[Dshield] Big Hole in Sophos AV (from MIMEDefang maillist)
Jon R. Kibler
Jon.Kibler at aset.com
Fri Feb 13 20:19:14 GMT 2004
Sophos AV has a new, serious problem handling certain bounced messages. Please see this article for details.
> > http://www.securitynewsportal.com/cgi-bin/securitynews.cgi?database=JanDD&id=74
And I thought that this comment posted on the MD maillist was also important information:
> We have noticed this on our system. It seems to only be happening
> when cpu-damaged anti-virus programs bounce back a copy of the virus
> as text. Sophos lets it through because it is not an attachment
> (I've tried sweep against the entire body of the message, so it
> isn't just a matter of MIME:Tools not extracting the virus.)
> Norton, however, does detect it.
> But, Norton does not always do the right thing once the message is detected.
> For Eudora users, it removes the entire in.mbx file. Even though, in order
> to run the virus, a Eudora user would have to: Save the message, find and
> run a binhex decoder on the body of the message, and double click on the
> resulting file. In my opinion, the user smart enough to do steps one and
> two, but clueless enough to do step three doesn't exist.
> Still, it would be nice to catch these. But, my view is that the fault
> is not entirely Sophos, and I would rather run message bodies against
> a binhex extractor to catch fragments missed by MIME:Tools.
> BTW, when MyDoom first came out we tested Norton and it also missed
> MyDoom embedded as text. An update last week seems to have changed
> NAV's behavior, leading to the deleted in.mbx problem.
> Michael D. Sofka sofkam at rpi.edu
> C&CT Sr. Systems Programmer Email, TeX, epistemology.
> Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/
Normally I do not like to cross-post information, but I believe that this is important enough that everyone needs to be aware of it.
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
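The body-level BinHex extraction that the quoted comment suggests, as an added example in Python that is not part of the original post, of MIME::Tools or of any vendor's scanner: it locates BinHex 4.0 blocks inside plain message text (where an attachment-only scan never looks), undoes the six-bit and run-length coding, and returns the embedded filename and data fork so they can be handed to the scanner. The bounce message is a constructed sample produced by the block's own encoder, and the CRC fields are skipped rather than verified.

```python
import re

# BinHex 4.0 six-bit alphabet (64 symbols), as used by the classic Mac encoder.
ALPHABET = "!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
DECODE = {c: i for i, c in enumerate(ALPHABET)}
# A block is announced by this banner; the encoded text sits between two colons, wrapped over many lines.
BLOCK_RE = re.compile(r"\(This file must be converted with BinHex 4\.0\)\s*:([^:]+):")

def sixbit_decode(text):
    """Six-bit text -> raw bytes (still run-length coded); whitespace and line breaks are ignored."""
    bits = "".join(format(DECODE[c], "06b") for c in text if c in DECODE)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))

def sixbit_encode(data):  # inverse of sixbit_decode, used only to build the constructed sample
    bits = "".join(format(b, "08b") for b in data)
    bits += "0" * (-len(bits) % 6)
    return "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))

def rle_expand(data):
    """Undo BinHex run-length coding: 0x90 n = previous byte n times in total; 0x90 0x00 = a literal 0x90."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0x90 and i + 1 < len(data):
            n = data[i + 1]
            out.extend(b"\x90" if n == 0 else out[-1:] * (n - 1))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def parse_binhex(raw):
    """Return (filename, data_fork) from the expanded stream. CRC fields are skipped, not verified."""
    nlen = raw[0]
    name = raw[1:1 + nlen].decode("latin-1")
    p = 1 + nlen + 1 + 4 + 4 + 2                  # skip version, type, creator, flags
    dlen = int.from_bytes(raw[p:p + 4], "big")
    p += 4 + 4 + 2                                # skip data length, resource length, header CRC
    return name, raw[p:p + dlen]

def extract_inline_binhex(body):
    """Every BinHex payload found in a message body, ready to be handed to the AV scanner."""
    return [parse_binhex(rle_expand(sixbit_decode(m.group(1)))) for m in BLOCK_RE.finditer(body)]

def build_sample_body():
    """Constructed bounce: plain text wrapping a BinHex-encoded 'a.exe' whose data fork is b'EVIL'."""
    hdr = bytes([5]) + b"a.exe" + b"\x00" + b"????" + b"????" + b"\x00\x00"
    hdr += (4).to_bytes(4, "big") + (0).to_bytes(4, "big") + b"\x00\x00"   # fork lengths, dummy header CRC
    raw = hdr + b"EVIL" + b"\x00\x00" + b"\x00\x00"                        # data fork, dummy data/resource CRCs
    return ("Your message could not be delivered. Original message follows:\n\n"
            "(This file must be converted with BinHex 4.0)\n:" + sixbit_encode(raw) + ":\n")
```

Running `extract_inline_binhex` over a bounce built by `build_sample_body` yields `[("a.exe", b"EVIL")]`, i.e. the same bytes the scanner would have seen had the virus arrived as a real attachment.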