Replying to try and help Scott out... A New Interim release of 1.78i9 is there that checks for viruses first in this case... version i8 blocked by extension first...

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Darrell LaRock
Sent: Wednesday, March 03, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Question: Do the new zip commands reject the file extension and not pass the file to the virus scanner

Running 1.78i8 on Declude Virus Pro. Have both the "BANEXT EZIP" and "BANEZIPEXTS ON" in virus.cfg

Question: Currently do the BANEXT EZIP and BANEZIPEXTS ON commands block the mail based on the file extension and not scan the email with the configured virus scanner (see snippet #1 below), i.e. the virus scanner is not called or doesn't appear to be? When checking the file which was banned it does contain a virus (Bagle/h pwd) which was being detected fine prior to the new zip features (see snippet #2)?

Issue: Currently the files which should be caught by the virus scanner are not being caught by the scanner BUT being rejected due to the file extension, which then generates the bannotify.eml (as you can see from below we now have that turned off right now). Previously (prior to the new zip features) banned extensions (see snippet #3) would appear to be scanned by the scanner and if a virus was found it would not generate the bannotify.eml.

Snippet #1

03/03/2004 11:04:16 Q01fea15f01b20d9a MIME file: Letter.zip [base64; Length=20780 Checksum=2629640]
03/03/2004 11:04:16 Q01fea15f01b20d9a Banning .ZIP file with exe extension.
03/03/2004 11:04:16 Q01fea15f01b20d9a Scanned: Banned file extension. [MIME: 2 20916]
03/03/2004 11:04:16 Q01fea15f01b20d9a Couldn't open E-mail file e:\imail\Declude\BANnotify.eml.
03/03/2004 11:04:16 Q01fea15f01b20d9a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
03/03/2004 11:04:16 Q01fea15f01b20d9a Subject: ^_^ meay-meay!

Snippet #2

03/02/2004 15:30:25 Qeede7761020e584c MIME file: Letter.zip [base64; Length=20859 Checksum=2628208]
03/02/2004 15:30:25 Qeede7761020e584c Scanner 1: Virus= the W32/Bagle.gen!pwdzip (ED) virus !!! Attachment=Letter.zip [10] O
03/02/2004 15:30:25 Qeede7761020e584c File(s) are INFECTED [ the W32/Bagle.gen!pwdzip (ED) virus !!!: 13]
03/02/2004 15:30:25 Qeede7761020e584c Scanned: CONTAINS A VIRUS [MIME: 2 20975]
03/02/2004 15:30:25 Qeede7761020e584c From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 66.188.246.138]
03/02/2004 15:30:25 Qeede7761020e584c Subject: Hey, ya! =))

Snippet #3

02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [text/html][quoted-printable; Length=5254 Checksum=412704]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [image/gif][base64; Length=3639 Checksum=424621]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: [image/gif][base64; Length=359 Checksum=35758]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: Update28.exe [base64; Length=106496 Checksum=9386997]
02/25/2004 00:03:52 Q2cb6170b005aec2b Banning file with exe extension [application/x-msdownload].
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanner 1: Virus= the W32/[EMAIL PROTECTED] virus !!! Attachment=Update28.exe [10] O
02/25/2004 00:03:53 Q2cb6170b005aec2b File(s) are INFECTED [ the W32/[EMAIL PROTECTED] virus !!!: 13]
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 5 117540]
02/25/2004 00:03:53 Q2cb6170b005aec2b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 210.150.150.240]
02/25/2004 00:03:53 Q2cb6170b005aec2b Subject: New Net Patch

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 03, 2004 11:00 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Summary of new options

With the latest interim release, you can use:

BANEXT EZIP - This line will ban all .ZIP files with an encrypted file in them

BANZIPEXTS ON - This line (Pro version only) will ban all file extensions listed in BANEXT lines, if they appear in non-encrypted .ZIP files

BANEZIPEXTS ON - This line (Pro version only) will ban all file extensions listed in BANEXT lines, if they appear in encrypted .ZIP files

Also, the latest interim (with the Pro version only) will detect bogus .BAT/.COM/.PIF/.SCR files (automatically as vulnerabilities, with no need for config file entries).

If you are having any troubles with these, please re-read the information on them, and then be very clear what is happening. There are a lot of possibilities here. You'll need to specify
[1] Whether you are using BANZIPEXTS ON or BANEZIPEXTS ON (or the not-recommended-but-still-useful BANEXT EZIP),
[2] Whether you have a BANEXT line to block the appropriate file (BANEXT com, for example),
[3] What type of file you are sending through (.com? .com within a .zip?),
[4] If it is a .ZIP file, is the file inside it encrypted, and
[5] What version of Declude Virus are you running (Lite/Standard/Pro, and which version # such as 1.78i8)?

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
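
Added example, not part of the original thread and not Declude's own code: a small log check that finds messages rejected on a banned extension with no scanner line recorded, which is the difference between snippet #1 and snippet #3 above. The line layout (date, time, queue ID, message) and the matched phrases are assumptions inferred from the three snippets only.

```python
import re
from collections import defaultdict

# Log lines copied from snippets #1-#3 in the thread (From/To/Subject lines left out).
SAMPLE_LOG = """\
03/03/2004 11:04:16 Q01fea15f01b20d9a MIME file: Letter.zip [base64; Length=20780 Checksum=2629640]
03/03/2004 11:04:16 Q01fea15f01b20d9a Banning .ZIP file with exe extension.
03/03/2004 11:04:16 Q01fea15f01b20d9a Scanned: Banned file extension. [MIME: 2 20916]
03/02/2004 15:30:25 Qeede7761020e584c MIME file: Letter.zip [base64; Length=20859 Checksum=2628208]
03/02/2004 15:30:25 Qeede7761020e584c Scanner 1: Virus= the W32/Bagle.gen!pwdzip (ED) virus !!! Attachment=Letter.zip [10] O
03/02/2004 15:30:25 Qeede7761020e584c Scanned: CONTAINS A VIRUS [MIME: 2 20975]
02/25/2004 00:03:52 Q2cb6170b005aec2b MIME file: Update28.exe [base64; Length=106496 Checksum=9386997]
02/25/2004 00:03:52 Q2cb6170b005aec2b Banning file with exe extension [application/x-msdownload].
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanner 1: Virus= the W32/[EMAIL PROTECTED] virus !!! Attachment=Update28.exe [10] O
02/25/2004 00:03:53 Q2cb6170b005aec2b Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 5 117540]
"""

# Assumed line layout, inferred from the snippets: date, time, queue ID, message.
LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q[0-9a-f]+) (.*)$")

def classify(log_text):
    """Group lines by queue ID and label what happened to each message."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # ignore anything that is not a log line
            events[m.group(2)].append(m.group(3))
    result = {}
    for qid, msgs in events.items():
        banned = any(s.startswith("Banning ") for s in msgs)
        scanned = any(re.match(r"Scanner \d+:", s) for s in msgs)
        virus = any(re.match(r"Scanner \d+: Virus=", s) for s in msgs)
        if banned and not scanned:
            result[qid] = "banned-unscanned"     # snippet #1: ban logged, no scanner line
        elif banned and virus:
            result[qid] = "banned-and-infected"  # snippet #3: ban logged, scanner still ran
        elif virus:
            result[qid] = "infected"             # snippet #2: scanner verdict only
        else:
            result[qid] = "other"
    return result

def unscanned_bans(log_text):
    """Queue IDs of messages banned by extension with no scanner line logged."""
    return sorted(q for q, v in classify(log_text).items() if v == "banned-unscanned")

if __name__ == "__main__":
    for qid, label in classify(SAMPLE_LOG).items():
        print(qid, label)
```

Run against a log taken before and after an interim upgrade, the count of "banned-unscanned" entries shows whether the extension ban is being applied ahead of the scanner.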
