If you upgraded to Declude 4.11.09 to avoid the AVG licence issue, you'll find
that it was a band-aid, and that build's usefulness also expired
contemporaneously with David and Linda's employee status, on January 31, 2013.
C:\IMail>strings decludeproc.exe | grep LicBeg
LicBeg, Ver=1.1,
Too quiet? Problem solved, like a BOSS.
-Original Message-
From: johnl...@eservicesforyou.com [mailto:johnl...@eservicesforyou.com]
Sent: Wednesday, January 04, 2012 8:33 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Test
Sorry for the test folks, new email setup and it is
David, this log excerpt seems to indicate that my AVG hasn't been
working since May 1st 2009. Is this correct?
C:\IMail\Spool>grep -c "smd Scanned: Error in virus scanner" vir*.log
vir0401.log:0
vir0402.log:0
vir0403.log:0
vir0404.log:0
vir0405.log:0
vir0406.log:0
vir0407.log:0
vir0408.log:0
:00 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX
Not for everyone, but certainly for your server that would be true if
that is what your logs indicate.
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
Colbeck, Andrew
That's very good news, David.
I suggest an entry on the Declude.com website, either public or in the
members' account area, that shows the current datestamp for when an
update was made available on the Declude.com webserver, and if relevant,
the update number that AVG gets it.
In this way,
The updates are currently 4 days behind... I believe that fetching and
approving the updates from AVG, then publishing them on the Declude
server is a manual process that Declude support staff must perform, and
that it's not a reliable process.
I think it best that we consider the AVG scanner to
For what it's worth, I never move messages from HOLD to SPOOL. When I do
move false positives out, I fix the problem in my configuration, so that
the same circumstance doesn't happen again, and then I move the files
from the HOLD to the PROC folder.
By re-scanning them, they get virus scanned
Try this on for size:
http://www.f-secure.com/weblog/archives/1303.html
Malicious PDF file (report.pdf or debt.2007.pdf or
overdraft.2007.10.26.pdf or so) has been massively spammed through email
during last hour and the spam run is still continuing.
Andrew.
-Original
Brief, and to the point.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Marc Catuogno
Sent: Thursday, July 12, 2007 11:54 AM
To: Declude Virus
Subject: [Declude.Virus]
Marc Catuogno
MIS Director
Prudential Rand Realty
845-825-8025
:[EMAIL PROTECTED] On Behalf
Of Colbeck, Andrew
Sent: Tuesday, July 03, 2007 1:23 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] FYI Storm worm mutates to incorporate
Independence Day text
It has been updated to broadcast text that incorporates 4th of
July
Without offering up the exact how-to, I can point out that the SIZE test
and a BODY CONTAINS combination would likely help in Declude JunkMail,
and that you would have to stop banning RAR files in Declude EVA.
Judicious use of the SIZE test would help Gary to HOLD only small RAR
files, whether
http://www.viruslist.com/en/weblog?calendar=2007-04
For example, here is point 8 of 10:
* Most Common Malicious Program in Email Traffic -
Email-Worm.Win32.NetSky.q
http://www.viruslist.com/en/viruses/encyclopedia?virusid=22760 , which
has been around for years, but still managed to
activity from Kaspersky
Or does this show that there are too many people out there
who don't have anti-virus software on their computers?
Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Tuesday, May 01, 2007 1:11 PM
To: declude.virus@declude.com
Gary, you beat them by a day with your own assessment, but Symantec
blogged about this virus twice today:
http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html
An interesting point is that they have blocked 1.2 million messages by
tackling the text of
Virus via email is dwindling, but not dying.
I regularly see scams reported where people are asked to open the
attachment, which purports to be some purpose but is of course a virus.
For example:
http://www.f-secure.com/weblog/#1149
From my own content, I see that old viruses are not
F-prot is $50 for 10 licenses per year. $5 per machine per
year. Version 6
Why is that not still reasonable?
Because that is not the correct price.
Following the product link on their home page:
http://www.f-prot.com/products/corporate_users/win/
At the bottom it says:
To use the
My two cents (I don't run ClamAV)...
Observations:
- .vir directories are orphaned
- .vir directories are locked by something and can not be deleted
without stopping some service(s)
- .vir directories are only created on Scott's system when ClamAV is
run as a service and Sandy's
Yes, and it should be old news by now.
http://isc.sans.org/diary.html?storyid=2071
The end of the page lists the four executables to ban, if you don't
trust your antivirus software, i.e.
#Jan-18-2007 AC New fake news clips virus called Small.Dam by F-Secure
and W32/Downloader.AYDY by F-Prot
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Friday, January 19, 2007 1:01 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Any one heard about or seen this one yet?
