Sophos Anti-Virus and Exim MTA

  • Article ID: 17605
  • Updated: 21 Oct 2008

When using the Exim MTA in conjunction with Sophos Anti-Virus for UNIX/Linux for the purpose of mail scanning, all files that are scanned are reported as being infected.

This occurs if you have installed the Sophos virus identity (IDE) file called 'Foundu-a.ide', which was released on 24 October 2006.

Customers using the Sophie daemon to interface with Sophos should not be affected by this issue.

What to do

You must modify the Exim user script that calls the command line version of Sophos Anti-Virus for UNIX, and then scans the output for the string 'found'.

  • Modify the Exim script to scan for the string 'found ' (please note the space in this string) or for 'found in'.

    For more information on the scripts, refer to the Exim website: http://www.exim.org/

Technical information

The script is designed to detect that a virus has been found by scanning a file and then matching the string 'found' in the scanner's output.

For example:

Virus 'W32/Magistr-B' found in file ./example.sh

When the 'sweep' command line scanner scans a file, it first loads the virus data and IDE files, which are then listed on screen. Once 'Foundu-a.ide' is installed, its name appears in that listing, so the Exim script's search for the string 'found' always succeeds and every file that is scanned is declared viral.
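
The false positive and the corrected match strings can be reproduced with the sketch below. It is an added example, not the Exim script or Sophos code: the scanner output is constructed, and the layout of the IDE listing line, the case-insensitive match and the function names are assumptions.

```shell
#!/bin/sh
# Added example: all scanner output below is constructed, not captured.
# Assumption: each loaded IDE file is listed by name before the scan report.

CLEAN_OUTPUT="Using IDE file Foundu-a.ide
1 file swept."

INFECTED_OUTPUT="Using IDE file Foundu-a.ide
Virus 'W32/Magistr-B' found in file ./example.sh
1 file swept."

# Original check: any 'found' substring marks the message as infected.
# Assumption: the match is case-insensitive (-i), so the IDE file name
# as the article spells it ('Foundu-a.ide') triggers it.
match_found() { printf '%s\n' "$1" | grep -qi 'found'; }

# Corrected checks from the article: 'found ' (trailing space) or 'found in'.
match_found_space() { printf '%s\n' "$1" | grep -qi 'found '; }
match_found_in() { printf '%s\n' "$1" | grep -qi 'found in'; }

# verdict MATCHER OUTPUT -> prints "infected" or "clean"
verdict() {
    if "$1" "$2"; then echo infected; else echo clean; fi
}

# Compare every matcher against a clean and an infected scan.
for matcher in match_found match_found_space match_found_in; do
    printf '%-18s clean mail: %-9s infected mail: %s\n' "$matcher" \
        "$(verdict "$matcher" "$CLEAN_OUTPUT")" \
        "$(verdict "$matcher" "$INFECTED_OUTPUT")"
done
```

Only the bare 'found' match flags the clean scan, because the IDE listing line satisfies it; both corrected strings still flag the infected scan.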

 
If you need more information or guidance, then please contact technical support.
