Viruses - Missed by mailscanner, caught by Sophos NSV

Julian Field jkf at ecs.soton.ac.uk
Mon Mar 25 14:22:19 GMT 2002


This is due to the virus embedding newline characters in the middle of the
subject :-(
Version 3.13-1 (just released) corrects this behaviour by removing newline
characters from the middle of header lines.

At 16:22 12/03/2002, you wrote:
>On Tue, 12 Mar 2002, David Sullivan wrote:
>
><snip...>
> > > > The following message seems to be a spanner in the works however: (names
> > > > changed to protect the innocent) ...
> > > >         http://www.barnet.ac.uk/~sully/missed.txt
> > >
> > > David,
> > >
> > > which virus did Sophos NSV report and what version of Sophos are you running
> > > on the hubs?
> >
> > Real-time: >>>  Virus 'W32/Magistr-A' found in file
> > STAFF:/*****/PMAIL/Y08850/SULFNBK.EXE
> > Reported by 3.55NSV on Netware, we're still running 3.54 on Linux on the
> > mailhub, I will be upgrading soon once I've fixed up MailScanner to be happy
> > with the nsv version as covered previously
>
>After more investigation I can see that our second layer virus scanning at
>the Exchange level is also picking up instances of viruses that should be
>screened out by mailscanner. Most of the instances involve the virus
>Magistr-A
>
>David, you are right in believing the new enhanced version 3.55NSV detects
>and disinfects this ;-). However there is still a problem for those people
>who aren't using sophos :-(
>
> > If sweep can do its own parsing and potentially pick up things that
> > MailScanner's mime parser doesn't it might be the case of going down the same
> > road as TNEF and use sweep in preference to parsing MIME ourselves.
>
>I agree partly, however I would prefer to leave in the mailscanner
>parsing as I think mailscanner needs it to filter for prohibited
>filenames and filetypes and it can work in addition to Sophos 3.55NSV parsing.
>
> >
> > --
> > David Sullivan        IT Services, Barnet College, London
> >                             David.Sullivan at barnet.ac.uk
> >                             020 8275 5036

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
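
The failure mode described in the reply above, reproduced with Python's standard `email` parser as an added example (it is not MailScanner code and not part of the original message). It assumes the stray newline leaves a non-empty line with no field name in the header block; the sample message, address and `SAMPLE.EXE` filename are constructed.

```python
import re
from email import message_from_string

# A header field starts with a name (printable ASCII, no space or colon) and ':'.
FIELD_START = re.compile(r"^[\x21-\x39\x3b-\x7e]+:")

def repair_header_block(raw):
    """Rejoin stray non-header lines in the header block to the header before them."""
    head, sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    fixed = []
    for line in head.split("\n"):
        is_field = bool(FIELD_START.match(line)) or line.startswith("From ")
        is_folded = line[:1] in (" ", "\t")   # legitimate continuation line
        if fixed and not is_field and not is_folded:
            fixed[-1] += " " + line           # drop the newline inside the header
        else:
            fixed.append(line)
    return "\n".join(fixed) + sep + body

def attachment_names(raw):
    """Filenames of all parts the stdlib MIME parser can see in the message."""
    msg = message_from_string(raw)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]

# Constructed sample: the Subject text continues on a line with no field name.
SAMPLE = (
    "From: sender@example.test\n"
    "Subject: first half of subject\n"
    "second half of subject\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="SAMPLE.EXE"\n'
    "\n"
    "placeholder\n"
    "--b1--\n"
)

if __name__ == "__main__":
    print("as received:", attachment_names(SAMPLE))
    print("after repair:", attachment_names(repair_header_block(SAMPLE)))
```

As received, the parser treats the stray line as the start of the body, so the `Content-Type` header is never read and no attachment is visible to a filename or virus check; after the repair the multipart structure and the attachment are parsed.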


