I've just received a message containing a file account_info.zip to my inbox.
I've tried to open it but WinZip was not able to open this 53 kByte zip archive: "start of central directory not found: zip file corrupt"

So I believe in this case neither AV-Scanner nor BANZIPEXTS ON will work, as absolutely no content from the archive could be read. Only BANNAMEs will work to block it before it reaches the recipient's mailbox.

At least such corrupt files can't create any damage besides the problem that some user could believe the virus filter does not work as well as it should.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Monday, May 02, 2005 11:54 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
>
> I don't have any samples of the latest Sober, but *if* you're
> using the penultimate pattern file for F-Prot and have your
> auto-update disabled, then according to the writeups, either
> of these two techniques in your virus.cfg will keep this
> specific virus out of your users' mailboxes:
>
> BANEXT PIF
> BANZIPEXTS ON
>
> or
>
> BANNAME account_info.zip
> BANNAME autoemail-text.zip
> BANNAME LOL.zip
> BANNAME Fifa_Info-Text.zip
> BANNAME mail_info.zip
> BANNAME okTicket-info.zip
> BANNAME our_secret.zip
> BANNAME _PassWort-Info.zip
>
> Andrew 8)
>
> p.s. Now, back to the day job, already!
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
> Sent: Monday, May 02, 2005 2:20 PM
> To: Declude.Virus@declude.com
> Subject: Fw: [Declude.Virus] Viruses appearing to be getting through...
>
> Hi,
>
> Oops, correct that. F-prot is catching it as Sober.O, Sophos
> is still not catching it. :-(
>
> Sure glad I'm using two scanners. ;-)
>
> > As of now I'm still getting hit by a virus with attachments
> > like our_secret.zip which Sophos catches as Sober.O.
> >
> > F-prot is still not catching them and there is as of yet no update.
> > Just did a manual update and no new version. I'm at:
> > SIGN.DEF 2-may-2005, 13:32 CET
> > SIGN2.DEF 2-may-2005, 16:46 CET
> > Using f-prot 3.16b
> >
> > Greetings,
> > Bonno Bloksma
> >
> > ----- Original Message -----
> > From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> > To: <Declude.Virus@declude.com>
> > Sent: Monday, May 02, 2005 8:37 PM
> > Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
> >
> > F-Prot may have already fixed their pattern file. My current sign.def
> > is timestamped:
> >
> > 05/02/2005 03:53 AM
> >
> > and checking their website and downloading the current version
> > manually shows that the current version is:
> >
> > 05/02/2005 01:32 PM
> >
> > Can anybody with the issue confirm which pattern file they are using
> > that has the problem?
> >
> > Andrew 8)
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> > Sent: Monday, May 02, 2005 11:20 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] Viruses appearing to be getting through...
> >
> > Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV
> > (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot
> > (although I have F-Prot updates disabled for now, until they get their
> > problem with HTML/[EMAIL PROTECTED] fixed).
> >
> > Bill
> >
> > ----- Original Message -----
> > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> > To: <Declude.Virus@declude.com>
> > Sent: Monday, May 02, 2005 11:11 AM
> > Subject: RE: [Declude.Virus] Viruses appearing to be getting through...
> >
> >> I saw a big bunch about 2 hours ago that were stopped by banned zip
> >> extensions.
> >>
> >> John T
> >> eServices For You
> >>
> >>> -----Original Message-----
> >>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >>> On Behalf Of Chuck Schick
> >>> Sent: Monday, May 02, 2005 10:58 AM
> >>> To: Declude.Virus
> >>> Subject: [Declude.Virus] Viruses appearing to be getting through...
> >>>
> >>> I am seeing several files getting through that appear to have
> >>> viruses attached as zip files. I am running Declude with F-Prot.
> >>> We ban encrypted zips and I have error code 8 included. Anyone
> >>> else seeing this behavior? Here is part of the log.
> >>>
> >>> 05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
> >>> 05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]
> >>>
> >>> Chuck Schick
> >>> Warp 8, Inc.
> >>> (303)-421-5140
> >>> www.warp8.com
> >>>
> >>> ---
> >>> This E-mail came from the Declude.Virus mailing list. To
> >>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >>> type "unsubscribe Declude.Virus". The archives can be found
> >>> at http://www.mail-archive.com.
> >
> > ---
> > [E-mail scanned at tio.nl for viruses by Declude Virus]
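Added example, not part of the original thread: a gateway-side check for the condition described in the top message, a ZIP attachment with no end-of-central-directory record, which falls back to reading member names from the local file headers that precede each member's data. The ban list, function names and sample archives are constructed for illustration and are not Declude settings or code.

```python
import io
import os
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header, precedes each member's data
CDH_SIG = b"PK\x01\x02"   # central directory file header
EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record
BANNED_EXTS = {".pif", ".scr", ".exe"}  # assumed ban list for this example

def local_header_names(data):
    """Member names read from local file headers, without the central directory."""
    names, pos = [], data.find(LFH_SIG)
    while pos != -1:
        if pos + 30 <= len(data):
            # File name length is a little-endian uint16 at offset 26.
            (name_len,) = struct.unpack_from("<H", data, pos + 26)
            raw = data[pos + 30:pos + 30 + name_len]
            if name_len and len(raw) == name_len:
                names.append(raw.decode("cp437", "replace"))
        # A signature match inside compressed data can yield a bogus name.
        pos = data.find(LFH_SIG, pos + 4)
    return names

def inspect_zip(data):
    """Classify an attachment: 'block' on a banned name, 'hold' if unreadable."""
    has_eocd = data.rfind(EOCD_SIG) != -1
    names = local_header_names(data)
    banned = [n for n in names if os.path.splitext(n)[1].lower() in BANNED_EXTS]
    if banned:
        verdict = "block"
    elif not has_eocd:
        verdict = "hold"   # structure damaged: quarantine rather than deliver
    else:
        verdict = "pass"
    return {"central_directory": has_eocd, "names": names, "verdict": verdict}

def make_sample(member_name, truncate):
    """Constructed test archive; truncate=True cuts off the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"constructed placeholder content")
    data = buf.getvalue()
    return data[:data.find(CDH_SIG)] if truncate else data

if __name__ == "__main__":
    for name, cut in [("sample.txt.pif", True), ("notes.txt", True), ("notes.txt", False)]:
        print(name, cut, inspect_zip(make_sample(name, cut)))
```

An archive that yields neither a central directory nor a banned name is held rather than passed, so a scanner result of "clean" on an unreadable file is not treated as a verdict.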