Re: [Declude.Virus] What is "Partial Vulnerability" on a PDF

Thu, 03 Jun 2004 12:37:16 -0700 

Goran,

Outlook/Outlook Express allows a sender to split messages over a certain size into multiple attachments. Messages of this type can bypass virus scanning and therefore represent a vulnerability. I have however personally determined that because it is so easy to turn on, and because I have yet to find any viruses that are currently exploiting this flaw, that it is better to leave it off for now rather than comb over my hold file looking for such messages and alerting those that are set up for this. Scott does provide a stitch for your Virus.cfg that can turn this off with the following:

   BANPARTIAL    OFF

I don't feel that this is a "set it and forget it" type of setting, so use at your own risk, and keep your eyes and ears pealed for exploits in the event that a virus does start exploiting the flaw. Thankfully the trickery has gone down since the arrested that German teenager :)

Matt



Goran Jovanovic wrote:

Declude Virus and F-Prot reported 

X-Declude-Virus: Detected [Partial Vulnerability].

This is an e-mail that has been cut into 5 part and it has a PDF
attached to it.

------=_NextPart_000_0019_01C4494C.0AFFE0A0
Content-Type: application/octet-stream;
        name="Report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Report.pdf"

We stopped the 5 e-mails but why would it have triggered on a PDF file?

Also how does the client out the PDF back together???

Thanx


    Goran Jovanovic
    The LAN Shoppe

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.





--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.

Reply via email to