Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

2005-08-12 Thread Matt
ILITYOLBOUNDARYSPACEGAP This only works with 2.0.6.14+. There are more that are listed when you log into your account on declude.com and go to the page for 2.0.6.16. All of the above were producing repeated false positives from multiple sources, and ones like OLCR were especially problematic.

Re: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

2005-08-11 Thread Matt
Microsoft has long since patched the flaw, though it can certainly cause parsing issues in virus scanners that could lead to missing the payloads due to a message that was improperly formatted. Matt David Dodell wrote: Had email from a company today (Photodex) rejected due to the Outlook

Re: [Declude.Virus] OT: e-mail headers

2005-08-04 Thread Matt
] Reply-To: [EMAIL PROTECTED] MIME-Version: 1.0 X-Mailer: PHP/4.3.8 Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: BASE64 It appears that the first set is wrong and should be removed if possible. Matt System Administrator wrote: on 8/4/05 2:29 PM,

Re: [Declude.Virus] OT: e-mail headers

2005-08-04 Thread Matt
ff if you wish since it's the formatting that really matters here. Matt System Administrator wrote: We are developing an ecommerce web site but we are having problems with the e-mail associated with the buying experience. The e-mail message contains a text part and a base64 part. Dec

Re: [Declude.Virus] Patch Tuesday and graphic images

2005-07-12 Thread Matt
fact that it was previously reported that images were parsed by the Web browser before they were written to the cache where an antivirus program could scan them. That is hearsay until I see it in action though. Matt Colbeck, Andrew wrote: Today is Microsoft Patch Tuesday for July 2005.

Re: [Declude.Virus] Declude using CBL to block users sending mail?????

2005-06-13 Thread Matt
dding something like Sniffer and reducing weights on such things I think is still the best overall solution. Matt Colbeck, Andrew wrote: That's a good point, Matt. I glossed over analyzing the hops, but wouldn't Declude skip running any test with DYNA in the name if the message

Re: [Declude.Virus] Declude using CBL to block users sending mail?????

2005-06-13 Thread Matt
's from headers when shared because those that might help out would often benefit from this information. Sometimes it doesn't really matter of course, and Doug did give enough information to figure this out, but the three received headers were confusing without a careful read. Matt

Re: [Declude.Virus] Declude using CBL to block users sending mail?????

2005-06-13 Thread Matt
sts, and the net result of this would be trapping more spam with fewer false positives if you weight things optimally. Matt Douglas Cohn wrote: My desktop IP was erroneously listed on CBL. It seems that declude is checking authenticated users sending mail for CBL and according to CBL this

Re: [Declude.Virus] viruses getting through

2005-06-08 Thread Matt
If you restart your server without first stopping IMail SMTP service, it will leak messages for several seconds.  Also, if you restart the IMail Queue Manager service it will steal messages from Declude.  Both situations can lead to messages being passed without headers. Matt Daniel Ivey

Re: [Declude.Virus] Banned Extensions Still Getting Through?

2005-06-06 Thread Matt
oming.  All encoding of file names should be decoded before any checks for extensions are made. Matt Paul Crouch wrote: Need some help for a part time sys admin!   Declude Virus/Junkmail Standard 2.0.6.16/F-prot. We have very limited bandwidth so have expanded the b

Re: [Declude.Virus] Second Scanner

2005-06-05 Thread Matt
egree of testing prior to launching new definitions as has been evidenced a couple of times, and of course it was developed originally for Linux. Matt Douglas Cohn wrote: Mcafee is a CPU HOG. Uses double the CPU of Fprot. I have a low powered machine and cannot even run Mcafee but fprot is no proble

Re: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Matt
d most are never exploited in E-mail viruses, so there is probably no reason to not treat all of them the same.  I see no reason why virus scanners wouldn't detect the infected attachments once they were updated with definitions for known threats. Matt John Tolmachoff (Lists) wrote: Sin

