11-11-2010 09:47 AM
Today I received an email with a zipped file that pretends to be from FedEx. I had prior knowledge of the "scam" and I'm pretty sure the attached zip is a virus; probably a "Windows OS" virus, but a virus.
Sophos for Mac did not detect any threats; I got no pop-ups, nothing. So I opened Sophos and had it scan the directory that the email is in. It still did not find it.
Is there a procedure for sending in samples of "suspected" viruses?? (I realize that I need to delete the file and email, but was wondering if I could send it in so Sophos can add it to a database or something.)
11-11-2010 11:44 AM
Okay, I'm confused. I did some testing.
From Mail, I saved the attachment to the desktop and Sophos detected it and told me to manually remove it. So after reading how to do that, I did get Sophos to delete it from the Desktop.
BUT, and this is a BIG BUT, Sophos does not detect it when it is embedded in my email message when I scan my library folder on my hard drive. SO, this zipped file could sit in my Library folder (in the Mail subfolder) forever and Sophos would never detect it??
I created a new scan and even told it to scan inside zipped files, and Sophos did not detect it in the Library folder. Do I have to create a new scan for each subfolder? Doesn't Sophos scan all the folders inside a folder??
I don't want zipped viruses sitting on my hard drive forever, even if Sophos detects them if they ever try to unzip.
What is the solution for this?? Any workaround to prevent this??
11-12-2010 12:35 AM
The email transfer protocol is historically 7-bit ASCII, and although it has been extended to allow 8-bit, any content that is not plain text has to be encoded or wrapped in some form. I'll spare you the details here. Suffice to say a mail message is a kind of special container which will not be "unpacked" by the operating system or its extensions. Thus a stored email (whether a single item or in a mailbox) is neither "executable" nor an archive in the narrower sense.
Mail does not "extract" and decode the attachments to their original form when storing email (in Library), other clients (like Eudora) do. Thus a scan of Documents/Eudora Folder/ would have detected it in the .zip archive in some of the subfolders.
What is the solution for this??
Just delete the mail.
03-03-2011 04:02 PM
Sophos detected the FedEx_mailing_label.exe in
03-04-2011 01:06 PM
That's part of the Bredo family, a botnet that emails out files with names related to FedEx and UPS to infect your Windows computer and join it to the botnet. They update the actual malware multiple times per day.
In our enterprise products, we block the emails with our email products, the websites with our web appliance, and the malicious attachments with our Antivirus.
Looking at the details you listed, it appears you have on-access scanning set to scan inside archives... so it is repeatedly detecting the exe INSIDE the zip file. You'll need to delete the zip file or disable in-archive scanning to stop this from happening. I recommend just deleting the email message.
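The following is an added example, not code from this thread or from Sophos. It shows in one script the two points made so far: why a plain byte-signature scan over a stored Mail message misses a zipped attachment (the attachment sits there base64-encoded, per the 7-bit explanation in the 11-12-2010 reply), and what a scanner that parses MIME, decodes the part and looks inside the archive sees (the in-archive detection described in the reply above). The message, the zip and the "executable" inside it are all constructed inline; the file name FedEx_mailing_label.exe is taken from the thread, the addresses are placeholders, and the stub exe is just a few bytes with a PE-style header, not a real program.

```python
"""Raw-bytes scan vs. MIME-aware scan of a stored mail message.

Added example (not from the thread or Sophos).  Everything scanned here is
constructed in build_stored_message(); nothing is read from disk.
"""
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"  # zip local-file header signature
PE_MAGIC = b"MZ"           # DOS/PE executable header signature


def build_stored_message() -> bytes:
    """Construct a message the way a mail client stores it on disk.

    The zip is base64-encoded inside a MIME part, so its raw bytes never
    appear in the stored file.  The exe is a constructed stub, not real code.
    """
    fake_exe = PE_MAGIC + b"\x90" * 62 + b"Constructed stub for the example; not a real program."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("FedEx_mailing_label.exe", fake_exe)  # name from the thread
    msg = EmailMessage()
    msg["From"] = "tracking@example.invalid"   # placeholder sender
    msg["To"] = "recipient@example.invalid"    # placeholder recipient
    msg["Subject"] = "Your FedEx shipment"
    msg.set_content("Please print the attached label.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FedEx_Label.zip")  # default encoding is base64
    return msg.as_bytes()


def naive_scan(stored: bytes) -> bool:
    """What a scanner that ignores MIME sees: a zip signature search over the
    raw stored message.  Returns True only if a zip header is visible."""
    return ZIP_MAGIC in stored


def mime_aware_scan(stored: bytes) -> list:
    """Parse the MIME tree, decode each attachment back to its original bytes,
    open any zip archive, and report executables found inside it."""
    msg = email.message_from_bytes(stored, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undoes the base64 wrapping
        finding = {
            "attachment": part.get_filename(),
            "sha256": hashlib.sha256(payload).hexdigest(),  # what you'd record for a sample
            "is_zip": payload.startswith(ZIP_MAGIC),
            "executables": [],
        }
        if finding["is_zip"]:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if zf.read(info).startswith(PE_MAGIC):
                        finding["executables"].append(info.filename)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    stored = build_stored_message()
    print("raw-bytes scan sees a zip:", naive_scan(stored))
    for f in mime_aware_scan(stored):
        print(f)
```

Run stand-alone it reports that the raw scan sees no zip at all, while the MIME-aware pass decodes FedEx_Label.zip, hashes it, and lists FedEx_mailing_label.exe inside it. The SHA-256 it prints is the kind of identifier worth keeping if you go on to submit the decoded attachment as a sample; the submission itself still follows the password-protected zip procedure described later in the thread.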
11-12-2010 01:39 AM
Is there a procedure for sending in samples
Yes. But read carefully (sorry if this should be too technical for you but others might benefit from it).
Please do so only for items you have scanned (see the reply to your second post why you have to extract a suspicious attachment first) and either:
Please do not send "something" just because you don't know what it is or where it comes from and do not report spam (ignore the link to article 23113 in the document I'll point to below - it should be used only by customers using the applicable products).
Now, "Submitting samples of suspicious files to Sophos" describes the procedure to follow. You have to put the sample in a password-protected .zip file (otherwise a gateway security software might remove it -or- the on-access scanner will prevent browser upload). To do this you first have to safely collect it. While the article describes the procedure for Windows only (it'll probably get amended), you can easily "translate" it to Mac OS.
So, Linda, you'll probably just delete this one. But kudos for thinking of and asking about it.
05-01-2012 10:48 AM
The free product does not scan email at the gateway; we have an enterprise product for that. However, if On-Access scanning is enabled, the emails will be scanned whenever they touch the disk, either during caching (if using a webmail client or IMAP) or when stored locally (via a local mail client such as Mail.app). The Sophos AV engine knows how to parse mailbox files and encoded attachments, and can properly extract and scan embedded attachments that have not yet been extracted and saved to disk.