RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread marc
installed 1.80 declude virus (restart imail smtp) and sending the infected JPEG jpegcompoc.zip (http://www.gulftech.org/?node=downloads) it was not automatically detected and goes through, using F-Prot 3.15B updated. virus.cfg: SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM

Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Info Wind
Dear Marc, where did you get the dos scanner for f-prot? On the page of F-prot there is still only Version 3.15A available. Bye, Uwe - Original Message - From: marc [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 28, 2004 1:39 PM Subject: RE: [Declude.Virus] Fprot GDI

Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Matt
Could it be that the vulnerability detection doesn't work when enclosed in a zip file? That might be too big of a leap for Declude at the moment. I just tested the same and Declude missed it when zipped, F-Prot gave an error 8 which is a heuristic hit, and McAfee did in fact tag the virus

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Markus Gufler
, 2004 2:09 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Fprot GDI Scanner lines. Could it be that the vulnerability detection doesn't work when enclosed in a zip file? That might be too big of a leap for Declude at the moment. I just tested the same and Declude missed it when

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread marc
Uwe is right: http://www.f-prot.com/news/gen_news/040924_release_all.html New versions of F-Prot Antivirus for Exchange and of F-Prot Antivirus for DOS will be released in the next few days. 3.15B just windows upgraded. But I understand that the new release of Declude Virus will automatically

Re[2]: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Sanford Whiteman
It seems fairly certain that this virus will be released within an encrypted zip Maybe, maybe not. The easiest way to get a payload delivered via e-mail right now is certainly to just pop a JPEG directly into an HTML message and rely on unpatched Outlook to render it;

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Nick
On 27 Sep 2004 at 17:31, R. Scott Perry wrote: The latest release of Declude Virus will automatically detect the GDIPlus.dll JPEG exploit. How can I confirm this? When I send myself the exploit I do not receive the email - good- but in my virus logs all I see is 'error in scannerx' and

Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Matt
Yes, I doubt that in the early examples, there will be a need to do anything but pump out automatically executing E-mails with bogus JPG's. Over time infected JPG's might very well become a standard method of infection along with all of the various forms which may include infected JPG's

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Keith Johnson
, is this true? Thanks for the aid, Keith -Original Message- From: [EMAIL PROTECTED] on behalf of Nick Sent: Tue 9/28/2004 9:40 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus] Fprot GDI Scanner lines

Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Greg Little
As I recall, IF a virus scanner calls it bad, there is no further checking. (So, if your AV vender is doing their job right, you would have to disable the AV scanner(s) to test.) Greg Keith Johnson wrote: I too am seeing this same behavior. I am running HIGH logging and 1.80 version. All I

Re: [Declude.Virus] Fprot GDI Scanner lines. - slight change of topic multiple scanners

2004-09-28 Thread Nick
On 28 Sep 2004 at 10:43, Greg Little wrote: Greg, As I recall, IF a virus scanner calls it bad, there is no further checking. Is this for an individual scanner or multiple scanners? All the scanners run (sic) even if the one before discovers a virus on my system. -Nick . --- [This E-mail

Re: [Declude.Virus] Fprot GDI Scanner lines. - slight change of topic multiple scanners

2004-09-28 Thread Greg Little
Good catch. ALL AV scanners will run. If one or several scanners finds a virus, then I believe the new JPEG tests in 1.80 will be ignored. (This would complicate confirmation testing for the new JPEG test) Greg Nick wrote: On 28 Sep 2004 at 10:43, Greg Little wrote: Greg, As I

Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Nick
: Tue, 28 Sep 2004 13:18:15 -0500 From: Terry Fritts [EMAIL PROTECTED] Organization: Smart Business Solutions, Inc. To: Nick [EMAIL PROTECTED] Subject:Re: [Declude.Virus] Fprot GDI Scanner lines. Send reply to: [EMAIL PROTECTED

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Keith Johnson
] On Behalf Of Bill Landry Sent: Saturday, September 25, 2004 11:22 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Fprot GDI Scanner lines. - Original Message - From: Mark Smith [EMAIL PROTECTED] Actually

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Keith Johnson
To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.Virus] Fprot GDI Scanner lines. Mark, What did you use to generate the GDI Exploit test file? Thanks Keith -Original Message- From: [EMAIL

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Dave Marchette
Same here. Is there a way to make f-prot w\Declude catch these? -Original Message- From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Monday, September 27, 2004 12:51 PM To: [EMAIL PROTECTED

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread R. Scott Perry
Same here. Is there a way to make f-prot w\Declude catch these? The latest release of Declude Virus will automatically detect the GDIPlus.dll JPEG exploit. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Andy Schmidt
] On Behalf Of R. Scott Perry Sent: Monday, September 27, 2004 05:32 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Fprot GDI Scanner lines. Same here. Is there a way to make f-prot w\Declude catch these? The latest release of Declude Virus will automatically detect the GDIPlus.dll JPEG exploit

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread R. Scott Perry
Which one is considered the latest. Unless otherwise specified, latest refers to a beta or release. In this case, it is specifically the v1.80 release. Is that the mysterious latest interim 20 that end-users have announced on this list? There's nothing mysterious about interims. We do not

[Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Mark Smith
Just did some testing with the POC and noticed that Fprot now is adding a new line to the report.txt: e:\imail\test\poc.jpg Contains the exploit named W32/[EMAIL PROTECTED] So I had to add the line: REPORT Contains the exploit named to my virus.cfg file. My complete setup for F-Prot

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Mark Smith
: Saturday, September 25, 2004 2:49 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Fprot GDI Scanner lines. Just did some testing with the POC and noticed that Fprot now is adding a new line to the report.txt: e:\imail\test\poc.jpg Contains the exploit named W32/[EMAIL PROTECTED] So I had

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Markus Gufler
My complete setup for F-Prot is now:
SCANFILE c:\progra~1\fsi\f-prot\FPcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /SERVER /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
REPORT Infection:
REPORT Contains the exploit named

Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Bill Landry
- Original Message - From: Mark Smith [EMAIL PROTECTED] Actually this breaks Declude because Declude Virus can't look for multiple REPORT lines. Scott, How can we setup Declude Virus to look for multiple lines in the report.txt file? I've been running F-Prot Version 3.15b since

Re[2]: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Sanford Whiteman
How can we setup Declude Virus to look for multiple lines in the report.txt file? Perhaps two almost-but-not-quite-identical SCANFILE entries with different REPORT entries...? Yes, double the resource utilization. Only a stopgap and not tested yet. --Sandy