Yes, and it should be old news by now.
http://isc.sans.org/diary.html?storyid
New variations have arisen... No surprise there, either.
http://isc.sans.org/diary.html?storyid=2071
No word on new explicit filenames, yet.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Friday, January 19
If you allow .exe in Declude Virus product, you may want to add:
BANNAME RechnungGEZ.pdf.exe
to your virus.cfg file. See this antivirus company's blog entry:
http://www.f-secure.com/weblog/#1080
There's a fairly large malware spam run going on in Germany.
The emails claim to be
I think I received 36 of them.
Andrew.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Craig Edmonds
Sent: Thursday, January 04, 2007 12:55 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] I'm currently on a business trip
down
http://isc.sans.org/diary.php?storyid=1988
BANNAME Greeting Card.exe
BANNAME Greeting Postcard.exe
BANNAME GreetingCard.exe
Which may be related to a rash of these that my mailserver received on Dec
28th, as the executables are the same size but contain many differences:
BANNAME postcard.exe
As of
p.s. No, the conversation thread at the end of my posting was not
relevant to the antivirus tip, that was simply poor copy and paste on my
part.
Andrew 8)
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type
names in virus.cfg
Andrew..
Why not block any .exe attachments?
In our system AVG is detecting it.
Kami
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Saturday, December 30, 2006 12:11 PM
To: declude.virus
I suggested adding STRATION a week or more
ago.
Likewise, the string
WAREZOV
should be added to the AUTOFORGE database (or your own
virus.cfg e.g. FORGINGVIRUS WAREZOV). There have been many iterations of
this virus, and according to F-Secure, the creators are still pumping out new
Sounds like a very popular eBay scam, not a virus.
Was there actually a hostile application attached?
Submit the executable to:
http://www.virustotal.com/en/indexf.html
Or:
http://virusscan.jotti.org/
I believe that both services share unknown executables with the
antivirus vendors.
Or you
Another mass-mailing worm, this time a variant of an .HTA
attached worm that was first seen in April 2006.
F-Prot users who don't
want to be bothered by their alerts for this sender-forging-malware can add this
to their virus.cfg ...
FORGINGVIRUS
VBS/Scano@
Here are the results of my
... I hope that Declude will agree with Matt's point that
backscatter must be avoided. There is ample precedent, for
example in that the BOUNCE action was renamed to BOUNCEONLYIFYOUMUST to
prevent backscatter.
Andrew.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Those of us still running F-Prot* as a primary virus
scanner will want to add one or both of these to their virus.cfg in order to
block notifications for detection of the Stration malware:
FORGINGVIRUS W32/Tricky-Malware-based!Maximus
FORGINGVIRUS Tricky-Malware-based!
The first is the
Disclaimer: I haven't implemented ClamAV with Declude, so I'm guessing
here...
It sounds like the max-ratio solution is a red herring.
It sounds like ClamAV returned an error because it couldn't scan the
overlarge file (compressed or not).
It sounds like Gary's configuration is quarantining
My logs tell me that we received more than the usual number
of viruses yesterday. These were split into two groups, a version of Bagle
that was released back in June, and a new worm which Trend Micro calls
WORM_STRATION.BD
In the samples I looked at, the messages were fake
bounces with an
The Internet Storm Center also notes two
items...
That a new-ish botnet has been found:
http://isc.sans.org/diary.php?storyid=1657
Previously, that there is elevated port scanning for
139/TCP:
http://isc.sans.org/diary.php?storyid=1654
In that second link, they note two malwares that are
Marc, check the contents of your c:\ for 666INSE_1.EXE as this is the
dropper file that the macro drops. If it's there, the macro was
executed, and the dropper has probably also downloaded further malware.
Modern versions of Office will, by default, not execute the macro so you
might be safe.
I
I haven't seen any yet; I don't know if F-Prot is catching them.
From the published information at the antivirus vendors' sites, I'm
using the BANNAME feature, e.g.
BANNAME My_Notebook.doc
And further, I catch most of the viruses as junkmail because they
typically come from zombie machines, so
PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Wednesday, June 28, 2006 2:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
I haven't seen any yet; I don't know if F-Prot is catching them.
From the published
http://www.f-secure.com/weblog/archives/archive-062006.html#0909
The writeup is interesting in the follow-on details but the information
that Markus posted earlier is more helpful to us in keeping the darn
thing out of users' mailboxes.
Andrew 8)
-Original Message-
From: [EMAIL
JT Declude, this is a feature whose time has come.
