Re: [Declude.Virus] Partial Vulnerability test failures on legitimate email
Thanks for the response!

Randy A.

----- Original Message -----
From: Andy Schmidt
To: declude.virus@declude.com
Sent: Thursday, October 11, 2007 5:14 PM
Subject: RE: [Declude.Virus] Partial Vulnerability test failures on legitimate email

Hi,

Actually, the "Partial/Fragmented Vulnerability" is one that ideally should be left in place. I'm not certain that this test can be circumvented individually - at least it's not on this list: http://www.declude.com/Version/Manuals/EVA/EVA_4.0.8.asp.

Before HTML messages and picture attachments - and consequently support for messages that are many megabytes in size, there was a frequently used option (especially for NNTP newsgroups, if I recall correctly), where an email software would split a message into smaller fragments and then send each fragment as one email. The receiving software would look for the fragments and re-assemble them into a single message.

Since it prevents virus detection at the server level, fragmented messages should no longer be accepted (and, with today's technology and size allowances, there really is no use for it).

I have seen some devices (such as a Ricoh Scanner/Fax/Printer combination) still have the setting to create fragments after xx KB. And even Outlook Express can still generate fragments (see screenshot). However, I've never had trouble explaining to clients (and senders), why this option should remain "off":

Best Regards,
Andy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Randy Armbrecht
Sent: Thursday, October 11, 2007 3:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Partial Vulnerability test failures on legitimate email

Does anyone know which Outlook Vulnerability test to REM out in the virus.cfg to keep the [Partial Vulnerability] test from failing? We are on 4.3.59 and this test is catching a number of legitimate emails recently and I need to turn this test off until the vulnerability test fix is done so I can try it again.

Has MS made updates to Outlook to affect this? This has just started on us about 5 days ago.

Randy A.
Global Web Solutions Inc

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.

Re: [Declude.Virus] Partial Vulnerability test failures on legitimate email
To the best of my knowledge, this has never been exploited by a mass mailing virus, but some people do in fact go into their mail client and check the box to enable this despite it being old-hat. I would recommend leaving it off until the exploits actually occur. It is also possible that virus scanners can detect a virus in a partial message and of course there is spam blocking so it wouldn't mean a complete lack of detection on the server side.

Matt

Andy Schmidt wrote:

> Hi,
>
> Actually, the “Partial/Fragmented Vulnerability” is one that ideally should be left in place. I’m not certain that this test can be circumvented individually – at least it’s not on this list: http://www.declude.com/Version/Manuals/EVA/EVA_4.0.8.asp.
>
> Before HTML messages and picture attachments – and consequently support for messages that are many megabytes in size, there was a frequently used option (especially for NNTP newsgroups, if I recall correctly), where an email software would split a message into smaller fragments and then send each fragment as one email. The receiving software would look for the fragments and re-assemble them into a single message.
>
> Since it prevents virus detection at the server level, fragmented messages should no longer be accepted (and, with today’s technology and size allowances, there really is no use for it).
>
> I have seen some devices (such as a Ricoh Scanner/Fax/Printer combination) still have the setting to create fragments after xx KB. And even Outlook Express can still generate fragments (see screenshot). However, I’ve never had trouble explaining to clients (and senders), why this option should remain “off”:
>
> Best Regards,
> Andy
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Randy Armbrecht
> Sent: Thursday, October 11, 2007 3:45 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] Partial Vulnerability test failures on legitimate email
>
> Does anyone know which Outlook Vulnerability test to REM out in the virus.cfg to keep the [Partial Vulnerability] test from failing? We are on 4.3.59 and this test is catching a number of legitimate emails recently and I need to turn this test off until the vulnerability test fix is done so I can try it again.
>
> Has MS made updates to Outlook to affect this? This has just started on us about 5 days ago.
>
> Randy A.
> Global Web Solutions Inc

RE: [Declude.Virus] Partial Vulnerability test failures on legitimate email
Hi,

Actually, the "Partial/Fragmented Vulnerability" is one that ideally should be left in place. I'm not certain that this test can be circumvented individually - at least it's not on this list: http://www.declude.com/Version/Manuals/EVA/EVA_4.0.8.asp.

Before HTML messages and picture attachments - and consequently support for messages that are many megabytes in size, there was a frequently used option (especially for NNTP newsgroups, if I recall correctly), where an email software would split a message into smaller fragments and then send each fragment as one email. The receiving software would look for the fragments and re-assemble them into a single message.

Since it prevents virus detection at the server level, fragmented messages should no longer be accepted (and, with today's technology and size allowances, there really is no use for it).

I have seen some devices (such as a Ricoh Scanner/Fax/Printer combination) still have the setting to create fragments after xx KB. And even Outlook Express can still generate fragments (see screenshot). However, I've never had trouble explaining to clients (and senders), why this option should remain "off":

Best Regards,
Andy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Randy Armbrecht
Sent: Thursday, October 11, 2007 3:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Partial Vulnerability test failures on legitimate email

Does anyone know which Outlook Vulnerability test to REM out in the virus.cfg to keep the [Partial Vulnerability] test from failing? We are on 4.3.59 and this test is catching a number of legitimate emails recently and I need to turn this test off until the vulnerability test fix is done so I can try it again.

Has MS made updates to Outlook to affect this? This has just started on us about 5 days ago.

Randy A.
Global Web Solutions Inc

Re: [Declude.Virus] [Partial Vulnerability]
Jeff,

I ran into this the other day. Outlook/Outlook Express allows users to "split attachments" over a certain size, and the default size is 60 KB. People tend to turn this on when they run into a limitation and then never turn it off.

You can turn it off in Declude with BANPARTIAL OFF in your Virus.cfg; you can also instruct the sender to disable the message splitting by going to the account properties, last tab in Outlook Express, and have them uncheck the box.

Scott is of course correct that this represents a hole that can be exploited. My take on this is that AV companies should have sufficient definitions in place to detect fragments of an attachment that might use this method of propagation, though I haven't tested that theory because I am not aware of any viruses exploiting the hole if it can be effectively exploited.

A search of my logs showing the last 500,000 or so messages shows one bounce message generated by a misbehaving GroupWise 5.5 server belonging to a client, and then a bunch of legit messages sent by a single person to one of my clients. I turned this off last week, and will probably keep it off until I find evidence of an active exploit that can bypass virus scanning. I am also advising senders to turn off the functionality because the current configuration that allows these through is subject to change without warning.

I suppose that you could also develop a bounce message unique to this vulnerability using ONLYSENDIF that advises the sender about how to turn this off in Outlook/Outlook Express, and possibly other mail clients if supported. I may also take that route.

Matt

Jeff Kratka wrote:

> Scott,
>
> What is the Partial Vulnerability that Declude Virus is picking up? I have a customer asking me why and what and how to fix.
>
> "[Partial Vulnerability] virus in the Unknown File attachment. "
>
> Jeff Kratka
> TymeWyse Internet
> P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
> tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Re: [Declude.Virus] [Partial Vulnerability]
> What is the Partial Vulnerability that Declude Virus is picking up? I have a customer asking me why and what and how to fix.
>
> "[Partial Vulnerability] virus in the Unknown File attachment. "

See http://www.declude.com/virus/vulnerability.htm for details. They are using a *very* outdated option in their mail client that cannot be used anymore.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

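The message splitting discussed in the posts above is sent as MIME `message/partial` entities (RFC 2046). The following Python example is added here for illustration and is not code from the list or from Declude: it shows a scanner missing a marker that is split across two fragments, and a gateway that either refuses fragments outright or holds them until the set can be scanned whole. The `Gateway` class, its `ban_partial` switch, the toy `scan` function and the sample fragments are all constructed for the example.

```python
import base64
from email.parser import HeaderParser

MARKER = b"CONSTRUCTED-TEST-MARKER"  # harmless stand-in for a scanner signature

def build_fragments(msg_id, payload, lines_per_fragment=1):
    """Constructed sample input: one base64 attachment split into
    message/partial fragments, as a client's message-splitting option does."""
    b64 = base64.encodebytes(payload).decode().splitlines(keepends=True)
    chunks = ["".join(b64[i:i + lines_per_fragment])
              for i in range(0, len(b64), lines_per_fragment)]
    chunks[0] = ("Content-Type: application/octet-stream\n"
                 "Content-Transfer-Encoding: base64\n\n" + chunks[0])
    return ["From: sender@example.com\n"
            f'Content-Type: message/partial; id="{msg_id}"; '
            f"number={n}; total={len(chunks)}\n\n{chunk}"
            for n, chunk in enumerate(chunks, 1)]

def scan(entity_text):
    """Toy scanner: decode the entity per its own headers, look for MARKER."""
    part = HeaderParser().parsestr(entity_text)
    return MARKER in (part.get_payload(decode=True) or b"")

def fragment_params(msg):
    """Return (id, number, total) for a message/partial fragment, else None."""
    if msg.get_content_type() != "message/partial":
        return None
    total = msg.get_param("total")  # RFC 2046: required only on the last fragment
    try:
        return (msg.get_param("id"), int(msg.get_param("number")),
                int(total) if total else None)
    except (TypeError, ValueError):
        return (None, None, None)  # malformed fragment headers

class Gateway:
    def __init__(self, ban_partial=True):  # hypothetical policy switch
        self.ban_partial = ban_partial
        self.held = {}  # fragment id -> {"total": int or None, "parts": {n: body}}

    def receive(self, raw):
        msg = HeaderParser().parsestr(raw)
        params = fragment_params(msg)
        if params is None:  # ordinary, unfragmented message
            return "reject: signature" if scan(raw) else "deliver"
        frag_id, number, total = params
        if self.ban_partial or not frag_id or number is None:
            return "reject: partial"
        entry = self.held.setdefault(frag_id, {"total": None, "parts": {}})
        entry["total"] = total or entry["total"]
        entry["parts"][number] = msg.get_payload()
        wanted = set(range(1, (entry["total"] or 0) + 1))
        if not wanted or set(entry["parts"]) != wanted:
            return "hold"  # wait for the rest before scanning
        whole = "".join(entry["parts"][n] for n in sorted(wanted))
        del self.held[frag_id]
        return "reject: signature" if scan(whole) else "deliver reassembled"
```

A production gateway that holds fragments also needs a timeout and a size limit on `held`, which this example leaves out.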
RE: [Declude.Virus] Partial Vulnerability
Do you have the full headers? That will tell you what the actual client is.

For Outlook 2000, a quick search of the MS KB found this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;283184

Tell him to reverse that.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

RE: [Declude.Virus] Partial Vulnerability
Same procedure.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Rooth
Sent: Tuesday, 26 November 2002 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Partial Vulnerability

Going back through her emails I see she is using Outlook Express 5.0 and not Outlook 5.0.

Jim Rooth
KLOTRON,INC.
Office: 817.654.3018.103
Home: 972.606.6341
Mobile: 214.244.0979
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Rooth
Sent: Tuesday, November 26, 2002 08:18
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Partial Vulnerability

Quick question to the group... Does anyone know any settings in Outlook 5 for splitting outgoing emails?

>I am getting one client that is having problems sending emails to
>people. It seems several are coming back with " Partial Vulnerability"
>as the virus name. She is using Outlook 5 as her email. I thought the
>main reason for this is a leading blank space in the subject area.
>
>I told her to look for a patch on Microsoft or a security update. Do
>you have any ideas (dumb question) as to how we can correct this?

It sounds like she was changing settings in Outlook and set it up somehow to split outgoing E-mails into several messages, which can't be done anymore. You might want to try the Declude Virus mailing list to see if someone there knows what setting in Outlook does this.

-Scott

Jim Rooth
KLOTRON,INC.
Office: 817.654.3018.103
Home: 972.606.6341
Mobile: 214.244.0979
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

RE: [Declude.Virus] Partial Vulnerability
>Going back through her emails I see she is using Outlook Express 5.0 and not Outlook 5.0.

Makes more sense now, as I do not believe Outlook will do that. The OE setting is by default to break up messages. Look at the Internet Account Properties Advanced tab.

Oh, and good morning Jim. (BTW, I am not ignoring you, I will answer your question this morning.)

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

RE: [Declude.Virus] Partial Vulnerability
Tools --> Accounts --> "account" --> Properties --> Advanced --> clear the "break messages apart" checkbox

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Rooth
Sent: Tuesday, 26 November 2002 9:18 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Partial Vulnerability

Quick question to the group... Does anyone know any settings in Outlook 5 for splitting outgoing emails?

>I am getting one client that is having problems sending emails to
>people. It seems several are coming back with " Partial Vulnerability"
>as the virus name. She is using Outlook 5 as her email. I thought the
>main reason for this is a leading blank space in the subject area.
>
>I told her to look for a patch on Microsoft or a security update. Do
>you have any ideas (dumb question) as to how we can correct this?

It sounds like she was changing settings in Outlook and set it up somehow to split outgoing E-mails into several messages, which can't be done anymore. You might want to try the Declude Virus mailing list to see if someone there knows what setting in Outlook does this.

-Scott

Jim Rooth
KLOTRON,INC.
Office: 817.654.3018.103
Home: 972.606.6341
Mobile: 214.244.0979
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

RE: [Declude.Virus] Partial Vulnerability
Going back through her emails I see she is using Outlook Express 5.0 and not Outlook 5.0.

Jim Rooth
KLOTRON,INC.
Office: 817.654.3018.103
Home: 972.606.6341
Mobile: 214.244.0979
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Rooth
Sent: Tuesday, November 26, 2002 08:18
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Partial Vulnerability

Quick question to the group... Does anyone know any settings in Outlook 5 for splitting outgoing emails?

>I am getting one client that is having problems sending emails to
>people. It seems several are coming back with " Partial Vulnerability"
>as the virus name. She is using Outlook 5 as her email. I thought the
>main reason for this is a leading blank space in the subject area.
>
>I told her to look for a patch on Microsoft or a security update. Do
>you have any ideas (dumb question) as to how we can correct this?

It sounds like she was changing settings in Outlook and set it up somehow to split outgoing E-mails into several messages, which can't be done anymore. You might want to try the Declude Virus mailing list to see if someone there knows what setting in Outlook does this.

-Scott

Jim Rooth
KLOTRON,INC.
Office: 817.654.3018.103
Home: 972.606.6341
Mobile: 214.244.0979
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]