Well, what matters is that you have the correct (older) *.def files, not whether the GUI says you're up to date. As far as it knows, you are.
Remember to temporarily disable your updater, or correct (older) *.def files will just get overwritten again when the auto-updater kicks in. Andrew 8) p.s. Once I received the automated confirmation message from F-Prot, I replied to it with the full information we've discussed here, and supplied 10 sample false-positives. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers Sent: Monday, May 02, 2005 1:54 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: >I don't think the engine version matters, just the pattern file. > >I've confirmed that the culprit is this, the most recent sign.def from > >05/02/2005 01:32 PM > >And yes, I've sent in a support request via their web page; I'd like to >supply them with several samples. > >I've also played around with the switch settings and found that there >are no relevant switches that can be used as a workaround (i.e. "/ai" >"/noheur" and "/server" make no difference in the detection or not of >this false-positive). > >All of the messages detected either had Office 10 or Office 11 headers >or were replies to messages created with Office 10 or Office 11. > >Andrew 8) > >-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler >Sent: Monday, May 02, 2005 1:10 PM >To: Declude.Virus@declude.com >Subject: RE: [Declude.Virus] F-Prot and HTML object exploit > > >Question: Have you all running the latest v3.16b ? > >I can't see any appearance of "HTML/ObjData" in the entire current >logfile, but I've still running 3.16a > >Markus > > > > >>-----Original Message----- >>From: [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff >>(Lists) >>Sent: Monday, May 02, 2005 7:47 PM >>To: Declude.Virus@declude.com >>Subject: [Declude.Virus] F-Prot and HTML object exploit >> >>It appears that something has updated on F-Prot in the last hour. Now, >>a lot of outbound HTML e-mails are being flagged >>by F-Prot as having the HTML object exploit. Running the file >>on www.virustotal.com shows clean. >> >>Any one else seeing problems? >> >>For now, as I am at a client, I have turned off F-Prot scanning >>relying on AVG. >> >>John T >>eServices For You >> >> >> >>--- >>This E-mail came from the Declude.Virus mailing list. To unsubscribe, >>just send an E-mail to [EMAIL PROTECTED], and >>type "unsubscribe Declude.Virus". The archives can be found >>at http://www.mail-archive.com. >> >> >> > >--- >This E-mail came from the Declude.Virus mailing list. To unsubscribe, >just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.Virus". The archives can be found >at http://www.mail-archive.com. >--- >This E-mail came from the Declude.Virus mailing list. To unsubscribe, >just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.Virus". The archives can be found >at http://www.mail-archive.com. >--- >[This E-mail was scanned for viruses.] > > > > > --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
