[Declude.Virus] RE: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing
RE: [Declude.Virus] RE: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing
Thanks!

From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Tuesday, April 09, 2013 12:02 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] RE: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

If you don’t have the last build 4.12.02 get it now!

http://interim.declude.com/41202/
U: Interim
P: decinterimv4

Also get the latest AVG DB at: http://downloads.declude.com/AVG/
U: DecDown
P: DecDown

Sunday, April 07, 2013 7:37 PM 72153339 incavi.avm
http://downloads.declude.com/AVG/incavi.avm

Once you have upgraded to the latest version drop the incavi.avm (http://downloads.declude.com/AVG/incavi.avm) into \declude\scanners\AVG\db

This should resolve the “ERROR: Failed Initialize AVG 183”.

If you need further assistance contact Linda linda.pagi...@mailsbestfriend.com or myself david.bar...@mailsbestfriend.com

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 703.988.3605 x7015
Mobile : 978.518.6461

From: Colbeck, Andrew [mailto:acolb...@bentallkennedy.com]
Sent: Tuesday, April 9, 2013 12:37 PM
To: declude.junkm...@declude.com
Subject: RE: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

If you upgraded to Declude 4.11.09 to avoid the AVG licence issue, you’ll find that it was a bandaid, and that build’s usefulness also expired contemporaneously with David and Linda’s employee status, on January 31, 2013.

C:\IMail>strings decludeproc.exe | grep LicBeg
LicBeg, Ver=1.1, Name=Declude, Exp=2013-01-31, +Av, Sign=blahblahblah

You still received updates for a grace period (the files with zero bytes are normal for the Declude implementation of AVG):

C:\IMail>dir C:\IMail\declude\scanners\AVG\db
 Volume in drive C has no label.
 Volume Serial Number is 9471-8A74

 Directory of C:\IMail\declude\scanners\AVG\db

03/22/2013  07:47 AM    <DIR>          .
03/22/2013  07:47 AM    <DIR>          ..
03/19/2013  02:44 PM                 0 avi7.avg
03/19/2013  02:44 PM                 0 microavi.avg
03/19/2013  02:44 PM                 0 miniavi.avg
03/22/2013  07:47 AM        71,002,023 incavi.avm
               4 File(s)     71,002,023 bytes
               2 Dir(s)  11,036,254,208 bytes free

C:\IMail>

This might be addressed in the latest (last?) build which you can obtain through the interim downloads website (log into your client support site for the link). If I remember correctly, that build is on 2013-03-15 with v4.12.02 that specifically cites in the change log ReadMe.txt:

4.12.02 == Fix: update AVG Key
4.12.01 == Fix: AVG Bug
4.12.00 == Fix: update AVG Key

Which (I think) also fixes the “ERROR: Failed Initialize AVG 183” being spammed all over your c:\imail\declude\diags.txt

Andrew.

From: Dean Lawrence [mailto:dean...@gmail.com]
Sent: Friday, January 11, 2013 7:33 AM
To: declude.junkm...@declude.com
Subject: Re: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

Thanks Dave, will do.

On Fri, Jan 11, 2013 at 10:25 AM, David Barker dbar...@declude.com wrote:

Dean,

There is currently an issue with the AVG that we are currently working on. As far as backup in the \proc directory and the 0 Kb log that seems like a different issue. Can you please contact supp...@declude.com for assistance.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: Dean Lawrence [mailto:dean...@gmail.com]
Sent: Friday, January 11, 2013 10:18 AM
To: declude.junkm...@declude.com
Subject: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

The subject says it all. This morning, declude started to have high cpu usage, the log file is 0k and messages are backing up in the proc directory. I looked in the diags.txt and I see this message:

ERROR: Failed Initialize AVG 183
Daisy Chain smtp32.exe

I was running 4.11 and upgraded to 4.11.09 and still have the same results.

Any thoughts?

--
Dean M. Lawrence
INTERNET DATA TECHNOLOGY
p // 888.438.4381 ext. 701
w // www.idatatech.com
f // www.facebook.com/idatatech
t // www.twitter.com/idatatech
Social Marketing | SEO | Design | Internet Development
[Declude.Virus] Per-Domain Per-User settings for EZIP
We usually don't post about every interim release however we thought this would be useful as it has been requested often. (Please Note: you need to be on 4.11.00 to upgrade just the decludeproc, if you are earlier than 4.11.00 use the setup upgrade from your host record on www.declude.com)

Interim access can be found on your My Account home page.

// 4.11.04 == ADD: Allowing EZIP (Encrypted ZIP files) for Domains and Users

File: Virus.cfg file

ALLOWEZIPTO = used for incoming email
ALLOWEZIPFROM = used for outgoing email

User configuration = u...@example.com
Domain Configuration = example.com

Example:

ALLOWEZIPTO u...@example.com
ALLOWEZIPTO example.com
ALLOWEZIPFROM senderaddr...@example.com
ALLOWEZIPFROM example.com

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
[Declude.Virus] Declude 4.11.00 Interceptor 3.4.11.500 Available
Please contact supp...@declude.com if you need assistance with your upgrade.

// 4.11.00 == New Complete Release with setup
// 4.10.89 == Updated Dll's
// 4.10.88 == Fix: Email attachment being stripped due to vulnerability in the boundary string.
// 4.10.87 == Fix: AVG issue, Error number 8, Not enough storage is available to process this command. ERROR_NOT_ENOUGH_MEMORY
// 4.10.86 == Debug: In the ScanFiles function, AVG test, Comment out two log messages so that we get the correct window error message.
// 4.10.85 == Updated copyright from 2011 to 2012
// 4.10.84 == IMail: Fix Declude notification looping issue due to Alert action
// 4.10.83 == Add more debug information for AVG Load error
// 4.10.82 == Hijack ALLOWADDR allows authenticated user as well as the FROM address
// 4.10.80 == Commtouch recommended not to block the VOD medium classification

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
[Declude.Virus] Test
Sorry for the test folks, new email setup and it is a little too quiet.

John T
RE: [Declude.Virus] Test
Too quiet? Problem solved, like a BOSS.

-----Original Message-----
From: johnl...@eservicesforyou.com [mailto:johnl...@eservicesforyou.com]
Sent: Wednesday, January 04, 2012 8:33 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Test

Sorry for the test folks, new email setup and it is a little too quiet.

John T
[Declude.Virus] Declude 4.10.78 Interceptor 3.4.10.508 Available
Please contact supp...@declude.com if you need assistance with your upgrade.

Version  Part  Type  Change
4.10.78  AVG   FIX   Update AVG Key license key Exp=2012-04-10
4.10.77  AV    ADD   Fixed virus emails being deleted instead of being held in the virus directory, problem was introduced with 4.10.72. (IMail Only)
4.10.76  JM    FIX   Fixed crash due to buffer overflow (too many recipients) when the last action is DELETE
4.10.75  DEC   FIX   Fixed ALLOWVULNERABILITIESFROM which was not working with certain vulnerabilities, such as OBJECT DATA, Partial vulnerability and Outlook 'Blank Folding' vulnerability.
4.10.74  JM    FIX   Fixed emails being tagged by Declude as Outbound when should be Inbound. Declude will exit from loading the domains name (host) to memory, when the Aliases entry in the registry is missing from one of the domains. (IMail only)
4.10.73  DEC   ADD   Added the Declude Key in the diags.txt file

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
[Declude.Virus] automated response
Thank you for your message. I am currently out of the office, with limited access to e-mail. I will be returning on Thursday, August 11th. If you have an urgent issue, please contact Bill Slentz at ad...@oasisol.com or 1-800-784-4091.

Daniel Slentz
Network Engineer
Oasis Online
[Declude.Virus] MIME segment in MIME Preamble - WHERE?
Hi,

Supposedly it's in line 22, layer1:

Outlook 'MIME segment in MIME Preamble' vulnerability in line 22 layer 1 [Content-Type: multipart/altern]

Attached is the original SMD file from the /Virus folder.

I'd like to educate the other side as to what's wrong with their email - but I fail to see it myself (other than possibly the in the message ID - but that's way earlier than line 22 and not in the MIME preamble.)

Best Regards,
Andy

Attachment: D8592de5b45a5.smd
[Declude.Virus]
http://danjacoby.de/modules/Search/life.html
[Declude.Virus] Declude 4.10.72 Interceptor 3.4.10.500
Please contact supp...@declude.com if you need assistance with your upgrade.

Version  Part  Type  Change
4.10.72  DEC   ADD   Declude no longer uses imail1.exe to send notifications as IMail no longer supports imail1.exe.
4.10.71  DEC   ADD   Create the diags.txt file when the decludeproc service is started, which includes Declude Version, Platform Type, Copyright and Host name
4.10.70  SNF   FIX   Declude crashed due to SNF header exceeding the buffer size. Improved altering of headers and footers.
4.10.69  VIR   FIX   File attachments stripped when the following vulnerabilities were allowed: OLMIMESEGMIMEPRE, MIMESEGMIMEPOST, OLBOUNDARYSPACEGAP
4.10.68  HI    FIX   When Hijack is turned off no Hijack log is created.
4.10.67  VIR   FIX   When the Outlook Boundary Space Gap Vulnerability occurs (triggered) the attachment files are stripped. This was due to a mismatched boundary string.
4.10.66  DEC   FIX   Declude accepts SM default alias as incoming. (Makes Declude compatible with SM default alias mail.*) For example, for domain.com the default alias is mail.domain.com
4.10.65  JM    FIX   Filter triggered information now displays in medium log level instead of debug.
4.10.64  DEC   ADD   blklst.txt which is located in the \spool directory is being created every day like the other logs if BLKLST ON in the declude.cfg
4.10.63  JM    ADD   Split Commtouch test results so each have their own score. Spam, Bulk, Suspect. Also included the match value of nonzero for single line configuration, which will be triggered for spam or bulk.
                     Example of configuration:
                     CT-SPAM COMMTOUCH 0 4 20 0
                     CT-BULK COMMTOUCH 0 3 8 0
                     CT-SUSPECT COMMTOUCH 0 2 4 0
                     Example of nonzero configuration:
                     CT-SPAM COMMTOUCH 0 nonzero 15 0
4.10.61  JM    FIX   Fix ROUTTO issue with SM Routing when incoming gateway is configured. Accommodate their change by deleting the smarthost: line from hdr file as the SM suggested
4.10.61  DEC   FIX   Copyright update from 2010 to 2011
4.10.60  JM    FIX   Compliance with SM 6+ to accommodate changes to their Trusted Sender list.
4.10.59  AV    FIX   When virus scanning is turned off (OUTGOING OFF, INCOMING OFF, or virus.cfg.off) for any plain/text email Declude failed to copy the body of the email from eml to em$, which resulted in an empty email.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
Re: [Declude.Virus] Do you use the Declude email notification templates?
Hi,

After my upgrade to IMail 11.x on a new server the IMail1.exe file is no longer present. As far as I know that is what Declude uses to send the e-mails, and if so then that is the reason I no longer get them even though I have my old templates still present.

My templates are only to inform me as the postmaster of the receiving domain when something happens that could very well be a false positive. That is usually the case with filtering on vulnerabilities. For those I have templates to inform me. All other attempts to inform someone will either warn a falsified sender address or a recipient who cannot do something about it as then mail is held on the server in a directory where only the postmaster has access.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

----- Original Message -----
From: IMail Admin
To: Declude.Virus@declude.com
Sent: Friday, May 20, 2011 7:15 PM
Subject: [Declude.Virus] Do you use the Declude email notification templates?

I’ve just always left these templates in place (the .eml files) that cause various notifications to be sent out. However, in recent years I’ve received complaints that these notifications are unnecessary or a nuisance. I was curious if anyone else bothered with these, or if you deleted them all, or if you kept just some? Any recommendations?

Thanks,
Ben
[Declude.Virus] Do you use the Declude email notification templates?
I’ve just always left these templates in place (the .eml files) that cause various notifications to be sent out. However, in recent years I’ve received complaints that these notifications are unnecessary or a nuisance. I was curious if anyone else bothered with these, or if you deleted them all, or if you kept just some? Any recommendations?

Thanks,
Ben
[Declude.Virus] automated response
This address is not being used. Please contact supp...@webjogger.net

Webjogger Support team
[Declude.Virus] AVG antivirus did not work
Today I have noticed that my AVG antivirus did not work. I really think it has not worked for a long time. My version of Declude was 4.10.48. When looking at the file vir0202.log:

02/02/2011 00:02:07.505 453300649.eml Log Level set to MID
02/02/2011 00:02:07.520 453300649 Vulnerability flags = 343
02/02/2011 00:02:07.567 453300649 Error: AVG Initialize Fail (5)
02/02/2011 00:02:07.567 453300649 Scanned: Virus Free [MIME: 2 25857]
02/02/2011 00:02:22.677 453300650 Vulnerability flags = 343
02/02/2011 00:02:22.708 453300650 Error: AVG Initialize Fail (5)
02/02/2011 00:02:22.723 453300650 Scanned: Virus Free [MIME: 2 26260]

I upgraded Declude to version 4.10.58. It still does not run the AVG antivirus. And the logs are showing the same error.

02/02/2011 20:20:32.574 453317098 Vulnerability flags = 351
02/02/2011 20:20:32.605 453317098 Error: AVG Initialize Fail (5)
02/02/2011 20:20:32.605 453317098 Scanned: Virus Free [MIME: 1 18517]
02/02/2011 20:20:56.043 453317101 Vulnerability flags = 351
02/02/2011 20:20:56.277 453317101 Error: AVG Initialize Fail (5)
02/02/2011 20:20:56.418 453317101 Scanned: Virus Free [Prescan OK][MIME: 2 959768]

I looked at the folder declude\scanners\avg\db and see this:

Directorio de C:\SmarterMail\declude\scanners\avg\db
02/02/2011  20:26    <DIR>          .
02/02/2011  20:26    <DIR>          ..
02/02/2011  20:23                 0 avi7.avg
02/02/2011  20:26        70.627.222 incavi.avm
02/02/2011  20:23                 0 microavi.avg
02/02/2011  20:23                 0 miniavi.avg
               4 archivos     70.627.222 bytes

If I stop Declude, delete these files and start Declude, after a few minutes they are recreated with the same sizes.

What is the problem?

Rubén Martí.
Món Mariola, S.L.
RE: [Declude.Virus] AVG antivirus did not work
The error means that the AVG database failed to initialize. Did you do a manual upgrade? One way to try to resolve this is to delete all the files in C:\SmarterMail\declude\scanners\avg\db then restart decludeproc, wait for the new AVG signature to come down. Once the new signature file is down does the error go away? If not email supp...@declude.com and we can help you resolve the problem.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon Mariola - Rubén
Sent: Wednesday, February 02, 2011 3:08 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] AVG antivirus did not work

Today I have noticed that my AVG antivirus did not work. I really think it has not worked for a long time. My version of Declude was 4.10.48. When looking at the file vir0202.log:

02/02/2011 00:02:07.505 453300649.eml Log Level set to MID
02/02/2011 00:02:07.520 453300649 Vulnerability flags = 343
02/02/2011 00:02:07.567 453300649 Error: AVG Initialize Fail (5)
02/02/2011 00:02:07.567 453300649 Scanned: Virus Free [MIME: 2 25857]
02/02/2011 00:02:22.677 453300650 Vulnerability flags = 343
02/02/2011 00:02:22.708 453300650 Error: AVG Initialize Fail (5)
02/02/2011 00:02:22.723 453300650 Scanned: Virus Free [MIME: 2 26260]

I upgraded Declude to version 4.10.58. It still does not run the AVG antivirus. And the logs are showing the same error.

02/02/2011 20:20:32.574 453317098 Vulnerability flags = 351
02/02/2011 20:20:32.605 453317098 Error: AVG Initialize Fail (5)
02/02/2011 20:20:32.605 453317098 Scanned: Virus Free [MIME: 1 18517]
02/02/2011 20:20:56.043 453317101 Vulnerability flags = 351
02/02/2011 20:20:56.277 453317101 Error: AVG Initialize Fail (5)
02/02/2011 20:20:56.418 453317101 Scanned: Virus Free [Prescan OK][MIME: 2 959768]

I looked at the folder declude\scanners\avg\db and see this:

Directorio de C:\SmarterMail\declude\scanners\avg\db
02/02/2011  20:26    <DIR>          .
02/02/2011  20:26    <DIR>          ..
02/02/2011  20:23                 0 avi7.avg
02/02/2011  20:26        70.627.222 incavi.avm
02/02/2011  20:23                 0 microavi.avg
02/02/2011  20:23                 0 miniavi.avg
               4 archivos     70.627.222 bytes

If I stop Declude, delete these files and start Declude, after a few minutes they are recreated with the same sizes.

What is the problem?

Rubén Martí.
Món Mariola, S.L.
[Declude.Virus] [11]Please protest the CRTC ruling allowing Internet rates to rise significantly at a time when we are all using more and more
Given the recent CRTC ruling, Bell Canada is allowed to increase wholesale residential rate by charging usage billing over a set limit. Although it will not affect about 70% of accounts, it is the 30% that will get seriously affected.

My apologies if I have contacted some of you twice. I just want to be sure that as many people as possible do as much as possible to stop this CRTC decision.

One of the purposes of regulation is to make sure that the monopolies and oligopolies do not take over everything and thus eliminate small business and victimize clients through exorbitant rates for a service that you cannot get elsewhere. Canada's internet rates are among the highest in the world! And they will be higher soon.

It may still be possible for the government to reverse its decision. Please check the following sites for suggestions as to how you can protest the ruling by CRTC.

http://openmedia.ca/meter
http://www.antiubb.com/

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222
[Declude.Virus] mc afee 8.7 not scanning
hello,

we just updated our mcafee virus-scanner from 7.? to 8.7. after installing the virus scan commandline 6.00.1 we are catching NO viruses! we did not change the virus.cfg except for the path - now it looks like this:

SCANFILE c:\mcafee\scan.exe /ALL /NOMEM /NOBREAK /UNZIP /NODDA /NOBEEP /SILENT /REPORT report.txt
VIRUSCODE 13
REPORT Found

here's a snap out of our virus.log:

12/19/2010 23:56:29.176 q893d01763439.smd Vulnerability flags = 28
12/19/2010 23:59:20.908 q893d01763439.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:31.239 q893f01763449.smd Vulnerability flags = 28
12/19/2010 23:59:19.283 q893f01763449.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:35.207 q894000d9345c.smd Vulnerability flags = 28
12/19/2010 23:59:20.689 q894000d9345c.smd ERROR: Virus scanner 1 didn't finish after 120 seconds; terminating.
12/19/2010 23:59:20.689 q894000d9345c.smd Couldn't delete E:\IMail\spool\proc\work\D894000d9345c.vir\report.txt: 32. Error String: [Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.]
12/19/2010 23:59:50.705 q894000d9345c.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:35.488 q894001763459.smd Vulnerability flags = 28
12/19/2010 23:59:21.252 q894001763459.smd ERROR: Virus scanner 1 didn't finish after 120 seconds; terminating.
12/19/2010 23:59:21.252 q894001763459.smd Couldn't delete E:\IMail\spool\proc\work\D894001763459.vir\report.txt: 32. Error String: [Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.]
12/19/2010 23:59:51.298 q894001763459.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:55.848 q894300dc3481.smd Vulnerability flags = 28
12/19/2010 23:59:21.424 q894300dc3481.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:55.754 q89430176347c.smd Vulnerability flags = 28
12/19/2010 23:59:17.580 q89430176347c.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:57:44.222 q894301c9347d.smd Vulnerability flags = 28
12/20/2010 00:00:07.408 q894301c9347d.smd Scanned: Virus Free [MIME: 2 40736]

the error string says that the file can't be accessed because it's used by something else. our on-access scanner is deactivated for e:\ and its subdirectories.

does anyone know if we did something wrong?

greetings
bernd goebbels
it.nrw.de
RE: [Declude.Virus] mc afee 8.7 not scanning
The new virus scanner command line version now uses compressed virus signature and clean files etc. It's intended for the occasional one-time use for a situation where the command line is the only option and where you wouldn't mind waiting a minute or two for the uncompressing to be complete.

There IS a way you can uncompress a new virus signature file every time you download an updated one. Then, the command line tool won't have to do it each and every time.

If you're lucky that might just be fast enough for Declude to cope.

Best Regards,
Andy

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of bernd.goebb...@it.nrw.de
Sent: Monday, December 20, 2010 3:23 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] mc afee 8.7 not scanning

hello,

we just updated our mcafee virus-scanner from 7.? to 8.7. after installing the virus scan commandline 6.00.1 we are catching NO viruses! we did not change the virus.cfg except for the path - now it looks like this:

SCANFILE c:\mcafee\scan.exe /ALL /NOMEM /NOBREAK /UNZIP /NODDA /NOBEEP /SILENT /REPORT report.txt
VIRUSCODE 13
REPORT Found

here's a snap out of our virus.log:

12/19/2010 23:56:29.176 q893d01763439.smd Vulnerability flags = 28
12/19/2010 23:59:20.908 q893d01763439.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:31.239 q893f01763449.smd Vulnerability flags = 28
12/19/2010 23:59:19.283 q893f01763449.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:35.207 q894000d9345c.smd Vulnerability flags = 28
12/19/2010 23:59:20.689 q894000d9345c.smd ERROR: Virus scanner 1 didn't finish after 120 seconds; terminating.
12/19/2010 23:59:20.689 q894000d9345c.smd Couldn't delete E:\IMail\spool\proc\work\D894000d9345c.vir\report.txt: 32. Error String: [Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.]
12/19/2010 23:59:50.705 q894000d9345c.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:35.488 q894001763459.smd Vulnerability flags = 28
12/19/2010 23:59:21.252 q894001763459.smd ERROR: Virus scanner 1 didn't finish after 120 seconds; terminating.
12/19/2010 23:59:21.252 q894001763459.smd Couldn't delete E:\IMail\spool\proc\work\D894001763459.vir\report.txt: 32. Error String: [Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.]
12/19/2010 23:59:51.298 q894001763459.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:55.848 q894300dc3481.smd Vulnerability flags = 28
12/19/2010 23:59:21.424 q894300dc3481.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:55.754 q89430176347c.smd Vulnerability flags = 28
12/19/2010 23:59:17.580 q89430176347c.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:57:44.222 q894301c9347d.smd Vulnerability flags = 28
12/20/2010 00:00:07.408 q894301c9347d.smd Scanned: Virus Free [MIME: 2 40736]

the error string says that the file can't be accessed because it's used by something else. our on-access scanner is deactivated for e:\ and its subdirectories.

does anyone know if we did something wrong?

greetings
bernd goebbels
it.nrw.de
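The virus logs quoted in the AVG thread and in the McAfee thread above both show a "Scanned: Virus Free" line written for a message right after the scanner reported an error for it. The following Python is an added example, not Declude's code and not something posted to the list: it flags such verdicts in a log of that layout. The function names and the rule that any scanner error logged before the verdict makes the verdict unverified are assumptions of this example; the sample lines are copied from the two posts.

```python
import re

# Line layout seen in the quoted logs: "MM/DD/YYYY HH:MM:SS.mmm <spool id> <text>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<id>\S+) (?P<msg>.*)$"
)

# The two scanner failures that appear in the quoted logs.
SCANNER_ERRORS = (
    re.compile(r"Error: AVG Initialize Fail \(\d+\)"),
    re.compile(r"ERROR: Virus scanner \d+ didn't finish after \d+ seconds"),
)
CLEAN_VERDICT = re.compile(r"Scanned: Virus Free\b")

# Sample input: lines copied from the two posts (AVG thread, then McAfee thread).
SAMPLE_LOG = r"""
02/02/2011 00:02:07.505 453300649.eml Log Level set to MID
02/02/2011 00:02:07.520 453300649 Vulnerability flags = 343
02/02/2011 00:02:07.567 453300649 Error: AVG Initialize Fail (5)
02/02/2011 00:02:07.567 453300649 Scanned: Virus Free [MIME: 2 25857]
12/19/2010 23:56:29.176 q893d01763439.smd Vulnerability flags = 28
12/19/2010 23:59:20.908 q893d01763439.smd Scanned: Virus Free [MIME: 2 40736]
12/19/2010 23:56:35.207 q894000d9345c.smd Vulnerability flags = 28
12/19/2010 23:59:20.689 q894000d9345c.smd ERROR: Virus scanner 1 didn't finish after 120 seconds; terminating.
12/19/2010 23:59:50.705 q894000d9345c.smd Scanned: Virus Free [MIME: 2 40736]
"""


def message_key(raw_id):
    """Drop the spool extension so '453300649.eml' and '453300649' group together."""
    return re.sub(r"\.(eml|smd)$", "", raw_id, flags=re.IGNORECASE)


def find_unverified_clean(lines):
    """Return one finding per 'Virus Free' verdict that follows a scanner error.

    Lines are grouped by message id and taken in file order, because the
    timestamps in the McAfee excerpt are not monotonic across messages.
    """
    pending = {}   # message id -> scanner errors seen since its last verdict
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        key = message_key(m["id"])
        msg = m["msg"]
        if any(p.match(msg) for p in SCANNER_ERRORS):
            pending.setdefault(key, []).append(msg)
        elif CLEAN_VERDICT.match(msg):
            errors = pending.pop(key, [])
            if errors:  # assumption: an earlier error means nothing was scanned
                findings.append(
                    {"id": key, "verdict_at": m["ts"], "errors": errors}
                )
    return findings


if __name__ == "__main__":
    for f in find_unverified_clean(SAMPLE_LOG.splitlines()):
        print(f'{f["verdict_at"]} {f["id"]}: clean verdict after {f["errors"]}')
```

If more than one scanner is configured, a verdict flagged here may still have been backed by another scanner that ran successfully, so treat the output as a list of messages to re-check.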
RE: [Declude.Virus] ClamAv / ClamWin with Declude
http://oss.netfarm.it/clamav/

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gary Steiner
Sent: Wednesday, November 24, 2010 12:32 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAv / ClamWin with Declude

What version or port of ClamAV are you using with Declude? I've been reading on the SmarterTools forums about the problems with ClamWin, and was wondering if the majority are using this port or a different one? SmarterTools has been referring people to this link:

http://www.h-online.com/open/news/item/Free-ClamWin-virus-scanner-moves-most-of-Windows-into-quarantine-1139430.html

Which port of ClamAV does Declude recommend?
[Declude.Virus] ClamAv / ClamWin with Declude
What version or port of ClamAV are you using with Declude? I've been reading on the SmarterTools forums about the problems with ClamWin, and was wondering if the majority are using this port or a different one?

SmarterTools has been referring people to this link:
http://www.h-online.com/open/news/item/Free-ClamWin-virus-scanner-moves-most-of-Windows-into-quarantine-1139430.html

Which port of ClamAV does Declude recommend?
RE: [Declude.Virus] EZIP files
I had tried to reprocess these messages as well, but they kept getting caught and moved back to the virus folder. I did the same (edit, reprocess, edit) so I was just curious how you handled it. Thanks again! Todd From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher Sent: Tuesday, November 16, 2010 3:06 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] EZIP files An email will get generated when they are blocked. I just give them the eyeball test. Generally they are mail that I'd expect from a vendor or partner. If they look to be legit, I move them to the imail\spool folder. If that doesn't take care of it, I'll change the virus.cfg and then reprocess and then change the virus.cfg. -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd Richards Sent: Tuesday, November 16, 2010 2:50 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] EZIP files Thanks Scott. We aren't that big either. How do you manually process them? Do you go in and disable the block, reprocess the email, then put the block back? Todd From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher Sent: Tuesday, November 16, 2010 10:28 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] EZIP files I'm pretty small (125 employees), so encrypted zip files are rare and they get blocked. I'll manually reprocess them after getting an alert email. -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd Richards Sent: Tuesday, November 16, 2010 9:25 AM To: declude.virus@declude.com Subject: [Declude.Virus] EZIP files How many of you ban EZIP files via Declude? I have one that is stuck in the virus hold folder, and I am (by default) banning EZIP files. Just out of curiosity, I created one and sent it to Yahoo via my Hotmail account. It arrived with no problem. 
I have also had legitimate messages get stuck from other vulnerabilities, which I finally disabled. I'd like to balance security without paranoia, if that's possible. Thanks! Todd
[Declude.Virus] EZIP files
How many of you ban EZIP files via Declude? I have one that is stuck in the virus hold folder, and I am (by default) banning EZIP files. Just out of curiosity, I created one and sent it to Yahoo via my Hotmail account. It arrived with no problem. I have also had legitimate messages get stuck from other vulnerabilities, which I finally disabled. I'd like to balance security without paranoia, if that's possible. Thanks! Todd
RE: [Declude.Virus] EZIP files
I'm pretty small (125 employees), so encrypted zip files are rare and they get blocked. I'll manually reprocess them after getting an alert email.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd Richards
Sent: Tuesday, November 16, 2010 9:25 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] EZIP files

How many of you ban EZIP files via Declude? I have one that is stuck in the virus hold folder, and I am (by default) banning EZIP files. Just out of curiosity, I created one and sent it to Yahoo via my Hotmail account. It arrived with no problem. I have also had legitimate messages get stuck from other vulnerabilities, which I finally disabled. I'd like to balance security without paranoia, if that's possible.

Thanks!
Todd
RE: [Declude.Virus] EZIP files
An email will get generated when they are blocked. I just give them the eyeball test. Generally they are mail that I'd expect from a vendor or partner. If they look to be legit, I move them to the imail\spool folder. If that doesn't take care of it, I'll change the virus.cfg and then reprocess and then change the virus.cfg.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd Richards
Sent: Tuesday, November 16, 2010 2:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] EZIP files

Thanks Scott. We aren't that big either. How do you manually process them? Do you go in and disable the block, reprocess the email, then put the block back?

Todd

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Tuesday, November 16, 2010 10:28 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] EZIP files

I'm pretty small (125 employees), so encrypted zip files are rare and they get blocked. I'll manually reprocess them after getting an alert email.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd Richards
Sent: Tuesday, November 16, 2010 9:25 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] EZIP files

How many of you ban EZIP files via Declude? I have one that is stuck in the virus hold folder, and I am (by default) banning EZIP files. Just out of curiosity, I created one and sent it to Yahoo via my Hotmail account. It arrived with no problem. I have also had legitimate messages get stuck from other vulnerabilities, which I finally disabled. I'd like to balance security without paranoia, if that's possible.

Thanks!
Todd
[Declude.Virus] ZEROHOUR Unknown
I've got a few messages that are ending up in the virus folder. When looking at the headers, I'm seeing

x-Declude-Virus: Detected ZEROHOUR Unknown [from IP xxx.xxx.xxx.xxx ()]

One of them was from a user who I helped set up their iPhone. They were replying to my test message. The next one was from me back to them. Not sure what to do about this, or how to get the message to go through.

Thanks,
Todd
[Declude.Virus] Need Help - How to Rescan Messages
Hi,

I had an issue overnight that caused many hundreds of messages to be moved to the /Spool/Virus folder (Q* and D* pairs) and to the /Spool/Proc/Review folder (Q* files only).

Question - how do I cause these files to be rescanned (as some may be REAL Trojans)?

Where do I move Q/D pairs from the /Spool/Virus folder? Do I move the D file to the /Spool folder and the Q file to the /Spool/Proc folder? Or do I move BOTH the Q & D file to the /Spool/Proc folder?

What about the Q files in the /Spool/Proc/Review folder - do I just move them to /Spool/Proc, or to /Spool/Proc/Work? I checked one file and it seems the matching D file was in the /Spool/Proc/Work folder!

Best Regards,
Andy
RE: [Declude.Virus] Need Help - How to Rescan Messages
Hi Andy,

To reprocess files through Declude, place the matching pairs of Q*.smd and D*.smd into the \proc folder. You can move them together; however, if it is a lot of files, you may want to move the D files first, then the Q files. The best way to do it for IMail is to use Invariant Systems' free application http://www.invariantsystems.com/download/movefiles20.zip

The \Review folder holds messages that were busy being processed when Decludeproc was stopped. Move old files from the \work to the \review, then move all the matching pairs to \proc. There is no circumstance to move messages to the \work.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, September 15, 2010 11:22 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Need Help - How to Rescan Messages
Importance: High

Hi,

I had an issue overnight that caused many hundreds of messages to be moved to the /Spool/Virus folder (Q* and D* pairs) and to the /Spool/Proc/Review folder (Q* files only).

Question - how do I cause these files to be rescanned (as some may be REAL Trojans)?

Where do I move Q/D pairs from the /Spool/Virus folder? Do I move the D file to the /Spool folder and the Q file to the /Spool/Proc folder? Or do I move BOTH the Q & D file to the /Spool/Proc folder?

What about the Q files in the /Spool/Proc/Review folder - do I just move them to /Spool/Proc, or to /Spool/Proc/Work? I checked one file and it seems the matching D file was in the /Spool/Proc/Work folder!

Best Regards,
Andy
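The requeue procedure from the reply above (matching Q*.smd / D*.smd pairs go to \proc, D files first, then Q files; nothing is ever moved into \work), as an added Python example that is not Declude's or Invariant Systems' code. It assumes a pair shares the file name after the leading Q or D, and it reads "old files" as an age threshold (`min_age_seconds`, a hypothetical parameter); the folder tree in `demo()` is constructed.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path


def find_pairs(folders, min_age_seconds=0):
    """Map message id -> {'Q': Path, 'D': Path} for Q*.smd / D*.smd files.

    Assumption: a pair shares everything after the first letter of the name.
    Files younger than min_age_seconds are ignored, so a message that is
    still being processed in \\work is left alone.
    """
    now = time.time()
    found = {}
    for folder in folders:
        for path in sorted(Path(folder).iterdir()):
            name = path.name.lower()
            if not (path.is_file() and name.endswith(".smd") and name[0] in "qd"):
                continue  # skips work subfolders such as D....vir
            if now - path.stat().st_mtime < min_age_seconds:
                continue
            found.setdefault(name[1:-4], {})[name[0].upper()] = path
    return found


def requeue(folders, proc_dir, min_age_seconds=0):
    """Move complete pairs into proc_dir, all D files first, then the Q files.

    Returns (ids_moved, names_skipped). Files without a partner, and pairs
    whose name already exists in proc_dir, are skipped and left in place.
    """
    proc = Path(proc_dir)
    ready, skipped = {}, []
    for msg_id, parts in find_pairs(folders, min_age_seconds).items():
        clash = any((proc / p.name).exists() for p in parts.values())
        if set(parts) == {"Q", "D"} and not clash:
            ready[msg_id] = parts
        else:
            skipped.extend(p.name for p in parts.values())
    # D before Q: a Q file never sits in proc without its D file.
    for kind in ("D", "Q"):
        for msg_id in sorted(ready):
            src = ready[msg_id][kind]
            shutil.move(str(src), str(proc / src.name))
    return sorted(ready), sorted(skipped)


def demo():
    """Build a constructed spool tree in a temp directory and requeue it."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        virus, review, work, proc = (root / n for n in ("virus", "review", "work", "proc"))
        for folder in (virus, review, work, proc):
            folder.mkdir()
        layout = {
            virus: ["Q0001.smd", "D0001.smd", "Q0002.smd"],  # 0002 has no D file
            review: ["q0003.smd", "Q0004.smd"],              # Q files only
            work: ["D0003.smd", "D0004.smd"],                # their D files
        }
        an_hour_ago = time.time() - 3600
        for folder, names in layout.items():
            for name in names:
                path = folder / name
                path.write_text("constructed sample\n")
                os.utime(path, (an_hour_ago, an_hour_ago))
        os.utime(work / "D0004.smd", None)  # fresh: treated as still in use
        moved, skipped = requeue([virus, review, work], proc, min_age_seconds=600)
        return moved, skipped, sorted(p.name.lower() for p in proc.iterdir())


if __name__ == "__main__":
    print(demo())
```

Messages 0002 and 0004 stay where they are: the first has no D file, and the D file of the second is too recent to count as an old work file.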
[Declude.Virus] Declude Compass
Just an FYI. 15 September 2010 we will be increasing the price of Declude Compass from $299 to $349 and including AVG as standard. If you purchase or renew your Compass prior to this date you will receive Compass at the $299 price including AVG. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com
[Declude.Virus] Banning open.html
Fighting the latest virus, trying to ban open.html file attachments. Anyone able to do this successfully? I am working with Declude right now to figure out why it is not being stopped.

John T
eServices For You
[Declude.Virus] AVG reports SPAM as VIRUS!
Hi,

For the past few days, I'm seeing AVG suddenly reporting a virus SPAM:

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 19,499
Virus Infected Messages: 232
Percentage Infected: 1.19%

VIRUS    # INFECTED    PERCENTAGE
SPAM     232           1.19%

resulting in these SMTP headers:

X-Declude-Virus: Detected Spam [from IP 41.218.0.202 ([No Reverse DNS])].

and these reports:

q061a000274936c02.smd AVG Reports VIRUS: Spam
q061a000274936c02.smd File(s) are INFECTED [Spam: 7]
q061a000274936c02.smd Scanned: CONTAINS A VIRUS [MIME: 1 424]
q061a000274936c02.smd From: bloodiest...@rcbassociats.com To: elopre...@??? [incoming from 41.218.0.202]
q061a000274936c02.smd Subject: Please attention!

This causes a whole bunch of problems, e.g.

a) I am unable to 'weigh' this Spam with other factors BEFORE it gets blocked.
b) It bypasses the WhiteList feature (from the user's Webmail Contacts)
c) It's treated like a Virus, hundreds of the configured virus notices are being emailed, etc.

While I'm certainly in favor of any additional SPAM detection - but then it needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling! If AVG reports to Declude the virus name Spam, then Declude MUST recognize that and NOT treat it like a virus (or at least give us a config option NOT to.)

Best Regards,
Andy
RE: [Declude.Virus] AVG reports SPAM as VIRUS!
Andy,

AVG is not integrated with Declude JM, this is AVG reporting the name of the virus as spam. Now, something may have changed that AVG is now detecting spam in their signatures; however, we were not made aware of this by AVG. I will look further into this.

As much as we do appreciate your feedback, which helps identify such problems, in some things it may be more helpful to first approach supp...@declude.com or myself dbar...@declude.com before engaging everyone in the list. Your assumptions of "PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling!" and "Declude MUST recognize that and NOT treat it like a virus" are rather harsh to be posting without having all the facts to begin with.

Thanks

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, May 12, 2010 10:39 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] AVG reports SPAM as VIRUS!
Importance: High

Hi,

For the past few days, I'm seeing AVG suddenly reporting a virus SPAM:

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 19,499
Virus Infected Messages: 232
Percentage Infected: 1.19%

VIRUS    # INFECTED    PERCENTAGE
SPAM     232           1.19%

resulting in these SMTP headers:

X-Declude-Virus: Detected Spam [from IP 41.218.0.202 ([No Reverse DNS])].

and these reports:

q061a000274936c02.smd AVG Reports VIRUS: Spam
q061a000274936c02.smd File(s) are INFECTED [Spam: 7]
q061a000274936c02.smd Scanned: CONTAINS A VIRUS [MIME: 1 424]
q061a000274936c02.smd From: bloodiest...@rcbassociats.com To: elopre...@??? [incoming from 41.218.0.202]
q061a000274936c02.smd Subject: Please attention!

This causes a whole bunch of problems, e.g.

a) I am unable to 'weigh' this Spam with other factors BEFORE it gets blocked.
b) It bypasses the WhiteList feature (from the user's Webmail Contacts)
c) It's treated like a Virus, hundreds of the configured virus notices are being emailed, etc.

While I'm certainly in favor of any additional SPAM detection - but then it needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling! If AVG reports to Declude the virus name Spam, then Declude MUST recognize that and NOT treat it like a virus (or at least give us a config option NOT to.)

Best Regards,
Andy
RE: [Declude.Virus] AVG reports SPAM as VIRUS!
Dave, I'm aware it's integrated in Declude Virus - that's why I chose the CORRECT list to discuss this. I referenced Declude Junkmail, because IF AVG is now reporting SPAM, the THAT part SHOULD be handled as part of Declude Junkmail NOT as Declude Virus. I choose to use the list, whenever I have expended some time to track down a situation and realize that this will affect all users and thus will save everyone time from working on the same issue. That's the whole point of the list! Consequently, whenever AVG stops working altogether (which was doubted both times when I discovered it - until eventually it was determined to have been a problem after all), I will continue to report this on the list, because everyone needs to be aware that their internal scanner may be non-functioning for extended periods of time. The alternative would be for Declude to post an alert! When I notice that the Sniffer implementation has objectively incorrect or incomplete sample files, or have sample files that don't make it obvious that some IP based results will be triple-counted, then I feel justified in discussing this on the list as this will benefit OTHER users who don't have to re-learn what took me days to figure out. I will post on the list whenever I'm hoping to solicit feedback from a broader audience, to see if a situation I encountered was isolated or turns out to be more widespread. I will contact support@ whenever I suspect that I may have an isolated problem that needs to be analyzed first. In my opinion, I usually use the appropriate venue. But I accept that you may disagree and prefer that the list is quiet. Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, May 12, 2010 10:59 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] AVG reports SPAM as VIRUS! Andy, AVG is not integrated with Declude JM, this is AVG reporting the name of the virus as spam. 
Now, something may have changed that AVG is now detecting spam in their signatures however we were not made aware of this by AVG I will look further into this. As much as we do appreciate your feedback which helps Identify such problems, in some things it may be more helpful to first approach mailto:supp...@declude.com supp...@declude.com or myself dbar...@declude.com before engaging everyone in the list, your assumptions of PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling! and Declude MUST recognize that and NOT treat it like a virus are rather harsh to be posting to without having all the facts to begin with. Thanks David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, May 12, 2010 10:39 AM To: declude.virus@declude.com Subject: [Declude.Virus] AVG reports SPAM as VIRUS! Importance: High Hi, For the past few days, I'm seeing AVG suddenly reporting a virus SPAM: Virus Scanner Summary Report (Integrated AVG Scanner) Total Messages Processed: 19,499 Virus Infected Messages: 232 Percentage Infected: 1.19% VIRUS # INFECTED PERCENTAGE SPAM 232 1.19% resulting in these SMTP headers: X-Declude-Virus: Detected Spam [from IP 41.218.0.202 ([No Reverse DNS])]. and these reports: q061a000274936c02.smd AVG Reports VIRUS: Spam q061a000274936c02.smd File(s) are INFECTED [Spam: 7] q061a000274936c02.smd Scanned: CONTAINS A VIRUS [MIME: 1 424] q061a000274936c02.smd From: bloodiest...@rcbassociats.com To: elopre...@??? [incoming from 41.218.0.202] q061a000274936c02.smd Subject: Please attention! This causes a whole bunch of problems, e.g. a) I am unable to 'weigh' this Spam with other factors BEFORE it gets blocked. 
b) It bypasses the WhiteList feature (from the user's Webmail Contacts) c) It's treated like a Virus, hundreds of the configured virus notices are being emailed, etc. While I'm certainly in favor of any additional SPAM detection - but then it needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling! If AVG reports to Declude the virus name Spam, then Declude MUST recognize that and NOT treat it like a virus (or at least give us a config option NOT to.) Best Regards, Andy
RE: [Declude.Virus] AVG reports SPAM as VIRUS!
Andy,

My point was not that one shouldn't post to the list. We appreciate user input no matter how we feel about it; an open forum is very important for both Declude and users. All I am saying is if you had emailed us first then we could strike the assumption that we dumped a new spam test into virus handling, as you suggested:

"While I'm certainly in favor of any additional SPAM detection - but then it needs to be PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling!"

And then we could focus on the real issue of why is AVG reporting SPAM. Working together to solve a problem is the goal, so let's rule out the things we know it is not.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, May 12, 2010 11:35 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG reports SPAM as VIRUS!

Dave, I'm aware it's integrated in Declude Virus - that's why I chose the CORRECT list to discuss this. I referenced Declude Junkmail, because IF AVG is now reporting SPAM, the THAT part SHOULD be handled as part of Declude Junkmail NOT as Declude Virus. I choose to use the list, whenever I have expended some time to track down a situation and realize that this will affect all users and thus will save everyone time from working on the same issue. That's the whole point of the list! Consequently, whenever AVG stops working altogether (which was doubted both times when I discovered it - until eventually it was determined to have been a problem after all), I will continue to report this on the list, because everyone needs to be aware that their internal scanner may be non-functioning for extended periods of time. The alternative would be for Declude to post an alert!
When I notice that the Sniffer implementation has objectively incorrect or incomplete sample files, or have sample files that don't make it obvious that some IP based results will be triple-counted, then I feel justified in discussing this on the list as this will benefit OTHER users who don't have to re-learn what took me days to figure out. I will post on the list whenever I'm hoping to solicit feedback from a broader audience, to see if a situation I encountered was isolated or turns out to be more widespread. I will contact support@ whenever I suspect that I may have an isolated problem that needs to be analyzed first. In my opinion, I usually use the appropriate venue. But I accept that you may disagree and prefer that the list is quiet. Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, May 12, 2010 10:59 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] AVG reports SPAM as VIRUS! Andy, AVG is not integrated with Declude JM, this is AVG reporting the name of the virus as spam. Now, something may have changed that AVG is now detecting spam in their signatures however we were not made aware of this by AVG I will look further into this. As much as we do appreciate your feedback which helps Identify such problems, in some things it may be more helpful to first approach mailto:supp...@declude.com supp...@declude.com or myself dbar...@declude.com before engaging everyone in the list, your assumptions of PROPERLY IMPLEMENTED as part of Declude JunkMail not just dumped into the regular virus handling! and Declude MUST recognize that and NOT treat it like a virus are rather harsh to be posting to without having all the facts to begin with. 
Thanks David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, May 12, 2010 10:39 AM To: declude.virus@declude.com Subject: [Declude.Virus] AVG reports SPAM as VIRUS! Importance: High Hi, For the past few days, I'm seeing AVG suddenly reporting a virus SPAM: Virus Scanner Summary Report (Integrated AVG Scanner) Total Messages Processed: 19,499 Virus Infected Messages: 232 Percentage Infected: 1.19% VIRUS # INFECTED PERCENTAGE SPAM 232 1.19% resulting in these SMTP headers: X-Declude-Virus: Detected Spam [from IP 41.218.0.202 ([No Reverse DNS])]. and these reports: q061a000274936c02.smd AVG Reports VIRUS: Spam q061a000274936c02.smd File(s) are INFECTED [Spam: 7] q061a000274936c02.smd Scanned: CONTAINS A VIRUS [MIME: 1 424] q061a000274936c02.smd From: bloodiest...@rcbassociats.com To: elopre...@??? [incoming from 41.218.0.202] q061a000274936c02.smd Subject: Please attention! This causes a whole bunch of problems, e.g. a) I am unable to 'weigh' this Spam with other factors BEFORE it gets blocked. b) It bypasses the WhiteList feature (from the user's Webmail
RE: [Declude.Virus] AVG reports SPAM as VIRUS!
Dave - you are right! This appears to be a matter of poor labeling by AVG - and has nothing to do with Declude.

I have since looked through a large sample of held emails and they either are well crafted short Notices about a supposed change in SMTP, POP settings - which even lists the person's email address, and a warning to carefully read the enclosed instructions before making changes. Then there is a link to a ZIP file (which likely will be a virus). The other group of emails deals with a supposed non-deliverable DHL package that one needs to pick up at the post office after printing the attached label (with the link to a zip file).

All appears to be emails with links to malicious pages. In that respect, one can't argue that Declude Virus is the appropriate place to catch that (but then it's inconsistent for AVG to detect it with a label Spam).

You are further correct, that AVG has done a good job catching this one. I ran it past ClamD and the latest McAfee hourly signature - and neither flagged those emails.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, May 12, 2010 12:20 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] AVG reports SPAM as VIRUS!

Looks like it is part of their virus signatures, and the only line in the email was: http://glunis.g**glegroups.com/web/setup.zip

We could request that they change the name. If not, we will have to make a translation in our code to accommodate this.

File 45710617.eml received on 2010.05.12 16:16:29 (UTC)
Result: 1/41 (2.44%)
Re: [Declude.Virus] embedded AVG issue
David,

I was having this issue so I followed your directions below. After overwriting the current dlls, I could not get decludeproc to start. I determined that it was the avgsdk.dll that was in the newly downloaded zip file that was the culprit. I had to restore a previous version to get everything working again. I did notice that the new avgsdk.dll is substantially smaller than the old version.

So I am still having the issue originally described in the post.

Don

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Friday, May 07, 2010 1:25 PM
Subject: RE: [Declude.Virus] embedded AVG issue

We have seen this mostly with manual installs. Error: Could not start AVG Instance (17) has to do with the DLL. Please contact supp...@declude.com if you need assistance.

1. Stop decludeproc
2. Download http://interim.declude.com/41048/AVG-DLL.zip
3. Extract and replace the dll files overwriting your current dlls.
4. Start decludeproc
5. If the error persists or you get error 2 or error 4
6. Stop decludeproc
7. Delete all files in \declude\scanners\avg\db\
8. Start decludeproc this will initiate a new download of the AVG signatures

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

I thought I would check my virus logs which I have not done for a while. It is not working. See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

What could be the issue here?

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222
RE: [Declude.Virus] embedded AVG issue
Hi Don,

Here's what I have in C:\Imail\

11/06/2008 12:49 PM 61,440 AvApiBit.dll
11/06/2008 12:49 PM 61,440 AvApiSym.dll
04/29/2010 04:13 PM 834,328 avgcerta.dll
04/29/2010 04:13 PM 623,384 avgcertx.dll
04/29/2010 04:13 PM 4,250,392 avgcorex.dll
04/29/2010 04:13 PM 312,320 avgsdk.dll
10/21/2005 10:43 AM 32,768 Declude.exe
04/29/2010 04:12 PM 2,318,428 decludeproc.exe

(You can disregard the dates/times, they just represent the time when I copied those files).

Maybe do a DIR C:\av*.dll /s to make sure you don't have any duplicates elsewhere.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: Monday, May 10, 2010 7:28 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

David,

I was having this issue so I followed your directions below. After overwriting the current dlls, I could not get decludeproc to start. I determined that it was the avgsdk.dll that was in the newly downloaded zip file that was the culprit. I had to restore a previous version to get everything working again. I did notice that the new avgsdk.dll is substantially smaller than the old version. So I am still having the issue originally described in the post.

Don

- Original Message -
From: David Barker [mailto:dbar...@declude.com]
To: declude.virus@declude.com
Sent: Friday, May 07, 2010 1:25 PM
Subject: RE: [Declude.Virus] embedded AVG issue

We have seen this mostly with manual installs. Error: Could not start AVG Instance (17) has to do with the DLL. Please contact supp...@declude.com if you need assistance.

1. Stop decludeproc
2. Download http://interim.declude.com/41048/AVG-DLL.zip
3. Extract and replace the dll files overwriting your current dlls.
4. Start decludeproc
5. If the error persists or you get error 2 or error 4
6. Stop decludeproc
7. Delete all files in \declude\scanners\avg\db\
8. Start decludeproc (this will initiate a new download of the AVG signatures)

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

I thought I would check my virus logs which I have not done for a while. It is not working. See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

What could be the issue here?

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222
Re: [Declude.Virus] False Positives
Kevin, could you please send me one of the actual emails that was caught by the 'uuencoding bad end' Vulnerability as an attachment? Also, could you put your virus.cfg file in debug mode and send me the entire log snip from the next message that is caught by this vulnerability? You can send it directly to me if you like. My email address is lpagi...@declude.com. Thanks.

--
From: Linda Pagillo lpagi...@declude.com
Sent: Sunday, May 09, 2010 7:07 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] False Positives

You're welcome, Kevin and thanks for the log snip. I sent it over to development to obtain more detailed information about it. I will let you know as soon as I receive a response.

--
From: Kevin Rogers ke...@rootdesign.com
Sent: Friday, May 07, 2010 6:02 PM
To: declude.virus@declude.com
Cc: Linda Pagillo lpagi...@declude.com
Subject: Re: [Declude.Virus] False Positives

Thanks for your help Linda. Here are a couple log snippets of the 'uuencoding bad end' Vulnerability

05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]
05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65
05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543
05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408]

On 5/7/2010 7:31 AM, Linda Pagillo wrote:

Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false-positive. The address that the emails are coming from is not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore, not a false-positive.

As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice. Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file...

ALLOWVULNERABILITIESFROM u...@domain.com

If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead...

ALLOWVULNERABILITIESFROM domain.com (without the @ symbol)

You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again.

--
From: Kevin Rogers ke...@rootdesign.com
Sent: Thursday, May 06, 2010 8:39 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] False Positives

I'm getting several false positives a day for the following tests:

[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble

Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability]

I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives?
Re: [Declude.Virus] embedded AVG issue
Thanks Andy,

I found that I do not have avgcertx.dll. Should this file have been included in the zip download David made?

Don

- Original Message -
From: Andy Schmidt
To: declude.virus@declude.com
Sent: Monday, May 10, 2010 9:05 AM
Subject: RE: [Declude.Virus] embedded AVG issue

Hi Don,

Here's what I have in C:\Imail\

11/06/2008 12:49 PM 61,440 AvApiBit.dll
11/06/2008 12:49 PM 61,440 AvApiSym.dll
04/29/2010 04:13 PM 834,328 avgcerta.dll
04/29/2010 04:13 PM 623,384 avgcertx.dll
04/29/2010 04:13 PM 4,250,392 avgcorex.dll
04/29/2010 04:13 PM 312,320 avgsdk.dll
10/21/2005 10:43 AM 32,768 Declude.exe
04/29/2010 04:12 PM 2,318,428 decludeproc.exe

(You can disregard the dates/times, they just represent the time when I copied those files).

Maybe do a DIR C:\av*.dll /s to make sure you don't have any duplicates elsewhere.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: Monday, May 10, 2010 7:28 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

David,

I was having this issue so I followed your directions below. After overwriting the current dlls, I could not get decludeproc to start. I determined that it was the avgsdk.dll that was in the newly downloaded zip file that was the culprit. I had to restore a previous version to get everything working again. I did notice that the new avgsdk.dll is substantially smaller than the old version. So I am still having the issue originally described in the post.

Don

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Friday, May 07, 2010 1:25 PM
Subject: RE: [Declude.Virus] embedded AVG issue

We have seen this mostly with manual installs. Error: Could not start AVG Instance (17) has to do with the DLL. Please contact supp...@declude.com if you need assistance.

1. Stop decludeproc
2. Download http://interim.declude.com/41048/AVG-DLL.zip
3. Extract and replace the dll files overwriting your current dlls.
4. Start decludeproc
5. If the error persists or you get error 2 or error 4
6. Stop decludeproc
7. Delete all files in \declude\scanners\avg\db\
8. Start decludeproc (this will initiate a new download of the AVG signatures)

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

I thought I would check my virus logs which I have not done for a while. It is not working. See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

What could be the issue here?

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222
RE: [Declude.Virus] embedded AVG issue
Don,

The ZIP contains the correct dll's. The full declude list of dll's is as follows: (avgcertx.dll is not used and was only around during the interim releases)

COMMTOUCH: asapsdk.dll
PCRE: pcre3.dll
AVG: Avgsdk.dll, Avgcorex.dll, Avgcerta.dll
SNF: Mingwm10.dll, Snfmulti.dll

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: Monday, May 10, 2010 5:02 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

Thanks Andy,

I found that I do not have avgcertx.dll. Should this file have been included in the zip download David made?

Don

- Original Message -
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
To: declude.virus@declude.com
Sent: Monday, May 10, 2010 9:05 AM
Subject: RE: [Declude.Virus] embedded AVG issue

Hi Don,

Here's what I have in C:\Imail\

11/06/2008 12:49 PM 61,440 AvApiBit.dll
11/06/2008 12:49 PM 61,440 AvApiSym.dll
04/29/2010 04:13 PM 834,328 avgcerta.dll
04/29/2010 04:13 PM 623,384 avgcertx.dll
04/29/2010 04:13 PM 4,250,392 avgcorex.dll
04/29/2010 04:13 PM 312,320 avgsdk.dll
10/21/2005 10:43 AM 32,768 Declude.exe
04/29/2010 04:12 PM 2,318,428 decludeproc.exe

(You can disregard the dates/times, they just represent the time when I copied those files).

Maybe do a DIR C:\av*.dll /s to make sure you don't have any duplicates elsewhere.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: Monday, May 10, 2010 7:28 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] embedded AVG issue

David,

I was having this issue so I followed your directions below. After overwriting the current dlls, I could not get decludeproc to start. I determined that it was the avgsdk.dll that was in the newly downloaded zip file that was the culprit. I had to restore a previous version to get everything working again. I did notice that the new avgsdk.dll is substantially smaller than the old version. So I am still having the issue originally described in the post.

Don

- Original Message -
From: David Barker [mailto:dbar...@declude.com]
To: declude.virus@declude.com
Sent: Friday, May 07, 2010 1:25 PM
Subject: RE: [Declude.Virus] embedded AVG issue

We have seen this mostly with manual installs. Error: Could not start AVG Instance (17) has to do with the DLL. Please contact supp...@declude.com if you need assistance.

1. Stop decludeproc
2. Download http://interim.declude.com/41048/AVG-DLL.zip
3. Extract and replace the dll files overwriting your current dlls.
4. Start decludeproc
5. If the error persists or you get error 2 or error 4
6. Stop decludeproc
7. Delete all files in \declude\scanners\avg\db\
8. Start decludeproc (this will initiate a new download of the AVG signatures)

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

I thought I would check my virus logs which I have not done for a while. It is not working. See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

What could be the issue here?

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222
Re: [Declude.Virus] False Positives
You're welcome, Kevin and thanks for the log snip. I sent it over to development to obtain more detailed information about it. I will let you know as soon as I receive a response.

--
From: Kevin Rogers ke...@rootdesign.com
Sent: Friday, May 07, 2010 6:02 PM
To: declude.virus@declude.com
Cc: Linda Pagillo lpagi...@declude.com
Subject: Re: [Declude.Virus] False Positives

Thanks for your help Linda. Here are a couple log snippets of the 'uuencoding bad end' Vulnerability

05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]
05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65
05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543
05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408]

On 5/7/2010 7:31 AM, Linda Pagillo wrote:

Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false-positive. The address that the emails are coming from is not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore, not a false-positive.

As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice. Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file...

ALLOWVULNERABILITIESFROM u...@domain.com

If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead...

ALLOWVULNERABILITIESFROM domain.com (without the @ symbol)

You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again.

--
From: Kevin Rogers ke...@rootdesign.com
Sent: Thursday, May 06, 2010 8:39 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] False Positives

I'm getting several false positives a day for the following tests:

[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble

Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability]

I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives?
Re: [Declude.Virus] False Positives
Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false-positive. The address that the emails are coming from is not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore, not a false-positive.

As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice. Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file...

ALLOWVULNERABILITIESFROM u...@domain.com

If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead...

ALLOWVULNERABILITIESFROM domain.com (without the @ symbol)

You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again.

--
From: Kevin Rogers ke...@rootdesign.com
Sent: Thursday, May 06, 2010 8:39 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] False Positives

I'm getting several false positives a day for the following tests:

[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble

Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability]

I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives?
[Declude.Virus] embedded AVG issue
I thought I would check my virus logs which I have not done for a while. It is not working. See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

What could be the issue here?

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222

DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Thank you.
RE: [Declude.Virus] embedded AVG issue
We have seen this mostly with manual installs. Error: Could not start AVG Instance (17) has to do with the DLL. Please contact supp...@declude.com if you need assistance.

1. Stop decludeproc
2. Download http://interim.declude.com/41048/AVG-DLL.zip
3. Extract and replace the dll files overwriting your current dlls.
4. Start decludeproc
5. If the error persists or you get error 2 or error 4
6. Stop decludeproc
7. Delete all files in \declude\scanners\avg\db\
8. Start decludeproc (this will initiate a new download of the AVG signatures)

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry Vanderzand
Sent: Friday, May 07, 2010 2:09 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] embedded AVG issue

I thought I would check my virus logs which I have not done for a while. It is not working. See log entry:

05/07/2010 14:06:13.502 qb42e00250010.smd Scanned: Virus Free [MIME: 1 125]
05/07/2010 14:06:18.720 q990400280052.smd Vulnerability flags = 862
05/07/2010 14:06:18.814 q990400280052.smd Error: Could not start AVG Instance (17)
05/07/2010 14:06:18.814 q990400280052.smd Scanned: Virus Free [MIME: 2 1293]

What could be the issue here?

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222
Re: [Declude.Virus] False Positives
Thanks for your help Linda. Here are a couple log snippets of the 'uuencoding bad end' Vulnerability

05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]
05/06/2010 15:41:21.916 qa51e7cdae07c.smd Vulnerability flags = 65
05/06/2010 15:41:22.932 qa51e7cdae07c.smd 'uuencoding bad end' vulnerability in line 203543
05/06/2010 15:41:23.276 qa51e7cdae07c.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 12819408]

On 5/7/2010 7:31 AM, Linda Pagillo wrote:

Hi Kevin. Thanks for your post. I first would like to explain that what you are seeing is not a false-positive. The address that the emails are coming from is not a factor in the case of vulnerabilities. Our vulnerability checking looks for exploits in an email. If it finds one, it will mark it no matter who it is coming from. This is correct behavior for the tests and therefore, not a false-positive.

As for allowing these for everyone who sends to your server, I would advise against it, but of course, it is your choice. Instead I would allow vulnerabilities on a per-sender basis in order to be safe. For example, you said that you received 10 emails from a legit address that were caught as a vulnerability. In that case, I would allow vulnerabilities for that particular user. You can do that by adding a line to your virus.cfg file...

ALLOWVULNERABILITIESFROM u...@domain.com

If you wanted to allow vulnerabilities from the entire domain, you would add the following line instead...

ALLOWVULNERABILITIESFROM domain.com (without the @ symbol)

You mentioned that the vulnerability you are seeing from the user in question is the 'uuencoding bad end' Vulnerability. Where are you seeing this? Is it in the email or the virus.cfg log? Could you copy and paste it from the log or email so I can send it over to development for review? Thanks again.

--
From: Kevin Rogers ke...@rootdesign.com
Sent: Thursday, May 06, 2010 8:39 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] False Positives

I'm getting several false positives a day for the following tests:

[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble

Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability]

I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives?
[Declude.Virus] False Positives
I'm getting several false positives a day for the following tests:

[Outlook 'Blank Folding' Vulnerability]
MIME segment in MIME Postamble

Today I received 10 false positives (from the same legit email address) of ['uuencoding bad end' Vulnerability]

I can't even find the 'uuencoding bad end' vulnerability in virus.cfg to allow it. This is the first I've seen of this test. I was getting too many of the OLMIMESEGMIMEPRE test before I had to allow them. I am running the latest v4.10.48 on Imail. Are other people using these tests without many/any false positives?
[Declude.Virus] RE: Internal (AVG Scanner) does NOT report file name
Hi Dave (just in case this was overlooked in all the activity last week):

Considering that AVG is integrated INTO Declude, it should interface at LEAST as good as any external scanner. However, the virus bounce message filename variable is NOT set when a virus is caught by AVG. Only the Virus Name variable is populated.

Obviously, Declude is AWARE of the file name, because when Declude passes control to an external scanner next, then the infected file is reported correctly. So there should be no good reason why a virus caught by the internal scanner would not report the filename!?

This is also evident in the LOG file. Here's the EICAR virus caught by AVG in the .48 build. It only reports the virus name EICAR_Test.

04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
04/29/2010 22:22:20.277 qeae800cc0002.smd File(s) are INFECTED [EICAR_Test: 7]
04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]

If the SAME file is detected by an external scanner (in this case ClamAV) it reports the virus name AND the file name:

04/28/2010 12:49:29.722 q6748c63e0425.smd Virus scanner 1 reports exit code of 1
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanner 1: Virus= Eicar-Test-Signature Attachment=eicar.zip [61] I
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 875]

The AVG integration should be improved to match the quality of integration of external scanners.

Best Regards,
Andy
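An added example (not part of the thread and not Declude code): a small Python parser for the log lines quoted in these messages. It shows that AVG detections carry no attachment name while external-scanner detections do, separates vulnerability-only verdicts from named viruses, and lists scanners that have logged nothing recently. The line patterns are inferred only from the lines quoted on this page; the function names and the two-day threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: log lines quoted in the messages on this page, joined together.
SAMPLE_LOG = """\
04/28/2010 12:49:29.722 q6748c63e0425.smd Virus scanner 1 reports exit code of 1
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanner 1: Virus= Eicar-Test-Signature Attachment=eicar.zip [61] I
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 875]
04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
04/29/2010 22:22:20.277 qeae800cc0002.smd File(s) are INFECTED [EICAR_Test: 7]
04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]
05/06/2010 15:39:30.823 q126c7cd3e05f.smd Vulnerability flags = 65
05/06/2010 15:39:31.854 q126c7cd3e05f.smd 'uuencoding bad end' vulnerability in line 208152
05/06/2010 15:39:32.166 q126c7cd3e05f.smd Scanned: CONTAINS A VIRUS [UU: 2 46771][MIME: 3 13110006]
"""

# timestamp, spool file, free-text message
LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (\S+\.smd) (.*)$")

# (pattern, function turning the match into (source, name, attachment))
PATTERNS = [
    (re.compile(r"AVG Reports VIRUS: (\S+)"),
     lambda m: ("AVG", m.group(1), None)),
    (re.compile(r"Scanner (\d+): Virus= (\S+) Attachment=(\S+)"),
     lambda m: ("Scanner " + m.group(1), m.group(2), m.group(3))),
    (re.compile(r"'([^']+)' vulnerability in line \d+"),
     lambda m: ("vulnerability", m.group(1), None)),
]


def parse_log(text):
    """Return one dict per detection line: time, spool, source, name, attachment."""
    findings = []
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # blank or unrecognised line
        when = datetime.strptime(line.group(1), "%m/%d/%Y %H:%M:%S.%f")
        for pattern, build in PATTERNS:
            hit = pattern.match(line.group(3))
            if hit:
                source, name, attachment = build(hit)
                findings.append({"time": when, "spool": line.group(2),
                                 "source": source, "name": name,
                                 "attachment": attachment})
                break
    return findings


def verdicts(findings):
    """Map spool file -> 'virus' if a scanner named one, else 'vulnerability-only'."""
    result = {}
    for f in findings:
        kind = "vulnerability-only" if f["source"] == "vulnerability" else "virus"
        if result.get(f["spool"]) != "virus":
            result[f["spool"]] = kind
    return result


def silent_sources(findings, expected, now, max_age):
    """Return the expected scanners with no detection logged within max_age of now."""
    last = {}
    for f in findings:
        if f["source"] not in last or f["time"] > last[f["source"]]:
            last[f["source"]] = f["time"]
    return [s for s in expected if s not in last or now - last[s] > max_age]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["spool"], f["source"], f["name"],
              f["attachment"] or "(no file name logged)")
    print(verdicts(found))
    print(silent_sources(found, ["AVG", "Scanner 1"],
                         datetime(2010, 5, 1), timedelta(days=2)))
```

A quiet scanner on a low-volume server is not proof of a fault, so a silence report like this is a prompt to run a known test file through the scanner, not a verdict on its own.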
RE: [Declude.Virus] RE: Internal (AVG Scanner) does NOT report file name
We agreed that adding the file name would be useful and it is on the dev list. I thought I posted this to the list but it may have got overlooked with all the activity from last week ;)

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, May 03, 2010 1:41 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] RE: Internal (AVG Scanner) does NOT report file name

Hi Dave (just in case this was overlooked in all the activity last week):

Considering that AVG is integrated INTO Declude, it should interface at LEAST as good as any external scanner. However, the virus bounce message filename variable is NOT set when a virus is caught by AVG. Only the Virus Name variable is populated.

Obviously, Declude is AWARE of the file name, because when Declude passes control to an external scanner next, then the infected file is reported correctly. So there should be no good reason why a virus caught by the internal scanner would not report the filename!?

This is also evident in the LOG file. Here's the EICAR virus caught by AVG in the .48 build. It only reports the virus name EICAR_Test.

04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
04/29/2010 22:22:20.277 qeae800cc0002.smd File(s) are INFECTED [EICAR_Test: 7]
04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]

If the SAME file is detected by an external scanner (in this case ClamAV) it reports the virus name AND the file name:

04/28/2010 12:49:29.722 q6748c63e0425.smd Virus scanner 1 reports exit code of 1
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanner 1: Virus= Eicar-Test-Signature Attachment=eicar.zip [61] I
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 875]

The AVG integration should be improved to match the quality of integration of external scanners.

Best Regards,
Andy
RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!
Andy is correct, it should be remembered that no AV is 100% accurate. This is why besides AVG and Commtouch which are integrated into Declude users can run up to 5 additional external virus scanners using Declude, and as seen from the lists ClamAV is a good choice for a free scanner.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, April 29, 2010 11:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Declude Users - take note! CommTouch/Zerohour does a good job, but does not catch all known viruses (some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to multiple users each!), it's absolutely imperative that AVG works if you don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks or possible months it has not worked). I have confirmed that AVG is now working again after I upgraded from 4.10.42-A to 4.10.48. So - I recommend all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for extended periods of times - and it's never discovered until I finally insist. Naturally, I have zero confidence in the built-in scanner. It's unreliable and there is no notification whenever it stops working.)

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com; declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44 Optimize code for moving files to the spool directory for Smartermail
4.10.43 Fixed variable names in the MoveToError function which were declared globally
4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc
4.10.42 Message Sniffer integrated into Declude
4.10.41 Added variable %AUTH% to show the authenticated sender of the email
4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email
4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder
To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.
HIJNOTIFY ON
Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.
4.8.39 IPBYPASS can be configured with CIDR
4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. The format blklst.txt file is
Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
Example: Multiple Recipients:
10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment
RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!
Uhhh.. I am pretty sure that was not the point he was trying to make. While no AV is 100 percent effective, there is no reason for it not to work for days or weeks. It would appear that when core files with AVG are exploited, AVG obviously pushed out a software update to their software and I assume it needs manually implemented in Declude. Some clarification on this matter would be great.

Mike

-----Original Message-----
From: David Barker dbar...@declude.com
Sent: Friday, April 30, 2010 10:21 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Andy is correct, it should be remembered that no AV is 100% accurate. This is why besides AVG and Commtouch which are integrated into Declude users can run up to 5 additional external virus scanners using Declude, and as seen from the lists ClamAV is a good choice for a free scanner.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, April 29, 2010 11:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Declude Users take note! CommTouch/Zerohour does a good job, but does not catch all known viruses (some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to multiple users each!), it's absolutely imperative that AVG works if you don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks or possible months it has not worked). I have confirmed that AVG is now working again after I upgraded from 4.10.42-A to 4.10.48. So I recommend all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for extended periods of times and it's never discovered until I finally insist.
Naturally, I have zero confidence in the built-in scanner. It's unreliable and there is no notification whenever it stops working.)

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com; declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44 Optimize code for moving files to the spool directory for Smartermail
4.10.43 Fixed variable names in the MoveToError function which were declared globally
4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc
4.10.42 Message Sniffer integrated into Declude
4.10.41 Added variable %AUTH% to show the authenticated sender of the email
4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email
4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder
To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.
HIJNOTIFY ON
Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.
4.8.39 IPBYPASS can be configured with CIDR
RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!
Mike,

I understand what the point of Andy's email is. I was commenting on "CommTouch/Zerohour does a good job, but does not catch all known viruses"

Yes AVG made a change to their database structure - Declude 4.10.46+ makes use of their new data structure, this is integrated into the new release. In order for Declude to work with the latest AVG updates one needs to be running Declude version 4.10.46 or greater. If you have additional virus scanners other than AVG or are running Commtouch then the move to the latest version is not as imperative.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Biddle (via mobile device)
Sent: Friday, April 30, 2010 4:40 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Uhhh.. I am pretty sure that was not the point he was trying to make. While no AV is 100 percent effective, there is no reason for it not to work for days or weeks. It would appear that when core files with AVG are exploited, AVG obviously pushed out a software update to their software and I assume it needs manually implemented in Declude. Some clarification on this matter would be great.

Mike

From: David Barker dbar...@declude.com
Sent: Friday, April 30, 2010 10:21 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Andy is correct, it should be remembered that no AV is 100% accurate. This is why besides AVG and Commtouch which are integrated into Declude users can run up to 5 additional external virus scanners using Declude, and as seen from the lists ClamAV is a good choice for a free scanner.
David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, April 29, 2010 11:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Declude Users - take note! CommTouch/Zerohour does a good job, but does not catch all known viruses (some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to multiple users each!), it's absolutely imperative that AVG works if you don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks or possible months it has not worked). I have confirmed that AVG is now working again after I upgraded from 4.10.42-A to 4.10.48. So - I recommend all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for extended periods of times - and it's never discovered until I finally insist. Naturally, I have zero confidence in the built-in scanner. It's unreliable and there is no notification whenever it stops working.)

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com; declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44 Optimize code for moving files to the spool directory for Smartermail
4.10.43 Fixed variable names in the MoveToError function which were declared globally
4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc
4.10.42 Message Sniffer integrated into Declude
4.10.41 Added variable %AUTH
[Declude.Virus] ClamD and mangled DB's
Hello!

I have had freshclam mangle the DB a number of times, and when it does, clamd will freak out until the next successful DB update fixes things, which may be several hours. For this reason, I do not run clamd as a service, but as a process in a window which is started with a script that loops. When clamd resets for a new (mangled) DB, the script will delete and refresh all of the DB's and then restart clamd. A side benefit is that you can also pull up the clamd windows to see its output.

Take care!
John

On 4/29/2010 11:10 PM, Michael Cummins wrote:

When I set up Clam earlier today, I was able to run it from the command line and test it against an EICAR file, get a response, etc. I saw it fail against the bad database and succeed when properly configured. I imagine that I could easily schedule that, pipe the results to a text file and schedule a bot to read it regularly and e-mail me if the test fails. That would let me know if FreshClam ever mangled the database.

Is there a way we could do the same with Declude and the Internal AVG scanner / database? Is there some way to execute it from a command line, point it at EICAR and get a parse-able result? That could be awfully handy.

-- Michael Cummins

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, April 29, 2010 11:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Declude Users - take note! CommTouch/Zerohour does a good job, but does not catch all known viruses (some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to multiple users each!), it's absolutely imperative that AVG works if you don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks or possible months it has not worked). I have confirmed that AVG is now working again after I upgraded from 4.10.42-A to 4.10.48.
So - I recommend all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for extended periods of times - and it's never discovered until I finally insist. Naturally, I have zero confidence in the built-in scanner. It's unreliable and there is no notification whenever it stops working.)

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com; declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44 Optimize code for moving files to the spool directory for Smartermail
4.10.43 Fixed variable names in the MoveToError function which were declared globally
4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc
4.10.42 Message Sniffer integrated into Declude
4.10.41 Added variable %AUTH% to show the authenticated sender of the email
4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email
4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder
To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.
HIJNOTIFY ON
Add the include HijackNotify.eml into the \Declude directory
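An added example (not part of the thread): the scheduled EICAR check Michael describes, written in Python for a command-line scanner. It assumes the scanner follows clamscan's exit-code convention (0 clean, 1 virus found, anything else an error); the function names are illustrative, and nothing here drives Declude's internal AVG scanner, for which the thread gives no command line.

```python
import os
import subprocess
import sys
import tempfile

# Standard EICAR anti-virus test string (harmless), built from two halves so
# that this script is not itself quarantined by an on-access scanner.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def run_canary(scanner_cmd, timeout=120):
    """Scan a freshly written EICAR file with scanner_cmd + [path].

    Returns 'detected' (exit code 1), 'missed' (exit code 0) or 'error'
    (any other exit code, a timeout, or a scanner that could not be started).
    """
    fd, path = tempfile.mkstemp(suffix=".com")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(EICAR)
        try:
            done = subprocess.run(scanner_cmd + [path],
                                  stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL,
                                  timeout=timeout)
        except (OSError, subprocess.TimeoutExpired):
            return "error"
    finally:
        try:
            os.remove(path)
        except OSError:
            pass  # already removed, e.g. by an on-access scanner
    return {0: "missed", 1: "detected"}.get(done.returncode, "error")


def report(result):
    """Return (healthy, message) for the scheduler or mail job to act on."""
    if result == "detected":
        return True, "scanner flagged the EICAR test file"
    if result == "missed":
        return False, "scanner ran but did NOT flag EICAR: check the signature database"
    return False, "scanner failed to run or returned an error: check the service and database"


if __name__ == "__main__":
    # Assumption: clamscan is on PATH; --no-summary only trims its output.
    healthy, message = report(run_canary(["clamscan", "--no-summary"]))
    print(message)
    sys.exit(0 if healthy else 1)  # non-zero exit lets the scheduled job raise the alert
```

Both failure results matter here: a mangled database typically shows up as the scanner erroring out, while a scanner that runs against an empty or stale database shows up as a miss.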
RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!
Hi Dave,

I guess the key question is - WHEN did AVG make the change. They released Version AVG 9 last October. Is THAT when AVG made the database structure change which disabled the internal Virus Scanner in Declude until 4.10.46 was made available as an interim? If so - I must have missed the big announcement that 4.10.46 was critical to install (since there is no way of knowing how many Declude customers are using a secondary scanner and thus are not fully exposed.).

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, April 30, 2010 4:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Mike,

I understand what the point of Andy's email is. I was commenting on "CommTouch/Zerohour does a good job, but does not catch all known viruses"

Yes AVG made a change to their database structure - Declude 4.10.46+ makes use of their new data structure, this is integrated into the new release. In order for Declude to work with the latest AVG updates one needs to be running Declude version 4.10.46 or greater. If you have additional virus scanners other than AVG or are running Commtouch then the move to the latest version is not as imperative.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Biddle (via mobile device)
Sent: Friday, April 30, 2010 4:40 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Uhhh.. I am pretty sure that was not the point he was trying to make. While no AV is 100 percent effective, there is no reason for it not to work for days or weeks. It would appear that when core files with AVG are exploited, AVG obviously pushed out a software update to their software and I assume it needs manually implemented in Declude. Some clarification on this matter would be great.
Mike

From: David Barker dbar...@declude.com
Sent: Friday, April 30, 2010 10:21 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Andy is correct, it should be remembered that no AV is 100% accurate. This is why besides AVG and Commtouch which are integrated into Declude users can run up to 5 additional external virus scanners using Declude, and as seen from the lists ClamAV is a good choice for a free scanner.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, April 29, 2010 11:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Declude Users - take note! CommTouch/Zerohour does a good job, but does not catch all known viruses (some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to multiple users each!), it's absolutely imperative that AVG works if you don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks or possible months it has not worked). I have confirmed that AVG is now working again after I upgraded from 4.10.42-A to 4.10.48. So - I recommend all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for extended periods of times - and it's never discovered until I finally insist. Naturally, I have zero confidence in the built-in scanner. It's unreliable and there is no notification whenever it stops working.)
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com; declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44
RE: [Declude.Virus] ClamAV
In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code:

First, I installed ClamAID using the default options. (SmarterMail / Declude install for me)

http://www.armresearch.com/tools/arm/clamAID.jsp

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll, but I don't know if it uses it once we replace the files here in a bit, because...

...when FreshClam goes to update the DB, it mangles the DB and dies, because version 0.92 isn't supported anymore.

Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam services and I commented out the lines it added in virus.cfg so I could get it all running properly again.

I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and extracted the files to a folder. I grabbed all the .exe and .dll files and replaced the old ones in \Program Files\Clam AV.

I edited \conf\clamd.conf and commented out the deprecated MailFollowURLs on line 226.

I deleted the files in \data\ and created a \db\. I set the log levels in clamd.conf and freshclam.conf to high so I could see things chugging along until I was comfortable. I hard set the database to \db\ in the conf files, and set verbose logging.

I cranked up the services, and watched FreshClam download new profiles to \db\. Once the db was downloaded, I tested Clam from the command prompt as described on the armresearch page, and everything looked like it was working fine.

I uncommented the lines in Declude, restarted Declude, and watched it all start humming. Now I am just keeping an eye on things, and waiting for Clam to catch a virus.

-- Michael Cummins
RE: [Declude.Virus] ClamAV
There really is no need for ClamAid, because the recent builds (including oss.netfarm.it) already are able to install themselves as services, and the additional ClamAid DLLs will be obsolete once you install the official version. So unless you need help adding the 3 lines to the Virus.cfg, ClamAid probably makes things unnecessarily complicated...

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
Sent: Thursday, April 29, 2010 2:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code:

First, I installed ClamAID using the default options. (SmarterMail / Declude install for me)

http://www.armresearch.com/tools/arm/clamAID.jsp

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll, but I don't know if it uses it once we replace the files here in a bit, because...

...when FreshClam goes to update the DB, it mangles the DB and dies, because version 0.92 isn't supported anymore.

Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam services and I commented out the lines it added in virus.cfg so I could get it all running properly again.

I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and extracted the files to a folder. I grabbed all the .exe and .dll files and replaced the old ones in \Program Files\Clam AV.

I edited \conf\clamd.conf and commented out the deprecated MailFollowURLs on line 226.

I deleted the files in \data\ and created a \db\. I set the log levels in clamd.conf and freshclam.conf to high so I could see things chugging along until I was comfortable. I hard set the database to \db\ in the conf files, and set verbose logging.

I cranked up the services, and watched FreshClam download new profiles to \db\.
Once the db was downloaded, I tested Clam from the command prompt as described on the armresearch page, and everything looked like it was working fine.

I uncommented the lines in Declude, restarted Declude, and watched it all start humming. Now I am just keeping an eye on things, and waiting for Clam to catch a virus.

-- Michael Cummins
RE: [Declude.Virus] ClamAV
The official download from Clam wouldn't install on my Windows 2003 box. It said it only supports Windows 7, Vista, told me to go pound sand, yada yada.

The stuff at oss.netfarm.it didn't come with very much in the way of instructions, but the ClamAID stuff did and it was also familiar with Declude so it gave me a warm and fuzzy feeling. It also didn't look like clamav-win32-0.96.7z was going to set up FreshClam as a service, or at least didn't mention it, and I hate installing random product just to see what it does. Not dissing anything, just explaining why I chose it.

You're completely right. I'm completely clam-n00b. I've never worked with ClamAV, don't know its parts and pieces from a raccoon skin hat, and was grateful to have a nice page of instructions (thanks, ARM!), especially on how to test it before configuring Declude. Also, the ClamAID example used the .conf file in their Declude config, while the Declude example didn't. I thought that was handy, too. It at least gave me a place I could kludge from, and now I know a lot more about how the product works.

Just splaining where my head was and leaving a trail here in the archives in case it helps someone else. :)

- Michael Cummins

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, April 29, 2010 3:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

There really is no need for ClamAid, because the recent builds (including oss.netfarm.it) already are able to install themselves as services, and the additional ClamAid DLLs will be obsolete once you install the official version. So unless you need help adding the 3 lines to the Virus.cfg, ClamAid probably makes things unnecessarily complicated...
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
Sent: Thursday, April 29, 2010 2:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code:

First, I installed ClamAID using the default options. (SmarterMail / Declude install for me)

http://www.armresearch.com/tools/arm/clamAID.jsp

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll, but I don't know if it uses it once we replace the files here in a bit, because...

...when FreshClam goes to update the DB, it mangles the DB and dies, because version 0.92 isn't supported anymore.

Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam services and I commented out the lines it added in virus.cfg so I could get it all running properly again.

I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and extracted the files to a folder. I grabbed all the .exe and .dll files and replaced the old ones in \Program Files\Clam AV.

I edited \conf\clamd.conf and commented out the deprecated MailFollowURLs on line 226.

I deleted the files in \data\ and created a \db\. I set the log levels in clamd.conf and freshclam.conf to high so I could see things chugging along until I was comfortable. I hard set the database to \db\ in the conf files, and set verbose logging.

I cranked up the services, and watched FreshClam download new profiles to \db\. Once the db was downloaded, I tested Clam from the command prompt as described on the armresearch page, and everything looked like it was working fine.

I uncommented the lines in Declude, restarted Declude, and watched it all start humming. Now I am just keeping an eye on things, and waiting for Clam to catch a virus.
-- Michael Cummins --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] ClamAV
Thanks Michael for the effort to 'splain! I appreciated it. Make sure you are using the sanesecurity sigs as well as the MSRBL's

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Michael Cummins mich...@i-magery.com
Sent: Thursday, April 29, 2010 3:02 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code:

First, I installed ClamAID using the default options. (SmarterMail / Declude install for me)

http://www.armresearch.com/tools/arm/clamAID.jsp

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll, but I don't know if it uses it once we replace the files here in a bit, because... when FreshClam goes to update the DB, it mangles the DB and dies, because version 0.92 isn't supported anymore.

Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam services and I commented out the lines it added in virus.cfg so I could get it all running properly again.

I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and extracted the files to a folder. I grabbed all the .exe and .dll files and replaced the old ones in \Program Files\Clam AV.

I edited \conf\clamd.conf and commented out the deprecated MailFollowURLs on line 226. I deleted the files in \data\ and created a \db\. I set the log levels in clamd.conf and freshclam.conf to high so I could see things chugging along until I was comfortable. I hard set the database to \db\ in the conf files, and set verbose logging.

I cranked up the services, and watched FreshClam download new profiles to \db\. Once the db was downloaded, I tested Clam from the command prompt as described on the armresearch page, and everything looked like it was working fine.

I uncommented the lines in Declude, restarted Declude, and watched it all start humming. Now I am just keeping an eye on things, and waiting for Clam to catch a virus.

-- Michael Cummins
Re: [Declude.Virus] ClamAV
Michael,

I created a step-by-step guide a little over a year ago for the proper installation. It's pretty simple to do. I can't say however if the steps have changed in the latest release, and obviously the version that I linked to is old now and should be updated. So here are my abridged directions for a standard install.

1) You need 7zip installed (http://www.7-zip.org/), and to open files in 7zip, you open the file manager and double click the 7z or ZIP files.

2) Download the Current Stable code from http://oss.netfarm.it/clamav/
   For Windows 32bit, it would be clamav-win32-0.94.2.7z

3) Create a directory structure with C:\ClamAV and also create a sub-directory of C:\ClamAV\DB
   Put the files from the above 7z file into C:\ClamAV

4) Run C:\ClamAV\clamav.reg to put some directory entries into the registry. These are by default pointing to the directory structure that I am using.

5) From a command prompt run
       C:\ClamAV\freshclam.exe --datadir=C:\ClamAV\DB --daemon-notify
   This will download the latest definitions and let the service know to reload them if new ones are found. You want to schedule a task to run this every 15 minutes (there is virtually no load if no updates are available). There is no need to install freshclam as a service.

6) From a command prompt run
       C:\ClamAV\clamd --install
   This will install the ClamWin Free Antivirus Scanner Service
   You then want to edit the service properties to start automatically, and set your recovery options to restart the service.

7) Download the ClamAV GUI Wrapper from http://oss.netfarm.it/clamav/
   You only need one file from this zip, ClamAV-GUI.exe, and you want to place that in C:\ClamAV
   This is a simple GUI for scanning files and directories and can be useful. You can create a short-cut for it if you want.

8) Configure Declude for ClamAV with the following (it is probably best to have this as the first scanner since it is the fastest):
       SCANFILE1 C:\ClamAV\ClamDScan.exe --quiet --no-summary -l report.txt
       VIRUSCODE1 1
       REPORT1.

9) Check your virus logs for Virus scanner 1 reports in order to verify that it is running.

Note, if you want to use a non-default location, you will need to change the location in the following three things (don't quote me on this)

1) clamav.reg
2) clamd.conf
3) The freshclam.exe --datadir argument

Matt

On 4/29/2010 4:14 PM, Michael Cummins wrote:

The official download from Clam wouldn't install on my Windows 2003 box. It said it only supports Windows 7, Vista, told me to go pound sand, yada yada.

The stuff at oss.netfarm.it didn't come with very much in the way of instructions, but the ClamAID stuff did and it was also familiar with Declude so it gave me a warm and fuzzy feeling. It also didn't look like clamav-win32-0.96.7z was going to set up FreshClam as a service, or at least didn't mention it, and I hate installing random product just to see what it does. Not dissing anything, just explaining why I chose it.

You're completely right. I'm completely clam-n00b. I've never worked with ClamAV, don't know its parts and pieces from a racoon skin hat, and was grateful to have a nice page of instructions (thanks, ARM!), especially on how to test it before configuring Declude.

Also, the ClamAID example used the .conf file in their Declude config, while the Declude example didn't. I thought that was handy, too. It at least gave me a place I could kludge from, and now I know a lot more about how the product works.

Just splaining where my head was and leaving a trail here in the archives in case it helps someone else. :)

- Michael Cummins

*From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of *Andy Schmidt
*Sent:* Thursday, April 29, 2010 3:14 PM
*To:* declude.virus@declude.com
*Subject:* RE: [Declude.Virus] ClamAV

There really is no need for ClamAid, because the recent builds (including oss.netfarm.it) already are able to install themselves as services, and the additional ClamAid DLLs will be obsolete once you install the official version. So unless you need help adding the 3 lines to the Virus.cfg, ClamAid probably makes things unnecessarily complicated...

*From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of *Michael Cummins
*Sent:* Thursday, April 29, 2010 2:50 PM
*To:* declude.virus@declude.com
*Subject:* RE: [Declude.Virus] ClamAV

In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code:

First, I installed ClamAID using the default options. (SmarterMail / Declude install for me)

http://www.armresearch.com/tools/arm/clamAID.jsp

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll, but I don't
RE: [Declude.Virus] ClamAV
Nothing really changed with the current version - other than making sure that you have the proper version of the VC runtime installed. It absolutely HAS to match - so it's worth mentioning as an installation step.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Thursday, April 29, 2010 6:05 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ClamAV

Michael,

I created a step-by-step guide a little over a year ago for the proper installation. It's pretty simple to do. I can't say however if the steps have changed in the latest release, and obviously the version that I linked to is old now and should be updated. So here are my abridged directions for a standard install.

1) You need 7zip installed (http://www.7-zip.org/), and to open files in 7zip, you open the file manager and double click the 7z or ZIP files.

2) Download the Current Stable code from http://oss.netfarm.it/clamav/
   For Windows 32bit, it would be clamav-win32-0.94.2.7z

3) Create a directory structure with C:\ClamAV and also create a sub-directory of C:\ClamAV\DB
   Put the files from the above 7z file into C:\ClamAV

4) Run C:\ClamAV\clamav.reg to put some directory entries into the registry. These are by default pointing to the directory structure that I am using.

5) From a command prompt run
       C:\ClamAV\freshclam.exe --datadir=C:\ClamAV\DB --daemon-notify
   This will download the latest definitions and let the service know to reload them if new ones are found. You want to schedule a task to run this every 15 minutes (there is virtually no load if no updates are available). There is no need to install freshclam as a service.

6) From a command prompt run
       C:\ClamAV\clamd --install
   This will install the ClamWin Free Antivirus Scanner Service
   You then want to edit the service properties to start automatically, and set your recovery options to restart the service.

7) Download the ClamAV GUI Wrapper from http://oss.netfarm.it/clamav/
   You only need one file from this zip, ClamAV-GUI.exe, and you want to place that in C:\ClamAV
   This is a simple GUI for scanning files and directories and can be useful. You can create a short-cut for it if you want.

8) Configure Declude for ClamAV with the following (it is probably best to have this as the first scanner since it is the fastest):
       SCANFILE1 C:\ClamAV\ClamDScan.exe --quiet --no-summary -l report.txt
       VIRUSCODE1 1
       REPORT1.

9) Check your virus logs for Virus scanner 1 reports in order to verify that it is running.

Note, if you want to use a non-default location, you will need to change the location in the following three things (don't quote me on this)

1) clamav.reg
2) clamd.conf
3) The freshclam.exe --datadir argument

Matt

On 4/29/2010 4:14 PM, Michael Cummins wrote:

The official download from Clam wouldn't install on my Windows 2003 box. It said it only supports Windows 7, Vista, told me to go pound sand, yada yada.

The stuff at oss.netfarm.it didn't come with very much in the way of instructions, but the ClamAID stuff did and it was also familiar with Declude so it gave me a warm and fuzzy feeling. It also didn't look like clamav-win32-0.96.7z was going to set up FreshClam as a service, or at least didn't mention it, and I hate installing random product just to see what it does. Not dissing anything, just explaining why I chose it.

You're completely right. I'm completely clam-n00b. I've never worked with ClamAV, don't know its parts and pieces from a racoon skin hat, and was grateful to have a nice page of instructions (thanks, ARM!), especially on how to test it before configuring Declude.

Also, the ClamAID example used the .conf file in their Declude config, while the Declude example didn't. I thought that was handy, too. It at least gave me a place I could kludge from, and now I know a lot more about how the product works.

Just splaining where my head was and leaving a trail here in the archives in case it helps someone else. :)

- Michael Cummins

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, April 29, 2010 3:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

There really is no need for ClamAid, because the recent builds (including oss.netfarm.it) already are able to install themselves as services, and the additional ClamAid DLLs will be obsolete once you install the official version. So unless you need help adding the 3 lines to the Virus.cfg, ClamAid probably makes things unnecessarily complicated...

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
Sent: Thursday, April 29, 2010 2:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code:

First, I installed ClamAID using the default options. (SmarterMail / Declude install for me
RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!
Declude Users - take note!

CommTouch/Zerohous does a good job, but does not catch all known viruses (some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to multiple users each!), it's absolutely imperative that AVG works if you don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks or possibly months it has not worked). I have confirmed that AVG is now working again after I upgraded from 4.10.42-A to 4.10.48.

So - I recommend all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for extended periods of time - and it's never discovered until I finally insist. Naturally, I have zero confidence in the built-in scanner. It's unreliable and there is no notification whenever it stops working.)

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com; declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44 Optimize code for moving files to the spool directory for Smartermail
4.10.43 Fixed variable names in the MoveToError function which were declared globally
4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc
4.10.42 Message Sniffer integrated into Declude
4.10.41 Added variable %AUTH% to show the authenticated sender of the email
4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email
4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder
       To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.
           HIJNOTIFY ON
       Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.
4.8.39 IPBYPASS can be configured with CIDR
4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file.
       The format blklst.txt file is
           Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
       Example:
       Multiple Recipients:
           10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETENRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|
       One Recipient:
           10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|
4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file Configuration
[Declude.Virus] Internal (AVG Scanner) does NOT report file name
Hi,

Considering that AVG is integrated INTO Declude, it should interface at LEAST as good as any external scanner.

However, the virus bounce message filename variable is NOT set when a virus is caught by AVG. Only the Virus Name variable is populated. But when a virus is caught by the external scanners, then the infected file is reported correctly.

This is also evident in the LOG file. Here's the EICAR virus caught by AVG in the .48 build. It only reports the virus name EICAR_Test.

04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
04/29/2010 22:22:20.277 qeae800cc0002.smd File(s) are INFECTED [EICAR_Test: 7]
04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]

If the SAME file is detected by an external scanner (in this case ClamAV) it reports the virus name AND the file name:

04/28/2010 12:49:29.722 q6748c63e0425.smd Virus scanner 1 reports exit code of 1
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanner 1: Virus= Eicar-Test-Signature Attachment=eicar.zip [61] I
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 875]

The AVG integration should be improved to match the quality of external scanner.

Best Regards,
Andy
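The gap described in the message above can be measured from the log itself. The following Python sketch is an added example, not Declude code and not part of the original post: it parses only the two detection line shapes quoted in the message, records whether an attachment name was logged, and lists scanners that reported nothing. The scanner labels passed to `silent_scanners` are hypothetical.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# The six log lines quoted in the message above, whitespace as shown on this page.
SAMPLE_LOG = """\
04/29/2010 22:22:20.277 qeae800cc0002.smd AVG Reports VIRUS: EICAR_Test
04/29/2010 22:22:20.277 qeae800cc0002.smd File(s) are INFECTED [EICAR_Test: 7]
04/29/2010 22:22:20.293 qeae800cc0002.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 905]
04/28/2010 12:49:29.722 q6748c63e0425.smd Virus scanner 1 reports exit code of 1
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanner 1: Virus= Eicar-Test-Signature Attachment=eicar.zip [61] I
04/28/2010 12:49:29.722 q6748c63e0425.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 875]
"""


class Detection(NamedTuple):
    when: str                  # date and time exactly as logged
    spool: str                 # spool file name, e.g. qeae800cc0002.smd
    scanner: str               # "AVG" or the external scanner number
    virus: str
    attachment: Optional[str]  # None when the log line carries no file name


# Assumed layout, inferred from the quoted lines: date, time, spool file, message.
PREFIX = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$")
AVG_HIT = re.compile(r"^AVG Reports VIRUS:\s*(.+?)\s*$")
# The virus name may contain spaces, so match lazily up to an optional Attachment= field.
EXT_HIT = re.compile(r"^Scanner (\d+): Virus=\s*(.+?)(?:\s+Attachment=(\S+).*)?$")


def parse_detections(text: str) -> List[Detection]:
    """Return one Detection per scanner hit; all other log lines are skipped."""
    found = []
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue
        when, spool, message = m.groups()
        avg = AVG_HIT.match(message)
        if avg:
            found.append(Detection(when, spool, "AVG", avg.group(1), None))
            continue
        ext = EXT_HIT.match(message)
        if ext:
            found.append(Detection(when, spool, ext.group(1),
                                   ext.group(2).strip(), ext.group(3)))
    return found


def missing_attachment(detections: List[Detection]) -> List[Detection]:
    """Detections that a bounce message could not tie to a file name."""
    return [d for d in detections if d.attachment is None]


def silent_scanners(detections: List[Detection], configured: List[str]) -> List[str]:
    """Configured scanners with zero hits in the parsed window."""
    seen = Counter(d.scanner for d in detections)
    return [name for name in configured if seen[name] == 0]


if __name__ == "__main__":
    hits = parse_detections(SAMPLE_LOG)
    for d in hits:
        print(d.scanner, d.virus, d.attachment or "(no file name logged)")
    # "2" is a hypothetical second external scanner with no hits in the sample.
    print("silent:", silent_scanners(hits, ["AVG", "1", "2"]))
```

A scanner that stays in the silent list over a window in which the others report hits is worth a manual test.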
RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!
When I set up Clam earlier today, I was able to run it from the command line and test it against an EICAR file, get a response, etc. I saw it fail against the bad database and succeed when properly configured.

I imagine that I could easily schedule that, pipe the results to a text file and schedule a bot to read it regularly and e-mail me if the test fails. That would let me know if FreshClam ever mangled the database.

Is there a way we could do the same with Declude and the Internal AVG scanner / database? Is there some way to execute it from a command line, point it at EICAR and get a parse-able result?

That could be awfully handy.

-- Michael Cummins

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, April 29, 2010 11:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

Declude Users - take note!

CommTouch/Zerohous does a good job, but does not catch all known viruses (some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to multiple users each!), it's absolutely imperative that AVG works if you don't have additional scanners set up.

Unfortunately, AVG had stopped working (no one has said for how many weeks or possibly months it has not worked). I have confirmed that AVG is now working again after I upgraded from 4.10.42-A to 4.10.48.

So - I recommend all Declude users get on top of this quickly!

(PS: This is the second time AVG has gone AWOL inside of Declude for extended periods of time - and it's never discovered until I finally insist. Naturally, I have zero confidence in the built-in scanner. It's unreliable and there is no notification whenever it stops working.)

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com; declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44 Optimize code for moving files to the spool directory for Smartermail
4.10.43 Fixed variable names in the MoveToError function which were declared globally
4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc
4.10.42 Message Sniffer integrated into Declude
4.10.41 Added variable %AUTH% to show the authenticated sender of the email
4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email
4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder
       To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.
           HIJNOTIFY ON
       Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.
4.8.39 IPBYPASS can be configured with CIDR
4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file.
       The format blklst.txt file is
           Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
       Example: Multiple
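The scheduled self-test proposed at the top of this message could look like the following Python sketch. It is an added example, not code from the thread, Declude or ClamAV: it runs a command-line scanner against an existing EICAR test file and maps ClamAV's documented exit codes (0 clean, 1 virus found, 2 error) to a health state. The EICAR file path, the e-mail addresses and all function names are assumptions, and it covers command-line scanners only.

```python
import subprocess
import sys
from email.message import EmailMessage

HEALTHY = "healthy"  # the scanner flagged the EICAR test file
MISSED = "missed"    # the scanner ran but called EICAR clean: signatures unusable
BROKEN = "broken"    # the scanner errored, timed out or could not be started


def run_scanner(cmd, timeout=60):
    """Run the scanner; return (exit_code, output), exit_code None if it never ran."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None, "timed out after %d seconds" % timeout
    except OSError as exc:  # missing binary, permission problem, bad path
        return None, "could not start scanner: %s" % exc
    return proc.returncode, (proc.stdout + proc.stderr).strip()


def classify(exit_code):
    """Map a ClamAV-style exit code to a health state for an EICAR self-test."""
    if exit_code == 1:
        return HEALTHY
    if exit_code == 0:
        # A clean verdict on EICAR is the dangerous case: mail is being scanned
        # and passed by an engine that cannot detect anything.
        return MISSED
    return BROKEN  # 2 (scanner error), any other code, or None


def self_test(cmd, runner=run_scanner):
    """Run one check; the runner is injectable so the logic can be tested offline."""
    exit_code, output = runner(cmd)
    return classify(exit_code), exit_code, output


def build_alert(state, exit_code, output, sender, recipient):
    """Return an EmailMessage describing the failure, or None when healthy."""
    if state == HEALTHY:
        return None
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Virus scanner self-test %s (exit code %s)" % (state, exit_code)
    msg.set_content("EICAR self-test result: %s\n\nScanner output:\n%s\n"
                    % (state, output or "(none)"))
    return msg


if __name__ == "__main__":
    # Scanner path as in the install guide earlier in this archive; the EICAR
    # file location and both addresses are placeholders.
    command = [r"C:\ClamAV\ClamDScan.exe", "--no-summary", r"C:\ClamAV\test\eicar.com"]
    state, code, output = self_test(command)
    alert = build_alert(state, code, output,
                        "scanner-check@example.test", "postmaster@example.test")
    print(state)
    if alert is not None:
        print(alert)  # hand to smtplib.SMTP(...).send_message(alert) to mail it
    sys.exit(0 if state == HEALTHY else 1)
```

Run from a scheduled task, the non-zero exit status on failure also lets the scheduler's own history show when the check last passed.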
[Declude.Virus] Testing Internal Scanner
Hi,

I've been watching this now for a few months. The internal scanner NEVER ever catches a virus - while my two other scanners catch them daily.

However, since CommTouch doesn't allow the Eicar file to pass, there is no way to easily test the internal scanner. I think this is something that should eventually be addressed - either by a parameter that allows a user to disable CommTouch for a few minutes at night while testing OR by CommTouch recognizing the EICAR file as a good file and letting it pass!

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                               # INFECTED  PERCENTAGE
No Records Matched Your Criteria

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%

VIRUS                               # INFECTED  PERCENTAGE
PDF.DROPPER-3                       3           0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9    1           0.01%

Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%

VIRUS                               # INFECTED  PERCENTAGE
GENERIC.DX!SED TROJAN !!!           1           0.01%

Best Regards,
Andy
RE: [Declude.Virus] Testing Internal Scanner
Andy what version of Declude are you running?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, April 28, 2010 8:16 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Testing Internal Scanner

Hi,

I've been watching this now for a few months. The internal scanner NEVER ever catches a virus - while my two other scanners catch them daily.

However, since CommTouch doesn't allow the Eicar file to pass, there is no way to easily test the internal scanner. I think this is something that should eventually be addressed - either by a parameter that allows a user to disable CommTouch for a few minutes at night while testing OR by CommTouch recognizing the EICAR file as a good file and letting it pass!

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                               # INFECTED  PERCENTAGE
No Records Matched Your Criteria

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%

VIRUS                               # INFECTED  PERCENTAGE
PDF.DROPPER-3                       3           0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9    1           0.01%

Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%

VIRUS                               # INFECTED  PERCENTAGE
GENERIC.DX!SED TROJAN !!!           1           0.01%

Best Regards,
Andy
RE: [Declude.Virus] Testing Internal Scanner
Speaking of versions. I'm running 4.10.42. I noticed there is a 4.10.48 available but no email notice or release notes.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 8:12 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Testing Internal Scanner

Andy what version of Declude are you running?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, April 28, 2010 8:16 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Testing Internal Scanner

Hi,

I've been watching this now for a few months. The internal scanner NEVER ever catches a virus - while my two other scanners catch them daily.

However, since CommTouch doesn't allow the Eicar file to pass, there is no way to easily test the internal scanner. I think this is something that should eventually be addressed - either by a parameter that allows a user to disable CommTouch for a few minutes at night while testing OR by CommTouch recognizing the EICAR file as a good file and letting it pass!

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                               # INFECTED  PERCENTAGE
No Records Matched Your Criteria

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%

VIRUS                               # INFECTED  PERCENTAGE
PDF.DROPPER-3                       3           0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9    1           0.01%

Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%

VIRUS                               # INFECTED  PERCENTAGE
GENERIC.DX!SED TROJAN !!!           1           0.01%

Best Regards,
Andy
RE: [Declude.Virus] Testing Internal Scanner
The release was yesterday. I am putting together the release notes today and I will post to the list.

From: Scott Fisher sfis...@farmprogress.com
Sent: Wednesday, April 28, 2010 9:48 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Testing Internal Scanner

Speaking of versions. I'm running 4.10.42. I noticed there is a 4.10.48 available but no email notice or release notes.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 8:12 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Testing Internal Scanner

Andy what version of Declude are you running?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, April 28, 2010 8:16 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Testing Internal Scanner

Hi,

I've been watching this now for a few months. The internal scanner NEVER ever catches a virus - while my two other scanners catch them daily.

However, since CommTouch doesn't allow the Eicar file to pass, there is no way to easily test the internal scanner. I think this is something that should eventually be addressed - either by a parameter that allows a user to disable CommTouch for a few minutes at night while testing OR by CommTouch recognizing the EICAR file as a good file and letting it pass!

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                               # INFECTED  PERCENTAGE
No Records Matched Your Criteria

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%

VIRUS                               # INFECTED  PERCENTAGE
PDF.DROPPER-3                       3           0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9    1           0.01%

Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%

VIRUS                               # INFECTED  PERCENTAGE
GENERIC.DX!SED TROJAN !!!           1           0.01%

Best Regards,
Andy
RE: [Declude.Virus] Testing Internal Scanner
4.10.42-A

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, April 28, 2010 9:12 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Testing Internal Scanner

Andy what version of Declude are you running?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, April 28, 2010 8:16 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Testing Internal Scanner

Hi,

I've been watching this now for a few months. The internal scanner NEVER ever catches a virus - while my two other scanners catch them daily.

However, since CommTouch doesn't allow the Eicar file to pass, there is no way to easily test the internal scanner. I think this is something that should eventually be addressed - either by a parameter that allows a user to disable CommTouch for a few minutes at night while testing OR by CommTouch recognizing the EICAR file as a good file and letting it pass!

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 17,402
Virus Infected Messages: 0
Percentage Infected: 0.00%

VIRUS                               # INFECTED  PERCENTAGE
No Records Matched Your Criteria

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 17,402
Virus Infected Messages: 4
Percentage Infected: 0.02%

VIRUS                               # INFECTED  PERCENTAGE
PDF.DROPPER-3                       3           0.02%
SUSPECT.DOUBLEEXTENSION-ZIPPWD-9    1           0.01%

Virus Scanner Summary Report (McAfee VirusScan)
Total Messages Processed: 17,402
Virus Infected Messages: 1
Percentage Infected: 0.01%

VIRUS                               # INFECTED  PERCENTAGE
GENERIC.DX!SED TROJAN !!!           1           0.01%

Best Regards,
Andy
[Declude.Virus] New Release Declude 4.10.48
The following release contains the following changes since 4.7.35 to the current 4.10.48:

RELEASE 4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.
4.10.47 Fix memory leak in AVG SDK Release Instance
4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll
4.10.45 Optimize code for moving files to the spool directory for IMail
4.10.44 Optimize code for moving files to the spool directory for Smartermail
4.10.43 Fixed variable names in the MoveToError function which were declared globally
4.10.42-A Fix for SNF Authentication to turn off without having to restart Decludeproc
4.10.42 Message Sniffer integrated into Declude
4.10.41 Added variable %AUTH% to show the authenticated sender of the email
4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email
4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder
    To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.
        HIJNOTIFY ON
    Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.
4.8.39 IPBYPASS can be configured with CIDR
4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file.
    The format blklst.txt file is
        Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
    Example:
    Multiple Recipients:
        10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,testi...@yahoo,beg...@yahoo.com,donotl...@gmail,|owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETENRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|
    One Recipient:
        10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|
4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file
    Configuration: In declude.cfg file:
        POSTINIFIX ON
    in order for the Postini Fix to work
4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting
4.7.35 Added support for IMail SQL Database for AUTOWHITELIST.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.Virus] ClamAV
Generally, ClamD catches most viruses that AVG misses (during those times when it actually runs), and McAfee catches the occasional virus that ClamD misses.

ClamD downloads updates automatically (using the FreshClam).

I found the http://oss.netfarm.it/clamav build very useful. I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service. There is a .REG file that sets up a registry entry where the path is stored.

In their registry, I use the following:

    [HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
    ConfigDir=C:\\Progra~1\\ClamAV\\conf
    DataDir=C:\\Progra~1\\ClamAV\\db

For FreshClam.conf, I changed these parameters:

    DatabaseDirectory C:\Program Files\clamAV\db
    UpdateLogFile C:\Program Files\clamAV\log\freshclam.log
    LogTime yes

For ClamD.conf, I changed these:

    LogFile C:\Program Files\clamAV\log\clamd.log
    LogTime yes
    TemporaryDirectory C:\Temp
    DatabaseDirectory C:\Program Files\clamAV\db

For the service, I removed the spaces from the path (not sure if this was needed):

    C:\Progra~1\ClamAV\clamd.exe --daemon

In Declude, you'd use:

    #ClamAV
    SCANFILE1 C:\Progra~1\ClamAV\ClamDScan.exe
    VIRUSCODE1 1

Of course, that still leaves the problem of the virus report file. I had contacted Declude and they said they would check if they can natively parse the report file. For now I still use a simple script to reformat the Report file to suit Declude.

ClamAV now has an official Windows build AND compiles under Visual Studio. So, ideally, Declude would just integrate ClamAV as an internal scanner instead of having to deal with all this command-line jazz.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
Sent: Wednesday, April 28, 2010 1:30 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Internal Scanner - Nonfunctional?

What's the best way to look into using Clam as a second scanner?

I found this at ARM, does anyone else use this install aid?
http://www.armresearch.com/tools/arm/clamAID.jsp

What's your general opinion of Clam when compared to McAfee, or another favorite scanner?

How do you update your Clam database files?

Thanks for the discussion and feedback!

-- Michael Cummins
RE: [Declude.Virus] ClamAV
Thanks John, Yes, that'll work too. Of course, rather than you having to modify the source code of 2 or 3 modules for every build - or me having to write a report file parser, the REAL solution is for Declude to provide at least a minimum amount of flexibility in parsing report files (or - to integrate the ClamLib and eliminate any command line needs). Best Regards, Andy -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Cert Sent: Wednesday, April 28, 2010 7:26 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] ClamAV Hello! The sherpya Clam port at oss.netfarm.it is very easy to build and use, and there are only about 10 lines of code in 2 or 3 modules where you need to add a VirusName- prefix before the actual name of the virus so Declude can pick it up in the report file. I just mod the code and recompile instead of trying to manipulate the report file. I do not use any sort of installer. I just setup the conf files, spawn a clamd process on startup, schedule a freshclam run periodically, and point Declude to the clamdscan scanner. I also grab the MSRBL Images spam database for use with Clam. The clamd/clamdscan combo are very light and fast. Take care! John On 4/28/2010 1:13 PM, Andy Schmidt wrote: Generally, ClamD catches most viruses that AVG misses (during those times when it actually runs), and McAfee catches the occasional virus that ClamD misses. ClamD downloads updates automatically (using the FreshClam). I found the http://oss.netfarm.it/clamav build very useful. I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service. There is a .REG file that sets up a registry entry where the path is stored. 
In their registry, I use the following: [HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV] ConfigDir=C:\\Progra~1\\ClamAV\\conf DataDir=C:\\Progra~1\\ClamAV\\db For FreshClam.conf, I changed these parameters: DatabaseDirectory C:\Program Files\clamAV\db UpdateLogFile C:\Program Files\clamAV\log\freshclam.log LogTime yes For ClamD.conf, I changed these: LogFile C:\Program Files\clamAV\log\clamd.log LogTime yes TemporaryDirectory C:\Temp DatabaseDirectory C:\Program Files\clamAV\db For the service, I removed the spaces from the path (not sure if this was needed): C:\Progra~1\ClamAV\clamd.exe --daemon In Declude, you'd use: #ClamAV SCANFILE1 C:\Progra~1\ClamAV\ClamDScan.exe VIRUSCODE1 1 Of course, that still leaves the problem of the virus report file. I had contacted Declude and they said they would check if they can natively parse the report file. For now I still use a simple script to reformat the Report file to suit Declude. ClamAV now has an official Windows build AND compiles under Visual Studio. So, ideally, Declude would just integrate ClamAV as an internal scanner instead of having to deal with all this command-line jazz. Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins Sent: Wednesday, April 28, 2010 1:30 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Internal Scanner - Nonfunctional? What's the best way to look into using Clam as a second scanner? I found this at ARM, does anyone else use this install aid? http://www.armresearch.com/tools/arm/clamAID.jsp What's your general opinion of Clam when compared to McAffee, or another favorite scanner? How do you update your Clam database files? Thanks for the discussion and feedback! -- Michael Cummins --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. 
[Declude.Virus] RE: Outlook
Hi Rob,

By False Positive you mean the message was good yet did not have a virus but the email does contain the vulnerability, which can be exploited which puts your server or recipient at risk. The best thing to do if it comes from a specific address is to contact the sender and make them aware of the issue so they can upgrade or patch their side. If this is not possible, you do have the option of disabling this vulnerability check either for the sender specifically or turn it off completely on your server (which we do not advise) so in short we suggest to continue to check for this vulnerability.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Robert Grosshandler
Sent: Monday, April 12, 2010 6:07 PM
To: declude.junkm...@declude.com
Subject: [Declude.JunkMail] Outlook

Hi

Occasionally, we're getting false positives on the email to us containing:

[Outlook 'MIME segment in MIME Postamble' Vulnerability]

I'm sure they do contain that problem, but false in that they're not malicious (I don't think.)

People still blocking on this?

Thanks,
Rob

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] ClamAV 0.96 Released - Now a native Windows Port!
Native Windows Support: ClamAV will now build natively under Visual Studio. This will allow 3rd Party application developers on Windows to easily integrate LibClamAV into their applications.
http://www.clamav.net/lang/en/2010/04/02/announcing-clamav-0-96/

Also: ClamAV for Windows Released
http://www.clamav.net/lang/en/about/win32/

Haven't checked yet, whether this official ClamAV for Windows will also work with normal signature files and has ClamD - or if it's an entirely different animal.
[Declude.Virus] automated response
I will be out on vacation starting April 5th returning to work April 12th. If you should have any problems, questions or concerns you may reach Roger Mellor at: 407-296-2911. rmel...@afm-fla.com
[Declude.Virus] automated response
I will be out of the office from April 2nd through April 5th, 2010. I will be checking emails and will respond to emergency emails as quickly as I can. Happy Easter!!! Troy Hilton Serveon, Inc. 302-529-8640 thil...@serveon.net
Re: [Declude.Virus] Commtouch/Temp files going back to last year?
Hi David,

A while ago I was told these can be deleted almost immediately but the running DecludeProc service has them locked so it will be needed to stop DecludeProc, remove the temp files and then start Declude proc.

As part of my nightly routine I have now:

--quote---
    Set LogFile=C:\Beheer\Logs\CleanTemp.log
    echo %Date% %Time% Starting CleanTemp >> %LogFile%
    rem These files are not locked and can go while the service runs
    Del /Q C:\IMail\declude\invuribl\Exception\*.*
    Del /Q C:\IMail\WebDir\WebClient\temp\*.*
    del /Q C:\IMail\Spool\tmp*.tmp
    rem DecludeProc locks the CommTouch temp files, so stop it first
    net stop Decludeproc
    Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.*
    Del /Q C:\IMail\spool\proc\work\*.smd.tmp
    net start Decludeproc
    echo %Date% %Time% End CleanTemp >> %LogFile%
    exit
--quote---

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Thursday, March 18, 2010 4:44 PM
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

These are cached CT files. I will find out when they can be deleted and get back to you.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 11:35 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi,

That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat.

How old do these files have to be, before I can safely delete them?

Best Regards,
Andy
RE: [Declude.Virus] Commtouch/Temp files going back to last year?
Thanks, I'll make it part of my monthly job that deletes files older than 30 days - that's tight enough for me. Of course, Declude or Commtouch should be cleaning up after itself (e.g., whenever new files/signatures are downloaded) - but that's a different story. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma Sent: Friday, March 19, 2010 2:27 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year? Hi David, A while ago I was told these can be deleted almost immediatly but the running DecludeProc service has them locked so it will be needed to stop DecludeProc, remove the temp files and then start Declude proc. As part of my nightly routine I have now: --quote--- Set LogFile=C:\Beheer\Logs\CleanTemp.log echo %Date% %Time% Starting CleanTemp %LogFile% Del /Q C:\IMail\declude\invuribl\Exception\*.* Del /Q C:\IMail\WebDir\WebClient\temp\*.* del /Q C:\IMail\Spool\tmp*.tmp net stop Decludeproc Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.* Del /Q C:\IMail\spool\proc\work\*.smd.tmp net start Decludeproc echo %Date% %Time% End CleanTemp %LogFile% exit --quote--- Met vriendelijke groet, Bonno Bloksma senior systeembeheerder tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 mailto:b.blok...@tio.nl b.blok...@tio.nl / http://www.tio.nl/ www.tio.nl - Original Message - From: David Barker mailto:dbar...@declude.com To: declude.virus@declude.com Sent: Thursday, March 18, 2010 4:44 PM Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year? These are cached CT files. I will find out when the can be deleted and get back to you. 
David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, March 18, 2010 11:35 AM To: Declude.virus@declude.com Subject: [Declude.Virus] Commtouch/Temp files going back to last year? Hi, That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be, before I can safely delete them? Best Regards, Andy --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
Thanks - downloaded and installed.

I'll have to take a look at the integrated Sniffer. I got pulled away and never got back to it. I'll have to take a good look at the rulebase update - on first glance it seems as if your script is leaving out the crucial SNF2CHECK to make sure that the downloaded rulebase is valid BEFORE replacing it. So I'll have to look at it very carefully.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, March 18, 2010 4:05 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Release notes for Declude Security Suite 4.10.42 [28 December 2009]

EVA FIX Fix for Virus test not catching the eicar test due to e-mail formatting

This was done in interim 4.8.36 which is still on the Interim site if you just want to try switching out the decludeproc.exe and testing to see if the issue is resolved.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 12:22 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

    Declude 4.6.35 Diagnostics
    Compilation Platform: IMail
    Copyright (c) 2000-2009 Declude, Inc.

    Host Name     MAYWOOD-IS-0012.WEBHOST.HM-SOFTWARE.COM
    Daisy Chain   smtp32.exe
    DNS Server    127.0.0.1

    Product Details
    JunkMail      ON
    EVA           ON
    Hijack        OFF
    AVG           ON
    CommTouch     ON

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, March 18, 2010 12:07 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

What version of Declude are you running?
Re: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
On 3/19/2010 11:26 AM, Andy Schmidt wrote:

> Thanks - downloaded and installed.
>
> I'll have to take a look at the integrated Sniffer. I got pulled away and never got back to it. I'll have to take a good look at the rulebase update - on first glance it seems as if your script is leaving out the crucial SNF2CHECK to make sure that the downloaded rulebase is valid BEFORE replacing it. So I'll have to look at it very carefully.

Andy,

The script cannot call snf2check for the embedded SNF because that would expose the OEM rulebase.

The SNF engine performs the SNF2CHECK task before it accepts a new rulebase so it's ok to leave that out of the update script in OEM integrations of the SNF engine.

In fact, the getRulebase.cmd script need not be used at all by an OEM -- they can use their own facility. However in this case I recommended strongly that Declude use a modified getRulebase script so that Declude customers could modify it to perform additional tasks in the way they are used to.

Hope this helps,

Best,
_M
RE: [Declude.Virus] Integrated Sniffer
Hi Pete:

Thanks for jumping in.

1.
> The SNF engine performs the SNF2CHECK task before it accepts a new rulebase

I'm a little confused - the script replaces the rulebase - without checking. So what happens if the rulebase is bad? By the time the engine checks, the good one is already renamed and the bad one is already called .snf:

    if exist %LICENSE_ID%.old del %LICENSE_ID%.old
    if exist %LICENSE_ID%.snf rename %LICENSE_ID%.snf %LICENSE_ID%.old
    rename %LICENSE_ID%.new %LICENSE_ID%.snf

2. I assume I can still just update the XML file to move the logfiles, rulebase and workspace to its own subfolders to keep things tidy and for improved maintainability?

    <log path='[PATH]\declude\scanners\SNF\logs\'/>
    <rulebase path='[PATH]\declude\scanners\SNF\rulebase\'/>
    <workspace path='[PATH]\declude\scanners\SNF\work\'/>

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil
Sent: Friday, March 19, 2010 1:22 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

On 3/19/2010 11:26 AM, Andy Schmidt wrote:

> Thanks - downloaded and installed.
>
> I'll have to take a look at the integrated Sniffer. I got pulled away and never got back to it. I'll have to take a good look at the rulebase update - on first glance it seems as if your script is leaving out the crucial SNF2CHECK to make sure that the downloaded rulebase is valid BEFORE replacing it. So I'll have to look at it very carefully.

Andy,

The script cannot call snf2check for the embedded SNF because that would expose the OEM rulebase.

The SNF engine performs the SNF2CHECK task before it accepts a new rulebase so it's ok to leave that out of the update script in OEM integrations of the SNF engine.

In fact, the getRulebase.cmd script need not be used at all by an OEM -- they can use their own facility. However in this case I recommended strongly that Declude use a modified getRulebase script so that Declude customers could modify it to perform additional tasks in the way they are used to.

Hope this helps,

Best,
_M
Re: [Declude.Virus] Integrated Sniffer
On 3/19/2010 1:46 PM, Andy Schmidt wrote:

> Hi Pete:
>
> Thanks for jumping in.
>
> 1. The SNF engine performs the SNF2CHECK task before it accepts a new rulebase
>
> I'm a little confused - the script replaces the rulebase - without checking. So what happens if the rulebase is bad? By the time the engine checks, the good one is already renamed and the bad one is already called .snf

If the rulebase does not properly authenticate in the SNF engine then the reload is rejected. Once the guard time expires the update script will be run again (by default after 3 minutes).

> 2. I assume I can still just update the XML file to move the logfiles, rulebase and workspace to its own subfolders to keep things tidy and for improved maintainability?
>
>     <log path='[PATH]\declude\scanners\SNF\logs\'/>
>     <rulebase path='[PATH]\declude\scanners\SNF\rulebase\'/>
>     <workspace path='[PATH]\declude\scanners\SNF\work\'/>

As far as I know that should be ok -- but you need to check with Declude on that first. They may have certain expectations built into their software and/or their support process.

_M
RE: [Declude.Virus] Integrated Sniffer
Thanks

> If the rulebase does not properly authenticate in the SNF engine then the reload is rejected. Once the guard time expires the update script will be run again (by default after 3 minutes).

Which also means, if the corrupt rulebase persists and the server or services happen to be restarted during those times, we have a potential problem because upon restart it won't have a good rulebase to fall back on. So there's definitely a (calculated) risk in NOT checking the rulebase BEFORE renaming it.
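Added illustration, not part of the thread and not the getRulebase script: a Python simulation of the two update orders discussed in this exchange, the three rename lines quoted from the script versus checking the download before the active rulebase is touched. The validator, file contents and licence id are constructed stand-ins (assumptions), and the run shows what is left on disk after repeated bad downloads.

```python
import os
import tempfile
from pathlib import Path

GOOD = b"RULEBASE-OK v1"                 # constructed sample, not the SNF format
BAD = b"<html>502 Bad Gateway</html>"    # constructed sample of a failed download


def looks_valid(path):
    """Stand-in validator (assumption); the real check is engine specific."""
    return path.exists() and path.read_bytes().startswith(b"RULEBASE-OK")


def _names(d, lid):
    return tuple(d / f"{lid}.{ext}" for ext in ("new", "snf", "old"))


def rotate_unchecked(d, lid):
    """Same order as the three script lines quoted in the thread."""
    new, snf, old = _names(d, lid)
    if old.exists():
        old.unlink()          # the previous fallback is gone from here on
    if snf.exists():
        snf.rename(old)
    new.rename(snf)           # whatever was downloaded is now the active file


def rotate_checked(d, lid, validate=looks_valid):
    """Validate first; the active rulebase is only touched on success."""
    new, snf, old = _names(d, lid)
    if not validate(new):
        new.unlink(missing_ok=True)   # discard the bad download
        return False
    if snf.exists():
        os.replace(snf, old)          # last known-good copy stays on disk
    os.replace(new, snf)
    return True


def simulate(rotate, downloads):
    """Start from a good active rulebase, apply each download in turn and
    report which files on disk would still pass validation afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        d, lid = Path(tmp), "licenseid"   # placeholder licence id
        (d / f"{lid}.snf").write_bytes(GOOD)
        for content in downloads:
            (d / f"{lid}.new").write_bytes(content)
            rotate(d, lid)
        return {ext: looks_valid(d / f"{lid}.{ext}") for ext in ("snf", "old")}


if __name__ == "__main__":
    for name, fn in (("unchecked", rotate_unchecked), ("checked", rotate_checked)):
        for downloads in ([BAD], [BAD, BAD]):
            print(name, len(downloads), "bad download(s):", simulate(fn, downloads))
```

After one bad download the unchecked order still has the good copy as .old; after the script is re-run with a second bad download, that copy has been deleted and neither file is valid.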
RE: [Declude.Virus] Commtouch/Temp files going back to last year?
This is the answer directly from Commtouch: You can safely stop commtouch [declude] and delete all of these files. If any are needed, the application will download them again, but any handled in this matter should be a few days old. Usually Commtouch will clean up these files on its own, but at times problems do develop due to the index.dat file. If you see any .tmp files older than a month, it is a good sign that a delete should be done to clean up these temp files. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Friday, March 19, 2010 10:16 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year? Thanks, I'll make it part of my monthly job that deletes files older than 30 days - that's tight enough for me. Of course, Declude or Commtouch should be cleaning up after itself (e.g., whenever new files/signatures are downloaded) - but that's a different story. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma Sent: Friday, March 19, 2010 2:27 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year? Hi David, A while ago I was told these can be deleted almost immediatly but the running DecludeProc service has them locked so it will be needed to stop DecludeProc, remove the temp files and then start Declude proc. 
As part of my nightly routine I have now: --quote--- Set LogFile=C:\Beheer\Logs\CleanTemp.log echo %Date% %Time% Starting CleanTemp %LogFile% Del /Q C:\IMail\declude\invuribl\Exception\*.* Del /Q C:\IMail\WebDir\WebClient\temp\*.* del /Q C:\IMail\Spool\tmp*.tmp net stop Decludeproc Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.* Del /Q C:\IMail\spool\proc\work\*.smd.tmp net start Decludeproc echo %Date% %Time% End CleanTemp %LogFile% exit --quote--- Met vriendelijke groet, Bonno Bloksma senior systeembeheerder tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 mailto:b.blok...@tio.nl b.blok...@tio.nl / http://www.tio.nl/ www.tio.nl - Original Message - From: David Barker mailto:dbar...@declude.com To: declude.virus@declude.com Sent: Thursday, March 18, 2010 4:44 PM Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year? These are cached CT files. I will find out when the can be deleted and get back to you. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, March 18, 2010 11:35 AM To: Declude.virus@declude.com Subject: [Declude.Virus] Commtouch/Temp files going back to last year? Hi, That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be, before I can safely delete them? Best Regards, Andy --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. 
RE: [Declude.Virus] Commtouch/Temp files going back to last year?
Thanks! DecludeProc should probably just delete that folder content when the service is restarted the first time before the first email is processed. Then CommTouch can reinitialize itself subsequently.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, March 19, 2010 3:23 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

This is the answer directly from Commtouch:

You can safely stop commtouch [declude] and delete all of these files. If any are needed, the application will download them again, but any handled in this matter should be a few days old. Usually Commtouch will clean up these files on its own, but at times problems do develop due to the index.dat file. If you see any .tmp files older than a month, it is a good sign that a delete should be done to clean up these temp files.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, March 19, 2010 10:16 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

Thanks, I'll make it part of my monthly job that deletes files older than 30 days - that's tight enough for me. Of course, Declude or Commtouch should be cleaning up after itself (e.g., whenever new files/signatures are downloaded) - but that's a different story.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma
Sent: Friday, March 19, 2010 2:27 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi David, A while ago I was told these can be deleted almost immediately but the running DecludeProc service has them locked so it will be needed to stop DecludeProc, remove the temp files and then start Declude proc.

As part of my nightly routine I have now:
--quote---
Set LogFile=C:\Beheer\Logs\CleanTemp.log
echo %Date% %Time% Starting CleanTemp >> %LogFile%
Del /Q C:\IMail\declude\invuribl\Exception\*.*
Del /Q C:\IMail\WebDir\WebClient\temp\*.*
del /Q C:\IMail\Spool\tmp*.tmp
REM DecludeProc keeps the CommTouch temp files locked, so stop it first
net stop Decludeproc
Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.*
Del /Q C:\IMail\spool\proc\work\*.smd.tmp
net start Decludeproc
echo %Date% %Time% End CleanTemp >> %LogFile%
exit
--quote---

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: David Barker <dbar...@declude.com>
To: declude.virus@declude.com
Sent: Thursday, March 18, 2010 4:44 PM
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

These are cached CT files. I will find out when they can be deleted and get back to you.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 11:35 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi, That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be, before I can safely delete them?

Best Regards,
Andy

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Integrated Sniffer
On 3/19/2010 2:48 PM, Andy Schmidt wrote:

Thanks

If the rulebase does not properly authenticate in the SNF engine then the reload is rejected. Once the guard time expires the update script will be run again (by default after 3 minutes).

Which also means, if the corrupt rulebase persists and the server or services happen to be restarted during those times, we have a potential problem because upon restart it won't have a good rulebase to fall back on. So there's definitely a (calculated) risk in NOT checking the rulebase BEFORE renaming it.

That's true -- but the risk is very small.

_M

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Commtouch/Temp files going back to last year?
Hi Andy, What tool are you using to specify x days old when deleting? Or are you already using Powershell?

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: Andy Schmidt
To: declude.virus@declude.com
Sent: Friday, March 19, 2010 3:15 PM
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

Thanks, I'll make it part of my monthly job that deletes files older than 30 days - that's tight enough for me. Of course, Declude or Commtouch should be cleaning up after itself (e.g., whenever new files/signatures are downloaded) - but that's a different story.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma
Sent: Friday, March 19, 2010 2:27 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi David, A while ago I was told these can be deleted almost immediately but the running DecludeProc service has them locked so it will be needed to stop DecludeProc, remove the temp files and then start Declude proc.

As part of my nightly routine I have now:
--quote---
Set LogFile=C:\Beheer\Logs\CleanTemp.log
echo %Date% %Time% Starting CleanTemp >> %LogFile%
Del /Q C:\IMail\declude\invuribl\Exception\*.*
Del /Q C:\IMail\WebDir\WebClient\temp\*.*
del /Q C:\IMail\Spool\tmp*.tmp
REM DecludeProc keeps the CommTouch temp files locked, so stop it first
net stop Decludeproc
Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.*
Del /Q C:\IMail\spool\proc\work\*.smd.tmp
net start Decludeproc
echo %Date% %Time% End CleanTemp >> %LogFile%
exit
--quote---

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: David Barker
To: declude.virus@declude.com
Sent: Thursday, March 18, 2010 4:44 PM
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

These are cached CT files. I will find out when they can be deleted and get back to you.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 11:35 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi, That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be, before I can safely delete them?

Best Regards,
Andy

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Commtouch/Temp files going back to last year?
Hi, No I have a little cscript I wrote that iterates through subdirectories and takes parameters like /lastweek /lastmonth etc. I'll be happy to share, if you need it.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma
Sent: Friday, March 19, 2010 5:33 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi Andy, What tool are you using to specify x days old when deleting? Or are you already using Powershell?

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: Andy Schmidt <andy_schm...@hm-software.com>
To: declude.virus@declude.com
Sent: Friday, March 19, 2010 3:15 PM
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

Thanks, I'll make it part of my monthly job that deletes files older than 30 days - that's tight enough for me. Of course, Declude or Commtouch should be cleaning up after itself (e.g., whenever new files/signatures are downloaded) - but that's a different story.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma
Sent: Friday, March 19, 2010 2:27 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi David, A while ago I was told these can be deleted almost immediately but the running DecludeProc service has them locked so it will be needed to stop DecludeProc, remove the temp files and then start Declude proc.

As part of my nightly routine I have now:
--quote---
Set LogFile=C:\Beheer\Logs\CleanTemp.log
echo %Date% %Time% Starting CleanTemp >> %LogFile%
Del /Q C:\IMail\declude\invuribl\Exception\*.*
Del /Q C:\IMail\WebDir\WebClient\temp\*.*
del /Q C:\IMail\Spool\tmp*.tmp
REM DecludeProc keeps the CommTouch temp files locked, so stop it first
net stop Decludeproc
Del /Q C:\IMail\declude\scanners\CommTouch\Temp\*.*
Del /Q C:\IMail\spool\proc\work\*.smd.tmp
net start Decludeproc
echo %Date% %Time% End CleanTemp >> %LogFile%
exit
--quote---

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: David Barker <dbar...@declude.com>
To: declude.virus@declude.com
Sent: Thursday, March 18, 2010 4:44 PM
Subject: RE: [Declude.Virus] Commtouch/Temp files going back to last year?

These are cached CT files. I will find out when they can be deleted and get back to you.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 11:35 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi, That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be, before I can safely delete them?

Best Regards,
Andy

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Commtouch/Temp files going back to last year?
On 3/19/2010 5:52 PM, Andy Schmidt wrote:

Hi, No I have a little cscript I wrote that iterates through subdirectories and takes parameters like /lastweek /lastmonth etc.

If you're looking for something ready-made and don't need anything extra I used to have good luck with delold. Googling for it will get you there.

_M

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Commtouch/Temp files going back to last year?
I have a similar routine that I run, but I utilize a batch file that uses the command line forfiles utility. It was part of the Windows resource kits and takes parameters like /d -7 which would affect files with a modification date of 7 days ago.

No I have a little cscript I wrote that iterates through subdirectories and takes parameters like /lastweek /lastmonth etc.

--
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
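The procedure discussed in this thread (stop DecludeProc because it locks the cache, delete only CommTouch temp files older than about a month, then start the service again) could be scripted in PowerShell as follows. This is an added example, not a script posted by any list member: the folder, service name, file patterns and log path are the ones quoted in the thread, while the 30-day default, the -DryRun switch and the function name Write-Log are assumptions.

```powershell
# Added example: age-based cleanup of the CommTouch cache with a guaranteed
# restart of the scanning service. Defaults are taken from the thread; the
# 30-day cutoff and the -DryRun switch are assumptions to adjust locally.
param(
    [string]$TempDir     = 'C:\IMail\declude\scanners\CommTouch\Temp',
    [string]$ServiceName = 'Decludeproc',
    [int]$MaxAgeDays     = 30,
    [string]$LogFile     = 'C:\Beheer\Logs\CleanTemp.log',
    [switch]$DryRun
)

function Write-Log([string]$Message) {
    # Append a timestamped line so every run leaves an audit trail.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

$cutoff   = (Get-Date).AddDays(-$MaxAgeDays)
$patterns = 'CTM*.tmp', 'CTENG*.tmp', 'CTENG*.dat'

# Select only the cache file types named in the thread, and only stale ones.
# Anything newer is left for CommTouch to manage itself.
$stale = @(Get-ChildItem -Path (Join-Path $TempDir '*') -Include $patterns |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff })

if ($stale.Count -eq 0) {
    Write-Log "Nothing older than $MaxAgeDays days in $TempDir"
    return
}

$totalMB = ($stale | Measure-Object -Property Length -Sum).Sum / 1MB
Write-Log ("Found {0} stale files ({1:N1} MB)" -f $stale.Count, $totalMB)

if ($DryRun) {
    $stale | ForEach-Object { Write-Log "Would delete $($_.FullName)" }
    return
}

$wasRunning = (Get-Service -Name $ServiceName -ErrorAction Stop).Status -eq 'Running'
try {
    if ($wasRunning) {
        # The running service holds locks on the cache files.
        Stop-Service -Name $ServiceName -ErrorAction Stop
        Write-Log "$ServiceName stopped"
    }
    foreach ($file in $stale) {
        try {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
        }
        catch {
            # One undeletable file must not abort the run or skip the restart.
            Write-Log "Could not delete $($file.Name): $($_.Exception.Message)"
        }
    }
}
finally {
    # Mail is not scanned while the service is down, so always try to bring
    # it back, even if stopping or deleting failed part-way through.
    if ($wasRunning) {
        Start-Service -Name $ServiceName
        $status = (Get-Service -Name $ServiceName).Status
        Write-Log "$ServiceName status after cleanup: $status"
    }
}
```

Running it once with -DryRun writes the list of files it would remove to the log without stopping the service.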
[Declude.Virus] How to disable CommTouch Zerohour (for testing)
Hi, I want to test the virus scanners using EICAR. However, CommTouch gets in the way and blocks it. How do I temporarily disable CommTouch in Declude Virus, so that the EICAR file is handled by the internal/external scanners?

Best Regards,
Andy

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Commtouch/Temp files going back to last year?
Hi, That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be, before I can safely delete them?

Best Regards,
Andy

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
Andy, work with our support so we can disable it for you for testing. Let us know when you want to do it.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 11:29 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Hi, I want to test the virus scanners using EICAR. However, CommTouch gets in the way and blocks it. How do I temporarily disable CommTouch in Declude Virus, so that the EICAR file is handled by the internal/external scanners?

Best Regards,
Andy

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Commtouch/Temp files going back to last year?
These are cached CT files. I will find out when they can be deleted and get back to you.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 11:35 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] Commtouch/Temp files going back to last year?

Hi, That folder has over 1,000 files, some several MB large, CTM*.tmp, CTENG*.tmp and CTENG*.dat. How old do these files have to be, before I can safely delete them?

Best Regards,
Andy

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
Hi Dave, Thanks. So the answer is, there is no local override where we can disable CommTouch ourselves. Such a directive may be something for the to-do list.

To be frank - I was trying to test AVG. I've noticed in recent weeks that my external scanners (ClamAV and my trusted McAfee) have been catching infected emails - but AVG never catches any. The files in the AVG folder are all from today. So when I had 2 minutes, I just wanted to quickly check if AVG had somehow disabled itself again by passing an EICAR file through - but I don't have time to make a big project out of it.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, March 18, 2010 11:43 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Andy, work with our support so we can disable it for you for testing. Let us know when you want to do it.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 11:29 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Hi, I want to test the virus scanners using EICAR. However, CommTouch gets in the way and blocks it. How do I temporarily disable CommTouch in Declude Virus, so that the EICAR file is handled by the internal/external scanners?

Best Regards,
Andy

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
What version of Declude are you running?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 12:02 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Hi Dave, Thanks. So the answer is, there is no local override where we can disable CommTouch ourselves. Such a directive may be something for the to-do list.

To be frank - I was trying to test AVG. I've noticed in recent weeks that my external scanners (ClamAV and my trusted McAfee) have been catching infected emails - but AVG never catches any. The files in the AVG folder are all from today. So when I had 2 minutes, I just wanted to quickly check if AVG had somehow disabled itself again by passing an EICAR file through - but I don't have time to make a big project out of it.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, March 18, 2010 11:43 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Andy, work with our support so we can disable it for you for testing. Let us know when you want to do it.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 11:29 AM
To: Declude.virus@declude.com
Subject: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Hi, I want to test the virus scanners using EICAR. However, CommTouch gets in the way and blocks it. How do I temporarily disable CommTouch in Declude Virus, so that the EICAR file is handled by the internal/external scanners?

Best Regards,
Andy

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
Declude 4.6.35 Diagnostics
Compilation Platform: IMail
Copyright (c) 2000-2009 Declude, Inc.
Host Name    MAYWOOD-IS-0012.WEBHOST.HM-SOFTWARE.COM
Daisy Chain  smtp32.exe
DNS Server   127.0.0.1
Product Details
JunkMail     ON
EVA          ON
Hijack       OFF
AVG          ON
CommTouch    ON

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, March 18, 2010 12:07 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

What version of Declude are you running ?

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
Release notes for Declude Security Suite 4.10.42 [28 December 2009]

EVA FIX Fix for Virus test not catching the eicar test due to e-mail formatting

This was done in interim 4.8.36 which is still on the Interim site if you just want to try switching out the decludeproc.exe and testing to see if the issue is resolved.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Thursday, March 18, 2010 12:22 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

Declude 4.6.35 Diagnostics
Compilation Platform: IMail
Copyright (c) 2000-2009 Declude, Inc.
Host Name    MAYWOOD-IS-0012.WEBHOST.HM-SOFTWARE.COM
Daisy Chain  smtp32.exe
DNS Server   127.0.0.1
Product Details
JunkMail     ON
EVA          ON
Hijack       OFF
AVG          ON
CommTouch    ON

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Thursday, March 18, 2010 12:07 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] How to disable CommTouch Zerohour (for testing)

What version of Declude are you running ?

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Which scanner?
Hi Dave, Not at the moment but we can look at adding this request to our dev list.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Saturday, February 06, 2010 9:43 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Which scanner?

In my email reports, is there a way to also signify which scanner caught the virus; ie internal vs one of the external scanners? so my reports now look like;

Declude Virus v4.6.35 caught the following:
Virus Name: Sanesecurity.Junk.26145.UNOFFICIAL
Virus File: Unknown File
From: lyris-nore...@listhost.stat.com
To : junkm...@stat.com
Date: 06 Feb 2010 17:10:56
Subject:Re: You have spam
Spool File: D050a00d3693b.smd
RemoteIP: 65.163.175.26
SenderHost: listhost.stat.com

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Which scanner?
In my email reports, is there a way to also signify which scanner caught the virus; ie internal vs one of the external scanners? so my reports now look like;

Declude Virus v4.6.35 caught the following:
Virus Name: Sanesecurity.Junk.26145.UNOFFICIAL
Virus File: Unknown File
From: lyris-nore...@listhost.stat.com
To : junkm...@stat.com
Date: 06 Feb 2010 17:10:56
Subject:Re: You have spam
Spool File: D050a00d3693b.smd
RemoteIP: 65.163.175.26
SenderHost: listhost.stat.com

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.