Hermann, since we're not seeing a response in this list, I'd suggest that you directly contact [EMAIL PROTECTED] about this.
I hope that what you're assuming is NOT true. Given that Declude Virus unpacks all of the attachments and calls your antivirus scanner(s) on the unpacked attachments, I would expect that the BAN option takes effect based on that MIME decoding, so that it sees the correct filename.

If you do get an official answer, please let us know.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hermann Strassner
Sent: Wednesday, December 15, 2004 5:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Blocked Extension getting through

What do you want me to do? I still have BANEXT CHM in my virus.cfg, and I successfully block .chm attachments.
Here it is not working because of the "encryption" of the filename, as you can see in the mail.

I show you the virus logfile:

vir1215.log: 12/15/2004 04:06:29 Qaa3414bd035a6555 MIME file: =?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?==?koi8-r?B?aG0=?= [base64; Length=33018 Checksum=3232477]
vir1215.log: 12/15/2004 04:06:29 Qaa3414bd035a6555 Scanned: Virus Free [MIME: 2 33569]

Hermann

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
> Sent: Wednesday, December 15, 2004 2:00 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Blocked Extension getting through
>
> BANEXT CHM
>
> ----- Original Message -----
> From: "Hermann Strassner" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 15, 2004 4:12 AM
> Subject: [Declude.Virus] Blocked Extension getting through
>
> > Hello!
> >
> > I have blocked a few extensions in Declude Virus, e.g. zip, exe, bat,
> > scr, pif, chm and a few others. Normally that works.
> >
> > But since a few days some mails (with virus) are getting through.
> > They have an attachment like Rechnung18745514.chm, it is displayed as
> > Rechnung18745514.chm in Outlook or other mail clients, but in virus scan
> > or in raw mail format its name is:
> >
> > ------------86BA342CB7A4
> > Content-Type: CHEMICAL/X-CS-CHEMDRAW;
> >  name="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
> >  =?koi8-r?B?aG0=?="
> > Content-transfer-encoding: base64
> > Content-Disposition: attachment;
> >  filename="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
> >  =?koi8-r?B?aG0=?="
> >
> > What can I do to block this? This is a new worm not yet detected by
> > virus scanners. This happens often. But these mails are blocked by
> > extension filtering. Now they are getting through to the clients.
> >
> > Hermann
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus". The archives can be found
> > at http://www.mail-archive.com.
> > ---
> > This email has been scanned for possible viruses by Declude Antivirus.
> > For more information on Declude Antivirus, Visit www.declude.com
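
The check Andrew describes above (applying the extension ban to the MIME-decoded filename), as an added Python example that is not Declude's code and not from the thread: it decodes the RFC 2047 encoded-words in the attachment name before comparing the extension. The sample message is constructed from the headers Hermann quoted, with a placeholder body, and the function names are illustrative.

```python
import email
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Extensions Hermann lists as blocked in the thread.
BANNED_EXT = {"zip", "exe", "bat", "scr", "pif", "chm"}

# Constructed sample: the attachment headers quoted in the thread, wrapped in
# a minimal message. The body is placeholder base64, not the original payload.
SAMPLE = (
    "From: sender@example.invalid\n"
    "MIME-Version: 1.0\n"
    "Content-Type: CHEMICAL/X-CS-CHEMDRAW;\n"
    ' name="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=\n'
    ' =?koi8-r?B?aG0=?="\n'
    "Content-transfer-encoding: base64\n"
    "Content-Disposition: attachment;\n"
    ' filename="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=\n'
    ' =?koi8-r?B?aG0=?="\n'
    "\n"
    "AAAA\n"
)


def decode_name(raw):
    """Decode RFC 2047 encoded-words the way a mail client displays them."""
    try:
        return str(make_header(decode_header(raw)))
    except (HeaderParseError, LookupError, UnicodeError):
        return raw  # undecodable: the caller sees the raw text


def ext_of(name):
    """Lower-cased extension, ignoring trailing dots and spaces."""
    name = name.strip().rstrip(". ")
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def banned_attachments(raw_message):
    """Return (raw_name, decoded_name) for each part whose decoded
    attachment name carries a banned extension."""
    hits = []
    for part in email.message_from_string(raw_message).walk():
        raw = part.get_filename()  # falls back to the Content-Type name
        if raw and ext_of(decode_name(raw)) in BANNED_EXT:
            hits.append((raw, decode_name(raw)))
    return hits
```

The raw encoded name contains no `.chm` at all, so a filter matching the header bytes finds no extension, while the decoded name is what the mail client shows to the user.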
