Re: [Declude.Virus] F-Prot and HTML object exploit
I did contact f-prot now the second time. I did not get an answer till now. Uwe - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 3:21 AM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit The sign*.def files have been updated to: 05/02/2005 11:46 PM Which I'm pretty sure is UTC. However, these still have the false-positive. As of this writing, I've received no reply to my ticket with F-Prot. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, May 02, 2005 2:03 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit F-Prot may have pulled the latest defs do to the number of complaints received, which could explain why the app reports that you have the latest version. Bill - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 1:54 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
Hello, in the moment I got this email from F-prot support: Unfortunately, virus signature files released at 17:00 on 2 May 2005 included a false positive detection identified as: Infection: HTML/[EMAIL PROTECTED] (exact name) causing problems for some of our users. New virus signature files that fix this problem have now been released. These files are dated 3 May 2005 and users need only update to avoid any further false positives. Greetings, Uwe - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 3:21 AM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit The sign*.def files have been updated to: 05/02/2005 11:46 PM Which I'm pretty sure is UTC. However, these still have the false-positive. As of this writing, I've received no reply to my ticket with F-Prot. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, May 02, 2005 2:03 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit F-Prot may have pulled the latest defs do to the number of complaints received, which could explain why the app reports that you have the latest version. Bill - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 1:54 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus
RE: [Declude.Virus] F-Prot and HTML object exploit
I have these installed and appears to have corrected. Chris Fitch Sr Network Administrator Industrial Chemicals Inc. [EMAIL PROTECTED] 205-823-7330 Ext. 1039 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wind Sent: Tuesday, May 03, 2005 8:02 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit Hello, in the moment I got this email from F-prot support: Unfortunately, virus signature files released at 17:00 on 2 May 2005 included a false positive detection identified as: Infection: HTML/[EMAIL PROTECTED] (exact name) causing problems for some of our users. New virus signature files that fix this problem have now been released. These files are dated 3 May 2005 and users need only update to avoid any further false positives. Greetings, Uwe - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 3:21 AM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit The sign*.def files have been updated to: 05/02/2005 11:46 PM Which I'm pretty sure is UTC. However, these still have the false-positive. As of this writing, I've received no reply to my ticket with F-Prot. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, May 02, 2005 2:03 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit F-Prot may have pulled the latest defs do to the number of complaints received, which could explain why the app reports that you have the latest version. Bill - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 1:54 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send
Re: [Declude.Virus] F-Prot and HTML object exploit
I tested it the last hours and had no FP since the new update. Uwe - Original Message - From: Chris Fitch [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 4:44 PM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit I have these installed and appears to have corrected. Chris Fitch Sr Network Administrator Industrial Chemicals Inc. [EMAIL PROTECTED] 205-823-7330 Ext. 1039 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wind Sent: Tuesday, May 03, 2005 8:02 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit Hello, in the moment I got this email from F-prot support: Unfortunately, virus signature files released at 17:00 on 2 May 2005 included a false positive detection identified as: Infection: HTML/[EMAIL PROTECTED] (exact name) causing problems for some of our users. New virus signature files that fix this problem have now been released. These files are dated 3 May 2005 and users need only update to avoid any further false positives. Greetings, Uwe - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 3:21 AM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit The sign*.def files have been updated to: 05/02/2005 11:46 PM Which I'm pretty sure is UTC. However, these still have the false-positive. As of this writing, I've received no reply to my ticket with F-Prot. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, May 02, 2005 2:03 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit F-Prot may have pulled the latest defs do to the number of complaints received, which could explain why the app reports that you have the latest version. Bill - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 1:54 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found
RE: [Declude.Virus] F-Prot and HTML object exploit
