Sophos and PDF revisited

Mike Kercher mike at CAMAROSS.NET
Thu Aug 7 20:50:46 IST 2003


I am seeing the same thing:

The following e-mail messages were found to have viruses in them:

    Sender: tlstauft at purvingertz.com
IP Address: 207.34.112.53
 Recipient: tracy.gallucci at williams.com, deb.bogoros at williams.com, miriam.mitchell-banks at williams.com
   Subject: RE: Stampede Follow-up
 MessageID: h77JYuj02622
    Report: Could not check ./h77JYuj02622/Williams0803.zip/C2375_R03_Report1.pdf (unexpected error [0x80040202])

Mike


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Julian Field
Sent: Thursday, August 07, 2003 2:11 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sophos and PDF revisited


Can you put the troublesome PDF into a password-protected zip file and mail
it to me please (off-list). I'm slightly at a loss as to why this option
works sometimes (e.g. detecting corrupt files) but not in your case. I need
to be able to reproduce the problem.

At 18:55 07/08/2003, you wrote:
>Julian Field wrote:
> >
> > And you are doing a "reload" of MailScanner after changing the 
> > MailScanner.conf file?
>
>Yes:
>
># ps -ef | grep MailScanner
>
>     root  6320  6315  1 10:10:25 ?        0:38 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root 14404  6337  0 11:47:59 ?        0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root  6316  6315  1 10:10:14 ?        0:42 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root  6333  6315  2 10:10:45 ?        0:41 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root  6326  6315  0 10:10:35 ?        0:36 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root  6337  6315  1 10:10:55 ?        0:37 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root  6315     1  0 10:10:14 ?        0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>
># sudo pkill MailScanner
># ps -ef | grep MailScanner
>
>(nothing)
>
># sudo /opt/MailScanner/bin/check_mailscanner
># ps -ef | grep MailScanner
>     root 14577 14576  1 11:50:10 ?        0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root 14513 14483  6 11:49:38 ?        0:04 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root 14554 14483  8 11:49:58 ?        0:02 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root 14576 14513  0 11:50:10 ?        0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root 14575 14528  2 11:50:09 ?        0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root 14528 14483  9 11:49:48 ?        0:04 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root 14498 14483  3 11:49:28 ?        0:04 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root 14483     1  0 11:49:17 ?        0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>     root 14484 14483  3 11:49:17 ?        0:05 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>
>Sent another test message and received the same error:
>
>Report: Could not check ./h77HpFbR014728/blah.pdf (unexpected error [0x80040202])
>
>Dustin
>
> > At 17:44 07/08/2003, you wrote:
> > >Good Day,
> > >
> > >Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current 
> > >version of Sophos
> > >
> > >I am receiving the following error messages on some PDFs that go 
> > >through MailScanner:
> > >
> > >         Report: Could not check ./h77FLfbR002021/blah.pdf (unexpected error [0x80040202])
> > >
> > >According to MailScanner.conf, "Anything on the next line that 
> > >appears in brackets at the end of a line of output from Sophos will 
> > >cause the error/infection to be ignored."
> > >
> > >I have added "0x80040202" to "Allowed Sophos Error Messages=" but 
> > >the quarantine still occurs.  I have also tried adding "unexpected 
> > >error," with no luck.
> > >
> > >So, I decided to add "allow \.pdf$ - -" to filename.rules.conf, but 
> > >the quarantine still occurs.
> > >
> > >Any suggestions on what I could do to allow the PDFs with the above 
> > >error message?
> > >
> > >Thanks,
> > >
> > >Dustin
> > >--
> > >Dustin Baer
> > >Unix Administrator/Postmaster
> > >Information Handling Services
> > >15 Inverness Way East
> > >Englewood, CO 80112
> > >303-397-2836
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
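
The rule quoted from MailScanner.conf in this thread ("anything ... that appears in brackets at the end of a line of output from Sophos"), modelled as an added example; it is not part of the original messages and not MailScanner's own code. The comma-separated setting format, the substring match and the tolerated closing ")" are assumptions, and the sample lines are the thread's report lines, unwrapped.

```python
import csv
import re

# Bracketed text at the end of a line. A closing ")" after the bracket is
# tolerated (assumption) because the report lines in this thread end in
# "[0x80040202])".
TRAILING_BRACKET = re.compile(r"\[([^\[\]]+)\]\)?\s*$")


def parse_allowed(value):
    """Split a setting value such as '"corrupt", 0x80040202' into strings."""
    row = next(csv.reader([value], skipinitialspace=True), [])
    return [item.strip() for item in row if item.strip()]


def bracketed_error(line):
    """Return the text inside the trailing [...] of a line, or None."""
    match = TRAILING_BRACKET.search(line)
    return match.group(1) if match else None


def classify(lines, allowed_value):
    """Return (ignored, reported) lists of scanner output lines."""
    allowed = parse_allowed(allowed_value)
    ignored, reported = [], []
    for line in lines:
        error = bracketed_error(line)
        # Only the bracketed part is compared (assumed substring match).
        if error is not None and any(a in error for a in allowed):
            ignored.append(line)
        else:
            reported.append(line)
    return ignored, reported


# Constructed sample: the two report lines from this thread, unwrapped.
SAMPLE = [
    "Could not check ./h77FLfbR002021/blah.pdf (unexpected error [0x80040202])",
    "Could not check ./h77JYuj02622/Williams0803.zip/C2375_R03_Report1.pdf "
    "(unexpected error [0x80040202])",
]

if __name__ == "__main__":
    for setting in ("0x80040202", "unexpected error,", ""):
        ignored, reported = classify(SAMPLE, setting)
        print(f"{setting!r}: ignored={len(ignored)} reported={len(reported)}")
```

Under this model "unexpected error" never matches, because that text sits outside the brackets. Any line that ends up in `ignored` corresponds to an attachment Sophos could not check, so it would be delivered unscanned.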



