Do not use a "DIGITAL SECURITY Signature". It wastes bandwidth and causes problems to some users, like those with PDAs.
8. Please use a subject line that will attract attention to your problem and offers an insight of what you are asking about. (Example, a subject line of "Help" will be ignored.)
9. If you change the topic or direction thereof, change the subject line.
10. If you want a good answer, provide good details.
11. Please allow time for people to respond to your post. We are working too. Plus, some lists are known to be slow to post.
12. Please do not include lines of company/private legal disclaimer. You are sending to a list. It is going to be resent to everyone on that list. This translates into no longer being a private or confidential message. Also, some lists are archived and have been known to show up on Google searches.
13. Do not include any line as part of a message "signature" like, "If you have received this communication in error..."
14. If your post is criticized, please reread your original post you sent along with the reply and take a few minutes to think about them before snapping out your reply.
15. Do not initiate a flame against others. It is improper to do so on a list. Take it off list. Also, 9 times out of 10 you will be proven wrong.
Please note: This list is a collaborative effort and will be changed upon valid suggestions.
[Declude.Virus] Updates from Declude
Product Naming
After considering all the choices we have decided to rename the new product "Declude Security Suite". I will be notifying the winner(s) of the competition shortly.
Declude Security Suite for IMail
We have now released additional versions of the software for different levels of IMail and these can be found at http://www.declude.com//Purchase.asp?cat=13
As usual if anyone has questions please contact me and we will do our best to answer.
Barry
[EMAIL PROTECTED]
Office: (978) 499-2933
Cell: (978) 853-9593
[Declude.Virus] Win a FREE copy of ?
Okay, it's time for all of us at Declude to face the facts: naming products is not our strength and naming our latest release Version 4 showed both a lack of imagination and an ability to cause confusion. After all, we wouldn't name our latest child Version 2! At least most of us wouldn't
Realizing that we are pretty good at designing software and pretty bad at naming it, we thought we would let you have a go at naming this latest release. Please, nothing provocative or off-color, unless it's particularly good. In any case, don't be afraid to let imagination run rampant.
We need your suggestions no later than 5pm Eastern Time on Wednesday, February 15th. At that point we will have a run off vote that will end this Friday, February 17th. The winning name will receive a free copy of ? (Currently known as Version 4) and a free one year service agreement on your current software.
All names should be submitted by email to [EMAIL PROTECTED] The back of napkins, prescription pads, Dunkin' Donuts cups, bar coasters and Subway sandwich wraps will not be accepted as valid entries. All employees of Declude and their families are ineligible.
Good luck!
--- [This E-mail was scanned for viruses by Declude EVA www.declude.com]
Re: [Declude.Virus] Under specific conditions, action not as specified
Michael,
Can you post some log snippets from your junkmail logs showing this going through junkmail and the corresponding AV log entries. I run this exact same configuration and do not have this issue.
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
- Original Message -
From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>
To:
Sent: Sunday, February 12, 2006 7:01 PM
Subject: [Declude.Virus] Under specific conditions, action not as specified
Declude Version: 3.0.5.23
In GLOBAL.CFG
STOPPROCESSINGONFIRSTDELETE ON
In JunkMail, a message scores more than enough points to be DELETED.
In VIRUS.CFG
AVAFTERJM ON
DELETEVULNERABILITIES OFF
The result is that the message is moved to the /sppol/virus folder. It should have been deleted
Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)
[Declude.Virus] Changes @ Declude
In the last 10 days we have received a number of inquiries to the email sent to every customer explaining the changes that are happening here at Declude. To summarize the answers to those questions:
* No existing customer is required to move to the new annual pricing.
* Our current customers can continue to pay the annual Service Agreements.
* No customer is required to move to 4.0
Over and above that we are continuing to enhance and support both 3.0 and 4.0 and we have provided great deals for customers wishing to move to the 4.0 version and also committed to keeping them on Service Agreements.
I have responded to each and every customer who has contacted me since the email was sent out and if any one has any further questions they can contact me either by email or telephone (978) 499-2933.
Barry
[Declude.Virus] Declude V4.0
Details of V4.0 and release notes coming soon. Barry
Re: [Declude.Virus] My quick and dirty virus stats
If you don't want to bother learning or using perl I suggest you look at DLAnalyzer. It can do Junkmail reporting and Virus reporting for Declude integrated into one Windows based application. There is a functional free version (lite).
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
- Original Message -
From: Imail
To: Declude.Virus@declude.com
Sent: Friday, January 27, 2006 3:55 PM
Subject: RE: [Declude.Virus] My quick and dirty virus stats
I don't know PERL and with being in the middle of a cluster project along with an open source photo gallery project along with... etc... I'm up to my eyeballs in technical learning right now. I would REALLY appreciate the script. If you get time just email it to this address [EMAIL PROTECTED] and I'll get it going...
Thanks...
Mark
At 02:21 PM 1/27/2006, you wrote:
I use PERL for most of this stuff. Easy enough to learn, or I could send you the script off-line.
Karl Drugge
-Original Message-----
From: [EMAIL PROTECTED] [ mailto:[EMAIL PROTECTED]] On Behalf Of Imail
Sent: Friday, January 27, 2006 2:37 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] My quick and dirty virus stats
Andrew,
What are you using to compile these numbers?
Mark
At 12:48 PM 1/27/2006, you wrote:
Just because it's easy to produce... This is from the viruses that get caught as spam from Dec 01 2005 through yesterday:
13 Suspicious program in Archive
1 Suspicious program
5 Unknown Virus
57 W32/Bagle
1 W32/Banker
13 W32/Brepibot
28 W32/Kapser
33 W32/Klez
108 W32/Mitglieder
13 W32/Mydoom
665 W32/Mytob
1,124 W32/Netsky
5,607 W32/Sober
1 W32/Torvil
5 W32/Zafi
Andrew 8)
No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.1.375 / Virus Database: 267.14.23/243 - Release Date: 1/27/2006
-- PLEASE NOTE : Florida has a very broad public records law. Most written communications to or from City officials regarding City business are public records available to the public and media upon request. Your E-mail communications may be subject to public disclosure.
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned.
Think of it this way anything that ends up being delivered somewhere (i.e. mailbox etc) gets scanned.
Darrell
Matt writes:
This is the crux of the issue that I would like to figure out. I am however under the impression that if you DELETE a message, Declude Virus never gets it. I suspect that HOLD and MAILBOX are also that way. I am unsure about ROUTETO, and that is what really matters to me. As far as savings of resources, it is apparently huge, especially for those running multiple virus scanners. Virus scanning takes more CPU than all but the biggest JunkMail configs (things like custom filters with thousands of lines of BODY or ANYWHERE searches). I know that on my system I Delete about 70% of all messages, ROUTETO about 10%, and deliver about 20%. I would like to save on scanning what I would otherwise be deleting with JunkMail.
Matt
Keith Johnson wrote:
Markus, However, Darrell mentioned that the AV scanner still runs once action is taken against the SPAM message (i.e. routeto, subject, etc.). Is this not true?
Keith
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).
Wrong... if you block the messages on the servers: As we know usually >50% of all incoming messages are spam. We know too that resource usage of one or two scan-engines is way above the entire spam filtering even if you use 5-6 external applications like sniffer, inv-uribl, spamchk, ... So if your spam filters are set up properly they will filter out at least 50% of all incoming messages before they will reach the av-engines.
Markus
--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
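The scan/skip behaviour described in the post above, modelled as an added example (not code from the thread or from Declude). The `NONE` label, the function names and the message counts are assumptions; the first mix scales Matt's 70/10/20 split to 1,000 messages and the second is constructed to include HOLD and an action the thread leaves unsettled.

```python
"""AV scan coverage under AVAFTERJM, modelled from what this thread states.

Added example, not Declude code. The action table encodes only the posts'
claims; function names and the sample counts are constructed.
"""

# With AVAFTERJM ON, the thread says these JunkMail outcomes skip the AV scan.
SKIPPED = {"HOLD", "DELETE"}
# ...and these are still scanned. "NONE" is our label (an assumption) for mail
# that triggered no spam action and is delivered normally.
SCANNED = {"ROUTETO", "SUBJECT", "NONE"}
# Skipped outcomes that keep a copy on disk, so a later release can deliver it.
RETAINED = {"HOLD"}

# Directive lines in the 'NAME VALUE' style quoted in the thread.
VIRUS_CFG = "AVAFTERJM ON\nDELETEVULNERABILITIES OFF\n"
# Constructed counts: Matt's 70% delete / 10% ROUTETO / 20% deliver, per 1,000.
MATT_MIX = {"DELETE": 700, "ROUTETO": 100, "NONE": 200}
# Constructed counts for a site that also holds spam and uses MAILBOX.
HOLD_MIX = {"DELETE": 600, "HOLD": 100, "ROUTETO": 100, "NONE": 150, "MAILBOX": 50}


def parse_directives(text):
    """Parse 'NAME VALUE' lines into a dict with upper-cased names and values."""
    directives = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        directives[parts[0].upper()] = " ".join(parts[1:]).upper()
    return directives


def scan_coverage(directives, action_counts):
    """Return how many messages reach the AV scanner for a given action mix."""
    av_after_jm = directives.get("AVAFTERJM", "OFF") == "ON"
    report = {"total": 0, "scanned": 0, "unscanned": 0,
              "retained_unscanned": 0, "unverified_actions": []}
    for action, count in action_counts.items():
        action = action.upper()
        report["total"] += count
        if not av_after_jm or action in SCANNED:
            # Without AVAFTERJM the AV pass runs first, so every message is scanned.
            report["scanned"] += count
        elif action in SKIPPED:
            report["unscanned"] += count
            if action in RETAINED:
                report["retained_unscanned"] += count
        else:
            # The thread does not settle this action (MAILBOX, for example):
            # count it as unscanned until the AV log shows otherwise.
            report["unscanned"] += count
            report["unverified_actions"].append(action)
    total = report["total"]
    report["scanned_pct"] = round(100.0 * report["scanned"] / total, 1) if total else 0.0
    return report


def release_requires_scan(directives, action):
    """True when a message with this outcome was never scanned and must be
    scanned before it is put back in the delivery queue."""
    if directives.get("AVAFTERJM", "OFF") != "ON":
        return False
    return action.upper() not in SCANNED


if __name__ == "__main__":
    cfg = parse_directives(VIRUS_CFG)
    for name, mix in (("Matt's mix", MATT_MIX), ("hold-heavy mix", HOLD_MIX)):
        print(name, scan_coverage(cfg, mix))
    print("scan HOLD before release:", release_requires_scan(cfg, "HOLD"))
```

The `retained_unscanned` count is the part that matters operationally: those messages sit on disk unscanned, so any release path has to run them through the scanner first.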
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Don,
Messages that are "HOLD" or "DELETE" are not virus scanned. ROUTETO gets virus scanned. In summary you have to look at your situation and if it makes sense for you. We don't do much ROUTETO so it makes sense for us and saves a significant amount of CPU.
Darrell
--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Don Brown writes:
Your first and second message seem to be contradictory or I'm dense.
#1 "The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources."
#2 "It still gets virus scanned."
So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me). If that is so, then how does it cut down on machine resources?
Friday, January 27, 2006, 9:43:19 AM, Darrell ([EMAIL PROTECTED]) <[EMAIL PROTECTED]> wrote:
Dsic> Keith,
Dsic> It still gets virus scanned. I have tons of viruses in my virus drop point
Dsic> for ROUTETO accounts.
Dsic> Darrell
Dsic> ---
Dsic> Check out http://www.invariantsystems.com for utilities for Declude, Imail,
Dsic> mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI
Dsic> integration, MRTG Integration, and Log Parsers.
Dsic> Keith Johnson writes:
Darrell, What happens in this scenario. Virus file comes in, AVAFTERJM is turned on, thus Declude scans it for spam content, lets say it is spam, thus ROUTETO sends it to a specific mailbox for customer to review for certain amount of days. Does Declude Virus still run against it prior to ROUTETO? My fear is that the virus file will land in their spam box untouched and the user will fire the virus off by looking at file.
Keith
-Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.
The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources. It has been a MAJOR help for me.
Darrell
--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Keith,
We don't ROUTETO all of our mail. We hold and delete on a bunch. In this case 95% of mail is not virus scanned. If you routeto everything then I suspect you will not save any cycles.
Darrell
--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Keith Johnson writes:
Darrell, I guess my question then is what advantage is it to have it run prior to Virus if the Virus Scanner still scans it, won't it still use the same CPU cycles?
Keith
-Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Keith,
It still gets virus scanned. I have tons of viruses in my virus drop point for ROUTETO accounts.
Darrell
--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Keith Johnson writes:
Darrell, What happens in this scenario. Virus file comes in, AVAFTERJM is turned on, thus Declude scans it for spam content, lets say it is spam, thus ROUTETO sends it to a specific mailbox for customer to review for certain amount of days. Does Declude Virus still run against it prior to ROUTETO? My fear is that the virus file will land in their spam box untouched and the user will fire the virus off by looking at file.
Keith
-Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.
The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources. It has been a MAJOR help for me.
Darrell
--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
Keith,
It still gets virus scanned. I have tons of viruses in my virus drop point for ROUTETO accounts.
Darrell
--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Keith Johnson writes:
Darrell, What happens in this scenario. Virus file comes in, AVAFTERJM is turned on, thus Declude scans it for spam content, lets say it is spam, thus ROUTETO sends it to a specific mailbox for customer to review for certain amount of days. Does Declude Virus still run against it prior to ROUTETO? My fear is that the virus file will land in their spam box untouched and the user will fire the virus off by looking at file.
Keith
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.
The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources. It has been a MAJOR help for me.
Darrell
--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.Virus] Feature request: DELETEVIRUSNAME
How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.
The main benefit is that it cuts down on the amount of messages virus scanned thus saving resources. It has been a MAJOR help for me.
Darrell
--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.Virus] JunkMail and Virus Mailing List Etiquette
We have refrained from setting rules on our mailing lists but the time has come to remind subscribers of a few basics. The mailing lists are designed to provide a forum for all of us to better learn and understand issues that are being faced by the community
• Do try to think about the message content before you send it out.
• Do make sure that the content is relevant to the recipients. Nobody likes to receive junk email.
• Do be polite. Constructive criticism is usually welcome but blatant abuse is not.
• Do trim any quoted message down as much as possible.
• Do ensure that you have a relevant "Subject" line.
• Do include a brief signature on your email messages to help the recipient understand who it is from, especially if you are dealing with someone you do not know very well.
• Do be careful when replying to mailing list messages. Are you sure you want to reply to the whole list?
• Do remember to delete anything that isn't needed or is trivial.
• Do remember to post bug reports to [EMAIL PROTECTED] where they will be logged and tracked.
• Don't conduct arguments on the mailing list.
• Don't make personal remarks about third parties.
There have been some recent comments about advertising third party applications on the mailing lists and the rule that should apply is: “If the product being discussed is not a competitor to Declude, SmarterMail or IMail and can enhance the effectiveness of our users then it is an appropriate topic. This includes such applications as Sniffer, DL Analyzer and iPlus Info Browser.”
Barry
RE: [Declude.Virus] Declude Release 3.0.5.23
No, the Confirm issue is on the development schedule.
Barry
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Thursday, December 29, 2005 4:45 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Release 3.0.5.23
Barry,
Does this happen to fix the Confirm issue of looking at the wrong location for the D or Q files???
Thanks,
Grant Griffith
EI8HTLEGS, A Division of ETC
(812)932-1000
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 29, 2005 2:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Declude Release 3.0.5.23
There has been an intermittent bug in Declude that reported certain features in the Pro version were not available. There is no function within Declude to downgrade functionality other than by changing the key in the configuration file which is under the control of our customers. There is no remote capability for anyone at Declude to change the contents of a customer’s configuration file. The latest release posted today 3.0.5.23 contains a fix for this bug.
We recognize that some customers had issues with our licensing software over the last weekend. We had thoroughly tested this when we first released this version of the licensing software, including turning off of the server and we were confident that this type of issue would not arise. It seems however that with the communications failure (Verizon) a problem arose for a limited number of our customers. We analyzed the code this week and thanks to customers who worked with us on this and the problem has now been resolved. The fix is in 3.0.5.23
We have designed a new, simplified licensing application that will be released with Declude 4.0 and we will post more details closer to the time.
Barry
[Declude.Virus] Declude Release 3.0.5.23
There has been an intermittent bug in Declude that reported certain features in the Pro version were not available. There is no function within Declude to downgrade functionality other than by changing the key in the configuration file which is under the control of our customers. There is no remote capability for anyone at Declude to change the contents of a customer’s configuration file. The latest release posted today 3.0.5.23 contains a fix for this bug.
We recognize that some customers had issues with our licensing software over the last weekend. We had thoroughly tested this when we first released this version of the licensing software, including turning off of the server and we were confident that this type of issue would not arise. It seems however that with the communications failure (Verizon) a problem arose for a limited number of our customers. We analyzed the code this week and thanks to customers who worked with us on this and the problem has now been resolved. The fix is in 3.0.5.23
We have designed a new, simplified licensing application that will be released with Declude 4.0 and we will post more details closer to the time.
Barry
Re: [Declude.Virus] Declude Hardware Issue
FYI - For the others affected by this I put 3.0.5.22 back on and everything is flying along with no issues. Processing messages as fast as could be. FWIW - My issues started on December 24th at approximately - 2:10pm EST. I will follow-up with Declude tomorrow to determine why my version decided to downgrade itself.
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
- Original Message -
From: David Franco-Rocha
To: Declude.JunkMail@declude.com
Cc: Declude.Virus@declude.com
Sent: Monday, December 26, 2005 4:00 PM
Subject: [Declude.Virus] Declude Hardware Issue
Please note that the hardware issue preventing communication with Declude has been resolved. Key authentication has resumed as normal.
There appear to be some misconceptions on the lists regarding the key authentication system. In the event that your key cannot be authenticated (either due to communication failure or because the key was never issued):
A) Your software will continue to function
B) Your software is NEVER downgraded for any reason, either automatically or otherwise
We have had a few reports from customers who have licensed versions of Pro, saying that they are receiving messages in their log files that they do not have the Pro version. We will identify the source of that issue tomorrow when the office reopens and will resolve it. It does not have any relation to the key authentication mechanism with the server, since the actual authentication with IMail versions of Declude continues to be via the old codes entered into the configuration files.
David Franco-Rocha
Declude Technical / Engineering
Re: [Declude.Virus] Another round of Bagle?
Filenames?

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Goran Jovanovic writes:

I am getting a ton of ZIP-EXE being banned.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Thursday, December 22, 2005 11:25 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Another round of Bagle?

Looks like another round of Bagle is starting?

John T
eServices For You

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Sober Virus - Secret Code.
http://www.pcworld.com/news/article/0,aid,123876,00.asp

Key paragraph -

//begin
Security firm iDefense said it broke the encrypted code in a Sober variant discovered in November and found that it is designed to download the unknown code from various Web addresses on January 5, 2006. Millions of "zombie" computers may already be infected with the variant, the company said. The date coincides with the 87th anniversary of the founding of the Nazi Party. The release of worms has been tied to political events in the past, iDefense noted, in a kind of "hacktivism" designed to distribute propaganda.
//end

ugh - I suspect more German pro-nazi spam...

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Declude and IMail 2006
Knowing that there are issues with 1.x and 2.x with Imail 8.2x, and 2006 extends from 8.2x, I would suspect that you may have issues.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

J Porter writes:

Does Declude (Virus and JM Pro) 1.82 work with Imail 2006??

Call me "chicken"... lol... but I really don't have the guts to do both upgrades at the same time... :)

There are entirely too many instances of sober and mytob hitting us daily.

Thanks
~Joe

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] how is Declude 3.x?
I understand what everyone is saying, believe me I do. What I can tell you is that 3.x is much better than 2.x. Especially, since it fixes the issues I had where 100's of declude processes would unexpectedly launch and would hose the server. I have found the later versions to be very stable and fast. The big issues I am seeing with the new version is variables that were not per thread.

I can tell you every one of my issues that my twin (inside joke on the twin) or I have reported has been taken very seriously. I can tell you that David Franco-Rocha has been very aggressive working a lot of these issues. You know they are on the right track when you get builds to fix issues at 3am in the morning..

Hang in there, it's all starting to come together and I think when you're ready to dive into 3.x you will be very happy...

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Darin Cox writes:

Totally agree with you there, Sandy. We're trying to decide whether to renew the service agreement. We paid for a year and haven't upgraded at all due to the stability problems and bugs with 2.x and 3.x, though we are considering upgrading to IMail 2006 and 3.0 soon. Things seem to have settled down a bit.

What are you running? 2.06 with IMail 8.15? We're still running IMail 8.05 and 1.82 currently.

Darin.

- Original Message -
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To:
Sent: Thursday, November 24, 2005 3:23 PM
Subject: Re: [Declude.Virus] how is Declude 3.x?

3.0.5y.20 on Imail running fine here.

I think it would be helpful if 3.0.x adopters could mention IMail/SmarterMail version, Windows OS version, msgs/day, and which (publicly available) external tests they're running. I honestly thought, after the rash of buggy releases and seemingly insufficient internal testing, that I would not deploy 3.0.x for several months, if ever. I'm sure I'm not alone.

--Sandy

--
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
mailto:[EMAIL PROTECTED]
--

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] how is Declude 3.x?
I run 3.0.5.20 DFx - I think 1 or 2. It has a few extra fixes for me; the dnsbl issue is the key one. I run it on two servers (imail): volume on server 1 - 150K and volume on server 2 - 100K.

External tests: invURIBL & Sniffer

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Sanford Whiteman writes:

3.0.5y.20 on Imail running fine here.

I think it would be helpful if 3.0.x adopters could mention IMail/SmarterMail version, Windows OS version, msgs/day, and which (publicly available) external tests they're running. I honestly thought, after the rash of buggy releases and seemingly insufficient internal testing, that I would not deploy 3.0.x for several months, if ever. I'm sure I'm not alone.

--Sandy

--
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
mailto:[EMAIL PROTECTED]
--

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Sober to be released, possible variation?
Mark,

In general for these types of viruses yes you are ok as long as the extensions in the zips are ones that you are blocking.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Mark Reimer writes:

If we are banning extensions within zip files we should be ok right?

Mark Reimer
IT Project Manager
American CareSource
800-370-5994 ext. 267

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John T (Lists)
Sent: Tuesday, November 15, 2005 2:30 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Sober to be released, possible variation?

And another:

BANNAME packed-password_text.zip

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 15, 2005 10:16 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Another one to block...

BANNAME Accept_e-Text.zip

The list so far is

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME Accept_e-Text.zip
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME foto.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
BANNAME word-text.zip

As mentioned before, we keep these in place even after the virus definitions are catching them. That way new variants that use the names are caught before definitions are available.

Darin.

- Original Message -
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 15, 2005 11:57 AM
Subject: RE: [Declude.Virus] New Sober to be released, possible variation?

There are very interesting details in Trend Micro's writeup.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T

i.e. it uses its own SMTP server plus a hardcoded list of accounts and IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious Software Removal Tool.

It may be worth mentioning that the BANNAME list that Darin provided will be useful for those of us using F-Prot only, as they are still not detecting the variant I've been receiving since this thread started.

Andrew 8)

> -----Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Tuesday, November 15, 2005 6:05 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Sober to be released,
> possible variation?
>
> Most the new Sober variants are expected to be low volume, so
> I'm not surprised that Netsky.P continues to outstrip them.
>
> Security vendors are varying as to what they are detecting
> with 6 new Sober variants yesterday and today. Best bet is
> to ban the files at least until virus definition files have
> caught up. We keep the bans in place for the usual overlap
> in new variants.
>
> Darin.
>
>
> - Original Message -
> From: "Markus Gufler" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, November 15, 2005 8:44 AM
> Subject: RE: [Declude.Virus] New Sober to be released,
> possible variation?
>
>
> Thank you Darin.
>
> just curious after watching our virus logfiles today
> Anyone else can confirm that there are only a few of the
> today new virus and
> far more netsky (most .p variant) showing up in the logfiles?
>
> Today I've had some reports that certain variants of the new
> virus slipped
> through while it was definitively catching some others.
>
> Markus
>
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 2:33 PM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> > I just went through all of the reports. Here's a list of new
> > filenames to
> > ban:
> >
> > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > BANNAME email_photo.zip
> > BANNAME excel_table.zip
> > BANNAME liste.zip
> > BANNAME reg_text.zip
> > BANNAME registration.zip
> > BANNAME tabelle.zip
> >
> >
> > Darin.
> >
> >
> > - Original Message -
> > From: "Doug Anderson" <[EMAIL PROTECTED]>
> > To:
> > Sent: Tuesday, November 15, 2005 8:24 AM
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> >
> > Looks like varying att
Re: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today
I caught that in the later thread. On my system I see the same behavior where the gsc/gse will get processed by the next queue run as well. I do seem to remember in older versions that they were tried to be delivered right away.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: "David Dodell" <[EMAIL PROTECTED]>
To: "Darrell ([EMAIL PROTECTED])"
Sent: Saturday, November 05, 2005 3:59 PM
Subject: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

Saturday, November 5, 2005, 1:43:11 PM, Darrell ([EMAIL PROTECTED]) wrote:

> When you say messages are getting stuck in the spool do you mean after they are processed by Declude? When you upgraded to Declude 3.x did you replace the declude.exe file?

As I mentioned in another post, it appears that the Postmaster generated messages are sitting in the \imail\spool directory, but with a GSE or GSC extension instead of SMD ... and are eventually processed within 20 or 30 minutes, I'm assuming being caught by the queue being reprocessed in that time period??

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today
David,

Sorry, I did not read far enough to the "OFF" part. If set to off, viruses are scanned for first, which is the default setting. Normally you do not see someone have that in their config unless they are going to set it to "ON", which scans for viruses after JM.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: "David Dodell" <[EMAIL PROTECTED]>
To: "Darrell ([EMAIL PROTECTED])"
Sent: Saturday, November 05, 2005 3:57 PM
Subject: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

Saturday, November 5, 2005, 1:42:02 PM, Darrell ([EMAIL PROTECTED]) wrote:

>> Also, in the Command AVAFTERJM OFF I assume this means it SCANS viruses first, then the junkmail?

> No it actually scans for viruses after junkmail.

Ok, I turned it on since I want it to scan for viruses BEFORE junkmail.

Doesn't make sense to me, I read it as:

AV (Virus) AFTER JM (Junkmail)

and if ON would mean Virus After Junkmail and OFF would mean Virus BEFORE Junkmail

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Help! Upgraded from 1.82 to 3. today
David,

When you say messages are getting stuck in the spool do you mean after they are processed by Declude? When you upgraded to Declude 3.x did you replace the declude.exe file?

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: "David Dodell" <[EMAIL PROTECTED]>
To: "David Dodell"
Sent: Saturday, November 05, 2005 1:27 PM
Subject: Re: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

I noticed that my virus scanner is no longer sending me notices when it intercepts a virus ... before I used to get email notice from declude that a virus, and/or spam was intercepted, but now that seemed to have stopped ... is there a switch I need to turn on / off?

It appears messages are getting stuck in my spool ... I see messages addressed from [EMAIL PROTECTED] to (same user twice)

Any ideas?

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Help! Upgraded from 1.82 to 3. today
> Also, in the Command AVAFTERJM OFF I assume this means it SCANS viruses first, then the junkmail?

No it actually scans for viruses after junkmail.

Darrell
---
invURIBL - Intelligent URI Filtering. Stops SPAM by focusing on the spamvertised link. More effective than traditional RBL's. Download a copy today - http://www.invariantsystems.com

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Second scanner
I use Mcafee and it has been great; they tend to be among the top for getting updates out quick. However, it is very resource intensive.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Declude Log Parsers.

David Dodell writes:

After many years of using Virus Standard, I upgraded to Virus Pro to take advantage of a second scanner. I've scanned the previous threads on what others like for a second scanner to F-Prot, but can't seem to find any common thread ...

So I would appreciate what seems to be the next most popular virus scanner to run as a secondary scanner to F-Prot?

David

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Current Version 3.05.11??
David,

Can you elaborate on "connectivity issues"? I am trying to grasp what is meant by connectivity issues (i.e. rbl's not returning data, etc?).

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

David Franco-Rocha [ Declude ] writes:

There were several customers who were having connectivity issues with 3.0.5.9. It was traced to problems within Winsock. The subsequent versions reset Winsock periodically, which has a negative effect on the processing time, but it seems to eliminate those connectivity issues.

Very shortly we will be incorporating a new directive into the configuration, so that the system administrator can elect to have Winsock do periodic resets or not. For those who did not experience problems with connectivity, turning off that option will provide the speed of 3.0.5.9, as well as the bugs that will have been fixed since that version.

David Franco-Rocha
Declude Technical / Engineering

- Original Message -
From: "Marcel Sangers" <[EMAIL PROTECTED]>
To:
Sent: Friday, October 28, 2005 2:27 AM
Subject: RE: [Declude.Virus] Current Version 3.05.11??

We have the same problem. 3.05.9 seems to be lots faster than 3.05.11/12. We had a problem with the mailserver so Declude had to process about 2000 msgs at once. With 3.05.12 that takes way too much time, we did a rollback to 3.05.9 and the email flows very fast. How is this possible?

We use Declude Spam+Virus THREADS 15 F+Prot+AVG Sniffer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Friday, October 21, 2005 22:49
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Current Version 3.05.11??

Changing from 305.9 to 3.05.11 changed the behaviour of processing

Processing slowed down

With 3.05.09 my proc directory stays virtually empty whereas with 11 it did not get emptied as entries arrived.

Went back to .9

My declude.cfg is:

threads 20
waitformail 500
waitforthreads 1500
waitbetweenthreads 100

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Friday, October 21, 2005 4:23 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Current Version 3.05.11??

Hi

Are there any release notes for this? It went from .09 this morning to .11 about five minutes ago.

What's up?

Thanks,
Rob

---
[This E-mail scanned for viruses by Declude Virus]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Virus name reported as different than what scanner detected.
That's good to hear that others are seeing this as well... Hopefully, we will have a fix soon.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Bill Landry writes:

Yep, I'm seeing the same thing with Version 3.0.5.12:

=
10/28/2005 10:56:04.343 q662b02abbeb9.smd Vulnerability flags = 0
10/28/2005 10:56:04.343 q662b02abbeb9.smd MIME file: [text/html][7bit; Length=714 Checksum=63910]
10/28/2005 10:56:04.390 q662b02abbeb9.smd MIME file: email-details.zip [base64; Length=93976 Checksum=11204045]
10/28/2005 10:56:04.390 q662b02abbeb9.smd Banning .ZIP file with scr extension.
10/28/2005 10:56:06.156 q662b02abbeb9.smd Virus scanner 1 reports exit code of 3
10/28/2005 10:56:06.171 q662b02abbeb9.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-details.zip [16] I
10/28/2005 10:56:07.109 q662b02abbeb9.smd Virus scanner 2 reports exit code of 1
10/28/2005 10:56:07.109 q662b02abbeb9.smd Scanner 2: Virus= [ WORM_MYTOB.LV](1) in M:\IMail\spool\proc\work\D662B0~1.VIR\0.zip,(email-details.htm .scr) Attachment=email-details.zip [16] I
10/28/2005 10:56:07.109 q662b02abbeb9.smd File(s) are INFECTED [ [ TROJ_GOLDUN.G](1) in M:\IMail\spool\proc\work\D644C0~1.VIR\0.rar,(MsWindowsUpdate.exe): 1]
10/28/2005 10:56:07.109 q662b02abbeb9.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 94832]
10/28/2005 10:56:07.109 q662b02abbeb9.smd From: xxx To: xxx [incoming from xxx]
10/28/2005 10:56:07.109 q662b02abbeb9.smd Subject: Important Notification
=
10/28/2005 10:56:22.171 q664302abbecd.smd Vulnerability flags = 0
10/28/2005 10:56:23.750 q664302abbecd.smd Virus scanner 1 reports exit code of 3
10/28/2005 10:56:23.750 q664302abbecd.smd Scanner 1: Virus= HTML/[EMAIL PROTECTED] Attachment= [16] I
10/28/2005 10:56:24.625 q664302abbecd.smd Virus scanner 2 reports exit code of 1
10/28/2005 10:56:24.625 q664302abbecd.smd Scanner 2: Virus= [ HTML_Netsky.P](1) in M:\IMail\spool\proc\work\D66430~1.VIR\0,(NONAMEFL) Attachment= [16] I
10/28/2005 10:56:24.625 q664302abbecd.smd File(s) are INFECTED [ [ TROJ_GOLDUN.G](1) in M:\IMail\spool\proc\work\D644C0~1.VIR\0.rar,(MsWindowsUpdate.exe): 1]
10/28/2005 10:56:24.625 q664302abbecd.smd Scanned: CONTAINS A VIRUS
10/28/2005 10:56:24.625 q664302abbecd.smd From: xxx To: xxx [incoming from xxx]
10/28/2005 10:56:24.625 q664302abbecd.smd Subject: Mail delivery failed: returning message to sender
=

Bill

- Original Message -
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
To:
Sent: Friday, October 28, 2005 9:37 AM
Subject: [Declude.Virus] Virus name reported as different than what scanner detected.

Anyone seen this before? The message (attachment) has the W97M/Thus Virus and is detected by McAfee as having such, but the final virus string somehow ends up at Netsky?

Darrell

x:\imail\spool>grep -i q41c378d5099ed6c9.smd vir1028.log
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd Vulnerability flags = 0
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd MIME file: HD New Look list.doc [base64; Length=59 904 Checksum=2996157]
10/28/2005 11:21:10.750 q41c378d5099ed6c9.smd Virus scanner 1 reports exit code of 0
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Virus scanner 2 reports exit code of 13
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Scanner 2: Virus= the W97M/Thus.gen Attachment=HD New Look List.doc [11] I
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 13]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Scanned: CONTAINS A VIRUS [MIME: 2 60102]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [ incoming from 64.207.161.182]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Subject: Here we go Again - Proposal

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Virus name reported as different than what scanner detected.
A little more checking and this seems to be happening on any message infected with a virus.

Possible bug... Running 3.x, AVAFTERJM, with EXITSCANONVIRUSDETECT ON

10/28/2005 00:39:56.359 qab8ff7a40618ffdf.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
10/28/2005 00:41:47.968 qabfaf7c50618004e.smd Virus scanner 1 reports exit code of 3
10/28/2005 00:41:47.968 qabfaf7c50618004e.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-details.zip [11] O
10/28/2005 00:41:47.984 qabfaf7c50618004e.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
10/28/2005 00:56:05.015 qaf506d06099e03ac.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-password.zip [11] O
10/28/2005 00:56:05.015 qaf506d06099e03ac.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]

Darrell ([EMAIL PROTECTED]) writes:

Anyone seen this before? The message (attachment) has the W97M/Thus Virus and is detected by McAfee as having such, but the final virus string somehow ends up at Netsky?

Darrell

x:\imail\spool>grep -i q41c378d5099ed6c9.smd vir1028.log
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd Vulnerability flags = 0
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd MIME file: HD New Look list.doc [base64; Length=59 904 Checksum=2996157]
10/28/2005 11:21:10.750 q41c378d5099ed6c9.smd Virus scanner 1 reports exit code of 0
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Virus scanner 2 reports exit code of 13
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Scanner 2: Virus= the W97M/Thus.gen Attachment=HD New Look List.doc [11] I
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 13]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Scanned: CONTAINS A VIRUS [MIME: 2 60102]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [ incoming from 64.207.161.182]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Subject: Here we go Again - Proposal

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Virus name reported as different than what scanner detected.
Anyone seen this before? The message (attachment) has the W97M/Thus Virus and is detected by McAfee as having such, but the final virus string somehow ends up at Netsky?

Darrell

x:\imail\spool>grep -i q41c378d5099ed6c9.smd vir1028.log
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd Vulnerability flags = 0
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd MIME file: HD New Look list.doc [base64; Length=59 904 Checksum=2996157]
10/28/2005 11:21:10.750 q41c378d5099ed6c9.smd Virus scanner 1 reports exit code of 0
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Virus scanner 2 reports exit code of 13
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Scanner 2: Virus= the W97M/Thus.gen Attachment=HD New Look List.doc [11] I
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 13]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Scanned: CONTAINS A VIRUS [MIME: 2 60102]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [ incoming from 64.207.161.182]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Subject: Here we go Again - Proposal

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
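The comparison made by eye in this thread, each `Scanner N: Virus=` line against the `File(s) are INFECTED [...]` line for the same spool file, written out as an added example; it is not part of the original posts and is not Declude's own code. The regular expressions assume the log layout seen in the quoted excerpts, and the sample lines, spool names and TEST/* virus names are constructed.

```python
import re

# Constructed sample, laid out like the vir*.log excerpts quoted in this thread.
# Spool names and the TEST/* virus names are invented for the example.
SAMPLE_LOG = """\
10/28/2005 11:00:01.000 qaaaa0001.smd Virus scanner 1 reports exit code of 3
10/28/2005 11:00:01.010 qaaaa0001.smd Scanner 1: Virus= TEST/Alpha.A Attachment=report.zip [11] I
10/28/2005 11:00:01.020 qaaaa0001.smd File(s) are INFECTED [ TEST/Alpha.A: 3]
10/28/2005 11:00:05.000 qbbbb0002.smd Virus scanner 1 reports exit code of 0
10/28/2005 11:00:05.500 qbbbb0002.smd Virus scanner 2 reports exit code of 13
10/28/2005 11:00:05.510 qbbbb0002.smd Scanner 2: Virus= TEST/Beta.B Attachment=list.doc [11] I
10/28/2005 11:00:05.520 qbbbb0002.smd File(s) are INFECTED [ TEST/Alpha.A: 13]
10/28/2005 11:00:09.000 qcccc0003.smd File(s) are INFECTED [ TEST/Gamma.C: 3]
10/28/2005 11:00:09.010 qcccc0003.smd Subject: constructed line, ignored by the audit
"""

# Assumed layout: "<date> <time> <spool file> <message>", as in the excerpts.
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+\.smd) (.*)$")
SCANNER_RE = re.compile(r"^Scanner (\d+): Virus= (.*?) Attachment=.* \[\d+\] [IO]$")
INFECTED_RE = re.compile(r"^File\(s\) are INFECTED \[ (.*): (\d+)\]$")


def _norm(name):
    """Collapse whitespace and case so only real name differences count."""
    return " ".join(name.split()).casefold()


def audit_virus_names(log_text):
    """Compare each message's final INFECTED name with its scanners' names.

    Returns one dict per "File(s) are INFECTED" line, in log order, with
    status "match", "mismatch", or "unverified" (no Scanner line for that
    spool file in the text, e.g. because the excerpt was grepped).
    """
    reported = {}  # spool file -> names reported by its scanners
    finals = []    # (spool file, final name, exit code)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        spool, msg = m.groups()
        s = SCANNER_RE.match(msg)
        if s:
            reported.setdefault(spool, []).append(s.group(2).strip())
            continue
        f = INFECTED_RE.match(msg)
        if f:
            finals.append((spool, f.group(1).strip(), int(f.group(2))))

    results = []
    for spool, final, code in finals:
        own = reported.get(spool, [])
        if not own:
            status = "unverified"
        elif _norm(final) in {_norm(n) for n in own}:
            status = "match"
        else:
            status = "mismatch"
        # For a mismatch, list other spool files whose scanners did report
        # the name that ended up in this message's final string.
        others = []
        if status == "mismatch":
            others = sorted(
                other for other, names in reported.items()
                if other != spool and _norm(final) in {_norm(n) for n in names}
            )
        results.append({
            "spool": spool,
            "final": final,
            "exit_code": code,
            "reported": list(own),
            "status": status,
            "also_reported_for": others,
        })
    return results


if __name__ == "__main__":
    for r in audit_virus_names(SAMPLE_LOG):
        if r["status"] != "match":
            print(r["spool"], r["status"], "final:", r["final"],
                  "scanners:", r["reported"], "seen for:", r["also_reported_for"])
```

Run against a whole day's log rather than a grep for one spool file, so that the scanner lines for every message are available to compare.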
[Declude.Virus] Multiple Anti-virus Vendor Detection Bypass
(4) MODERATE: Multiple Anti-virus Vendor Detection Bypass Affected: Multiple AV vendors including McAfee, Trend Micro, Kaspersky, Sophos, CA, Panda. Description: Multiple anti-virus engines reportedly contain a vulnerability that can lead to bypassing detection of malware in ".bat", ".html" and ".eml" files. The problem occurs because the detection engines stop processing these files if they are tagged with a fake executable file header. Note that with the increase in client-side attacks, bypassing malicious HTML detection may lead to spread of spyware and other malware on desktop systems. Multiple proof of concept examples have been posted. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Title: Clam Anti-Virus File Handling Denial Of Service
FYI - for those using clam...

05.42.21
CVE: Not Available
Platform: Cross Platform
Title: Clam Anti-Virus File Handling Denial Of Service
Description: ClamAV is an anti-virus application. It is vulnerable to a denial of service issue due to a failure in the application to handle malformed OLE2 files. The problem presents itself when malformed OLE2 files (DOC files) are being scanned. Clam Anti-Virus ClamAV 0.87 -1 is vulnerable.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333566

Darrell
Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
Please no talk about sharp objects - I just had a vasectomy a couple of hours ago - oh the pain...

Darrell

- Original Message -
From: "John T (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 11, 2005 5:00 PM
Subject: RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

What is wrong with sharp objects? They make nice clean cuts. Now, it's the blunt ones that I worry about.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, October 11, 2005 1:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

I block all encrypted zips based on the fact that I can't virus scan them. But then again I'm slightly paranoid and should not be trusted with sharp objects.

- Original Message -----
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 11, 2005 3:08 PM
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

> So it's this forum's consensus that if I have PRO I should not block all EZIPs - I should just block the other extensions even if they are found within ZIP files?
>
> I do send out notices when a file gets blocked, but I don't have a requeue script in place. I'll search for one and see what I can do. Thanks.
>
> Darin Cox wrote:
>
>> If you have Declude Virus/EVA Pro you can switch to banning extensions within zips. With Standard, you may want to continue to ban encrypted zips.
>>
>> In either case, you will probably want to send out notices for banned files, notifying the intended recipient that a file sent to them was blocked. Include a link in the notification for them to requeue the message if it was legit and they want to receive it. Scripts to requeue messages have been posted to the list in the past, but they are very simple to create by just moving the Q and D files back to the spool directory... possibly going as far as launching the SMTP32 process to immediately send the message if you don't want your user to wait for the next queue run.
>>
>> Darin.
>>
>> - Original Message -
>> From: "Kevin Rogers" <[EMAIL PROTECTED]>
>> To:
>> Sent: Tuesday, October 11, 2005 1:26 AM
>> Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
>>
>> We're looking for a simple way to opportunistically allow our users to encrypt or password-protect certain emails and/or their attachments that contain sensitive data. We're running Declude Pro and have banned EZIP extensions (the highly recommended suggestion from several people on this forum), so that kinda rules out PKZIP and any kind of ZIP program (because as soon as you password-protect a ZIP file, it becomes an EZIP file). We looked at PGP, but it seems very complex and seems to require a hardware proxy in between our mail server and the Net. Is there a simple and effective way to encrypt or password protect documents for email transmission that doesn't cause problems with Imail or Declude and doesn't require software to be installed on the recipient's end?
>>
>> Thanks.
>>
>> Kevin
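One way to write the requeue step Darin describes, as an added example that is not code from the list or from Declude: it moves a held Q/D pair back to the spool only after the message data passes a virus scan, since mail held before scanning under AVAFTERJM would otherwise go out unscanned. The function names, the hex-only id check, the D-before-Q move order and the use of `clamscan` are this example's assumptions.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Spool ids shown on this page are hex strings; anything else is refused so an
# id taken from a requeue link cannot point outside the hold folder.
ID_RE = re.compile(r"[0-9A-Fa-f]{8,32}")


def clamscan_clean(path):
    """True only if clamscan exits 0 (clean). 1 = infected, 2 = error."""
    try:
        result = subprocess.run(
            ["clamscan", "--no-summary", str(path)],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except OSError:
        return False  # scanner missing or not runnable: fail closed
    return result.returncode == 0


def find_pair(hold_dir, msg_id):
    """Locate Q<id>.smd and D<id>.smd, ignoring case (3.0 lower-cases names)."""
    found = {"q": None, "d": None}
    suffix = msg_id.lower() + ".smd"
    for entry in Path(hold_dir).iterdir():
        name = entry.name.lower()
        if entry.is_file() and name[:1] in found and name[1:] == suffix:
            found[name[0]] = entry
    return found["q"], found["d"]


def requeue(hold_dir, spool_dir, msg_id, scan=clamscan_clean):
    """Move a held message back to the spool only if it scans clean.

    `scan` is any callable taking a path and returning True for clean.
    Returns a short status string so a caller can log the outcome.
    """
    if not ID_RE.fullmatch(msg_id):
        return "rejected: bad id"
    q_file, d_file = find_pair(hold_dir, msg_id)
    if q_file is None or d_file is None:
        return "rejected: incomplete pair"
    if not scan(d_file):
        return "rejected: scan failed or infected"
    spool = Path(spool_dir)
    # Data file first, so a queue run never finds a Q file without its D file
    # (this ordering is the example's choice, not documented IMail behaviour).
    shutil.move(str(d_file), str(spool / d_file.name))
    shutil.move(str(q_file), str(spool / q_file.name))
    return "requeued"
```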
Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
Kevin,

I thought PGP had a desktop version that integrates directly with Outlook?

Darrell

Kevin Rogers writes:

> We're looking for a simple way to opportunistically allow our users to encrypt or password-protect certain emails and/or their attachments that contain sensitive data. We're running Declude Pro and have banned EZIP extensions (the highly recommended suggestion from several people on this forum), so that kinda rules out PKZIP and any kind of ZIP program (because as soon as you password-protect a ZIP file, it becomes an EZIP file). We looked at PGP, but it seems very complex and seems to require a hardware proxy in between our mail server and the Net. Is there a simple and effective way to encrypt or password protect documents for email transmission that doesn't cause problems with Imail or Declude and doesn't require software to be installed on the recipient's end?
>
> Thanks.
>
> Kevin
[Declude.Virus] Bitdefender Vulnerability
FYI - For those using Bitdefender -

05.40.20
CVE: Not Available
Platform: Cross Platform
Title: BitDefender Antivirus Logging Function Format String Vulnerability
Description: BitDefender Antivirus is a proprietary antivirus product for multiple platforms. It is vulnerable to a format string issue in its logging functionality. This issue is due to a failure of the application to properly sanitize user-supplied input prior to passing it as the format specifier to a formatted printing function. A remote attacker may leverage this issue to write to arbitrary process memory, facilitating code execution and privilege escalation. BitDefender versions 7.2, 8, and 9 for Windows are reported vulnerable. Other versions and platforms may also be affected.
Ref: http://www.securityfocus.com/bid/14968/info
Re: [Declude.Virus] Possible new virus
McAfee released this within the last hour -

Advisory
This is a Medium Threat Advisory for W32/[EMAIL PROTECTED]

Justification
W32/[EMAIL PROTECTED] has been deemed Medium due to prevalence.

Read About It
Information about W32/[EMAIL PROTECTED] is located on VIL at: http://vil.nai.com/vil/content/v_136390.htm

Detection
W32/[EMAIL PROTECTED] was first discovered on October 5, 2005 and detection will be added to the 4598 dat files (Release Date: October 5, 2005). The EXTRA.DAT IS AVAILABLE.

If you suspect you have W32/[EMAIL PROTECTED], please submit a sample to http://www.webimmune.net.

Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended Actions please see: http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm

Best Regards,
McAfee AVERT - Anti Virus and Vulnerability Research, Analysis, and Solutions
visit us at www.avertlabs.com

---
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus. Download it today - http://www.invariantsystems.com.

- Original Message -
From: Darrell ([EMAIL PROTECTED])
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:46 PM
Subject: Re: [Declude.Virus] Possible new virus

A lot got through today with that one, but it's being caught by F-Prot now.

10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=pword_change.zip [12] O

My first hit was at 20:02 EST tonight.

Darrell

- Original Message -
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:33 PM
Subject: [Declude.Virus] Possible new virus

We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg.

Subject is "Your new Password"

All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.
Re: [Declude.Virus] Possible new virus
A lot got through today with that one, but it's being caught by F-Prot now.

10/05/2005 22:06:18 Q86937B8E01F27E50 MIME file: pword_change.zip [base64; Length=113709 Checksum=13075286]
10/05/2005 22:06:18 Q86937B8E01F27E50 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=pword_change.zip [12] O

My first hit was at 20:02 EST tonight.

Darrell

- Original Message -
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:33 PM
Subject: [Declude.Virus] Possible new virus

We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg.

Subject is "Your new Password"

All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.
Re: [Declude.Virus] Version 3.0.5.5
Harry,

The message on my system just said you need to remove the last version. Once I did that and re-ran the update all was well.

Darrell

Harry Vanderzand writes:

I downloaded this update
stopped decludeproc
ran the update
got message: Another version is already running, cannot update
what's up with that?

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Billman
Sent: Thursday, September 29, 2005 2:53 PM
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Subject: [Declude.Virus] Version 3.0.5.5

Declude Version 3.0.5.5 is available on the website for download. There are two changes from version 3.0.5.3

1. Fix for special character scanning causing abnormal termination. Special thanks to John Tolmachoff for identifying and helping us fix this nasty.
2. For SmarterMail only. Correctly handle parsing the XML file for the email installation path.

SY,
Bill Billman
Declude
Re: [Declude.Virus] ...Change after Upgrade in the case (upper/lower) of letters in D & Q files
Jeff,

Yes that is normal with the 3.0 upgrade. It is just a cosmetic change and does not really impact anything.

Darrell

Jeff writes:

I have no idea if this is of any importance as all appears to be working well, but after upgrading while I was reviewing messages held in my SPAM and ViRUS folders I noticed that all of the letters in the Q & D files (with the exception of the D that begins a D file) are now in lower case as shown below. Has anyone else noticed this?

After Declude Upgrade
D3a5001f80247.smd
q3a5001f80247.smd

Before
D2B3A0DEC2046.SMD
Q2B3A0DEC2046.SMD
[Declude.Virus] Invariant Systems MRTG Scripts Updated For Declude 3.0
Our MRTG scripts that we make available for Declude users have been updated for the new log format of Declude 3.0. The programs are provided free and "as is". They can be downloaded from our site listed in the tag line. Any questions let me know.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted
I think it really depends on your volume if you will see this. Also, if you have already tweaked your "WAITFORMAIL" you may not see it as well.

On my system during off peak hours I get on average between 75-100 messages per minute. What you will see is Declude will spawn up to 20 or so threads (I modified my threads value to keep up with volume) and process the messages. Once the decludeproc finishes processing that round of messages it will stop using any CPU time and sit idle for roughly 30 seconds. Once it sleeps for 30 seconds it will start to process messages again.

See snippet of log

09/22/2005 21:38:43.703 q5c96523a026274b2.smd Successfully move [x:\IMail\spool\proc\work\q5c96523a026274b2.smd] to [x:\SPAM-HOLD\22Sep2005\q5c96523a026274b2.smd]
09/22/2005 21:39:08.968 q5c646c64029c7469.smd CFG: Set hop to 0.

What occurs on my system is that the initial process completes and there are still messages in the /proc directory, but instead of grabbing more messages out of the /proc directory Declude goes to sleep. During the time it sleeps even more messages come in. Essentially what occurs is the amount of mail in the /proc folder just climbs steadily. Now I switched the "WAITFORMAIL" setting down to 1 second, but under those settings it appears to chew up an inordinate amount of CPU. I am still tweaking the values for a balance.

The box is a Dell PowerEdge 2600 Dual Xeon with HT enabled with 4GB of RAM. Fresh install of Windows 2003 running Imail 8.15 HF 2. The box is only used for gatewaying.

I guess the moral of the story is you would not really see this (if it affects you) only if the volume the box is processing is more than what the normal /work queue runs can handle. You could probably easily test this by increasing your "WAITFORMAIL" setting to a couple of minutes. If you are not affected by this then your system will continue to function properly and process the mail in the /proc folder as it should. If it is affected by it you would see files still in the proc folder and Declude go to sleep for that specified period of time. The key thing is that you would have to watch the proc folder since normal operation would be for the decludeproc service to go to sleep if no files existed in the folder.

Darrell

Andy Schmidt writes:

Hi Nick:

I'm only repeating what I'm told - I don't have factual information on my own.

There have been several reports on this list that describes the following problem with dual-processor systems:

Declude is supposed to check the /proc folder and ONLY go to sleep (for 30 seconds), if the folder contains no messages.

On systems that have that problem, Declude goes to sleep even though there ARE messages to process. The result is, that messages are queuing up and never get processed.

There is a parameter to set the sleep time low (e.g. 1 second), this way, the effect of the problem is less - but now Declude doesn't go to sleep when it actually could - with a possible impact on resource consumption.

(Of course, the question is why this appears to be related to dual-processor systems. Maybe one process still has an access lock against the first file in the "proc" folder and another process doesn't handle that error condition right - who knows.)

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Friday, September 23, 2005 08:15 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted

Hi Andy,

Andy Schmidt wrote:

> Thanks Bill. I had gotten the impression as if everyone with dual-processor system was reporting this and that people were still seeing it with the latest version.

If you will, would you let me know more about this issue. I haven't been following exactly so I do not know what I should be looking for :) I have 3.0.4.4 running on my quad processor [with hyper threading] box without any problems - at least as far as I can tell. If I'm missing something I will revert back to 2.0.6.16 in a heartbeat!

-Nick
Re: [Declude.Virus] Declude Beta 3.0.4.4 Posted
> The directives are for tuning both single and multiprocessor systems. They are not meant as a tradeoff. Some multiprocessor systems do not exhibit the reported sleep for 30 seconds behavior. We have not been able to reproduce it ourselves.

I can produce it on my machine even on version 3.0.4.4. David was also provided remote access to my machine and saw this issue occur when I first reported it under the early beta.

> It's hard to fix something that we can't reproduce but we will keep trying. It's not even clear to me that this problem still exists in the latest version.

I posted earlier (and to the [EMAIL PROTECTED]) that the problem still exists in the latest beta. Again, I can provide remote access to this machine if needed. You can mitigate the effects of this issue by adjusting the waitformail, but it seems to cause more cpu related usage. What concerns me even more than the obvious issue with multiprocessor machines is its excessive use of CPU. This is also included in my beta notes.

Darrell

-Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, September 22, 2005 7:56 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

Hi David,

I can't help but ask... You are proposing options that will "help" with the dual processor issue. But, are you REPRODUCING the issue and fixing it?

I understand that the problem is that the service goes to sleep for 30 seconds, even though there are messages in the PROC folder. Clearly that should not happen. Changing the "timings" will only create a trade-off by consuming extra machine-resources. Even on a dual-processor system should the service be able to determine reliably if a folder has content or not?

I'm just worried that the beta is declared "successful" when an entire class of machines is only working with a bandage.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 12:28 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

Yes, these are to help adjust for timing with Dual-proc

Different systems / configuration respond differently to these settings. In particular they help to fine tune through-put with CPU utilization.

1. SLOW server that is heavily loaded
You may want to try to increase WAITBETWEENTHREADS and lower THREADS.

2. FAST server
Use the THREADS and WAITFORTHREADS to adjust the CPU utilization.

When decludeproc first starts up it will use a lot of the CPU but after that the %CPU used by decludeproc should come way down. The %CPU of all processes running may be high depending on external tests, other processes, etc. If the system is spiking but coming down quickly that's good.

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Thursday, September 22, 2005 12:27 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Declude Beta 3.0.4.4 Posted

David,

Are these to be used to correct issues with Dual-proc, or is that still an ongoing issue still being looked at? Thanks for the time.

Keith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 11:41 AM
To: Declude.JunkMail@declude.com; Declude.Virus@declude.com
Subject: [Declude.Virus] Declude Beta 3.0.4.4 Posted

2 new Directives

WAITFORTHREADS 1500
Located in the Declude.cfg - Defined in milliseconds, e.g. 1500 = 1.5 seconds. This can be changed so that when the maximum threads are in use this time specifies the wait before checking to launch more threads.

WAITBETWEENTHREADS 1
Located in the Declude.cfg - Defined in milliseconds, e.g. 1 = 1 millisecond. The time to wait between spawning one thread and starting to process another thread.

David B
www.declude.com
Re: [Declude.Virus] AVAFTERJM ?
Marcel,

"AVAFTERJM ON" goes in the virus.cfg file and it makes AV run after JM as you suspected. Several of us run this mode for the reason you cited. The only deal you have to remember is if something is trapped by JM and you put it back in the queue it will not be virus scanned.

Darrell

invURIBL - Intelligent URI filtering plug-in for Declude. Try it today http://www.invariantsystems.com

Marcel Sangers writes:

Hello all,

We make use of the latest Declude version (spam+virus) Pro. What does the AVAFTERJM option do? Antivirus scanning after Junkmail I suppose? What is the default? First scanning viruses followed by scanning for spam? Due to the large amounts of spam I would suggest first filtering out spam followed by possible viruses? Is that correct?

Regards,
Marcel
Re: [Declude.Virus] Imail 8.21 with Declude Virus & Spam, Sniffer, AVG and F-Prot
> * Processor load: sometimes for minutes a processor load of 100% (lots of declude.exe, avgscan.exe and like l08w987.exe (from sniffer) processes)
> >a System process that fills up to 100%. In those periods there is no System Idle processor time.

Does not really indicate a problem per se. In general some options you can look at is AVAFTERJM and run Virus checking after Spam Filtering. I have seen this help some servers a lot that were running multiple scanners that were very cpu intensive. What is your mail volume? This is important since you only have a P3 1GHZ.

> * Recv.blocking call cancelled: it seems that to particular domains we get recv.blocking call cancelled after a few minutes or MX connect failed. What could be the problem? When I do a speedtest(.nl) from this server the (upload) speed is very low compared to other servers, in the same network segment at the same backbone, behind the same firewall.

This can be a whole slew of things from NIC speed/duplex settings. If you are seeing poor performance on the speed tests I would check your settings on the card and switch to make sure you are not suffering from a mismatch.

> * Need to upgrade declude? Current version in use is 1.79

Yes - earlier versions of Declude have issues with 8.2x. Right now 3.0 for Declude is in beta and is supposed to fix the 8.2 incompatibilities.

> * Need to upgrade AVG or F-Prot (7.0.344 and F-Prot 3.15)

Not sure on AVG, but there are newer versions of F-Prot.

> * Advise to use other virusscanners in combination with Imail & Declude Virus?

The two you have are fine.

> * Sniffer (Sortmonster) uses lots of processor load? Also at your place?

It uses about 20%, but for VERY SHORT periods. Nothing out of the ordinary. Also, look into using the persistent version of sniffer; this really helps out in higher volume servers.

Darrell
Re: [Declude.Virus] Declude Beta 3.0.3.8 Available
David,

Any progress on the issues we've seen under multi-processor environments?

Darrell

David Barker writes:

If you are running the Declude Beta please upgrade to 3.0.3.8 and send feedback to [EMAIL PROTECTED]

David B
www.declude.com
Re: [Declude.Virus] blocking eml and msg attachemtns
Also, any emails that are mime/base64 encoded should be mime decoded by the AV scanner. I know McAfee has that option which we enable.

Darrell

Darin Cox writes:

With Declude 1.82, we haven't had any trouble with decoding and blocking viruses or banned attachments in attached .eml or .msg files.

We wouldn't block them separately because of all of forwarded messages sent as attachments, both by us, AOL feedback loops, and by our users.

Darin.

- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, September 14, 2005 1:32 PM
Subject: [Declude.Virus] blocking eml and msg attachemtns

What are others thoughts on blocking eml and msg attachments?

If there is an eml or msg attachment which has an executable or virus attachment, will Declude properly decode it and will it be scanned for viruses and banned attachments?

John T
eServices For You
Re: [Declude.Virus] Sudden Internet Slowdown
Here is the dirt: From RIPE: descr:Telefonica Wholesale International Service members: AS12956 It appears at the moment that Telefonica have advertised announcements from their customer 26210 of some /8's rather than blocked them as they should (including 12/8). Sprint and GX are propagating it because they are treating Telefonica as though it had the policies in place it should, perhaps that will change. Darrell Heimir Eidskrem writes: Maybe this might be a factor too: AT&T Network Outage <http://isc.sans.org/diary.php?storyid=658> Published: 2005-09-09, Last Updated: 2005-09-09 15:33:09 UTC by Johannes Ullrich (Version: 2(click to highlight changes) <http://isc.sans.org/diary.php?compare=1&storyid=658>) According to notes from users, and Keynote <http://scoreboard.keynote.com/scoreboard/Main.aspx?Login=Y&Username=publi c&Password=public>, AT&T is currently experiencing outages across its network. We do not have any details right now. This outage may affect the latency or reachability for a large number of sites. AT&T's own network status <http://www.renesys.com/products_services/gradus_interactive.html> page shows no problems. Colbeck, Andrew wrote: According to this: http://loadrunner.uits.iu.edu/weathermaps/abilene/ Most of the major links on the Internet are very busy. Interestingly, the Houston-Atlanta link is back up, and was hard down due to Katrina for a week. Andrew 8) -----Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Friday, September 09, 2005 8:30 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Sudden Internet Slowdown Hello all! This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere. 
Thanks, Rodney Bertsch --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.Virus] Beta program Updates
For all participants of the Beta Program Regular updates regarding the Beta Program are available through the customer log in option at https://www.declude.com/myaccount.asp? Select the beta Program link. Barry
[Declude.Virus] Declude 3.0 Beta for IMail and Summer Sales Promotion
Declude 3.0 Beta for IMail - The beta software is now available through the regular log-in http://www.declude.com/myaccount.asp? And follow the link for 'Beta Program'. Please be sure to read the notes with this beta before downloading and installing the software. Declude 3.0 Beta for SmarterMail will follow shortly. Summer Sales Promotion - This will end at 12 midnight (CST) on August 31, 2005. Any orders time stamped on our server before the deadline will be eligible for the appropriate upgrade or discount. If you have any questions please call us at (866) 332-5833 between 8.00am and 5.00pm Eastern Time. Best regards Barry
Re: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up
Slap on the wrist and his friends got paid for turning him in... Looks like a win-win for all of them. Darrell John Tolmachoff (Lists) writes: So the virus writer got a slap on the wrist. Boy, that will sure send a message to would be virus writers. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, July 08, 2005 11:40 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up Well, the speculation on whether Microsoft would make good on their bounty to Sven Jaschen's "friends" is over. http://www.f-secure.com/weblog/ Andrew 8) Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.Virus] Limit Size of message to be scanned?
Grant, Here are the links to the messages Org - http://www.mail-archive.com/declude.junkmail@declude.com/msg24792.html Update - http://www.mail-archive.com/declude.junkmail@declude.com/msg24977.html Hope this helps Darrell --- DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus. http://www.invariantsystems.com Grant Griffith writes: Hey All, Is there a known issue with Declude 2.0.6.16 and Imail 8.2? I recall reading something a few weeks ago about a possible issue and we did just upgrade toward the end of last week. I scanned the archives, but did not find anything specific. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith Sent: Friday, July 08, 2005 9:38 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Limit Size of message to be scanned? Thanks Darrell, I knew the setting was there somewhere, but kept overlooking it. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, July 08, 2005 9:34 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Limit Size of message to be scanned? Grant, What I do is set the "Single Message Size" under the domain. The limit I have in place for most of my sites I maintain is between 10MB - 20MB. If this is a store and forward server you can set this on the primary domain of the server and it affects all of the domains you gateway for. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Grant Griffith writes: Darrell, How can I do this on the Imail end? I can limit attachments sent thru Web Messaging, but not via Outlook or anything else. At least I can not find any settings for that. 
Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000 -Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, July 08, 2005 9:13 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Limit Size of message to be scanned? Grant, There is nothing native to Declude to prevent that - the only real option besides something custom is to limit the size at the imail layer. Darrell InvURIBL - Intelligent URL filtering - stops 85% of spam with the default configuration. http://www.invariantsystems.com Grant Griffith writes: Yep, we had one client send a 50+ and 45+ at the same time. That is about the same time the system locked up. It is a Dual Pentium 3.6 processors with at least 2 gig of memory. I would have hoped it could keep up, but seems to be a pattern this week whenever huge emails get sent thru the server, it locks up and needs rebooted to fix it. How does anyone else handle this? I would guess there would be a way to not scan messages over a certain size Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000 _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, July 08, 2005 2:05 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Limit Size of message to be scanned? 50 MB e-mail attachments? Youch! John T eServices For You -Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith Sent: Thursday, July 07, 2005 8:36 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] Limit Size of message to be scanned? Hello All, Is there a way to limit the size of the message that Declude/F-Prot can scan? We have some customers that are sending 50+ meg files and it is causing our servers to have major issues. Is there a setting to say skip anything over a certain size? Either in F-Prot or Declude? 
We fixed it currently by setting it to OFF for certain domains, but really want to ban extensions and vulnerabilities for those domains.. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000
Re: [Declude.Virus] Limit Size of message to be scanned?
Grant, What I do is set the "Single Message Size" under the domain. The limit I have in place for most of my sites I maintain is between 10MB - 20MB. If this is a store and forward server you can set this on the primary domain of the server and it affects all of the domains you gateway for. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Grant Griffith writes: Darrell, How can I do this on the Imail end? I can limit attachments sent thru Web Messaging, but not via Outlook or anything else. At least I can not find any settings for that. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000 -Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, July 08, 2005 9:13 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Limit Size of message to be scanned? Grant, There is nothing native to Declude to prevent that - the only real option besides something custom is to limit the size at the imail layer. Darrell InvURIBL - Intelligent URL filtering - stops 85% of spam with the default configuration. http://www.invariantsystems.com Grant Griffith writes: Yep, we had one client send a 50+ and 45+ at the same time. That is about the same time the system locked up. It is a Dual Pentium 3.6 processors with at least 2 gig of memory. I would have hoped it could keep up, but seems to be a pattern this week whenever huge emails get sent thru the server, it locks up and needs rebooted to fix it. How does anyone else handle this? 
I would guess there would be a way to not scan messages over a certain size Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000 _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, July 08, 2005 2:05 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Limit Size of message to be scanned? 50 MB e-mail attachments? Youch! John T eServices For You -Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith Sent: Thursday, July 07, 2005 8:36 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] Limit Size of message to be scanned? Hello All, Is there a way to limit the size of the message that Declude/F-Prot can scan? We have some customers that are sending 50+ meg files and it is causing our servers to have major issues. Is there a setting to say skip anything over a certain size? Either in F-Prot or Declude? We fixed it currently by setting it to OFF for certain domains, but really want to ban extensions and vulnerabilities for those domains.. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000
Re: [Declude.Virus] Limit Size of message to be scanned?
Grant, There is nothing native to Declude to prevent that - the only real option besides something custom is to limit the size at the imail layer. Darrell InvURIBL - Intelligent URL filtering - stops 85% of spam with the default configuration. http://www.invariantsystems.com Grant Griffith writes: Yep, we had one client send a 50+ and 45+ at the same time. That is about the same time the system locked up. It is a Dual Pentium 3.6 processors with at least 2 gig of memory. I would have hoped it could keep up, but seems to be a pattern this week whenever huge emails get sent thru the server, it locks up and needs rebooted to fix it. How does anyone else handle this? I would guess there would be a way to not scan messages over a certain size Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000 _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, July 08, 2005 2:05 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Limit Size of message to be scanned? 50 MB e-mail attachments? Youch! John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith Sent: Thursday, July 07, 2005 8:36 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] Limit Size of message to be scanned? Hello All, Is there a way to limit the size of the message that Declude/F-Prot can scan? We have some customers that are sending 50+ meg files and it is causing our servers to have major issues. Is there a setting to say skip anything over a certain size? Either in F-Prot or Declude? We fixed it currently by setting it to OFF for certain domains, but really want to ban extensions and vulnerabilities for those domains.. Thanks, Grant Griffith EI8HTLEGS, A Division of ETC (812)932-1000
Re: [Declude.Virus] Declude Failed To Initialize Properly
See - http://www.mail-archive.com/declude.junkmail@declude.com/msg24938.html I posted about this issue a couple of times. We are currently waiting on a fix - but this is the cause from what I can see from the debug logs. Darrell --- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com - Original Message - From: "Avolve Support" <[EMAIL PROTECTED]> To: Sent: Wednesday, July 06, 2005 5:36 PM Subject: [Declude.Virus] Declude Failed To Initialize Properly Has anyone had this message box pop up on their server and if so has anyone found a workaround for the problem ? The application failed to intialize properly (0xc142). Click on OK to terminate the application. Running Imail 8.20 - 2005.04.12.23 with hotfix 2 and the latest beta of Declude 2.0.6.16 and had 2.0.6 but it did the same thing. Running 700mhz Pentium III with 384Megs, plenty of drive space and do not receive that much email. I'm trying to play with the queue manager, but haven't found a combination yet that stops this problem. Thanks and praise for a fix, it's driving me insane. Sent via the WebMail system at avolve.net --- [This E-mail scanned for viruses by Declude Virus By Avolve.net]
[Declude.Virus] ClamAV Cabinet File Parsing Remote Denial of Service
FYI - For those who have not seen this and are running ClamAV. 05.26.8 CVE: CAN-2005-1923 Platform: Cross Platform Title: ClamAV Cabinet File Parsing Remote Denial of Service Description: ClamAV is a virus scanning utility. ClamAV is affected by a remote denial of service issue. ClamAV versions 0.85.1 and earlier are known to be vulnerable. Ref: http://www.securityfocus.com/bid/14089 Darrell
Re: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability
Dan, I have been running 2.0.6 with no "major" issues that plague me on a daily basis. The only issue I have encountered is when the server is under high load and Declude spawns processes until the server starts generating errors. Since I upgraded the server it doesn't happen very often. For the install you can grab the package from "your account" on the declude site. The manual install was pretty easy - just install and select manual along with a directory. The upgrade for 2.0.6.16 the last beta is just an exe download. Hope this helps, Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Dan Geiser writes: Hi, Again, I was able to find the "ALLOWVULNERABILITIESFROM" in the Declude Release Notes, http://www.declude.com/Articles.asp?ID=122. It looks like this feature was added in Declude 2.0. But it appears the current version of Declude 2.0.6. Since we are running 1.82 I assume that I'll have to upgrade to 2.0 at least. Is 2.0.6 a safe version to upgrade to in light of the issues people have added with bugs and the like? If so, is there a special place where I can go to get instructions on doing a Manual Upgrade to 2.0.6? Thanks In Advance, Dan Geiser [EMAIL PROTECTED] - Original Message - From: "Dan Geiser" <[EMAIL PROTECTED]> To: Sent: Tuesday, June 28, 2005 3:52 PM Subject: [Declude.Virus] Ignoring "Boundary Space Gap" Vulnerability Hello, All, We are running... Declude 1.82 Declude JunkMail Status: PRO version registered. Declude Virus Status: Standard Version Registered. We have a customer who has an important e-mail which is being blocked by our virus protection with the "Outlook 'Boundary Space Gap' Vulnerability". Is there any way that I can turn off checking for the "Outlook 'Boundary Space Gap' Vulnerability" on either a specific incoming e-mail address or a specific incoming e-mail domain? 
Thanks In Advance, Dan Geiser [EMAIL PROTECTED] --- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)