Scott,

        It was the formatting in the last email.  I have attached a
section of the log file below.

11/09/2001 16:02:30  Console turned OFF
11/09/2001 16:02:30  Setting Scan File to D:\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt.
11/09/2001 16:02:30  CFG: Setting report parse to Infection.
11/09/2001 16:02:30  Setting virus directory to: D:\IMail\spool\virus
11/09/2001 16:02:30  Setting MAXATONCE to 0.
11/09/2001 16:02:30  Incoming E-mail scanning turned ON
11/09/2001 16:02:30  Outgoing E-mail scanning turned ON
11/09/2001 16:02:30  Setting scanner timeout to 0 seconds
11/09/2001 16:02:30  Virus Codes: 3 6 
11/09/2001 16:02:30  Skip Extensions: GIF TXT JPG MPG PNG 
11/09/2001 16:02:30  Ban Extensions: 
11/09/2001 16:02:30  Declude v1.26a
11/09/2001 16:02:30 Q44660b8 Declude Virus Pro Registered
11/09/2001 16:02:30 Q44660b8 Local host = internalmatters.com
11/09/2001 16:02:30 Q44660b8 [EMAIL PROTECTED] Offset=7 Flags=1
11/09/2001 16:02:30 Q44660b8 Msgid: <3A27BB3C.7352C61B@localhost>
11/09/2001 16:02:30 Q44660b8 Subject: Test eicar.com file [eicarinline]
11/09/2001 16:02:30 Q44660b8 Starting virus scanning section...
11/09/2001 16:02:30 Q44660b8 DoAv( D:\IMAIL\spool\D44660b8.SMD );
11/09/2001 16:02:30 Q44660b8 Exclude Default=1
11/09/2001 16:02:30 Q44660b8 Exclude Domain=0
11/09/2001 16:02:30 Q44660b8 Exclude Final=0
11/09/2001 16:02:30 Q44660b8 Got boundary; =--------------AD3A703054639BBF5AEBC796.
11/09/2001 16:02:30 Q44660b8 Hit boundary... Recursing...
11/09/2001 16:02:30 Q44660b8 Got Encoding 7bit.
11/09/2001 16:02:30 Q44660b8 Boundary=--------------AD3A703054639BBF5AEBC796.
11/09/2001 16:02:30 Q44660b8 Encoding type: 7bit [1/]
11/09/2001 16:02:30 Q44660b8 Hit new boundary
11/09/2001 16:02:30 Q44660b8 Comparing || to SKIPEXTs and BANEXTs
11/09/2001 16:02:30 Q44660b8 Will be scanning possibly dangerous HTML file D:\IMAIL\spool\D44660b8.vir\0..
11/09/2001 16:02:30 Q44660b8 Deleting (1) plaintext segment D:\IMAIL\spool\D44660b8.vir\0..
11/09/2001 16:02:30 Q44660b8 Closed with readshare
11/09/2001 16:02:30 Q44660b8 Done Recursing...
11/09/2001 16:02:30 Q44660b8 Hit boundary... Recursing...
11/09/2001 16:02:30 Q44660b8 Got Encoding base64.
11/09/2001 16:02:30 Q44660b8 Boundary=--------------AD3A703054639BBF5AEBC796.
11/09/2001 16:02:30 Q44660b8 MIME file: eicar.com [base64]
11/09/2001 16:02:30 Q44660b8 Encoding type: base64 [1/com]
11/09/2001 16:02:30 Q44660b8 Hit new boundary
11/09/2001 16:02:30 Q44660b8 Comparing |com| to SKIPEXTs and BANEXTs
11/09/2001 16:02:30 Q44660b8 NOT PLAINTEXT: application/x-unknown-content-type-comfile.
11/09/2001 16:02:30 Q44660b8 Closed with readshare
11/09/2001 16:02:30 Q44660b8 Done Recursing...
11/09/2001 16:02:30 Q44660b8 Hit end of layer
11/09/2001 16:02:30 Q44660b8 0 - eicar.com
11/09/2001 16:02:30 Q44660b8 Scanning files
11/09/2001 16:02:30 Q44660b8 cmdline: D:\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt D:\IMAIL\spool\D44660b8.vir\
11/09/2001 16:02:30 Q44660b8 I don't want to wait for other processes to finish.
11/09/2001 16:02:30 Q44660b8 Virus Scanner Started: D:\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt D:\IMAIL\spool\D44660b8.vir\
11/09/2001 16:02:31 Q44660b8 Virus scanner reports exit code of 0
11/09/2001 16:02:31 Q44660b8 D:\IMAIL\spool\D44660b8.vir\*.*
11/09/2001 16:02:31 Q44660b8 If true
11/09/2001 16:02:31 Q44660b8 0.com
11/09/2001 16:02:31 Q44660b8 Couldn't delete D:\IMAIL\spool\D44660b8.vir\0.com: 5.
11/09/2001 16:02:31 Q44660b8 If true
11/09/2001 16:02:31 Q44660b8 REPORT.TXT
11/09/2001 16:02:31 Q44660b8 Deleted D:\IMAIL\spool\D44660b8.vir\REPORT.TXT: 183.
11/09/2001 16:02:31 Q44660b8 Scanned: OK
11/09/2001 16:02:31 Q44660b8 WARNING: Couldn't remove .vir directory: 145.
11/09/2001 16:02:31 Q44660b8 High code=0.
11/09/2001 16:02:31 Q44660b8 Scanned: Virus Free [MIME: 2 478]
11/09/2001 16:02:31 Q44660b8 Passing to SMTP3: D:\IMAIL\SMTP32.EXE "D:\IMAIL\spool\Q44660b8.SMD".

Thanks,

____________________________
Christopher A. Melo
Internal Matters, Inc.
http://www.internalmatters.com
[EMAIL PROTECTED]
Tel. 401-739-3686
Fax. 508-448-0497


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Friday, November 09, 2001 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] MISSING_REVERSE_DNS:Which of the eicar test
files should be blocked


> We are using F-Prot and I have included my cfg file below. What
> am I doing wrong?

Is the SCANFILE option all on one line (starting with "SCANFILE" and
ending with "/REPORT=report.txt")?  If it is on two separate lines (as it
appears in the E-mail, although that may be due to formatting), the
"/DUMB" will not get sent to F-Prot.

Is only the inline version of the eicar.com file not getting caught, or
are there other ones that are not getting caught?

The next step would be to send the inline version of the eicar.com file
again, this time using the Declude debug mode.  To do this, change the
"LOGLEVEL LOW" line in \IMail\Declude\virus.cfg to "LOGLEVEL DEBUG".
Then, send the inline eicar.com file through again, and then switch back
to "LOGLEVEL LOW".  You can then E-mail me the \IMail\Declude\vir####.log
file (or, if you cut out just the part for that one E-mail, you can post
it here if you prefer), and I can take a look at it to see what the
problem may be.
                                                            -Scott

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
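
The two checks discussed in this thread, as an added example that is not part of the original messages or of Declude: a check that the SCANFILE directive sits on one line ending with /REPORT=report.txt, and a summary of the switches and exit code recorded in a debug log whose lines were wrapped by mail formatting. The cfg fragment is constructed, the log excerpt is taken from the message above, and reading the logged "Virus Codes" as the exit codes that count as a detection is an assumption.

```python
import re
TS = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+")  # log timestamp prefix

def check_scanfile(cfg_text):
    """Return problems with the SCANFILE directive in virus.cfg text."""
    problems = []
    lines = [l.strip() for l in cfg_text.splitlines()]
    for i, line in enumerate(lines):
        if not line.upper().startswith("SCANFILE"):
            continue
        if not line.endswith("/REPORT=report.txt"):
            problems.append("SCANFILE does not end with /REPORT=report.txt")
        if i + 1 < len(lines) and lines[i + 1].startswith("/"):
            problems.append("switches wrapped onto next line: " + lines[i + 1])
    return problems

def unwrap(log_text):
    """Rejoin wrapped entries: a line with no timestamp continues the previous one."""
    entries = []
    for raw in log_text.splitlines():
        if TS.match(raw) or not entries:
            entries.append(raw.strip())
        elif raw.strip():
            entries[-1] += " " + raw.strip()
    return entries

def scan_summary(log_text):
    """Per queue ID: switches the scanner was given, its exit code, and
    whether that code is one of the logged virus codes (assumed meaning)."""
    codes, out = set(), {}
    for entry in unwrap(log_text):
        body = TS.sub("", entry)
        if m := re.match(r"Virus Codes:\s*([\d ]*)", body):
            codes = {int(c) for c in m.group(1).split()}
        elif m := re.match(r"(Q\w+) cmdline: (.*)", body):
            out.setdefault(m.group(1), {})["switches"] = re.findall(r"/[A-Z]+", m.group(2))
        elif m := re.match(r"(Q\w+) Virus scanner reports exit code of (\d+)", body):
            code = int(m.group(2))
            out.setdefault(m.group(1), {}).update(exit_code=code, flagged=code in codes)
    return out

# Constructed virus.cfg fragment with the directive wrapped onto two lines.
WRAPPED_CFG = r"""SCANFILE D:\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT
/DUMB /REPORT=report.txt"""
# Excerpt of the debug log quoted above, with the line wrapping left as posted.
SAMPLE_LOG = r"""11/09/2001 16:02:30  Virus Codes: 3 6
11/09/2001 16:02:30 Q44660b8 cmdline: D:\FSI\F-Prot\F-Prot.exe /TYPE
/SILENT /NOMEM /ARCHIVE /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
D:\IMAIL\spool\D44660b8.vir\
11/09/2001 16:02:31 Q44660b8 Virus scanner reports exit code of 0"""
```

On the excerpt, scan_summary shows that /DUMB did reach the scanner and that the exit code 0 is not among the logged virus codes.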
