#==========================================================================================#
# Declude Virus configuration file. #
# Updated by MAILS BEST FRIEND 09/11/2019 #
# #
#==========================================================================================#

#========================================= LOGS ==========================================
# "####" in the LOGFILE option, if present, automatically gets replaced with the month/date.
# Log Level options: WARN / LOW / MID / HIGH / DEBUG / ERROR
LOGFILE Logs\vir####.log
LOGLEVEL LOW

#If you do not want Declude EVA to record to the log e-mails that do not contain a virus
#LOG_OK NONE

CONSOLE ON

#========================================= SCANFILE SETTINGS ================================
# SCANFILE is the location of the command-line virus scanner. Note that it must include the full path.
# VIRUSCODE is the code that the scanner returns if it finds a virus.
#[MORE INFO SEE VIRUS CONFIGURATION http://www.declude.com/Articles.asp?ID=117 FOR DETAILS]

#CLAMAV
#SCANFILE C:\Smarte~1\declude\scanners\ClamAV\bin\clamscan.exe --verbose --database="C:\Smarte~1\declude\scanners\ClamAV\db" --tempdir="C:\Smarte~1\declude\scanners\ClamAV\Temp" --no-summary -l report.txt
#VIRUSCODE 1

#F-Prot
#SCANFILE3 C:\Progra~1\FSI\F-PROT\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
#VIRUSCODE3 3
#VIRUSCODE3 6
#VIRUSCODE3 8
#REPORT3 Infection:

#ESET
#SCANFILE C:\ECLS\ecls.exe /mail /no-boots /sfx /rtp /adware /unsafe /unwanted /pattern /heur /clean-mode=NONE /no-quarantine /no-log-console /log-file=report.txt

#========================================= ADVANCED OPTIONS ===============================
# VIRDIR is the directory to move E-mails with viruses; by default, it is set to 'spool\virus' (\spool\virus).
VIRDIR spool\virus

# The following options allow you to limit scanning to only incoming or outgoing E-mail.
INCOMING ON
OUTGOING ON

#Change the order in which JunkMail and Declude EVA scan.
#The default is JunkMail followed by Declude EVA.
AVAFTERJM ON

#This directive will cause Declude to stop calling the remaining scanners after a virus has been detected.
#This directive has meaning only when there is more than one scanner listed. The default behavior is for Declude to call all scanners.
EXITSCANONVIRUSDETECT ON

# The MAXATONCE option limits the number of AV processes. For example,
# MAXATONCE 1 will only allow 1 AV process to run at once (for licensing purposes).
# A value of 0 (or commenting it out) allows unlimited processes to run at the same time.
MAXATONCE 0

# The ONACCESS option should be set to OFF unless you have an on-access virus scanner
# that will be deleting attachments with viruses. It is recommended NOT to have an
# on-access scanner interfering, and to leave this at OFF.
ONACCESS OFF

# The SCANNERTIMEOUT option lets you choose the number of seconds that Declude will
# wait for the virus scanner to finish. The minimum value is 10 seconds. Most
# scanners will not need to take that long. This option is mainly to prevent
# defective scanners (that never finish) from interfering with your outgoing E-mail.
# Raising this will NOT help if your virus scanner always times out.
SCANNERTIMEOUT 60

# Declude can pre-scan HTML files. If no dangerous code is detected, the
# virus scanner will not get called. This can significantly cut down on CPU usage.
PRESCAN ON

# The FOOTER lines will add a footer to the bottom of E-mails that are scanned. This may
# not be visible if you send HTML or attachments with the E-mail.
#FOOTERIN [This E-mail was scanned by Declude]
#FOOTEROUT This message is intended only for the designated recipient(s). It may contain confidential or proprietary information and may be subject to the attorney-client privilege or other confidentiality protections. If you are not the designated recipient of this e-mail or its attachment(s), you may not review, copy or distribute this message. If you receive this e-mail or its attachment(s) in error, please notify the sender by reply e-mail and delete this message and its attachment(s). Thank you.

# The DELIVERERRORS option, when set to ON, will treat errors from the virus scanner as if no
# virus was found. When set to ON, this could cause viruses to get through in rare situations,
# but will also prevent legitimate mail from being quarantined due to an error in the scanner.
# It is recommended to leave this at ON.
DELIVERERRORS ON

#========================================= VULNERABILITY OPTIONS =================================
#By default, emails with vulnerabilities will be quarantined. You may, however, choose to delete these vulnerabilities.
DELETEVULNERABILITIES OFF

# The BANCRVIRUSES option will automatically treat E-mail with malformed headers that could
# contain a virus as if they did contain a virus. It is strongly recommended that you keep
# this set to ON; otherwise, viruses could slip through.
BANCRVIRUSES ON

#This option instructs Declude EVA to allow vulnerabilities to and from a specific E-mail address or domain.
#ALLOWVULNERABILITIESFROM webmaster-vir@declude.com
#ALLOWVULNERABILITIESTO webmaster-vir@declude.com

#You may selectively allow certain vulnerabilities not to be blocked by Declude EVA.
#ALLOWVULNERABILITY OBJECTDATA
#ALLOWVULNERABILITY OLCR
#ALLOWVULNERABILITY OLSPACEGAP
#ALLOWVULNERABILITY OLBLANKFOLDING
#ALLOWVULNERABILITY OLMIMEHEADER
#ALLOWVULNERABILITY OLMIMESEGMIMEPRE
#ALLOWVULNERABILITY MIMESEGMIMEPOST
#ALLOWVULNERABILITY OLLONGBOUNDARY
#ALLOWVULNERABILITY OLBOUNDARYSPACEGAP
#ALLOWVULNERABILITY OLLONGFILENAME

# Declude EVA can treat files using CLSID extensions as viruses. This type of
# extension will force a certain type of program to be run, while making the file appear
# to be a .TXT or other safe file. There is no known legitimate reason to send this
# type of file through E-mail. BANPARTIAL ON bans the Partial Vulnerability.
BANCLSID ON
BANPARTIAL ON

#On a MIME header mismatch, Declude assumes it is an executable. You can turn on/off the MIME header mismatch test. If this test
#is turned off then the e-mail will not be caught as a vulnerability. However, there is a log message that the mismatch was
#found but ignored because it is turned off.
MISMATCHEDEXT ON

#========================================= VIRUS OPTIONS =================================
# The DELETEVIRUSES option, when set to ON, will delete viruses, rather than quarantine them.
# E-mails that are blocked but in which no virus is detected (such as banned file extensions and vulnerabilities)
# will not be deleted as they have the potential of being legitimate E-mails.
# It is recommended to leave this at OFF, just to be safe, but many people set this to ON.
DELETEVIRUSES OFF

# The SKIPEXT option will let you skip scanning of certain file extensions. For
# example, a GIF file can't contain a virus, so there is no need to scan it.
SKIPEXT GIF
SKIPEXT TXT
SKIPEXT MPG
SKIPEXT PNG

#File extensions within .ZIP files can be banned. For example, if you have a line BANEXT EXE and BANZIPEXTS ON
#then .EXE files within .ZIP files will be blocked.
BANZIPEXTS ON

# The BANEXT option will let you ban file extensions. E-mails containing attachments
# with these file extensions will be quarantined, and if you have a BANnotify.EML file,
# it will be sent out. You can ban up to 100 extensions.
#EXECUTABLES
BANEXT adp
BANEXT app
BANEXT application
BANEXT class
BANEXT com
BANEXT cpl
BANEXT dll
BANEXT exe
BANEXT gadget
BANEXT grp
BANEXT hlp
BANEXT hta
BANEXT jar
BANEXT msc
BANEXT msi
BANEXT msp
BANEXT pif
BANEXT scr
BANEXT sys
BANEXT vxd

#SCRIPTS
BANEXT bat
BANEXT cmd
BANEXT csh
BANEXT js
BANEXT jse
BANEXT msh
BANEXT msh1
BANEXT msh1xml
BANEXT msh2
BANEXT msh2xml
BANEXT mshxml
BANEXT mst
BANEXT ocx
BANEXT pl
BANEXT ps1
BANEXT ps1xml
BANEXT ps2
BANEXT ps2xml
BANEXT psc1
BANEXT psc2
BANEXT sct
BANEXT vb
BANEXT vbe
BANEXT vbs
BANEXT ws
BANEXT wsc
BANEXT wsf
BANEXT wsh

#SHORTCUTS
BANEXT inf
BANEXT lnk
BANEXT scf

#MS
BANEXT ade
BANEXT bas
BANEXT mad
BANEXT maf
BANEXT mag
BANEXT mam
BANEXT maq
BANEXT mar
BANEXT mas
BANEXT mat
BANEXT mau
BANEXT mav
BANEXT maw
BANEXT mda
BANEXT mdb
BANEXT mde
BANEXT mdt
BANEXT mdw
BANEXT mdz
BANEXT vss
BANEXT vst
BANEXT vsw
BANEXT vsmacros

#OTHER
BANEXT cer
BANEXT chm
BANEXT crt
BANEXT fxp
BANEXT ins
BANEXT isp
BANEXT its
BANEXT ksh
BANEXT ops
BANEXT pcd
BANEXT prf
BANEXT prg
BANEXT pst
BANEXT reg
BANEXT sea
BANEXT shb
BANEXT shs
BANEXT taz
BANEXT tmp
BANEXT url
BANEXT vbx

#All versions of Declude EVA have a BANNAME option that can be used to specify specific filenames that should be banned.
#This can be useful if a new virus starts spreading, and virus definitions have not yet been updated for it.
#You can ban up to 50 files by name. When a banned file is detected, the BANnotify.eml file will be sent out.
#Example W32.Mytob.H@mm
BANNAME account-details.zip
BANNAME important-details.zip
BANNAME email-details.zip
BANNAME account-password.zip
BANNAME email-password.zip
BANNAME important-details.zip
BANNAME aytpvo.zip
BANNAME update-password.zip
BANNAME accepted-password.zip
BANNAME account-info.zip
BANNAME account-report.zip
BANNAME invoice.doc

# The BANEXT EZIP line blocks all encrypted .ZIP and .RAR files, which is necessary
# to be fully protected against viruses (since it is impossible to detect a well-
# constructed virus within an encrypted .ZIP or .RAR file)
BANEXT EZIP

#Allowing EZIP (Encrypted ZIP files) for Domains and Users
#ALLOWEZIPTO user@example.com
#ALLOWEZIPTO example.com
#ALLOWEZIPFROM senderaddress@example.com
#ALLOWEZIPFROM example.com

# The FORGINGVIRUS option is used to list viruses that forge the return address, so Declude
# can replace the name of the sender with "[Forged]".
FORGINGVIRUS Avril
FORGINGVIRUS Bagle
FORGINGVIRUS Braid
FORGINGVIRUS Bridex
FORGINGVIRUS Bugbear
FORGINGVIRUS Dumar
FORGINGVIRUS Dumaru
FORGINGVIRUS Evaman
FORGINGVIRUS Exploit-ObjectData
FORGINGVIRUS Fizzer
FORGINGVIRUS Ganda
FORGINGVIRUS Gibe
FORGINGVIRUS Holar
FORGINGVIRUS Hybris
FORGINGVIRUS IFrame
FORGINGVIRUS IFromot
FORGINGVIRUS Illwill
FORGINGVIRUS Inor
FORGINGVIRUS Klez
FORGINGVIRUS Lentin
FORGINGVIRUS Lovgate
FORGINGVIRUS Mabut
FORGINGVIRUS Magistr
FORGINGVIRUS MiMai
FORGINGVIRUS Mimail
FORGINGVIRUS MyDoom
FORGINGVIRUS Mytob
FORGINGVIRUS Netsky
FORGINGVIRUS ObjData
FORGINGVIRUS Palyh
FORGINGVIRUS Phish-
FORGINGVIRUS Plexus
FORGINGVIRUS Proxy-Cidra
FORGINGVIRUS Reblin
FORGINGVIRUS Sefex
FORGINGVIRUS Sober
FORGINGVIRUS SoBig
FORGINGVIRUS Somefool
FORGINGVIRUS Swen
FORGINGVIRUS Tanx
FORGINGVIRUS Torvil
FORGINGVIRUS Trojan
FORGINGVIRUS Unknown
FORGINGVIRUS Vulnerability
FORGINGVIRUS Wurmark
FORGINGVIRUS Yaha
FORGINGVIRUS Zafi
FORGINGVIRUS Zerolin
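
# Added example, not part of the original configuration file or of Declude: a small Python audit of a config in this format. It flags the settings the comments above describe as weaker, checks the stated BANEXT (100) and BANNAME (50) limits, and reports duplicate entries, a missing active SCANFILE line and a missing BANEXT EZIP.
# The function names, finding texts and sample config are assumptions made for illustration.

```python
import re
from collections import Counter

LIMITS = {"BANEXT": 100, "BANNAME": 50}  # maxima stated in the config's comments
RISKY = {  # directive/value pairs the config's comments describe as weaker
    ("DELIVERERRORS", "ON"): "scanner errors are treated as if no virus was found",
    ("BANCRVIRUSES", "OFF"): "malformed-header mail is not treated as a virus",
    ("BANCLSID", "OFF"): "files using CLSID extensions are not blocked",
    ("BANPARTIAL", "OFF"): "the Partial vulnerability is not banned",
    ("MISMATCHEDEXT", "OFF"): "MIME header mismatches are logged but ignored",
}

def parse(text):
    """Return (DIRECTIVE, value) for every active (uncommented) line."""
    pairs = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            pairs.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs

def audit(text):
    """Return a list of findings for one virus.cfg-style file."""
    pairs = parse(text)
    findings = [f"{n} {v}: {RISKY[(n, v.upper())]}"
                for n, v in pairs if (n, v.upper()) in RISKY]
    for name, limit in LIMITS.items():
        values = [v.lower() for n, v in pairs if n == name]
        if len(values) > limit:
            findings.append(f"{name}: {len(values)} entries, limit is {limit}")
        findings += [f"{name} {v}: listed {c} times"
                     for v, c in Counter(values).items() if c > 1]
    if not any(re.fullmatch(r"SCANFILE\d*", n) for n, _ in pairs):
        findings.append("SCANFILE: no active scanner line")
    if ("BANEXT", "EZIP") not in [(n, v.upper()) for n, v in pairs]:
        findings.append("BANEXT EZIP: encrypted archives are not blocked")
    return findings

# Constructed sample, not a real deployment; the scanner path is a placeholder.
SAMPLE = r"""DELIVERERRORS ON
#SCANFILE C:\path\to\scanner.exe --report report.txt
BANEXT exe
BANNAME important-details.zip
BANNAME account-details.zip
BANNAME important-details.zip
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```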