Andrew,

I suspected that, but we'll see my results. I did what John suggested and
I also have ClamAV and F-Prot running simultaneously. Doing this has
seemed to cut down the Sober.Xs completely, but now I have a customer
complaining that trojan.lodear and sober.l variant is getting through. I
haven't investigated yet, but I'll keep you posted.

JT

On Thu, 2006-01-05 at 11:31 -0800, Colbeck, Andrew wrote:
> I just saw two today.  This may not be what you're seeing, JT, but here
> goes:
> 
> What I saw were two broken Sober.X messages that were bounced with the
> original message (the viral message) truncated.  F-Prot didn't trigger
> on the broken attachment and the bounce didn't trigger my custom filters
> to weed out junk bounces.
> 
> The messages made it into my internal mail system, where they were
> caught by Trend Micro ScanMail for Exchange.  When I looked up the
> details on the virus that was named, the alias matched the Symantec name
> for the virus.
> 
> Given that it was broken, I regard this as a spam issue, and not a case
> of F-Prot failing to detect the damaged Sober virus.  If I can get the
> original, I'll submit to F-Prot anyway in the hope that they will come
> up with a signature.
> 
> Andrew 8)
>  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of JT
> > Sent: Thursday, January 05, 2006 10:39 AM
> > To: [email protected]
> > Subject: RE: [Declude.Virus] Sober.X Variant
> > 
> > John,
> > 
> > Thanks for the help!
> > 
> > Regards,
> > JT
> > 
> > On Thu, 2006-01-05 at 09:31 -0800, John T (Lists) wrote:
> > > Into the Virus.cfg file:
> > > 
> > > BANEZIPEXTS       ON
> > > BANZIPEXTS        ON
> > > 
> > > John T
> > > eServices For You
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > On Behalf Of JT
> > > > Sent: Thursday, January 05, 2006 9:20 AM
> > > > To: [email protected]
> > > > Subject: RE: [Declude.Virus] Sober.X Variant
> > > > 
> > > > John,
> > > > 
> > > > What do I need to do to block banned extensions within zip files?
> > > > 
> > > > Thanks,
> > > > JT
> > > > 
> > > > On Thu, 2006-01-05 at 09:14 -0800, John T (Lists) wrote:
> > > > > That means you are not blocking banned extensions within zip files?
> > > > >
> > > > > John T
> > > > > eServices For You
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > > > On Behalf Of JT
> > > > > > Sent: Thursday, January 05, 2006 8:45 AM
> > > > > > To: [email protected]
> > > > > > Subject: RE: [Declude.Virus] Sober.X Variant
> > > > > >
> > > > > > What I am experiencing is that the server lets the virus go through the
> > > > > > system. It scans and result is clean, the end user gets the email and
> > > > > > their Symantec Enterprise snags it and tags it as [EMAIL PROTECTED]
> > > > > >
> > > > > > On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:
> > > > > > > Is this what you are seeing?
> > > > > > >
> > > > > > > http://www.sophos.com/virusinfo/analyses/w32feebsa.html
> > > > > > >
> > > > > > > John T
> > > > > > > eServices For You
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > > > > > On Behalf Of JT
> > > > > > > > Sent: Thursday, January 05, 2006 6:44 AM
> > > > > > > > To: [email protected]
> > > > > > > > Subject: [Declude.Virus] Sober.X Variant
> > > > > > > >
> > > > > > > > Has anyone seen an influx of this virus come through? I've upgraded to
> > > > > > > > the latest F-Prot and it seems like it's still sneaking through. Although
> > > > > > > > the Z variant is being stopped by F-Prot. Any light that could be shed
> > > > > > > > on this would be greatly appreciated.
> > > > > > > >
> > > > > > > > Also I've tried setting up ClamAV for Windows on our imail server as a
> > > > > > > > scanner. I've got it to scan but it randomly generated an exit code of
> > > > > > > > 50. Does anyone know what exit code 50 from ClamAV means?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > JT
> > > > > > > >
> > > > > > > > ---
> > > > > > > > [This E-mail was scanned for viruses by Declude EVA www.declude.com]
> > > > > > > >
> > > > > > > > ---
> > > > > > > > This E-mail came from the Declude.Virus mailing list.  To
> > > > > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > > > > > type "unsubscribe Declude.Virus".    The archives can be found
> > > > > > > > at http://www.mail-archive.com.
> > > > > > >
> 
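The check that John's reply switches on (banning extensions inside zip attachments) can be sketched as follows. This is an added example, not Declude's code and not part of the original thread; the ban list, function names and sample archive are constructed for illustration. It also reports a truncated archive, like the broken attachment Andrew describes, as its own verdict.

```python
import io
import os
import zipfile

# Constructed ban list for illustration; a gateway uses its own configured list.
BANNED_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}

def make_zip(names):
    """Build a small in-memory zip (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    return buf.getvalue()

def check_zip_attachment(data, banned=BANNED_EXTS):
    """Return (verdict, hits); hits are (member name, encrypted?) pairs."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        # Truncated or damaged archive: nothing can be listed, so report it
        # separately instead of letting it pass as clean.
        return "unreadable", []
    hits = []
    for info in infos:
        # Only the last extension counts ("Photo.JPG.pif" is a .pif); trailing
        # dots and spaces are dropped because Windows ignores them.
        base = os.path.basename(info.filename).rstrip(". ").lower()
        ext = os.path.splitext(base)[1]
        if ext in banned:
            # Bit 0 of the general-purpose flags marks an encrypted member;
            # with traditional ZIP encryption the name is still readable
            # even though the content cannot be scanned.
            hits.append((info.filename, bool(info.flag_bits & 0x1)))
    return ("banned", hits) if hits else ("no_banned_ext", [])

if __name__ == "__main__":
    sample = make_zip(["readme.txt", "Photo.JPG.pif"])
    print(check_zip_attachment(sample))
    print(check_zip_attachment(sample[: len(sample) // 2]))
```

A "no_banned_ext" verdict only says that no member name matched the list; the content still goes to the virus scanners.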
