I just spoke to Symantec and they told me that this is not a problem - even though it lets the eicar through.
go figure ;-) PS how much is declude AV? i have just had a sudden urge to change products. Les. ----- Original Message ----- From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, February 19, 2002 4:12 AM Subject: [IMail Forum] Outlook vulnerability allows viruses to bypass SMTP AV scanners > FYI, we just found out this evening that a new vulnerability has been found > in Outlook that can cause viruses to be sent within the headers of an > E-mail, which will bypass most/all SMTP-based virus scanners. > > We have just released a new version of Declude Virus that will > automatically detect this vulnerability. For people using other virus > scanners, you may want to use our Test Mail Sender at > http://www.declude.com/tools/mailsend.html and send yourself the "eicarcr- > To test Outlook CR vulnerability" file. The E-mail should be caught by > your SMTP-based virus scanner, and should not be delivered to your E-mail > client. If not, you should update your SMTP-based virus scanner as soon as > an update is available. > > The vulnerability entails sending two carriage returns in a row ("CRCR") in > the middle of an E-mail header. This has no meaning in SMTP (and therefore > should be treated as part of the header), but Outlook treats this as if it > were a "CRLFCRLF", which would end the headers. So once this part of the > headers is reached, a standard E-mail program or SMTP-based virus scanner > will treat the next line as a header, but Outlook will treat it as the body > of the E-mail. If an attachment is placed here, Outlook will see it and > treat it as an attachment. However, the standard E-mail client or > SMTP-based virus scanner will realize that these should be standard > headers, and won't see the attachment. > > It has been reported that there are viruses in the works that may take > advantage of this vulnerability. In order to be effective, they would need > to be small (less than about 7K encoded), which will make it difficult for > "script kiddies" to write such a virus, but it can certainly be > done. Since Outlook tends to be the main source for spreading viruses, > this is something that should be taken seriously. > > More details can be found at > http://www.openoffice.nl/special_interest/outlookbug.html . > > -Scott > --- > Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for > IMail. http://www.declude.com > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > > Please visit http://www.ipswitch.com/support/mailing-lists.html > to be removed from this list. > > An Archive of this list is available at: > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ > Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
