RE: [Declude.Virus] F-Prot exit code 8 and body content

2006-01-31 Thread John T (Lists)
Markus, even though I know others have said they can not do this, I am
blocking any zip, including ezips that have an executable within them.

All of my clients know this and I have a published policy on it which
includes instructions on what to do if you must get these through.

As such, IMHO, this issue is fine. Others' mileage may vary.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Tuesday, January 31, 2006 10:39 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
>
> Matt, John,
>
> F-Prot is not catching simple e-zips. I supposed it was the "password"
> string in the mailbody. Now after an additional test it turned out that
> F-Prot is exiting with code 8 if there is an attached e-zip containing
> .exe files. The mail body does not seem to interfere with F-prot's result.
>
> This is a problem for those who need to allow any extensions in zip files.
>
> Maybe we can ask F-Prot if they can change the signatures to catch only
> exe in ezips if they are larger than ...
> Usually legit ezips should be much larger than 100 kByte.
>
> I wouldn't remove exit code 8 from my configuration because most of the
> outbreaks in the last year were caught by this exit code before any
> AV scanner had updated signatures.
>
> Markus
>
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Tuesday, January 31, 2006 7:17 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
> >
> > I am using viruscode 8 and it is not blocking password
> > protected zips. I think like Markus said it is looking for a
> > combination of a password protected zip, an executable and
> > the phrase he listed.
> >
> > Markus, did that attachment have an executable within the zip file?
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of Matt
> > > Sent: Tuesday, January 31, 2006 10:02 AM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
> > >
> > > Markus,
> > >
> > > I believe that this is something that several of us railed against and
> > > tried to get F-Prot to change.  Formerly no known viruses would be
> > > tagged with an exit code of 8, but then they suddenly started tagging
> > > some known viruses this way, essentially requiring us to add that code
> > > in for detection.  The downside of this is that this exit code also
> > > blocks things like encrypted zips.  It was a real shame.
> > >
> > > It's worth checking to see if F-Prot is tagging more recent known
> > > viruses with exit code 8 because if they are no longer doing this, I
> > > would assume that turning it off would be wise so long as you had two
> > > virus scanners running.
> > >
> > > Note that I'm not dismissing your primary intention of pointing out
> > > the FP issue with virus scanning and a way to deal with it.
> > >
> > > Matt
> > >
> > >
> > >
> > > Markus Gufler wrote:
> > >
> > > >Today I've had a message held as a false positive ("unknown virus"
> > > >exit code 8)
> > > >
> > > >F-Prot seems to end with this exit code if a password protected zip
> > > >file is attached and the body contains something like
> > > >
> > > >"password: ."
> > > >
> > > >This message was definitively no false positive and so I requeued it.
> > > >
> > > >I've noted it due to the low number of postmaster virus warnings I
> > > >receive because they are sent to me only if the detected virus is not
> > > >a forging one.
> > > >Fortunately this legit message wasn't deleted from the virus folder
> > > >among thousands of unwanted Netskys and Sobers.
> > > >
> > > >Markus
> > > >
> > > >---
> > > >[This E-mail was scanned for viruses by Declude EVA www.declude.com

RE: [Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread Markus Gufler
Matt, John,

F-Prot is not catching simple e-zips. I supposed it was the "password"
string in the mailbody. Now after an additional test it turned out that
F-Prot is exiting with code 8 if there is an attached e-zip containing .exe
files. The mail body does not seem to interfere with F-prot's result.

This is a problem for those who need to allow any extensions in zip files.

Maybe we can ask F-Prot if they can change the signatures to catch only exe
in ezips if they are larger than ...
Usually legit ezips should be much larger than 100 kByte.

I wouldn't remove exit code 8 from my configuration because most of the
outbreaks in the last year were caught by this exit code before any
AV scanner had updated signatures.

Markus



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Tuesday, January 31, 2006 7:17 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] F-prot exit code 8 and body content
>
> I am using viruscode 8 and it is not blocking password
> protected zips. I think like Markus said it is looking for a
> combination of a password protected zip, an executable and
> the phrase he listed.
>
> Markus, did that attachment have an executable within the zip file?
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of Matt
> > Sent: Tuesday, January 31, 2006 10:02 AM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
> >
> > Markus,
> >
> > I believe that this is something that several of us railed against and
> > tried to get F-Prot to change.  Formerly no known viruses would be
> > tagged with an exit code of 8, but then they suddenly started tagging
> > some known viruses this way, essentially requiring us to add that code
> > in for detection.  The downside of this is that this exit code also
> > blocks things like encrypted zips.  It was a real shame.
> >
> > It's worth checking to see if F-Prot is tagging more recent known
> > viruses with exit code 8 because if they are no longer doing this, I
> > would assume that turning it off would be wise so long as you had two
> > virus scanners running.
> >
> > Note that I'm not dismissing your primary intention of pointing out
> > the FP issue with virus scanning and a way to deal with it.
> >
> > Matt
> >
> >
> >
> > Markus Gufler wrote:
> >
> > >Today I've had a message held as a false positive ("unknown virus"
> > >exit code 8)
> > >
> > >F-Prot seems to end with this exit code if a password protected zip
> > >file is attached and the body contains something like
> > >
> > >"password: ."
> > >
> > >This message was definitively no false positive and so I requeued it.
> > >
> > >I've noted it due to the low number of postmaster virus warnings I
> > >receive because they are sent to me only if the detected virus is not
> > >a forging one.
> > >Fortunately this legit message wasn't deleted from the virus folder
> > >among thousands of unwanted Netskys and Sobers.
> > >
> > >Markus
> > >
> > >---
> > >[This E-mail was scanned for viruses by Declude EVA www.declude.com]
> > >
> > >---
> > >This E-mail came from the Declude.Virus mailing list.  To
> > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > >type "unsubscribe Declude.Virus". The archives can be found
> > >at http://www.mail-archive.com.

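Added example, not part of any message in this thread and not F-Prot's or Declude's own logic: a gateway-side check that reads a zip attachment's central directory to report the case discussed above (an encrypted zip with an executable member) and applies the hold-any-executable policy from the first reply. The extension list, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed extension list for illustration; the thread only names .exe.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
SMALL_ZIP = 100 * 1024  # the 100 kByte figure mentioned in the thread


def classify_zip(data: bytes) -> dict:
    """Inspect a zip attachment's central directory without decrypting it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        return {"hold": True, "reason": "unreadable zip"}
    # Bit 0 of the general-purpose flag marks an encrypted member; with
    # classic zip encryption the member names themselves stay readable.
    encrypted = [m.filename for m in members if m.flag_bits & 0x1]
    executables = [m.filename for m in members
                   if m.filename.lower().endswith(EXEC_EXTS)]
    enc_exec = [n for n in executables if n in encrypted]
    return {
        "encrypted": encrypted,
        "executables": executables,
        "encrypted_executables": enc_exec,  # the case reported for exit code 8
        "under_100k": len(data) < SMALL_ZIP,
        # Policy from the first reply: hold any zip that carries an executable.
        "hold": bool(executables),
        "reason": "executable in zip" if executables else "no executable member",
    }


def make_sample(names, encrypted=False) -> bytes:
    """Constructed test input: stored zip, optionally flagged as encrypted.

    Only the header flag is set (the payload is not really encrypted),
    which is all that header inspection looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02")          # central directory entry signature
    while encrypted and pos != -1:
        raw[pos + 8] |= 0x01               # flag field sits at offset 8
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)
```

Sites that must let executables through in zips can keep the same inspection and change only the `hold` rule, for example holding only when `encrypted_executables` is non-empty.
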
RE: [Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread John T (Lists)
I am using viruscode 8 and it is not blocking password protected zips. I
think like Markus said it is looking for a combination of a password
protected zip, an executable and the phrase he listed.

Markus, did that attachment have an executable within the zip file?

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Matt
> Sent: Tuesday, January 31, 2006 10:02 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] F-prot exit code 8 and body content
>
> Markus,
>
> I believe that this is something that several of us railed against and
> tried to get F-Prot to change.  Formerly no known viruses would be
> tagged with an exit code of 8, but then they suddenly started tagging
> some known viruses this way, essentially requiring us to add that code
> in for detection.  The downside of this is that this exit code also
> blocks things like encrypted zips.  It was a real shame.
>
> It's worth checking to see if F-Prot is tagging more recent known
> viruses with exit code 8 because if they are no longer doing this, I
> would assume that turning it off would be wise so long as you had two
> virus scanners running.
>
> Note that I'm not dismissing your primary intention of pointing out the
> FP issue with virus scanning and a way to deal with it.
>
> Matt
>
>
>
> Markus Gufler wrote:
>
> >Today I've had a message held as a false positive ("unknown virus"
> >exit code 8)
> >
> >F-Prot seems to end with this exit code if a password protected zip
> >file is attached and the body contains something like
> >
> >"password: ."
> >
> >This message was definitively no false positive and so I requeued it.
> >
> >I've noted it due to the low number of postmaster virus warnings I receive
> >because they are sent to me only if the detected virus is not a forging
> >one.
> >Fortunately this legit message wasn't deleted from the virus folder
> >among thousands of unwanted Netskys and Sobers.
> >
> >Markus
> >

Re: [Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread Matt

Markus,

I believe that this is something that several of us railed against and 
tried to get F-Prot to change.  Formerly no known viruses would be 
tagged with an exit code of 8, but then they suddenly started tagging 
some known viruses this way, essentially requiring us to add that code 
in for detection.  The downside of this is that this exit code also 
blocks things like encrypted zips.  It was a real shame.


It's worth checking to see if F-Prot is tagging more recent known 
viruses with exit code 8 because if they are no longer doing this, I 
would assume that turning it off would be wise so long as you had two 
virus scanners running.


Note that I'm not dismissing your primary intention of pointing out the 
FP issue with virus scanning and a way to deal with it.


Matt



Markus Gufler wrote:


Today I've had a message held as a false positive ("unknown virus" exit code
8)

F-Prot seems to end with this exit code if a password protected zip file
is attached and the body contains something like

"password: ."

This message was definitively no false positive and so I requeued it.

I've noted it due to the low number of postmaster virus warnings I receive
because they are sent to me only if the detected virus is not a forging one.
Fortunately this legit message wasn't deleted from the virus folder among
thousands of unwanted Netskys and Sobers.

Markus


[Declude.Virus] F-prot exit code 8 and body content

2006-01-31 Thread Markus Gufler
Today I've had a message held as a false positive ("unknown virus" exit code
8)

F-Prot seems to end with this exit code if a password protected zip file
is attached and the body contains something like

"password: ."

This message was definitively no false positive and so I requeued it.

I've noted it due to the low number of postmaster virus warnings I receive
because they are sent to me only if the detected virus is not a forging one.
Fortunately this legit message wasn't deleted from the virus folder among
thousands of unwanted Netskys and Sobers.

Markus
