----- Original Message ----- From: "Sanford Whiteman" <[EMAIL PROTECTED]> To: "R. Scott Perry" <[EMAIL PROTECTED]> Sent: Sunday, March 24, 2002 3:39 PM Subject: Re[2]: [IMail Forum] Attn: Declude Confirm users who have upgraded to IMail 7.06HF1
> Scott, > > > FYI, we have just found out that this can cause problems with > > Declude Virus and F-Prot (which uses the 8.3 file names). This needs > > to be set to 0 if using Declude Virus and F-Prot (and likely some > > other scanners, as well). > > Thanks. Interesting caveat (or, "Wow, that sucks."). Seems like a > security hole to me. I know that Frisk is on top of the internals of > scanning, but it seems they need to look at the externals a little bit > as well. Scenario: I write a brand-new virus whose payload is turning > off SFN auto-create; even if they update their sigs to catch the > Registry entry, all of the files created in the interim will always be > invisible, even if they contain age-old viruses. > Your proposed virus would actually have to execute on the (supposedly secure) mail server, and in a context that it could actually change the registry. If an admin allows anything close to that scenario, he has more problems than potentially passing a virus. I would imagine that fpcmd.exe (the 32 bit console command line version) included with the Win version of F-Prot would function OK. It's also not a problem with the on-access stuff, or the Windows GUI on-demand scanner. IOW, it's not an F-Prot problem. Problem is most are using the "DOS" F-Prot.exe with Declude, as fpcmd is relatively new. Turning off SFNs should never be done until a full audit of everything that will be run on a box is done. Even some "32bit" stuff will break. A busy mail server is one of the few applications it could make a real difference though, but I still prefer for programs to stick to 8.3 wherever possible. They were currently only using hex based numbering for the filename, I would have gone to base36 numbering before moving past 8.3 conventions. Jerry Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Please visit the Knowledge Base for answers to frequently asked questions: http://www.ipswitch.com/support/IMail/
