Well, if the virus is forging the from, a user receives the zipped file, sees it is from [EMAIL PROTECTED], says to himself hey, I know Joe, he must have sent me a joke, opens the zip and away we go.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Todd Holt
> Sent: Friday, October 22, 2004 9:07 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
>
> Is it not true that EXEs in zip files are inert until opened by the user?
> We don't ban EXEs in zips because our users sometimes need to receive EXE
> files, but we constantly remind them to not open anything that is not
> verified (content expected from the sender).
>
> What do most admins do about this problem?
>
> Todd
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
> (Lists)
> Sent: Thursday, October 21, 2004 1:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
>
> Why are you not banning executable files within zip files?
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of Chris Patterson
> > Sent: Thursday, October 21, 2004 12:42 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] MyDoom.o's slipping through.
> >
> > Thanks, I was not aware of the /ARCHIVE=5. I have adjusted that, here
> > is my current cfg line:
> >
> > C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5
> > /NOFLOPPY /NOBOOT /DUMB /REPORT=report.txt
> >
> > If there is something I am missing, please let me know.
> >
> > Thanks,
> >
> > Chris Patterson, CCNA
> > Network Engineer
> >
> > -----Original Message-----
> > From: R. Scott Perry [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, October 21, 2004 3:25 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.Virus] MyDoom.o's slipping through.
> >
> > >I have had two reports in the last 2 days about a virus coming through.
> > >
> > >The customer forwarded these to me on an Exchange mailbox using McAfee
> > >which identified them as MyDoom.o. Tracing the Logs, they were scanned
> > >and Deemed Virus Free using Prescan.
> >
> > Given that it is in a .ZIP file, and you are using F-Prot, do you have
> > "/ARCHIVE=5 " in the SCANFILE line in the \IMail\Declude\virus.cfg
> > file? If it is just "/ARCHIVE ", you should change it to "/ARCHIVE=5 ",
> > due to a bug in the latest version of F-Prot.
> >
> > -Scott
> > ---
> > Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> > since 2000.
> > Declude Virus: Ultra reliable virus detection and the leader in
> > mailserver vulnerability detection.
> > Find out what you've been missing: Ask for a free 30-day evaluation.
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus". The archives can be found
> > at http://www.mail-archive.com.
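An added example, not part of the thread and not Declude or F-Prot code: one way a mail filter could apply the "ban executables inside zip files" policy discussed above, by listing archive members and treating anything it cannot inspect as a hit. The extension list, the two limits and the function names are assumptions made for this sketch.

```python
import io
import zipfile

# Assumed values for illustration; a real policy is site-specific.
BANNED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MAX_DEPTH = 5                       # archive levels opened before giving up
MAX_INNER_BYTES = 20 * 1024 * 1024  # declared size cap for a nested archive


def find_banned_members(data, depth=1, prefix=""):
    """List banned or uninspectable members of the zip bytes `data` (fails closed)."""
    if depth > MAX_DEPTH:
        return [prefix + "<nested too deep>"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    hits = []
    with archive:
        for info in archive.infolist():
            # Windows ignores trailing dots and spaces, so strip them first.
            name = info.filename.lower().rstrip(". ")
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            path = prefix + info.filename
            if ext in BANNED_EXTENSIONS:
                hits.append(path)
            elif ext == ".zip":
                try:
                    if info.file_size > MAX_INNER_BYTES:
                        raise ValueError("nested archive too large")
                    inner = archive.read(info)  # raises if encrypted or corrupt
                except (RuntimeError, NotImplementedError, ValueError, zipfile.BadZipFile):
                    hits.append(path + "!<unreadable archive>")
                else:
                    hits.extend(find_banned_members(inner, depth + 1, path + "!"))
    return hits


def make_zip(members):
    """Build a zip in memory from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":  # constructed sample, placeholder bytes only
    inner = make_zip({"joke.txt.exe": b"placeholder"})
    print(find_banned_members(make_zip({"readme.txt": b"hi", "more.zip": inner})))
```

An empty result means every member was inspected and none matched; a site whose users must receive EXE files would route hits to quarantine for release rather than delete them.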