Re: [Declude.Virus] EXITSCANONVIRUS

2005-05-29 Thread Matt
Thanks!  The grass is cut and the friends are already on the way over with beer and stuff to burn :) Matt Darin Cox wrote: Sounds good to me.  I tend to think of both virus and spam detection in the same breath, since I think they're stronger together than separate... bu

[Declude.Virus] Correction about Outlook Boundary Space Gap vulnerability

2005-05-29 Thread Matt
e headers for a spam campaign.  Here's an example of the offending code in every one of the 423 spams:     Content-Type: multipart/mixed;boundary= "=_NextPart_000_00C3_5E34EE5.81EF3A57" Note the space between the equals sign and the quote.  You can filter for this easily i

Re: [Declude.Virus] EXITSCANONVIRUS

2005-05-29 Thread Matt
pace is permitted, it is recommended that structured fields, such as those containing addresses, limit folding to higher-level syntactic breaks. For address fields, it is recommended that such folding occur between addresses, after th

Re: [Declude.Virus] EXITSCANONVIRUS

2005-05-29 Thread Matt
the folding of headers by agents that do not otherwise understand the syntax of this field. For this to have been the vulnerability, the whitespace would have needed to have been within the quotes that defined the boundary and not before it. Matt Darin Cox wrote: Hi Matt,   I thi

Re: [Declude.Virus] EXITSCANONVIRUS

2005-05-29 Thread Matt
if not more important as the functionality to the product and the customer base as a whole. Matt Darin Cox wrote: Matt,   Point taken that it may no longer be a vulnerability.  So, call it something different, maybe just another type of spam test, but don't take it away.  They st

Re: [Declude.Virus] EXITSCANONVIRUS

2005-05-29 Thread Matt
any issues by not detecting it at this point.    http://www.eeye.com/html/Research/Advisories/AD20030820.html    http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx There are similar conditions for other vulnerabilities as well.  It was good to have them at the time, but now they

Re: [Declude.Virus] EXITSCANONVIRUS

2005-05-28 Thread Matt
hould only really be done if you can rely on the vulnerability checks to be accurate. Matt John Tolmachoff (Lists) wrote: It appears to be stopping when it finds a vulnerability and does not get scanned for virus. John T eServices For You -Original Message- From: [EMAIL

Re: [Declude.Virus] Question concerning SKIPEXT and GDI+ Vulnerability detection

2005-05-07 Thread Matt
Thank you! Matt Panda Consulting S.A. Luis Alberto Arango wrote: Short answer: MSFT GDIPlus.DLL Vulnerability detection will run with or without SKIPEXT. Long Answer: The GDI vulnerability was added to Declude in version 1.8 -September 2004- and some corrections were added in version

Re: [Declude.Virus] Question concerning SKIPEXT and GDI+ Vulnerability detection

2005-05-06 Thread Matt
ld also be fine with me. Thanks, Matt David Franco-Rocha [ Declude ] wrote: From the source it looks like the JPG would be scanned for the GDIPlus vulnerability regardless of these other directives. David Franco-Rocha Declude Technical Support - Original Message ----- From: "Matt" &l

[Declude.Virus] Question concerning SKIPEXT and GDI+ Vulnerability detection

2005-05-06 Thread Matt
d be a big improvement to be able to skip scanning them, and if we were protected with the vulnerability detection, I would feel comfortable turning off virus scanning of JPG's until a mass-mailing virus is seen. I wouldn't want to leave myself completely unprotected ho

Re: [Declude.Virus] vunerabilities

2005-05-05 Thread Matt
Outlook Long File Name Vulnerability     ALLOWVULNERABILITY    OLLONGFILENAME Matt Nick wrote: Does anyone know or have a list of the vulnerabilities that are a real problem and should be blocked or conversely the vulnerabilities that are not a virus/worm threat? Thanks! -Nick

