[Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread Markus Gufler
Today I've had a message held as a false positive (unknown virus exit code
8)

F-Prot seems to end with this exit code if a password-protected zip file is
attached and the body contains something like

password: .

This message was definitively no false positive and so I requeued it.

I've noted it due to the low number of postmaster virus warnings I receive,
because they are sent to me only if the detected virus is not a forging one.
Fortunately this legit message wasn't deleted from the virus folder between
thousands of unwanted netsky's and sober's.

Markus

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread Matt

Markus,

I believe that this is something that several of us railed against and 
tried to get F-Prot to change.  Formerly no known viruses would be 
tagged with an exit code of 8, but then they suddenly started tagging 
some known viruses this way, essentially requiring us to add that code 
in for detection.  The downside of this is that this exit code also 
blocks things like encrypted zips.  It was a real shame.


It's worth checking to see if F-Prot is tagging more recent known 
viruses with exit code 8 because if they are no longer doing this, I 
would assume that turning it off would be wise so long as you had two 
virus scanners running.


Note that I'm not dismissing your primary intention of pointing out the 
FP issue with virus scanning and a way to deal with it.


Matt





RE: [Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread John T (Lists)
I am using viruscode 8 and it is not blocking password protected zips. I
think like Markus said it is looking for a combination of a password
protected zip, an executable and the phrase he listed.

Markus, did that attachment have an executable within the zip file?

John T
eServices For You

Seek, and ye shall find!



RE: [Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread Markus Gufler
Matt, John,

F-Prot is not catching simple e-zips. I supposed it was the password
string in the mail body. Now after an additional test it turned out that
F-Prot is exiting with code 8 if there is an attached e-zip containing .exe
files. The mail body does not seem to interfere with F-Prot's result.

This is a problem for those who need to allow any extensions in zip files.

Maybe we can ask F-Prot if they can change the signatures to catch only exe
in ezips if they are larger than ...
Usually legit ezips should be much larger than 100 kByte.

I wouldn't remove exit code 8 from my configuration because most of the
outbreaks in the last year were caught by this exit code before any
AV scanner had updated signatures.

Markus
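
The condition described in the message above (an encrypted zip that contains .exe files, plus the 100 kByte size idea), sketched as an added example for triaging held attachments; it is not part of the thread and not how F-Prot or Declude implement the check. It relies on a password-protected zip normally leaving member names and the per-entry encryption flag readable in the central directory; the function names, result labels and sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

EXEC_EXTS = (".exe",)      # the thread names only .exe; extend per local policy
SIZE_HINT = 100 * 1024     # the 100 kByte figure floated in the thread

def triage_zip(data):
    """Classify a ZIP attachment from its central directory; no password needed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return "not-a-zip"
    encrypted = [e for e in entries if e.flag_bits & 0x1]  # bit 0: entry is encrypted
    if not encrypted:
        return "plain-zip"
    if not any(e.filename.lower().endswith(EXEC_EXTS) for e in encrypted):
        return "ezip-no-exe"
    return "ezip-exe-small" if len(data) < SIZE_HINT else "ezip-exe-large"

def constructed_zip(name, payload, encrypted):
    """Constructed sample: sets only the 'encrypted' flag bit, data stays in the clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        pos = raw.rfind(b"PK\x01\x02")            # central directory file header
        flags, = struct.unpack_from("<H", raw, pos + 8)
        struct.pack_into("<H", raw, pos + 8, flags | 0x1)
    return bytes(raw)

if __name__ == "__main__":
    samples = {
        "small ezip with exe": constructed_zip("setup.exe", b"\0" * 2048, True),
        "large ezip with exe": constructed_zip("setup.exe", b"\0" * 200 * 1024, True),
        "ezip without exe": constructed_zip("report.doc", b"x", True),
        "plain zip with exe": constructed_zip("setup.exe", b"x", False),
    }
    for label, blob in samples.items():
        print(f"{label:22} -> {triage_zip(blob)}")
```

Run against messages held on exit code 8, the labels separate the small encrypted archives from larger ones that deserve a manual look before requeueing.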





RE: [Declude.Virus] F-Prot exit code 8 and body content

2006-01-31 Thread John T (Lists)
Markus, even though I know others have said they cannot do this, I am
blocking any zip, including ezips, that have an executable within them.

All of my clients know this and I have a published policy on it which
includes instructions on what to do if you must get these through.

As such, IMHO, this issue is fine. Others' mileage may vary.

John T
eServices For You

Seek, and ye shall find!

