RE: [Declude.Virus] Extension Modify

2004-07-20 Thread Paul Fuhrmeister
Is this a new possible feature for Declude Virus? The option of changing the
attachment file extension to a non-executable extension? 

[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Monday, July 19, 2004 6:45 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Extension Modify

We modify extensions at our Firewall that changes an executable listing and
removes the last character and adds an underscore (no harm to file). For
example, an exe would be modified to ex_. Works great, however, it seems
that Declude will not see it in our Banned Extension listing even though we
have it listed as BANEXT ex_. Does Declude Pro Virus (1.79+) allow for
this?
 
I have tested it with varying sizes of files and none get banned. 
 
Thanks for the aid.
 
Keith

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Extension Modify

2004-07-19 Thread John Tolmachoff (Lists)
Post a Declude Virus log snippet of a message that got through, preferably in DEBUG 
mode.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Keith Johnson
 Sent: Monday, July 19, 2004 4:45 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] Extension Modify
 
 We modify extensions at our Firewall that changes an executable listing and removes
 the last character and adds an underscore (no harm to file). For example, an exe
 would be modified to ex_. Works great, however, it seems that Declude will not see it
 in our Banned Extension listing even though we have it listed as BANEXT ex_. Does
 Declude Pro Virus (1.79+) allow for this?
 
 I have tested it with varying sizes of files and none get banned.
 
 Thanks for the aid.
 
 Keith


Re: [Declude.Virus] Extension Modify

2004-07-19 Thread R. Scott Perry

We modify extensions at our Firewall that changes an executable listing
and removes the last character and adds an underscore (no harm to
file). For example, an exe would be modified to ex_. Works great,
however, it seems that Declude will not see it in our Banned Extension
listing even though we have it listed as BANEXT ex_. Does Declude Pro
Virus (1.79+) allow for this?

I believe the problem here is that the underscore is not a valid character
for file extensions.  If you change it to BANEXT ex, it should take care
of the problem.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.Virus] Extension Modify

2004-07-19 Thread Keith Johnson
Scott,
 Thanks for the email and quick follow-up. Below is the log snippet and it 
shows:
 
07/19/2004 20:21:30 Q658a1246012405b6 MIME file: happy.pi_ [base64; Length=80 Checksum=8732]
07/19/2004 20:21:30.546 Q658a1246012405b6 Comparing |pi| to SKIPEXTs and BANEXTs
07/19/2004 20:21:31.171 Q658a1246012405b6 Starting EXT check .
07/19/2004 20:21:31.171 Q658a1246012405b6 1: happy.pi_ adfa
07/19/2004 20:21:31.171 Q658a1246012405b6 Starting EXT check pi.


  It seems Declude drops the _ in pi_ and checks pi. Is this by design?
Thanks again.
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Mon 7/19/2004 8:19 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Declude.Virus] Extension Modify




We modify extensions at our Firewall that changes an executable listing
and removes the last character and adds an underscore (no harm to
file). For example, an exe would be modified to ex_. Works great,
however, it seems that Declude will not see it in our Banned Extension
listing even though we have it listed as BANEXT ex_. Does Declude Pro
Virus (1.79+) allow for this?

I believe the problem here is that the underscore is not a valid character
for file extensions.  If you change it to BANEXT ex, it should take care
of the problem.

-Scott

RE: [Declude.Virus] Extension Modify

2004-07-19 Thread Keith Johnson
Scott,
  Is there a limit on the BANEXT?  I thought I read somewhere it was 100?
Thanks again for your time.  Just need a few more entries to cover the _ character.
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of R. Scott Perry 
Sent: Mon 7/19/2004 8:19 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Declude.Virus] Extension Modify




We modify extensions at our Firewall that changes an executable listing
and removes the last character and adds an underscore (no harm to
file). For example, an exe would be modified to ex_. Works great,
however, it seems that Declude will not see it in our Banned Extension
listing even though we have it listed as BANEXT ex_. Does Declude Pro
Virus (1.79+) allow for this?

I believe the problem here is that the underscore is not a valid character
for file extensions.  If you change it to BANEXT ex, it should take care
of the problem.

-Scott

RE: [Declude.Virus] Extension Modify

2004-07-19 Thread R. Scott Perry

 Thanks for the email and quick follow-up. Below is the log
snippet and it shows:

07/19/2004 20:21:31.171 Q658a1246012405b6 Starting EXT check pi.

  It seems Declude drops the _ in pi_ and checks pi. Is this by
design?  Thanks again.

Yes, that is by design, since _ is invalid in an extension.  That way, a
hacker can't use something like filename.exe_ to bypass virus scanning.

 Is there a limit on the BANEXT?  I thought I read somewhere it was
100?  Thanks again for your time.

It was 20, but in the latest beta it is 100.
   -Scott
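
The behaviour described in this thread (the scanner drops the _ before comparing, so BANEXT ex_ can never match while BANEXT ex does), as an added Python example that is not part of the thread and is not Declude's code. The function names, the constructed sample message, and the choice to treat every non-alphanumeric character as invalid in an extension are assumptions of this example.

```python
import re
from email import message_from_string

# Only the underscore rule comes from the thread; treating every other
# non-alphanumeric character as invalid too is this example's assumption.
INVALID = re.compile(r"[^a-z0-9]")

def normalize_ext(filename):
    """Extension as compared against the ban list: lowercased, invalid characters dropped."""
    name = filename.strip().rstrip(".")
    if "." not in name:
        return ""
    return INVALID.sub("", name.rsplit(".", 1)[1].lower())

def lint_banext(entries):
    """Split BANEXT values into usable ones and ones that can never match."""
    usable, dead = set(), []
    for entry in entries:
        entry = entry.lower().lstrip(".")
        if not entry or INVALID.search(entry):
            dead.append(entry)   # e.g. "ex_": the "_" is gone before comparison
        else:
            usable.add(entry)
    return usable, dead

def banned_attachments(raw_message, banext):
    """Names of attachments whose normalized extension is on the ban list."""
    usable, _ = lint_banext(banext)
    names = (part.get_filename() for part in message_from_string(raw_message).walk())
    return [n for n in names if n and normalize_ext(n) in usable]

# Constructed sample message (not taken from the thread's mail server).
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="happy.pi_"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```

Running lint_banext over a ban list before deploying it shows which entries are dead; note that a firewall-renamed setup.ex_ normalizes to ex, not exe, so an exe entry alone does not cover it.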