
Puremessage for Exchange - lots of viruses being missed lately

Hi

We have Puremessage 3.1.3 for Exchange 2010 and we have noticed in the last few weeks that quite a lot of messages with obviously infected attachments are being missed by Puremessage. Either they are arriving in mailboxes or just being quarantined as suspicious. Has anyone else noticed this? I am wondering if we have something wrong with our Puremessage or if it's just that Sophos can't keep up with the definitions. I have contacted support but as yet have not got a satisfactory response from them. I'm interested to hear if others have noticed the same.

Thanks.

  • Hello Arq,

    obviously infected attachments

    how did you find out? Very unlikely that Sophos would be the latecomer, and constantly so for weeks.

    What kind of attachments are these (you have sent samples of these mails to Labs/Support, haven't you)?

    Christian

  • We have something similar, but specifically around attachments with the .zip.txt malware. Constant bombardment from different sites, but PureMessage rarely drops them. We have a specific rule to drop them and then add the sender to the filter list if we can find out who the sender is, as the console doesn't log the sender, only the message. We have sent numerous examples to SophosLabs but this has been going on for months. It is surprising this type of malware isn't being classed as spam by now in general.

  • Years of experience have taught me to recognise incoming viruses. I'm not blowing my own trumpet, but most humans can recognise viruses just by looking at the e-mail. For example, if you get half a dozen messages from random e-mail addresses within the space of 5 minutes, all with 57 kB Word doc attachments, what would you think? It's a shame computers can't think like us.

    They were infected because, while they were not recognised by Sophos, I was able to submit samples and they were confirmed as new variants of infections. We're getting dozens a day now. Sophos is at least 24 hours behind the people sending the viruses. I left some in my inbox and tried saving the attachments this morning, but now SAV quarantines them, so it has caught up. But I wonder how many of my colleagues opened these when they weren't recognised!

    Andy.

  • Hello Andy,

    It's a shame computers can't think like us

    it's equally a blessing - the thought of something making the same misjudgements as I do, but indefatigably and a million times faster, scares me. But true, the gateway should detect the pattern.

    Sophos is at least 24 hours behind the people sending the viruses

    Naturally their ability to foresee the next variant is limited, and generic detections are double-edged. The crooks throw considerable resources at the problem of evading detection; it's a shadow industry, and they use similar test rigs and sophisticated procedures to make sure their stuff gets through. If they didn't improve they'd already be out of business.

    Not that this helps you though. I'm not in charge of our PM installation so I can't say what's needed to adequately deal with this scenario, but it's definitely frustrating to watch this junk being delivered.

    Christian

  • I realise that it's unreasonable to expect 100% protection, but what I am wondering is why this has started for us now. We have enjoyed extreme reliability from Puremessage in the years we've been using it, maybe around 10 years. Now all of a sudden it's missing new variants every day. Perhaps this is just a new strain of very cleverly disguised viruses?

    Andy

  • We have a similar setup: Exchange 2010 and PureMessage 3.1.0, and we have the same problem as you. PureMessage is letting through a far greater proportion of spam and mail with malicious attachments. I've been wondering too why PureMessage is missing these very obvious spam messages.

  • Puremessage finally caught up with the virus definitions on the last lot. Now today we've got a new wave of DOC attachments which are being missed by Puremessage. I wonder if they will turn out to be new variants of the same virus as last week, or something entirely different? We've had about 100 today already. I've had to set up DOC files as restricted attachments in Puremessage to ensure they don't slip through the net. More work for me to release legitimate attachments. Thankfully we only have around 100 users. I would hate to think what a headache this would be for an organisation with thousands of users. You'd need someone full time looking after the quarantine.

    Andy

  • I read the article on snowshoe spam. I see that it's a problem, but every problem has a solution. As I mentioned earlier in this thread, it's extremely easy to see that a batch of mails coming in is malicious. Puremessage needs to think like we do and recognise the similarities between incoming e-mails, and realise that the dozens of virtually identical e-mails coming in are malicious. We're getting hundreds a day being let through by Puremessage. I've had to block all DOC attachments. I may have to do the same to Excel files to stop the influx, because some end users are not as vigilant as others. Blocking them obviously causes extra workload releasing the legitimate ones, so it's not ideal.

    Sophos, get your act together, what is being done to tackle the 'snowshoe' viruses?

  • I'm probably wrong, but I agree with you.

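The pattern the posters describe (Andy's "half a dozen messages from random addresses within 5 minutes, all with 57 kB Word doc attachments", the later "dozens of virtually identical e-mails" snowshoe run, and the `.zip.txt` double-extension lures mentioned earlier) can be scored at a gateway or in a log-review script without any signature. The following is an added example written for this page; it is not PureMessage or Sophos code and does not reflect how PureMessage scores mail. The thresholds (6 messages from 4 or more sender domains inside 5 minutes), the size-bucketing by nearest kilobyte, the extension list in `DOUBLE_EXT` and every address and timestamp in `SAMPLE` are assumptions constructed for illustration.

```python
"""Added example (not PureMessage or Sophos code): a burst heuristic for the
pattern described in the thread - many messages in a few minutes, from
unrelated senders, all carrying an attachment of the same type and almost
the same size - plus a check for double-extension names such as .zip.txt.
Thresholds and sample data are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Message:
    ts: datetime          # time the gateway received the message
    sender: str           # envelope sender address
    attachment: str       # attachment file name
    size: int             # attachment size in bytes


def sender_domain(addr: str) -> str:
    """Domain part of an address; the burst test counts distinct domains."""
    return addr.rsplit("@", 1)[-1].lower()


# Names like invoice.zip.txt: a dangerous type hidden behind a harmless
# trailing extension. The inner list is an assumption; extend it to taste.
DOUBLE_EXT = re.compile(r"\.(zip|exe|scr|js|vbs|doc)\.[a-z0-9]{1,4}$", re.I)


def risky_name(name: str) -> bool:
    return bool(DOUBLE_EXT.search(name))


def attachment_key(msg: Message):
    """Group attachments by (extension, size rounded to the nearest kB).
    A content hash is a better key when the gateway exposes one; size is
    enough for the 'all 57 kB Word docs' case from the thread."""
    ext = msg.attachment.rsplit(".", 1)[-1].lower()
    return (ext, round(msg.size / 1024))


def find_bursts(messages, window=timedelta(minutes=5),
                min_msgs=6, min_domains=4):
    """Return [(key, [messages])] for every group of look-alike attachments
    where some `window` holds at least `min_msgs` messages from at least
    `min_domains` distinct sender domains. A mass mailing from one partner
    has one domain and is not flagged; a snowshoe run is spread over many."""
    by_key = defaultdict(list)
    for m in sorted(messages, key=lambda m: m.ts):
        by_key[attachment_key(m)].append(m)
    bursts = []
    for key, msgs in by_key.items():
        flagged = set()
        start = 0
        for end in range(len(msgs)):          # sliding window over time
            while msgs[end].ts - msgs[start].ts > window:
                start += 1
            win = msgs[start:end + 1]
            domains = {sender_domain(m.sender) for m in win}
            if len(win) >= min_msgs and len(domains) >= min_domains:
                flagged.update(range(start, end + 1))
        if flagged:
            bursts.append((key, [msgs[i] for i in sorted(flagged)]))
    return bursts


def flagged_senders(messages) -> list:
    """Sender addresses from flagged bursts, e.g. to feed a block list
    (the thread notes the console shows the message but not the sender)."""
    return sorted({m.sender for _, msgs in find_bursts(messages) for m in msgs})


# Constructed sample traffic (not real mail): a quiet morning, then seven
# ~57 kB .doc files from seven unrelated domains inside three minutes, one
# legitimate internal report run from a single domain, and a .zip.txt lure.
T = datetime(2014, 3, 3, 9, 0)
SAMPLE = [
    Message(T, "alice@partner.example", "contract.doc", 57100),
    Message(T + timedelta(hours=2), "alice@partner.example", "q1.doc", 120000),
] + [
    Message(T + timedelta(minutes=70, seconds=30 * i), s, "invoice.doc", sz)
    for i, (s, sz) in enumerate([
        ("kim@host1.example", 56900), ("lee@host2.example", 57000),
        ("ann@host3.example", 57050), ("bob@host4.example", 57100),
        ("eve@host5.example", 57200), ("max@host6.example", 57250),
        ("zoe@host7.example", 57300)])
] + [
    Message(T + timedelta(minutes=90, seconds=20 * i), "reports@corp.example",
            "daily.xls", 30000) for i in range(6)
] + [
    Message(T + timedelta(minutes=95), "pay@host8.example", "invoice.zip.txt", 4100),
]

if __name__ == "__main__":
    for key, msgs in find_bursts(SAMPLE):
        doms = {sender_domain(m.sender) for m in msgs}
        print(key, len(msgs), "messages from", len(doms), "domains")
    print([m.attachment for m in SAMPLE if risky_name(m.attachment)])
```

On the sample, only the `("doc", 56)` group is flagged, and it contains the seven burst messages but not the partner's `contract.doc` sent an hour earlier with the same size; the six identical `daily.xls` reports are not flagged because they come from one domain. The obvious caveat is the one Christian raises: a heuristic like this produces false positives on legitimate bulk mail (newsletters, invoice runs from several subsidiaries), so it belongs in front of a quarantine with a release path rather than a hard reject.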