Sophos and Corrupt Files
Scott Adkins
adkinss at OHIO.EDU
Wed Feb 5 15:50:53 GMT 2003
Julian,
I know we have had considerable discussion on this topic already, and I
need to find some resolution to it.
The issue seems to be that users are sending documents via attachments
that get flagged as corrupt by Sophos and labeled as a virus in MailScanner.
So far, all the documents I have managed to get my hands on indicate that
these documents are indeed in some way corrupt. Most of the time, I can't
even open the documents myself on my desktop. Periodically, I can find a
PDF document that appears to open and look fine without generating any
errors, but scanning it with Sophos indicates that the PDF is corrupt.
This isn't necessarily untrue, as all of the PDF tools that I have at my
disposal (conversion utilities to convert to postscript format, or other
programs that can open and view the document) also say that the document
is corrupt and refuse to do anything with it... It just happens to be that
Adobe Acrobat Reader was forgiving enough in that particular case to allow
me to view it successfully.
So, I see two problems here:
1) Sophos is very strict in following the document format standards, and
if the document doesn't follow that standard, it says that it can't
scan the document and labels it corrupt. I do not know how strict
Sophos is on this, but most of the documents I have found do indeed
have problems when trying to open them up with whatever standard
software is installed on my machine.
Incidentally, Sophos claims that it couldn't find the start *and*
end of the document and that is why it claims it can't scan the
document. I really don't believe this claim. The errors I typically
see when opening the documents myself are things like invalid variable
names, etc. This could be the result of a newer version of document
formats that Sophos doesn't yet understand, or non-standard software
used to create those documents to begin with.
2) When Sophos comes back and says that the document couldn't be scanned
for whatever reason, MailScanner simply labels the file as a virus and
moves on. I don't agree with this, as I think the administrator is
the one that should decide how to handle these situations. This is
no different than how external MIME attachments are handled, since
those attachments can't be scanned by the virus scanner either.
What are the solutions to this problem?
1) Sophos probably should be a lot less restrictive when scanning some
document formats. Aren't virus patterns determined by the patterns
themselves and not how closely a PDF document adheres to Adobe's
format standards? If you don't see the virus patterns, shouldn't
you say the document is clean? We are going to generate a support
call to them on this later this morning.
2) MailScanner should give us the option to allow documents that are
unable to be scanned by the virus scanner through. We are getting a
lot of calls about this now to our Support Center, and it is being
pushed through the higher ranks. We are an educational institution,
and whatever we think may be the right answer (i.e. no external MIME
attachments, do filename checking, etc.), politics dictate the
policies. Anyways, I think we need an option in the config file to
allow these documents through.
Thanks,
Scott
--
+-----------------------------------------------------------------------+
Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
UNIX Systems Engineer mailto:adkinss at ohio.edu
ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
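
Added example, not part of the original post and not a description of how Sophos decides a file is corrupt: a Python check that a mail administrator could run on a quarantined PDF to see whether the start and end markers are where a strict parser expects them, or only where a forgiving viewer will still accept them. It assumes "strict" means `%PDF-` at byte 0 and nothing but line endings after the last `%%EOF`, and "lenient" means both markers within 1024 bytes of the file's ends, the tolerance Adobe documents for Acrobat viewers; the sample byte strings are constructed.

```python
# Added illustration: looks only at the PDF start/end markers, nothing else.
HEADER = b"%PDF-"
EOF_MARKER = b"%%EOF"
WINDOW = 1024  # tolerance Adobe documents for Acrobat viewers


def pdf_marker_check(data: bytes) -> dict:
    """Locate the start and end markers and say which reading accepts them."""
    head_pos = data.find(HEADER, 0, WINDOW)
    eof_pos = data.rfind(EOF_MARKER)
    tail = data[eof_pos + len(EOF_MARKER):] if eof_pos >= 0 else b""

    # Strict reading (assumption): header is the first bytes of the file and
    # only line-ending whitespace follows the last %%EOF.
    strict = head_pos == 0 and eof_pos >= 0 and tail.strip(b"\r\n ") == b""
    # Lenient reading: header lies within the first 1024 bytes and the last
    # %%EOF begins within the last 1024 bytes.
    lenient = head_pos >= 0 and eof_pos >= 0 and eof_pos >= len(data) - WINDOW

    if strict:
        verdict = "strict"
    elif lenient:
        verdict = "lenient-only"
    else:
        verdict = "markers-missing"
    return {"header_offset": head_pos, "eof_offset": eof_pos, "verdict": verdict}


# Constructed samples (not real mail attachments).
CLEAN = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\nstartxref\n9\n%%EOF\n"
WRAPPED = b"X-Gateway: relay\r\n\r\n" + CLEAN + b"-- appended footer --\r\n"
TRUNCATED = CLEAN[:30]

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("wrapped", WRAPPED),
                         ("truncated", TRUNCATED)):
        print(name, pdf_marker_check(sample))
```

A "lenient-only" result is the case described in the message: the file opens in a forgiving viewer while stricter tools refuse it.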