RE: [Declude.Virus] re: [1EE-0F3A4F36-9FAD] You do not have permission to post to the declude.virus@declude.com list

2008-02-05 Thread Rick Klinge
Will you morons please remove me from your spam list?

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 04, 2008 10:33 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] re: [1EE-0F3A4F36-9FAD] You do not have permission
to post to the declude.virus@declude.com list

 

Thank you for submitting a ticket to support. Your ticket number is
[1EE-0F3A4F36-9FAD].

Please keep this ticket number for your records and include it in the
subject (including brackets) of all future emails regarding this issue.

The response time during business hours is usually within 24 hours, if you
have had no response in this time please do not hesitate to call our support
number 1-866-332-5833

Thank You.

Declude Technical Support



view http://support.declude.com/customer/viewticket.aspx?email=declude.virus%40declude.comticketnum=1EE-0F3A4F36-9FAD this ticket online
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com. 




RE: [Declude.Virus] re: [072-0DC11263-CB79] You do not have permission to post to the declude.virus@declude.com list

2007-04-24 Thread Rick Klinge
I didn't file a ticket.. what is this?
 
Rick



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 24, 2007 7:09 PM - MGMT
To: declude.virus@declude.com
Subject: [Declude.Virus] re: [072-0DC11263-CB79] You do not have permission
to post to the declude.virus@declude.com list



Thank you for submitting a ticket to support. Your ticket number is
[072-0DC11263-CB79].

Please keep this ticket number for your records and include it in the
subject (including brackets) of all future emails regarding this issue.

The response time during business hours is usually within 24 hours, if you
have had no response in this time please do not hesitate to call our support
number 1-866-332-5833

Thank You.


Declude Technical Support



view http://support.declude.com/customer/viewticket.aspx?email=declude.virus%40declude.comticketnum=072-0DC11263-CB79 this ticket online

RE: [Declude.Virus] Current Version of Clam AV

2007-03-01 Thread Rick Klinge
http://www.asspsmtp.org/wiki/ClamAV_Win32

Try that.. Maybe it will work better with Declude?

~Rick 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Scott Fisher
 Sent: Thursday, March 01, 2007 2:05 PM - MGMT
 To: declude.virus@declude.com
 Subject: Re: [Declude.Virus] Current Version of Clam AV
 
 I'm definitely still getting them with Clam .90
 
 They only happen here when I run clamav as a service. When I 
 run it as a non-service (which is CPU foolish), I don't get these.
 
 I also use the clamscan wrapper (runclamscan.exe), so that 
 might be in the mix.
 
 - Original Message -
 From: Gary Steiner [EMAIL PROTECTED]
 To: declude.virus@declude.com
 Sent: Thursday, March 01, 2007 11:57 AM
 Subject: Re: [Declude.Virus] Current Version of Clam AV
 
 
 Does anyone want to comment on what might be causing the error?  Is this a
 ClamAV problem or a Declude problem?  It seems that the normal mechanism for
 deleting those files is somehow interrupted.  Is there a way in Declude to
 increase the time allocated to each antivirus process?
 
 Though since I upgraded to SOSDG's version 0.90-1, I haven't seen any
 leftover .vir directories.
 
 
  Original Message 
  From: Brian T. [EMAIL PROTECTED]
  Sent: Thursday, March 01, 2007 11:53 AM
  To: declude.virus@declude.com
  Subject: Re: [Declude.Virus] Current Version of Clam AV
 
  Does anyone know of a way to fix this problem with the leftover .vir
  directories?
 
  I was thinking about switching to ClamAV from F-Prot but don't want to
  constantly be cleaning up leftover files.
 
  Thanks,
 
  Brian
- Original Message - 
From: Darrell ([EMAIL PROTECTED])
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:44 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV
 
 
In my normal maintenance window (once a week) all services are stopped
and I clean out the work, error, proc, spool, and review folders.  Since I
stop CLAMAV as well I am able to delete those directories.
 
Darrell
 

 --
 --
Check out http://www.invariantsystems.com for utilities 
 for Declude And 
  Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
 integration, 
  MRTG Integration, and Log Parsers.
  - Original Message - 
  From: Stephan
  To: declude.virus@declude.com
  Sent: Tuesday, February 27, 2007 11:22 AM
  Subject: Re: [Declude.Virus] Current Version of Clam AV
 
 
  Thanks for responding. I can't delete them until I restart the ClamAV
  service. Do you have a way of automatically deleting them, or do you
  schedule a task to restart ClamAV and then delete them? I tried using a
  schedule task but for some reason they still don't get deleted (but it's
  possible to do it manually.)
 
  -Original Message-
  From: Darrell ([EMAIL PROTECTED]) 
  [EMAIL PROTECTED]
  Sent 2/27/2007 10:17:46 AM
  To: declude.virus@declude.com
  Subject: Re: [Declude.Virus] Current Version of Clam AV
 
  FWIW - I have always had left over directories from .84 on up.
 
  Darrell
  
- Original Message - 
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 8:41 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV
 
 
I am also running the 0.90-1, and it's working fine, except I still
get leftover .vir directories inside the declude/proc dir. The error in
the clamav log shows:
- d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary directory ERROR
I've tried checking permissions, and made sure I have the clamav
tmpdir variable set to my clamav tmp dir (which fixed a similar error that
stopped the clamav service from starting.) But I haven't been able to fix
this one. Anyone know how to fix this error?
Thanks.
 
-Original Message-
From: Darrell ([EMAIL PROTECTED]) 
  [EMAIL PROTECTED]
Sent 2/26/2007 1:30:43 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV
 
 
  Gary,
 
  I upgraded on Friday and have not run into any issues.
 
  Darrell
 
  
 
  - Original Message - 
  From: Gary Steiner [EMAIL PROTECTED]
  To: 

RE: [Declude.Virus] F-Prot down?

2006-12-18 Thread Rick Klinge
Obviously not down in the upper 48's.. Working well from here ~ confirmed.
Always run multiple scanners.. And then some homebrew..

~ Rick


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Dodell
 Sent: Monday, December 18, 2006 11:37 PM - MGMT
 To: declude.virus@declude.com
 Subject: Re: [Declude.Virus] F-Prot down?
 
 
 
 On Dec 18, 2006, at 9:27 PM, Ncl Admin wrote:
 
  Down here as well on two different circuits.  Tracert times out in
  Germany somewhere or other.
 
 Obviously a good reason to be running multiple scanners.
 
 
 
 
 _
 Virus Scanned and Filtered by - http://www.FamHost.com E-Mail System.
 
 




RE: [Declude.Virus] new Spam report from Sophos

2004-03-02 Thread Rick Klinge
The top 10 is: 

uu.net 
chinanet-gd 
kornet.net 
above.net 
chinanet-cq 
level3.net 
exodus.net 
hinet.net 
cw.net 
interbusiness.it

http://www.theregister.co.uk/content/55/35937.html

~Rick

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Tuesday, March 02, 2004 2:19 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] new Spam report from Sophos
 
 
 
 Beside this Top10 list here are my comments:
 
 Can someone explain me how much spam he's blocking from the 
 following CIDR ranges?
 
 193.70.192.0/24
 212.216.176.0/24
 193.70.192.0/24
 80.180.0.0/16
 80.181.0.0/16
 80.182.0.0/16
 80.117.0.0/16
 80.206.0.0/16
 62.123.123.0/24
 
 These IP ranges (large Italian ISPs) are listed in several IP 
 blacklists for over 6 months now. For sure they aren't spam 
 free, but on the other side I can see a lot of spam coming 
 from .pacbell.net networks.
 
 
 Beside this there is an interesting article about trojans (in 
 this case
 Randex) used as spam-proxy in the latest edition of c't 
 (german computer
 magazine)
 
 English translation: http://www.heise.de/english/newsticker/news/44879
 
 In the printed version of this article there is a more 
 detailed explanation how they've tracked down these guys. 
 After disassembling the code they've installed it on a 
 dedicated machine and watched the network traffic. This 
 trojan works as an IRC-Bot and can execute nearly any command 
 that his commander orders.
 
 - Over 11000 bots under his control
 - possible DDOS attacks with 1,5 Gbit/s
 - collection of software serial numbers from infected machines.
 - spam proxies (zombies)
 - The bot is able to download new updated versions of himself.
 - and so on and so on...
 
 Interesting:
 - Author and commander of this bot is the developer of a 
 known IRC Server software.
 - It looks like AV companies like NAI have found the same 
 information as this student in the disassembled code but 
 haven't forwarded any information to Scotland Yard or FBI. 
 Symantec explained that they have a large profit from the 
 increased security need caused by such viruses.
 
 No more comment needed.
 
 Markus
 
 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]



RE: [Declude.Virus] X-Declude-Status: Waiting for activation code

2004-03-02 Thread Rick Klinge
 Installed newest declude file and I'm still getting
 
 (X-Declude-Status: Waiting for activation code) within the 
 email header
 
 Anyone know of a hack or hex editor I can use to fix this?
 
 If you upgrade to the latest interim it will remove that line.
 

Scott.. I did download and installed it.. 

Declude 1.78i6 (C) Copyright 2000-2004 Computerized Horizons.

Is this the wrong one?

~Rick



RE: [Declude.Virus] X-Declude-Status: Waiting for activation code

2004-02-20 Thread Rick Klinge
Scott,

Is this version for the declude virus or all the declude products?

Thanks,

~Rick


 
 I haven't seen an answer to this thread.  Ver 1.78 shows Waiting for 
 activation code, but reinstalling 1.77 will get rid of the 
 X-Declude-Status line.  Ver 1.78 still works, but it sure is a 
 heart-stopper to see this in a header and think your virus 
 protection 
 isn't working...
 
 The latest interim at http://www.declude.com/interim takes care of 
 this.  That line doesn't actually indicate a problem (so 1.78 
 functions 
 properly, although if you run Declude Virus but not Declude 
 JunkMail that 
 line can incorrectly appear in the headers).
 



RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Rick Klinge
Symantec labeled it [EMAIL PROTECTED]  HA.. I just label it an exe attachment
virus and carry on.  Surprisingly, since I thought most email admins block
exe attachments, this one is moving fast.

~Rick 

 
  F-Prot calls it w32/[EMAIL PROTECTED]
 
 You mean Bagle and not Bagel  ?!
 



RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Rick Klinge
I chuck it with ASSP and if it makes it past that then declude should kick
it via the ban extension exe.  If still passes that then hopefully the
F-Prot will woof it.

~Rick

Using mail server mail.famhost.com.
220 ict-famhost.email.system X1
HELO www.declude.com
250 hello JaRay.net
MAIL FROM: 
250 ok
RCPT TO: 
250 ok its for 
DATA
354 ok, send it; end with .
[Body of E-mail]
500 Executable attachments are not allowed -- Compress before mailing.
Sorry, an error occurred!

 
  Symantec labeled it [EMAIL PROTECTED]  HA.. I just label it an
  exe attachment virus and carry on.  
 
 
 Well, you can try to add
 
 FORGINGVIRUS exe attachment virus
 
 ...but I expect this will not change anything.  
 



RE: [Declude.Virus] Mail Freezing up...

2004-02-06 Thread Rick Klinge
There's also a 4th value that is used for terminal server, not to exceed
3072, ie: SharedSection=1024,3072,2048,512

~Rick


 
 Hello,
 
 It's a very long story how I got to this answer for our mail 
 servers, but if you do the following registry change I'll bet 
 a cup of coffee that your problem goes away and your server 
 has some minor increase in overall capacity. This change 
 adjusts the size of desktop heaps created by non-interactive 
 services.  The default from Microsoft is 512.  After some 
 research and lots of testing 2048 is our magic number.  This 
 will not actually require more installed RAM on your server, 
 but is mysteriously helpful.
 
  2.  Under the HKEY_LOCAL_MACHINE subtree, go to the following
 subkey:
 
 \System\CurrentControlSet\Control\Session Manager\SubSystems\Windows
 
 The default data for this value may look something like the 
 following (all on one line): 
 
 
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,3072 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
MaxRequestThreads=16

 
 You must make the following change to this value:
 
 Scan along the line until you reach the part that defines the 
 SharedSection values and add ,2048 after the second number. 
 This value should now look something like the following:
 
 
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,3072,2048 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
MaxRequestThreads=16

 
 After making this change, quit Regedt32, and then restart the server.
 
 
 I am assuming you are running Windows 2000 Server and have 
 not confirmed this Windows 2003.
 
 Some of the above info is referenced in the following 
 Microsoft article 
 http://support.microsoft.com/default.aspx?scid=kb;EN-US;q142676
 
 Let me know how it works for you.
 
 Troy
 
  
  Hey Guys,
  
  I am having a problem here... not sure if it is with 
 declude or with 
  f-prot. Thought I would ask here. What is happening is 
 this.  My mail 
  will be coming in, I run task manager and see many declude.exe 
  running.  then all of a sudden mail will not come in.  when I check 
  the task manager this time.. I have many upon many smtp32.exe just 
  sitting there.  The reason I think it might be a declude/f-prot 
  problem is a few months ago I kept getting an error message with 
  F-Prot.exe, and I would have to reboot the machine.  I then changed 
  the config file to use fpcmd.exe.  Could this be locking up now and 
  cause declude to freeze.
  
  Bennie
  
  

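The SharedSection edit described in the message above, as an added example that is not part of the original posts: it rewrites only the SharedSection token of the long one-line value and leaves every other token untouched. The function names are hypothetical, and the sample string is the default value quoted in the thread; on a live server the string would be read from and written back to the registry value named above.

```python
import re

# Matches the SharedSection token and captures its comma-separated sizes.
SHARED = re.compile(r"\bSharedSection=(\d+(?:,\d+)*)")

# Default value as quoted in the thread, joined onto one line.
DEFAULT = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,3072 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    r"MaxRequestThreads=16"
)


def parse_shared_section(value):
    """Return the SharedSection sizes as a list of integers."""
    match = SHARED.search(value)
    if match is None:
        raise ValueError("no SharedSection token in value")
    return [int(field) for field in match.group(1).split(",")]


def set_noninteractive_heap(value, size_kb=2048):
    """Set the third SharedSection field, adding it when only two exist.

    A fourth field, if one is already present, is kept as it is.
    """
    fields = parse_shared_section(value)
    if len(fields) < 2:
        raise ValueError("SharedSection needs at least two fields")
    if len(fields) == 2:
        fields.append(size_kb)
    else:
        fields[2] = size_kb
    token = "SharedSection=" + ",".join(str(field) for field in fields)
    # A function replacement avoids any backslash handling in the new text.
    return SHARED.sub(lambda _match: token, value, count=1)


if __name__ == "__main__":
    print(set_noninteractive_heap(DEFAULT))
```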


RE: [Declude.Virus] Kudos on saving me from myself

2004-02-05 Thread Rick Klinge
Umm.. Don't you need to delete the blank line(s), within your *.eml files,
right after your SKIPIFVIRUSNAMESHAS .. ??

~Rick

 
 I recently added a couple of new SKIPIFVIRUSNAMEHAS entries 
 to my .eml files.  Then I noticed that I was no longer 
 receiving any notifications at all.  Upon reviewing the log, I found:
 
 02/05/2004 08:29:59 Q4557000602c0a66d ERROR: No recipients in D:\IMail\Declude\POSTMASTER.eml (is there a To: line before the first blank line?)
 02/05/2004 08:29:59 Q4557000602c0a66d ERROR: No recipients in D:\IMail\Declude\RECIP.eml (is there a To: line before the first blank line?)
 02/05/2004 08:29:59 Q4557000602c0a66d ERROR: No recipients in D:\IMail\Declude\SENDER.eml (is there a To: line before the first blank line?)
 
 Thanks Scott for the extra touches like this that help make 
 our lives easier, in spite of our best efforts ;-)
 



RE: [Declude.Virus] Kudos on saving me from myself

2004-02-05 Thread Rick Klinge
Posting to my post.. Sorry.. Something like this or is mine wrong?
Omit the dashes -

~Rick

--
SKIPIFVIRUSNAMEHAS  Braid
SKIPIFVIRUSNAMEHAS  Bridex
SKIPIFVIRUSNAMEHAS  Bugbear
SKIPIFVIRUSNAMEHAS  Dumar
SKIPIFVIRUSNAMEHAS  Fizzer
SKIPIFVIRUSNAMEHAS  Ganda
SKIPIFVIRUSNAMEHAS  Holar
SKIPIFVIRUSNAMEHAS  Hybris
SKIPIFVIRUSNAMEHAS  Klez
SKIPIFVIRUSNAMEHAS  Lentin
SKIPIFVIRUSNAMEHAS  Magistr
SKIPIFVIRUSNAMEHAS  Mimail
SKIPIFVIRUSNAMEHAS  Mydoom
SKIPIFVIRUSNAMEHAS  Palyh
SKIPIFVIRUSNAMEHAS  Sober
SKIPIFVIRUSNAMEHAS  Sobig
SKIPIFVIRUSNAMEHAS  Torvil
SKIPIFVIRUSNAMEHAS  Trojan
SKIPIFVIRUSNAMEHAS  Unknown
SKIPIFVIRUSNAMEHAS  Vulnerability
SKIPIFVIRUSNAMEHAS  Yaha
SKIPIFSENDER @boss.com
From: [EMAIL PROTECTED]
To: %MAILFROM%
Subject: WARNING: YOU MAY HAVE A VIRUS

The Anti Virus software on %LOCALHOST% has reported that you sent
an E-mail to %ALLRECIPS%, containing the %VIRUSNAME% virus
in the %VIRUSFILE% attachment.  The subject of the E-mail was %SUBJECT%.
  
The E-mail containing the virus has been quarantined to prevent further
damage. There are many freely available Anti-Virus Software programs.

Please navigate to ( http://www.pandasecurity.com ) to obtain free
software tools to help you remove viruses on your computer.

[EMAIL PROTECTED]

Headers Follow:
%HEADERS%


 Umm.. Don't you need to delete the blank line(s), within your 
 *.eml files, right after your SKIPIFVIRUSNAMESHAS .. ??
 
 ~Rick
 
  
  I recently added a couple of new SKIPIFVIRUSNAMEHAS entries
  to my .eml files.  Then I noticed that I was no longer 
  receiving any notifications at all.  Upon reviewing the 
 log, I found:
  
  02/05/2004 08:29:59 Q4557000602c0a66d ERROR: No recipients in D:\IMail\Declude\POSTMASTER.eml (is there a To: line before the first blank line?)
  02/05/2004 08:29:59 Q4557000602c0a66d ERROR: No recipients in D:\IMail\Declude\RECIP.eml (is there a To: line before the first blank line?)
  02/05/2004 08:29:59 Q4557000602c0a66d ERROR: No recipients in D:\IMail\Declude\SENDER.eml (is there a To: line before the first blank line?)
  
  Thanks Scott for the extra touches like this that help make
  our lives easier, in spite of our best efforts ;-)
  
 

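A pre-deployment check for the notification templates discussed above, as an added example that is not part of the original posts and not Declude's own code. It assumes, from the logged error text, that the header block ends at the first blank line and that directive lines start with SKIPIF as in the quoted templates; the function name and the sample addresses are constructed.

```python
import re

# Directive names as they appear in the templates quoted in this thread
# (SKIPIFVIRUSNAMEHAS, SKIPIFSENDER, SKIPIFFORGING).
DIRECTIVE = re.compile(r"^SKIPIF[A-Z]*\b")
HEADER = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def lint_template(text):
    """Return (line_number, message) findings for one notification template."""
    lines = text.splitlines()
    # Assumption taken from the logged error: headers stop at the first blank line.
    first_blank = next(
        (i for i, line in enumerate(lines) if not line.strip()), len(lines)
    )
    findings = []
    headers = {}
    for number, line in enumerate(lines[:first_blank], start=1):
        if DIRECTIVE.match(line):
            continue
        match = HEADER.match(line)
        if match:
            headers[match.group(1).lower()] = match.group(2).strip()
        else:
            findings.append((number, f"neither directive nor header: {line!r}"))
    if not headers.get("to"):
        findings.append((first_blank + 1, "no To: line before the first blank line"))
    # Anything below the blank line is body text, so report what got stranded there.
    for number, line in enumerate(lines[first_blank + 1:], start=first_blank + 2):
        if DIRECTIVE.match(line):
            findings.append((number, "directive below the first blank line"))
        elif line.lower().startswith("to:") and "to" not in headers:
            findings.append((number, "To: header below the first blank line"))
    return findings


# Constructed samples modelled on the template posted in the thread.
GOOD = """SKIPIFVIRUSNAMEHAS  Klez
SKIPIFSENDER @boss.com
From: postmaster@example.test
To: %MAILFROM%
Subject: WARNING: YOU MAY HAVE A VIRUS

The Anti Virus software on %LOCALHOST% has reported that you sent
an E-mail to %ALLRECIPS%, containing the %VIRUSNAME% virus.
"""

# Same template with a blank line left after the SKIPIF entries.
BROKEN = """SKIPIFVIRUSNAMEHAS  Klez
SKIPIFVIRUSNAMEHAS  Mydoom

From: postmaster@example.test
To: %MAILFROM%
Subject: WARNING: YOU MAY HAVE A VIRUS

The Anti Virus software on %LOCALHOST% has reported a virus.
"""

if __name__ == "__main__":
    for name, template in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(name, lint_template(template))
```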


RE: [Declude.Virus] 20 FORGINGVIRUS line limit in 1.75 and earlier releases

2004-02-05 Thread Rick Klinge
Well Great!.. I learned something new today. 

Thanks Kami,

~Rick
 
 
 Rick:
 
 It seems like you want to skip mailing the email if the 
 sender is forged. With the latest release you can do the 
 following.  This is our sender.eml file.  Using skipifforging 
 you don't have to keep track of the forging viruses.
 
 Regards,
 kami
 
 ===
 SKIPIFFORGING
 From: [EMAIL PROTECTED]
 To: %MAILFROM%
 Subject: WARNING: YOU MAY HAVE A VIRUS
 Time: %TIME%
 
 The Declude Virus software on %LOCALHOST% has reported that you 
 sent an E-mail to:
 
 Recipients: %ALLRECIPS%, containing the %VIRUSNAME% virus in 
 the %VIRUSFILE% attachment.  The subject of the E-mail was 
 %SUBJECT%.  
 The E-mail containing the virus has been deleted  not 
 delivered to prevent further damage.
 
 Headers Follow:
 %HEADERS%
 = 
 



RE: [Declude.Virus] Banned Extensions at Bechtel

2004-01-28 Thread Rick Klinge
We ban a lot more than that.  Some files we ban, source code, is to prohibit
the sending/receiving of proprietary code.  Although this may help stop the
theft of software/source code it's not perfect.

~Rick

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of R. Lee Heath
 Sent: Wednesday, January 28, 2004 6:04 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] Banned Extensions at Bechtel
 
 
 Thought some here would find this interesting. This is the 
 banned extensions at Bechtel.. the prominent information 
 resource... and their responder message.
 
  File(s): document.scr
  
  Matching filename: *.scr
 
  Your attachment did not reach the intended recipient.  To protect 
  Bechtel's network from  viruses or other potentially harmful files, 
  the following types of attachments are not allowed to enter 
 or leave 
  the Bechtel network:
  
  . ADE  Microsoft Access Project Extension
  . ADP  Microsoft Access Project
  . BAS  Visual Basic Class Module
  . BAT  Batch File
  . CHM  Compiled HTML Help File
  . CMD  Windows NT Command Script
  . COM  MS-DOS Application
  . CPL  Control Panel Extension
  . CRT  Security Certificate
  . EXE  Application
  . HLP  Windows Help File
  . HTA  HTML Applications
  . INF  Setup Information File
  . INS  Internet Communication Settings
  . ISP  Internet Communication Settings
  . JS   JScript File
  . JSE  JScript Encoded Script File
  . LNK  Shortcut
  . MSC  Microsoft Common Console Document
  . MSI  Windows Installer Package
  . MSP  Windows Installer Patch
  . MST  Visual Test Source File
  . PCD  Photo CD Image
  . PIF  Shortcut to MS-DOS Program
  . REG  Registration Entries
  . SCR  Screen Saver
  . SCT  Windows Script Component
  . SHS  Shell Scrap Object
  . URL  Internet Shortcut (Uniform Resource Locator)
  . VB   VBScript File
  . VBE  VBScript Encoded Script File
  . VBS  VBScript Script File
  . WSC  Windows Script Component
  . WSF  Windows Script File
  . WSH  Windows Scripting Host Settings File
  
  
  To successfully send an attachment listed above to or from 
 the Bechtel 
  network, try one of the following options:
  1.) Rename the file before attaching it to the email.  For 
 example, rename EXAMPLE.EXE to EXAMPLE_EXE.  Make sure to add 
 a note in the email to rename the extension back to .EXE when 
 it arrives.
  2.) ZIP the file and rename to a file type not listed 
 above.  Attach the ZIP file to the email.
  3.) Instead of sending URL attachments, copy and paste the 
 Web address into the email (i.e. http://www.example.com/default.htm).
  
  For further assistance within Bechtel, please contact your local 
  helpdesk.
 
 
 --
 Roger Heath
 [EMAIL PROTECTED]
 www.rleeheath.com
 
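An attachment check built from the extension list quoted in the message above, as an added example that is not part of the original posts and not Declude's or Bechtel's code. It goes one step beyond the extension list: it also reads member names inside ZIP attachments and flags a file that starts with the `MZ` executable signature under a name the list would pass, which is what the rename workaround in the responder message produces. The function names and the sample message are constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions from the responder message quoted in this thread.
BANNED = frozenset(
    "ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk "
    "msc msi msp mst pcd pif reg scr sct shs url vb vbe vbs wsc wsf wsh".split()
)


def extension(name):
    """Return the lower-cased final extension of a filename, or ''."""
    # Windows ignores trailing dots and spaces, so 'a.exe. ' opens as 'a.exe'.
    name = name.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def check_message(raw):
    """Return (name, reason) for every attachment the policy would hold back."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if extension(name) in BANNED:
            findings.append((name, "banned extension"))
        elif data[:2] == b"MZ":
            findings.append((name, "executable content under another name"))
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if extension(member) in BANNED:
                        findings.append(
                            (f"{name}!{member}", "banned extension inside ZIP")
                        )
    return findings


def build_sample():
    """Construct a test message; the attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    stub = b"MZ\x90\x00 constructed placeholder, not a program"
    for filename in ("document.scr", "EXAMPLE_EXE"):
        msg.add_attachment(
            stub, maintype="application", subtype="octet-stream", filename=filename
        )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("setup.exe", stub)
        archive.writestr("readme.txt", b"constructed")
    msg.add_attachment(
        buffer.getvalue(), maintype="application", subtype="zip", filename="tools.zip"
    )
    msg.add_attachment(
        b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
        filename="report.pdf",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample()):
        print(finding)
```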


RE: [Declude.Virus] Banned Extensions at Bechtel

2004-01-28 Thread Rick Klinge
That's all up to your acceptable use policy concerning email and
attachments.  Most corps have folks zip the files.. Some lately even rename
them to something else like *.duh and just have the recipient rename it back
to zip and business as usual.  I for one.. Send all kinds of attachments..
And it is frustrating at 1st to zip everything prior to emailing.. but
renaming files now is getting hard to swallow.  The only other alternative
that comes to mind is ftp.. and well.. I think we all can guess where that
would go..

~Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, January 28, 2004 6:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Banned Extensions at Bechtel


I'm torn between ultimate virus protection and not inhibiting users.

My thoughts in blocking things like SCR and PIF files is that they are
almost never sent for legitimate reasons, but EXE's are. I also do Web design
and have Web design clients that send things like JS files back and forth.
If these start becoming common in viruses, I will ban them as well.  I think
the only reason why EXE's aren't as common is because so many systems block
them so they go for things more obscure like PIF's and SCR's.  Anything
capable of auto-executing should be banned, however those issues seem to
have been mostly cleaned up from Outlook.  I just don't know enough to
determine what exactly I should be blocking, and like you indicated, one of
the entries in this list has to be compiled first.

So where's the middle ground between the ultimate and enabling people to do
their work without jumping through hoops?

Matt



Todd Holt wrote:

I would suggest that you ban any extension that can either auto-execute or
be executed by double-clicking on the attachment.  And by executed I mean
to perform an action on the system that could be used for malicious
purposes.  We ban .exe files because the user could execute the attachment
by simply single clicking the attachment in some cases.  However, an .exe
file in a .zip file would require the user to accidentally click twice,
once in the mail client and a second time in zip program.  That protection
could be taken to the point of prohibiting all .exe files, which is
certainly not the intent in most cases.

Todd Holt 
Xidix Technologies, Inc 
Las Vegas, NV  USA 
www.xidix.com 
702.319.4349 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, January 28, 2004 4:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Banned Extensions at Bechtel

This list is generated from Microsoft's default exclusions in Outlook (the
$500 billion virus solution is to turn off all executable attachments...)

I'm not a fan of going overboard here, especially with things that I don't
understand where they might be used (and I'm well aware that others
disagree).  I ban about 5 extensions and that seems to have done the trick
with most of these viruses lately as a pre-emptive solution.  I allow EXE
files through my server also, and no customers (including systems
integrators) have asked that I block things like EXE's.  I'm sure that I
could expand my list a bit more without harm, but I'm thinking there is a
middle ground between where I am and where this list goes.

Feel free to point out the flaws in my thinking.

BTW, I like the format of this notification.

Matt



R. Lee Heath wrote:
Thought some here would find this interesting. This is the banned
extensions at Bechtel.. the prominent information resource... and
their responder message.
 
  
File(s): document.scr
 
Matching filename: *.scr
 
Your attachment did not reach the intended recipient.  To protect Bechtel's
network from  viruses or other potentially harmful files, the following
types of
attachments are not allowed to enter or leave the Bechtel network:
 
. ADE  Microsoft Access Project Extension
. ADP  Microsoft Access Project
. BAS  Visual Basic Class Module
. BAT  Batch File
. CHM  Compiled HTML Help File
. CMD  Windows NT Command Script
. COM  MS-DOS Application
. CPL  Control Panel Extension
. CRT  Security Certificate
. EXE  Application
. HLP  Windows Help File
. HTA  HTML Applications
. INF  Setup Information File
. INS  Internet Communication Settings
. ISP  Internet Communication Settings
. JS   JScript File
. JSE  JScript Encoded Script File
. LNK  Shortcut
. MSC  Microsoft Common Console Document
. MSI  Windows Installer Package
. MSP  Windows Installer Patch
. MST  Visual Test Source File
. PCD  Photo CD Image
. PIF  Shortcut to MS-DOS Program
. REG  Registration Entries
. SCR  Screen Saver
. SCT  Windows Script Component
. SHS  Shell Scrap Object
. URL  Internet Shortcut (Uniform Resource Locator)
. VB   VBScript File
. VBE  VBScript Encoded Script File
. VBS  VBScript Script File
. WSC  Windows Script Component
. WSF  Windows Script File
. WSH  Windows Scripting Host 

RE: [Declude.Virus] BANEXT

2004-01-26 Thread Rick Klinge
Geeze.. So you want the virus to only affect certain users?

~Rick

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Robert 
 Grosshandler
 Sent: Monday, January 26, 2004 9:19 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] BANEXT
 
 
 Thanks to all for the quick notification of the new virus.  
 We seemed to have escaped any harm.
 
 We immediately put BANEXT zip into our virus.cfg file, and 
 that seemed to be a good thing.
 
 Now I'm thinking about lowering our protection back to where it was.
 
 Is it possible, with Virus Standard, and/or Junkmail Pro, to 
 ban by extension for just some users?
 
 Or, better yet, conversely ban an extension for all users 
 EXCEPT certain power users?
 
 Inquiring minds want to know.
 
 Thanks in advance
 
 Rob
 
 
www.iGive.com
Turn your online shopping into cash for your charity.

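A sketch of the per-recipient extension ban asked about in the BANEXT message above, as an added example that is not Declude's code or configuration and not from any poster. It checks attachment names against a subset of the Bechtel list and looks inside zip attachments instead of banning every zip; the power-user address, function names and sample message are assumptions constructed for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subset of the Bechtel list quoted earlier on this page.
BANNED = {"bat", "cmd", "com", "exe", "lnk", "pif", "scr", "vbs"}
# Hypothetical exemption list: recipients allowed to receive banned types.
POWER_USERS = {"admin@example.test"}

def ext(name):
    """Final extension, lowercased; Windows ignores trailing dots and spaces."""
    name = name.strip().rstrip(". ")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def banned_names(raw, recipient):
    """Return attachment (or zip member) names that violate the policy."""
    if recipient.lower() in POWER_USERS:
        return []
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ext(name) in BANNED:
            hits.append(name)
        elif ext(name) == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                    hits += [f"{name}:{m}" for m in zf.namelist() if ext(m) in BANNED]
            except zipfile.BadZipFile:
                hits.append(name)  # unreadable archive: fail closed
    return hits

def build_sample():
    """Constructed test message: one double-extension file and one zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("photo.jpg.EXE", "not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "sample"
    msg.set_content("constructed sample")
    msg.add_attachment(b"x", maintype="application", subtype="octet-stream",
                       filename="document.txt.scr")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="private.zip")
    return msg.as_bytes()
```

Only the last extension decides, so `document.txt.scr` is caught by the `scr` rule, and a zip is rejected only when a member name matches.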


RE: [Declude.Virus] New virus in town..

2003-11-26 Thread Rick Klinge
Yes.. I think another poster recommended adding Private.zip into the declude
virus.cfg file to block that attachment

~Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan
Sent: Wednesday, November 26, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] New virus in town..


Hi;
I think this is the one that was reported by Matt earlier..

Here is some release..

http://www.eweek.com/article2/0,4149,1396835,00.asp?kc=EWNWS112603DTX1K599

The Trojan arrives in an e-mail with an attachment that is zipped and
contains an executable. The e-mail begins:
Hello my dear Mary,
I have been thinking about you all night. I would like to apologize for the
other night when .
The message then goes into more explicit detail.
The e-mail comes from [EMAIL PROTECTED] and the subject line says
Re[2]: Mary.
===
Perhaps a block on:  [EMAIL PROTECTED]  is in order just in case.
Regards,
Kami



RE: [Declude.Virus] containing the Unknown Virus

2003-10-28 Thread Rick Klinge
Is this true for the DOS version of f-prot too?

~Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Tuesday, October 28, 2003 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] containing the Unknown Virus



Thanks for the help.  I have included those files, plus the declude.log
file.  I look forward to hearing from you.

The problem is here:

SCANFILE D:\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt

This line should be changed to:

SCANFILE D:\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /DUMB /REPORT=report.txt

The /NOFLOPPY option caused fpcmd.exe to choke (and it prefers not to have
/NOBOOT, as well).

-Scott



RE: [Declude.Virus] F-prot

2003-09-29 Thread Rick Klinge
Pat,

Here's a start for you:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg72506.html

hth,

~Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pat Hastings
Sent: Monday, September 29, 2003 4:46 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] F-prot


Hi,

I am using f-prot as the av engine for declude but have noticed that
its auto update of file definitions only runs when there is a user
logged into a windows session. I see that it is possible to download the
virus definitions manually and that there is even a perl script to do it
for *nix servers. 

Has anyone got a nice little script that will do this for me on a Windows
server?

Regards,

Pat 


