I just checked my version 3.14e and indeed it is able to accept the
/archive=3 parameter even though the help option does not show that as a
valid option.

C:\Test>q:\progra~1\fsi\f-prot\fpcmd /?
Usage: f-prot [drive, file or directory] [options]

    -ai         Enable neural-network virus detection.
    -append     Append to existing report file.
    -archive    Scan inside .ZIP and .ARJ files.


 
     Goran Jovanovic
     The LAN Shoppe

 

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Rick Davidson
> Sent: Tuesday, July 27, 2004 11:23 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Blocking the files in mydoom /Archive=3
> 
> Correct if you do not use that option F-prot will only search one level,
> that option tells F-Prot to search zips within zips. I think you need
> Version 3.14e or better to use this option
> 
> /Archive=2 will catch the current mydoom variants
> 
> /Archive=3 will search a third level if it exists
> 
> you can easily test this with the eicar test file
> 
> Rick Davidson
> National Systems Manager
> North American Title Group
> -
> ----- Original Message -----
> From: "Jim Matuska" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 27, 2004 11:12 AM
> Subject: Re: [Declude.Virus] Blocking the files in mydoom /Archive=3
> 
> 
> > Scott,
> > Can I get a clarification on this /Archive=3 Option.  Should we be setting
> > this option?  If we don't will F-Prot not see past the first zip file?  If
> > we do set the 3 will it let us pick up viruses in the second or 3rd zip
> > file?
> >
> > Jim Matuska Jr.
> > Computer Tech II
> > CCNA
> > Nez Perce Tribe
> > Information Systems
> > [EMAIL PROTECTED]
> > ----- Original Message -----
> > From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, July 26, 2004 4:33 PM
> > Subject: RE: [Declude.Virus] Blocking the files in mydoom
> >
> >
> > For F-Prot do you need the /ARCHIVE parameter to scan zip within zip or
> > do you need the /ARCHIVE=3 option? I checked the help on fpcmd command
> > and there is no indication that the /ARCHIVE takes any options.
> >
> >
> >
> >      Goran Jovanovic
> >      The LAN Shoppe
> >
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> > > [EMAIL PROTECTED] On Behalf Of Matt
> > > Sent: Monday, July 26, 2004 7:18 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [Declude.Virus] Blocking the files in mydoom
> > >
> > > Scott,
> > >
> > > Thanks for the clarifications.  I have the latest definitions from both
> > > McAfee and F-Prot, and I have F-Prot set to scan 3 deep into zips.
> > >
> > > I have dozens of these files in my spam capture account.  It seems
> > > however that many of the more recent ones are very small files on the
> > > order of just 2K, and I would imagine that these are damaged payloads
> > > and that's why they are passing through Declude Virus with F-Prot and
> > > McAfee.
> > >
> > > My real issue though is that my logs show absolutely no indications of
> > > MyDoom.O.  I fear that I have no protection against this virus, and I
> > > fear that there is an issue with the detection of double-zips.  I am
> > > definitely seeing double zips.
> > >
> > > Matt
> > >
> > >
> > >
> > >
> > > R. Scott Perry wrote:
> > >
> > > >
> > > >> Please excuse me, but I'm having trouble figuring out exactly what is
> > > >> going on here.
> > > >>
> > > >> It sounds like this virus is double-zipping files, and that this
> > > >> technique is tricking the virus scanners.  Is that correct?
> > > >
> > > >
> > > > McAfee is reporting that *some* copies are being double-zipped (a .ZIP
> > > > file within a .ZIP file).  I'm not aware of any virus scanners that
> > > > will be fooled by that.  I'm guessing only a very small percentage are
> > > > double-zipped.
> > > >
> > > >> If so, BANZIPEXTS, which will by default ban double-zips in addition
> > > >> to other banned extensions, is the presumably best work-around?  If
> > > >> not that, then custom filters in Declude?
> > > >
> > > >
> > > > All BANZIPEXTS does is checks to see if the .ZIP file has a file in it
> > > > with an extension that you ban, and if so, will ban it.
> > > >
> > > > BANZIPEXTS doesn't check .ZIP files within .ZIP files.
> > > >
> > > >                                                    -Scott
> > > > ---
> > > > Declude JunkMail: The advanced anti-spam solution for IMail
> > > > mailservers since 2000.
> > > > Declude Virus: Ultra reliable virus detection and the leader in
> > > > mailserver vulnerability detection.
> > > > Find out what you've been missing: Ask for a free 30-day evaluation.
> > > >
> > > > ---
> > > > [This E-mail was scanned for viruses by Declude Virus
> > > > (http://www.declude.com)]
> > > >
> > > > ---
> > > > This E-mail came from the Declude.Virus mailing list.  To
> > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > type "unsubscribe Declude.Virus".    The archives can be found
> > > > at http://www.mail-archive.com.
> > > >
> > > >
> > >
> > > --
> > > =====================================================
> > > MailPure custom filters for Declude JunkMail Pro.
> > > http://www.mailpure.com/software/
> > > =====================================================


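The archive-depth question discussed in this thread, as an added example that is not part of the original messages and is not Declude's or F-Prot's code: a banned-extension check that descends a configurable number of ZIP levels and reports any nested archive it did not open, so a single-level check visibly skips a double-zipped attachment instead of passing it silently. The ban list, function names and sample archives are assumptions constructed for the illustration.

```python
import io
import os
import zipfile

BANNED_EXTS = {".exe", ".pif", ".scr", ".com"}  # assumed ban list, not from the thread


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_zip(data, max_depth, path="", level=1):
    """Return (banned, unscanned): banned member paths found within max_depth
    archive levels, and nested archives that were not opened."""
    banned, unscanned = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = path + info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in BANNED_EXTS:
                banned.append(name)
            if ext != ".zip":
                continue
            if level >= max_depth:
                unscanned.append(name)  # deeper than this scan is allowed to look
                continue
            try:
                inner = scan_zip(zf.read(info), max_depth, name + "!", level + 1)
            except zipfile.BadZipFile:
                unscanned.append(name)  # damaged inner archive: report it, do not pass it
                continue
            banned += inner[0]
            unscanned += inner[1]
    return banned, unscanned


# Constructed samples: a harmless placeholder file, zipped once, twice and three times.
single = make_zip({"message.pif": b"placeholder, not malware"})
double = make_zip({"message.zip": single})
triple = make_zip({"outer.zip": double})
```

A mail filter built this way would treat a non-empty `unscanned` list as grounds to hold the message, since the contents behind that archive were never inspected.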