Re[2]: antivirus plugin with fragmented email
Monday, October 28, 2002, 5:19:10 PM, Chris wrote in message mid:2782432111.20021028091910;Surfcity.net

CW I'm not sure about other AV's, but DrWeb actually scans compressed files
CW before execution. Therefore, if it has a virus, it'll recognise it
CW before you even attempt to save it and then unpack it.

Kaspersky does the same Chris - in fact this afternoon I was trying to download the eicar test file to use on the test box downstairs and it was in a zip format. As soon as the download had finished and before I had even managed to get to the directory it was in Kaspersky blocked access to it.

Resort to plan B - write my own eicar file on the standalone box! <g>

--
Cheers, Anne
Using The Bat! v1.61 on Windows 98 4.10 Build A

Current version is 1.61 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: antivirus plugin with fragmented email
Tuesday, October 29, 2002, 8:13:12 PM, Chris wrote in message mid:144179274523.20021029121312;Surfcity.net

CW This is another feature I really liked with DrWeb, because if you're
CW about to download a big file, it'll warn you before you start
CW downloading it rather than when you've finished.

This has me puzzled Chris - how can an AV on a local machine be scanning a file on a remote server before it's downloaded?

--
Cheers, Anne
Using The Bat! v1.61 on Windows 98 4.10 Build A
Re[2]: antivirus plugin with fragmented email
Hello Simon, Allie, others following this important thread.

It seems to me that Simon and Allie are basing their positions on two different principles or givens, which are always correct by definition. That's what produces a stalemate, in absolute terms. In relative terms, each of us can decide for him or herself which principles are more or less (or equally) important. Below, I present a third principle that I believe is also relevant.

As I understand it, Simon maintains that using an AV app that provides a greater degree of security by selecting for potentially dangerous file types and patterns is preferable. No one can argue with that, since that IS his preference, one which I'm sure is shared by many others as well (including myself, in many cases).

OTOH, Allie maintains that the true function of an AV app is to provide protection against real viruses (virii?) in the wild, and questions the validity of (and therefore, the degree of security provided by) the tests that Simon believes demonstrate a capacity for providing a greater degree of protection. Allie also mentions ways to implement multiple AV apps that may provide an even greater benefit.

Obviously, the AV app that provides the greatest protection against real virii in the wild is what most of us want. Unfortunately, conflicting data sources provide incomplete support for arriving at a definitive conclusion in what is, in any case, a continually changing field.

All of us need virus protection and use applications intended to provide it. Kaspersky, DrWeb, NOD32, F-Prot and probably a few others are indisputably among the best there are, while AVG may well be the best free AV app available. All have their relative strengths and weaknesses and are more or less effective, depending on the situation. In the context of any TB! list, it can be assumed that compatibility with TB! is also an important issue for any AV app.

Beyond that, I believe that maintaining a friendly atmosphere is also important on all TB-lists, which are excellent forums we all use to share knowledge and help each other in a constructive and civil manner. While differences of opinion and preferences are inevitable, maintaining the friendly nature of the interchange is even more important than proclaiming which of the very competent AV apps mentioned (Kaspersky, DrWeb, NOD32, F-Prot, AVG etc.) is king of the hill. (Which hill?)

Douglas
Re[2]: antivirus plugin with fragmented email
Hello Paul,

On Monday, October 28, 2002, 9:30:07 AM, you wrote:

PC and a fourth- if you don't keep ANY anti-virus package up-to-date it is
PC almost worthless. I have used many PCs where the virus definitions are
PC over 1 year old. THEY think they are protected!

PC and let's not forget AVG is FREE for personal use only, they
PC DO SELL a professional product.

And in fact, if I recall, you don't get the heuristics capability unless you register it as such.

D
Re[2]: antivirus plugin with fragmented email
Hello Simon, others following this thread,

Simon wrote when Lourdes inquired:

LJ http://www.gfi.com/emailsecuritytest/ has a nice set of test emails
LJ I'm interested in knowing if the Anti-Virus plugins will catch the
LJ fragmented email (eicar.com attachment)

S I was testing the AVG plugin with TB! yesterday with eicar.com available
S from here http://www.eicar.org/anti_virus_test_file.htm When I checked my
S mail AVG caught the attached file and created a new quarantine folder in
S TB!, then moved the infected email there before continuing to process other
S incoming mail - So obviously after reassembly but it still gets caught :)

Are attachments contained in the message body or in a separate folder? If it's the latter, AVG will alert you and quarantine the message but the infected file remains in the attach (or other) folder, so you'll need to run AVG to heal it or right (NOT left) click to delete it. Also, WinXP makes backup files that will also contain the virus, so run AVG on the whole partition.

Douglas
Re[2]: antivirus plugin with fragmented email
Hello Peter,

Sunday, October 27, 2002, 3:00:20 PM, you wrote:

PP This re-assembling is done _after_ mails are received, as I could see
PP at the flicker in my message list, but there's no known hook to me in
PP The Bat! that gives the message to an AV-plugin when message list
PP actions are done; the only hook there is at attachment actions like
PP 'save' or 'open'.

AIUI - TB! uses temp files to bring in mail and that's where the AV would pick up the virus definition (providing you have it set to scan all file types). When we tried out the whole range of test e-mails from www.gfi.com using Kaspersky AVP it picked up *all* of them without a hitch!

HTH

--
Best regards,
Barry2
Using The Bat! v1.61 on Windows 98 4.10 Build
Re[2]: antivirus plugin with fragmented email
Yo Simon, you wrote regarding:

DH Are attachments contained in the message body or in a separate
DH folder? If it's the latter, AVG will alert you and quarantine the
DH message but the infected file remains in the attach (or other)
DH folder...

S I had always kept attachments in a separate folder, until recently. I liked
S it that way, and any infected files that I received got dropped there and
S pgp wiped by me later. However, I got fed up with managing the folder and
S having to sort through hundreds of files so recently changed to keeping
S attachments in the message bodies. Still unsure about this, but of course in
S this case it shows how advantageous this method is :)

Even if the attachment isn't in the message body, the message will give you the name of the file, so disposing of the file's not much of a problem. Also, selecting it will activate AVG. I get few of them anyway, since I use the mail dispatcher on the main accounts and check for message size before downloading. A message with an attachment not specifically desired isn't downloaded but rather, deleted on the server. As for the hundreds of files in an attach directory, anything important is copied or moved to another folder and often renamed.

BTW, your signature delimiter isn't functioning.

D
Re[2]: antivirus plugin with fragmented email
Replying to your message of Sunday, October 27, 2002, 2:43:07 PM:

ACM The main problem with this test being that real viruses aren't being
ACM used.

I have lots of real viruses if you really want to do some testing. ;O)

--
Pete
www.milneweb.com
Sunday, October 27, 2002 3:27:01 PM
This e-mail is brought to you by: The Bat: Version 1.61 Windows 2000 build 2195 Service Pack 3
Re[2]: antivirus plugin with fragmented email
Hello Peter,

Sunday, October 27, 2002, 9:07:24 PM, you wrote:

PP Hello Barry2,
PP On Sunday, October 27, 2002 at 8:32:52 PM you [B] wrote (at least in
PP part):

B AIUI - TB! uses temp files to bring in mail and that's where the AV
B would pick up the virus definition ( providing you have it set to scan
B all file types ).

PP CMIIW, but these .tmp files are used on 'per message basis' when
PP fetching them from POP/IMAP.
PP The fragmented message will come in as x messages with x .tmp files,
PP none of them containing the complete virus. So the AV-engine must be
PP very lucky to detect the virus, maybe occasionally this is possible.
PP But in general The Bat! will 'rebuild' the virus _after_ those .tmp
PP files are imported to message base and already deleted, so in case of
PP a 'fragmented message virus attack' there will be no single .tmp file
PP an AV-engine could catch.

In the case of the fragmented message virus that's right. I was really referring to the way the temp files are created and then automatically scanned by the AV. When TB! recreates the message / virus I'm not sure whether or not it would also use a temporary file too (it must create something to put all the parts into?) and that's what will get scanned as each bit is added .. once all the bits are in there the AV gets a hit.

PP Nevertheless, The Bat! uses temporary files as well when opening
PP attachments from inside The Bat!, so first an eventually configured
PP 'Scan attachments when opening' plug in will take effect and second an
PP eventually installed and configured resident virus shield will
PP recognize the virus if the plugin is missing / not activated.

That's what we find with the Kaspersky Personal Edition we are using, there's no specific plug-in for TB! but it doesn't stop it picking up those GFI exploits :-)

--
Best regards,
Barry2
Using The Bat! v1.61 on Windows 98 4.10 Build
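Peter's point above (each fragment of a message/partial mail sits in its own .tmp file, none of them holds the whole attachment, and the client only rebuilds the complete message after those files are gone) is easy to reproduce on the desk. The script below is an added example written for this thread; it is not code from The Bat!, from GFI, from any AV product or from any list member. It builds a constructed two-part message, splits it into message/partial fragments the way RFC 2046 section 5.2.2 describes, with the fragment size chosen so that a constructed marker string (standing in for the EICAR string) straddles a fragment boundary, scans every fragment on its own, then reassembles the set and scans again. Only a scan of the reassembled message finds the marker. The reassembler also refuses duplicate, mixed or missing fragments, which is the decision point a gateway scanner has to handle (hold or quarantine an incomplete set rather than pass its pieces through). Addresses, the part id, the filename and the marker are all constructed; real reassembly per RFC 2046 also merges some envelope headers, which this example leaves out.

```python
"""Constructed demonstration: a per-fragment scan of message/partial mail misses
content that only exists after reassembly (RFC 2046 section 5.2.2).

Added example for this thread; not code from The Bat!, from any AV product or
from any list member. Addresses, ids, filenames and the marker are constructed."""
import email
import email.policy
from email.message import EmailMessage, Message

# Constructed stand-in for a scanner signature (the EICAR string would do here).
MARKER = b"CONSTRUCTED-SCANNER-TEST-MARKER"


def build_test_message():
    """Build a constructed two-part message whose attachment carries MARKER."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attachment.")
    body = b"padding line\n" * 3 + MARKER + b"\n" + b"padding line\n" * 3
    # 7bit keeps the attachment bytes verbatim, so the split is easy to see.
    msg.add_attachment(body, maintype="application", subtype="octet-stream",
                       filename="sample.bin", cte="7bit")
    return msg.as_bytes()


def make_fragments(raw, chunk_size, part_id="constructed-id@example.test"):
    """Split a serialized message into message/partial fragments (sender side)."""
    chunks = [raw[i:i + chunk_size] for i in range(0, len(raw), chunk_size)]
    total = len(chunks)
    fragments = []
    for number, chunk in enumerate(chunks, start=1):
        envelope = (
            f"Subject: constructed fragment {number}/{total}\n"
            f'Content-Type: message/partial; id="{part_id}"; '
            f"number={number}; total={total}\n\n"
        ).encode("ascii")
        fragments.append(envelope + chunk)
    return fragments


def parse_fragment(fragment):
    """Return (id, number, total, body) from one fragment's envelope headers."""
    head, _, body = fragment.partition(b"\n\n")
    hdr = Message()  # used only for its Content-Type parameter parsing
    for line in head.split(b"\n"):
        name, _, value = line.partition(b":")
        hdr[name.decode("ascii").strip()] = value.decode("ascii").strip()
    if hdr.get_content_type() != "message/partial":
        raise ValueError("not a message/partial fragment")
    return (hdr.get_param("id"), int(hdr.get_param("number")),
            int(hdr.get_param("total")), body)


def reassemble(fragments):
    """Rebuild the original message bytes; refuse incomplete or mixed sets."""
    pieces, ids, totals = {}, set(), set()
    for fragment in fragments:
        part_id, number, total, body = parse_fragment(fragment)
        if number in pieces:
            raise ValueError(f"duplicate fragment number {number}")
        pieces[number] = body
        ids.add(part_id)
        totals.add(total)
    if len(ids) != 1 or len(totals) != 1:
        raise ValueError("fragments do not belong to a single message")
    total = totals.pop()
    missing = [n for n in range(1, total + 1) if n not in pieces]
    if missing:
        raise ValueError(f"missing fragments: {missing}")
    return b"".join(pieces[n] for n in range(1, total + 1))


def scan_message(raw):
    """Return names of leaf MIME parts whose decoded content contains MARKER."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        content = part.get_payload(decode=True) or b""
        if MARKER in content:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


def demo():
    """Scan fragments one by one, then scan the reassembled message."""
    raw = build_test_message()
    # Worst case for a per-fragment scanner: a boundary falls inside MARKER.
    chunk_size = (raw.index(MARKER) + len(MARKER) // 2) // 2
    fragments = make_fragments(raw, chunk_size)
    return {
        "fragments": len(fragments),
        "per_fragment_hits": [scan_message(f) for f in fragments],
        "reassembled_hits": scan_message(reassemble(fragments)),
        "roundtrip_ok": reassemble(fragments) == raw,
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints an empty hit list for every fragment and a single hit, the attachment, for the reassembled message. The reassembly step is the only place a scanner can see the complete attachment, so a mail client that rebuilds fragments straight into its message base, as Peter describes, has to offer the rebuilt message to the scanner itself, or the resident shield only gets its chance when the attachment is later written out as a temp file on open or save.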
Re[2]: antivirus plugin with fragmented email
Hello Simon,

Sunday, October 27, 2002, 8:15:34 PM, you wrote:

S -----BEGIN PGP SIGNED MESSAGE-----
S Hash: SHA1

S 'Lo Barry2,
S On Sun, 27 Oct 2002 19:32:52 + your time, you authored this:

B When we tried out the whole range of test e-mails from www.gfi.com
B using Kaspersky AVP it picked up *all* of them without a hitch !

S I've done a *lot* of testing today using the Kaspersky plugin it
S does not lead to 100% detection of all the gfi.com test files. Are
S you talking about using the resident components?

We don't have the plug-in here for our Kaspersky edition (there isn't one) but yep, all the exploits were picked up OK. It's a while since we did that so I'll nip over to GFI and do it again; will report back later when I've done it.

--
Best regards,
Barry2
Using The Bat! v1.61 on Windows 98 4.10 Build
Re[2]: antivirus plugin with fragmented email
Sunday, October 27, 2002, 11:19:52 PM, Scott wrote in message mid:1050671.20021027171952;local.nu

SM A properly-implemented AV program *should* consider the EICAR test
SM virus to be a real virus. Otherwise, it defeats the purpose of even
SM having a test.

Interestingly enough Nod32 - which is another of the highly rated AV programs - doesn't detect the eicar test file, and when asked about this their response apparently was that Nod32 was designed to detect real viruses not test files!

--
Cheers, Anne
Using The Bat! v1.61 on Windows 98 4.10 Build A
Re[2]: antivirus plugin with fragmented email
Monday, October 28, 2002, 3:09:22 AM, Scott wrote in message mid:5879820890.20021027210922;local.nu

SM The entire purpose of the EICAR test virus is to be able to confirm
SM that the antivirus software is indeed installed and working properly.

Yep I know Scott - which is why I thought the comment by Eset/Nod32 was interesting! It's true that it doesn't detect the eicar test file we used - this is one to check for the long filename vulnerability in zipped files, which we put onto the standalone test box downstairs and ran a range of AV's across it. The only one which detected it was Kaspersky - the others either didn't detect it or crashed the system trying to check the file.

--
Cheers, Anne
Using The Bat! v1.61 on Windows 98 4.10 Build A
Re[2]: antivirus plugin with fragmented email
Monday, October 28, 2002, 3:17:05 AM, Gary wrote in message mid:20021027211705.A3136;major.mygirlfriday.info

G Anne, As an afterthought, I purchased the Personal Kaspersky edition, last
G January, for $49, I believe. It worked well, and even on their site, said
G it would have a plug-in for TB!... Well this turned out not to be true,
G even though it said so on their web site. You now must have the Pro
G edition which costs about $99 to get the plug-in for TB!... I was really
G upset about this, and do not plan on renewing my subscription. I currently
G use AVG when in Windows, and it is free, with a plug-in.

Thanks for this Gary - I sort of thought I'd read something on the KAV site about it but when I went back to check I couldn't find it again. I still prefer KAV without the plugin to any of the others with one to be honest - in all the tests we've seen and those we have run KAV seems to be more reliable than any other AV.

--
Cheers, Anne
Using The Bat! v1.61 on Windows 98 4.10 Build A
Re[2]: antivirus plugin with fragmented email
Hello Gary,

Monday, October 28, 2002, 3:17:05 AM, you wrote:

G Anne, As an afterthought, I purchased the Personal Kaspersky edition, last
G January, for $49, I believe. It worked well, and even on their site, said
G it would have a plug-in for TB!... Well this turned out not to be true,
G even though it said so on their web site.

Until this thread popped up we didn't even think about the plug-in apart from finding out it wasn't available. All we knew was it worked and worked very well :-)

G You now must have the Pro edition which costs about $99 to get the
G plug-in for TB!... I was really upset about this, and do not plan
G on renewing my subscription. I currently use AVG when in Windows,
G and it is free, with a plug-in.

Your choice of course but AVG doesn't get as good a score in the real virus tests - and with an anti-virus surely it's performance rather than price that should be the main criterion??

--
Best regards,
Barry2
Using The Bat! v1.61 on Windows 98 4.10 Build
Re[2]: antivirus plugin with fragmented email
Hi Anne and Lourdes,

You wrote, Anne:

A I'd be interested to know this also, as when I ran the checks recently
A my AV (Kaspersky) allowed the reconstruction of the fragments before
A it checked the mail. Also, is there a Kaspersky plugin for TB and if
A so where would I find it to try please?

I downloaded the Kaspersky Pro version, Anti-Virus Monitor No. 4.0.5.15. -- It was Friday 25 October I think. Dates running together in my sleepy head. :)

When I clicked on Options-Anti-Virus Protection, a window came up that offered me the Kaspersky Plug-In to Add. I did this and it says I have version 3.5.9 of a COM-based plug-in. Every time I launch TB a box shows on top of the Logo, Loading Kaspersky Anti-Virus Plug-In. Flashes and then disappears with the TB Logo.

I had a little trouble with the download. The sales site confused me and I accidentally first downloaded the Demo. I went back and managed to find the Purchase and Register download, but mistakenly assumed it would overwrite the Demo. Not so. The Wizard told me to uninstall it. So I exited the Wizard. I had mistakenly let the download Run from Current Location. So had to go back and re-download (I bought the $5 privilege at purchase.) This download I saved to disk, but it was faulty. Windows said that driver files were missing. Then the people at the Buy site had lost my order number. I had to write to Kaspersky customer service. Finally got everything done. So far as I know, no bugs. But the plug-in came with it.

I have described this at such length, because maybe you are supposed to have the plug-in there to enable at the click of a mouse, and the code you got (whether download or disk, I didn't know) left it out, the way my driver got left out.

--
Cheers,
Mary