Sophos issues

Scott Adkins adkinss at OHIO.EDU
Tue Jan 28 13:05:01 GMT 2003


Ah, okay... I will give that a try... I will let you know what happens...

Scott

--On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field 
<mailscanner at ECS.SOTON.AC.UK> wrote:

> Can I suggest you upgrade to the latest 3.66 release of Sophos.
> I have been sent a few files which 3.62 and other releases complain are
> corrupt.
> 3.66 happily scans them.
>
> At 17:59 27/01/2003, you wrote:
>> --On Monday, January 27, 2003 4:34 PM +0000 Julian Field
>> <mailscanner at ECS.SOTON.AC.UK> wrote:
>>
>>>>   The files are already
>>>> "corrupt" by the time that Sophos sees it (basically, it can't see both
>>>> the start of the file and the end of the file, is what I was told).  I
>>>> asked about the RAR archives, and she said that Sophos currently can't
>>>> scan RAR version 3 archives, but that will be available in the next
>>>> release.  She suggested that I quarantine messages and release the
>>>> files that get labeled corrupted, or in the case of the RAR files,
>>>> maybe put the file extension on a whitelist, basically.
>>>
>>> When it finds a file is corrupt, MailScanner removes it, right?
>>
>> Actually no... It looks like the attachments come through okay, though,
>> the files are indeed corrupted.  I am still trying to get the original
>> files from the authors to see if they started that way or not... So, I
>> can't know for sure what happens, but the attachment doesn't appear to be
>> removed, just a warning message inserted into the body of the message
>> indicating that the file is corrupted.
>>
>>> Is it happening often enough that you could archive all mail for a
>>> little while until it happens? If so, we can actually get a test case
>>> together to prove exactly what is happening to the message. Until I can
>>> get my hands on a test case, it is very difficult to work out what is
>>> happening.
>>
>> I don't think so... We get several hundred emails going through our
>> system a minute... We have enough problems trying to stay afloat with
>> CPU load and (especially) disk I/O.  When we turned on quarantining for
>> about a 10 hour time period, we had about 1.5GB of disk space
>> consumed... so, it makes me a bit afraid to do anything on our
>> production server like that :-)
>>
>>> Are they suggesting that the file put into the quarantine is actually
>>> okay, but the file being scanned is not? That would be a neat trick...
>>
>> That is a good point... My concern was with regards of a message coming
>> in that was fine and somehow MailScanner or Sophos was corrupting the
>> message and that was what got put into the attachment... but that seems
>> a bit less likely at this point, and I feel like the file is starting out
>> corrupt.  If I had to guess right now, Sophos is expecting documents to
>> be exactly compliant with those document standard formats (i.e. DOC files
>> must follow Microsoft Word Document format, PDF files follow Adobe PDF
>> file formats etc).  There doesn't appear to be much room in the way of
>> flexibility.  I have seen other programs, like Star Office, write their
>> documents that are mostly compliant, but not quite, and maybe those would
>> be flagged by Sophos as being corrupted.  Anyways, those are guesses.
>>
>>>> What would be really helpful, at this point, is a way for me to set an
>>>> option to allow corrupted files to pass through MailScanner without
>>>> being flagged as viruses and without being touched.  The same goes for
>>>> scanning of external MIME attachments (which is another thread).
>>>> There should be an option to not flag those as viruses and to allow
>>>> the messages to pass through untouched.  Both of these issues are
>>>> generated support calls for us right now.
>>>
>>> The "external bodies" switch will be in the next version. I'll have to
>>> take a look at how easy it would be to add a switch for the other bit.
>>
>> Great!  I will let the users know about this (the external bodies thing).
>>
>>> How come this is only happening with Sophos? No-one else is reporting
>>> any problems, only the people using Sophos.
>>
>> That is a good point... If I knew our system could support another virus
>> scanner, such as ClamV or something like that, I would put it on.... as
>> is, we are now running without spam checking just so we can get some
>> benefit of MailScanner doing virus checking on messages... when we start
>> to fall behind in the mail queues, even that gets turned off.
>>
>> On average, we get several hundred messages a minute.  When we get
>> spammed (usually by our own university departments), we get way more
>> than that :)
>>
>> Scott
>> --
>> +-----------------------------------------------------------------------+
>>      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>>   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>>        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>> +-----------------------------------------------------------------------+
>>     PGP Public Key available at
>> http://www.cns.ohiou.edu/~sadkins/pgp/
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support


-- 
 +-----------------------------------------------------------------------+
      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
 +-----------------------------------------------------------------------+
     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/