Virus question while real-time scanning on SpamFilter server

BigDog | Newbie | Joined: 26 January 2005 | Location: United States | Status: Offline | Points: 11
Posted: 10 August 2004 at 10:54am
I started real time virus scanning a couple days ago as I had read here on the forum that it would remove the infected messages prior to actually being sent into my system (I am running WebShield SMTP in addition to SpamFilter). Odd thing is that I keep detecting a virus that I haven't seen before (from WebShield SMTP) which is JS/IllWill from the SpamFilter in the temp directory. Am I just getting a false-positive detection from the workings of SpamFilter or am I detecting a real occurrence of the trojan virus? It's been a little disturbing as I had one call from a user who indicated that they had received a reply back from an AV email gateway on the internet indicating a message had been received from their email address that was infected with this trojan. Should I be panicking or is this something I can expect? Mind you this IllWill is being detected several times every few minutes, the SpamFilter server is patched and up to date with MS OS updates and this trojan is at least a 3 year old virus.

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104
Wes,

While we're not in the antivirus business (yet...) we are familiar with them as we deal with them every day. You'll want to double-check with your antivirus vendor, however we believe the TROJ_ILLWILL.A you are encountering is actually a variant of the BAGLE virus, specifically TROJ_BAGLE.AC that was discovered on Aug 9, and became very active. Some antivirus vendors (ex. Trend Micro) had initially classified the first virus strains as ILLWILL and then changed name. You are probably seeing real viruses being stopped.

Please note that SpamFilter is "antivirus aware", meaning that if one of the temp files SpamFilter caches to drive suddenly disappears, SpamFilter will assume antivirus software detected a virus and deleted the file. When this happens, SpamFilter will "understand" and will clean up after itself by deleting the other temp files related to that email and continue processing other messages. If some emails slip thru it is because the antivirus software was not fast enough in detecting the virus in the temp files before SpamFilter processes them (SpamFilter pauses for a few hundredths of a second after writing files to allow A/V software to scan them).

Roberto F.
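
The "antivirus aware" temp-file handling described in the reply above, sketched as an added example; it is not LogSat's code and not part of the original thread. The function names, the 0.05-second pause, the one-file-per-part layout and the `during_grace` hook (a stand-in for the on-access scanner) are assumptions.

```python
import os
import tempfile
import time

# Assumed value: the post only says "a few hundredths of a second".
SCAN_GRACE_SECONDS = 0.05


def spool_message(parts, spool_dir):
    """Write each message part (bytes) to its own temp file for AV to scan."""
    paths = []
    for index, data in enumerate(parts):
        # Never build the file name from sender-supplied attachment names.
        fd, path = tempfile.mkstemp(prefix="msg_", suffix=".part%d" % index,
                                    dir=spool_dir)
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
        paths.append(path)
    return paths


def process_message(parts, spool_dir, deliver, grace=SCAN_GRACE_SECONDS,
                    during_grace=None):
    """Return "delivered" or "dropped" for one message.

    during_grace(paths) is a hypothetical hook that simulates what the
    on-access scanner does while the filter is pausing.
    """
    paths = spool_message(parts, spool_dir)
    try:
        if during_grace is not None:
            during_grace(paths)
        time.sleep(grace)  # pause so the scanner can inspect the files
        # A temp file that vanished is read as an AV verdict on the message.
        if any(not os.path.exists(path) for path in paths):
            return "dropped"
        # A scanner slower than the pause is not caught by the check above;
        # that is the "slip thru" case from the post.
        deliver(paths)
        return "delivered"
    finally:
        # Clean up every temp file belonging to this message, including the
        # siblings of a file the scanner removed.
        for path in paths:
            try:
                os.remove(path)
            except FileNotFoundError:
                pass
```

A longer pause narrows the window in which a slow scanner misses a file, at the cost of per-message latency.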

Benny | Guest Group
Why don't you just drop any attachment that can possibly carry a virus? It would be so much easier than running a virus scanning software.

BigDog | Newbie | Joined: 26 January 2005 | Location: United States | Status: Offline | Points: 11
We do block just about everything even including zip files (I take a beating on that! but my IT director backs me up 100%). I now use three levels of "purifying" the bad email out of my system.

SpamFilter receives the messages, clears out spam, lots of viruses.

NAI AV Client realtime scans the file I/O from the workings of SpamFilter, catching 99% of all viruses.

NAI WebShield receives the message from SpamFilter, filters out all messages with zip and messages with macros. The blocked zip/macro messages directory is scanned from time to time and unwanted messages are discarded and the good ones forwarded to the user.

In addition to virus attachment type files, all multimedia files are disallowed, including mp3, mpeg, avi, mov and such.

Last year the network had two virus infections which were completely contained to the workstation, and both of those cases involved users who were checking outside email systems through webmail. We have just installed SurfControl web filtering and as of two weeks ago we block all outside web access and chat including messaging such as Yahoo chat. Last year all POP3 access to outside email systems was closed.

I take all virus threats seriously as you can see!! :)

Yes, I am no longer seeing that virus now that AV signatures have been updated, all is well in Columbia Missouri!!

Oh and too, my users LOVE SpamFilter ISP !!!!