Matt, John,

F-Prot is not catching simple e-zips. I supposed it was the "password" string in the mail body. Now, after an additional test, it turned out that F-Prot is exiting with code 8 if there is an attached e-zip containing .exe files. The mail body does not seem to interfere with F-Prot's result.

This is a problem for those who need to allow any extensions in zip files. Maybe we can ask F-Prot if they can change the signatures to catch only exe in e-zips if they are larger than ... Usually legit e-zips should be much larger than 100 kByte.

I wouldn't remove exit code 8 from my configuration because most of the outbreaks in the last year were caught by this exit code before any AV scanner had updated signatures.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Tuesday, January 31, 2006 7:17 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
>
> I am using viruscode 8 and it is not blocking password protected zips.
> I think like Markus said it is looking for a combination of a password
> protected zip, an executable and the phrase he listed.
>
> Markus, did that attachment have an executable within the zip file?
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> > Sent: Tuesday, January 31, 2006 10:02 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
> >
> > Markus,
> >
> > I believe that this is something that several of us railed against
> > and tried to get F-Prot to change. Formerly no known viruses would be
> > tagged with an exit code of 8, but then they suddenly started tagging
> > some known viruses this way, essentially requiring us to add that
> > code in for detection. The downside of this is that this exit code
> > also blocks things like encrypted zips. It was a real shame.
> >
> > It's worth checking to see if F-Prot is tagging more recent known
> > viruses with exit code 8 because if they are no longer doing this, I
> > would assume that turning it off would be wise so long as you had two
> > virus scanners running.
> >
> > Note that I'm not dismissing your primary intention of pointing out
> > the FP issue with virus scanning and a way to deal with it.
> >
> > Matt
> >
> > Markus Gufler wrote:
> >
> > > Today I've had a message held as false positive ("unknown virus"
> > > exit code 8)
> > >
> > > F-Prot seems to end with this exit code if there is attached a
> > > password protected zip file and in the body is something like
> > >
> > > "password: ....."
> > >
> > > This message was definitively no false positive and so I requeued it.
> > >
> > > I've noted it due to the low number of postmaster virus warnings I
> > > receive because they are sent to me only if the detected virus is
> > > not a forging one.
> > > Fortunately this legit message wasn't deleted from the virus folder
> > > between thousands of unwanted netsky's and sober's.
> > >
> > > Markus
> > >
> > > ---
> > > [This E-mail was scanned for viruses by Declude EVA www.declude.com]
> > >
> > > ---
> > > This E-mail came from the Declude.Virus mailing list. To
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > type "unsubscribe Declude.Virus". The archives can be found
> > > at http://www.mail-archive.com.
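
The size heuristic suggested in the message above, sketched as an added example (it is not from the thread and is not Declude or F-Prot code): it reads a zip's central directory, which stays readable without the password in ordinary password-protected zips, and singles out only small archives whose encrypted entries have executable names. The extension list, the function names and the return labels are assumptions; the 100 kByte threshold is the figure from the message, and the sample archives are constructed.

```python
import io
import zipfile

# Assumed extension list; the thread itself names only .exe.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")
SIZE_LIMIT = 100 * 1024  # the 100 kByte figure from the message


def classify_zip(raw: bytes) -> str:
    """Return 'unreadable', 'clean', 'encrypted' or 'suspicious'."""
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            entries = zf.infolist()  # central directory only, no password
    except zipfile.BadZipFile:
        return "unreadable"
    # General-purpose flag bit 0 marks an entry as encrypted.
    encrypted = [e for e in entries if e.flag_bits & 0x1]
    if not encrypted:
        return "clean"  # nothing hidden: a content scanner can inspect it
    has_exe = any(e.filename.lower().endswith(EXECUTABLE_EXTS)
                  for e in encrypted)
    if has_exe and len(raw) < SIZE_LIMIT:
        return "suspicious"  # small encrypted zip carrying an executable
    return "encrypted"  # encrypted, but outside the narrow heuristic


def constructed_sample(name: str, size: int, encrypted: bool) -> bytes:
    """Build a constructed test zip; 'encrypted' only sets the header flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"\0" * size)
    raw = bytearray(buf.getvalue())
    if encrypted:
        pos = raw.find(b"PK\x01\x02")  # central directory file header
        while pos != -1:
            raw[pos + 8] |= 0x01  # flags field sits at offset 8
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    for name, size in (("invoice.exe", 20 * 1024), ("setup.exe", 200 * 1024),
                       ("report.pdf", 1024)):
        print(name, size, classify_zip(constructed_sample(name, size, True)))
```

A filter built this way would hold only the "suspicious" class and let other encrypted zips through to whatever second scanner is in place.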