Re[8]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread David Sullivan
I turned it off and it still got through.

Test #17: Eicar virus hidden using the CR Vulnerability (attachment can be
opened by all versions of Microsoft Outlook and Outlook Express)

RSP> I just checked this one, and it got through here, too.  I examined the raw
RSP> source of the E-mail, and there doesn't appear to be a lone CR character in
RSP> it, so it doesn't appear to actually contain the Outlook CR Vulnerability.

Scott, what do you get for test #22? Some have reported it caught
while others haven't. My F-Prot config is:

SCANFILE P:\Progra~1\fsi\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
REPORT Infection:


-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.


RE: Re[8]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread Colbeck, Andrew
Ditto.  I thought Declude called the scanner(s) on the d*.smd, plus
extracted all the segments out and scanned those too.  Is that
incorrect?

Also, does Declude recursively unpack MIME segments, if one of the
attachments is itself a .eml file or .smd file, would any attachments
inside it be unpacked and the scanner(s) called on those?

Sorry to ask that second part, as I know I could test that second case,
but first I'd have to go and turn off my internal scanner!

Andrew 8)



RE: Re[8]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread R. Scott Perry

> Also, does Declude recursively unpack MIME segments, if one of the
> attachments is itself a .eml file or .smd file, would any attachments
> inside it be unpacked and the scanner(s) called on those?

Yes.
   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


This outgoing message is guaranteed to be authentic by Message Level users.
Guarantee the authenticity of your email @ http://www.messagelevel.com.


Re: Re[8]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread Bill Landry

- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, December 20, 2004 1:57 PM
Subject: RE: Re[8]: [Declude.Virus] testvirus.org #22


> Ditto.  I thought Declude called the scanner(s) on the d*.smd,
> plus extracted all the segments out and scanned those too.  Is
> that incorrect?

This is actually what I was requesting that Scott have Declude do (same as
what amavisd-new recently enabled mail admins to do), set a switch to enable
scanning of the decoded parts as well as the message in its entirety, if
desired.  However, there would be a trade-off here in that scanning would
take a bit longer to complete, but it would be up to each individual mail
admin to decide whether to enable the switch or not.

Bill



Re[8]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread R. Scott Perry

> Scott, what do you get for test #22. Some have reported it caught
> while others haven't. My F-Prot config is:

It's caught here.
Unfortunately, I can't find any information on that vulnerability, so I 
can't explain why it might or might not get caught.

   -Scott


RE: Re[8]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread Colbeck, Andrew
Thanks, Scott.  I constructed 2 tests anyway, one with an executable in
an attached .eml file and one where that executable is a virus.

It *looks* like this is a special case, i.e. where all unpacked
attachments, including .smd are unpacked, and then the folder scanned:

So with a single message, the .smd file is not scanned.  If an
attachment is itself an .smd file, it will be scanned and also all of
the attachments that need to be unpacked and scanned.  Ditto for .mim
attachments that contain an executable.

I haven't trotted out Winternals FileMon to verify that though... I'm
guesstimating based on what I see at DEBUG level.

I'd agree with Bill Landry and also request that Declude implement a
switch in virus.cfg that lets us choose whether to scan the native
email and all native attachment formats.

Since you wrote that optimization into Declude, the antivirus scanners
have progressed.  F-Prot has the /dumb and /server options, and McAfee
has the /MIME option.

Andrew 8)
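
Added example, not Declude's code and not written by anyone in this thread: a Python sketch of the two checks discussed above, namely looking for a lone CR in the raw source and handing a scanner both the whole message and every decoded part, recursing into attachments that are themselves mail files. The function names, the depth cap, the rule that `.eml`/`.smd` attachments are re-parsed as RFC 822 source, and the sample message are all assumptions made for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

LONE_CR = re.compile(rb"\r(?!\n)")   # a CR that is not followed by LF
MAX_DEPTH = 5                        # assumed cap against deeply nested mail
NESTED_EXT = (".eml", ".smd")        # assumption: treat these as RFC 822 source

def has_lone_cr(raw: bytes) -> bool:
    """True if the raw message source contains a bare CR."""
    return LONE_CR.search(raw) is not None

def scan_units(raw: bytes, depth: int = 0, label: str = "message"):
    """Yield (label, bytes) for the message as a whole and each decoded part."""
    yield label, raw                 # the native message, as Bill's switch would add
    if depth >= MAX_DEPTH:
        return                       # still scanned whole, but not unpacked further
    msg = email.message_from_bytes(raw, policy=policy.default)
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():      # containers, including message/rfc822
            continue
        data = part.get_payload(decode=True) or b""   # base64/QP decoded
        name = part.get_filename() or f"part{i}"
        child = f"{label}/{name}"
        if name.lower().endswith(NESTED_EXT):
            yield from scan_units(data, depth + 1, child)
        else:
            yield child, data

def build_sample() -> bytes:
    """Constructed sample: a message carrying a .eml that carries an executable."""
    inner = EmailMessage()
    inner["Subject"] = "inner"
    inner.set_content("inner body")
    inner.add_attachment(b"CONSTRUCTED-PAYLOAD", maintype="application",
                         subtype="octet-stream", filename="tool.exe")
    outer = EmailMessage()
    outer["Subject"] = "outer"
    outer.set_content("outer body")
    outer.add_attachment(inner.as_bytes(), maintype="application",
                         subtype="octet-stream", filename="forwarded.eml")
    return outer.as_bytes()

if __name__ == "__main__":
    sample = build_sample()
    print("lone CR in raw source:", has_lone_cr(sample))
    for unit_label, unit_data in scan_units(sample):
        print(unit_label, len(unit_data), "bytes")
```

Each yielded unit would be written to the scan folder and passed to the command-line scanner; the executable inside the attached `.eml` only becomes visible as its own unit because of the recursive call.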
