My raw speculation:
 
1) It is missed because the virus.cfg is using the "PRESCAN  ON" switch (the default, I believe) and the declude.exe application does not decode the MIME or other coding as flexibly as a mail client would, or makes an uninformed decision about what is an object worth scanning.
 
ANSWER: use PRESCAN OFF instead.  This will incur more CPU time as the selected antivirus scanner(s) will be scanning all objects.
 
2) For F-Prot specifically, the /server switch is not being used and therefore F-Prot is not doing the message format decoding.  If Declude did a perfect job, this setting would be irrelevant.
 
ANSWER: use the /server switch in your SCANFILE definition.  This would cause more CPU time on the few messages that appear as nested message encoding; it is intended for scanning servers with multiple mailbox formats and nested messages.
 
 
I follow my own advice on these two points and do not have a problem with F-Prot under Declude EVA missing known viruses.
 
 
Andrew 8)
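
An added illustration of the two points above (not code from Declude, F-Prot or any poster in this thread): a Python sketch of how a pre-scan that treats a nested message/rfc822 part as opaque hands the scanner nothing, while a recursive decode reaches the attachment. The sample message, the file name and the function names are constructed, and it is an assumption that a shallow decode of this kind is what happens in the case described.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

PLACEHOLDER = b"PLACEHOLDER-NOT-MALWARE"  # constructed, harmless bytes


def build_sample() -> bytes:
    """Constructed sample: an attachment inside a forwarded (nested) message."""
    inner = EmailMessage()
    inner["Subject"] = "inner"
    inner.set_content("see attachment")
    inner.add_attachment(PLACEHOLDER, maintype="application",
                         subtype="octet-stream", filename="photo.scr")
    outer = EmailMessage()
    outer["Subject"] = "Fwd: inner"
    outer.set_content("forwarded message below")
    outer.add_attachment(inner)  # stored as a message/rfc822 part
    return outer.as_bytes()


def parse(raw: bytes) -> EmailMessage:
    return message_from_bytes(raw, policy=policy.default)


def extract(msg, nested=True, depth=0):
    """Return (nesting depth, filename, decoded size) for each named object.

    nested=False models a decoder that does not open message/rfc822 parts;
    nested=True descends into them, as a mail client does when displaying.
    """
    found = []
    parts = msg.iter_parts() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "message/rfc822":
            if nested:
                found += extract(part.get_payload(0), nested, depth + 1)
            continue  # shallow mode: the nested message is skipped whole
        if part.is_multipart():
            found += extract(part, nested, depth)
            continue
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True)  # undo base64/quoted-printable
            found.append((depth, name, len(data)))
    return found


if __name__ == "__main__":
    msg = parse(build_sample())
    print("shallow decode:", extract(msg, nested=False))
    print("nested decode: ", extract(msg, nested=True))
```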
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, February 02, 2006 1:47 PM
To: Imail_Forum@list.ipswitch.com; Declude.Virus@declude.com
Subject: Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

I reported this issue quite some time ago, when Scott was still running the show, and never got a satisfactory answer.  You can scan the raw d*.smd file with f-prot and it will detect the virus, but run it through Declude Virus, and the virus goes through undetected.  After pestering and prodding for several days, I finally gave up on getting a response that made sense.  But it must have something to do with the way Declude Virus is stripping off the MIME encapsulation before calling f-prot to scan the message.
 
I have copied this to the Declude Virus list, as well, since it really belongs there rather than on the IMail list.
 
Bill
----- Original Message -----
Sent: Thursday, February 02, 2006 1:15 PM
Subject: RE: [IMail Forum] Realistic virus threat?

I've had F-Prot miss this virus on the mail server (being called from Declude).  But it's caught coming to my desktop, with the same virus scanner.  Is anyone else seeing this?

Mike

At 02:25 PM 2/2/2006, you wrote:
I believe F-Prot calls it W32/[EMAIL PROTECTED]


From: Stephen Guluk [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 02, 2006 2:19 PM
To: Imail_Forum@list.ipswitch.com
Subject: [IMail Forum] Realistic virus threat?

Off topic but still related to email...

Had a couple clients that called concerned about this virus that is said to open and do its damage tomorrow:
[EMAIL PROTECTED]
Win32.Nyxem.e

I run F-prot on my mail server and their list of virus definitions shows nothing pertaining to this virus name. I wrote them but expect that they are sleeping since they are in Iceland.

Anyone else running F-prot and know any more info on if this is a real threat?

Regards,



Steve Guluk

SGDesign

(949) 661-9333

ICQ: 7230769


