William,
You should probably re-read my original message again regarding this. Declude's PRESCAN will only launch the scanner if it finds code that is capable of being exploited. Standard HTML is not exploitable, but JavaScript is, so standard HTML doesn't get scanned, and HTML with JavaScript will get scanned. Putting the eicar string in the middle of HTML will trigger your scanner if scanned, but I'm not convinced that it is exploitable in this format. Furthermore, turning PRESCAN OFF can result in +40% extra processor utilization on a system running two scanners.
Matt
William Stillwell wrote:
Well, I've been goofing with #17
I stopped my Queue Manager, found the SMD files for the test, and manually ran McAfee against it. Finds virus? But Declude says that McAfee reported no virus. Report.Txt to follow:
---------------------------------------------------------------------------------------------
12/17/2004 10:07:58
Options: /LOAD SCANOPT.TXT .\DF1F0000901860D8F.SMD
Scanning C: []
Scanning C:\virus\DF1F0000901860D8F.SMD
C:\virus\Df1f0000901860d8f.SMD\eicar.com ... Found: EICAR test file NOT a virus.
Summary report on C:\virus\DF1F0000901860D8F.SMD
File(s)
Total files: ........... 2
Clean: ................. 1
Possibly Infected: ..... 1
Time: 00:00.00
-------------------------------------------------
Now, I see "Found:" there, but it's not caught? I dunno, me confused.
----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 17, 2004 9:48 AM
Subject: Re: [Declude.Virus] testvirus.org #17
William,
I don't think that you want to do that because of this test. Declude's prescanning will save a server like mine running both F-Prot and McAfee over 40% processor utilization. PRESCAN looks for exploitable code and only sends the HTML to the scanner if it finds something such as JavaScript. The test that is on this site doesn't seem to be sending an exploit, just the eicar string in the middle of an HTML segment, and that can't be executed as far as I can tell (though I didn't run the test).
Take note of the marketing aspects of tests like this in addition to the utility they offer. This one was designed by a Declude customer around their own capabilities, or potential capabilities using the product (maybe it's also been extended since I last checked), but my own experience on a Declude competitor's site resulted in a comparably poor showing for my system. Every such site will likely have tests that will not get captured by your system, but that doesn't mean that you are necessarily vulnerable or exposed to an unreasonable degree of risk.
I'm not sure what is going on with #17. Personally I have never seen something exploit this vulnerability and maybe there's a detection issue created by the eicar code in this way?
Matt
William Stillwell wrote:
fixed #16
PRESCAN OFF
#17 goes thru,
----- Original Message -----
From: "William Stillwell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 17, 2004 8:59 AM
Subject: Re: [Declude.Virus] testvirus.org #17
I failed 16 & 17
How do I get McAfee to scan the HTML?
----- Original Message -----
From: "Jeff Lancton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 17, 2004 8:20 AM
Subject: [Declude.Virus] testvirus.org #17
Hello list,
I'm running 1.81, and caught all but #17, the CR Vulnerability. Yet,
earlier in the morning, Declude caught the 'Outlook CR Vulnerability' in an
email from outside. Is this just due to a difference in the way they send
the test, or do I have something configured wrong?
Thanks,
-Jeff
--- [This E-mail scanned for viruses by Declude Anti-Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
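The trade-off discussed in this thread (a cheap pre-scan gate that only hands HTML to the scanner when it contains active content) can be sketched as follows. This is an added example, not part of the original messages and not Declude's code; the marker list, the attachment rule, and the sample messages are assumptions made for illustration.

```python
import base64
import re
from email import message_from_string

# Assumed markers of active content; the thread only names JavaScript.
ACTIVE = re.compile(r"<\s*script\b|javascript\s*:|\bon(?:load|error|click)\s*=", re.I)

def needs_scan(raw: str) -> bool:
    """True if the message should be handed to the (expensive) virus scanner."""
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        if part.get_filename():  # assumption: attachments are always scanned
            return True
        if part.get_content_type() == "text/html":
            # decode=True undoes base64/quoted-printable, so encoded script is still seen
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if ACTIVE.search(body):
                return True
    return False

def html_msg(html: str, b64: bool = False) -> str:
    """Build a constructed single-part HTML message for the demo."""
    head = "From: a@example.test\nMIME-Version: 1.0\nContent-Type: text/html\n"
    if b64:
        head += "Content-Transfer-Encoding: base64\n"
        html = base64.b64encode(html.encode()).decode()
    return head + "\n" + html

# Constructed samples; TEST-STRING stands in for the scanner test string.
PLAIN = html_msg("<html><body><p>TEST-STRING</p></body></html>")
SCRIPTED = html_msg("<html><body><script>var a=1;</script></body></html>")
ENCODED = html_msg("<html><body onload=\"go()\">hi</body></html>", b64=True)

def tally(messages):
    """Return (sent_to_scanner, skipped) for a batch of raw messages."""
    hits = sum(needs_scan(m) for m in messages)
    return hits, len(messages) - hits

if __name__ == "__main__":
    print(tally([PLAIN, SCRIPTED, ENCODED]))
```

With a gate like this, a test string embedded in plain HTML never reaches the scanner, which matches the behaviour described above for a message that only passes through once PRESCAN is turned off.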
