----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> >Nope, in my testing of three command-line scanners, the attached "test.txt"
> >file contains the minimum needed to detect the file as containing a virus
> >(copied your virustrap address, as well, in case this gets blocked to the
> >list).
>
> It certainly does.
>
> The question is whether the AV program is expecting the headers.

There were no message headers included in the test.txt file I sent, and three virus scanners still detected it as a virus.

> >If there is not a fix coming for this, would you consider sending the entire
> >message file to the scanner?
>
> There isn't any known bug here. This would be considered a very low
> priority, as it does not affect AV scanning, except that we need to be sure
> that there isn't a problem where actual viruses would not be properly detected.

Maybe an "unknown" bug then? ;-) If TrendMicro can detect the virus when scanning the raw D*.SMD file, but not when spawned by Declude Virus, does that not point to a possible issue?

> The test.txt file you sent does *not* match the actual HTML of the original
> E-mail. The CR/LFs were off, and there was a part at the end that was
> missing. And, the length of the HTML segment that was decoded (per the log
> files) doesn't match the length of the HTML segment in the E-mail you sent.

I viewed the source of the message in Outlook Express, and then kept trimming parts of the source file (from the top and bottom) until I found the minimum part of the resulting message needed for all three scanners to still detect the file as a virus when manually scanned from the command-line. I suppose I could do the same thing with the raw D*.SMD file, if you think that would prove something other than what I have already shown.

> After further analysis, it seems that the problem is with the AV
> software. Specifically, the E-mail you sent was using quoted-printable
> encoding, yet the body of the E-mail wasn't encoded using quoted-printable
> encoding. So when it had a line:
>
> alink="#000099">
>
> Declude Virus decoded it to something like:
>
> alink"#000099">
>
> The AV software was probably looking for the way that you (incorrectly)
> decoded it.

Again, all I did was view the source of the message as it appeared in Outlook Express. And all I was attempting to show was that the message headers were not necessary for the file to be detected as a virus. If the virus scanner were at fault (because of a decoding issue) then I have to ask again, why can TrendMicro detect the virus when scanning the raw D*.SMD file, but not when sent to it by Declude Virus?

Bill
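The decoding difference described in the quoted reply above, as an added example that is not part of the original message and is not Declude's or any scanner's code: a small quoted-printable decoder with a selectable policy for an `=` that is not a valid escape, run over the `alink="#000099">` line from the thread. The `SAMPLE` body and the `SIGNATURE` byte pattern are constructed for illustration, and the policy names are assumptions.

```python
HEXDIGITS = b"0123456789ABCDEFabcdef"

def decode_qp(data: bytes, on_malformed: str = "keep") -> bytes:
    """Decode quoted-printable bytes.

    on_malformed says what to do with an '=' that is neither a soft line
    break nor followed by two hex digits: 'keep' it, 'drop' it, or 'error'.
    """
    if on_malformed not in ("keep", "drop", "error"):
        raise ValueError("unknown policy: " + on_malformed)
    out = bytearray()
    i = 0
    while i < len(data):
        pair = data[i + 1:i + 3]
        if data[i] != 0x3D:                       # ordinary byte, not '='
            out.append(data[i])
            i += 1
        elif pair == b"\r\n":                     # soft line break (CRLF)
            i += 3
        elif pair[:1] == b"\n":                   # soft line break (bare LF)
            i += 2
        elif len(pair) == 2 and all(c in HEXDIGITS for c in pair):
            out.append(int(pair, 16))             # valid =XX escape
            i += 3
        else:                                     # '=' that is not an escape
            if on_malformed == "error":
                raise ValueError("malformed escape at offset %d" % i)
            if on_malformed == "keep":
                out.append(0x3D)
            i += 1
    return bytes(out)

# Constructed sample: one attribute properly encoded (=3D), one left
# unencoded exactly like the line quoted in the thread.
SAMPLE = b'<body link=3D"#0000ff" alink="#000099">\r\n'
# Constructed stand-in for a scanner byte pattern, not a real signature.
SIGNATURE = b'alink="#000099">'

def signature_hits(signature: bytes, body: bytes) -> dict:
    """Report whether the pattern survives in each view of the same body."""
    return {
        "raw": signature in body,
        "keep": signature in decode_qp(body, "keep"),
        "drop": signature in decode_qp(body, "drop"),
    }

if __name__ == "__main__":
    for view, hit in signature_hits(SIGNATURE, SAMPLE).items():
        print(f"{view:4} -> {'match' if hit else 'no match'}")
```

The same bytes match in the raw file and under the "keep" policy but not after a "drop" decode, which is why comparing the scanner's result on the raw message against its result on the decoded segment helps localise this kind of discrepancy.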
