Re: [Full-Disclosure] Trend Micro Interscan Viruswall: missing whole_file_scan=yes let pass at least one Sobig.f eMail

From: haraldat_private
Date: Thu Sep 04 2003 - 01:02:56 PDT


    On Wed, Sep 03, 2003 at 12:56:31PM +0200, Dr. Peter Bieringer wrote:
    > Response from support: add in section "[smtp]" option "whole_file_scan=yes"
    
    this is only partly a remedy. in our case VirusWall (in SMTP daemon mode)
    detects the virus if an 'original' mail containing the SOBIG.F virus is
    manually bounced (e.g. by bouncing it in the mutt MUA) to our VirusWall.
    
    if the bounce is made by qmail on the other side, the bounced mail
    contains some more text and the original mail and it is not detected by
    our VirusWall (Solaris, engine 5.6150, current pattern).
    
    ScanMail on NT detects the virus either way.
    
    cu - Harry
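
The qmail case described above, as an added example that is not part of the original post or of any Trend Micro product: a scanner that only walks the outer MIME tree sees a qmail bounce as one text/plain part, so a pre-scan step has to re-parse the pasted copy of the original mail. It assumes the "some more text" is qmail-send's usual notice ending in its separator line; the function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Separator qmail-send writes before the copy of the original message
# (assumption: this is the bounce layout the post refers to).
QMAIL_MARKER = "--- Below this line is a copy of the message."

def outer_attachments(msg):
    """Filenames visible when only the outer MIME tree is walked.
    walk() already descends into real message/rfc822 parts."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def embedded_messages(msg):
    """Yield mails pasted as plain text after the qmail separator."""
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        _, found, rest = part.get_content().partition(QMAIL_MARKER)
        if found and rest.strip():
            yield email.message_from_string(rest.lstrip("\r\n"),
                                            policy=policy.default)

def all_attachments(msg, depth=0, max_depth=5):
    """Attachment names at every nesting level, depth-capped so a
    bounce of a bounce of a bounce cannot recurse without limit."""
    names = outer_attachments(msg)
    if depth < max_depth:
        for inner in embedded_messages(msg):
            names += all_attachments(inner, depth + 1, max_depth)
    return names

def build_samples():
    """Constructed test mails: an original with a harmless attachment,
    and a qmail-style bounce that carries it as body text."""
    inner = EmailMessage()
    inner["From"] = "sender@example.org"
    inner["To"] = "rcpt@example.net"
    inner["Subject"] = "constructed sample"
    inner.set_content("body text")
    inner.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.net"
    bounce["Subject"] = "failure notice"
    bounce.set_content("Hi. This is the qmail-send program.\n\n"
                       + QMAIL_MARKER + "\n\n" + inner.as_string())
    return inner.as_bytes(), bounce.as_bytes()
```

Every message returned by `embedded_messages` should be handed to the scanner as if it had arrived on its own.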
    