Print Page | Close Window

Antivirus and password-protected zips

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5838
Printed Date: 13 December 2017 at 7:41pm


Topic: Antivirus and password-protected zips
Posted By: LogSat
Subject: Antivirus and password-protected zips
Date Posted: 21 October 2006 at 4:32pm
Some email viruses contain password-protected zip attachments that could not be scanned by SpamFilter's antivirus plugin. Until now, the only solution to stpo them was to configure SpamFilter to block all emails containing password protected compressed attachments.

We're beta testing a new version of the antivirus plugin that attempts to crack the password for the zip so that its contents can be scanned. If you've purchased the antivirus plugin, or have an evaluating activation code, you may use the new feature by using an updated DLL file. The file is dwnse.dll, and is in SpamFilter's program directory. Simply stop SpamFilter, replace the old DLL, and restart SpamFilter.

The updated file is available at http://www.logsat.com/spamfilter/pub/dwnse.zip - www.logsat.com/spamfilter/pub/dwnse.zip

Please also verify that the correct NCL.DLL file is on your server. It's in the \SpamFilter\nse\bin directory. The correct file size is 212KB (217088 bytes), and should be dated 9/27/06 or later. This file should be automatically be updated along with the virus definitions. If it's not, you can download it from:
http://www.logsat.com/spamfilter/pub/ncl.zip - www.logsat.com/spamfilter/pub/ncl.zip


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Replies:
Posted By: mikek
Date Posted: 23 October 2006 at 4:32am
I have an existing Norman Antivirus Installation on my server. The NCL.DLL is therefore in c:\program files\norman\nse, but is dated 08/24/2006. The Norman Installation is up to date, but I did not receive a new NCL.DLL since then.

Can I safely replace the NCL.DLL with your version?


Posted By: LogSat
Date Posted: 23 October 2006 at 8:44am
Strange, as the updated NCL.DLL should have been automatically updated by your existing Norman back in September, as it's not SpamFilter-specific. It's the Norman Compression Library, and is the updated file by Norman that has extra capabilities in dealing with compressed archives. Is the filesize for you existing file different than the one reported in the thread? If it's the same, you probably received the updated before we did, and in that case there's no need to update.

If it's different, I'm afraid I don't have a final answer. I would not think this would be an issue, but it's a configuration we have not tested so cannot be 100% sure.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: mikek
Date Posted: 23 October 2006 at 8:53am
hmm, really is strange - spamfilter shows that the version dated 9/27/06 is loaded, but i haven't been able to find that version on my harddisk... a complete disk search is running as I type...


Posted By: mikek
Date Posted: 23 October 2006 at 11:14am
now I'm totally confused - there is no ncl.dll dated 9/27/06 on the harddisk, but spamfilter shows that version as loaded.

using sysinternals process explorer, I can see that spamfiltersvc.exe has c:\program files\norman\nse\bin\ncl.dll loaded, which is dated 08/24/06 and has a size of 212'992 bytes...


Posted By: mikek
Date Posted: 23 October 2006 at 11:28am
ok, I think I found the reason:
I deleted the ncl.dll date in spamfilter.ini and restarted the service. Sure enough, ncl.dll got downloaded (as ncl.dll~) but it could not be replaced since our mail server on the same machine is using the file as well. Spamfilter didn't notice this though and wrote the date of the downloaded ncl.dll into spamfilter.ini although the "old" version was still loaded.

It's funny though that the update function of Norman Antivirus itself does not download the new ncl.dll...


Posted By: Vader
Date Posted: 26 October 2006 at 8:21am

For some reason my ncl.dll is dated 5/8/2006.  Tried the link provided but it takes me to http://logsat.com - http://logsat.com

 



Posted By: LogSat
Date Posted: 26 October 2006 at 8:30am
Yeap, sorry. While the address displayed on the forum is correct, the hyperlink itself was relative instead of full.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: mikek
Date Posted: 31 October 2006 at 10:17am
manually installed the new ncl.dll together with the updated dwnse.dll and SF build 605, and all seems to be ok (on the anti-virus side, sfdb timeouts see other thread)



Print Page | Close Window