Hear, hear! The ability to ban filenames that are contained in archives
would be a good feature, and most of the code must be in place, because
Declude Virus already pulls apart at least the zip file format for
selective file scanning.
It is
This came up just last Friday, Mark.
Here's the end of that thread on the mail archive
website:
http://www.mail-archive.com/declude.virus@declude.com/msg13314.html
Andrew 8)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Thursday, June 22,
Ditto.
F-Prot notices that the zip file is password protected and
I can see that there is a very-Bagle-ish gif file of the
password.
David Barker's earlier response of using:
BANEXT EZIP
in your virus.cfg will work to catch these.
I received a single copy,
and it was from a likely
... and here's one writeup on that new
Bagle:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EFN&VSect=T
Andrew 8)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, June 20, 2006 1:17 PM
To:
It might be this, if my F-Prot is more up to date than yours, as mine
has identified a few zip files with a plus sign in the name as
W32/Brepibot.gen
http://www.f-secure.com/weblog/archives/archive-062006.html#0902
The fake HELO names were CNN.com and TradersWorld.com if that's any use.
Backdoor.Naninf.E
TheHacker 5.9.8.160 06.16.2006 no virus found
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Friday, June 16, 2006 2:21 PM
To: declude.virus@declude.com
Subject: RE
: 416 322-0333
Cell: 416 805-HELP (4357)
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of
Colbeck, Andrew
Sent: Friday, June 16, 2006 5:31 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus
Bob, drop an email to the handler on duty at http://isc.sans.org/ for
some general advice. They may also have some specific reference to
point you to regarding a vulnerability or they may recognize the modus
operandi of what you saw. I don't recognize it, myself.
Generally speaking, your best
(Another country heard from)
Release announcements? Why, that's why I subscribed to Declude.Releases
on May-11-2005 ... The only message I've kept (the only one received!?)
was from Barry on Sep-26-2005 and had the subject:
Declude 3.0 Availability
Andrew.
-Original Message-
Title: Possible virus?
It's been years, but I do remember that there were several
viruses that would take random MS Office documents off the infected user's
computer as "cover" when it sent itself out. Their names, though, I don't
remember.
Andrew 8)
From: [EMAIL PROTECTED]
#Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches
# suggested in the manual. The noboot and nomem options
# are not listed when you ask fpcmd.exe for help, but they
# are definitely in the logs.
SCANFILE D:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed
Scott,
Are you running ClamAV with the SaneSecurity antiphishing
signatures as an external spam test in Declude Pro, or as an antivirus engine in
Declude Virus Pro?
Andrew 8)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March
You can write it in French and Spanish in the same recip.eml; I've seen
this technique a lot in Canada, but it's in English and French.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February
Goran, I actually avoid any bounce and alerts to recipients and senders.
I only use alerting to send virus alerts inbound to our postmaster
account.
I do this because I know firsthand how hard it is to keep junk alerts
from the Internet from coming in to my users' mailboxes.
Likewise, I
$.junkmail file for this test
I tag at 10 and delete at 30 so this would only trigger on legit
messages
Just a thought
Goran Jovanovic
Omega Network Solutions
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-
[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
My raw speculation:
1) It is missed because the virus.cfg is using the
"PRESCAN ON" switch (the default, I believe) and the declude.exe
application does not decode the MIME or other coding as flexibly as a mail
client would, or makes an uninformed decision about what is an object worth
3) On a very busy server, Declude may be aborting
the scan because it is taking too long. The default is 60
seconds.
ANSWER: Use SCANNERTIMEOUT 90 in the virus.cfg or some
other time value of your choosing.
Andrew 8)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
zip all of my
MG logs nightly, so it isn't practical to search through
all of them.
MG Matt
MG Colbeck, Andrew wrote:
MG
MG On the plus side, there are mitigating circumstances...
MG
MG First, let me point out that although the antivirus
MG
John, the other formats are common (or, were common) on
Macintosh and Unix based systems for binary attachments and for attached
messages. Eudora for Windows used to expose several of these formats for
message construction.
They've fallen into disuse in favour of MIME attachments,
but they
On the plus side, there are mitigating
circumstances...
First, let me point out that although the antivirus
companies will lag behind the virus authors, the antivirus guys aren't
sleeping.
For many years, the bad guys have been using encoding
methods and 3rd party applications to
We've all made good points [except Matt, he's apparently high on life...
;) ] and that is precisely the value of the debating club we've formed
here.
Excellent features have been put into Declude precisely because of the
debating club. When Scott was the sole developer, this debate and
feedback
Markus would find this handy (as would other die-hards who are often seen
to post in this forum) and would be willing to maintain a small list of
entries for which he would like this behaviour.
