Markus,
However, Darrell mentioned that the AV scanner still runs once
action is taken against the SPAM message (i.e. routeto, subject, etc.).
Is this not true?
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January
rrell
---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail,
mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.
Keith Johnson writes:
> Darrell,
> What happens in this scenario. Virus fi
Darrell,
What happens in this scenario. Virus file comes in, AVAFTERJM
is turned on, thus Declude scans it for spam content, let's say it is
spam, thus ROUTETO sends it to a specific mailbox for customer to review
for certain amount of days. Does Declude Virus still run against it
prior
David,
If you don't mind, what is the latest revision of Declude? I know there
have been several 'hot fixes', just want to make sure I have the latest. Thanks
again,
Keith
From: [EMAIL PROTECTED] on behalf of David Barker
Sent: Wed 11/30/2005 9:33 AM
To
David,
Are these to be used to correct issues with Dual-proc, or is
that still an ongoing issue still being looked at? Thanks for the time.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 22, 2005 11:41
I am seeing this as we are attempting to get to certain websites and they
can't be displayed.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
Sent: Friday, September 09, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus]
Daniel,
Give this a try:
http://www.f-prot.com/support/windows/fpwin_faq/88.html
-Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ivey
Sent: Monday, May 02, 2005 11:06 AM
To: 'Declude.Virus@declude.com'
Subject: RE: [Declude
Aaron,
I have tried F-prot (www.f-prot.com)? It is very fast and not
very expensive, and the reliability is outstanding.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Moreau-Cook
Sent: Wednesday, April 20, 2005 1:37 PM
To: Declude.
ERROR: Could not open recip file
F:\IMail\spool\_1b38021800b8504b.~MD [2]02/18/2005 11:44:13
Q1b38021800b8504b ERROR: Could not open recip file
F:\IMail\spool\_1b38021800b8504b.~MD [2]
Any ideas or suggestions?
Keith
From: Keith Johnson
[mailto:[EMAIL PROTECTED] On Behalf Of Keith
Scott,
We are not running on access scanners (very careful about that), we are
running Imail 8.15. I didn't even install the Realtime Scanner in f-prot and
have CA Realtime disabled as a service. Anything else that I can look at?
Keith
-Original Message-
Fro
The past few days I am occurring a lot of these type errors in the virus log:
02/18/2005 06:03:21 Qcb35092800dc91ac Couldn't open headers datafile
02/18/2005 06:03:21 Qcb35092800dc91ac ERROR: Could not move virus-infected
E-mail2! Code: 2 0 F:\IMail\spool\Qcb35092800dc91ac.SMD
f:\imail\spool\vi
What would the following indicate:
01/21/2005 15:04:06 Q5df1239b014af8b3 Error 183 creating temp directory
F:\IMail\spool\D5df1239b014af8b3.vir\.
01/21/2005 15:04:06 Q5df1239b014af8b3 Scanned: Error starting scanner
Thanks for the aid.
Keith
---
[This E-mail was scanned for viruses by Declude Vi
Andy,
Upon your phone call with Barry, should we as Declude Users (4 lic. in
my case), contact Barry directly before upgrading or should we await a post
on this forum for new procedures? I too have a cold spare, however, Declude is
not loaded there until necessary and upon written pr
Scott,
We are backing up in our Queue of about 8000 emails and we
started seeing the below messages as well:
Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32.
ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD
[2]
Are these related?
Keith
: [Declude.Virus] What are these
Do you have an on-access scanner running?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Keith Johnson
> Sent: Monday, October 25, 2004 7:38 AM
Also getting:
Q08b8153d00e2843a Couldn't rename SMD to SM$ [32]. Priority back to 32.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] What are
Also,
ERROR: Could not open recip file F:\IMail\spool\_08dc4c3a0030129f.~MD
[2]
Please advise to what this is, thanks,
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, October 25, 2004 10:24 AM
To: [EMAIL PROTECTED
Q06634053002e6803 Error 183 creating temp directory
F:\IMail\spool\D06634053002e6803.vir\.
