Sobig not detected
John Rudd
jrudd at UCSC.EDU
Wed Aug 20 21:28:57 IST 2003
On Wednesday, Aug 20, 2003, at 09:27 US/Pacific, MailScanner Mailbox
wrote:
>
> We are also getting the "Found to be clean" header along with the
> change we made, "Message infected" (shown below).
>
> It appears as though we are also not detecting the Sobig-F virus even
> though we have the updated IDE from Sophos. We are, however, catching
> most of the Sobig-F infected emails due to the unsafe file attachments
> (scr, pif, etc.).
>
> Is anybody else not detecting Sobig-F?
> Currently we are only running Sophos, and I can see that it is
> catching other viruses.
>
> X-MailScanner: Found to be clean, Message infected
>
1) Yes, we're using Sophos (via sweep, not the SAVI Perl libs) and we're
detecting it just fine. I've also put "Sobig" in our silent viruses
line, helping to reduce the clutter of warnings in our queue. Our
incoming queue is riding a little high today just from the sheer volume
of Sobig submissions, though (usually it's under 100 except at peak
times; today we're in the high 100s, varying between 400 and 900). All
of the other queues are just fine, though.
(Total for yesterday, between the time I updated Sophos (4pm) and
midnight = 9060 Sobig-F's ... that's after a long period of fewer than
1500 total virus submissions per day; total for today = 21412 Sobigs,
and the day is barely more than half over in our time zone.)
2) Don't use the default "X-MailScanner" headers. Customize them for your
local network and for each array of virus scanners (i.e., if multiple
departmental mail server clusters are running MailScanner, have a
different set of headers for each department), and I'd also recommend
not appending results -- overwrite the existing header with a new
result if it finds the header already in place. If your mail cluster
receives a message with a header that only your mail cluster should
generate, then it is either forged, or you've got a forwarding loop.
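The header-handling advice in point 2, as an added example that is not part of the original message and is not MailScanner's own code: it checks an inbound message for a cluster-specific scanner header (treating any pre-existing copy as forged or looped, since nothing outside the cluster should produce it) and stamps the scan result by overwriting every existing copy rather than appending to it. The header name X-UCSC-Example-MailScanner and both sample messages are constructed for the example; substitute whatever per-cluster name you actually configure.

```python
"""Site-specific scanner header: detect a pre-existing copy, then overwrite it.

Added example; not MailScanner's code. Everything here is an assumption made
for the illustration: the header name X-UCSC-Example-MailScanner stands in
for whatever per-cluster name you configure, and both messages are
constructed samples, not captured traffic.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: one header name per cluster, so a copy arriving from outside
# cannot have been produced by any scanner we operate.
SITE_HEADER = "X-UCSC-Example-MailScanner"

# Constructed sample: an ordinary inbound message with no scanner header.
CLEAN_MSG = b"""From: alice@example.org
To: bob@example.edu
Subject: hello
Message-ID: <1@example.org>

body
"""

# Constructed sample: already carries our header twice, the way an appended
# result looks after a second pass. Only our cluster should ever add this
# header, so on an inbound message it is either forged or a forwarding loop.
TAINTED_MSG = b"""From: someone@example.net
To: bob@example.edu
Subject: re: hello
Message-ID: <2@example.net>
X-UCSC-Example-MailScanner: Found to be clean
X-UCSC-Example-MailScanner: Message infected

body
"""


def parse(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern (non-compat32) policy."""
    return message_from_bytes(raw, policy=policy.default)


def classify_inbound(raw: bytes, site_header: str = SITE_HEADER) -> str:
    """Return 'forged-or-loop' if the message already carries our header.

    A message entering the cluster from outside has no legitimate way to
    carry a header only this cluster generates, so any copy at all is
    suspicious; 'no-prior-header' is the normal case.
    """
    msg = parse(raw)
    return "forged-or-loop" if msg.get_all(site_header) else "no-prior-header"


def stamp_result(raw: bytes, result: str, site_header: str = SITE_HEADER) -> EmailMessage:
    """Record the scan result, overwriting rather than appending.

    `del msg[name]` removes every instance of the header (and is a no-op when
    none exists), so the outgoing message carries exactly one copy and never
    a comma-joined history such as "Found to be clean, Message infected".
    """
    msg = parse(raw)
    del msg[site_header]
    msg[site_header] = result
    return msg


def header_values(msg: EmailMessage, site_header: str = SITE_HEADER) -> list:
    """All values of our header on a message, as plain strings, in order."""
    return [str(v) for v in (msg.get_all(site_header) or [])]


if __name__ == "__main__":
    for raw in (CLEAN_MSG, TAINTED_MSG):
        verdict = classify_inbound(raw)
        stamped = stamp_result(raw, "Found to be clean")
        print(verdict, header_values(stamped))
```

The doubled value in the quoted report, "Found to be clean, Message infected", is what appending produces when a message is scanned twice; the overwrite in `stamp_result` leaves a single, current verdict instead. In MailScanner itself the corresponding settings are, to my recollection, `Mail Header` and `Multiple Headers` in MailScanner.conf; confirm the names against the comments in your installed copy rather than this note.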