Sobig.{E,D,EML} not found by Sophos and McAfee

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Tue Jul 1 07:40:49 IST 2003


I reported yesterday that McAfee was not always recognising the Sobig.E
worm in messages. That problem appeared to fix itself after I restarted
MailScanner.

However further monitoring of logs shows that it is Sophos now that is
not always recognising Sobig variants. I have instances where Sophos has
missed Sobig.E (in both .txt and .pif files), Sobig.EML (.txt file) and
Sobig.D (.pif file). In all these cases McAfee has found the worms and I
have not found a new instance of McAfee missing a virus.

What I cannot tell is whether there have been instances where _both_
scanners have missed a virus/worm at the same time. It is very worrying.

The times at which these exceptions have occured are no where near the
hourly updates of the DAT/IDE files. 

Any suggestions as to how I can more systematiclly investigate what is
going on?

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own." 




More information about the MailScanner mailing list