Sophos and Corrupt Files

Scott Adkins adkinss at OHIO.EDU
Wed Feb 5 15:50:53 GMT 2003


I know we have had considerable discussion on this topic already, and I
need to find some resolution to it.

The issue seems to be that users are sending documents via attachments
that get flagged as corrupt by Sophos and labeled as a virus in MailScanner.
So far, all the documents I have managed to get my hands on indicate that
these documents are indeed in some way corrupt.  Most of the time, I can't
even open the documents myself on my desktop.  Periodically, I can find a
PDF document that appears to open and look fine without generating any
errors, but scanning it with Sophos indicates that the PDF is corrupt.
This isn't necessarily untrue, as all of the PDF tools that I have at my
disposal (conversion utilities to convert to postscript format, or other
programs that can open and view the document) also say that the document
is corrupt and refuse to do anything with it... It just happens to be that
Adobe Acrobat Reader was forgiving enough in that particular case to allow
me to view it successfully.

So, I see two problems here:

  1) Sophos is very strict in following the document format standards, and
     if the document doesn't follow that standard, it says that it can't
     scan the document and labels it corrupt.  I do not know how strict
     Sophos is on this, but most of the documents I have found do indeed
     have problems when trying to open them up with whatever standard
     software is installed on my machine.

     Incidentally, Sophos claims that it couldn't find the start *and*
     end of the document and that is why it claims it can't scan the
     document.  I really don't believe this claim.  The errors I typically
     see when opening the documents myself are things like invalid variable
     names, etc.  This could be the result of a newer version of document
     formats that Sophos doesn't yet understand, or non-standard software
     used to create those documents to begin with.

  2) When Sophos comes back and says that the document couldn't be scanned
     for whatever reason, MailScanner simply labels the file as a virus and
     moves on.  I don't agree with this, as I think the administrator is
     the one that should decide how to handle these situations.  This is
     no different than how external MIME attachments are handled, since
     those attachments can't be scanned by the virus scanner either.

What are the solutions to this problem?

  1) Sophos probably should be a lot less restrictive when scanning some
     document formats.  Aren't virus patterns determined by the patterns
     themselves and not how closely a PDF document adheres to Adobe's
     format standards?  If you don't see the virus patterns, shouldn't
     you say the document is clean?  We are going to generate a support
     call to them on this later this morning.

  2) MailScanner should give us the option to allow documents that are
     unable to be scanned by the virus scanner through.  We are getting a
     lot of calls about this now to our Support Center, and it is being
     pushed through the higher ranks.  We are an educational institution,
     and whatever we think may be the right answer (i.e. no external MIME
     attachments, do filename checking, etc etc), politics dictate the
     policies.  Anyways, I think we need an option in the config file to
     allow these documents through.

Scott W. Adkins
UNIX Systems Engineer    mailto:adkinss at
ICQ 7626282    Work (740)593-9478    Fax (740)593-1944
PGP Public Key available at
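The distinction the post draws, between a PDF that a strict scanner rejects as "cannot find start and end" and one a forgiving reader still opens, as an added example that is not part of the original message nor code from MailScanner or Sophos. The marker checks, the 1024-byte tolerance windows and the three verdicts are assumptions chosen to illustrate the point; the PDF bytes are constructed.

```python
# Added example (not from the post, MailScanner or Sophos): a strict
# start/end-marker check beside a lenient one, to show why "unscannable"
# and "infected" are different outcomes worth separate handling.
import re

HEADER_RE = re.compile(rb"%PDF-\d\.\d")

def check_pdf_markers(data: bytes, lenient: bool) -> dict:
    """Report which structural markers were found.

    strict : '%PDF-x.y' must sit at offset 0 and '%%EOF' must end the file.
    lenient: header anywhere in the first 1024 bytes, '%%EOF' anywhere in
             the last 1024 bytes (an assumed model of a tolerant reader).
    """
    if lenient:
        has_header = HEADER_RE.search(data[:1024]) is not None
        has_eof = b"%%EOF" in data[-1024:]
    else:
        has_header = HEADER_RE.match(data) is not None
        has_eof = data.rstrip(b"\r\n ").endswith(b"%%EOF")
    has_xref = b"startxref" in data
    return {"header": has_header, "eof": has_eof, "startxref": has_xref,
            "ok": has_header and has_eof and has_xref}

# Constructed sample: minimal well-formed skeleton (object bodies omitted).
GOOD = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
        b"xref\n0 1\n0000000000 65535 f \ntrailer<</Root 1 0 R>>\n"
        b"startxref\n9\n%%EOF\n")
# Constructed sample: a junk line before the header and a trailing line
# after %%EOF, the kind of damage a forgiving reader tolerates.
SLOPPY = b"garbage line\r\n" + GOOD + b"extra\n"

def scanner_verdict(data: bytes) -> str:
    """Three-way outcome instead of the binary 'virus or clean'."""
    if check_pdf_markers(data, lenient=False)["ok"]:
        return "scanned"
    if check_pdf_markers(data, lenient=True)["ok"]:
        return "unscannable-but-readable"
    return "unscannable"

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("sloppy", SLOPPY), ("junk", b"not a pdf")):
        print(name, scanner_verdict(blob), check_pdf_markers(blob, lenient=True))
```

The middle verdict is the case the post describes: a gateway can log and route it by policy rather than silently equating it with an infection.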