Sophos missed MyDoom-A bounced msg

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Tue Feb 10 10:42:11 GMT 2004


Julian Field wrote:
> At 17:37 09/02/2004, you wrote:
>
>> Travis Taylor wrote:
>>
>>>> Travis,
>>>>
>>>> We have the same situation here.  Right now, I am trying to retrieve
>>>> the Symantec quarantined documents, and will be sending them to Sophos.
>>>>
>>>> I would suggest sending them yours, also.
>>>>
>>>> Dustin
>>>> --
>>>> Dustin Baer
>>>> Unix Administrator/Postmaster
>>>> Information Handling Services
>>>> 15 Inverness Way East
>>>> Englewood, CO 80112
>>>> 303-397-2836
>>>
>>>
>>>
>>> I'm in the process of sending it to Sophos now, Dustin.
>>>
>>> On a side note, I decided to send the quarantined message as an
>>> attachment to myself and MailScanner/Sophos caught it.  Though when I
>>> pasted the infected bounced message in the body of a message and sent
>>> it to myself it slipped through without being detected.  I'm wondering
>>> if this has something to do with how the message is encoded (mime,
>>> uuencode, etc).
>>>
>>
>> This is a known issue with MailScanner and specifically one of the Perl
>> modules it uses.
>>
>> From memory Julian asked for anyone with such an email to forward it
>> direct to him (not the list) so he can investigate the problem.
>>
>> I hope Julian doesn't shoot me for getting people to send him viruses.
>>
>> You might want to email him beforehand to warn him an example is on the
>> way!
>
>
> We have seen some cases where Sophos with MailScanner failed to spot a
> MyDoom. But F-Prot on the same system (running as a secondary scanner)
> spotted the virus just fine. So somehow Sophos is missing it when F-Prot is
> finding it.

Julian

I've seen, very early in the outbreak, ClamAV (NOT using the module
version) and SophosSavi both miss one.

No reports other than that single item.

Anyway, I'm upgrading to 3.78d as I type, so we'll see, I guess.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
