
Virus question while real-time scanning on SpamFilter server

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=4125
Printed Date: 23 October 2017 at 8:36pm


Topic: Virus question while real-time scanning on SpamFilter server
Posted By: BigDog
Subject: Virus question while real-time scanning on SpamFilter server
Date Posted: 10 August 2004 at 10:54am

I started real-time virus scanning a couple of days ago, as I had read here on the forum that it would remove the infected messages prior to actually being sent into my system (I am running WebShield SMTP in addition to SpamFilter)....

Odd thing is that I keep detecting a virus that I haven't seen before (from WebShield SMTP), which is JS/IllWill, from the SpamFilter in the temp directory.

Am I just getting a false-positive detection from the workings of SpamFilter, or am I detecting a real occurrence of the trojan virus? It's been a little disturbing, as I had one call from a user who indicated that they had received a reply back from an AV email gateway on the internet indicating a message had been received from their email address that was infected with this trojan.

Should I be panicking, or is this something I can expect? Mind you, this IllWill is being detected several times every few minutes, the SpamFilter server is patched and up to date with MS OS updates, and this trojan is at least a 3-year-old virus.

 




Replies:
Posted By: LogSat
Date Posted: 10 August 2004 at 11:19pm

Wes,

While we're not in the antivirus business (yet...) we are familiar with them, as we deal with them every day. You'll want to double-check with your antivirus vendor; however, we believe the TROJ_ILLWILL.A you are encountering is actually a variant of the BAGLE virus, specifically TROJ_BAGLE.AC (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BAGLE.AC), which was discovered on Aug 9 and became very active. Some antivirus vendors (e.g. Trend Micro) had initially classified the first virus strains as ILLWILL and then changed the name.

You are probably seeing real viruses being stopped. Please note that SpamFilter is "antivirus aware", meaning that if one of the temp files SpamFilter caches to the drive suddenly disappears, SpamFilter will assume antivirus software detected a virus and deleted the file. When this happens, SpamFilter will "understand" and will clean up after itself by deleting the other temp files related to that email and continue processing other messages. If some emails slip through, it is because the antivirus software was not fast enough in detecting the virus in the temp files before SpamFilter processed them (SpamFilter pauses for a few hundredths of a second after writing files to allow A/V software to scan them).

Roberto F.
LogSat Software
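
The "antivirus aware" temp-file handling described in the reply above, as an added simulation that is not part of the original thread and not SpamFilter's code. The spool file naming, the settle time and the stand-in scanner are assumptions made for illustration; the detection marker is a constructed string rather than a real signature. The second scenario reproduces the failure mode Roberto mentions: a scanner that reacts after the settle window lets the message through.

```python
"""Simulated 'antivirus-aware' spooling, modelled on the behaviour described
in the post above. Constructed example: not SpamFilter's code, and the file
naming, settle time and scanner are assumptions made for illustration."""
import tempfile
import threading
import time
from pathlib import Path

# Constructed detection marker standing in for a real AV signature (deliberately
# not the EICAR string, so running this does not trip a real on-access scanner).
MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def spool_message(spool_dir, msg_id, parts):
    """Write each decoded MIME part of one message to its own temp file, the way
    a filter that caches attachments to disk for an on-access scanner would."""
    paths = []
    for n, data in enumerate(parts):
        p = spool_dir / f"{msg_id}.{n}.part"
        p.write_bytes(data)
        paths.append(p)
    return paths


def start_scanner(paths, delay):
    """Stand-in for an on-access AV engine: after `delay` seconds it deletes any
    spooled file containing MARKER. It runs in its own thread so the race with
    the filter is real rather than staged."""
    def scan():
        time.sleep(delay)
        for p in paths:
            try:
                if MARKER in p.read_bytes():
                    p.unlink()
            except FileNotFoundError:
                pass  # the filter already cleaned this file up
    t = threading.Thread(target=scan)
    t.start()
    return t


def process_spooled(paths, settle):
    """Antivirus-aware step: pause `settle` seconds after writing, then treat any
    vanished temp file as an AV detection. On a detection the message's other
    temp files are removed and the message is dropped; otherwise it is delivered
    (and the temp files cleaned up normally)."""
    time.sleep(settle)
    missing = [p for p in paths if not p.exists()]
    verdict = "dropped_as_infected" if missing else "delivered"
    for p in paths:
        try:
            p.unlink()
        except FileNotFoundError:
            pass
    return verdict


def run_scenario(scanner_delay, settle):
    """Spool one constructed message whose second part carries MARKER, race the
    scanner against the filter, and return the filter's verdict."""
    with tempfile.TemporaryDirectory() as d:
        parts = [b"Subject: photos\r\n\r\nsee attached\r\n",
                 b"PK\x03\x04" + MARKER]  # zip-looking attachment with the marker
        paths = spool_message(Path(d), "msg0001", parts)
        scanner = start_scanner(paths, scanner_delay)
        verdict = process_spooled(paths, settle)
        scanner.join()
        return verdict


if __name__ == "__main__":
    # Scanner reacts inside the settle window: the message is caught.
    print("fast scanner:", run_scenario(scanner_delay=0.0, settle=0.3))
    # Scanner slower than the settle window: the message slips through.
    print("slow scanner:", run_scenario(scanner_delay=0.5, settle=0.05))
```

The design relies on the on-access scanner's delete being visible as a missing file before the filter moves on, so the settle window is the whole safety margin: an engine that takes longer than that to reach the file (or one configured to quarantine by moving rather than deleting, which this check would still see as "missing") changes the outcome, which is why the post recommends a gateway scanner behind the filter as well.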



Posted By: Guests
Date Posted: 11 August 2004 at 5:52pm

Why don't you just drop any attachment that can possibly carry a virus? It would be so much easier than running virus scanning software.

 



Posted By: BigDog
Date Posted: 11 August 2004 at 6:12pm

We do block just about everything, even including zip files (I take a beating on that! but my IT director backs me up 100%).

I now use three levels of "purifying" the bad email out of my system.

SpamFilter receives the messages, clears out spam, lots of viruses

NAI AV Client realtime scans the file I/O from the workings of Spamfilter catching 99% of all viruses.

NAI WebShield receives the message from SpamFilter, filters out all messages with zip and messages with macros. The blocked zip/macro messages directory is scanned from time to time and unwanted messages are discarded and the good ones forwarded to the user.

In addition to virus attachment type files, all multimedia files are disallowed, including mp3, mpeg, avi, mov and such.

Last year the network had two virus infections which were completely contained to the workstation, and both of those cases involved users who were checking outside email systems through webmail. We have just installed SurfControl web filtering and as of two weeks ago we block all outside web access and chat, including messaging such as Yahoo chat. Last year all POP3 access to outside email systems was closed.

I take all virus threats seriously as you can see!!  :)

Yes, I am no longer seeing that virus now that AV signatures have been updated, all is well in Columbia Missouri!!

Oh and too, my users LOVE Spamfilter ISP !!!!
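
The attachment-type policy described in the post above (drop zip archives, multimedia and macro-carrying documents), as an added example that is not part of the original thread and not NAI WebShield or SpamFilter code. The blocked-extension list and the sample message are constructed assumptions. It goes one step beyond a plain extension list: an archive renamed to a harmless extension is still caught by its magic bytes, and a macro-enabled Office Open XML document is recognised by the vbaProject.bin member inside its zip container.

```python
"""Attachment-type policy of the kind described in the post above: block
archives, multimedia and macro-bearing Office documents per MIME part.
Constructed example, not NAI WebShield or SpamFilter code; the blocked
extension list and the sample message are assumptions for illustration."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed site policy: archives, executables and multimedia are all dropped.
BLOCKED_EXT = {".zip", ".exe", ".scr", ".pif", ".vbs", ".js",
               ".mp3", ".mpeg", ".mpg", ".avi", ".mov"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every zip-based format


def has_ooxml_macros(data):
    """True if `data` is an Office Open XML package (.docm/.xlsm/.pptm are zips)
    that carries a VBA project, recognised by its vbaProject.bin member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_verdicts(raw):
    """Parse a raw RFC 822 message and return [(filename, reason)] for every
    attachment, where reason is None if the part would be allowed through."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXT:
            reason = f"extension {ext} is blocked"
        elif data.startswith(ZIP_MAGIC) and has_ooxml_macros(data):
            reason = "Office document containing VBA macros"
        elif data.startswith(ZIP_MAGIC):
            # Renamed archive: the extension list alone would have let it pass.
            reason = "zip archive by magic bytes despite non-zip name"
        else:
            reason = None
        verdicts.append((name, reason))
    return verdicts


def blocked_attachments(raw):
    """Names of the attachments the policy would strip or quarantine."""
    return [name for name, reason in attachment_verdicts(raw) if reason]


def build_sample_message():
    """Constructed message with four attachments: a harmless PDF, a .zip, the
    same zip renamed to .dat, and a macro-enabled Word document."""
    def make_zip(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for member, content in members.items():
                zf.writestr(member, content)
        return buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    plain_zip = make_zip({"readme.txt": "hello"})
    msg.add_attachment(plain_zip, maintype="application",
                       subtype="zip", filename="photos.zip")
    msg.add_attachment(plain_zip, maintype="application",
                       subtype="octet-stream", filename="photos.dat")
    docm = make_zip({"word/document.xml": "<w:document/>",
                     "word/vbaProject.bin": b"\x00constructed"})
    msg.add_attachment(docm, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="report.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in attachment_verdicts(build_sample_message()):
        print(f"{name:12s} -> {reason or 'allowed'}")
```

The macro check covers only the zip-based Office formats; the legacy binary .doc/.xls containers are OLE compound files and need an OLE parser to find a VBA stream, so a gateway that "filters out messages with macros" as in the post has to handle both families.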



