Linux Server - can it detect more?

I have installed Sophos Antivirus for Linux on a Debian machine.

Using it for on-demand scanning of email messages, it works when I push the EICAR test virus through it.

I have a large collection of virus-infected messages; when testing those it only detects about 50% of them.

I have confirmed that the system is running the latest definition files, following these instructions.

One could argue that Sophos does not know about the specific viruses yet, especially if they are new.

HOWEVER, if I test the messages with VirusTotal, their system detects the virus infection and states that it was found by Sophos AV.

If I have the latest data files, how can I get my install to operate as well as VirusTotal is performing?

I have confirmed that I have the system set to scan compressed files, what else can I do?

  • I found some interesting results today. To clarify what we are doing:

    We are using SSSP and submitting raw email messages, these messages contain attachments as part of the email.

    When we feed the raw messages to SSSP it is successful in detecting viruses in attachments that are .pdf and .html, so we know it is reading the message content and successfully decoding the files that exist in the message. It will actually feed back the temp filenames it is creating when it decodes the attachments from the message, which is great.

    The problem is, the system is not detecting the viruses in .doc files that we have been testing and know are infected.

    Today we conducted the same scanning tests, by placing the messages on disk and scanning them with SAVDID command line scanning.

    The results were the same: the system misses the viruses if they are in .doc files.

    If we decode the .doc file and place it on disk, then request savdid to scan it, the virus is found.

    Either we have something configured incorrectly or the scanner is not working correctly, since we know the viruses are there but the conditions have to be just right for them to be found.  Seems like a fairly serious security issue.
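Since the poster found that a decoded .doc on disk is detected while the same file inside a raw message is not, one defensive workaround is to decode the attachments yourself and hand the scanner plain files. Below is an added example (not code from the thread, from Sophos, or from SSSP/savdid) that does this with Python's standard library; the scanner command is a hypothetical placeholder, as the page does not show savdid's CLI, and the sample message is constructed.

```python
import email
import email.policy
import hashlib
import os
import subprocess
import tempfile

# Constructed sample: a text part plus a harmless "report.doc" whose payload is only the 8-byte OLE2 magic.
SAMPLE_RAW = (
    b"From: sender@example.test\r\nTo: rcpt@example.test\r\n"
    b"Subject: quarterly report\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b'--XYZ\r\nContent-Type: application/msword; name="report.doc"\r\n'
    b'Content-Disposition: attachment; filename="report.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"0M8R4KGxGuE=\r\n--XYZ--\r\n"
)

def extract_attachments(raw: bytes):
    """Return [(filename, content_type, decoded_bytes)] for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue  # inline body text, not something to hand to the scanner as a file
        # basename() strips any directory components a hostile filename may carry
        name = os.path.basename(part.get_filename() or "unnamed.bin")
        found.append((name, part.get_content_type(), part.get_payload(decode=True)))
    return found

def decode_to_tempdir(raw: bytes):
    """Write each attachment into a fresh temp dir, hash-prefixed so two
    attachments sharing a filename cannot overwrite each other; return the paths."""
    workdir = tempfile.mkdtemp(prefix="mailscan-")
    paths = []
    for name, _ctype, data in extract_attachments(raw):
        path = os.path.join(workdir, hashlib.sha256(data).hexdigest()[:12] + "-" + name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths

def scan_decoded(raw: bytes, scan_cmd):
    """Run scan_cmd (your scanner's CLI as a list; hypothetical here) on each
    decoded file with the path appended; returns {path: exit_status}."""
    return {p: subprocess.run(list(scan_cmd) + [p], capture_output=True).returncode
            for p in decode_to_tempdir(raw)}
```

Interpret the exit status according to your scanner's documentation, and delete the temp directory once the verdicts are recorded.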

  • Hi

    Sorry for the late reply - I did not get a notification for this thread.

    Please can you contact support, if you have not already, and we can look into it for you.


    Cheers

    Mark