Community Discussions and Support
Testing VirScan

Further to my previous posting, the latest version of Virscan has a separate option in Virscan.ini, called Enczip=, which can have two values: Deny (which is the default) or Skip.

Martin 


On a Win 7 machine with Norton Internet Security (NIS), I installed PMail 4.70 and VirScan (VS).  To see if VS was properly configured, I created a test message, a .CNM file with the EICAR test file string in the message body, <http://www.eicar.org/>. When I opened the test message, NIS displayed the accompanying screen shot snip.  Disabled VS and got the same result. If I were to uninstall VS, am I any less protected?

KSQR


Virscan acts on attachments.  Read more on the download page

http://community.pmail.com/files/folders/pegadd/entry20083.aspx

as well as in the virscan.txt file included in the download.


[quote user="bfluet"]

Virscan acts on attachments.  Read more on the download page

http://community.pmail.com/files/folders/pegadd/entry20083.aspx

as well as in the virscan.txt file included in the download.

[/quote]

What is a good way to test to ensure that the Virscan.ini file is actually configured correctly?

KSQR

 


I have used services in the past that email you an eicar attachment.  I did a quick websearch and found that Panda provides this service but they are not one I have used in the past. I didn't spend a lot of time reviewing the search results so there are probably other services.  I remember using one that could send eicar in numerous different file types.  I don't remember who provided that service though.

Here is the url of the Panda site I found.  You may want to tick the "I do not want to receive marketing information..." option at the bottom of the page. 

http://www.pandasecurity.com/usa/homeusers/security-info/protected/eicar-test/eicar3.htm

Keep in mind that the virscan.ini file is configurable to block files with certain extensions and blocks some extensions by default.  I don't know what extension Panda sends their test attachment as so be aware that it might get blocked rather than scanned if the extension is in the virscan.ini deny list.

Finally, I believe you can write the eicar string to a text file then rename it to a .com file to serve as a test attachment.
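One way to build the EICAR test attachment discussed in the post above, as an added example that is not part of the thread or of Virscan: it wraps the standard EICAR string in a MIME message under a chosen file name and reports whether that name would be expected to hit an extension block or a content scan. The deny list and the example.com addresses are constructed placeholders; substitute the extensions your own virscan.ini denies.

```python
from email.message import EmailMessage
from pathlib import PurePath

# The standard 68-byte EICAR test string, split in two so that this script
# itself is less likely to be quarantined by an on-access scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def expected_outcome(filename, denied_exts):
    """Say which check should fire first for this attachment name."""
    ext = PurePath(filename).suffix.lstrip(".").lower()
    denied = {e.lstrip(".").lower() for e in denied_exts}
    return "extension block" if ext in denied else "content scan"


def build_test_message(sender, recipient, filename, denied_exts=()):
    """Build a MIME message carrying EICAR as an attachment named `filename`."""
    outcome = expected_outcome(filename, denied_exts)
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"EICAR attachment test: {filename} (expect {outcome})"
    msg.set_content("Constructed test message; the attachment is the EICAR test file.")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg, outcome


if __name__ == "__main__":
    # Constructed deny list: replace with the extensions your virscan.ini denies.
    denied = {"com", "exe"}
    for name in ("eicar.com", "eicar.txt", "eicar.dat"):
        msg, outcome = build_test_message("me@example.com", "me@example.com",
                                          name, denied)
        # msg.as_bytes() can be saved as an .eml file or sent to yourself via smtplib.
        print(f"{name}: {len(msg.as_bytes())} bytes, expect {outcome}")
```

Sending one message with a denied extension and one with an allowed extension separates the two cases: a block on the first only proves the extension rule works, a block on the second proves the attachment was actually scanned.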


[quote user="bfluet"]

I have used services in the past that email you an eicar attachment.  I did a quick websearch and found that Panda provides this service but they are not one I have used in the past. I didn't spend a lot of time reviewing the search results so there are probably other services.  I remember using one that could send eicar in numerous different file types.  I don't remember who provided that service though.

Here is the url of the Panda site I found.  You may want to tick the "I do not want to receive marketing information..." option at the bottom of the page. 

http://www.pandasecurity.com/usa/homeusers/security-info/protected/eicar-test/eicar3.htm

[/quote]

Even though the page had a graphic promoting their 2012 products in lower left hand corner, I completed the form.  Panda sent me a message with a link.  Clicking the cited link returned a 404 with:

Server Error in '/Virus_info' Application.
The resource cannot be found.

KSQR


Try searching online for Eicar email test service or similar.


[quote user="caisson"]Try searching online for Eicar email test service or similar.
[/quote]

Have tried many services that say they send messages with attached EICAR type test files.  To date no such message has made it to my Inbox. Has anyone received such test messages recently?

KSQR
 


This one works but the messages may be blocked by your provider.

http://www.aleph-tec.com/eicar/


And another:

http://www.emailsecuritycheck.net/


[quote user="caisson"]

This one works but the messages may be blocked by your provider.

http://www.aleph-tec.com/eicar/

[/quote]

Using a non-free email I got the Clean notification e-mail and only the two with password Zip files.  When I tried to look at the Zip files, a Virscan Stop graphic was displayed. 


 Now I know that VirScan (VS) is properly configured.

Is there a more convenient way to disable VS than renaming Virscn32.fff?

KSQR
 


You can let zip files through the process by adding the extension zip to the SkipExtensions line in Virscan.ini. Your AV *should* examine the file when it is stored on your hard drive. However, it will have to prompt for the password before starting to examine the content of the file.

This Virscan feature was introduced back in 2004 when bad guys got viruses etc. onto your hard drive by marking them as encrypted, knowing that a silent install would be allowed through. Since then the AV companies have learned a few things, and you should check your AV product documentation to see what it does when encountering this type of file.  The original bypass of this security check was to make the file transfer into either a web or FTP download.

Martin 
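Why an attachment filter can recognise an encrypted ZIP without knowing the password, as an added example (not Virscan's code and not from the thread): the ZIP headers carry an "encrypted" flag bit and the member names in the clear, even though the contents cannot be scanned. The sample archive is constructed inline and is only flagged as encrypted, not actually encrypted.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # general-purpose flag bit 0: member data is encrypted


def encrypted_members(zip_bytes):
    """Return the names of members flagged as encrypted; no password is needed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED]


def constructed_sample(mark_encrypted, name="sample.com",
                       payload=b"constructed placeholder bytes"):
    """Constructed input: a one-member stored ZIP, optionally with the
    encrypted flag set in both its local and central directory headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0)), payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Local header starts at 0 (flags at +6); with one stored member the
        # central directory follows at 30 + name + payload (flags at +8).
        central = 30 + len(name) + len(payload)
        for pos, sig, off in ((0, b"PK\x03\x04", 6), (central, b"PK\x01\x02", 8)):
            if data[pos:pos + 4] != sig:
                raise ValueError("unexpected ZIP layout")
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    for marked in (False, True):
        names = encrypted_members(constructed_sample(marked))
        print("encrypted members:", names or "none")
```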

 

 
