Sophos missed MyDoom-A bounced msg

Travis taz at AZTEK-ENG.COM
Tue Feb 10 13:38:20 GMT 2004


Will do.  Maybe I should just change to F-Prot since it seems to be the
better one.
----- Original Message -----
From: "Martin Hepworth" <martinh at SOLID-STATE-LOGIC.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Tuesday, February 10, 2004 3:42 AM
Subject: Re: Sophos missed MyDoom-A bounced msg


> Julian Field wrote:
> > At 17:37 09/02/2004, you wrote:
> >
> >> Travis Taylor wrote:
> >>
> >>>> Travis,
> >>>>
> >>>> We have the same situation here.  Right now, I am trying to retrieve
> >>>> the Symantec quarantined documents, and will be sending them to
> >>>> Sophos.
> >>>>
> >>>> I would suggest sending them yours, also.
> >>>>
> >>>> Dustin
> >>>> --
> >>>> Dustin Baer
> >>>> Unix Administrator/Postmaster
> >>>> Information Handling Services
> >>>> 15 Inverness Way East
> >>>> Englewood, CO 80112
> >>>> 303-397-2836
> >>>
> >>>
> >>>
> >>> I'm in the process of sending it to Sophos now, Dustin.
> >>>
> >>> On a side note, I decided to send the quarantined message as an
> >>> attachment to myself and MailScanner/Sophos caught it.  Though when I
> >>> pasted the infected bounced message in the body of a message and sent
> >>> it to myself it slipped through without being detected.  I'm wondering
> >>> if this has something to do with how the message is encoded (mime,
> >>> uuencode, etc).
> >>>
> >>
> >> This is a known issue with MailScanner and specifically one of the Perl
> >> modules it uses.
> >>
> >> From memory Julian asked for anyone with such an email to forward it
> >> direct to him (not the list) so he can investigate the problem.
> >>
> >> I hope Julian doesn't shoot me getting people to send him viruses.
> >>
> >> You might want to email him beforehand to warn him an example is on
> >> the way!
> >
> >
> > We have seen some cases where Sophos with MailScanner failed to spot a
> > MyDoom. But F-Prot on the same system (running as a secondary scanner)
> > spotted the virus just fine. So somehow Sophos is missing it when F-Prot
> > is finding it.
>
> Julian
>
> I've seen, very early in the outbreak, ClamAV (NOT using the module
> version) and SophosSavi both miss one.
>
> No reports other than that single item..
>
> Anyway I'm upgrading to 3.78d as I type so we'll see I guess..
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300


