RE: [Declude.Virus] Network Associates Products Will Soon Detect Bagle Variants with Encrypted Zip Attachments

2004-03-05 Thread Markus Gufler

 ... we have discovered that their products would detect these 
 viruses if they were executed on a system, 

I strongly hope that every AV-engine installed on a local machine is able to
detect any known virus, if this virus was extracted from the encrypted zip
file after the (dumb) user has inserted the password and saved the virus
executable on his local hard disk.

Markus


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Bannotify.eml missing extension.

2004-03-05 Thread John Shacklett
Good morning. Here's a new twist.

I got one this morning that read:

The mail server for continentaloffice.com does not accept E-mail with
attachments that contain the readme.zip extension.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Thursday, March 04, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Bannotify.eml missing extension.

I saw this in the flood of messages today [or was it yesterday] and I can't
find it to chime in with a [forgive me] me too.

I have this line in my bannotify.eml:

quote
The mail server for %LOCALHOST% does not accept E-mail with attachments that
contain the %BANEXT% extension.
/quote

I just received a notification message that said:

quote
The mail server for continentaloffice.com does not accept E-mail with
attachments that contain the  extension.
/quote

I dug out the D-file for that message and here's the relevant hunk out of
the MIME headers:

quote
--pbgivjxdscnisewbjysa
Content-Type: application/octet-stream; name=Readme.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Readme.zip
/quote

I have the D-file, and I have the log extract. This only happens
intermittently, but we've gotten so many over the last few days that I've
noticed them more than I would have otherwise. This was an encrypted ZIP
attachment, with an EXE inside. I'm doing BANZIPEXTSON and BANEZIPEXTS
ON, but not BANEXT  ZIP or its ezip cousin. And finally, I am getting
other notifications with ZIP-scr or ZIP-exe in the %BANEXT% spot. 

Having said all that: is this further evidence of a glitch or not? [I'm
almost totally befuddled at this point, and I hate being a me too. Sorry.]


--

John Shacklett

[EMAIL PROTECTED]
[EMAIL PROTECTED]

www.continentaloffice.com
 



RE: [Declude.Virus] Bannotify.eml missing extension.

2004-03-05 Thread R. Scott Perry

Good morning. Here's a new twist.

I got one this morning that read:

The mail server for continentaloffice.com does not accept E-mail with
attachments that contain the readme.zip extension.
That's how the new change works to prevent it from saying ... contain the 
. extension, until a better solution can be found.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.

2004-03-05 Thread R. Scott Perry

the minimum that would be practically usable for us :

1- Notifications based on banned extension: ONLYSENDIFEXT, SKIPIFEXT
This we hope to add.

2-BANEZIPEXT2 independent from banext, as in
BANEZIPEXT2 exe
BANEZIPEXT2 com
BANEXT scr
BANEZIPEXT ON
This we will likely be adding.

3- ONLYSENDIFFORGING
Interesting.  We could probably do this, but would need to figure out how 
to make sure it doesn't get mis-used.

Also, request for 2 cross-product features
1- REVDNS for %REMOTEIP% in virus
This is something that we have been considering for quite some time now.

2- Test on attachment type in JM
This is an interesting idea.  That will happen if we add full MIME support 
to Declude JunkMail, but in the meantime it might be possible to add for 
people who are running both products.

   -Scott


Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.

2004-03-05 Thread Matt
I do believe that JunkMail Pro can be used to look at the base64 code of 
the message, and if you can pull the proper header out, you can tag the 
attachment type.  This is what I was looking to do when I was asking for 
someone to send me a copy of the virus early on, apparently there is a 
one character difference between normal zips and password protected ones.

Matt



R. Scott Perry wrote:


That is exactly why I suggested scanning for file types instead of
extension.  I think Scott mentioned that they need to include full MIME
decoding before something like that would be possible.
Scott, how feasible is this idea for inclusion?


I'm not sure exactly what the idea is.  Some of the ideas suggested 
are already available (such as scanning all attachments, regardless of 
extension).

For Declude Virus, there is no issue of MIME decoding -- Declude Virus 
complete MIME decodes each E-mail.

We can attempt to determine the file type without looking at the 
extension, and should be able to accurately detect most .EXEs, and all 
.ZIP files.  But it would still not be possible to accurately detect 
batch files, scripts, etc. (without a huge amount of resources being 
used to create the test and use it).  However, if we *do* do that (as 
was the case with 1.78i7 and .ZIP files, where it would detect them 
regardless of extension), it poses a problem: Most people right now 
want to be able to send .ZIP files.  There would need to be many 
options set up to implement something like this.

   -Scott

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.

2004-03-05 Thread R. Scott Perry

By detecting the file type instead of just the extension, and allowing
configurable actions based on detected filetype, we could avoid future
viruses that ask the user to rename the file upon receipt.
But, that prevents people from doing the same for good purposes, too.  So 
you can no longer say If you rename the .exe file to .xex, it will go 
through OK.

FWIW, though, we do have some code already written for detection of certain 
file types (actually, most of the code is backwards, checking to see if a 
file type is really what the extension claims to be).  So it may not be 
that difficult to add.

   -Scott
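Two points in this thread lend themselves to a worked example: Matt's observation that a password-protected ZIP differs from a plain one by a single character in the base64 body, and Scott's remark that the detection code checks whether the bytes really are what the extension claims. The script below is an added example and is not Declude code; it parses a MIME message, decodes each attachment, reads the general-purpose flag of the ZIP local file header (bit 0 set means the entry is encrypted) and flags attachments whose content disagrees with their extension. The sample message and the header-only ZIP fragments are constructed inline so it runs offline; the only change between the two fragments is the flag word, which is what isolates the one differing base64 character (a real encrypted entry also carries a 12-byte encryption header, so its sizes differ as well).

```python
"""Content-based ZIP / encrypted-ZIP detection for e-mail attachments.

Added example (not Declude's code). All sample data is constructed inline.
"""
import base64
import email
import struct
import zlib
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_SIG = b"PK\x03\x04"   # local file header signature (0x04034b50, little-endian)
ZIP_LOCAL_HEADER_LEN = 30
FLAG_ENCRYPTED = 0x0001         # general-purpose bit 0 (PKZIP APPNOTE)


def make_zip_fragment(encrypted: bool, name: bytes = b"readme.exe",
                      payload: bytes = b"MZ-dummy-payload") -> bytes:
    """Constructed local-file-header fragment (no central directory), test data only.

    Only the flag word changes between the plain and 'encrypted' variant, so the
    two fragments differ in exactly one byte (offset 6).
    """
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(
        "<I5HIIIHH",
        0x04034B50,           # signature
        20,                   # version needed to extract (2.0)
        flags,                # general-purpose bit flag
        0,                    # compression method: stored
        0, 0x21,              # last-mod time / date (arbitrary)
        zlib.crc32(payload),  # CRC-32 of the data
        len(payload),         # compressed size
        len(payload),         # uncompressed size
        len(name),            # file name length
        0,                    # extra field length
    )
    return header + name + payload


def classify_bytes(data: bytes) -> str:
    """Return 'zip', 'ezip' (encrypted ZIP), 'truncated-zip' or 'other'."""
    if not data.startswith(ZIP_LOCAL_SIG):
        return "other"
    if len(data) < ZIP_LOCAL_HEADER_LEN:
        return "truncated-zip"
    (flags,) = struct.unpack_from("<H", data, 6)  # flag word sits at bytes 6-7
    return "ezip" if flags & FLAG_ENCRYPTED else "zip"


def base64_diff_positions(a: bytes, b: bytes) -> list:
    """Indexes at which the base64 encodings of a and b differ."""
    ea = base64.b64encode(a).decode("ascii")
    eb = base64.b64encode(b).decode("ascii")
    return [i for i, (x, y) in enumerate(zip(ea, eb)) if x != y]


def scan_message(raw: bytes) -> list:
    """Decode every attachment; report (filename, detected kind, extension_matches)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = classify_bytes(part.get_payload(decode=True) or b"")
        claims_zip = name.lower().endswith(".zip")
        really_zip = kind in ("zip", "ezip")
        results.append((name, kind, claims_zip == really_zip))
    return results


def build_sample_message(attachments) -> bytes:
    """Constructed MIME message with base64 attachments (demo input only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Body text of the constructed sample.")
    for filename, blob in attachments:
        msg.add_attachment(blob, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    plain, enc = make_zip_fragment(False), make_zip_fragment(True)
    raw = build_sample_message([("Readme.zip", plain), ("Readme.zip", enc),
                                ("notes.txt", enc)])
    for row in scan_message(raw):
        print(row)
    print("base64 positions that differ:", base64_diff_positions(plain, enc))
```

The flag's low byte is the first byte of a three-byte base64 group, and bit 0 of that byte lands in the group's second output character, so a plain and an otherwise identical encrypted header differ at base64 index 9. The third attachment shows the extension check: a ZIP header inside a file called notes.txt is reported with extension_matches False, which is the kind of mismatch a content-based rule catches and an extension-based BANEXT rule does not.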


RE: [Declude.Virus] Declude Virus Questions

2004-03-05 Thread Gregory Dias
I am trying to allow standard .zip files but block encrypted/password
protected .zip files.  I have the BANEXT ezip line included in the
virus.cfg file, but it still allows the message through.  Am I doing
something wrong?

Thanks,
Greg



Re: [Declude.Virus] Network Associates Products, McAfee what does it catch?

2004-03-05 Thread Greg Little




According to AVERT (McAfee's Virus Lab), their Gateway products are
catching the .J (variable password) files, but the desktops are not.
I read by "Gateway products" they are pulling the password from the
body and using that to unpack and check.

Unless there is a "simple/quick" backdoor/crack for passworded ZIPs for
the AV companies to use, variable password is going to be a BIG pain
for all of us.
There are other variations on the random password problem that would
make "find it in the e-mail" impossible. So, while I see the
short/medium term benefits of "find the password", I doubt that will
be our long term solution.
I would class the "hint/clue type" as only annoying on that scale, they
would tend to follow predictable patterns. (reactive solutions should
be possible)

Another variable in "What does McAfee catch?" is using the Daily DATs.
These are always labeled 4100.
Also the Extra.Dat (think quick patch to the regular DAT files) that
included .H  .I had a generic Zip check. I pull out just that
check and it is getting some of the encrypted zips. Looks like the
static .F version and not the dynamic .J .
(This doesn't add much, except better info. Blocking all pwd protected
zips is currently the only safe plan for most of us.)

Also they claim that a switch added to the command line can cause it to
catch the .J versions.
I blanked out the possible switch until I get to do some more testing
and the dust settles a little. They are evolving daily, just like
Declude. If someone wants to test, e-mail me or AVERT (off list).

Greg Little
Dear Greg,

The following is true:

"We DO still detect the !pwdzip at the gateway. 
We DO NOT detect the !pwdzip at the desktop."

However, you can also detect the !pwdzip by using the Command-Line Scanner
with the / switch.

And:

"Of course, when the user opens the zip and provides the password we will 
still detect the worm and prevent it running."
...

Regards,

Brant Yaeger
Virus Research Analyst
McAfee AVERT (TM)
A division of McAfee, Inc.






Re: [Declude.Virus] 32-bit avgscan.exe does now work.

2004-03-05 Thread bill.maillists
Matt,

Would you please provide a description of the switches you are using with the 32-bit
AVG setup.

Thanks,

Bill

-- Original Message --
From: Butch Andrews [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 05 Mar 2004 09:38:12 -0600

Scott
This setup works for me. The 16-bit version of AVG would not stay up with
the 32-bit F-Prot and caused constant Error Starting Scanner errors. On
heavy days the Imail overflow folder would begin to fill and mail would
back up. Since changing to the 32-bit version and using this setup late
last night, the mail has flowed with no errors and no slow down. Just
checked my console that was refreshed after a re-boot earlier this week
and the report line reads:
E-mails scanned: 1369680   [Spam 1316181  Virus  29538]  Relay High: 13 and
delivery is as close to instant as possible. By the way the log analyzer
shows 0 outbound viruses, a great testimony to your valiant efforts. It's
been a hell of a week and you deserve many kudos, the weekend off, and at
the least a standing ovation.

-Butch


*** REPLY SEPARATOR  ***

On 3/4/2004 at 8:12 PM R. Scott Perry wrote:

I should have read the previous message closer, so point the finger at me
for jumping the gun totally.  The 32-bit version of avgscan.exe does in
fact now work (this definitely wasn't the case earlier).  The switches for
this should be modified when moving to the 32-bit version.  I'm not
positive that all of this is necessary, but here's what I'm using after
researching what they did.

SCANFILE2 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOEXPORT /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE25
VIRUSCODE26
REPORT2   identified

If others can agree on the best switches, this should probably be added to
the Declude Virus manual.

This is good news.  :)

After this gets discussed, we'll add the configuration to the manual.

-Scott


