FedEx email virus? not detected

Today I received an email with a zipped file that pretends to be from FedEx.  I had prior knowledge of the "scam" and I'm pretty sure the attached zip is a virus; probably a "Windows OS" virus, but a virus.

Sophos for Mac did not detect any threats, I got no pop-ups, nothing.  So I opened Sophos and had it scan the directory that the email is in.  It still did not find it.

Is there a procedure for sending in samples of "suspected" viruses?  (I realize that I need to delete the file and email, but was wondering if I could send it in so Sophos can add it to a database or something.)

thanks. 

  • Okay, I'm confused.  I did some testing.

    From Mail, I saved the attachment to the desktop and Sophos detected it and told me to manually remove it.  So after reading how to do that, I did get Sophos to delete it from the Desktop.

    BUT, and this is a BIG BUT, Sophos does not detect it when it is embedded in my email message when I scan my library folder on my hard drive.  SO, this zipped file could sit in my Library folder (in the Mail subfolder) forever and Sophos would never detect it??

    I created a new scan and even told it to scan inside zipped files, and Sophos did not detect it in the Library folder.  Do I have to create a new scan for each subfolder?  Doesn't Sophos scan all the folders inside a folder?

    I don't want zipped viruses sitting on my hard drive forever, even if Sophos detects them if they ever try to unzip.

    What is the solution for this??  Any workaround to prevent this??

    Thanks.

  • Hello leilani,

    The email transfer protocol is historically 7-bit ASCII, and although it has been extended to allow 8-bit, any content that is not plain text has to be encoded or wrapped in some form. I'll spare you the details here. Suffice to say a mail message is a kind of special container which will not be "unpacked" by the operating system or its extensions. Thus a stored email (whether a single item or in a mailbox) is neither "executable" nor an archive in the narrower sense.

    Mail does not "extract" and decode the attachments to their original form when storing email (in Library); other clients (like Eudora) do. Thus a scan of Documents/Eudora Folder/ would have detected it in the .zip archive in some of the subfolders.

    What is the solution for this??

    Just delete the mail.

    Christian

  • Is there a procedure for sending in samples

    Yes. But read carefully (sorry if this should be too technical for you but others might benefit from it).

    Please do so only for items you have scanned (see the reply to your second post why you have to extract a suspicious attachment first) and either:

    • the analysis for the item in the Action tab asks you to do so (and, I want to add, it's not a Windows-only threat)
    • the scan turns up clean but you have a strong suspicion
    • it might be related to an alert (that's more esoteric and usually involves e.g. inspecting and assessing objects in temp or cache locations)

    Please do not send "something" just because you don't know what it is or where it comes from and do not report spam (ignore the link to article 23113 in the document I'll point to below - it should be used only by customers using the applicable products).

    Now, Submitting samples of suspicious files to Sophos describes the procedure to follow. You have to put the sample in a password-protected .zip file (otherwise a gateway security software might remove it, or the on-access scanner will prevent browser upload). To do this you first have to safely collect it. While the article describes the procedure for Windows only (it'll probably get amended), you can easily "translate" it to Mac OS.

    So, Linda, you'll probably just delete this one. But kudos for thinking of and asking about it.

    Christian

  • Sophos detected the FedEx_mailing_label.exe in:

    com.sophos.intercheck: 2011-03-04 05:50:01 +0800 Threat: 'Troj/Agent-PHW' detected in /private/tmp/82f-4d6f66ca-e2b13-Lz4DwH/1022D023.zip/FedEx_mailing_label/FedEx_mailing_label.exe
    com.sophos.intercheck:                              Access to the file denied

    I realize this is a Windows virus in an email attachment, so I deleted all emails associated with it, using sudo.
    However, I had already detected the same file in this directory and removed it using sudo, but it has come back?
    I occasionally run Parallels, so I don't want this file hanging around.
    I notice neither Norton AV nor Kaspersky AV detects this threat at all.
    I have never clicked on the zip file, so I cannot see how it could have self-installed, but how and why does it keep reappearing?
  • That's part of the Bredo family, a botnet that emails out files with names related to FedEx and UPS to infect your Windows computer and join it to the botnet.  They update the actual malware multiple times per day.

    In our enterprise products, we block the emails with our email products, the websites with our web appliance, and the malicious attachments with our Antivirus.

    Looking at the details you listed, it appears you have on-access scanning set to scan inside archives, so it is repeatedly detecting the exe INSIDE the zip file.  You'll need to delete the zip file or disable in-archive scanning to stop this from happening.  I recommend just deleting the email message.
  • Does Sophos automatically scan all new emails?  Also, what about emails (in Gmail and AOL Mail) already received?  Thanks in advance.
  • The free product does not scan email at the gateway; we have an enterprise product for that.  However, if On-Access scanning is enabled, the emails will be scanned whenever they touch the disk, either during caching (if using a webmail client or IMAP) or when stored locally (via a local mail client such as Mail.app).  The Sophos AV engine knows how to parse mailbox files and encoded attachments, and can properly extract and scan embedded attachments that have not yet been extracted and saved to disk.

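Two replies above make the same technical point from different angles: Christian explains that a stored mail message is an encoded container rather than an archive, and the last reply states that the AV engine has to parse mailbox files and decode attachments itself before it can see what is inside. The following script is an added illustration of that, written for this page; it is not Sophos code and not something any of the posters ran. It builds a constructed, harmless message shaped like the lure described in the thread (a .zip attachment whose only member is named like an .exe), shows that a byte-level search of the stored message cannot see the zip signature because the attachment is base64-wrapped, and then does what a mail-aware scanner does: decode the MIME parts, open the archive, list executable-looking members, and record a SHA-256 that could accompany a sample submission. All names, addresses and file names in it are made up.

```python
import email
import hashlib
import io
import posixpath
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import Path

# File extensions that mean "runs as a program on Windows". The thread's
# sample was FedEx_mailing_label.exe inside a .zip.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Signature at the start of every ZIP local file header ("PK\x03\x04").
ZIP_MAGIC = b"PK\x03\x04"


def build_sample_eml() -> bytes:
    """Construct a harmless test message shaped like the FedEx lure.

    The attachment is a real .zip, but its only member is inert text that
    merely carries an .exe name; nothing here is executable.
    """
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FedEx_mailing_label/FedEx_mailing_label.exe",
                    b"inert placeholder text, not a program")

    msg = EmailMessage()
    msg["From"] = "tracking@fedex.example"        # constructed sender
    msg["To"] = "recipient@example.invalid"        # constructed recipient
    msg["Subject"] = "FedEx Tracking Number 123456"  # constructed subject
    msg.set_content("Please print the attached mailing label.")
    # add_attachment base64-encodes non-text parts, exactly the wrapping
    # Christian's reply describes.
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="FedEx_mailing_label.zip")
    return msg.as_bytes()


def attachment_is_encoded(raw_message: bytes) -> bool:
    """True when the zip signature is absent from the stored message bytes.

    This is why a scanner that only looks at file contents literally will
    not recognise the archive inside a saved .eml or mailbox file: the
    bytes on disk are base64 text, not a zip.
    """
    return ZIP_MAGIC not in raw_message


def inspect_message(raw_message: bytes) -> list[dict]:
    """Decode each attachment and look inside archives for executable names.

    Returns one record per attachment: its file name, the SHA-256 of the
    decoded bytes (useful when submitting a sample), and the archive
    members whose extension is in EXECUTABLE_EXTENSIONS.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)   # undo base64 / quoted-printable
        record = {
            "attachment": part.get_filename() or "(unnamed)",
            "sha256": hashlib.sha256(payload).hexdigest(),
            "executables": [],
        }
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    ext = posixpath.splitext(info.filename)[1].lower()
                    if ext in EXECUTABLE_EXTENSIONS:
                        record["executables"].append(info.filename)
        findings.append(record)
    return findings


def extract_for_scanning(raw_message: bytes, outdir: Path) -> list[Path]:
    """Write decoded attachments to a folder so an on-demand scanner sees
    ordinary files, mirroring the "save the attachment to the Desktop" step
    in the thread. Only the base name is used, so a crafted file name cannot
    escape outdir."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for part in msg.iter_attachments():
        name = posixpath.basename(part.get_filename() or "attachment.bin")
        target = outdir / name
        target.write_bytes(part.get_payload(decode=True))
        written.append(target)
    return written


if __name__ == "__main__":
    raw = build_sample_eml()
    print("zip signature visible in stored message:", not attachment_is_encoded(raw))
    for rec in inspect_message(raw):
        print(rec["attachment"], rec["sha256"], rec["executables"])
```

Run as-is, it reports that the zip signature is not visible in the stored message and that the decoded attachment contains one executable-named member, which is the situation leilani hit: the file is present in the Library folder, but only a scanner that decodes the message (or a manual extraction followed by an on-demand scan) will surface it.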