I'm using interim release 16, Pro. Here should be the relevant lines. Chriis
BANEZIPEXTS ON
BANEXT EZIP
BANEXT asd
BANEXT ade
BANEXT adp
BANEXT asp
BANEXT ATT
BANEXT bat
BANEXT cab
BANEXT chm
BANEXT CEO
BANEXT cmd
BANEXT COM
BANEXT css
BANEXT crt
BANEXT cpl
BANEXT cnt
BANEXT dll
BANEXT EXE
BANEXT hta
BANEXT hto
BANEXT hlp
BANEXT js
BANEXT lnk
BANEXT nws
BANEXT ocx
BANEXT pif
BANEXT pi
BANEXT reg
BANEXT scr
BANEXT sct
BANEXT shs
BANEXT SWF
BANEXT sys
BANEXT vbe
BANEXT vb
BANEXT vbs
BANEXT vbx
BANEXT wsc
BANEXT wsf
BANEXT wsh
BANEXT xml

TEMPDIR d:\Spool

DELIVERERRORS ON
DELETEVIRUSES ON

BANNAME message.zip
BANNAME movies.zip
BANNAME sex videos.zip
BANNAME 911.jpg
BANNAME NAV32.zip
BANNAME photos.zip
BANNAME readmenow.zip
BANNAME readnow.zip
BANNAME mymovie.zip
BANNAME myprofile.zip
BANNAME private.zip
BANNAME body.zip
BANNAME document.zip
BANNAME file.zip
BANNAME test.zip
BANNAME object.zip
At 12:30 PM 03/12/2004 -0500, you wrote:
I just had an email slip by my IMail server to my PC with the Inor.D in a .zip (with a .exe inside)
Both are running latest .C version of F-Prot.
What could I have in my virus.cfg that allowed this? I still have the .zip if anyone wants it.
The first question is why it was not caught by F-Prot. The second is why it was not caught by other options (banning .ZIP files, etc.).
My guess is that it was not caught by F-Prot because it is a trojan, which can't spread on its own. That means that if you open it, it will not spread to other computers. It's a bad program, but not one that would normally be considered a virus (so some scanners may block it while others will not).
As for why it was not blocked as an .exe within a .zip, that all depends on your settings -- if you use "BANEXT ZIP" or both "BANEXT EXE" and "BANZIPEXTS" with the latest interim, it should get caught (if you are using the Standard/Pro version, depending on which technique you are using).
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
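An added example, not part of the original thread and not Declude's own code: a small audit script that applies the rule quoted in the reply ("BANEXT ZIP", or both "BANEXT EXE" and "BANZIPEXTS") to virus.cfg-style lines. The function names are hypothetical, case-insensitive matching of directives and extensions is an assumption, and the sample is an excerpt of the lines posted above, so the result covers only those lines.

```python
# Excerpt of the directives posted in this thread (one per line).
SAMPLE_CFG = """\
BANEZIPEXTS ON
BANEXT EZIP
BANEXT bat
BANEXT EXE
BANEXT scr
TEMPDIR d:\\Spool
DELETEVIRUSES ON
BANNAME sex videos.zip
"""


def parse_cfg(text):
    """Return (banned_exts, switches) from one-directive-per-line text."""
    banned_exts, switches = set(), {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue  # blank line
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "BANEXT":
            banned_exts.add(value.lower())   # assumption: case-insensitive
        elif value.upper() in ("ON", "OFF"):
            switches[key] = value.upper() == "ON"
        # Other directives (TEMPDIR, BANNAME, ...) do not affect this check.
    return banned_exts, switches


def exe_in_zip_covered(text):
    """List which of the reply's two conditions the config satisfies.

    An empty list means neither condition holds, so an .exe inside a
    .zip would rely on the scanner's signatures alone.
    """
    exts, switches = parse_cfg(text)
    reasons = []
    if "zip" in exts:
        reasons.append("BANEXT ZIP")
    if "exe" in exts and switches.get("BANZIPEXTS", False):
        reasons.append("BANEXT EXE + BANZIPEXTS")
    return reasons


if __name__ == "__main__":
    print("posted excerpt:", exe_in_zip_covered(SAMPLE_CFG) or "not covered")
    print("with BANZIPEXTS ON:", exe_in_zip_covered(SAMPLE_CFG + "BANZIPEXTS ON\n"))
```

Note that the check looks for the exact directive name BANZIPEXTS; the BANEZIPEXTS switch in the excerpt is a different name and does not satisfy it.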
