Agreed, the current *.def files no longer trigger on my sample false-positive files.
Also, I had exactly the same message from F-Prot support waiting for me that Uwe received this morning regarding the false-positives as "HTML/[EMAIL PROTECTED]".

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wind
Sent: Tuesday, May 03, 2005 8:04 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-Prot and HTML object exploit

I tested it the last hours and had no FP since the new update.

Uwe

----- Original Message -----
From: "Chris Fitch" <[EMAIL PROTECTED]>
To: <Declude.Virus@declude.com>
Sent: Tuesday, May 03, 2005 4:44 PM
Subject: RE: [Declude.Virus] F-Prot and HTML object exploit

> I have these installed and appears to have corrected.
>
> Chris Fitch
> Sr Network Administrator
> Industrial Chemicals Inc.
> [EMAIL PROTECTED]
> 205-823-7330 Ext. 1039
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Wind
> Sent: Tuesday, May 03, 2005 8:02 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] F-Prot and HTML object exploit
>
> Hello,
>
> in the moment I got this email from F-prot support:
>
> Unfortunately, virus signature files released at 17:00 on 2 May 2005
> included a false positive detection identified as: "Infection:
> HTML/[EMAIL PROTECTED]" (exact name) causing problems for some of our
> users. New virus signature files that fix this problem have now been
> released. These files are dated 3 May 2005 and users need only update
> to avoid any further false positives.
>
> Greetings,
> Uwe
>
> ----- Original Message -----
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: <Declude.Virus@declude.com>
> Sent: Tuesday, May 03, 2005 3:21 AM
> Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
>
> The sign*.def files have been updated to:
>
> 05/02/2005 11:46 PM
>
> Which I'm pretty sure is UTC. However, these still have the
> false-positive. As of this writing, I've received no reply to my
> ticket with F-Prot.
>
> Andrew 8)
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Monday, May 02, 2005 2:03 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] F-Prot and HTML object exploit
>
> F-Prot may have pulled the latest defs due to the number of complaints
> received, which could explain why the app reports that you have the
> latest version.
>
> Bill
>
> ----- Original Message -----
> From: "Kevin Rogers" <[EMAIL PROTECTED]>
> To: <Declude.Virus@declude.com>
> Sent: Monday, May 02, 2005 1:54 PM
> Subject: Re: [Declude.Virus] F-Prot and HTML object exploit
>
>> I also filled out the form at FProt's site. Thanks for the defs.
>> When I open up FProt, though, it says that my defs are up-to-date,
>> even though I replaced the newest ones with the ones that you sent.
>> I hope that that message indicates whether we've downloaded the latest
>> - not whether we are actually using the latest defs.
>>
>> Colbeck, Andrew wrote:
>>
>> >I don't think the engine version matters, just the pattern file.
>> >
>> >I've confirmed that the culprit is this, the most recent sign.def
>> >from
>> >
>> >05/02/2005 01:32 PM
>> >
>> >And yes, I've sent in a support request via their web page; I'd like
>> >to supply them with several samples.
>> >
>> >I've also played around with the switch settings and found that
>> >there are no relevant switches that can be used as a workaround (i.e.
>> >"/ai" "/noheur" and "/server" make no difference in the detection or not
>> >of this false-positive).
>> >
>> >All of the messages detected either had Office 10 or Office 11
>> >headers or were replies to messages created with Office 10 or Office
>> >11.
>> >
>> >Andrew 8)
>> >
>> >-----Original Message-----
>> >From: [EMAIL PROTECTED]
>> >[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
>> >Sent: Monday, May 02, 2005 1:10 PM
>> >To: Declude.Virus@declude.com
>> >Subject: RE: [Declude.Virus] F-Prot and HTML object exploit
>> >
>> >Question: Have you all running the latest v3.16b ?
>> >
>> >I can't see any appearance of "HTML/ObjData" in the entire current
>> >logfile, but I've still running 3.16a
>> >
>> >Markus
>> >
>> >>-----Original Message-----
>> >>From: [EMAIL PROTECTED]
>> >>[mailto:[EMAIL PROTECTED] On Behalf Of John
>> >>Tolmachoff (Lists)
>> >>Sent: Monday, May 02, 2005 7:47 PM
>> >>To: Declude.Virus@declude.com
>> >>Subject: [Declude.Virus] F-Prot and HTML object exploit
>> >>
>> >>It appears that something has updated on F-Prot in the last hour.
>> >>Now, a lot of outbound HTML e-mails are being flagged by F-Prot as
>> >>having the HTML object exploit. Running the file on
>> >>www.virustotal.com shows clean.
>> >>
>> >>Anyone else seeing problems?
>> >>
>> >>For now, as I am at a client, I have turned off F-Prot scanning
>> >>relying on AVG.
>> >>
>> >>John T
>> >>eServices For You
>> >>
>> >>---
>> >>This E-mail came from the Declude.Virus mailing list. To
>> >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>> >>type "unsubscribe Declude.Virus". The archives can be found
>> >>at http://www.mail-archive.com.
>> >
>> >---
>> >[This E-mail was scanned for viruses.]
> ---
> [This E-mail scanned for viruses by Declude Virus]