It seems that Declude is not handling this "Unknown Virus" with this string, even though it is shown in the %VIRUSNAME% variable.
In the mail header for other known viruses I can see

X-Declude-Virus: Detected W32/[EMAIL PROTECTED]

For this new virus coming in with price/joke.com/exe/cpl/scr attachments, the same line shows up as

X-Declude-Virus: Detected .

in the message header.

So should we use "SKIPIFVIRUSNAMEHAS " and "FORGINGVIRUS "?

In the meantime I've renamed recip, sender_local and sender_remot.eml to .offline extensions to prevent wrong warnings.

I've also added

BANNAME price.com
BANNAME price.scr
BANNAME price.cpl
BANNAME price.exe
BANNAME joke.com
BANNAME joke.scr
BANNAME joke.cpl
BANNAME joke.exe

to the virus.cfg file, but I'm not sure if this will prevent scanning and warnings of all these messages.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of E. Ballerini
> Sent: Friday, October 29, 2004 11:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Unknown virus warnings
>
> Franco Celli wrote:
>
> >Hi Markus,
> >I have no idea, but our server is registering a peak of incoming
> >messages, with above-normal banned cpl extension attachments in virus folder.
>
> According to F-Secure it's the new Bagle virus:
>
> New Bagle variant, Bagle.AT, has been spotted in several
> locations. It sends emails with a smiley ":)" as the message
> body. Attachment filename starts with "Price" or "Joke" and
> extension is COM, EXE, SCR or CPL.
>
> Erminio
>
> --
> Erminio Ballerini [EMAIL PROTECTED] http://www.scp.nl
> Social and Cultural Planning Office (SCP) Department of Data
> Services and Information Technology (I&A)
> P.O. Box 16164 2500 BD Den Haag
> Parnassusplein 5 Den Haag
>
> ---
> [This E-mail has been scanned for viruses by Declude Virus]
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". The archives can be found
> at http://www.mail-archive.com.
