Full Disclosure mailing list archives
RE: f-prot not catching mimail ?
From: "Aditya" <aditya () mail15 com>
Date: Mon, 4 Aug 2003 17:01:08 +0530
hi all,

fprot is catching the virus all right, but only the exe file then the virus signatures are only for the exe file and not for the zip or the htm - the only logical conclusion i could come to.

if you have f-prot on your desktop then you will catch the virus just before executing and on the mailserver just add this address to the blocked senders list - -

hope that helped

Aditya

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Paul Szabo
Sent: Monday, August 04, 2003 3:07 AM
To: full-disclosure () lists netsys com; mike () sentex net
Subject: Re: [Full-disclosure] f-prot not catching mimail ?

Mike Tancsa <mike () sentex net> wrote:

> I have a few copies of the mimail virus from yesterday that f-prot even with its latest updates do not catch. Both the Windows and FreeBSD version fail to identify the two main variants I have got sent my way.

I found the same lack of detection, on Linux. Normally I save the suspect email message as a "UNIX mbox" file and feed that to f-prot; it then finds the attached ZIP within, and the files contained within the ZIP. However with Mimail, it does not detect the ZIP within the message.

If I unpack the ZIP from the message, then the HTM from the ZIP, and finally the EXE from the HTM, then f-prot seems to skip all those except for the EXE, which it detects correctly.

I cannot see anything "special" in the MIME structure of Mimail that would cause f-prot to miss the ZIP attachment (or maybe it is the structure of the ZIP that f-prot cannot unpack?).

Cheers,

Paul Szabo - psz () maths usyd edu au
http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics
University of Sydney 2006 Australia

---

$ f-prot virus/mimail -ai -archive -packed -list
Virus scanning report - 4 August 2003 @ 7:26

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003

Search: virus/mimail
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE -PACKED -LIST -AI

/usr/users/amstaff/psz/virus/mimail

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Time: 0:00

No viruses or suspicious files/boot sectors were found.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
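Added example, not part of the original messages and not F-PROT code: the report above shows "Objects scanned: 1" for a message that holds a ZIP attachment, so one way to check a scanner's unpacking coverage is to enumerate the nested objects independently and compare counts. The sketch below walks the MIME parts and any ZIP members of a constructed, harmless message; the names sample.zip and sample.htm, the addresses and the size cap are assumptions, and the HTM-to-EXE layer described in the thread is not handled.

```python
import email
import io
import zipfile
from email.message import EmailMessage

MAX_MEMBER = 10 * 1024 * 1024  # assumed cap so an archive bomb is not inflated

def enumerate_objects(raw_message, max_depth=4):
    """List (path, size) for every MIME leaf part and every nested ZIP member."""
    found = []
    for part in email.message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(body)"
        data = part.get_payload(decode=True) or b""
        found.append((name, len(data)))
        _descend_zip(name, data, found, max_depth)
    return found

def _descend_zip(path, data, found, depth):
    # Detect ZIPs by content, not by file name or declared MIME type.
    if depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            child = f"{path}!{info.filename}"
            if info.file_size > MAX_MEMBER or info.flag_bits & 0x1:
                found.append((child, None))  # oversized or encrypted: flag, do not read
                continue
            inner = zf.read(info)
            found.append((child, len(inner)))
            _descend_zip(child, inner, found, depth - 1)

def build_sample():
    """Constructed, harmless message: text body plus sample.zip holding sample.htm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.htm", "<html><body>harmless</body></html>")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("body text\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for path, size in enumerate_objects(build_sample()):
        print(path, size)
```

If the scanner's "Objects scanned" figure is lower than the number of entries this returns for the same file, the scanner did not descend into every container.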
Current thread:
- f-prot not catching mimail ? Mike Tancsa (Aug 02)
- RE: f-prot not catching mimail ? Curt Purdy (Aug 03)
- Re: f-prot not catching mimail ? dizzy (Aug 13)
- <Possible follow-ups>
- Re: f-prot not catching mimail ? Paul Szabo (Aug 03)
- Re: f-prot not catching mimail ? Mike Tancsa (Aug 04)
- RE: f-prot not catching mimail ? Aditya (Aug 05)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 04)
- Re: f-prot not catching mimail ? Nick FitzGerald (Aug 04)
- Re: f-prot not catching mimail ? (now fixed) Mike Tancsa (Aug 05)
- Re: f-prot not catching mimail ? Nik Reiman (Aug 06)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 04)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 06)