Re: Re[6]: [Declude.Virus] testvirus.org #17

2004-12-20 Thread William Stillwell
But the McAfee DOES detect the Virus string in the SMD file, but
declude reports no virus.
(This is for test #17)
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, December 20, 2004 3:08 PM
Subject: RE: Re[6]: [Declude.Virus] testvirus.org #22



> I turned it off and it still got through.
>
> This test message contains:
> Test #17: Eicar virus hidden using the CR Vulnerability (attachment can be
> opened by all versions of Microsoft Outlook and Outlook Express)
> ...

I just checked this one, and it got through here, too.  I examined the raw 
source of the E-mail, and there doesn't appear to be a lone CR character 
in it, so it doesn't appear to actually contain the Outlook CR 
Vulnerability.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


This outgoing message is guaranteed to be authentic by Message Level 
users.
Guarantee the authenticity of your email @ http://www.messagelevel.com.
---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.
---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com



Re: Re[6]: [Declude.Virus] testvirus.org #17

2004-12-20 Thread R. Scott Perry

> But the McAfee DOES detect the Virus string in the SMD file, but
> declude reports no virus.
> (This is for test #17)

Declude Virus doesn't detect a virus, because there are no vulnerabilities 
in the E-mail (despite what the test description says).

McAfee does not detect it when called by Declude Virus, because Declude 
Virus only sends MIME segments, attachments, and other such files to 
McAfee.  Since the eicar.com file appears in the headers, where mail 
clients should be unable to see an attachment, the eicar.com file isn't 
sent to McAfee.

As to why McAfee detects it, it is most likely due to differences in the 
way that the E-mail is scanned.

   -Scott
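
The difference described in this message, between scanning the raw spool file and scanning only the decoded MIME parts, together with the lone-CR check mentioned earlier in the thread, as an added example that is not part of the original thread and is not Declude's or McAfee's code. `MARKER` is a constructed stand-in for the EICAR test string, the function names are hypothetical, and all three sample messages are constructed.

```python
import base64
import re
from email import message_from_bytes

# Constructed stand-in for a scanner signature; NOT the real EICAR test string.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"
LONE_CR = re.compile(rb"\r(?!\n)")  # a CR that is not followed by LF

def lone_cr_offsets(raw: bytes) -> list[int]:
    """Byte offsets of bare CR characters anywhere in the raw message."""
    return [m.start() for m in LONE_CR.finditer(raw)]

def header_end(raw: bytes) -> int:
    """Offset of the blank line ending the header block (len(raw) if none)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return m.start() if m else len(raw)

def decoded_parts(raw: bytes) -> list[bytes]:
    """Decoded payload of each leaf MIME part: the per-segment view."""
    msg = message_from_bytes(raw)
    return [p.get_payload(decode=True) or b""
            for p in msg.walk() if not p.is_multipart()]

def coverage_report(raw: bytes) -> dict:
    """Compare what a whole-file scan sees with what a per-part scan sees."""
    in_raw = MARKER in raw
    return {
        "lone_cr": lone_cr_offsets(raw),
        "whole_file_hit": in_raw,
        "mime_part_hit": any(MARKER in part for part in decoded_parts(raw)),
        "hit_in_headers": in_raw and raw.find(MARKER) < header_end(raw),
    }

# Constructed sample: marker sits in the header block, body is clean.
HEADER_ONLY = (b"From: a@example.test\r\nSubject: test\r\n"
               b"X-Demo: " + MARKER + b"\r\n"
               b"Content-Type: text/plain\r\n\r\n"
               b"Nothing to see in the body.\r\n")
# Constructed sample: marker only visible after base64 decoding of the part.
IN_ATTACHMENT = (b"From: a@example.test\r\n"
                 b"Content-Type: application/octet-stream\r\n"
                 b"Content-Transfer-Encoding: base64\r\n\r\n"
                 + base64.b64encode(MARKER) + b"\r\n")
# Constructed sample: a bare CR inside a header line.
WITH_LONE_CR = b"From: a@example.test\r\nSubject: one\rtwo\r\n\r\nbody\r\n"
```

A whole-file hit with no MIME-part hit and `hit_in_headers` set is the situation in the thread; the base64 sample shows the reverse gap, where only the per-part view sees the content.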


Re: Re[6]: [Declude.Virus] testvirus.org #17

2004-12-20 Thread William Stillwell
Ahhh..
So Declude doesn't actually Send the SMD file to the Scanner..
It takes the Message Body, writes it to a Tmp File, and then scans it?
Why not just scan the SMD file, Headers and All?

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, December 20, 2004 4:41 PM
Subject: Re: Re[6]: [Declude.Virus] testvirus.org #17



> But the McAfee DOES detect the Virus string in the SMD file, but
> declude reports no virus.
> (This is for test #17)

Declude Virus doesn't detect a virus, because there are no vulnerabilities 
in the E-mail (despite what the test description says).

McAfee does not detect it when called by Declude Virus, because Declude 
Virus only sends MIME segments, attachments, and other such files to 
McAfee.  Since the eicar.com file appears in the headers, where mail 
clients should be unable to see an attachment, the eicar.com file isn't 
sent to McAfee.

As to why McAfee detects it, it is most likely due to differences in the 
way that the E-mail is scanned.

   -Scott


Re: Re[6]: [Declude.Virus] testvirus.org #17

2004-12-20 Thread R. Scott Perry

> So Declude doesn't actually Send the SMD file to the Scanner..

Correct.

> It takes the Message Body, writes it to a Tmp File, and then scans it?
> Why not just scan the SMD file, Headers and All?

Because very few AV programs can read a .SMD file.  They make their big 
bucks by selling mailserver virus scanners ($1,000s), as opposed to desktop 
scanners ($10s), so they don't want the desktop scanners to scan .SMD files.

   -Scott


Re: Re[6]: [Declude.Virus] testvirus.org #17

2004-12-20 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

>> So Declude doesn't actually Send the SMD file to the Scanner..
>
> Correct.
>
>> It takes the Message Body, writes it to a Tmp File, and then scans it?
>> Why not just scan the SMD file, Headers and All?
>
> Because very few AV programs can read a .SMD file.  They make their big
> bucks by selling mailserver virus scanners ($1,000s), as opposed to desktop
> scanners ($10s), so they don't want the desktop scanners to scan .SMD files.

Many, if not most, desktop command-line scanners today have support for
mail/mime encoded files:
===
F-Prot: -server  Turns on heuristics that are suitable when scanning mail
messages on a mail server.

McAfee: --mime  Option tells the VirusScan Command Line application to
detect infections within archives converted to UUEncode, XXEncode, Base64,
and BinHex formats.

ClamAV: ScanMail  Enable internal e-mail scanner (Default: enabled)

BitDefender: --mail  Scan mail databases

Sophos: -mime  Scan files encoded in MIME format
===

Bill
