Sophos and Corrupt Files
mailscanner at ecs.soton.ac.uk
Wed Feb 5 17:16:07 GMT 2003
What version of Sophos are you running?
The "corrupt" errors seem to disappear with 3.66 (i.e. the very latest off
the web). I have seen 3.62 - 3.65 complain about documents that 3.66 is
perfectly happy with. And the fact that absolutely no-one except Sophos
users are having any corrupted file problems does slightly point the finger
at Sophos. Maybe when asked to disinfect a file that it thinks is corrupt,
it damages it? Just a thought.
I know Sophos are blaming me for this problem.
But it strikes me as very odd that only Sophos users are having file
And I can't reproduce it in Sophos 3.66.
At 15:50 05/02/2003, you wrote:
>I know we have had considerable discussion on this topic already, and I
>need to find some resolution to it.
>The issue seems to be that users are sending documents via attachments
>that get flagged as corrupt by Sophos and labeled as a virus in MailScanner.
>So far, all the documents I have managed to get my hands on indicate that
>these documents are indeed in some way corrupt. Most of the time, I can't
>even open the documents myself on my desktop. Periodically, I can find a
>PDF document that appears to open and look fine without generating any
>errors, but scanning it with Sophos indicates that the PDF is corrupt.
>This isn't necessarily untrue, as all of the PDF tools that I have at my
>disposal (conversion utilities to convert to postscript format, or other
>programs that can open and view the document) also say that the document
>is corrupt and refuse to do anything with it... It just happens to be that
>Adobe Acrobat Reader was forgiving enough in that particular case to allow
>me to view it successfully.
>So, I see two problems here:
> 1) Sophos is very strict in following the document format standards, and
> if the document doesn't follow that standard, it says that it can't
> scan the document and labels it corrupt. I do not know how sctrict
> Sophos is on this, but most of the documents I have found does indeed
> have problems when trying to open them up with whatever standard
> software installed on my machine.
> Indicidentally, Sophos claims that it couldn't find the start *and*
> end of the document and that is why it claims it can't scan the
> document. I really don't believe this claim. The errors I typically
> see when opening the documents myself are things like invalid variable
> names, etc. This could be the result of a newer version of document
> formats that Sophos doesn't yet understand, or non-standard software
> used to create those documents to begin with.
> 2) When Sophos comes back and says that the document couldn't be scanned
> for whatever reason, MailScanner simply labels the file as a virus and
> moves on. I don't agree with this, as I think the administrator is
> the one that should decide how to handle these situations. This is
> no different than how external MIME attachments are handled, since
> those attachments can't be scanned by the virus scanner as well.
>What are the solutions to this problem?
> 1) Sophos probably should be a lot less restrictive when scanning some
> document formats. Aren't virus patterns determined by the patterns
> themselves and not how closely a PDF document adheres to Adobe's
> format standards? If you don't see the virus patterns, shouldn't
> you say the document is clean? We are going to generate a support
> call to them on this later this morning.
> 2) MailScanner should give us the option to allow documents that are
> unable to be scanned by the virus scanner through. We are getting a
> lot of calls about this now to our Support Center, and it is being
> pushed through the higher ranks. We are an educational institution,
> and what we think may be the right answer (i.e. no external MIME
> attachments, do filename checking, etc etc), politics dictate the
> policies. Anyways, I think we need an option in the config file to
> allow these documents through.
> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
> UNIX Systems Engineer mailto:adkinss at ohio.edu
> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
> PGP Public Key available at
MailScanner thanks transtec Computers for their support
More information about the MailScanner