Agreed, the current *.def files no longer trigger on my sample false-positive files. Also, I had exactly the same message from F-Prot support waiting for me that Uwe received this morning regarding the false-positives as HTML/[EMAIL PROTECTED]. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wind Sent: Tuesday, May 03, 2005 8:04 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I tested it the last hours and had no FP since the new update. Uwe - Original Message - From: Chris Fitch [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 4:44 PM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit I have these installed and appears to have corrected. Chris Fitch Sr Network Administrator Industrial Chemicals Inc. [EMAIL PROTECTED] 205-823-7330 Ext. 1039 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wind Sent: Tuesday, May 03, 2005 8:02 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit Hello, in the moment I got this email from F-prot support: Unfortunately, virus signature files released at 17:00 on 2 May 2005 included a false positive detection identified as: Infection: HTML/[EMAIL PROTECTED] (exact name) causing problems for some of our users. New virus signature files that fix this problem have now been released. These files are dated 3 May 2005 and users need only update to avoid any further false positives. Greetings, Uwe - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 3:21 AM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit The sign*.def files have been updated to: 05/02/2005 11:46 PM Which I'm pretty sure is UTC. However, these still have the false-positive. As of this writing, I've received no reply to my ticket with F-Prot. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, May 02, 2005 2:03 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit F-Prot may have pulled the latest defs do to the number of complaints received, which could explain why the app reports that you have the latest version. Bill - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 1:54 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from
RE: [Declude.Virus] F-Prot and HTML object exploit
2 Declude Virus users on this list have attempted to contact me off list asking if this has been fixed. 1. It is inappropriate to contact some one off list just to ask if something has been fixed. 2. If I have been able to test it and found I was no longer getting the error I would have posted so. 3. I am extremely busy right now and have not had a chance to verify on my servers that it is fixed. 4. Andrew has posted (below) that it appears to be fixed now. As Andrew is a long time Declude Virus user and poster I will take his word for now as I am busy with other things. I have no reason to doubt Andrew and if you are questioning whether or not it is now working the best way to tell is too active the use of F-Prot on your server and monitor your logs. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, May 03, 2005 9:13 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Agreed, the current *.def files no longer trigger on my sample false-positive files. Also, I had exactly the same message from F-Prot support waiting for me that Uwe received this morning regarding the false-positives as HTML/[EMAIL PROTECTED]. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wind Sent: Tuesday, May 03, 2005 8:04 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I tested it the last hours and had no FP since the new update. Uwe - Original Message - From: Chris Fitch [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 4:44 PM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit I have these installed and appears to have corrected. Chris Fitch Sr Network Administrator Industrial Chemicals Inc. [EMAIL PROTECTED] 205-823-7330 Ext. 1039 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wind Sent: Tuesday, May 03, 2005 8:02 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit Hello, in the moment I got this email from F-prot support: Unfortunately, virus signature files released at 17:00 on 2 May 2005 included a false positive detection identified as: Infection: HTML/[EMAIL PROTECTED] (exact name) causing problems for some of our users. New virus signature files that fix this problem have now been released. These files are dated 3 May 2005 and users need only update to avoid any further false positives. Greetings, Uwe - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 3:21 AM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit The sign*.def files have been updated to: 05/02/2005 11:46 PM Which I'm pretty sure is UTC. However, these still have the false-positive. As of this writing, I've received no reply to my ticket with F-Prot. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, May 02, 2005 2:03 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit F-Prot may have pulled the latest defs do to the number of complaints received, which could explain why the app reports that you have the latest version. Bill - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 1:54 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM
Re: [Declude.Virus] F-Prot and HTML object exploit
Thank you for the tip, John. I searched the logs and since the update there are legitimate E-mail, which are caught. Uwe - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 7:46 PM Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
Yes, this is a problem! I rolled back to my latest defs prior to the last update and all is well again. I disabled my updates for a while to see if F-Prot fixes this issue. Bill - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 10:46 AM Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
