When the Exim MTA is used with Sophos Anti-Virus for UNIX/Linux for mail scanning, every file that is scanned is reported as infected.
This occurs if you have installed the Sophos virus identity (IDE) file called 'Foundu-a.ide', which was released on 24 October 2006.
Customers using the Sophie daemon to interface with Sophos should not be affected by this issue.
To resolve this, you must modify the Exim user script that calls the command-line version of Sophos Anti-Virus for UNIX and then scans the output for the string 'found'.
The script is designed to report that a virus has been found in a scanned file by matching the string 'found' in the scanner's output, as in a detection line such as:
Virus 'W32/Magistr-B' found in file ./example.sh
When the 'sweep' command-line scanner scans a file, it first loads the virus data and IDE files, which are then listed on screen. Because that listing includes the IDE file 'Foundu-a.ide', the Exim script's search for the string 'found' always succeeds, so every file that is scanned is declared viral.
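The following shell functions are an added example, not Sophos's or Exim's own script. They compare a loose search for 'found' with a match anchored on the full detection line shown above. The 'Using IDE file' and summary lines are constructed sample output, and the loose check is assumed to be case-insensitive.

```shell
#!/bin/sh
# Constructed sample of scanner output for a CLEAN file. The exact wording of
# the IDE listing and summary lines is an assumption; the page only states
# that loaded IDE files are listed before the scan result.
clean_output="Using IDE file Foundu-a.ide
1 file swept."

# Constructed sample for an INFECTED file. The detection line is the one
# quoted on the page.
infected_output="Using IDE file Foundu-a.ide
Virus 'W32/Magistr-B' found in file ./example.sh
1 file swept."

# Loose check: any occurrence of 'found' anywhere in the output counts as a
# detection. The IDE file name alone is enough to trigger it.
naive_is_infected() {
    printf '%s\n' "$1" | grep -qi 'found'
}

# Strict check: only a whole line of the form
#   Virus '<name>' found in file <path>
# counts as a detection, so listing lines cannot trigger it.
strict_is_infected() {
    printf '%s\n' "$1" | grep -Eq "^Virus '[^']+' found in file .+$"
}

# Print the virus name from each detection line (nothing for clean output).
virus_names() {
    printf '%s\n' "$1" | sed -n "s/^Virus '\([^']*\)' found in file .*$/\1/p"
}

# Show both verdicts for each constructed sample.
for sample in "$clean_output" "$infected_output"; do
    if naive_is_infected "$sample"; then n=infected; else n=clean; fi
    if strict_is_infected "$sample"; then s=infected; else s=clean; fi
    echo "naive=$n strict=$s names=$(virus_names "$sample")"
done
```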