[Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread John Tolmachoff (Lists)
I sent an encrypted zip file out, changing the .zip to ._ip. F-prot scanned it and returned code 8, so Declude dutifully tagged it as infected. Virus Code 8 means suspect, correct? If this is what F-Prot is going to do, we need to rethink having users/clients rename files. 04/14/2005 09:04:54.958

Re: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread Matt
John, I know that you don't follow this logic, but banning regular zips is extreme and unnecessary IMO. Declude will scan any attachment regardless of the extension unless you tell it to skip a particular extension. The error that F-Prot returned is one of those non-specific, possible virus

RE: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread John Tolmachoff (Lists)
John, I know that you don't follow this logic, but banning regular zips is extreme and unnecessary IMO. Declude will scan any attachment Matt, my original post said encrypted zips. This was an encrypted zip and contained an executable. I do not ban regular zips unless they contain an

Re: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread Matt
My fault for the misread, but I also addressed the issue regardless. Remove VIRUS CODE 8 from your config if you don't want for this to happen. Matt John Tolmachoff (Lists) wrote: John, I know that you don't follow this logic, but banning regular zips is extreme and unnecessary

RE: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread John Tolmachoff (Lists)
I guess my question is what has changed in F-Prot and is anyone else seeing this? F-Prot was not tagging these before? John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, April 14, 2005 11:13

RE: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread Colbeck, Andrew
John, I don't think you mention what kind of file was in your encrypted zip. I just took a try at repeating the test as it may be applicable to my own environment. I block encrypted banned extensions with: BANEZIPEXTS ON and .doc file is not in my list of banned extensions,

[Declude.Virus] Possible new virus?

2005-04-14 Thread John Tolmachoff (Lists)
I have seen in the last hour 4 e-mails blocked for [RAR-EXE] and each one had a blank subject line. Each one also had the recipient's user part of the e-mail address as the sender's user part of the e-mail address. John T eServices For You --- This E-mail came from the Declude.Virus mailing

[Declude.Virus] Heads up on RAR's

2005-04-14 Thread John Carter
I am currently getting a LOT of msgs with RAR attachments coming in. None of the scanners are finding anything yet, the nature of volume, sender/recipient is suspicious. Often as not the username of sender and recipient are the same, but sender domain is always changing. Have not seen any

[Declude.Virus] RAR followup

2005-04-14 Thread John Carter
Starting to see repeat names. Reminds me of viruses sent by RAR last year (and caught by scanners.) Names: Forest, It_is_about_you, prices, jokes John

Re: [Declude.Virus] Possible new virus?

2005-04-14 Thread Scott Fisher
I had some today that fit this description. McAfee found them as: the W32/[EMAIL PROTECTED] - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, April 14, 2005 4:19 PM Subject: [Declude.Virus] Possible new virus? I have

Re: [Declude.Virus] RAR followup

2005-04-14 Thread Matt
McAfee has been picking this up as W32/[EMAIL PROTECTED] since the first copy arrived at 3 p.m. EST. I assume from the name that this is a generic Bagle detection heuristic that pre-existed the virus. Matt John Carter wrote: Starting to see repeat names. Reminds me of viruses sent by RAR last

Re: [Declude.Virus] RAR followup

2005-04-14 Thread Darin Cox
We just saw a rash of them as well. Same patterns you mentioned. Glad we're holding on RAR! Darin. - Original Message - From: John Carter [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Thursday, April 14, 2005 5:29 PM Subject: [Declude.Virus] RAR followup Starting to see

RE: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread John Tolmachoff (Lists)
The thing is, it used to work as I have done that before. Renaming the file is only to bypass the banned extension. The file is still scanned. However, F-Prot never stopped it as code 8 before. John T eServices For You -Original Message- From: [EMAIL

Re: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread Matt
John, I think that you might be starting with the assumption that renaming the file is what is causing the code 8, but that might be a bad assumption. If you resend the same file with the normal extension, it should still get a code 8 if this is the case. This should be easy to