Re: [Declude.Virus] Incremental Release

2005-05-05 Thread Matt
AWESOME!!! :) Thanks, Matt [EMAIL PROTECTED] wrote: For the foreseeable future Declude will be following a different release strategy. Beginning today we will be issuing Incremental Releases on a regular basis. These releases should be regarded as Beta Code although they will be fully documented

Re: [Declude.Virus] f-prot update script

2005-05-04 Thread Matt
update every 60 minutes offset 30 minutes from F-Prot. "C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe" /HIDDEN /INTERNET Matt   Darin Cox wrote: Hi Andrew, We have monitoring in place to know if any management process fails, so we'll know if this no longer works and we need

Re: [Declude.Virus] w32/Sober.O virus

2005-05-03 Thread Matt
traffic but others like myself are not.  Seems like you have a good handle on things now. Good luck, Matt Panda Consulting S.A. Luis Alberto Arango wrote: Matt and Dave: First of all thank you very much for answering my post. I am using fpcmd.exe Here is my config lines, in case I am

Re: [Declude.Virus] w32/Sober.O virus

2005-05-03 Thread Matt
eficial when you run multiple virus scanners since more CPU can be saved this way. F-Prot is generally very efficient. Matt Panda Consulting S.A. Luis Alberto Arango wrote: FYI: Today we were flooded with a massive incoming emails containing Sober.O (f-prot) virus. We receive aprox 15% of viruses o

Re: [Declude.Virus] SKIPIFFILE

2005-05-03 Thread Matt
SKIPIFEXT works with the banned file names. I believe that they must be the full file name however. For example: SKIPIFEXT DELETED0.TXT Matt John Tolmachoff (Lists) wrote: Is there a SKIPIFFILE similar to SKIPIFEXT for use in the BANNotify.eml file? John T eServices For You --- This E

Re: [Declude.Virus] F-Prot Alternative

2005-05-02 Thread Matt
less you want a full network installation. Matt Colbeck, Andrew wrote: Matt posted the authoritative roundup in a head to head comparison when he revamped his Declude Virus setup. Unless he chimes in here with an updated answer, the answer is somewhere in the archives. Andrew 8) -Original Me

Re: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Matt
%20Shared\Stationery\"> I have no clue what the pattern is that it is hitting of course, but I assume that F-Prot just simply added an overbroad rule.  Most E-mail isn't constructed anything like what Microsoft Word creates. Matt Markus Gufler wrote: Question: Have you all run

Re: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Matt
Docket 2005 - 2 It looks like turning F-Prot off might be a good idea, or at least configuring it to not delete viruses. Matt John Tolmachoff (Lists) wrote: It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as

Re: [Declude.Virus] Who is minding the store

2005-05-02 Thread Matt
In the very least, they should set up a page on the site for bugs and plans for when they will be resolved, or what is being done to resolve them (not everything is a bug in Declude of course). This would be very helpful if it was in fact timely. Matt R. Scott Perry wrote: If Scott would

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-29 Thread Matt
t please don't flame me for speaking my mind :)  I just want to compel methodical progress that benefits more than just myself. Matt Colbeck, Andrew wrote: Ding!   ... and that's why we've spent so much time on this.   The log will show that F-Prot return

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-29 Thread Matt
d the error code for each scanner.  Some scanners don't have parseable reports so when they are run in a multiple scanner config the new logging mechanism would be the only way to properly identify the result for that particular scanner. Matt Colbeck, Andrew wrote: Yes, dur

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Matt
hes a VIRUSCODE value. That leaves two real issues; 1) Time/CPU utilization with F-Prot, and 2) F-Prot continuing to report viruses with an exit code of 8. Matt Matt wrote: Colbeck, Andrew wrote: F-Prot is indeed returning an errorlevel of 8 on this, and it's definitely way out of lin

