RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
You may be able to do something with the MSGSIZE test in conjunction with AVAFTERJM ON, e.g.

SIZE-10MB msgsize 10240 x -50 0

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Friday, April 27, 2007 4:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

It's not that difficult. The legitimate messages with rar attachments are big (usually 10MB and up) so it's not hard to separate them from the image spam and common viruses being held in the virus directory. As mentioned by Craig in an earlier post, it would be nice if Declude added the capability to skip banning on files of large size.

Original Message
> From: "John T \(lists\)" <[EMAIL PROTECTED]>
> Sent: Friday, April 27, 2007 3:56 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
>
> > Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar files. Unfortunately some of my customers regularly send rar attachments, so I've had to check the virus hold directory on a regular basis and manually resubmit any false positives there.
> >
> > Gary
>
> Instead of manually checking for legit files, use the BANEXT.eml file to send a postmaster message that you get and/or the recipient and/or sender get and that notice can be reviewed a lot easier than manually checking the hold directory.
>
> John T

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
It's not that difficult. The legitimate messages with rar attachments are big (usually 10MB and up) so it's not hard to separate them from the image spam and common viruses being held in the virus directory. As mentioned by Craig in an earlier post, it would be nice if Declude added the capability to skip banning on files of large size.

Original Message
> From: "John T \(lists\)" <[EMAIL PROTECTED]>
> Sent: Friday, April 27, 2007 3:56 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
>
> > Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar files. Unfortunately some of my customers regularly send rar attachments, so I've had to check the virus hold directory on a regular basis and manually resubmit any false positives there.
> >
> > Gary
>
> Instead of manually checking for legit files, use the BANEXT.eml file to send a postmaster message that you get and/or the recipient and/or sender get and that notice can be reviewed a lot easier than manually checking the hold directory.
>
> John T
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
Actually, that is the BANNotify.eml file that is used.

John T

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists)
> Sent: Friday, April 27, 2007 12:39 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
>
> > Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar files. Unfortunately some of my customers regularly send rar attachments, so I've had to check the virus hold directory on a regular basis and manually resubmit any false positives there.
> >
> > Gary
>
> Instead of manually checking for legit files, use the BANEXT.eml file to send a postmaster message that you get and/or the recipient and/or sender get and that notice can be reviewed a lot easier than manually checking the hold directory.
>
> John T
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
> Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar files. Unfortunately some of my customers regularly send rar attachments, so I've had to check the virus hold directory on a regular basis and manually resubmit any false positives there.
>
> Gary

Instead of manually checking for legit files, use the BANEXT.eml file to send a postmaster message that you get and/or the recipient and/or sender get and that notice can be reviewed a lot easier than manually checking the hold directory.

John T
Re: [Declude.Virus] More info about encrypted RAR virus and Declude failures
Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar files. Unfortunately some of my customers regularly send rar attachments, so I've had to check the virus hold directory on a regular basis and manually resubmit any false positives there.

Gary

Original Message
> From: Matt <[EMAIL PROTECTED]>
> Sent: Friday, April 27, 2007 11:25 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] More info about encrypted RAR virus and Declude failures
>
> BANEXT RAR will block all RAR files, encrypted or not. That wasn't the issue at hand here. It was related to BANEZIPEXTSON (in my case) and possibly BANEZIPON.
>
> Matt
>
> Dan Shadix wrote:
> >
> > BANEXT rar has been working great for me.
> >
> > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Matt
> > *Sent:* Thursday, April 26, 2007 11:36 PM
> > *To:* declude.virus@declude.com
> > *Subject:* [Declude.Virus] More info about encrypted RAR virus and Declude failures
> >
> > I have downloaded a copy of the virus and inspected it. The file is a functional encrypted RAR with an EXE inside of the same file name. I also researched why Declude might not be catching this and I believe that I know why.
> >
> > Declude will properly detect an executable within a RAR file and the fact that the file is encrypted. I verified this with my own test on a file that I encrypted. The problem however is the fact that you can also encrypt the file name within a RAR and not just the file. The virus that was being spammed encrypted both the file name and the file, so Declude likely got hung up on trying to extract the name from the RAR.
> >
> > Note to Dave. This took me all of 30 minutes to figure out. Unfortunately there is somewhat of a conundrum here as you will need to introduce new functionality in order to handle this appropriately. While I don't expect that RAR files will be commonly used for viruses due to the rarity of the client, it is definitely necessary to allow users to block encrypted RAR's when the file names are not extractable. I have a recommendation for how to handle this which would be quite consistent with current behavior and possibly help with unexpected conditions with ZIP's too:
> >
> > For both encrypted ZIP's and encrypted RAR's where the file names can't be extracted, assume that it contains an EXE. This will allow for those that want to block all encrypted files and those that only want to block them when there is an executable inside to maintain proper levels of protection.
> >
> > Let me know if you would like some more feedback or information.
> >
> > Thanks,
> >
> > Matt
Re: [Declude.Virus] More info about encrypted RAR virus and Declude failures
BANEXT RAR will block all RAR files, encrypted or not. That wasn't the issue at hand here. It was related to BANEZIPEXTSON (in my case) and possibly BANEZIPON.

Matt

Dan Shadix wrote:

BANEXT rar has been working great for me.

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Matt
*Sent:* Thursday, April 26, 2007 11:36 PM
*To:* declude.virus@declude.com
*Subject:* [Declude.Virus] More info about encrypted RAR virus and Declude failures

I have downloaded a copy of the virus and inspected it. The file is a functional encrypted RAR with an EXE inside of the same file name. I also researched why Declude might not be catching this and I believe that I know why.

Declude will properly detect an executable within a RAR file and the fact that the file is encrypted. I verified this with my own test on a file that I encrypted. The problem however is the fact that you can also encrypt the file name within a RAR and not just the file. The virus that was being spammed encrypted both the file name and the file, so Declude likely got hung up on trying to extract the name from the RAR.

Note to Dave. This took me all of 30 minutes to figure out. Unfortunately there is somewhat of a conundrum here as you will need to introduce new functionality in order to handle this appropriately. While I don't expect that RAR files will be commonly used for viruses due to the rarity of the client, it is definitely necessary to allow users to block encrypted RAR's when the file names are not extractable. I have a recommendation for how to handle this which would be quite consistent with current behavior and possibly help with unexpected conditions with ZIP's too:

For both encrypted ZIP's and encrypted RAR's where the file names can't be extracted, assume that it contains an EXE. This will allow for those that want to block all encrypted files and those that only want to block them when there is an executable inside to maintain proper levels of protection.

Let me know if you would like some more feedback or information.

Thanks,

Matt
[Declude.Virus] skip checking on files larger than Xmb
Hi All,

It's probably been asked before, but how do I tell declude to skip virus and spam checking on files say larger than 20mb?

Also if you could let me know which file I have to insert the code in that would be great?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.net
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
BANEXT rar has been working great for me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 26, 2007 11:36 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] More info about encrypted RAR virus and Declude failures

I have downloaded a copy of the virus and inspected it. The file is a functional encrypted RAR with an EXE inside of the same file name. I also researched why Declude might not be catching this and I believe that I know why.

Declude will properly detect an executable within a RAR file and the fact that the file is encrypted. I verified this with my own test on a file that I encrypted. The problem however is the fact that you can also encrypt the file name within a RAR and not just the file. The virus that was being spammed encrypted both the file name and the file, so Declude likely got hung up on trying to extract the name from the RAR.

Note to Dave. This took me all of 30 minutes to figure out. Unfortunately there is somewhat of a conundrum here as you will need to introduce new functionality in order to handle this appropriately. While I don't expect that RAR files will be commonly used for viruses due to the rarity of the client, it is definitely necessary to allow users to block encrypted RAR's when the file names are not extractable. I have a recommendation for how to handle this which would be quite consistent with current behavior and possibly help with unexpected conditions with ZIP's too:

For both encrypted ZIP's and encrypted RAR's where the file names can't be extracted, assume that it contains an EXE. This will allow for those that want to block all encrypted files and those that only want to block them when there is an executable inside to maintain proper levels of protection.

Let me know if you would like some more feedback or information.

Thanks,

Matt

The information contained in this communication is privileged and confidential. If you have received this communication in error, please forward back to the sender and delete your copy immediately. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
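
The distinction Matt draws in the thread (encrypted data with readable names versus encrypted names) and his proposed rule, as an added example that is not part of the thread and is not Declude's code. It walks RAR 1.5-4.x block headers; the function names, the "all"/"exe" modes, the assume_exe switch, the banned-extension list and the sample archives are assumptions constructed for illustration.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"  # RAR 1.5-4.x signature; header CRCs are not verified
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
MHD_PASSWORD = 0x0080  # main header flag: every later block header is encrypted
LHD_PASSWORD = 0x0004  # file header flag: this file's data is encrypted
LHD_LARGE, LONG_BLOCK = 0x0100, 0x8000
BANNED = (".exe", ".scr", ".pif", ".com")  # assumed banned-extension list

def inspect_rar4(data):
    """Return (names, data_encrypted, names_hidden) for one archive."""
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR 1.5-4.x archive")
    pos, names, encrypted = len(RAR4_MAGIC), [], False
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            return names, True, True  # only salt and ciphertext follow
        need = 32 if htype == FILE_HEAD else 11 if flags & LONG_BLOCK else 7
        if hsize < need or pos + hsize > len(data) or (need == 32 and flags & LHD_LARGE):
            return names, encrypted, True  # unparseable or 64-bit sizes: fail closed
        extra = struct.unpack_from("<I", data, pos + 7)[0] if need > 7 else 0
        if htype == FILE_HEAD:
            nsize = struct.unpack_from("<H", data, pos + 26)[0]
            if 32 + nsize > hsize:
                return names, encrypted, True  # name overruns its header
            names.append(data[pos + 32:pos + 32 + nsize].split(b"\0")[0].decode("latin-1"))
            encrypted = encrypted or bool(flags & LHD_PASSWORD)
        pos += hsize + extra
    return names, encrypted, False

def hold_as_encrypted(data, mode, assume_exe=True):
    """mode "all": hold any encrypted archive; "exe": only with a banned name inside."""
    names, encrypted, hidden = inspect_rar4(data)
    if hidden and assume_exe:
        return True  # the thread's proposal: unreadable names count as an EXE
    banned = any(n.lower().endswith(BANNED) for n in names)
    return encrypted and (mode == "all" or banned)

def _main(flags):  # constructed sample blocks, CRC fields zeroed
    return RAR4_MAGIC + struct.pack("<HBHHHI", 0, MAIN_HEAD, flags, 13, 0, 0)

def _file(name, flags, body=b"\0" * 16):
    return struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, flags | LONG_BLOCK,
                       32 + len(name), len(body), len(body), 0, 0, 0, 29, 0x30,
                       len(name), 0x20) + name + body

NAMES_VISIBLE = _main(0) + _file(b"invoice.exe", LHD_PASSWORD)
NAMES_HIDDEN = _main(MHD_PASSWORD) + b"\xa5" * 48  # stand-in for salt + ciphertext
ENCRYPTED_DOC = _main(0) + _file(b"report.doc", LHD_PASSWORD)
```

With assume_exe=False the "exe" mode lets NAMES_HIDDEN through because no name is ever seen, which is the gap the thread describes; with the default it is held under both modes.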