I'm running Declude EVA 3.1.0 (the latest is 3.13 according to my
support site and the release notes at Declude.com ...)

The combination of the "BANEXT EXE" and "BANZIPEXTS ON" options is not, in
fact, actually banning executables in zip files.

I've run the test with two different executables (one 11 KB zip file,
and one 250 KB zip file) and neither was banned.  I ran the log level
on DEBUG and there's no indication that the contents of the zip files
were enumerated.

I'll attach one of those runs as a text file here.


Andrew.





---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
[The Declude JunkMail log]

10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd BASE64BODY:1 MPM-EMAILSERVER:-3 
BENTALLNEGEXCH:-13 SKIPATTACH:-12 SPFGOOD:-7 BENTALLIPISINMX:-4 
BENTALLSPAMHEAD:3 .  Total weight = -35.
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd Tests failed [weight=-35]: 
NOLEGITCONTENT=LOG[0] BASE64BODY=WARN[1] SPFPASS=LOG[0] COUNTRY=LOG[0] 
SIZE-S=LOG[0] MPM-EMAILSERVER=LOG[-3] BENTALLNEGEXCH=LOG[-13] 
SKIPATTACH=LOG[-12] SPFGOOD=LOG[-7] BENTALLIPISINMX=LOG[-4] 
BENTALLSPAMHEAD=WARN[3] 
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd R1 Message OK
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd Subject: executable attachment 
test 1 at 12:21 PM
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd From: [EMAIL PROTECTED] To: 
[EMAIL PROTECTED]  IP: 209.139.204.6 ID: 
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd Action(s) taken for [EMAIL 
PROTECTED] = LOG WARN  [LAST ACTION=WARN]
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd Cumulative action(s) taken on 
this email = LOG WARN  [LAST ACTION=WARN]



[The Declude EVA log]

10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Setting AVAFTERJM to ON.
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Setting Scan File 1 to 
D:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent 
/report=report.txt.
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd CFG: Setting report parse 1 to 
Infection:.
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Setting virus directory to: 
D:\IMAIL\spool\virus
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Setting MAXATONCE to 0.
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Incoming E-mail scanning turned ON
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Outgoing E-mail scanning turned ON
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Setting scanner timeout to 90 
seconds
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Setting BANPARTIAL to OFF.
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Allowing OBJECTDATA vulnerability
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Scanner 0 Virus Codes: 3 6 8 9 10 
.  OK Codes: 
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Skip Extensions: GIF TXT JPEG JPG 
PNG TIF TIFF BMP PDF AVI MOV MPG MPEG WMV ASX MPE DAT LOG VCF ICS CSV EMZ EMF 
RTF DWG 
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd 14 Ban Extensions: ANI CPL HTA 
ICO JS LNK PIF RP RT SCR VBE VBS EXE EZIP 
10/17/2006 12:31:44.629 q2f9d01b0000005e7.smd Virus Lite Registered
10/17/2006 12:31:44.644 q2f9d01b0000005e7.smd Starting locality check 
(sender=synchroserv.com; nr=1 ca=off). nHas=3.
10/17/2006 12:31:44.644 q2f9d01b0000005e7.smd Ending locality check (cached), 
sender=remote.
10/17/2006 12:31:44.644 q2f9d01b0000005e7.smd Local host = mail.bentall.com
10/17/2006 12:31:44.644 q2f9d01b0000005e7.smd [EMAIL PROTECTED] Offset=9 Flags=0
10/17/2006 12:31:44.644 q2f9d01b0000005e7.smd Msgid: <[EMAIL PROTECTED]>
10/17/2006 12:31:44.644 q2f9d01b0000005e7.smd Subject: executable attachment 
test 1 at 12:21 PM
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd Starting virus scanning section...
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd MIMELAYER=0
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd DoAv( 
D:\IMail\spool\proc\work\D2f9d01b0000005e7.smd );
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd avtempdir=D:\IMail\spool\proc\work
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd Temp dir set to: 
D:\IMail\spool\proc\work\D2f9d01b0000005e7.vir\
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd fp=458120
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd Vulnerability flags = 2
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd MIMELAYER++
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd DOMIME START
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd CT: Content-Type: 
multipart/mixed;boundary="----_=_NextPart_001_
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd Got boundary; 
=------_=_NextPart_001_01C6F221.7E3C9264.
10/17/2006 12:31:53.363 q2f9d01b0000005e7.smd DOMIME end-of-headers
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd ISMULTI
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Hit boundary... Recursing... 0 
(0-0-).
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIMELAYER++
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd DOMIME START
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd CT: Content-Type: 
multipart/alternative;boundary="----_=_NextPar
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Got boundary; 
=------_=_NextPart_002_01C6F221.7E3C9264.
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd DOMIME end-of-headers
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd ISMULTI
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Hit boundary... Recursing... 0 
(0-0-).
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIMELAYER++
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd DOMIME START
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd CT: Content-Type: 
text/plain;charset="UTF-8"
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Got Encoding base64.
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd DOMIME end-of-headers
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd !ISMULTI
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Handling a MIME segment 
[Boundary=------_=_NextPart_002_01C6F221.7E3C9264].
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Encoding type: base64 [1/]
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Starting BASE64
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Hit new boundary (fseek)
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd curpos=1216
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Ending BASE64
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Deleting (1) plaintext segment 
D:\IMail\spool\proc\work\D2f9d01b0000005e7.vir\0..
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIMELAYER--
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Done Recursing...
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Hit boundary... Recursing... 1 
(0-0-).
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIMELAYER++
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd DOMIME START
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd CT: Content-Type: 
text/html;charset="UTF-8"
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Got Encoding base64.
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd DOMIME end-of-headers
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd !ISMULTI
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Handling a MIME segment 
[Boundary=------_=_NextPart_002_01C6F221.7E3C9264].
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Encoding type: base64 [1/htm]
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Starting BASE64
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Hit new boundary (fseek)
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd curpos=1740
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Ending BASE64
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIME file: [text/html][base64; 
Length=291 Checksum=24449]
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Comparing |htm| to SKIPEXTs and 
BANEXTs
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Checking HTML file htm.
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Will be scanning possibly ss HTML 
file D:\IMail\spool\proc\work\D2f9d01b0000005e7.vir\0..
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd NOT PLAINTEXT:  text/html.
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIMELAYER--
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Done Recursing...
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Hit end of layer
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIMELAYER layer--
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Done Recursing...
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Hit boundary... Recursing... 2 
(0-0-).
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIMELAYER++
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd DOMIME START
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd CT: Content-Type: 
application/x-zip-compressed;name="dbclean.zip
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Setting MimeName to dbclean.zip 
[11].
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Got Encoding base64.
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Got disp name=dbclean.zip 
[MimeName=dbclean.zip].
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd DOMIME end-of-headers
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd !ISMULTI
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Handling a MIME segment 
[Boundary=------_=_NextPart_001_01C6F221.7E3C9264].
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Encoding type: base64 [2/zip]
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Starting BASE64
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Hit new boundary (fseek)
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd curpos=17760
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Ending BASE64
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIME file: dbclean.zip [base64; 
Length=11498 Checksum=1498813]
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Comparing |zip| to SKIPEXTs and 
BANEXTs
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd NOT PLAINTEXT:  
application/x-zip-compressed.
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIMELAYER--
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Done Recursing...
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Hit end of layer
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd MIMELAYER layer--
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd 0 - [HTML segment]
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd 1 - dbclean.zip
10/17/2006 12:31:53.379 q2f9d01b0000005e7.smd Scanning files (1 scanners)
10/17/2006 12:31:53.394 q2f9d01b0000005e7.smd Starting scanner #1: 
D:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent 
/report=report.txt D:\IMail\spool\proc\work\D2F9D0~1.VIR\
10/17/2006 12:31:53.394 q2f9d01b0000005e7.smd Scanner to start immediately, no 
need to wait for others to end.
10/17/2006 12:31:53.394 q2f9d01b0000005e7.smd Virus Scanner Started: 
D:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent 
/report=report.txt D:\IMail\spool\proc\work\D2F9D0~1.VIR\
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd Scanning Time: 328ms [kernel=46 
user=281]
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd Virus scanner 1 reports exit code 
of 0
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd 
D:\IMail\spool\proc\work\D2f9d01b0000005e7.vir\*.*
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd 0
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd Deleted 
D:\IMail\spool\proc\work\D2f9d01b0000005e7.vir\0.
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd 1.zip
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd Deleted 
D:\IMail\spool\proc\work\D2f9d01b0000005e7.vir\1.zip.
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd report.txt
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd Deleted 
D:\IMail\spool\proc\work\D2f9d01b0000005e7.vir\report.txt.
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd han=151fd0 b=False
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd Scanned: OK
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd High code=0.
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd AV returned 0
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd Scanned: Virus Free [MIME: 3 
12059]
10/17/2006 12:31:53.723 q2f9d01b0000005e7.smd feof=16, ferr=0
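
An added example, not part of the original post and not Declude's code: a Python sketch of the kind of check the poster expected, listing zip member names and matching their extensions against the ban list, useful for confirming independently that a test archive should have tripped the rule. The ban list is copied from the "14 Ban Extensions" log line; the limits, function names and sample archives are assumptions constructed here.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Ban list copied from the "14 Ban Extensions" line in the EVA log above.
BAN_EXTS = {"ANI", "CPL", "HTA", "ICO", "JS", "LNK", "PIF", "RP", "RT",
            "SCR", "VBE", "VBS", "EXE", "EZIP"}
MAX_DEPTH = 5                   # assumed limit on nested archives
MAX_MEMBER = 50 * 1024 * 1024   # assumed per-member size cap before recursing


def banned_members(data, ban_exts=BAN_EXTS, depth=0, prefix=""):
    """Return paths of archive members whose final extension is banned."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable zip, nothing to enumerate
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = PurePosixPath(info.filename).suffix.lstrip(".").upper()
            if ext in ban_exts:
                hits.append(path)
            # Member names are listed even when content is encrypted;
            # only recursion needs readable, reasonably sized content.
            elif (ext == "ZIP" and depth < MAX_DEPTH
                  and not info.flag_bits & 0x1
                  and info.file_size <= MAX_MEMBER):
                hits += banned_members(zf.read(info), ban_exts,
                                       depth + 1, path + "!")
    return hits


def make_zip(members):
    """Build a constructed test archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (not the poster's dbclean.zip).
inner = make_zip({"tools/Setup.ExE": b"MZ placeholder"})
sample = make_zip({"readme.txt": b"hello", "dbclean.exe": b"MZ placeholder",
                   "nested/inner.zip": inner})

if __name__ == "__main__":
    print(banned_members(sample))
```

The extension comparison is case-insensitive and uses only the final suffix, so a member named `invoice.pdf.exe` is reported while `notes.exe.txt` is not.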
