Sophos issues

Julian Field mailscanner at ecs.soton.ac.uk
Mon Jan 27 16:34:44 GMT 2003


At 15:51 27/01/2003, you wrote:
>I just spoke with Sophos about this issue.  The person I spoke to tells
>me that this is definitely a MailScanner issue.

They are getting good at saying that. Shame they never actually tell me 
about it.

>   The files are already
>"corrupt" by the time that Sophos sees them (basically, it can't see both
>the start of the file and the end of the file, is what I was told).  I
>asked about the RAR archives, and she said that Sophos currently can't
>scan RAR version 3 archives, but that will be available in the next
>release.  She suggested that I quarantine messages and release the files
>that get labeled corrupted, or in the case of the RAR files, maybe put
>the file extension on a whitelist, basically.

When it finds a file is corrupt, MailScanner removes it, right?

Is it happening often enough that you could archive all mail for a little 
while until it happens? If so, we can actually get a test case together to 
prove exactly what is happening to the message.
Until I can get my hands on a test case, it is very difficult to work out 
what is happening.

Are they suggesting that the file put into the quarantine is actually okay, 
but the file being scanned is not? That would be a neat trick...

>Anyways, without the original files from these people, I can't verify
>for sure if the documents were already corrupted.  I am still working
>that issue.  How does MailScanner send files to Sophos?  I assume it
>extracts the file in the attachment to a real file on the disk and then
>points Sophos to it, right?

Correct.

>   Are there cases where the whole file may
>not be written to disk for some reason?

Other than you running out of disk space, no.

>What would be really helpful, at this point, is a way for me to set an
>option to allow corrupted files to pass through MailScanner without being
>flagged as viruses and without being touched.  The same goes for scanning
>of external MIME attachments (which is another thread).  There should be
>an option to not flag those as viruses and to allow the messages to pass
>through untouched.  Both of these issues are generating support calls for
>us right now.

The "external bodies" switch will be in the next version. I'll have to take 
a look at how easy it would be to add a switch for the other bit.

How come this is only happening with Sophos? No-one else is reporting any 
problems, only the people using Sophos.



>Thanks,
>Scott
>
>--On Monday, January 27, 2003 9:12 AM -0500 Scott Adkins 
><adkinss at OHIO.EDU> wrote:
>
>>This problem seems to be even more widespread than that... Friday,
>>somebody complained about an XLS document that was getting flagged as
>>a virus... They sent it multiple times and every time, it would get
>>to the other side flagged as a virus and the message would indicate
>>that it was corrupted.  Today, I have a couple of reports on PDF documents
>>doing the same thing.
>>
>>Looking at the PDF document on the destination side (after it gets
>>there and says it is corrupted), I get these error messages:
>>
>>   Insufficient data for an image
>>
>>AND
>>
>>   Unable to extract the embedded font "DOrchesterScriptMT".  Some
>>     characters may not display or print correctly.
>>
>>I am trying to get the original documents described above so I can do
>>a better check on them, but it all depends on them getting back to me.
>>
>>Ah... My grep on the syslog files just finished.  Attached is the output
>>of what I found with regards to looking for corrupt documents that
>>MailScanner reports...
>>
>>So, is it correct to assume that Sophos is the one having problems with
>>this?  The question that I have is whether or not the document was already
>>corrupted when Sophos got a hold of it, or if Sophos corrupted it when
>>trying to scan it...
>>
>>Scott
>>
>>--On Thursday, January 23, 2003 2:28 PM +0000 Julian Field
>><mailscanner at ECS.SOTON.AC.UK> wrote:
>>
>>>I have heard of other similar problems with RAR archives and Sophos in
>>>the last few days. Supposedly Sophos tech support are working on them.
>>>
>>>If you do a standard ("Sophos"'s standard) installation of their virus
>>>scanner, and use sweep to scan the RAR file, and it still produces the
>>>errors (which I believe it will), then you should log a fault call with
>>>Sophos tech support so that they work faster on fixing this problem.
>>>
>>>At 13:48 23/01/2003, you wrote:
>>>>Hello,
>>>>
>>>>Yesterday I added Sophos to McAfee as my virus scanners in MS.  I then
>>>>noticed the following messages in my logs:
>>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar/StAR2001_2002Fleury et alH.doc (format not supported)
>>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar (corrupt)
>>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: sophos found 2 infections
>>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: Found 2 viruses
>>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected "StAR2001_2002Fleury et alH.rar (corrupt)" to /quarantaine/usherbrooke/20030122/h0MHL9O22471
>>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected "StAR2001_2002Fleury et alH.rar" to /quarantaine/usherbrooke/20030122/h0MHL9O22471
>>>>Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
>>>>Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
>>>>Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: sophos found 1 infections
>>>>Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: Found 1 viruses
>>>>Jan 22 12:58:34 smtp2 MailScanner[10824]: Saved infected "Calendrier2003.pps (corrupt)" to /quarantaine/hermes/20030122/h0MHwPO31882
>>>>Jan 22 16:26:55 smtp2 MailScanner[22132]: Could not check ./h0MLQmO04098/winmail.dat (corrupt)
>>>>Jan 22 16:26:55 smtp2 MailScanner[22132]: Virus Re-scanning: sophos found 1 infections
>>>>Jan 22 16:26:55 smtp2 MailScanner[22132]: Disinfection: Rescan found only 1 viruses
>>>>
>>>>I checked my old logs and these messages had never appeared before I
>>>>added Sophos so I'm pretty sure it is the culprit.  McAfee didn't
>>>>complain about those files.
>>>>
>>>>I'm running version 4.11-1 on RH 7.3 with the external winmail.dat
>>>>extractor.
>>>>
>>>>The problem is annoying because the attachments were not transmitted to
>>>>the users and even though MS informed them that they were quarantined in
>>>>directory X, they are not there except for the RAR file. For the others,
>>>>the directory is empty.
>>>>
>>>>Until this issue is resolved I deactivated Sophos.  Anyhow the Sophos
>>>>quote I received was based on the number of users my mail gateways
>>>>protect and was way too expensive for us.
>>>>
>>>>Thanks again!
>>>>
>>>>Denis
>>>>--
>>>>Denis Beauchemin, analyste
>>>>Université de Sherbrooke, S.T.I.
>>>>T: 819.821.8000x2252 F: 819.821.8045
>>>
>>>--
>>>Julian Field
>>>www.MailScanner.info
>>>MailScanner thanks transtec Computers for their support
>>
>>
>>--
>>  +-----------------------------------------------------------------------+
>>       Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>>    UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>>         ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>>  +-----------------------------------------------------------------------+
>>      PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
>
>
>--
>+-----------------------------------------------------------------------+
>      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>+-----------------------------------------------------------------------+
>     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
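An added example, not code from MailScanner or from anyone in this thread, for assembling the test case asked for above: it decodes each attachment of a message to disk the way a gateway does, confirms the bytes on disk match what was decoded, and applies shallow structural checks (PDF header and %%EOF trailer, RAR marker block, OLE2 header for .doc/.xls/.pps) so that a scanner's "corrupt" verdict can be compared with the file it was actually handed. The sample message, its file names and the minimal file bodies are constructed for the example; the checks are heuristics, not format parsers.

```python
"""Decode a message's attachments to disk and sanity-check each file,
so an AV engine's "corrupt" verdict can be compared with what was
actually written.  Added example, not MailScanner code; the message and
file bodies below are constructed for the example."""
import hashlib
import os
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Well-known file signatures for the types named in the thread.
PDF_MAGIC = b"%PDF-"
RAR_MAGIC = b"Rar!\x1a\x07\x00"                   # RAR 1.5-4.x marker block
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .doc/.xls/.pps compound file


def classify(data: bytes) -> dict:
    """Shallow structural check: which format, and does it look complete?"""
    if data.startswith(PDF_MAGIC):
        # A reader needs the trailer; a file cut short has no %%EOF near the end.
        complete = b"%%EOF" in data[-1024:]
        return {"kind": "pdf", "complete": complete,
                "reason": "" if complete else "no %%EOF in last 1024 bytes"}
    if data.startswith(RAR_MAGIC):
        return {"kind": "rar", "complete": True, "reason": ""}
    if data.startswith(OLE2_MAGIC):
        # Heuristic: OLE2 files are a 512-byte header followed by whole sectors.
        complete = len(data) >= 512 and len(data) % 512 == 0
        return {"kind": "ole2", "complete": complete,
                "reason": "" if complete else "length not a multiple of 512"}
    return {"kind": "unknown", "complete": True, "reason": "no known signature"}


def extract_attachments(raw: bytes, outdir: str) -> list:
    """Write every attachment to outdir and report what landed on disk."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        # basename() keeps a hostile filename from escaping the work directory.
        name = os.path.basename(part.get_filename() or "unnamed")
        decoded = part.get_payload(decode=True)     # transfer-decoded bytes
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            fh.write(decoded)
        with open(path, "rb") as fh:
            on_disk = fh.read()                     # re-read: what the scanner sees
        entry = classify(on_disk)
        entry.update(name=name, decoded_len=len(decoded), disk_len=len(on_disk),
                     written_ok=on_disk == decoded,
                     sha256=hashlib.sha256(on_disk).hexdigest())
        report.append(entry)
    return report


def build_sample_message() -> bytes:
    """Constructed message: an intact PDF, a truncated PDF and a bare RAR marker."""
    good_pdf = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
                b"trailer<</Root 1 0 R>>\n%%EOF\n")
    cut_pdf = good_pdf[:-7]          # drops "\n%%EOF\n": looks truncated in transit
    rar_stub = RAR_MAGIC + b"\x00" * 16
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "gateway-test@example.org"
    msg["Subject"] = "test case for corrupt-attachment reports"
    msg.set_content("Files attached.")
    msg.add_attachment(good_pdf, maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(cut_pdf, maintype="application", subtype="pdf",
                       filename="report-cut.pdf")
    msg.add_attachment(rar_stub, maintype="application",
                       subtype="x-rar-compressed", filename="archive.rar")
    return msg.as_bytes()


def check_message(raw: bytes) -> list:
    """Extract to a scratch directory and return the per-file report."""
    with tempfile.TemporaryDirectory() as workdir:
        return extract_attachments(raw, workdir)


if __name__ == "__main__":
    for e in check_message(build_sample_message()):
        status = "ok" if e["written_ok"] and e["complete"] else "SUSPECT"
        print(f'{e["name"]:16} {e["kind"]:8} {e["disk_len"]:6}B '
              f'{status:8} {e["reason"]}')
```

Run it against a raw copy of a message that was reported as corrupt (read the file and pass the bytes to check_message): if written_ok is true and the structural check passes, the attachment reached the disk intact and the verdict came from the engine; if the trailer is missing in the raw message too, the sender's copy was already damaged. The RAR check only confirms the marker block, since the page gives no detail on what the engine objects to in version 3 archives.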
