-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In <mid:15424395968.20021027185451@theycallmesimon.co.uk>,
Simon [S] wrote:

S> The AVG plugin only catches the eicar.com virus attachment out
S> of all the exploits sent by gfi.com.

I ran the same test and got the same result with DrWeb.

Which begs the question on this test. Are virus scanners supposed to
quarantine files that aren't really viruses? I've never had a
genuine virus not get quarantined by NOD32 and now DrWeb.

S> Although AVG catches the eicar.com virus attachment, it failed
S> to catch and quarantine any of the others.

<yawn> ;) I really question the applicability of such tests. The
main problem with this test being that real viruses aren't being
used.

For example, the message with the .vbs file attached came through
saying:

,-----[ begin ]----->>
|
| Your mail server has just accepted and sent you an 
| email containing a .vbs attachment! This means it is 
| relying on desktop level security to protect you.
| You should now try to run the attachment.|
|
'-----[  end  ]-----||

Not necessarily. It could just mean that your virus scanner doesn't
simply consider any file with a .vbs extension a virus.

It further says:

,-----[ begin ]----->>
|
| If you can run this file, then you are vulnerable to 
| attacks by email viruses like the LoveLetter, and 
| AnnaKournikova. VBS files contain commands which, 
| when executed, can do virtually anything on the 
| recipient's PC. This includes running malicious code 
| such as viruses and worms.  |
|
'-----[  end  ]-----||

If you can run a .exe file then this makes you vulnerable to all
virii that are .exe files. If you run .com files or .cmd files (I do
this everyday) then you're vulnerable to virii that use these
extensions. I guess it wouldn't be practical to mention those
filetypes eh? The statement above just seems ridiculous to me.

This is the basic theme of the whole exercise. They send you
harmless files, using file extensions that are potentially dangerous
when abused, but legitimate file-types in their own right.

What protects you is your choice of software, a good anti-virus
program not necessarily rigged to pass such tests, and carefulness
on the part of the user to not open received attachments willy-nilly.

If you use Outlook then you'll end up crippling your system to
really protect it from virii. I don't remember what A-V software I
was using at the time, but I was discussing a virus with someone and
they quoted the virus's name in their reply. The message was
intercepted as being infected, *just because it had the virus's name
in the body text*. I don't know about you but I was not impressed
and got rid of the scanner. I detest ridiculous false positives like
that one.

S> Kaspersky on its own catches only 5 of the possible 11 (which is
S> expected really I suppose). So there is no advantage having both
S> plugins installed for one,

I fail to see your reasoning behind why this is so after doing
this single test. This test doesn't in any way confirm that one
scanner may detect a virus that the other cannot.

S> and second, it seems that either I have a problem or the Kaspersky
S> plugin has a problem. Third, to eventually get around to the
S> original question, which I failed to answer ;), no scanners I
S> tested detect virii in fragments, or after fragments had been
S> reassembled in the inbox, which is a vulnerability of course.

Perhaps a vulnerability for Outlook users but not for you. ;) This
technique seems to have been designed to get past those who use POP3
scanners and don't run a realtime scanner.

However, if you're a TB! user, and the fragmented virus is
reassembled in your inbox, it will not be executed. Additionally, if
your virus scanner is aware of this virus and you're using one of
the TB! anti-virus plug-ins, you will not be allowed to save the
file to disk (if you store your attachments with the message. If you
don't then the file is already stored on the disk) or execute it.

If you're running Outlook with an A-V scanner that doesn't detect
the virus, then the virus is automatically executed and installed by
Outlook and you're toast. But you're using Outlook. Aside from
crippling the system, one cannot help much if the instrument has
fundamental flaws.

S> Lastly, using both AVG and Kaspersky plugins gives unpredictable
S> results. Sometimes all 11 emails end up in the inbox, and neither
S> scanner manages to quarantine anything. And that is odd!

Now you're onto something. This is a valid reason for not running
both of them. They seem to interfere with each other, rather than
complement each other. Have them do different things, but not the
same thing.

I have both NOD32 and DrWeb running. I decided to retry DrWeb
because NOD32's plugin causes this annoying flickering into view of
the NOD32 window whenever an attachment comes in and is being
scanned. The flickering of the window causes the window I'm working
in to lose focus.

Anyway, I have DrWeb doing the e-mail scanning. It works really
well. And I have NOD32 doing the real-time scanning.

I was one of those who couldn't justify running both the plug-in and
the real-time scanner. However, after reading about Nimda, I've
changed my mind. Nimda gets on your machine if you browse an
infected server and you have JavaScript enabled. A script on the
server is executed that leads to the downloading of the virus to
your machine. Through a weakness in IE which has since been fixed,
the virus is auto-executed and your machine gets infected. Using
only the TB! plug-in wouldn't prevent such an infection, even if the
scanner has a definition for Nimda. However, a realtime scanner
would prevent the infection.

- -- 
Allie C Martin     \      TB! v1.62/Beta7 & WinXP Pro (SP1)
 List Moderator    /   PGP Key - http://pub-key.ac-martin.com
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Win32) - GPGshell v2.60

iD8DBQE9vF3qV8nrYCsHF+IRAk7XAJ93N5x2bGrkQtNAcUwxNKNc4O35qQCfWRa4
OX6QcJz6tmMNRAzuTwH1uuU=
=RRxc
-----END PGP SIGNATURE-----


________________________________________________
Current version is 1.61 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
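
Added example (not part of Allie's message, nor code from The Bat!, GFI
or any scanner named in the thread): a small Python scanner that shows
the two points argued above. First, a ".vbs"/".exe"/".com"/".cmd" name is
an extension policy, while a real detection matches the attachment's
bytes; the public EICAR test string stands in for a signature, since
that is what an eicar.com test attachment carries. Second, a message
delivered as RFC 2046 message/partial fragments has no complete
attachment in any single piece, so a scanner only sees the signature
after the fragments are reassembled, which is why scanning each
fragment alone finds nothing. The mail addresses, fragment id and file
names are constructed sample values; the cut point for the fragments is
chosen here only to exercise the reassembly path.

```python
"""Added example, not from the list message above: scan a MIME mail for
attachments, keeping extension policy apart from signature matching, and
reassemble RFC 2046 message/partial fragments before scanning them.
All messages here are constructed samples; EICAR is the public AV test
string that an eicar.com test attachment carries."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.parser import BytesParser

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# extensions the thread names as runnable on a double-click; a name alone
# is policy, not evidence of malware
RISKY_EXTENSIONS = (".vbs", ".exe", ".com", ".cmd")


def scan_message(msg):
    """Walk every MIME part; list attachments caught by the extension
    policy and attachments whose decoded bytes contain the EICAR string."""
    hits = {"policy": [], "signature": []}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(RISKY_EXTENSIONS):
            hits["policy"].append(name)
        if EICAR in data:
            hits["signature"].append(name)
    return hits


def reassemble_partial(fragments):
    """Join message/partial fragment bodies in 'number' order into the
    original message bytes (RFC 2046 section 5.2.2). Only the fragment
    headers are parsed, so the bodies are kept byte for byte."""
    parts, total = {}, None
    for raw in fragments:
        hdr = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
        if hdr.get_content_type() != "message/partial":
            continue
        number = int(hdr.get_param("number"))
        parts[number] = hdr.get_payload().encode("ascii", "surrogateescape")
        if hdr.get_param("total") is not None:
            total = int(hdr.get_param("total"))
    if total is None or sorted(parts) != list(range(1, total + 1)):
        raise ValueError("fragment set incomplete; scan only once all parts arrived")
    return b"".join(parts[n] for n in range(1, total + 1))


def build_sample(filename, data):
    """Constructed sample: a plain mail with one attachment (addresses are
    placeholders in the reserved .invalid domain)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "attachment test (constructed sample)"
    msg.set_content("See attachment.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def split_sample(msg, frag_id):
    """Constructed sample input: the message bytes cut at a line boundary into
    two message/partial fragments, the delivery shape the thread describes."""
    raw = msg.as_bytes()
    cut = raw.index(b"\n", len(raw) // 2) + 1
    chunks = (raw[:cut], raw[cut:])
    frags = []
    for n, chunk in enumerate(chunks, 1):
        head = ("From: sender@example.invalid\nTo: user@example.invalid\n"
                f"Subject: part {n}\nMIME-Version: 1.0\n"
                f'Content-Type: message/partial; id="{frag_id}"; '
                f"number={n}; total={len(chunks)}\n\n")
        frags.append(head.encode("ascii") + chunk)
    return frags


def run_demo():
    """Scan the constructed samples and return the findings by case."""
    harmless_vbs = build_sample("hello.vbs", b"' harmless text carrying a .vbs name\n")
    eicar_mail = build_sample("eicar.com", EICAR)
    frags = split_sample(eicar_mail, "frag-1@example.invalid")
    parse = lambda b: message_from_bytes(b, policy=policy.default)
    return {
        "vbs_only": scan_message(harmless_vbs),
        "eicar_whole": scan_message(eicar_mail),
        # each fragment alone: no complete attachment to match against
        "fragments_separately": [scan_message(parse(f)) for f in frags],
        "fragments_reassembled": scan_message(parse(reassemble_partial(frags))),
    }


if __name__ == "__main__":
    for case, found in run_demo().items():
        print(case, found)
```

The harmless .vbs sample only trips the extension policy, the eicar.com
sample trips both, and the fragments trip the signature check only once
reassemble_partial has put them back together; a fragment set with a
missing part raises instead of being scanned, since judging an
incomplete attachment is exactly the gap the thread points at.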
