http://oss.netfarm.it/clamav/
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gary
Steiner
Sent: Wednesday, November 24, 2010 12:32 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAv / ClamWin with Declude
What version or port of ClamA
27;t that big either. How do you manually process them?
Do you go in and disable the block, reprocess the email, then put the block
back?
Todd
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott
Fisher
Sent: Tuesday, November 16, 2010 10:28 AM
To: declude.virus@dec
I'm pretty small (125 employees), so encrypted zip files are rare and they
get blocked.
I'll manually reprocess them after getting an alert email.
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd
Richards
Sent: Tuesday, November 16, 2010 9:25
Speaking of versions.
I'm running 4.10.42
I noticed there is a 4.10.48 available but no email notice or release notes.
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, April 28, 2010 8:12 AM
To: declude.virus@de
Can I replace the decludeproc.exe or is a upgrade install needed?
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 01, 2009 2:38 PM
To: declude.junkm...@declude.com; declude.virus@declude.com
Subject: [Declude.Virus]
maintenance renewal
money.
Scott Fisher
Director of IT
Farm Progress Companies
255 38th Avenue, Suite P
St. Charles IL 60174-5410
630/462-2323
fax 630/462-2957
sfis...@farmprogress.com
www.farmprogress.com <http://www.farmprogress.com/>
This email message, including any attachments, is f
I use the runclamscan program to call clamav. Here's my virus.cfg lines
SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l
report.txt
VIRUSCODE1 1
REPORT1 FOUND
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Dodell
Se
clude code. Try switching this OFF to see if it
resolves the issue.
David
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Monday, July 30, 2007 10:27 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] exe in zip file why not blocked...
,
What version of Declude ?
Are you using the directive AVAFTERJM ON?
David
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Friday, July 27, 2007 3:06 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] exe in zip file why not blocked...
I
q18d4010e464c.smd Scanned: Error in virus
scanner. [MIME: 2 19668]
virus.cfg lines:
BANEXTexe
BANZIPEXTS ON
I believe this should have been blocked (regardless of the problem with
scanner 2).
Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary
The -mbox parameter died in .90.1 series.
I'm still using the other two:
SCANFILE1 d:\imail\declude\runclamscan.exe log=1
C:\clamav-devel\bin\clamdscan.exe --quiet --max-ratio 0 --max-space 1M -l
report.txt
- Original Message -
From: Mark Reimer
To: declude.virus@declude.com
S
rrors about the
connection being refused (111).
rsync error: error in socket IO (code 10) at clientserver.c(104)
[receiver=2.6.9]
any idea what I should do?
thanks
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Monday, March 26, 2007
ng
SKIPIFVIRUSNAMEHAS Email.Phishing
SKIPIFVIRUSNAMEHAS Email.Malware
SKIPIFVIRUSNAMEHAS Html.Malware
---------
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
This email message, including any att
How about native Declude support for Clam AV like AVG?
That would be nice.
- Original Message -
From: "Gary Steiner" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 01, 2007 11:57 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV
Does anyone want to comment on what might be ca
I definitely still getting them with Clam .90
They only happen here when I run clamav as a service. When I run it as a
non-service (which is CPU foolish), I don't get these.
I also use the clamscan wrapper (runclamscan.exe), so that might be in the
mix.
- Original Message -
From: "
One drawback of spamdomains:
I believe the spamdomains compares the smtp sender with the revdns.
Many phish will come from a SMTP sender of [EMAIL PROTECTED] and
thus won't fail a spamdomains test.
I second the CLAMAV with sanesecurity phish addons.
- Original Message -
From: "Darin
Maybe you love to hate them?
- Original Message -
From: Matt
To: declude.virus@declude.com
Sent: Thursday, January 04, 2007 3:23 PM
Subject: Re: [Declude.Virus] I'm currently on a business trip down south and
will be returning January 5th, 2007. If t
I hate autoresponders.
al Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, December 06, 2006 7:40 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] EXE in RAR file
Does Declude check for banned extension in RAR files?
