Security Incidents mailing list archives

Re: wmon16.exe


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 11 May 2004 12:20:20 +1200

"Willem Tahon" <tahon () un org> wrote:

Also keep in mind that some of the AV developers require specific handling
of viruses (e.g. password-protected zipping) before sending them.

Indeed, which is why the McAfee entry appears as follows:

   Network Associates (McAfee)     <virus_research () nai com>
     (use a ZIP file with the password 'infected' without the quotes)

Some of the others may _prefer_ you to do similar or recommend you to 
do so to prevent the attachment being stripped by virus-scanning 
gateways between the sender and recipient (though these days, zealous 
content-filtering gateways will consider passworded ZIPs suitably 
dubious to be stripped anyway), but AFAIK only McAfee "requires" this 
(and even then they will accept non-ZIP'ed samples but weird things can 
happen due to stuffed-up internal message routing resulting in them 
sending you back a malicious file along with a message suggesting there 
is nothing wrong with it).


Regards,

Nick FitzGerald

