Tim Howell wrote:
Several of my users have received the virus classified by ClamAV as Worm.Sober.K today. I use qmail with SpamAssassin and ClamAV through qmailscanner. I'm not sure how it is getting through as:
1. All of my mail is scanned by ClamAV and Clam definitely recognizes this virus. If I take the zip attachment that comes through on these messages and manually scan with Clam the file is marked infected.
First off, check your logs. Do you see "qmail-scanner.*CLAM.*Sober" at all? If so, then your system is catching it. If not, you should be able to search for the Subject line in the logs of an infected email, then look at the qmail-queue.log file for debug information about why it wasn't caught. However, your email implies everything is working....
...So then the next question is: are there other ways for infected mail to get onto your network? If you allow user to POP or IMAP mail directly from end-Internet mail servers onto your LAN, how do you know that's not where these infected e-mails are coming from? Webmail like Hotmail is also another source.
Just some ideas...
-- Cheers
Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________ http://lurker.clamav.net/list/clamav-users.html