If not, please add this to the
Does Declude check for banned extension in RAR files?
If not, please add this to the wish list. RAR files are becoming more popular
and it is difficult to ban RAR files.
I had an email come in with an .EXE file in a RAR file. So I believe it doesn't.
---
This E-mail came from the Declude.Virus m
-David
Since it is out there,
I also have seen rare D* messages without Q* file stranded in the work
folder also.
For me about 2 a month. They tend to be spam (of course so does 80% of all
mail).
If it is a legit message, I'll just forge up a corresponding Q* message and
reprocess them.
I'm
It looks like the Stration worm is causing
backscatter today:
The W32/Stration.dr virus drops the mass
mailing worm W32/[EMAIL PROTECTED]. that uses its own SMTP
engine to send itself to the email addresses that it harvests on the infected
computer. The W32/Stration.dr is written
using Mi
Here are mine:
declude\scanners\AVG\db\avi7.avg
2/21/2006 1:27 PM
declude\scanners\AVG\db\miniavi.avg 9/6/2006
9:40 AM
declude\scanners\AVG\db\microavi.avg 9/7/2006
3:42 PM
declude\scanners\AVG\db\incavi.avm 9/8/2006
10:43 AM
- Original Message -
From:
Mark
Rei
ompressed or not).
It sounds like Gary's configuration is quarantining emails based on any
non-zero return code from ClamAV and that this is not the behaviour he
really wants.
Comments? Flames?
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Sco
I used (and probably posted the --max-ratio 0 ).
The max-ratio defines the "maximum compression ratio for scanned files." I
kept getting legit text files that were zipped that were over ratio, so
that's why I why I went to the max-ration 0.
- Original Message -
From: "Gary Steiner" <
Just kind of curious which "scam" this is targeting?
Pump and Dump stock?
Work at home?
419/Lottery scams?
- Original Message -
From: "Bill Landry" <[EMAIL PROTECTED]>
To: ;
Sent: Monday, August 07, 2006 3:39 PM
Subject: [Declude.Virus] Fw: New ClamAV "scam" database
For anyone tha
Your command lines exactly matches my Clamav lines which are working.
I'm using Declude 3.x
- Original Message -
From: "Gary Steiner" <[EMAIL PROTECTED]>
To:
Sent: Friday, July 14, 2006 4:43 PM
Subject: [Declude.Virus] Declude error, not ClamAV error
Upon further research, the statem
as every instance we have seen of this has been invalid email.
I certainly regularly receive incorrectly formatted email. I'm pretty small
volumne, but looking over my logs (I have an external test for this
condition), it is 111 non-spam messages this month.
My email volume is pretty low. Bu
I'm curious if there is a concensus out there on
which ALLOWVULNERABILITY are appropriate to use?
ALLOWVULNERABILITY
OBJECTDATA
HTML Object Data Vulnerability
ALLOWVULNERABILITY
OLCR
Outlook CR Vulnerability
ALLOWVULNERABILITY
OLSPACEGAP
Outlook
I don't think Declude can do this.
This might be possible with your individual virus
scan engines:
Viruscan has a command line parameter
/MAXFILESIZE
so /MAXFILESIZE 5 would not scan files over 5
MB.
ClamAV has a limit of how much to check from
archives (I believe they mean zip files). W
I originally had them banned, but then I got tired of reproecessing the
legit email that had the attachments, so they are allowed in here.
- Original Message -
From: "Nick Hayer" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, April 11, 2006 2:09 PM
Subject: [Declude.Virus] url file extension
Very similiar problem here.
I have a vir folder left over with a filename of "0".
Imail 8.22 , clamav 0.88-2 (SOSDB Cygwin version), Declude 3.06.
Using runclamd and runclamscan wrapper
- Original Message -
From: "Ken Weise" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, March 08, 2006 12:2
Remotehost Yes. Reciphost no.
