$ pmdf ver
%PMDF-I-VERSION, PMDF version is PMDF V6.2
COMPAQ AlphaServer DS10 617 MHz running OpenVMS Alpha V7.2-1
PMDF_SHARE_LIBRARY version V6.2-X21; linked 10:35:46, Dec 17 2003
$

Hi all,

This question is slightly off-topic, but I believe many pmdf users are
also using vsweep if running on OpenVMS.

- Background.
I have the conversions file in pmdf running the .com file which is only
slightly modified from the one posted on Process's web site. If a virus
is found by vsweep, I substitute the attachment and let the message
continue on its way.
The clients have McAfee's Virusscan installed, and email scanning is
included.
Vsweep updates are triggered by a special account I have set up
(mail.delivery) and subscribed to Sophos's mailing list for new ides.
Virusscan is automatically updated daily against our server.
Each of these pieces emails our techs to let them know a virus was
found.

So, most email viruses should be caught by vsweep, and if it's not up
to date for some reason, then they should be caught by Virusscan.

- Enter Mydoom.
I checked the logs and Jan 26 at 8:00pm is when vsweep was automatically
updated with the ide for mydoom.

So, I'm not sure when the virus first got to our site, but if it was
before vsweep was updated, then I would expect to have it in users'
inboxes. To check, I did a manual scan of my entire msgstore tree and
found only 1 copy of the virus. The problem is I am continually being
notified by virusscan that it is finding more copies of the mydoom
virus. We're using imap (msgstore), so with all their folders manually
scanned, I don't know why virusscan on the PC is still finding the
virus. I checked, and these users do not have multiple accounts set up
in Outlook. The only thing I can think of is that vsweep is not finding
the virus for some reason.

One thing I noticed is that the vsweep example on Process's web site
does not include the /arch, but I do. I thought that was required in
order to have vsweep look in .zip files.

Has anyone else come across this, or might have some suggestions on what
to check next?

My sweep command is:
$ SOPHOS_SWEEP: SUBROUTINE
$!
$ CONVERTER_COMMAND=="$vsweep_exe:vsweep_axp.exe"
$ CONVERTER_COMMAND 'INPUT_FILE'/ff/ns/il/arch/nooutput

The virus I have seen get through is inside .zip files.

Ideas anyone?

David Priebe
Coordinator IT Systems & Networks
Renfrew County District School Board