Scott - I'm glad that you have been able to nail this. Thank you for once again action so quickly.
Would this have shown as one of those "premature" EOF log entries? Given that we have seen two viruses sneak by, I feel you should make it a priority that we can BLOCK the "premature EOF" mime attachments. You ALREADY detect and log these situations in the VIRUS.log and you acknowledged that, at best, these are SPAM messages sent by broken clients - what's preventing you from letting us "BANMIMEFAILURE" pronto and "BADBOGUSURL" right now? Best Regards Andy Schmidt H&M Systems Software, Inc. 600 East Crescent Avenue Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.hm-software.com/ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry Sent: Monday, March 18, 2002 09:50 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Patch.exe Going through >Let me know what you find out from that file It turns out that this virus, like Gibe, also can be sent using malformed MIME segments (in this case, it is sending an "end of file" marker about 10% of the way through the file, and is sending longer lines than are allowed). We should have a new version of Declude Virus in the morning that will process these two abnormalities in a way that the original file will be seen, in case it is sent to a mail client that can decode it. >, but it looks like F-Prot is >not picking it up the patch.exe, I scanned the mbx file with Norton AV and >F-Prot and only Norton Picked it up as the W32.Impo.gen@mm Virus. That is normal. Most virus scanners will not be able to properly detect a virus in an .mbx file, since it is in a (semi) proprietary format. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
