RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread marc
Installed Declude Virus 1.80 (restarted IMail SMTP) and sent the infected 
JPEG jpegcompoc.zip (http://www.gulftech.org/?node=downloads); it was not 
automatically detected and goes through, using F-Prot 3.15B, updated.

virus.cfg:
SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 
/NOBOOT /DUMB /REPORT=report.txt

# SKIPEXT GIF
# SKIPEXT JPG
SKIPEXT TXT
SKIPEXT MPG
SKIPEXT PNG
A desktop F-Prot 3.15B (same version and updates) detects the JPEG 
exploit. Any ideas?

marc
At 23:31 27.09.2004, you wrote:
Same here.  Is there a way to make f-prot w\Declude catch these?
The latest release of Declude Virus will automatically detect the 
GDIPlus.dll JPEG exploit.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.
[Scanned for viruses by Declude Virus]



Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Info Wind
Dear Marc,

Where did you get the DOS scanner for F-Prot? On the F-Prot page there is
still only version 3.15A available.

Bye,
Uwe



Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Matt
Could it be that the vulnerability detection doesn't work when enclosed 
in a zip file?  That might be too big of a leap for Declude at the 
moment.  I just tested the same and Declude missed it when zipped, 
F-Prot gave an error 8 which is a heuristic hit, and McAfee did in fact 
tag the virus without the /PANALYZE switch that Scott Fisher suggested 
might be required yesterday.

Maybe F-Prot is tagging this example file in heuristics because it isn't 
really a virus, and real viruses will get blocked with the normal result 
code once detected???  Here's my current F-Prot config, but note that 
there are some new switches that I haven't made use of and there has 
been little discussion about here:

C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOBOOT /NOMEM /ARCHIVE=5 
/PACKED /DUMB /REPORT=report.txt

I noted that Scott posted about the first JPG virus being in the wild, 
but I believe that this is actually just the one isolated to the 
newsgroups at the moment, and the real trouble will probably not arrive 
for another 24 to 72 hours.

---Note to Scott---
Scott, please consider allowing us to specify the file types that are 
within encrypted archives instead of just relying on the list of banned 
extensions.  It seems fairly certain that this virus will be released 
within an encrypted zip and as things stand, my system isn't protected 
under the BANEZIPEXTS  ON setting, and this setting will become 
completely useless once one is released this way since we aren't going 
to add JPG's to our list of banned extensions, but I would certainly add 
it to a list of banned EZIP's instead of being forced to block all 
EZIP's.  If you don't allow for this, you ought to retire the 
BANEZIPEXTS functionality once this becomes reality, but I would prefer 
to be a step ahead on something this obvious.

Thanks,
Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Markus Gufler

Thank you Matt, now I have to write much less :-)
I've tested with F-prot and Mcafee on our server and can see exactly the
same results as reported by Matt.

Markus






RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread marc
Uwe is right: http://www.f-prot.com/news/gen_news/040924_release_all.html
New versions of F-Prot Antivirus for Exchange and of F-Prot Antivirus for 
DOS will be released in the next few days.

3.15B is just the Windows upgrade.
But I understand that the new release of Declude Virus will automatically 
detect the JPEG exploit!?

marc
At 14:18 28.09.2004, you wrote:
Hi Uwe:

I am not sure where you are seeing 3.15A; I downloaded the B version last week
by logging into our account on the F-Prot site.

Kami 



RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Nick
On 27 Sep 2004 at 17:31, R. Scott Perry wrote:

 The latest release of Declude Virus will automatically detect the
 GDIPlus.dll JPEG exploit.

How can I confirm this? When I send myself the exploit I do not 
receive the email (good), but in my virus logs all I see is 'error 
in scannerx' and nothing in the Declude log file.

This is with v180

-Nick Hayer



Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Matt




Yes, I doubt that in the early examples there will be a need to do
anything but pump out automatically executing E-mails with bogus
JPG's. Over time, infected JPG's might very well become a standard
method of infection, along with all of the various forms which may
include infected JPG's within encrypted zips. If I was a virus writer
and opportunity was becoming more limited by E-mail virus scanners, I
would look to include this method. I believe it will happen eventually.

BTW, you forgot to mention the possibility of a Code Red type of
exploit where a worm crawls from server to server and installs its
automatically infecting payload on the sites that it infects. With
most desktop virus scanners not bothering with image files as is, a
visit to an infected Web site with an unpatched version could mean
rapid infection. They only need a good method of spreading from server
to server, and there's a new XML exploit that might be prime for this,
but note that I'm not sure if that can be attacked by way of HTTP
connections.

The only caveat here is that it seems that if people have been keeping
up to date with patches, it's possible that things like IE and Outlook
could have been fixed for this flaw for months. Microsoft has been
sneaking out the fix since at least May so it's had some time to
propagate within their products. I don't expect that apps by other
companies will be likely to be host to the infection since they
typically don't handle the files directly from the Internet, and most
of course aren't using Microsoft's code for this. I do a lot of
graphic design work and haven't found a non-MS app yet that had a
vulnerable version of GDI on all of the machines that I own.

Matt



Sanford Whiteman wrote:

 It seems fairly certain that this virus will be released within an
 encrypted zip

Maybe, maybe not. The easiest way to get a payload delivered via
e-mail right now is certainly to just pop a JPEG directly into an HTML
message and rely on unpatched Outlook to render it; remember,
launching a JPEG from an archive may end up launching a full-fledged
photo editor that may not even be a Microsoft product. Another
e-mail-driven infection vector will be messages from "known senders"
with clickable text that simply generates an image/jpeg response
stream for unpatched IE. EZIPs aren't my worry with this one.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]






RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Keith Johnson
I too am seeing this same behavior.  I am running HIGH logging and the 1.80 version.  All 
I see is my scanners detecting it, no extra lines from Declude that it stopped it, 
same behavior under 1.79.  I also wanted to see if there would be any additional aid 
with F-Prot not being able to report the virus correctly due to it yielding an Error 
#8.  Seems there was discussion that the REPORT line changed in the latest 3.15B, 
where it also reports:

REPORT Infection:
REPORT Contains the exploit named

As I understand it, we can only have 1 report line per scanner, is this true?  

Thanks for the aid,

Keith

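An added example (my own code, not Declude's or F-Prot's) of the scanner-result handling discussed in Keith's message above and in Matt's earlier note about error code 8: it accepts both F-Prot 3.15B report phrases instead of a single REPORT line, and lets you choose whether a heuristic exit code counts as a hit. The exit-code meanings beyond 0 and 8, the report.txt layout, the paths and the detection names are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Sequence

# fpcmd.exe exit codes as they appear in this thread: 0 is clean and 8 is a
# heuristic ("suspicious") hit that Declude currently lists as OK. Treating any
# other non-zero code as "consult the report" is my own simplification.
EXIT_CLEAN = 0
EXIT_HEURISTIC = 8

# The two result phrases F-Prot 3.15B writes into report.txt, as quoted by
# Keith. A single REPORT line in virus.cfg can only match one of them.
PATTERN_INFECTION = re.compile(r"Infection:\s*(?P<name>\S.*?)\s*$")
PATTERN_EXPLOIT = re.compile(r"Contains the exploit named\s*(?P<name>\S.*?)\s*$")
ALL_PATTERNS = (PATTERN_INFECTION, PATTERN_EXPLOIT)

# Constructed sample report.txt contents; not real F-Prot output.
REPORT_BOTH = """\
Virus scanning report  -  constructed sample
Program version: 3.15B

C:\\IMAIL\\SPOOL\\D1\\eicar.com  Infection: EICAR_Test_File
C:\\IMAIL\\SPOOL\\D1\\jpegcompoc.zip->jpegcomp.jpg  Contains the exploit named GDI.Exploit.sample
"""

REPORT_EXPLOIT_ONLY = """\
Virus scanning report  -  constructed sample
Program version: 3.15B

C:\\IMAIL\\SPOOL\\D2\\jpegcompoc.zip->jpegcomp.jpg  Contains the exploit named GDI.Exploit.sample
"""


@dataclass
class Verdict:
    infected: bool              # should the message be stopped?
    heuristic: bool             # did the scanner exit with code 8?
    detections: List[str] = field(default_factory=list)
    parse_failed: bool = False  # scanner flagged it but no REPORT pattern matched


def parse_report(report_text: str,
                 patterns: Sequence[re.Pattern] = ALL_PATTERNS) -> List[str]:
    """Return the detection names on every report line matching a configured pattern."""
    names = []
    for line in report_text.splitlines():
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                names.append(match.group("name"))
                break
    return names


def evaluate(exit_code: int, report_text: str,
             patterns: Sequence[re.Pattern] = ALL_PATTERNS,
             heuristic_is_hit: bool = True) -> Verdict:
    """Combine the scanner exit code and report.txt into one verdict.

    heuristic_is_hit=False reproduces the situation the thread describes:
    exit code 8 is "listed as OK", so a file that F-Prot only flags
    heuristically passes unless a REPORT pattern also matches.
    """
    names = parse_report(report_text, patterns)
    heuristic = exit_code == EXIT_HEURISTIC
    if exit_code == EXIT_CLEAN:
        code_says_hit = False
    elif heuristic:
        code_says_hit = heuristic_is_hit
    else:
        code_says_hit = True  # assumption: any other non-zero code is a hit
    return Verdict(
        infected=code_says_hit or bool(names),
        heuristic=heuristic,
        detections=names,
        parse_failed=code_says_hit and not names,  # the "Can't Parse Virus type" case
    )


def main() -> None:
    scenarios = [
        ("both patterns, code 8 counted as a hit",
         evaluate(8, REPORT_EXPLOIT_ONLY)),
        ("Infection: pattern only, code 8 counted as a hit",
         evaluate(8, REPORT_EXPLOIT_ONLY, patterns=(PATTERN_INFECTION,))),
        ("Infection: pattern only, code 8 listed as OK",
         evaluate(8, REPORT_EXPLOIT_ONLY, patterns=(PATTERN_INFECTION,),
                  heuristic_is_hit=False)),
    ]
    for label, verdict in scenarios:
        print(f"{label}: {verdict}")


if __name__ == "__main__":
    main()
```

The third scenario is the one to watch: with a single REPORT pattern and code 8 treated as OK, the zipped sample is neither matched nor counted, so the message passes.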

Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Greg Little
As I recall, IF a virus scanner calls it bad, there is no further checking.
(So, if your AV vendor is doing their job right, you would have to 
disable the AV scanner(s) to test.)

Greg
---
[This E-mail scanned for viruses by Findlay Internet]


Re: [Declude.Virus] Fprot GDI Scanner lines. - slight change of topic multiple scanners

2004-09-28 Thread Nick
On 28 Sep 2004 at 10:43, Greg Little wrote:

Greg,

 As I recall, IF a virus scanner calls it bad, there is no further
 checking.
Is this for an individual scanner or multiple scanners? 

All the scanners run (sic) even if the one before discovers a virus 
on my system. 

-Nick



Re: [Declude.Virus] Fprot GDI Scanner lines. - slight change of topic multiple scanners

2004-09-28 Thread Greg Little




Good catch.
ALL AV scanners will run.
If one or several scanners finds a virus, then I believe the new JPEG
tests in 1.80 will be ignored.
(This would complicate confirmation testing for the new JPEG test.)

Greg



Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Nick
On 28 Sep 2004 at 13:18, Terry Fritts wrote:

Terry - Scott clarified it for me - I was scanning a zip - when the 
regular jpeg comes through I do get a log entry like you do below. 
Now I understand the thread about multiple report lines for a 
scanner...

Regards,

-Nick

Date sent:  Tue, 28 Sep 2004 13:18:15 -0500
From:   Terry Fritts [EMAIL PROTECTED]
Organization:   Smart Business Solutions, Inc.
To: Nick [EMAIL PROTECTED]
Subject:Re: [Declude.Virus] Fprot GDI Scanner lines.
Send reply to:  [EMAIL PROTECTED]

 Here's what I'm seeing (also 1.80):
 
09/28/2004 10:07:56 Q7e4a0ec70222a6ae File(s) are INFECTED
[[Microsoft GDIPlus.DLL JPEG Vulnerability]: 0]
 
 This was a jpg.
 
 
 Terry Fritts
 
 


RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Keith Johnson
Mark,
 What did you use to generate the GDI Exploit test file?  Thanks
 
Keith

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Mark Smith 
Sent: Mon 9/27/2004 1:55 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.



Send a GDI Exploit test file through.
You'll get the error Can't Parse Virus type in the Declude Virus log.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Saturday, September 25, 2004 11:22 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] Fprot GDI Scanner lines.

 - Original Message -
 From: Mark Smith [EMAIL PROTECTED]


  Actually this breaks Declude because Declude Virus can't
 look for multiple
  REPORT lines.
 
  Scott,
  How can we setup Declude Virus to look for multiple lines in the
 report.txt
  file?

 I've been running F-Prot Version 3.15b since it was released
 yesterday and
 have not had to make any changes to my virus config to support the new
 version.  It has been running exactly the way it always has.

 Bill


RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Keith Johnson
Never mind, found a copy of it, just had trouble with the German.  It seems my Inoc 
caught it correctly; however, F-Prot didn't, it gave me an error.  
 
Q6f7408d2006085b0 Scanner 1 reported error code #8, which is listed as OK
09/27/2004 15:52:20 Q6f7408d2006085b0 Scanner 2: Virus= JPEG.MS04-028.Exploit.Trojan 
Attachment=jpegcompoc.zip.ZIP [1] I
09/27/2004 15:52:20 Q6f7408d2006085b0 File(s) are INFECTED [ 
JPEG.MS04-028.Exploit.Trojan: 101]
 
Keith


RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Dave Marchette
Same here. Is there a way to make f-prot w\Declude catch these?








RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread R. Scott Perry

Same here.  Is there a way to make f-prot w\Declude catch these?
The latest release of Declude Virus will automatically detect the 
GDIPlus.dll JPEG exploit.

   -Scott


RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread Andy Schmidt
Which one is considered the latest?

Is that the mysterious latest interim 20 that end-users have announced on
this list?

Or is that the Version 1.80 that end-users have announced on this list?

(If I somehow got unsubscribed from the announcement list then I apologize
for wasting bandwidth.)

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Monday, September 27, 2004 05:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Fprot GDI Scanner lines.
>
> > Same here.  Is there a way to make f-prot w\Declude catch these?
>
> The latest release of Declude Virus will automatically detect the
> GDIPlus.dll JPEG exploit.
>
> -Scott

RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-27 Thread R. Scott Perry

> Which one is considered the latest?

Unless otherwise specified, latest refers to a beta or release.  In this
case, it is specifically the v1.80 release.

> Is that the mysterious latest interim 20 that end-users have announced on
> this list?

There's nothing mysterious about interims.  We do not announce interims, 
but have a URL where people can get them.  Someone found that there was a 
new interim, posted about it, and asked questions about it.  There was 
nothing mysterious about it -- we needed to come out with a new interim, 
did, and made it available for the person who needed it.

Yes, I know there are people who want interims that are more like betas 
(announced and/or documented somehow), but if people want to bring that up, 
they should do so in another thread.  And yes, I know that you know how 
interims work, and that you know there is nothing mysterious about this one 
(in that it was handled exactly the same as interims have been handled for 
several years now).

> Or is that the Version 1.80 that end-users have announced on this list?
> (If I somehow got unsubscribed from the announcement list then I apologize
> for wasting bandwidth.)

It hasn't been announced on the lists yet.  It was decided to have the 
release announced on the website before notifying customers via E-mail.

   -Scott


RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Mark Smith
Actually this breaks Declude because Declude Virus can't look for multiple
REPORT lines.

Scott,
How can we set up Declude Virus to look for multiple lines in the report.txt
file?

Mark

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
> Sent: Saturday, September 25, 2004 2:49 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Fprot GDI Scanner lines.
>
> Just did some testing with the POC and noticed that Fprot now
> is adding a new line to the report.txt:
>
> e:\imail\test\poc.jpg  Contains the exploit named W32/[EMAIL PROTECTED]
>
> So I had to add the line:
>
> REPORT Contains the exploit named
>
> To my virus.cfg file.
>
> My complete setup for F-Prot is now:
>
> SCANFILE  c:\progra~1\fsi\f-prot\FPcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /SERVER /REPORT=report.txt
> VIRUSCODE 3
> VIRUSCODE 6
> VIRUSCODE 8
> REPORT Infection:
> REPORT Contains the exploit named


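To make concrete what the two signals in Mark's virus.cfg amount to, here is an added example (not Declude's or F-Prot's code) that parses a virus.cfg fragment and decides, from the scanner's exit code and the report.txt lines, whether a message gets flagged. The config text, the report.txt lines and the detection name EXPLOIT-NAME-PLACEHOLDER are constructed; how Declude itself evaluates several REPORT entries is not documented on this page, so the "match any REPORT entry" rule is an assumption of the model.

```python
# Added example, not Declude's or F-Prot's code: a model of how a virus.cfg
# SCANFILE/VIRUSCODE/REPORT setup turns one F-Prot run into a verdict.
from dataclasses import dataclass, field

# Constructed virus.cfg fragment mirroring the F-Prot setup in the thread.
VIRUS_CFG = r"""SCANFILE  c:\progra~1\fsi\f-prot\FPcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /SERVER /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
VIRUSCODE 8
REPORT    Infection:
REPORT    Contains the exploit named
"""

# Constructed report.txt: an old-style "Infection:" line, the new exploit line
# from the thread (name replaced by a placeholder), and a clean file.
REPORT_TXT = r"""e:\imail\test\eicar.com  Infection: EICAR_Test_File
e:\imail\test\poc.jpg  Contains the exploit named EXPLOIT-NAME-PLACEHOLDER
e:\imail\test\photo.jpg  is clean
"""

@dataclass
class VirusCfg:
    scanfile: str = ""
    virus_codes: set = field(default_factory=set)        # VIRUSCODE values
    report_patterns: list = field(default_factory=list)  # REPORT substrings

def parse_virus_cfg(text):
    """Collect SCANFILE, VIRUSCODE and REPORT entries; skip blanks and # comments."""
    cfg = VirusCfg()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        if key.upper() == "SCANFILE":
            cfg.scanfile = value
        elif key.upper() == "VIRUSCODE":
            cfg.virus_codes.add(int(value))
        elif key.upper() == "REPORT":
            cfg.report_patterns.append(value)
    return cfg

def find_detections(cfg, report_text):
    """Return (path, detail) for every report line matching ANY REPORT entry."""
    return [tuple(part.strip() for part in line.split("  ", 1))
            for line in report_text.splitlines()
            if any(p in line for p in cfg.report_patterns)]

def is_infected(cfg, exit_code, report_text):
    """Flag on either signal: a VIRUSCODE exit code or a matching REPORT line."""
    return exit_code in cfg.virus_codes or bool(find_detections(cfg, report_text))
```

With only `REPORT Infection:` configured, the poc.jpg line in the constructed report goes unmatched, which is exactly the gap the second REPORT line in Mark's setup closes.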


RE: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Markus Gufler

> My complete setup for F-Prot is now:
>
> SCANFILE  c:\progra~1\fsi\f-prot\FPcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /SERVER /REPORT=report.txt
> VIRUSCODE 3
> VIRUSCODE 6
> VIRUSCODE 8
> REPORT Infection:
> REPORT Contains the exploit named

Thanks for pointing that out.

Markus





Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-25 Thread Bill Landry
- Original Message -
From: Mark Smith [EMAIL PROTECTED]

> Actually this breaks Declude because Declude Virus can't look for multiple
> REPORT lines.
>
> Scott,
> How can we set up Declude Virus to look for multiple lines in the report.txt
> file?

I've been running F-Prot Version 3.15b since it was released yesterday and
have not had to make any changes to my virus config to support the new
version.  It has been running exactly the way it always has.

Bill
