Autor: Nigel Metheringham Data: A: Exim users list Assumpte: [exim] Fwd: Issue with Exim and Sophos
Just back from holiday and found this in the first pile of mail I looked
at...
Nigel.
Begin forwarded message:
> Date: 26 October 2006 09:08:41 BDT
> To: postmaster@???
> Subject: Issue with Exim and Sophos
>
>
> Hello,
>
> We started having enquiries from customers who are using the Exim
> MTA in
> conjunction with Sophos for the purpose of mail scanning.
>
> The issues that they are seeing is that every file that they scan
> is found
> to be viral. This seems to be due to a script in Exim designed to
> show
> when a virus has been found when scanning a file,by matching the
> string
> 'found' in the output from SWEEP.
>
> For example:
>
> Virus 'W32/Magistr-B' found in file ./example.sh
>
> On the 24th of this month we released an IDE file called 'Foundu-
> a.ide'
> which obviously contains the string 'found'.
> When 'sweep' scans a file it first loads the virus data and IDE files,
> which are listed. This means that the script in Exim which is
> looking for
> the string 'found' will always succeed, meaning that every single
> file that
> is scanned will be declared as viral.
>
> We have been recommending to customers that they should modify the
> Exim
> script to scan for the string 'found ' (please note the space in this
> string), or for 'found in'.
> However, i was wondering if this is something that could be added
> to the
> faq (or another appropriate area on the Exim website) that we can
> point
> Exim users to?
>
> Customers using the Sophie daemon to interface with Sophos should
> not be
> affected by this issue as the virus data and IDEs are only loaded
> once, and
> so the names of the IDEs are not included in the output that it
> produces.
>
> If you have any questions, or would like to discuss this issue further
> please feel free to contact me.
>
> Kind regards
>
> Ben Jupp
>
>
--
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]