RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-05-07 Thread Gary Steiner
I received a message over the weekend from Declude stating that my ticket on 
this issue has been closed.  When I read it, I assumed this meant that Declude 
has fixed the bug and has released a version that is now able to detect 
encrypted RAR files.  When will we be able to download this newly fixed version?

Gary Steiner



 Original Message 
 From: David Barker [EMAIL PROTECTED]
 Sent: Wednesday, May 02, 2007 4:19 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude 
 failures
 
 Yes, I apologize. I only realized the next day (Saturday) that this would not
 work, because the message will be scanned if it is under a HOLD or DELETE
 threshold.
 
 David 
 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.



RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-05-07 Thread David Barker
Gary,

I will post to the list when there is a download available.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Monday, May 07, 2007 1:01 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude
failures

I received a message over the weekend from Declude stating that my ticket on
this issue has been closed.  When I read it, I assumed this meant that
Declude has fixed the bug and has released a version that is now able to
detect encrypted RAR files.  When will we be able to download this newly
fixed version?

Gary Steiner




RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-05-02 Thread Gary Steiner
I am confused as to how this would work, as BANEXT RAR in EVA will hold those 
files regardless of the weight.

Has anyone worked out a way to ban small RAR files that would contain the 
virus, and pass large RAR files that most likely would not?

I'm trying to find a workaround until Declude figures out how to detect 
encrypted RAR files.  Right now I'm banning all RAR files, then have to go in 
and manually re-submit the legitimate RAR files that my customers are sending.

Gary



 Original Message 
 From: David Barker [EMAIL PROTECTED]
 Sent: Friday, April 27, 2007 5:52 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude 
 failures
 
 You may be able to do something with the MSGSIZE test in conjunction with
 AVAFTERJM ON, e.g.
 
 SIZE-10MB msgsize 10240   x   -50 0
 
 David Barker
 VP Operations  |  Declude
 Your Email Security is our business
 O: 978.499.2933  x7007
 F: 978.988.1311   
 E: [EMAIL PROTECTED]
 
 



RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-05-02 Thread David Barker
Yes, I apologize. I only realized the next day (Saturday) that this would not
work, because the message will be scanned if it is under a HOLD or DELETE
threshold.

David 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Wednesday, May 02, 2007 4:03 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude
failures

I am confused as to how this would work, as BANEXT RAR in EVA will hold
those files regardless of the weight.

Has anyone worked out a way to ban small RAR files that would contain the
virus, and pass large RAR files that most likely would not?

I'm trying to find a workaround until Declude figures out how to detect
encrypted RAR files.  Right now I'm banning all RAR files, then have to go
in and manually re-submit the legitimate RAR files that my customers are
sending.

Gary






RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-05-02 Thread Colbeck, Andrew
Without offering up the exact how-to, I can point out that the SIZE test
and a BODY CONTAINS combination would likely help in Declude JunkMail,
and that you would have to stop banning RAR files in Declude EVA.

Judicious use of the SIZE test would help Gary to HOLD only small RAR
files, whether encrypted or not.

Meanwhile, a strategy of chasing BODY and SUBJECT lines in Declude
JunkMail text filters would help to target this worm, as this family
heavily recycles its own text.  Using

BODY CONTAINS Subject: yadda

fragments also helps to catch annoying blowback as your users get
automatic responses from third-party email servers that naively believed
the MAILFROM was not a fake.

Andrew.





 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Wednesday, May 02, 2007 1:07 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] More info about encrypted RAR 
 virus and Declude failures
 
 Yes, I apologize. I only realized the next day (Saturday) that 
 this would not work, because the message will be scanned if it 
 is under a HOLD or DELETE threshold.
 
 David 
 
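A toy model of the two stages this exchange is about, added here (it is not Declude's code): David Barker's `SIZE-10MB msgsize 10240 x -50 0` line from earlier in the thread, the correction above that AVAFTERJM ON only spares mail JunkMail has already held, and Andrew's direction of dropping BANEXT RAR in EVA and holding small RAR mail in JunkMail with SIZE plus BODY CONTAINS. The HOLD threshold, the weights, the stage semantics and the sample messages are assumptions made for the model.

```python
"""Simplified model of a JunkMail weight stage followed by an EVA BANEXT stage.
Not Declude's engine: thresholds, weights and the combination rule are assumed."""
from dataclasses import dataclass


@dataclass
class Message:
    size_kb: int
    attachments: tuple        # attachment file names seen by the EVA stage
    body: str = ""            # raw MIME body; attachment names appear here too


@dataclass
class Config:
    hold_weight: int = 30       # JunkMail HOLD threshold (assumed value)
    size_kb: int = 10240        # the msgsize value from the SIZE-10MB line
    over_size_weight: int = 0   # weight when size > size_kb (David: -50)
    small_rar_weight: int = 0   # weight when size <= size_kb and body names a .rar
    banext: tuple = ()          # EVA BANEXT extensions, e.g. (".rar",)
    av_after_jm: bool = True    # AVAFTERJM ON: virus stage runs after JunkMail


def junkmail_weight(msg: Message, cfg: Config) -> int:
    """Sum of the two modelled JunkMail tests."""
    if msg.size_kb > cfg.size_kb:
        return cfg.over_size_weight
    if ".rar" in msg.body.lower():          # stands in for a BODY CONTAINS .rar test
        return cfg.small_rar_weight
    return 0


def route(msg: Message, cfg: Config) -> str:
    """Run the stages in AVAFTERJM order; the first stage that holds wins."""
    def junkmail_holds() -> bool:
        return junkmail_weight(msg, cfg) >= cfg.hold_weight

    def eva_holds() -> bool:
        # BANEXT holds by extension alone; a negative weight never reaches here,
        # which is why the -50 trick cannot exempt large RARs.
        return any(a.lower().endswith(cfg.banext) for a in msg.attachments)

    stages = [("JunkMail", junkmail_holds), ("EVA BANEXT", eva_holds)]
    if not cfg.av_after_jm:
        stages.reverse()
    for name, holds in stages:
        if holds():
            return f"HOLD ({name})"
    return "DELIVER"


# David's first suggestion: keep BANEXT RAR, give messages over 10 MB -50.
DAVID = Config(over_size_weight=-50, banext=(".rar",))
# Andrew's direction: no RAR ban in EVA; small RAR mail reaches HOLD in JunkMail.
ANDREW = Config(small_rar_weight=30, banext=())

# Constructed sample messages (no real worm content).
SAMPLES = {
    "small worm RAR": Message(40, ("report.rar",), 'filename="report.rar"'),
    "large customer RAR": Message(24000, ("design.rar",), 'filename="design.rar"'),
    "plain text mail": Message(5, (), "hello"),
}


def compare() -> dict:
    """Outcome under each configuration for every sample message."""
    return {label: (route(m, DAVID), route(m, ANDREW)) for label, m in SAMPLES.items()}


if __name__ == "__main__":
    for label, (david, andrew) in compare().items():
        print(f"{label:20} David: {david:20} Andrew: {andrew}")
```

Under the second configuration large RAR mail is no longer extension-banned at all, so it is only as protected as the scanner's own handling of encrypted RARs, which is the very gap the thread is about.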

RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread Dan Shadix
BANEXT rar has been working great for me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 26, 2007 11:36 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] More info about encrypted RAR virus and Declude 
failures

I have downloaded a copy of the virus and inspected it.  The file is a 
functional encrypted RAR with an EXE inside of the same file name.  I also 
researched why Declude might not be catching this and I believe that I know why.

Declude will properly detect an executable within a RAR file and the fact that 
the file is encrypted.  I verified this with my own test on a file that I 
encrypted.  The problem however is the fact that you can also encrypt the file 
name within a RAR and not just the file.  The virus that was being spammed 
encrypted both the file name and the file, so Declude likely got hung up on 
trying to extract the name from the RAR.

Note to Dave.  This took me all of 30 minutes to figure out.  Unfortunately 
there is somewhat of a conundrum here as you will need to introduce new 
functionality in order to handle this appropriately.  While I don't expect that 
RAR files will be commonly used for viruses due to the rarity of the client, it 
is definitely necessary to allow users to block encrypted RARs when the file 
names are not extractable.  I have a recommendation for how to handle this 
which would be quite consistent with current behavior and possibly help with 
unexpected conditions with ZIPs too:

For both encrypted ZIPs and encrypted RARs where the file names can't be 
extracted, assume that it contains an EXE.  This will allow for those that want 
to block all encrypted files and those that only want to block them when there 
is an executable inside to maintain proper levels of protection.

Let me know if you would like some more feedback or information.

Thanks,

Matt

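An added example (not Declude's code, not the worm) of the distinction Matt draws: a minimal RAR 3.x block walker that reports whether only the file data is encrypted (names readable) or the headers too (names not extractable), and applies his proposed rule that an encrypted archive with no readable names is treated as containing an EXE. The sample archives are built inline from the RAR 3.x block layout; the executable extension list is an assumption.

```python
import struct
import zlib

RAR3_MARKER = b"Rar!\x1a\x07\x00"
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080  # main-header flag: every later header is encrypted too
LHD_PASSWORD = 0x0004  # file-header flag: only this file's data is encrypted
LHD_LARGE = 0x0100     # file-header flag: 64-bit size fields precede the name
LONG_BLOCK = 0x8000    # block carries ADD_SIZE (for file headers, PACK_SIZE)
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # assumed list


def triage_rar(data: bytes) -> dict:
    """Walk the RAR 3.x block chain and report what a gateway can learn.

    'legacy_verdict' blocks only when a readable file name is executable
    (the behaviour Matt describes); 'proposed_verdict' also blocks when the
    headers are encrypted and no name can be read (his recommendation)."""
    if not data.startswith(RAR3_MARKER):
        raise ValueError("not a RAR 3.x archive")
    pos = len(RAR3_MARKER)
    names, headers_encrypted, data_encrypted = [], False, False
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        min_size = 11 if flags & LONG_BLOCK else 7
        if head_size < min_size or pos + head_size > len(data):
            raise ValueError("truncated or corrupt block header")
        # HEAD_CRC is the low 16 bits of CRC32 over HEAD_TYPE .. end of header
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            raise ValueError("header CRC mismatch")
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if head_type == MAIN_HEAD and flags & MHD_PASSWORD:
            # From here on the stream is ciphertext (salt + AES blocks), so the
            # file names simply are not extractable without the password.
            headers_encrypted = data_encrypted = True
            break
        if head_type == FILE_HEAD:
            if head_size < 32:
                raise ValueError("file header too short")
            # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR
            name_size = struct.unpack_from("<IIBIIBBHI", data, pos + 7)[7]
            name_off = pos + 32 + (8 if flags & LHD_LARGE else 0)
            if name_off + name_size > pos + head_size:
                raise ValueError("file name runs past its header")
            raw = data[name_off:name_off + name_size]
            names.append(raw.split(b"\0")[0].decode("latin-1"))  # ASCII part only
            data_encrypted |= bool(flags & LHD_PASSWORD)
        if head_type == END_HEAD:
            break
        pos += head_size + add_size
    exe_seen = any(n.lower().endswith(EXECUTABLE_EXTS) for n in names)
    return {
        "headers_encrypted": headers_encrypted,
        "data_encrypted": data_encrypted,
        "names": names,
        "legacy_verdict": exe_seen,
        "proposed_verdict": exe_seen or headers_encrypted,
    }


def _block(head_type: int, flags: int, body: bytes) -> bytes:
    """Assemble one RAR3 block with a correct HEAD_CRC (constructed sample)."""
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest


def _file_block(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """File header (stored method, Windows host, no salt) plus its packed data."""
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    fields = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2,
                         zlib.crc32(payload), 0, 29, 0x30, len(name), 0x20)
    return _block(FILE_HEAD, flags, fields + name) + payload


def _archive(headers_encrypted: bool, *parts: bytes) -> bytes:
    main = _block(MAIN_HEAD, MHD_PASSWORD if headers_encrypted else 0, b"\0" * 6)
    return RAR3_MARKER + main + b"".join(parts)


# Constructed samples (no real malware): "invoice.exe" packed three ways, plus a
# harmless archive.  Opaque bytes stand in for encrypted content.
PLAIN = _archive(False, _file_block(b"invoice.exe", b"MZ-stub", False))
DATA_ENCRYPTED = _archive(False, _file_block(b"invoice.exe", bytes(range(16)), True))
HEADERS_ENCRYPTED = _archive(True, bytes(range(32)))   # file headers unreadable
HARMLESS = _archive(False, _file_block(b"photos.jpg", b"\xff\xd8\xff", False))

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("data-encrypted", DATA_ENCRYPTED),
                          ("headers-encrypted", HEADERS_ENCRYPTED), ("harmless", HARMLESS)]:
        v = triage_rar(sample)
        print(f"{label:18} names={v['names']} legacy_block={v['legacy_verdict']} "
              f"proposed_block={v['proposed_verdict']}")
```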


Re: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread Matt
BANEXT RAR will block all RAR files, encrypted or not.  That wasn't the 
issue at hand here.  It was related to BANEZIPEXTSON (in my case) 
and possibly BANEZIPON.


Matt


Dan Shadix wrote:


BANEXT rar has been working great for me.

 


RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread John T \(lists\)
 Until Declude resolves the issue with BANEXT EZIP, I've had to ban all
 rar files.  Unfortunately some of my customers regularly send rar
 attachments, so I've had to check the virus hold directory on a regular
 basis and manually resubmit any false positives there.
 
 Gary

Instead of manually checking for legit files, use the BANEXT.eml file to
send a postmaster message that you and/or the recipient and/or sender
get; that notice can be reviewed much more easily than manually checking the
hold directory.

John T







RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread Gary Steiner
It's not that difficult.  The legitimate messages with rar attachments are big 
(usually 10MB and up) so it's not hard to separate them from the image spam and 
common viruses being held in the virus directory.

As mentioned by Craig in an earlier post, it would be nice if Declude added the 
capability to skip banning on files of large size.



 Original Message 
 From: John T \(lists\) [EMAIL PROTECTED]
 Sent: Friday, April 27, 2007 3:56 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude 
 failures
 
  Until Declude resolves the issue with BANEXT EZIP, I've had to ban all
  rar files.  Unfortunately some of my customers regularly send rar
  attachments, so I've had to check the virus hold directory on a regular
  basis and manually resubmit any false positives there.
  
  Gary
 
 Instead of manually checking for legit files, use the BANEXT.eml file to
 send a postmaster message that you and/or the recipient and/or sender
 get; that notice can be reviewed much more easily than manually checking the
 hold directory.
 
 John T
 
 
 
 



RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

2007-04-27 Thread David Barker
You may be able to do something with the MSGSIZE test in conjunction with
AVAFTERJM ON, e.g.

SIZE-10MB   msgsize 10240   x   -50 0

David Barker
VP Operations  |  Declude
Your Email Security is our business
O: 978.499.2933  x7007
F: 978.988.1311   
E: [EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Friday, April 27, 2007 4:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude
failures

It's not that difficult.  The legitimate messages with rar attachments are
big (usually 10MB and up) so it's not hard to separate them from the image
spam and common viruses being held in the virus directory.

As mentioned by Craig in an earlier post, it would be nice if Declude added
the capability to skip banning on files of large size.


