Virus infected email did not get caught by C370

Dennis Goh · ‎11-12-2012

Hi All,

I have recently received a complaint from my customer's CEO that he received an email with a virus attachment. The file is a .msi file which was attached to an email coming from someone unknown from gmail to him (and several other people after performing message tracking). This attachment was scanned by our C370 Mcafee anti virus engine and was deemed clean, but was caught by my customer's desktop Symantec Antivirus when his CEO tried to open the file.

From what I gather, this particular virus is called trojan.spyeye and discovered in August 2011. My question is, how come the Ironport didn't detect a virus which was discovered a year ago? And what can I do to report this? TAC?

Thanks in advance

Dennis Goh

exMSW4319 · ‎11-12-2012

I assume the nature of your customer's business is such that they routinely need to accept executable content. If not, I wouldn't let most of the mailbox owners receive or send executable content. Yes, it sounds as if McAfee let you down here but what if it were a zero-day threat that no-one knows about?

Dennis Goh · ‎11-13-2012

Hi,

The policies that apply on CEOs and VIPs are much loose than that of normal users, hence the CEO and VIPs were able to receive these emails. As for zero-day, I did consider that, that is why I went on to check whether this virus was new to the world or not. However, after checking, it seems that this virus was discovered slightly more than a year ago.

Any idea how to report this? Any webpage like for reporting SPAMs? Or do I have to open a TAC? Thanks!

Donald Nash · ‎11-13-2012

If you have a copy of the message then I'd say TAC is a good place to start. The problem is with McAfee rather than Cisco, but TAC should be able to point you in the right direction.

In my observation, CEOs and VIPs should be the last people to have the rules loosened. They are the ones who are in the position to cause the most damage if their accounts or computers are compromised.

I asked about the a/v rules because when we turned on McAfee on Friday to deal with the Sophos business, I had to manually update the rules the first time. I didn't know if you had just switched to McAfee or had been using it for a while.

++Don

Dennis Goh · ‎11-13-2012

Hi Don,

Thanks for your advice. I'll ask TAC and see whether they can point me in the correct direction.

In this environment, VIPs are most protected, but VIPs expect to be able to receive emails of any size, and of any kind and etc and they really do rely on Ironport's antispam and antivirus to become the first layer of protection for the VIPs. As for normal users, their policies applied on them are much stringent where they cannot receive certain files and huge emails (example).

Difficult to please these types of customers

Thanks

Greg Hopp · ‎11-13-2012

Just FYI, "antivirusupdate force" worked for me too on my C170 to get the McAfee updates kickstarted. With respect to a VIP getting extra leniency, I consistently see where a C-level is being spearfished and my Ironport stops most of it.

Fortunately, my CEO gets it, and has little sympathy for folks that want more lenient access.

Donald Nash · ‎11-13-2012

Use the command "avstatus mcafee" to see if your a/v rules are up to date.

++Don

Dennis Goh · ‎11-13-2012

Hi Don,

Antivirus is up to date (as in, as of that day). Thanks.

Regards,

Dennis Goh