Sophos and PDF revisited

Julian Field mailscanner at ecs.soton.ac.uk
Tue Aug 12 09:21:42 IST 2003


At 23:24 11/08/2003, you wrote:
>This may be a stupid question, but do I just save this text as a file and
>then 'patch < filename.patch'?

Yes.

>AND...does this patch apply to 4.21-9?

Patch will let you know if it succeeded or failed. It should work okay though.


>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>Of Julian Field
>Sent: Thursday, August 07, 2003 3:06 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Sophos and PDF revisited
>
>
>Please try this patch to SweepViruses.pm.
>
>--- SweepViruses.pm    2003-08-05 21:42:19.000000000 +0100
>+++ SweepViruses.pm.new     2003-08-07 21:00:09.000000000 +0100
>@@ -961,8 +961,13 @@
>     # If the error is one of the allowed errors, then don't report any
>     # infections on this file.
>     if ($error ne "") {
>+    # Treat their string as a list of words, any of which can match
>       my $errorlist = MailScanner::Config::Value('sophosallowederrors');
>-    if ($errorlist && $errorlist =~ /$error/) {
>+    $errorlist =~ s/\s+/ /g;
>+    $errorlist =~ s/[^0-9A-Za-z ]/\\$&/g;
>+    $errorlist =~ s/ /\|/g;
>+    #if ($errorlist ne "" && $errorlist =~ /$error/) {
>+    if ($errorlist ne "" && $error =~ /$errorlist/) {
>         MailScanner::Log::WarnLog("Ignored Sophos '%s' error", $error);
>         return 0;
>       }
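Review bot: In the three substitutions that turn the configured value into an alternation, a leading or trailing space in 'sophosallowederrors' survives `s/\s+/ /g` as a single space and is then turned into a leading or trailing `|`. That leaves an empty alternative in the pattern, so `$error =~ /$errorlist/` matches every error string, every Sophos error is logged as ignored, and the function returns 0 for files that were never actually checked. Strip leading and trailing whitespace before the join (for example `$errorlist =~ s/^\s+|\s+$//g;`), or build the pattern with `join('|', map { quotemeta } split(' ', $errorlist))`, which also removes the need for `$&`. The test is also still an unanchored substring match, so a short configured word will match any error that merely contains it; if only the bracketed code is meant to match, anchor each word accordingly. The commented-out old condition can be deleted rather than left in the file.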
>
>At 20:50 07/08/2003, you wrote:
> >I am seeing the same thing:
> >
> >The following e-mail messages were found to have viruses in them:
> >
> >     Sender: tlstauft at purvingertz.com
> >IP Address: 207.34.112.53
> >  Recipient: tracy.gallucci at williams.com, deb.bogoros at williams.com,
> >miriam.mitchell-banks at williams.com
> >    Subject: RE: Stampede Follow-up
> >  MessageID: h77JYuj02622
> >     Report: Could not check
> >./h77JYuj02622/Williams0803.zip/C2375_R03_Report1.pdf (unexpected error
> >[0x80040202])
> >
> >Mike
> >
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >Behalf Of Julian Field
> >Sent: Thursday, August 07, 2003 2:11 PM
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: Re: Sophos and PDF revisited
> >
> >
> >Can you put the troublesome PDF into a password-protected zip file and
> >mail it to me please (off-list). I'm slightly at a loss as to why this
> >option works sometimes (e.g. detecting corrupt files) but not in your
> >case. I need to be able to reproduce the problem.
> >
> >At 18:55 07/08/2003, you wrote:
> > >Julian Field wrote:
> > > >
> > > > And you are doing a "reload" of MailScanner after changing the
> > > > MailScanner.conf file?
> > >
> > >Yes:
> > >
> > ># ps -ef | grep MailScanner
> > >
> > >     root  6320  6315  1 10:10:25 ?        0:38 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root 14404  6337  0 11:47:59 ?        0:00 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root  6316  6315  1 10:10:14 ?        0:42 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root  6333  6315  2 10:10:45 ?        0:41 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root  6326  6315  0 10:10:35 ?        0:36 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root  6337  6315  1 10:10:55 ?        0:37 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root  6315     1  0 10:10:14 ?        0:00 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >
> > ># sudo pkill MailScanner
> > ># ps -ef | grep MailScanner
> > >
> > >(nothing)
> > >
> > ># sudo /opt/MailScanner/bin/check_mailscanner
> > ># ps -ef | grep MailScanner
> > >     root 14577 14576  1 11:50:10 ?        0:00 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root 14513 14483  6 11:49:38 ?        0:04 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root 14554 14483  8 11:49:58 ?        0:02 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root 14576 14513  0 11:50:10 ?        0:00 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root 14575 14528  2 11:50:09 ?        0:00 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root 14528 14483  9 11:49:48 ?        0:04 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root 14498 14483  3 11:49:28 ?        0:04 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root 14483     1  0 11:49:17 ?        0:00 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >     root 14484 14483  3 11:49:17 ?        0:05 /usr/bin/perl
> > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > >
> > >Sent another test message and received the same error:
> > >
> > >Report: Could not check ./h77HpFbR014728/blah.pdf (unexpected error
> > >[0x80040202])
> > >
> > >Dustin
> > >
> > >
> > >
> > >
> > >
> > > > At 17:44 07/08/2003, you wrote:
> > > > >Good Day,
> > > > >
> > > > >Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current
> > > > >version of Sophos
> > > > >
> > > > > >I am receiving the following error messages on some PDFs that go
> > > > > >through MailScanner:
> > > > > >
> > > > > >         Report: Could not check ./h77FLfbR002021/blah.pdf
> > > > > >(unexpected error [0x80040202])
> > > > >
> > > > >According to MailScanner.conf, "Anything on the next line that
> > > > >appears in brackets at the end of a line of output from Sophos
> > > > >will cause the error/infection to be ignored."
> > > > >
> > > > >I have added "0x80040202" to "Allowed Sophos Error Messages=" but
> > > > >the quarantine still occurs.  I have also tried adding
> > > > >"unexpected error," with no luck.
> > > > >
> > > > >So, I decided to add "allow \.pdf$ - -" to filename.rules.conf,
> > > > > >but the quarantine still occurs.
> > > > >
> > > > >Any suggestions on what I could do to allow the PDFs with the
> > > > >above error message?
> > > > >
> > > > >Thanks,
> > > > >
> > > > >Dustin
> > > > >--
> > > > >Dustin Baer
> > > > >Unix Administrator/Postmaster
> > > > >Information Handling Services
> > > > >15 Inverness Way East
> > > > >Englewood, CO 80112
> > > > >303-397-2836
> > > >
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > Professional Support Services at www.MailScanner.biz MailScanner
> > > > thanks transtec Computers for their support
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >Professional Support Services at www.MailScanner.biz MailScanner thanks
> >transtec Computers for their support
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz MailScanner thanks
>transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support


