Re: [Declude.Virus] BANEXT SHS

2002-12-16 Thread Sheldon Koehler
> Hope that helps.

Thanks John!

Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain




---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.Virus] BANEXT SHS

2002-12-16 Thread John Tolmachoff
http://www.antichip.org/virusinfo/extensions.html
http://www.internetworking.ch/htme/security13.htm
http://www.f-secure.com/v-descs/stages.shtml
http://www.quickheal.com/stages.htm
http://www.geocities.com/floydian_99/inv2.html
http://archives.neohapsis.com/archives/vuln-dev/1999-q4/0122.html

Hope that helps.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Sheldon Koehler
Sent: Monday, December 16, 2002 11:18 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] BANEXT SHS

I have 2 people that are mad at me for blocking the SHS extension. Are there
any web pages from anti virus companies or some such "Authority" that I can
send them on why I am blocking it?

They say they are sending a Christmas card.

Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain







[Declude.Virus] BANEXT SHS

2002-12-16 Thread Sheldon Koehler
I have 2 people that are mad at me for blocking the SHS extension. Are there
any web pages from anti virus companies or some such "Authority" that I can
send them on why I am blocking it?

They say they are sending a Christmas card.

Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain







RE: [Declude.Virus] How to explain the [Partial Vulnerability] virus to a user.

2002-12-16 Thread Steven Copeland
Thanks for the explanation Scott and John.

Steven

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
> Sent: Monday, December 16, 2002 12:15 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] How to explain the [Partial Vulnerability]
> virus to a user.
>
>
>
> >How do you explain the [Partial Vulnerability] virus to a user?
>
> Something like "Back in the old days, E-mails were limited to 50K each, and
> large files had to be broken down among several smaller E-mails.  For years
> now, however, E-mails haven't been limited to a specific size, and so
> people rarely ever split up E-mails anymore.  Recently, it was discovered
> that splitting up E-mails would bypass many virus scanners, so it is now
> recommended practice for mailservers to block any E-mails that have been
> split up in this way."
>
> >How do they fix it?
>
> They need to set their mail client not to split up outgoing E-mails.  They
> almost certainly at some point saw a checkbox in their mail client settings
> and said "Gee, let me check this!"; that's the one they need to uncheck.
>
> >   I believe it comes from having this setting turned on in my config?
> >
> >BANCRVIRUSES ON
>
> Correct.  It is STRONGLY recommended to keep that at its default setting of
> ON; otherwise, future viruses WILL get through your server.
>  -Scott
>



Re: [Declude.Virus] Order of operations

2002-12-16 Thread R. Scott Perry


> I got this today and have a question.
> - Declude Virus v1.65 caught the [Outlook 'MIME Header' Vulnerability]
> virus in CLEAR.pif from [EMAIL PROTECTED] to:
>
> Does Declude check for the vulnerabilities and if one is found that's
> it?  No virus check?

It checks for both vulnerabilities and viruses at about the same time, but
will always give priority to viruses that are detected.  In this case, the
virus was not detected as a virus.

Have you checked the log file to see if it reports anything unusual about
this E-mail?  Have you checked recently to see if the eicar.com file gets
caught when sent from our Test Mail Sender at http://www.declude.com/tools ?
   -Scott



[Declude.Virus] Order of operations

2002-12-16 Thread Dan Shadix
I got this today and have a question.
- Declude Virus v1.65 caught the [Outlook 'MIME Header' Vulnerability] virus in CLEAR.pif from [EMAIL PROTECTED] to:

Does Declude check for the vulnerabilities and if one is found that's it?  No virus check?

Dan



RE: [Declude.Virus] How to explain the [Partial Vulnerability] virus to a user.

2002-12-16 Thread John Tolmachoff
> Below is a copy of the postmaster e-mail this domain is getting.  Any help
> in explaining this would be appreciated.

I am sure Scott will respond, but until he does, what is happening is the
user is sending an e-mail with an attachment using Outlook Express that is too
large. Outlook Express is breaking it up into a number of messages so that
it can be sent.

The problem with this is that a virus could hide and not be detected.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






Re: [Declude.Virus] How to explain the [Partial Vulnerability] virus to a user.