10/25/2004 10:26:26 Q06634053002e6803 Scanned: Error starting scanner
Thanks for the aid, running 1.81
---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001
I too am seeing this same behavior. I am running HIGH logging and 1.80 version. All
I see is my scanners detecting it, no extra lines from Declude that it stopped it,
same behavior under 1.79. I also wanted to see if there would be any additional aid
with F-prot not being able to report the v
4-028.Exploit.Trojan
Attachment=jpegcompoc.zip.ZIP [1] I
09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [
JPEG.MS04-028.Exploit.Trojan: 101]
Keith
-Original Message-
From: Keith Johnson on behalf of Keith Johnson
Sent: Mon 9/27/2004 3:02 PM
Mark,
What did you use to generate the GDI Exploit test file? Thanks
Keith
-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Smith
Sent: Mon 9/27/2004 1:55 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus] Fpro
Scott,
It seems that social engineering will play a huge part in
future viruses (already seen it with passwords listed in body of
encrypted zips), what are your thoughts on the following:
I recently saw a bounce message that contained the recent
Bagle.aq virus that contained
Scott,
Is there a limit on the BANEXT? I thought I read somewhere it was 100?
Thanks again for your time. Just need a few more entries to cover the _ character.
Keith
-Original Message-
From: [EMAIL PROTECTED] on behalf of R. Scott Perry
Sent: Mon 7
Scott,
Thanks for the email and quick follow-up. Below is the log snippet and it
shows:
07/19/2004 20:21:30 Q658a1246012405b6 MIME file: happy.pi_ [base64; Length=80
Checksum=8732]
07/19/2004 20:21:30.546 Q658a1246012405b6 Comparing |pi| to SKIPEXTs and BANEXTs
07/19/2004 20:21:31.171
We modify extensions at our Firewall that changes an executable listing and removes
the last character and adds an underscore (no harm to file). For example, an exe
would be modified to ex_. Works great, however, it seems that Declude will not see it
in our Banned Extension listing even though
Scott,
We use InoculateIT as our second scanner, for some reason it is
giving off an Error 101 when it encounters Bagle.X.Dll virus. Error 101
means it found a virus, however, action upon it was unsuccessful.
Would it be prudent to add 101 to the list of codes taken in Declude
Virus so th
Scott,
Thanks for creating the following tool on your website, is a lot
easier than creating Eicar zip encrypted test files.
eicardynamicencodedzip
I will be attempting to move to i9 from i7 tonight. Due to the
volume of viruses today, I just couldn't chance it in full
Matt,
I had a space in mine, not a tab. For what it is worth.
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to
Matt,
Is yours working with the TAB, I'll try anything?
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 03, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block
Scott,
I apologize for the flood of emails to you as I know your time
is precious. However, I pulled the following that BANZIPEXTS and
BANEZIPEXTS was added in i7:
>FYI, we now have a new interim release 1.78i7 (at
http://www.declude.com/interim ) that will allow you to ban file
>extensi
Scott,
I don't know that our firewall is the issue due to it working
under i7 and all prior Declude versions. The Firewall only modifies the
extension, it does not in any way alter the file. When you wrote that i7
will not block encrypted zips without the BANEXT EZIP line, it was my
unders
Scott,
This is my top portion of my virus.cfg file under i7 and i8.
Keith
-Original Message-
From: Keith Johnson on behalf of Keith Johnson
Sent: Wed 3/3/2004 8:10 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus
Scott,
I am not using BANEXT EZIP with i7 nor i8 per your instructions to remove it
in place of the new commands:
BANEZIPEXTS and BANZIPEXTS ON
I used that encoded file to test it under i8 first and it went straight
through, that is what tipped me off that something was not rig
Kami,
What version of Declude are you running (1.78i7 or 1.78i8)? Thanks,
Keith
-Original Message-
From: [EMAIL PROTECTED] on behalf of Kami Razvan
Sent: Wed 3/3/2004 8:32 AM
To: [EMAIL PROTECTED]
Cc:
Subject: [Declude.Virus
Scott,
I believe it is only with the new encrypted (password) zip files. I saw in
my log (when running i8) that my Scanners were picking up and detecting normal zip's,
normal pifs, normal scr. etc. of all virus flavors (if there is such thing as normal).
