Thank you Matt, now I've to write much less :-) I've tested with F-Prot and McAfee on our server and can see exactly the same results as reported by Matt.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> Sent: Tuesday, September 28, 2004 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Fprot GDI Scanner lines.
>
> Could it be that the vulnerability detection doesn't work when enclosed in a zip file? That might be too big of a leap for Declude at the moment. I just tested the same and Declude missed it when zipped, F-Prot gave an error 8 which is a heuristic hit, and McAfee did in fact tag the virus without the /PANALYZE switch that Scott Fisher suggested might be required yesterday.
>
> Maybe F-Prot is tagging this example file in heuristics because it isn't really a virus, and real viruses will get blocked with the normal result code once detected??? Here's my current F-Prot config, but note that there are some new switches that I haven't made use of and there has been little discussion about here:
>
> C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 /PACKED /DUMB /REPORT=report.txt
>
> I noted that Scott posted about the first JPG virus being in the wild, but I believe that this is actually just the one isolated to the newsgroups at the moment, and the real trouble will probably not arrive for another 24 to 72 hours.
>
> ---Note to Scott---
>
> Scott, please consider allowing us to specify the file types that are within encrypted archives instead of just relying on the list of banned extensions. It seems fairly certain that this virus will be released within an encrypted zip and as things stand, my system isn't protected under the BANEZIPEXTS ON setting, and this setting will become completely useless once one is released this way since we aren't going to add JPG's to our list of banned extensions, but I would certainly add it to a list of banned EZIP's instead of being forced to block all EZIP's. If you don't allow for this, you ought to retire the BANEZIPEXTS functionality once this becomes reality, but I would prefer to be a step ahead on something this obvious.
>
> Thanks,
>
> Matt
>
> marc wrote:
>
> > installed 1.80 declude virus (restart imail smtp) and sending the infected JPEG jpegcompoc.zip (http://www.gulftech.org/?node=downloads) it was not automatically detected and goes through, using F-Prot 3.15B updated.
> >
> > virus.cfg:
> >
> > SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
> >
> > # SKIPEXT GIF
> > # SKIPEXT JPG
> > SKIPEXT TXT
> > SKIPEXT MPG
> > SKIPEXT PNG
> >
> > A Desktop AV F-Prot 3.15B (same version and updates) detects the JPEG exploit. any ideas?
> >
> > marc
> >
> > At 23:31 27.09.2004, you wrote:
> >
> >>> Same here. Is there a way to make f-prot w\Declude catch these?
> >>
> >> The latest release of Declude Virus will automatically detect the GDIPlus.dll JPEG exploit.
> >>
> >> -Scott
> >> ---
> >> Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
> >> Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
> >> Find out what you've been missing: Ask for a free 30-day evaluation.
> >>
> >> ---
> >> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >>
> >> ---
> >> This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
> >>
> >> [Scanned for viruses by Declude Virus]
>
> --
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