2002-12-16 Thread R. Scott Perry


> How do you explain the [Partial Vulnerability] virus to a user?

Something like "Back in the old days, E-mails were limited to 50K each, and
large files had to be broken down among several smaller E-mails.  For years
now, however, E-mails haven't been limited to a specific size, and so
people rarely ever split up E-mails anymore.  Recently, it was discovered
that splitting up E-mails would bypass many virus scanners, so it is now
recommended practice for mailservers to block any E-mails that have been
split up in this way."

> How do they fix it?

They need to set their mail client not to split up outgoing E-mails.  They
almost certainly at some point saw a checkbox in their mail client settings
and said "Gee, let me check this!"; that's the one they need to uncheck.

> I believe it comes from having this setting turned on in my config?
>
> BANCRVIRUSES ON

Correct.  It is STRONGLY recommended to keep that at its default setting of
ON; otherwise, future viruses WILL get through your server.
-Scott



[Declude.Virus] How to explain the [Partial Vulnerability] virus to a user.

2002-12-16 Thread Steven Copeland
How do you explain the [Partial Vulnerability] virus to a user?  How do they
fix it?  I believe it comes from having this setting turned on in my config?
#
# The BANCRVIRUSES option will automatically treat E-mail with malformed headers that could
# contain a virus as if they did contain a virus.  It is strongly recommended that you keep
# this set to ON; otherwise, viruses could slip through.
#

BANCRVIRUSES ON

Below is a copy of the postmaster e-mail this domain is getting.  Any help
in explaining this would be appreciated.

Steven

- Original Message -
From: "Postmaster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 12, 2002 1:54 PM
Subject: Your mail server sent us a virus


>
> The E-mail Virus detection system on bps.k12.ok.us detected the
> [Partial Vulnerability] virus that appears to have come from your mail
> server.
>
> From: [EMAIL PROTECTED]
> To:   [EMAIL PROTECTED],
> Subject:  "Fw:  HAPPY 2003 Happy 2003.pps [02/15]".
> The [Partial Vulnerability] was sent in the attachment Unknown File.
>
> The Message-ID was:
> <001d01c2a218$0ac20f00$0e0afa0a@tpatrick>.
>
> Remote IP:  64.250.195.9
>
> Original Header information is provided below:
> -START E-MAIL HEADERS-
> Received: from tpatrick [64.250.195.9] by schoolnet.pldi.net
>   (SMTPD32-7.13) id A97F3D600E4; Thu, 12 Dec 2002 13:54:39 -0600
> Message-ID: <001d01c2a218$0ac20f00$0e0afa0a@tpatrick>
> Reply-To: "Tiffani Patrick" <[EMAIL PROTECTED]>
> From: "Tiffani Patrick" <[EMAIL PROTECTED]>
> To: "Andrea Stewart" <[EMAIL PROTECTED]>
> Subject: Fw:  HAPPY 2003 Happy 2003.pps [02/15]
> Date: Thu, 12 Dec 2002 13:52:44 -0600
> Organization: Bethany Public Schools
> MIME-Version: 1.0
> Content-Type: message/partial;
>     total=15;
>     id="01C2A218.0A44EFC0@tpatrick";
>     number=2
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.00.2615.200
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
> -END E-MAIL HEADERS-
>






Re: [Declude.Virus] Scanning Process

2002-12-16 Thread R. Scott Perry


> We are testing two virus scanners with Declude Pro and wanted to confirm
> our thoughts.  Is it true that the scanners scan the file first, whether
> you have one, two, or five and then once done, the action on the virus is
> taken (i.e. quarantined)?

That is correct.  Declude Virus Pro will check the attachments against all
the virus scanners that you have configured, and if any of them report that
a virus was detected, Declude Virus will quarantine the E-mail.
   -Scott



[Declude.Virus] Scanning Process

2002-12-16 Thread Keith Johnson
We are testing two virus scanners with Declude Pro and wanted to confirm our thoughts.  Is it true that the scanners scan the file first, whether you have one, two, or five and then once done, the action on the virus is taken (i.e. quarantined)?

___

Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel:   502.412.1050
Fax:  502.412.1058
Email:  [EMAIL PROTECTED]

"Good pings come in small packets"