RE: [Declude.Virus] [Encrypted .ZIP file]
I've seen that NAI's engine is now able to detect Bagle.h even if contained in passworded zip files.

03/02/2004 17:29:04 Qb64d05700068a0de Scanner 2: Virus=W32/Bagle.h!pwdzip virus !!! Attachment=Readme.zip [18] I
03/02/2004 17:29:04 Qb64d05700068a0de File(s) are INFECTED [[Encrypted .ZIP file]: 13]
03/02/2004 17:29:05 Qb64d05700068a0de Scanned: CONTAINS A VIRUS [MIME: 2 21347]

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, March 02, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] [Encrypted .ZIP file]

> The interim release 1.78i5 appears to be making headway against the encrypted .zip file but it appears that the sender is forged. Is this supposed to be added to the SKIPIFFORGING database or should I add it to the SKIPIFVIRUSNAMEHAS list and if so what should it be listed as? Encrypted .ZIP file.?

Yes, that should work fine.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] [Encrypted .ZIP file]
Didn't Scott say yesterday that most virus scanners will catch the password protected zip files; however you HAD to update the ENGINE, not just the DEFINITIONS?

I am still using F-Prot version b as I heard of too many problems with the C version, does anyone know if the C version is fixed yet?

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393
Re: [Declude.Virus] [Encrypted .ZIP file]
Haven't heard anything back from F-Prot since I reported it a week ago.

Darin.
Re: [Declude.Virus] [Encrypted .ZIP file]
Marcus,

interesting because NAI is not catching for us... we're at defs version 4.0.4331 and scan engine 4.3.20

Weird thing for us is that if we use the command line to scan a file that is infected with bagle.h, then mcafee catches it. But not when it runs with declude using the same command line command.

Do you have anything special in your config? I am pasting below what we have in our virus cfg

SCANFILE C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /ANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE 13
REPORT Found

Thanks
Peter
RE: [Declude.Virus] [Encrypted .ZIP file]
> interesting because NAI is not catching for us... we're at defs version 4.0.4331 and scan engine 4.3.20

Same status here.

> Do you have anything special in your config?

Nothing special. I'm running the latest declude interim and can see 3 banned EZIP attachments in the latest 20 hours. All 3 caught also by NAI but not by F-Prot 3.14b and latest defs.

I've isolated one Bagle.h message and can send it to you for testing if you want.

Markus
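
The thread concerns a mail gateway flagging a password-protected ZIP even when a scanner cannot look inside it. As an added example (not Declude's code and not from any poster in this thread), the Python below detects that condition from the archive's own headers: bit 0 of each entry's general-purpose flags marks it as encrypted, so no password is needed. The function names, verdict labels and sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_BIT = 0x0001  # ZIP general-purpose flag bit 0: entry is encrypted


def encrypted_members(data: bytes) -> list:
    """Return names of encrypted entries, read from the central directory.

    Raises zipfile.BadZipFile if the bytes are not a parseable ZIP.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_BIT]


def classify_attachment(data: bytes) -> str:
    """Gateway-style verdict for one attachment (labels are constructed)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    try:
        hits = encrypted_members(data)
    except zipfile.BadZipFile:
        return "malformed-zip"  # an archive we cannot parse deserves scrutiny
    return "encrypted-zip" if hits else "plain-zip"


def make_sample(encrypted: bool) -> bytes:
    """Build a constructed one-entry archive for testing.

    Python's zipfile cannot write encrypted entries, so the flag bit is set
    by patching the headers; the payload itself stays harmless plain text.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"constructed sample payload")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The end-of-central-directory record is the last 22 bytes (no comment);
        # its field at offset 16 is the central directory's start offset.
        cd_off = struct.unpack_from("<I", raw, len(raw) - 22 + 16)[0]
        # Flags sit at offset 6 of the local header (file offset 0) and at
        # offset 8 of the central directory header.
        for pos in (6, cd_off + 8):
            flags = struct.unpack_from("<H", raw, pos)[0]
            struct.pack_into("<H", raw, pos, flags | ENCRYPTED_BIT)
    return bytes(raw)
```

A filter built this way fires on every password-protected archive, legitimate or not, which is why the thread separates the generic "[Encrypted .ZIP file]" result from a scanner's named detection such as W32/Bagle.h!pwdzip.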