I believe I wouldn't see (as l
ikely problem: Your virus scanner
is leaving extra files/directories behind, so Declude can't delete the
directory.
Any thoughts...
Keith
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Tuesday, March 02, 2004 2:03 PM
To: [EMAIL
I know this has been touched on a few times, however, I just needed some
clarification. I just got a note from CA that informed me that their
engine was unable to scan inside a password protected file. Will F-prot
do this with the latest defs? I know that Scott put EZIP in place, many
thanks. T
Paul,
I think this was out awhile back...
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.coreflood.html
Keith
-Original Message-
From: paul [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Bac
Scott,
I have had at times, with both scanners (up to date sig files,
both catching mydoom) taking a pounding (we are getting mydoom.a in 1
every second), when Scanner1 (f-prot) would pick up the virus and
Scanner2 (InoculateIT) would not show anything, and at other times
Scanner1 would not
John,
Did you add: Mydoom or Mydoom.A or the full W32/[EMAIL PROTECTED] to your
SKIP...
Keith
-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Mon 1/26/2004 6:32 PM
To: [EMAIL PROTECTED]
Cc:
Su
It seems that this file may be related to Microsoft's InstallShield
erroring out. Did you install any 'major' products lately?
Keith
-Original Message-
From: Djerr C. de Meijer [mailto:[EMAIL PROTECTED]
Sent: Monday, December 15, 2003 11:01 AM
To: [EMAIL PROTECTED]
Subject: [Declude.V
Does anyone know what the command line string is for scanning your sig file to see if
it is catching a certain named virus file? I saw it posted over 6 months ago,
however, I guess my search isn't picking it up. Thanks,
Keith
>In this case, you can use the per-user settings to turn off virus
scanning completely for the recipient.
Scott,
Is it possible (using per user settings) to simply suspend the
vulnerability scanning, yet still keep the main virus scanning on?
Thanks again for your time,
Keith
---
[This
>Why do you want them to be allowed to send E-mail with vulnerabilities?
>
>-Scott
It is not that I want them to send one of my clients a vuln. However,
the company sending them is an online faxing company that is sending fax
emails to one of
Is it possible to not scan an email from a specific sender for
vulnerabilities? They are tripping the 'blank folding' vuln. and we
quarantine it. Thanks,
Keith
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing
Just wanted to confirm, if I want to suspend virus notifications to all users on a
single domain that we host, I would do the following:
In the appropriate .eml files, add a line:
SKIPIFRECIP @domaintoskip.com
Thanks,
Keith
Is it possible to not send out virus notifications to a specific domain that we host
within Imail? For example, if we host 100 domains, and only 1 of the domains says
they do not care to receive the virus notifies (i.e. recep.eml). Thanks,
Keith
large attachment scanning.
Thanks again for being a sounding board.
Keith Johnson
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Wed 6/4/2003 6:31 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [Declude.Virus] Log
Scott,
Today we had a 'horrible' thing happen with our scanner (have two in place
F-Prot and InoculateIT), not sure which one had issues:
06/04/2003 14:51:29 Q3ef6000501666762 ERROR: Virus scanner didn't finish after 60
seconds; terminating.
06/04/2003 14:51:29 Q3ef6000501666762 WARNIN
Scott,
We have had a lot of viruses get through today (new Backdoor
AVF), seems McAfee is the only one that has it available (sig file).
Luckily we already alter .exe files so that they can't be executed. Should I
be concerned with these Content-Disposition, I just started to see a lot
(100's
We have started to get numerous of these in our log file, do you know what these may
be.
06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition:
attachment.
06/02/2003 09:02:09 Q4acf0c270148af58 No filename in disp Content-Disposition:
attachment.
06/02/2003 09:07:09 Q4b
>Are you using two or more virus scanners?
Yes, I am using F-prot 3.13a as my 1st scanner and InoculateIT 6.0 SP2 as my 2nd
scanner
>There does appear to be an issue
>with 1.70 where this message will appear in the log file if one or more
>scanners report an error, but the last one does not
>Are there any other entries for the E-mail?
