Sophos and Corrupt Files

Julian Field mailscanner at ecs.soton.ac.uk
Wed Feb 5 17:16:07 GMT 2003


What version of Sophos are you running?

The "corrupt" errors seem to disappear with 3.66 (i.e. the very latest off
the web). I have seen 3.62 - 3.65 complain about documents that 3.66 is
perfectly happy with. And the fact that absolutely no-one except Sophos
users are having any corrupted file problems does slightly point the finger
at Sophos. Maybe when asked to disinfect a file that it thinks is corrupt,
it damages it? Just a thought.

I know Sophos are blaming me for this problem.
But it strikes me as very odd that only Sophos users are having file
corruption problems...
And I can't reproduce it in Sophos 3.66.

At 15:50 05/02/2003, you wrote:
>Julian,
>
>I know we have had considerable discussion on this topic already, and I
>need to find some resolution to it.
>
>The issue seems to be that users are sending documents via attachments
>that get flagged as corrupt by Sophos and labeled as a virus in MailScanner.
>So far, all the documents I have managed to get my hands on indicate that
>these documents are indeed in some way corrupt.  Most of the time, I can't
>even open the documents myself on my desktop.  Periodically, I can find a
>PDF document that appears to open and look fine without generating any
>errors, but scanning it with Sophos indicates that the PDF is corrupt.
>This isn't necessarily untrue, as all of the PDF tools that I have at my
>disposal (conversion utilities to convert to postscript format, or other
>programs that can open and view the document) also say that the document
>is corrupt and refuse to do anything with it... It just happens to be that
>Adobe Acrobat Reader was forgiving enough in that particular case to allow
>me to view it successfully.
>
>So, I see two problems here:
>
>  1) Sophos is very strict in following the document format standards, and
>     if the document doesn't follow that standard, it says that it can't
>     scan the document and labels it corrupt.  I do not know how strict
>     Sophos is on this, but most of the documents I have found do indeed
>     have problems when trying to open them up with whatever standard
>     software installed on my machine.
>
>     Incidentally, Sophos claims that it couldn't find the start *and*
>     end of the document and that is why it claims it can't scan the
>     document.  I really don't believe this claim.  The errors I typically
>     see when opening the documents myself are things like invalid variable
>     names, etc.  This could be the result of a newer version of document
>     formats that Sophos doesn't yet understand, or non-standard software
>     used to create those documents to begin with.
>
>  2) When Sophos comes back and says that the document couldn't be scanned
>     for whatever reason, MailScanner simply labels the file as a virus and
>     moves on.  I don't agree with this, as I think the administrator is
>     the one that should decide how to handle these situations.  This is
>     no different than how external MIME attachments are handled, since
>     those attachments can't be scanned by the virus scanner as well.
>
>What are the solutions to this problem?
>
>  1) Sophos probably should be a lot less restrictive when scanning some
>     document formats.  Aren't virus patterns determined by the patterns
>     themselves and not how closely a PDF document adheres to Adobe's
>     format standards?  If you don't see the virus patterns, shouldn't
>     you say the document is clean?  We are going to generate a support
>     call to them on this later this morning.
>
>  2) MailScanner should give us the option to allow documents that are
>     unable to be scanned by the virus scanner through.  We are getting a
>     lot of calls about this now to our Support Center, and it is being
>     pushed through the higher ranks.  We are an educational institution,
>     and what we think may be the right answer (i.e. no external MIME
>     attachments, do filename checking, etc etc), politics dictate the
>     policies.  Anyways, I think we need an option in the config file to
>     allow these documents through.
>
>Thanks,
>Scott
>--
>+-----------------------------------------------------------------------+
>      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>+-----------------------------------------------------------------------+
>     PGP Public Key available at
> http://www.cns.ohiou.edu/~sadkins/pgp/

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support


