No problem, happy to oblige.  See attached text file.

Andrew 8)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
Sent: Thursday, February 03, 2005 11:55 AM
To: R. Scott Perry
Subject: Re[13]: [Declude.Virus] testvirus.org #22


Hello R.,

Thursday, February 3, 2005, 2:05:48 PM, you wrote:


>>Ok, Scott...Anybody....any idea why this one is getting through after 
>>looking at my logs? It looks like they're saying:
>>
>>02/02/2005 14:59:04.646 Q310830a90096022a Not starting scanner since 
>>no files to scan.

RSP> That's because the E-mail is text-only, which means that Declude 
RSP> Virus won't scan it, since text files can't contain viruses.

But I can't figure out why Andrew catches it and I'm not. I compared the
config files and the only difference is I have Prescan OFF and I let
normal .zips through.

Andrew, could you run Declude in Debug and send test 22 through so we
could see your log file?

-- 
Best regards,
 David                            mailto:[EMAIL PROTECTED]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
02/03/2005 12:01:21.453  Setting AVBEFOREJM to ON.
02/03/2005 12:01:21.453  Setting Scan File 1 to        D:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb /noboot /nomem /packed /report=report.txt.
02/03/2005 12:01:21.453  CFG: Setting report parse 1 to Infection: .
02/03/2005 12:01:21.453  Setting virus directory to: D:\IMail\spool\virus
02/03/2005 12:01:21.453  Setting MAXATONCE to 0.
02/03/2005 12:01:21.453  Incoming E-mail scanning turned ON
02/03/2005 12:01:21.453  Outgoing E-mail scanning turned ON
02/03/2005 12:01:21.453  Setting scanner timeout to 90 seconds
02/03/2005 12:01:21.453  Scanner 0 Virus Codes: 3 6 8 .  OK Codes:
02/03/2005 12:01:21.453  Skip Extensions: GIF TXT MPG PNG BMP PDF MOV TIF WMV
02/03/2005 12:01:21.453  7 Ban Extensions: scr pif cpl lnk ani ico shs
02/03/2005 12:01:21.453  Declude v1.82
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Declude Virus Lite Registered
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Starting locality check (sender=testvirus.org; nr=1 ca=off).
02/03/2005 12:01:21.671 Q830e0f26011c5c69 CL Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Local host = mail.bentall.com
02/03/2005 12:01:21.671 Q830e0f26011c5c69 [EMAIL PROTECTED] Offset=9 Flags=0
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Msgid: <[EMAIL PROTECTED]>
02/03/2005 12:01:21.671 Q830e0f26011c5c69 Subject: Virus Scanner Test #22
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Starting virus scanning section...
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER=0
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DoAv( D:\IMail\spool\D830e0f26011c5c69.SMD );
02/03/2005 12:01:31.796 Q830e0f26011c5c69 avtempdir=D:\IMail\spool
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Temp dir set to: D:\IMail\spool\D830e0f26011c5c69.vir\
02/03/2005 12:01:31.796 Q830e0f26011c5c69 fp=4501a0
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER++
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME START
02/03/2005 12:01:31.796 Q830e0f26011c5c69 CT: Content-Type: multipart/mixed;boundary="====================
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Got boundary; =--=====================_804689079==_.
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME end-of-headers
02/03/2005 12:01:31.796 Q830e0f26011c5c69 ISMULTI
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Hit boundary... Recursing... 0 (0-0-).
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER++
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME START
02/03/2005 12:01:31.796 Q830e0f26011c5c69 CT: Content-Type: text/plain; charset="us-ascii"; format=flowed
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME end-of-headers
02/03/2005 12:01:31.796 Q830e0f26011c5c69 !ISMULTI
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Handling a MIME segment [Boundary=--=====================_804689079==_].
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Encoding type: *DEFAULT* [1/]
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Starting BASE64
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Hit new boundary (fseek)
02/03/2005 12:01:31.796 Q830e0f26011c5c69 curpos=1243
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Deleting (1) plaintext segment D:\IMail\spool\D830e0f26011c5c69.vir\0..
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER--
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Done Recursing...
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Hit boundary... Recursing... 1 (0-0-).
02/03/2005 12:01:31.796 Q830e0f26011c5c69 MIMELAYER++
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME START
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Got Encoding base64.
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Setting MimeName to eicar.zip [9].
02/03/2005 12:01:31.796 Q830e0f26011c5c69 Got disp name=eicar.zip [MimeName=eicar.zip].
02/03/2005 12:01:31.796 Q830e0f26011c5c69 DOMIME end-of-headers
02/03/2005 12:01:31.812 Q830e0f26011c5c69 !ISMULTI
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Handling a MIME segment [Boundary=--=====================_804689079==_].
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Encoding type: base64 [1/zip]
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Starting BASE64
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Hit new boundary (fseek)
02/03/2005 12:01:31.812 Q830e0f26011c5c69 curpos=1663
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Ending BASE64
02/03/2005 12:01:31 Q830e0f26011c5c69 MIME file: eicar.zip [base64; Length=184 Checksum=10742]
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Comparing |zip| to SKIPEXTs and BANEXTs
02/03/2005 12:01:31.812 Q830e0f26011c5c69 SAVEABLE PLAINTEXT:  zip.
02/03/2005 12:01:31.812 Q830e0f26011c5c69 MIMELAYER--
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Done Recursing...
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Hit end of layer
02/03/2005 12:01:31.812 Q830e0f26011c5c69 MIMELAYER layer--
02/03/2005 12:01:31.812 Q830e0f26011c5c69 0 - eicar.zip
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Scanning files (1 scanners)
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Starting scanner #1: D:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb /noboot /nomem /packed /report=report.txt D:\IMail\spool\D830E0~1.VIR\
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Scanner to start immediately, no need to wait for others to end.
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Virus Scanner Started: D:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb /noboot /nomem /packed /report=report.txt D:\IMail\spool\D830E0~1.VIR\
02/03/2005 12:01:31.921 Q830e0f26011c5c69 Process Time: 78ms [kernel=31 user=46]
02/03/2005 12:01:31.921 Q830e0f26011c5c69 Virus scanner 1 reports exit code of 3
02/03/2005 12:01:31.921 Q830e0f26011c5c69 D:\IMail\spool\D830e0f26011c5c69.vir\
02/03/2005 12:01:31.921 Q830e0f26011c5c69 D:\IMail\spool\D830e0f26011c5c69.vir\report.txt
02/03/2005 12:01:31.921 Q830e0f26011c5c69 report.txt len=737 rflen=47 cs=0
02/03/2005 12:01:31.921 Q830e0f26011c5c69 file#=0 [name=0.zip->EICAR.COM  ]
02/03/2005 12:01:31.921 Q830e0f26011c5c69 Ending report.txt parsing
02/03/2005 12:01:31 Q830e0f26011c5c69 Scanner 1: Virus=EICAR_Test_File Attachment=eicar.zip [38] O
02/03/2005 12:01:31.921 Q830e0f26011c5c69 D:\IMail\spool\D830e0f26011c5c69.vir\*.*
02/03/2005 12:01:31.921 Q830e0f26011c5c69 0.zip
02/03/2005 12:01:31.921 Q830e0f26011c5c69 Deleted D:\IMail\spool\D830e0f26011c5c69.vir\0.zip.
02/03/2005 12:01:31.921 Q830e0f26011c5c69 report.txt
02/03/2005 12:01:31.921 Q830e0f26011c5c69 Deleted D:\IMail\spool\D830e0f26011c5c69.vir\report.txt.
02/03/2005 12:01:31.921 Q830e0f26011c5c69 han=13d458 b=False
02/03/2005 12:01:31 Q830e0f26011c5c69 File(s) are INFECTED [EICAR_Test_File: 3]
02/03/2005 12:01:31.921 Q830e0f26011c5c69 # Received: headers: 1 [A]
02/03/2005 12:01:31.921 Q830e0f26011c5c69 A.206.158.107.157.EICAR_Test_File.forging.declude.com
02/03/2005 12:01:32.562 Q830e0f26011c5c69 High code=23.
02/03/2005 12:01:32.562 Q830e0f26011c5c69 AV returned 23
02/03/2005 12:01:32 Q830e0f26011c5c69 Scanned: CONTAINS A VIRUS [MIME: 2 939]
02/03/2005 12:01:32 Q830e0f26011c5c69 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 206.158.107.157]
02/03/2005 12:01:32 Q830e0f26011c5c69 Subject: Virus Scanner Test #22
02/03/2005 12:01:32.562 Q830e0f26011c5c69 Skipping non-AV E-mail BentallBadClikFixBOUNCE.eml
02/03/2005 12:01:32.562 Q830e0f26011c5c69 Skipping non-AV E-mail BounceJdbMgrHoax.eml
02/03/2005 12:01:32.562 Q830e0f26011c5c69 D:\IMail\Declude\NotifyInternal.Virus.eml
02/03/2005 12:01:32.562 Q830e0f26011c5c69 D:\IMail\Declude\NotifyInternal.Virus.eml
02/03/2005 12:01:32.562 Q830e0f26011c5c69 Starting E-mail file D:\IMail\Declude\NotifyInternal.Virus.eml
02/03/2005 12:01:32.578 Q830e0f26011c5c69 D:\IMail\IMail1.exe -h "mail.bentall.com" -t "[EMAIL PROTECTED]" -u "[EMAIL PROTECTED]" -s "Virus detected in inbound email on mail.bentall.com" -f "D:\IMail\spool\D830e0f26011c5c69.SM0"
02/03/2005 12:01:32.906 Q830e0f26011c5c69 Set process priority back to 32.
02/03/2005 12:01:32.906 Q830e0f26011c5c69 feof=16, ferr=0
02/03/2005 12:01:32.906 Q830e0f26011c5c69 Moving file to virus hold directory
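
Added example (not part of the original thread and not Declude's own code): a Python sketch for comparing two servers' debug logs, as the thread does by hand. It rejoins e-mail-wrapped log lines and reports, per queue ID, whether any file was handed to the scanner. It assumes the "Virus Codes" line lists the scanner exit codes that mean "infected" and applies them to every scanner; the names unwrap and summarize are chosen here.

```python
import re

# Excerpt of the two logs quoted on this page, e-mail line wraps preserved.
SAMPLE_LOG = r"""
02/03/2005 12:01:21.453  Scanner 0 Virus Codes: 3 6 8 .  OK Codes:
02/02/2005 14:59:04.646 Q310830a90096022a Not starting scanner since
no files to scan.
02/03/2005 12:01:31 Q830e0f26011c5c69 MIME file: eicar.zip [base64; Length=184
Checksum=10742]
02/03/2005 12:01:31.812 Q830e0f26011c5c69 Starting scanner #1:
D:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb /noboot /nomem /packed
/report=report.txt D:\IMail\spool\D830E0~1.VIR\
02/03/2005 12:01:31.921 Q830e0f26011c5c69 Virus scanner 1 reports exit code of 3
"""

STAMP = re.compile(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d(?:\.\d+)?)\s+(?:(Q[0-9a-f]+)\s+)?(.*)")

def unwrap(text):
    """Rejoin wrapped continuation lines (no leading timestamp) onto their record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(line.strip())
        elif line.strip() and records:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return {queue_id: {files, exit_codes, status}} for every message in the log."""
    virus_codes, msgs = set(), {}
    for rec in unwrap(text):
        _, qid, body = STAMP.match(rec).groups()
        if m := re.match(r"Scanner \d+ Virus Codes: ([\d ]+)", body):
            virus_codes = {int(c) for c in m.group(1).split()}  # assumption: exit codes
        if not qid:
            continue  # configuration line, not tied to a message
        s = msgs.setdefault(qid, {"files": [], "exit_codes": [], "status": "UNKNOWN"})
        if m := re.match(r"MIME file: (\S+)", body):
            s["files"].append(m.group(1))
        elif body.startswith("Not starting scanner"):
            s["status"] = "NOT SCANNED"  # nothing was handed to the AV engine
        elif m := re.match(r"Virus scanner \d+ reports exit code of (\d+)", body):
            s["exit_codes"].append(int(m.group(1)))
            s["status"] = "INFECTED" if virus_codes & set(s["exit_codes"]) else "CLEAN"
    return msgs

if __name__ == "__main__":
    for qid, s in summarize(SAMPLE_LOG).items():
        print(qid, s["status"], s["files"], s["exit_codes"])
```

Messages reported as NOT SCANNED are the ones to compare between servers: no attachment was extracted for them, so the scanner was never invoked.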
