Thanks, Scott. I constructed 2 tests anyway, one with an executable in an attached .eml file and one where that executable is a virus.
It *looks* like this is a special case, i.e. where all unpacked attachments, including .smd are unpacked, and then the folder scanned: So with a single message, the .smd file is not scanned. If an attachment is itself an .smd file, it will be scanned and also all of the attachments that need to be unpacked and scanned. Ditto for .mim attachments that contain an executable. I haven't trotted out Winternals FileMon to verify that though... I'm guesstimating based on what I see at DEBUG level. I'd agree with Bill Landry and also request that Declude implement a switch in virus.cfg that lets us choose whether to scan the "native" email and all "native" attachment formats. Since you wrote that optimization into Declude, the antivirus scanners have progressed. F-Prot has the /dumn and /server options, and McAfee has the /MIME option. Andrew 8) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Monday, December 20, 2004 2:16 PM To: [email protected] Subject: RE: Re[8]: [Declude.Virus] testvirus.org #22 >Also, does Declude recursively unpack MIME segments, if one of the >attachments is itself a .eml file or .smd file, would any attachments >inside it be unpacked and the scanner(s) called on those? Yes. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. ---- This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
