Sophos and PDF revisited
Mike Kercher
mike at CAMAROSS.NET
Thu Aug 7 20:50:46 IST 2003
I am seeing the same thing:
The following e-mail messages were found to have viruses in them:
Sender: tlstauft at purvingertz.com
IP Address: 207.34.112.53
Recipient: tracy.gallucci at williams.com, deb.bogoros at williams.com,
miriam.mitchell-banks at williams.com
Subject: RE: Stampede Follow-up
MessageID: h77JYuj02622
Report: Could not check
./h77JYuj02622/Williams0803.zip/C2375_R03_Report1.pdf (unexpected error
[0x80040202])
Mike
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Julian Field
Sent: Thursday, August 07, 2003 2:11 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sophos and PDF revisited
Can you put the troublesome PDF into a password-protected zip file and mail
it to me please (off-list). I'm slightly at a loss as to why this option
works sometimes (e.g. detecting corrupt files) but not in your case. I need
to be able to reproduce the problem.
At 18:55 07/08/2003, you wrote:
>Julian Field wrote:
> >
> > And you are doing a "reload" of MailScanner after changing the
> > MailScanner.conf file?
>
>Yes:
>
># ps -ef | grep MailScanner
>
> root 6320 6315 1 10:10:25 ? 0:38 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 14404 6337 0 11:47:59 ? 0:00 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 6316 6315 1 10:10:14 ? 0:42 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 6333 6315 2 10:10:45 ? 0:41 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 6326 6315 0 10:10:35 ? 0:36 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 6337 6315 1 10:10:55 ? 0:37 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 6315 1 0 10:10:14 ? 0:00 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>
># sudo pkill MailScanner
># ps -ef | grep MailScanner
>
>(nothing)
>
># sudo /opt/MailScanner/bin/check_mailscanner
># ps -ef | grep MailScanner
> root 14577 14576 1 11:50:10 ? 0:00 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 14513 14483 6 11:49:38 ? 0:04 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 14554 14483 8 11:49:58 ? 0:02 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 14576 14513 0 11:50:10 ? 0:00 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 14575 14528 2 11:50:09 ? 0:00 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 14528 14483 9 11:49:48 ? 0:04 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 14498 14483 3 11:49:28 ? 0:04 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 14483 1 0 11:49:17 ? 0:00 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 14484 14483 3 11:49:17 ? 0:05 /usr/bin/perl
>-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>
>Sent another test message and received the same error:
>
>Report: Could not check ./h77HpFbR014728/blah.pdf (unexpected error
>[0x80040202])
>
>Dustin
>
>
>
>
>
> > At 17:44 07/08/2003, you wrote:
> > >Good Day,
> > >
> > >Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current
> > >version of Sophos
> > >
> > >I am receiving the following error messages on some PDFs that go
> > >through
> > >MailScanner:
> > >
> > > Report: Could not check ./h77FLfbR002021/blah.pdf
> > > (unexpected
> error
> > >[0x80040202])
> > >
> > >According to MailScanner.conf, "Anything on the next line that
> > >appears in brackets at the end of a line of output from Sophos will
> > >cause the error/infection to be ignored."
> > >
> > >I have added "0x80040202" to "Allowed Sophos Error Messages=" but
> > >the quarantine still occurs. I have also tried adding "unexpected
> > >error," with no luck.
> > >
> > >So, I decided to add "allow \.pdf$ - -" to filename.rules.conf, but
> > >the quarantined still occurs.
> > >
> > >Any suggestions on what I could do to allow the PDFs with the above
> > >error message?
> > >
> > >Thanks,
> > >
> > >Dustin
> > >--
> > >Dustin Baer
> > >Unix Administrator/Postmaster
> > >Information Handling Services
> > >15 Inverness Way East
> > >Englewood, CO 80112
> > >303-397-2836
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz MailScanner
> > thanks transtec Computers for their support
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz MailScanner thanks
transtec Computers for their support
More information about the MailScanner
mailing list