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Matt
When running Andrew's script, I confirmed that fpcmd.exe hit about 35% during the ~10 seconds that it was running, which is totally uncharacteristic.  I have dual 3.06 Xeons which have hyperthreading turned on (shows up as 4 processors in Windows). Matt Darrell ([

Re: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Matt
h it seems related, but there also seems to be a different bug here with at least F-Prot but possibly also Declude. Matt -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =

[Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Matt
know if there is a different code being returned, or if F-Prot is just bugging out and not returning a code.  Maybe some of you can clear that part up. Matt -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt
not only keeping more Declude processes open, but also increased CPU utilization.  Such a condition is ripe for exploiting, and I'm concerned that it has existed for so long without resolution, and maybe even detection... Matt Nick wrote: On 28 Apr 2005 at 16:44, Matt wrote: Hi Mat

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt
lpful. Matt Bill Landry wrote: Matt, I searched 2 weeks of logs on both of my servers (both of which run F-Prot and TrendMicro) and could only find 4 instances of "Could not find parse string Infection", and they were found on the server that is very heavily loaded.  I use the f

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt
1/2005 14:37:11 Qa2dce53900ee9f9d Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 28098] 04/01/2005 14:37:11 Qa2dce53900ee9f9d From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200] 04/01/2005 14:37:11 Qa2dce53900ee9f9d Subject: Re: Matt Colbeck, Andrew wrote: Ma

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt
Nick, I know.  I sometimes don't read carefully myself :) Matt Nick wrote: On 28 Apr 2005 at 13:50, Matt wrote: Sorry about being wrong on both counts.. but I was trying to help! -Nick Nick, Thanks for the reply, but I think you missed part of the discussion.This

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt
y close attention to this.  I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else.  I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Sco

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt
sorts of delays with the same characteristics.  Seems like a pretty serious and longer-term issue with F-Prot. Matt Markus Gufler wrote: No I've checked this already before: there is no appearance of the spool file name above this line. All I can see is something like  

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt
d and shouldn't otherwise be. Matt Nick wrote: On 28 Apr 2005 at 12:57, Matt wrote: Matt - If this becomes a real problem that you see and can monitor I would revert back to an older scan.exe to eliminate the issue of versions. This is a possible clue: " Could not fi

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt
nding the first entries.  Your entries should look the same or similar to mine.  The first entry for each such message that passes PRESCAN will start with the "MIME file" line.  It seems likely that you are experiencing the same thing. Matt Markus Gufler wrote: Matt, how

Re: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Matt
file contains a report of an error??? I'm also guessing that this might explain the high CPU usage that Darrell was reporting for F-Prot yesterday, though these events are not very common on my system, only about twice an hour it would seem. Matt -- ==

Re: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Matt
also the first time that I upgraded from 1.82, so I am watching my logs carefully.  Everything else seems hunky-dory.  If it's F-Prot that is causing the issue, I would imagine that it should disappear soon.  I would expect that others would also see some of the same. Matt Colbeck, And

Re: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Matt
u usage as most people has leaved the office some hours ago. Time to say good night for me too after haven't seen anything strange with f-prot on my server at the moment. |-) Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt

Re: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Matt
I saw F-Prot time out 3 times today in my logs, and I can't remember that ever happening before. McAfee didn't time out once, and that's usually the first to go. Maybe this explains the issue. I think it's time to do some performance monitoring to see what is up. M

Re: [Declude.Virus] Revisiting the McAfee command line arguments

2005-04-27 Thread Matt
are in one's config and that's fine with me.  I also think that the new release has turned the corner as far as bugs and changes are concerned. Matt Nick wrote: On 27 Apr 2005 at 8:55, Scott Fisher wrote: Thanks Scott - you have some switches I haven't seen ! Also - Declude

Re: [Declude.Virus] Revisiting the McAfee command line arguments

2005-04-27 Thread Matt
rted issues, so I'm going to assume that it is safe to use along with /NOBOOT. I'm still unsure about the heuristic stuff and the other switches.  It seems like using the heuristics are fairly common for those that have tweaked, but the other stuff doesn't seem to be used

