RE: [Declude.Virus] F-PROT 6
Speaking of Kaspersky, anyone know of the configuration string for the latest version of Kaspersky?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Tuesday, June 03, 2008 12:57 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] F-PROT 6

Excellent response thanks Darin.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Tuesday, June 03, 2008 2:39 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6

Yes. It's expensive, but is still a good and efficient scanner. Kaspersky and AVG combined may be a good way to go for lower cost if you can afford the CPU of two scanners, or perhaps just Kaspersky. Not sure if anyone has good stats on the performance, completeness of rulebases, and time from initial reports to detection of a virus for the various scanners, but from what information I was able to find, Kaspersky looked good and wasn't too expensive, and AVG is inexpensive though may be lacking as a single scanner.

Darin.

----- Original Message -----
From: SJ Stanaitis [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, June 03, 2008 1:09 PM
Subject: RE: [Declude.Virus] F-PROT 6

You've got to buy the server product now. I don't think the cheap version works anymore with Declude.

--SJ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Tuesday, June 03, 2008 11:47 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] F-PROT 6

Can anyone provide a SCANFILE line that they know works with F-PROT 6?

Thanks
David B

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] OT - Server Room Temperature
Interesting observation I have made over the last few years, specifically on Dell servers, is that the hotswap backplanes do not tolerate rapid and frequent temperature changes. We have observed server rooms that remain at a constant temperature over a few degrees, and even if the temp is always 93 F, no backplane issues. However, in smaller rooms with less thermal mass and with not enough thermostat hysteresis (too wide of a trigger range), the temperature can vary by 10 degrees over 10 minutes. This can cause odd random backplane connectivity issues, where drives seem to 'shake' off of the array.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug Traylor
Sent: Friday, August 12, 2005 12:03 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] OT - Server Room Temperature

I agree that the room should be much cooler, I hate coming in on the weekends here, but the management has an "if it ain't broke don't fix it" attitude and point out that we have had no significant problems over 5 years so why change things now. We have had a few drives (4 out of 20) fail over the years, some internal, some in a Powervault, but nothing that seems out of the ordinary for 5 year old 10k rpm drives that are always on. Since they are all raided, it has not caused us any trouble yet and we simply replace the drive under our service contract. I always look at it as an opportunity to get more drive space as they don't make drives that small anymore. Upgrading our drives one at a time. :o)

4 failures out of 20 drives over 5 years. Does that seem too high a failure rate or about average? If it could be proven that the high temps are causing drive failures the management might be a bit more interested in upgrading the AC system in the computer room.

Doug

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Friday, August 12, 2005 11:30 AM
Subject: Re: [Declude.Virus] OT - Server Room Temperature

Doug,

Hard drives are probably the most sensitive components that you have in your servers, and I am not aware of any hard drives that should be run above 50C/122F. My server runs about 35F hotter for the system temp than the environment and about 40F hotter for the CPU's than the environment. Note that these readings are under normal load, but when the server redlines, the CPU's increase by about 15F and the system by about 5F. Considering that the hard drives create heat themselves and their much lower tolerance for heat in comparison to solid state components, it would seem that going over 30C/85F for the ambient temperature would be very dangerous as far as the hard drives go in an active server. Hard drives will likely go over their operating temperature long before the system or the processors unless you have a broken fan or bad connection with a heat sink. My system is spec'd at 15C/27F over the hard drive's tolerance, and my CPU's at 27C/50F over.

IMO, 66F is the proper server room temperature, and it gives some leeway for adding more equipment and other issues that can crop up such as A/C failures. 72F would be the high end normal temp that I would want to see. If my colo was over 75F, I would definitely complain. The guy next to me with 25 TB's of 15,000 RPM SCSI drives would probably complain louder :)

Matt

Doug Traylor wrote:
> We just looked at the operating spec of our servers from the Manufacturer's (Dell) website. The max is listed as 95* F and we run around 80* F during the day on weekdays and up to 92* F on the weekends when they turn off the AC in the plant. We have our own AC which runs 24/7 in the computer room/closet. So far we have not had any noticeable system problems in the five years we have been operating this way.
>
> When we had a large IBM mainframe with all the dressing, we kept it in a large computer room that was kept at a chilly 66* F. I was a computer operator then and worked in there for 8-12 hours a day. I would wear two shirts and long sleeves to work, even when it was 110* F outside - Texas.
>
> Doug

----- Original Message -----
From: Jeff
To: Declude.Virus@declude.com
Sent: Thursday, August 11, 2005 8:58 AM
Subject: [Declude.Virus] OT - Server Room Temperature

Can someone point me to a source of information regarding what temperature a server room should be at?

Thank you.
RE: [Declude.Virus] MS05-16 Exploit
Good point. What version of Declude introduced the 'BANCSLID ON' feature?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, May 31, 2005 2:21 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] MS05-16 Exploit

This is the one that Andy pointed out:

Microsoft Windows Shell Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/13132/discussion/

Microsoft Windows is prone to a vulnerability that may allow remote attackers to execute code through the Windows Shell. The cause of the vulnerability is related to how the operating system handles unregistered file types. The specific issue is that files with an unknown extension may be opened with the application specified in the embedded CLSID. The victim of the attack would be required to open a malicious file, possibly hosted on a Web site or sent through email. Social engineering would generally be required to entice the victim into opening the file.

I can't say whether or not it is a broad enough threat to be exploited in a mass-mailing virus. Declude defaults to BANCSLID ON which may or may not protect from such an attack. Some CLSID calls are entirely valid and normal for Outlook/Office generated E-mails, and I'm not totally sure what Declude considers to be good to ban with this switch. Andrew previously indicated that he had never seen it triggered.

Anyway, these things pop up about once a month and most are never exploited in E-mail viruses, so there is probably no reason to not treat all of them the same. I see no reason why virus scanners wouldn't detect the infected attachments once they were updated with definitions for known threats.

Matt

John Tolmachoff (Lists) wrote:
> Since I am pressed for time and am presently unable to completely digest what the vulnerability is and how to stop it, how can we configure our Declude installs to protect/find/stop these messages?
>
> John T
> eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Schmidt
Sent: Tuesday, May 31, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] MS05-16 Exploit

Hi,

Enclosed a notice for the MS05-16 Exploit.

For the record: I'm actually in favor of using STRICT interpretation of vulnerabilities - no matter how seldom one might actually occur. Whether a violation of standards is due to an actual virus - or just a poor mass-mailer application, I gladly use the reason of vulnerability of a potential virus to reject these messages early.

As far as some features suggested here:
- I do agree that it might be helpful for some people not to scan for viruses, if a vulnerability is found (to conserve CPU).
- I do agree that there is little reason (other than statistics) to run the second scanner after the first scanner already found a virus.
- I do agree that it is desirable for some people, if there was an option that would delete vulnerabilities rather than isolate them in the Virus folder.
- I do NOT agree that Declude should NOT detect certain vulnerabilities, just because they only occur very rarely.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: Nick FitzGerald [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 29, 2005 9:31 AM
To: Bugtraq@securityfocus.com
Subject: Spam exploiting MS05-016

Yesterday at least two of my spam-traps received the following message (I've elided the MIME boundary values just in case...):

   Subject: We make a business offer to you
   MIME-Version: 1.0
   Content-type: multipart/mixed; boundary=[...]

   [...]
   Content-Type: text/plain; charset=Windows-1252
   Content-Transfer-Encoding: 8bit

   Hello!
   It is not spam, so don't delete this message.
   We have a business offer to you.
   Read our offer.
   You can increase the business in 1,5 times.
   We hope you do not miss this information.
   Best regards,
   Keith

   [...]
   Content-type: application/octet-stream; name=agreement.zip
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment; filename=agreement.zip

   [encoded ZIP file data]

There are a few trivial differences between the messages to the different addresses I checked, so don't anyone try to turn the above into a totally literal filtering rule...

Anyway, the agreement.zip attachment held only one file, apparently called agreement.txt, but on closer inspection it turned out the file was called "agreement.txt " where the apparent trailing space was actually a 0xFF character. This pseudo-TXT file was, in fact, an OLE2 format file (originally a Word document file) with the OLE2 Root Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA). This was all done as per the description in the iDEFENSE advisory announcing this vulnerability:
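As an added example (not from any of the list posts, and not Declude code), here is a small gateway-side check for the packaging trick Nick FitzGerald describes: a ZIP member whose visible name ends in .txt but carries an invisible trailing character, while the content starts with the OLE2 compound-file signature. It uses only Python's standard library. The ZIP fixture is constructed inside the code and its "document" is just the eight OLE2 signature bytes plus zero padding, not a real file; the name "agreement.txt" followed by U+00FF is modelled on the post, and the set of text-like extensions is an assumption.

```python
import io
import zipfile

# Signature of an OLE2 / Compound File Binary container (legacy Word, Excel, etc.)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions a mail gateway expects to hold plain text, never an OLE2 container (assumed list)
TEXT_LIKE = {".txt", ".log", ".csv"}


def visible_extension(name: str) -> str:
    """Extension as a user would see it, ignoring invisible or non-ASCII characters."""
    shown = "".join(c for c in name if 32 < ord(c) < 127)
    dot = shown.rfind(".")
    return shown[dot:].lower() if dot >= 0 else ""


def disguised_name(name: str) -> bool:
    """True when whitespace, control or non-ASCII characters hide the member's real extension."""
    return name != name.rstrip() or any(ord(c) > 126 or not c.isprintable() for c in name)


def inspect_zip_members(blob: bytes) -> list:
    """Report ZIP members whose name is disguised or whose content contradicts the extension shown."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                continue  # password-protected member: cannot be read here, a separate policy question
            reasons = []
            if disguised_name(info.filename):
                reasons.append("disguised-name")
            with zf.open(info) as fh:
                head = fh.read(len(OLE2_MAGIC))
            if head == OLE2_MAGIC and visible_extension(info.filename) in TEXT_LIKE:
                reasons.append("ole2-content-under-text-extension")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed fixture, not the real spam attachment: a member named 'agreement.txt' followed
    by U+00FF (rendered like a trailing space), whose body is only the OLE2 signature plus zero
    padding, next to a harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agreement.txt\xff", OLE2_MAGIC + b"\x00" * 504)
        zf.writestr("readme.txt", b"plain text, nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_members(build_sample_zip()):
        print(finding)
```

The two checks are deliberately independent: a disguised name is suspicious on its own, and an OLE2 container under a text extension is suspicious on its own, so either one alone still produces a finding.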
RE: [Declude.Virus] MS05-16 Exploit
Perhaps a new feature in Declude that can be implemented during an outbreak (before the slow AV guys create defs) which reverses the logic of the BAN module, making it an ALLOW module. For instance, ban all extensions except those specifically allowed - this creates its own problems such as forcing users to conform to renaming files in a specific way to get them through, but may solve part of the CLSID issue.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Tuesday, May 31, 2005 2:55 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] MS05-16 Exploit

Hi Andy,

Colbeck, Andrew wrote:
> Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID vulnerability detector. They are entirely different animals, which happen to have CLSID at their heart.

You are sure up to date with this stuff!

> The only way to attack MS05-16 abuse with Declude Virus is with a) keep your virus scanner up to date,

This is good news. That can be easily accomplished

> - and/or b) to watch for virus news and ban extensions that are deliberately crafted as bogus, e.g. .d0c or .doc_ instead of .doc

Well this won't be effective because folks now rename extensions as a matter of course to get clean files through eg - .exe .e_x_e :)

> Leave it up to your antivirus scanner.

Perfect and thanks for the insight.

-Nick
RE: [Declude.Virus] w32/Sober.O virus
Are you running the fpcmd.exe version of the fprot scanner? If not, you will see these sorts of delays.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Tuesday, May 03, 2005 6:00 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] w32/Sober.O virus

FYI: Today we were flooded with massive incoming emails containing the Sober.O (f-prot) virus. We receive approx. 15% of viruses out of all the emails we process. Today the figure rose to almost 40%. It filled the overflow folder and there were delays of about 2 to 5 hours to deliver non-virus emails.

We received the first email with the virus at 12 (noon) May 2. Our f-prot signature files were not updated -we update every 4 hours- and we let 27 emails with viruses pass through. There was nothing we could do about it. The virus was discovered the same day by Symantec, F-prot and others. Our F-prot received signature files at 1:30 pm and from that time on we have caught about 9000 emails out of 30,000. The folder is full with 3000 emails and is not able to be handled as fast as we would want with declude/f-prot.

Q: Is there something we can do to avoid such delays delivering emails other than use the Imail Kill list, catching the computers delivering the viruses and moving to a stronger server?

Bye
-Luis Arango
__
[Email scanned for viruses by Panda Consulting -www.pandacons.com-]
RE: [Declude.Virus] Fprot GDI Scanner lines.
Same here. Is there a way to make f-prot w\Declude catch these?

-----Original Message-----
From: Keith Johnson [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Johnson
Sent: Monday, September 27, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

Nevermind, found a copy of it, just had trouble with the German. It seems my Inoc caught it correctly, however, the Fprot didn't, gave me error.

Q6f7408d2006085b0 Scanner 1 reported error code #8, which is listed as OK
09/27/2004 15:52:20 Q6f7408d2006085b0 Scanner 2: Virus= JPEG.MS04-028.Exploit.Trojan Attachment=jpegcompoc.zip.ZIP [1] I
09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [ JPEG.MS04-028.Exploit.Trojan: 101]

Keith

-----Original Message-----
From: Keith Johnson on behalf of Keith Johnson
Sent: Mon 9/27/2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

Mark,

What did you use to generate the GDI Exploit test file?

Thanks
Keith

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Mark Smith
Sent: Mon 9/27/2004 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.

Send a GDI Exploit test file through. You'll get the error "Can't Parse Virus type" in the Declude Virus log.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Saturday, September 25, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Fprot GDI Scanner lines.

----- Original Message -----
From: Mark Smith [EMAIL PROTECTED]

> Actually this breaks Declude because Declude Virus can't look for multiple REPORT lines. Scott, how can we setup Declude Virus to look for multiple lines in the report.txt file?

I've been running F-Prot Version 3.15b since it was released yesterday and have not had to make any changes to my virus config to support the new version. It has been running exactly the way it always has.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
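As an added example (not part of the thread, and not Declude's own tooling), here is a small parser for log lines in the format Keith quoted. It groups verdicts by queue ID and lists every scanner that returned no verdict on a message another scanner flagged, which is the "Inoc caught it, F-Prot didn't" situation above, made visible across a whole log instead of one message. The sample log is constructed: the first three lines are Keith's, the remaining ones are made up to add a message both scanners flag and a clean message. The regular expressions assume exactly that line format and nothing else.

```python
import re
from collections import defaultdict

# One Declude Virus log line: optional timestamp, queue ID, then the message text.
# The timestamp is optional because copied lines (like Keith's first one) sometimes lose it.
LINE_RE = re.compile(
    r"^(?:\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} )?(?P<qid>Q[0-9a-f]+) (?P<msg>.*)$"
)
VIRUS_RE = re.compile(r"^Scanner (?P<n>\d+): Virus= (?P<virus>\S+)")
ERROR_RE = re.compile(
    r"^Scanner (?P<n>\d+) reported error code #(?P<code>\d+), which is listed as (?P<status>\w+)"
)
INFECTED_RE = re.compile(r"^File\(s\) are INFECTED \[ (?P<virus>\S+): \d+\]")

# Constructed sample: lines 1-3 are the ones quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
Q6f7408d2006085b0 Scanner 1 reported error code #8, which is listed as OK
09/27/2004 15:52:20 Q6f7408d2006085b0 Scanner 2: Virus= JPEG.MS04-028.Exploit.Trojan Attachment=jpegcompoc.zip.ZIP [1] I
09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [ JPEG.MS04-028.Exploit.Trojan: 101]
09/27/2004 15:53:02 Q6f7408d2006085b1 Scanner 1: Virus= EICAR_Test_File Attachment=eicar.com [1] I
09/27/2004 15:53:02 Q6f7408d2006085b1 Scanner 2: Virus= EICAR_Test_File Attachment=eicar.com [1] I
09/27/2004 15:53:02 Q6f7408d2006085b1 File(s) are INFECTED [ EICAR_Test_File: 101]
09/27/2004 15:54:10 Q6f7408d2006085b2 Scanner 1 reported error code #0, which is listed as OK
09/27/2004 15:54:10 Q6f7408d2006085b2 Scanner 2 reported error code #0, which is listed as OK
"""


def parse_declude_log(lines):
    """Group scanner verdicts by queue ID.

    Returns {qid: {"scanners": {n: ("virus", name) or ("error", "#code=status")},
                   "infected": name or None}}.
    """
    msgs = defaultdict(lambda: {"scanners": {}, "infected": None})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a line we understand; skip rather than guess
        rec, text = msgs[m["qid"]], m["msg"]
        if (v := VIRUS_RE.match(text)):
            rec["scanners"][int(v["n"])] = ("virus", v["virus"])
        elif (e := ERROR_RE.match(text)):
            rec["scanners"][int(e["n"])] = ("error", f"#{e['code']}={e['status']}")
        elif (i := INFECTED_RE.match(text)):
            rec["infected"] = i["virus"]
    return dict(msgs)


def scanner_misses(msgs):
    """(qid, scanner_no, virus) for each scanner that gave no virus verdict on a message another
    scanner flagged. These are the gaps worth chasing: signature lag, the wrong scanner
    command-line flavour, or archive scanning switched off."""
    misses = []
    for qid, rec in msgs.items():
        hits = [r[1] for r in rec["scanners"].values() if r[0] == "virus"]
        if not hits:
            continue  # clean message, or no scanner ran: nothing to compare against
        for n, r in rec["scanners"].items():
            if r[0] != "virus":
                misses.append((qid, n, hits[0]))
    return misses


if __name__ == "__main__":
    parsed = parse_declude_log(SAMPLE_LOG.splitlines())
    for qid, n, virus in scanner_misses(parsed):
        print(f"scanner {n} missed {virus} on {qid}")
```

Run over a day's log, the miss list is a cheap way to compare scanners on the same traffic, the statistic Darin says nobody seems to publish in the F-PROT 6 thread.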
RE: [Declude.Virus] F-Prot/GDI+ FYI
Odd. My experience with the BANEXT command is that it caused the entire email to be deleted, not just the banned extension.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
Sent: Friday, September 24, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-Prot/GDI+ FYI

Dave,

BANEXT JPG

Scott,

Here's the information about how to track the malformed header using SNORT.
http://isc.sans.org/diary.php?date=2004-09-23
Also some utilities on scanning your PC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Marchette
Sent: Friday, September 24, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-Prot/GDI+ FYI

That being the case, can you outline for us the simplest way to strip JPEGs out of a message yet still send the rest of the message through?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Friday, September 24, 2004 8:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-Prot/GDI+ FYI

> Scott, is there anything recommended that we can do strictly from Declude Virus to protect against this until the virus scanners can pick it up?

Without blocking all .JPG files, nothing. The problem is that there is a lack of information on how to detect such .JPG's.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
RE: [Declude.Virus] Bounces to encrypted zips
Agreed. This is a big deal for us as well. We too have been asking for a few months for a solution.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, June 02, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Bounces to encrypted zips

Yesterday my postmaster account got 32 NDR's from my system and others, and 1 auto-reply. 31 of these 33 messages were from ZIP-EXE's and RAR-EXE's. I have no clue as to how many of these bounces are for ZIP-EXE's that are accepted because my log doesn't provide enough information for me to tell, but I suspect that the real number is one to two times more than what's getting bounced back at me, though I could be way off. The messages that are getting bounced back/NDR'd are generally to addresses that are parsed incorrectly by the virus, such as the ones that Netsky rips from Message-ID's.

Here's the worst part of this all...18 of the 33 messages were received from NDR's to domains belonging to my own customers (or close approximations thereof), and one was from one of my own customer's auto-replies. I again have no clue as to how many actually got delivered, but this is definitely a big problem and it causes confusion. Yesterday was if anything, a below normal day for NDR's to my postmaster account.

Please, please, please...I need a solution to this. I don't know what to do apart from possibly creating a program alias that parses BanNotify.eml bounce and then creates a new bounce message, but this level of programming is beyond my immediate skill. IMail rules don't work because of the way these messages are hooked into the system. All I really want to do is turn bounces for encrypted archives off (both ZIP's and RAR's). I've been asking for three months now, and I need to know if this is going to be resolved soon or if I am going to have to get someone to program this for me.

I view this as a very serious problem and it's bad enough that I already receive 1.5% of my total traffic from Joe-Job and AV NDR's without contributing to it with my own system.

Thanks,

Matt

--
=MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/=
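As an added example (not from the thread, and not Declude code), here is how a gateway could make the decision Matt asks for: read the ZIP central directory directly, find members whose general-purpose flag bit 0 is set (the ZIP encryption flag), and suppress the sender notification for those archives, since the sender address on a worm-generated mail is forged and the bounce would become the backscatter described above. Both fixtures are constructed in the code; the "encrypted" one is an ordinary archive whose flag bit has been patched, because the flag is all the policy needs. RAR archives, which Matt also mentions, are not covered.

```python
import io
import struct
import zipfile

LOCAL_HDR_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in the ZIP format: member data is encrypted


def encrypted_members(blob: bytes) -> list:
    """Walk the central directory and return the names of members flagged as encrypted.

    The headers are read directly, so no password and no decompression are needed."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("not a ZIP archive: end-of-central-directory record missing")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_here(2) entries_total(2) cd_size(4) cd_offset(4)
    entries_total, _cd_size, cd_offset = struct.unpack_from("<HII", blob, eocd + 10)
    names, pos = [], cd_offset
    for _ in range(entries_total):
        if blob[pos:pos + 4] != CENTRAL_DIR_SIG:
            raise ValueError("corrupt central directory")
        # central header: sig(4) ver_made(2) ver_need(2) flags(2) method(2) time(2) date(2) crc(4)
        # csize(4) usize(4) name_len(2) extra_len(2) comment_len(2) ...; the name starts at +46
        flags, name_len, extra_len, comment_len = struct.unpack_from("<H18xHHH", blob, pos + 8)
        name = blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & ENCRYPTED_FLAG:
            names.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return names


def should_notify_sender(blob: bytes) -> tuple:
    """Bounce policy for a banned archive attachment: notify the envelope sender only when no
    member is encrypted. Mass-mailers that ship password-protected archives forge the sender,
    so the bounce would land on an uninvolved third party."""
    enc = encrypted_members(blob)
    if enc:
        return False, "suppressed: encrypted members " + ", ".join(enc)
    return True, "notify sender"


def build_plain_zip() -> bytes:
    """Constructed fixture: an ordinary one-member archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"quarterly figures\n")
    return buf.getvalue()


def build_encrypted_flag_zip() -> bytes:
    """Constructed fixture: the same archive with its member re-flagged as encrypted in both the
    local and the central header. The data is untouched; only the flag matters to the policy."""
    data = bytearray(build_plain_zip())
    local, central = data.find(LOCAL_HDR_SIG), data.find(CENTRAL_DIR_SIG)
    for off in (local + 6, central + 8):  # flag field: +6 in a local header, +8 in a central one
        (flags,) = struct.unpack_from("<H", data, off)
        struct.pack_into("<H", data, off, flags | ENCRYPTED_FLAG)
    return bytes(data)


if __name__ == "__main__":
    for blob in (build_plain_zip(), build_encrypted_flag_zip()):
        print(should_notify_sender(blob))
```

Reading the flag from the headers rather than trying to open the member is deliberate: an encrypted member cannot be extracted without the password, but the decision whether to bounce does not need the content at all.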
RE: [Declude.Virus] OBJECT DATA Vulnerability Caught but not Reported?
Assuming you are running the correct Declude version, you probably are skipping the notification in your eml file. If you have the line 'SKIPIFVIRUSNAMEHAS Vulnerability' you may not see the notification of the test.

-----Original Message-----
From: Dan Star [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 23, 2004 9:44 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] OBJECT DATA Vulnerability Caught but not Reported?

I tested the Declude OBJECT DATA Vulnerability send and the email didn't come thru but it wasn't reported as a virus. Is this a known issue with this test?

Dan
RE: [Declude.Virus] So Big E detection
[EMAIL PROTECTED] guess: Mcafee\Declude is not config'ed to scan through ZIPS.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 27, 2003 7:13 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] So Big E detection

Hello. Welcome to the weekend. The weather is fantastic here in Columbus.

I have two scanners running, McAfee and F-Prot. On the McAfee side, I believe I'm running the 4.2.60 engine and the 4273 DAT file, but I'm not at the shop where I can triple check. F-Prot is catching these So-Big-E [name munged to protect the guilty] viruses like a champion, but the McAfee side hasn't detected a single one. Before I panic [panic requires a drive in at midnight that I'm not up for tonight], have any other McAfee users noticed anything dysfunctional about So Big E detection?

Have I mentioned lately how GREAT it is having redundant scanning?
[Declude.Virus] stopping alerts to non-local users
Is there a way to force Declude to not send alerts out to non-local users if the virus originated from a local address? Maybe an imail rule set would work but perhaps there is an easier way...

Dave

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com.