RE: [Declude.Virus] Netsky.P Occasionally Slips through?

2004-03-30 Thread Grant Griffith - Declude Virus
Just add the VIRUSCODE 8 to the config files.  Note that it may have some
false positives, but we are OK with that.  Would rather that than a possible
virus getting thru.

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Douglas Cohn
Sent: Tuesday, March 30, 2004 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Netsky.P Occasionally Slips through?


If F-prot notes a file as suspicious, is it stopped by declude or passed?

Can this be a setting possibly?  IE if F-prot notes it as suspicious allow
declude to block it.

DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, March 29, 2004 8:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Netsky.P Occasionally Slips through?


F-Prot's manual scan results:
C:\eudora\ATTACH\document_all02c.zip-document.txt
  a security risk or a backdoor program

That sounds like an exit code of 8, meaning that F-Prot detected a
suspicious file, but not a virus.

Would it be possible to E-mail the .ZIP file to the declude.com virustrap@
address, so we can analyze it?

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] F-prot passing Netsky.P or variant?

2004-03-25 Thread Grant Griffith - Declude Virus



I had one slip thru to me this morning also... McAfee detected it on my
system as the W32/Netsky.b.eml!zip virus. Not sure as to where it
quarantined the file to, but I was surprised my banext's did not catch it
also.

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, March 25, 2004 10:17 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-prot passing Netsky.P or variant?

Anyone else having trouble with a lot of new viruses slipping through?

I submitted two to F-Prot earlier this morning, but they are claiming that
the attachments were Netsky.P. However, I have the latest virus defs from
them and the virus logs clearly show them being scanned and virus free.

I'm betting it's a new, fast-spreading variant or Netsky, but am curious as
to what others are seeing.

Darin.




[Declude.Virus] SKIPIFFORGING ?

2004-03-18 Thread Grant Griffith - Declude Virus
Hello,

Does the SKIPIFFORGING include the Vulnerabilities?  I was just looking into
why I was not receiving Vulnerability notifications and it appears the
SKIPIFFORGING is stopping these from being sent.  As an administrator, I
would like to receive those in case it might be a legit message.  Is there a
way I can allow these notifications sent out while leaving the SKIPIFFORGING
in place?

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393



RE: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Grant Griffith - Declude Virus
I just upgraded to version 3 and am still seeing this.  I will contact
F-Prot to see if they can give me some insight on this.

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Thursday, March 18, 2004 12:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Log error with latest interim release



03/18/2004 11:20:01 Qcc24005d0536a2e6 Error 128 in virus scanner 1.
03/18/2004 11:21:09 Qcc661aa8032aa581 Error 128 in virus scanner 1.

F-Prot doesn't define an exit code of 128 -- I would recommend reinstalling
F-Prot and/or moving to the latest version of F-Prot.

-Scott


RE: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Grant Griffith - Declude Virus
Meant version E.  Sorry, been a long day.

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Grant Griffith -
Declude Virus
Sent: Thursday, March 18, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Log error with latest interim release


I just upgraded to version 3 and am still seeing this.  I will contact
F-Prot to see if they can give me some insight on this.

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Thursday, March 18, 2004 12:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Log error with latest interim release



03/18/2004 11:20:01 Qcc24005d0536a2e6 Error 128 in virus scanner 1.
03/18/2004 11:21:09 Qcc661aa8032aa581 Error 128 in virus scanner 1.

F-Prot doesn't define an exit code of 128 -- I would recommend reinstalling
F-Prot and/or moving to the latest version of F-Prot.

-Scott
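
Log lines such as "Error 128 in virus scanner 1." only help if someone notices them. The following is an added example, not part of the original messages and not Declude's own code: it groups Declude Virus log lines by queue ID and lists the messages that were handled without a scanner verdict. The sample lines are constructed, and it assumes unwrapped log lines in the format quoted in these threads.

```python
import re
from collections import defaultdict

# Constructed sample in the quoted log format; queue IDs and virus name are made up.
SAMPLE_LOG = """\
03/18/2004 11:20:01 Q00000000000000a1 Error 128 in virus scanner 1.
03/18/2004 11:22:10 Q00000000000000b2 MIME file: Letter.zip [base64; Length=20780 Checksum=2629640]
03/18/2004 11:22:10 Q00000000000000b2 Banning .ZIP file with exe extension.
03/18/2004 11:22:10 Q00000000000000b2 Scanned: Banned file extension. [MIME: 2 20916]
03/18/2004 11:23:30 Q00000000000000c3 Banning file with exe extension [application/x-msdownload].
03/18/2004 11:23:31 Q00000000000000c3 Scanner 1: Virus= the W32/Example.test virus !!! Attachment=Update28.exe [10] O
03/18/2004 11:23:31 Q00000000000000c3 Scanned: CONTAINS A VIRUS [MIME: 5 117540]
"""

LINE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (Q[0-9A-Fa-f]+) (.*)$")
ERROR = re.compile(r"^Error (\d+) in virus scanner (\d+)\.")
VIRUS = re.compile(r"^Scanner \d+: Virus=")

def classify(log_text):
    """Group log lines by queue ID and give each message one status."""
    msgs = defaultdict(lambda: {"errors": [], "banned": False, "virus": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        qid, text = m.groups()
        err = ERROR.match(text)
        if err:
            msgs[qid]["errors"].append((int(err.group(2)), int(err.group(1))))
        elif VIRUS.match(text):
            msgs[qid]["virus"] = True
        elif text.startswith("Banning "):
            msgs[qid]["banned"] = True
    for rec in msgs.values():
        if rec["virus"]:
            rec["status"] = "virus-detected"
        elif rec["errors"]:
            rec["status"] = "scanner-error"      # no verdict from the scanner
        elif rec["banned"]:
            rec["status"] = "banned-unscanned"   # blocked, no scanner result logged
        else:
            rec["status"] = "no-finding"
    return dict(msgs)

def needs_review(log_text):
    # Queue IDs that were handled without a scanner verdict.
    return sorted(q for q, r in classify(log_text).items()
                  if r["status"] in ("scanner-error", "banned-unscanned"))
```

Each entry in "errors" is a (scanner number, exit code) pair, so an undefined code such as 128 can be counted per scanner.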


RE: [Declude.Virus] Question: Do the new zip commands reject the file extension and not pass the file to the virus scanner

2004-03-03 Thread Grant Griffith - Declude Virus
Replying to try and help Scott out...

A New Interim release of 1.78i9 is there that checks for viruses first in
this case...  version i8 blocked by extension first...

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Darrell LaRock
Sent: Wednesday, March 03, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Question: Do the new zip commands reject the
file extension and not pass the file to the virus scanner


Running 1.78i8 on Declude Virus Pro.

Have both the BANEXT EZIP and BANEZIPEXTS ON in virus.cfg

Question:

Currently does the BANEXT EZIP and BANEZIPEXTS ON commands block the mail
based on the file extension and not scan the email with the configured virus
scanner (See snippet #1 below) i.e. the virus scanner is not called or
doesn't appear to be?

When checking the file which was banned it does contain a virus (Bagle/h
pwd) which was being detected fine prior to the new zip features (see
snippet #2)?

Issue: Currently the files which should be caught by the virus scanner are
not being caught by the scanner BUT being rejected due to the file extension
which then generates the bannotify.eml (as you can see from below we now
have that turned off right now).  Previously (prior to the new zip features)
banned extensions (see snippet #3) would appear to be scanned by the scanner
and if a virus was found it would not generate the bannotify.eml.

Snippet #1
03/03/2004 11:04:16 Q01fea15f01b20d9a MIME file: Letter.zip [base64; Length=20780 Checksum=2629640]
03/03/2004 11:04:16 Q01fea15f01b20d9a Banning .ZIP file with exe extension.
03/03/2004 11:04:16 Q01fea15f01b20d9a Scanned: Banned file extension. [MIME: 2 20916]
03/03/2004 11:04:16 Q01fea15f01b20d9a Couldn't open E-mail file e:\imail\Declude\BANnotify.eml.
03/03/2004 11:04:16 Q01fea15f01b20d9a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
03/03/2004 11:04:16 Q01fea15f01b20d9a Subject: ^_^ meay-meay!

Snippet #2
03/02/2004 15:30:25 Qeede7761020e584c MIME file: Letter.zip [base64; Length=20859 Checksum=2628208]
03/02/2004 15:30:25 Qeede7761020e584c Scanner 1: Virus= the W32/Bagle.gen!pwdzip (ED) virus !!! Attachment=Letter.zip [10] O
03/02/2004 15:30:25 Qeede7761020e584c File(s) are INFECTED [ the W32/Bagle.gen!pwdzip (ED) virus !!!: 13]
03/02/2004 15:30:25 Qeede7761020e584c Scanned: CONTAINS A VIRUS [MIME: 2 20975]
03/02/2004 15:30:25 Qeede7761020e584c From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 66.188.246.138]
03/02/2004 15:30:25 Qeede7761020e584c Subject: Hey, ya! =))

Snippet #3
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [text/html][quoted-printable; Length=5254 Checksum=412704]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [image/gif][base64; Length=3639 Checksum=424621]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [image/gif][base64; Length=359 Checksum=35758]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: Update28.exe [base64; Length=106496 Checksum=9386997]
02/25/2004 00:03:52 Q2cb6170b005aec2b Banning file with exe extension [application/x-msdownload].
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanner 1: Virus= the W32/[EMAIL PROTECTED] virus !!! Attachment=Update28.exe [10] O
02/25/2004 00:03:53 Q2cb6170b005aec2b File(s) are INFECTED [ the W32/[EMAIL PROTECTED] virus !!!: 13]
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 5 117540]
02/25/2004 00:03:53 Q2cb6170b005aec2b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 210.150.150.240]
02/25/2004 00:03:53 Q2cb6170b005aec2b Subject: New Net Patch

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 11:00 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Summary of new options

With the latest interim release, you can use:

BANEXT EZIP - This line will ban all .ZIP files with an
encrypted file in them
BANZIPEXTS ON   - This line (Pro version only) will ban all file extensions
listed in BANEXT lines, if they appear in non-encrypted .ZIP files
BANEZIPEXTS ON  - This line (Pro version only) will ban all file extensions
listed in BANEXT lines, if they appear in encrypted .ZIP files

Also, the latest interim (with the Pro version only) will detect bogus
.BAT/.COM/.PIF/.SCR files (automatically as vulnerabilities, with no need
for config file entries).

If you are having any troubles with these, please re-read the information
on them, and then be very clear what is happening.  There are a lot of
possibilities here.  You'll need to specify [1] Whether you are using
BANZIPEXTS ON or BANEZIPEXTS ON (or the not-recommended-but-still-useful
BANEXT EZIP), [2] Whether you have a BANEXT line to block the appropriate
file (BANEXT com, for example), [3] What type of file you are sending
through (.com? .com within a .zip?), [4] If it is a .ZIP file, is the file
inside it