The AOL Feedback loop creates alot of these false positives also...we
deactivated this test in our Declude a while back....
-------
Randy A.
Technical Support Director
Global Web Solutions, Inc.
804-442-5300
http://globalweb.net
----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <declude.virus@declude.com>
Sent: Monday, December 03, 2007 11:41 AM
Subject: Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability
Disable it and be done with it. There is no option to partially support
the issue, and the issue is very likely not a threat. Just because
something isn't RFC compliant doesn't mean that it is a threat. The
vulnerability was from Outlook displaying attachments that were hidden by
bad encoding, but that flaw was likely patched, or at least it has not
been exploited in mass.
Matt
Mon Mariola - Rubén wrote:
Matt,
So far, the only case where I find this vulnerability is in the mail sent
from the program Incredimail.
If these lines are actually prohibited in RFC, it is safer to seek
Incredimail technical support to solve your problem.
But I fear that the explanation in Declude manual is false and that there
is a section in RFC that says clearly that these lines are not allowed.
Thank you.
Ruben Marti.
Mon Mariola, S.L.
----- Original Message ----- From: Matt
To: declude.virus@declude.com
Sent: Monday, December 03, 2007 4:15 PM
Subject: Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability
Ruben,
In your Virus.cfg file, add the following line:
ALLOWVULNERABILITY OLBLANKFOLDING
This will turn off this vulnerability detection. There have been no
viruses that I know of that have exploited this flaw, and it is quite
possible that this flaw no longer exists since it is around 5 years old
now. You might also want to consider turning off other vulnerability
detections due to the propensity of them hitting legitimate E-mail.
Here's a list:
BANPARTIAL OFF
ALLOWVULNERABILITY OLCR
ALLOWVULNERABILITY OLSPACEGAP
ALLOWVULNERABILITY OLMIMESEGMIMEPRE
ALLOWVULNERABILITY MIMESEGMIMEPOST
ALLOWVULNERABILITY OLLONGFILENAME
ALLOWVULNERABILITY OLBLANKFOLDING
ALLOWVULNERABILITY OBJECTDATA
ALLOWVULNERABILITY OLBOUNDARYSPACEGAP
ALLOWVULNERABILITY OLMIMEHEADER
ALLOWVULNERABILITY OLLONGBOUNDARY
Matt
Mon Mariola - Rubén wrote:
The program "incredimail" generates subjects, in certain cases, ended
with "0D 0A 09 0D 0A." These messages are captured by Declude virus like
"Outlook 'Blank Folding' Vulnerability". I want to send a letter
requesting to technical support solve this problem, but I really do not
see the point 3.2.3 in RFC 822 indicating that this is not allowed.
Thank you.
Ruben Marti.
Mon Mariola, S.L.
From Declude manual:
Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when
there is a line in the headers with just a single space or a single tab
character. Outlook can treat this as the end of the headers, allowing it
to see a virus that is embedded in the headers. RFC822 3.2.3 says that it
is not valid to have such lines, nor is there any legitimate reason for
an E-mail to contain a blank line in the headers with a single space or
tab (note that it is OK to have a line with a single space or tab in the
E-mail body, just not the headers).
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.