MailScanner + Sophos: a serious bug?

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Wed Jul 2 09:58:41 IST 2003


Re. my earlier messages about Sophos sometimes missing Sobig variants in
messages.

I switched on quarantining of virus containing messages and believe I
can now see what is going on. In fact the problem is not just limited to
Sobig (the most common infection at present) but to Yaha.G as well and
most probably all other viruses.  

It seems that Sophos will not recognise viruses, including at least
Yaha.G and all variants of Sobig, when the message being scanned is a
bounce/error return message which contains the whole of the original
message, including the zipped attachment with the virus/worm in it.

At this site McAfee but not Sophos recognises the virus in such a
message.

Two questions:

1. Is this a problem with MailScanner's parsing of messages or with the
A-V product it calls and to which it passes the message contents?

2. How serious is it if such a message is delivered intact?  

I would like to understand the problem and its possible consequences a
bit better before I forward some example messages to Sophos.

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own." 

> -----Original Message-----
> From: Quentin Campbell [mailto:Q.G.Campbell at NEWCASTLE.AC.UK] 
> Sent: 01 July 2003 12:34
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee - further info
> 
> 
> > -----Original Message-----
> > From: Quentin Campbell [mailto:Q.G.Campbell at newcastle.ac.uk]
> > Sent: 01 July 2003 10:40
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee
> > 
> [snip]
> > > By the way, what's Sobig.EML and ...
> > 
> > Good question. I cannot find this virus at the NAI site yet
> > it is McAfee that is recognising it! The notification I got says:
> > 
> > The following e-mail messages were found to have viruses in them:
> > 
> >     Sender: auto.reply at compuserve.com
> > IP Address: 149.174.40.6
> >  Recipient: xxx at newcastle.ac.uk
> >    Subject: Undeliverable Message
> >  MessageID: h611uKu05157
> >     Report: /h611uKu05157/msg-32244-1482.txt        Found the
> > W32/Sobig.eml virus !!!
> > 
> > > ...what harm can it do in a .txt file?
> > 
> > That is not the point unless you are suggesting that is why
> > Sophos does not recognise it? The issue for me is why one A-V 
> > scanner finds it but another doesn't.
> 
> The one thing all these messages have in common are that they 
> are bounce messages of one sort or another:
> 
>  o undeliverable message 
>  o failure notice
>  o returned mail - nameserver error ...
> 
> It appears that they retain some sort of "signature" text, 
> probably harmless, that the McAfee scanner recognises but not 
> the Sophos scanner. Does this sound plausible? 
> 
> Note that this applies to both "Sobig.e", "Sobig.d" and 
> "Sobig.eml" (what ever that is).
> 
> The latter suggests an alternative theory that it might be 
> MailScanner wrongly picking up a string from the McAfee 
> scanner or wrongly reporting a string that it has; that is, 
> it reports as "Sobig.eml" a string that is something else? 
> 
> I will see if I can quarantine some of these messages.
> 
> Quentin
> ---
> PHONE: +44 191 222 8209    Computing Service, University of Newcastle
> FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
> ------------------------------------------------------------------------
> "Any opinion expressed above is mine. The University can get its own."
> 
>  
> 

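The situation Quentin describes, a bounce that quotes the original message in full as a message/rfc822 part with the zipped attachment still inside, can be reproduced offline. The script below is an added example and is not code from the original post, from MailScanner, or from either vendor's scanner; the bounce it builds is constructed here, and the zip member is an inert placeholder rather than a worm body. It walks the MIME tree the way a scanner must, descending through the nested message/rfc822 part, opens any zip it finds, and reports members with executable-style names, showing that the attachment arrives byte-for-byte intact inside the bounce. The extension list is an illustrative assumption, not MailScanner's own filename rules.

```python
"""Added example, not code from the original post or from MailScanner.

Walk a bounce/DSN message, descending into the message/rfc822 part that
quotes the original message in full, and show that the zipped attachment
inside it is recovered byte-for-byte.  The bounce is constructed for this
example; the zip member is an inert placeholder, not malware."""
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative list of dropper extensions (assumption, not MailScanner's rules).
RISKY_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat")

# Constructed placeholder standing in for the worm body.
PLACEHOLDER_PAYLOAD = b"inert placeholder bytes, not an executable"
PLACEHOLDER_DIGEST = hashlib.sha256(PLACEHOLDER_PAYLOAD).hexdigest()


def build_sample_bounce() -> bytes:
    """Construct a bounce that embeds the original message, zip attachment and all."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("details.pif", PLACEHOLDER_PAYLOAD)

    original = EmailMessage()
    original["From"] = "victim@example.org"
    original["To"] = "nonexistent@example.net"
    original["Subject"] = "Re: Your details"
    original.set_content("See the attached file.")
    original.add_attachment(zbuf.getvalue(), maintype="application",
                            subtype="zip", filename="details.zip")

    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.net"
    bounce["To"] = "victim@example.org"
    bounce["Subject"] = "Undeliverable Message"
    bounce.set_content("The following address had permanent fatal errors.")
    bounce.add_attachment(original)  # attached whole as a message/rfc822 part
    return bounce.as_bytes()


def find_archived_executables(raw: bytes):
    """Return (mime_path, member_name, sha256) for every risky-looking file inside
    a zip anywhere in the message, including inside nested message/rfc822 parts."""
    findings = []

    def visit(part, path):
        ctype = part.get_content_type()
        here = path + [ctype]
        if part.is_multipart():
            # multipart/* and message/rfc822 both carry their sub-parts as a list
            for sub in part.get_payload():
                visit(sub, here)
            return
        filename = part.get_filename() or ""
        if ctype == "application/zip" or filename.lower().endswith(".zip"):
            data = part.get_payload(decode=True)  # undo base64 transfer encoding
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for name in zf.namelist():
                        if name.lower().endswith(RISKY_EXTENSIONS):
                            digest = hashlib.sha256(zf.read(name)).hexdigest()
                            findings.append((" > ".join(here + [filename]), name, digest))
            except zipfile.BadZipFile:
                pass  # a real scanner would flag an unreadable archive on its own

    visit(message_from_bytes(raw, policy=policy.default), [])
    return findings


if __name__ == "__main__":
    for mime_path, member, digest in find_archived_executables(build_sample_bounce()):
        print(f"{member} via {mime_path}")
        print(f"  sha256={digest}  intact={digest == PLACEHOLDER_DIGEST}")
```

The reported path runs multipart/mixed > message/rfc822 > multipart/mixed > application/zip, and the member's hash matches the bytes placed in the original zip. A scanner that stops at the first level, or that does not treat a message/rfc822 part as a container, never sees the archive, which is one way the difference between two products on the same bounce can arise; delivering such a bounce intact hands the recipient the same attachment the original carried.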