RE: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-06 Thread Markus Gufler



Hi Bill

Regarding the viruscodes 9 and 10 that were introduced 
with f-prot 3.16, I will quote the release notes:

Archive handling has been improved and is now more consistent. Version 
3.16 also includes detection against so-called "archive 
bombs", archives... ... If the limit is exceeded then 
it will exit with a new exit code 10 (some files were not 
scanned; in this case because maximum archive level was reached). The 
OnDemand Scanner scans an infinite number of levels by default but this 
behaviour can be changed using the same command-line switch. The 
RealTime Protector scans to a depth of one level by default. Another 
new exit code has been added to the OnDemand Scanner and the Command-Line 
Scanner, exit code 9. This exit code indicates that 
some files were not scanned, e.g., encrypted files, 
because of unsupported/unknown compression methods, because 
of unsupported/unknown file formats, corrupted or invalid files. Both 
exit code 9 and 10 indicate that some files were not scanned and, therefore, 
they can not be guaranteed to be clean. The difference between them is 
that if exit code 10 occurs then some settings can be changed (e.g., increase 
the maximum allowed archive depth) and the scanner might be able to scan the 
file. If, however, exit code 9 occurs then the scanner is not able to scan 
the file. A complete list of the exit codes can be found at 
http://www.f-prot.com/support/windows/fpwin_faq/65.html
So exit code 10 seems ok to me, but I'm not sure what 
exit code 9 means in the real world. 
What "compression methods" and "file formats" are 
supported and what not? 

If a legit message contains one little unsupported 
or corrupt file with disabled notifications, this will cause a false positive. 
Right?

Does anyone have something against a feature request like 
ONLYIFEXITCODEIS? 
So we could set up end user notifications for certain 
"suspicious" exit codes.
During outbreaks while signatures are missing this 
will block messages and show the end users that the virus filter is here and 
working. After the signature update the exit code usually should become 3 or 
6.

Markus



  
  

Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Bill Landry



I reported this issue quite some time ago, when 
Scott was still running the show, and never got a satisfactory answer. You 
can scan the raw d*.smd file with f-prot and it will detect the virus, but run 
it through Declude Virus, and the virus goes through undetected. After 
pestering and prodding for several days, I finally gave up on getting a response 
that made sense. But it must have something to do with the way Declude 
Virus is stripping off the mime encapsulation before calling f-prot to scan the 
message.

I have copied this to the Declude Virus list, as 
well, since it really belongs there rather than on the IMail list.

Bill

  - Original Message - 
  From: Michael Graveen 
  To: Imail_Forum@list.ipswitch.com 
  Sent: Thursday, February 02, 2006 1:15 PM
  Subject: RE: [IMail Forum] Realistic virus threat?

  I've had F-Prot miss this virus on the mail server (being 
  called from Declude). But it's caught coming to my desktop, with the 
  same virus scanner. Is anyone else seeing this?

  Mike

  At 02:25 PM 2/2/2006, you wrote:
  I believe F-Prot calls it W32/[EMAIL PROTECTED]

  From: Stephen Guluk [mailto:[EMAIL PROTECTED]] 
  Sent: Thursday, February 02, 2006 2:19 PM
  To: Imail_Forum@list.ipswitch.com
  Subject: [IMail Forum] Realistic virus threat?

  Off topic but still related to email... 
  Had a couple clients that called concerned about this virus that is 
  said to open and do its damage tomorrow:
  [EMAIL PROTECTED]
  Win32.Nyxem.e
  I run F-prot on my mail server and their list of virus definitions 
  shows nothing pertaining to this virus name. I wrote them but expect that 
  they are sleeping since they are in Iceland.
  Anyone else running F-prot and know any more info on it? Is this a real 
  threat?
  Regards, 
  Steve Guluk
  SGDesign
  (949) 661-9333
  ICQ: 7230769


RE: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Colbeck, Andrew



My raw speculation:

1) It is missed because the virus.cfg is using the 
"PRESCAN ON" switch (the default, I believe) and the declude.exe 
application does not decode the MIME or other coding as flexibly as a mail 
client would, or makes an uninformed decision about what is an object worth 
scanning.

ANSWER: use PRESCAN OFF instead. This will incur 
more CPU time as the selected antivirus scanner(s) will be scanning all 
objects.

2) For F-Prot specifically, the /server switch is not 
being used and therefore F-Prot is not doing the message format decoding. 
If Declude did a perfect job, this setting would be 
irrelevant.

ANSWER: use the /server switch in your SCANFILE 
definition. This would cause more CPU time on the few messages that appear 
as nested message encoding; it is intended for scanning servers with multiple 
mailbox formats and nested messages.


I follow my own advice on these two points and do not 
have a problem with F-Prot under Declude EVA missing known 
viruses.


Andrew 8)



  
  


Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Bill Landry



Andrew, I already have PRESCAN set to off and use 
the /server switch with F-Prot, so those were not the issue that was causing 
this behavior for me. From my virus.cfg:

    # F-Prot
    SCANFILE1    C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
    VIRUSCODE1   3
    VIRUSCODE1   6
    VIRUSCODE1   8
    VIRUSCODE1   9
    VIRUSCODE1   10
    REPORT1      Infection:
    PRESCAN      OFF

Bill


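Markus's question about what exit codes 9 and 10 should mean for a message, together with Bill's virus.cfg above, as an added example (not code from the thread, from Declude or from F-Prot): a Python sketch of the decision logic the proposed ONLYIFEXITCODEIS directive would need. It parses the config lines, pulls the -ARCHIVE depth out of the SCANFILE command line, and holds messages with exit code 9 or 10 instead of treating them as infected or clean. The ONLYIFEXITCODEIS1 key, the whitespace-separated config syntax and the sample config are assumptions.

```python
import re

# Constructed sample: Bill's virus.cfg fragment plus Markus's proposed
# ONLYIFEXITCODEIS1 line (hypothetical directive, not a Declude option).
SAMPLE_VIRUS_CFG = """\
# F-Prot
SCANFILE1\tC:\\Progra~1\\FSI\\F-Prot\\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1\t3
VIRUSCODE1\t6
VIRUSCODE1\t8
VIRUSCODE1\t9
VIRUSCODE1\t10
REPORT1\tInfection:
ONLYIFEXITCODEIS1\t9 10
PRESCAN\tOFF
"""

# Meanings of the two "not fully scanned" codes, as quoted from the F-Prot 3.16 notes.
UNSCANNED_CODES = {
    9: "some files not scanned (encrypted, unsupported compression/format, corrupt)",
    10: "some files not scanned because the maximum archive level was reached",
}

def parse_virus_cfg(text):
    """Parse KEY VALUE lines (assumed whitespace-separated) of a virus.cfg fragment."""
    cfg = {"scanfile": None, "viruscodes": set(), "notify_codes": set(), "prescan": None}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "SCANFILE1":
            cfg["scanfile"] = value
        elif key == "VIRUSCODE1":
            cfg["viruscodes"].add(int(value))
        elif key == "ONLYIFEXITCODEIS1":  # hypothetical, per Markus's request
            cfg["notify_codes"].update(int(v) for v in value.split())
        elif key == "PRESCAN":
            cfg["prescan"] = value.upper()
    return cfg

def archive_depth(scanfile):
    """Return the -ARCHIVE=N depth from the SCANFILE command line, or None."""
    m = re.search(r"-ARCHIVE=(\d+)", scanfile or "", re.IGNORECASE)
    return int(m.group(1)) if m else None

def classify(exit_code, cfg):
    """Map one fpcmd exit code to (disposition, notify_end_user, note); 9 and 10
    are "hold" (not fully scanned, so not vouched clean, but not a confirmed
    infection), VIRUSCODE1 entries are "infected", notify follows ONLYIFEXITCODEIS1."""
    notify = exit_code in cfg["notify_codes"]
    if exit_code in UNSCANNED_CODES:
        note = UNSCANNED_CODES[exit_code]
        depth = archive_depth(cfg["scanfile"])
        if exit_code == 10 and depth is not None:
            note += f"; a rescan with -ARCHIVE above {depth} may complete"
        return ("hold", notify, note)
    if exit_code in cfg["viruscodes"]:
        return ("infected", notify, f"exit code {exit_code} is a configured VIRUSCODE1")
    if exit_code == 0:
        return ("clean", notify, "no infection reported")
    return ("error", notify, f"exit code {exit_code} not handled; scan did not complete")
```

Because 9 and 10 are checked before the VIRUSCODE1 set, a config like Bill's that lists them as virus codes still yields "hold" rather than a false infection verdict.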

RE: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Colbeck, Andrew



3) On a very busy server, Declude may be aborting 
the scan because it is taking too long. The default is 60 
seconds.

ANSWER: Use SCANNERTIMEOUT 90 in the virus.cfg or some 
other time value of your choosing.

Andrew 8)



  
  


Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

2006-02-02 Thread Bill Landry



Scan timeouts were not the issue either, since my 
secondary Declude Virus scanner (TrendMicro) would catch the virus fine, and the 
logs would show the scanning to be taking a mere second or two.

Bill
