Sophos and Corrupt Files

Mike Kercher mike at CAMAROSS.NET
Wed Feb 5 21:04:00 GMT 2003


Sorry for the short answer...I was in the middle of a water change in my
aquarium.  You bring up some very valid points.  One of our environments is
an accounting firm and pdf's are a must.  All of our documents are either
generated in-house by the Digital Sender or the full blown Acrobat product.
In my own experience, I have created a few pdf's with lesser products, but
have yet to have a failure from it.  I can certainly understand your
position though...not having a standardized routine for generating a pdf
could certainly produce unexpected and less than favorable results.  I was
just throwing my $0.02 out there.

Mike


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Scott Adkins
Sent: Wednesday, February 05, 2003 1:04 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sophos and Corrupt Files


That may be, but that isn't the case for us.  I don't know what you mean
with respect to "HP Digital Senders".  Is that an application that somehow
generates the PDF documents on the fly?  If that is the case, then I would
say that it would make sense that you would have zero defects with a LOT
of PDFs, especially if they all come from a single source that generates
valid PDF documents.

We are a University environment with all kinds of software installed on all
kinds of machines.  Lots of applications can now save directly to PDF format
and I don't believe that all of them would necessarily follow the Adobe
specifications to the tee... I imagine some of the cheaper products would
cheat here and there, and maybe even some products would inject their own
additions to the format in hopes of making the PDF documents work or look
better in their products.  *shrugs*

The point is, we do see them here.  On the grand scheme of things, the
number of corrupted documents is a small number compared to the number of
documents that are fine and scan properly... but the ones that scan fine
aren't the ones that complain to our Support Center.  It further doesn't
help when I can take some of these documents and look at them fine with
Acrobat Reader, but any other PDF tool won't even touch them... From the
perspective of the users (who mostly use Reader around here), the file
is okay and not corrupted, but the emails are saying they contain viruses
(and they don't seem to read what the message actually says, which says
the document is corrupt).  They see the {Virus?} in the subject line and
basically freak out.  *shakes head*

Anyways, maybe the newer version of Sophos (3.66a) will help.

Scott

--On Wednesday, February 05, 2003 10:48 AM -0600 Mike Kercher 
<mike at CAMAROSS.NET> wrote:

> I have zero defects with .pdf documents going through my servers and we
> do a LOT of pdf's with HP Digital Senders all over the place.
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Scott Adkins
> Sent: Wednesday, February 05, 2003 9:51 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Sophos and Corrupt Files
>
>
> Julan,
>
> I know we have had considerable discussion on this topic already, and I
> need to find some resolution to it.
>
> The issue seems to be that users are sending documents via attachments
> that get flagged as corrupt by Sophos and labeled as a virus in
> MailScanner. So far, all the documents I have managed to get my hands on
> indicate that these documents are indeed in some way corrupt.  Most of
> the time, I can't even open the documents myself on my desktop.
> Periodically, I can find a PDF document that appears to open and look
> fine without generating any errors, but scanning it with Sophos indicates
> that the PDF is corrupt. This isn't necessarily untrue, as all of the PDF
> tools that I have at my disposal (conversion utilities to convert to
> postscript format, or other programs that can open and view the document)
> also say that the document is corrupt and refuse to do anything with
> it... It just happens to be that Adobe Acrobat Reader was forgiving
> enough in that particular case to allow me to view it successfully.
>
> So, I see two problems here:
>
>   1) Sophos is very strict in following the document format standards, and
>      if the document doesn't follow that standard, it says that it can't
>      scan the document and labels it corrupt.  I do not know how strict
>      Sophos is on this, but most of the documents I have found do indeed
>      have problems when trying to open them up with whatever standard
>      software installed on my machine.
>
>      Incidentally, Sophos claims that it couldn't find the start *and*
>      end of the document and that is why it claims it can't scan the
>      document.  I really don't believe this claim.  The errors I typically
>      see when opening the documents myself are things like invalid
>      variable names, etc.  This could be the result of a newer version of
>      document formats that Sophos doesn't yet understand, or non-standard
>      software used to create those documents to begin with.
>
>   2) When Sophos comes back and says that the document couldn't be scanned
>      for whatever reason, MailScanner simply labels the file as a virus
>      and moves on.  I don't agree with this, as I think the administrator
>      is the one that should decide how to handle these situations.  This
>      is no different than how external MIME attachments are handled, since
>      those attachments can't be scanned by the virus scanner as well.
>
> What are the solutions to this problem?
>
>   1) Sophos probably should be a lot less restrictive when scanning some
>      document formats.  Aren't virus patterns determined by the patterns
>      themselves and not how closely a PDF document adheres to Adobe's
>      format standards?  If you don't see the virus patterns, shouldn't
>      you say the document is clean?  We are going to generate a support
>      call to them on this later this morning.
>
>   2) MailScanner should give us the option to allow documents that are
>      unable to be scanned by the virus scanner through.  We are getting a
>      lot of calls about this now to our Support Center, and it is being
>      pushed through the higher ranks.  We are an educational institution,
>      and what we think may be the right answer (i.e. no external MIME
>      attachments, do filename checking, etc etc), politics dictate the
>      policies.  Anyways, I think we need an option in the config file to
>      allow these documents through.
>
> Thanks,
> Scott
> --
>  +-----------------------------------------------------------------------+
>       Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>    UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>         ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>  +-----------------------------------------------------------------------+
>      PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/


-- 
 +-----------------------------------------------------------------------+
      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
 +-----------------------------------------------------------------------+
     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
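
The thread's "start and end of the document" complaint, as an added example that is not part of the original messages and is not Sophos's or MailScanner's logic: a marker check run strictly and then with the tolerance Adobe documents for Acrobat viewers (header within the first 1024 bytes, %%EOF within the last 1024), which is one way a file can open in Reader yet be refused by stricter tools. The sample byte strings and the three category names are constructed for illustration.

```python
import re

WINDOW = 1024  # tolerance documented for Acrobat viewers: marker anywhere in this many bytes
HEADER = rb"%PDF-\d\.\d"

def pdf_markers(data: bytes) -> dict:
    """Look for the header and end-of-file markers strictly and leniently."""
    return {
        "strict_start": re.match(HEADER, data) is not None,        # must be at byte 0
        "strict_end": data.rstrip(b"\r\n\t ").endswith(b"%%EOF"),  # must be the last token
        "lenient_start": re.search(HEADER, data[:WINDOW]) is not None,
        "lenient_end": b"%%EOF" in data[-WINDOW:],
    }

def classify(data: bytes) -> str:
    """Only the two markers are checked; this is not a full PDF validator."""
    m = pdf_markers(data)
    if m["strict_start"] and m["strict_end"]:
        return "well-formed"
    if m["lenient_start"] and m["lenient_end"]:
        return "viewer-tolerated"  # a forgiving reader opens it, strict tools refuse
    return "unparseable"

# Constructed sample inputs (not real documents).
BODY = b"1 0 obj\n<< /Type /Catalog >>\nendobj\nstartxref\n9\n"
CLEAN = b"%PDF-1.4\n" + BODY + b"%%EOF\n"
WRAPPED = b"exported by some tool\r\n" + CLEAN + b"\x00" * 200  # junk before and after
TRUNCATED = b"%PDF-1.4\n" + BODY[:20]                            # cut off mid-transfer

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("wrapped", WRAPPED), ("truncated", TRUNCATED)):
        print(f"{name:10s} {classify(blob)}")
```

A gateway that reports the middle category separately from a signature match gives the administrator the distinction the thread asks for: an unscannable file rather than a detected virus.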



