Re: [Declude.Virus] Virus name reported as different than what scanner detected.

2005-10-28 Thread Bill Landry

Yep, I'm seeing the same thing with Version 3.0.5.12:
=
10/28/2005 10:56:04.343 q662b02abbeb9.smd Vulnerability flags = 0
10/28/2005 10:56:04.343 q662b02abbeb9.smd MIME file: [text/html][7bit; Length=714 Checksum=63910]
10/28/2005 10:56:04.390 q662b02abbeb9.smd MIME file: email-details.zip [base64; Length=93976 Checksum=11204045]
10/28/2005 10:56:04.390 q662b02abbeb9.smd Banning .ZIP file with scr extension.
10/28/2005 10:56:06.156 q662b02abbeb9.smd Virus scanner 1 reports exit code of 3
10/28/2005 10:56:06.171 q662b02abbeb9.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-details.zip [16] I
10/28/2005 10:56:07.109 q662b02abbeb9.smd Virus scanner 2 reports exit code of 1
10/28/2005 10:56:07.109 q662b02abbeb9.smd Scanner 2: Virus= [ WORM_MYTOB.LV](1) in M:\IMail\spool\proc\work\D662B0~1.VIR\0.zip,(email-details.htm .scr) Attachment=email-details.zip [16] I
10/28/2005 10:56:07.109 q662b02abbeb9.smd File(s) are INFECTED [ [ TROJ_GOLDUN.G](1) in M:\IMail\spool\proc\work\D644C0~1.VIR\0.rar,(MsWindowsUpdate.exe): 1]
10/28/2005 10:56:07.109 q662b02abbeb9.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 94832]
10/28/2005 10:56:07.109 q662b02abbeb9.smd From: xxx To: xxx [incoming from xxx]
10/28/2005 10:56:07.109 q662b02abbeb9.smd Subject: Important Notification


=

10/28/2005 10:56:22.171 q664302abbecd.smd Vulnerability flags = 0
10/28/2005 10:56:23.750 q664302abbecd.smd Virus scanner 1 reports exit code of 3
10/28/2005 10:56:23.750 q664302abbecd.smd Scanner 1: Virus= HTML/[EMAIL PROTECTED] Attachment= [16] I
10/28/2005 10:56:24.625 q664302abbecd.smd Virus scanner 2 reports exit code of 1
10/28/2005 10:56:24.625 q664302abbecd.smd Scanner 2: Virus= [ HTML_Netsky.P](1) in M:\IMail\spool\proc\work\D66430~1.VIR\0,(NONAMEFL) Attachment= [16] I
10/28/2005 10:56:24.625 q664302abbecd.smd File(s) are INFECTED [ [ TROJ_GOLDUN.G](1) in M:\IMail\spool\proc\work\D644C0~1.VIR\0.rar,(MsWindowsUpdate.exe): 1]
10/28/2005 10:56:24.625 q664302abbecd.smd Scanned: CONTAINS A VIRUS
10/28/2005 10:56:24.625 q664302abbecd.smd From: xxx To: xxx [incoming from xxx]
10/28/2005 10:56:24.625 q664302abbecd.smd Subject: Mail delivery failed: returning message to sender

=

Bill
- Original Message - 
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>

To: 
Sent: Friday, October 28, 2005 9:37 AM
Subject: [Declude.Virus] Virus name reported as different than what scanner 
detected.



Anyone seen this before?  The message (attachment) has the W97M/Thus 
Virus and is detected by McAfee as having such, but the final virus string 
somehow ends up at Netsky?

Darrell
x:\imail\spool>grep -i q41c378d5099ed6c9.smd vir1028.log
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd Vulnerability flags = 0
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd MIME file: HD New Look list.doc [base64; Length=59904 Checksum=2996157]
10/28/2005 11:21:10.750 q41c378d5099ed6c9.smd Virus scanner 1 reports exit code of 0
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Virus scanner 2 reports exit code of 13
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Scanner 2: Virus= the W97M/Thus.gen Attachment=HD New Look List.doc [11] I
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 13]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Scanned: CONTAINS A VIRUS [MIME: 2 60102]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 64.207.161.182]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Subject: Here we go Again - Proposal




Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, 
MRTG Integration, and Log Parsers.


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
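
Added example (not part of the original posts and not Declude's own code): one way to find every message showing the mismatch discussed in this thread is to compare, per message id, the names on the "Scanner N: Virus=" lines with the name on the final "File(s) are INFECTED" line, and the work directory each one cites. The log layout is assumed from the excerpts above; all ids, virus names and paths in the sample are constructed.

```python
import re

# Constructed sample modelled on the vir*.log excerpts in this thread.
# Message ids, virus names and work directories are placeholders. The last
# two records are wrapped the way a mail client wraps long log lines.
SAMPLE_LOG = r"""
10/28/2005 10:00:01.000 q0000000000a1.smd Virus scanner 1 reports exit code of 3
10/28/2005 10:00:01.010 q0000000000a1.smd Scanner 1: Virus= EXAMPLE/Worm.A Attachment=a.zip [16] I
10/28/2005 10:00:01.020 q0000000000a1.smd File(s) are INFECTED [EXAMPLE/Worm.A: 3]
10/28/2005 10:00:05.000 q0000000000b2.smd Scanner 2: Virus= [ EXAMPLE_WORM.B](1) in M:\IMail\spool\proc\work\D0000B~1.VIR\0.zip,(b.htm .scr) Attachment=b.zip [16] I
10/28/2005 10:00:05.010 q0000000000b2.smd File(s) are INFECTED [ [ EXAMPLE_TROJ.C](1) in M:\IMail\spool\proc\work\D0000A~1.VIR\0.rar,(c.exe): 1]
10/28/2005 10:00:09.000 q0000000000c3.smd Scanner 2: Virus= the
EXAMPLE/Macro.D Attachment=d.doc [11] I
10/28/2005 10:00:09.010 q0000000000c3.smd File(s) are INFECTED [
EXAMPLE/Worm.E: 13]
"""

TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
RECORD = re.compile(r"^\S+ \S+ (\S+\.smd) (.*)$", re.I)
SCANNER = re.compile(r"^Scanner (\d+): Virus=\s*(.*?)\s+Attachment=")
FINAL = re.compile(r"^File\(s\) are INFECTED \[\s*(.*):\s*(\d+)\]$")
WORKDIR = re.compile(r"\\([^\\]+\.VIR)\\", re.I)
BRACKETED = re.compile(r"^\[\s*([^\]]+?)\s*\]")


def unwrap(text):
    """Rejoin records that were wrapped: a line without a leading
    timestamp is treated as the continuation of the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1].rstrip() + " " + line
    return records


def normalize(report):
    """Reduce a scanner report string to (virus name, work directory).
    Handles the '[ NAME](1) in path' form and the 'the NAME' form."""
    report = report.strip()
    found_dir = WORKDIR.search(report)
    workdir = found_dir.group(1) if found_dir else None
    bracketed = BRACKETED.match(report)
    if bracketed:
        return bracketed.group(1), workdir
    return re.sub(r"^the\s+", "", report, flags=re.I), workdir


def find_mismatches(log_text):
    """Return one finding per message whose final INFECTED line names a
    virus, or cites a work directory, that no scanner line reported."""
    reported = {}   # message id -> [(scanner number, name, workdir)]
    findings = []
    for record in unwrap(log_text):
        rec = RECORD.match(record)
        if not rec:
            continue
        msg_id, body = rec.group(1), rec.group(2)
        scan = SCANNER.match(body)
        if scan:
            name, workdir = normalize(scan.group(2))
            reported.setdefault(msg_id, []).append(
                (int(scan.group(1)), name, workdir))
            continue
        final = FINAL.match(body)
        if not final:
            continue
        final_name, final_dir = normalize(final.group(1))
        seen = reported.get(msg_id, [])
        reasons = []
        if final_name.lower() not in {n.lower() for _, n, _ in seen}:
            reasons.append("name")
        dirs = {d.lower() for _, _, d in seen if d}
        if final_dir and dirs and final_dir.lower() not in dirs:
            reasons.append("workdir")
        if reasons:
            findings.append({
                "msg_id": msg_id,
                "final": final_name,
                "scanners": [n for _, n, _ in seen],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_LOG):
        print(finding)
```

On the excerpts quoted above, the same comparison would flag the final TROJ_GOLDUN.G lines, which cite work directory D644C0~1.VIR while scanner 2 reported from D662B0~1.VIR and D66430~1.VIR.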





Re: [Declude.Virus] Update on Upgrade

2005-11-05 Thread Bill Landry

What specific 3.x version did you upgrade to?  The latest is 3.0.5.18.

Bill
- Original Message - 
From: "David Dodell" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, November 05, 2005 11:04 AM
Subject: [Declude.Virus] Update on Upgrade



It appears it is generating out the messages, but the messages are
being held as GSE and GSC files, and then taking a long time to
process, where it used to be instant before ???

David

-
Internet Dental Forum  www.internetdentalforum.org
Dentalcast Podcast www.dentalcast.net



Re: Re[2]: [Declude.Virus] Update on Upgrade

2005-11-05 Thread Bill Landry

Strange, what do the IMail logs say about these particular messages?

Bill
- Original Message - 
From: "David Dodell" <[EMAIL PROTECTED]>

To: "Bill Landry" 
Sent: Saturday, November 05, 2005 11:36 AM
Subject: Re[2]: [Declude.Virus] Update on Upgrade



What specific 3.x version did you upgrade to?  The latest is 3.0.5.18.


Yes, I am at 3.0.5.18 just downloaded this morning from the website.



Bill
- Original Message - 
From: "David Dodell" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, November 05, 2005 11:04 AM
Subject: [Declude.Virus] Update on Upgrade




It appears it is generating out the messages, but the messages are
being held as GSE and GSC files, and then taking a long time to
process, where it used to be instant before ???





Re: Re[4]: [Declude.Virus] Update on Upgrade

2005-11-05 Thread Bill Landry
Those are just the receipt log entries, where are the delivery log entries? 
Search the log file for 25FB0282.


Bill
- Original Message - 
From: "David Dodell" <[EMAIL PROTECTED]>

To: "Bill Landry" 
Sent: Saturday, November 05, 2005 12:18 PM
Subject: Re[4]: [Declude.Virus] Update on Upgrade



Saturday, November 5, 2005, 12:50:59 PM, Bill Landry wrote:


Strange, what do the IMail logs say about these particular messages?



Yep, it is strange .. it is taking about 20 to 30 minutes from once
the message is scanned till the Email message is being generated.

The log looks normal, but don't know why they are being generated out
by the postmaster account as GSC files?

20051105 110625 127.0.0.1 SMTPD (25FB0282)[63.246.13.85] MAIL FROM: <[EMAIL PROTECTED]>
20051105 110625 127.0.0.1 SMTPD (25FB0282)[63.246.13.85] RCPT TO: <[EMAIL PROTECTED]>
20051105 110625 127.0.0.1 SMTPD (25FB0282)[63.246.13.85] c:\IMail\spool\Df4a125fb0282f87e.SMD 1593




Re: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread Bill Landry
My virus caught messages are being delivered right away with version 
3.0.5.18.


Bill
- Original Message - 
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, November 05, 2005 1:13 PM
Subject: Re: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today


I caught that in the later thread.  On my system I see the same behavior 
where the gsc/gse will get processed by the next queue run as well.  I do 
seem to remember in older versions that they were tried to be delivered 
right away.


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.



- Original Message - 
From: "David Dodell" <[EMAIL PROTECTED]>

To: "Darrell ([EMAIL PROTECTED])" 
Sent: Saturday, November 05, 2005 3:59 PM
Subject: Re[2]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today


Saturday, November 5, 2005, 1:43:11 PM, Darrell 
([EMAIL PROTECTED]) wrote:


When you say messages are getting stuck in the spool do you mean after
they are processed by Declude?  When you upgraded to Declude 3.x did you
replace the declude.exe file?


As I mentioned in another post, it appears that the Postmaster
generated messages are sitting in the \imail\spool directory, but with
a GSE or GSC extension instead of SMD ... and are eventually processed
within 20 or 30 minutes, I'm assuming being caught by the queue being
reprocessed in that time period??



Re: Re[4]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today

2005-11-05 Thread Bill Landry
I am running IMail 8.21/Declude 3.0.5.18.  My queue retry timer is set to 30 
minutes.  And both postmaster and recipient virus notifications are being 
delivered immediately.


Bill
- Original Message - 
From: "David Dodell" <[EMAIL PROTECTED]>

To: "Bill Landry" 
Sent: Saturday, November 05, 2005 2:38 PM
Subject: Re[4]: [Declude.Virus] Help! Upgraded from 1.82 to 3. today



My virus caught messages are being delivered right away with version
3.0.5.18.


Bill, are you using Imail?   If so, how fast is your queue being
retried since it appears to be tied to that 



Re: [Declude.Virus] New Sober to be released Nov-15-2005 ?

2005-11-14 Thread Bill Landry
Seeing them here, as well.  So far, the virus is only being detected by NAI 
(New Malware.n) and ClamAV (Worm.Mytob.T-2).  However, TrendMicro, AVG, 
BitDefender, Sophos, and F-Prot are not yet detecting this new virus.


Bill
- Original Message - 
From: "John T (Lists)" <[EMAIL PROTECTED]>

To: 
Sent: Monday, November 14, 2005 4:57 PM
Subject: RE: [Declude.Virus] New Sober to be released Nov-15-2005 ?



Well, I am not sure about tomorrow, but in the last hour I have started to
see some messages being caught with banned ZIP-EXE with a subject line of
Thanks for your registration and a file name of reg_text.zip and a D file
size of 184 Kb that I have not seen before.

John T
eServices For You


-Original Message-
From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]

On Behalf Of Colbeck, Andrew
Sent: Monday, November 14, 2005 3:36 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Sober to be released Nov-15-2005 ?

Hmmm, now that's interesting.

http://www.f-secure.com/weblog/#0705


Andrew.







Re: [Declude.Virus] Declude virus notification

2005-11-22 Thread Bill Landry
We had the same problem, at least with v3.0.5.20, which was not sending 
notification for all viruses caught.  We are running a patched version of 
v3.0.5.20 now (v3.0.5.20.DF3) and that has resolved the issue.  Don't know 
when Declude plans to make its next release, but you might request the 
pre-release if you need to have the notifications.


Bill
- Original Message - 
From: "Gary Steiner" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, November 22, 2005 2:14 PM
Subject: [Declude.Virus] Declude virus notification


I've been running with 3.x for over a month, but I just now realized that 
since I upgraded I am no longer receiving the "Declude Virus caught a virus" 
messages.  Declude is catching viruses, I'm just not receiving email 
notification.  I don't believe I changed anything in the virus.cfg file that 
would account for this.  What other possible causes could there be?


Gary


---
[This E-mail scanned for viruses by Declude Virus]




Re: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-15 Thread Bill Landry

Hmmm, maybe try switching that from "totalvirus" to "virustotal".

Bill
- Original Message - 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, December 15, 2005 7:53 AM
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a 
virus?



I tried www.totalvirus.com and it is an ad site.

Thank you

Goran Jovanovic
Omega Network Solutions




-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-
[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, December 15, 2005 10:45 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Where to send exe's to check if they are a virus?

www.virustotal.com (see my previous posting for results)

At the moment I consider blocking at least temporarily exe in zips and
update the virus definitions

Markus



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic

> Sent: Thursday, December 15, 2005 4:26 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Where to send exe's to check if they
> are a virus?
>
> Hi,
>
> I am getting a bunch of exe in zip files being banned right
> now. I have grabbed one of them it is called marie.zip and
> has a single exe in it called s3700020.exe and when you put
> it on your desktop it has the standard jpeg icon associated with it.
>
> My F-Prot, McAfee and Symantec scanners are not finding a
> virus. Where is the place that you can send it to and have it
> checked out by a ton of virus scanners?
>
> Thanx
>
> Goran Jovanovic
> Omega Network Solutions
> ---
> [This E-mail was scanned for viruses by Declude EVA www.declude.com]



Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Bill Landry



I reported this issue quite some time ago, when 
Scott was still running the show, and never got a satisfactory answer.  You 
can scan the raw d*.smd file with f-prot and it will detect the virus, but run 
it through Declude Virus, and the virus goes through undetected.  After 
pestering and prodding for several days, I finally gave up on getting a response 
that made sense.  But it must have something to do with the way Declude 
Virus is stripping off the mime encapsulation before calling f-prot to scan the 
message.
 
I have copied this to the Declude Virus list, as 
well, since it really belongs there rather than on the IMail list.
 
Bill

  - Original Message - 
  From: Michael Graveen
  To: Imail_Forum@list.ipswitch.com
  Sent: Thursday, February 02, 2006 1:15 PM
  Subject: RE: [IMail Forum] Realistic virus threat?

  I've had F-Prot miss this virus on the mail server (being 
  called from Declude).  But it's caught coming to my desktop, with the 
  same virus scanner.  Is anyone else seeing this?

  Mike

  At 02:25 PM 2/2/2006, you wrote:
  I believe F-Prot calls it W32/[EMAIL PROTECTED]

  From: Stephen Guluk [mailto:[EMAIL PROTECTED]] 
  Sent: Thursday, February 02, 2006 2:19 PM
  To: Imail_Forum@list.ipswitch.com
  Subject: [IMail Forum] Realistic virus threat?

  Off topic but still related to email... 
  Had a couple clients that called concerned about this virus that is 
  said to open and do its damage tomorrow:
  [EMAIL PROTECTED]
  Win32.Nyxem.e
  I run F-prot on my mail server and their list of virus definitions 
  shows nothing pertaining to this virus name. I wrote them but expect that 
  they are sleeping since they are in Iceland.
  Anyone else running F-prot and know any more info on it this is a real 
  threat?
  Regards, 
  Steve Guluk
  SGDesign
  (949) 661-9333
  ICQ: 
  7230769


Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Bill Landry



Andrew, I already have PRESCAN set to off and use 
the /server switch with F-Prot, so those were not the issue that was causing 
this behavior for me.  From my virus.cfg:
 
# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
VIRUSCODE1 9
VIRUSCODE1 10
REPORT1  Infection:
PRESCAN  OFF
 
Bill

  - Original Message - 
  From: Colbeck, Andrew
  To: Declude.Virus@declude.com
  Cc: [EMAIL PROTECTED]
  Sent: Thursday, February 02, 2006 2:09 PM
  Subject: RE: [Declude.Virus] [IMail Forum] Realistic virus threat?
  
  My raw speculation:
   
  1) It is missed because the virus.cfg is using the 
  "PRESCAN  ON" switch (the default, I believe) and the declude.exe 
  application does not decode the MIME or other coding as flexibly as a mail 
  client would, or makes an uninformed decision about what is an object worth 
  scanning.
   
  ANSWER: use PRESCAN OFF instead.  This will 
  incur more CPU time as the selected antivirus scanner(s) will be scanning all 
  objects.
   
  2) For F-Prot specifically, the /server switch is not 
  being used and therefore F-Prot is not doing the message format 
  decoding.  If Declude did a perfect job, this setting would be 
  irrelevant.
   
  ANSWER: use the /server switch in your SCANFILE 
  definition.  This would cause more CPU time on the few messages that 
  appear as nested message encoding; it is intended for scanning servers with 
  multiple mailbox formats and nested messages.
   
   
  I follow my own advice on these two points and do not 
  have a problem with F-Prot under Declude EVA missing known 
  viruses.
   
   
  Andrew 8)
   
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, February 02, 2006 1:47 PM
To: Imail_Forum@list.ipswitch.com; Declude.Virus@declude.com
Subject: Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

I reported this issue quite some time ago, when 
Scott was still running the show, and never got a satisfactory answer.  
You can scan the raw d*.smd file with f-prot and it will detect the virus, 
but run it through Declude Virus, and the virus goes through 
undetected.  After pestering and prodding for several days, I finally 
gave up on getting a response that made sense.  But it must have 
something to do with the way Declude Virus is stripping off the mime 
encapsulation before calling f-prot to scan the message.
 
I have copied this to the Declude Virus list, 
as well, since it really belongs there rather than on the IMail 
list.
 
Bill

  - Original Message - 
  From: Michael Graveen
  To: Imail_Forum@list.ipswitch.com
  Sent: Thursday, February 02, 2006 1:15 PM
  Subject: RE: [IMail Forum] Realistic virus threat?

  I've had F-Prot miss this virus on the mail server (being 
  called from Declude).  But it's caught coming to my desktop, with the 
  same virus scanner.  Is anyone else seeing this?

  Mike

  At 02:25 PM 2/2/2006, you wrote:
  I believe F-Prot calls it W32/[EMAIL PROTECTED]

  From: Stephen Guluk [mailto:[EMAIL PROTECTED]] 
  Sent: Thursday, February 02, 2006 2:19 PM
  To: Imail_Forum@list.ipswitch.com
  Subject: [IMail Forum] Realistic virus threat?

  Off topic but still related to email... 
  Had a couple clients that called concerned about this virus that 
  is said to open and do its damage tomorrow:
  [EMAIL PROTECTED]
  Win32.Nyxem.e
  I run F-prot on my mail server and their list of virus definitions 
  shows nothing pertaining to this virus name. I wrote them but expect 
  that they are sleeping since they are in Iceland.
  Anyone else running F-prot and know any more info on it this is a 
  real threat?
  Regards, 
  Steve Guluk
  SGDesign
  (949) 661-9333
  ICQ: 
  7230769


Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Bill Landry



Scan timeouts were not the issue either, since my 
secondary Declude Virus scanner (TrendMicro) would catch the virus fine, and the 
logs would show the scanning to be taking a mere second or two.
 
Bill

  - Original Message - 
  From: Colbeck, Andrew
  To: Declude.Virus@declude.com
  Sent: Thursday, February 02, 2006 2:34 PM
  Subject: RE: [Declude.Virus] [IMail Forum] Realistic virus threat?
  
  3) On a very busy server, Declude may be aborting 
  the scan because it is taking too long.  The default is 60 
  seconds.
   
  ANSWER: Use SCANNERTIMEOUT 90 in the virus.cfg or 
  some other time value of your choosing.
   
  Andrew 8)
   
   
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, February 02, 2006 2:10 PM
To: Declude.Virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] [IMail Forum] Realistic virus threat?

My raw speculation:
 
1) It is missed because the virus.cfg is using the 
"PRESCAN  ON" switch (the default, I believe) and the declude.exe 
application does not decode the MIME or other coding as flexibly as a mail 
client would, or makes an uninformed decision about what is an object worth 
scanning.
 
ANSWER: use PRESCAN OFF instead.  This will 
incur more CPU time as the selected antivirus scanner(s) will be scanning 
all objects.
 
2) For F-Prot specifically, the /server switch is 
not being used and therefore F-Prot is not doing the message format 
decoding.  If Declude did a perfect job, this setting would be 
irrelevant.
 
ANSWER: use the /server switch in your SCANFILE 
definition.  This would cause more CPU time on the few messages that 
appear as nested message encoding; it is intended for scanning servers with 
multiple mailbox formats and nested messages.
 
 
I follow my own advice on these two points and do 
not have a problem with F-Prot under Declude EVA missing known 
viruses.
 
 
Andrew 8)
 
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
  Sent: Thursday, February 02, 2006 1:47 PM
  To: Imail_Forum@list.ipswitch.com; Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

  I reported this issue quite some time ago, 
  when Scott was still running the show, and never got a satisfactory 
  answer.  You can scan the raw d*.smd file with f-prot and it will 
  detect the virus, but run it through Declude Virus, and the virus goes 
  through undetected.  After pestering and prodding for several days, I 
  finally gave up on getting a response that made sense.  But it must 
  have something to do with the way Declude Virus is stripping off the mime 
  encapsulation before calling f-prot to scan the message.
   
  I have copied this to the Declude Virus list, 
  as well, since it really belongs there rather than on the IMail 
  list.
   
  Bill
  
- Original Message - 
From: Michael Graveen
To: Imail_Forum@list.ipswitch.com
Sent: Thursday, February 02, 2006 1:15 PM
Subject: RE: [IMail Forum] Realistic virus threat?

I've had F-Prot miss this virus on the mail server (being 
called from Declude).  But it's caught coming to my desktop, with 
the same virus scanner.  Is anyone else seeing this?

Mike

At 02:25 PM 2/2/2006, you wrote:
I believe F-Prot calls it W32/[EMAIL PROTECTED]

From: Stephen Guluk [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 02, 2006 2:19 PM
To: Imail_Forum@list.ipswitch.com
Subject: [IMail Forum] Realistic virus threat?

Off topic but still related to email... 
Had a couple clients that called concerned about this virus that 
is said to open and do its damage tomorrow:
[EMAIL PROTECTED]
Win32.Nyxem.e
I run F-prot on my mail server and their list of virus 
definitions shows nothing pertaining to this virus name. I wrote 
them but expect that they are sleeping since they are in 
Iceland.
Anyone else running F-prot and know any more info on it this is 
a real threat?
Regards, 
Steve Guluk
SGDesign
(949) 661-9333
ICQ: 
7230769


Re: [Declude.Virus] Running declude 4.x

2006-02-20 Thread Bill Landry



There was definitely a change between Declude Version 
3.0.5.23 and Version 3.0.5.26 in its handling of header processing.  We had 
to roll back to .23 because .26 was causing strange behavior with certain mime 
encapsulated messages.  I sent evidence to David Franco-Rocha off-line on 
2/10, but have yet to hear anything back.
 
Bill

  - Original Message - 
  From: Kevin Bilbee
  To: Declude.Virus@declude.com
  Sent: Sunday, February 19, 2006 1:10 PM
  Subject: RE: [Declude.Virus] Running declude 4.x

  I guess Declude needs to stand up and answer this thread. It is their
  software. I can repeat the issue by sending a message from our Copier.
  With the 3.x version we were running it worked fine as soon as I upgraded
  to 4.0.8 I had complaints from my users.

  On the copier emails it happens when there is no text after the SUBJECT:
  header. If we include a subject then declude handles the message
  properly.
   
   
   
  Kevin Bilbee
   
   
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Sunday, February 19, 2006 9:27 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Running declude 4.x

This is also affecting Nick Hayer's posts, and seemed to start when
Declude started using 4.0.8 for this list.  Based on the headers that are
being shown in the body, it appears that this is Declude 4.0.8 that is
pushing some of the existing headers into the body.

For those with headers in the body using prior versions of Declude, this
may be due to the header formatting of the sending software and not
necessarily Declude.  That is a known issue, and it really has to do with
Declude needing to do some error correction if I understand the conditions
properly.

These two things appear to be from different causes.

Matt

Kaj Søndergaard Laursen wrote: 
 

  
  -Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: 19. februar 2006 08:33
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Running declude 4.x

I am wondering if the headers showing in the body of this 
message was intentional. If not then there is a bug in 
declude 4.x.

I'm also seeing this with Declude 3.0.5.26. Some mails, like the "Oxygen" mail-list from Panda consistently shows up with some headers shown in the mail. I'm using Outlook 2003.

Regards,

Kaj


  


Re: [Declude.Virus] url file extensions

2006-04-11 Thread Bill Landry

ClamAV can be configured to scan URLs, if so desired.

Bill
- Original Message - 
From: "John T (Lists)" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, April 11, 2006 12:40 PM
Subject: RE: [Declude.Virus] url file extensions



You nor I nor Declude nor any one knows where that leads to. You cannot
scan the destination for a url. 


John T
eServices For You

"Seek, and ye shall find!"


-Original Message-
From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]

On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I been asked to remove the block I have on these - and since I have
forgotten why I am blocking them Is there a valid reason to block
these?

Thanks in advance

-Nick


Re: [Declude.Virus] url file extensions

2006-04-11 Thread Bill Landry
Nick, it's advised not to use it because it takes additional time to process 
e-mails with embedded or attached URLs, since it has to simulate a user and 
access the URL in order to scan it.  If you already have a heavily utilized 
system, then you would be wise not to enable this feature.  However, if you 
have available resources, you should be fine.


Also, at least on Linux, you need to have curl installed and compile with 
libcurl support:


Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --with-libcurl          support URLs downloading with libcurl (default=no)

However, I don't know if this is the case with the Windows version of 
ClamAV, since I have never actually run it on Windows.


We have been running with this feature enabled on our two Linux gateways for 
about a year now and thus far have had no problems with it.


Bill
- Original Message - 
From: "Nick Hayer" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, April 11, 2006 1:30 PM
Subject: Re: [Declude.Virus] url file extensions



Bill,

Will you kindly elaborate?  :)
I see in clamd.conf the "MailFollowURLs" but the advice is not to use it -
-Nick


Bill Landry wrote:


ClamAV can be configured to scan URLs, if so desired.

Bill
- Original Message - From: "John T (Lists)" 
<[EMAIL PROTECTED]>

To: 
Sent: Tuesday, April 11, 2006 12:40 PM
Subject: RE: [Declude.Virus] url file extensions


You nor I nor Declude nor anyone knows where that leads to. You cannot
scan the destination for a url.
John T
eServices For You

"Seek, and ye shall find!"


-Original Message-
From: [EMAIL PROTECTED]


[mailto:[EMAIL PROTECTED]


On Behalf Of Nick Hayer
Sent: Tuesday, April 11, 2006 12:10 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] url file extensions

I have been asked to remove the block I have on these - and since I have
forgotten why I am blocking them, is there a valid reason to block
these?

Thanks in advance

-Nick


Re: [Declude.Virus] ClamAV error

2006-07-14 Thread Bill Landry
Only if he is running an older version of Declude, which does not include 
the built-in AVG scanner, which runs as scanner 0.


Bill
- Original Message - 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>

To: 
Sent: Friday, July 14, 2006 12:13 PM
Subject: RE: [Declude.Virus] ClamAV error


Gary,

You said CLAM was your third AV yet your config shows it is your second
one

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1
C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0
--max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Change the SCANFILE2, VIRUSCODE2, REPORT2 to 3. That might help

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Friday, July 14, 2006 1:16 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV error


I recently installed ClamAv as my third scanner after AVG and F-Prot.
For some reason it indicates an error related to the attachment when it
detects a virus (Attachment=[Unknown: Err]).  Here is an example from
the Declude virus log file:

07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64;
Length=17424 Checksum=1974090]
07/13/2006 19:32:18.843 366626185 Banning file with pif extension
[application/octet-stream].
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D:
7]
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED]
Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Warning: file#=366626185
(366626185.eml,366626)
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D
Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2
17604]
07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [incoming from 72.82.177.22]
07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter

It doesn't seem to matter what kind of virus is involved.  Even when it
detects a phishing attempt you still see the same error.

Here is what I have in the virus.cfg:

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1
C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0
--max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Is anyone else experiencing this, or have any ideas?

Thanks,

Gary
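
Added example, not part of the thread and not Declude's own tooling: a small Python parser for the log format quoted in the message above. It rejoins mail-wrapped log lines, groups results by message id and scanner number (treating the built-in AVG as scanner 0, as noted in the reply), and lists detections logged with Attachment=[Unknown: Err] next to the matching SCANFILEn/VIRUSCODEn entry. The sample log, the sample virus.cfg text and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread, including the
# hard line wraps a mail client adds when a log is pasted into a message.
# Timestamps without milliseconds are accepted too (last two entries).
SAMPLE_LOG = """\
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64;
Length=17424 Checksum=1974090]
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/Example.D
Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D
Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2
17604]
07/13/2006 19:40:02 366626190 Found a bogus .ZIP file
07/13/2006 19:40:02 366626190 Scanned: Virus Free [MIME: 2 11580]
"""

# Constructed virus.cfg fragment using the directives shown in the thread.
SAMPLE_CFG = (
    "SCANFILE2 C:\\SmarterMail\\Declude\\Scanners\\runclamscan.exe log=1\n"
    "VIRUSCODE2 1\n"
    "REPORT2 FOUND\n"
)

ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?) (\S+) (.*)$")
EXIT_CODE = re.compile(r"^Virus scanner (\d+) reports exit code of (-?\d+)$")
DETECTION = re.compile(
    r"^Scanner (\d+): Virus=\s*(.*?)\s+Attachment=(.*?)\s+\[\d+\]\s+\w$")
BUILTIN_AVG = re.compile(r"^AVG Reports VIRUS: (.+)$")
VERDICT = re.compile(r"^Scanned: (CONTAINS A VIRUS|Virus Free)\b")
CFG_LINE = re.compile(r"^(SCANFILE|VIRUSCODE|REPORT)(\d+)\s+(.*)$")


def unwrap(text):
    """Rejoin wrapped lines: text without a leading timestamp continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries:
            entries[-1][2] += " " + line
    return entries


def parse_cfg(text):
    """Map scanner number -> its SCANFILE, REPORT and set of VIRUSCODE values."""
    scanners = defaultdict(lambda: {"SCANFILE": None, "VIRUSCODE": set(), "REPORT": None})
    for line in text.splitlines():
        m = CFG_LINE.match(line.strip())
        if not m:
            continue
        key, num, value = m.group(1), int(m.group(2)), m.group(3).strip()
        if key == "VIRUSCODE":
            # Kept as a set so a repeated directive does not overwrite an earlier one.
            scanners[num]["VIRUSCODE"].add(int(value))
        else:
            scanners[num][key] = value
    return scanners


def summarize(log_text):
    """Group log entries by message id and collect per-scanner results."""
    messages = defaultdict(lambda: {"scanners": defaultdict(dict), "verdict": None})
    for _ts, msg_id, text in unwrap(log_text):
        msg = messages[msg_id]
        if m := EXIT_CODE.match(text):
            msg["scanners"][int(m.group(1))]["exit_code"] = int(m.group(2))
        elif m := DETECTION.match(text):
            msg["scanners"][int(m.group(1))].update(virus=m.group(2), attachment=m.group(3))
        elif m := BUILTIN_AVG.match(text):
            # The reply in the thread says the built-in AVG runs as scanner 0.
            msg["scanners"][0]["virus"] = m.group(1)
        elif m := VERDICT.match(text):
            msg["verdict"] = m.group(1)
    return messages


def unresolved_attachments(log_text, cfg_text=""):
    """List detections where a virus was named but the attachment shows 'Unknown: Err'."""
    cfg = parse_cfg(cfg_text)
    findings = []
    for msg_id, msg in summarize(log_text).items():
        for num, res in sorted(msg["scanners"].items()):
            if "virus" in res and "Unknown: Err" in res.get("attachment", ""):
                findings.append({
                    "message": msg_id, "scanner": num, "virus": res["virus"],
                    "exit_code": res.get("exit_code"),
                    # True means the scanner itself signalled a virus as configured,
                    # so only the attachment attribution failed.
                    "exit_code_is_viruscode": res.get("exit_code") in cfg[num]["VIRUSCODE"],
                    "scanfile": cfg[num]["SCANFILE"],
                })
    return findings


if __name__ == "__main__":
    for finding in unresolved_attachments(SAMPLE_LOG, SAMPLE_CFG):
        print(finding)
```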








RE: [Declude.Virus] DSN:Signatures

2001-12-07 Thread Bill Landry

Hmmm, this from someone that sent his signature to the list...

-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 07, 2001 6:37 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.Virus] DSN:Signatures
Importance: High


To Andy and all others, please stop using signatures when sending to a
list.

As the list service adds to the body and changes the to and from, your
signature becomes invalid and causes delays.

John Tolmachoff, Network Engineer

211 E. Imperial Hwy., Suite 106
Fullerton, CA  92835
714-578-7999, ext. 104
[EMAIL PROTECTED]
[EMAIL PROTECTED]
www.reliancesoft.com
 



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .




RE: [Declude.Virus] Mail relaying

2002-04-04 Thread Bill Landry

Wouldn't that skew some of the spam tests, since there would be one extra
hop when the secondary receives the mail and forwards it on to the primary?

Bill

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 04, 2002 8:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Mail relaying



>No, what I want is that if the primary mailserver is busy it will deliver
>on the secondary

Ah, I see.  That sounds like a standard backup mailserver, where your MX 
records will point to both the primary mailserver and the secondary 
mailserver, but with different preferences, so that mail should only get 
delivered to the secondary if the primary is not reachable.

In that case, you can just have Declude running on the primary 
mailserver.  Mail that gets to the secondary mailserver will get scanned on 
the primary mailserver, when it arrives there.
-Scott




RE: [Declude.Virus] First post

2002-05-12 Thread Bill Landry



If your mail can get to your IMail server now, nothing will change by adding
Declude JunkMail.

Bill

-Original Message-
From: Serge [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 12, 2002 6:59 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] First post

Hi Scott,

considering adding junkmail to virus
my first question is DNS queries
I have 2 satellite connections, sometimes one can be down
so any dns query (or ip/tc/udp connection) needs to try both routes
this is achieved by changing source ip address
is that possible with junkmail?


RE: [Declude.Virus] OT McAfee RealTime AV scanner

2002-05-19 Thread Bill Landry

Disable it where?  Did you set the McAfee (or Network Associates) services
to manual in Control Panel\Services?

Bill

-Original Message-
From: Craig Gittens [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 19, 2002 2:37 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] OT McAfee RealTime AV scanner


My McAfee scanner starts up whenever the server is rebooted and it causes
various services to crash if it keeps running. I have disabled it and it
still starts. I have to remember to stop it when I reboot the machine. I was
wondering if anyone knows of a way to disable it once and for all? I have
exempted c:\imail and the user directories from being scanned.

Craig.




[Declude.Virus] Which F-Prot scanner to call?

2002-05-29 Thread Bill Landry

I followed a thread on the IMail list today where a Declude AV user upgraded
to F-Prot 3.12a and apparently the F-Prot.exe file disappeared.  So he
updated his virus.config file to use the FPcmd.exe file instead, and he says
it's working fine.

I was wondering if anyone knows what the difference is between the two files
and which one would be the preferred one to use with Declude?

Bill



RE: [Declude.Virus] Which F-Prot scanner to call?

2002-05-29 Thread Bill Landry

Well, I guess that answers my question.  Thanks Sheldon!

Bill

-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 5:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Which F-Prot scanner to call?


> I followed a thread on the IMail list today where a Declude AV user upgraded
> to F-Prot 3.12a and apparently the F-Prot.exe file disappeared.  So he
> updated his virus.config file to use the FPcmd.exe file instead, and he says
> it's working fine.

I tried that and it does NOT work fine. The test file from declude will pass
right through! At least that was what I found here.

Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access with neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain



---
[This e-mail was scanned for viruses by Pointshare's Virus Scanning Service]



RE: [Declude.Virus] Which F-Prot scanner to call?

2002-05-29 Thread Bill Landry

Hmmm, so it does work then...?  Thanks, Jerry, I'll do some testing, as
well.  Scott, has Declude tested both and which one is "officially"
recommended?

Thanks,

Bill

-Original Message-
From: Jerry Murdock [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 5:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Which F-Prot scanner to call?


Fpcmd is a Win32 console application, command-line only.

F-prot is the DOS command line app, with a DOS user interface (if called with
no parameters).

My testing shows a very small (<10%) performance benefit when using fpcmd.

Either should be OK, but fpcmd is not "officially" supported, unless they've
changed policy recently.

I chose to stay with f-prot for now because of the ease of updating the .exe
using my existing scripts.

Jerry

----- Original Message -
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 29, 2002 8:02 PM
Subject: [Declude.Virus] Which F-Prot scanner to call?


> I followed a thread on the IMail list today where a Declude AV user upgraded
> to F-Prot 3.12a and apparently the F-Prot.exe file disappeared.  So he
> updated his virus.config file to use the FPcmd.exe file instead, and he says
> it's working fine.
>
> I was wondering if anyone knows what the difference is between the two files
> and which one would be the preferred one to use with Declude?
>
> Bill



RE: [Declude.Virus] McAfee update

2002-07-08 Thread Bill Landry

Thanks for the update, John!  That was my suspicion from reading their
license and speaking with our account rep, and why we opted not to use
McAfee on our IMail/Declude server.

Bill

-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 08, 2002 1:59 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] McAfee update


To those interested in the topic of virus scanner cost a few weeks ago,
here is an update on my conversations with McAfee.

Not Good.

If we got the rate of their best client, we would pay about $2,000 per
year.

And we are a small shop.

:(

John Tolmachoff 
IT Manager, Network Engineer
Fullerton, CA  92835
www.reliancesoft.com
 
 




RE: [Declude.Virus] Frethem Virus

2002-07-15 Thread Bill Landry

That's what I'm seeing, also.  However, Scott, I was wondering if they will
still show up as "[Outlook 'MIME Header' Vulnerability]" once the virus
vendor provides an update or will they then show up as being
"Win32/Frethem.L@mm" or some such virus name?

Bill

-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 15, 2002 10:48 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Frethem Virus


To those that may be interested, Declude is catching these as Outlook
'MIME Header' Vulnerability at least until the AV companies update their
definitions.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.Virus] KITHRUP:

2002-08-02 Thread Bill Landry

Welcome to the list Lewis.  Have you taken a look at the footer of these
messages?  It lists the archives at http://www.mail-archive.com.

Bill

-Original Message-
From: Lewis [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 02, 2002 6:22 PM
To: [EMAIL PROTECTED]
Subject: KITHRUP:



I am a new member.  Do you have an archive list to search old emails and
issues?
Thanks, Lewis




RE: [Declude.Virus] KITHRUP:

2002-08-02 Thread Bill Landry

I assume you are running F-Prot with Declude Antivirus and IMail?  If so,
take a look at the Declude Antivirus manual on the Declude download page.

Bill

-Original Message-
From: Lewis [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 02, 2002 8:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] KITHRUP:


We have just purchased the f-prot av and installed on W2k server.
However the system does not prompt for action when it finds viruses.

Please advise, Lewis

PS; Support at f-prot replies very very slow, so I had to ask here.




RE: [Declude.Virus] E-card email

2002-11-11 Thread Bill Landry
Why bother if you are adding a weight of "0"?

Bill

-Original Message-
From: Patrick Childers [mailto:pchilders@;hgbd.com]
Sent: Monday, November 11, 2002 9:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] E-card email


> I tried your "body" test and it did NOT catch that email!  May be it will
> catch the redistribution mails that are sent after a machine has
> caught the
> worm.
>
> Best Regards
> Andy Schmidt

I filtered on F r i e n d - g r e e t i n g s . c o m (without the spaces)
because of the copy of this e-mail that was posted to the Imail forum on
friday 11/08/02.
http://www.mail-archive.com/imail_forum@;list.ipswitch.com/msg60464.html

Since your post, I checked other examples of the message - those examples do
not have the hyphen in the domain name.

So, my frndgrt.txt looks like this now:
-
BODY 0  CONTAINS  F r i e n d - G r e e t i n g s . c o m  (without the spaces)
BODY 0  CONTAINS  F r i e n d G r e e t i n g s . c o m  (without the spaces)

Sorry about that!
Patrick

---
[This E-mail scanned for viruses by Declude/McAfee]




[Declude.Virus] bogus entries in virus log files

2002-11-19 Thread Bill Landry
Why does Declude Virus report that files are bogus in the virus log files?
For example:

11/19/2002 05:57:31 Q434ad6a500904e8f Found a bogus .jpg file
11/19/2002 05:57:31 Q434ad6a500904e8f Found a bogus .jpg file
11/19/2002 05:57:31 Q434ad6a500904e8f Found a bogus .jpg file
11/19/2002 05:57:31 Q434ad6a500904e8f Found a bogus .jpg file
11/19/2002 05:57:31 Q434ad6a500904e8f Scanned: Virus Free [Prescan OK][MIME:
9 90022]

&

11/19/2002 06:48:17 Q4f2e9f5000aec074 Found a bogus .ZIP file
11/19/2002 06:48:17 Q4f2e9f5000aec074 Scanned: Virus Free [MIME: 2 11580]

Especially when they are found to be virus free.

Bill Landry
Director, Network Operations
Pointshare Division
Now Part of Siemens Medical Solutions Health Services Corporation
DID 425-468-0301
Fax 425-635-0301
[EMAIL PROTECTED]
www.pointshare.com




Re: [Declude.Virus] A Couple of Declude Questions

2003-02-07 Thread Bill Landry
Dan, have you taken a look at the Declude web site yet (www.declude.com)?
See additional comments below:

- Original Message -
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, February 07, 2003 4:21 PM
Subject: [Declude.Virus] A Couple of Declude Questions


> Hello, All,
> I have a couple of questions about Declude; one regarding their Virus
> product and another regarding their Spam product.
>
> #1) Regarding Declude Virus
>  ...
> I am trying to figure out how IMail calls Declude to help it scan for
> viruses.  Is this some sort of setting in IMail?  Where is it located in the
> IMail administration screens?  Is there any documentation which comes with
> Declude Virus?

When you execute Declude for the first time it will install the necessary
registry keys to enable IMail to hand-off messages to Declude for
processing.

Declude Virus: www.declude.com/virus/manual.htm

> #2) Regarding Declude Spam
>
> How do I get a trial copy of Declude Spam to try out?  Is its installation
> affected by having Declude Virus already on the server?

Declude Virus and JunkMail will both run using the same instance of Declude,
you just need to have a license key for each application in order to enable
them (the key is placed into the appropriate configuration file).

Declude JunkMail: www.declude.com/junkmail/manual.htm

HTH,

Bill





Re: [Declude.Virus] high virus traffic today?

2003-06-06 Thread Bill Landry
Markus, are you sure that there is a "C" variant out now?  Both RAV and
F-Prot released updates to catch the new "B" variant:

==
VIRUS ALERT! Win32/[EMAIL PROTECTED]
June 5, 2003 - RAV AntiVirus Team is alerting all computer users that a
dangerous Internet worm, called Win32/[EMAIL PROTECTED], is reported to have a
high infection level in the last 24 hours. This worm is classified as
"Potentially destructive" by RAV Team.
==

Bill
- Original Message - 
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 05, 2003 6:00 AM
Subject: RE: [Declude.Virus] high virus traffic today?


>
> > Sophos and McAfee just minutes ago announced a new variant of
> > Bugbear,
> > which apparently started spreading yesterday.  They both have
> > reported that
> > it is spreading fast.
>
> It's 3:00 PM now here, and we are already on more than 300% of a
> "normal" day.
> Strange: The new version is Bugbear.C
> We catch here only Bugbear.B but have running definitely the latest
> definitions.
>
> Markus
>
>


Re: [Declude.Virus] Bugbear getting through

2003-06-10 Thread Bill Landry
Have you tried sending a copy of the viruses that are passing by F-Prot to
FSI for review?

Bill
- Original Message - 
From: "Robert Grosshandler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 10, 2003 8:56 PM
Subject: RE: [Declude.Virus] Bugbear getting through


> One more bit of info - using Virus Lite, which I just learned will not ban
> extensions.
>
> 
> Hi
>
> The bugbear virus is getting through f-prot / declude virus.  Not always,
> but more than once.  It's being caught by Norton AV on my desktop.  Here's
> the latest:
>
> F-prot is up to date.  I use fpcmd.
> Virus log shows it being scanned.
> The attachment had the name AAL benefit.doc.scr
> I have BANEXT scr in my virus.cfg
> I'm running declude 1.70i2
>
> What else can I provide?
>
> Rob
>


Re: [Declude.Virus] Finding SPAM Messages

2003-06-24 Thread Bill Landry
Depending on how your virus scanner is configured, some will simply reject
archives they cannot scan.  That's the default behavior for McAfee's
VirusShield for Exchange.

Bill
- Original Message - 
From: "Joshua Levitsky" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 24, 2003 9:28 AM
Subject: Re: [Declude.Virus] Finding SPAM Messages


>
> Just password protect the Zip. AntiVirus can't scan a password protected
> Zip.
>
> -Josh
>
> > From: "adrian.wells" <[EMAIL PROTECTED]>
> > Organization: Sidcot School
> > Reply-To: [EMAIL PROTECTED]
> > Date: Tue, 24 Jun 2003 12:45:11 +0100
> > To: <[EMAIL PROTECTED]>
> > Subject: Re: [Declude.Virus] Finding SPAM Messages
> >
> > Would nesting it several zips deep work?
> >
> > i.e. zip the file, then zip the zip, and then zip that zip etc.
> >
> > Kind regards
> > Adrian Wells
> >
> > - Original Message -
> > From: Serge <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, June 23, 2003 7:29 PM
> > Subject: Re: [Declude.Virus] Finding SPAM Messages
> >
> >
> >> ok, scott
> >> every time i try to send mbx (zipped, renamed, ), it is now getting
> >> caught
> >> how can i send it ?
> >> and how did it get into my mailbox in the first place ?
> >>
> >
> >
>



Re: [Declude.Virus] Spoolviewer

2003-06-28 Thread Bill Landry
Check netstat -n to see how many established SMTP connections you have to and
from your server.

Bill
- Original Message - 
From: "Avolve Support" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 28, 2003 6:41 PM
Subject: RE: [Declude.Virus] Spoolviewer


> 700 emails being received though ? Now that is a lot of email to be
> received, we don't have that many customers to warrant that. Imail v8.0 is
> not being kind to my server for some odd reason.
>
> -- Original Message --
> From: "John Tolmachoff \(Lists\)" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date:  Sat, 28 Jun 2003 18:27:35 -0700
>
> >> Does anyone know what the information means that this program outputs ? It says
> >> at this time I have over 700 emails being received and over 800 orphaned emails !
> >
> >Those are most likely D files without a related Q file. That can happen for
> >different reasons, such as loops where Imail will finally delete the Q file.
> >
> >John Tolmachoff MCSE CSSA
> >Engineer/Consultant
> >eServices For You
> >www.eservicesforyou.com
> >
> >
> >
> >
>
> --
> Avolve Support
> Get High Speed Internet - Go Wireless !
> http://www.avolvewireless.net
> --



Re: [Declude.Virus] Forging Viruses

2003-07-02 Thread Bill Landry
Hey Scott, I started to send out this advice, as well.  However, it appears
that there is a problem with all of the .eml links.  They are showing up
like:

mhtml:http://www.declude.com/Release/170/sender.eml

and even removing the "mhtml:" at the beginning of the URL does not fix it,
it just comes right back.

Bill
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 02, 2003 3:29 PM
Subject: Re: [Declude.Virus] Forging Viruses


>
> >Does anyone have a semi-current list of forging viruses? I'd appreciate if
> >someone could just paste me that block of their config - I haven't been
> >keeping up on the forging ones.
>
> You can find the latest ones that we know of by going to
> http://www.declude.com/virus/manual.htm and looking at the sender.eml or
> otherpostmaster.eml files.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you have been missing: Ask for a free 30-day evaluation.
>



Re: [Declude.Virus] Forging Viruses

2003-07-02 Thread Bill Landry
Well imagine that...  ;-)

I just figured that since it was a plain text file, that it would also
display in the browser.

Thanks,

Bill
- Original Message - 
From: "Jonathan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 02, 2003 7:00 PM
Subject: Re: [Declude.Virus] Forging Viruses


> right-click the link, save-as.. :)
>
> Jonathan
>
> At 05:14 PM 7/2/2003 -0700, you wrote:
> >Hey Scott, I started to send out this advice, as well.  However, it appears
> >that there is a problem with all of the .eml links.  They are showing up
> >like:
> >
> > mhtml:http://www.declude.com/Release/170/sender.eml
> >
> >and even removing the "mhtml:" at the beginning of the URL does not fix it,
> >it just comes right back.
> >
> >Bill
> >- Original Message -
> >From: "R. Scott Perry" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Wednesday, July 02, 2003 3:29 PM
> >Subject: Re: [Declude.Virus] Forging Viruses
> >
> >
> > >
> > > >Does anyone have a semi-current list of forging viruses? I'd appreciate if
> > > >someone could just paste me that block of their config - I haven't been
> > > >keeping up on the forging ones.
> > >
> > > You can find the latest ones that we know of by going to
> > > http://www.declude.com/virus/manual.htm and looking at the sender.eml or
> > > otherpostmaster.eml files.
> > >
> > > -Scott
> >
>



[Declude.Virus] "Could not find report file"

2003-07-16 Thread Bill Landry
I'm baffled as to why Declude Virus Pro is suddenly not able to find the
report file.  Nothing has changed from earlier this morning till now.  The
last F-Prot update was yesterday afternoon and Declude has not been updated
today.  Any ideas why Declude might be having this problem?

This one was detected by both scanners and Declude was able to find the
report file:
===
07/16/2003 04:13:29 Q3358a1be0040c3f6 Scanner 1: Virus= W32/[EMAIL PROTECTED]
Attachment=setup.exe [9] I
07/16/2003 04:13:30 Q3358a1be0040c3f6 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
virus !!! Attachment=setup.exe [9] I
07/16/2003 04:13:30 Q3358a1be0040c3f6 File(s) are INFECTED [ W32/[EMAIL PROTECTED]:
13]
07/16/2003 04:13:30 Q3358a1be0040c3f6 Scanned: CONTAINS A VIRUS [Prescan
OK][MIME: 4 115376]
07/16/2003 04:13:30 Q3358a1be0040c3f6 From: [Forged] To:
[EMAIL PROTECTED] [incoming from 204.189.38.4]
07/16/2003 04:13:30 Q3358a1be0040c3f6 Subject: W32.Klez.E removal tools

First failure:
===
07/16/2003 11:10:41 Q95219cd50150bc24 Outlook 'MIME Header' Vulnerability:
type=audio/x-midi, name=CLASS.exe.
07/16/2003 11:10:52 Q95219cd50150bc24 Could not find report file
M:\IMail\spool\D95219cd50150bc24.vir\report.txt.
07/16/2003 11:10:54 Q95219cd50150bc24 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
virus !!! Attachment=CLASS.exe [9] I
07/16/2003 11:10:54 Q95219cd50150bc24 File(s) are INFECTED [ the
W32/[EMAIL PROTECTED] virus !!!: 13]
07/16/2003 11:10:54 Q95219cd50150bc24 Scanned: CONTAINS A VIRUS [Prescan
OK][MIME: 4 98118]
07/16/2003 11:10:54 Q95219cd50150bc24 From: [Forged] To: [EMAIL PROTECTED]
[incoming from 204.189.38.3]
07/16/2003 11:10:54 Q95219cd50150bc24 Subject: HYDRANGEA DUET

Second failure:
===
07/16/2003 13:04:00 Qafa67c3b013a53eb Could not find report file
M:\IMail\spool\Dafa67c3b013a53eb.vir\report.txt.
07/16/2003 13:04:00 Qafa67c3b013a53eb Error 1 in virus scanner 0.
07/16/2003 13:04:01 Qafa67c3b013a53eb Scanner 2: Virus= the W32/[EMAIL PROTECTED]
virus !!! Attachment=VALIGN.scr [9] I
07/16/2003 13:04:01 Qafa67c3b013a53eb File(s) are INFECTED [ the
W32/[EMAIL PROTECTED] virus !!!: 13]
07/16/2003 13:04:01 Qafa67c3b013a53eb Scanned: CONTAINS A VIRUS [Prescan
OK][MIME: 4 104684]
07/16/2003 13:04:01 Qafa67c3b013a53eb From: [Forged] To:
[EMAIL PROTECTED] [incoming from 204.189.38.3]
07/16/2003 13:04:01 Qafa67c3b013a53eb Subject: Worm Klez.E immunity
===

Logging is currently set to MID.  I can set it to DEBUG if requested.

Thanks for any feedback!

Bill
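
As an added example (not part of the original post, and not Declude's own tooling), the Python below groups log lines like the ones above by queue ID and separates messages where a scanner left no report but another scanner still flagged the mail from messages where a scanner failed and nothing flagged them. The sample log is constructed from the excerpt above with wrapped lines joined; the virus name W32/Example.A, the last queue ID and the status names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the excerpt above with wrapped lines joined. The virus
# name and the last queue ID are placeholders, not values from a real log.
SAMPLE_LOG = r"""
07/16/2003 04:13:29 Q3358a1be0040c3f6 Scanner 1: Virus= W32/Example.A Attachment=setup.exe [9] I
07/16/2003 04:13:30 Q3358a1be0040c3f6 Scanner 2: Virus= the W32/Example.A virus !!! Attachment=setup.exe [9] I
07/16/2003 04:13:30 Q3358a1be0040c3f6 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 4 115376]
07/16/2003 11:10:52 Q95219cd50150bc24 Could not find report file M:\IMail\spool\D95219cd50150bc24.vir\report.txt.
07/16/2003 11:10:54 Q95219cd50150bc24 Scanner 2: Virus= the W32/Example.A virus !!! Attachment=CLASS.exe [9] I
07/16/2003 11:10:54 Q95219cd50150bc24 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 4 98118]
07/16/2003 13:04:00 Qafa67c3b013a53eb Could not find report file M:\IMail\spool\Dafa67c3b013a53eb.vir\report.txt.
07/16/2003 13:04:00 Qafa67c3b013a53eb Error 1 in virus scanner 0.
07/16/2003 13:04:01 Qafa67c3b013a53eb Scanner 2: Virus= the W32/Example.A virus !!! Attachment=VALIGN.scr [9] I
07/16/2003 13:04:01 Qafa67c3b013a53eb Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 4 104684]
07/16/2003 13:10:12 Q0000000000000001 Could not find report file M:\IMail\spool\D0000000000000001.vir\report.txt.
"""

# Timestamp (optionally with milliseconds), queue ID, then the event text.
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)(?:\.\d+)? (\S+) (.*)$")
DETECT_RE = re.compile(r"^Scanner (\d+): Virus= ?(.*?) Attachment=")
MISSING_RE = re.compile(r"^Could not find report file (.+?)\.?$")
ERROR_RE = re.compile(r"^Error (\d+) in virus scanner (\d+)")


def parse(log_text):
    """Group scanner-related events by queue ID, in log order."""
    msgs = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or wrapped continuation
        when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        rec = msgs.setdefault(
            m.group(2), {"detections": {}, "missing": [], "errors": []})
        text = m.group(3)
        hit = DETECT_RE.match(text)
        if hit:
            rec["detections"][int(hit.group(1))] = hit.group(2).strip()
            continue
        gone = MISSING_RE.match(text)
        if gone:
            rec["missing"].append((when, gone.group(1)))
            continue
        err = ERROR_RE.match(text)
        if err:
            rec["errors"].append((int(err.group(1)), int(err.group(2))))
    return msgs


def triage(msgs):
    """Classify each message by how much scanner coverage it actually had."""
    out = {}
    for qid, rec in msgs.items():
        if not rec["missing"] and not rec["errors"]:
            out[qid] = "ok"
        elif rec["detections"]:
            out[qid] = "degraded"  # a scanner failed, another still caught it
        else:
            out[qid] = "review"    # a scanner failed and nothing flagged the mail
    return out


def first_failure(msgs):
    """Earliest missing-report time, to line up against definition updates."""
    times = [when for rec in msgs.values() for when, _ in rec["missing"]]
    return min(times) if times else None


if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    for qid, status in triage(records).items():
        print(qid, status, sorted(records[qid]["detections"]))
    print("first missing report:", first_failure(records))
```

With a single scanner configured there is no "degraded" state: every missing report lands in "review", which is the case worth alerting on.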



Re: [Declude.Virus] "Could not find report file"

2003-07-16 Thread Bill Landry
Diagnostics ON (Declude v1.70i20).

Declude JunkMail:  Config file found (M:\IMail\Declude\global.CFG).
Declude Virus: Config file found (M:\IMail\Declude\Virus.CFG).
Declude Hijack:Not installed (no M:\IMail\Declude\Hijack.CFG file).
Declude Confirm:   Not installed (no M:\IMail\Declude\Confirm.CFG file).

Declude JunkMail Status: PRO version registered.
Declude Virus Status:Pro Version Registered.
Declude Hijack Status:   NOT REGISTERED: No activation code.

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 16, 2003 3:52 PM
Subject: Re: [Declude.Virus] "Could not find report file"


>
> >I'm baffled as to why Declude Virus Pro is suddenly not able to find the
> >report file.  Nothing has changed from earlier this morning till now.  The
> >last F-Prot update was yesterday afternoon and Declude has not been updated
> >today.  Any ideas why Declude might be having this problem?
>
> What version of Declude are you running?
>
> -Scott



Re: [Declude.Virus] "Could not find report file"

2003-07-17 Thread Bill Landry
Strange, we found a couple of .tmp files that could not be deleted in the
F-Prot\update directory, which was causing the associated .def files to
become corrupted during the definition download and update process.  Taking
ownership of the .tmp files and then deleting them resolved the problem.

Bill
- Original Message - 
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 16, 2003 4:47 PM
Subject: Re: [Declude.Virus] "Could not find report file"


> Diagnostics ON (Declude v1.70i20).
>
> Declude JunkMail:  Config file found (M:\IMail\Declude\global.CFG).
> Declude Virus: Config file found (M:\IMail\Declude\Virus.CFG).
> Declude Hijack:Not installed (no M:\IMail\Declude\Hijack.CFG file).
> Declude Confirm:   Not installed (no M:\IMail\Declude\Confirm.CFG file).
>
> Declude JunkMail Status: PRO version registered.
> Declude Virus Status:Pro Version Registered.
> Declude Hijack Status:   NOT REGISTERED: No activation code.
>
> - Original Message - 
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, July 16, 2003 3:52 PM
> Subject: Re: [Declude.Virus] "Could not find report file"
>
>
> >
> > >I'm baffled as to why Declude Virus Pro is suddenly not able to find the
> > >report file.  Nothing has changed from earlier this morning till now.  The
> > >last F-Prot update was yesterday afternoon and Declude has not been updated
> > >today.  Any ideas why Declude might be having this problem?
> >
> > What version of Declude are you running?
> >
> > -Scott
>



Re: [Declude.Virus] SoBig.E

2003-07-21 Thread Bill Landry
Virus scanners will scan inside of compressed and archived files (if
configured to do so), so I don't see how this should be an issue.  The
default configurations that Scott has set for the different Declude Virus
supported virus scanners are set up to scan inside of these types of files.

Did you find a virus (SoBig.E) that was inside a zip file that made it past
Declude Virus?

Bill
- Original Message - 
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 21, 2003 5:59 PM
Subject: [Declude.Virus] SoBig.E


Now that the first virus has come out in a zip file, the question arises on
how to protect against this during the time that the virus first appears and
when the AV companies come out with updated definitions and when we get
those definitions.

While it is true that the user first has to open and unzip the file for the
virus to attack, I imagine many users out there feel if they get a zipped
file, it must be ok.

Comments/ideas? (Other than user education which we know works so well.)

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




Re: [Declude.Virus] SoBig.E

2003-07-21 Thread Bill Landry
Ah yes, thanks for the clarification, I misread John's e-mail.  Hmmm, that
is an interesting issue.  Might possibly help to enable AI/Heuristics in the
virus config's command line options.  I did this a while back with F-Prot
(-AI) and McAfee (/ANALYZE), so hopefully that will add a little bit of
added capabilities for capturing these new viruses and variants before the
new definitions are released.

Otherwise, like you stated, it may require holding messages containing zip
files so they can be reviewed before being sent back to the queue for
delivery.

Bill
- Original Message - 
From: "Joshua Levitsky" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 21, 2003 6:57 PM
Subject: Re: [Declude.Virus] SoBig.E


>
> - Original Message - 
> From: "Bill Landry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 21, 2003 9:27 PM
> Subject: Re: [Declude.Virus] SoBig.E
>
>
> > Virus scanners will scan inside of compressed and archived files (if
> > configured to do so), so I don't see how this should be an issue.  The
> > default configurations that Scott has set for the different Declude Virus
> > supported virus scanners are set up to scan inside of these types of files.
> >
> > Did you find a virus (SoBig.E) that was inside a zip file that made it past
> > Declude Virus?
>
> I think the point was that there is a window between a virus existing and
> definitions being available. In the past we could rest easy knowing viruses
> couldn't zip themselves so if you ban all the exe's and such then you would
> protect your users even during that window. Unfortunately now that viruses
> can zip themselves there is a window of potential for exposure. I get pages
> from Symantec when nasties come out because I have platinum support. When I
> hear of a virus that will mail itself as a zip, but there are no defs yet
> then the action I am going to take is to put all the subject lines and such
> that it does in a filter so it will be banned by Declude JunkMail with high
> enough value that it won't bounce, but will be held. Usually www.sarc.com
> (symantec) is good about documenting them.
>
> -Josh
>
>
>
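
The zip cases raised in this thread and in the earlier "Finding SPAM Messages" thread (zipped executables arriving before definitions exist, password-protected zips, zips inside zips) can be handled by policy rather than by signatures. As an added example, not Declude's code or configuration: the Python below bans an archive when any member's effective extension is on a banned list and holds it for review when a member is encrypted, unreadable or nested too deep. The extension list, the depth and size limits and the verdict names are assumptions, and the test archives are constructed in memory.

```python
import io
import zipfile
import zlib

BANNED_EXT = {"scr", "exe", "pif", "com", "bat"}  # illustrative, not a Declude default
MAX_DEPTH = 3                         # assumed limit on archives inside archives
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed cap on a nested archive we unpack


def final_ext(name):
    """Extension Windows would act on: last suffix, padding and trailing dots removed."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    return base.rsplit(".", 1)[-1].strip().lower() if "." in base else ""


def inspect_zip(data, depth=1):
    """Return (verdict, reason) for a zip attachment given as bytes."""
    if depth > MAX_DEPTH:
        return "hold", "nested deeper than %d archives" % MAX_DEPTH
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "hold", "not a readable zip"  # includes zero-byte attachments
    verdict = ("pass", "no banned or unscannable members")
    with zf:
        for info in zf.infolist():
            ext = final_ext(info.filename)
            # Member names are readable even when the contents are encrypted,
            # so the extension ban still applies to password-protected zips.
            if ext in BANNED_EXT:
                return "ban", "member %r has banned extension .%s" % (info.filename, ext)
            if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted
                verdict = ("hold", "member %r is encrypted" % info.filename)
                continue
            if ext == "zip":
                if info.file_size > MAX_MEMBER_BYTES:
                    verdict = ("hold", "nested archive too large to unpack")
                    continue
                try:
                    inner = inspect_zip(zf.read(info), depth + 1)
                except (zipfile.BadZipFile, zlib.error, NotImplementedError, OSError):
                    inner = ("hold", "nested archive %r could not be read" % info.filename)
                if inner[0] == "ban":
                    return inner
                if inner[0] == "hold":
                    verdict = inner
    return verdict


def make_zip(members, encrypted=False):
    """Build a constructed test archive in memory; members maps name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Test fixture only: mark the last member as encrypted by setting bit 0
        # of the flags field in its central directory header (offset 8).
        raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


if __name__ == "__main__":
    samples = {
        "padded double extension": make_zip({"email-details.htm      .scr": b"x"}),
        "plain text": make_zip({"notes.txt": b"hello"}),
        "password protected": make_zip({"report.doc": b"x"}, encrypted=True),
        "zero bytes": b"",
    }
    for label, blob in samples.items():
        print(label, "->", inspect_zip(blob))
```

A "hold" verdict corresponds to the review queue described above: the message is neither delivered nor bounced until someone has looked at it or definitions have caught up.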



Re: [Declude.Virus] SoBig.E

2003-07-21 Thread Bill Landry
Scott, you may want to add a switch to your default virus config settings
for F-Prot when using the 32bit version scanner (fpcmd).  You currently
have:

-archive (Scan inside .ZIP and .ARJ files)

But you may want to add:

-packed (Unpack compressed executables)

Bill


- Original Message - 
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 21, 2003 7:21 PM
Subject: Re: [Declude.Virus] SoBig.E


> Ah yes, thanks for the clarification, I misread John's e-mail.  Hmmm, that
> is an interesting issue.  Might possibly help to enable AI/Heuristics in the
> virus config's command line options.  I did this a while back with F-Prot
> (-AI) and McAfee (/ANALYZE), so hopefully that will add a little bit of
> added capabilities for capturing these new viruses and variants before the
> new definitions are released.
>
> Otherwise, like you stated, it may require holding messages containing zip
> files so they can be reviewed before being sent back to the queue for
> delivery.
>
> Bill
> - Original Message - 
> From: "Joshua Levitsky" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 21, 2003 6:57 PM
> Subject: Re: [Declude.Virus] SoBig.E
>
>
> >
> > - Original Message - 
> > From: "Bill Landry" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, July 21, 2003 9:27 PM
> > Subject: Re: [Declude.Virus] SoBig.E
> >
> >
> > > Virus scanners will scan inside of compressed and archived files (if
> > > configured to do so), so I don't see how this should be an issue.  The
> > > default configurations that Scott has set for the different Declude Virus
> > > supported virus scanners are set up to scan inside of these types of files.
> > >
> > > Did you find a virus (SoBig.E) that was inside a zip file that made it past
> > > Declude Virus?
> >
> > I think the point was that there is a window between a virus existing and
> > definitions being available. In the past we could rest easy knowing viruses
> > couldn't zip themselves so if you ban all the exe's and such then you would
> > protect your users even during that window. Unfortunately now that viruses
> > can zip themselves there is a window of potential for exposure. I get pages
> > from Symantec when nasties come out because I have platinum support. When I
> > hear of a virus that will mail itself as a zip, but there are no defs yet
> > then the action I am going to take is to put all the subject lines and such
> > that it does in a filter so it will be banned by Declude JunkMail with high
> > enough value that it won't bounce, but will be held. Usually www.sarc.com
> > (symantec) is good about documenting them.
> >
> > -Josh
> >
> >
>



Re: [Declude.Virus] AVG - Grisoft

2003-08-04 Thread Bill Landry
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> This is a rare occurrence -- but one that seems completely unacceptable,
> especially given how widespread this virus was.

The strange thing is that F-Prot has released three updates since Mimail hit
(including one today) and none have resolved the failure of their virus
scanner to catch this one.  I even sent them a copy of the message.zip file
and asked for an update, and have yet to hear back from them.

Bill



Re: [Declude.Virus] W32.Mimail.A@mm Virus Fprot Definitions??

2003-08-07 Thread Bill Landry
That's not what I'm seeing.  My defs get updated hourly, and the only update
I have seen today was for the macro.def, which did not do anything to help
F-Prot catch Mimail on my system, especially since this virus is not a macro
virus.

Have you actually seen proof that F-Prot caught this virus on your system?
If so, where are you updating your defs from?

Bill
- Original Message - 
From: "LCasey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 04, 2003 6:14 PM
Subject: RE: [Declude.Virus] [EMAIL PROTECTED] Virus Fprot Definitions??


> Frisk finally released F-Prot defs for [EMAIL PROTECTED] this afternoon.
>
> LCasey
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
> (Lists)
> Sent: Monday, August 04, 2003 7:20 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] [EMAIL PROTECTED] Virus Fprot Definitions??
>
>
> You should have set up a special hold filter to hold these.
>
> John Tolmachoff MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> > [EMAIL PROTECTED] On Behalf Of Jim Matuska
> > Sent: Monday, August 04, 2003 4:24 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.Virus] [EMAIL PROTECTED] Virus Fprot Definitions??
> >
> > Does anyone have any idea when F-Prot will have definitions for the
> > [EMAIL PROTECTED] virus?  I am starting to see a couple of these slip through
> > and even though they are setting off declude junkmail they are only being
> > marked as spam by our Junkmail policies and still could be opened by end
> > users, especially since it seems to be forging an address from our own
> > domain.  Does anyone have any idea when F-Prot will get definitions for this
> > one?
> >
> > Jim Matuska Jr.
> > Computer Tech II
> > CCNA
> > Nez Perce Tribe
> > Information Systems
> > [EMAIL PROTECTED]
> >
> >
>



Re: [Declude.Virus] W32.Mimail.A@mm Virus Fprot Definitions??

2003-08-08 Thread Bill Landry
Ditto!

- Original Message - 
From: "Fritz Squib" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 04, 2003 7:52 PM
Subject: RE: [Declude.Virus] [EMAIL PROTECTED] Virus Fprot Definitions??


> Yep, I saved the attachment from one that got through before.  Had f-prot
> scan it manually and it said it was clean.
>
> Fritz
>
> Frederick P. Squib, Jr.
> Network Operations
> Citizens Telephone Company of Kecksburg
> Citizens Internet Services
> http://www.wpa.net
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Marchette
> Sent: Monday, August 04, 2003 10:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] [EMAIL PROTECTED] Virus Fprot Definitions??
>
>
> Has anyone bothered to try running the fprot exe scanner on the infected
> file directly?  It may be interesting to see if there is an odd issue with
> the way Declude is pulling the mail apart before it scans the attachment.
>



Re: [Declude.Virus] W32.Mimail.A@mm Virus Fprot Definitions??

2003-08-14 Thread Bill Landry
Waste of time, we've already been through this many times, it currently will
not get caught by F-Prot.

Bill
- Original Message - 
From: "Dan Star" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 05, 2003 8:44 AM
Subject: Re: [Declude.Virus] [EMAIL PROTECTED] Virus Fprot Definitions??


> > Here is the response I received from them this morning:
> >
> > The Mimail.A worm started spreading this weekend and has already gained
wide
> > distribution. W32/[EMAIL PROTECTED] spreads by infected attachments to e-mail
> > messages disguised as being from the recipient's local administrator.
> >
> > W32/[EMAIL PROTECTED] is detected and prevented from running with the latest
> > versions of F-Prot Antivirus (released on 2-5 August 2003) using virus
> > signature files dated 2 August 2003 or later.
> >
> > Windows users using the RealTime Protector were not in any danger from
> > W32/[EMAIL PROTECTED] as the RealTime Protector stopped it from executing.
> >
> > So they are trying to tell me F-Prot is catching it while I can clearly see
> > with evidence it is not. What is wrong with them?
>
> The latest signature dates I have are app 8/2 and macro 8/4 and it says up-to-date
> so there is no 8/5 updates.  I am running 3.14 32-bit.  Can someone send me the
> virus to see if it gets through?
>
>   -- Dan
>


Re: [Declude.Virus] followup, Mimail getting through

2003-08-16 Thread Bill Landry
What's the message.zip file size?  The only ones I've seen pass are
corrupted, zero-byte files.

Bill
- Original Message - 
From: "David Dodell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, August 16, 2003 7:19 AM
Subject: [Declude.Virus] followup, Mimail getting through


> Just saved the message.zip file to my local machine and ran f-prot
> against it ... virus free.
>
> Thoughts?  Maybe a new variant?  Or maybe corrupted?
>
>
> David
>


Re: Re[2]: [Declude.Virus] followup, Mimail getting through

2003-08-16 Thread Bill Landry
BANNAME filename.ext

Bill
- Original Message - 
From: "David Dodell" <[EMAIL PROTECTED]>
To: "Bill Landry" <[EMAIL PROTECTED]>
Sent: Saturday, August 16, 2003 8:05 AM
Subject: Re[2]: [Declude.Virus] followup, Mimail getting through


> Saturday, August 16, 2003, 7:40:00 AM, Bill Landry wrote:
>
> > What's the message.zip file size?  The only ones I've seen pass are
> > corrupted, zero-byte files.
>
> Well, it looks like I'm safe ... the file is zero-bytes so it was
> corrupted
>
> Now, I took out the little patch Scott put in to catch the message.zip
> file when F-Prot had not issued the update ...
>
> What is the line to catch a specific file again?
>
> David
>


Re: [Declude.Virus] Sobig.F

2003-08-19 Thread Bill Landry
McAfee is catching it fine here.  Make sure your virus definitions are at
least at 4.0.4287.

Bill
- Original Message - 
From: "Bill Newberg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 19, 2003 10:29 AM
Subject: [Declude.Virus] Sobig.F


F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks
like a reversal of last week's problem with F-Prot not catching the virus and
McAfee catching it. I'm glad I'm running dual scanners.



Re: [Declude.Virus] Sobig.F

2003-08-19 Thread Bill Landry
Go to www.nai.com and select the "Downloads" link.  Grab the latest engine
update (SuperDat File (Engine + DAT)) which will upgrade your engine to
4.2.60 and the virus definitions to 4.0.4287.

Bill
- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 19, 2003 2:12 PM
Subject: Re: [Declude.Virus] Sobig.F


> Can anyone share the McAfee definition files for this?  Ours is currently
> at 4286 and I can't get in manually or automatically to download the current
> definition files.
>
> Thanks,
> Dan
>
> - Original Message - 
> From: "Bill Landry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, August 19, 2003 1:42 PM
> Subject: Re: [Declude.Virus] Sobig.F
>
>
> > McAfee is catching it fine here.  Make sure your virus definitions are at
> > least at 4.0.4287.
> >
> > Bill
> > - Original Message - 
> > From: "Bill Newberg" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 19, 2003 10:29 AM
> > Subject: [Declude.Virus] Sobig.F
> >
> >
> > F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks
> > like a reversal of last week's problem with F-Prot not catching the virus and
> > McAfee catching it. I'm glad I'm running dual scanners.
> >


Re: [Declude.Virus] f-prot command line switches for updater

2003-08-21 Thread Bill Landry
See http://www.f-prot.com/support/fpwin_faq/08.html

Bill
- Original Message - 
From: "Todd Holt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 21, 2003 11:51 AM
Subject: [Declude.Virus] f-prot command line switches for updater


> What are the command line switches to update f-prot?
>
> Todd Holt
> Xidix Technologies, Inc
> Las Vegas, NV  USA
> www.xidix.com
>
>


Re: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread Bill Landry
Thanks for the heads-up, Kris.  We have applied filter rules to all of our
Internet routers to block all outbound IP access to the IP addresses listed
below and to block all outbound udp access to port 8998.

Bill
- Original Message - 
From: "Kris Rickerson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 22, 2003 10:33 AM
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment


>
> >
> >It would seem to me that someone's decoded this encrypted list and if we
> >knew what it was we could setup access lists to block connections to the
> >20 machines.
>
> Ask, and you shall receive.
>
> --
>
> Subject: ISS Security Brief: Sobig.F Second Phase Action
>
> -BEGIN PGP SIGNED MESSAGE-
>
>
> Computers infected with the Sobig.F worm are programmed
> to automatically download an executable of unknown function
> from a hard-coded list of servers at 19:00 UTC (3:00pm EDT)
> X-Force is recommending wholesale outbound filtering of
> the following IP addresses:
>
> The request method uses UDP port 8998. X-Force also
> recommends that this port be filtered outbound.
>
>
>
> Kris Rickerson
> Server Administrator
> Middle Georgia College - Cochran, GA  31014
> [EMAIL PROTECTED]
> ---
> "This is the material, by the way, that has kept me virtually anonymous in
> America.  Meanwhile, they're draining the Pacific and putting up bench
> seats for Carrot Top's next Showtime special. Carrot Top -- for people who
> didn't get Gallagher.  Gallagher -- the comedian who made his name by
> destroying good food with a sledge hammer at the end of his show.  Gee, I
> wonder why we're hated the world over?" - Bill Hicks (1961-1994)
>


Re: [Declude.Virus] Virus protection between users on same iMail server?

2003-09-05 Thread Bill Landry
Ditto here.

Bill
- Original Message - 
From: "Sheldon Koehler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 05, 2003 11:10 AM
Subject: Re: [Declude.Virus] Virus protection between users on same iMail server?


> For our own support reasons, we do not give people the option when it comes
> to virus scanning. Spam filtering is an option. If we host it, we scan for
> viruses. So far we have not had any complaints on this policy.
>
>
> Sheldon
>
>
> Sheldon Koehler, Owner/Partner    http://www.tenforward.com
> Ten Forward Communications   360-457-9023
> Nationwide access, neighborhood support!
>
> "Whenever you find yourself on the side of the majority, it's time
> to pause and reflect." Mark Twain
>
>
> - Original Message - 
> From: "Paul Fuhrmeister" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 05, 2003 10:50 AM
> Subject: [Declude.Virus] Virus protection between users on same iMail
> server?
>
>
> > Real life example:
> >
> > There are two users, we'll call them "[EMAIL PROTECTED]" and
> > "[EMAIL PROTECTED]"
> >
> > Both users are hosted on the same iMail server, but at different domains
> > which are separate "virtual" servers.
> >
> > Declude virus scans all mail for all users both in and out of
> > GoodDomain.com.
> >
> > BadDomain.com has no virus scanning.
> >
> > [EMAIL PROTECTED] has the sobig virus and is sending it to
> > [EMAIL PROTECTED]
> >
> > Will Declude Virus protect [EMAIL PROTECTED] in this situation, where
> > both users are on the same iMail machine?
> >
>


[Declude.Virus] Fw: Latest Internet Security Upgrade

2003-09-18 Thread Bill Landry



Wow, check out this latest virus attempt.  This actually came from comcast,
but look at how official looking the message body is.  It actually contained
an attachment called PACK965.exe, which was the Win32/[EMAIL PROTECTED] virus.
Thankfully RAV is already catching this at our gateways already--I've noticed
that F-Prot and McAfee have done dat updates today, as well.

Make sure your definitions are up-to-date, we have caught about 50 of these in
the last hour, so this may be the next big wave...

Bill

- Original Message - 
From: Microsoft Corporation Customer 
Support 
To: User 
Sent: Thursday, September 18, 2003 12:17 PM
Subject: Latest Internet Security Upgrade


  
  
Microsoft

All Products | Support | Search | Microsoft.com Guide

Microsoft Home

Microsoft User

this is the latest version of security update, the "September 2003,
Cumulative Patch" update which fixes all known security vulnerabilities
affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as
three newly discovered vulnerabilities. Install now to maintain the security
of your computer. This update includes the functionality of all previously
released patches.

System requirements
Windows 95/98/Me/2000/NT/XP

This update applies to
MS Internet Explorer, version 4.01 and later
MS Outlook, version 8.00 and later
MS Outlook Express, version 4.01 and later

Recommendation
Customers should install the patch at the earliest opportunity.

How to install
Run attached file. Choose Yes on displayed dialog box.

How to use
You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found
on the Microsoft Technical Support web site. For security-related information
about Microsoft products, please visit the Microsoft Security Advisor web
site, or Contact Us.

Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an unmonitored e-mail
address and we are unable to respond to any replies.

The names of the actual companies and products mentioned herein are the
trademarks of their respective owners.

Contact Us | Legal | TRUSTe

©2003 Microsoft Corporation. All rights reserved.
Terms of Use | Privacy Statement | Accessibility


Re: [Declude.Virus] Latest Internet Security Upgrade

2003-09-18 Thread Bill Landry



Well, apparently the graphics did not follow the message, but suffice it to
say that this one looks very professional and very official, so I can see lots
of people falling for this one.

Bill
- Original Message -
From: Bill Landry
To: [EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 12:34 PM
Subject: Fw: Latest Internet Security Upgrade
  



Re: [Declude.Virus] Couldn't open header datafile- Log file

2003-09-23 Thread Bill Landry
Kami, I parsed files from 9/1 through today and did not find any incidence
of this string in any of my virus logs.  Did find a few "Error: 32 opening
new datafile" in my logs from 9/3 through 9/16, but nothing since.

Bill
- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 23, 2003 2:27 PM
Subject: [Declude.Virus] Couldn't open header datafile- Log file


> Hi;
>
> I am just curious if anyone else is seeing this in their log files:
>
> Couldn't open header datafile
>
> I noticed that today and in tracing it back it appears that this is showing
> up in logs after 9/13
>
> No incident of this is in any of the logs before 9/13 and after 9/13 it is
> there in every log..
>
> Anyone else seeing this?
>
> Regards,
> Kami
>


Re: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus

2003-09-27 Thread Bill Landry
- Original Message - 
From: "Adolfo Justiniano" <[EMAIL PROTECTED]>

> Scott,
> 
> That interim version is seriously broken, none of the Declude JunkMail
> tests are executed, all messages have 0 as weight, no logs are
> generated... I have to go back to 1.76i2.

It's working fine for me (1.76i3).

Bill


Re: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus

2003-09-27 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> You are correct -- there is a new interim release v1.76i4 at the same URL
> that fixes this.

Strange, I have not had any problems with that interim release.  What I have
noticed is that all of the 1.76i* releases have a problem with creating
Eicar files in the directory that you run declude -diag in, except the IMail
directory.  For example, if I run three times at the root "C" prompt:

C:\>m:\imail\declude -diag

I will find the following in the root of "C":

09/27/2003  11:54a  68 eicar.com.vir
09/27/2003  11:54a  68 eicar.com.vir1
09/27/2003  11:54a  68 eicar.com.vir2

Bill



Re: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus

2003-09-27 Thread Bill Landry
- Original Message - 
From: "Adolfo Justiniano" <[EMAIL PROTECTED]>


> If you don't have a gateway and don't use ipbypass in Declude JunkMail
> you probably wouldn't have the problem.

I have two Redhat/Postfix gateways sitting in front of my IMail server and
therefore do use IPBYPASS with Declude JunkMail.

> I don't have that problem with the Eicar files when I run declude -diag
> in any directory.

Hmmm, and the matter gets even stranger, since this happens on both my
production IMail server and my test server, even with the latest v1.76i4
interim release...  :-\

Bill



Re: [Declude.Virus] Is Declude Hijack run before Declude Virus - Swen virus

2003-09-27 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>


> That is intentional.  The Declude diagnostics will create an eicar.com
> file, and try to delete it.  If it can't create or delete the file, it
> displays a warning.  This is designed for us to help discover when people
> have on-access virus scanners running that they don't know about.
>
> In this case, your on-access virus scanner is renaming the file with the
> virus in it (which prevents Declude from deleting it).  But since it is not
> happening in the \IMail directory (and subdirectories, presumably), it will
> not interfere with Declude Virus.

Makes sense, because I found that if I shut off my on-access virus scanner
(which you are correct, does not scan anything in the IMail directory or
sub-directories), the eicar files do not show up.

Thanks for the explanation.

Bill

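The check Scott describes (create an EICAR test file, try to delete it, warn if either step fails) can be run against any directory to find out whether an on-access scanner is watching it. The sketch below is an added example, not Declude's code; the function name, the `settle` hook and the result fields are assumptions made for illustration.

```python
import os
import tempfile
import time

# Standard 68-byte EICAR test string, written in two pieces so that this
# source file is not itself quarantined by an on-access scanner.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def probe_on_access_scanner(directory, name="eicar.com", settle=None):
    """Create the EICAR test file in `directory`, then read and delete it.

    `settle` is a hypothetical hook that runs between writing and checking;
    by default it waits half a second so a resident scanner can react.
    """
    path = os.path.join(directory, name)
    before = set(os.listdir(directory))
    result = {"created": False, "intact": False, "deleted": False}

    try:
        with open(path, "wb") as fh:
            fh.write(EICAR)
        result["created"] = True
    except OSError:
        pass  # write blocked by a scanner, or the directory is not writable

    (settle or (lambda: time.sleep(0.5)))()

    try:
        with open(path, "rb") as fh:
            result["intact"] = fh.read() == EICAR
    except OSError:
        pass  # file was removed, renamed or locked

    try:
        os.remove(path)
        result["deleted"] = True
    except OSError:
        pass  # nothing left to delete under the original name

    # Any new name in the directory is a renamed or quarantined copy,
    # like the eicar.com.vir files in the listing earlier in the thread.
    result["leftovers"] = sorted(set(os.listdir(directory)) - before)
    result["interference"] = (
        not all((result["created"], result["intact"], result["deleted"]))
        or bool(result["leftovers"])
    )
    return result


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        report = probe_on_access_scanner(scratch)
    print("on-access scanner interference:", report["interference"], report)
```

Run it once against the mail spool directory and once against an unrelated directory: the spool should report no interference if it is excluded from on-access scanning.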


Re: [Declude.Virus] Zip vulnerability

2003-10-28 Thread Bill Landry
I think it depends on your virus scanner, but I believe that most virus
scanners will now detect the zip of death.

Bill
- Original Message - 
From: "Craig Gittens" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 28, 2003 11:52 AM
Subject: [Declude.Virus] Zip vulnerability


> Does Declude recognize the zip vulnerability where a zip file contains 5
> other zip files each of which contain a further 5 zip files which ALL
> contain 400MB files? So about 10GB of zipped files that zips down to 5kb
>
> I really don't want to test it on my live server but I have such a file.
>
> Craig.
>
>
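A nested archive like the one Craig describes can be screened before it ever reaches a scanner. This added example (not Declude's or any scanner vendor's code) walks the zip directory entries in memory and rejects the file once nesting depth, entry count or total declared size passes a budget; the limits, the function names and the scaled-down fixture are assumptions chosen for illustration.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens a non-empty zip


class LimitExceeded(Exception):
    """Raised as soon as the archive breaks one of the budgets."""


def _walk(blob, depth, stats, limits):
    if depth > limits["max_depth"]:
        raise LimitExceeded("nesting deeper than %d levels" % limits["max_depth"])
    stats["depth"] = max(stats["depth"], depth)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            # Sizes come from the archive directory; nothing is inflated yet.
            stats["entries"] += 1
            stats["declared_bytes"] += info.file_size
            if stats["entries"] > limits["max_entries"]:
                raise LimitExceeded("more than %d entries" % limits["max_entries"])
            if stats["declared_bytes"] > limits["max_total"]:
                raise LimitExceeded("declared size exceeds %d bytes" % limits["max_total"])
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)  # inflate just enough to see the magic
                if head != ZIP_MAGIC:
                    continue
                # A nested zip: buffer it, but never more than the budget.
                inner = head + member.read(limits["max_total"])
            _walk(inner, depth + 1, stats, limits)


def audit_zip(blob, max_depth=3, max_entries=1000, max_total=100 * 2**20):
    """Return counters plus an accept/reject verdict for a zip held in memory."""
    limits = {"max_depth": max_depth, "max_entries": max_entries,
              "max_total": max_total}
    stats = {"entries": 0, "declared_bytes": 0, "depth": 0}
    try:
        _walk(blob, 1, stats, limits)
        verdict, reason = "accept", ""
    except LimitExceeded as exc:
        verdict, reason = "reject", str(exc)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError) as exc:
        # Corrupt, encrypted or unsupported members cannot be vouched for.
        verdict, reason = "reject", "unreadable archive: %s" % exc
    stats["ratio"] = stats["declared_bytes"] / max(len(blob), 1)
    return dict(stats, verdict=verdict, reason=reason)


def build_scaled_down_fixture():
    """Constructed test input with the layout from the question, scaled down:
    a zip of 5 zips, each holding 5 zips, each holding one 1 MiB file."""
    def pack(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in members:
                zf.writestr(name, data)
        return buf.getvalue()

    leaf = pack([("0.dat", bytes(2**20))])
    middle = pack([("%d.zip" % i, leaf) for i in range(5)])
    return pack([("%d.zip" % i, middle) for i in range(5)])


if __name__ == "__main__":
    sample = build_scaled_down_fixture()
    print(len(sample), "bytes on disk ->", audit_zip(sample, max_total=10 * 2**20))
```

The walk only ever inflates nested zip members, which are small, so the check stays cheap even when the declared payload is enormous.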


Re: [Declude.Virus] Heads up on F-Prot configuration

2004-01-25 Thread Bill Landry
Here's what I have used for over a year and recommended to the list at that
time:

# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SILENT -TYPE -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection:

I include the "VIRUSCODE 8" for holding suspicious files, and "-AI" to
enable neural-network virus detection.  I'm not sure why Scott did not add
at least the "-PACKED" switch back then, figured maybe he thought I was just
being overly cautious.

Also, I use hyphen "-" instead of forward slash "/" because that's what is
shown for the switches when doing "fpcmd /?" from the command prompt.
Probably doesn't matter since both apparently work.

Bill
- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, January 25, 2004 6:06 AM
Subject: Re: [Declude.Virus] Heads up on F-Prot configuration


> I checked and it scanned the boot records without it, and didn't scan
> the boot records with it.  I think it is undocumented.
>
> Matt
>
>
>
> R. Scott Perry wrote:
>
> >
> >> I noticed while testing the command line output that the switches
> >> recommended in the manual doesn't include /NOBOOT and as a result,
> >> F-Prot will scan your boot sectors every time it is run.  This would
> >> waste clock cycles.  I also included the /PACK option which is said
> >> to "unpack compressed executables."   I'm no expert on this stuff,
> >> but I believe the 32-bit F-Prot instructions should be changed to the
> >> following:
> >
> >
> > Actually, the original configuration that we suggested for fpcmd.exe
> > was identical to F-Prot.exe, except without the "/NOFLOPPY" option
> > (which would break fpcmd.exe), so we kept the "/NOBOOT" in there.
> > But, someone later pointed out that fpcmd.exe doesn't support the
> > /NOBOOT switch.  I'm not sure whether they just left it out of the
> > list of switches, or if it is left undocumented.  But that's why we
> > removed it.  I'll have to check to see if they have changed this since
> > we last checked.
> >
> >-Scott
> > ---
> > Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> > Declude Virus: Catches known viruses and is the leader in mailserver
> > vulnerability detection.
> > Find out what you've been missing: Ask about our free 30-day evaluation.
> >
> >
>
> -- 
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
>
>


Re: [Declude.Virus] Heads up on F-Prot configuration

2004-01-25 Thread Bill Landry
Mike, I did some very basic testing using the "-" and "/" on different size
files ranging from under 1mb to 50mb, and what I found was that the tests
either ran at the same speed or the tests with the "/" ran a bit slower (out
of ten tests I ran, 4 ran slower with the "/").  Here is one example:
==
With "-"
==
C:\Program Files\FSI\F-Prot>fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SILENT -TYPE -REPORT=report.txt f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip

C:\Program Files\FSI\F-Prot>cat report.txt
Virus scanning report  -  25 January 2004 @ 14:22

F-PROT ANTIVIRUS
Program version: 3.14b
Engine version: 3.14.7

VIRUS SIGNATURE FILES
SIGN.DEF created 23 January 2004
SIGN2.DEF created 24 January 2004
MACRO.DEF created 19 January 2004

Search: -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SILENT -TYPE -REPORT=report.txt f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /PACKED /REPORT=report.txt /NOBREAK /SILENT /NOBOOT /NOMEM /AI
Memory was not scanned.
Hard disk boot sectors were not scanned.

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 2

Time: 0:14

No viruses or suspicious files/boot sectors were found.

==
With "/"
==
C:\Program Files\FSI\F-Prot>fpcmd.exe /AI /ARCHIVE /DUMB /NOBOOT /NOBREAK /NOMEM /PACKED /SILENT /TYPE /REPORT=report.txt f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip

C:\Program Files\FSI\F-Prot>cat report.txt
Virus scanning report  -  25 January 2004 @ 14:22

F-PROT ANTIVIRUS
Program version: 3.14b
Engine version: 3.14.7

VIRUS SIGNATURE FILES
SIGN.DEF created 23 January 2004
SIGN2.DEF created 24 January 2004
MACRO.DEF created 19 January 2004

Search: f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /PACKED /REPORT=report.txt /NOBREAK /SILENT /NOBOOT /NOMEM /AI
Memory was not scanned.
Hard disk boot sectors were not scanned.

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 2

Time: 0:17

No viruses or suspicious files/boot sectors were found.
=

Note the time difference.  I would be curious to know what your results are
like.

Bill
- Original Message - 
From: "Mike Nice" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, January 25, 2004 12:54 PM
Subject: Re: [Declude.Virus] Heads up on F-Prot configuration


> The Help shows the commands beginning with
> dashes.   FPCMD.EXE recognizes the dashes as commands, however it fails to
> remove them from the argument list and ends up scanning for the arguments as
> additional file specifications.   Try it both ways and note the output - it
> says it searches for -packed, for example.
>
>    Also a test shows that the /NOBOOT command is applicable to FPCMD.exe and
> saves scanning the boot records.
>
>  Mike Nice
>
> - Original Message - 
> From: "Bill Landry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, January 25, 2004 1:35 PM
> Subject: Re: [Declude.Virus] Heads up on F-Prot configuration
>
>
> > Also, I use hyphen "-" instead of forward slash "/" because that's what is
> > shown for the switches when doing "fpcmd /?" from the command prompt.
> > Probably doesn't matter since both apparently work.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Imail and Spyware Protection

2004-01-26 Thread Bill Landry
Pest Patrol is a spyware application that is supported by Declude Virus, at
least it is shown in the manual at http://www.declude.com/virus/manual.htm.

Bill
- Original Message - 
From: "Bridges, Samantha" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 26, 2004 7:49 AM
Subject: RE: [Declude.Virus] Imail and Spyware Protection


Thanks Scott.

I use F-Prot and I don't know if they block this.  I will check it out.

Samantha

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Monday, January 26, 2004 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Imail and Spyware Protection



>How do you know if spyware is on a PC?  Does Declude or Imail identify
>and remove sneaky applications such as these?

That is up to the AV program.  Most AV programs do not attempt to detect
spyware.  However, if the AV program you use with Declude Virus is capable
of detecting spyware, then it will get caught with Declude Virus.

-Scott


[Declude.Virus] TrendMicro & Declude Virus

2004-01-26 Thread Bill Landry
I was looking at the virus manual site and noticed that the TrendMicro
config entry does not have a "report" line.  Is this because Trend does not
provide a report output that Declude can track?  Just wondering because we
are migrating all of our data center servers to Trend.

Thanks for any feedback...

Bill



Re: [Declude.Virus] TrendMicro & Declude Virus

2004-01-27 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> >I was looking at the virus manual site and noticed that the TrendMicro
> >config entry does not have a "report" line.  Is this because Trend does not
> >provide a report output that Declude can track?  Just wondering because we
> >are migrating all of our data center servers to Trend.
>
> That is correct -- the last time we checked, they did not support the
> standard report file format.

We are running a corporate enterprise edition of TrendMicro, but this is
providing accurate report output for us:

SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt
VIRUSCODE2 1
REPORT2  Found

I don't know if this would work for the basic desktop version or not, since
I do not have a copy to be able to test it.

Bill



Re: [Declude.Virus] Heads up on F-Prot configuration

2004-01-27 Thread Bill Landry
I don't know if you actually did any tests or not, but your theory does not
prove itself in my testing.  All this proves is that the output of the
search string in the report files is different.

Bill
- Original Message - 
From: "Mike Nice" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 27, 2004 4:11 PM
Subject: Re: [Declude.Virus] Heads up on F-Prot configuration


>
> On today's fast computers you probably won't be able to detect a time
> difference.   Here's what I was referring to-
>
> #1: >  Search: -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED
> > -SILENT -TYPE -REPORT=report.txt
> f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip
>
> #2: > Search: f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip
>
>   Presumably, it actually searches for all the filespecs in the first list,
> although the whole process would probably take 200 to 500 microseconds.  I
> like to simplify things as much as possible as well as avoid accidentally
> hitting a valid file or directory specification and scanning the same file
> for each E-mail message.

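
The difference between the two F-Prot report headers discussed in the "Heads up on F-Prot configuration" messages above can be checked mechanically. This is an added example, not code from the original messages or from F-Prot: it reads a report header and lists the switches that ended up in the Search: field as file specifications. The function names are illustrative, and the sample text is constructed from the report.txt excerpts quoted in the thread.

```python
import re

# Constructed samples: the header fields of the two report.txt files quoted in
# this thread, with the mail client's line wraps removed.
TARGET = r"f:\SolarWinds-NetPerfMon-V6-AX100-Eval.zip"
SWITCHES_LINE = ("Switches: /ARCHIVE /PACKED /REPORT=report.txt /NOBREAK "
                 "/SILENT /NOBOOT /NOMEM /AI")
REPORT_DASH = "\n".join([
    "Search: -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SILENT "
    "-TYPE -REPORT=report.txt " + TARGET,
    "Action: Report only",
    "Files: Attempt to identify files",
    SWITCHES_LINE,
])
REPORT_SLASH = "\n".join([
    "Search: " + TARGET,
    "Action: Report only",
    "Files: Attempt to identify files",
    SWITCHES_LINE,
])

FIELD_RE = re.compile(r"^(Search|Action|Files|Switches):\s*(.*)$")


def parse_header(report_text):
    """Collect the 'Name: value' header fields of an F-Prot report."""
    fields = {}
    for line in report_text.splitlines():
        match = FIELD_RE.match(line.strip())
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def switch_name(token):
    """'-REPORT=report.txt' or '/REPORT=report.txt' -> 'REPORT'."""
    return token.lstrip("-/").split("=", 1)[0].upper()


def audit_search_field(report_text):
    """Split the Search: field into real targets and leaked dash switches.

    Assumes scan targets contain no spaces (true for the thread's examples).
    """
    fields = parse_header(report_text)
    tokens = fields.get("Search", "").split()
    applied = {switch_name(t) for t in fields.get("Switches", "").split()}
    leaked = [t for t in tokens if t.startswith("-")]
    return {
        "targets": [t for t in tokens if not t.startswith("-")],
        # Dash switches that the scanner also treated as things to search for.
        "leaked": leaked,
        # Leaked switches that the Switches: line shows were honoured as well.
        "leaked_and_applied": [t for t in leaked if switch_name(t) in applied],
        # Leaked switches that the Switches: line does not list at all.
        "leaked_not_listed": [t for t in leaked if switch_name(t) not in applied],
    }


if __name__ == "__main__":
    for label, text in (("dash", REPORT_DASH), ("slash", REPORT_SLASH)):
        result = audit_search_field(text)
        print(label, "targets:", result["targets"])
        print(label, "leaked filespecs:", result["leaked"])
```

Any entry in "leaked" is an extra file specification the scanner is asked to look for on every message, which is the accidental-match risk raised in the quoted reply.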


Re: [Declude.Virus] Virus report and log entry question

2004-01-29 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> >Scott, I am running Declude v1.77i24 and I am wondering why Declude Virus is
> >using the file name from the second virus scanner instead of the first...
>
> This should only happen if the first virus scanner did not report the virus
> name, or if the virus name contains "vulnerability" in it (in which case a
> real virus name takes priority).

F-Prot is the first virus scanner and the log samples I provided show that
F-Prot did report the virus name.  In fact, the log and postmaster report both
use the first scanner's reported virus name (in this case F-Prot reported the
virus as Mydoom) instead of the second scanner's (TrendMicro, which reports the
virus as WORM_MIMAIL.R).  However, the report and log file show the second
scanner's file name, which is showing up missing the first letter in the file
name in both, which is not missing in either as reported by the first
scanner.

> The problem here is that the report file format is different for a .SMD
> file that is scanned versus an actual attachment (Declude Virus decodes the
> attachments).  Could you send a sample file for scanning a directory with
> just a single eicar.com file in it?

Here you go:

C:\Program Files\Trend\SPROTECT>vscantm.bin /NBPM /NM /NB /NC /Q
/LR=report.txt L:\VirusTest

1 files have been checked.
 Found 1 files containing viruses.
-
C:\Program Files\Trend\SPROTECT>cat report.txt
Copyright (c) 1990 - 2002 Trend Micro Inc.
Report Date : 1/29/2004 17:10:52
VSAPI Engine Version : 6.810-1005
VSCANTM Version : 1.0-1728
Virus Pattern Version : 749 (58124 Patterns) (2004/01/28) (174900)
Command Line: vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt L:\VirusTest

Found [ Eicar_test_file](1) in L:\VirusTest\eicar.com
1 files have been read.
1 files have been checked.
1 files have been scanned.
1 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/29/2004 17:10:53
0.00 seconds has elapsed.

-*-*-*-*-*-*-*--
---*

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-01 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>


> This is indeed due to an issue with Declude Virus -- it will be fixed in
> the next interim release.

Scott, I upgraded to Declude v1.77i26 and that took care of the file name
issue - thanks!  However, I am now noticing that about 1 in 10 postmaster
messages is displaying "virus in Unknown File", even though most times the
file name is correctly identified in the virus log (see attachment).

Not that big a deal, just an FYI...

Bill
Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:26:43
Subject:Mail System Error - Returned Mail
Spool File: D36d2853b009e5f08.SMD

02/01/2004 09:26:43 Q36d2853b009e5f08 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=doc.zip [13] O
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D36D28~1.VIR\1.zip,(doc.scr) Attachment= [13] O
02/01/2004 09:26:43 Q36d2853b009e5f08 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanned: CONTAINS A VIRUS [MIME: 4 25840]
02/01/2004 09:26:43 Q36d2853b009e5f08 From: [Forged] To: [removed] [outgoing from 
204.189.38.4]
02/01/2004 09:26:43 Q36d2853b009e5f08 Subject: Mail System Error - Returned Mail

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:32:06
Subject:Delivery Status Notification (Failure)
Spool File: D3816855d009e4e46.SMD

02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=body.zip [13] O
02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
02/01/2004 09:32:06 Q3816855d009e4e46 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:32:06 Q3816855d009e4e46 Scanned: CONTAINS A VIRUS [MIME: 4 25206]
02/01/2004 09:32:06 Q3816855d009e4e46 From: [Forged] To: [removed] [outgoing from 
204.189.38.4]
02/01/2004 09:32:06 Q3816855d009e4e46 Subject: Delivery Status Notification (Failure)

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:37:06
Subject:failure notice
Spool File: D394063ce005add44.SMD

02/01/2004 09:37:05 Q394063ce005add44 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment= [13] O
02/01/2004 09:37:06 Q394063ce005add44 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D39406~1.VIR\0,(document.htm
02/01/2004 09:37:06 Q394063ce005add44 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:37:06 Q394063ce005add44 Scanned: CONTAINS A VIRUS
02/01/2004 09:37:06 Q394063ce005add44 From: [Forged] To: [removed] [outgoing from 
204.189.38.4]
02/01/2004 09:37:06 Q394063ce005add44 Subject: failure notice

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:44:28
Subject:Delivery Status Notification (Failure)
Spool File: D3af9338a00289760.SMD

02/01/2004 09:44:27 Q3af9338a00289760 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=file.pif [13] O
02/01/2004 09:44:28 Q3af9338a00289760 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D3AF93~1.VIR\1.pif Attachment= [13] O
02/01/2004 09:44:28 Q3af9338a00289760 Found a bogus .pif file
02/01/2004 09:44:28 Q3af9338a00289760 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:44:28 Q3af9338a00289760 Scanned: CONTAINS A VIRUS [MIME: 4 2]
02/01/2004 09:44:28 Q3af9338a00289760 From: [Forged] To: [removed] [outgoing from 
204.189.38.3]
02/01/2004 09:44:28 Q3af9338a00289760 Subject: Delivery Status Notification (Failure)

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:45:46
Subject:Returned mail: see transcript for details
Spool File: D3b499bcf0082ceb7.SMD

02/01/2004 09:45:45 Q3b499bcf0082ceb7 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=doc.zip [13] O
02/01/2004 09:45:46 Q3b499bcf0082ceb7 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\D3B499~1.VIR\1.zip,(doc.htm
02/01/2004 09:45:46 Q3b499bcf0082ceb7 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/01/2004 09:45:46 Q3b499bcf0082ceb7 Scanned: CONTAINS A VIRUS [MIME: 4 24197]
02/01/2004 09:45:46 Q3b499bcf0082ceb7 From: [Forged] To: [removed] [outgoing from 
204.189.38.3]
02/01/2004 09:45:46 Q3b499bcf0082ceb7 Subject: Returned mail: see transcript for 
details

===

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in Unknown File 
from [Forged] to:  [removed]

Date:   02/01/2004 09:51:31
Subject:Delivery Status Notification (Failure)
Spool File: D3ca335a6002e14ff.SMD

02/01/2004 09:51:31 Q3ca335a6002e14ff Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=readme.zip [13] O
02/01/2004 09

Re: [Declude.Virus] Virus report and log entry question

2004-02-02 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> > > This is indeed due to an issue with Declude Virus -- it will be fixed in
> > > the next interim release.
> >
> >Scott, I upgraded to Declude v1.77i26 and that took care of the file name
> >issue - thanks!  However, I am now noticing that about 1 in 10 postmaster
> >messages is displaying "virus in Unknown File", even though most times the
> >file name is correctly identified in the virus log (see attachment).
>
> What is the REPORT2 line in your \IMail\Declude\virus.cfg file?

# TrendMicro
SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt
VIRUSCODE2 1
REPORT2  Found

> In the line:
>
> 02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus=
> [   WORM_MYDOOM.A](1) in M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
>
> is that appearing all on one line, or on two separate lines in the log file?

All on one line.

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-02 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> > > 02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus=
> > > [   WORM_MYDOOM.A](1) in M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
> > >
> > > is that appearing all on one line, or on two separate lines in the log
> > > file?
> >All on one line.
>
> This is strange -- Declude Virus should be using the file name that it
> reports in the log file.
>
> Do you have sample log file entries for an E-mail with a virus that was
> caught, where "Unknown File" was not used?

Attached are 5 recent samples.  Let me know if you need more.

Bill
Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in sfehy.zip from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:40:20
Subject:Mail Transaction Failed
Spool File: Dd1ce048100aec351.SMD
Remote IP:  204.189.38.3

02/02/2004 14:40:19 Qd1ce048100aec351 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=sfehy.zip [13] O
02/02/2004 14:40:20 Qd1ce048100aec351 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1CE0~1.VIR\0.zip,(sfehy.pif) Attachment=sfehy.zip [13] O
02/02/2004 14:40:20 Qd1ce048100aec351 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:20 Qd1ce048100aec351 Scanned: CONTAINS A VIRUS [MIME: 2 22794]
02/02/2004 14:40:20 Qd1ce048100aec351 From: [Forged] To: [Removed] [outgoing from 
204.189.38.3]
02/02/2004 14:40:20 Qd1ce048100aec351 Subject: Mail Transaction Failed

---

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in text.zip from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:40:36
Subject:
Spool File: Dd1df049000ae0645.SMD
Remote IP:  204.189.38.4

02/02/2004 14:40:35 Qd1df049000ae0645 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=text.zip [13] O
02/02/2004 14:40:36 Qd1df049000ae0645 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1DF0~1.VIR\0.zip,(text.exe) Attachment=text.zip [13] O
02/02/2004 14:40:36 Qd1df049000ae0645 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:36 Qd1df049000ae0645 Scanned: CONTAINS A VIRUS [MIME: 2 22873]
02/02/2004 14:40:36 Qd1df049000ae0645 From: [Forged] To: [Removed] [outgoing from 
204.189.38.4]
02/02/2004 14:40:36 Qd1df049000ae0645 Subject:

---

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in doc.zip from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:40:52
Subject:hello
Spool File: Dd1e8049500ae28e1.SMD
Remote IP:  204.189.38.3

02/02/2004 14:40:51 Qd1e8049500ae28e1 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=doc.zip [13] O
02/02/2004 14:40:52 Qd1e8049500ae28e1 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1E80~1.VIR\0.zip,(doc.pif) Attachment=doc.zip [13] O
02/02/2004 14:40:52 Qd1e8049500ae28e1 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:52 Qd1e8049500ae28e1 Scanned: CONTAINS A VIRUS [MIME: 2 22871]
02/02/2004 14:40:52 Qd1e8049500ae28e1 From: [Forged] To: [Removed] [outgoing from 
204.189.38.3]
02/02/2004 14:40:52 Qd1e8049500ae28e1 Subject: hello

---

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in readme.zip from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:41:10
Subject:Hi
Spool File: Dd1e50bb100a21fe8.SMD
Remote IP:  204.189.38.3

02/02/2004 14:41:09 Qd1e50bb100a21fe8 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=readme.zip [13] O
02/02/2004 14:41:10 Qd1e50bb100a21fe8 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1E50~1.VIR\0.zip,(readme.cmd) Attachment=readme.zip [13] O
02/02/2004 14:41:10 Qd1e50bb100a21fe8 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:41:10 Qd1e50bb100a21fe8 Scanned: CONTAINS A VIRUS [MIME: 2 22877]
02/02/2004 14:41:10 Qd1e50bb100a21fe8 From: [Forged] To: [Removed] [outgoing from 
204.189.38.3]
02/02/2004 14:41:10 Qd1e50bb100a21fe8 Subject: Hi

---

Declude Antivirus v1.77i26 caught the  W32/[EMAIL PROTECTED] virus in message.pif from 
[Forged] to:  [Removed]

Date:   02/02/2004 14:41:25
Subject:Error
Spool File: Dd1cd0bac00a2c218.SMD
Remote IP:  204.189.38.3

02/02/2004 14:41:24 Qd1cd0bac00a2c218 Scanner 1: Virus= W32/[EMAIL PROTECTED] 
Attachment=message.pif [13] O
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in 
M:\IMail\spool\DD1CD0~1.VIR\0.pif Attachment=message.pif [13] O
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Found a bogus .pif file
02/02/2004 14:41:25 Qd1cd0bac00a2c218 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Scanned: CONTAINS A VIRUS [MIME: 2 22777]
02/02/2004 14:41:25 Qd1cd0bac00a2c218 From: [Forged] To: [Removed] [outgoing from 
204.189.38.3]
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Subject: Error
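
In the samples posted in the two "Virus report and log entry question" messages above, every notice that says "Unknown File" has a Scanner 2 log line whose Attachment= field is empty or cut off, while every notice that names a file has that field filled in. The following added example (not Declude code and not part of the original messages) parses the Scanner lines per queue ID and flags those cases; the function names are illustrative and the sample log is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: Scanner lines from the postmaster reports in this thread,
# re-joined onto one line each (the mail archive wrapped them and redacted the
# Scanner 1 virus name to "[EMAIL PROTECTED]").
SAMPLE_LOG = r"""
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=doc.zip [13] O
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in M:\IMail\spool\D36D28~1.VIR\1.zip,(doc.scr) Attachment= [13] O
02/01/2004 09:26:43 Q36d2853b009e5f08 Scanned: CONTAINS A VIRUS [MIME: 4 25840]
02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=body.zip [13] O
02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
02/01/2004 09:37:05 Q394063ce005add44 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment= [13] O
02/01/2004 09:37:06 Q394063ce005add44 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in M:\IMail\spool\D39406~1.VIR\0,(document.htm
02/02/2004 14:40:19 Qd1ce048100aec351 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=sfehy.zip [13] O
02/02/2004 14:40:20 Qd1ce048100aec351 Scanner 2: Virus= [   WORM_MYDOOM.A](1) in M:\IMail\spool\DD1CE0~1.VIR\0.zip,(sfehy.pif) Attachment=sfehy.zip [13] O
"""

# date, time (optional milliseconds), queue ID, then the scanner record
LINE_RE = re.compile(
    r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d(?:\.\d+)? (\S+) Scanner (\d+): Virus=\s*(.*)$")
# "<detail> Attachment=<name> [<n>] <flag>" at the end of a complete record
TAIL_RE = re.compile(r"^(.*?)\s*Attachment=(.*?)\s*\[(\d+)\]\s*(\S)\s*$")
LABEL_RE = re.compile(r"^\[\s*([^\]]+)\]")      # "[   WORM_MYDOOM.A](1) in ..."
INNER_RE = re.compile(r",\(([^)]*)\)?\s*$")     # ",(doc.scr)" or cut-off ",(body.txt"

EMPTY = "last scanner reported an empty Attachment= field"
CUT = "last scanner line ends before its Attachment= field"


def parse_scanner_lines(log_text):
    """Group 'Scanner N:' records by queue ID; other log lines are ignored."""
    messages = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        queue_id, scanner, rest = match.groups()
        tail = TAIL_RE.match(rest)
        detail = tail.group(1) if tail else rest.strip()
        label = LABEL_RE.match(detail)
        inner = INNER_RE.search(detail)
        messages.setdefault(queue_id, []).append({
            "scanner": int(scanner),
            "virus": label.group(1).strip() if label else detail,
            "inner_file": inner.group(1) if inner else None,
            "attachment": tail.group(2) if tail else None,  # None: field missing
        })
    return messages


def review(log_text):
    """Per queue ID: a usable file name for the notice, plus any flags."""
    findings = {}
    for queue_id, records in parse_scanner_lines(log_text).items():
        records.sort(key=lambda r: r["scanner"])
        last = records[-1]
        flags = []
        if last["attachment"] is None:
            flags.append(CUT)
        elif last["attachment"] == "":
            flags.append(EMPTY)
        names = [r["attachment"] for r in records if r["attachment"]]
        inner = [r["inner_file"] for r in records if r["inner_file"]]
        findings[queue_id] = {
            "notice_name": names[0] if names else None,
            "inner_file": inner[0] if inner else None,
            "flags": flags,
        }
    return findings


if __name__ == "__main__":
    for queue_id, finding in review(SAMPLE_LOG).items():
        print(queue_id, finding)
```

Run over a full virus log, the flagged queue IDs are the ones to compare against the postmaster notices that show "Unknown File".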


Re: [Declude.Virus] Virus report and log entry question

2004-02-02 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> Would it be possible to E-mail one of the quarantined D*.SMD files to our
> virustrap@ account?  We can then analyze it and should be able to get a
> better idea of why this is happening.

I sent sample d*.smd virus files and postmaster and log file txt to the
virustrap account.

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> > > Would it be possible to E-mail one of the quarantined D*.SMD files to our
> > > virustrap@ account?  We can then analyze it and should be able to get a
> > > better idea of why this is happening.
> >
> >I sent sample d*.smd virus files and postmaster and log file txt to the
> >virustrap account.
>
> It looks like Groupshield blocked it.
>
> Perhaps you could .ZIP it in a password-protected .ZIP file, which should
> prevent it from getting blocked?

I resent it last night from my yahoo account.  Did you receive it at the
virustrap address?

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> >I resent it last night from my yahoo account.  Did you receive it at the
> >virustrap address?
>
> No -- the only E-mail to arrive there was the one from GroupShield for
> Exchange.

Please check the virustrap mailbox again, hopefully third attempt is a
charm...

Bill



Re: [Declude.Virus] Virus report and log entry question

2004-02-03 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> >Please check the virustrap mailbox again, hopefully third attempt is a
> >charm...
>
> It came through -- it looks like the one from last night probably did as
> well, but got caught here.
>
> Are you running 3 virus scanners with Declude Virus?  The only thing that I
> can think of that could account for this happening is if there are 3 or
> more virus scanners being used with Declude Virus.

No, just two.  We replaced McAfee with TrendMicro.  Here are the actual
virus scanner config entries:

# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SILENT -TYPE -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection:

# McAfee
# SCANFILE2 C:\Progra~1\Common~1\Networ~1\Viruss~1\4.0.xx\scan.exe /ALL /ANALYZE /NOBEEP /NOBOOT /NOBREAK /NODDA /NOMEM /PROGRAM /SILENT /UNZIP /REPORT report.txt
# VIRUSCODE2 13
# REPORT2 Found

# TrendMicro
SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt
VIRUSCODE2 1
REPORT2  Found

Bill



Re: [Declude.Virus] AVG 7.0 32-bit scanner find...extra space???

2004-02-07 Thread Bill Landry



Matt, what does your report line look like?  If it's:

REPORT1    Infections:

maybe try instead

REPORT1   Identified

without a colon ":".  Just curious if that fixes it, since the report does
not contain "Infections:", but does contain "Identified".

Bill

  - Original Message - 
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Friday, February 06, 2004 11:38 PM
  Subject: [Declude.Virus] AVG 7.0 32-bit scanner find...extra space???

  Ok, I've been testing things and I think I might have found why Declude
  can't make use of AVG 7's 32-bit scanner, avgscan.exe.  In the 16-bit
  version, the program will report:

      Virus identified EICAR_Test

  In the 32-bit version, there is an extra space:

      Virus identified  EICAR_Test

  Aside from that difference, I can't find anything else that would explain
  it not working.  BTW, I did find that they support the /NOBOOT switch with
  avgscan.exe despite the lack of this appearing in the help output, and
  unlike avg.exe, it will by default scan the boot sectors.

  Scott, could you tell me if the extra space is in fact the issue at hand
  here?  Here's the config and the output from the report.txt file with the
  32-bit version:

  - Command Line -
  C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt C:\IMail\Declude\Virus1\eicar.com

  - Report.txt -
  AVG 7.0 Anti-Virus System
  Copyright (c) GRISOFT,s.r.o. 2003
  Program version 7.0  Engine: 718 database version 261.8.3
  Command line: [/NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=C:\report.txt /SCAN C:\IMail\Declude\Virus\eicar.com]
  "C:\IMail\Declude\Virus\eicar.com"  Virus identified  EICAR_Test
  Test start 2/7/2004 2:24:36
  Elapsed time 0 sec.
  Scanned files  :    1
  Scanned sectors    :    0
  Infected    files  :    1
  Infected    sectors    :    0

  Thanks,
  Matt
  -- 
  =
  MailPure custom filters for Declude JunkMail Pro.
  http://www.mailpure.com/software/
  =
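
The REPORT question in the AVG message above, and the TrendMicro "REPORT2  Found" entry from the earlier messages, come down to whether the configured marker actually occurs in the scanner's report.txt. This added example (not Declude code and not from the original messages) parses virus.cfg-style entries and tests each REPORT marker against a sample report. It assumes the marker is a literal substring and that the virus name is the rest of the first line containing it, which is consistent with the Scanner 2 log lines in this archive but is not confirmed by it; the thread does not say whether the comparison is case-sensitive, so both results are returned. Function names and the combined config are constructed for illustration.

```python
import re

# Constructed config. The TrendMicro entry is copied from this thread; the AVG
# entry combines the command line Matt posted with the REPORT value in question.
VIRUS_CFG = r"""
# AVG 7 (32-bit)
SCANFILE1 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
REPORT1    Infections:

# McAfee
# VIRUSCODE2 13
# REPORT2 Found

# TrendMicro
SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt
VIRUSCODE2 1
REPORT2  Found
"""

# Constructed report excerpts, taken from the report.txt output quoted above.
AVG_REPORT = r"""AVG 7.0 Anti-Virus System
"C:\IMail\Declude\Virus\eicar.com"  Virus identified  EICAR_Test
Infected    files  :    1
"""
TREND_REPORT = r"""Command Line: vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt L:\VirusTest

Found [ Eicar_test_file](1) in L:\VirusTest\eicar.com
1 files containing viruses.
Found 1 viruses totally.
"""
REPORTS = {1: AVG_REPORT, 2: TREND_REPORT}

DIRECTIVE_RE = re.compile(r"^(SCANFILE|VIRUSCODE|REPORT)(\d*)\s+(.*)$")


def parse_virus_cfg(text):
    """Group SCANFILEn / VIRUSCODEn / REPORTn lines by scanner number n."""
    scanners = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip commented-out scanners
            continue
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        key, index, value = match.group(1), match.group(2), match.group(3).strip()
        # Assumption: an unnumbered directive belongs to scanner 1.
        entry = scanners.setdefault(
            int(index or "1"), {"scanfile": None, "viruscodes": [], "report": None})
        if key == "VIRUSCODE":
            entry["viruscodes"].append(int(value))  # several exit codes allowed
        else:
            entry[key.lower()] = value
    return scanners


def name_after_marker(marker, report_text, ignore_case=False):
    """Text after the marker on the first report line containing it, else None."""
    pattern = re.compile(re.escape(marker), re.IGNORECASE if ignore_case else 0)
    for line in report_text.splitlines():
        match = pattern.search(line)
        if match:
            return line[match.end():].strip()   # strip absorbs extra spaces
    return None


def check_markers(cfg_text, reports):
    """For each configured scanner with a sample report, test its REPORT marker."""
    results = {}
    for index, entry in sorted(parse_virus_cfg(cfg_text).items()):
        marker, report = entry["report"], reports.get(index)
        if marker is None or report is None:
            continue
        results[index] = {
            "marker": marker,
            "exact": name_after_marker(marker, report),
            "ignore_case": name_after_marker(marker, report, ignore_case=True),
        }
    return results


if __name__ == "__main__":
    for index, result in check_markers(VIRUS_CFG, REPORTS).items():
        print("scanner", index, result)
    for candidate in ("Identified", "identified"):
        print(candidate, "->", name_after_marker(candidate, AVG_REPORT),
              "/", name_after_marker(candidate, AVG_REPORT, ignore_case=True))
```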


Re: [Declude.Virus] Declude not delivering mail

2004-02-19 Thread Bill Landry
Maybe a corrupted declude.exe file?  Try downloading the file again from the
Declude web site and see if that fixes the problem.

Bill
- Original Message - 
From: "jan k wikhaug" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 19, 2004 1:14 PM
Subject: [Declude.Virus] Declude not delivering mail



I desperately need some help.

Today at 10:55 declude stopped working and email started to add up
in the spool directory. It was my day off so I didn't notice until
later and then there were 1500+ emails in the spool directory and
going nowhere. I run 1.77.

I put the smtp32.exe back in service and all messages were sent but
without virus and junkmail scanning of course. Then I put declude
back in service and all stopped and those messages kept piling up
in the spool directory again.

The funny thing is virus and junkmail logs stop at 10:55 and add
nothing for the rest of the day. I guess I have to put smtp32 back
in service though I don't like it with the newsky activity...

Jan K Wikhaug
NettX

Sent via webmail at nettx.no







[Declude.Virus] WORM_MYDOOM.F

2004-02-23 Thread Bill Landry
A new variant of W32/[EMAIL PROTECTED] that we just caught a couple of.  Neither
RAV nor F-Prot caught it, but TrendMicro, ClamAV (Clam identified it as
MyDoom.E) & McAfee did.

The attachments were named:  object.zip & hnmhjn.exe
Subjects were:  JPWMDWXACRNSN & Fake

Anyway, be on the lookout...

Bill



Re: [Declude.Virus] Mcafee

2004-02-24 Thread Bill Landry
Typically the McAfee command line scanner, "scan.exe", has been located in
c:\program files\common files\Network Associates\VirusScan Engine\4.0.xx, or
whatever version number you are running.  Here is the McAfee entry from the
Declude Virus manual at http://www.declude.com/virus/manual.htm:

SCANFILE  C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE 13
REPORT Found

Bill
- Original Message - 
From: "Gene Head" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 5:14 PM
Subject: [Declude.Virus] Mcafee


> I just purchased Mcafee to use as a third scanner.
> I installed it but I can't find the command line scanner.
>
> Anyone have the new Virus scan program and can share the process for
> getting this to work?
>
>
>
> Gene Head
> ACCRAM Inc.
> MCP,Net+,A+,CCNA,CCDA
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]


Re: [Declude.Virus] Mcafee

2004-02-24 Thread Bill Landry
Dunno then.  You may need to put a call into McAfee.

Bill
- Original Message - 
From: "Gene Head" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 6:48 PM
Subject: RE: [Declude.Virus] Mcafee


> It's Mcafee Virus Scan Ver 8.0 Build 8.0.26
>
> There isn't a scan.exe or scan32.exe on the drive.
>
> Gene Head
> ACCRAM Inc.
> MCP,Net+,A+,CCNA,CCDA
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Tuesday, February 24, 2004 6:36 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Mcafee
>
> Typically the McAfee command line scanned, "scan.exe", has been located
> in
> c:\program files\common files\Network Associates\VirusScan
> Engine\4.0.xx, or
> whatever version number you are running.  Here is the McAfee entry from
> the
> Declude Virus manual at http://www.declude.com/virus/manual.htm:
>
> SCANFILE  C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL
> /NOMEM
> /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
> VIRUSCODE 13
> REPORT Found
>
> Bill
> - Original Message - 
> From: "Gene Head" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 24, 2004 5:14 PM
> Subject: [Declude.Virus] Mcafee
>
>
> > I just purchased Mcafee to use as a third scanner.
> > I installed it but I can't find the command line scanner.
> >
> > Anyone have the new Virus scan program and can share the process for
> > getting this to work?
> >
> >
> >
> > Gene Head
> > ACCRAM Inc.
> > MCP,Net+,A+,CCNA,CCDA
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> >
> >


Re: [Declude.Virus] F-prot 3.14c Error 5

2004-02-25 Thread Bill Landry
Scott, if Declude Virus encounters an Error 5 with scanner 1, does it not
even attempt to run the message through the second scanner?

Normal virus detected without Error 5:
=
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=part3.zip [14] O
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanner 2: Virus= [ WORM_MYDOOM.F](1) in M:\IMail\spool\DA3D35~1.VIR\0.zip,(part3.jpg.pif) Attachment=part3.zip [14] O
02/25/2004 05:32:05 Qa3d35c70b2d0 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanned: CONTAINS A VIRUS [MIME: 2 35275]
02/25/2004 05:32:05 Qa3d35c70b2d0 From: [Forged] To: [EMAIL PROTECTED] [outgoing from 204.189.38.3]
02/25/2004 05:32:05 Qa3d35c70b2d0 Subject: Read now!
=

Virus detected with Error 5:
=
02/25/2004 08:50:21 Qd23b256a001cfa29 Could not find parse string Infection: in report.txt
02/25/2004 08:50:21 Qd23b256a001cfa29 Error 5 in virus scanner 1.
02/25/2004 08:50:23 Qd23b256a001cfa29 Scanned: Error in virus scanner. [MIME: 2 5911]
=

The second scanner is not called?

Bill
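
A log check for the situation raised above, as an added example that is not part of the original post or of Declude: it groups virus-log lines by spool ID and flags messages where a scanner returned an error and no scanner recorded a result. The sample lines are constructed in the format shown in the post; the function name, the status labels and the third (hypothetical) message are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the post. Virus names are
# placeholders; the third message (scanner 1 fails, scanner 2 reports) is a
# hypothetical case added for contrast.
SAMPLE_LOG = r"""
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanner 1: Virus= W32/Example.A Attachment=part3.zip [14] O
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanner 2: Virus= [ WORM_EXAMPLE.F](1) in M:\IMail\spool\DA3D35~1.VIR\0.zip,(part3.jpg.pif) Attachment=part3.zip [14] O
02/25/2004 05:32:05 Qa3d35c70b2d0 File(s) are INFECTED [ W32/Example.A: 1]
02/25/2004 05:32:05 Qa3d35c70b2d0 Scanned: CONTAINS A VIRUS [MIME: 2 35275]
02/25/2004 08:50:21 Qd23b256a001cfa29 Could not find parse string Infection: in report.txt
02/25/2004 08:50:21 Qd23b256a001cfa29 Error 5 in virus scanner 1.
02/25/2004 08:50:23 Qd23b256a001cfa29 Scanned: Error in virus scanner. [MIME: 2 5911]
02/25/2004 09:01:10 Qe11f00aa0001 Error 5 in virus scanner 1.
02/25/2004 09:01:11 Qe11f00aa0001 Scanner 2: Virus= [ WORM_EXAMPLE.F](1) Attachment=doc.zip [14] O
02/25/2004 09:01:11 Qe11f00aa0001 Scanned: CONTAINS A VIRUS [MIME: 2 4100]
"""

# date, time (with or without milliseconds), spool ID, free text
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<msg>\S+) (?P<text>.*)$")
ERROR_RE = re.compile(r"^Error (?P<code>\d+) in virus scanner (?P<n>\d+)\.?\s*$")
RESULT_RE = re.compile(r"^Scanner (?P<n>\d+): Virus=")
VERDICT_RE = re.compile(r"^Scanned: (?P<verdict>.+?)\s*(?:\[.*)?$")


def triage(log_text):
    """Return {spool_id: finding} for every message that hit a scanner error.

    status is "PARTIAL" when a different scanner still logged a result, and
    "UNSCANNED" when the log holds no result from any scanner. A scanner that
    ran and found nothing may log no "Scanner N:" line, so UNSCANNED means
    "no evidence of a completed scan": treat it as a rescan/review queue.
    """
    state = defaultdict(lambda: {"errors": {}, "results": set(), "verdict": None})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or wrapped continuation line
        rec, text = state[m["msg"]], m["text"]
        if (e := ERROR_RE.match(text)):
            rec["errors"][int(e["n"])] = int(e["code"])
        elif (r := RESULT_RE.match(text)):
            rec["results"].add(int(r["n"]))
        elif (v := VERDICT_RE.match(text)):
            rec["verdict"] = v["verdict"]

    findings = {}
    for msg, rec in state.items():
        if not rec["errors"]:
            continue
        other_results = rec["results"] - set(rec["errors"])
        findings[msg] = {
            "status": "PARTIAL" if other_results else "UNSCANNED",
            "errors": rec["errors"],      # {scanner number: error code}
            "verdict": rec["verdict"],    # text after "Scanned:"
        }
    return findings


if __name__ == "__main__":
    for msg, f in triage(SAMPLE_LOG).items():
        print(msg, f["status"], f["errors"], f["verdict"])
```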



Re: [Declude.Virus] W32/Netsky.c@MM - new

2004-02-25 Thread Bill Landry
Wow, F-Prot is johnny-on-spot and catching these with the latest definition
from about an hour ago.  However, RAV and TrendMicro are not catching this
one yet..

Bill
- Original Message - 
From: "Patrick Childers (by way of "R. Scott Perry" <[EMAIL PROTECTED]>)"
<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 25, 2004 10:06 AM
Subject: [Declude.Virus] W32/[EMAIL PROTECTED] - new


> There's a new variant out.
>
> http://vil.nai.com/vil/content/v_101048.htm
>
> ~Patrick
>


Re: [Declude.Virus] Another error

2004-02-26 Thread Bill Landry
- Original Message - 
From: "Serge" <[EMAIL PROTECTED]>

> just looked at the directory, and there is only scan32.exe
> i may need to reinstall netshield ?

The files, scan32.exe and scan.exe, are not in the same directory.  Scan.exe
can be found in:

C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx

depending on the version of McAfee you are  running.

Bill



Re: [Declude.Virus] IPBypass and notifications

2004-03-01 Thread Bill Landry
That shouldn't make any difference, since virus notifications do not get
sent to IP address, they get sent to the sender's e-mail address or the
[EMAIL PROTECTED]

Bill
- Original Message - 
From: "Russ Uhte (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 01, 2004 6:30 AM
Subject: [Declude.Virus] IPBypass and notifications


> Just set up a gateway mailserver, and I realized that if a virus comes
> through the gateway, the notification that gets sent out sees the gateway
> mailservers IP address.  Is there a way to hook the IPBypass functionality
> into Declude Virus?
>
> Thanks,
> Russ
>
> ---
> Russ Uhte, CCNA, MCP, A+
> Network Administrator
> Richmond Power & Light
> Parallax Systems Division
> 2000 US 27 South
> Richmond, IN 47374
> USA
> Richmond: 765.973.7348
> Toll-free: 888.962.3770
> Cell: 765.993.3944
>


Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread Bill Landry
I am trying to understand this, but the reality doesn't work like I think
you are saying it should.  If I have the following in my virus.cfg file:

BANEXT   EZIP

with or without:

BANZIPEXTS  ON
BANEZIPEXTS  ON

I catch the encrypted/password protected virus files.  However, if I use
just:

BANZIPEXTS  ON
BANEZIPEXTS  ON

the virus files pass right through Declude, reporting that the file is virus
free.  Am I simply not understanding how this is supposed to work?  I thought
we no longer needed to use BANEXT EZIP.  Please enlighten me on the error of
my ways...  :-)

Thanks,

Bill
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 02, 2004 2:07 PM
Subject: RE: [Declude.Virus] New interim release to ban extensions in .ZIP
files


>
> >Do these new features, BANZIPEXTS and BANEZIPEXTS, stop both zip files and
> >encrypted zip files if you do not have the BANEXT ZIP setting?
>
> Yes (using "BANEXT ZIP" would block all .ZIP files will be banned,
> regardless of what file extensions they may contain).
>
> >Just wondering if using the above forces us to block Zip files or not.  We
> >do not want to block Zip files, but like the idea of blocking them if they
> >contain an extension that we do want to block.
>
> The BANZIPEXTS/BANEZIPEXTS options will allow you to allow normal .ZIP
> files, while blocking .ZIP files that contain certain extensions.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>


Re: [Declude.Virus] New interim release to ban extensions in .ZIP files

2004-03-02 Thread Bill Landry
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> The new format will ban the same extensions that you are already banning,
> but will do so in .ZIP files.  The BANZIPEXTS  ON option will ban the files
> if they are un-encrypted, the BANEZIPEXTS  ON will ban the files if they
> are encrypted.

Okay, so if I want to continue to ban any zip file that is encrypted,
whether I have defined the extension to be banned or not, I should continue to
use BANEXT EZIP, correct?

Bill
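
The distinction discussed above, sketched as an added example that is not Declude's code or part of the original post: with traditional ZIP encryption the central directory still lists member names and a per-member "encrypted" flag in the clear, so a filter can ban by contained extension, by encryption, or both. The option names mirror the thread; the policy function, the banned-extension list, the fail-closed choice and the sample archives are assumptions constructed for illustration.

```python
import io
import os
import zipfile

BANNED_EXTS = {".scr", ".pif", ".exe", ".com"}   # assumed site ban list


def make_zip(names, encrypted=False):
    """Build a small in-memory ZIP (constructed sample input).

    zipfile cannot write encrypted archives, so the "encrypted" sample only
    sets general-purpose flag bit 0 in each central directory record, which
    is the flag a reader consults. Member data is not really encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=(2004, 3, 2, 12, 0, 0))
            zf.writestr(info, b"placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        pos = data.find(b"PK\x01\x02")            # central directory record
        while pos != -1:
            data[pos + 8] |= 0x01                 # low byte of the flags field
            pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


def member_ext(name):
    """Last extension of a member name, lower-cased.

    Trailing spaces and dots are stripped first, so padded names such as
    "details.htm      .scr " still resolve to ".scr".
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    return os.path.splitext(base)[1].lower()


def inspect_zip(data):
    """Return (any_member_encrypted, sorted banned extensions found)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()                     # reads the directory only
    encrypted = any(i.flag_bits & 0x1 for i in infos)
    found = sorted({member_ext(i.filename) for i in infos} & BANNED_EXTS)
    return encrypted, found


def decide(data, banext_ezip=False, banzipexts=False, banezipexts=False):
    """Return the reason the attachment is banned, or None to pass it on."""
    try:
        encrypted, exts = inspect_zip(data)
    except zipfile.BadZipFile:
        return "unreadable archive"               # assumption: fail closed
    if encrypted and banext_ezip:
        return "encrypted zip"                    # any encrypted ZIP at all
    if exts and ((encrypted and banezipexts) or (not encrypted and banzipexts)):
        return "banned extension in zip: " + ", ".join(exts)
    return None


if __name__ == "__main__":
    enc_txt = make_zip(["readme.txt"], encrypted=True)
    print(decide(enc_txt, banzipexts=True, banezipexts=True))  # passes
    print(decide(enc_txt, banext_ezip=True))                   # banned
```

An encrypted archive whose members carry no banned extension passes the two extension options and is stopped only by the blanket encrypted-ZIP rule, which is the case the question above is about.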



Re: [Declude.Virus] Accepting SPAM pads spammer's success stats

2004-03-12 Thread Bill Landry
Export your user addresses from your IMail server peering group
every-so-many-hours and upload it to your gateway servers (see
http://www.smartbusiness.net/imail/).  We do this from our IMail servers to
our Postfix gateways and reject everything except e-mail addresses listed in
our address list.

Bill
- Original Message - 
From: "Rick Davidson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 12, 2004 2:36 PM
Subject: Re: [Declude.Virus] Accepting SPAM pads spammer's success stats


> I should have been more clear, I use gateways in front of Imail peer groups
> neither can use the nobody alias because they do not know where the mail is
> going to be delivered. Currently I have two gateways in front of a 7 server
> peering group
>
> Rick Davidson
> National Systems Manager
> North American Title Company
> 440-953-9346 - Office
> 440-953-0925 - Fax
> 440-487-7344 - Mobile
> [EMAIL PROTECTED]
> -
> - Original Message - 
> From: "Matt" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 12, 2004 5:25 PM
> Subject: Re: [Declude.Virus] Accepting SPAM pads spammer's success stats
>
>
> > Remove the "nobody" alias and IMail will reject all invalid addresses
> > during the SMTP envelope.
> >
> > Matt
> >
> >
> >
> > Rick Davidson wrote:
> >
> > >As a long time anti-spam combatant and Declude user I am seeing something I
> > >am interpreting as another way spammers are exploiting us. The problem with
> > >this scenario is that it is a catch22 because we can't bounce spam back to
> > >the senders. I used to own an ISP but sold it a few months ago due to the
> > >stiff competition and had been using Imail and Declude as spam and anti
> > >virus gateways, which I am now doing for the large company I work for now. I
> > >see guys asking about server specs and high spam loads so this prompted me
> > >to share what I have seen and am now seeing in my new workplace.
> > >
> > >It seems that the more successful we are at stopping spam the more they send
> > >to us, not just to valid addresses and dictionary type deliveries but large
> > >volumes of spam that have no chance of being sent to a valid user for
> > >example [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] and so on on and
> > >on and on and on. I have seen this in the millions of messages and I believe
> > >it's because we accept the mail and delete it because it's obvious spam. The
> > >spammers then can say to their customers that they delivered some huge
> > >amount of their advertisements when in fact they just sent invalid recipient
> > >email to our mail vaporizers because they know we will accept it.
> > >
> > >The company that bought my ISP is Unix based and was able to write a program
> > >that looked at a list of valid email addresses and only accepted the
> > >connection if it found a valid recipient. And then after x amount of invalid
> > >user attempts they blacklisted the IPs. We found over 30,000 spam zombies
> > >were responsible for the invalid user email flood, I felt better knowing I
> > >didn't stand a chance of manually adding IPs to the Imail access control
> > >lists but still made me very angry.
> > >
> > >So is there a way to deal with this? How can we check for valid users before
> > >we accept the SMTP connection itself when using a gateway or peering
> > >configuration? Would it be possible to use the DNS blacklist concept but
> > >have our users on there so it becomes a DNS whitelist?
> > >
> > >Bottom line is that A LOT of our spam and virus processing overhead and could
> > >be stopped at the SMTP connection level. Short of hiring hit men to thin the
> > >Rokso list what can we do?
> > >
> > >Scott,
> > >Could you at least write a run first test to check a text file for valid
> > >users and if it doesn't find one fail the message and stop all further
> > >testing? If we can do this now can you provide an explanation of how?
> > >
> > >Comments? Ideas?
> > >
> > >Thanks for listening,
> > >Rick Davidson
> > >National Systems Manager
> > >North American Title Company
> > >
> >
> > -- 
> > =
> > MailPure custom filters for Declude JunkMail Pro.
> > http://www.mailpure.com/software/
> > =
> >
> >

Re: [Declude.Virus] Encrypted password

2004-03-13 Thread Bill Landry
- Original Message - 
From: "Serge" <[EMAIL PROTECTED]>

> Now they have it in a BMP file so antivirus programs won't be able to find
> it:
>
> Note:  Use password cid:wjqkastket.bmp";> to  open  archive

Yes, this is an interesting new twist.  I just got one of these myself.  The
password is embedded in the message body as a bitmap rather than in clear
text, as before.  This is the new Bagle.N variant.  Good thing that Declude
can still block these with the BANEXT EZIP!

Bill



[Declude.Virus] Question about virus log entries

2004-03-16 Thread Bill Landry
Scott, I am seeing a bunch of the following type entries in my virus logs:

Found potentially dangerous stuff in M:\IMail\spool\Dc62d3de40042810d.vir\0.!
Found potentially dangerous stuff in M:\IMail\spool\Dc800179a006ca25f.vir\0.htm!
Found potentially dangerous stuff in M:\IMail\spool\Dc943102d00909026.vir\0.!

I see that these messages do get held, but rather get delivered.  However,
Declude is holding viruses.  Is this something I should be concerned about?

Bill



Re: [Declude.Virus] Question about virus log entries

2004-03-17 Thread Bill Landry
Oops, meant to say "do NOT get held."

Bill
- Original Message - 
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 16, 2004 10:42 PM
Subject: [Declude.Virus] Question about virus log entries


> Scott, I am seeing a bunch of the following type entries in my virus logs:
>
> Found potentially dangerous stuff in M:\IMail\spool\Dc62d3de40042810d.vir\0.!
> Found potentially dangerous stuff in M:\IMail\spool\Dc800179a006ca25f.vir\0.htm!
> Found potentially dangerous stuff in M:\IMail\spool\Dc943102d00909026.vir\0.!
>
> I see that these messages do get held, but rather get delivered.  However,
> Declude is holding viruses.  Is this something I should be concerned about?
>
> Bill
>


Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Bill Landry
- Original Message - 
From: "Darin Cox" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 8:08 AM
Subject: Re: [Declude.Virus] Log error with latest interim release


> Scott,
>
> What are your thoughts on the /AI and /PACKED switches?  Any particular
> reason to use or not use them?

For what it's worth, here is what I use:

SCANFILE1 M:\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -TYPE -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
REPORT1  Infection:

and I experience no error or problems.  But then I like to err on the side
of being too cautious.

Bill



Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Bill Landry
My understanding is that Scott does not think they are necessary, and that
may be true.  However, F-Prot must have had some reason for adding those
switches (especially the PACKED switch), so I use them - just to be safe...

Bill
- Original Message - 
From: "Darin Cox" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 9:48 AM
Subject: Re: [Declude.Virus] Log error with latest interim release


> Hi Bill,
>
> Yeah, I had seen your configs...just wanted to get Scott's feedback on
> the -AI and -PACKED switches.
>
> Darin.
>
>
> - Original Message - 
> From: "Bill Landry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 18, 2004 12:00 PM
> Subject: Re: [Declude.Virus] Log error with latest interim release
>
>
> - Original Message - 
> From: "Darin Cox" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 18, 2004 8:08 AM
> Subject: Re: [Declude.Virus] Log error with latest interim release
>
>
> > Scott,
> >
> > What are your thoughts on the /AI and /PACKED switches?  Any particular
> > reason to use or not use them?
>
> For what it's worth, here is what I use:
>
> SCANFILE1 M:\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -TYPE -REPORT=report.txt
> VIRUSCODE1 3
> VIRUSCODE1 6
> VIRUSCODE1 8
> REPORT1  Infection:
>
> and I experience no error or problems.  But then I like to err on the side
> of being too cautious.
>
> Bill
>


Re: [Declude.Virus] Scott, what do you use to generate this report

2004-04-13 Thread Bill Landry
Very nice!  Thanks for sharing this, Bill!

Bill
- Original Message - 
From: "Bill" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, April 13, 2004 12:33 PM
Subject: RE: [Declude.Virus] Scott, what do you use to generate this report


> Hi,
>
> I have a utility to do a quick analysis of my decMMDD.log file to
> discover test effectiveness.  If anyone would like to use it, I have it
> available for free from my website:  http://www.wamusa.com/wamtools
>
> The program is designed for LOGLEVEL MID but it may work for other
> levels.  My system analyzed this 120Mb decMMDD.log in less than one
> minute.  This is a sample output:
>
>
>                   Message       Recipient
>     Test Name  Fail Count   %  Fail Count   %
>
>      WEIGHT10      116362  96      169684  96
>      SNIFFER2      114790  94      167322  95
>      WEIGHT15      112700  93      165299  94
>      WEIGHT20      108443  89      159758  91
>     WEIGHTDEL      108443  89      159758  91
>       SPAMCOP       84740  70      129602  73
>           SBL       52552  43       53879  30
>          AHBL       48506  40       57094  32
>           CBL       46445  38       89827  51
>          DSBL       39527  32       77743  44
>    SORBS-DUHL       29673  24       58427  33
>        REVDNS       28996  23       41544  23
>    BADHEADERS       27493  22       34922  19
>    SORBS-SPAM       25119  20       27995  15
>  NOPOSTMASTER       22488  18       46530  26
>       NOABUSE       21746  17       42732  24
>   SPAMHEADERS       19613  16       20587  11
>  SPAM-DOMAINS       15263  12       33776  19
>       ROUTING       12041   9       25060  14
>       FOREIGN       10098   8       16330   9
>     GIBBERISH        9072   7        9932   5
>           DSN        8484   7       13755   7
>    SORBS-HTTP        6584   5       12459   7
>   SORBS-SOCKS        6508   5       12697   7
>       SPFFAIL        4954   4        6527   3
>    BLITZEDALL        3350   2        5991   3
>        BASE64        2252   1        2956   1
>      MAILFROM        1684   1        2841   1
>      COMMENTS        1328   1        2056   1
>  MYFILTERFAIL        1159   0        1723   0
>          WAMO         585   0         609   0
>  MYFILTERPASS         512   0        1239   0
>    SORBS-MISC         504   0         923   0
>    SORBS-SMTP         445   0        1132   0
>   OBFUSCATION         360   0         457   0
>          ORDB         316   0         654   0
>     SORBS-WEB         316   0         514   0
>  SORBS-ZOMBIE         280   0         280   0
>       SPFPASS         208   0         234   0
>  BONDEDSENDER          62   0          62   0
>       @LINKED          10   0          14   0
>        HABEAS           4   0           4   0
>      WAMCHECK           1   0           2   0
>
> Message Count      120934          175163
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister
> > Sent: Monday, April 12, 2004 5:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.Virus] Scott, what do you use to generate
> > this report
> >
> >
> > Thanks Scott,
> >
> > While I have your attention, what do you use to generate this
> > report from your log files?
> >
> > > Each month, we go through our spamtraps (E-mail addresses
> > > designed to collect spam), to find out which spam tests
> > >  were most effective at catching spam. 
> > >
> > >
> > > WEIGHT10        99.48%
> > > WEIGHT20        95.45%
> > > NOLEGITCONTENT  95.43%
> > > SNIFFER         94.06%
> > > SPAMCHK         93.20%
> > > IPNOTINMX       90.76%
> > > SPAMCOP         79.83%
> > > CMDSPACE        77.37%
> >
> > 
> >
> > [EMAIL PROTECTED]
> >


Re: [Declude.Virus] Scott, what do you use to generate this report

2004-04-13 Thread Bill Landry
Bill, would you consider adding the "OK" count so that we could also see the
counts and percentages of what was delivered successfully, as well?

Thanks again,

Bill
- Original Message - 
From: "Bill" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, April 13, 2004 12:33 PM
Subject: RE: [Declude.Virus] Scott, what do you use to generate this report


> Hi,
>
> I have a utility to do a quick analysis of my decMMDD.log file to
> discover test effectiveness.  If anyone would like to use it, I have it
> available for free from my website:  http://www.wamusa.com/wamtools
>
> The program is designed for LOGLEVEL MID but it may work for other
> levels.  My system analyzed this 120Mb decMMDD.log in less than one
> minute.  This is a sample output:
>
>
>                   Message       Recipient
>     Test Name  Fail Count   %  Fail Count   %
>
>      WEIGHT10      116362  96      169684  96
>      SNIFFER2      114790  94      167322  95
>      WEIGHT15      112700  93      165299  94
>      WEIGHT20      108443  89      159758  91
>     WEIGHTDEL      108443  89      159758  91
>       SPAMCOP       84740  70      129602  73
>           SBL       52552  43       53879  30
>          AHBL       48506  40       57094  32
>           CBL       46445  38       89827  51
>          DSBL       39527  32       77743  44
>    SORBS-DUHL       29673  24       58427  33
>        REVDNS       28996  23       41544  23
>    BADHEADERS       27493  22       34922  19
>    SORBS-SPAM       25119  20       27995  15
>  NOPOSTMASTER       22488  18       46530  26
>       NOABUSE       21746  17       42732  24
>   SPAMHEADERS       19613  16       20587  11
>  SPAM-DOMAINS       15263  12       33776  19
>       ROUTING       12041   9       25060  14
>       FOREIGN       10098   8       16330   9
>     GIBBERISH        9072   7        9932   5
>           DSN        8484   7       13755   7
>    SORBS-HTTP        6584   5       12459   7
>   SORBS-SOCKS        6508   5       12697   7
>       SPFFAIL        4954   4        6527   3
>    BLITZEDALL        3350   2        5991   3
>        BASE64        2252   1        2956   1
>      MAILFROM        1684   1        2841   1
>      COMMENTS        1328   1        2056   1
>  MYFILTERFAIL        1159   0        1723   0
>          WAMO         585   0         609   0
>  MYFILTERPASS         512   0        1239   0
>    SORBS-MISC         504   0         923   0
>    SORBS-SMTP         445   0        1132   0
>   OBFUSCATION         360   0         457   0
>          ORDB         316   0         654   0
>     SORBS-WEB         316   0         514   0
>  SORBS-ZOMBIE         280   0         280   0
>       SPFPASS         208   0         234   0
>  BONDEDSENDER          62   0          62   0
>       @LINKED          10   0          14   0
>        HABEAS           4   0           4   0
>      WAMCHECK           1   0           2   0
>
> Message Count      120934          175163
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister
> > Sent: Monday, April 12, 2004 5:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.Virus] Scott, what do you use to generate
> > this report
> >
> >
> > Thanks Scott,
> >
> > While I have your attention, what do you use to generate this
> > report from your log files?
> >
> > > Each month, we go through our spamtraps (E-mail addresses
> > > designed to collect spam), to find out which spam tests
> > >  were most effective at catching spam. 
> > >
> > >
> > > WEIGHT10        99.48%
> > > WEIGHT20        95.45%
> > > NOLEGITCONTENT  95.43%
> > > SNIFFER         94.06%
> > > SPAMCHK         93.20%
> > > IPNOTINMX       90.76%
> > > SPAMCOP         79.83%
> > > CMDSPACE        77.37%
> >
> > 
> >
> > [EMAIL PROTECTED]
> >

Re: [Declude.Virus] Scott, what do you use to generate this report

2004-04-14 Thread Bill Landry
- Original Message - 
From: "Bill" <[EMAIL PROTECTED]>

> The very last line shows the total message count including messages that
> did not fail any tests.  My program, as it is now, does not look at any
> of the declude actions, just the tests failed.  I primarily use it to
> determine if any of the tests that I am using have quit working or how
> effective a new test or filter file is.
>
> Why don't you send me a .txt file of what you think that the output
> should be and I will consider it.

Rather than total message counts, I was just looking for a total count of
messages that immediately got delivered, not including messages that were
held or deleted.  It's not a big deal, I simply added a line to my config
files that adds a log entry for messages that get delivered:

Global.cfg:
WEIGHT-OK  weightrange  x   x   -50  15

$default$.junkmail:
WEIGHT-OK   LOG

This accomplishes the same thing, and gives me an output (sample) like the
following:

 WEIGHT-OK  1685  21  1967  20
   WEIGHT-HOLD  189  2  204  2
 WEIGHT-DELETE  5663  73  7030  74
 Message Count  7752   9436

But thanks for considering my request.

Regards,

Bill



Re: Possible Spam: [Declude.Virus] OT - Need IP from MAC address

2004-05-23 Thread Bill Landry
- Original Message - 
From: "Jeff Pereira" <[EMAIL PROTECTED]>

> Thanks for the reply, but I think you misunderstood
>
> I know the IP of my computer, I don't know the IP of a piece of equipment
> that I have, but I do know what the MAC address is.

Ping the broadcast address for the address space the device is on, then type
"arp -a" from the command prompt of the computer you did the broadcast ping
from.  That should show you the IP addresses for all devices on that logical
subnet with their associated mac addresses.

Bill



Re: [Declude.Virus] f-prot /packed meaning

2004-06-08 Thread Bill Landry
- Original Message - 
From: "Bob McGregor" <[EMAIL PROTECTED]>

> what does the /packed parameter on the scanfile line in the config file do?
> Is it a switch that I want on? It's not mentioned in the manual for
> declude virus.

Bob, you don't mention which virus scanner you're using, but I'm going to
assume that it's F-Prot.  Here is a description of the different switches
that fpcmd supports:

Usage: f-prot [drive, file or directory] [options]

-ai         Enable neural-network virus detection.
-append     Append to existing report file.
-archive    Scan inside .ZIP and .ARJ files.
-auto       Automatic virus removal.
-collect    Scan a virus collection.
-delete     Delete infected files.
-disinf     Disinfect whenever possible.
-dumb       Do a "dumb" scan of all files.
-ext        Scan only files with default extensions.
-follow     Follow symbolic links.
-help       Display this list.
-list       List all files checked.
-nobreak    Do not abort scan if ESC is pressed.
-noheur     Disable heuristics.
-nosub      Do not scan subdirectories.
-old        Do not complain when using outdated DEF files.
-onlyheur   Only use heuristics, not "normal" scanning.
-packed     Unpack compressed executables.
-page       Pause after each page.
-rename     Rename infected COM/EXE files to VOM/VXE.

Press  to continue to view the command-line options.

-report=    Send the output to a file.
-server     Activate mail filter heuristics.
-silent     Do not generate any screen output.
-type       Select files by type. (default)
-verno      Show version information.
-virlist    List the known viruses.
-virno      Count the known viruses.
-wrap       Wrap text so the report fits in 78 columns.

Special macro virus options:

-nomacro    Do not scan for macro viruses.
-onlymacro  Only scan for macro viruses.
-removeall  Remove all macros from all documents.
-removenew  Remove new variants of macro viruses by removing all macros
            from infected documents.
-saferemove Remove all macros from documents, if a known virus is found.

I have used the "packed" switch with F-Prot for about a year now.  Don't
know if it has helped any, but it certainly has not hurt anything.

Bill



Re: [Declude.Virus] Virus bypassing newer MX records

2004-06-15 Thread Bill Landry
- Original Message - 
From: "Russ Uhte (Lists)" <[EMAIL PROTECTED]>

> At 12:17 PM 6/15/2004, Matt wrote:
> >This domain was recently moved to our DNS and I suspect that someone at
> >their old DNS hosting provider is infected and using their old unremoved
> >DNS entries and that is why they are bypassing us.  Note though that some
> >spammers are definitely caching old lookups in their spamware which is why
> >I thought it might be possible that a virus was doing this as well.
>
> I just want to interject that I'm seeing this behavior a bunch specifically
> with the Zafi worm.  I moved to two postfix boxes to do my gatewaying many
> months ago, and I still occasionally get virii coming directly into my
> Imail box.  I don't have the luxury of shutting off SMTP to my Imail box
> because I have some remote users that connect to it to send email.

I see this with Zafi as well.  This from another list regarding Zafi:
=
This Hungarian originated virus initiates a Dictionary attack on domain
names that it finds on the infected machine. It does not use DNS to find the
MX records, but instead guesses the host name (such as 'mail' or 'mx'),
prepends it to the domain name, and then proceeds with its dirty work using
Hungarian sounding names.
=

Thus this particular virus will bypass gateway machines and send directly to
the hostname "A" record, which is typically pointed to the IMail server so
that customers can reach the IMail server via their e-mail clients.  That's
one of the reasons why we do virus scanning on our gateway machines and our
IMail servers.

Bill
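
The bypass discussed in this message, turned into a defender's audit as an added example that is not part of the original thread: it lists guessable host names whose "A" record points at a server outside the MX gateways, then flags SMTP sessions that reached such a server directly. The zone data, session records and function names are constructed, and treating authenticated sessions as legitimate remote users is an assumption.

```python
# Host labels the quoted description says the worm guesses.
GUESSED_LABELS = ("mail", "mx")

# Constructed zone data and SMTP session records (not from the thread).
MX = {"example.com": ["gw1.example.com", "gw2.example.com"]}
A = {
    "gw1.example.com": "192.0.2.10",
    "gw2.example.com": "192.0.2.11",
    "mail.example.com": "192.0.2.25",  # mailbox server used by mail clients
    "mx.example.com": "192.0.2.10",    # resolves to a gateway, so no bypass
}
SESSIONS = [  # (peer IP, server IP that accepted it, authenticated?)
    ("192.0.2.10", "192.0.2.25", False),    # relayed by gateway 1
    ("198.51.100.7", "192.0.2.25", True),   # remote user submitting mail
    ("203.0.113.44", "192.0.2.25", False),  # direct and unauthenticated
]


def gateway_ips(domain):
    """IP addresses published through the domain's MX records."""
    return {A[host] for host in MX.get(domain, []) if host in A}


def bypass_hosts(domain, labels=GUESSED_LABELS):
    """Guessable names whose A record lands on a non-gateway address."""
    gateways = gateway_ips(domain)
    found = []
    for label in labels:
        name = f"{label}.{domain}"
        if name in A and A[name] not in gateways:
            found.append((name, A[name]))
    return found


def direct_deliveries(domain, sessions):
    """Peers that delivered straight to an exposed server without
    coming through a gateway and without authenticating."""
    gateways = gateway_ips(domain)
    exposed = {ip for _name, ip in bypass_hosts(domain)}
    return [peer for peer, server, authed in sessions
            if server in exposed and peer not in gateways and not authed]


if __name__ == "__main__":
    print(bypass_hosts("example.com"))
    print(direct_deliveries("example.com", SESSIONS))
```

Any host that `bypass_hosts` returns needs its own virus scanning, as the message says, because mail sent to it never passes the gateways.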



Re: [Declude.Virus] F-prot missing viruses

2004-06-15 Thread Bill Landry
- Original Message - 
From: "Brad Morgan" <[EMAIL PROTECTED]>

> If you are running Declude Virus Pro, then you could add one or more of the
> free virus scanners to your configuration.  I added ClamAV after seeing an
> article that said it was very high on the list of who gets updates out the
> quickest after a new virus is found.
>
> Another one is BitDefender.  Their free scanner has just the right features
> for Declude Virus.

It doesn't appear to be free for commercial use.

Bill


