Hi Jason,
I admit I can be wrong about decoding with f-prot's latest release,
seems like fpcmd grew quite a lot in size since 3.14 and that
might be an improved decoder, it's nice to hear that.
Winmail.dat files were caught by f-prot since 3.14 so I expected
something new in the next release ;)

The problem with f-prot is that still now bagle.at is not caught,
but it was discovered on the 29th of October. And it's not the first
time I'm seeing this lack of support.

When I find some examples I used for f-prot, I'll test them on 3.15b
and let you know if something goes wrong. One I can tell you about
right now, although very unusual for virus packaging, is:
take an eicar, zip it with password protection, and zip it again.

XXencode is not used much anymore, mainly in the unix world.

Nice to hear you are coding an av filter for windows.
And yes, it would be nice to have a fast production quality av
filter.
I think the way to go is a tcp/ip service that has auto blacklist, dns and
rfc checking (pre-data) and other testing capabilities before passing data
to the real av filter. But that's a long way... maybe one day ;)

Dario

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Jason J. Ellingson
Sent: Friday, 5 November 2004 14:57
To: [EMAIL PROTECTED]
Subject: [xmail] Re: R: Re: RE: Re: Spam Filters


Glad to hear from you Dario!  Your code was the inspiration for mine.  So I
value your input a lot.

Per your observations, I tested my mail server for detecting viruses...

It caught BASE64, UUENCODE (I think you typoed? -- never heard of XXEMCODE),
and BINHEX viruses I have on hand.

It also caught zipped versions as well (MIME and UUENCODED).  Later I will
see how many recursive zips it will go into to find the viruses (for now, I
limit checking to 3 archives deep).

I use the following switches:
-ai -archive=3 -collect -dumb -noboot -nomem -packed -server -silent
-report=report.txt

The F-Prot .EXEs are 3.15b and the DATs are updated hourly.

I have UUDeview in my code as well... but when I tested against my virus
corpus, I found that F-Prot still caught them all without it, and by using
UUDeview, it slowed the overall process time by a large factor (took at
least twice the time, often more).... I also included a WMDecode in it to
decode winmail.dat files to scan (UUDeview can't), but again, found fprot
could find them just fine without it.  So external decoding is turned off.

As for catching the bleeding edge virus outbreaks, you are correct.  I have
seen my NAI scanner get it about two hours before F-Prot on 3 occasions and
only once the other way.  (both F-Prot and NAI scanners are updated hourly).
I just hadn't implemented the NAI scanner in my AV scanner filter because it
is a bit slower.  Next release of my code will allow for one, or both, and
whether to use the UUDeview/WMDecode stuff or not.

If you have example emails that will pass through F-Prot's scanner, I'd be
happy to get them from you.  Then I'll default my scanner to using the
external decoders.

I hope to release my source code soon, and between all of us, we can create
some bullet-proof anti-virus and anti-spam filters!
------------------------------------------------------------
Jason J Ellingson
Technical Consultant

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Dario
Sent: Friday, November 05, 2004 6:34 AM
To: [EMAIL PROTECTED]
Subject: [xmail] R: Re: RE: Re: Spam Filters

Just a few suggestions

I have a spamc port for windows that will work without cygwin.
http://www.henry.it/xmail (look for xspamc)
I'm using it with spamd on linux (cause of razor, dcc ...) but I have
instructions to setup spamd on windows. I'm still using 2.64 so don't know
if it will work for 3.0. Also, I cannot say what the performance
boost will be, but for sure it will run faster than cygwin.

About f-prot and lack of serious decoding I must say it is true,
I'm not saying there is no mime decoder in f-prot but it is not
capable of catching everything (ex. BASE64, XXEMCODE, BINHEX).
The /SERVER switch will not help, it just enables searching for executables
in password protected zip & rar archives, even more the /ARCHIVE=n switch
was modified (in 3.10 I think) to speed up things but this can
be a security risk as you can nest archives many many times.
Another thing that makes me mad about f-prot is that sometimes they
just miss a bagle or mydoom release. Recently beagle.at and beagle.av.
Curiously this doesn't apply to their f-secure products.
For this reason I'm using f-prot and nai superdat together in my avfilter (0.5),
decoding everything (even nested) with built in decoder (uudeview).

I'm a big fan of frisk software, I have used it since 1990, but they
are obviously putting more effort into f-secure than f-prot and
probably this is going to get worse in the future.

Dario

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
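An added example, written for this thread and not code from XMail, F-Prot or either poster, to illustrate the two archive points raised above: Jason's "3 archives deep" limit and Dario's warning that archives can be nested many times. It builds a constructed nested zip around the standard EICAR test string and walks it with a depth cap, treating an exceeded cap or an encrypted member as a reason to block rather than pass the message as clean. The function names and the depth-cap policy are my own assumptions.

```python
import io
import zipfile

# EICAR test string (a harmless, standard AV test signature), split in two so this
# source file itself does not trip on-access scanners when saved to disk.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def make_nested_zip(payload: bytes, levels: int) -> bytes:
    """Constructed sample: wrap payload in `levels` zip archives, one inside another."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("eicar.com" if i == 0 else f"level{i}.zip", data)
        data = buf.getvalue()
    return data


def scan_archive(data: bytes, max_depth: int = 3, depth: int = 1):
    """Recurse into nested zips up to max_depth. Returns (findings, blocked).

    findings: list of (depth, member name, verdict)
    blocked:  True if nesting exceeded max_depth or an encrypted member could not
              be read; a mail filter should reject such a message, not call it clean.
    """
    findings, blocked = [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted member: name is listable, content is not
                findings.append((depth, info.filename, "encrypted"))
                blocked = True
                continue
            content = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):
                if depth >= max_depth:  # assumed policy: refuse to descend further
                    findings.append((depth, info.filename, "depth-limit"))
                    blocked = True
                    continue
                sub, sub_blocked = scan_archive(content, max_depth, depth + 1)
                findings.extend(sub)
                blocked = blocked or sub_blocked
            elif EICAR.encode() in content:
                findings.append((depth, info.filename, "eicar"))
            else:
                findings.append((depth, info.filename, "clean"))
    return findings, blocked


if __name__ == "__main__":
    print(scan_archive(make_nested_zip(EICAR.encode(), 3)))  # found at depth 3
    print(scan_archive(make_nested_zip(EICAR.encode(), 4)))  # blocked at the cap
```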
