'Lo,

Well, I should have been more thorough, so please accept my apologies to everyone to start with. Having both Kaspersky and AVG plugins loaded was confusing matters somewhat, and causing problems as well. I shall explain, as it answers a previous question I asked about multiple plugins use as well.

First: *ONLY* the AVG Plugin installed

The AVG plugin only catches the eicar.com virus attachment out of all the exploits sent by gfi.com. It pops up a notification window before quarantining the infected email message:

http://www.netbanger.com/offsite/avgeircar.gif

These are the rest of the test files from gfi.com that ended up in my mailbox.

* Object Codebase vulnerability test
* MIME header vulnerability test
* Iframe remote vulnerability test
* ActiveX vulnerability test
* eicar.com [1/5]
* VBS attachment vulnerability test
* CLSID extension vulnerability test
* Malformed file extension vulnerability test (for Outlook 2002 - XP)
* GFI's Access exploit vulnerability test
* CLSID extension vulnerability test (for Outlook 2002 - XP)

You'll probably notice eicar.com [1/5] in the list, and this message is the only part 1 of the 5 fragments to arrive so maybe something to do with my earlier experiences. However, after a second poll to the server the remaining fragments were retrieved and the fragmented message was immediately reassembled in the inbox as:

* Fragmented message vulnerability test (for Outlook Express)

In any event, with *only* the AVG plugin installed nothing but the eicar.com attachment is detected and quarantined.

Second: *ONLY* the Kaspersky Plugin installed

The Kaspersky plugin catches 5 of the emails, but also kicks up an error 1 test out of 3:

http://www.netbanger.com/offsite/kaperskyeircar.gif

After Kaspersky has quit the *quarantine* folder contains the following messages:

* CLSID extension vulnerability test (for Outlook 2002 - XP)
* Object Codebase vulnerability test
* MIME header vulnerability test
* Eicar anti-virus test
* Malformed file extension vulnerability test (for Outlook 2002 - XP)

The *inbox* contains the following messages:

* Iframe remote vulnerability test
* VBS attachment vulnerability test
* GFI's Access exploit vulnerability test
* CLSID extension vulnerability test
* ActiveX vulnerability test
* Fragmented message vulnerability test (for Outlook Express)

Third: *BOTH* the AVG (first in list) and Kaspersky Plugins installed

Both the AVG notification window and the Kaspersky error window pop up:

http://www.netbanger.com/offsite/onkpavgeircar.gif

Obviously, this indicates that both plugins are run in succession (in the snap AVG has focus because I clicked it. The Kaspersky window had focus before that, being that it is second in the plugin list so ran last).

With both AVG and Kaspersky plugins installed the following files get moved to the *quarantine* folder:

* CLSID extension vulnerability test (for Outlook 2002 - XP)
* Object Codebase vulnerability test
* MIME header vulnerability test
* Eicar anti-virus test
* Malformed file extension vulnerability test (for Outlook 2002 - XP)

The *inbox* contains the following messages:

* Iframe remote vulnerability test
* VBS attachment vulnerability test
* GFI's Access exploit vulnerability test
* CLSID extension vulnerability test
* ActiveX vulnerability test
* Fragmented message vulnerability test (for Outlook Express)

Conclusion:

Although AVG catches the eicar.com virus attachment it failed to catch and quarantine any of the others. Kaspersky on its own catches only 5 of the possible 11 (which is expected really I suppose). So there is no advantage having both plugins installed for one, and second, it seems that either I have a problem or the Kaspersky plugin has a problem. Third, to eventually get around to the original question, which I failed to answer ;), no scanners I tested detect virii in fragments, or after fragments had been reassembled in the inbox, which is a vulnerability of course.

Lastly, using both AVG and Kaspersky plugins gives unpredictable results. Sometimes all 11 emails end up in the inbox, and neither scanner manages to quarantine anything. And that is odd!

--
Slán,
Simon @ theycallmesimon.co.uk
_______________________________________
Faffing about with TB! v1.61 on W2K SP3
PGP Key: http://pgp.netbanger.com/
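An added example, not part of the original post and not code from The Bat! or either plugin: a sketch of the check a mail gateway can apply to the fragment problem described above, holding fragments until the set is complete and scanning the reassembled text. It assumes the fragments are MIME message/partial parts (RFC 2046); PartialGate, scan and make_fragments are hypothetical names, the signature is a toy stand-in for a real engine, and the sample mails are constructed.

```python
from email.parser import HeaderParser

SIGNATURE = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"  # toy stand-in for a real AV engine
def scan(text):
    return SIGNATURE in text  # flags text only if the whole signature is present

class PartialGate:
    """Hold message/partial fragments until the set is complete, then scan the whole."""
    def __init__(self):
        self.parts = {}   # fragment id -> {number: body}
        self.totals = {}  # fragment id -> total (required only on the last fragment)

    def feed(self, raw):
        """Return 'deliver', 'hold' or 'quarantine' for one raw message."""
        msg = HeaderParser().parsestr(raw)  # parse headers only, keep body as raw text
        body = msg.get_payload()
        if msg.get_content_type() != "message/partial":
            return "quarantine" if scan(body) else "deliver"
        frag_id, number = msg.get_param("id"), msg.get_param("number")
        if not frag_id or not str(number).isdigit():
            return "quarantine"  # malformed fragment: never pass it on unscanned
        got = self.parts.setdefault(frag_id, {})
        got[int(number)] = body
        total = msg.get_param("total")
        if total and str(total).isdigit():
            self.totals[frag_id] = int(total)
        want = self.totals.get(frag_id)
        if want is None or any(n not in got for n in range(1, want + 1)):
            return "hold"  # incomplete set: nothing reaches the inbox yet
        whole = "".join(got[n] for n in range(1, want + 1))
        del self.parts[frag_id], self.totals[frag_id]
        return "quarantine" if scan(whole) else "deliver"

def make_fragments(payload, frag_id, size):
    # Constructed sample input: split payload into message/partial mails.
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    out = []
    for n, chunk in enumerate(chunks, 1):
        total = f"; total={len(chunks)}" if n == len(chunks) else ""
        out.append(f"Subject: test [{n}/{len(chunks)}]\n"
                   f'Content-Type: message/partial; id="{frag_id}"; number={n}{total}\n'
                   f"\n{chunk}")
    return out

def demo():
    payload = "Subject: inner test\n\ndata " + SIGNATURE + "\n"
    frags = make_fragments(payload, "constructed-id@example.invalid", 30)
    gate = PartialGate()
    return [scan(f) for f in frags], [gate.feed(frags[i]) for i in (1, 2, 0)]
```

demo() returns the per-fragment scan results next to the gate's verdicts for the same fragments arriving out of order. A production gateway would MIME-decode the reassembled message and expire incomplete sets rather than holding them indefinitely.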