Sophos issues

Scott Adkins adkinss at OHIO.EDU
Mon Jan 27 15:51:24 GMT 2003


I just spoke with Sophos about this issue.  The person I spoke with tells
me that this is definitely a MailScanner issue.  The files are already
"corrupt" by the time that Sophos sees it (basically, it can't see both
the start of the file and the end of the file, is what I was told).  I
asked about the RAR archives, and she said that Sophos currently can't
scan RAR version 3 archives, but that will be available in the next
release.  She suggested that I quarantine messages and release the files
that get labeled corrupted, or in the case of the RAR files, maybe put
the file extension on a whitelist, basically.

Anyways, without the original files from these people, I can't verify
for sure if the documents were already corrupted.  I am still working
that issue.  How does MailScanner send files to Sophos?  I assume it
extracts the file in the attachment to a real file on the disk and then
points Sophos to it, right?  Are there cases where the whole file may
not be written to disk for some reason?

What would be really helpful, at this point, is a way for me to set an
option to allow corrupted files to pass through MailScanner without being
flagged as viruses and without being touched.  The same goes for scanning
of external MIME attachments (which is another thread).  There should be
an option to not flag those as viruses and to allow the messages to pass
through untouched.  Both of these issues are generating support calls for
us right now.

Thanks,
Scott

--On Monday, January 27, 2003 9:12 AM -0500 Scott Adkins <adkinss at OHIO.EDU> 
wrote:

> This problem seems to be even more widespread than that... Friday,
> somebody complained about an XLS document that was getting flagged as
> a virus... They sent it multiple times and every time, it would get
> to the other side flagged as a virus and the message would indicate
> that it was corrupted.  Today, I have a couple reports on PDF documents
> doing the same thing.
>
> Looking at the PDF document on the destination side (after it gets
> there and says it is corrupted), I get these error messages:
>
>   Insufficient data for an image
>
> AND
>
>   Unable to extract the embedded font "DOrchesterScriptMT".  Some
>     characters may not display or print correctly.
>
> I am trying to get the original documents described above so I can do
> a better check on them, but it all depends on them getting back to me.
>
> Ah... My grep on the syslog files just finished.  Attached is the output
> of what I found with regards to looking for corrupt documents that
> MailScanner reports...
>
> So, is it correct to assume that Sophos is the one having problems with
> this?  The question that I have is whether or not the document was already
> corrupted when Sophos got a hold of it, or if Sophos corrupted it when
> trying to scan it...
>
> Scott
>
> --On Thursday, January 23, 2003 2:28 PM +0000 Julian Field
> <mailscanner at ECS.SOTON.AC.UK> wrote:
>
>> I have heard of other similar problems with RAR archives and Sophos in
>> the last few days. Supposedly Sophos tech support are working on them.
>>
>> If you do a standard (Sophos's standard) installation of their virus
>> scanner, and use sweep to scan the RAR file, and it still produces the
>> errors (which I believe it will), then you should log a fault call with
>> Sophos tech support so that they work faster on fixing this problem.
>>
>> At 13:48 23/01/2003, you wrote:
>>> Hello,
>>>
>>> Yesterday I added Sophos to McAfee as my virus scanners in MS.  I then
>>> noticed the following messages in my logs:
>>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar/StAR2001_2002Fleury et alH.doc (format not supported)
>>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar (corrupt)
>>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: sophos found 2 infections
>>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: Found 2 viruses
>>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected "StAR2001_2002Fleury et alH.rar (corrupt)" to /quarantaine/usherbrooke/20030122/h0MHL9O22471
>>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected "StAR2001_2002Fleury et alH.rar" to /quarantaine/usherbrooke/20030122/h0MHL9O22471
>>> Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
>>> Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
>>> Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: sophos found 1 infections
>>> Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: Found 1 viruses
>>> Jan 22 12:58:34 smtp2 MailScanner[10824]: Saved infected "Calendrier2003.pps (corrupt)" to /quarantaine/hermes/20030122/h0MHwPO31882
>>> Jan 22 16:26:55 smtp2 MailScanner[22132]: Could not check ./h0MLQmO04098/winmail.dat (corrupt)
>>> Jan 22 16:26:55 smtp2 MailScanner[22132]: Virus Re-scanning: sophos found 1 infections
>>> Jan 22 16:26:55 smtp2 MailScanner[22132]: Disinfection: Rescan found only 1 viruses
>>>
>>> I checked my old logs and these messages had never appeared before I
>>> added Sophos so I'm pretty sure it is the culprit.  McAfee didn't
>>> complain about those files.
>>>
>>> I'm running version 4.11-1 on RH 7.3 with the external winmail.dat
>>> extractor.
>>>
>>> The problem is annoying because the attachments were not transmitted to
>>> the users and even though MS informed them that they were quarantined in
>>> directory X, they are not there except for the RAR file. For the others,
>>> the directory is empty.
>>>
>>> Until this issue is resolved I deactivated Sophos.  Anyhow the Sophos
>>> quote I received was based on the number of users my mail gateways
>>> protect and was way too expensive for us.
>>>
>>> Thanks again!
>>>
>>> Denis
>>> --
>>> Denis Beauchemin, analyst
>>> Université de Sherbrooke, S.T.I.
>>> T: 819.821.8000x2252 F: 819.821.8045
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> MailScanner thanks transtec Computers for their support


-- 
 +-----------------------------------------------------------------------+
      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
 +-----------------------------------------------------------------------+
     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
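The log excerpt Denis posted (and the grep Scott ran over his own syslog) is the kind of thing worth automating while this is being chased with Sophos: separate the "Could not check ... (corrupt)" / "(format not supported)" scanner errors from the "found N infections" counts, so you can see at a glance which quarantined "viruses" are really just files Sophos could not read. The script below is an added example for this page, not part of the thread or of MailScanner itself. It takes the exact lines quoted above as its sample input; the regular expressions are written against that log format, and grouping by the MailScanner child PID assumes one message per child batch, which holds for the excerpt but is not guaranteed in general since MailScanner processes messages in batches.

```python
import re
from collections import defaultdict

# Sample input: the syslog lines quoted in Denis Beauchemin's post above.
SAMPLE_LOG = """\
Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar/StAR2001_2002Fleury et alH.doc (format not supported)
Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar (corrupt)
Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: sophos found 2 infections
Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: Found 2 viruses
Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected "StAR2001_2002Fleury et alH.rar (corrupt)" to /quarantaine/usherbrooke/20030122/h0MHL9O22471
Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected "StAR2001_2002Fleury et alH.rar" to /quarantaine/usherbrooke/20030122/h0MHL9O22471
Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: sophos found 1 infections
Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: Found 1 viruses
Jan 22 12:58:34 smtp2 MailScanner[10824]: Saved infected "Calendrier2003.pps (corrupt)" to /quarantaine/hermes/20030122/h0MHwPO31882
Jan 22 16:26:55 smtp2 MailScanner[22132]: Could not check ./h0MLQmO04098/winmail.dat (corrupt)
Jan 22 16:26:55 smtp2 MailScanner[22132]: Virus Re-scanning: sophos found  1 infections
Jan 22 16:26:55 smtp2 MailScanner[22132]: Disinfection: Rescan found only  1 viruses
"""

# Patterns written against the log format shown above (assumption: other
# MailScanner versions may word these lines differently).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$')
COULD_NOT_CHECK_RE = re.compile(
    r'^Could not check \./(?P<msgid>[^/]+)/(?P<path>.+) '
    r'\((?P<reason>corrupt|format not supported)\)$')
FOUND_RE = re.compile(
    r'^Virus (?:Re-)?[Ss]canning: (?P<scanner>\w+) found\s+(?P<n>\d+) infections$')
SAVED_RE = re.compile(r'^Saved infected "(?P<name>.+)" to (?P<dir>\S+)$')


def triage(log_text):
    """Group MailScanner lines by child PID and separate scanner errors
    ("corrupt", "format not supported") from the infection counts the
    scanner reported.  A batch is flagged as pseudo-detections when the
    distinct scanner errors account for every reported infection, which is
    what the excerpt shows happening: the same count appears in both."""
    batches = defaultdict(lambda: {"msgids": set(), "errors": [],
                                   "reported": 0, "quarantined": []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a MailScanner line; skip
        b, msg = batches[m["pid"]], m["msg"]
        e = COULD_NOT_CHECK_RE.match(msg)
        if e:
            b["msgids"].add(e["msgid"])
            b["errors"].append((e["path"], e["reason"]))
            continue
        f = FOUND_RE.match(msg)
        if f:
            # Scan and re-scan both report a count; keep the larger one.
            b["reported"] = max(b["reported"], int(f["n"]))
            continue
        s = SAVED_RE.match(msg)
        if s:
            # The quarantine directory ends in the message's work-dir id.
            b["msgids"].add(s["dir"].rsplit("/", 1)[-1])
            b["quarantined"].append((s["name"], s["dir"]))

    results = {}
    for pid, b in batches.items():
        unique_errors = set(b["errors"])  # the repeated .pps line collapses
        results[pid] = {
            "msgids": sorted(b["msgids"]),
            "scanner_errors": sorted(unique_errors),
            "reported_infections": b["reported"],
            "quarantined": b["quarantined"],
            "all_pseudo_detections": (b["reported"] > 0
                                      and len(unique_errors) >= b["reported"]),
        }
    return results


if __name__ == "__main__":
    for pid, r in sorted(triage(SAMPLE_LOG).items()):
        tag = "SCANNER ERROR ONLY" if r["all_pseudo_detections"] else "REVIEW"
        print(f"pid {pid} msg {','.join(r['msgids'])}: "
              f"{r['reported_infections']} reported, "
              f"{len(r['scanner_errors'])} unreadable -> {tag}")
        for path, reason in r["scanner_errors"]:
            print(f"    {reason:>20}: {path}")
```

Run it against a real syslog (`python3 triage.py < /var/log/maillog`-style piping would only need `sys.stdin.read()` in place of `SAMPLE_LOG`) and anything tagged REVIEW has at least one infection that no "Could not check" line explains; everything tagged SCANNER ERROR ONLY is a candidate for the release-from-quarantine handling Sophos suggested, once the original file has been confirmed intact.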