Hi,
 
I must be missing something. I thought I had blocked EXEs in ZIPs, but some new viruses came through using the EXE-in-ZIP trick. Here is my virus.cfg; what am I missing?
 
 
 
 
#
# Declude Virus configuration file
#
# This file was distributed with v2.0
#
 
CODE            xxxxxxxxxxxxxxxx
 
#=========================================    LOGS    ==========================================
# "####" in the LOGFILE option, if present, automatically gets replaced with the month/date.
# Log Level options: WARN / LOW / MID / HIGH / DEBUG / ERROR
 
LOGFILE         Spool\vir####.log
## BB 23-3-2004
## Changed to high to see more info
LOGLEVEL        HIGH
 
#
# SCANFILE is the location of the command-line virus scanner. Note that it
# must include the full path.  VIRUSCODE is the code that scanner returns if
# it finds a virus.
#
 
#SCANFILE        C:\Scanner\Scan.exe /ALL /NOBEEP /NOMEM
#VIRUSCODE 13
 
## BB 19-nov-04
## Added viruscode 8 to the f-prot config. This should catch "new" viri based on heuristic scanning
SCANFILE1 C:\Progra~1\FSI\f-prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1      3
VIRUSCODE1      6
VIRUSCODE1 8
REPORT1  Infection
 
SCANFILE2 C:\Progra~1\Sophos\Sophos~1\sav32cli.exe -nc -nb -p=report.txt -mac -archive
VIRUSCODE2 3
VIRUSCODE2 6
REPORT2  >>> Virus
 

# VIRDIR is the directory to move E-mails with viruses; by default,
# it is set to 'spool\virus' (\IMail\spool\virus).
 
VIRDIR  spool\virus
 
# The MAXATONCE option limits the number of AV processes.  For example,
# MAXATONCE 1 will only allow 1 AV process to run at once (IE for licensing
# purposes).  A value of 0 (or commenting it out) allows unlimited processes
# to run at the same time.
 
MAXATONCE 0
 
#
# The following options allow you to limit scanning to only incoming or outgoing
# E-mail.
#
 
INCOMING ON
OUTGOING ON
 
#
# The ONACCESS option should be set to OFF unless you have an on-access virus scanner
# that will be deleting attachments with viruses.  It is recommended NOT to have an
# on-access scanner interfering, and to leave this at OFF.
#
 
ONACCESS OFF
 
#
# The SCANNERTIMEOUT option lets you choose the number of seconds that Declude will
# wait for the virus scanner to finish.  The minimum value is 10 seconds.  Most
# scanners will not need to take that long.  This option is mainly to prevent
# defective scanners (that never finish) from interfering with your outgoing E-mail.
# Raising this will NOT help if your virus scanner always times out.
#
 
## BB 26-4-2005
# Changed from 60 to 90 because of slow disksystem
SCANNERTIMEOUT 90
 
#
# The SKIPEXT option will let you skip scanning of certain file extensions.  For
# example, a GIF file can't contain a virus, so there is no need to scan it.
#
 
SKIPEXT  GIF
SKIPEXT  TXT
SKIPEXT  JPG
SKIPEXT  MPG
SKIPEXT  PNG
 
#
# The BANEXT option will let you ban file extensions.  E-mails containing attachments
# with these file extensions will be quarantined, and if you have a BANnotify.EML file,
# it will be sent out.  This works in the Standard and Pro versions.
#
 
BANEXT  scr
BANEXT  pif
BANEXT  vbs
BANEXT  vbe
BANEXT  bat
BANEXT  cpl
# BB 21-10-05
# Added EXE files, no longer needs to exclude them
BANEXT  exe
 
#
# The BANEXT EZIP line blocks all encrypted .ZIP and .RAR files, which is necessary
# to be fully protected against viruses (since it is impossible to detect a well-
# constructed virus within an encrypted .ZIP or .RAR file).
#
 
BANEXT  EZIP
 
#
# BANZIPEXT will block files based on EXT within ZIP files. EXT as declared with BANEXT
# BANEZIPEXT will do the same for encrypted ZIPs.
#
# BB 1-11-05
# Added BANxZIPEXT directives, BANEZIPEXT not necessary as we block ALL EZIP files.
BANZIPEXT on
#BANEZIPEXT on
 
#
# Declude Virus Pro can pre-scan HTML files.  If no dangerous code is detected, the
# virus scanner will not get called.  This can significantly cut down on CPU usage.
#
 
PRESCAN  OFF
 
#
# Declude Virus can treat files using CLSID extensions as viruses.  This type of
# extension will force a certain type of program to be run, while making the file appear
# to be a .TXT or other safe file.  There is no known legitimate reason to send this
# type of file through E-mail.  BANPARTIAL ON bans the Partial Vulnerability.
#
 
BANCLSID ON
BANPARTIAL ON
 
#
# The FOOTER lines will add a footer to the bottom of E-mails that are scanned.  This may
# not be visible if you send HTML or attachments with the E-mail.
#
 
FOOTER  ---
FOOTER  [E-mail scanned at tio.nl for viruses by Declude Virus]
 
#
# The DELETEVIRUSES option, when set to ON, will delete viruses, rather than quarantine them.
# It is recommended to leave this at OFF.
#
 
DELETEVIRUSES OFF
 
#
# The DELIVERERRORS option, when set to ON, will treat errors from the virus scanner as if no
# virus was found.  When set to ON, this could cause viruses to get through in rare situations,
# but will also prevent legitimate mail from being quarantined due to an error in the scanner.
# It is recommended to leave this at ON.
#
 
DELIVERERRORS ON
 
#
# The BANCRVIRUSES option will automatically treat E-mail with malformed headers that could
# contain a virus as if they did contain a virus.  It is strongly recommended that you keep
# this set to ON; otherwise, viruses could slip through.
#
 
BANCRVIRUSES ON
 
#
# The FORGINGVIRUS option is used to list viruses that forge the return address, so Declude
# can replace the name of the sender with "[Forged]".
#
 
FORGINGVIRUS Avril
FORGINGVIRUS Bagle
FORGINGVIRUS Braid
FORGINGVIRUS Bridex
FORGINGVIRUS Bugbear
FORGINGVIRUS Dumaru
FORGINGVIRUS Fizzer
FORGINGVIRUS Gibe
FORGINGVIRUS Hybris
FORGINGVIRUS Klez
FORGINGVIRUS Lentin
FORGINGVIRUS Lovgate
FORGINGVIRUS Mabuto
FORGINGVIRUS Magistr
FORGINGVIRUS Mimail
FORGINGVIRUS MyDoom
FORGINGVIRUS Mytob
FORGINGVIRUS Netsky
FORGINGVIRUS Newstuff
FORGINGVIRUS Palyh
FORGINGVIRUS Sefex
FORGINGVIRUS Sober
FORGINGVIRUS Sobig
FORGINGVIRUS Tanx
FORGINGVIRUS Swen
FORGINGVIRUS Wurmark
FORGINGVIRUS Yaha
FORGINGVIRUS Zafi
# Specific virus, not a general name
FORGINGVIRUS HTML/[EMAIL PROTECTED]
FORGINGVIRUS HTML/[EMAIL PROTECTED]
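
An independent check of what a ZIP attachment actually contains, measured against the BANEXT list in a virus.cfg like the one above, for comparing quarantined or delivered samples with what BANZIPEXT was expected to catch. This is an added example, not part of the original post and not Declude's code; the function names, the constructed sample archive and the recursion into nested ZIPs (which goes beyond what the config comments describe) are assumptions.

```python
import io
import zipfile

def parse_banext(cfg_text):
    """Collect active BANEXT values (lower-cased) from virus.cfg text."""
    banned = set()
    for line in cfg_text.splitlines():
        parts = line.split()
        # Commented-out lines start with "#", so parts[0] will not match.
        if len(parts) >= 2 and parts[0].upper() == "BANEXT":
            banned.add(parts[1].lower())
    return banned

def audit_zip(data, banned, depth=0, max_depth=2):
    """Return (member, reason) findings for ZIP bytes, looking inside nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Windows ignores trailing dots/spaces, so "a.exe." still opens as .exe.
            base = info.filename.rstrip(". ").rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append((info.filename, "encrypted (EZIP)"))
            elif ext in banned:
                findings.append((info.filename, "banned extension ." + ext))
            elif ext == "zip" and depth < max_depth:
                findings += audit_zip(zf.read(info), banned, depth + 1, max_depth)
    return findings

def build_sample():
    """Constructed attachment: a double-extension EXE plus an SCR in a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("run.scr", b"harmless placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.txt", b"hello")
        z.writestr("photo.jpg.exe", b"harmless placeholder")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()

# Constructed config excerpt in the same format as the file above.
SAMPLE_CFG = "BANEXT  scr\nBANEXT  exe\n# BANEXT  com\nBANEXT  EZIP\nBANZIPEXT on\n"

if __name__ == "__main__":
    for member, reason in audit_zip(build_sample(), parse_banext(SAMPLE_CFG)):
        print(member, "->", reason)
```
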
 
