Hi Bill
Regarding the virus codes 9 and 10 that were introduced
with f-prot 3.16, I will quote the release notes:
Archive handling has been improved and is now more consistent.

Version 3.16 also includes detection against so-called "archive bombs", archives ... ... If the limit is exceeded then it will exit with a new exit code 10 (some files were not scanned; in this case because maximum archive level was reached). The OnDemand Scanner scans an infinite number of levels by default but this behaviour can be changed using the same command-line switch. The RealTime Protector scans to a depth of one level by default.

Another new exit code has been added to the OnDemand Scanner and the Command-Line Scanner, exit code 9. This exit code indicates that some files were not scanned, e.g., encrypted files, because of unsupported/unknown compression methods, because of unsupported/unknown file formats, corrupted or invalid files.

Both exit code 9 and 10 indicate that some files were not scanned and, therefore, they can not be guaranteed to be clean. The difference between them is that if exit code 10 occurs then some settings can be changed (e.g., increase the maximum allowed archive depth) and the scanner might be able to scan the file. If, however, exit code 9 occurs then the scanner is not able to scan the file.

A complete list of the exit codes can be found at http://www.f-prot.com/support/windows/fpwin_faq/65.html

So exit code 10 seems ok for me but I'm not sure what
exit code 9 means in the real world.
What "compression methods" and "file formats" are
supported and which are not?
If a legit message contains one little unsupported
or corrupt file with disabled notifications this will cause a false positive.
Right?
Does anyone have anything against a feature request like
ONLYIFEXITCODEIS?
So we could set up end user notifications for certain
"suspicious" exit codes.
During outbreaks while signatures are missing this
will block messages and show the end users that the virus filter is here and
working. After the signature update the exit code usually should become 3 or
6.
Markus