RE: [Declude.Virus] Question: Do the new zip commands reject the file extension and not pass the file to the virus scanner

2004-03-03 Thread Grant Griffith - Declude Virus
Replying to try and help Scott out...

A New Interim release of 1.78i9 is there that checks for viruses first in
this case...  version i8 blocked by extension first...

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock
Sent: Wednesday, March 03, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Question: Do the new zip commands reject the
file extension and not pass the file to the virus scanner


Running 1.78i8 on Declude Virus Pro.

Have both the BANEXT EZIP and BANEZIPEXTS ON in virus.cfg

Question:

Currently do the BANEXT EZIP and BANEZIPEXTS ON commands block the mail
based on the file extension and not scan the email with the configured virus
scanner (See snippet #1 below) i.e. the virus scanner is not called or
doesn't appear to be?

When checking the file which was banned it does contain a virus (Bagle/h
pwd) which was being detected fine prior to the new zip features (see
snippet #2)?

Issue: Currently the files which should be caught by the virus scanner are
not being caught by the scanner BUT being rejected due to the file extension
which then generates the bannotify.eml (as you can see from below we now
have that turned off right now).  Previously (prior to the new zip features)
banned extensions (see snippet #3) would appear to be scanned by the scanner
and if a virus was found it would not generate the bannotify.eml.

Snippet #1
03/03/2004 11:04:16 Q01fea15f01b20d9a MIME file: Letter.zip [base64;
Length=20780 Checksum=2629640]
03/03/2004 11:04:16 Q01fea15f01b20d9a Banning .ZIP file with exe extension.
03/03/2004 11:04:16 Q01fea15f01b20d9a Scanned: Banned file extension. [MIME:
2 20916]
03/03/2004 11:04:16 Q01fea15f01b20d9a Couldn't open E-mail file
e:\imail\Declude\BANnotify.eml.
03/03/2004 11:04:16 Q01fea15f01b20d9a From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]
03/03/2004 11:04:16 Q01fea15f01b20d9a Subject: ^_^ meay-meay!

Snippet #2
03/02/2004 15:30:25 Qeede7761020e584c MIME file: Letter.zip [base64;
Length=20859 Checksum=2628208]
03/02/2004 15:30:25 Qeede7761020e584c Scanner 1: Virus= the
W32/Bagle.gen!pwdzip (ED) virus !!! Attachment=Letter.zip [10] O
03/02/2004 15:30:25 Qeede7761020e584c File(s) are INFECTED [ the
W32/Bagle.gen!pwdzip (ED) virus !!!: 13]
03/02/2004 15:30:25 Qeede7761020e584c Scanned: CONTAINS A VIRUS [MIME: 2
20975]
03/02/2004 15:30:25 Qeede7761020e584c From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [outgoing from 66.188.246.138]
03/02/2004 15:30:25 Qeede7761020e584c Subject: Hey, ya! =))

Snippet #3
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file:
[text/html][quoted-printable; Length=5254 Checksum=412704]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [image/gif][base64;
Length=3639 Checksum=424621]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [image/gif][base64;
Length=359 Checksum=35758]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: Update28.exe [base64;
Length=106496 Checksum=9386997]
02/25/2004 00:03:52 Q2cb6170b005aec2b Banning file with exe extension
[application/x-msdownload].
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanner 1: Virus= the W32/[EMAIL PROTECTED]
virus !!! Attachment=Update28.exe [10] O
02/25/2004 00:03:53 Q2cb6170b005aec2b File(s) are INFECTED [ the W32/[EMAIL PROTECTED]
virus !!!: 13]
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanned: CONTAINS A VIRUS [Prescan
OK][MIME: 5 117540]
02/25/2004 00:03:53 Q2cb6170b005aec2b From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [outgoing from 210.150.150.240]
02/25/2004 00:03:53 Q2cb6170b005aec2b Subject: New Net Patch

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 11:00 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Summary of new options

With the latest interim release, you can use:

BANEXT EZIP - This line will ban all .ZIP files with an
encrypted file in them
BANZIPEXTS ON   - This line (Pro version only) will ban all file extensions
listed in BANEXT lines, if they appear in non-encrypted .ZIP files
BANEZIPEXTS ON  - This line (Pro version only) will ban all file extensions
listed in BANEXT lines, if they appear in encrypted .ZIP files

Also, the latest interim (with the Pro version only) will detect bogus
.BAT/.COM/.PIF/.SCR files (automatically as vulnerabilities, with no need
for config file entries).

If you are having any troubles with these, please re-read the information
on them, and then be very clear what is happening.  There are a lot of
possibilities here.  You'll need to specify [1] Whether you are using
BANZIPEXTS ON or BANEZIPEXTS ON (or the not-recommended-but-still-useful
BANEXT EZIP), [2] Whether you have a BANEXT line to block the appropriate
file (BANEXT com, for example), [3] What type of file you are sending
through (.com? .com within a .zip?), [4] If it is a .ZIP file, is the file
inside it 

Re: [Declude.Virus] Question: Do the new zip commands reject the file extension and not pass the file to the virus scanner

2004-03-03 Thread R. Scott Perry

> Currently do the BANEXT EZIP and BANEZIPEXTS ON commands block the mail
> based on the file extension and not scan the email with the configured virus
> scanner (See snippet #1 below) i.e. the virus scanner is not called or
> doesn't appear to be?

The virus scanner will be called with the latest interim release.  The 
older 1.78i8 would prevent the virus scanner from being run in some cases.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
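
The thread contrasts a message that was banned with no scanner entry in the log (snippet #1, on 1.78i8) with messages where the scanner still reported (snippets #2 and #3). As an added example (not part of the original posts and not Declude's code), this Python script groups log lines of that format by queue ID and lists the messages rejected on extension with no scanner entry. The sample log, queue IDs and function names are constructed, and it assumes a scanner run is visible only as a "Scanner N:" line.

```python
import re

# Constructed sample modelled on snippets #1-#3 (queue IDs and one virus name
# are made up); the first entry is wrapped the way the e-mail wrapped it.
SAMPLE_LOG = """\
03/03/2004 11:04:16 Qaaaa000000000001 MIME file: Letter.zip [base64;
Length=20780 Checksum=2629640]
03/03/2004 11:04:16 Qaaaa000000000001 Banning .ZIP file with exe extension.
03/03/2004 11:04:16 Qaaaa000000000001 Scanned: Banned file extension. [MIME: 2 20916]
02/25/2004 00:03:52 Qbbbb000000000002 Banning file with exe extension [application/x-msdownload].
02/25/2004 00:03:53 Qbbbb000000000002 Scanner 1: Virus= the W32/Example virus !!! Attachment=Update28.exe [10] O
02/25/2004 00:03:53 Qbbbb000000000002 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 5 117540]
03/02/2004 15:30:25 Qcccc000000000003 Scanner 1: Virus= the W32/Bagle.gen!pwdzip (ED) virus !!! Attachment=Letter.zip [10] O
03/02/2004 15:30:25 Qcccc000000000003 Scanned: CONTAINS A VIRUS [MIME: 2 20975]
"""

ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (Q[0-9a-fA-F]+) (.*)$")

def events_by_message(log_text):
    """Group log entries by queue ID, re-joining lines wrapped by a mail client."""
    messages = {}
    last = None  # event list of the most recent entry, for continuation lines
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            last = messages.setdefault(m.group(1), [])
            last.append(m.group(2))
        elif last is not None and line.strip():
            last[-1] += " " + line.strip()
    return messages

def classify(events):
    """Label one message by which checks left a trace in the log."""
    banned = any(e.startswith("Banning ") for e in events)
    # Assumption: a scanner run is only visible as a "Scanner N:" entry.
    scanner = any(re.match(r"Scanner \d+:", e) for e in events)
    if banned and not scanner:
        return "ban-only"    # the pattern in snippet #1
    if banned and scanner:
        return "ban+virus"   # snippet #3: ban hit, scanner still reported
    return "virus" if scanner else "other"

def ban_only_messages(log_text):
    """Queue IDs rejected on extension with no scanner entry logged."""
    return [q for q, ev in events_by_message(log_text).items()
            if classify(ev) == "ban-only"]

if __name__ == "__main__":
    for qid, ev in events_by_message(SAMPLE_LOG).items():
        print(qid, classify(ev))
```

Messages reported as "ban-only" are the ones worth re-checking after an upgrade, since those are the cases where a ban notification could have been generated for a file the scanner would have identified as a virus.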
