Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-29 Thread R. Scott Perry
Hmmm, I thought that since Declude Virus does the decoding and scanner calls, that you might be interested in testing this yourself... Yes. That's why I tested it, and found that Declude Virus is decoding the attachments properly, and found a very plausible explanation as to why ClamAV isn't

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-29 Thread Bill Landry
- Original Message - From: R. Scott Perry [EMAIL PROTECTED] Hmmm, I thought that since Declude Virus does the decoding and scanner calls, that you might be interested in testing this yourself... Yes. That's why I tested it, and found that Declude Virus is decoding the attachments

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread R. Scott Perry
Nope, in my testing of three command-line scanners, the attached test.txt file contains the minimum needed to detect the file as containing a virus (copied your virustrap address, as well, in case this gets blocked to the list). It certainly does. The question is whether the AV program is

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread Bill Landry
- Original Message - From: R. Scott Perry [EMAIL PROTECTED] Nope, in my testing of three command-line scanners, the attached test.txt file contains the minimum needed to detect the file as containing a virus (copied your virustrap address, as well, in case this gets blocked to the

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread R. Scott Perry
If the virus scanner were at fault (because of a decoding issue) then I have to ask again, why can TrendMicro detect the virus when scanning the raw D*.SMD file, but not when sent to it by Declude Virus? You would have to ask them. Declude Virus is decoding the E-mail properly. My guess is that

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread Bill Landry
- Original Message - From: Matt [EMAIL PROTECTED] I believe that Declude creates a directory for all attachments in each message, and then Declude calls the scanner to scan the entire directory. I believe that for inline content such as text/plain and text/html, these files will be

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread Bill Landry
- Original Message - From: R. Scott Perry [EMAIL PROTECTED] If the virus scanner were at fault (because of a decoding issue) then I have to ask again, why can TrendMicro detect the virus when scanning the raw D*.SMD file, but not when sent to it by Declude Virus? You would have to

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-28 Thread Bill Landry
- Original Message - From: Matt [EMAIL PROTECTED] I believe that Declude creates a directory for all attachments in each message, and then Declude calls the scanner to scan the entire directory. I believe that for inline content such as text/plain and text/html, these files will be

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-27 Thread R. Scott Perry
Scott, attached is the raw source of this BOFRA.B message, it looks like HTML to me. In fact, when I scan the D*.SMD file from the command-line, TrendMicro identifies the file as HTML_BOFRA.B and ClamAV as HTML.Mydoom.email-gen-1. What does the Declude Virus log file show for this E-mail?

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-27 Thread Bill Landry
- Original Message - From: R. Scott Perry [EMAIL PROTECTED] Scott, attached is the raw source of this BOFRA.B message, it looks like HTML to me. In fact, when I scan the D*.SMD file from the command-line, TrendMicro identifies the file as HTML_BOFRA.B and ClamAV as

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-27 Thread R. Scott Perry
Attached is the log output for the message I forwarded to your virustrap address. It looks like everything is working fine. My guess is that the virus scanner will only try to detect the phishing E-mails if it gets the entire E-mail file (including headers), perhaps as a precaution to help

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-26 Thread R. Scott Perry
Scott, we have the following entry in our virus.cfg files on both of our IMail/Declude servers:
    SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /VSTEMP=m:\temp\ /LR=report.txt
    VIRUSCODE2 1
    REPORT2 Found
I also have:
    PRESCAN OFF
However, this particular PayPal phishing

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-26 Thread Bill Landry
- Original Message - From: R. Scott Perry [EMAIL PROTECTED] Scott, we have the following entry in our virus.cfg files on both of our IMail/Declude servers:
    SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /VSTEMP=m:\temp\ /LR=report.txt
    VIRUSCODE2 1
    REPORT2

Re: [Declude.Virus] HTML_BOFRA.B not getting caught by Declude Virus

2004-11-26 Thread R. Scott Perry
As you can see, Declude is seeing the exit code as 0 from both scanners. How is the file changed when scanned by Declude Virus versus when scanned manually by TrendMicro that would cause TrendMicro to report the file differently? Declude Virus won't send the text section to the virus scanner, as