[Dshield] FW: virus found in sent message "illegal..."

allan.vanleeuwen@orangemail.nl allan.vanleeuwen at orangemail.nl
Wed Mar 10 10:29:41 GMT 2004

AFAIK Symantec's Corporate version doesn't do script blocking and/or POP3
email scanning.

-----Original Message-----
From: Al Reust [mailto:areust at comcast.net] 
Sent: Wednesday, 10 March 2004 5:12
To: General DShield Discussion List
Subject: RE: [Dshield] FW: virus found in sent message "illegal..."

This is interesting. I apologize in that I should have stated that this 
particular machine was running Symantec Corporate 8.1 AV.

It means that I should check to see if NSW 2003 will detect the same.


At 01:41 PM 3/9/2004 -0500, you wrote:
>I can't remember ever getting an alert from NAV 2003 while browsing in IE 
>6/5, but then I'm the zealot with his ActiveX/Java and a bunch of other 
>stuff turned off. Now while doing weekly scans, I've found & cleaned 
>things in the cache that never got rendered by the browser.
>One would think that NAV stands between the incoming data & IE, therefore 
>should be able to deny access to the file & remove it. Biggest surprise 
>years ago was when a sample of the 1st IE exploit changed files on my 
>system & NAV at the time never raised any flags. Ever since then I've been 
>using dumbed down IE settings & custom security zones.
>Emptying the cache is good & bad: Good in that there aren't a huge number 
>of little files to be scanned. Bad in that if a site gave you an infected 
>file, you wouldn't know at all. When scanning from a boot CD, I always 
>clear the cache or suffer the potential hours of scanning temp Internet 
>files w/ HDD caching.
>Won't be trying NAV 2004 w/ its activation nightmares here, almost not 
>even using 2003 after it crapped out a week before my subscription was to 
>expire and taking my network stack with it (symtdi) doing an uninstall.
>At 09:32 AM 3/9/2004, Peter Stendahl-Juvonen wrote:
>>Should the Auto-Protect feature of the antivirus SW not be able to
>>delete the contaminated temporary Internet file as soon as the user
>>closes the browser?
>>At least that is how NAV2004 behaves when it detects and identifies the
>>threat as W32.Sobig.F@mm.enc.
>>[File located at C:\Documents and Settings\UserName\Local
>>Settings\Temporary Internet Files\Content.IE5\G5ABKTY7\msg00002[1].htm.
>>Should be no problem deleting that file, should there?]
>>Nevertheless, I second your recommendation about cleaning the Internet
>>cache and scanning the system for viruses post festum.
>>Yet the system should be clean as soon as the antivirus SW's
>>Auto-Protect feature is able to delete the infected temporary Internet
>>file, i.e. when user exits the browser (unloads IE from RAM).
>Joshua MacCraw
>warpmedia at comcast.net