I am having the same problems here. It all started around 12:30 Central time... Don - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 12:56 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit John,Thanks a bunch for pointing this out. I have found two of these in the last hour that are tagging what appears to be legitimate E-mail, bother from the same person. This is gatewayed E-mail: 05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: [text/html][quoted-printable; Length=6657 Checksum=558425]05/02/2005 13:44:21 Q66F5EF3A00E815E6 Found potentially dangerous stuff in F:\D66F5EF3A00E815E6.vir\0.!05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image001.jpg [base64; Length=11748 Checksum=1305364]05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image002.gif [base64; Length=2184 Checksum=243507]05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O05/02/2005 13:44:22 Q66F5EF3A00E815E6 File(s) are INFECTED [HTML/[EMAIL PROTECTED]: 0]05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting file with virus05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting E-mail with virus!05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanned: CONTAINS A VIRUS [MIME: 4 21877]05/02/2005 13:44:22 Q66F5EF3A00E815E6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]05/02/2005 13:44:22 Q66F5EF3A00E815E6 Subject: RE: NCC Docket 2005 - 2It looks like turning F-Prot off might be a good idea, or at least configuring it to not delete viruses.MattJohn Tolmachoff (Lists) wrote: It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.Virus] F-Prot and HTML object exploit
I saw it start at about 10:00 AM PDT. Some one please contact F-Prot. I would but I am at a client trying to recover data from a failed hard drive. Fun. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Hickey Sent: Monday, May 02, 2005 11:14 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I am having the same problems here. It all started around 12:30 Central time... Don - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 12:56 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit John, Thanks a bunch for pointing this out. I have found two of these in the last hour that are tagging what appears to be legitimate E-mail, bother from the same person. This is gatewayed E-mail: 05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: [text/html][quoted-printable; Length=6657 Checksum=558425] 05/02/2005 13:44:21 Q66F5EF3A00E815E6 Found potentially dangerous stuff in F:\D66F5EF3A00E815E6.vir\0.! 05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image001.jpg [base64; Length=11748 Checksum=1305364] 05/02/2005 13:44:21 Q66F5EF3A00E815E6 MIME file: image002.gif [base64; Length=2184 Checksum=243507] 05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanner 1: Virus=HTML/[EMAIL PROTECTED] Attachment=[HTML segment] [0] O 05/02/2005 13:44:22 Q66F5EF3A00E815E6 File(s) are INFECTED [HTML/[EMAIL PROTECTED]: 0] 05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting file with virus 05/02/2005 13:44:22 Q66F5EF3A00E815E6 Deleting E-mail with virus! 05/02/2005 13:44:22 Q66F5EF3A00E815E6 Scanned: CONTAINS A VIRUS [MIME: 4 21877] 05/02/2005 13:44:22 Q66F5EF3A00E815E6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200] 05/02/2005 13:44:22 Q66F5EF3A00E815E6 Subject: RE: NCC Docket 2005 - 2 It looks like turning F-Prot off might be a good idea, or at least configuring it to not delete viruses. Matt John Tolmachoff (Lists) wrote: It appears that something has updated on F-Prot in the last hour. Now, a lotof outbound HTML e-mails are being flagged by F-Prot as having the HTMLobject exploit. Running the file on www.virustotal.com shows clean.Any one else seeing problems?For now, as I am at a client, I have turned off F-Prot scanning relying onAVG.John TeServices For You---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype unsubscribe Declude.Virus. The archives can be foundat http://www.mail-archive.com. -- =MailPure custom filters for Declude JunkMail Pro.http://www.mailpure.com/software/=
Re: [Declude.Virus] F-Prot and HTML object exploit
How can I roll back ?? - Original Message - From: Bill Landry [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 2:12 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit Yes, this is a problem! I rolled back to my latest defs prior to the last update and all is well again. I disabled my updates for a while to see if F-Prot fixes this issue. Bill - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 10:46 AM Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
I'm having the same problem. Again - how do you rollback the virus defs? Wind wrote: Thank you for the tip, John. I searched the logs and since the update there are legitimate E-mail, which are caught. Uwe - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 7:46 PM Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
Depends on how you execute your updates. I use a script that saves a copy of the previous defs to a backup directory. I can zip and send the previous defs to you if you do not have copies of them. Bill - Original Message - From: Jeff [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 11:50 AM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit How can I roll back ?? - Original Message - From: Bill Landry [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 2:12 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit Yes, this is a problem! I rolled back to my latest defs prior to the last update and all is well again. I disabled my updates for a while to see if F-Prot fixes this issue. Bill - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 10:46 AM Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
