Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Virus Definitions
  FAQ FAQ  Forum Search   Register Register  Login Login

Virus Definitions

 Post Reply Post Reply
Author
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Topic: Virus Definitions
    Posted: 01 June 2005 at 9:21am

Roberto,

How can we check if a virus is in the defs?  I am getting a LOT of the W32.Mytob.CU@mm viruses passing through the filter.

The following Banned Attachments SHOULD help catch most but I have not yet tested them so use at your own risk:

((?i)[^\.]+\.((tmp)|(doc)|(htm)|(txt))[\s]*?\.((pif)|(scr)|(exe)|(cmd)|(bat)))


((?i)((email-info)|(email-doc)|(information)|(account-detail s)|(document)|(INFO))\.zip)


((?i)((instructions)|(info-text)|(information)|(hello)|(zcum grr))\.zip)

Regards,



Edited by Desperado
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 01 June 2005 at 6:45pm
Dan,

I've uploaded at http://www.logsat.com/SpamFilter/pub/nselist.zip a small DOS utility. Just extract and run from a DOS prompt nselist.exe, it's rather self-explanatory - needs one of two switches, /b and /m, to list either binary or macro virruses. Remember you can use the ">" switch to send the results to a file, for ex:

nselist /b > list.txt



Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 01 June 2005 at 7:00pm

PERFECT!  And Thanks as usual!

Regards,

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
GregJ View Drop Down
Newbie
Newbie


Joined: 06 June 2005
Status: Offline
Points: 4
Post Options Post Options   Thanks (0) Thanks(0)   Quote GregJ Quote  Post ReplyReply Direct Link To This Post Posted: 06 June 2005 at 11:19am

How can I check to ensure that I have the most up-to-date Anti-Virus definitions?  I think mine are out-dated?

Here's what I've got (as of 06/06/05 at 10:15AM CST)...from my spamfilter.ini file:

AVUpdateURL=https://www.logsat.com/SpamFilter/
AVEnableUpdates=1
NvcBinDate=5/2/05 12:41:18 PM
NvcIncrDate=6/4/05 4:52:50 PM
NvcMacroDate=5/2/05 12:41:20 PM

Can someone verify that these are the most up-to-date definitions?  I think some viruses are passing through without being "trapped" by SpamFilter.  I've clicked the 'Update Now' button, but I've only seen the NvcIncrDate change, the other two have never changed.

Thanks,

GJ

 

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 06 June 2005 at 11:40am

Greg,

The NvcIncrDate=6/4/05 4:52:50 PM is the "Incremental" def file so that is the most important date (i believe).  However,  I, too had some viruses sneak by but have not received any information from the customer as to WHAT virus it was. If you know what virus it is that got past your system, I thing we all would linke to know what it was.

Regards,

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
GregJ View Drop Down
Newbie
Newbie


Joined: 06 June 2005
Status: Offline
Points: 4
Post Options Post Options   Thanks (0) Thanks(0)   Quote GregJ Quote  Post ReplyReply Direct Link To This Post Posted: 06 June 2005 at 12:07pm

Dan,

I have Symantec real-time scanner running on my SpamFilter/Email server as well, so I don't have any reports that a virus got through.  I do know that my Symantec scanner has removed the Mytob.CU, Mytob.DB, and Mytob.DF, and all of which aren't shown in the list when I run the nselist /b.  So, I just want to make sure that my Norman def's are up to date, in case my Symantec hicups and doesn't catch the viruses.

Also, this is how I understand it, correct me if I'm wrong...Since I have Symantec real-time scanner, and the Norman Anti-Virus plug in for SpamFilter on the same machine, in many cases Symantec might remove the virus before Norman does.  When emails come in, it's put in the "temp" folder, then I beleive Norman cleans viruses from the folder (but in many cases Symantec might clean the virus before Norman does).

GJ

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 06 June 2005 at 12:39pm

Greg,

My defs show all 3 that you list and my nselist header shows:

NSE Norman Scanner Engine Version 05.82.01
nvcbin.def   version 05.82 #0 99405 signatures. Built 2005/06/04 13:41:44

ALso,  I have a slighty newer version at http://spamman.mags.net/repl/norman/nselist.zip

Regards,

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
GregJ View Drop Down
Newbie
Newbie


Joined: 06 June 2005
Status: Offline
Points: 4
Post Options Post Options   Thanks (0) Thanks(0)   Quote GregJ Quote  Post ReplyReply Direct Link To This Post Posted: 06 June 2005 at 1:25pm

Dan,

Thanks for the information... Interestingly enough, I went into the spamfilter.ini and removed the Date and Time from each of the four AV entries, then stopped and re-started the SpamFilter service, and the system re-downloaded the Norman files.

Now when I run the nselist /b, it shows:

NSE Norman Scanner Engine Version 05.82.01
nvcbin.def Version 05.82 of 2005/06/04 65535 signatures

...and the new nselist /b does show protection on more viruses (including the three Mytob viruses I named in my previous post).

Although, in SpamFilter, on the AntiVirus tab, my NvcBin.def still shows a date of 05/02/05 12:41:18PM, but when I run the nselist /b, the nvcbin.def shows 06/04/05.  Very confusing!

I guess clearing out the ini AV entries, forced the SpamFilter to download new def's, so I hope I don't have this issue in the future (or I hope no one else has this issue).

Thanks Dan!

Greg

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 06 June 2005 at 1:34pm

Greg,

A couple of things.  First the 65535 is bogus which is why I got the new one from norman and compiled it (c code).  Also, the may dates are correct.  The incremental file is where the day - to -day updates are downloaded to. 

Regards,

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
GregJ View Drop Down
Newbie
Newbie


Joined: 06 June 2005
Status: Offline
Points: 4
Post Options Post Options   Thanks (0) Thanks(0)   Quote GregJ Quote  Post ReplyReply Direct Link To This Post Posted: 06 June 2005 at 1:41pm

Dan, thanks, I understand now.

I re-ran the nselist you re-compiled and I show the same header information as you have.  I guess I'll check the header information in the nselist /b file for the next couple of days to make sure my def's are downloading correctly.

Thanks again for your help!!

GJ

Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.063 seconds.