Markus, even though I know others have said they cannot do this, I am blocking any zip, including ezips that have an executable within them.

All of my clients know this and I have a published policy on it which includes instructions on what to do if you must get these through. As such, IMHO, this issue is fine. Others' mileage may vary.

John T
eServices For You

"Seek, and ye shall find!"

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Tuesday, January 31, 2006 10:39 AM
> To: [email protected]
> Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
>
> Matt, John,
>
> F-Prot is not catching simple e-zips. I supposed it was the "password"
> string in the mail body. Now after an additional test it turned out that
> F-Prot is exiting with code 8 if there is an attached e-zip containing
> .exe files. The mail body does not seem to interfere with F-Prot's result.
>
> This is a problem for those who need to allow any extensions in zip files.
>
> Maybe we can ask F-Prot if they can change the signatures to catch only
> exe in ezips if they are larger than ...
> Usually legit ezips should be much larger than 100 kByte.
>
> I wouldn't remove exit code 8 from my configuration because most of the
> outbreaks in the last year were caught by this exit code before any
> AV-scanner had updated signatures.
>
> Markus
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Tuesday, January 31, 2006 7:17 PM
> > To: [email protected]
> > Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
> >
> > I am using viruscode 8 and it is not blocking password
> > protected zips. I think like Markus said it is looking for a
> > combination of a password protected zip, an executable and
> > the phrase he listed.
> >
> > Markus, did that attachment have an executable within the zip file?
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of Matt
> > > Sent: Tuesday, January 31, 2006 10:02 AM
> > > To: [email protected]
> > > Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
> > >
> > > Markus,
> > >
> > > I believe that this is something that several of us railed against and
> > > tried to get F-Prot to change. Formerly no known viruses would be
> > > tagged with an exit code of 8, but then they suddenly started tagging
> > > some known viruses this way, essentially requiring us to add that code
> > > in for detection. The downside of this is that this exit code also
> > > blocks things like encrypted zips. It was a real shame.
> > >
> > > It's worth checking to see if F-Prot is tagging more recent known
> > > viruses with exit code 8 because if they are no longer doing this, I
> > > would assume that turning it off would be wise so long as you had two
> > > virus scanners running.
> > >
> > > Note that I'm not dismissing your primary intention of pointing out
> > > the FP issue with virus scanning and a way to deal with it.
> > >
> > > Matt
> > >
> > > Markus Gufler wrote:
> > >
> > > >Today I've had a message held as false positive ("unknown virus"
> > > >exit code 8)
> > > >
> > > >F-Prot seems to end with this exit code if there is a password
> > > >protected zip file attached and in the body is something like
> > > >
> > > >"password: ....."
> > > >
> > > >This message was definitively no false positive and so I requeued it.
> > > >
> > > >I've noted it due to the low number of postmaster virus warnings I
> > > >receive because they are sent to me only if the detected virus is not
> > > >a forging one.
> > > >Fortunately this legit message wasn't deleted from the virus folder
> > > >between thousands of unwanted netsky's and sober's.
> > > >
> > > >Markus
> > > >
> > > >---
> > > >[This E-mail was scanned for viruses by Declude EVA www.declude.com]
> > > >
> > > >---
> > > >This E-mail came from the Declude.Virus mailing list. To
> > > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > >type "unsubscribe Declude.Virus". The archives can be found
> > > >at http://www.mail-archive.com.
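
The two gateway policies discussed in this thread (block every zip that contains an executable, or block encrypted zips with executables only when they are small), sketched as an added example that is not from any poster or from Declude/F-Prot. The function names, policy names and extension list are assumptions; the sample archives are constructed in the code by setting the "encrypted" flag bit on an ordinary zip, which is enough for a metadata-only check.

```python
import io
import zipfile

# Assumed extension list; the thread only names .exe.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
SMALL_EZIP_BYTES = 100 * 1024  # the 100 kByte figure suggested in the thread

def inspect_zip(data: bytes) -> dict:
    """Read only the central directory. With per-entry zip encryption the
    member names stay in clear text, so no password is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    return {
        "encrypted": any(i.flag_bits & 0x1 for i in infos),  # bit 0 = encrypted
        "executables": [i.filename for i in infos
                        if i.filename.lower().endswith(EXECUTABLE_EXTS)],
        "size": len(data),
    }

def verdict(data: bytes, policy: str = "block_all") -> str:
    """Return 'pass', 'block' or 'hold' (hold = send to manual review)."""
    try:
        info = inspect_zip(data)
    except zipfile.BadZipFile:
        return "hold"  # unreadable archive: do not deliver silently
    if not info["executables"]:
        return "pass"
    if policy == "block_all":  # any zip with an executable is blocked
        return "block"
    # "size_gated": only small encrypted zips with executables are blocked;
    # everything else is left to normal signature scanning.
    if info["encrypted"] and info["size"] < SMALL_EZIP_BYTES:
        return "block"
    return "pass"

def make_sample(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed test archive; 'encrypted' only flips the header flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")  # central directory file header
        raw[cd + 8] |= 0x01           # general purpose bit flag, bit 0
    return bytes(raw)
```

The size-gated policy trades the false positives described above for a gap: a large encrypted archive with an executable is delivered unscanned, so it only makes sense alongside a published release procedure like the one mentioned in the top reply.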