Declude 3.06
.eml:
REMOTE HOST NAME: %REMOTEHOST%
RECIPIENT HOST: %RECIPHOST%
result:
REMOTE HOST NAME: farmprogress.com
RECIPIENT HOST:
- Original Message -
From: "David Sullivan" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, March 08, 2006 11:04 AM
Subject
-Craig,
you can use runclamscan which is a wrapper program
that returns the virus name to Declude.
http://www.smartbusiness.net/imail/declude/
- Original Message -
From:
Craig
Edmonds
To: Declude.Virus@declude.com
Sent: Wednesday, March 08, 2006 3:27
AM
Subj
Here's my clam command line:
SCANFILE2 d:\imail\declude\runclamscan.exe log=1
C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l
report.txt
I call clamdscan.exe not clamscan.exe
I use the runclamscam wrapperL
This program is just a wrapper calling clamscan or
c
I use runclamd and run it as a service.
clamscan is pretty CPU intensive.
Using clamdscan with the clamd service really cuts down on the CPU time.
- Original Message -
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To:
Sent: Monday, March 06, 2006 3:38 PM
Subject: RE: [Declude.Virus] CLAM
My guess is they refer to different builds of
clamav.
- Original Message -
From:
Goran Jovanovic
To: Declude.Virus@declude.com
Sent: Monday, March 06, 2006 9:44
AM
Subject: [Declude.Virus] CLAMSCAN Scanner
Command Line
Hi,
I have just added the
Here's a couple of parameters I personally
use for Clam-AV:
--max-ratio 0 --max-space 1M
max ratio sets a maximum ratio for compressed
files. I've had zip files that contained txt files get false positives. Setting
it to 0 disables this test.
max space sets the maximum amount of mega
Personally I haven't seen any false positives. I
spot checked a few messages, and they were phish. All of the subject lines are
definitely phishy.
I whitelisted the Declude support lists, so I don't
have any concerns about blocking the support lists.
What I also liked was that it only too
I running clamav as one of my scanners. The
SaneSecurity is an additional defintion database named phish.ndb.
I put the phish.ndb into my
c:\clamav-devel\share\clamav folder and it does all of the rest.
- Original Message -
From:
Colbeck,
Andrew
To: Declude.Virus@declude
As a followup on last week's discussions on
the SaneSecurity phish definitions for ClamAv.
ClamAv (without SaneSecurity) caught 273 phish for
me in February (all 28 days).
SaneSecurity definitions caught 178 phish for me in
the last 8 days of February.
McAfee caught 118 and none after I ins
If your Imail, I'd go to 3.0.5.23... That had a licensing fix.
This release fixes a bug in the IMail version of Declude whereby the wrong
service level (Pro, Standard, Lite) was being reported. This issue affected
IMail users only.
- Original Message -
From: "John Pearson" <[EMAIL
-Barry,
I did not receive the email sent to every customer
(and I have Declude whitelisted). That irks me even more.
Not having received the email, this all comes
straight out of left field for me. If I had received the email, perhaps it
wouldn't be such an unpleasant shock.
It certainly
I upgraded to clamav 0.88-1 yesterday (and 0.88-2
today) and since the upgrades,
I'm seeing sporadic .vir folders left behind. These
all have a file name 0 in them
02/03/2006 10:04:08.258 q7eb10620bac6.smd
WARNING: Couldn't remove .vir directory
D:\IMail\spool\proc\work\D7eb10620ba
Am I the only one that is wondering why there
wouldn't have been an official response to this from Declude?
While I have added the extension listed to block
attachments, (and FProt did detect on all of my instances), when a potential
flaw is pointed out, it would be nice to have an official
Thanks, Matt that'll be helpful.
- Original Message -
From:
Matt
To: Declude.Virus@declude.com
Sent: Friday, January 27, 2006 2:32
PM
Subject: Re: [Declude.Virus] Feature
request: DELETEVIRUSNAME
Sorry. If you add the following directive to your
Global.cfg it
-Declude
I'd be a lot more interested in the AVAFTERJM ON if the HOLD action messages where
virus scanned.
