[Dshield] Big Hole in Sophos AV (from MIMEDefang maillist)

Jon R. Kibler Jon.Kibler at aset.com
Fri Feb 13 20:19:14 GMT 2004

Sophos AV has a new, serious problem handling certain bounced messages. Please see this article for details.

> >
> > http://www.securitynewsportal.com/cgi-bin/securitynews.cgi?database=JanDD&id=74

And I thought that this comment posted on the MD maillist was also important information:
> We have noticed this on our system.  It seems to only be happening
> when cpu-damaged anti-virus programs bounce back a copy of the virus
> as text.  Sophos lets it through because it is not an attachment
> (I've tried sweep against the entire body of the message, so it
> isn't just a matter of MIME:Tools not extracting the virus.)
> Norton, however, does detect it.
> But, Norton does not always do the right thing once the message is detected.
> For Eudora users, it removes the entire in.mbx file.  Even though, in order
> to run the virus, a Eudora user would have to: Save the message, find and
> run a binhex decoder on the body of the message, and double click on the
> resulting file.  In my opinion, the user smart enough to do steps one and
> two, but clueless enough to do step three doesn't exist.
> Still, it would be nice to catch these.  But, my view is that the fault
> is not entirely Sophos, and I would rather run message bodies against
> a binhex extractor to catch fragments missed by MIME:Tools.
> BTW, When MyDoom first came out we tested Norton and it also missed
> MyDoom embedded as text.  An update last week seems to have changed
> NAV's behavior, leading to the deleted in.mbx problem.
> Mike
> -- 
> Michael D. Sofka              sofkam at rpi.edu
> C&CT Sr. Systems Programmer    Email, TeX, epistemology.
> Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/

Normally I do not like to cross-post information, but I believe that this is important enough that everyone needs to be aware of it.


Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

More information about the list mailing list