Bill,

I believe that Declude creates a directory for all attachments in each message, and then Declude calls the scanner to scan the entire directory.  I believe that for inline content such as text/plain and text/html, these files will be saved in those directories according to the MIME boundaries.  For you to properly replicate the circumstances, it would be a good idea to save an HTML file (example.html) with the body content of this message in a directory with nothing else in it, and then call trend to scan the directory and not specifically the file.

One possibility here is that TrendMicro doesn't detect this as a virus when it is called to scan the directory like Declude does, and the above should expose whether or not this is the case.

Another alternative is that the message is malformed or Declude has a parsing issue that is preventing it from being successfully scanned.  That would be difficult to prove unless your Debug log has more information such as the file names created and the sizes of each file, and this exposed a flaw.

Matt



Bill Landry wrote:
----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>

>> Nope, in my testing of three command-line scanners, the attached
>> "test.txt" file contains the minimum needed to detect the file as
>> containing a virus (copied your virustrap address, as well, in case
>> this gets blocked to the list).
>
> It certainly does.
>
> The question is whether the AV program is expecting the headers.

There were no message headers included in the test.txt file I sent, and
three virus scanners still detected it as a virus.

>> If there is not a fix coming for this, would you consider sending the
>> entire message file to the scanner?
>
> There isn't any known bug here.  This would be considered a very low
> priority, as it does not affect AV scanning, except that we need to be
> sure that there isn't a problem where actual viruses would not be
> properly detected.

Maybe an "unknown" bug then?  ;-)  If TrendMicro can detect the virus when
scanning the raw D*.SMD file, but not when spawned by Declude Virus, does
that not point to a possible issue?

> The test.txt file you sent does *not* match the actual HTML of the
> original E-mail.  The CR/LFs were off, and there was a part at the end
> that was missing.  And, the length of the HTML segment that was decoded
> (per the log files) doesn't match the length of the HTML segment in the
> E-mail you sent.

I viewed the source of the message in Outlook Express, and then kept trimming
parts of the source file (from the top and bottom) until I found the minimum
part of the resulting message needed for all three scanners to still detect
the file as a virus when manually scanned from the command-line.

I suppose I could do the same thing with the raw D*.SMD file, if you think
that would prove something other than what I have already shown.

> After further analysis, it seems that the problem is with the AV
> software.  Specifically, the E-mail you sent was using quoted-printable
> encoding, yet the body of the E-mail wasn't encoded using quoted-printable
> encoding.  So when it had a line:
>
>   alink="#000099">
>
> Declude Virus decoded it to something like:
>
>   alink"#000099">
>
> The AV software was probably looking for the way that you (incorrectly)
> decoded it.

Again, all I did was view the source of the message as it appeared in
Outlook Express.  And all I was attempting to show was that the message
headers were not necessary for the file to be detected as a virus.

If the virus scanner were at fault (because of a decoding issue) then I have
to ask again, why can TrendMicro detect the virus when scanning the raw
D*.SMD file, but not when sent to it by Declude Virus?

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
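The quoted-printable mismatch Scott describes in the thread above (a body declared as quoted-printable that was never actually QP-encoded, so that the bare "=" in alink="#000099"> survives in one decoder and is dropped in another) is a parser differential between the mail filter and the AV engine: each sees different bytes, so a signature can fire on one and not the other. The following is an added example and is not Declude's, Trend Micro's, or any list member's code. It decodes one constructed body line with Python's lenient quopri (which keeps a "=" that is not a valid escape) and with a decoder written here to mimic the drop-the-"=" behaviour the thread attributes to Declude, then matches both outputs against a placeholder pattern standing in for an AV signature. The sample line, the pattern, the function names and the second decoder are all assumptions for illustration; the example also shows the same line as a conforming encoder would have emitted it (with =3D), which both decoders agree on.

```python
"""Parser differential on malformed quoted-printable (constructed example).

Not Declude, Trend Micro or any scanner's real code: two decoders, one
sample body line, and a placeholder pattern in place of an AV signature.
"""
import quopri
import re

# Constructed MIME body line: the part was declared quoted-printable but the
# HTML was never QP-encoded, so '=' is followed by '"' rather than two hex
# digits (exactly the alink="#000099"> case from the thread).
RAW_BODY_LINE = b'<body bgcolor="#ffffff" alink="#000099">'

# The same line as a conforming encoder would have produced it: '=' -> '=3D'.
PROPERLY_ENCODED_LINE = b'<body bgcolor=3D"#ffffff" alink=3D"#000099">'

# Placeholder standing in for an AV signature (assumption: the scanner is
# looking for the literal text of the original, undecoded HTML).
PATTERN = re.compile(rb'alink="#000099">')

HEXDIGITS = b'0123456789ABCDEFabcdef'


def decode_keep_bad_escape(data: bytes) -> bytes:
    """Lenient decoder: a '=' that is neither a soft line break nor =XX is
    passed through unchanged. This is what Python's quopri/binascii do."""
    return quopri.decodestring(data)


def decode_drop_bad_escape(data: bytes) -> bytes:
    """Decoder that silently drops a '=' whose next two bytes are not hex.

    Written here to reproduce the behaviour Scott describes
    ('alink="#000099">' becoming 'alink"#000099">'); it is an assumption
    about that behaviour, not Declude's implementation.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        c = data[i]
        if c != ord('='):
            out.append(c)
            i += 1
            continue
        nxt = data[i + 1:i + 3]
        if nxt[:1] in (b'\r', b'\n'):
            # Soft line break: swallow '=' and the following CRLF or LF.
            i += 1
            i += 2 if data[i:i + 2] == b'\r\n' else 1
            continue
        if len(nxt) == 2 and all(b in HEXDIGITS for b in nxt):
            out.append(int(nxt, 16))   # valid =XX escape
            i += 3
            continue
        i += 1                         # bad escape: the '=' is dropped
    return bytes(out)


def signature_hits(decoded: bytes) -> bool:
    """Does the placeholder signature match the decoded bytes?"""
    return PATTERN.search(decoded) is not None


def compare(line: bytes) -> dict:
    """Decode one line both ways and report whether the verdicts diverge."""
    keep = decode_keep_bad_escape(line)
    drop = decode_drop_bad_escape(line)
    return {
        "keep": keep,
        "drop": drop,
        "keep_hits": signature_hits(keep),
        "drop_hits": signature_hits(drop),
        # True means the two decoders would give a scanner different verdicts.
        "differential": signature_hits(keep) != signature_hits(drop),
    }


if __name__ == "__main__":
    for label, line in (("malformed QP", RAW_BODY_LINE),
                        ("conforming QP", PROPERLY_ENCODED_LINE)):
        result = compare(line)
        print(label)
        for key, value in result.items():
            print(f"  {key}: {value!r}")
```

The practical check this suggests for the situation in the thread is the one Scott's log lengths already hint at: compare the byte length (or a hash) of the decoded part the filter hands to the scanner with the length of the same part extracted by an independent decoder from the raw D*.SMD file. If they differ on a message the scanner catches only in raw form, the decoding step, not the signature, is where the verdict is being lost.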
