RE: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.
BANEXT EZIP
BANEZIPEXT ON

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Bennie
Sent: Sunday, March 07, 2004 4:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.

> How would you ban encrypted zips...
>
> signed
> Confused (aka Bennie)
>
> ----- Original Message -----
> From: R. Scott Perry [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, March 04, 2004 6:22 PM
> Subject: Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.
>
> > > that is going to be a challenge for scott to incorporate in declude :)
> >
> > It's unlikely that we will do this. It makes for a great marketing gimmick, but won't work in the long term. All it will take is for a virus to say "The password is 1 2 3 4 5" or "The password is 12344 plus 1", and those AV programs will quickly leave the spotlight.
> >
> > > We are an ISP, and for us blocking zips is out of the question.
> >
> > Remember that all AV programs can catch viruses in standard .ZIP files. It's only the encrypted .ZIP files that pose a problem, and it is recommended that people block all encrypted .ZIP files (but allow standard .ZIP files through). That way, extremely few people are inconvenienced, but it would be very hard for a virus to get through.
> >
> > -Scott
> >
> > ---
> > Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
> > Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
> > Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.
I have added

BANEXT EZIP
BANEZIPEXT ON

to my virus.cfg file and tested it. No doubt that the passworded .zip files are not getting through, but normal .zip files are not getting through either. I am getting a little confused (but hey, that's easy for me) about it all now. Is there something else I should or should not be doing?

Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, 8 March 2004 9:21 p.m.
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.

> BANEXT EZIP
> BANEZIPEXT ON
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.
How would you ban encrypted zips...

signed
Confused (aka Bennie)

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 6:22 PM
Subject: Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.

> It's only the encrypted .ZIP files that pose a problem, and it is recommended that people block all encrypted .ZIP files (but allow standard .ZIP files through).
Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.
> the minimum that would be practically usable for us:
>
> 1- Notifications based on banned extension: ONLYSENDIFEXT, SKIPIFEXT

This we hope to add.

> 2- BANEZIPEXT2 independent from BANEXT, as in
>
>    BANEZIPEXT2 exe
>    BANEZIPEXT2 com
>    BANEXT scr
>    BANEZIPEXT ON

This we will likely be adding.

> 3- ONLYSENDIFFORGING

Interesting. We could probably do this, but would need to figure out how to make sure it doesn't get mis-used.

> Also, request for 2 cross-product features:
>
> 1- REVDNS for %REMOTEIP% in virus

This is something that we have been considering for quite some time now.

> 2- Test on attachment type in JM

This is an interesting idea. That will happen if we add full MIME support to Declude JunkMail, but in the meantime it might be possible to add for people who are running both products.

-Scott
Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.
I do believe that JunkMail Pro can be used to look at the base64 code of the message, and if you can pull the proper header out, you can tag the attachment type. This is what I was looking to do when I was asking for someone to send me a copy of the virus early on; apparently there is a one character difference between normal zips and password protected ones.

Matt

R. Scott Perry wrote:
> > That is exactly why I suggested scanning for file types instead of extension. I think Scott mentioned that they need to include full MIME decoding before something like that would be possible. Scott, how feasible is this idea for inclusion?
>
> I'm not sure exactly what the idea is. Some of the ideas suggested are already available (such as scanning all attachments, regardless of extension). For Declude Virus, there is no issue of MIME decoding -- Declude Virus completely MIME decodes each E-mail.
>
> We can attempt to determine the file type without looking at the extension, and should be able to accurately detect most .EXEs, and all .ZIP files. But it would still not be possible to accurately detect batch files, scripts, etc. (without a huge amount of resources being used to create the test and use it).
>
> However, if we *do* do that (as was the case with 1.78i7 and .ZIP files, where it would detect them regardless of extension), it poses a problem: Most people right now want to be able to send .ZIP files. There would need to be many options set up to implement something like this.
>
> -Scott

-- 
= MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.
> By detecting the file type instead of just the extension, and allowing configurable actions based on detected filetype, we could avoid future viruses that ask the user to rename the file upon receipt.

But that prevents people from doing the same for good purposes, too. So you can no longer say "If you rename the .exe file to .xex, it will go through OK."

FWIW, though, we do have some code already written for detection of certain file types (actually, most of the code is backwards, checking to see if a file type is really what the extension claims to be). So it may not be that difficult to add.

-Scott
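Two points in this exchange lend themselves to a worked check: Scott's recommendation to let standard .ZIP files through but block encrypted ones, and Matt's remark that a password-protected ZIP differs from a normal one by a single character (that character is the low byte of the general purpose bit flag, whose bit 0 marks an encrypted entry). The Python below is an added example, not Declude code or anything posted to the list: it identifies an attachment's type from its leading bytes rather than its filename, then reads the flag word from the ZIP central directory to separate encrypted archives from plain ones. The sample archives are constructed in memory, with the flag bit set by hand to stand in for a password-protected file.

```python
import io
import struct
import zipfile

CDIR_FMT = "<4sHHHHHHIIIHHHHHII"  # central directory file header, 46 bytes
FLAG_ENCRYPTED = 0x0001           # bit 0 of the general purpose bit flag

def sniff_type(data: bytes) -> str:
    """Classify by content, ignoring whatever extension the filename claims."""
    if data[:2] == b"MZ":
        return "exe"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    return "unknown"

def central_directory(data: bytes):
    """Yield (flags, flags_offset, local_header_offset) for each archive entry."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, pos = struct.unpack_from("<H4xI", data, eocd + 10)  # entry count, CD offset
    for _ in range(count):
        f = struct.unpack_from(CDIR_FMT, data, pos)
        if f[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        yield f[3], pos + 8, f[16]         # flag word sits at byte 8 of the entry
        pos += 46 + f[10] + f[11] + f[12]  # fixed header + name + extra + comment

def has_encrypted_entry(data: bytes) -> bool:
    return any(flags & FLAG_ENCRYPTED for flags, _, _ in central_directory(data))

def decide(filename: str, data: bytes) -> str:
    # Verdict for one attachment; the filename is reported, never trusted.
    kind = sniff_type(data)
    if kind == "exe":
        return "ban: executable content in %s" % filename
    if kind == "zip":
        return "ban: encrypted zip" if has_encrypted_entry(data) else "allow: plain zip"
    return "allow: " + kind

def make_zip(encrypted: bool) -> bytes:
    """Constructed sample archive; set bit 0 in both flag copies to mimic encryption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        for _, cd_flag_pos, local_off in central_directory(bytes(data)):
            data[cd_flag_pos] |= FLAG_ENCRYPTED   # central directory copy
            data[local_off + 6] |= FLAG_ENCRYPTED  # local file header copy
    return bytes(data)
```

A production filter should also read the flag word at byte 6 of each local file header, since the two copies can disagree and unpackers differ in which one they honour. Any archive where the copies conflict is better treated as suspect than as plain.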
Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.
Scott,

The minimum that would be practically usable for us:

1- Notifications based on banned extension: ONLYSENDIFEXT, SKIPIFEXT

AND

2- BANEZIPEXT2 independent from BANEXT, as in

   BANEZIPEXT2 exe
   BANEZIPEXT2 com
   BANEXT scr
   BANEZIPEXT ON

AND

3- ONLYSENDIFFORGING

Also, request for 2 cross-product features:

1- REVDNS for %REMOTEIP% in virus
2- Test on attachment type in JM

I know you are currently overwhelmed in this Bagle issue, but at least let me know if you are willing to consider adding these features to your todo list.

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 11:22 PM
Subject: Re: [Declude.Virus] Bagle.J / news.com article on AV software opening zipped files.