However, in addition to the FORGINGVIRUS DNS lookup feature that Declude
already implements*, perhaps
No Matt, it wouldn't be a complete solution for you
or me. We don't trust DELETE actions at all.
Markus however, is ok with a DELETE action, as with many
others, so I'm pretty confident that they would be ok with an autodelete as
well, while trusting that Declude.com isn't going to make a
Just because it's easy to produce...
This is from the viruses that get caught as spam from Dec
01 2005 through yesterday:
13
Suspicious program in Archive
1
Suspicious program
5
Unknown Virus
57
IIRC, the HOLD action was where the risk came in. Messages
that are held by Declude using AVAFTERJM and then manually
re-queued (via, say, the old SpamReview app) would NOT be
scanned for viruses at all, since
re-queued messages bypass Declude altogether.
snip
At the very least,
Do you mean this script on my disk that creates one hour each
day with 100% CPU usage?
Markus, I found that a pretty fun bit of sarcasm. But I have a dry
sense of humour.
It sounds like you're not using AVAFTERJM so that you catch viruses as
viruses and spam as spam.
In this scenario I'm
Title: Mail.zip from AOL Encrypted Messaging Service?
You've caught an instance of the "Feebs"
worm.
HTA in email should automatically be suspect. I won't
go as far as to say it should be banned, but it's not a bad idea. Myself,
I've never seen an "HTML help file" sent in email.
There is
No, you shouldn't block .mim
attachments.
The .mim
attachment means that there was a MIME formatted, which is encoding that
converts binary attachments and non-ASCII text to nice and safe 7 bit ASCII
encoding to make SMTP servers happy.
You are most likely to see this when an entire
A Kapser was detected on my F-Prot based system today.
I'm attaching the output of the scan from virustotal.com for your
interest.
I also scanned it with my TrendMicro which detects it by a different
name:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA
You
I agree completely.
I use the postmaster notification only, so only internal
notifications happen. I use the FORGINGVIRUS statements to limit what we
have to see.
Recently, we had a single "macro virus" type issue, and
that was where a HTML based Microsoft Word document used a document
begin to
enhance their naming convention by an initial name of the av-company.
Something like: F-Prot W32/[EMAIL PROTECTED]
Markus
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Colbeck, Andrew
Sent: Tuesday, January 17, 2006 11:21 PM
I haven't seen it. It's also not unusual for F-Prot to have a signature
for a virus, but no write up on their website.
If the virus was caught, you could submit the attachment to one of the
free websites that will check an executable against multiple virus
engines and give you a summary of which
Another buffer overflow has been found in ClamAV and ClamWin, this time
in decompressing UPX packed executables, which is fairly common for
virus and spyware variants. See:
http://blogs.washingtonpost.com/securityfix/2006/01/clam_antivirus_.html
The current ClamWin version is 0.88 here:
I haven't checked today's results with fpcmd 3.16f, but here are
yesterday's quick stats with fpcmd 3.16e
8 W32/[EMAIL PROTECTED]
3 W32/[EMAIL PROTECTED]
27 W32/[EMAIL PROTECTED]
1 W32/[EMAIL PROTECTED]
10 W32/[EMAIL PROTECTED]
9 W32/[EMAIL PROTECTED]
81
Richie
You visit illegal websites
You_visit_illegal_websites
Your IP was logged
Your_IP_was_logged
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, January 06, 2006 8:53 PM
To: Declude.Virus@declude.com
Subject
I just saw two today. This may not be what you're seeing, JT, but here
goes:
What I saw were two broken Sober.X messages that were bounced with the
original message (the viral message) truncated. F-Prot didn't trigger
on the broken attachment and the bounce didn't trigger my custom filters
to
For what it's worth, I just tested the 3.16d and 3.16e versions of
fpcmd.exe and they behaved identically on the single sample I had.
They return errorlevel = 8 (suspicious file found) and here is the text
when run manually (as opposed to within Declude):
c:\virus-quarantine\wmf\bg.wmf Contains
http://www.microsoft.com/technet/security/bulletin/advance.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Andrew 8)
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
Ouch. Not in the wild yet (most of these
vulnerabilities don't get to be in the wild), but serious nonetheless due to
its potential. If you're not keeping your Symantec up to date
with a subscription, you should:
You can upload it to this website where it will be scanned by all the
leading virus vendors that haven't sent them a cease-and-desist order:
http://www.virustotal.com/flash/index_en.html
And you can also upload it to here to have their 'bot run the
application in a sandbox and report back to you
There are very interesting details in Trend Micro's writeup.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T
i.e. it uses its own SMTP server plus a hardcoded list of accounts and
IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
are catching them. That way new variants
that use the names are caught before definitions are available.