Re: [Declude.Virus] Revisiting the McAfee command line arguments

2005-04-27 Thread Matt
urning PRESCAN OFF does result in a 50% increase in CPU utilization on my system when running both F-Prot and McAfee. Would you prefer the approach of including more qualifications for PRESCAN, or just switching it on and off per scanner? Matt Scott Fisher wrote: I'm using: SC

[Declude.Virus] Revisiting the McAfee command line arguments

2005-04-26 Thread Matt
ristics. I'm not sure what FP's either one of these could cause, but some around here do prefer tighter controls despite the risk of more FP's and these might be desirable under those conditions.  I'm not sure how they differ. Any comments or experiences would be appreciat

Re: [Declude.Virus] Adobe PDF embedded attachemt

2005-04-26 Thread Matt
things to detect what is likely a virus that may have passed the virus scanning. Matt Markus Gufler wrote: Although Adobe recommends enabling scanning all file types in order to scan a PDF (and ass/u/me'ing its embedded contents as well), an AV scanner is not currently going to b

Re: [Declude.Virus] McAfee throwing errors

2005-04-25 Thread Matt
't recall F-Prot ever throwing similar errors, though it isn't reliable enough on its own. Matt Scott Fisher wrote: I haven't seen anything obvious in a quick glance through today's logs. Do you have an example? Usually, I just force another download of the dats.

[Declude.Virus] McAfee throwing errors

2005-04-25 Thread Matt
such errors. Is anyone else seeing this? Thanks, Matt -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- This E-mail came from the Declude.Virus mailing

Re: [Declude.Virus] How to check VIRUSCODEs

2005-04-21 Thread Matt
Interesting! Matt Colbeck, Andrew wrote: Thanks for the insight, Matt.   We are used to seeing virus authors doing their seeding from the home-user cable, DSL and even dial-up pools, but these samples were definitely spammer web and email server blocks, and

Re: [Declude.Virus] How to check VIRUSCODEs

2005-04-21 Thread Matt
d to be many years behind us in terms of infrastructure.  SBL should not be listing DUL space. Matt Colbeck, Andrew wrote: The return code = 8 in F-Prot does mean "suspicious file" and not "virus".  In this case, they are not calling the executable Bagle, they are calling

Re: [Declude.Virus] How to check VIRUSCODEs

2005-04-21 Thread Matt
I'm going to send a support request as well.  Maybe if others would do the same, it might have a better chance of getting attention. Matt Colbeck, Andrew wrote: The return code = 8 in F-Prot does mean "suspicious file" and not "virus".  I

Re: [Declude.Virus] How to check VIRUSCODEs

2005-04-21 Thread Matt
John, If you don't mind sharing, what was the issue that you had last week with F-Prot throwing a code 8 on legitimate E-mail?  Or did I get that wrong? Thanks, Matt John Tolmachoff (Lists) wrote: From my understanding is that code 8 means the file is suspect but doe

Re: [Declude.Virus] How to check VIRUSCODEs

2005-04-20 Thread Matt
a banned extension within it). Has anyone contacted F-Prot? Matt Goran Jovanovic wrote: This was originally a thread from the Junkmail list but I am moving it over to the virus list.   > Check your virus log and you may see some code 8 > errors in it. Adding viru

Re: [Declude.Virus] Another new virus

2005-04-19 Thread Matt
cy, it's just a matter of due diligence and if that doesn't work out then I will step it up a bit. Matt Markus Gufler wrote: Another idea, now with the ability to use customizable hold folders in v2   create a test that will move all messages containing a relative small zip

Re: [Declude.Virus] Another new virus

2005-04-19 Thread Matt
und with that a bit as well. Matt Gufler Markus wrote: Good idea to create some combo filter for small zip file attachments!   What about creating an external test that will count up small zip file attachments in a separate file and check if there are more then x suspicious zip