Here is a list of two in a row:
05/29/2003 06:26:39 Qe05301090146bcae Could not find parse string Infection: in
report.txt
05/29/2003 06:26:42 Qe05301090146bcae Error 0 in virus scanner.
05/29/2003 06:26:42 Qe05301090146bcae Scanned: Error in viru
upgrading to 1.69beta, thanks for the aid.
Keith Johnson
___
Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]
"Good pings come in small packets"
Stephen,
I had the similar issue with 7.13hf2. It ended up being the IMail Monitor
was consuming all my open sessions. To see if this is happening to you, simply go to
the command line and run a netstat -an and look to see if you have a tremendous amount
of open sessions (ports) for
t was possible or not. Thanks for the aid.
___
Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]
"Good pings come in small packets"
Scott,
During the initial setup of Declude Virus we copied down the virus_domain.txt
and the virus_users.txt file and placed them in the Declude directory. Since then, by
default, we are scanning all incoming/outgoing email for all domains. Is it more
efficient (hence faster scans) for
Scott,
Thank you for your wisdom, you are awesome.
-Keith
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 2:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Issues running the fpcmd.exe scanner
>Reading some of the arc
>Reading some of the archives suggested that if using F-Prot it was best to
>use the fpcmd.exe over the f-prot.exe due to some errors encountered with
>using f-prot.exe
> 12/20/2002 12:59:44 Q5a90002f0078444b Starting scanner #1:
C:\Progra~1\FSI\F-Prot\fpcmd.exe
> /TYPE /SILENT /NOMEM /
Title: Issues running the fpcmd.exe scanner
Reading some of the archives suggested that if using F-Prot it was best to use the fpcmd.exe over the f-prot.exe due to some errors encountered with using f-prot.exe. Upon testing the f-prot.exe works great, reports in the log just fine, and sends
Title: Monitoring of Declude Virus
I have downloaded and installed/tested the Virus Log Analyzer to take a look at what is being caught in the way of viruses. However, I wanted to see what others are using to 'real' time monitor the virus logs. Outside of using WinTail to watch the log file
I got this same bogus file showing up in the log (MID) when I sent the eicar virus
(zipped format) off the eicar.com website to our server.
Keith
-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Thu 12/19/2002 7:14 PM
virus.cfg file? Again, thank you.
___
Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]
"Good pings come in small packets"
d get caught as banext (i.e. shs), as I think this may be a dull point if they contain a virus as the scanner should catch it and thus tip Declude to quarantine it, however my thoughts were if it was not a virus file. Thanks for the info.
_______
Keith Johnson, MCP
Network En
)?
___
Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]
"Good pings come in small packets"
Server, my onboard Antivirus caught it. I checked the virxx.log file and it showed it was scanned as OK. Is there anything else I can check to see what is going on? I could increase the logging to DEBUG from MID. Thanks for the aid.
___
Keith Johnson, MCP
Network Engineer
from the originator. Thank you for your aid and knowledge!!
_______
Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]
"Good pings come in small packets"
Title: Is this safely ignored...
In the virxxx.log, I found this error. Can this be safely ignored?
Warning: EOF in middle of MIME segment [] [---
___
Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax
Server (scanning wise). Thanks for the aid...
___
Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]
"Good pings come in small packets"
John,
Thank you for the info. With the Dos Version, how are you
getting your auto sig updates and on what interval can you obtain these.
-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 11:12 AM
To: [EMAIL PROTECTED]
Subject: R
F-Prot seems to be the flavor. Do you guys run (under Windows 2000
Server) the DOS version, Windows version or the F-Secure version.
Thanks again!
Keith
-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 10:40 AM
To: [EMAIL PROTECTED]
Su
I wanted to see what type of virus scanner everyone has had luck with. We have used
Computer Assoc. Inoc. for years, however, the 6.0 SP1 version does not allow for the
virus name to be extracted from the report.txt file. Any suggestions would be great
(experience in the field is a much better