Scott, you may want to add a switch to your default virus config settings
for F-Prot when using the 32bit version scanner (fpcmd). You currently
have:
-archive (Scan inside .ZIP and .ARJ files)
But you may want to add:
-packed (Unpack compressed executables)
Bill
----- Original Message -----
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 21, 2003 7:21 PM
Subject: Re: [Declude.Virus] SoBig.E
> Ah yes, thanks for the clarification, I misread John's e-mail. Hmmm, that
> is an interesting issue. Might possibly help to enable AI/Heuristics in the
> virus config's command line options. I did this a while back with F-Prot
> (-AI) and McAfee (/ANALYZE), so hopefully that will add a little bit of
> added capabilities for capturing these new viruses and variants before the
> new definitions are released.
>
> Otherwise, like you stated, it may require holding messages containing zip
> files so they can be reviewed before being sent back to the queue for
> delivery.
>
> Bill
> ----- Original Message -----
> From: "Joshua Levitsky" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 21, 2003 6:57 PM
> Subject: Re: [Declude.Virus] SoBig.E
>
>
> >
> > ----- Original Message -----
> > From: "Bill Landry" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, July 21, 2003 9:27 PM
> > Subject: Re: [Declude.Virus] SoBig.E
> >
> >
> > > Virus scanners will scan inside of compressed and archived files (if
> > > configured to do so), so I don't see how this should be an issue. The
> > > default configurations that Scott has set for the different Declude Virus
> > > supported virus scanners are set up to scan inside of these types of files.
> > >
> > > Did you find a virus (SoBig.E) that was inside a zip file that made it past
> > > Declude Virus?
> >
> > I think the point was that there is a window between a virus existing and
> > definitions being available. In the past we could rest easy knowing viruses
> > couldn't zip themselves so if you ban all the exe's and such then you would
> > protect your users even during that window. Unfortunately now that viruses
> > can zip themselves there is a window of potential for exposure. I get pages
> > from Symantec when nasties come out because I have platinum support. When I
> > hear of a virus that will mail itself as a zip, but there are no defs yet
> > then the action I am going to take is to put all the subject lines and such
> > that it does in a filter so it will be banned by Declude JunkMail with high
> > enough value that it won't bounce, but will be held. Usually www.sarc.com
> > (symantec) is good about documenting them.
> >
> > -Josh
> >
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus". The archives can be found
> > at http://www.mail-archive.com.
> >
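An added example, not part of any message in this thread and not Declude's own code: one way to narrow the "hold messages containing zip files" idea discussed above by applying the executable ban to the file names inside each zip attachment, which works during the window before definitions exist. It goes beyond what the thread proposes; the extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed ban list, in the spirit of the thread's "ban all the exe's and such".
BANNED_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}

def _ext(name):
    # Lower-case and drop trailing dots/spaces so "x.EXE." still matches.
    name = name.lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def zip_hold_reasons(raw_message):
    """Return reasons to hold the message for review (empty list = deliver)."""
    reasons = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Treat as a zip by name or by the local-file-header magic bytes.
        if not (_ext(fname) == ".zip" or data.startswith(b"PK\x03\x04")):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if _ext(info.filename) in BANNED_EXT:
                        reasons.append(f"{fname}: banned type {info.filename}")
        except zipfile.BadZipFile:
            # A zip that cannot be listed cannot be checked, so hold it.
            reasons.append(f"{fname}: unreadable zip")
    return reasons

def build_sample(member_name):
    """Constructed sample: a message whose zip holds one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed sample, not malware")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "a@example.com"
    msg["To"] = "b@example.com"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

Only member names are checked, so this complements the scanner's `-archive` and `-packed` content scanning and does not replace it.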