tons of infected files getting through???

Chris Yuzik chris at FRACTALWEB.COM
Tue Jan 27 20:42:45 GMT 2004


Hi Matt,

Matt Kettler wrote:

> 1) is it possible that when the mail arrived, your version of clamav didn't
> have the SCO.A signature yet? MailScanner auto-updates clamav hourly, so
> it's possible that by the time you transferred the file back over to your
> server, it had been updated... check your maillogs to see when it was last
> updated.

Clam's definitions get updated here every hour. I'm not sure exactly
what time yesterday they made the new definitions available that detect
this virus, but it's sure catching a lot of them.

> When I first came in this AM, clamav wasn't hitting them, but it is now.
>
> 2) usually questions about problems with MS (or ANY product for that matter)
> should be accompanied by information as to what version you're running.
>
I'm running MailScanner version 4.25-14 and Clamav version 0.65 on Red
Hat 7.3. The system detected the first infected email with "worm.sco.a"
at 2:45pm yesterday afternoon. Since then many get detected, yet many
others get through.

If you run MailWatch, just look for messages "where the subject contains
the regular expression hello" in the past day or so. See if any went
through your system that were approximately 31 KB, and were not marked as
infected with this worm.

Cheers,
Chris


