Sophos issues

Julian Field mailscanner at ecs.soton.ac.uk
Tue Jan 28 09:52:31 GMT 2003


Can I suggest you upgrade to the latest 3.66 release of Sophos.
I have been sent a few files which 3.62 and other releases complain are
corrupt.
3.66 happily scans them.

At 17:59 27/01/2003, you wrote:
>--On Monday, January 27, 2003 4:34 PM +0000 Julian Field
><mailscanner at ECS.SOTON.AC.UK> wrote:
>
>>>   The files are already
>>>"corrupt" by the time that Sophos sees it (basically, it can't see both
>>>the start of the file and the end of the file, is what I was told).  I
>>>asked about the RAR archives, and she said that Sophos currently can't
>>>scan RAR version 3 archives, but that will be available in the next
>>>release.  She suggested that I quarantine messages and release the files
>>>that get labeled corrupted, or in the case of the RAR files, maybe put
>>>the file extension on a whitelist, basically.
>>
>>When it finds a file is corrupt, MailScanner removes it, right?
>
>Actually no... It looks like the attachments come through okay, though,
>the files are indeed corrupted.  I am still trying to get the original
>files from the authors to see if they started that way or not... So, I
>can't know for sure what happens, but the attachment doesn't appear to be
>removed, just a warning message inserted into the body of the message
>indicating that the file is corrupted.
>
>>Is it happening often enough that you could archive all mail for a little
>>while until it happens? If so, we can actually get a test case together
>>to prove exactly what is happening to the message. Until I can get my
>>hands on a test case, it is very difficult to work out what is happening.
>
>I don't think so... We get several hundred emails going through our system
>a minute... We have enough problems trying to stay afloat with CPU load and
>(especially) disk I/O.  When we turned on quarantining for about a 10 hour
>time period, we had about 1.5GB of disk space consumed... so, it makes me
>a bit afraid to do anything on our production server like that :-)
>
>>Are they suggesting that the file put into the quarantine is actually
>>okay, but the file being scanned is not? That would be a neat trick...
>
>That is a good point... My concern was with regard to a message coming
>in that was fine and somehow MailScanner or Sophos was corrupting the
>message and that was what got put into the attachment... but that seems
>a bit less likely at this point, and I feel like the file is starting out
>corrupt.  If I had to guess right now, Sophos is expecting documents to
>be exactly compliant with those document standard formats (i.e. DOC files
>must follow Microsoft Word Document format, PDF files follow Adobe PDF
>file formats etc).  There doesn't appear to be much room in the way of
>flexibility.  I have seen other programs, like Star Office, write their
>documents that are mostly compliant, but not quite, and maybe those would
>be flagged by Sophos as being corrupted.  Anyways, those are guesses.
>
>>>What would be really helpful, at this point, is a way for me to set an
>>>option to allow corrupted files to pass through MailScanner without being
>>>flagged as viruses and without being touched.  The same goes for scanning
>>>of external MIME attachments (which is another thread).  There should be
>>>an option to not flag those as viruses and to allow the messages to pass
>>>through untouched.  Both of these issues are generating support calls for
>>>us right now.
>>
>>The "external bodies" switch will be in the next version. I'll have to
>>take a look at how easy it would be to add a switch for the other bit.
>
>Great!  I will let the users know about this (the external bodies thing).
>
>>How come this is only happening with Sophos? No-one else is reporting any
>>problems, only the people using Sophos.
>
>That is a good point... If I knew our system could support another virus
>scanner, such as ClamAV or something like that, I would put it on.... as is,
>we are now running without spam checking just so we can get some benefit
>of MailScanner doing virus checking on messages... when we start to fall
>behind in the mail queues, even that gets turned off.
>
>On average, we get several hundred messages a minute.  When we get spammed
>(usually by our own university departments), we get way more than that :)
>
>Scott
>--
>+-----------------------------------------------------------------------+
>      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>+-----------------------------------------------------------------------+
>     PGP Public Key available at
> http://www.cns.ohiou.edu/~sadkins/pgp/

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support