Re: [Declude.Virus] Another new virus

2005-04-18 Thread Matt
nism (a virus).  I'm confident that I can do this in a way that can capture most if not all zip viruses that have been in the wild in the last year though I am concerned about the potential of false positives and that will be the biggest problem in figuring out how to do this. Matt John Tolmachof

Re: [Declude.Virus] Another new virus

2005-04-15 Thread Matt
as a zero byte file with a zip extension.  The pattern that this virus uses results in an automatic hold on my system based on filters designed for zombies (for instance it forges the HELO to match the recipient domain), but most will also fail some DUL or other such tests.  I think Sniffer hit t

Re: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread Matt
on of the file itself as well as the renamed extension, though this appears to not be globally the case based on Andrew's tests that he shared. Matt John Tolmachoff (Lists) wrote: The thing is, it used to work as I have done that before. Renaming the file is only to

Re: [Declude.Virus] RAR followup

2005-04-14 Thread Matt
McAfee has been picking this up as "W32/[EMAIL PROTECTED]" since the first copy arrived at 3 p.m. EST. I assume from the name that this is a generic Bagle detection heuristic that pre-existed the virus. Matt John Carter wrote: Starting to see repeat names. Reminds me of viruses s

Re: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread Matt
My fault for the misread, but I also addressed the issue regardless.  Remove VIRUS CODE 8 from your config if you don't want for this to happen. Matt John Tolmachoff (Lists) wrote: John, I know that you don't follow this logic, but banning regular zips is extreme and u

Re: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread Matt
ate and I'm more than covered there. Matt John Tolmachoff (Lists) wrote: I sent an encrypted zip file out, changing the .zip to ._ip. F-prot scanned it and returned code 8, so Declude dutifully tagged it as infected. Virus Code 8 means suspect, correct? If this is what F-Prot is going to do, we n

Re: [Declude.Virus] to buy another virus-scanner ?

2005-04-01 Thread Matt
virus scanners with better management features such as Symantec. It all depends on your exact goals. Matt Uwe Degenhardt wrote: Hi list, I have the following problem: From time to time I got viruses on my eMail-Server's HD (IMail, 6.06). We have Declude and F-Prot 5.42 running on a Win 2000 S

Re: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Matt
erver without additional configuration, and it will not use Covad's server for lookups unless you configure it to forward requests to their server (which you don't want to do). Setting up a DNS server is really your only legitimate option here. Matt Kevin Rogers wrote: I received the follow

Re: [Declude.Virus] Spam .com files being blocked.

2005-03-16 Thread Matt
it's just spam with a poor choice of name for an image file that is attached.     http://news.com.com/Zombie+PCs+being+sent+to+steal+IDs/2100-7349_3-5616202.html?tag=cd.top Matt Andy Schmidt wrote: Hm,   What version of Declude Virus are you using?   mine

Re: [Declude.Virus] Spam .com files being blocked.

2005-03-16 Thread Matt
with time as his spam campaign ramps up. Matt Scott Fisher wrote: I had to put SKIPIFEXT COM into my bannotify.eml file as a workaround. - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Wednesday, March 16, 2005 10:09 AM

Re: [Declude.Virus] Spam .com files being blocked.

2005-03-16 Thread Matt
bouncing when such a condition is detected. Matt Darin Cox wrote: Yep. I just added SKIPIFEXT COM to my bannotify.eml yesterday. Darin.     - Original Message - From: Scott Fisher To: Declude.Virus@declude.com Sent: Tuesday, March 15, 2005 3:31 PM Subject:

Re: [Declude.Virus] Spam .com files being blocked.

2005-03-16 Thread Matt
an Bogus files should be treated as vulnerabilities are (historically), and not as banned extensions.  I'm running 1.82. Declude, will you please respond to the problem. Matt Darin Cox wrote: Yep. I just added SKIPIFEXT COM to my bannotify.eml yesterday. Darin.     -

Re: [Declude.Virus] ClamAV?

