RE: [Declude.Virus] OT: F prot as a desktop scanner
At 03:10 PM 08/01/2004, Douglas Cohn wrote:

> I have used it on client machines for the past 6 months and also find it equal to Norton Corp except for one thing. It handles mail clients differently in that it does not scan email as it comes in but instead seems to scan it only when you attempt to read it. Norton Corp seemed to catch the viruses as soon as the mail was popped and worked with the Exchange client very well also.

Only if you're using Microsoft clients. If you're using something like Eudora, which writes the attachments to disk as soon as they are received (and is also immune to attacks or exploits targeted at Outlook/Outlook Express), it alerts on the viruses immediately.
Re: [Declude.Virus] OT anyone know these guys ?
Hmm... They're asking for your bank card number, PIN, SSN, credit card number and date of birth. They also use perfect English, such as "your credit card will be frozen during 10 day". Looks pretty legitimate to me.

At 03:30 PM 10/15/2003, ISPhuset Nordic AS wrote:

> http://authorizations.net/ sending this mail as html, the webpage looks ok but I can't take such email seriously.
>
> Benny
>
> Attention! In our global system of monitoring there was a technical failure. In avoidance of frauds with your credit card enter the full data for authorization, otherwise your credit card will be frozen during 10 day.
>
> First name:
> Last name:
> Date of Birth:
> SSN:
> MMN:
> Alternative password: (max 8 char.)
> Full Name on Credit Card:
> Card Type: Visa / MasterCard / Amex / Diners Club
> Card Number:
> Expiry date:
> CVV2 code:
> ATM PIN (Bank Verification) #:
> Credit Card Billing Address:
> City:
> State/Province:
> Province if not US/Canada:
> Zip/Postal Code:
> Phone Number:
> Fax Number:
> Country: [drop-down list of every country]
>
> Authorizations.Net, an InfoSpace service, is the preferred global payment-processing service for e-commerce, enabling merchants to process secure transactions in real time, 24 hours a day. Authorizations.Net Payment Solutions process credit cards and electronic checks, and work with any business model, including Internet, broadband, wireless, call centers, and retail. More businesses are using Authorizations.Net to process their transactions over the Internet than any other payment solutions provider. Since 1996, Authorizations.Net has rapidly become a leading provider of Internet-based transaction services, with thousands of online and traditional business customers around the world. Authorizations.Net has also formed strategic alliances with leading financial institutions and technology partners to deliver the most comprehensive online authorization and processing services in the industry.
>
> Business Development: As the Internet's leading real-time payment processor, Authorizations.Net is the clear choice for e-commerce-related business development opportunities.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
[Declude.Virus] W32.Brid.A@mm
I have started seeing this worm getting through my Declude setup running F-Prot with up-to-date files (3.12b, definition files 10/7 2:32 pm):

http://securityresponse.symantec.com/avcenter/venc/data/w32.brid.a;mm.html

Anyone else?

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
[Declude.Virus] RAMDisk
Is anyone using a RAMDisk on their server (with F-Prot) to attempt to speed things up and lessen the load on the hard drives? If so, what results did you see, and how did you configure it?

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
RE: [Declude.Virus] W32/Frethem-Fam
At 12:24 PM 6/12/2002, Thomas E. Hall wrote:

> I was wondering, does F-Prot have daily downloadable virus updates? If not, what virus software do you recommend if you want to schedule jobs to run to make sure that we have the latest updates? Or should we use 2 virus checkers?

I don't remember who originally wrote this and posted it to the list, but I've been using it ever since, and it works perfectly. It updates both the F-Prot program files and the virus definitions, and checks for updates every 30 minutes. I've modified it a bit, so YMMV.

rem Update of F-Prot update program to eliminate redundant downloads.
rem Requires info-zip's unzip.exe 5.42 www.info-zip.org
rem Requires gnu wget, links to Windows binaries at www.wget.org or www.cygwin.com
rem Will keep the last three versions of f-prot on disk.
SETLOCAL
:Set Path Info
SET fprotdrv=c:
SET fprotdir=\program files\fsi\F-Prot
SET DownloadDir=%fprotdrv%%fprotdir%\Zips
:Set Unzip Command Info
SET unzipcmd=UNZIP -o -u
SET unziptail=-x f-prot.pif -d "%fprotdrv%%fprotdir%\Updates"
:Set FTP Info
SET wgetcmd=c:\winnt\wget.exe
SET BaseURL=ftp://ftp.f-prot.com/pub
:CheckDirectories
md "%fprotdrv%%fprotdir%"
md "%fprotdrv%%fprotdir%\Updates"
md "%DownloadDir%"
if not exist "%DownloadDir%" goto end
:FTPDownload
rem wget -N only fetches files newer than the local copy; its summary line
rem ends "in 0 files" when nothing new was downloaded, so only then skip the unzip.
%wgetcmd% -t 2 -N -nv -P "%DownloadDir%" %BaseURL%/fp-3*.zip %BaseURL%/fp-def.zip %BaseURL%/macrdef2.zip 2>&1 | find "in 0 files"
if errorlevel 1 goto UnzipFiles
goto end
:UnzipFiles
SET T=0
rem Newest program zip first: unpack the newest, keep three, delete the rest.
for /F %%I in ('dir "%DownloadDir%\fp-3*.zip" /a-d-s /b /o:-d') do call :DoNewVersion "%DownloadDir%\%%I"
%unzipcmd% "%DownloadDir%\fp-def.zip" %unziptail%
%unzipcmd% "%DownloadDir%\macrdef2.zip" %unziptail%
copy /y "%fprotdrv%%fprotdir%\Updates\*.def" "%fprotdrv%%fprotdir%"
copy /y "%fprotdrv%%fprotdir%\Updates\*.asc" "%fprotdrv%%fprotdir%"
copy /y "%fprotdrv%%fprotdir%\Updates\*.exe" "%fprotdrv%%fprotdir%"
:Cleanup
attrib -r "%DownloadDir%\*.zip"
if exist "%fprotdrv%%fprotdir%\f-prot.pif" del "%fprotdrv%%fprotdir%\f-prot.pif"
goto end
:DoNewVersion
SET /a T=1+%T%
if %T% EQU 1 %unzipcmd% %1 %unziptail%
if %T% LEQ 3 goto :DoNewVersion_exit
if exist %1 del /F %1
:DoNewVersion_exit
echo %T%
goto :EOF
:END
ENDLOCAL

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
RE: [Declude.Virus] Outlook-CR vulnerability
I will do - virtually *every* instance I've seen so far has been legitimate email.

At 10:11 AM 4/16/2002, John Tolmachoff wrote:

> From what Scott Perry has said before, he has not seen any legitimate e-mail with the CR vulnerability. If you do have evidence of legitimate e-mail that does have the CR vulnerability, you might want to forward those examples directly to him so he can review them.
>
> John Tolmachoff
> IT Manager, Network Engineer
> 211 E. Imperial Hwy., Suite 106
> Fullerton, CA 92835
> 714-578-7999, ext. 104
> [EMAIL PROTECTED]
> www.reliancesoft.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
> Sent: Tuesday, April 16, 2002 5:11 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Outlook-CR vulnerability
>
> Might I make this suggestion for detecting the Outlook-CR vulnerability, to try to attempt to reduce the false positives (which seem to be close to 100% at this point): whenever a CR without a LF is seen, check the message header to see if a "BEGIN ..." is actually enclosed within it, indicating that a payload actually exists. If not, perhaps a different notification could be made, so we can determine whether to simply warn, or quarantine, based on the analysis.
>
> Right now, I've had to turn off the Outlook-CR check altogether, because of too many complaints from users who are getting virus warnings (as well as their senders) instead of their valid, non-infected, albeit header-munged messages.
>
> ___
> Scott MacLean
> [EMAIL PROTECTED]
> ICQ: 9184011
> http://www.nerosoft.com

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
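The two-tier check Scott proposes above (bare CR alone = warn; bare CR plus an enclosed uuencode "begin" line = quarantine) can be written down in a few lines. The following is an added illustration, not Declude's code nor anything Scott posted; the message samples are constructed, and the split into "clean" / "warn" / "quarantine" verdicts is this example's own naming of the two notification levels the post asks for.

```python
import re

# A CR not immediately followed by LF: the "bare CR" the Outlook-CR check fires on.
BARE_CR = re.compile(rb"\r(?!\n)")

# A uuencode "begin <mode> <filename>" line at the start of a line, looked for
# after the header has been re-split the way a lenient mail client would split it.
UU_BEGIN = re.compile(rb"^begin\s+[0-7]{3,4}\s+\S+", re.IGNORECASE | re.MULTILINE)


def header_block(raw: bytes) -> bytes:
    """Return the header section of a raw RFC 822 message.

    The header ends at the first empty line (CRLF CRLF or LF LF), which is what a
    standards-following MTA sees; a bare CR does not terminate a line here.
    """
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx]
    return raw  # no body at all: the whole message is header


def classify_outlook_cr(raw: bytes) -> str:
    """Apply the two-tier Outlook-CR heuristic from the post.

      "clean"      - no bare CR in the header
      "warn"       - bare CR present, but no uuencoded payload enclosed
                     (the header-munged-but-harmless case that was causing complaints)
      "quarantine" - bare CR present and a 'begin' line enclosed, i.e. a payload
                     that a lenient client could decode out of the header
    """
    header = header_block(raw)
    if not BARE_CR.search(header):
        return "clean"
    # Re-split the header the way a lenient client would (bare CR becomes a
    # line break), then look for a uuencode begin line in the result.
    lenient = BARE_CR.sub(b"\r\n", header)
    if UU_BEGIN.search(lenient):
        return "quarantine"
    return "warn"


# Constructed sample messages (not real traffic from the list).
CLEAN = (b"From: alice@example.invalid\r\nSubject: hello\r\n\r\n"
         b"plain body\r\n")
# A Received: line wrapped with a bare CR by a broken relay: munged but harmless.
MUNGED = (b"Received: from relay.example.invalid\r by mx.example.invalid\r\n"
          b"Subject: hello\r\n\r\nplain body\r\n")
# A uuencoded attachment tucked into the header behind a bare CR.
PAYLOAD = (b"Subject: hello\rbegin 644 invoice.exe\rM34T5`````````\r`\rend\r\n"
           b"\r\nplain body\r\n")


def demo() -> dict:
    """Classify the three samples; returns {sample name: verdict}."""
    return {name: classify_outlook_cr(msg)
            for name, msg in (("clean", CLEAN), ("munged", MUNGED), ("payload", PAYLOAD))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of splitting the header twice (once the strict way, once the lenient way) is that the MTA-side view decides where the header ends, while the client-side view decides whether anything decodable is hiding inside it; a filter that only did the first would keep flagging every wrapped Received: line, which is exactly the false-positive rate the post complains about.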
Re: [Declude.Virus] W32.FBound.gen@mm
I am running Declude 1.45.

At 09:28 AM 3/26/2002, R. Scott Perry wrote:

> > I had a user's infected PC send a copy of the W32.FBound.gen@mm worm to a mailing list on my Declude-protected IMail 6 server, which then dutifully distributed the worm to everyone on the mailing list, without Declude seeing a thing. I'm running the most recent Declude, F-Prot and F-Prot definitions, and it continues to trap other viruses and worms just fine. Anyone else have this experience with this worm?
>
> Are you running Declude v1.45 or higher? FBound uses illegally formatted MIME segments that some mail clients may be able to decode while others cannot. Declude v1.45 will be able to detect these bogus MIME segments, and decode them the same way that those mail clients would, allowing the virus to get caught.
>
> -Scott

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
Re: [Declude.Virus] F-Prot error?
For anyone who comes across the Symantec problem I mentioned: when I opened the registry key mentioned in the KB article, I found the VDD key contained the SYMEVNT1.DLL file that is mentioned in my error box. When I deleted and re-created the VDD key with blank content as directed in the KB (using REGEDT32, as the value has to be a REG_MULTI_STRING), it seems to have (so far) solved my problem. Thanks, Scott!

At 08:59 AM 2/4/2002, R. Scott Perry wrote:

> > Actually, I get a similar Windows error related to f-prot. Something to the effect of "VDD error: a device attached to your system isn't functioning", and we aren't running any Symantec products on either of the servers that get this error. I'll get the exact message when it happens again.
>
> We just today came across this error message:
>
> 16 bit MS-DOS Subsystem
> C:\Progra~1\FSI\F-Prot\F-Prot.exe
> SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.
>
> This one is caused by a problem in several versions of Windows. Microsoft has a Knowledge Base article at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q254914 acknowledging the problem and explaining how to fix it (you need to delete and re-add a new registry entry). This looks like a different message than the one you got, but I figured it may be related.
>
> -Scott

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
[Declude.Virus] F-Prot error?
Since installing Declude three days ago, I have twice found my server sitting with the attached message box showing on the desktop. The only Symantec product running on the server is PCAnywhere. Anyone have any clues?

attachment: 3754455.jpg

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com