- Original Message -
From:
Matt
To: Declude.Virus@declude.com
Sent: Friday, January 27, 2006 1:25
PM
Subject: Re: [Declude.Virus] Feature
request: DELETEVIR
COPYFILE does not add any Declude
headers.
- Original Message -
From:
Matt
To: Declude.Virus@declude.com
Sent: Friday, January 27, 2006 1:28
PM
Subject: Re: [Declude.Virus] Feature
request: DELETEVIRUSNAME
Dan,You might try COPYFILE which is essentially HOLD,
Excellent idea!
- Original Message -
From: "Markus Gufler" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, January 25, 2006 4:37 PM
Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME
Maybe someone has already requested it:
Why not allow commands like
DELETEVIRUSNAME Netsky
DELETEV
When I used AVG it was consistantly in the back of
the pack for virus detections.
It lagged so badly at the beginning of the
encrypted zip days, that I had to swap it out with Clam.
It had pretty good scanning times.
I use FProt, Clam AV as a service and Mcafee
VirusScan.
From a cost persp
I use a customized version of Mailpure's antiav filter. I then combo this
with a mailfrom-postmaster filter to add points when the bounce comes from a
postmaster.
- Original Message -
From: "Marc Catuogno" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 8:12 AM
Subject: [D
Just the DOS scanner
Dirt cheap if you can find someone to sell it to you.
A little spikey on the CPU utilization, but also pretty quick at
definitions.
- Original Message -
From: "David Dodell" <[EMAIL PROTECTED]>
To: "Scott Fisher"
Sent: Wednesday,
I use F-Prot 1, McAfee 2, Clam 3
I use the Cygwin version of clam with runclamd and runclamscan. You'll find
those at http://www.smartbusiness.net/imail/declude/
runclamd runs clam as a service. much faster.
runclamscan returns a virus name to Declude
Don't forget this is allowable:
#
# (2.0.6
I would consider 3.0.5.10/11 interim releases... Scott would never have
documented them.
I too would like to see the release notes updated with each and every
version...
but it's a long long standing issue.
- Original Message -
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Saturd
So I though with Declude 3 running ok, I'm going to
try the clam av service again.
I'm running into a problem with
runclamd
when I issue a runclamd -start, these log messages
are produced
10-20-2005 11:42:39
SERVICE_START_PENDING10-20-2005 11:42:39 Status:
410-20-2005 11:42:41 star
I block all encrypted zips based on the fact that I can't virus scan them.
But then again I'm slightly paranoid and should not be trusted with sharp
objects.
- Original Message -
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 11, 2005 3:08 PM
Subject: Re: [Declu
I've caught 76 conflicting encoding messages with
EVA this month all 3 days. All spam messages.
What's odd is I've I had 53 conflicting encoding
messages the whole last month.
Is this a change in Declude 3.05 or a shift in my
spammers?
Arrrggg.
Mr. Obvious says if you rename the
win_netware_betadat.zip, wget will never find a file to compare it to and will
always download the update.
- Original Message -
From:
Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 5:34
PM
Subject: Re:
-Matt,
Does the wget -N command work for you with
Mcafee.
I also use the -N and get the full download every
time.
- Original Message -
From:
Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 4:13
PM
Subject: Re: [Declude.Virus] Seemingly
bad v
Here's the Mcafee page:
http://vil.mcafeesecurity.com/vil/virus-4d.asp
- Original Message -
From:
Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 2:26
PM
Subject: Re: [Declude.Virus] Seemingly
bad virus this morning
This is a new Bagel varia
Great catch Matt.
Mine's gone too since August 2
Thank you Declude for multiple virus scanner
option.
Try:
http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip
From:
http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfd
You can't do an internet reboot on a Friday. You need to wait until the
weekend.
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To:
Sent: Friday, September 09, 2005 10:48 AM
Subject: Re: [Declude.Virus] Sudden Internet Slowdown
Maybe someone should reboot the Internet.
