VIRUS-DISCUSSION-L Archives



From: "Robert Hays" <>
Subject: Re: [VIRUS] For McAfee Users
Date: Sat, 1 Dec 2001 01:04:02 -0600
References: <5.1.0.14.2.20011130215552.00a50a30@mail.spwest1.tn.home.com>


I'll have you know Mr. George Durman that this is the very first post I have ever made concerning McAfee and I think I
have just as much right to discuss my problems with McAfee as everyone else who discusses their problems with Norton or
whatever AV they use. If you are going to flame me for discussing my AV problems, then flame everyone else as well.
You are way out of line on this one, and it is not well taken.
Your extensive input would be much more constructive if you offered your help rather than flaming. Instead of
droning on about proper configuration, tell us how it should be configured, then perhaps we would have no need to make
posts such as mine.
As you use Eudora, it just may be that McAfee performs differently with Eudora than it does with Outlook Express.
This much I do know:
1. In OE, McAfee will move an Attachment into its C:\Infected folder and it will delete that file from the C:\Infected
folder ,, go back into OE and click again on that SAME msg. and it is AGAIN detected as a virus ,,, Move it AGAIN into the
C:\Infected folder and do not delete it. Go back and again click on that SAME msg. and it is AGAIN detected as a virus ,,
go into its Headers and the CODE is still there ,,,,, NOW, the code is still contained in the original msg. AND it is
also contained within the stored file in the C:\Infected folder ,,, explain to me how the same code from the same msg. can
be contained in two different files at two different locations if one of them is not a COPY.
As you stated in your #6 I do understand perfectly well WHAT is happening, just not WHY. I can go into the Headers
of a msg. and find the code just as well as you can and after I do a Delete or Move, it is STILL there as well as in the
C:\Infected folder (when Moved). I have tested this extensively with both Inline & External Attachments and the results
are the same for both.
As you stated in your #8 : >>>>>THEN make statements about it. In the meanwhile, quit your bitchin' about McAfee --
I'm tired of it! <<<<
Frankly I think that is precisely what I was doing and not bitchin'. I also stated that it should be tested on other
machines to make sure it was not just me ,,, if that is not asking for help ,,,, then,,,,,,,,,,,,,,,,,,,,
You would be well advised to at least gather a few elementary facts from the poster yourself before you start shooting
off your mouth.

Bob Hays

_________________________________




----- Original Message -----
From: "George W. Durman" <>
To: <>
Sent: Friday, November 30, 2001 9:18 PM
Subject: Re: [VIRUS] For McAfee Users


> 1) IF configured properly, McAfee detects an email with an attached/
> embedded virus file. DURING THE DOWNLOAD, my McAfee
> pops up a window saying it has detected an infection in so-and-so
> file that was attached to/embedded in an email. I choose to let McAfee
> move it to my Infected directory.
>
> 2) If I were to choose to let McAfee delete it, it would NOT be
> anywhere to be activated if I were to open an email with HTML references
> to the embedded virus file; likewise, were it a different virus, where the
> file is attached, when opened, the email's icon showing the attachment
> has the big red circle with the slash through it. Clicking does nothing,
> because the referenced file is GONE!
>
> 3) Therefore, once the actual infected file, whether embedded or
> attached, is gone, it CANNOT be activated via the email.
>
> 4) McAfee does NOT delete a "copy" of the email you're working
> on. It does not delete the email at all, and was never intended to. It
> deletes the INFECTED FILE !!!!! Thus, how in Hades can you
> still get infected by opening a file, or clicking on an attachment, when
> the infected file that is called on is no longer there?!
>
> If the email contains an HTML code that causes other viruses/
> trojans to activate, THEN McAfee, upon detection, will delete
> THAT email; but not one containing BadTrans.b.
>
> 5) If McAfee deletes (erases) or merely moves a virus file, it can no
> longer be activated from the email, which by now is harmless. Read
> the source code for the email. You will see that, whether the virus
> file is embedded or attached, the source code points to a SPECIFIC
> drive:/directory on your computer for the location of the file. If the
> file has been deleted, or moved, it is NOT THERE any longer for
> the email itself to activate. Here is the HTML source code from one
> of the emails I received:
>
> <.HEAD><./HEAD><.BODY bgColor=#ffffff>
> <.iframe src="file://c:\eudora\Embedded\IMAGES.COD.fip" height=0 width=0>
> <./iframe><./BODY><./HTML>
> <.br>
> <./body><./html>
>
> (I added periods in the HTML tags in hopes the example will
> not alert your AV program. I also changed the name of the file
> for the same reason, by reversing the letters of the two file
> extensions.)
>
> The file, "Images.Doc.pif" is NO LONGER in that directory, since
> McAfee moved it to C:\Infected. Opening the email, even in an
> unprotected Outlook program has no file to activate now.
>
> 6) You do not understand what is happening in your computer.
> The AV does NOT delete a COPY of the email. It deletes the
> danged infected file, whether embedded or attached. The code
> example above is from an email I just received while typing this
> reply. The email itself is now harmless -- the infected file is gone.
>
> 7) IF CONFIGURED PROPERLY, McAfee WILL detect an
> infected file DURING DOWNLOAD and delete the file from
> wherever you have configured to have such files to go on your
> system.
>
> 8) You ARE protected by McAfee and don't HAVE to rely on
> the security patch which YOU SAY is the only thing that prevents
> infection. Again, find out exactly what is happening on your
> system, THEN make statements about it. In the meanwhile,
> quit your bitchin' about McAfee -- I'm tired of it!
>
> SgtGeorge
> George W. Durman
>
> At 05:07 PM 11/30/2001, Robert Hays wrote:
> *********START OF ORIGINAL MESSAGE TEXT*********
> >On the off chance everyone did not read all the way to the bottom of IM's
> >msg. about how my McAfee is performing, I will
> >repeat it.
> >
> >I have already received private email to the effect that their McAfee is
> >doing the same as mine, and my reply to them
> >was.:
> >
> >XXXXXXX ,,, you don't know how glad I am to find out that I am not in this
> >boat all by myself. <g>
> >If you add up all the clues on how McAfee is operating, it tells you one
> >thing ,,,,, it offers you NO protection whatsoever
> >from infected email ,,, it is nothing more than a virus identifier then
> >lets you become infected.
> > On your HD McAfee appears to work properly (have not fully tested this
> > aspect of it) but for email PROTECTION, it is
> >totally worthless.
> >I tried the Shift+Delete while the McAfee warning was displayed ,,,,,
> >nothing happened, so back to the drawing board.
> >Thank you very much for your reply.
> >**************************************************************
> >An addendum to the above note should be: Totally worthless against this
> >new BadTrans B virus.
> >even though you get a warning from McAfee, if your MS patches are not up to
> >date you will still get infected, no matter what
> >option you choose in the McAfee warning box.
> >
> >*****************************************************************
> >Hi IM ,,,, you have been pounding on McAfee for a while now and doing a good
> >job of it, so thought I would pass something
> >else along for you to chew on. What I am about to tell you should really
> >be checked out on another system to confirm how
> >McAfee works on my system, because if it works everywhere as it does here,
> >then it creates an infection danger.
> >Here is what happens:
> >An infected email arrives in my Inbox, McAfee does not detect it as it
> >comes in, it only detects it when you click on it,
> >then attempt to do something with it, such as Open it or Save an attachment
> >to disk ,,,,, with this new variant of
> >BadTrans, you don't even have to do either, just click on it ,,,,,,,, OK,
> >now I have clicked on it in my Inbox, McAfee's
> >virus warning box pops up along with the Options on what to do with it ,,,,
> >so I select DELETE it ,,,,, very good, as soon
> >as I click on Delete, McAfee's warning box goes away and immediately up pops
> >a warning box about Opening an Attachment and
> >what do I want to do about it ,,, the only Options are, Open it, Save to
> >disk or Cancel ,,,,,,,,, Good Lord, how do I get
> >out of this mess and how did I get into this mess in the first place ,,,,,
> >the correct answer is CANCEL.. This stops you
> >from getting infected but still leaves you sitting there with that infected
> >email highlighted.
> > What is happening here is when you tell McAfee to Delete it, it deletes
> > it ok, but what it deletes is a COPY of the
> >email that it is working with ,,,,, McAfee DOES NOT delete the email from
> >your Inbox ,,,, as soon as McAfee has deleted
> >its copy, it deactivates and the virus again attempts to activate, this is
> >when the MS security patch kicks in about
> >Opening an attachment and stops the virus. SO, what has McAfee done to
> >protect me ?? ,,,, Not a D_ _ _ thing. Even
> >though McAfee caught the virus and I told it to delete, It was the security
> >patch that saved me.
> > I have a long list of saved viruses and have tested all of them to see
> > what I can make McAfee do in the way of
> >protecting me and in EVERY case McAfee does NOT remove the infected email
> >from the Inbox. If you tell McAfee to
> >Quarantine, it Quarantines alright, but it Quarantines a COPY of the virus
> >in its "Infected" folder but the original
> >email+Attachment is still in your Inbox and ready for action.
> >
> >How about that crap.
> >Bob Hays
> >
> **********END OF ORIGINAL MESSAGE TEXT**********
>
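An added illustration of the point disputed in this thread, not code from either poster or from McAfee: assuming a mail client that keeps the full MIME source in its message store, moving the decoded attachment file out of the way leaves the encoded part inside the message, so opening the message again extracts it again. The sample message is constructed with a harmless text payload, and the function names and extension list are hypothetical.

```python
import base64, re, shutil, tempfile
from email import message_from_bytes
from email.message import EmailMessage
from pathlib import Path

# Constructed sample: harmless bytes behind a deceptive double extension.
PAYLOAD = b"harmless placeholder bytes, not a real program\n"
DOUBLE_EXT = re.compile(r"\.(doc|txt|jpg|mp3)\.(pif|scr|exe|com|bat)$", re.I)

def build_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "sample"
    msg.set_content("see attachment")
    msg.add_attachment(PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="Images.Doc.pif")
    return msg.as_bytes()

def extract_attachments(raw: bytes, scratch: Path) -> list[Path]:
    """What a client does on open: decode each attachment into a scratch dir."""
    out = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name:
            target = scratch / Path(name).name  # drop any path components
            target.write_bytes(part.get_payload(decode=True))
            out.append(target)
    return out

def suspicious_names(raw: bytes) -> list[str]:
    """Store-level check: flag double-extension attachments in the message itself."""
    names = [p.get_filename() for p in message_from_bytes(raw).walk()]
    return [n for n in names if n and DOUBLE_EXT.search(n)]

def demo() -> dict:
    raw = build_sample()
    with tempfile.TemporaryDirectory() as tmp:
        scratch, infected = Path(tmp, "scratch"), Path(tmp, "Infected")
        scratch.mkdir()
        infected.mkdir()
        first = extract_attachments(raw, scratch)[0]
        shutil.move(str(first), str(infected / first.name))  # file-level quarantine
        gone = not first.exists()
        in_source = base64.b64encode(PAYLOAD) in raw.replace(b"\n", b"")
        second = extract_attachments(raw, scratch)[0]         # message opened again
        return {"extracted_file_gone": gone, "payload_still_in_message": in_source,
                "reextracted": second.read_bytes() == PAYLOAD,
                "flagged": suspicious_names(raw)}
```

Cleaning at the message-store level (removing or rewriting the message that `suspicious_names` flags) is what stops the repeat detections; moving only the extracted file does not.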

