Bounced sobig passes thru MS and anti-virus checks

Gerry Doris gerry at dorfam.ca
Fri Sep 5 18:33:10 IST 2003


> Some automated replies, which also contained the Sobig virus, notifying
> users that they had sent an infected message apparently made it thru MS
> and anti-virus checks. The desktop AV package identified the message
> attachment as infected with Sobig.f. Directly sent Sobig messages are
> correctly handled both by MS checking the extension and by the
> anti-virus scan.
>
> Any suggestions as to where to start looking to determine why these
> messages made it thru?
>
> Steve Ellis
> Sr Engineer
> KaZaK Composites, Inc.
> 781.932.5667 x105


I just sent a message to the list where I described two different Sobig.F
virus emails arriving at my system.  One was picked up by F-Prot and Trend
and the other was picked up by F-Prot, Trend, and ClamAV.  Also,
MailScanner flagged the filename in the second message but missed the
first.

It appears that the actual virus file was contained within another file in
the first message.  While I expected that MailScanner wouldn't see the
problem file name I wasn't aware that ClamAV would just pass the entire
mess right through!

Gerry
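
The thread above describes an infected attachment that a filename check misses because it sits inside another file. The following is an added example, not code from either poster or from MailScanner: it compares a filename check that inspects only the outer message with one that descends into attached messages. It assumes the container is a `message/rfc822` part, which the thread does not state; the addresses, subjects, `details.pif` filename and `BLOCKED_EXT` list are constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".pif", ".scr", ".exe")  # assumed deny-list, not MailScanner's rules

def build_bounce() -> bytes:
    """Constructed sample: a virus notice that re-attaches the original mail."""
    original = EmailMessage()
    original["From"] = "sender@example.com"
    original["To"] = "user@example.net"
    original["Subject"] = "Re: Details"
    original.set_content("See the attached file for details")
    original.add_attachment(b"placeholder bytes, not malware",
                            maintype="application", subtype="octet-stream",
                            filename="details.pif")  # constructed filename
    bounce = EmailMessage()
    bounce["From"] = "postmaster@example.net"
    bounce["To"] = "sender@example.com"
    bounce["Subject"] = "Virus found in message you sent"
    bounce.set_content("The message you sent was infected.")
    bounce.add_attachment(original)  # becomes a message/rfc822 part
    return bounce.as_bytes()

def top_level_blocked(raw: bytes) -> list:
    """Filename check that only looks at the outer message's attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.iter_attachments()]
    return [n for n in names if n and n.lower().endswith(BLOCKED_EXT)]

def nested_blocked(raw: bytes) -> list:
    """Same check, descending into attached messages; returns (depth, name)."""
    hits = []

    def visit(part, depth):
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXT):
            hits.append((depth, name))
        if part.is_multipart():  # true for multipart/* and message/rfc822
            inner = depth + 1 if part.get_content_type() == "message/rfc822" else depth
            for sub in part.get_payload():
                visit(sub, inner)

    visit(message_from_bytes(raw, policy=policy.default), 0)
    return hits

if __name__ == "__main__":
    sample = build_bounce()
    print(top_level_blocked(sample), nested_blocked(sample))
```

The outer-only check returns nothing for the constructed bounce, while the recursive check reports the blocked filename one message level down.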


