Ah yes, thanks for the clarification, I misread John's e-mail. Hmmm, that is an interesting issue. Might possibly help to enable AI/Heuristics in the virus config's command line options. I did this a while back with F-Prot (-AI) and McAfee (/ANALYZE), so hopefully that will add a little bit of added capabilities for capturing these new viruses and variants before the new definitions are released.
Otherwise, like you stated, it may require holding messages containing zip files so they can be reviewed before being sent back to the queue for delivery.

Bill

----- Original Message -----
From: "Joshua Levitsky" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 21, 2003 6:57 PM
Subject: Re: [Declude.Virus] SoBig.E

> ----- Original Message -----
> From: "Bill Landry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 21, 2003 9:27 PM
> Subject: Re: [Declude.Virus] SoBig.E
>
> > Virus scanners will scan inside of compressed and archived files (if
> > configured to do so), so I don't see how this should be an issue. The
> > default configurations that Scott has set for the different Declude Virus
> > supported virus scanners are set up to scan inside of these types of files.
> >
> > Did you find a virus (SoBig.E) that was inside a zip file that made it past
> > Declude Virus?
>
> I think the point was that there is a window between a virus existing and
> definitions being available. In the past we could rest easy knowing viruses
> couldn't zip themselves so if you ban all the exe's and such then you would
> protect your users even during that window. Unfortunately now that viruses
> can zip themselves there is a window of potential for exposure. I get pages
> from Symantec when nasties come out because I have platinum support. When I
> hear of a virus that will mail itself as a zip, but there are no defs yet
> then the action I am going to take is to put all the subject lines and such
> that it does in a filter so it will be banned by Declude JunkMail with high
> enough value that it won't bounce, but will be held. Usually www.sarc.com
> (symantec) is good about documenting them.
>
> -Josh
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". The archives can be found
> at http://www.mail-archive.com.
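
Added example, not part of the original thread and not Declude's own mechanism: one way to apply the "hold zip files for review" idea discussed above without holding every archive, by holding only messages whose zip attachment contains an executable-type, encrypted, nested or unreadable member. The extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list: the extensions already banned outside archives.
BLOCKED_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}

def zip_reasons(data):
    """Return the reasons an archive should be held for review (empty = none)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unreadable archive"]
    reasons = []
    for info in zf.infolist():
        name = info.filename.lower()
        if info.flag_bits & 0x1:  # encrypted: a scanner cannot look inside
            reasons.append(f"encrypted member {info.filename}")
        elif name.endswith(tuple(BLOCKED_EXT)):
            reasons.append(f"executable member {info.filename}")
        elif name.endswith(".zip"):
            reasons.append(f"nested archive {info.filename}")
    return reasons

def triage(raw):
    """Return ("hold" | "deliver", reasons) for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Detect zips by magic bytes, not by the sender-chosen filename.
        if payload[:4] == b"PK\x03\x04":
            reasons += zip_reasons(payload)
    return ("hold" if reasons else "deliver", reasons)

def sample(member_name):
    """Constructed test message: a zip holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"harmless placeholder bytes")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="document.dat")
    return msg.as_bytes()

if __name__ == "__main__":
    for member in ("notes.txt", "attachment.pif"):
        print(member, triage(sample(member)))
```

Because the check keys on member names rather than signatures, it still works during the window before new definitions are released.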