Hi Bill
 
Regarding the virus codes 9 and 10 that were introduced with F-Prot 3.16, I will quote the release notes:
 
Archive handling has been improved and is now more consistent.
Version 3.16 also includes detection against so-called "archive bombs",
archives ...  ... If the limit is exceeded then it will exit
with a new exit code 10 (some files were not scanned; in this case
because maximum archive level was reached).  The OnDemand Scanner
scans an infinite number of levels by default but this behaviour
can be changed using the same command-line switch.  The RealTime
Protector scans to a depth of one level by default.

Another new exit code has been added to the OnDemand Scanner and
the Command-Line Scanner, exit code 9.  This exit code indicates
that some files were not scanned, e.g., encrypted files, because
of unsupported/unknown compression methods, because of
unsupported/unknown file formats, corrupted or invalid files.

Both exit code 9 and 10 indicate that some files were not scanned
and, therefore, they can not be guaranteed to be clean.  The
difference between them is that if exit code 10 occurs then some
settings can be changed (e.g., increase the maximum allowed
archive depth) and the scanner might be able to scan the file.
If, however, exit code 9 occurs then the scanner is not able to
scan the file.

A complete list of the exit codes can be found at
http://www.f-prot.com/support/windows/fpwin_faq/65.html
So exit code 10 seems OK to me, but I'm not sure what exit code 9 means in the real world.
What "compression methods" and "file formats" are supported, and which are not?

If a legitimate message contains one little unsupported or corrupt file, then with notifications disabled this will cause a false positive. Right?

Does anyone have something against a feature request like ONLYIFEXITCODEIS?
Then we could set up end-user notifications for certain "suspicious" exit codes.
During outbreaks, while signatures are missing, this would block messages and show the end users that the virus filter is there and working. After the signature update the exit code should usually become 3 or 6.
 
Markus
 
 
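As an added example (not Declude's or F-Prot's code, and not posted by anyone in this thread), the following Python sketch shows how a scanner wrapper could act on the distinction the release notes draw: exit code 10 is retried with a larger archive depth, since the notes say changing that setting may let the file be scanned, while exit code 9 cannot be helped by a retry and is routed to an end-user notification in the spirit of the ONLYIFEXITCODEIS idea. The scanner is simulated, so fpcmd.exe is never invoked; the meanings of 3, 6 and 8 are taken only from the VIRUSCODE entries in the virus.cfg quoted below, and treating 0 as "clean" is an assumption.

```python
"""Scanner exit-code dispatcher (added example; not Declude or F-Prot code).

Policy modelled from the thread:
  * codes listed as VIRUSCODE in the posted virus.cfg are treated as infected;
  * exit code 10 (max archive level reached) is retried with a deeper -ARCHIVE=
    setting, up to a cap, because the release notes say that may let it scan;
  * exit code 9 (encrypted / unsupported / corrupt) cannot be fixed by a retry,
    so it is flagged for notification instead of being silently called a virus.
The scanner is a constructed stand-in; nothing here runs a real AV binary.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

EXIT_CLEAN = 0                 # assumption: 0 means nothing was found
EXIT_INFECTED = {3, 6, 8}      # VIRUSCODE entries from the virus.cfg in the thread
EXIT_UNSCANNABLE = 9           # some files not scanned; a retry will not help
EXIT_ARCHIVE_DEPTH = 10        # some files not scanned; archive depth limit reached

# A scanner takes (path, archive_depth) and returns the process exit code.
Scanner = Callable[[str, int], int]


@dataclass
class Verdict:
    action: str         # "deliver", "block" or "notify"
    exit_code: int      # final exit code the decision was based on
    archive_depth: int  # archive depth in effect for that final run


def scan_with_policy(path: str, scanner: Scanner, start_depth: int = 5,
                     max_depth: int = 20,
                     only_if_exit_code_is: Iterable[int] = (9, 10)) -> Verdict:
    """Run the scanner, retrying exit code 10 with a deeper archive limit.

    only_if_exit_code_is plays the role of the proposed ONLYIFEXITCODEIS: codes in
    it mean "could not be fully scanned, tell the user" rather than "infected".
    """
    notify_codes = set(only_if_exit_code_is)
    depth = start_depth
    while True:
        code = scanner(path, depth)
        if code in EXIT_INFECTED:
            return Verdict("block", code, depth)
        if code == EXIT_CLEAN:
            return Verdict("deliver", code, depth)
        if code == EXIT_ARCHIVE_DEPTH and depth < max_depth:
            depth = min(depth * 2, max_depth)   # deeper retry, then scan again
            continue
        # Exit code 9, or 10 once the depth cap is reached: not fully scanned.
        if code in notify_codes:
            return Verdict("notify", code, depth)
        return Verdict("block", code, depth)


def make_fake_scanner(needed_depth: Dict[str, int], fixed: Dict[str, int]) -> Scanner:
    """Constructed stand-in for fpcmd.exe.

    needed_depth: archives that return 10 until the depth reaches the given value.
    fixed: paths that always return the given exit code.
    """
    def scan(path: str, depth: int) -> int:
        if path in fixed:
            return fixed[path]
        need = needed_depth.get(path, 0)
        return EXIT_ARCHIVE_DEPTH if depth < need else EXIT_CLEAN
    return scan


# Constructed sample "messages": one plain file, one detected sample, one nested
# archive that scans once the depth is raised, one archive bomb that never
# fits, and one encrypted archive.
SAMPLE_SCANNER = make_fake_scanner(
    needed_depth={"nested.zip": 12, "bomb.zip": 1000},
    fixed={"memo.txt": 0, "worm.exe": 3, "encrypted.zip": 9},
)
SAMPLE_FILES = ("memo.txt", "worm.exe", "nested.zip", "bomb.zip", "encrypted.zip")


def run_samples() -> Dict[str, Verdict]:
    return {p: scan_with_policy(p, SAMPLE_SCANNER) for p in SAMPLE_FILES}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} -> {verdict.action:8} (exit {verdict.exit_code}, depth {verdict.archive_depth})")
```

With the default notify set of (9, 10), the archive bomb ends up as "notify" after the depth cap is hit, while the merely deep archive is delivered once the retry reaches a sufficient depth; passing only_if_exit_code_is=(9,) instead makes the capped exit code 10 a "block", which is the behaviour the posted virus.cfg gets by listing 10 as a VIRUSCODE.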


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, February 02, 2006 11:31 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

Andrew, I already have PRESCAN set to off and use the /server switch with F-Prot, so those were not the issue that was causing this behavior for me.  From my virus.cfg:
 
# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
VIRUSCODE1 9
VIRUSCODE1 10
REPORT1  Infection:
PRESCAN  OFF
 
Bill
----- Original Message -----
Sent: Thursday, February 02, 2006 2:09 PM
Subject: RE: [Declude.Virus] [IMail Forum] Realistic virus threat?

My raw speculation:
 
1) It is missed because the virus.cfg is using the "PRESCAN  ON" switch (the default, I believe) and the declude.exe application does not decode the MIME or other coding as flexibly as a mail client would, or makes an uninformed decision about what is an object worth scanning.
 
ANSWER: use PRESCAN OFF instead.  This will incur more CPU time as the selected antivirus scanner(s) will be scanning all objects.
 
2) For F-Prot specifically, the /server switch is not being used and therefore F-Prot is not doing the message format decoding.  If Declude did a perfect job, this setting would be irrelevant.
 
ANSWER: use the /server switch in your SCANFILE definition.  This would cause more CPU time on the few messages that appear as nested message encoding; it is intended for scanning servers with multiple mailbox formats and nested messages.
 
 
I follow my own advice on these two points and do not have a problem with F-Prot under Declude EVA missing known viruses.
 
 
Andrew 8)
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, February 02, 2006 1:47 PM
To: Imail_Forum@list.ipswitch.com; Declude.Virus@declude.com
Subject: Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

I reported this issue quite some time ago, when Scott was still running the show, and never got a satisfactory answer.  You can scan the raw d*.smd file with f-prot and it will detect the virus, but run it through Declude Virus, and the virus goes through undetected.  After pestering and prodding for several days, I finally gave up on getting a response that made sense.  But it must have something to do with the way Declude Virus is stripping off the mime encapsulation before calling f-prot to scan the message.
 
I have copied this to the Declude Virus list, as well, since it really belongs there rather than on the IMail list.
 
Bill
----- Original Message -----
Sent: Thursday, February 02, 2006 1:15 PM
Subject: RE: [IMail Forum] Realistic virus threat?

I've had F-Prot miss this virus on the mail server (being called from Declude).  But it's caught coming to my desktop, with the same virus scanner.  Is anyone else seeing this?

Mike

At 02:25 PM 2/2/2006, you wrote:
I believe F-Prot calls it W32/[EMAIL PROTECTED]


From: Stephen Guluk [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 02, 2006 2:19 PM
To: Imail_Forum@list.ipswitch.com
Subject: [IMail Forum] Realistic virus threat?

Off topic but still related to email...

Had a couple of clients that called concerned about this virus that is said to open and do its damage tomorrow:
[EMAIL PROTECTED]
Win32.Nyxem.e

I run F-prot on my mail server and their list of virus definitions shows nothing pertaining to this virus name. I wrote them but expect that they are sleeping since they are in Iceland.

Anyone else running F-prot and know any more info on whether this is a real threat?

Regards,



Steve Guluk

SGDesign

(949) 661-9333

ICQ: 7230769


