I don't have any samples of the latest Sober, but *if* you're using the penultimate pattern file for F-Prot and have your auto-update disabled, then according to the writeups, either of these two techniques in your virus.cfg will keep this specific virus out of your user's mailboxes:
BANEXT PIF BANZIPEXTS ON or BANNAME account_info.zip BANNAME autoemail-text.zip BANNAME LOL.zip BANNAME Fifa_Info-Text.zip BANNAME mail_info.zip BANNAME okTicket-info.zip BANNAME our_secret.zip BANNAME _PassWort-Info.zip Andrew 8) p.s. Now, back to the day job, already! -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma Sent: Monday, May 02, 2005 2:20 PM To: Declude.Virus@declude.com Subject: Fw: [Declude.Virus] Viruses appearing to be getting through... Hi, Oops, correct that. F-prot is catching it as Sober.O, Sophos is still not catching it. :-( Sure glad I'm using two scanners. ;-) > As of now I'm still getting hit by a virus with attachments like our _ > secret . zip which Sophos catches as Sober.O. > > Ff-prot is still nopt catching them and there is as of yet no update. > Just > did a manual update and no new version. I'm at: > SIGN.DEF 2-may-2005, 13:32 CET > SIGN2.DEF 2-may-2005, 16:46 CET > Using f-prot 3.16b Groetjes, Bonno Bloksma > ----- Original Message ----- > From: "Colbeck, Andrew" <[EMAIL PROTECTED]> > To: <Declude.Virus@declude.com> > Sent: Monday, May 02, 2005 8:37 PM > Subject: RE: [Declude.Virus] Viruses appearing to be getting through... > > > F-Prot may have already fixed their pattern file. My current sign.def > is timestamped: > > 05/02/2005 03:53 AM > > and checking their website and downloading the current version > manually shows that the current version is: > > 05/02/2005 01:32 PM > > Can anybody with the issue confirm which pattern file they are using > that has the problem? > > Andrew 8) > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry > Sent: Monday, May 02, 2005 11:20 AM > To: Declude.Virus@declude.com > Subject: Re: [Declude.Virus] Viruses appearing to be getting > through... > > > Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV > (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot > (although I have F-Prot updates disabled for now, until they get there > problem with > HTML/[EMAIL PROTECTED] fixed). > > Bill > ----- Original Message ----- > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > To: <Declude.Virus@declude.com> > Sent: Monday, May 02, 2005 11:11 AM > Subject: RE: [Declude.Virus] Viruses appearing to be getting through... > > >>I saw a big bunch about 2 hours ago that were stopped by banned zip >>extensions. >> >> John T >> eServices For You >> >> >>> -----Original Message----- >>> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] >>> On Behalf Of Chuck Schick >>> Sent: Monday, May 02, 2005 10:58 AM >>> To: Declude. Virus >>> Subject: [Declude.Virus] Viruses appearing to be getting through... >>> >>> I am seeing several files getting through that appear to have >>> viruses > >>> attached as zip files. I am running Declude with F-Prot. We ban >> encrypted >>> zips and I have error code 8 included. Anyone else seeing this >>> behavior? Here is part of the log. >>> >>> >>> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip >>> [base64; Length=53728 Checksum=5837399] 05/02/2005 10:34:21 Q568a382 >>> Scanned: Virus Free [MIME: 2 53979] >>> >>> Chuck Schick >>> Warp 8, Inc. >>> (303)-421-5140 >>> www.warp8.com >>> >>> --- >>> This E-mail came from the Declude.Virus mailing list. To >>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >>> type "unsubscribe Declude.Virus". The archives can be found >>> at http://www.mail-archive.com. >> >> --- >> This E-mail came from the Declude.Virus mailing list. To >> unsubscribe, > >> just send an E-mail to [EMAIL PROTECTED], and >> type "unsubscribe Declude.Virus". The archives can be found >> at http://www.mail-archive.com. >> > > --- > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > --- > This E-mail came from the Declude.Virus mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > --- > [E-mail scanned at tio.nl for viruses by Declude Virus] > > --- [E-mail scanned at tio.nl for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