2005-02-17 Thread Matt
If so, that's one to add to the Declude Virus manualScott? Matt Scott Fisher wrote: Try adding this to your command line: --max-ratio 0 The support compression ratio feature (--max-ratio). Overly compressed files may get falsely detected. I believe the 0 turns it off. it worke

Re: [Declude.Virus] McAfee and POP3 service crash

2005-02-07 Thread Matt
Sounds like it's worth a test and some monitoring just to see if there is a measurable difference in mail scanning activities. Thanks for sharing. Matt Colbeck, Andrew wrote: I should have also mentioned that the script first makes a list of the files to

Re: [Declude.Virus] McAfee and POP3 service crash

2005-02-07 Thread Matt
ke being able to turn that off, or at least remove files from the root might make a big performance difference when you have high volume. Thanks, Matt Colbeck, Andrew wrote: FWIW, I recently ran into a weirdness with McAfee; I use the daily dat download (engine plus dats), and have so for

[Declude.Virus] McAfee and POP3 service crash

2005-02-07 Thread Matt
e else seen either one of these errors on their systems? Thanks, Matt -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =

Re: [Declude.Virus] log question

2005-01-26 Thread Matt
are using IMail 8.1x, otherwise, try the Mail From address.  IMail should log the SMTP session and you should be able to piece that together and figure out what happened. Matt Thomas Doxtater wrote: Hi all,   We had some problems with a spam assassin box filling up over the past w

Re: [Declude.Virus] .tiff files

2005-01-26 Thread Matt
't know. Anyway, it seems like it would be your choice what to do with TIFF, though personally, I would not bother scanning it unless I was made aware of JPG viruses spreading and morphing into other extensions. Matt David Sullivan wrote: Does anyone know a reason why .tiff should not be ex

Re: [Declude.Virus] hlp attachments

2004-12-29 Thread Matt
ng HLP files is extremely uncommon and shouldn't be causing too many issues if you do. Matt Greg Little wrote: http://msmvps.com/trafton/ Just added HLP to my block list. (anyone want to vote, we just shut down the internet) Greg --- [This E-mail scanned for viruses by Findlay Internet] --

Re: [Declude.Virus] Upgrade issues

2004-12-22 Thread Matt
would include major changes like this in the release notes, otherwise it gives the appearance of being sneaky when it comes to such items. It is good that this is coming out now while in beta. Matt Info Wind wrote: Dear Greg, I think Declude will not make the mistake like Ipswitch. In the past

Re: [Declude.Virus] Upgrade issues

2004-12-21 Thread Matt
In which regard? - forging virus detection/MTLDB population (turned off by disabling forging virus detection with the "AUTOFORGE OFF" switch) - v1.8x installation (can't turn off, sends an E-mail, not sure what triggers it) - v2.0b installation (unconfirmed, but speculated). Matt

Re: [Declude.Virus] Upgrade issues

2004-12-21 Thread Matt
understand that Declude has a well warranted concern about unlicensed usage of their software and improvements have to be made, however my hands can't be tied nor my or my customer's privacy violated in order to achieve this goal.  Hopefully that will not be the case here. Matt Colbeck, Andr

Re: [Declude.Virus] testvirus.org #17

2004-12-17 Thread Matt
HTML with JavaScript will get scanned. Putting the eicar string in the middle of HTML will trigger your scanner if scanned, but I'm not convinced that it is exploitable in this format. Furthermore, turning PRESCAN OFF can result in +40% extra processor utilization on a system running two scanners.

