Sophos issues

Scott Adkins adkinss at OHIO.EDU
Tue Jan 28 16:45:38 GMT 2003


My initial testing with the new release is that it acts the same as the
old release... But part of the problem is that the only files I currently
have for testing are files that look like they are already corrupted.  So,
I don't know if the new version really fixes it or not.  It is definitely
the case that corrupted PDF and XLS files come out on the other end as
being flagged {Virus?} and (corrupt), which is still not desired.

Scott

--On Tuesday, January 28, 2003 8:05 AM -0500 Scott Adkins 
<adkinss at OHIO.EDU> wrote:

> Ah, okay... I will give that a try... I will let you know what happens...
>
> Scott
>
> --On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field
> <mailscanner at ECS.SOTON.AC.UK> wrote:
>
>> Can I suggest you upgrade to the latest 3.66 release of Sophos.
>> I have been sent a few files which 3.62 and other releases complain are
>> corrupt.
>> 3.66 happily scans them.
>>
>> At 17:59 27/01/2003, you wrote:
>>> --On Monday, January 27, 2003 4:34 PM +0000 Julian Field
>>> <mailscanner at ECS.SOTON.AC.UK> wrote:
>>>
>>>>>   The files are already
>>>>> "corrupt" by the time that Sophos sees it (basically, it can't see
>>>>> both the start of the file and the end of the file, is what I was
>>>>> told).  I asked about the RAR archives, and she said that Sophos
>>>>> currently can't scan RAR version 3 archives, but that will be
>>>>> available in the next release.  She suggested that I quarantine
>>>>> messages and release the files that get labeled corrupted, or in the
>>>>> case of the RAR files, maybe put the file extension on a whitelist,
>>>>> basically.
>>>>
>>>> When it finds a file is corrupt, MailScanner removes it, right?
>>>
>>> Actually no... It looks like the attachments come through okay, though,
>>> the files are indeed corrupted.  I am still trying to get the original
>>> files from the authors to see if they started that way or not... So, I
>>> can't know for sure what happens, but the attachment doesn't appear to
>>> be removed, just a warning message inserted into the body of the message
>>> indicating that the file is corrupted.
>>>
>>>> Is it happening often enough that you could archive all mail for a
>>>> little while until it happens? If so, we can actually get a test case
>>>> together to prove exactly what is happening to the message. Until I can
>>>> get my hands on a test case, it is very difficult to work out what is
>>>> happening.
>>>
>>> I don't think so... We get several hundred emails going through our
>>> system a minute... We have enough problems trying to stay afloat with
>>> CPU load and (especially) disk I/O.  When we turned on quarantining for
>>> about a 10 hour time period, we had about 1.5GB of disk space
>>> consumed... so, it makes me a bit afraid to do anything on our
>>> production server like that :-)
>>>
>>>> Are they suggesting that the file put into the quarantine is actually
>>>> okay, but the file being scanned is not? That would be a neat trick...
>>>
>>> That is a good point... My concern was with regards of a message coming
>>> in that was fine and somehow MailScanner or Sophos was corrupting the
>>> message and that was what got put into the attachment... but that seems
>>> a bit less likely at this point, and I feel like the file is starting
>>> out corrupt.  If I had to guess right now, Sophos is expecting
>>> documents to be exactly compliant with those document standard formats
>>> (i.e. DOC files must follow Microsoft Word Document format, PDF files
>>> follow Adobe PDF file formats etc).  There doesn't appear to be much
>>> room in the way of flexibility.  I have seen other programs, like Star
>>> Office, write their documents that are mostly compliant, but not quite,
>>> and maybe those would be flagged by Sophos as being corrupted.
>>> Anyways, those are guesses.
>>>
>>>>> What would be really helpful, at this point, is a way for me to set an
>>>>> option to allow corrupted files to pass through MailScanner without
>>>>> being flagged as viruses and without being touched.  The same goes for
>>>>> scanning of external MIME attachments (which is another thread).
>>>>> There should be an option to not flag those as viruses and to allow
>>>>> the messages to pass through untouched.  Both of these issues are
>>>>> generated support calls for us right now.
>>>>
>>>> The "external bodies" switch will be in the next version. I'll have to
>>>> take a look at how easy it would be to add a switch for the other bit.
>>>
>>> Great!  I will let the users know about this (the external bodies
>>> thing).
>>>
>>>> How come this is only happening with Sophos? No-one else is reporting
>>>> any problems, only the people using Sophos.
>>>
>>> That is a good point... If I knew our system could support another virus
>>> scanner, such as ClamAV or something like that, I would put it on.... as
>>> is, we are now running without spam checking just so we can get some
>>> benefit of MailScanner doing virus checking on messages... when we start
>>> to fall behind in the mail queues, even that gets turned off.
>>>
>>> On average, we get several hundred messages a minute.  When we get
>>> spammed (usually by our own university departments), we get way more
>>> than that :)
>>>
>>> Scott
>>> --
>>>  +-----------------------------------------------------------------------+
>>>       Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>>>    UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>>>         ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>>>  +-----------------------------------------------------------------------+
>>>      PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> MailScanner thanks transtec Computers for their support
>
>
> --
>  +-----------------------------------------------------------------------+
>       Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>    UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>         ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>  +-----------------------------------------------------------------------+
>      PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/


-- 
 +-----------------------------------------------------------------------+
      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
 +-----------------------------------------------------------------------+
     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
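
Added example, not part of the original thread and not MailScanner or Sophos code: a small triage helper for the open question above, whether a PDF or XLS/DOC attachment was already damaged at the source or changed on the way through the gateway. The "start and end of the file" checks are heuristics chosen here, and all names and sample bytes are constructed.

```python
import hashlib
from typing import Optional

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of XLS/DOC compound files

def check_structure(data: bytes) -> str:
    """Heuristic: can both the start and the end of the file be found?"""
    if data.startswith(b"%PDF-"):
        # PDF readers look for the %%EOF marker near the end of the file.
        return "ok" if b"%%EOF" in data[-1024:] else "truncated"
    if data.startswith(OLE2_MAGIC):
        if len(data) < 512:                      # the header alone is 512 bytes
            return "truncated"
        shift = int.from_bytes(data[30:32], "little")
        if shift not in (9, 12):                 # 512- or 4096-byte sectors
            return "bad-header"
        size = 1 << shift
        # A complete compound file is a whole number of sectors.
        return "ok" if len(data) > size and len(data) % size == 0 else "truncated"
    return "unknown"

def triage(received: bytes, original: Optional[bytes] = None) -> dict:
    """Report whether damage predates delivery or happened on the way."""
    report = {"structure": check_structure(received),
              "sha256": hashlib.sha256(received).hexdigest()}
    if original is None:
        report["verdict"] = "no original to compare"
    elif original == received:
        report["verdict"] = ("damaged at source" if report["structure"] == "truncated"
                             else "unchanged in transit")
    elif original.startswith(received):
        report["verdict"] = "truncated in transit"
    else:
        report["verdict"] = "modified in transit"
    return report

# Constructed samples, not real attachments.
GOOD_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"
CUT_PDF = GOOD_PDF[:20]
GOOD_XLS = OLE2_MAGIC + bytes(22) + (9).to_bytes(2, "little") + bytes(992)

if __name__ == "__main__":
    print(triage(CUT_PDF, GOOD_PDF)["verdict"])
    print(triage(CUT_PDF, CUT_PDF)["verdict"])
    print(check_structure(GOOD_XLS), check_structure(GOOD_XLS[:700]))
```
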