MailScanner + Sophos: a serious bug?

Julian Field mailscanner at ecs.soton.ac.uk
Wed Jul 2 11:29:42 IST 2003


Can you (in a password-protected zip) send me an example or two so I can
see exactly what you mean?

At 09:58 02/07/2003, you wrote:
>Re. my earlier messages about Sophos sometimes missing Sobig variants in
>messages.
>
>I switched on quarantining of virus containing messages and believe I
>can now see what is going on. In fact the problem is not just limited to
>Sobig (the most common infection at present) but to Yaha.G as well and
>most probably all other viruses.
>
>It seems that Sophos will not recognise viruses, including at least
>Yaha.G and all variants of Sobig, when the message being scanned is a
>bounce/error return message which contains the whole of the original
>message, including the zipped attachment with the virus/worm in it.
>
>At this site McAfee but not Sophos recognises the virus in such a
>message.
>
>Two questions:
>
>1. Is this a problem with MailScanner's parsing of messages or with the
>A-V product it calls and to which it passes the message contents?
>
>2. How serious is it if such a message is delivered intact?
>
>I would like to understand the problem and its possible consequences a
>bit better before I forward some example messages to Sophos.
>
>Quentin
>---
>PHONE: +44 191 222 8209    Computing Service, University of Newcastle
>FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
>------------------------------------------------------------------------
>"Any opinion expressed above is mine. The University can get its own."
>
> > -----Original Message-----
> > From: Quentin Campbell [mailto:Q.G.Campbell at NEWCASTLE.AC.UK]
> > Sent: 01 July 2003 12:34
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee - further info
> >
> >
> > > -----Original Message-----
> > > From: Quentin Campbell [mailto:Q.G.Campbell at newcastle.ac.uk]
> > > Sent: 01 July 2003 10:40
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee
> > >
> > [snip]
> > > > By the way, what's Sobig.EML and ...
> > >
> > > Good question. I cannot find this virus at the NAI site yet
> > > it is McAfee that is recognising it! The notification I got says:
> > >
> > > The following e-mail messages were found to have viruses in them:
> > >
> > >     Sender: auto.reply at compuserve.com
> > > IP Address: 149.174.40.6
> > >  Recipient: xxx at newcastle.ac.uk
> > >    Subject: Undeliverable Message
> > >  MessageID: h611uKu05157
> > >     Report: /h611uKu05157/msg-32244-1482.txt        Found the
> > > W32/Sobig.eml virus !!!
> > >
> > > > ...what harm can it do in a .txt file?
> > >
> > > That is not the point unless you are suggesting that is why
> > > Sophos does not recognise it? The issue for me is why one A-V
> > > scanner finds it but another doesn't.
> >
> > The one thing all these messages have in common is that they
> > are bounce messages of one sort or another:
> >
> >  o undeliverable message
> >  o failure notice
> >  o returned mail - nameserver error ...
> >
> > It appears that they retain some sort of "signature" text,
> > probably harmless, that the McAfee scanner recognises but not
> > the Sophos scanner. Does this sound plausible?
> >
> > Note that this applies to both "Sobig.e", "Sobig.d" and
> > "Sobig.eml" (whatever that is).
> >
> > The latter suggests an alternative theory that it might be
> > MailScanner wrongly picking up a string from the McAfee
> > scanner or wrongly reporting a string that it has; that is,
> > it reports as "Sobig.eml" a string that is something else?
> >
> > I will see if I can quarantine some of these messages.
> >
> > Quentin
> > ---
> > PHONE: +44 191 222 8209    Computing Service, University of Newcastle
> > FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
> > ------------------------------------------------------------------------
> > "Any opinion expressed above is mine. The University can get its own."

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
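The case Quentin describes, a bounce that returns the whole original message as a message/rfc822 part with the zipped attachment still inside it, as an added example of why an attachment walk has to descend into embedded messages rather than stop at the top level. This is not MailScanner's code or anything posted in the thread; it uses Python's standard email library, and the sample bounce, its addresses and the placeholder zip bytes are all constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

MAX_DEPTH = 16  # stop descending into pathologically nested messages


def walk_attachments(msg: EmailMessage, path: str = "", depth: int = 0) -> list:
    """Return (path, filename, content_type) for every file attachment,
    descending into message/rfc822 parts so that an attachment carried by
    a bounce's embedded original message is still reported."""
    if depth > MAX_DEPTH:
        return [(path, "", "nesting-limit-exceeded")]
    ctype = msg.get_content_type()
    if ctype == "message/rfc822":
        # The payload of a message/rfc822 part is the embedded message itself.
        return walk_attachments(msg.get_payload(0), path + "/rfc822", depth + 1)
    if msg.is_multipart():
        found = []
        for i, part in enumerate(msg.iter_parts()):
            found.extend(walk_attachments(part, f"{path}/{i}", depth + 1))
        return found
    if msg.get_filename() or msg.get_content_disposition() == "attachment":
        return [(path, msg.get_filename() or "", ctype)]
    return []


def flat_attachment_types(msg: EmailMessage) -> list:
    """What a top-level-only look at the attachments sees: for a bounce this
    is just 'message/rfc822', never the zip carried inside it."""
    return [part.get_content_type() for part in msg.iter_attachments()]


def build_sample_bounce() -> bytes:
    """Constructed sample: a bounce returning the whole original message,
    which carries a zip attachment (harmless placeholder bytes, not a worm)."""
    original = EmailMessage()
    original["From"] = "sender@example.invalid"
    original["To"] = "recipient@example.invalid"
    original["Subject"] = "Your details"
    original.set_content("See the attached file.")
    original.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                            subtype="zip", filename="details.zip")
    bounce = EmailMessage()
    bounce["From"] = "mailer-daemon@example.invalid"
    bounce["To"] = "sender@example.invalid"
    bounce["Subject"] = "Undeliverable Message"
    bounce.set_content("Your message could not be delivered; it is attached.")
    bounce.add_attachment(original)  # serialised as a message/rfc822 part
    return bounce.as_bytes()


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)
```

Running `walk_attachments(parse(build_sample_bounce()))` reports the zip at path `/1/rfc822/1`, while `flat_attachment_types` on the same message sees only the `message/rfc822` wrapper.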