sure - thanks! Has anyone let F-Prot know about this? Kevin Bill Landry wrote: Depends on how you execute your updates. I use a script that saves a copy of the previous defs to a backup directory. I can zip and send the previous defs to you if you do not have copies of them. Bill - Original Message - From: Jeff [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 11:50 AM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit How can I roll back ?? - Original Message - From: Bill Landry [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 2:12 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit Yes, this is a problem! I rolled back to my latest defs prior to the last update and all is well again. I disabled my updates for a while to see if F-Prot fixes this issue. Bill - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 10:46 AM Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-Prot and HTML object exploit
Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
Markus, 3.16b here, but only 3 hits so far for this on a busy server, so it's not necessarily common. I was able to capture one of these and it appears to be hitting at least E-mails generated in "Microsoft Word 11". META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii" meta name=Generator content="Microsoft Word 11 (filtered medium)" base href="" class="moz-txt-link-rfc2396E" href="file:///C:\Program%20Files\Common%20Files\Microsoft%20Shared\Stationery\">"file:///C:\Program%20Files\Common%20Files\Microsoft%20Shared\Stationery\" I have no clue what the pattern is that it is hitting of course, but I assume that F-Prot just simply added an overbroad rule. Most E-mail isn't constructed anything like what Microsoft Word creates. Matt Markus Gufler wrote: Question: Have you all running the latest v3.16b ? I can't see any appearance of "HTML/ObjData" in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.Virus] F-Prot and HTML object exploit
I have not updated to 3.16b and have this problem... Don - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 3:09 PM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
I've been running 3.15b - I'm downloading the latest version now. Should I install? or will this have no effect on this particular issue? And what about the previous defs - anyone out there want to email me a previous def file as a work around?? Thanks Kevin Markus Gufler wrote: Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-Prot and HTML object exploit
I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
I e-mailed you the latest, non-affected defs, offline. I run 3.16b and it has the same problem (since it's a detection issue with the virus definition, not the application), but I would still upgrade to the latest version. Bill - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 1:36 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I've been running 3.15b - I'm downloading the latest version now. Should I install? or will this have no effect on this particular issue? And what about the previous defs - anyone out there want to email me a previous def file as a work around?? Thanks Kevin Markus Gufler wrote: Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-Prot and HTML object exploit
Well, what matters is that you have the correct (older) *.def files, not whether the GUI says you're up to date. As far as it knows, you are. Remember to temporarily disable your updater, or correct (older) *.def files will just get overwritten again when the auto-updater kicks in. Andrew 8) p.s. Once I received the automated confirmation message from F-Prot, I replied to it with the full information we've discussed here, and supplied 10 sample false-positives. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers Sent: Monday, May 02, 2005 1:54 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot and HTML object exploit
F-Prot may have pulled the latest defs do to the number of complaints received, which could explain why the app reports that you have the latest version. Bill - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 1:54 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-Prot and HTML object exploit
The sign*.def files have been updated to: 05/02/2005 11:46 PM Which I'm pretty sure is UTC. However, these still have the false-positive. As of this writing, I've received no reply to my ticket with F-Prot. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, May 02, 2005 2:03 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] F-Prot and HTML object exploit F-Prot may have pulled the latest defs do to the number of complaints received, which could explain why the app reports that you have the latest version. Bill - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 1:54 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit I also filled out the form at FProt's site. Thanks for the defs. When I open up FProt, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with the switch settings and found that there are no relevant switches that can be used as a workaround (i.e. /ai /noheur and /server make no difference in the detection or not of this false-positive). All of the messages detected either had Office 10 or Office 11 headers or were replies to messages created with Office 10 or Office 11. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Monday, May 02, 2005 1:10 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest v3.16b ? I can't see any appearance of HTML/ObjData in the entire current logfile, but I've still running 3.16a Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, May 02, 2005 7:47 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot and HTML object exploit It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Any one else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning relying on AVG. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses.] --- [This E-mail was scanned for viruses.] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
