Re[2]: [Declude.Virus] AVAFTERJM ?
Thursday, September 22, 2005, 9:01:37 AM, you wrote:

Dsic> "AVAFTERJM ON" goes in the virus.cfg file and it makes AV run after JM as
Dsic> you suspected. Several of us run this mode for the reason you cited. The
Dsic> only deal you have to remember is if something is trapped by JM and you put
Dsic> it back in the queue it will not be virus scanned.

This begs the follow up...if we have an automated release functionality whereby users can retrieve a held message, is there any way to resubmit that to Declude and specify virus scanning only to be performed? This would keep users from releasing viruses to themselves.

--
Best regards,
David mailto:[EMAIL PROTECTED]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.Virus] AVAFTERJM ?
Friday, September 23, 2005, 12:17:32 PM, you wrote:

M> You could write something to the message that Declude JunkMail was set
M> to whitelist, and then copy the D*.smd file to the spool and the Q*.smd

That's a great idea. Something innocuous in the headers as a whitelist key. Rather than just putting it in /overflow though, couldn't I call declude.exe with the Q file name for immediate processing?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] AVAFTERJM ?
Matt,

Is it possible to call declude.exe with the path to another folder containing the Q/D?

M> The one issue with calling declude.exe directly is that you don't want
M> the Q*.smd file to be in the spool, otherwise IMail's Queue Manager can
M> steal it, though that would only cause an error in this case and the
M> message would be delivered. I would recommend moving the D*.smd file
M> back into the spool and then calling the Q*.smd file from where ever you
M> were storing it (using the COPYFILE operative I presume).

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working
I'm feeling lonely here...like I'm talking to myself...

Could someone PLEASE check the %RECIPHOST% and %REMOTEHOST% variables in your email notification on 3.0.6 just to make sure it's not me for some reason. You don't have to mess with your active notifications. Just put another .eml file in the Declude folder with these two variables.

Thanks.
-David

Thursday, March 2, 2006, 12:10:55 PM, you wrote:

DS> Ok, no one else has so I'll respond to my own post. 3.06 and still no
DS> change. Can someone try a notification with the %RECIPHOST% and
DS> %REMOTEHOST% variables and see if they work?
DS> Thanks
DS> -David

DS> Friday, February 24, 2006, 2:39:34 PM, you wrote:

DS>> Has anyone else had trouble with the RECIPIENT HOST and REMOTE HOST
DS>> NAME variables in your virus notification email since going to 3.x? We
DS>> send all data to a program alias for notification processing, but
DS>> since December now we can't get the RECIPIENT HOST data.
DS>> Below is our notify email file and below that is a slightly munged
DS>> example of the output. Notice lines 11 and 12 in the output. This
DS>> behavior is persistent and used to work before upgrading.
DS>> Anyone else experiencing this?

DS>> From: [EMAIL PROTECTED]
DS>> To: [EMAIL PROTECTED]
DS>> Subject: Virus Notification
DS>> 1 ALLRECIPS: %ALLRECIPS%
DS>> 2 BANNED EXTENSION: %BANEXT%
DS>> 3 DATE (mm/dd/yyy): %DATE%
DS>> 4 HEADERS: %HEADERS%
DS>> 5 INOROUT: %INOROUT%
DS>> 6 LOCALHOST: %LOCALHOST%
DS>> 7 MAILFROM: %MAILFROM%
DS>> 8 MESSAGE ID: %MSGID%
DS>> 9 NUMBER OF RECIPIENTS: %NRECIPS%
DS>> 10 QUEUE FILE NAME: %QUEUENAME%
DS>> 11 RECIPIENT HOST: %RECIPHOST%
DS>> 12 REMOTE HOST NAME: %REMOTEHOST%
DS>> 13 REMOTE IP: %REMOTEIP%
DS>> 14 SENDER HOST: %SENDERHOST%
DS>> 15 SUBJECT: %SUBJECT%
DS>> 16 CURRENT TIME (hh/mm/ss): %TIME%
DS>> 17 VIRUS FILE: %VIRUSFILE%
DS>> 18 VIRUS NAME: %VIRUSNAME%
DS>> 19 SOFTWARE VERSION: %VERSION%

DS>> 1 ALLRECIPS: [EMAIL PROTECTED]
DS>> 2 BANNED EXTENSION:
DS>> 3 DATE (mm/dd/yyy): 24 Feb 2006
DS>> 4 HEADERS: Received: from mx1.ourpostfixserver.com [192.168.200.60] by
DS>> mail5.ourimailserver.com with ESMTP
DS>> (SMTPD32-8.15) id A5ADFD770080; Fri, 24 Feb 2006 12:43:09 -0500
DS>> Received: from localhost (adsl-146-64-253.mia.bellsouth.net [70.146.64.253])
DS>> by mx1.ourpostfixserver.com (Postfix) with SMTP id 4150B1464ED
DS>> for <[EMAIL PROTECTED]>; Fri, 24 Feb 2006 12:45:43 + (GMT)
DS>> Message-ID: <[EMAIL PROTECTED]>
DS>> From: "Jay Ross" <[EMAIL PROTECTED]>
DS>> To: <[EMAIL PROTECTED]>
DS>> Subject: Software At Low Pr1ce
DS>> Date: Fri, 24 Feb 2006 12:42:58 -0500
DS>> MIME-Version: 1.0
DS>> Content-Type: multipart/alternative;
DS>> boundary="=_NextPart_000_0001_01C63993.BFF33280"
DS>> X-Priority: 3
DS>> X-MSMail-Priority: Normal
DS>> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
DS>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
DS>> 5 INOROUT: outgoing
DS>> 6 LOCALHOST: mail5.ourimailserver.com
DS>> 7 MAILFROM: [EMAIL PROTECTED]
DS>> 8 MESSAGE ID: <[EMAIL PROTECTED]>
DS>> 9 NUMBER OF RECIPIENTS: 1
DS>> 10 QUEUE FILE NAME: D45adfd7700801edf.smd
DS>> 11 RECIPIENT HOST:
DS>> 12 REMOTE HOST NAME:
DS>> 13 REMOTE IP: 192.168.200.60
DS>> 14 SENDER HOST: bellamorris.com
DS>> 15 SUBJECT: Software At Low Pr1ce
DS>> 16 CURRENT TIME (hh/mm/ss): 12:43:27
DS>> 17 VIRUS FILE: [No attachment]
DS>> 18 VIRUS NAME: [Outlook 'Blank Folding' Vulnerability]
DS>> 19 SOFTWARE VERSION: 3.0.5.26
Re[4]: [Declude.Virus] Virus Notification Variables No Longer Working
Thanks to all. I have a PF gateway in front of Imail and Hop to 1 in JM so maybe that could explain why my REMOTEHOST isn't working (even though it did in 1.x-2.x) but it looks like my RECIPHOST problem is not just me...whew.

Wednesday, March 8, 2006, 12:24:18 PM, you wrote:

SF> Remotehost Yes. Reciphost no.
SF> Declude 3.06
SF> .eml:
SF> REMOTE HOST NAME: %REMOTEHOST%
SF> RECIPIENT HOST: %RECIPHOST%
SF> result:
SF> REMOTE HOST NAME: farmprogress.com
SF> RECIPIENT HOST:

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[4]: [Declude.Virus] Virus Notification Variables No Longer Working
Hello Markus,

Looks like your REMOTEHOST is working too. Try your RECIPHOST. I think we saw something about 3.0.6 on the list here. Not much fanfare.

-David

Wednesday, March 8, 2006, 12:26:50 PM, you wrote:

MG> Sorry, David hadn't had time to read latest postings on this list.
MG> On my servers with 3.0.5.23 it seems working fine.
MG> That's what I can see in a postmaster.eml from today:
MG> Virus: Unknown Virus
MG> File: Unknown File
MG> From:
MG> To:
MG> Subject:
MG> Recipients: 1
MG> Queuename: Df37a051c0088d3cf.smd
MG> Date: 08 Mar 2006
MG> Time: 16:24:51 (GMT+1)
MG> Remotehost: .it (82.188.97.71)
MG> Localhost: xxx.it
MG> D.Version: 3.0.5.23
MG> BTW: How are you guys notified for an updated version?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[4]: [Declude.Virus] Virus Notification Variables No Longer Working
Hello Markus,

LOCALHOST would be Imail's Host Name, RECIPHOST would be the domain of the recipient.

-David

Wednesday, March 8, 2006, 12:35:02 PM, you wrote:

MG> I use %LOCALHOST% in my postmaster.eml file. As I understand this should be
MG> the same, or not?
MG> Markus
Re: [Declude.Virus] Declude and AVG
Hi,

If anybody is using this, please reply on list. We bought AVG but haven't been able to set it up. Would appreciate any tips.

Thanks
David

> Is anyone on the list using AVG with declude? If so I would like to know what setup you are using and are you able to get AVG to report the Virus Names to declude so that the SKIPVIRUSIFNAMEIS works properly. Also any tweaks you may have or ideas that have made things better for you with this setup, if you want email me off list.
> Thanks
> Allen

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.Virus] NAV Command Line Scanner 1.0 Was posted on Declude.JunkMail
Here's the link to it. They are marketing it as a separate product. Don't see why they would market a command line scanner if they didn't expect it to be used by 3rd party apps. But...again, can't find any Trialware or purchase info about it.

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=65&PID=11223485&EID=0

David
[Declude.Virus] Declude on RAM Drive
I just noticed on Declude site that it is compatible for use on a RAM drive. Haven't used one of these since DOS but trying to squeeze every last bit of performance out of Declude. Anyone doing this or have additional performance tuning tips?

Thanks
-David
Re[2]: [Declude.Virus] McAfee Enterprise 7.0 not picking up Sobig.F
Hello R.,

Thursday, August 21, 2003, 2:59:18 PM, you wrote:

>>I did that with eicar and the On-Demand Scanner picked it up. However, when
>>I did it with Sobig.F, there was no attachment. Then I noticed that it was a
>>bounced message from another server (not using SKIPIFVIRUSNAMEHAS). I'm now
>>wondering if that is why McAfee On-Demand/Declude is not picking it up,
>>because the virus is part of the bounced message and it appears to not be
>>executable. However, F-Prot and McAfee On-Access both detect Sobig.F in the
>>SMD file. ??

RSP> Most AV programs will not detect corrupt, non-viable variants, which often
RSP> includes bounce messages (because those bounce messages are usually truncated).
RSP> -Scott
RSP> ---
RSP> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
RSP> Declude Virus: Catches known viruses and is the leader in mailserver
RSP> vulnerability detection.
RSP> Find out what you have been missing: Ask for a free 30-day evaluation.

We started seeing something similar about 2:00 a.m. I started getting warnings from Trend that it was picking up viruses in my /spam folder. Don't know how many going through because can't scan the /spool with Trend. Trying to figure out if they're non-viable. Even if they are Declude/F-prot should be stopping them though because we had a similar problem a few weeks ago and added VIRUSCODE 8 in order to stop suspicious files.

-David

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] OT - Alert lists.
Hello Pete,

Friday, September 12, 2003, 2:27:22 PM, you wrote:

PM> * Some systems do not have server based virus scanning.

Unwise but in some cases reality.

PM> * We *may* be able to respond more quickly than some anti-virus
PM> companies.

Yep, most likely.

PM> * Non-viable versions of viruses can often be caught to reduce loads.

YES! But the load reduction for us would come from support having to tell these people that no, they didn't get a virus they got a damaged file that looks like one.

PM> * Virus hoaxes will be caught by Message Sniffer but not most AV
PM> software.

That'd be nice.

PM> * Every little bit helps.

Yep

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Request for per-domain configuration
DC> Hmmm...I hate having to turn off the footer for everyone just because of one
DC> customer. Haven't run into it yet myself, but some people on this list
DC> will probably run into the problem with having to pass encrypted zips for
DC> one customer while banning them for everyone else...or similar requests for
DC> other files... so how about this...

DC> Add support for domain-specific configuration files. This would allow not
DC> only removing the footer on a domain basis, but also skipping/banning of
DC> files, deletion of viruses, and potentially even virus codes (such as the
DC> F-Prot virus code 8 for suspicious files) to be configurable by domain.

Realize this is an old thread but thought I'd throw my $.02 in. Declude JM/AV have both been indispensable especially of late. The only gripe I have is the lack of per domain/user configurations in AV. With 600+ domains, we often have to make the decision between losing a customer or making the entire system less secure. Would really love to see more granular config options especially in the vulnerability and extension categories.

--
Best regards,
David mailto:[EMAIL PROTECTED]
[Declude.Virus] Byte Verify Exploit
Should Declude be catching a "ByteVerify" exploit? This came through Declude/F-Prot/Trend::

NetShield-4.6.0: The file CACHE1:\ETC\PROXY\CACHE\1B\8FCC389B.AAJ\bb.class was infected with Exploit-ByteVerify . The file was successfully cleaned with Scan engine version 4.2.40 DAT version 4.0.4350. (from DUSD_BM2)

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100261#indications

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Byte Verify Exploit
Hello R.,

RSP> Is it possible that that wasn't from an E-mail that came through Declude?

Unfortunately no, going through Imail/Declude is the only path this mail server can receive email from.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[5]: [Declude.Virus] Missed virus reports
Hello Patrick,

Monday, May 3, 2004, 6:44:52 PM, you wrote:

PC> Hello David,

>> BANEZIPEXTS ON

PC> Sorry to jump in but just a couple of thoughts.
PC> Are you running the "Pro" version of Declude? I don't think BANEZIPEXTS
PC> works on the "Standard" version. Secondly, I believe, in special
PC> circumstances, some admins configure "Declude Junkmail" to run before
PC> "Declude AV". I think this configuration could cause this behavior.

Good thoughts on both of them there. Unfortunately, yes... we are running Pro and no, we haven't switched the JM/AV scanning order.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[3]: [Declude.Virus] Missed virus reports
Hello R.,

Friday, April 30, 2004, 9:30:44 PM, you wrote:

>>RSP> Note the directory P:\SPROTECT\Virus\ -- Trend is finding a virus that
>>RSP> Declude Virus already found. :)
>>
>>"P:\SPROTECT\Virus\" is where Trend puts a virus after it finds one.
>>My default file for Declude to put viruses is L:\VirusTrap which Trend
>>is set NOT to scan.

RSP> Ah, OK. In that case, it's presumably finding the virus in the .SMD file
RSP> in the \IMail\spool directory, which would be before Declude Virus had a
RSP> chance to scan it.

Not in this case. The \spool directory is excluded from virus scanning. As I mentioned, the file is getting caught by Declude JM/Sniffer. The virus is getting caught by Trend when being moved by our software from \spool\spam to our per user quarantine review folder for all email that gets JM weighted HOLD.

RSP> How do you know that it was created/stored after Declude processed it?

Because Trend can't get to any files that are being actively processed by Imail/Declude. (See above.)

RSP> That may mean that you have a problem. Are you running v1.79 (with "BANEXT
RSP> EZIP" in the virus.cfg file), the latest .exe of your virus scanner, and
RSP> latest definitions?

Yep, yep and yep. Declude 1.79 Beta (upgraded from the interim version), Fprot 3.14e and latest defs. Here's the appropriate lines from virus.cfg:

BANEZIPEXTS ON
BANEXT BAS
BANEXT BAT
BANEXT CMD
BANEXT COM
BANEXT CPL
BANEXT EXE
BANEXT HTA
BANEXT JS
BANEXT MSI
BANEXT MSP
BANEXT MST
BANEXT PIF
BANEXT REG
BANEXT SCR
BANEXT SCT
BANEXT VB
BANEXT VBE
BANEXT VBS
BANEXT WS
BANEXT WSC
BANEXT WSF
BANEXT WSH

--
Best regards,
David mailto:[EMAIL PROTECTED]
[Declude.Virus] Mime Segment in Mime Postamble
Is anyone else having a problem with this vulnerability in order confirmations from TigerDirect? If so, how are you handling it since there aren't any whitelist options for Vulnerabilities?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] PRESCAN
Hello Matt,

Wednesday, November 10, 2004, 2:41:59 PM, you wrote:

M> is McAfee though, and turning PRESCAN OFF might soon become my only
M> realistic choice. I'm going to guess that this might remove more than
M> 25% of my system's capacity however, and that gets costly.

FYI - one of our boxes is dual 2.8G Xeon that does nothing but gateway filtering. Prescan OFF took processor utilization from 45% to 65%. VERY costly.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[3]: [Declude.Virus] testvirus.org #22
Hello David,

Thursday, December 16, 2004, 3:08:42 PM, you wrote:

DS> Hello Jim,
DS> Thursday, December 16, 2004, 2:39:22 PM, you wrote:

JM>> Caught it without any issues whatsoever.

I'm running 1.81 and it got through.

--
Best regards,
David mailto:[EMAIL PROTECTED]
[Declude.Virus] testvirus.org #22
Can someone else test #22 at testvirus.org to see if it gets through? I want to make sure I don't have something misconfigured that's allowing it through. BTW - all others were stopped.

Test #22: Eicar virus within zip file hidden using the "MIME Continuation Vulnerability" (attachment can be opened by all versions of Microsoft Outlook and Outlook Express)

If your mail server's virus scanner did not detect this email, it allows some viruses through!

Please note: This test message uses the EICAR test virus, which is completely benign and contains no viral code. For more information see: http://www.eicar.org

www.testvirus.org

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] testvirus.org #22
Hello Jim,

Thursday, December 16, 2004, 2:39:22 PM, you wrote:

JM> Caught it without any issues whatsoever.

What version you using?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[4]: [Declude.Virus] testvirus.org #22
Hello David,

Ok, back to my original problem ;-)

Is test 22 getting caught for anyone else? It was the only one that slipped through my Declude setup. I'm running 1.81 with F-prot and prescan off.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[6]: [Declude.Virus] testvirus.org #22
Hello William,

Monday, December 20, 2004, 9:34:55 AM, you wrote:

WS> #22 was caught here, #17 not caught

I caught 17 with no problem. But 22 is STILL getting through. What version of Declude are you running? What virus scanner?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[8]: [Declude.Virus] testvirus.org #22
Hello William,

Monday, December 20, 2004, 1:39:53 PM, you wrote:

WS> v1.81
WS> mcafee,

Ok, that's a start. Is anyone using F-prot able to catch this one?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[8]: [Declude.Virus] testvirus.org #22
Hello Andrew,

Monday, December 20, 2004, 2:23:41 PM, you wrote:

CA> What happens when you set:
CA> PRESCAN OFF

I have PRESCAN OFF.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[8]: [Declude.Virus] testvirus.org #22
>>I turned it off and it still got through.
>>Test #17: Eicar virus hidden using the "CR Vulnerability" (attachment can be
>>opened by all versions of Microsoft Outlook and Outlook Express)

RSP> I just checked this one, and it got through here, too. I examined the raw
RSP> source of the E-mail, and there doesn't appear to be a lone CR character in
RSP> it, so it doesn't appear to actually contain the Outlook "CR Vulnerability".

Scott, what do you get for test #22? Some have reported it caught while others haven't. My F-Prot config is:

SCANFILE P:\Progra~1\fsi\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
REPORT Infection:

--
Best regards,
David mailto:[EMAIL PROTECTED]
[Declude.Virus] .tiff files
Does anyone know a reason why .tiff should not be excluded from scanning? I was going to add .tiff to my don't scan list. Didn't see any known exploits using .tiff but thought it'd be a good idea to see what everyone here thought.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] RAR Support - why not?
Hello R.,

Thursday, January 27, 2005, 6:21:06 PM, you wrote:

RSP> How about 1.82? :)

Is 1.82 out? If so, do we need BANERAR like BANEZIPS?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[3]: [Declude.Virus] RAR Support - why not?
Hello David,

Monday, January 31, 2005, 1:17:08 PM, you wrote:

DS> Hello R.,
DS> Thursday, January 27, 2005, 6:21:06 PM, you wrote:

RSP>> How about 1.82? :)

DS> Is 1.82 out? If so, do we need BANERAR like BANEZIPS?

Ok, I checked the Junkmail list and it looks like Declude is at 1.82 based on the messages but I didn't see an official notice. 1.82 is not an option to download when I logon to Declude's site.

Also, original question still holds. Do we need to make a change to the virus.cfg to employ blocking of executable extensions in encrypted .rar files?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[4]: [Declude.Virus] RAR Support - why not?
Hello R.,

Monday, January 31, 2005, 2:56:53 PM, you wrote:

RSP> For some reason, it is listed as something like "SPAMHEADERS fix for
RSP> v1.76+" on the website, rather than as v1.82.

Ah, ok. And 2.0 is being issued to release today?

>> Also, original question still holds. Do we need to make a change to
>> the virus.cfg to employ blocking of executable extensions in
>> encrypted .rar files?

RSP> No. If .ZIP files are being handled the way you want, .RAR files will too.

Great.
Re[5]: [Declude.Virus] RAR Support - why not?
Hello Scott,

Monday, January 31, 2005, 3:18:16 PM, you wrote:

SF> file. For example, if you have a line "BANEXT EXE" and "BANZIPEXTS ON", then
SF> .EXE files within .ZIP files will be blocked. You can also use BANEZIPEXTS
SF> ON to do the same thing, but only applying to encrypted .ZIP files.

I block about 30 extensions at my inbound with IMGate but also use:

BANEZIPEXTS ON

Then I repeat my list of banned extensions using:

BANEXT BAS
BANEXT BAT
etc, etc.

By my understanding, this will ban these extensions by themselves, ban these extensions when found within encrypted .zip files, NOT ban these extensions from within normal .zip files and with 1.82 ban these extensions in encrypted .rar files.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[10]: [Declude.Virus] testvirus.org #22
Sorry to revive this old thread. But I just had a customer report that 22 is still getting through. Could someone that's catching this with F-prot please share your configs? I've got Declude 1.82 F-Prot 3.16 with the following virus.cfg:

SCANFILE P:\Progra~1\fsi\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
REPORT Infection:
PRESCAN OFF
BANCLSID ON
BANPARTIAL ON
DELIVERERRORS ON
BANCRVIRUSES ON

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[12]: [Declude.Virus] testvirus.org #22
MJ> Nice work. Thanks for the contribution. This is one of the best benefits of
MJ> the list. Great comments in that virus.cfg file.

Well, this took forever to extract (couldn't copy from baregrep and couldn't sort with excel) but here is the debug log from test 22. Looks like the scanner isn't even getting called.

02/02/2005 14:59:04.615 Q310830a90096022a Declude Virus Pro Registered
02/02/2005 14:59:04.615 Q310830a90096022a Starting locality check (sender=testvirus.org; nr=1 ca=off). nHas=110.
02/02/2005 14:59:04.615 Q310830a90096022a [EMAIL PROTECTED] [0-107] is local domain1 viaFM
02/02/2005 14:59:04.615 Q310830a90096022a Ending locality check (cached), sender=remote.
02/02/2005 14:59:04.615 Q310830a90096022a Local host = virtualconnect.net
02/02/2005 14:59:04.615 Q310830a90096022a [EMAIL PROTECTED] Offset=8 Flags=1
02/02/2005 14:59:04.615 Q310830a90096022a Msgid: <[EMAIL PROTECTED]>
02/02/2005 14:59:04.630 Q310830a90096022a Subject: Virus Scanner Test #22
02/02/2005 14:59:04.630 Q310830a90096022a O:\spool\Q310830a90096022a.SMD
02/02/2005 14:59:04.630 Q310830a90096022a Starting virus scanning section...
02/02/2005 14:59:04.630 Q310830a90096022a MIMELAYER=0
02/02/2005 14:59:04.630 Q310830a90096022a Exclude Default=-1
02/02/2005 14:59:04.630 Q310830a90096022a Exclude Domain=-1
02/02/2005 14:59:04.630 Q310830a90096022a Exclude peruser=-1
02/02/2005 14:59:04.630 Q310830a90096022a DoAv( O:\spool\D310830a90096022a.SMD );
02/02/2005 14:59:04.630 Q310830a90096022a avtempdir=O:\spool
02/02/2005 14:59:04.630 Q310830a90096022a Temp dir set to: O:\spool\D310830a90096022a.vir\
02/02/2005 14:59:04.630 Q310830a90096022a fp=4501a0
02/02/2005 14:59:04.630 Q310830a90096022a MIMELAYER++
02/02/2005 14:59:04.630 Q310830a90096022a DOMIME START
02/02/2005 14:59:04.630 Q310830a90096022a CT: Content-Type: multipart/mixed;boundary="
02/02/2005 14:59:04.630 Q310830a90096022a Got boundary; =--=_804689079==_.
02/02/2005 14:59:04.630 Q310830a90096022a DOMIME end-of-headers
02/02/2005 14:59:04.630 Q310830a90096022a ISMULTI
02/02/2005 14:59:04.630 Q310830a90096022a Hit boundary... Recursing... 0 (9-0-).
02/02/2005 14:59:04.630 Q310830a90096022a MIMELAYER++
02/02/2005 14:59:04.630 Q310830a90096022a DOMIME START
02/02/2005 14:59:04.630 Q310830a90096022a CT: Content-Type: text/plain; charset="us-ascii"; format=flowed
02/02/2005 14:59:04.630 Q310830a90096022a DOMIME end-of-headers
02/02/2005 14:59:04.630 Q310830a90096022a !ISMULTI
02/02/2005 14:59:04.630 Q310830a90096022a Handling a MIME segment [Boundary=--=_804689079==_].
02/02/2005 14:59:04.630 Q310830a90096022a Encoding type: *DEFAULT* [1/]
02/02/2005 14:59:04.630 Q310830a90096022a Starting BASE64
02/02/2005 14:59:04.630 Q310830a90096022a Hit new boundary (fseek)
02/02/2005 14:59:04.630 Q310830a90096022a curpos=1509
02/02/2005 14:59:04.646 Q310830a90096022a MIMELAYER--
02/02/2005 14:59:04.646 Q310830a90096022a Done Recursing...
02/02/2005 14:59:04.646 Q310830a90096022a Hit boundary... Recursing... 1 (9-0-).
02/02/2005 14:59:04.646 Q310830a90096022a MIMELAYER++
02/02/2005 14:59:04.646 Q310830a90096022a DOMIME START
02/02/2005 14:59:04.646 Q310830a90096022a DOMIME end-of-headers
02/02/2005 14:59:04.646 Q310830a90096022a !ISMULTI
02/02/2005 14:59:04.646 Q310830a90096022a Handling a MIME segment [Boundary=--=_804689079==_].
02/02/2005 14:59:04.646 Q310830a90096022a Encoding type: *DEFAULT* [1/]
02/02/2005 14:59:04.646 Q310830a90096022a Starting BASE64
02/02/2005 14:59:04.646 Q310830a90096022a Hit new boundary (fseek)
02/02/2005 14:59:04.646 Q310830a90096022a curpos=1931
02/02/2005 14:59:04.646 Q310830a90096022a Deleting (1) plaintext segment O:\spool\D310830a90096022a.vir\0..
02/02/2005 14:59:04.646 Q310830a90096022a MIMELAYER--
02/02/2005 14:59:04.646 Q310830a90096022a Done Recursing...
02/02/2005 14:59:04.646 Q310830a90096022a Hit end of layer
02/02/2005 14:59:04.646 Q310830a90096022a MIMELAYER layer--
02/02/2005 14:59:04.646 Q310830a90096022a Not starting scanner since no files to scan.
02/02/2005 14:59:04.646 Q310830a90096022a High code=0.
02/02/2005 14:59:04.646 Q310830a90096022a AV returned 0
02/02/2005 14:59:04 Q310830a90096022a Scanned: Virus Free [MIME: 2 1137]
02/02/2005 14:59:06.068 Q310830a90096022a Set process priority back to 32.
02/02/2005 14:59:06.068 Q310830a90096022a feof=16, ferr=0
02/02/2005 14:59:06.068 Q310830a90096022a About to pass off E-mail; daisychain set to smtp32.exe.
02/02/2005 14:59:06.068 Q310830a90096022a Passing to SMTP3: p:\IMail\smtp32.exe "O:\spool\Q310830a90096022a.SMD".

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[12]: [Declude.Virus] testvirus.org #22
Ok, Scott...Anybody...any idea why this one is getting through after looking at my logs? It looks like they're saying:

02/02/2005 14:59:04.646 Q310830a90096022a Not starting scanner since no files to scan.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[13]: [Declude.Virus] testvirus.org #22
Hello R.,

Thursday, February 3, 2005, 2:05:48 PM, you wrote:

>>Ok, Scott...Anybody...any idea why this one is getting through after
>>looking at my logs? It looks like they're saying:
>>
>>02/02/2005 14:59:04.646 Q310830a90096022a Not starting scanner since no
>>files to scan.

RSP> That's because the E-mail is text-only, which means that Declude Virus
RSP> won't scan it, since text files can't contain viruses.

But I can't figure out why Andrew catches it and I'm not. I compared the config files and the only difference is I have Prescan OFF and I let normal .zips through.

Andrew, could you run Declude in Debug and send test 22 through so we could see your log file?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[15]: [Declude.Virus] testvirus.org #22
Hello Andrew,

Thursday, February 3, 2005, 3:08:54 PM, you wrote:

CA> No problem, happy to oblige. See attached text file.

Thanks. Looks like the log file lost its formatting but best I can tell your scanner is being called and it scans the file.

Scott, any idea here?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[16]: [Declude.Virus] testvirus.org #22
Hello R.,

Thursday, February 3, 2005, 3:45:24 PM, you wrote:

RSP> As far as I can tell, Declude Virus is handling this properly. The E-mail
RSP> is plain text, and therefore should not be scanned.

But the exact same email is getting scanned by Andrew. Do you see any difference in the log files that would give a clue?

Thanks
-David
Re[17]: [Declude.Virus] testvirus.org #22
Hello R.,

Thursday, February 3, 2005, 8:24:35 PM, you wrote:

RSP> Do you have a gateway in front of your mailserver? Comparing the two log
RSP> file snippets, they showed the plaintext segment ending in different
RSP> places, which would suggest that they were scanning two different
RSP> E-mails. This could also occur if there was a gateway that might make
RSP> modifications (such as a Postfix gateway).

"Oh guru of computer wisdom" (http://www.illwillpress.com/tech.html)

Yes, we have a PF gateway on the front end. I thought of that originally but PF doesn't do anything to modify messages that get past its basic blocking. It looks like there aren't too many other options though. I'll do some digging there.

-David
Re[18]: [Declude.Virus] testvirus.org #22
Hello R.,

Friday, February 4, 2005, 10:26:29 AM, you wrote:

>>Yes, we have a PF gateway on the front end. I thought of that
>>originally but PF doesn't do anything to modify messages that get past
>>its basic blocking.

RSP> Are you positive? I've seen PF modify E-mail headers, such as adding a
RSP> Message-ID: or Date: header if one isn't present in the original E-mail
RSP> (things that are good once the E-mail is ready to be delivered, but can
RSP> prevent programs from scanning the original E-mail properly).

Yes, this was something we were very particular about when we set it up a few years back. We did just upgrade it though so it won't hurt to verify that.

It's interesting, when I get the message in my email client from testvirus, OE says there is an attachment in the summary window but doesn't show one in the preview pane, and EICAR is in plain text in the body of the message.

--
Best regards,
David mailto:[EMAIL PROTECTED]
[Declude.Virus] Second Scanner
I know this comes up every now and then, but the last thread I can find is from May 2004. I was interested in what folks were using as a second scanner aside from F-Prot. I've heard AVG is good but slow, Kaspersky fast with updates but expensive, McAfee good but hard to get a command line. I thought someone had posted some stats about this but can't find them.

Any suggestions?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

TF> ClamAV -
TF> http://www.sosdg.org/clamav-win32/index.php
TF> Get my utilities: runclamd, runclamdscan
TF> http://www.smartbusiness.com/imail/declude/
TF> Set up a scheduled task to periodically run freshclam to keep the
TF> database updated.
TF> Works extremely well for us.

Thanks, I'll give it a try.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[4]: [Declude.Virus] Second Scanner
Looks like I have clam up and running. I'm testing it as my primary scanner to make sure it catches viruses and all looks good so far. It looks like it takes about as much CPU as FProt.

I have "Rundclamd" running as a service under LocalSystem. Should I set the startup type to "Automatic" or leave it at "Manual"? If I leave it on "Manual" do I need to rerun "runclamd -start" after a reboot?

JC> I use ClamAV (with Runclamscan/Runclamd) as my second scanner and it works
JC> great. The only downside is it is a resource hog (but still worth it.) If
JC> and when you move to AV/JM 2.0.6.16, consider using the new directive
JC> EXITSCANONVIRUSDETECT. It has helped.

I'm still at 1.86. Been afraid to move up until it shakes out. 2.0.6.16 considered stable now?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[5]: [Declude.Virus] Second Scanner
How can I figure out if freshclam is grabbing the latest defs?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

Friday, June 3, 2005, 3:26:33 PM, you wrote:

>> How can I figure out if freshclam is grabbing the latest defs?

TF> I set up a scheduled task update_clamav to run every 2 hours or so:
TF> start in: c:\clamav-devel\bin\
TF> run: freshclam.exe --quiet -l c:\clamav-devel\log\freshclam.log

Works like a charm.

TF> Then I can check the freshclam.log file.

Looks good.

>> I have "Rundclamd" running as a service under LocalSystem. Should I
>> set the startup type to "Automatic" or leave it at "Manual"?

TF> Mine is set to automatic.

Done.

Now have clam setup as Scanner2. Am I to assume that anything showing up in the runclamscan.log is something that got by Fprot?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[3]: [Declude.Virus] Second Scanner
What happened: Everything was flowing along beautifully, then all of a sudden I got this:

06/03/2005 16:30:54 Qbdc2591500a28e52 ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
06/03/2005 16:30:54 Qbdc2591500a28e52 WARNING: Couldn't remove .vir directory O:\spool\Dbdc2591500a28e52.vir\: SHARING VIOLATION.
06/03/2005 16:30:54 Qbdc2591500a28e52 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/03/2005 16:30:54 Qbdc2591500a28e52 Scanned: Virus Free

I also have Trend running but it is set to exclude /Imail, /Spool and /clamav-devel

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Second Scanner
Hello Scott,

Friday, June 3, 2005, 10:48:47 PM, you wrote:

SF> One last ClamAV comment...
SF> I've added the command line switch --max-ratio 0
SF> I've had some false positives on some .zip files that forced me to add the
SF> switch.

Thanks for the info.

I've been running clam now with Terry's runclamscan since last night on 2 machines. At one point on each machine started getting these errors in the Declude Virus file:

06/04/2005 14:06:54 Qed820cb43917 ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
06/04/2005 14:06:54 Qed820cb43917 WARNING: Couldn't remove .vir directory o:\spool\Ded820cb43917.vir\: SHARING VIOLATION.
06/04/2005 14:06:54 Qed820cb43917 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.

Then, they balloon to ones like this:

06/04/2005 14:07:25 Qed87026a0076c30a ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded87026a0076c30a.SMD L:\virustrap\Ded87026a0076c30a.SMD. Re-trying.
06/04/2005 14:07:26 Qed82035200bac2f1 ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded82035200bac2f1.SMD L:\virustrap\Ded82035200bac2f1.SMD. Re-trying.
06/04/2005 14:07:26 Qed8402890066c2fa ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded8402890066c2fa.SMD L:\virustrap\Ded8402890066c2fa.SMD. Re-trying.

It took a reboot of both machines to fix the problem. On one I had 288 processes running which fouls everything else up. Clam is SCANNER2.

Any ideas?

--
Best regards,
David mailto:[EMAIL PROTECTED]
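An added example, not part of the original thread and not Declude's own code: a Python script that groups Declude Virus log lines by queue ID and flags the two patterns seen in these threads, a "Virus Free" verdict logged although no scanner was started (test #22) and the scanner-timeout, sharing-violation and failed-quarantine errors quoted above. The event names and finding labels are hypothetical; the sample log reuses lines quoted in the threads plus one constructed control line.

```python
import re

# Constructed sample. The first seven lines reuse log lines quoted in the
# threads; the last one (queue ID Q0000000000000001) is a made-up clean control.
SAMPLE_LOG = r"""
02/02/2005 14:59:04.630 Q310830a90096022a Starting virus scanning section...
02/02/2005 14:59:04.646 Q310830a90096022a Not starting scanner since no files to scan.
02/02/2005 14:59:04 Q310830a90096022a Scanned: Virus Free [MIME: 2 1137]
06/03/2005 16:30:54 Qbdc2591500a28e52 ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
06/03/2005 16:30:54 Qbdc2591500a28e52 WARNING: Couldn't remove .vir directory O:\spool\Dbdc2591500a28e52.vir\: SHARING VIOLATION.
06/03/2005 16:30:54 Qbdc2591500a28e52 Scanned: Virus Free
06/04/2005 14:07:25 Qed87026a0076c30a ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded87026a0076c30a.SMD L:\virustrap\Ded87026a0076c30a.SMD. Re-trying.
06/04/2005 14:10:00 Q0000000000000001 Scanned: Virus Free
"""

# Timestamp (milliseconds appear only at debug level), queue ID, free text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<qid>Q[0-9a-fA-F]+) (?P<msg>.*)$"
)

# Hypothetical event names mapped to message text taken from the thread.
EVENTS = {
    "no_files": re.compile(r"Not starting scanner since no files to scan"),
    "timeout": re.compile(r"Virus scanner \d+ didn't finish after \d+ seconds"),
    "sharing": re.compile(r"SHARING VIOLATION"),
    "move_failed": re.compile(r"Could not move virus-infected E-mail"),
    "clean": re.compile(r"Scanned: Virus Free"),
}


def parse(log_text):
    """Return {queue_id: set of event names}, in first-seen order."""
    per_msg = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines or lines from another log format
        seen = per_msg.setdefault(m.group("qid"), set())
        for name, rx in EVENTS.items():
            if rx.search(m.group("msg")):
                seen.add(name)
    return per_msg


def triage(log_text):
    """Return {queue_id: [finding, ...]} for messages worth a closer look."""
    findings = {}
    for qid, ev in parse(log_text).items():
        notes = []
        if "clean" in ev and "no_files" in ev:
            # Logged as clean, but no scanner process was ever launched.
            notes.append("passed-without-scan")
        if "clean" in ev and "timeout" in ev:
            # A scanner was terminated, yet the message was logged as clean.
            notes.append("clean-verdict-after-timeout")
        if "sharing" in ev:
            notes.append("file-lock-on-spool")
        if "move_failed" in ev:
            # A detected message was still sitting in the spool at this point.
            notes.append("infected-mail-not-quarantined")
        if notes:
            findings[qid] = notes
    return findings


if __name__ == "__main__":
    for qid, notes in triage(SAMPLE_LOG).items():
        print(qid, ", ".join(notes))
```

Code 32 in the failed-move lines is the Windows sharing-violation error code, so those lines point at the same file-lock condition as the .vir cleanup warning.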
Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

Sunday, June 5, 2005, 8:14:04 AM, you wrote:

>> It took a reboot of both machines to fix the problem. On one I had 288
>> process running which fouls everything else up. Clam is SCANNER2
>>
>> Any ideas?

TF> What did the runclamscan log report if anything? What kind of times
TF> are you seeing in it for the actual scanning?

Nothing. Just shows the last virus that was caught right before the problem:

06-03-2005 23:44:37 0.2030,0.141,0.062 Worm.Mytob.CK 83 D23a50548011c8e81.SMD 73391
06-04-2005 00:44:08 0.1410,0.078,0.063 Worm.Mytob.BZ 83 D319849a0009e0bb9.SMD 69975

Scan times look very low, comparable to F-Prot.

TF> The only time I've had anything similar happen had to do with
TF> ownership of the files and folders. It seems to me I may have had to
TF> change the ownership of the virus folder but I don't recall now.

The very first error in the Declude virus log indicates that clam didn't finish after 60 seconds so Declude is terminating. Then the other errors about renaming/moving files start showing up. Plus more timeout errors.

On a side note, during this whole process I had a Sniffer update that "failed to copy" to my P:/ Drive. Clam is running on C:\, Spool is running on O:\ and runclamscan/runclamd are on P:\.

The two machines that this happened on are very different. One Win2k vs. Win2k3, Imail 7.13 vs. Imail 8.15, both Declude 1.82.

I can't find anything in the event or application logs that looks bad around this time either.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[4]: [Declude.Virus] Second Scanner
Hello Scott,

Saturday, June 4, 2005, 7:08:02 PM, you wrote:

SF> I also use Terry's runclamscan with no issues.
SF> I have had rare email melt downs when I was running runclamd. I could never
SF> pin it firmly on anything. So I stopped the runclamd to see how it handles.

So you're saying you use runclamscan but now you call clam directly instead of calling runclamd?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Second Scanner
TF> What did the runclamscan log report if anything? What kind of times
TF> are you seeing in it for the actual scanning?

I do have some weird log lines on one of the machines:

06-04-2005 13:48:35 0.4840,0.015,0.469 HTML.Phishing.Pay-39 65 0
06-04-2005 13:49:02 0.2660,0.031,0.235 Worm.SomeFool.P 64 0
06-04-2005 13:49:06 0.3280,0.046,0.266 Worm.Mytob.CK 62 0
06-04-2005 13:49:07 0.4840,0.047,0.437 Worm.Mytob.CK 105 De990167cd258.GSC,De99002de00b2b55f.SMD 0
06-04-2005 13:49:20 0.3750,0.079,0.296 Worm.SomeFool.P 64 0
06-04-2005 13:49:26 0.0630,0.031,0.032 Worm.Bagle.AU 62 0
06-04-2005 13:49:59 0.3590,0.125,0.219 Worm.Mytob.BT 62 0

These are about 20 lines before it quits.

Also, I do see on both machines, there are files in my folder on P:\ along with runclamscan and runclamd. They have names like:

dbeaf2~1_clam.txt
dbeb03~1_clam.txt

There are 57 on one box and 80 on another. Every time I click on one of the files, I get a simple "Access Denied" error even though ALL clam processes are stopped and I'm running under a Domain Admin account.
Re[2]: [Declude.Virus] Second Scanner
TF> These exist because the scanner never completed and the files are
TF> owned by SYSTEM. You'll have to select them - right click - and
TF> change the owner to your Admin account so you can then change the
TF> permissions to delete them.

So, it looks like the genesis of the problem is that clam started timing out. As I mentioned, a completely separate process that copies my Sniffer .snf file onto the same drive failed with a "could not copy file" error after this whole thing happened. Even though, it could read/delete a file on this volume.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

Monday, June 6, 2005, 3:39:42 PM, you wrote:

>> it looks like the genesis of the problem is that clam started
>> timing out.

TF> It may be but I haven't been able to force it to happen so far. For
TF> me this is the first instance of this in more than one year.

TF> I am suspicious that it could be a Windows socket issue which is why
TF> I've changed the clamd.conf settings.

Now, I have had socket issues. I'm accepting at a high rate from IMGate on the front end and delivering to an outbound PF box on the backend so I tend to have lots of sockets open to one IP.

Forgive me if I'm naive, but what does a local virus scanner have to do with TCP/IP?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

TF> Normally the service establishes a socket - meaning a hole punched
TF> through the OS - to allow such communication to occur. However, for
TF> ClamD in the configuration file there is an option to bind the
TF> service to a specific IP address and a specific port assignment. For
TF> greater security 127.0.0.1 is the default address. But the service
TF> could be bound to another IP address.

Think I get it.

TF> I don't know why this might solve "stability problems" on some
TF> versions of windows but that's the message in the conf and something
TF> I was advised to try from my forum posting.

I have to be out of town starting Wednesday so I'm not doing anything now, but I'll try it too first thing next week.

TF> Since the error I was seeing in the ClamD log file was an error with
TF> accept() it seemed reasonable to me to try it.

I took ownership of and checked the clamd log file and it looks like I have the same errors, but on both boxes it took less than 18 hours to have the problem:

Jun 4 10:46:54 2005 -> ERROR: accept() failed: Software caused connection abort
Sat Jun 4 10:46:56 2005 -> ERROR: accept() failed: Software caused connection abort
Sat Jun 4 10:46:56 2005 -> ERROR: accept() failed: Software caused connection abort

This is exactly the time this machine blew up.

--
Best regards,
David mailto:[EMAIL PROTECTED]
[Declude.Virus] Virus log file warning
Anybody know if this is cause for concern:

06/22/2005 11:47:00 Q87f41a41009eef86 Warning: Caught a MIME boundary in a broken uuencoded segment

--
Best regards,
David mailto:[EMAIL PROTECTED]