Mydoom Virus getting Through

Michael Dahlberg dahlberg at bucknell.edu
Wed Feb 11 15:50:31 GMT 2004


Kyle Harris [lists at TRCINTL.COM] wrote:
> I have been running MailScanner for quite some time and it has successfully
> found literally thousands of e-mails infected with the Mydoom virus, as
> well as many others.  However, I have noticed that every now and then for
> whatever reason one seems to slip through MailScanner.  The reason I know
> this is that my mail is first scanned with MailScanner (using eTrust
> Antivirus 7.0) and then it is sent on to another machine running TrendMicro
> InterScan VirusWall (I had that in place before MailScanner).
>
> On about 4 occasions since the outbreak of Mydoom, a copy of the virus has
> made it through MailScanner undetected and has then been caught by the
> TrendMicro product.  I had it happen several times already today.  I
> checked the e-mail ID and I see in the log on MailScanner where it passed
> through without a hitch.
>
> I seem to recall someone posting something earlier about this occurring
> while using the Sophos antivirus product.  I just thought this might be
> something to take note of.  By the way, I am currently using MailScanner
> version 4.26.8 and my virus signatures are up to date.  TrendMicro
> InterScan VirusWall reports the e-mail messages in question as having
> Mydoom.A.

Kyle:

Did you ever find a fix to this problem?

We're experiencing a similar problem.  A number of messages are
passing through MailScanner(4.13-3)/Sophos and then are interpreted as
MyDoom-infected when they reach the client's MUA (Eudora) on a system
which is running Symantec's Antivirus software.  If these messages are
intercepted before being downloaded to the client's system, they look
as if they might have something wrong with the MIME header because
some MUAs will interpret the message as not having an attachment.

Do you see something similar?

Thanks.