Darin.
- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 11:57 AM
Subject: RE: [Declude.Virus] New
Hmmm, now that's interesting.
http://www.f-secure.com/weblog/#0705
Andrew.
A 20 year old man goes from abusing phish to being abused as a fish:
http://www.wired.com/news/print/0,1294,69480,00.html
Andrew 8)
Ouch. F-Prot is very popular on this group. This vulnerability may
never turn into an exploit, but it's better that we keep abreast of
issues like this.
F-Prot Antivirus Lets Remote Users Bypass the Scanning Engine with
Specially Crafted ZIP Files
http://isc.sans.org/diary.php?storyid=820
Current F-Prot definitions catch this as a Mitglieder variant, and Trend
Micro reports that they are investigating Bagle.AB
The zip files contain a non-password protected executable; I've noticed
the following names:
Loader.exe
t_535475.exe
Here is an F-Prot report on one catch:
Forewarned is fore-armed. Blogged by F-Secure here:
http://www.f-secure.com/weblog/#0682
With a writeup on the virus itself here:
http://www.f-secure.com/v-descs/rbot.shtml
The email seeding run doesn't contain virus, just a scam plus a URL. I
haven't seen any yet, so I can't comment on
How about cock of the walk jokes?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, October 11, 2005 2:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or
#New
Sober.R aka CME-151
per http://cme.mitre.org... expect German right-wing propaganda in a few days
Oct-05-2005 AC
BANNAME pword_change.zip
BANNAME screen_photo.zip
BANNAME KlassenFoto.zip
BANNAME Regis.info.zip
BANNAME Privat-Foto.zip
BANNAME Brief.zip
banned extensions for both flavours as
PONG
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 29, 2005 8:15 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] PING
PING
FYI, Kaspersky reports that they're now up to something
like 20 new variants of Bagle between Monday and Tuesday.
Andrew 8)
... and F-Secure notes that they've hit a record of
publishing 12 pattern updates in one day.
Andrew 8)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, September 20, 2005 11:28 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus]
Mr. Obvious says:
You would have to change the URL plus the name of the file
you're unzipping!
So that I didn't have to change my script much, I changed
my wget line to:
wget http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip -O dailyscan.zip
The -O
Hmm, yes.
Something along the lines of:
wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
and then parsing out the line:
FileName=dat-4579.zip
or
DATVersion=4579
in order to construct the filename... but it seems like
re-inventing the wheel. The readme.txt talks about a
Scott, in various older versions of wget, the -N
parameter as well as the --header=Accept-Encoding:gzip parameter plain
old didn't work. Pick up the current version here:
http://xoomer.virgilio.it/hherold/#Files
and it should be fine.
Andrew 8)
From: [EMAIL PROTECTED]
which is all well and good, but...
It worked fine for the update.ini, but not for the .zip
file. The current stable version of wget does in
download a full file every time.
Andrew 8)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday,
A very basic:
wget -N http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip
was not working when Scott (and then I) tried
it. But it does now, including with the -O parameter. I'd
hazard a guess that they have some kind of front-end webcache or cluster, and
According to this:
http://loadrunner.uits.iu.edu/weathermaps/abilene/
Most of the major links on the Internet are very busy. Interestingly,
the Houston-Atlanta link is back up, and was hard down due to Katrina
for a week.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
No problem, Darin.
We'll have Newfoundland reboot it. They're half an hour off of
everybody else.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, September 09, 2005 10:55 AM
To: Declude.Virus@declude.com
. Then if someone wants something done on a particular day, and you
missed it, you could just walk over to the other side of the building,
finish it, and tell them it's done.
Darin.
- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus
Hmmm. I don't specifically remember that, John. But this is a handy
place to check:
http://www.dshield.org/warning_explanation.php
DShield is fed by volunteers who run whatever firewall or IDS they like
and submit the logs to DShield. It's an offshoot of the SANS Internet
Storm Center.
A site
David, with your version of Declude Virus, you'd have to turn off all 10
of the CR vulnerability checks at one go. I'm at the same or similar
version, and that's what I've decided to do. This directive goes in
your virus.cfg:
BANCRVIRUSESOFF
Andrew 8)
-Original Message-
From:
I hadn't until last night, Markus. But now I've got 35 copies from
different sources, all flagged by F-Prot as suspicious files. F-Prot
detects the executable inside a zip file as a Mitglieder variant, and
submitting it to http://www.VirusTotal.com shows that all the big name
vendors there are