Matt
ich might
not put things in the correct format.
Thanks,
Grant Griffith
EI8HTLEGS, A Division of ETC
(812)932-1000
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, August 09, 2005 2:09 PM
To: Declude.Virus@declude.com
Subject: Re: [D
http://www.mail-archive.com/declude.virus@declude.com/msg12070.html
This vulnerability is triggered if the file format diverges from the
official ZIP format specification.
- Original Message -
From: "Grant Griffith" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, August 09, 2005 1:42 PM
Subj
...and hope that Declude or the AV-Engine will catch this vulnerability as
soon as possible.
I completely agree. As a publishing company we receive lots of large jpeg
files and the thought of having to virus scan all those, makes my mail
server want to run and hide.
I'd like to see a comment
I use skipext to bypass some of my larger file
types:
SKIPEXT EPSSKIPEXT GIFSKIPEXT inddSKIPEXT JPGSKIPEXT JPEGSKIPEXT MPGSKIPEXT MPEGSKIPEXT MOVSKIPEXT P65SKIPEXT PMDSKIPEXT PDFSKIPEXT
PSDSKIPEXT QXDSKIPEXT TIFSKIPEXT
TIFF
Of course by skipping these extensions (especially
Yes I have seen them too:
email starts with:
Dear Valued Member, According to our site policy
you will have to confirm your account by the following link or else your account
will be suspended within 24 hours for security reasons.
- Original Message -
From:
Jim Matuska
I also use Terry's runclamscan with no issues.
I have had rare email melt downs when I was running runclamd. I could never
pin it firmly on anything. So I stopped the runclamd to see how it handles.
- Original Message -
From: "David Sullivan" <[EMAIL PROTECTED]>
To:
Sent: Saturday,
One last ClamAV comment...
I've added the command line switch --max-ratio 0
I've had some false positives on some .zip files that forced me to add the
switch.
- Original Message -
From: "Terry Fritts" <[EMAIL PROTECTED]>
To: "David Sullivan"
Sent: Thursday, June 02, 2005 5:52 PM
Su
I'm running 2.0.6.16 and would consider it as stable as 1.82
- Original Message -
From: "David Sullivan" <[EMAIL PROTECTED]>
To: "John Carter"
Sent: Friday, June 03, 2005 2:02 PM
Subject: Re[4]: [Declude.Virus] Second Scanner
Looks like I have clam up and running. I'm testing it as
-mail was sent from 206-72-95-86.wi.skypipeline.com ([206.72.95.86])" or
in the X-Declude-Sender field?
Maybe I should just use the HEADERS 0 CONTAINS.... instead.
Thanks again.
Scott Fisher wrote:
One caveat. The MAILFROM uses the envelope mailfrom, which is different
than the one
One other ClamAV tip.
If you can afford the performance hit and can use PRESCAN OFF, clamav will
be a very effective Phish blocker.
- Original Message -
From: "David Sullivan" <[EMAIL PROTECTED]>
To:
Sent: Friday, June 03, 2005 3:20 PM
Subject: Re[2]: [Declude.Virus] Second Scanner
P.S. You can schedule freshclam often because it makes a DNS call to
determine if there is a new version of the database, it will only download
if that DNS result tells it to.
Very efficient. I schedule freshclam every 15 minutes.
- Original Message -
From: "David Sullivan" <[EMAIL PRO
line "MAILFROM10 CONTAINS [EMAIL PROTECTED]" in
virus.cfg or global.cfg? Do I need to use another file?
If I use the HEADERS option "HEADERS 10 CONTAINS [EMAIL PROTECTED]"
- where would I put that?
Sorry for the newbie questions.
Kevin
Scott Fisher wrote:
If you've got
l.cfg for outgoing messages, and add it to your $default$.junkmail as
well.
Lastly, make sure you have a carriage return at the end of the
fromblacklist.txt to avoid the last line being ignored..
Darin.
