Re: [Declude.Virus] W32.Netsky.B@mm Slipping through
Doubtful - we've been catching the same Netskys both before and after these slipped through. Hundreds of em.

Jonathan

At 06:43 AM 2/25/2004, you wrote:

> > I realize this generally does mean it's corrupt -- but you're missing the "scary" part. If I scan the file that came in with the same install of F-Prot, (from the mail server), it catches it as Netsky.
>
> If scanning it from F-Prot on the mailserver catches it, it should get caught when Declude Virus calls F-Prot (assuming that F-Prot is working, the eicar.com file gets caught, and there are no messages in the log file when the E-mail with the virus is scanned).
>
> We aren't aware of any cases where the same copy of F-Prot with the same virus definitions will catch an attachment that passes through Declude Virus. Is it possible that the virus definitions were updated after the E-mail first arrived?
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] W32.Netsky.B@mm Slipping through
> I realize this generally does mean it's corrupt -- but you're missing the "scary" part. If I scan the file that came in with the same install of F-Prot, (from the mail server), it catches it as Netsky.

If scanning it from F-Prot on the mailserver catches it, it should get caught when Declude Virus calls F-Prot (assuming that F-Prot is working, the eicar.com file gets caught, and there are no messages in the log file when the E-mail with the virus is scanned).

We aren't aware of any cases where the same copy of F-Prot with the same virus definitions will catch an attachment that passes through Declude Virus. Is it possible that the virus definitions were updated after the E-mail first arrived?

-Scott
Re: [Declude.Virus] W32.Netsky.B@mm Slipping through
I realize this generally does mean it's corrupt -- but you're missing the "scary" part. If I scan the file that came in with the same install of F-Prot, (from the mail server), it catches it as Netsky.

Jonathan

At 06:23 AM 2/23/2004, you wrote:

> > We've gotten several, here are a couple:
> >
> > 02/18/2004 10:33:12 Q93c835e1004873e1 Scanned: Virus Free [MIME: 2 22065]
> > 02/18/2004 15:56:37 Qdf95a7880150b2de Scanned: Virus Free [MIME: 2 22057]
> >
> > Running F-Prot, McAfee and now AVG.
>
> The "Virus Free" message means that none of the virus scanners detected a virus. Most likely, these are corrupt, non-viable variants. With Netsky, we've seen a version in .ZIP files that were corrupt (yet about the same size as normal), so that it would not be possible to extract the virus out of the .ZIP file.
>
> -Scott
Re: [Declude.Virus] W32.Netsky.B@mm Slipping through
> We've gotten several, here are a couple:
>
> 02/18/2004 10:33:12 Q93c835e1004873e1 Scanned: Virus Free [MIME: 2 22065]
> 02/18/2004 15:56:37 Qdf95a7880150b2de Scanned: Virus Free [MIME: 2 22057]
>
> Running F-Prot, McAfee and now AVG.

The "Virus Free" message means that none of the virus scanners detected a virus. Most likely, these are corrupt, non-viable variants. With Netsky, we've seen a version in .ZIP files that were corrupt (yet about the same size as normal), so that it would not be possible to extract the virus out of the .ZIP file.

-Scott
Re: [Declude.Virus] W32.Netsky.B@mm Slipping through
We've gotten several, here are a couple:

02/18/2004 10:33:12 Q93c835e1004873e1 Scanned: Virus Free [MIME: 2 22065]
02/18/2004 15:56:37 Qdf95a7880150b2de Scanned: Virus Free [MIME: 2 22057]

Running F-Prot, McAfee and now AVG.

Jonathan

At 07:53 AM 2/21/2004, you wrote:

> > Has anyone seen a lot of W32.Netsky.B slipping through?
>
> No.
>
> > Why didn't declude tag it? I don't see any errors in the vir* logs, and others have been getting infected notices.
>
> What does the Declude Virus log file say for that E-mail?
>
> -Scott
Re: [Declude.Virus] W32.Netsky.B@mm Slipping through
> Has anyone seen a lot of W32.Netsky.B slipping through?

No.

> Why didn't declude tag it? I don't see any errors in the vir* logs, and others have been getting infected notices.

What does the Declude Virus log file say for that E-mail?

-Scott
RE: [Declude.Virus] W32.Netsky.B@mm Slipping through
Sidenote to the above .. I ran F-Prot (right from the mail server, actually) on one of the files from quarantine.

stuff.com.dont-execute Infection: W32/[EMAIL PROTECTED]

Results of virus scanning:
Files: 1
MBRs: 1
Boot sectors: 1
Objects scanned: 3
Infected: 1

Why didn't declude tag it? I don't see any errors in the vir* logs, and others have been getting infected notices.

Thoughts?

Jonathan

---

Has anyone seen a lot of W32.Netsky.B slipping through? We see tons of them getting trapped, but we've also had lots of reports of them getting through. Ordinarily, we just tell people that they're just corrupted versions, but we've had many more reports than usual with Netsky.B.

I haven't verified that it's the actual virus -- I'm not sure of the best way to do this. If they can get me a quarantined version, is there an MD5 checksum published for it?

Any comments? Any way they could be slipping through?

Jonathan
[Declude.Virus] W32.Netsky.B@mm Slipping through
Has anyone seen a lot of W32.Netsky.B slipping through? We see tons of them getting trapped, but we've also had lots of reports of them getting through. Ordinarily, we just tell people that they're just corrupted versions, but we've had many more reports than usual with Netsky.B.

I haven't verified that it's the actual virus -- I'm not sure of the best way to do this. If they can get me a quarantined version, is there an MD5 checksum published for it?

Any comments? Any way they could be slipping through?

Jonathan
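
Added example (not part of the original thread, and not Declude or F-Prot code): one way to triage a quarantined attachment along the lines the thread discusses, hashing it for comparison with a published checksum and testing whether a ZIP can actually be extracted, which is the corrupt-but-same-size case Scott describes. The function names and the harmless in-memory samples are constructed for illustration.

```python
import hashlib
import io
import zipfile
import zlib


def triage_attachment(data: bytes) -> dict:
    """Hash a quarantined attachment and test whether a ZIP inside can be extracted."""
    report = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),        # to compare with a published checksum
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_zip": data[:4] == b"PK\x03\x04",         # ZIP local file header signature
        "extractable": None,                         # None: not a ZIP, nothing to extract
        "error": None,
    }
    if not report["is_zip"]:
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()                       # reads every member, checks its CRC-32
    except (zipfile.BadZipFile, zlib.error, EOFError, RuntimeError, NotImplementedError) as exc:
        # no central directory, broken deflate stream, encrypted or unsupported member
        report.update(extractable=False, error=f"{type(exc).__name__}: {exc}")
        return report
    report["extractable"] = bad is None
    report["error"] = None if bad is None else f"CRC mismatch in member {bad!r}"
    return report


def constructed_samples() -> dict:
    """Build harmless in-memory samples (constructed for this example)."""
    payload = b"harmless constructed payload"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", payload)
    good = buf.getvalue()
    damaged = bytearray(good)
    damaged[good.index(payload)] ^= 0xFF             # same size, one flipped data byte
    return {
        "intact.zip": good,
        "damaged.zip": bytes(damaged),
        "truncated.zip": good[: len(good) // 2],     # central directory cut off
        "notzip.bin": b"constructed non-ZIP bytes",
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage_attachment(blob))
```

A checksum only matches byte-identical files, so a differing MD5 does not show that a sample is harmless; an attachment that reports `extractable: False` fits the corrupt, non-viable case, while one that extracts cleanly is worth rescanning with the same scanner and definitions.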