RE: [Declude.Virus] Blocked Extension getting through
Any solution yet?

Hermann Straßner

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Wednesday, December 15, 2004 6:59 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Blocked Extension getting through
>
> >I hope that what you're assuming is NOT true. Given that Declude Virus
> >unpacks all of the attachments and calls your antivirus scanner(s) on
> >the unpacked attachments, I would expect that the BAN option takes
> >effect based on that MIME decoding, so that it sees the correct
> >filename.
>
> The problem here is that the filename is encoded using a very unusual
> format -- we are currently investigating this.
>
> The files will get caught by a virus scanner, but the banned file
> extensions may not work as expected.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> This outgoing message is guaranteed to be authentic by Message Level users.
> Guarantee the authenticity of your email @ http://www.messagelevel.com.
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". The archives can be found
> at http://www.mail-archive.com.
RE: [Declude.Virus] Blocked Extension getting through
>I hope that what you're assuming is NOT true. Given that Declude Virus
>unpacks all of the attachments and calls your antivirus scanner(s) on
>the unpacked attachments, I would expect that the BAN option takes
>effect based on that MIME decoding, so that it sees the correct
>filename.

The problem here is that the filename is encoded using a very unusual format -- we are currently investigating this.

The files will get caught by a virus scanner, but the banned file extensions may not work as expected.

-Scott
RE: [Declude.Virus] Blocked Extension getting through
Hermann, since we're not seeing a response in this list, I'd suggest that you directly contact [EMAIL PROTECTED] about this.

I hope that what you're assuming is NOT true. Given that Declude Virus unpacks all of the attachments and calls your antivirus scanner(s) on the unpacked attachments, I would expect that the BAN option takes effect based on that MIME decoding, so that it sees the correct filename.

If you do get an official answer, please let us know.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hermann Strassner
Sent: Wednesday, December 15, 2004 5:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Blocked Extension getting through

What do you want me to do?
I still have BANEXT CHM in my virus.cfg, and I successfully block .chm attachments.
Here it is not working because of the "encryption" of the filename, as you can see in the mail.

I show you the virus logfile:

vir1215.log: 12/15/2004 04:06:29 Qaa3414bd035a6555 MIME file: =?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?==?koi8-r?B?aG0=?= [base64; Length=33018 Checksum=3232477]
vir1215.log: 12/15/2004 04:06:29 Qaa3414bd035a6555 Scanned: Virus Free [MIME: 2 33569]

Hermann

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
> Sent: Wednesday, December 15, 2004 2:00 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Blocked Extension getting through
>
> BANEXT CHM
>
> - Original Message -
> From: "Hermann Strassner" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 15, 2004 4:12 AM
> Subject: [Declude.Virus] Blocked Extension getting through
>
> > Hello!
> >
> > I have blocked a few extensions in Declude Virus, e.g. zip, exe, bat,
> > scr, pif, chm and a few others. Normally that works.
> >
> > But since a few days some mails (with virus) are getting through.
> > They have an attachment like Rechnung18745514.chm, it is displayed as
> > Rechnung18745514.chm in Outlook or other mail clients, but in virus scan
> > or in raw mail format its name is:
> >
> > 86BA342CB7A4
> > Content-Type: CHEMICAL/X-CS-CHEMDRAW;
> >  name="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
> >  =?koi8-r?B?aG0=?="
> > Content-transfer-encoding: base64
> > Content-Disposition: attachment;
> >  filename="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
> >  =?koi8-r?B?aG0=?="
> >
> > What can I do to block this? This is a new worm yet not detected from
> > virus scanners. This happens often. But this mails are blocked by
> > extension filtering. Now they are getting through to the clients.
> >
> > Hermann
> >
> > ---
> > This email has been scanned for possible viruses by Declude Antivirus.
> > For more information on Declude Antivirus, Visit www.declude.com
RE: [Declude.Virus] Blocked Extension getting through
What do you want me to do?
I still have BANEXT CHM in my virus.cfg, and I successfully block .chm attachments.
Here it is not working because of the "encryption" of the filename, as you can see in the mail.

I show you the virus logfile:

vir1215.log: 12/15/2004 04:06:29 Qaa3414bd035a6555 MIME file: =?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?==?koi8-r?B?aG0=?= [base64; Length=33018 Checksum=3232477]
vir1215.log: 12/15/2004 04:06:29 Qaa3414bd035a6555 Scanned: Virus Free [MIME: 2 33569]

Hermann

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
> Sent: Wednesday, December 15, 2004 2:00 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Blocked Extension getting through
>
> BANEXT CHM
>
> - Original Message -
> From: "Hermann Strassner" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 15, 2004 4:12 AM
> Subject: [Declude.Virus] Blocked Extension getting through
>
> > Hello!
> >
> > I have blocked a few extensions in Declude Virus, e.g. zip, exe, bat,
> > scr, pif, chm and a few others. Normally that works.
> >
> > But since a few days some mails (with virus) are getting through.
> > They have an attachment like Rechnung18745514.chm, it is displayed as
> > Rechnung18745514.chm in Outlook or other mail clients, but in virus scan
> > or in raw mail format its name is:
> >
> > 86BA342CB7A4
> > Content-Type: CHEMICAL/X-CS-CHEMDRAW;
> >  name="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
> >  =?koi8-r?B?aG0=?="
> > Content-transfer-encoding: base64
> > Content-Disposition: attachment;
> >  filename="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
> >  =?koi8-r?B?aG0=?="
> >
> > What can I do to block this? This is a new worm yet not detected from
> > virus scanners. This happens often. But this mails are blocked by
> > extension filtering. Now they are getting through to the clients.
> >
> > Hermann
Re: [Declude.Virus] Blocked Extension getting through
BANEXT CHM

- Original Message -
From: "Hermann Strassner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 15, 2004 4:12 AM
Subject: [Declude.Virus] Blocked Extension getting through

> Hello!
>
> I have blocked a few extensions in Declude Virus, e.g. zip, exe, bat,
> scr, pif, chm and a few others. Normally that works.
>
> But since a few days some mails (with virus) are getting through.
> They have an attachment like Rechnung18745514.chm, it is displayed as
> Rechnung18745514.chm in Outlook or other mail clients, but in virus scan
> or in raw mail format its name is:
>
> 86BA342CB7A4
> Content-Type: CHEMICAL/X-CS-CHEMDRAW;
>  name="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
>  =?koi8-r?B?aG0=?="
> Content-transfer-encoding: base64
> Content-Disposition: attachment;
>  filename="=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=
>  =?koi8-r?B?aG0=?="
>
> What can I do to block this? This is a new worm yet not detected from
> virus scanners. This happens often. But this mails are blocked by
> extension filtering. Now they are getting through to the clients.
>
> Hermann
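
Added example, not part of the original thread and not Declude's code: the filename in the post is two RFC 2047 encoded-words, and the extension only appears once both are decoded and joined. The sketch assumes a filter that compares the undecoded string (`naive_is_banned`) and contrasts it with a check on the decoded name; all function names are hypothetical.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?B-or-Q?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
BANNED_EXTENSIONS = {"zip", "exe", "bat", "scr", "pif", "chm"}  # list from the post

# Parameter value from the post (folded across two lines) and the
# form written to vir1215.log (no whitespace between the two words).
HEADER_VALUE = '"=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?=\r\n =?koi8-r?B?aG0=?="'
LOG_VALUE = "=?koi8-r?B?UmVjaG51bmcxODc0NTUxNC5j?==?koi8-r?B?aG0=?="


def decode_filename(raw):
    """Decode every encoded-word in a name=/filename= value and join them."""
    raw = raw.strip().strip('"')
    out, pos, prev_encoded = [], 0, False
    for m in ENCODED_WORD.finditer(raw):
        gap = raw[pos:m.start()]
        # Whitespace (including folding) between adjacent encoded-words is dropped.
        if not (prev_encoded and gap.strip() == ""):
            out.append(gap)
        charset, enc, text = m.groups()
        try:
            if enc.upper() == "B":
                data = base64.b64decode(text, validate=True)
            else:
                data = quopri.decodestring(text.encode("ascii"), header=True)
            out.append(data.decode(charset, errors="replace"))
            prev_encoded = True
        except (ValueError, LookupError):  # bad base64 or unknown charset
            out.append(m.group(0))         # keep the raw token visible
            prev_encoded = False
        pos = m.end()
    out.append(raw[pos:])
    return "".join(out)


def extension_of(name):
    # Trailing dots and spaces are trimmed before taking the extension.
    name = name.rstrip(". ")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def naive_is_banned(raw):
    """Extension test on the undecoded string (assumed raw-name matcher)."""
    return extension_of(raw.strip().strip('"')) in BANNED_EXTENSIONS


def is_banned(raw):
    """Extension test after RFC 2047 decoding, as the mail client shows it."""
    return extension_of(decode_filename(raw)) in BANNED_EXTENSIONS
```

The first encoded-word decodes to `Rechnung18745514.c` and the second to `hm`, so neither the raw value nor either word on its own contains `.chm`.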