- Original Message -
From: "Scott Fisher" <[EMAIL PROTECTED]>
To
If you've got pro, you could add a filter:
MAILFROM10 CONTAINS [EMAIL PROTECTED]
that will check the envelope mailfrom.
To check for those addresses in the headers:
HEADERS 10 CONTAINS [EMAIL PROTECTED]
Another option is to update your virus software more often to minimize the
opportunity windo
Matt posted speed comparison's I'd say about a year ago.
I use F-Prot
ClamAV
and McAfee
- Original Message -
From: "David Sullivan" <[EMAIL PROTECTED]>
To:
Sent: Thursday, June 02, 2005 4:50 PM
Subject: [Declude.Virus] Second Scanner
I know this comes up every now and then, but the
I'll second the EXITSCANONVULNERABILITY option.
There is an occasional need to requeue a message
that false positived on a vulnerability, so I would myself prefer that all those
messages would be checked for viruses.
I'd run:
EXITSCANONVIRUS ON
EXITSCANONVULNERABILITY OFF
I think it would
I've seen it here rarely also.
Not positive here but here is a theory:
The zip file may gave been created on a Mac and contain some Mac specific
size 0 files?
- Original Message -
From: "Paul Navarre" <[EMAIL PROTECTED]>
To:
Sent: Friday, May 27, 2005 12:54 AM
Subject: [Declude.Vir
I'd like to know the answer to this as well...
I do use
SKIPEXT JPG
SKIPEXT JPEG
to skip JPEGs since the larger couple MB JPEGs sure choke the virus scanning
engines.
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To:
Sent: Friday, May 06, 2005 11:57 AM
Subject: [Declude.Virus]
Mcafee command line.
If you can find a license it should run about $25 a year.
- Original Message -
From: "Chuck Schick" <[EMAIL PROTECTED]>
To:
Sent: Monday, May 02, 2005 4:02 PM
Subject: [Declude.Virus] F-Prot Alternative
> We have been running F-prot as the virus scanner with Declude
I'm using:
SCANFILE3 D:\VIRUSSCAN\scan.exe /ALL /NOMEM
/NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /MANALYZE /MIME /PANALYZE /PROGRAM
/REPORT report.txt
Haven't seen any FPs with /MANALYZE or
/PANALYZE
I run PRESCAN OFF and the /MAILBOX isn't needed to
find Phish/Links
I sense a frustratio
I haven't seen anything obvious in a quick glance through today's logs.
Do you have an example?
Usually, I just force another download of the dats.
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To:
Sent: Monday, April 25, 2005 3:42 PM
Subject: [Declude.Virus] McAfee throwing error
I also had to add the SKIPIFVIRUSNAMEHAS Mytob to my eml files.
- Original Message -
From: "John Carter" <[EMAIL PROTECTED]>
To:
Sent: Friday, April 15, 2005 2:53 PM
Subject: RE: [Declude.Virus] Skipifforging not working on Mytob
Shayne:
I haven't heard anything from anyone else. To th
I had some today that fit this description.
Mcafee found them as: the W32/[EMAIL PROTECTED]
- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Thursday, April 14, 2005 4:19 PM
Subject: [Declude.Virus] Possible new virus?
I have seen in the last hour 4 e
Also Declude will check the previous hops up to the HOPHIGH parameter unless
the test name has DUL/DUHL/DYNA in it. So you may be checking multiple IP's
for each mail.
- Original Message -
From: "Kevin Rogers" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 31, 2005 4:03 PM
Subject: [Dec
This won't help you now, but Declude Version 2.x has this feature
:
AV
ADD
ALLOWVULNERABILITIESFROM option that instructs Declude Virus to allow
vulnerabilities from a specific E-mail address or domain.
- Original Message -
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent:
Title: Message
1.82 is what I am running.
I get an IP address with vulnerabilities and with
viruses but not with Banned file extensions.
