Mydoom Virus getting Through
lists at TRCINTL.COM
Wed Feb 11 16:08:54 GMT 2004
On Wed, 11 Feb 2004 10:50:31 -0500, Michael Dahlberg
<dahlberg at BUCKNELL.EDU> wrote:
>Kyle Harris [lists at TRCINTL.COM] wrote:
>> I have been running MailScanner for quite some time and it has
>> found literally thousands of e-mails infected with the Mydoom virus, as
>> well as many others. However, I have noticed that every now and then for
>> whatever reason one seems to slip through MailScanner. The reason I know
>> this is that my mail is first scanned with MailScanner (using eTrust
>> Antivirus 7.0) and then it is sent on to another machine running
>> InterScan VirusWall (I had that in place before MailScanner).
>> On about 4 occasions since the outbreak of Mydoom, a copy of the virus
>> made it through MailScanner undetected and has then been caught by the
>> TrendMicro product. I had it happen several times already today. I
>> checked the e-mail ID and I see in the log on MailScanner where it passed
>> through without a hitch.
>> I seem to recall someone posting something earlier about this occurring
>> while using the Sophos antivirus product. I just thought this might be
>> something to take note of. By the way, I am currently using MailScanner
>> version 4.26.8 and my virus signatures are up to date. TrendMicro
>> InterScan VirusWall reports the e-mail messages in question as having
>Did you ever find a fix to this problem?
>We're experiencing a similar problem. A number of messages are
>passing through MailScanner(4.13-3)/Sophos and then are interpreted as
>MyDoom-infected when they reach the client's MUA (Eudora) on a system
>which is running Symantec's Antivirus software. If these messages are
>intercepted before being downloaded to the client's system, they look
>as if they might have something wrong with the MIME header because
>some MUAs will interpret the message as not having an attachment.
>Do you see something similar?
I experienced this at least 10 times yesterday (they seemed to come
relatively close together) and had experienced it about 3 or 4 times in
days prior to that. Julian asked if I could send one to him so I enabled
archiving and as luck would have it, I have not seen another one get
through since. I had to disable archiving as I had too many mail messages
building up, but I am keeping a close eye for them and if I see one go
through I am planning on quickly enabling the archive option again to see
if maybe another will go through that I can catch and send to Julian.
It does sound like you are experiencing what I am though.