John,

I know that you don't follow this logic, but banning regular zips is extreme and unnecessary IMO. Declude will scan any attachment regardless of the extension unless you tell it to skip a particular extension. The error that F-Prot returned is one of those non-specific, possible virus or something else codes, and you don't have to have Declude Virus block on that code (I don't, nor is it a part of the standard published config). Scott repeatedly recommended against it due to the potential of false positives. For instance he speculated/indicated that DOC files with macros could trigger a code of 8 in F-Prot. It's a judgment call, but you would be in the minority.

I have no issues when running two virus scanners that are any worse than blocking legitimate messages that either banning zips or using result code 8 would produce. Declude JunkMail tends to block any infected zip that gets through early on in a new outbreak, and Declude Virus might even capture it based on the ZIP vulnerability detection that was added last year. I don't even ban all encrypted zips, I only ban ones with a banned extension inside, and I figure that those that need encryption should be passing non-banned extensions such as DOC files within them and they won't be blocked. Banning encrypted zips by extensions contained has not missed any viruses that I know of because there is a fixed set of extensions that these viruses have used to date and I'm more than covered there.

Matt



John Tolmachoff (Lists) wrote:

I sent an encrypted zip file out, changing the .zip to ._ip. F-prot scanned
it and returned code 8, so Declude dutifully tagged it as infected.

Virus Code 8 means suspect, correct?

If this is what F-Prot is going to do, we need to rethink having
users/clients rename files.

04/14/2005 09:04:54.958 Q949B0A0B0000D0F1 [392] 0 - filename._ip
04/14/2005 09:04:54.958 Q949B0A0B0000D0F1 [392] Scanning files (2 scanners)
04/14/2005 09:04:54.973 Q949B0A0B0000D0F1 [392] Starting scanner #1:
C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT
/DUMB /REPORT=report.txt F:\SPOOL\D949B0~1.VIR\
04/14/2005 09:04:54.973 Q949B0A0B0000D0F1 [392] Waiting for free processes
[20 fpcmd.exe]
04/14/2005 09:04:54.973 Q949B0A0B0000D0F1 [392] Done waiting for free
processes [0].
04/14/2005 09:04:54.973 Q949B0A0B0000D0F1 [392] Virus Scanner Started:
C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT
/DUMB /REPORT=report.txt F:\SPOOL\D949B0~1.VIR\
04/14/2005 09:04:55.067 Q949B0A0B0000D0F1 [392] Scanning Time: 109ms
[kernel=31 user=78]
04/14/2005 09:04:55.067 Q949B0A0B0000D0F1 [392] Virus scanner 1 reports exit
code of 8

John T
eServices For You


--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.





--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
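The policy Matt describes above (block an encrypted zip only when a banned extension is listed inside it), sketched as an added example that is not part of the original thread and is not Declude's code. The ban list and function names are assumptions; the check reads the attachment's bytes, so a rename such as ._ip makes no difference.

```python
import io
import os
import zipfile

# Assumed, illustrative ban list; use the extensions your own policy bans.
BANNED = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in each ZIP entry header


def verdict(raw: bytes) -> str:
    """Classify an attachment by its bytes, ignoring its (renamable) file name."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(raw))
    except zipfile.BadZipFile:
        return "not-a-zip"
    with zf:
        entries = zf.infolist()  # central directory only; nothing is decrypted
    if not any(e.flag_bits & ENCRYPTED_FLAG for e in entries):
        return "scan"  # scanners can open it; no extension-based decision needed
    for e in entries:
        # Strip trailing dots/spaces so "a.exe." still counts as .exe
        ext = os.path.splitext(e.filename.lower().rstrip(". "))[1]
        if ext in BANNED:
            return "block"
    return "allow-encrypted"


def make_sample(names, encrypted):
    """Constructed test input: a stored ZIP whose entries are flagged encrypted."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        for name in names:
            zf.writestr(zipfile.ZipInfo(name, (2005, 4, 14, 9, 4, 54)), b"sample")
    buf = bytearray(bio.getvalue())
    if encrypted:
        # Flag offset: 6 in local headers, 8 in central-directory headers.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = buf.find(sig)
            while pos != -1:
                buf[pos + off] |= ENCRYPTED_FLAG
                pos = buf.find(sig, pos + 4)
    return bytes(buf)


if __name__ == "__main__":
    for names in (["invoice.doc.scr"], ["report.doc"]):
        print(names, verdict(make_sample(names, encrypted=True)))
    print(["setup.exe"], verdict(make_sample(["setup.exe"], encrypted=False)))
```

This works because common ZIP encryption protects file contents but leaves member names readable in the central directory; an archive that also encrypts its central directory would need a separate rule.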
