----- Original Message -----
Sent: Thursday, February 02, 2006 2:09
PM
Subject: RE: [Declude.Virus] [IMail
Forum] Realistic virus threat?
My raw speculation:
1) It is missed because the virus.cfg is using the
"PRESCAN ON" switch (the default, I believe) and the declude.exe
application does not decode the MIME or other coding as flexibly as a mail
client would, or makes an uninformed decision about what is an object worth
scanning.
ANSWER: use PRESCAN OFF instead. This will
incur more CPU time as the selected antivirus scanner(s) will be scanning all
objects.
2) For F-Prot specifically, the /server switch is not
being used and therefore F-Prot is not doing the message format
decoding. If Declude did a perfect job, this setting would be
irrelevant.
ANSWER: use the /server switch in your SCANFILE
definition. This would cause more CPU time on the few messages that
appear as nested message encoding; it is intended for scanning servers with
multiple mailbox formats and nested messages.
I follow my own advice on these two points and do not
have a problem with F-Prot under Declude EVA missing known
viruses.
Andrew 8)
I reported this issue quite some time ago, when
Scott was still running the show, and never got a satisfactory answer.
You can scan the raw d*.smd file with f-prot and it will detect the virus,
but run it through Declude Virus, and the virus goes though
undetected. After pestering and prodding for several days, I finally
gave up on getting a response that made sense. But it must have
something to do with the way Declude Virus is stripping off the mime
encapsulation before calling f-prot to scan the message.
I have copied this to the Declude Virus list,
as well, since it really belongs there rather than on the IMail
list.
Bill
----- Original Message -----
Sent: Thursday, February 02, 2006
1:15 PM
Subject: RE: [IMail Forum] Realistic
virus threat?
I've had F-Prot miss this virus on the mail server (being
called from Declude). But it's caught coming to my desktop, with the
same virus scanner. Is anyone else seeing
this?
Mike
At 02:25 PM 2/2/2006, you wrote:
I believe F-Prot calls it W32/[EMAIL PROTECTED]
- From: Stephen Guluk [mailto:[EMAIL PROTECTED]]
- Sent: Thursday, February 02, 2006 2:19 PM
- To: Imail_Forum@list.ipswitch.com
- Subject: [IMail Forum] Realistic virus threat?
- Off topic but still related to email...
- Had a couple clients that called concerned about this virus that
is said to open and do it's damage tomorrow:
- [EMAIL PROTECTED]
- Win32.Nyxem.e
- I run F-prot on my mail server and their list of virus definitions
shows nothing pertaining to this virus name. I wrote them but expect
that they are sleeping since they are in Iceland.
- Anyone else running F-prot and know any more info on it this is a
real threat?
- Regards,
- Steve Guluk
- SGDesign
- (949) 661-9333
- ICQ:
7230769