[Snort-sigs] Trend antivirus bug?

Harald Finnaas mailings at ...582...
Thu May 2 15:44:55 EDT 2002


I'm just wondering if anyone else has seen Klez viruses pass through mail
servers using Trend Viruswall with the latest pattern (271)?

I'm running Snort with one of the experimental sigs from this list, and what
worries me is that it seems that SOME of the Klez messages are delivered
FROM our SMTP server. Looking at the payload of the packet, it really seems
like the real thing. It contains the usual "Klez wording" and MIME
attachments usually ending in .SCR, .PIF and .BAT.

When I tested by sending a virus myself, it was stopped properly.

Harald





