I just checked my version 3.14e and indeed it is able to accept the /archive=3 parameter even though the help option does not show that as a valid option
C:\Test>q:\progra~1\fsi\f-prot\fpcmd /? Usage: f-prot [drive, file or directory] [options] -ai Enable neural-network virus detection. -append Append to existing report file. -archive Scan inside .ZIP and .ARJ files. Goran Jovanovic The LAN Shoppe > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Declude.Virus- > [EMAIL PROTECTED] On Behalf Of Rick Davidson > Sent: Tuesday, July 27, 2004 11:23 AM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.Virus] Blocking the files in mydoom /Archive=3 > > Correct if you do not use that option F-prot will only search one level, > that option tells F-Prot to search zips within zips. I think you need > Version 3.14e or better to use this option > > /Archive=2 will catch the current mydoom variants > > /Archive=3 will search a third level if it exists > > you can easily test this with the eicar test file > > Rick Davidson > National Systems Manager > North American Title Group > - > ----- Original Message ----- > From: "Jim Matuska" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Tuesday, July 27, 2004 11:12 AM > Subject: Re: [Declude.Virus] Blocking the files in mydoom /Archive=3 > > > > Scott, > > Can I get a clarification on this /Archive=3 Option. Should we be > setting > > this option? If we don't will F-Prot not see past the first zip file? > If > > we do set the 3 will it let us pick up viruses in the second or 3rd zip > > file? > > > > Jim Matuska Jr. > > Computer Tech II > > CCNA > > Nez Perce Tribe > > Information Systems > > [EMAIL PROTECTED] > > ----- Original Message ----- > > From: "Goran Jovanovic" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Monday, July 26, 2004 4:33 PM > > Subject: RE: [Declude.Virus] Blocking the files in mydoom > > > > > > For F-Prot do you need the /ARCHIVE parameter to scan zip within zip or > > do you need the /ARCHIVE=3 option? I checked the help on fpcmd command > > and there is no indication that the /ARCHIVE takes any options. > > > > > > > > Goran Jovanovic > > The LAN Shoppe > > > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] [mailto:Declude.Virus- > > > [EMAIL PROTECTED] On Behalf Of Matt > > > Sent: Monday, July 26, 2004 7:18 PM > > > To: [EMAIL PROTECTED] > > > Subject: Re: [Declude.Virus] Blocking the files in mydoom > > > > > > Scott, > > > > > > Thanks for the clarifications. I have the latest definitions from > > both > > > McAfee and F-Prot, and I have F-Prot set to scan 3 deep into zips. > > > > > > I have dozens of these files in my spam capture account. It seems > > > however that many of the more recent ones are very small files on the > > > order of just 2K, and I would imagine that these are damaged payloads > > > and that's why they are passing through Declude Virus with F-Prot and > > > McAfee. > > > > > > My real issue though is that my logs show absolutely no indications of > > > MyDoom.O. I fear that I have no protection against this virus, and I > > > fear that there is an issue with the detection of double-zips. I am > > > definitely seeing double zips. > > > > > > Matt > > > > > > > > > > > > > > > R. Scott Perry wrote: > > > > > > > > > > >> Please excuse me, but I'm having trouble figuring out exactly what > > is > > > >> going on here. > > > >> > > > >> It sounds like this virus is double-zipping files, and that this > > > >> technique is tricking the virus scanners. Is that correct? > > > > > > > > > > > > McAfee is reporting that *some* copies are being double-zipped (a > > .ZIP > > > > file within a .ZIP file). I'm not aware of any virus scanners that > > > > will be fooled by that. I'm guessing only a very small percentage > > are > > > > double-zipped. > > > > > > > >> If so, BANZIPEXTS, which will by default ban double-zips in > > addition > > > >> to other banned extensions, is the presumeably best work-around? > > If > > > >> not that, then custom filters in Declude? > > > > > > > > > > > > All BANZIPEXTS does is checks to see if the .ZIP file has a file in > > it > > > > with an extension that you ban, and if so, will ban it. > > > > > > > > BANZIPEXTS doesn't check .ZIP files within .ZIP files. > > > > > > > > -Scott > > > > --- > > > > Declude JunkMail: The advanced anti-spam solution for IMail > > > > mailservers since 2000. > > > > Declude Virus: Ultra reliable virus detection and the leader in > > > > mailserver vulnerability detection. > > > > Find out what you've been missing: Ask for a free 30-day evaluation. > > > > > > > > --- > > > > [This E-mail was scanned for viruses by Declude Virus > > > > (http://www.declude.com)] > > > > > > > > --- > > > > This E-mail came from the Declude.Virus mailing list. To > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > type "unsubscribe Declude.Virus". The archives can be found > > > > at http://www.mail-archive.com. > > > > > > > > > > > > > > -- > > > ===================================================== > > > MailPure custom filters for Declude JunkMail Pro. > > > http://www.mailpure.com/software/ > > > ===================================================== > > > > > > > > > --- > > > [This E-mail was scanned for viruses by Declude Virus > > > (http://www.declude.com)] > > > > > > --- > > > This E-mail came from the Declude.Virus mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.Virus". The archives can be found > > > at http://www.mail-archive.com. > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.Virus mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus". The archives can be found > > at http://www.mail-archive.com. > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.Virus mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus". The archives can be found > > at http://www.mail-archive.com. > > > > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.