- Original Message -
From:
Andy Schmidt
To: Declude.Virus@declude.com
Sent: Wednesday, March 16, 2005 11:38
AM
Subject: RE: [Dec
tion is detected.MattDarin Cox wrote:
Yep. I just added
SKIPIFEXT COM to my bannotify.eml
yesterday.
Darin.
- Original Message -
From: Scott
Fisher
To: Declude.Virus@declude.com
Sent: Tuesday,
March 15, 2005 3:31 PM
otify.eml yesterday.
Darin.
-
Original Message -
From:
Scott Fisher
To: Declude.Virus@declude.com
Sent: Tuesday, March 15, 2005 3:31 PM
Subject: [Declude.Virus] Spam .com files being
blocked.
I block .com files.
The last 3 days, I've been
I block .com files.
The last 3 days, I've been getting consistent
blocking of spam messages referring to a gif file named .com:
Content-Type:
image/gif;
name="wdjgamexmail.com"
These are getting blocked, but the users are
getting a little tired of the bannotify.eml messages that t
F-Prot was catching some price...zips
Mcafee caught one at 6:30
But then this appears:
03/01/2005 09:09:30 Q8599093a02820e36 MIME file: price.zip [base64;
Length=15789 Checksum=2053241]
03/01/2005 09:09:30 Q8599093a02820e36 Banning .ZIP file with exe extension.
03/01/2005 09:09:33 Q8599093a02820e3
Try adding this to your command line:
--max-ratio 0
The support compression ratio feature (--max-ratio). Overly compressed files
may get falsely detected. I believe the 0 turns it off.
it worked for me.
- Original Message -
From: "Hirthe, Alexander" <[EMAIL PROTECTED]>
To:
Sent: Thursda
I'd like to submit this for a Declude Virus feature
change:
I like having Prescan OFF to provide the maximum
amount of protection that I can.
I also run 3 virus scanners.
I'm wondering if it would possible to migrate the
Prescan parameter into the virus engines definitions to turn it on
the BANZIPEXTS ON is for non encypted zips
the BANEZIPEXTS ON is for encrypted zips
- Original Message -
From: "David Sullivan" <[EMAIL PROTECTED]>
To:
Sent: Monday, January 31, 2005 2:30 PM
Subject: Re[5]: [Declude.Virus] RAR Support - why not?
> Hello Scott,
>
> Monday, January 31, 2
If you wish the banned file extensions to apply to files with .ZIP files,
you can add a line "BANZIPEXTS ON" to your \{MAILSERVER}\Declude\virus.cfg
file. For example, if you have a line "BANEXT EXE" and "BANZIPEXTS ON", then
.EXE files within .ZIP files will be blocked. You can also use BANEZIPEXT
These seem to be the changes I have
made:
Looking at my config:
Change the BANEXT to ban what extensions you want
to ban.
Decide what to do with Zip files:
BANEXT EZIP to ban encrypted zip files if you can
get away with it
BANZIPEXTS ON to apply Banned Extensions to
contents of Zip files
A plus to Symantec for me is that since I can't use Symantec for my Declude
e-mail protection, and I do use it on workstations and servers, any e-mail
virus needs to make it through an additional and different A/V program on
the desktop. The higher the hurdle, the less that can make the leap.
I have noticed this problem with large files, usually TIFFs.
No solutions though...
-- Original Message --
From: "John Carter" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Mon, 15 Nov 2004 16:44:35 -0600
>Has anyone using ClamAV had problems with
Since these are HTML segments, my guess this is
another case of where Declude Virus Pro's Prescan would need to be turned off
for these to be scanned.
I am catching these segments with Prescan off with
Clam and Mcafee.
- Original Message -
From:
Greg Little
To: [EMAIL PR
I use this version of clamav: http://www.sosdg.org/clamav-win32/index.php
with this wrapper to get virus names:
http://www.smartbusiness.com/imail/declude/
My global.cfg lines:
SCANFILE2 d:\imail\declude\runclamscan.exe log=0
C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCOD
1 - 100 of 153 matches
Mail list logo
