RE: [Declude.Virus] GDI false Postive
Is there a way for Declude to stop checking for the GDI Vulnerability and rely on F-Prot? I went to 1.8 and we found that MANY JPG photos were being caught as false positives.

Mark Smith

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.

RE: [Declude.Virus] GDI false Postive
> Can we advise anyone sending pictures from a MAC to zip them? Change the extension? Would either solution bypass the scanning?

Changing the extension or zipping them would bypass the scanning.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

RE: [Declude.Virus] GDI false Postive
When you release next fix, can you add the ability to disable this test from inside of declude and rely on the AV software? It killed our photos department yesterday... :)

Mark Smith
Associated Press

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, September 30, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] GDI false Postive

> Is there a way for Declude to stop checking for the GDI Vulnerability and rely on F-Prot?

Yes, you can go back to 1.79.

-Scott

RE: [Declude.Virus] GDI false Postive
> When you release next fix, can you add the ability to disable this test from inside of declude and rely on the AV software?

We probably will, but there should be no legitimate reason for JPEGs to contain the exploit. The issue is that Microsoft's algorithm for detecting them was bad. Our algorithm should be perfect.

-Scott

Re: [Declude.Virus] GDI false Postive
Scott,

Any idea on ETA for the new algorithm? Also, will this be an interim, release, or beta?

Jim Matuska Jr.
Computer Tech II CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 30, 2004 10:21 AM
Subject: RE: [Declude.Virus] GDI false Postive

> When you release next fix, can you add the ability to disable this test from inside of declude and rely on the AV software?

We probably will, but there should be no legitimate reason for JPEGs to contain the exploit. The issue is that Microsoft's algorithm for detecting them was bad. Our algorithm should be perfect.

-Scott

Re: [Declude.Virus] GDI false Postive
How about adding per domain too.. for the pro..

ie, in virus_domains.txt do: DOMAINON / OFF / INONLY / OUTONLY

ADD: DOMAIN FILEX.CFG

and in x.cfg have the standard: Skipext, Banext, Prescan, Ban Options, Footer, Delivererrors, Delete options, which overwrite the standard settings in virus.cfg just for that domain.

I am tearing my hair out trying to block all attachments for a single domain. without doing funky filters.

> > When you release next fix, can you add the ability to disable this test from inside of declude and rely on the AV software?
>
> We probably will, but there should be no legitimate reason for JPEGs to contain the exploit. The issue is that Microsoft's algorithm for detecting them was bad. Our algorithm should be perfect.
>
> -Scott

---
This email has been scanned for possible viruses by Declude Antivirus. For more information on Declude Antivirus, Visit www.declude.com

Re: [Declude.Virus] GDI false Postive
> How about adding per domain too.. for the pro.. DOMAIN FILEX.CFG and in x.cfg have the standard: Skipext, Banext, Prescan, Ban Options, Footer, Delivererrors, Delete options, which overwrite the standard settings in virus.cfg just for that domain.

We do have enhanced per-user/per-domain options in the suggestion database.

-Scott

Re: [Declude.Virus] GDI false Postive
R. Scott Perry wrote:

> We probably will, but there should be no legitimate reason for JPEGs to contain the exploit. The issue is that Microsoft's algorithm for detecting them was bad. Our algorithm should be perfect.

If you provided a switch for all such vulnerabilities, then we wouldn't have to downgrade to fix another issue if it appeared, and of course we would have the granularity that we desire in our systems as far as vulnerability detection goes. This really must happen, and I have been waiting very patiently for it to happen for quite some time, and I will continue to wait patiently since I don't expect miracles to happen overnight, but I would really, really appreciate it if you could raise the priority of when to allow us to turn these all off and on individually.

Thanks,

Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [Declude.Virus] GDI false Postive
And not to upset anyone, how long does it take it to make it to production or beta? I noticed this has been in the Suggestion Database for almost two years.

---
From: R. Scott Perry
Subject: Re: [Declude.Virus] Customized Footer for domain
Date: Thu, 19 Dec 2002 15:40:28 -0800

> Thanks for the aid on other question. We currently have the virus footer disabled, but I have one client who would like a footer added to his email that it was scanned for viruses. Is there a way to do this except globally in the virus.cfg file? Again, thank you.

Unfortunately, there isn't any way to do it except globally. However, having footers configurable per domain is already in the suggestion database.

-Scott

--
William Stillwell
Palm Harbor, FL.

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 30, 2004 4:41 PM
Subject: Re: [Declude.Virus] GDI false Postive

> How about adding per domain too.. for the pro.. DOMAIN FILEX.CFG and in x.cfg have the standard: Skipext, Banext, Prescan, Ban Options, Footer, Delivererrors, Delete options, which overwrite the standard settings in virus.cfg just for that domain.

We do have enhanced per-user/per-domain options in the suggestion database.

-Scott

Re: [Declude.Virus] GDI false Postive
> And not to upset anyone, how long does it take it to make it to production or beta? I noticed this has been in the Suggestion Database for almost two years.

It is important to realize that the suggestion database is not a list of features for the next release. It is as the name implies -- a database of suggestions that have been reported by customers. So saying that it is already in the suggestion database simply means that it has been requested in the past, and will be considered for future releases.

Whether or not it makes it to a future release depends on many factors -- the amount of development time allotted to the new release, how many customers will benefit from it, how long it would take to add the feature, etc.

In this case, it is a feature that would likely require a lot of work. On the other hand, it is something that a number of customers have requested.

-Scott

Re: [Declude.Virus] GDI false Postive
Is there a test yet? I would really like to know if we are at least protected by email.

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 30, 2004 2:21 PM
Subject: Re: [Declude.Virus] GDI false Postive

> And not to upset anyone, how long does it take it to make it to production or beta? I noticed this has been in the Suggestion Database for almost two years.

It is important to realize that the suggestion database is not a list of features for the next release. It is as the name implies -- a database of suggestions that have been reported by customers. So saying that it is already in the suggestion database simply means that it has been requested in the past, and will be considered for future releases.

Whether or not it makes it to a future release depends on many factors -- the amount of development time allotted to the new release, how many customers will benefit from it, how long it would take to add the feature, etc.

In this case, it is a feature that would likely require a lot of work. On the other hand, it is something that a number of customers have requested.

-Scott

[Declude.Virus] GDI false Postive
I had a JPG held by declude as:

X-Declude-Virus: Detected [Microsoft GDIPlus.DLL JPEG Vulnerability].

However, this was a JPG sent from one of my users to another. I seriously doubt it was infected with anything. The only thing was that it was sent from a MAC.

User-Agent: Microsoft-Entourage/10.1.0.2006

Does he need to update his version? Or is it something else?

Marc

---
[This E-mail scanned for viruses by Declude Virus]

Re: [Declude.Virus] GDI false Postive
> I had a JPG held by declude as:
>
> X-Declude-Virus: Detected [Microsoft GDIPlus.DLL JPEG Vulnerability].
>
> However, this was a JPG sent from one of my users to another. I seriously doubt it was infected with anything. The only thing was that it was sent from a MAC.
>
> User-Agent: Microsoft-Entourage/10.1.0.2006
>
> Does he need to update his version? Or is it something else?

The problem is that Microsoft decided not to give out any information on how to detect the exploit. The person that discovered the exploit, however, provided details on how the exploit could be detected. There was, unfortunately, a flaw in the detection method, causing occasional false positives (in our tests, about 1 in 1,000 legitimate JPEG files was getting caught as a result).

We are planning to change the detection code to use our own (more complex) method.

-Scott

RE: [Declude.Virus] GDI false Postive
> I had a JPG held by declude as:
>
> X-Declude-Virus: Detected [Microsoft GDIPlus.DLL JPEG Vulnerability].
>
> However, this was a JPG sent from one of my users to another. I seriously doubt it was infected with anything. The only thing was that it was sent from a MAC.

After looking in the logfiles I can see a lot of GDIPlus.DLL-vulnerabilities where sender and recipient are well known to me and I also have serious doubts that these are all real vulnerabilities.

Some of them I know are using MAC's. Other lines in the logfile show GDIPlus-Errors with recipients working as graphic designers (and so are using also MAC's).

Anyone having a MAC and using v1.80 to verify this?

Markus

RE: [Declude.Virus] GDI false Postive
For example there is a message showing up in the logfile as

09/29/2004 16:02:55 Qc07307e2007404eb [Microsoft GDIPlus.DLL JPEG Vulnerability]
09/29/2004 16:02:55 Qc07307e2007404eb [Microsoft GDIPlus.DLL JPEG Vulnerability]
09/29/2004 16:02:55 Qc07307e2007404eb [Microsoft GDIPlus.DLL JPEG Vulnerability]
09/29/2004 16:02:56 Qc07307e2007404eb Found a bogus .jpg file
09/29/2004 16:02:56 Qc07307e2007404eb Found a bogus .jpg file
09/29/2004 16:02:56 Qc07307e2007404eb Found a bogus .jpg file
09/29/2004 16:02:56 Qc07307e2007404eb File(s) are INFECTED [[Microsoft GDIPlus.DLL JPEG Vulnerability]: 0]
09/29/2004 16:02:56 Qc07307e2007404eb Scanned: CONTAINS A VIRUS [MIME: 10 2230347]
09/29/2004 16:02:56 Qc07307e2007404eb From:xx To: x [incoming from x.x.x.x]
09/29/2004 16:02:56 Qc07307e2007404eb Subject: xx

What Attacker would use 2 MB images? (or at least 3 images each one having 700 kByte)

Markus

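The log review described in the message above can be automated. This is an added example, not part of the thread and not Declude's own tooling: it groups log lines by queue ID and lists the messages held solely by the GDIPlus test, which is the set to review for false positives. The function names are hypothetical, the second number in `[MIME: …]` is assumed to be the message size in bytes, and the two `Qconstructed…` messages are constructed sample data.

```python
import re
from collections import Counter

GDI_NAME = "Microsoft GDIPlus.DLL JPEG Vulnerability"

# Line shape as in the excerpt above: date, time, queue ID, free text.
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (\S+) (.*)$")
HIT_RE = re.compile(r"^\[(.+)\]$")                 # one line per flagged file
VERDICT_RE = re.compile(r"^File\(s\) are INFECTED \[\[(.+?)\]: \d+\]$")
MIME_RE = re.compile(r"\[MIME: \d+ (\d+)\]")       # assumption: 2nd number = bytes
FROM_RE = re.compile(r"^From:\s*(\S+) To:\s*(\S+)")

# First message: lines from the excerpt in the thread (already redacted there).
# Qconstructed0001 / Qconstructed0002: constructed for this example.
SAMPLE_LOG = """\
09/29/2004 16:02:55 Qc07307e2007404eb [Microsoft GDIPlus.DLL JPEG Vulnerability]
09/29/2004 16:02:55 Qc07307e2007404eb [Microsoft GDIPlus.DLL JPEG Vulnerability]
09/29/2004 16:02:55 Qc07307e2007404eb [Microsoft GDIPlus.DLL JPEG Vulnerability]
09/29/2004 16:02:56 Qc07307e2007404eb Found a bogus .jpg file
09/29/2004 16:02:56 Qc07307e2007404eb Found a bogus .jpg file
09/29/2004 16:02:56 Qc07307e2007404eb Found a bogus .jpg file
09/29/2004 16:02:56 Qc07307e2007404eb File(s) are INFECTED [[Microsoft GDIPlus.DLL JPEG Vulnerability]: 0]
09/29/2004 16:02:56 Qc07307e2007404eb Scanned: CONTAINS A VIRUS [MIME: 10 2230347]
09/29/2004 16:02:56 Qc07307e2007404eb From:xx To: x [incoming from x.x.x.x]
09/29/2004 16:05:10 Qconstructed0001 [Microsoft GDIPlus.DLL JPEG Vulnerability]
09/29/2004 16:05:10 Qconstructed0001 File(s) are INFECTED [[Microsoft GDIPlus.DLL JPEG Vulnerability]: 0]
09/29/2004 16:05:10 Qconstructed0001 Scanned: CONTAINS A VIRUS [MIME: 2 41200]
09/29/2004 16:05:10 Qconstructed0001 From:designer@example.com To: editor@example.com [incoming from 192.0.2.10]
09/29/2004 16:07:31 Qconstructed0002 [Constructed Test Name]
09/29/2004 16:07:31 Qconstructed0002 File(s) are INFECTED [[Constructed Test Name]: 0]
"""

def summarize(log_text):
    """Group log lines by queue ID and collect what was detected per message."""
    msgs = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the expected shape; ignore
        qid, text = m.groups()
        rec = msgs.setdefault(qid, {"hits": Counter(), "bogus_jpg": 0, "verdict": None,
                                    "size": None, "sender": None, "recipient": None})
        if (v := VERDICT_RE.match(text)):
            rec["verdict"] = v.group(1)
        elif (h := HIT_RE.match(text)):
            rec["hits"][h.group(1)] += 1
        elif text == "Found a bogus .jpg file":
            rec["bogus_jpg"] += 1
        elif (s := MIME_RE.search(text)):
            rec["size"] = int(s.group(1))
        elif (f := FROM_RE.match(text)):
            rec["sender"], rec["recipient"] = f.groups()
    return msgs

def vulnerability_only(msgs):
    """Queue IDs held solely by the GDIPlus test: the false-positive review queue."""
    return sorted(q for q, r in msgs.items()
                  if r["verdict"] == GDI_NAME and set(r["hits"]) <= {GDI_NAME})

if __name__ == "__main__":
    msgs = summarize(SAMPLE_LOG)
    for qid in vulnerability_only(msgs):
        r = msgs[qid]
        print(qid, r["hits"][GDI_NAME], "file(s),", r["size"], "bytes,", r["sender"], "->", r["recipient"])
```
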
RE: [Declude.Virus] GDI false Postive
Thanks-

Both jpgs held were sent by the same person - a graphic designer using a MAC. If that helps you change the code.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, September 29, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] GDI false Postive

> I had a JPG held by declude as:
>
> X-Declude-Virus: Detected [Microsoft GDIPlus.DLL JPEG Vulnerability].
>
> However, this was a JPG sent from one of my users to another. I seriously doubt it was infected with anything. The only thing was that it was sent from a MAC.
>
> User-Agent: Microsoft-Entourage/10.1.0.2006
>
> Does he need to update his version? Or is it something else?

The problem is that Microsoft decided not to give out any information on how to detect the exploit. The person that discovered the exploit, however, provided details on how the exploit could be detected. There was, unfortunately, a flaw in the detection method, causing occasional false positives (in our tests, about 1 in 1,000 legitimate JPEG files was getting caught as a result).

We are planning to change the detection code to use our own (more complex) method.

-Scott

Re: [Declude.Virus] GDI false Postive
Sent a test message with jpg attached from Macintosh Entourage 11.0.0 (040405) and it was not caught.

Mike