Re: [Declude.Virus] testvirus.org #17

2004-12-17 Thread Matt
een something exploit this vulnerability and maybe there's a detection issue created by the eicar code in this way? Matt William Stillwell wrote: fixed #16 PRESCAN OFF #17 goes thru, - Original Message - From: "William Stillwell" <[EMAIL PROTECTED]> To: <[

Re: [Declude.Virus] SKIPEXT - PDF

2004-12-14 Thread Matt
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=pdf+virus Matt Mark Smith wrote: Does anyone know of a reason why to scan PDF files? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus

Re: [Declude.Virus] Multiple responses in the report.txt

2004-12-10 Thread Matt
loyees that tends to create more spam, and of course a general rise in spam rates.  Earlier this year I thought that zombie spam had gone through the roof, but in fact what was happening was isolated to the domains that started being dictio

Re: [Declude.Virus] Parallel processing

2004-12-10 Thread Matt
F-Prot. McAfee is of course a bit more responsible with their definitions, so if capacity isn't a problem, I would use that over ClamAV regardless. Matt Colbeck, Andrew wrote: I'm using the f-prot command line scanner, and the lines in the virus.cfg look like this: SCANFILEC:\

Re: [Declude.Virus] Multiple responses in the report.txt

2004-12-10 Thread Matt
single scanner since it appears that they are more stable, though it is clear that any single scanner can have issues from time to time. Matt Colbeck, Andrew wrote: Thanks, Matt. I only went for the Lite version because this is a gateway scanner. The internal mail servers are indeed protected

Re: [Declude.Virus] Advice on Antivirus for System Protection

2004-12-02 Thread Matt
Bill, Thanks a bunch for the kind words. Matt Bill Green dfn Systems wrote: Thanks Matt. I dare say there are probably many like myself that you don't hear from much, but we read the postings and learn a lot from you "regular posters". It is much appreciated. Bill Gr

Re: [Declude.Virus] Advice on Antivirus for System Protection

2004-12-01 Thread Matt
I'm not an expert on Symantec licensing, but you can definitely buy the media online as well. http://shopper-search.cnet.com/search?part=&q=Symantec+Corporate+Edition+media+9.0 Matt Dean Lawrence wrote: Matt, Looking at the costs on cnet, I don't see any mention of if you

Re: [Declude.Virus] Advice on Antivirus for System Protection

2004-12-01 Thread Matt
sure that you purchase over the Internet to save substantially. http://shopper-search.cnet.com/search?part=&q=Symantec+Corporate+Edition+Server+9.0 Matt Bill Green dfn Systems wrote: We've been using Declude/F-Prot to protect our email users, and Symantec Corp. Ed. to protect t

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread Matt
anned.  That would be difficult to prove unless your Debug log has more information such as the file names created and the sizes of each file, and this exposed a flaw. Matt Bill Landry wrote: - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]>

Re: [Declude.Virus] F-Prot 3.16 New Exit Codes

2004-11-21 Thread Matt
riggering exit code 9 on damaged files might be highly indicative of corrupt viruses, but it could also trip on many different forms of corrupt data, and could cause false positives. I wouldn't recommend adding these codes to Declude based on the release notes. Matt Goran Jovanovic wrote

Re: [Declude.Virus] F-Prot 3.16 question.

2004-11-19 Thread Matt
t's own, but I could be wrong). http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html Matt Panda Consulting S.A. Luis Alberto Arango wrote: Their release notes say "Among improvements introduced in version 3.16 of F-Prot Antivirus for Windows is a new

Re: [Declude.Virus] ClamAV scan time

2004-11-16 Thread Matt
ubstantial relief.  If his other scanner isn't F-Prot, he should also think about switching because there is nothing as efficient as F-Prot, and it hardly uses any resources. Matt Terry Fritts wrote: ClamAV when not run in daemon mode is very slow in comparison to other virus scanners.

Re: [Declude.Virus] ClamAV scan time

2004-11-15 Thread Matt
s. I played around with daemon mode several months back, but there was an issue with the service not shutting down when you told it to, so I abandoned it for the time being. Maybe some others have information about how to do this properly now with newer builds. Matt John Carter wrote: Has a
