Viruses - Missed by mailscanner, caught by Sophos NSV

David Sullivan David.Sullivan at BARNET.AC.UK
Tue Mar 12 10:49:38 GMT 2002


On 12 Mar 2002 at 8:58, Ray Gardener wrote:
> > We've recently upgraded to the Sophos NSV (non standard version) on
> > Netware and as an added feature it seems to be scanning and picking up
> > viruses in mime attachments as Mercury delivers them since this version
> > now can parse mime messages. Since we run mailscanner at our mail hub we
> > certainly *shouldn't* see any infected messages from outside.
> >
> > The following message seems to be a spanner in the works however: (names
> > changed to protect the innocent) ...
> >         http://www.barnet.ac.uk/~sully/missed.txt
>
> David,
>
> which virus did Sophos NSV report and what version of Sophos are you running
> on the hubs?

Real-time: >>>  Virus 'W32/Magistr-A' found in file
STAFF:/*****/PMAIL/Y08850/SULFNBK.EXE
Reported by 3.55NSV on Netware; we're still running 3.54 on Linux on the
mailhub. I will be upgrading soon once I've fixed up MailScanner to be happy
with the NSV version, as covered previously.

>
> I had a quick look at the text of the message in Pine on Unix. Pine (usually
> fairly good with mime) seems unable to recognise the section containing the
> executable as a valid mime part. Did your MUA show this as a mime
> attachment?

Pegasus Mail 3.12 and 4 show this message to be a valid MIME message with the
attachment as a mime part; as soon as I save the attachment, Sophos picks up
the virus straight away.

> To me this looks similar to the stuff produced by sircam which tries to
> generate mime attachments but not always in a compliant way.

The problem being that, compliant or not, a number of MUAs have been written to
parse all kinds of rubbish that has been thrown at them, generated by other less
compliant MUAs.

If sweep can do its own parsing and potentially pick up things that
MailScanner's mime parser doesn't, it might be a case of going down the same
road as TNEF and using sweep in preference to parsing MIME ourselves.

--
David Sullivan        IT Services, Barnet College, London
                            David.Sullivan at barnet.ac.uk
                            020 8275 5036
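The gap discussed in this thread is that a lenient MUA renders an attachment a stricter MIME parser never sees, so the scanner reports "nothing to scan". The following Python is an added example, not code from the thread or from MailScanner: it parses a message with the standard library's parser, collects the structural defects that parser records, and treats any defect as a reason to fail closed rather than trust the parse. The two sample messages are constructed for the example; the mismatched-boundary case is one generic way a message ends up structurally defective, not the missed.txt message itself.

```python
import email
from email import policy

# Constructed samples (not the missed.txt message from the thread).
# GOOD is well-formed; BROKEN declares boundary "b2" while its body still
# uses "b1", so a strict parser never finds a start boundary and sees no parts.
GOOD = b"""MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="SULFNBK.EXE"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""
BROKEN = GOOD.replace(b'boundary="b1"', b'boundary="b2"')


def inspect_mime(raw: bytes) -> dict:
    """Parse strictly and report what the parser actually saw.

    Returns the attachment filenames found plus the class names of every
    structural defect recorded on the message and its subparts. Defects mean
    a lenient MUA may render a part this parser never saw, so "no attachments"
    cannot be read as "nothing to scan".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments, defects = [], []
    for part in msg.walk():
        defects.extend(type(d).__name__ for d in part.defects)
        name = part.get_filename()
        if name:
            attachments.append(name)
    return {"attachments": attachments, "defects": defects}


def verdict(report: dict) -> str:
    """Fail closed: a defective structure goes to the AV engine's own parser
    (sweep, in the thread) instead of being delivered as clean."""
    if report["defects"]:
        return "quarantine"
    if report["attachments"]:
        return "scan-attachments"
    return "deliver"
```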



