[thelist] McAfee AV 4.51 Download/Active Scan killing Eudora spooling.... work around

John C Bullas jcbullas at nildram.co.uk
Sat Jan 31 04:00:41 CST 2004 

Basically with McAfee active scan and download scan working the 
interception of
virii during download from the mail server hangs the spooling process
resulting in possible loss of emails as spooling falls over if you stop the
process or quit eudora in mid download

I think I have found a work around

============================
#1 Email / Download scan: Disabled ... Internet Scan stays running

To allow the files in to allow the Eudora spooling process to complete 
successfully

============================

#2 Active Scanning as files are opened

Explicitly ONLY Exclude the Eudora Spooling Directory, the true location of 
which will be
identifiable when the unmodified active scanning picks up the attachments 
as they
are spooled and quarantined, when Eudora thenn falls over in mid spool

For systems where you have the potential for different logins look for

D:\Documents and Settings\<user name>\Local Settings\Temp\EuSpool

or something of the like......    EuSpool (with one sub directory for each
personality?)

HOWEVER Active scan WILL pick up the file when it is relocated elsewhere by 
the
Eudora filtering/processing to the folder:

F:\DATAFILES\eudoramailfolder\attach

or whatever you call your Eudora folder that keeps your messages in....

==============================================
#3 Scan My computer

Basically allow your regular scanning set to include all files and 
heuristics etc
etc to proceed as usual.. this will pick up and deal with any remnant files 
inthe spooling
directory (set to run hourly)

======== VULNERABILITIES =============

You could click on a file in the eudora spooler folder
and infect your computer as active scan ignores that folder
but the files in there don't exist for long :)

===== DOWNSIDE ======

Scan My Computer hits on a file while in the process of spooling

===== TESTING =======

I have just let a MyDoom one in without killing Eudoras download and McAfee 
flagged it up
as soon as it got transferred by Eudora from the spooler directory to the 
attach directory!!!!

AND There is no evidence of any active file remnants  left in the spooling 
directory

Any more likely downsides?

FB

More information about the thelist mailing list