Author Topic: RS does NOT pick up Sober-Worm in .EML-Files

whocares

  • Guest
RS does NOT pick up Sober-Worm in .EML-Files
« on: October 30, 2003, 09:54:12 AM »
Hi,

Win2k-SP4 with all important updates,
avast 4 home (4.1.289, VPS 310-3 from 29.10.03)


The Resident shield does pick up the infected .BAT-file from Win32:Sober [Wrm], but it DOES NOT alert to the saved worm mail (.EML-file from Netscape 7.02 German); neither on copy nor write.

- RS is set to scan the default extension list including EML both on open & create/modify
- Quickscan picks up both BAT & EML correctly, as do other OD-scanners


How come? Any files/logs you'd like from me?


P.S.: Where do I find the RS-Log on virus findings? I only find OD-Reports or Install/error-Logs




Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re: RS does NOT pick up Sober-Worm in .EML-Files
« Reply #1 on: October 30, 2003, 11:08:19 AM »
Maybe because the worm is uuencoded (base64) inside the EML. You can say it is a kind of archive.
MfG Ralf

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: RS does NOT pick up Sober-Worm in .EML-Files
« Reply #2 on: October 30, 2003, 11:11:12 AM »
The Standard Shield does not scan inside archives by default (MIME/uue are treated as archives).

See e.g. http://www.avast.com/forum/index.php?board=2;action=display;threadid=15;start=msg50#msg50 (the MIME packer is what you need in this case)

Vlk
If at first you don't succeed, then skydiving's not for you.
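The behaviour discussed above, as an added example that is not part of the thread and not avast code: a byte signature inside a base64-encoded MIME attachment is invisible to a scan of the raw .EML bytes and only appears once the message is unpacked like an archive. The signature value, addresses, file name and function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, harmless stand-in for a scanner's byte signature.
SIGNATURE = b"CONSTRUCTED-SIGNATURE-0001"


def build_sample_eml() -> bytes:
    """Constructed sample: a saved mail with one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    payload = b"\x00" * 7 + SIGNATURE + b"\x00" * 5
    # Binary attachments are base64-encoded by the email package.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="sample.bat")
    return msg.as_bytes()


def raw_scan(data: bytes, signature: bytes) -> bool:
    """Scan the file as stored on disk, without unpacking MIME parts."""
    return signature in data


def mime_scan(data: bytes, signature: bytes) -> list:
    """Treat the mail as an archive: decode every leaf part, then scan it."""
    hits = []
    msg = message_from_bytes(data, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        body = part.get_payload(decode=True) or b""  # undoes base64/qp
        if signature in body:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    eml = build_sample_eml()
    print("raw scan hit:", raw_scan(eml, SIGNATURE))
    print("MIME-unpacked hits:", mime_scan(eml, SIGNATURE))
```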

whocares

  • Guest
Re: RS does NOT pick up Sober-Worm in .EML-Files
« Reply #3 on: October 30, 2003, 11:55:47 AM »
OK, silly me... forgot all about mail archives

I'll try including MIME only for RS to scan


However, I find it a bit misleading then if EML shows up in the default extension-list